manger s attack revisited
play

Mangers Attack revisited Falko Strenzke 1 1 - FlexSecure GmbH, - PowerPoint PPT Presentation

Mangers Attack revisited Falko Strenzke 1 1 - FlexSecure GmbH, Germany, strenzke@flexsecure.de February 8, 2013 Mangers Attack revisited Falko Strenzke 1 / 1 Mangers Attack RSA-OAEP Encoding introduced to thwart Bleichenbachers


  1. Manger’s Attack revisited Falko Strenzke 1 1 - FlexSecure GmbH, Germany, strenzke@flexsecure.de February 8, 2013 Manger’s Attack revisited Falko Strenzke 1 / 1

  2. Manger’s Attack RSA-OAEP Encoding introduced to thwart Bleichenbacher’s Attack against RSA with PKCS#1 v1.5 Encoding The OAEP is a so called CCA2 conversion that secures a cryptosystem against adaptive chosen ciphertext attacks (any manipulation of an original ciphertext is detected during the decryption) CRYPTO 2001: James Manger introduces a Fault/Timing Attack against straightforward implementations of RSA-OAEP Manger’s Attack revisited Falko Strenzke 2 / 1

  3. Manger’s Attack RSA-OAEP Encoding introduced to thwart Bleichenbacher’s Attack against RSA with PKCS#1 v1.5 Encoding The OAEP is a so called CCA2 conversion that secures a cryptosystem against adaptive chosen ciphertext attacks (any manipulation of an original ciphertext is detected during the decryption) CRYPTO 2001: James Manger introduces a Fault/Timing Attack against straightforward implementations of RSA-OAEP Manger’s Attack revisited Falko Strenzke 2 / 1

  4. Manger’s Attack RSA-OAEP Encoding introduced to thwart Bleichenbacher’s Attack against RSA with PKCS#1 v1.5 Encoding The OAEP is a so called CCA2 conversion that secures a cryptosystem against adaptive chosen ciphertext attacks (any manipulation of an original ciphertext is detected during the decryption) CRYPTO 2001: James Manger introduces a Fault/Timing Attack against straightforward implementations of RSA-OAEP Manger’s Attack revisited Falko Strenzke 2 / 1

  5. Manger’s Attack RSA-OAEP Encoding introduced to thwart Bleichenbacher’s Attack against RSA with PKCS#1 v1.5 Encoding The OAEP is a so called CCA2 conversion that secures a cryptosystem against adaptive chosen ciphertext attacks (any manipulation of an original ciphertext is detected during the decryption) CRYPTO 2001: James Manger introduces a Fault/Timing Attack against straightforward implementations of RSA-OAEP Manger’s Attack revisited Falko Strenzke 2 / 1

  6. RSA public key: public exponent e and public modulus n private key: private exponent d with x ed = x mod n encryption: z = m e mod n decryption: m = z d = m ed mod n Manger’s Attack revisited Falko Strenzke 3 / 1

  7. RSA public key: public exponent e and public modulus n private key: private exponent d with x ed = x mod n encryption: z = m e mod n decryption: m = z d = m ed mod n Manger’s Attack revisited Falko Strenzke 3 / 1

  8. RSA public key: public exponent e and public modulus n private key: private exponent d with x ed = x mod n encryption: z = m e mod n decryption: m = z d = m ed mod n Manger’s Attack revisited Falko Strenzke 3 / 1

  9. RSA public key: public exponent e and public modulus n private key: private exponent d with x ed = x mod n encryption: z = m e mod n decryption: m = z d = m ed mod n Manger’s Attack revisited Falko Strenzke 3 / 1

  10. OAEP Encoding Figure: The RSA-OAEP decoding procedure. Here, � denotes XOR. Manger’s Attack revisited Falko Strenzke 4 / 1

  11. Manger’s Attack - the observable Error Condition OAEP Decoding checks that Y = 0 ( Y � = 0 → “supernumerary octet”) Y � = 0 can be learned either through a specific error message shorter time to the error message compared to later OAEP errors (time difference might become huge if the attacker can control the public parameters to be hashed within the OAEP decoding routine) Manger’s Attack revisited Falko Strenzke 5 / 1

  12. Manger’s Attack - the observable Error Condition OAEP Decoding checks that Y = 0 ( Y � = 0 → “supernumerary octet”) Y � = 0 can be learned either through a specific error message shorter time to the error message compared to later OAEP errors (time difference might become huge if the attacker can control the public parameters to be hashed within the OAEP decoding routine) Manger’s Attack revisited Falko Strenzke 5 / 1

  13. Manger’s Attack - the observable Error Condition OAEP Decoding checks that Y = 0 ( Y � = 0 → “supernumerary octet”) Y � = 0 can be learned either through a specific error message shorter time to the error message compared to later OAEP errors (time difference might become huge if the attacker can control the public parameters to be hashed within the OAEP decoding routine) Manger’s Attack revisited Falko Strenzke 5 / 1

  14. Manger’s Attack - the observable Error Condition OAEP Decoding checks that Y = 0 ( Y � = 0 → “supernumerary octet”) Y � = 0 can be learned either through a specific error message shorter time to the error message compared to later OAEP errors (time difference might become huge if the attacker can control the public parameters to be hashed within the OAEP decoding routine) Manger’s Attack revisited Falko Strenzke 5 / 1

  15. Manger’s Attack - the observable Error Condition OAEP Decoding checks that Y = 0 ( Y � = 0 → “supernumerary octet”) Y � = 0 can be learned either through a specific error message shorter time to the error message compared to later OAEP errors (time difference might become huge if the attacker can control the public parameters to be hashed within the OAEP decoding routine) Manger’s Attack revisited Falko Strenzke 5 / 1

  16. Manger’s Attack - the observable Error Condition OAEP Decoding checks that Y = 0 ( Y � = 0 → “supernumerary octet”) Y � = 0 can be learned either through a specific error message shorter time to the error message compared to later OAEP errors (time difference might become huge if the attacker can control the public parameters to be hashed within the OAEP decoding routine) Manger’s Attack revisited Falko Strenzke 5 / 1

  17. Manger’s Attack - the Information Gain The attacker wants to decrypt the ciphertext c 0 = m e 0 mod n He chooses f ∈ { 0 , 1 , . . . , n − 1 } He creates ciphertexts c f = f e c 0 = ( fm 0 ) e mod n He observes the decryption of c f If Y � = 0 he learns fm 0 mod n ≥ B Manger gives a specific strategy how to choose f initially and how to adapt f in in subsequent queries Manger’s Attack revisited Falko Strenzke 6 / 1

  18. Manger’s Attack - the Information Gain The attacker wants to decrypt the ciphertext c 0 = m e 0 mod n He chooses f ∈ { 0 , 1 , . . . , n − 1 } He creates ciphertexts c f = f e c 0 = ( fm 0 ) e mod n He observes the decryption of c f If Y � = 0 he learns fm 0 mod n ≥ B Manger gives a specific strategy how to choose f initially and how to adapt f in in subsequent queries Manger’s Attack revisited Falko Strenzke 6 / 1

  19. Manger’s Attack - the Information Gain The attacker wants to decrypt the ciphertext c 0 = m e 0 mod n He chooses f ∈ { 0 , 1 , . . . , n − 1 } He creates ciphertexts c f = f e c 0 = ( fm 0 ) e mod n He observes the decryption of c f If Y � = 0 he learns fm 0 mod n ≥ B Manger gives a specific strategy how to choose f initially and how to adapt f in in subsequent queries Manger’s Attack revisited Falko Strenzke 6 / 1

  20. Manger’s Attack - the Information Gain The attacker wants to decrypt the ciphertext c 0 = m e 0 mod n He chooses f ∈ { 0 , 1 , . . . , n − 1 } He creates ciphertexts c f = f e c 0 = ( fm 0 ) e mod n He observes the decryption of c f If Y � = 0 he learns fm 0 mod n ≥ B Manger gives a specific strategy how to choose f initially and how to adapt f in in subsequent queries Manger’s Attack revisited Falko Strenzke 6 / 1

  21. Manger’s Attack - the Information Gain The attacker wants to decrypt the ciphertext c 0 = m e 0 mod n He chooses f ∈ { 0 , 1 , . . . , n − 1 } He creates ciphertexts c f = f e c 0 = ( fm 0 ) e mod n He observes the decryption of c f If Y � = 0 he learns fm 0 mod n ≥ B Manger gives a specific strategy how to choose f initially and how to adapt f in in subsequent queries Manger’s Attack revisited Falko Strenzke 6 / 1

  22. Manger’s Attack - the Information Gain The attacker wants to decrypt the ciphertext c 0 = m e 0 mod n He chooses f ∈ { 0 , 1 , . . . , n − 1 } He creates ciphertexts c f = f e c 0 = ( fm 0 ) e mod n He observes the decryption of c f If Y � = 0 he learns fm 0 mod n ≥ B Manger gives a specific strategy how to choose f initially and how to adapt f in in subsequent queries Manger’s Attack revisited Falko Strenzke 6 / 1

  23. Manger’s Attack - the Information Gain The attacker wants to decrypt the ciphertext c 0 = m e 0 mod n He chooses f ∈ { 0 , 1 , . . . , n − 1 } He creates ciphertexts c f = f e c 0 = ( fm 0 ) e mod n He observes the decryption of c f If Y � = 0 he learns fm 0 mod n ≥ B Manger gives a specific strategy how to choose f initially and how to adapt f in in subsequent queries Manger’s Attack revisited Falko Strenzke 6 / 1

  24. Manger’s Attack revisited Falko Strenzke 7 / 1

  25. Analysis of the OpenSSL Library lzero = num - flen; if (lzero < 0) { /* signalling this error immediately after detection might allow for * side-channel attacks (e.g. timing if ’plen’ is huge – cf. James * H. Manger, ”A Chosen Ciphertext Attack on RSA Optimal * Asymmetric Encryption Padding (OAEP) [...]”, CRYPTO 2001), * so we use a ’bad’ flag */ bad = 1; lzero = 0; flen = num; /* don’t overflow the memcpy to padded from */ } . . . if (memcmp(db, phash, SHA DIGEST LENGTH) != 0 || bad) goto decoding err; Manger’s Attack revisited Falko Strenzke 8 / 1

Recommend


More recommend