References
[1] R. L. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Communications of the ACM, 21(2):120-126, February 1978.
[2] RSA Laboratories, "PKCS #1 v1.5: RSA encryption standard," 1993.
[3] D. Bleichenbacher, "Chosen Ciphertext Attacks against Protocols Based on the RSA Encryption Standard PKCS #1," Advances in Cryptology - CRYPTO '98, Lecture Notes in Computer Science, vol. 1462, Springer Verlag, pp. 1-12, 1998.
[4] RSA Laboratories, "PKCS #1 v2.0: RSA encryption standard," 1998.
[5] RSA Laboratories, "PKCS #1 v2.1: RSA Cryptography Standard," 2002.
[6] M. Bellare and P. Rogaway, "Optimal Asymmetric Encryption," Advances in Cryptology - EUROCRYPT '94, Lecture Notes in Computer Science, vol. 950, Springer Verlag, pp. 92-111, 1994.
[7] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, 28:270-299, 1984.
[8] D. Dolev, C. Dwork, and M. Naor, "Non-malleable Cryptography," SIAM Journal of Computing, vol. 30(2), pp. 391-437, 2000.
[9] M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway, "Relations Among Notions of Security for Public-Key Encryption Schemes," Advances in Cryptology - CRYPTO '98, Lecture Notes in Computer Science, vol. 1462, pp. 26-45, Springer-Verlag, Berlin, 1998.
[10] D. Atkins, W. Stallings, and P. Zimmermann, "PGP message exchange formats," RFC 1991, August 1996.
[11] M. Bellare and P. Rogaway, "Random Oracles are Practical: A Paradigm for Designing Efficient Protocols," Proc. of the 1st CCS, pp. 62-73, ACM Press, New York, 1993.
[12] M. Naor and M. Yung, "Public-key Cryptosystems Provably Secure against Chosen Ciphertext Attacks," Proceedings of the 22nd Annual Symposium on Theory of Computing, ACM, 1990.
[13] C. Rackoff and D. Simon, "Non-interactive Zero-knowledge Proof of Knowledge and Chosen Ciphertext Attack," Advances in Cryptology - CRYPTO 1991, Lecture Notes in Computer Science, vol. 576, Springer Verlag, 1991.
[14] M. Bellare and P. Rogaway, "The Exact Security of Digital Signatures - How to Sign with RSA and Rabin," Advances in Cryptology - EUROCRYPT '96, Lecture Notes in Computer Science, vol. 1070, pp. 399-416, Springer-Verlag, Berlin, 1996.
[15] V. Shoup, "OAEP Reconsidered," Advances in Cryptology - CRYPTO 2001, Lecture Notes in Computer Science, vol. 2139, Springer Verlag, pp. 239-259, 2001.
[16] J. Katz and B. Schneier, "A chosen ciphertext attack against several e-mail encryption protocols," Proc. of the 9th USENIX Security Symposium, 2000.
[17] E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern, "RSA-OAEP Is Secure under RSA Assumption," Advances in Cryptology - CRYPTO 2001, Lecture Notes in Computer Science, vol. 2139, Springer Verlag, pp. 260-274, 2001.
[18] M. Bellare, A. Desai, E. Jokipii, and P. Rogaway, "A concrete security treatment of symmetric encryption," Proc. of the 38th Symposium on Foundations of Computer Science, IEEE, 1997.
[19] J. Callas, L. Donnerhacke, H. Finney, and R. Thayer, "OpenPGP message format," RFC 2440, November 1998.
[20] J. Callas, L. Donnerhacke, H. Finney, and R. Thayer, "OpenPGP message format," RFC 2440, draft 09, October 2003.
[21] R. Canetti, O. Goldreich, and S. Halevi, "The Random Oracle Methodology," Proc. of the 30th STOC, ACM Press, New York, 1998, pp. 209-218.
[22] G. I. Davida, "Chosen signature cryptanalysis of the RSA (MIT) public key cryptosystem," Technical Report TR-CS-82-2, Department of Electrical Engineering and Computer Science, University of Wisconsin, Milwaukee, 1982.
[23] S. Vaudenay, "Security flaws induced by CBC padding - applications to SSL, IPSEC, WTLS ...," Advances in Cryptology - EUROCRYPT 2002, Lecture Notes in Computer Science, vol. 2332, Springer Verlag, pp. 534-545, 2002.
[24] ANSI X3.106, "American National Standard for Information Systems - Data Encryption Algorithm - modes of operation," American National Standards Institute, 1983.
[25] ISO 8372, "Information processing - modes of operation for a 64-bit block cipher algorithm," International Organization for Standardization, Geneva, Switzerland, 1987.
[26] N. Freed, "MIME Part One: Format of Internet Message Bodies," RFC 2045, draft 09, November 1996.
[27] N. Freed, "MIME Part Two: Media Types," RFC 2046, draft 09, November 1996.
[28] N. Freed, "MIME Part Three: Message Header Extensions for Non-ASCII Text," RFC 2047, draft 09, November 1996.
[29] N. Freed, "MIME Part Four: Registration Procedures," RFC 2048, draft 09, November 1996.
[30] N. Freed, "MIME Part Five: Conformance Criteria and Examples," RFC 2049, draft 09, November 1996.
[31] S. Dusse, P. Hoffman, B. Ramsdell, L. Lundblade, and L. Repka, "S/MIME Version 2 Message Specification," RFC 2311, March 1998.
[32] S. Garfinkel, PGP: pretty good privacy, O'Reilly, 1995.
[33] David H. Crocker, "Standard for The Format of ARPA Internet Text Messages," RFC 822, August 1982.
[34] R. Housley, "Cryptographic Message Syntax," RFC 2630, June 1999.
[35] R. Housley, "Cryptographic Message Syntax," RFC 3369, June 2002.
[36] R. Housley, "Cryptographic Message Syntax Algorithm," RFC 3370, June 2002.
[37] K. Jallad, J. Katz, and B. Schneier, "Implementation of chosen-ciphertext attacks against PGP and GnuPG," Information Security - ISC 2002, Lecture Notes in Computer Science, vol. 2433, Springer Verlag, pp. 90-101, 2002.
[38] J. Jonsson and B. Kaliski Jr., "On the Security of RSA Encryption in TLS," Advances in Cryptology - CRYPTO 2002, Lecture Notes in Computer Science, vol. 2442, Springer Verlag, pp. 127-142, 2002.
[39] J. Manger, "A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0," Advances in Cryptology - CRYPTO 2001, Lecture Notes in Computer Science, vol. 2139, Springer Verlag, pp. 230-238, 2001.
[40] B. Ramsdell, "S/MIME Version 3 Message Specification," RFC 2633, June 1999.
[41] J. Stern, "Why Provable Security Matters?" Advances in Cryptology - EUROCRYPT 2003, Lecture Notes in Computer Science, vol. 2656, Springer Verlag, pp. 449-461, 2003.
[42] W. Stallings, "Cryptography and Network Security: Principles and Practice, Second Edition," Prentice Hall, 1998.
[43] P. Zimmermann, The official PGP user's guide, MIT Press, 1995.
[44] RSA Laboratories, "A Layman's Guide to a subset of ASN.1, BER, and DER," November 1993.
[45] RSA Laboratories, "PKCS #7 v1.5: Cryptographic Message Syntax Standard," 1993.
[46] National Bureau of Standards, "DES modes of operation," NBS FIPS PUB 81, U.S. Department of Commerce, December 1980.
[47] J. Hastad and Mats Naslund, "The security of individual RSA bits," IEEE Symposium on Foundations of Computer Science, pp. 510-521, 1998.
[48] CCITT, Recommendation X.208: Specification of Abstract Syntax Notation One (ASN.1), 1988.
[49] CCITT, Recommendation X.209: Specification of Basic Encoding Rules for Abstract Syntax Notation One (ASN.1), 1988.