Reaction Attacks against several Public-Key Cryptosystems (original) (raw)

Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1

This paper introduces a new adaptive chosen ciphertext attack against certain protocols based on RSA. We show that an RSA private-key operation can be performed if the attacker has access to an oracle that, for any chosen ciphertext, returns only one bit telling whether the ciphertext corresponds to some unknown block of data en-crypted using PKCS #1. An example of a protocol susceptible to our attack is SSL V.3.0. In this paper, we analyze the following situation. Let n, e be an RSA public key, and let d be the corresponding secret key. Assume that an attacker has access to an oracle that, for any chosen ciphertext c, indicates whether the corresponding plaintext c d mod n has the correct format according to the RSA encryption standard PKCS #1. We show how to use this oracle to decrypt or sign a message. The attacker carefully prepares ciphertexts that are sent to the oracle. Combining the returns from the oracle, the attacker gradually gains information on c d. The chosen ci-phertexts are based on previous outcomes of the oracle. Thus, this technique is an example of an adaptive chosen-ciphertext attack. Usually, a chosen ciphertext attack is based on the theoretical assumption that the attacker has access to a decryption device that returns the complete decryption for a chosen ciphertext. Hence, if a public-key cryptosystem is susceptible to a chosen-ciphertext attack, that often is considered to be only a theoretical weakness. However, the attack shown in this paper is practical, because it is easy to get the necessary information corresponding to the oracle reply. The attack can be carried out if, for example, the attacker has access to a server that accepts encrypted messages and returns an error message depending on whether the decrypted message is PKCS conforming. This paper is organized as follows. We describe the RSA encryption standard PKCS #1 in Section 2. In Section 3, we describe and analyze our chosen-ciphertext attack. Different situations in which this attack can be carried out