Security Articles from Wikipedia

More documents

Recommendations

Info

RSA (algorithm) 113 Attacks against plain RSA There are a number of attacks against plain RSA as described below. • When encrypting with low encryption exponents (e.g., ) and small values of the , (i.e. ) the result of is strictly less than the modulus . In this case, ciphertexts can be easily decrypted by taking the th root of the ciphertext over the integers. • If the same clear text message is sent to or more recipients in an encrypted way, and the receivers share the same exponent , but different , , and therefore , then it is easy to decrypt the original clear text message via the Chinese remainder theorem. Johan Håstad noticed that this attack is possible even if the cleartexts are not equal, but the attacker knows a linear relation between them. [7] This attack was later improved by Don Coppersmith. [8] • Because RSA encryption is a deterministic encryption algorithm – i.e., has no random component – an attacker can successfully launch a chosen plaintext attack against the cryptosystem, by encrypting likely plaintexts under the public key and test if they are equal to the ciphertext. A cryptosystem is called semantically secure if an attacker cannot distinguish two encryptions from each other even if the attacker knows (or has chosen) the corresponding plaintexts. As described above, RSA without padding is not semantically secure. • RSA has the property that the product of two ciphertexts is equal to the encryption of the product of the respective plaintexts. That is Because of this multiplicative property a chosen-ciphertext attack is possible. E.g. an attacker, who wants to know the decryption of a ciphertext may ask the holder of the private key to decrypt an unsuspicious-looking ciphertext for some value chosen by the attacker. Because of the multiplicative property is the encryption of . Hence, if the attacker is successful with the attack, he will learn from which he can derive the message m by multiplying with the modular inverse of modulo . Padding schemes To avoid these problems, practical RSA implementations typically embed some form of structured, randomized padding into the value before encrypting it. This padding ensures that does not fall into the range of insecure plaintexts, and that a given message, once padded, will encrypt to one of a large number of different possible ciphertexts. Standards such as PKCS#1 have been carefully designed to securely pad messages prior to RSA encryption. Because these schemes pad the plaintext with some number of additional bits, the size of the un-padded message M must be somewhat smaller. RSA padding schemes must be carefully designed so as to prevent sophisticated attacks which may be facilitated by a predictable message structure. Early versions of the PKCS#1 standard (up to version 1.5) used a construction that turned RSA into a semantically secure encryption scheme. This version was later found vulnerable to a practical adaptive chosen ciphertext attack. Later versions of the standard include Optimal Asymmetric Encryption Padding (OAEP), which prevents these attacks. The PKCS#1 standard also incorporates processing schemes designed to provide additional security for RSA signatures, e.g., the Probabilistic Signature Scheme for RSA (RSA-PSS).
RSA (algorithm) 114 Signing messages Suppose Alice uses Bob's public key to send him an encrypted message. In the message, she can claim to be Alice but Bob has no way of verifying that the message was actually from Alice since anyone can use Bob's public key to send him encrypted messages. In order to verify the origin of a message, RSA can also be used to sign a message. Suppose Alice wishes to send a signed message to Bob. She can use her own private key to do so. She produces a hash value of the message, raises it to the power of (as she does when decrypting a message), and attaches it as a "signature" to the message. When Bob receives the signed message, he uses the same hash algorithm in conjunction with Alice's public key. He raises the signature to the power of (as he does when encrypting a message), and compares the resulting hash value with the message's actual hash value. If the two agree, he knows that the author of the message was in possession of Alice's private key, and that the message has not been tampered with since. Secure padding schemes such as RSA-PSS are as essential for the security of message signing as they are for message encryption. The same key should never be used for both encryption and signing. [9] Security and practical considerations Integer factorization and RSA problem The security of the RSA cryptosystem is based on two mathematical problems: the problem of factoring large numbers and the RSA problem. Full decryption of an RSA ciphertext is thought to be infeasible on the assumption that both of these problems are hard, i.e., no efficient algorithm exists for solving them. Providing security against partial decryption may require the addition of a secure padding scheme. The RSA problem is defined as the task of taking th roots modulo a composite : recovering a value such that , where is an RSA public key and is an RSA ciphertext. Currently the most promising approach to solving the RSA problem is to factor the modulus . With the ability to recover prime factors, an attacker can compute the secret exponent from a public key , then decrypt using the standard procedure. To accomplish this, an attacker factors into and , and computes which allows the determination of from . No polynomial-time method for factoring large integers on a classical computer has yet been found, but it has not been proven that none exists. See integer factorization for a discussion of this problem. Rivest, Shamir and Adleman note [1] that Miller has shown that - assuming the Extended Riemann Hypothesis (though others call it the Generalized Riemann Hypothesis) - finding d from n and e is as hard as factoring n into p and q (up to a polynomial time difference). [10] However, this proof does not imply that inverting RSA is equally hard as factoring. As of 2010, the largest (known) number factored by a general-purpose factoring algorithm was 768 bits long (see RSA-768), using a state-of-the-art distributed implementation. RSA keys are typically 1024–2048 bits long. Some experts believe that 1024-bit keys may become breakable in the near future (though this is disputed); few see any way that 4096-bit keys could be broken in the foreseeable future. Therefore, it is generally presumed that RSA is secure if is sufficiently large. If is 300 bits or shorter, it can be factored in a few hours on a personal computer, using software already freely available. Keys of 512 bits have been shown to be practically breakable in 1999 when RSA-155 was factored by using several hundred computers and are now factored in a few weeks using common hardware. [11] Exploits using 512-bit code-signing certificates that may have been factored were reported in 2011. [12] A theoretical hardware device named TWIRL and described by Shamir and Tromer in 2003 called into question the security of 1024 bit keys. It is currently recommended that be at least 2048 bits long. [13] In 1994, Peter Shor showed that a quantum computer (if one could ever be practically created for the purpose) would be able to factor in polynomial time, breaking RSA.
Page 1 and 2:
Security Articles from Wikipedia PD
Page 3 and 4:
Article Licenses License 180
Page 5 and 6:
Advanced Encryption Standard 2 is a
Page 7 and 8:
Advanced Encryption Standard 4 The
Page 9 and 10:
Advanced Encryption Standard 6 Know
Page 11 and 12:
Advanced Encryption Standard 8 Test
Page 13 and 14:
Block cipher 10 Block cipher In cry
Page 15 and 16:
Block cipher 12 Block ciphers and o
Page 17 and 18:
Block cipher modes of operation 14
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Certificate authority 24 Certificat
Page 29 and 30:
Certificate authority 26 Security T
Page 31 and 32:
CMAC 28 The CMAC tag generation pro
Page 33 and 34:
Cryptographic hash function 30 resi
Page 35 and 36:
Cryptographic hash function 32 func
Page 37 and 38:
Cryptographic hash function 34 Algo
Page 39 and 40:
DiffieHellman key exchange 36 The s
Page 41 and 42:
DiffieHellman key exchange 38 3. Bo
Page 43 and 44:
DiffieHellman key exchange 40 Upon
Page 45 and 46:
DiffieHellman key exchange 42 • C
Page 47 and 48:
Digital signature 44 every paramete
Page 49 and 50:
Digital signature 46 implemented. I
Page 51 and 52:
Digital signature 48 authority). Fo
Page 53 and 54:
Digital Signature Algorithm 50 Digi
Page 55 and 56:
Digital Signature Algorithm 52 Sens
Page 57 and 58:
HMAC 54 Implementation The followin
Page 59 and 60:
HMAC 56 External links • FIPS PUB
Page 61 and 62:
HTTP Secure 58 Browser integration
Page 63 and 64:
HTTP Secure 60 From an architectura
Page 65 and 66: IPsec 62 IPsec Internet Protocol Se
Page 67 and 68: IPsec 64 operates directly on top o
Page 69 and 70: IPsec 66 Cryptographic algorithms C
Page 71 and 72: IPsec 68 External links • All IET
Page 73 and 74: Kerberos (protocol) 70 Kerberos (pr
Page 75 and 76: Kerberos (protocol) 72 Client Authe
Page 77 and 78: Kerberos (protocol) 74 External lin
Page 79 and 80: Message authentication code 76 Mess
Page 81 and 82: Message authentication code 78 Exte
Page 83 and 84: NeedhamSchroeder protocol 80 S resp
Page 85 and 86: Pretty Good Privacy 82 Pretty Good
Page 87 and 88: Pretty Good Privacy 84 Security qua
Page 89 and 90: Pretty Good Privacy 86 PGP 3 and fo
Page 91 and 92: Pretty Good Privacy 88 based on sec
Page 93 and 94: Public key certificate 90 Public ke
Page 95 and 96: Public key certificate 92 (b) ensur
Page 97 and 98: Public key certificate 94 Usefulnes
Page 99 and 100: Public key infrastructure 96 As tim
Page 101 and 102: Public key infrastructure 98 Extern
Page 103 and 104: Public-key cryptography 100 In cont
Page 105 and 106: Public-key cryptography 102 To achi
Page 107 and 108: Public-key cryptography 104 using t
Page 109 and 110: Public-key cryptography 106 Spreadi
Page 111 and 112: Public-key cryptography 108 Externa
Page 113 and 114: RSA (algorithm) 110 The RSA algorit
Page 115: RSA (algorithm) 112 A working examp
Page 119 and 120: RSA (algorithm) 116 Side-channel an
Page 121 and 122: RSA (algorithm) 118 • The PKCS #1
Page 123 and 124: S/MIME 120 administrative overhead
Page 125 and 126: Secure Electronic Transaction 122 T
Page 127 and 128: Secure Shell 124 Usage SSH is typic
Page 129 and 130: Secure Shell 126 • RFC 4462, Gene
Page 131 and 132: Secure Shell 128 ability to multipl
Page 133 and 134: Security service (telecommunication
Page 135 and 136: Security service (telecommunication
Page 137 and 138: SHA-1 134 SHA-1 SHA-1 General Desig
Page 139 and 140: SHA-1 136 Applications SHA-1 forms
Page 141 and 142: SHA-1 138 At the Rump Session of CR
Page 143 and 144: SHA-1 140 a = temp Add this chunk's
Page 145 and 146: SHA-1 142 • Xiaoyun Wang, Yiqun L
Page 147 and 148: Stream cipher 144 Types of stream c
Page 149 and 150: Stream cipher 146 Filter generator
Page 151 and 152: Stream cipher 148 SNOW Pre-2003 Ver
Page 153 and 154: Symmetric-key algorithm 150 Key gen
Page 155 and 156: Transport Layer Security 152 TLS 1.
Page 157 and 158: Transport Layer Security 154 • SS
Page 159 and 160: Transport Layer Security 156 • Fi
Page 161 and 162: Transport Layer Security 158 Length
Page 163 and 164: Transport Layer Security 160 layer
Page 165 and 166: Transport Layer Security 162 Suppor
Page 167 and 168:
Transport Layer Security 164 • RF
Page 169 and 170:
Transport Layer Security 166 Extern
Page 171 and 172:
X.509 168 Extensions informing a sp
Page 173 and 174:
X.509 170 00:d3:a4:50:6e:c8:ff:56:6
Page 175 and 176:
X.509 172 Exploits • MD2-based ce
Page 177 and 178:
X.509 174 External links • ITU-T
Page 179 and 180:
Article Sources and Contributors 17
Page 181 and 182:
Article Sources and Contributors 17
Page 183:
License 180 License Creative Common
show all

Security Articles from Wikipedia

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?