This preview shows page 1. Sign up to view the full content.
Unformatted text preview: random session key. Security of PublicKey Algorithms
Since a cryptanalyst has access to the public key, he can always choose any message to encrypt. This means that a cryptanalyst, given C = EK(P), can guess the value of P and easily check his guess. This is a serious problem if the number of possible plaintext messages is small enough to allow exhaustive search, but can be solved by padding messages with a string of random bits. This makes identical plaintext messages encrypt to different ciphertext messages. (For more about this concept, see Section 23.15.) This is especially important if a publickey algorithm is used to encrypt a session key. Eve can generate a database of all possible session keys encrypted with Bob’s public key. Sure, this requires a large amount of time and memory, but for a 40bit exportable key or a 56bit DES key, it’s a whole lot less time and memory than breaking Bob’s public key. Once Eve has generated the database, she will have his key and can read his mail at will. Publickey algorithms are designed to resist chosenplaintext attacks; their security is based both on the difficulty of deducing the secret key from the public key and the difficulty of deducing the plaintext from the ciphertext. However, most publickey algorithms are particularly susceptible to a chosenciphertext attack (see Section 1.1). In systems where the digital signature operation is the inverse of the encryption operation, this attack is impossible to prevent unless different keys are used for encryption and signatures. Consequently, it is important to look at the whole system and not just at the individual parts. Good publickey protocols are designed so that the various parties can’t decrypt arbitrary messages generated by other parties—the proofofidentity protocols are a good example (see Section 5.2). 19.2 Knapsack Algorithms
The first algorithm for generalized publickey encryption was the knapsack algorithm developed by Ralph Merkle and Martin Hellm...
View
Full
Document
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
 Fall '10
 ALIULGER
 Cryptography

Click to edit the document details