Security Engineering. Ross Anderson

Читать онлайн.
Название Security Engineering
Автор произведения Ross Anderson
Жанр Зарубежная компьютерная литература
Серия
Издательство Зарубежная компьютерная литература
Год выпуска 0
isbn 9781119642817



Скачать книгу

alt="upper C 2 circled-plus h left-parenthesis upper C 1 right-parenthesis"/> and recovers upper M as upper C 1 circled-plus h left-parenthesis upper N right-parenthesis [213]. This was eventually proven to be secure. There are a number of public-key cryptography standards; PKCS #1 describes OAEP [995]. These block a whole lot of attacks that were discovered in the 20th century and about which people have mostly forgotten, such as the fact that an opponent can detect if you encrypt the same message with two different RSA keys. In fact, one of the things we learned in the 1990s was that randomisation helps make crypto protocols more robust against all sorts of attacks, and not just the mathematical ones. Side-channel attacks and even physical probing of devices take a lot more work.

      Many of the things that have gone wrong with real implementations have to do with side channels and error handling. One spectacular example was when Daniel Bleichenbacher found a way to break the RSA implementation in SSL v 3.0 by sending suitably chosen ciphertexts to the victim and observing any resulting error messages. If he could learn from the target whether a given c, when decrypted as c Superscript d (mod n), corresponds to a PKCS #1 message, then he could use this to decrypt or sign messages [265]. There have been many more side-channel attacks on common public-key implementations, typically via measuring the precise time taken to decrypt. RSA is also mathematically fragile; you can break it using homomorphisms, or if you have the same ciphertext encrypted under too many different small keys, or if the message is too short, or if two messages are related by a known polynomial, or in several other edge cases. Errors in computation can also give a result that's correct modulo one factor of the modulus and wrong modulo the other, enabling the modulus to be factored; errors can be inserted tactically, by interfering with the crypto device, or strategically, for example by the chipmaker arranging for one particular value of a 64-bit multiply to be computed incorrectly. Yet other attacks have involved stack overflows, whether by sending the attack code in as keys, or as padding in poorly-implemented standards.

      5.7.2 Cryptography based on discrete logarithms

      While RSA was the first public-key encryption algorithm deployed in the SSL and SSH protocols, the most popular public-key algorithms now are based on discrete logarithms. There are a number of flavors, some using normal modular arithmetic while others use elliptic curves. I'll explain the normal case first.

      Thus 5 is a primitive root modulo 7. This means that given any y, we can always solve the equation y equals 5 Superscript x (mod 7); x is then called the discrete logarithm of y modulo 7. Small examples like this can be solved by inspection, but for a large random prime number p, we do not know how to do this efficiently. So the mapping f colon x right-arrow g Superscript x (mod p) is a one-way function, with the additional properties that f left-parenthesis x plus y right-parenthesis equals f left-parenthesis x right-parenthesis f left-parenthesis y right-parenthesis and f left-parenthesis n x right-parenthesis equals f left-parenthesis x right-parenthesis Superscript n. In other words, it is a one-way homomorphism. As such, it can be used to construct digital signature and public key encryption algorithms.

5 Superscript 1 = 5 (mod 7)
5 squared = 25 identical-to 4 (mod 7)
5 cubed identical-to 4 x 5 identical-to 6 (mod 7)
5 Superscript 4 identical-to 6 x 5 identical-to 2 (mod 7)
5 Superscript 5 identical-to 2 x 5 identical-to 3 (mod 7)
5 Superscript 6