Chosen-Ciphertext Attacks
Against Protocols Based on the
RSA Encryption Standard
PKCS #1
(Public-Key Cryptography
Standards)
Daniel Bleichenbacher
Elizabeth Loza-Garay
Christopher Thoma Orosco
Cynthia A Guozden
Yonghua Li
Overview
•
•
•
•
•
•
Introduction
PKCS #1 description
Description of the algorithm
Prevention techniques
Experimental results
Conclusion
Objetive
• Introduces a new adaptive
Chosen Ciphertext Attack
against protocols based on RSA
RSA/PKCS #1 encryption
Bob
Alice
PK:(n=pq,e)
message: m
padding:
m M
e
C=M (mod n)
SK:(p,q,d: ed=1 mod j(n))
C
decrypt: M’ =C d(mod n)
?? remove padding: M’ m’
Situation analyzed in this talk
Bob
Alice
PK:(n=pq,e)
message: m
padding: m
M
C=Me (mod n)
Eve
SK:(p,q,d: ed=1 mod j(n))
C
R
decrypt: M’= Cd (mod n)
remove padding: M’ m’
R=1 if padding correct
R=0 if padding incorrect
Chosen-ciphertext attack
Alice
PK:(n=pq,e)
Bob
SK:(p,q,d: ed=1 mod j(n))
C
Ask
Eve
M=Cdmod n
S=rnd int
M’=C’d
M= M’S-1 mod n
e
C’=CS (mod n)
d
R= 0/1 (depending
on correctness of
padding of C’)
PKCS #1 (v.1.5) padding for
encryption
RSA modulus: n=pq of length k bytes;
i.e. 256 k-1< n < 256k
most significant byte
00 02 padding string 00
at least 8 bytes
k bytes
Length (n)
least significant byte
message
Data block
PKCS # 1 (Cont)
00 02 padding string 00
at least 8 bytes
message
Data block
00||02||PS||00||D
EB1=00
EB2=02
EB3 through EB10 are nonzero
At least one of the bytes EB11 through EBk is 00
Observations
PKCS #1 (v.1.5) padding for encryption is correct if
•
•
•
•
1st byte is 00
2nd byte is 02
next 8 bytes different from 00
at least one more 00 byte
• less significant bit on RSA encryption is as secure
as the whole message  single bits per ciphertext
may be sufficient
Chosen-Ciphertext Attacks
Adaptive:chosen-ciphertexts  previous outcomes
Theoretical weakness  Practical (easy to get
information from the oracle reply)
Attack
Kind of error
Server
How the attack works: Overview
Eve
M=Cd ??
Bob
Ci =CS ei (mod n)
R
If a message C i is PKCS conforming then
2*256k-2-1 < MS < 3*256k-2
3 phases: Blinding, slow phase and fast phase
Blinding
•Yields a ciphertext c0 that corresponds to and unknown
message m0
Given an integer c, choose different random integers
si, then check, by sending them to the Oracle, whether
c(si)^e mod n is PKCS conforming. For the first
successful value si, set
c0  c(si)^e mod n
M0  {[2B, 3B-1]} // 2*256k-2-1 < M0 = MS < 3*256k-2
i1
Slow phase
• The attacker tries to find small values of si for which the
ciphertext c0(si)^e mod n is PKCS conforming. For each
successful value for si, the attacker computes, using previous
knowledge about m0, a set of intervals that must contain m0.
Slow Phase
If (i=1) s1> n/3B | c0(si)^e mod n == PKCS conforming
else if ( i> 1 && Mi-1 >= 2) // Mi > one interval
{search( si> si -1 | c0(si)^e mod n == PKCS conforming)}
else if ( Mi-1 == {[a,b]}) // exactly one interval
{ while(!(c0(si)^e mod n == PKCS conforming))
{choose(ri, si) | ri>= 2((b(si-1) - 2B)/n) &&
(2B + (ri)n)/b <= si< (3B + (ri)n)/a
}
}
Fast phase
• First two bytes of M0Si are correct with prob. 
• A message is PKCS conforming with prob. > 0.09.
• Each PKCS conforming message roughly cuts the
remaining interval in half.
Fast Phase
After si has been found, the set Mi is computed as:
Mi  a i b // contained in a sufficiently small interval
/* search si | si approx. 2si -1 and the two sets overlap */
For all [a,b] contained in Mi -1 and (a(si) - 3B + 1/n) <= r<=(b(si) - 2B/n)
If (Mi == {[a,a]})
{ m  a(si) -1 mod n;
return m; // m is the solution to m = c^d mod n
}
i++;
goTo slowPhase();
Countermeasures
• Chance key pairs frequently
• Use different key pairs for different servers
• Check format of the message after decryption
Countermeasures (cont.)
• Identical error message and same amount of
time
• Have a data block for 1024 bits key
Countermeasures (cont.)
• Add structure to data value D (e.g. hash
function on D)
• PKCS#1 v2 will support Optimal
Asymmetric Encryption Padding (OAEP)
Countermeasures (cont.)
Data
Seed
Padding operation
(introduces
Redundancy)
Padded Data
XOR
Masking Function
Masked Data
Masking Function
Masked Data
XOR
Masked Seed
Access to an Oracle
• Plain Encryption
• Detailed Error Messages
• Timing Attack
Signing and Encrypting
Some protocols (e.g. SHTTP, S/MIME) sign and
encrypt messages.
Bob: SKB; PKB
Alice:
SKA; PKA
m
sign
encrypt
C
decrypt
m’ sig(m’)
verify sig.
Timing attacks
Decryption is sometimes done as follows:
1. Decrypt the ciphertext C
2. If the padding is incorrect return an error.
3. Verify the signature
4. If the signature is incorrect return an error.
• Signature is verified only when padding of C is OK.
• An attacker might get the information about the
padding of C by measuring response times.
• The message is authenticated after step 4, but step 2
might leak information.
• Such protocols should be used carefully in
client/server applications.
SSL Block Format
00 02 padding string
00 03 00 premastersecret
46 bytes
SSL Version 3.0
Client
<Client.hello>
Random, Ciphersuites
<Server.hello>
Random, Ciphersuites, PK, Cert
chose PreMaster
Secret (PMS)
<Client Key Exchange>
{PMS}PK
error alert
compute master
secret (MS)
<Client.finished>
hash(MS, ...)
<Server.finished>
Server
decrypt {PMS}PK
if padding is incorrect
compute (MS)
verify hash(MS, ...)
SSL Version 3.0 (correction)
Client
<Client.hello>
Random, Ciphersuites
<Server.hello>
Random, Ciphersuites, PK, Cert
chose PreMaster
Secret (PMS)
<Client Key Exchange>
{PMS}PK
compute master
secret (MS)
<Client.finished>
hash(MS, ...)
error alert
<Server.finished>
Server
decrypt {PMS}PK
compute (MS)
verify hash(MS, ...)
if padding or hash is
incorrect
Conclusions
• Consider chosen-ciphertext attacks.
• Details (e.g. error messages) do matter.
• The phase between decryption and integrity check
of a message is critical. No information should
leak in that phase.
• An integrity check should be close the decryption
step. (e.g. PKCS #1 v.2.0, SSL v.3.0 patch,
Cramer-Shoup cryptosyst
Thank you
?