The Evolution of Cryptography From Caesar To RSA: Investigations in the Flaws and Advantages Jeffrey Buttaccio Sam Heald CPS 182s: Final Project Due 12/10/03

The Evolution of Cryptography - courses.cs.duke.edu



Abstract:

This paper examines the practical utility of RSA encryption as a means of securing data. Announcements over the past ten years concerning the factoring of RSA challenge keys have raised doubts about the security of RSA. After all, the inventors of RSA initially claimed that such keys would take millions of years to break. Our analysis is divided into two parts: the history of cryptography, and RSA. The history of cryptography shows that cryptography improves under pressure from cryptanalytic techniques: once a flaw in a technique is uncovered, the cryptography changes to remove the flaw and make itself more secure. RSA did not come from nothing, but from a series of cryptographic developments that evolved into the dominant scheme that exists today. In examining the ways that earlier techniques failed, we also show how RSA has improved upon those flaws. The second half of the paper analyzes RSA in depth, both its algorithm and its implementations. RSA can be subverted, and alternative cryptographic techniques exist, but RSA remains the most practical form of public-key cryptography to date and for the foreseeable future.

Thesis:

Throughout history, there has been a constant battle between the cryptographers who encrypt and the cryptanalysts who break the encryption. Recently, there have been a series of findings concerning flaws and leaks in implementations of RSA encryption. Coupled with the latest news of a larger RSA challenge number being factored, the credibility of RSA has been called into question. However, RSA represents an extraordinarily secure encryption scheme that is not threatened by many forms of subversion. With careful attention to implementation, RSA still represents a nearly unbreakable cryptographic scheme that is the direct result of centuries of cryptographic evolution.

1. Introduction

Often, two parties need to send messages securely without worrying about a third party intercepting the message in transit. For instance, a military campaign based upon surprise still needs to coordinate its attack. The science of cryptography grew out of the need to ensure that a message would remain secure even if it were intercepted along the way. The field has a long and diverse history, and the encryption schemes it has produced speak to the hybrid nature of encryption, split between art and science. From the simple Caesar shift, to the Enigma machine, through RSA encryption, and on to quantum cryptography, the field has progressed in leaps and bounds toward the ever-present goal of an absolutely indecipherable encryption scheme. While that goal may one day be reached with quantum cryptography, the field is not in danger of dying out. RSA is, for practical purposes, an indecipherable encryption system. Its weaknesses boil down to three factors: (1) the reliance on a private key that must be kept secret, (2) the dependence on the difficulty of factoring the product of two large primes, and (3) the limitations of modern computers. The latter two are interrelated, in that modern computers are limited in their ability to factor. As factoring algorithms improve and computers become faster, RSA keys of a given size become less secure. The reliance on a secret private key is the weak point that attackers have most often tried to exploit. However, with proper implementation, all three issues can be avoided to a large degree. While the press gives attention to poor implementations that leak keys, RSA offers a superb encryption scheme that will not be compromised in the near future.

2 History of Cryptography

Cryptography is the science of scrambling data in order to prevent unintended parties from deciphering and reading it. Classical cryptography can be divided into two categories: transposition and substitution. Transposition involves the systematic rearrangement of the data. For example, a simple transposition algorithm would group the characters of a text into pairs and swap each pair, so that "ABCD" becomes "BADC". A scheme like this represents bad security, because once the algorithm is known, all past and future ciphertext is compromised: there is no key to change. For this reason, keyless transposition alone is not an effective cryptographic technique. As the name implies, substitution replaces each unit of plaintext with a cipher value. The effectiveness of a substitution cipher depends on how easily a third party could determine the key with which the data was encrypted; the greater the number of keys that must be checked, the more secure the algorithm. The argument for keyed substitution over keyless transposition is summed up by the "Dutch linguist Auguste Kerckhoffs von Nieuwenhof...: 'Kerckhoffs' principle: The security of a cryptographic system must not depend on keeping secret the cryptoalgorithm. The security depends only on keeping secret the key.'"i Cryptanalysis is the science of breaking cryptography. As cryptography has evolved, its methods have become more and more advanced to counter cryptanalytic techniques.

2.1.1 Caesar Shifts:

The Roman Empire used one of the earliest recorded substitution ciphers. Named for Julius Caesar, the Caesar shift seems very basic by modern standards. However, prior to the technological advances of the past century, the technique was in use for nearly two millennia, from the time of Caesar in the first century B.C. to the American Civil War.ii The technique shifts each letter a fixed number of places along the alphabet. For example, a shift of 3 encrypts 'A' as 'D'. The alphabet wraps around, so that 'Z' shifted once becomes 'A'. To standardize the text, every character is converted to uppercase and all punctuation is removed. Suppose we wish to encrypt Caesar's famous quotation "veni, vidi, vici" (I came, I saw, I conquered) with a shift of three. The plaintext "VENI VIDI VICI" becomes "YHQL YLGL YLFL".

A simple mechanical implementation can be seen in the Alberti cipher disk, named for its inventor, Leone Battista Alberti. The alphabet is written around a stationary inner disk and a free-moving outer disk, so that encryption and decryption take place easily by rotating the outer disk (see Appendix A). Our program treats each letter as an index into the alphabet and the shift as an increase in that index, so the encrypted character lies a shifted amount higher than the actual character. In Java code:

import java.io.InputStream;
import java.io.PrintStream;
import java.util.Scanner;

private final String myAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
private int myShift;

// strip away punctuation (anything that is not a letter) and make uppercase
private String stripPunc(String word) {
    return word.toUpperCase().replaceAll("[^A-Z]", "");
}

public void doEncrypt(InputStream in, PrintStream out) {
    Scanner scanner = new Scanner(in);
    // read in each word from in
    while (scanner.hasNext()) {
        String word = stripPunc(scanner.next());
        // iterate over the word
        for (int k = 0; k < word.length(); k++) {
            // get index of current char in alphabet
            int i = word.charAt(k) - 'A';
            // add the shift (mod 26 to wrap around)
            i = (i + myShift) % 26;
            // output the encrypted character
            out.print(myAlphabet.charAt(i));
        }
        out.print(' ');
    }
}

This simple technique cannot be decrypted at a glance, which is why it was used for so long. However, given time and an Alberti cipher disk, one merely has to try all twenty-five possible shifts before finding the right one. A computer program (SimpleCaesarBreak) can run all possible shifts, look up the decrypted words in a dictionary, and find the shift that was used instantly. This brute-force technique renders the Caesar shift worthless against any serious adversary.

2.1.2 Random Substitution Ciphering:

The security of a monoalphabetic substitution cipher can be improved dramatically by discarding the reliance on the order of the alphabet. Rather than shifting the alphabet, one randomly maps each letter to a letter of a cipher alphabet. For example, 'A' might encrypt to 'R' and 'B' to 'D'. There are 26! (about 4 x 10^26) possible cipher alphabets. Even the fastest computers of modern times would take a very long time to try every one. "If an enemy agent were to check one of the possible keys per second, it would take roughly a billion times the lifetime of the universe to check all of them and decipher the message."iii

2.1.3 Breaking Single Substitution Ciphers:

Cryptanalysis has shown that deciphering a randomly chosen cipher alphabet can take far less time than the estimate above. First noticed by Arab scholars in the ninth century, letter frequency is fairly predictable. Depending on the language being used, certain letters occur more frequently than others; in English, for example, 'E' occurs much more frequently than 'Q'. A complete table is available in Appendix B. Because each plaintext letter is always replaced by the same cipher letter, each cipher character occurs exactly as often as its plaintext counterpart, so the most frequent cipher characters correspond to the most frequent plaintext characters. Small excerpts of text may vary from the expected frequencies, but on larger encrypted texts the frequencies vary only within about half a percent of the norm. Using frequency analysis, a cryptanalyst can make educated guesses and deduce the cipher alphabet being used.

We set out to demonstrate the effectiveness of this technique by encrypting a section of Twain's "The Notorious Jumping Frog of Calaveras County" with a randomly generated cipher alphabet. First, the program counts the occurrences of each cipher character in the file. Each cipher character's frequency is then compared to the expected frequency of each plaintext character. Then the program iterates over the file a second time. For each word, it tries the five best matches for each character. Once a combination is found that matches a word in the dictionary, a portion of the cipher alphabet has been uncovered, and those characters are marked as the "best match". If later words contradict the match, the cipher alphabet is updated accordingly. If no match occurs, the program assumes a misspelling or an odd character and moves on. We were unable to get the program working, but we could see the effectiveness of the technique: no frequency within the text file varied more than one percent from the expected frequency.
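The two attacks described in sections 2.1.1 and 2.1.3 share one idea, comparing letter counts against an English frequency table, so a single added example (written for this edit, not the authors' SimpleCaesarBreak or their substitution breaker) covers both. It exhausts the 26 Caesar shifts and scores each candidate with a chi-squared statistic against expected English frequencies instead of a dictionary lookup, and it performs the first pass of frequency analysis on a random monoalphabetic substitution: pairing cipher letters with plaintext letters in frequency order. The frequency table is a standard published one and the sample text is constructed here, not the Twain excerpt the authors used.

```python
import random
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Expected English letter frequencies in percent (a standard published table of the
# kind the paper's Appendix B reproduces).
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 0.98, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.074,
}

def normalize(text):
    """Uppercase and drop everything that is not a letter, as the paper's stripPunc does."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)

def caesar(text, shift):
    """Shift every letter by `shift` places (a negative shift decrypts)."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + shift) % 26] for ch in normalize(text))

def chi_squared(text):
    """Distance between the letter counts of `text` and English; lower is more English-like."""
    text = normalize(text)
    counts = Counter(text)
    total = 0.0
    for ch in ALPHABET:
        expected = ENGLISH_FREQ[ch] * len(text) / 100
        total += (counts[ch] - expected) ** 2 / expected
    return total

def break_caesar(ciphertext):
    """Exhaustive search: try all 26 shifts, keep the one whose output looks most like English.
    Returns (shift, plaintext)."""
    best = min(range(26), key=lambda s: chi_squared(caesar(ciphertext, -s)))
    return best, caesar(ciphertext, -best)

def random_cipher_alphabet(seed=2003):
    """One of the 26! monoalphabetic substitution keys: plain letter -> cipher letter."""
    letters = list(ALPHABET)
    random.Random(seed).shuffle(letters)
    return dict(zip(ALPHABET, letters))

def substitute(text, key):
    return "".join(key[ch] for ch in normalize(text))

def frequency_guess(ciphertext):
    """First pass of frequency analysis: pair cipher letters with English letters in
    descending order of frequency. Returns cipher letter -> guessed plain letter."""
    counts = Counter(normalize(ciphertext))
    cipher_order = sorted(ALPHABET, key=lambda c: -counts[c])
    plain_order = sorted(ALPHABET, key=lambda c: -ENGLISH_FREQ[c])
    return dict(zip(cipher_order, plain_order))

def apply_guess(ciphertext, guess):
    return "".join(guess[ch] for ch in normalize(ciphertext))

# Constructed sample plaintext (not the Twain excerpt the paper used).
SAMPLE = ("The history of cryptography shows that every cipher is eventually tested by "
          "cryptanalysts, and that once a weakness is found the designers change the "
          "system to remove it. The Caesar shift fell to exhaustive search, the random "
          "substitution cipher fell to frequency analysis, and the Vigenere cipher fell "
          "to the discovery of the repeating period of its keyword.")

if __name__ == "__main__":
    shift, recovered = break_caesar(caesar(SAMPLE, 3))
    print("Caesar shift recovered:", shift)
    key = random_cipher_alphabet()
    guess = frequency_guess(substitute(SAMPLE, key))
    print("most frequent cipher letter is guessed to be:", guess[key["E"]])
```

The first-pass guess only pins down the very frequent letters reliably; the authors' second pass (trying the next few best matches per letter against a dictionary) is what resolves the rest, and on a short text even 'E' can be displaced.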

2.2 KeyText Substitution:

KeyText substitution (a book cipher) is a more complicated substitution that avoids the problem of having only one cipher alphabet. First, a source keytext is chosen, and the first character of each word is given a number based on that word's position within the text. Each letter of the alphabet therefore has a set of numbers, any of which can encode it. To encode a message, every character of every word is replaced by one of its corresponding numbers. For example, suppose the word "the" is to be encoded and the keytext is "I hate to experiment with monkeys". First, the words are numbered by their initial letters: "I1 h2ate t3o e4xperiment w5ith m6onkeys". Then each letter of the message is replaced by a corresponding number, so "the" is encoded as "3 2 4".
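An added implementation of the scheme just described (example code written for this edit, not the authors' program). It numbers the words of an arbitrary keytext, encodes each message letter as the number of some word beginning with that letter, chooses at random when several words qualify, and decodes with nothing but the keytext; the keytexts used are constructed here.

```python
import random
from collections import defaultdict

def build_index(keytext):
    """Number the words of the keytext from 1 and record, for each initial letter,
    the numbers of the words that begin with it."""
    index = defaultdict(list)
    for number, word in enumerate(keytext.split(), start=1):
        if word[0].isalpha():
            index[word[0].upper()].append(number)
    return index

def encode(message, keytext, rng=None):
    """Replace each letter of the message by the number of a keytext word that starts with it.
    When several words qualify, one is chosen at random, so repeated letters need not repeat."""
    rng = rng or random.Random(0)
    index = build_index(keytext)
    numbers = []
    for ch in message.upper():
        if not ch.isalpha():
            continue
        if ch not in index:
            raise ValueError("keytext has no word beginning with " + ch)
        numbers.append(rng.choice(index[ch]))
    return numbers

def decode(numbers, keytext):
    """The receiver only needs the keytext: take the first letter of each numbered word."""
    words = keytext.split()
    return "".join(words[n - 1][0].upper() for n in numbers)

def homophones_per_letter(keytext):
    """How many numbers each letter can hide behind; a letter with a single number
    appears in the ciphertext exactly as often as in the plaintext."""
    return {letter: len(nums) for letter, nums in build_index(keytext).items()}
```

A keytext as short as the six-word example gives every letter one number, so the cipher is just a monoalphabetic substitution and falls to the frequency analysis of section 2.1.3; a long keytext gives common letters many numbers, which is what makes the Beale-style cipher hard.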

While this may seem a very simple form of encryption, the Beale ciphers are a testament to its strength. In 1885, an anonymous author published the Beale ciphers in a pamphlet consisting of three encrypted letters. The second had been decrypted using the Declaration of Independence as the keytext; it described a fortune, worth over 20 million dollars at today's bullion prices, supposedly buried somewhere in the hills of Virginia. Despite more than a hundred years and countless attempts, the contents of the first and third letters remain a mystery.iv Without the keytext, this type of encryption is very hard to break, and if the keytext is something that was never mass-produced, say a person's diary, discovering it becomes harder still. (It is still a substitution, though: with a short keytext each letter has only one or two numbers, and frequency analysis applies again.) Despite the potential reward of 20 million dollars, nobody has uncovered the Beale treasure, and many people have dug in the wrong places after convincing themselves they had broken the cipher. Unfortunately, this sort of encryption is impractical on a large scale, and it is useless once the keytext is known. It therefore only works for very personal, individualized correspondence such as the Beale letters.

2.3 Vigenère Cipher:

Introduced to the world in 1586 by Blaise de Vigenère, the Vigenère cipher was pronounced le chiffre indéchiffrable, the undecipherable cipher. While Vigenère simply expanded the concept of the Caesar shift, it ushered in a whole new era of encryption. The reason the Vigenère cipher was such a great improvement over the Caesar shift was that it defeated straightforward frequency analysis. The cipher works with what is called a Vigenère square, a matrix of 26 Caesar-shifted alphabets. The first row, with a shift of one, starts with 'B' and runs through the alphabet to 'A'; the second row starts with 'C' and ends with 'B' (see Appendix C); and so on for 26 rows, the last being the unshifted alphabet, giving a 26 by 26 square.

To encode a message, a codeword must be chosen. For the purposes of this essay, the codeword will be 'CAT'. To encode the message "SUPER", the first letter of the codeword selects the row: reading along the row that begins with 'C' until it meets the column headed 'S' gives the first ciphertext letter, 'U'. Repeating the process with the second letter of the codeword and so on, the encoded word turns out to be UUIGR.

Codeword:   CATCA
Plaintext:  SUPER
Ciphertext: UUIGR

The codeword repeats until the message is fully encrypted. Because the keyword applies a different shift to each letter, the same plaintext letter can encrypt to different cipher letters, and different plaintext letters to the same cipher letter; in the example above, both 'S' and 'U' became 'U'. Frequency analysis of the ciphertext as a whole is therefore meaningless.

Unfortunately, this technique is not without its flaws. Using a combination of pattern recognition and cribbing, a cryptanalyst can determine the keyword used to encrypt a text. The cipher repeats with a period equal to the length of the keyword, so repeated fragments in the ciphertext tend to lie a multiple of the keyword length apart. One can also assume that common words such as "the" and "and" occur somewhere in a long text. The cryptanalyst places those words at candidate positions in the plaintext and deduces the keyword by reversing the process. Cribbing is the process of finding the key by guessing or knowing a single word or phrase of plaintext that has been encrypted. If one knows that "THE" was encrypted as "VHR", subtracting plaintext from ciphertext letter by letter (V minus T, H minus H, R minus E) reveals three consecutive letters of the keyword, C, A, N. The technique of guessing the content to break the encryption is still employed today.
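An added example (written for this edit, not the authors' code) of both halves of the section: Vigenère encryption and decryption against the square, and the attack just described, namely estimating the keyword length from the distances between repeated ciphertext trigrams (the Kasiski examination) and then recovering keyword letters by cribbing a guessed word at a position. The plaintext is constructed so that "the" recurs at positions that are all multiples of three.

```python
from collections import defaultdict

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def normalize(text):
    return "".join(ch for ch in text.upper() if ch in ALPHABET)

def vigenere(text, key, decrypt=False):
    """Shift each letter by the corresponding letter of the repeating key
    (the row of the Vigenere square); subtract instead of add to decrypt."""
    text, key = normalize(text), normalize(key)
    out = []
    for i, ch in enumerate(text):
        k = ALPHABET.index(key[i % len(key)])
        if decrypt:
            k = -k
        out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
    return "".join(out)

def key_from_crib(cipher_fragment, plain_fragment):
    """Cribbing: ciphertext letter minus plaintext letter is the key letter at that position."""
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(p)) % 26]
                   for c, p in zip(normalize(cipher_fragment), normalize(plain_fragment)))

def kasiski_key_length(ciphertext, n=3, max_len=20):
    """The cipher repeats with the period of the keyword, so identical plaintext n-grams
    whose positions agree modulo the period encrypt identically. Collect the distances
    between repeated ciphertext n-grams and pick the period that divides most of them
    (smallest period on a tie)."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        positions[ciphertext[i:i + n]].append(i)
    distances = [b - a for pos in positions.values() for a, b in zip(pos, pos[1:])]
    if not distances:
        return None
    return max(range(2, max_len + 1),
               key=lambda length: (sum(d % length == 0 for d in distances), -length))

def recover_key(ciphertext, crib, position, key_length):
    """Place a guessed plaintext word at `position` and fill in the key letters it reveals;
    key letters not yet known are shown as '?'."""
    key = ["?"] * key_length
    fragment = key_from_crib(ciphertext[position:position + len(crib)], crib)
    for offset, letter in enumerate(fragment):
        key[(position + offset) % key_length] = letter
    return "".join(key)

# Constructed plaintext: "the" occurs at letter positions 0, 9, 24 and 45, all multiples
# of 3, so under a 3-letter key every occurrence becomes the same ciphertext trigram.
PLAINTEXT = "The dog saw the cat running by the red fox jumps over log the end of this story"
KEY = "CAT"

if __name__ == "__main__":
    ct = vigenere(PLAINTEXT, KEY)
    length = kasiski_key_length(ct)
    print("ciphertext:", ct)
    print("estimated key length:", length)
    print("key from crib THE at position 0:", recover_key(ct, "THE", 0, length))
```

On real text the trigram distances include coincidences, which is why the function counts divisors rather than taking a plain greatest common divisor; a crib placed at the wrong position yields key letters that decrypt the rest of the text to gibberish, which is the signal to move the crib.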

2.4 Enigma:

The military Enigma machine worked with three scrambler discs (rotors), a plugboard with six cables, and a reflector. Each scrambler was wired internally so that a signal entering on one side left on another. The design was related to the Alberti cipher disk, except that the substitution was an arbitrary permutation rather than a Caesar shift. If an 'A' was passed through a scrambler, a different letter would light up on the other side, and in each rotor position the scrambler substituted differently. After each letter was encrypted, the first disc rotated by one position (1/26th of a turn), so that 'A' typed twice would give two different cipher letters. In fact, 'A' could be typed 26^3 = 17,576 times in a row before the rotor positions, and hence the sequence of substitutions, repeated. To further complicate the scheme, two additional scramblers were later supplied, so that three were chosen from five, and the plugboard swapped pairs of letters before and after the scramblers. A third party would have to know which scramblers were used, in which order, what their starting positions were, and how the plugs were configured; the number of possible settings comes to roughly 10,000,000,000,000,000 (10^16). Another feature of the Enigma was the reflector, which made the machine self-reciprocal: a receiver with the same settings could type in the encrypted message and receive the original message back. A combination of engineering and cryptanalytic genius broke the Enigma through pattern recognition and cribbing. Alan Turing, of Turing machine fame, is largely credited with that momentous task; his electromechanical bombes proved invaluable in turning the tide of World War II toward the Allies.

3 The Present/RSA

RSA, generally credited as the first practical public-key encryption scheme, was designed by Rivest, Shamir, and Adleman in 1977. Public-key cryptography is asymmetric: it uses two keys, one public and one private. The keys are derived from the product of two large prime numbers, and the private key can be deduced from the public key only by factoring that product. RSA's security therefore rests on the difficulty of factoring very large numbers. Factoring techniques are improving, but their running time grows with the size of the number, so large numbers still take significant time. "The advances in factoring technique, computing power and the decrease in the cost of computing hardware. These things, especially the first one, work against the security of RSA."v While an extraordinary leap in our ability to factor large numbers is possible, it is unlikely and poses a minimal threat to RSA. The second and third threats pose the more immediate danger and are looked at in more depth in section 3.3.

3.1 How RSA Works:

As stated earlier, RSA is an asymmetric encryption scheme that uses two keys, a public and a private key. RSA can be understood in six steps:

1. Two large prime numbers, p and q, are chosen. The larger the primes, the safer the RSA encryption will be.

2. The primes are multiplied together to get the modulus N = p x q. Another number e, the public exponent, is also chosen; it must have no factor in common with (p - 1)(q - 1).

3. The numbers N and e can be published, because they are all that is needed to encrypt a message to the user. The number e could be the same for everyone; N must be different for every user.

4. To encrypt a message, it must first be turned into a single number M smaller than N, for example by concatenating the ASCII (binary) representations of its characters. The ciphertext is then C = M^e (mod N).

5. The receiver can decipher the ciphertext because the receiver knows p and q. With those two numbers, the decryption exponent d is determined from e x d = 1 (mod (p - 1)(q - 1)). Finding d is not ordinary arithmetic, but the extended Euclidean algorithm computes it quickly and easily.

6. Finally, with d known, the ciphertext is deciphered using M = C^d (mod N).vi

In short, the public key is (N, e) and the private key is (N, d). One cannot calculate d without factoring N. Ideally, p and q are destroyed once the two keys are made, so nobody can recover a lost private key.

3.2 PGP

PGP stands for Pretty Good Privacy. PGP combines features of both conventional (symmetric) and public-key cryptography: it is a hybrid cryptosystem. When a user encrypts plaintext with PGP, PGP first compresses the plaintext. Compression saves transmission time and disk space and, according to PGP's documentation, strengthens security, because most classical cryptanalysis exploits patterns in the plaintext and compression reduces those patterns. (Files that are too short to compress, or that do not compress well, are not compressed.) Compression is not a substitute for a strong cipher, however; PGP's security rests on the cipher and the keys, not on compression.

PGP then creates a session key, a one-time secret key. This key is a random number generated from the random movements of your mouse and the keystrokes you type. The session key drives a fast, secure conventional encryption algorithm that encrypts the plaintext; the result is ciphertext. The session key itself is then encrypted with the recipient's public key, and this public-key-encrypted session key is transmitted along with the ciphertext.

Decryption works in reverse. The recipient's copy of PGP uses his or her private key to recover the session key, which PGP then uses to decrypt the conventionally encrypted ciphertext.vii

3.3 Breaking RSA:

As mentioned previously, there are three current risks to RSA encryption: advances in factoring technique, increased computing power, and the falling price of computer hardware. We will look at the threats posed by these and by a few others.

3.3.1 Brute Force/Active Attacks:

Active attacks target the encryption itself by recovering the private key. They rely on factoring very large numbers using large amounts of computing power and the most advanced factoring algorithms. RSA Security posed challenges to the cryptanalytic community to factor specific numbers of the kind used by its algorithm.

In 1994, Arjen Lenstra of Bellcore, in Red Bank, New Jersey, announced that RSA-129 had been factored. The name comes from the number of decimal digits, 129, in the modulus N. While they may not seem very large, the two primes p and q were 64 and 65 digits long. Nonetheless, the task required six hundred computers working in tandem for eight months. The breakthrough was made possible by a combination of a newer, more efficient factoring algorithm and a great deal of computing power working in parallel. When RSA was introduced to the world in 1977,viii it was presented with a 129-digit challenge key, and the authors believed that such a key would take millions of years to break. They were proven dramatically wrong. This was the first publicly announced factoring of a legitimate RSA challenge key.ix

On December 5, 2003, a team supported by Germany's Federal Office for Information Security announced the factorization of a 174-digit number. A method called lattice sieving was employed to factor it. At the time of writing, this is the largest known RSA challenge number to be factored.x (A 174-digit modulus is 576 bits, still well short of the 1024-bit keys in common use.)

Both examples used a combination of newer factoring algorithms and a lot of computing power. There also seems to be a trend toward shorter intervals between record factorizations: while there was a five-year interval between the factoring of RSA-129 and RSA-140, only nine months separated RSA-160 and RSA-174. This points to the success that brute force has had, and will continue to have, as computers become faster and cheaper. Furthermore, advances in number theory that improve factoring will only accelerate the breaking of larger RSA keys.

Despite these announcements, RSA remains safe. To factor the challenge keys, the teams employed distributed processing across networks of hundreds of computers. A key the size of RSA-129 or RSA-174 is still safe from all but the most dedicated attackers. Furthermore, users can always choose larger primes for p and q; number theory proves that there are infinitely many primes.xi As a result, brute force does not pose a serious threat to RSA, and barring the discovery of a method that factors numbers in polynomial time, RSA will accommodate advances in computing power simply by choosing larger and larger primes for the key.

3.3.1.1 Trojan Horses:

While Trojan horse attacks are unlikely, they are possible. A malicious coder could create a program, or modify an existing one, so that it looks, feels, and acts like a legitimate program. PGP is particularly exposed to this kind of attack because of its position as the most widely used RSA client. Such clandestine software could store the passphrase and private key and upload them to a database when the user connects to the Internet. With a user's private key, any message sent to that user could be decoded as easily as by the user. While these attacks present a security risk, they would be fairly complicated to carry out. Furthermore, only incoming messages to the user with the compromised private key could be decrypted by a third party; to decrypt outgoing messages, the recipient's private key would also be needed. These attacks pose only a minimal risk to RSA security because of the difficulty of writing such software and getting it widely distributed before any flags were raised.xii

3.3.2 Passive Attacks:

Passive attacks do not attempt to break RSA encryption, but rather to subvert it. They offer a more realistic route to the contents of an RSA-encrypted message, mostly by exposing a user's key.

3.3.2.1 Keystroke Snooping:

Keystroke snooping works to defeat RSA encryption by the simple observation that anyone with access to a user's private key can decode the user's messages. It uses a program installed on the computer without the user's knowledge; with some operating systems, the software can be installed over a network. The keystroke snooper records the user's keystrokes, so any passphrase that grants access to an RSA client such as PGP can be compromised. After the passphrase is obtained, the infiltrator could either remove the software and destroy any evidence that it was ever installed, or the program could connect to the Internet and transfer the information to a database. With access to the RSA client, the infiltrator could recover the user's private key, or simply view the decoded messages. The infiltrator could then decrypt any messages sent to the user with the stolen private key and, with the passphrase, could simply access the client and assume the identity of the user. Keystroke snooping appears to pose the biggest threat to RSA security: the programs are relatively easy to write, take little time to install, and can work unbeknownst to the user. While this form of attack provides the biggest threat of compromising RSA security, it is still a reasonably small risk.

3.3.2.2 Tempest/Van Eck Snooping:

Van Eck snooping works on the same principle as keystroke snooping: if a user's access password to their RSA client is obtained, their security is compromised. It relies on the fact that computer displays emit an identifiable electromagnetic signature. A small receiver operating in the 22 MHz range (the pixel frequency) would detect the video signal minus the horizontal and vertical sync signals. If the receiver were placed inside the computer itself, the signal strength would be more than adequate to provide a quality source. The device would then retransmit the collected data in real time to a remote surveillance vehicle or site, where the video and keyboard data would be stored on a video or digital storage medium.

At a forensic laboratory, technicians would recreate the original screens and the data entered into the monitored computer. They would add a vertical sync signal of about 59.94 Hz and a horizontal sync signal of about 27 kHz to stabilize the picture. In addition, the captured data would be "cleansed": spurious noise in the signal would be stripped using Fast Fourier Transform techniques in either hardware or software.xiii A receiver does not necessarily need to be placed inside the target's computer; conceivably, a receiver could be directed at the computer from outside the house. However, as the distance increases, so does the background interference, so the farther the receiver is from the target, the more information is lost and the harder the images are to reconstruct.

With the ability to reconstruct all screen images, RSA would be compromised. Not only would access passwords be revealed, but the messages themselves could be read in real time as the target opens their RSA client. This method of attack requires very sophisticated equipment and would most likely be employed by governmental agencies such as the FBI. Since the costs involved make this form of attack infeasible for the majority of people and organizations, it does not pose a serious threat to RSA encryption.

3.4 Bad Implementations of RSA:

As demonstrated in section 3.3, RSA encryption provides the user with a very strong method of encrypting their data, and there is minimal threat of the private key being discovered by factoring the public key. The threat to RSA encryption arises when the encryption is subverted and the attacker exposes the private key through a method such as keystroke snooping. The weak point of RSA is not the encryption; it resides in poor implementations of a strong encryption.

3.4.1 SSL/TLS:

In March 2003, three cryptographers, Vlastimil Klíma, Ondřej Pokorný, and Tomáš Rosa, published a paper exposing a flaw in the way SSL/TLS implementations handled RSA encryption under the Public Key Cryptography Standard PKCS #1 version 1.5, whereby the premaster secret could be recovered. The premaster secret is the value from which the one-time session keys of an SSL/TLS session are derived. By sending a large number of chosen ciphertexts (modified versions of a captured encrypted premaster secret) and observing the server's responses, an attacker can recover the premaster secret of a previously captured session, and with it compute the master secret and session keys and decrypt the captured session.

“A widely accepted defense against the Bleichenbacher attack is for an RSA/PKCS #1 application to discard a malformed premaster secret, replace it with a random value, and proceed to generate a master secret and session keys. Since the client and server use different values for the premaster secret, they will generate different session keys, and the SSL/TLS session will fail.

The Klíma-Pokorný-Rosa attack exploits server responses to an incorrect or unexpected SSL/TLS version number that is included as part of the premaster secret. If a server decrypts a properly formatted PKCS #1 premaster secret and discovers that the SSL/TLS version number is not what was expected, the server may immediately send an error message. The authors term a server that exhibits this behavior a "bad version oracle (BVO)." Instead of using an error response to improper PKCS #1 formatting, this new attack uses an error response to an incorrect SSL/TLS version number”xiv

In this instance, an attacker could exploit an error in an implementation of the RSA key

exchange, not in RSA itself, to recover the premaster secret and from it the session keys;

with the session keys, the captured traffic can be decrypted. Once the error was reported,

patches were released that make a server treat a wrong version number exactly as it treats

bad padding, substituting a random premaster secret and continuing the handshake, so that

the attacker no longer receives a distinguishing response. Even though there was a weakness

in the RSA implementation, it was corrected very soon after it was discovered. The lesson

for implementers is that any observable behavior that depends on the decrypted contents of

an RSA ciphertext, whether a different error message or a measurable difference in timing,

can become an oracle of this kind.
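To make the oracle concrete, here is a toy model of the server side of the RSA key exchange, written for this page rather than taken from the paper or from any SSL/TLS implementation. The RSA key (built from two Mersenne primes so that no prime search is needed; such primes are useless for real keys), the 48-byte premaster-secret layout and the alert names are the example's own assumptions. The vulnerable server answers a bad-padding probe, a wrong-version probe and a genuine ClientKeyExchange in three distinguishable ways; the hardened server, following the defense quoted above, answers all three identically and quietly substitutes a random premaster secret, so an attacker who tampers with a captured ciphertext (the `blind` probe, c' = c · s^e mod N) learns nothing from the response.

```python
"""Toy model of the SSL/TLS RSA key exchange showing why a server's visible
reaction to a bad premaster secret must not vary.  Added illustration, not
code from the paper or from any SSL/TLS library; the key, the premaster
secret layout and the alert names are assumptions made for the example."""
import os
from math import gcd

# Toy RSA key from two Mersenne primes (trivially recognisable, never use
# such primes for a real key; they only keep the example self-contained).
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)                        # modular inverse, Python 3.8+
K = (N.bit_length() + 7) // 8              # modulus size in bytes (141)

TLS_1_0 = b"\x03\x01"                      # client_version the server expects


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EME-PKCS1-v1_5 block type 2: 00 02 <random non-zero PS> 00 <msg>."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = b""
    while len(ps) < ps_len:
        ps += bytes(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(em: bytes):
    """Return the payload, or None if the block is malformed."""
    if len(em) != K or em[:2] != b"\x00\x02":
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:                           # no separator, or PS shorter than 8
        return None
    return em[sep + 1:]


def rsa_encrypt(msg: bytes) -> bytes:
    m = int.from_bytes(pkcs1_v15_pad(msg), "big")
    return pow(m, E, N).to_bytes(K, "big")


def rsa_decrypt_raw(ct: bytes) -> bytes:
    return pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")


def client_key_exchange(version: bytes = TLS_1_0):
    """Client side: premaster secret = version || 46 random bytes, RSA-encrypted."""
    pms = version + os.urandom(46)
    return pms, rsa_encrypt(pms)


def blind(ct: bytes, s: int) -> bytes:
    """Attacker's probe: c' = c * s^e mod N decrypts to s*m mod N, so the
    server's reaction to c' reveals something about the unknown m."""
    c = int.from_bytes(ct, "big")
    return (c * pow(s, E, N) % N).to_bytes(K, "big")


def vulnerable_server(ct: bytes, expected_version: bytes = TLS_1_0) -> str:
    """Three distinguishable outcomes: a padding oracle and a bad version oracle."""
    pms = pkcs1_v15_unpad(rsa_decrypt_raw(ct))
    if pms is None or len(pms) != 48:
        return "alert:decrypt_error"       # Bleichenbacher oracle
    if pms[:2] != expected_version:
        return "alert:bad_version"         # Klíma-Pokorný-Rosa oracle
    return "ok"


def hardened_server(ct: bytes, expected_version: bytes = TLS_1_0):
    """One outcome for everything: on any problem the server silently uses a
    random premaster secret chosen before decryption and continues; the
    handshake then fails at Finished, which says nothing about m.
    Returns (visible response, premaster secret the server will use)."""
    fallback = expected_version + os.urandom(46)
    pms = pkcs1_v15_unpad(rsa_decrypt_raw(ct))
    if pms is None or len(pms) != 48 or pms[:2] != expected_version:
        pms = fallback
    return "ok", pms


if __name__ == "__main__":
    pms, ct = client_key_exchange()
    _, bad = client_key_exchange(version=b"\x03\x00")
    for label, probe in (("genuine", ct), ("wrong version", bad), ("tampered", blind(ct, 2))):
        print(f"{label:14s} vulnerable={vulnerable_server(probe):20s} hardened={hardened_server(probe)[0]}")
```

Running the module prints the three responses side by side. `blind` is the first step of the chosen-ciphertext attack: Bleichenbacher's method sends many such probes with different values of s and narrows the interval containing m from the server's answers, and the bad version oracle supplies the same kind of answer from a server that had already fixed the padding response. The hardened server makes every answer identical, which is why the patch removes the attack rather than merely slowing it down. Timing is not modelled here; a real server must also take the same time on both paths.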

5. Conclusions

As can be seen in the history of cryptography and in the examples of RSA

implementation, most encryption schemes are broken because of their implementation

and not because of the underlying cipher. From the Enigma machine to present-day RSA

encryption, weaknesses arise from poor implementation and careless use. RSA offers the most

practical encryption for everyday users. From PGP to SSL/TLS, RSA allows for the

secure transfer of information across the Internet. Security in everything from business

transactions to private messages is made possible by RSA encryption. However,

future technology may render RSA encryption useless.

5.1 Quantum Computing:

Quantum computing represents the cutting edge of computing technology. By

exploiting the quantum property of superposition, a quantum computer running Shor's

algorithm could factor a number in time polynomial in the length of N, where the best

classical methods take sub-exponential time. Fast factoring renders RSA encryption useless,

because it would mean that N could be factored in practical time regardless of how large N

is. Instead of transistors, a quantum computer uses quantum bits, or qubits, which can be

realized by the spin of particles. A transistor has only two positions, on and off, represented

by a 1 or a 0. A spin qubit is also read as either 0 or 1, depending on the direction of its spin,

but until it is measured it can be in superposition, meaning that it is in both states at once,

and a register of qubits can therefore hold all possible values at the same time. The state of

superposition is often likened to a multiverse: in the popular picture, the factorization of a

number happens in many universes at once, so that when the number 10 is factored one

universe tries dividing by 2, another by 3, another by 4, and another by 5, and the factors 2

and 5 are returned after a single step. This picture is an oversimplification: a measurement

returns only one of the superposed results, so "trying every divisor at once" gains nothing

by itself. What Shor's algorithm actually does is use the superposition to find the period of

the function a^x mod N in one quantum computation; a few steps of ordinary arithmetic then

turn that period into the factors of N. A quantum computer would be limited only by the

number of qubits in its processor, which determines the size of the number it can represent.

Since the prime numbers used for RSA encryption must exist at some level on a computer,

there is in principle no N too large to be factored once a machine with enough qubits

exists; building such a machine is the obstacle, and at the time of writing the largest number

factored by a quantum computer was 15xv.
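The argument above comes down to one point: the quantum computer speeds up period finding, and period finding is enough to factor. The following Python, added for this page and not part of the paper, runs the classical part of Shor's algorithm with a brute-force period search standing in for the quantum step, so the reduction from factoring to period finding can be checked on an ordinary machine for small N. The function names and the toy moduli are the example's own.

```python
"""Classical skeleton of Shor's factoring algorithm.  Added illustration, not
code from the paper.  The quantum computer's only job is the period-finding
step, replaced here by a brute-force search so the rest can run anywhere."""
import random
from math import gcd


def find_period(a: int, n: int) -> int:
    """Smallest r > 0 with a^r = 1 (mod n): the period of x -> a^x mod n.
    This loop stands in for the quantum Fourier transform step; its running
    time grows with n, which is exactly the cost Shor's algorithm removes."""
    x, r = a % n, 1
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, rng=None, max_tries: int = 100):
    """Split n into two non-trivial factors using order finding.
    n should be an odd number with at least two distinct prime factors (an
    RSA modulus qualifies); for a prime every attempt fails and ValueError
    is raised.  Returns the factors as a sorted pair."""
    if rng is None:
        rng = random.Random(0)            # fixed seed keeps the demo repeatable
    if n % 2 == 0:
        return (2, n // 2)
    for _ in range(max_tries):
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g > 1:                          # lucky: a already shares a factor
            return tuple(sorted((g, n // g)))
        r = find_period(a, n)
        if r % 2:                          # odd period: pick another a
            continue
        y = pow(a, r // 2, n)              # y^2 = 1 (mod n) and y != 1
        if y == n - 1:                     # trivial square root of 1: retry
            continue
        p = gcd(y - 1, n)                  # (y-1)(y+1) = 0 (mod n) splits n
        return tuple(sorted((p, n // p)))
    raise ValueError(f"could not split {n}: is it a prime or a prime power?")


if __name__ == "__main__":
    for n in (10, 15, 21, 3233):           # 3233 = 53 * 61, a toy RSA modulus
        p, q = shor_factor(n)
        print(f"{n} = {p} * {q}")
```

Everything after `find_period` is ordinary number theory: a non-trivial square root y of 1 modulo n gives a factor as gcd(y - 1, n). For a 1024-bit RSA modulus the brute-force loop would run for longer than the age of the universe; a quantum period-finding circuit with enough qubits would do the same job in polynomial time.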

5.2 Quantum cryptography:

The most recent advances in cryptography have focused on what is being

described as a completely unbreakable encryption: quantum cryptography. Quantum

cryptography works because of the property that a photon's polarization is easy to control

but difficult to measure. For this explanation we will assume that there are only four

polarizations: vertical, horizontal, and the two diagonals. If a vertical filter is placed in

front of a stream of photons, the vertically polarized photons will pass through and the

horizontally polarized photons will be blocked. Due to the laws of quantum mechanics, half

of the diagonally polarized photons will also pass through, and those that do will then be

oriented vertically. It is because of this property that the polarization of a photon is hard to

determine: half of the time a diagonally polarized photon will be read as vertically polarized,

and the measurement destroys the original polarization.

To send a message, two schemes to represent 0 and 1 would be agreed on before

the transmission. In the first scheme, a vertically polarized photon represents 0 and

a horizontally polarized photon represents 1. In the second scheme, a diagonally

polarized photon tilted to the left represents 0, and one tilted to the right represents 1. So

for both 0 and 1 there are two possible representations. The sender then sends a random

string of polarized photons, noting which scheme was used for each photon and how the

photon was polarized. For each photon, the receiver randomly uses either a filter that

distinguishes horizontally from vertically polarized photons or one that distinguishes the two

diagonal polarizations. After a string of photons has been sent, the sender calls

the receiver on the telephone (any public channel will do, provided each party can be sure

who they are talking to) and, for every photon sent, tells the receiver whether a

vertical/horizontal filter or a diagonal filter was used, but not the specific orientation. For

every photon where the receiver happened to use the right filter, and therefore measured the

polarization correctly, both parties write down a 0 or 1, depending on the orientation, and in

this way assemble a key; the photons measured with the wrong filter are discarded. Once a

large enough key has been assembled, they have a perfect one-time key, and a message

encrypted with it as a one-time pad is unbreakable. The scheme is secure because of the

nature of photon polarization: an eavesdropper attempting to measure the photons would

inevitably disturb the polarization of some of them, so the sender and receiver can compare

a sample of their key over the telephone to determine whether anyone was

eavesdroppingxvi. As great as this system is, it relies on the photons being transmitted

without interacting with anything else, since any interaction would affect their polarization.

Because of this, at the time of writing the range was limited to roughly three miles. As a

result, while it is a perfect form of cryptography, its uses are extremely limited.
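The exchange described above is the BB84 protocol of Bennett and Brassard. The simulation below is an added example, not code from the paper; its photon model is an assumption made for the example (a photon is a bit plus a basis, a filter in the matching basis reads the bit exactly, and a filter in the other basis returns a random bit and leaves the photon re-polarized in the filter's basis). It runs the sifting step, the sacrificed sample, and an intercept-and-resend eavesdropper, and shows the roughly 25% error rate the eavesdropper cannot avoid introducing.

```python
"""Simulation of the photon key exchange (BB84).  Added illustration, not
code from the paper.  Assumed photon model: a photon is a (bit, basis) pair;
a filter in the matching basis reads the bit exactly, a filter in the other
basis returns a random bit and re-polarizes the photon in its own basis."""
import random

RECT, DIAG = "+", "x"          # vertical/horizontal filter and diagonal filter
BASES = (RECT, DIAG)


def measure(photon, basis, rng):
    """Return (bit read, photon after measurement)."""
    bit, photon_basis = photon
    if photon_basis == basis:
        return bit, photon
    new_bit = rng.randrange(2)             # wrong filter: coin flip ...
    return new_bit, (new_bit, basis)       # ... and the old polarization is gone


def bb84(n_photons, seed=0, eavesdrop=False, sample_fraction=0.5):
    """One exchange.  Returns the final keys, the error rate observed on the
    disclosed sample, and the number of photons that survived sifting."""
    rng = random.Random(seed)              # seeded so the demo is repeatable
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.choice(BASES) for _ in range(n_photons)]
    photons = list(zip(alice_bits, alice_bases))

    if eavesdrop:                          # intercept-resend: Eve guesses a
        eve_bases = [rng.choice(BASES) for _ in range(n_photons)]   # filter,
        photons = [measure(ph, b, rng)[1]  # reads, and forwards what is left
                   for ph, b in zip(photons, eve_bases)]

    bob_bases = [rng.choice(BASES) for _ in range(n_photons)]
    bob_bits = [measure(ph, b, rng)[0] for ph, b in zip(photons, bob_bases)]

    # Public discussion (the telephone call): bases only, never bits.
    keep = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    alice_key = [alice_bits[i] for i in keep]
    bob_key = [bob_bits[i] for i in keep]

    # Disclose and discard a sample of the sifted bits to estimate the error
    # rate.  A matching-basis photon can only disagree if it was disturbed.
    sample = int(len(keep) * sample_fraction)
    if sample == 0:
        raise ValueError("too few sifted bits to test for eavesdropping")
    errors = sum(a != b for a, b in zip(alice_key[:sample], bob_key[:sample]))
    return {
        "alice_key": alice_key[sample:],
        "bob_key": bob_key[sample:],
        "error_rate": errors / sample,
        "sifted": len(keep),
    }


def eavesdropper_detected(result, threshold=0.1):
    """Without Eve the sample agrees exactly.  Intercept-resend corrupts about
    a quarter of the sifted bits: Eve picks the wrong filter half the time,
    and Bob then reads a wrong bit in half of those cases."""
    return result["error_rate"] > threshold


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84(2000, seed=1, eavesdrop=eve)
        print(f"eavesdropper={eve}: sifted={r['sifted']} "
              f"error_rate={r['error_rate']:.3f} detected={eavesdropper_detected(r)}")
```

The simulation ignores noise in the optical channel; a real system sees a small error rate even without an eavesdropper, which is why practical systems set a threshold and then run error correction and privacy amplification on the remaining key rather than demanding a perfect match.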

5.3 Conclusion:

As it stands today, RSA represents a strong, practically unbreakable cipher.

Quantum computing may spell the end of RSA by making factoring fast, but that type of

computer is not nearing completion in the foreseeable future. Quantum cryptography offers

an unbreakable cipher, yet its current limitations make it impractical for widespread use. In

spite of recent announcements of the breaking of certain RSA challenge numbers, factoring

the modulus is painfully slow and requires a huge investment in computational resources.

Moreover, factoring can be kept out of reach by choosing larger primes p and q as

computational power increases. Keystroke snooping is the most effective method of

subverting RSA encryption, but it poses only a limited threat, which can be avoided with

careful attention to a user's workstation and habits. Even though RSA encryption is less than

perfect, it offers an enormous amount of security. As it stands today, the benefits of RSA far

outweigh the costs, and most of the threats posed to RSA do not seriously endanger its

security on a large scale.

Appendices

Appendix A: Cipher diskxvii

Appendix B: English letter frequency tablexviii

Appendix C: The Vigenère Squarexix

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

B C D E F G H I J K L M N O P Q R S T U V W X Y Z A

C D E F G H I J K L M N O P Q R S T U V W X Y Z A B

D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

E F G H I J K L M N O P Q R S T U V W X Y Z A B C D

F G H I J K L M N O P Q R S T U V W X Y Z A B C D E

G H I J K L M N O P Q R S T U V W X Y Z A B C D E F

H I J K L M N O P Q R S T U V W X Y Z A B C D E F G

I J K L M N O P Q R S T U V W X Y Z A B C D E F G H

J K L M N O P Q R S T U V W X Y Z A B C D E F G H I

K L M N O P Q R S T U V W X Y Z A B C D E F G H I J

L M N O P Q R S T U V W X Y Z A B C D E F G H I J K

M N O P Q R S T U V W X Y Z A B C D E F G H I J K L

N O P Q R S T U V W X Y Z A B C D E F G H I J K L M

O P Q R S T U V W X Y Z A B C D E F G H I J K L M N

P Q R S T U V W X Y Z A B C D E F G H I J K L M N O

Q R S T U V W X Y Z A B C D E F G H I J K L M N O P

R S T U V W X Y Z A B C D E F G H I J K L M N O P Q

S T U V W X Y Z A B C D E F G H I J K L M N O P Q R

T U V W X Y Z A B C D E F G H I J K L M N O P Q R S

U V W X Y Z A B C D E F G H I J K L M N O P Q R S T

V W X Y Z A B C D E F G H I J K L M N O P Q R S T U

W X Y Z A B C D E F G H I J K L M N O P Q R S T U V

X Y Z A B C D E F G H I J K L M N O P Q R S T U V W

Y Z A B C D E F G H I J K L M N O P Q R S T U V W X

Z A B C D E F G H I J K L M N O P Q R S T U V W X Y


Bibliography:

Bennett, C.H., Brassard, G., and Ekert, A., “Quantum Cryptography,” Scientific American, vol. 269 (October 1992), pp. 26-36.

Cipra, Barry. “Elliptic Curve Cryptography—Good Enough for Government Work,” SIAM News, vol. 35 (October 2002), <http://www.siam.org/siamnews/10-02/cryptography.pdf> (accessed Nov. 25, 2003).

Cipra, Barry. “Safe Against Cycling Attacks: Researchers Confirm Invulnerability of RSA,” SIAM News, vol. 34, <http://www.siam.org/siamnews/03-01/cycling.pdf> (accessed Nov. 25, 2003).

Diffie, Whitfield, and Hellman, Martin, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22 (Nov. 1976), pp. 644-655.

Gaines, Helen Fouché. Cryptanalysis. New York: Dover, 1956.

Gardner, Martin. “A New Kind of Cipher That Would Take Millions of Years to Break,” Scientific American, vol. 237 (August 1977), pp. 120-124.

Garfinkel, Simson. PGP: Pretty Good Privacy. Sebastopol, CA: O'Reilly & Associates, 1995.

Hellman, M.E., “The Mathematics of Public-Key Cryptography,” Scientific American, vol. 241 (August 1979), pp. 130-139.

Kahn, David. The Codebreakers. New York: Scribner, 1996.

Newton, David E. Encyclopedia of Cryptology. Santa Barbara, CA: ABC-Clio, 1997.

Pope, Maurice. The Story of Decipherment. London: Thames & Hudson, 1975.

RSA Laboratories. RSA Laboratories' Frequently Asked Questions About Today's Cryptography, Version 4.1. RSA Security Inc., 2000. <http://www.rsasecurity.com/rsalabs/faq>

Rivest, Ronald L. “Factoring and Letters,” Science, New Series, vol. 242, no. 4885 (Dec. 16, 1988), p. 1493.

Singh, Simon. The Code Book: The Science of Secrecy From Ancient Egypt to Quantum Cryptography. New York: Random House, 1999.

Singh, Simon. The Science of Secrecy: The Secret History of Codes and Codebreaking. London: Fourth Estate, 2000.

Taubes, Gary. “Small Army of Code-Breakers Conquers 129-Digit Giant,” Science, New Series, vol. 264, no. 5160 (May 6, 1994), pp. 776-777.

Zimmermann, Philip. The Official PGP User's Guide. Cambridge, MA: MIT Press, 1996. <http://www.pgp.com>

Notes:

i Singh, Simon. The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography (New York, NY: Anchor Books, 1999), p. 12.

ii Singh, pp. 9-15, 124-126.

iii Singh, p. 12.

iv Singh, pp. 84-98.

v <http://www.stack.nl/~galactus/remailers/attack-2.html> (accessed: 12/10/2003)

vi Singh 1999: 387-389.

vii <http://www.pgpi.org/doc/pgpintro/#p10> (accessed: 12/10/2003)

viii Gardner, “A New Kind of Cipher That Would Take Millions of Years to Break.”

ix Taubes, “Small Army of Code-Breakers Conquers 129-Digit Giant.”

x Weisstein, “RSA-576 Factored.”

xi <http://www.stack.nl/~galactus/remailers/attack-6.html> (accessed: 12/10/2003)

xii <http://www.stack.nl/~galactus/remailers/attack-5.html> (accessed: 12/10/2003)

xiii <http://www.stack.nl/~galactus/remailers/attack-5.html> (accessed: 12/10/2003)

xiv <http://www.kb.cert.org/vuls/id/888801> (accessed: 12/10/2003)

xv Singh, pp. 318-331.

xvi Singh, pp. 331-350.

xvii BletchleyPark.net, <http://www.bletchleypark.net/crypt/cipherdisk.html> (accessed: 12/10/2003)

xviii GlyphWorks, <http://storm.prohosting.com/~glyph/crypto/freq-en.shtml> (accessed: 12/10/2003)

xix <http://www.anne3.com/html/code/vigenere_square.html> (accessed: 12/11/2003)