Lecture 9-Digital Signatures Flashcards
What main types of attacks are RSA and PK encryption systems vulnerable to?
Man-in-the-middle!
How to use RSA?
Used to encrypt a symmetric key. But never use it directly: add padding to the key to make it 2048 bits so RSA can encrypt it.
What is PKCS1?
The padding you can apply to your symmetric key before RSA (but insecure).
Eve can do a padding oracle attack and check the 16 MSBs to see if it’s garbage or not. The attack is called Bleichenbacher.
Summary of Bleichenbacher attack?
Get the first bit by guessing. Then you shift left with math operations and have it reveal the 2nd bit, etc.
What is the defense for Bleichenbacher?
If you get a garbage value, act normal and generate a random R. Decrypt it and eventually the session will get dropped because the secret key won’t match R.
What is a secure scheme for padding?
OAEP (optimal asymmetric encryption padding): secure if hashes H and G are random oracles
ElGamal Encryption
Once you fix a cyclic group G and a generator g, Alice creates her public key g^a and Bob creates g^b, and the secret key is g^ab. Derive the symmetric key k, and encrypt/decrypt the message with that key k.
What is the ElGamal performance like?
During encryption there are two exponentiations and during decryption there’s one. But encryption is not slower, because those two exponentiations can be precomputed; decryption cannot be precomputed.
What makes ElGamal secure under CCA?
Given g, g^a, g^b you can’t compute g^ab
What is a digital signature?
The sender digitally signs a document; it can be verified by Alice and can’t be forged.
Digital Signature vs MAC?
MAC: only the holder of a key can verify a signature; you can’t transfer it to someone else (they need the key). A MAC cannot provide non-repudiation (the signer can deny signing).
Digital signature is the opposite and has non-repudiation because the signature can be verified using a public key.
How does a digital signature work?
Bob hashes a message and signs it using his private key. Alice decrypts it using Bob’s public key and has the original message, and she hashes it. Both hashes should equal each other.
How is a digital signature secure?
If Eve can’t forge it (create a new valid (signature, message) pair).
What do you do for messages of arbitrary length to sign them?
Hash-and-sign paradigm: hash the message first to make it into a fixed-size digest before signing. As long as the hash is collision resistant, it is secure.
What are some attacks related to direct RSA signature?
You can easily compute the e-th root of the signature of m if m is small. You can sign random messages by choosing an arbitrary signature and calculating sig^e mod N. You can also easily combine two signatures to obtain a third.