|
<<
^
>>
Date: 1998-07-16
RSA/crack: Crypto/head Bruce Schneier analysiert
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
& stellt in den letzten Zeilen fest, dass dieser neue
Ansatz,
RSA/Schlüssel zu knacken, die jahrelang gängige
Lehr/meinung auf den Kopf gestellt habe. Numehr gelte: Hast
du ein Stück von RSA geknackt, gehört dir der ganze Code.
Conclusio:"Nice attack"
Post/scrypt an die p.t. Print/journalist/inn/en auf der
Liste:
1. RSA ist US Marktführer
2. Schon mal geguckt, welche Bank in .at oder .de welche
Schlüssel
nützt?
-.-.- --.- -.-.- --.- -.-.- --.-
Breaking RSA in PKCS1
July 15, 1998
Reports of RSA's death have been greatly exaggerated. There
is a new attack on RSA implementations that can, in some
circumstances, can be pretty devastating. Fortunately, the
attack does not apply to RSA in general. Unfortunately, the
"circumstances" aren't all that uncommon.
The attack is simple to explain. I am the attacker, and I
want to know the plaintext for a particular ciphertext
encrypted with RSA. (Generally, this is a session key used
for something else.) I send my victim a bunch of related
messages (about one million of them) and watch his
reaction. By learning which of those messages conform to
particular data formats (PKCS1 in the paper), I can do some
straightforward mathematical analysis and break the message
I started with.
Point 1: the attacker does not recover the secret key, only
the plaintext to a particular message. That means that
after I send the victim one million messages and watch the
reactions to each, I only get to read one secret message.
If I want to read another secret message, it takes another
million related messages.
Point 2: the attacker is relying on some information from
the victim. In this case, he needs to know if the related
messages he sends decrypt in a certain way. I like to call
this general class of attack a "reaction attack," since it
uses the victim's reaction as input. This is an old and
powerful idea, but unfortunately in the age of computers it
is easy to implement. Computer systems are good at
automatically reacting to things, and then broadcasting
those reactions to the world. Error messages, status
messages, health information: it's all there if an attacker
wants it.
Point 3: the attacker has to send the victim a whole lot of
related messages to break one message. The general attack
requires one billion messages. This number can be reduced
somewhat--the experiments against SSL required anywhere from
300,000 to 2 million related messages--but that's still a
lot of messages. Still, computers are good at dealing with
a lot of messages, and automated systems are likely to
process those kind of message quantities without even
noticing. Smart cards that the attacker can put in his own
test setup are also vulnerable.
...
There were several fixes announced. (Obvious fix: don't
tell the attacker if the message was valid or not.) The
quick ones increase the number of related messages required
to break one message. These fixes make it much harder to
mount this attack against on-line systems--the message
volume will clog the system--and moderately harder against
off-line systems like smart cards. Better fixes are to
change the PKCS1 protocol, which specifies how the bits of
plaintext are packed into a data structure that RSA can then
encrypt. The RSA message packaging scheme in SET, for
example, is not vulnerable to this attack.
The attack has ramifications outside PKCS1. Many protocols
will have to be corrected and many systems will have to be
changed. Many people will have no idea that this attack
exists and will design insecure implementations of RSA.
Many years ago there was a string of theoretical
cryptographic results that proved that every bit of RSA is
as secure as the whole message. All of us cryptographers
read the papers and decided that the results weren't
terribly useful: if the entire RSA-encrypted message is
secure, then each individual bit is secure. This piece of
work turns that result on its head: if you can break single
bit of an RSA message, then you can break the whole message.
Nice attack.
Relayed by
schneier@counterpane.com
http://www.counterpane.com
related story
http://www.wired.com/news/news/technology/story/13281.html
-.-.- --.- -.-.- --.- -.-.- --.-
TIP
Download free PGP 5.5.3i (Win95/NT & Mac)
http://keyserver.ad.or.at/pgp/download/
-.-.- --.- -.-.- --.- -.-.- --.-
- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
edited by Harkank
published on: 1998-07-16
comments to office@quintessenz.at
subscribe Newsletter
- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
<<
^
>>
|
|
|
|