e a large value for d.

Lessons Learned

Judith Moore lists several restrictions on the use of RSA, based on the success of these attacks [1114, 1115]:

— Knowledge of one encryption/decryption pair of exponents for a given modulus enables an attacker to factor the modulus.
— Knowledge of one encryption/decryption pair of exponents for a given modulus enables an attacker to calculate other encryption/decryption pairs without having to factor n.
— A common modulus should not be used in a protocol using RSA in a communications network. (This should be obvious from the previous two points.)
— Messages should be padded with random values to prevent attacks on low encryption exponents.
— The decryption exponent should be large.

Remember, it is not enough to have a secure cryptographic algorithm. The entire cryptosystem must be secure, and the cryptographic protocol must be secure. A failure in any of those three areas makes the overall system insecure.

Attack on Encrypting and Signing with RSA

It makes sense to sign a message before encrypting it (see Section 2.7), but not everyone follows this practice. With RSA, there is an attack against protocols that encrypt before signing [48].

Alice wants to send a message to Bob. First she encrypts it with Bob’s public key; then she signs it with her private key. Her encrypted and signed message looks like:

$(m^{e_B} \bmod n_B)^{d_A} \bmod n_A$

Here’s how Bob can claim that Alice sent him m’ and not m. Realize that since Bob knows the factorization of $n_B$ (it’s his modulus), he can calculate discrete logarithms with respect to $n_B$. Therefore, all he has to do is to find an x such that

$m'^{x} = m \bmod n_B$

Then, if he can publish $xe_B$ as his new public exponent and keep $n_B$ as his modulus, he can claim that Alice sent him message m’ encrypted in this new exponent. This is a particularly nasty attack in some circumstances. Note that hash functions don’t solve the problem. However, forcing a fixed encryption exponent for every user does.

Standards
RSA is a de facto standard in much of...
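The encrypt-before-sign claim from the section above, worked through with toy numbers as an added example that is not part of the original text. The key sizes, the messages 6 and 2, and all function names are constructed for illustration, and an exhaustive search stands in for Bob's discrete-logarithm computation.

```python
# Toy parameters, constructed for illustration (far too small for real use).
N_A, E_A = 17 * 19, 5            # Alice's signing modulus and public exponent
D_A = pow(E_A, -1, 16 * 18)      # Alice's private exponent
N_B, E_B = 11 * 23, 3            # Bob's encryption key; N_B < N_A on purpose


def encrypt_then_sign(m):
    """Alice's flawed order: encrypt to Bob first, then sign the ciphertext."""
    return pow(pow(m, E_B, N_B), D_A, N_A)


def find_exponent(m_claimed, m_real, n):
    """Bob's step: find x with m_claimed**x == m_real (mod n), or None.
    Exhaustive search is only feasible because the modulus is a toy."""
    acc = 1
    for x in range(1, n):
        acc = acc * m_claimed % n
        if acc == m_real:
            return x
    return None


def claim_holds(sig, m, e_claimed, fixed_e=None):
    """Third-party check of the claim 'Alice sent m under exponent e_claimed'.
    With fixed_e set, any other exponent is refused (the mitigation above)."""
    if fixed_e is not None and e_claimed != fixed_e:
        return False
    return pow(sig, E_A, N_A) == pow(m, e_claimed, N_B)


def demo():
    m, m_claimed = 6, 2                      # real message, message Bob claims
    sig = encrypt_then_sign(m)
    x = find_exponent(m_claimed, m, N_B)     # 2**9 = 512 = 6 (mod 253)
    return sig, x, x * E_B                   # x * E_B is Bob's "new" exponent


if __name__ == "__main__":
    sig, x, e_new = demo()
    print("honest claim (m=6, e=3):      ", claim_holds(sig, 6, E_B))
    print("substituted claim (m'=2, e=%d):" % e_new, claim_holds(sig, 2, e_new))
    print("same claim, exponent fixed:   ", claim_holds(sig, 2, e_new, fixed_e=E_B))
```

Alice's signature verifies against both (m, e_B) and (m', x·e_B) because it covers only the ciphertext; once every user must use the same exponent, the second claim is refused outright.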
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
