Student: 張起豪 (Chi-Hao Chang)
Thesis title: 選擇密文攻擊法之研究與實作 (The Research and Implementation of Chosen Ciphertext Attacks)
Advisor: 顏嵩銘 (Sung-Ming Yen)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science & Information Engineering
Graduation academic year: 92
Language: English
Pages: 66
Chinese keywords: chosen ciphertext attack, provable security
Foreign keywords: Random Oracle Model, CCA
Chinese abstract (cut off on the page): In recent years, with the spread of the Internet and the rapid growth in the number of its users, more and more applications and services have been built on the Internet (e.g., online


Abstract:

People throughout the world can communicate instantly and exchange information over the Internet through a variety of applications (e.g., e-mail, e-commerce, online banking). Because of the openness of the Internet, more and more security measures are required to protect personal privacy and commercial confidentiality, and reliable, trusted cryptography is expected to protect private information in the growing number of Internet services that apply it. The extensions such services make to cryptographic standards usually introduce security leaks, and Chosen Ciphertext Attacks (CCA) target exactly this kind of leak: if an adversary can intercept an encrypted message, modify it, resend the modified message to the same service and analyze the service's response, the adversary can recover the original message.

It is hard for an Internet service to detect a CCA, since the service does not have enough information to distinguish between the ordinary error messages triggered by normal users and the probe messages submitted by an adversary. Rather than patching the leaks of a standard after the fact, it is preferable to prove at the design stage that the standard is secure against CCA. Bellare and Rogaway introduced a proof methodology, the random oracle model, which can be used to prove that encryption schemes, signature schemes and protocols are secure against CCA.

A new RSA padding scheme, BLRP, is proposed to improve on the cryptographic methods of RSA PKCS #1 v1.5 and RSA PKCS #1 v2.1. Not only is its efficiency better than that of RSA PKCS #1 v2.1, its security is also better than that of RSA PKCS #1 v1.5. In addition, BLRP is proven secure against CCA in the random oracle model.

Besides, a new CCA attack is proposed against the most popular Internet e-mail security standard, S/MIME (Secure/Multipurpose Internet Mail Extensions), which provides the following cryptographic security services for electronic messaging applications: authentication, message integrity and non-repudiation of origin (using digital signatures), and privacy and data security (using encryption). The proposed CCA attack can decrypt an S/MIME-encrypted e-mail without the private key, using only a single query to the oracle. Countermeasures are also proposed.

Table of contents:

1 Introduction
  1.1 Motivation
  1.2 Introduction to CCA Attacks
    1.2.1 CCA Attacks under Asymmetric Encryption Scheme
    1.2.2 CCA Attacks under Symmetric Encryption Scheme
  1.3 Introduction to Provable Security
    1.3.1 Security Notion
    1.3.2 Random Oracle Model
  1.4 Our Contributions
  1.5 Overview of the Thesis
2 Review of Related Security Standards
  2.1 Introduction to PKCS
  2.2 RSA Padding Scheme
    2.2.1 PKCS #1 v1.5
    2.2.2 PKCS #1 v2.1
  2.3 Block Cipher Modes of Operation
    2.3.1 Cipher Block Chaining Mode
    2.3.2 Cipher Feedback Mode
  2.4 Secure Multipurpose Internet Mail Extensions
  2.5 Multipurpose Internet Mail Extensions
  2.6 The Enhanced Contents of S/MIME
3 CCA Attacks Review
  3.1 CCA Attacks against RSA Encryption
    3.1.1 Bleichenbacher's Attack
    3.1.2 Manger's Attack
  3.2 The CCA Attacks against Block Cipher Operation
    3.2.1 The K-S Attack
    3.2.2 Possibility of Specific Decryption Oracle
4 Review of Provable Security
  4.1 Review of Related CCA Attacks
  4.2 Review of Security Notion
    4.2.1 Definition of Public-Key System
    4.2.2 Indistinguishability
    4.2.3 Non-Malleability
  4.3 Review of Random Oracle Model
    4.3.1 Proof Sketch of Random Oracle Model
    4.3.2 Provable Instance in Random Oracle Model
  4.4 Review of IND-CCA2 Security Proof
    4.4.1 Definition of POW and S-POW
    4.4.2 Different Concept of IND-CCA2 Proof
5 Proposed BLRP Padding and Its Security Proof
  5.1 The Weakness of PKCS #1 v1.5 and PKCS #1 v2.1
  5.2 BLRP Padding Scheme
    5.2.1 Notation of the BLRP Scheme
    5.2.2 Encoding and Decoding of BLRP
  5.3 Security Analysis of BLRP
    5.3.1 Security Proof of BLRP under IND-CPA
    5.3.2 Security Proof of BLRP under IND-CCA1
    5.3.3 Exact Security Result of BLRP
    5.3.4 Security Proof of BLRP under IND-CCA2
    5.3.5 The Non-Malleability of BLRP
  5.4 The BLRP Efficiency Analysis
  5.5 Summary
6 The Proposed CCA Attack against S/MIME
  6.1 The CCA Attack against CBC Mode
  6.2 The CCA Attack against S/MIME
    6.2.1 The CCA Attack against Encrypted-Only E-mail
    6.2.2 The CCA Attack against Signed-and-Encrypted E-Mail
  6.4 Possible Countermeasures
  6.5 Potential Problem
7 Conclusions
  7.1 Brief Review of Main Contributions
  7.2 Further Research Topics and Directions

