applied cryptography - protocols, algorithms, and source code in c

If eve ever recovers a k that alice used she can

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: covered without either of the decryption exponents [1457]. Let m be the plaintext message. The two encryption keys are e1 and e2. The common modulus is n. The two ciphertext messages are: c1 = me1 mod n c2 = me2 mod n The cryptanalyst knows n, e1, e2, c1, and c2. Here’s how he recovers m. Since e1 and e2 are relatively prime, the extended Euclidean algorithm can find r and s, such that re1 + se2 = 1 Assuming r is negative (either r or s has to be, so just call the negative one r), then the extended Euclidean algorithm can be used again to calculate c1-1. Then (c1-1)-r * C2s = m mod n There are two other, more subtle, attacks against this type of system. One attack uses a probabilistic method for factoring n. The other uses a deterministic algorithm for calculating someone’s secret key without factoring the modulus. Both attacks are described in detail in [449]. Moral: Don’t share a common n among a group of users. Low Encryption Exponent Attack against RSA RSA encryption and signature verification are faster if you use a low value for e, but that can also be insecure [704]. If you encrypt e(e + 1)/2 linearly dependent messages with different public keys having the same value of e, there is an attack against the system. If there are fewer than that many messages, or if the messages are unrelated, there is no problem. If the messages are identical, then e messages are enough. The easiest solution is to pad messages with independent random values. This also ensures that me mod n ` me. Most real-world RSA implementations—PEM and PGP (see Sections 24.10 and 24.12), for example—do this. Moral: Pad messages with random values before encrypting them; make sure m is about the same size as n. Low Decryption Exponent Attack against RSA Another attack, this one by Michael Wiener, will recover d, when d is up to one quarter the size of n and e is less than n [1596]. This rarely occurs if e and d are chosen at random, and cannot occur if e has a small value. Moral: Choos...
View Full Document

Ask a homework question - tutors are online