question about rsa encryption
Hagai Bar-El
info at hbarel.com
Sun Feb 23 05:40:56 EST 2003
Hello Scott,
At 03/02/03 21:50, Scott G. Kelly wrote:
>I have a question regarding RSA encryption - forgive me if this seems
>amateur-ish -, but I'm still a beginner. I seem to recall reading
>somewhere that there is some issue with directly encrypting data with an
>RSA public key, perhaps some vulnerability, but I can't find any
>reference after a cursory look. Does anyone know of any issue with using
>RSA encryption to encrypt a symmetric key under the target's public key
>if the encrypted value is public (e.g. sent over a network)?
Sorry for the delayed response.
As mentioned in the other postings, there are several technical problems
with doing the RSA encryption in its most simple fashion by exponentiation
and MOD calculation alone. However, in addition to all that was said,
please note the following two general problems with such an approach, which
apply not just to RSA but to any other asymmetric encryption when done
directly on the plaintext:
First, when encrypting a plain-text block as it is, with no random (or
otherwise variable) padding, you are actually performing encryption in an
ECB mode. The ECB (and other) modes of operation are known in block-cipher
contexts, but the problems related to using ECB are reflected well when you
perform simple block-by-block encryption using an asymmetric cipher as
well. Of course, RSA uses block sizes that are much larger than the
"regular" 64-bit or 128-bit block sizes, so code-book attacks are much
harder to mount in comparison to code-book attacks on DES-ECB, but are
still possible. So, simple block-by-block encryption using RSA (or any
other asymmetric cipher), leads to the same vulnerabilities that are caused
by simple block-by-block encryption with DES or other block ciphers,
especially when it comes to code-book attacks.
Second, there is a big inherent quality of all asymmetric ciphers which is
that encryption can be simulated (by an opponent). Here is a brief
explanation: When using symmetric encryption, an opponent who does not have
the key can simulate neither correct decryption nor correct encryption,
which means that he has no way (assuming the cryptographic algorithm is
strong) to guess the plain-text unless he can guess the key. The only
possible avenue of attack is therefore by brute-forcing the key. With
"simple" asymmetric encryption, however, the encryption process can be
simulated (repeated) by the opponent, hence he can obtain knowledge of the
plaintext either by brute-forcing the key or by brute-forcing the
plaintext, which might often be easier to do (for example, if the plaintext
is one of known choices, or can otherwise be guessed). So, if you encrypt
plaintext that may be guessed easily, the attacker can simply mount a
brute-force attack on the plaintext to find what it is.
Again, please note that these two are true not just for RSA, but for any
other asymmetric cipher if implemented without salting (or otherwise wisely
manipulating) the plaintext.
Hope this helps.
Regards,
Hagai.
Hagai Bar-El - Information Security Analyst
Tel.: 972-8-9354152 Fax.: 972-8-9354152
E-mail: info at hbarel.com Web: www.hbarel.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
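
The following is an added example, not part of the original post. It contrasts exponentiation-only RSA with a salted variant to show the two properties described above: equal plaintexts give equal ciphertexts, and anyone holding the public key can check guesses. The demo key, the candidate list, all function names and the `0x01 || salt || message` layout are assumptions made for illustration; the layout is a simplified stand-in for a standardized padding scheme such as OAEP.

```python
import secrets

# Constructed demo key built from two Mersenne primes; far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                  # public key (n, e)
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, recipient only
SALT_LEN = 8                         # assumed salt size for this illustration
CANDIDATES = [b"BUY", b"SELL", b"HOLD"]   # constructed small message space

def encrypt_raw(msg: bytes) -> int:
    """Exponentiation and mod alone: c = m^e mod n, fully deterministic."""
    m = int.from_bytes(msg, "big")
    if m >= N:
        raise ValueError("message too long for this modulus")
    return pow(m, E, N)

def encrypt_salted(msg: bytes) -> int:
    """Same primitive over 0x01 || fresh random salt || msg."""
    return encrypt_raw(b"\x01" + secrets.token_bytes(SALT_LEN) + msg)

def decrypt_salted(c: int) -> bytes:
    """Recipient side: undo the exponentiation, then drop marker and salt."""
    m = pow(c, D, N)
    block = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return block[1 + SALT_LEN:]

def guess_plaintext(c: int, candidates, encrypt=encrypt_raw):
    """What anyone with the public key can do: re-encrypt guesses and compare."""
    for guess in candidates:
        if encrypt(guess) == c:
            return guess
    return None

if __name__ == "__main__":
    c1, c2 = encrypt_raw(b"SELL"), encrypt_raw(b"SELL")
    print("raw: repeated plaintext gives equal ciphertext:", c1 == c2)
    print("raw: recovered without the private key:", guess_plaintext(c1, CANDIDATES))
    s1, s2 = encrypt_salted(b"SELL"), encrypt_salted(b"SELL")
    print("salted: repeated plaintext gives equal ciphertext:", s1 == s2)
    print("salted: recovered by guessing:", guess_plaintext(s1, CANDIDATES, encrypt_salted))
    print("salted: recipient decrypts:", decrypt_salted(s1))
```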