ilistic; what happens if p or q is composite? Well, first you can make the odds of that happening as small as you want. And if it does happen, the odds are that encryption and decryption won’t work properly—you’ll notice right away. There are a few numbers, called Carmichael numbers, which certain probabilistic primality algorithms will fail to detect. These are exceedingly rare, but they are insecure [746]. Honestly, I wouldn’t worry about it.

Chosen Ciphertext Attack against RSA
Some attacks work against the implementation of RSA. These are not attacks against the basic algorithm, but against the protocol. It’s important to realize that it’s not enough to use RSA. Details matter.

Scenario 1: Eve, listening in on Alice’s communications, manages to collect a ciphertext message, c, encrypted with RSA in her public key. Eve wants to be able to read the message. Mathematically, she wants m, in which

$m = c^d$

To recover m, she first chooses a random number, r, such that r is less than n. She gets Alice’s public key, e. Then she computes

$x = r^e \bmod n$
$y = xc \bmod n$
$t = r^{-1} \bmod n$

If $x = r^e \bmod n$, then $r = x^d \bmod n$.

Now, Eve gets Alice to sign y with her private key, thereby decrypting y. (Alice has to sign the message, not the hash of the message.) Remember, Alice has never seen y before. Alice sends Eve

$u = y^d \bmod n$

Now, Eve computes

$tu \bmod n = r^{-1} y^d \bmod n = r^{-1} x^d c^d \bmod n = c^d \bmod n = m$

Eve now has m.

Scenario 2: Trent is a computer notary public. If Alice wants a document notarized, she sends it to Trent. Trent signs it with an RSA digital signature and sends it back. (No one-way hash functions are used here; Trent encrypts the entire message with his private key.) Mallory wants Trent to sign a message he otherwise wouldn’t. Maybe it has a phony timestamp; maybe it purports to be from another person. Whatever the reason, Trent would never sign it if he had a choice. Let’s call this message m’. First, Mallory chooses an arbitrary value x and computes $y = x^e \bmod n$. He can easily get e; it...
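
Scenario 1 worked through on a toy key, as an added example that is not part of the original text: the primes, exponent and function names are constructed for illustration. It also shows why the parenthetical about signing the message rather than its hash matters, since hash-then-sign breaks the algebra Eve relies on.

```python
# Added example: textbook RSA with constructed toy parameters (not a secure key size).
import hashlib
import secrets
from math import gcd

P, Q, E = 1009, 1013, 65537          # constructed toy primes and public exponent
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))    # Alice's private exponent


def alice_sign_raw(y: int) -> int:
    """Unsafe protocol: Alice signs the message itself, u = y^d mod n."""
    return pow(y, D, N)


def alice_sign_hashed(message: bytes) -> int:
    """Alice signs a hash of the message (reduced mod n to fit the toy key)."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % N
    return pow(h, D, N)


def eve_blind(c: int) -> tuple[int, int]:
    """Pick random r < n; return (y, t) with y = r^e * c mod n, t = r^-1 mod n."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:           # r must be invertible mod n
            break
    x = pow(r, E, N)
    return (x * c) % N, pow(r, -1, N)


def eve_unblind(t: int, u: int) -> int:
    """t*u = r^-1 * x^d * c^d = c^d = m (mod n) when u = y^d mod n."""
    return (t * u) % N


def run_scenario(m: int) -> tuple[int, int]:
    """Return what Eve recovers when Alice signs raw y vs. a hash of y."""
    c = pow(m, E, N)                 # the ciphertext Eve collected
    y, t = eve_blind(c)
    recovered_raw = eve_unblind(t, alice_sign_raw(y))
    # Hash-then-sign: Alice exponentiates H(y), not y, so unblinding yields junk.
    y_bytes = y.to_bytes((N.bit_length() + 7) // 8, "big")
    recovered_hashed = eve_unblind(t, alice_sign_hashed(y_bytes))
    return recovered_raw, recovered_hashed
```

Because y is blinded with a fresh random r, Alice cannot recognize it as related to c; the defense has to be in what she agrees to exponentiate, not in inspecting the request.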
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.