Dan Boneh
PKCS 1
Dan Boneh
RSA
ciphertext
msg Preprocessing
key
Main questions:
How should the preprocessing be done?
Can we argue about security of resulting system?
Dan Boneh
PKCS1 v1.5
PKCS1 mode 2:
(encryption)
16 bits
02
random pad
FF
msg
Dan Boneh
(Bleichenbacher 1998)
d
Web
Server
c= ciphertext
c
yes: continue
no: error
Attacker
PKCS1(m))
Dan Boneh
Baby Bleichenbacher
c= ciphertext
compute xcd in ZN
d
Web
Server
is
msb=1?
1
Suppose N is N = 2n
Then:
yes: continue
no: error
Attacker
Dan Boneh
HTTPS Defense
(RFC 5246)
Dan Boneh
check pad
on decryption.
reject CT if invalid.
[BR94]
01 00..0
rand.
H
G
n-1
Dan Boneh
OAEP Improvements
OAEP+:
[Shoup01]
trap-door permutation F
F-OAEP+ is CCA secure when
H,G,W are random oracles.
W(m,r)
[B01]
W(m,r)
+
Dan Boneh
W(m,r)
+
x
r
RS
A
ciphertext
(x,r) RSA-1(sk,ct) ,
(x,r) RSA-1(sk,ct) ,
(x,r) RSA-1(sk,ct) ,
[M 00]
OAEP-decrypt(ct):
error = 0;
if ( RSA-1(ct) > 2n-1 )
{ error =1; goto exit; }
if ( pad(OAEP-1(RSA-1(ct))) != 01000 )
{ error = 1; goto exit; }
Dan Boneh
End of Segment
Dan Boneh