Attacks on Digital

Signature Algorithm: RSA

John Nguyen
RSA as a Digital Signature Algorithm
 The need for digital signature: online banking,
routable forms…
 Requirement: something uniquely identify
oneself, and people can verify that unique
identification.
 RSA is a public key cryptography which offers
that need.
 Private key to sign the message.
 Public key to verify the signature.
 RSA
 A public key algorithm
 Easy to understand and implement
 Popular, used by numerous companies such as
Motorola and Adobe in its Acrobat product.
 De facto standard in much of the world.
 RSA Algorithm
 Choose 2 large prime numbers p and q
 Then compute: n = pq
 Choose e such that e and (p-1)(q-1) are relatively
prime.
 key d can be computed by using extended
Euclidean algorithm:
ed ≡ 1 mod (p-1)(q-1)
 RSA Encrytion
 Public key: n and e
 Private key: d
 Encrypting:
c = me mod n
 Decrypting:
m = cd mod n
 Digital signature:
 c = md mod n (signing)
 m = ce mod n (verification)
 Proof
 cd = (me)d (mod n)
= med
= mk(p-1)(q-1) + 1
= mmk(p-1)(q-1)
= m *1 = m
 mk(p-1)(q-1) = mk(n) = m* 1 (Euler’s
generalization of Fermat’s little theorem)
 Security of RSA
 Factoring n is the most obvious attack.
 Difficult
 Factoring techonology: best 129-decimal-digital modulus
 N must be larger than that to be secure
 Guessing value of (p-1)(q-1), but the difficulty is the
same as factoring n
 Common attacks against RSA’s implementation: attack
against the protocol, not the basic algorithm.
 Chosen Cipher Attack against RSA
 Eve: attacker, Alice: user
 Eve got c encrypted by Alice’s public key. Eve
wants to read plaintext m from c.
 Mathematically, Eve needs d: m = cd, but Eve
does not know d.
 Eve decided to figure out m without first
knowing exactly what d is.
 Chosen Ciphertext attack…
 Eve chooses a random number r (r < n), then compute:
x = re mod n
y = xc mod n
t = r-1 mod n
 Eve gets Alice to sign y with her private key, therefore
decrypting y.
 Alice sends Eve: u = yd mod n
 Eve computes, and get m:
tu mod n = r-1yd mod n = r-1xdcd mod n = cd mod n =
m
 Prevent against this chosen
ciphertext attack
 Signing and encrypting (& decrypting) are 2
different things.
 They can be done separately.
 1 set of keys for signing and verification.
 1 set of keys for decrypting and encrypting.
 Sign on a one-way hash of message, not the
message.
 Signing will not decrypt the message, so Eve can
not figure out m
 Attack on Encrypting and Signing
with RSA
 Alice sends a message m to Bob
 She encrypts m with Bob public key, then signs
with her private key:
(meB mod nB)dA mod nA
 Bob can claim that Alice sent him m’, not m.
 He can find x, such that:
m’x = m mod n
 If he can publish xeB replace old eB
 To prevent this attack…
 Assign each user fixed keys
 Usually be done by third party: VeriSign…
 Moreover, common good practice: sign first,
encrypt later.