question about rsa encryption

Hagai Bar-El info at hbarel.com
Sun Feb 23 05:40:56 EST 2003 

Hello Scott,

At 03/02/03 21:50, Scott G. Kelly wrote:
>I have a question regarding RSA encryption - forgive me if this seems
>amateur-ish -, but 'm still a beginner. I seem to recall reading
>somewhere that there is some issue with directly encrypting data with an
>RSA public key, perhaps some vulnerability, but I can't find any
>reference after a cursory look. Does anyone know of any issue with using
>RSA encryption to encrypt a symmetric key under the target's public key
>if the encrypted value is public (e.g. sent over a network)?

Sorry for the delayed response.

As mentioned in the other postings, there are several technical problems 
with doing the RSA encryption in its most simple fashion by exponentiation 
and MOD calculation alone. However, in addition to all that was said, 
please note the following two general problems with such an approach, which 
apply not just to RSA but to any other asymmetric encryption when done 
directly on the plaintext:

First, when encrypting a plain-text block as it is, with no random (or 
otherwise variable) padding, you are actually performing encryption in an 
ECB mode. The ECB (and other) modes of operation are known in block-cipher 
contexts, but the problems related to using ECB are reflected well when you 
perform simple block-by-block encryption using an asymmetric cipher as 
well. Of course, RSA uses block sizes that are much larger than the 
"regular" 64-bit or 128-bit block sizes, so code-book attacks are much 
harder to mount in comparison to code-book attacks on DES-ECB, but are 
still possible. So, simple block-by-block encryption using RSA (or any 
other asymmetric cipher), leads to the same vulnerabilities that are caused 
by simple block-by-block encryption with DES or other block ciphers, 
especially when it comes to code-book attacks.

Second, there is a big inherent quality of all asymmetric ciphers which is 
that encryption can be simulated (by an opponent). Here is a brief 
explanation: When using symmetric encryption, an opponent who does not have 
the key cannot simulate neither correct decryption nor correct encryption, 
which means that he has no way (assuming the cryptographic algorithm is 
strong) to guess the plain-text unless he can guess the key. The only 
possible avenue of attack is therefore by brute-forcing the key. With 
"simple" asymmetric encryption, however, the encryption process can be 
simulated (repeated) by the opponent, hence he can obtain knowledge of the 
plaintext either by brute-forcing the key or by brute-forcing the 
plaintext, which might often be easier to do (for example, if the plaintext 
is one of known choices, or can otherwise be guessed). So, if you encrypt 
plaintext that may be guessed easily, the attacker can simply mount a 
brute-force attack on the plaintext to find what it is.

Again, please note that these two are true not just for RSA, but for any 
other asymmetric cipher if implemented without salting (or otherwise wisely 
manipulating) the plaintext.

Hope this helps.

Regards,
Hagai.



Hagai Bar-El - Information Security Analyst
Tel.: 972-8-9354152  Fax.: 972-8-9354152
E-mail: info at hbarel.com  Web: www.hbarel.com



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list