16 citations found.
Daniel Bleichenbacher. A chosen ciphertext attack against protocols based on the RSA encryption standard RSA PKCS #1. In H. Krawczyk, ed., Advances in Cryptology -- CRYPTO '98, vol. 1462 of Lecture Notes in Computer Science, pp. 1--12, Springer-Verlag, 1998.


This paper is cited in the following contexts:
Observability Analysis - Detecting When Improved.. - Joye, Quisquater, Yen.. (2002)   (2 citations)  (Correct)

....the system (e.g. an indication about the case of fault, which may be observed due to change of behavior of components or parties within the system). The adversaries do not get actual outputs of the decryption device. We also employ such adversaries which introduce faults into ciphertexts (as in [5]) and ones which perform power analysis [21]. Our test case is the RSA system. In fact, RSA is undoubtedly the most widely used and accepted public key cryptosystem. Owing to this popularity, it is also perhaps the most cryptanalyzed system [7]. Furthermore, many optimizations and improvement ....

....is defined as the adversary's inability to make the difference between the encryptions of bits 0 and 1, or more generally, given a challenge ciphertext, to learn any information about the corresponding plaintext. This does not imply that the converse is necessarily true: Bleichenbacher [5] has shown that the (probabilistic) encryption standard RSA PKCS#1 v1.5 does not achieve indistinguishability and exploited this failure to mount a chosen ciphertext attack on some interactive key establishment protocols (e.g. SSL) constructed from it. Other problems of plain schemes are ....

[Article contains additional citation context not shown here]

Daniel Bleichenbacher. A chosen ciphertext attack against protocols based on the RSA encryption standard RSA PKCS #1. In H. Krawczyk, ed., Advances in Cryptology -- CRYPTO '98, vol. 1462 of Lecture Notes in Computer Science, pp. 1--12, Springer-Verlag, 1998.


A Computational Interpretation of Dolev-Yao Adversaries - Herzog (2003)   (7 citations)  (Correct)

....scheme will remain secure if the adversary has access to such oracles. It is important to consider the actions that honest participants take when the unexpected occurs; otherwise secure protocols and implementations have been successfully attacked through an exploitation of error conditions [11, 5]. ....

Daniel Bleichenbacher. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In Hugo Krawczyk, editor, Advances in Cryptology -- CRYPTO '98, volume 1462 of Lecture Notes in Computer Science, pages 1-12, 1998.


Observability Analysis - Detecting When Improved.. - Joye, Quisquater, Yen.. (2002)   (2 citations)  (Correct)

....the system (e.g. an indication about the case of fault, which may be observed due to change of behavior of components or parties within the system). The adversaries do not get actual outputs of the decryption device. We also employ such adversaries which introduce faults into ciphertexts (as in [5]) and ones which perform power analysis [21]. Our test case is the RSA system. In fact, RSA is undoubtedly the most widely used and accepted public key cryptosystem. Owing to this popularity, it is also perhaps the most cryptanalyzed system [7]. Furthermore, many optimizations and improvement ....

....is defined as the adversary's inability to make the difference between the encryptions of bits 0 and 1, or more generally, given a challenge ciphertext, to learn any information about the corresponding plaintext. This does not imply that the converse is necessarily true: Bleichenbacher [5] has shown that the (probabilistic) encryption standard RSA PKCS#1 v1.5 does not achieve indistinguishability and exploited this failure to mount a chosen ciphertext attack on some interactive key establishment protocols (e.g. SSL) constructed from it. Other problems of plain schemes are ....

[Article contains additional citation context not shown here]

Daniel Bleichenbacher. A chosen ciphertext attack against protocols based on the RSA encryption standard RSA PKCS #1. In H. Krawczyk, ed., Advances in Cryptology -- CRYPTO '98, vol. 1462 of Lecture Notes in Computer Science, pp. 1--12, Springer-Verlag, 1998.


Remote Timing Attacks are Practical - Brumley, Boneh (2003)   (12 citations)  (Correct)

....extended side channel attacks require special equipment and physical access to the machine. In this paper we only focus on the timing attack. We also note that our attack targets the implementation of RSA decryption in OpenSSL. We do not use timing attacks on the RSA padding used in SSL and TLS [2] since those attacks are less efficient and are specific to SSL/TLS. 2 OpenSSL's Implementation of RSA We begin by reviewing how OpenSSL implements RSA decryption and signing. We only review the details needed for our attack. OpenSSL closely follows algorithms described in the Handbook of Applied ....

Daniel Bleichenbacher. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. Lecture Notes in Computer Science, 1462, 1998.


Computational Soundness of Formal Adversaries - Herzog (2002)   (7 citations)  (Correct)

....secure protocols and implementations have been successfully attacked through an exploitation of error conditions. For example, it has been demonstrated that descriptive error codes provide the adversary with enough information to launch a chosen ciphertext attack against a widely used form of RSA [11, 4]. Hence, the way in which honest participants handle errors may undermine the security provided by the cryptography. Future work must address this issue, and must do it by analyzing the behavior of the participants in depth. In particular, the environment, which we abstracted away in our paper, ....

Daniel Bleichenbacher. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In Hugo Krawczyk, editor, Advances in Cryptology -- CRYPTO '98, volume 1462 of Lecture Notes in Computer Science, 1998.


Approaches to MixNets - Hill, Hwang, Molnar (1999)   (1 citation)  (Correct)

....offers clients a means of gaining information about their message and only their message. Cryptographic Primitives: Mixmaster 2.03 and the current release of 2.9b8 both use RSA with PKCS#1 1.5 padding for asymmetric encryption. This has been shown to be vulnerable to chosen ciphertext attack [Ble98]. The attack requires that the server distinguish properly formatted keys from improperly formatted ones for the adversary; we have not found a way to implement this attack for Mixmaster. Our scheme removes such concerns, assuming the validity of the random oracle model, by using OAEP. 13 5.2 ....

Daniel Bleichenbacher. Chosen ciphertext attacks against protocols based on rsa encryption standard pkcs. In Advances in Cryptology: CRYPTO '98. IACR, 1998. http://www.bell-labs.com/user/bleichen/papers/pkcs.ps.


Off-line generation of limited-use credit card numbers.. - Rubin, Wright (2002)   (1 citation)  (Correct)

....Web merchants only implement server authentication. Unfortunately, despite the use of SSL, there is no guarantee that the user is not being fooled by a malicious merchant [KR00] or, at least in earlier versions of SSL, that an outside attacker might not be able to break the encryption [Ble98]. There are several ways SSL can break down even if the encryption mechanism is not broken. Most users do not actually verify the certificate on a secure site. That is, most users simply look for the browser's indication that a page has been encrypted, such as Netscape's blue padlock, rather than ....

Daniel Bleichenbacher. Chosen ciphertext attacks against protocols based on RSA encryption standard PKCS #1. In Advances in Cryptology -- CRYPTO'98, LNCS vol. 1462, pages 1--12, 1998.


Off-line generation of limited-use credit card numbers.. - Rubin, al. (2001)   (1 citation)  (Correct)

....Web merchants only implement server authentication. Unfortunately, despite the use of SSL, there is no guarantee that the user is not being fooled by a malicious merchant [KR00] or, at least in earlier versions of SSL, that an outside attacker might not be able to break the encryption [Ble98]. There are several ways SSL can break down even if the encryption mechanism is not broken. Most users do not actually verify the certificate on a secure site. That is, most users simply look for the browser's indication that a page has been encrypted, such as Netscape's blue padlock, rather than ....

Daniel Bleichenbacher. Chosen ciphertext attacks against protocols based on RSA encryption standard PKCS #1. In Advances in Cryptology -- CRYPTO'98, LNCS vol. 1462, pages 1--12, 1998.


Security Protocols and their Properties - Abadi (2000)   (16 citations)  (Correct)

....it offers unclear guarantees. 5) As discussed in section 3, protocol specifications often do not explain how principals react when they perceive errors. Yet proper handling of errors can be crucial to system security. For example, in describing attacks on protocols based on RSA's PKCS #1 standard [15], Bleichenbacher reported that the SSL documentation does not clearly specify error conditions and the resulting alert messages, and that SSL implementations vary in their handling of errors. He concluded that even sending out an error message may sometimes be risky and that the timing of the ....

Daniel Bleichenbacher. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In Advances in Cryptology -- CRYPTO'98, volume 1462 of Lecture Notes in Computer Science, pages 1--12. Springer-Verlag, 1998.


Security Protocols and Specifications - Abadi (1999)   (8 citations)  (Correct)

....it offers unclear guarantees. 5) As discussed in section 2, protocol specifications often do not explain how principals react when they perceive errors. Yet proper handling of errors can be crucial to system security. For example, in describing attacks on protocols based on RSA's PKCS #1 standard [13], Bleichenbacher reported that the SSL documentation does not clearly specify error conditions and the resulting alert messages, and that SSL implementations vary in their handling of errors. He concluded that even sending out an error message may sometimes be risky and that the timing of the ....

Daniel Bleichenbacher. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In Advances in Cryptology -- CRYPTO'98, volume 1462 of Lecture Notes in Computer Science, pages 1--12. Springer-Verlag, 1998.


Observability Analysis - Detecting When Improved   (Correct)

No context found.

Daniel Bleichenbacher. A chosen ciphertext attack against protocols based on the RSA encryption standard RSA PKCS #1. In H. Krawczyk, ed., Advances in Cryptology -- CRYPTO '98, vol. 1462 of Lecture Notes in Computer Science, pp. 1--12, Springer-Verlag, 1998.


Observability Analysis - Detecting When Improved   (Correct)

No context found.

Daniel Bleichenbacher. A chosen ciphertext attack against protocols based on the RSA encryption standard RSA PKCS #1. In H. Krawczyk, ed., Advances in Cryptology -- CRYPTO '98, vol. 1462 of Lecture Notes in Computer Science, pp. 1--12, Springer-Verlag, 1998.


Tolerant Combiners: Resilient Cryptographic Design - Herzberg (2002)   (Correct)

No context found.

Daniel Bleichenbacher. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS#1. In Advances in Cryptology - CRYPTO '98, LNCS 1462, pages 1-12. Springer, 1998.


Observability Analysis - Detecting When Improved Cryptosystems.. - Joye, al. (2002)   (2 citations)  (Correct)

No context found.

Daniel Bleichenbacher. A chosen ciphertext attack against protocols based on the RSA encryption standard RSA PKCS #1. In H. Krawczyk, ed., Advances in Cryptology -- CRYPTO '98, vol. 1462 of Lecture Notes in Computer Science, pp. 1--12, Springer-Verlag, 1998.


Observability Analysis - Detecting When Improved Cryptosystems.. - Joye, al. (2002)   (2 citations)  (Correct)

No context found.

Daniel Bleichenbacher. A chosen ciphertext attack against protocols based on the RSA encryption standard RSA PKCS #1. In H. Krawczyk, ed., Advances in Cryptology -- CRYPTO '98, vol. 1462 of Lecture Notes in Computer Science, pp. 1--12, Springer-Verlag, 1998.


Observability Analysis - Detecting When Improved Cryptosystems.. - Joye, al. (2002)   (2 citations)  (Correct)

No context found.

Daniel Bleichenbacher. A chosen ciphertext attack against protocols based on the RSA encryption standard RSA PKCS #1. In H. Krawczyk, ed., Advances in Cryptology -- CRYPTO '98, vol. 1462 of Lecture Notes in Computer Science, pp. 1--12, Springer-Verlag, 1998.


CiteSeer.IST - Copyright Penn State and NEC