臺灣博碩士論文加值系統 (National Digital Library of Theses and Dissertations in Taiwan)
Author: Chi-Hao Chang (張起豪)
Title (Chinese): 選擇密文攻擊法之研究與實作
Title (English): The Research and Implementation of Chosen Ciphertext Attacks
Advisor: Sung-Ming Yen (顏嵩銘)
Degree: Master
Institution: National Central University (國立中央大學)
Department: Institute of Computer Science and Information Engineering (資訊工程研究所)
Discipline: Engineering
Field: Electrical and Information Engineering
Document type: Academic thesis
Year of publication: 2004
Academic year of graduation: 92 (2003/2004)
Language: English
Pages: 66
Chinese keywords: chosen ciphertext attack; provable security
English keywords: Random Oracle Model; CCA
Cited by: 0 / Views: 844 / Downloads: 0
Chinese abstract (translated):

With the spread of the Internet and the rapid growth of its user base in recent years, more and more applications and services are built on it (e.g. online tax filing, e-commerce). Because the Internet is an open architecture, security requirements inevitably multiply; among them the protection of personal information is a central issue. Cryptographic algorithms have traditionally been used to protect personal data, but as applications grow, systems extend the underlying algorithms to meet new requirements. Internet services are also usually designed to run fully automatically, that is, their behaviour, including error handling and flow control, is fixed in advance.

Unfortunately, some of these extensions and design decisions introduce security weaknesses, and chosen ciphertext attacks (CCA) exploit exactly these. An attacker repeatedly submits ciphertexts of his own choosing to a service and, from the service's responses, reconstructs the plaintext corresponding to a target ciphertext. Such attacks are hard for the service to notice, because it has no way to tell an honestly malformed ciphertext from an attacker's probe. Prevention at design time therefore matters more than repair afterwards. Bellare and Rogaway introduced the random oracle model in 1993 [11]; in this model, encryption schemes, signature schemes and protocols can be proved secure against chosen ciphertext attacks.

Chapter 5 presents a new padding scheme, BLRP, which improves on the padding of RSA PKCS #1 v1.5 and RSA PKCS #1 v2.1. BLRP is more efficient than PKCS #1 v2.1 and resists chosen ciphertext attacks; its security is proved in the random oracle model.

Chapter 6 presents a chosen ciphertext attack on the S/MIME encrypted-mail protocol. It targets the symmetric-key mode of operation used for the message body, and a single oracle access suffices to recover the plaintext of an encrypted e-mail.

English abstract:

People throughout the world communicate instantly and exchange information over the Internet through a variety of applications (e.g. e-mail, e-commerce, online banking). Because of the very openness of the Internet, more and more security mechanisms are needed to protect personal privacy and commercial confidentiality, and the growing number of Internet services that rely on cryptography expect reliable, trusted cryptographic building blocks to protect private information. To meet application needs, these services typically extend the underlying cryptographic algorithms and automate their behaviour, including error handling.

Such extensions often introduce security leaks, and chosen ciphertext attacks (CCA) target exactly this kind of leak. An adversary who can intercept an encrypted message modifies it, resends the modified ciphertext to the same service and analyses the response; from the responses the adversary recovers the original message.

CCA is hard for an Internet service to detect, because the service lacks the information to distinguish ordinary malformed messages produced by honest users from the probe messages produced by an adversary. It is therefore preferable to prove a standard secure against CCA at the design stage rather than to patch leaks afterwards. Bellare and Rogaway introduced the random oracle model, a proof methodology in which encryption schemes, signature schemes and protocols can be proved secure against CCA.

A new RSA padding scheme, BLRP, is proposed to improve on the padding of RSA PKCS #1 v1.5 and RSA PKCS #1 v2.1. Its efficiency is better than that of PKCS #1 v2.1 and its security is better than that of PKCS #1 v1.5; BLRP is proved secure against CCA in the random oracle model.

In addition, a new chosen ciphertext attack is proposed against S/MIME (Secure/Multipurpose Internet Mail Extensions), the most widely used Internet standard for secure e-mail. S/MIME provides authentication, message integrity and non-repudiation of origin (using digital signatures) as well as privacy and data security (using encryption) for electronic messaging. The proposed attack decrypts an S/MIME-encrypted e-mail without the private key and with a single query to the decryption oracle. Countermeasures are also proposed.
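The single-query chosen ciphertext attack on CBC mode described above (the attack of chapter 6.1, and one instance of the intercept-modify-resend-analyse loop of the CCA paragraph) can be worked through as follows. This is an added example, not code from the thesis, from S/MIME or from any mail client: the block cipher is a toy hash-based Feistel permutation standing in for AES or 3DES (the attack never looks inside it), the "decryption oracle" is a recipient whose software returns the decrypted bytes, for instance by quoting the garbled text back in a reply as in the Katz-Schneier setting [16], and every function name and the sample message are this example's own assumptions.

```python
"""Chosen ciphertext recovery of a CBC-encrypted message with ONE oracle call.

Added illustration. The cipher below is a toy Feistel permutation (assumption:
stands in for AES/3DES); CBC, the forgery and the recovery are the real thing.
"""
import hashlib
import os
from typing import List, Tuple

BLOCK = 16  # block size in bytes, as for AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # keyed round function of the toy cipher: 8-byte hash of (key, round, half)
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 8-round balanced Feistel permutation on one 16-byte block."""
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt_block (rounds applied in reverse order)."""
    l, r = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def pad(msg: bytes) -> bytes:
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> List[bytes]:
    """Return [IV, C1, ..., Cn] with Ci = E(Pi xor C(i-1)) and C0 = IV."""
    blocks, prev, p = [iv], iv, pad(msg)
    for i in range(0, len(p), BLOCK):
        prev = encrypt_block(key, _xor(p[i:i + BLOCK], prev))
        blocks.append(prev)
    return blocks


def cbc_decrypt_raw(key: bytes, blocks: List[bytes]) -> List[bytes]:
    """Pi = D(Ci) xor C(i-1), without a padding check: the bytes a client shows."""
    return [_xor(decrypt_block(key, c), prev) for prev, c in zip(blocks, blocks[1:])]


def forge(blocks: List[bytes]) -> Tuple[List[bytes], List[bytes]]:
    """Attacker step 1: put a fresh random block R(i) in front of every Ci.
    Every block of the forgery then decrypts to junk, so the victim sees only
    garbage, yet D(Ci) is still recoverable from what the victim sees."""
    rand = [os.urandom(BLOCK) for _ in blocks[1:]]
    forged: List[bytes] = []
    for r, c in zip(rand, blocks[1:]):
        forged += [r, c]
    return forged, rand


def recover(blocks: List[bytes], leaked: List[bytes], rand: List[bytes]) -> bytes:
    """Attacker step 2: leaked[2i] = D(C(i+1)) xor R(i), and the original
    P(i+1) = D(C(i+1)) xor C(i), so P(i+1) = leaked[2i] xor R(i) xor C(i)."""
    return b"".join(_xor(_xor(leaked[2 * i], r), c_prev)
                    for i, (r, c_prev) in enumerate(zip(rand, blocks)))


def demo(secret: bytes = b"Wire 10000 to account 555-01 today. -- CFO") -> dict:
    """Honest encryption, one oracle call on the forgery, full recovery.
    The message is constructed sample data."""
    key, iv = os.urandom(BLOCK), os.urandom(BLOCK)
    ct = cbc_encrypt(key, iv, secret)
    forged, rand = forge(ct)
    leaked = cbc_decrypt_raw(key, forged)          # the single oracle access
    recovered = unpad(recover(ct, leaked, rand))
    return {"recovered": recovered, "ok": recovered == secret,
            "victim_saw_plaintext": any(blk in pad(secret) for blk in leaked)}
```

The forgery works because CBC decryption is malleable: each plaintext block depends only on its own ciphertext block and the block before it, so substituting the predecessor shifts the plaintext by a known XOR mask without touching D(Ci). Nothing in the key or cipher is needed, only a recipient that hands back the decrypted bytes once. Integrity protection that is verified before any decrypted data is released (a MAC or signature over the ciphertext) removes the oracle.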
Table of contents:

1 Introduction 1
1.1 Motivation 1
1.2 Introduction to CCA Attacks 1
1.2.1 CCA Attacks under Asymmetric Encryption Scheme 1
1.2.2 CCA Attacks under Symmetric Encryption Scheme 2
1.3 Introduction to Provable Security 2
1.3.1 Security Notion 2
1.3.2 Random Oracle Model 3
1.4 Our Contributions 3
1.5 Overview of the Thesis 3

2 Review of Related Security Standards 6
2.1 Introduction to PKCS 6
2.2 RSA Padding Scheme 7
2.2.1 PKCS #1 v1.5 7
2.2.2 PKCS #1 v2.1 8
2.3 Block Cipher Modes of Operation 10
2.3.1 Cipher Block Chaining Mode 10
2.3.2 Cipher Feedback Mode 11
2.4 Secure Multipurpose Internet Mail Extensions 12
2.5 Multipurpose Internet Mail Extensions 12
2.6 The Enhanced Contents of S/MIME 13

3 CCA Attacks Review 16
3.1 CCA Attacks against RSA Encryption 16
3.1.1 Bleichenbacher's Attack 17
3.1.2 Manger's Attack 17
3.2 The CCA Attacks against Block Cipher Operation 19
3.2.1 The K-S Attack 19
3.2.2 Possibility of Specific Decryption Oracle 20

4 Review of Provable Security 22
4.1 Review of Related CCA Attacks 22
4.2 Review of Security Notion 23
4.2.1 Definition of Public-Key System 23
4.2.2 Indistinguishability 23
4.2.3 Non-Malleability 24
4.3 Review of Random Oracle Model 26
4.3.1 Proof Sketch of Random Oracle Model 26
4.3.2 Provable Instance in Random Oracle Model 26
4.4 Review of IND-CCA2 Security Proof 28
4.4.1 Definition of POW and S-POW 28
4.4.2 Different Concept of IND-CCA2 Proof 29

5 Proposed BLRP Padding and Its Security Proof 31
5.1 The Weakness of PKCS #1 v1.5 and PKCS #1 v2.1 31
5.2 BLRP Padding Scheme 31
5.2.1 Notation of the BLRP Scheme 31
5.2.2 Encoding and Decoding of BLRP 32
5.3 Security Analysis of BLRP 33
5.3.1 Security Proof of BLRP under IND-CPA 33
5.3.2 Security Proof of BLRP under IND-CCA1 34
5.3.3 Exact Security Result of BLRP 35
5.3.4 Security Proof of BLRP under IND-CCA2 35
5.3.5 The Non-Malleability of BLRP 41
5.4 The BLRP Efficiency Analysis 41
5.5 Summary 43

6 The Proposed CCA Attack against S/MIME 45
6.1 The CCA Attack against CBC Mode 45
6.2 The CCA Attack against S/MIME 47
6.2.1 The CCA Attack against Encrypted-Only E-mail 47
6.2.2 The CCA Attack against Signed-and-Encrypted E-Mail 48
6.4 Possible Countermeasures 49
6.5 Potential Problem 49

7 Conclusions 51
7.1 Brief Review of Main Contributions 51
7.2 Further Research Topics and Directions 52
References:

[1] R. L. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Communications of the ACM, 21(2):120-126, February 1978.
[2] RSA Laboratories, "PKCS #1 v1.5: RSA Encryption Standard," 1993.
[3] D. Bleichenbacher, "Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1," Advances in Cryptology - CRYPTO '98, LNCS vol. 1462, Springer-Verlag, pp. 1-12, 1998.
[4] RSA Laboratories, "PKCS #1 v2.0: RSA Encryption Standard," 1998.
[5] RSA Laboratories, "PKCS #1 v2.1: RSA Cryptography Standard," 2002.
[6] M. Bellare and P. Rogaway, "Optimal asymmetric encryption," Advances in Cryptology - EUROCRYPT '94, LNCS vol. 950, Springer-Verlag, pp. 92-111, 1995.
[7] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, 28(2):270-299, 1984.
[8] D. Dolev, C. Dwork, and M. Naor, "Non-malleable cryptography," SIAM Journal on Computing, 30(2):391-437, 2000.
[9] M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway, "Relations among notions of security for public-key encryption schemes," Advances in Cryptology - CRYPTO '98, LNCS vol. 1462, Springer-Verlag, pp. 26-45, 1998.
[10] D. Atkins, W. Stallings, and P. Zimmermann, "PGP Message Exchange Formats," RFC 1991, August 1996.
[11] M. Bellare and P. Rogaway, "Random oracles are practical: a paradigm for designing efficient protocols," Proc. 1st ACM Conference on Computer and Communications Security (CCS '93), ACM Press, New York, pp. 62-73, 1993.
[12] M. Naor and M. Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks," Proc. 22nd Annual ACM Symposium on Theory of Computing (STOC '90), ACM, 1990.
[13] C. Rackoff and D. Simon, "Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack," Advances in Cryptology - CRYPTO '91, LNCS vol. 576, Springer-Verlag, 1991.
[14] M. Bellare and P. Rogaway, "The exact security of digital signatures - how to sign with RSA and Rabin," Advances in Cryptology - EUROCRYPT '96, LNCS vol. 1070, Springer-Verlag, pp. 399-416, 1996.
[15] V. Shoup, "OAEP reconsidered," Advances in Cryptology - CRYPTO 2001, LNCS vol. 2139, Springer-Verlag, pp. 239-259, 2001.
[16] J. Katz and B. Schneier, "A chosen ciphertext attack against several e-mail encryption protocols," Proc. 9th USENIX Security Symposium, 2000.
[17] E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern, "RSA-OAEP is secure under the RSA assumption," Advances in Cryptology - CRYPTO 2001, LNCS vol. 2139, Springer-Verlag, pp. 260-274, 2001.
[18] M. Bellare, A. Desai, E. Jokipii, and P. Rogaway, "A concrete security treatment of symmetric encryption," Proc. 38th IEEE Symposium on Foundations of Computer Science (FOCS '97), IEEE, 1997.
[19] J. Callas, L. Donnerhacke, H. Finney, and R. Thayer, "OpenPGP Message Format," RFC 2440, November 1998.
[20] J. Callas, L. Donnerhacke, H. Finney, and R. Thayer, "OpenPGP Message Format" (revision of RFC 2440), Internet-Draft, draft 09, October 2003.
[21] R. Canetti, O. Goldreich, and S. Halevi, "The random oracle methodology, revisited," Proc. 30th Annual ACM Symposium on Theory of Computing (STOC '98), ACM Press, New York, pp. 209-218, 1998.
[22] G. I. Davida, "Chosen signature cryptanalysis of the RSA (MIT) public key cryptosystem," Technical Report TR-CS-82-2, Department of Electrical Engineering and Computer Science, University of Wisconsin, Milwaukee, 1982.
[23] S. Vaudenay, "Security flaws induced by CBC padding - applications to SSL, IPSEC, WTLS ...," Advances in Cryptology - EUROCRYPT 2002, LNCS vol. 2332, Springer-Verlag, pp. 534-545, 2002.
[24] ANSI X3.106, "American National Standard for Information Systems - Data Encryption Algorithm - Modes of Operation," American National Standards Institute, 1983.
[25] ISO 8372, "Information processing - Modes of operation for a 64-bit block cipher algorithm," International Organization for Standardization, Geneva, 1987.
[26] N. Freed, "MIME Part One: Format of Internet Message Bodies," RFC 2045, November 1996.
[27] N. Freed, "MIME Part Two: Media Types," RFC 2046, November 1996.
[28] N. Freed, "MIME Part Three: Message Header Extensions for Non-ASCII Text," RFC 2047, November 1996.
[29] N. Freed, "MIME Part Four: Registration Procedures," RFC 2048, November 1996.
[30] N. Freed, "MIME Part Five: Conformance Criteria and Examples," RFC 2049, November 1996.
[31] S. Dusse, P. Hoffman, B. Ramsdell, L. Lundblade, and L. Repka, "S/MIME Version 2 Message Specification," RFC 2311, March 1998.
[32] S. Garfinkel, PGP: Pretty Good Privacy, O'Reilly, 1995.
[33] D. H. Crocker, "Standard for the Format of ARPA Internet Text Messages," RFC 822, August 1982.
[34] R. Housley, "Cryptographic Message Syntax," RFC 2630, June 1999.
[35] R. Housley, "Cryptographic Message Syntax (CMS)," RFC 3369, August 2002.
[36] R. Housley, "Cryptographic Message Syntax (CMS) Algorithms," RFC 3370, August 2002.
[37] K. Jallad, J. Katz, and B. Schneier, "Implementation of chosen-ciphertext attacks against PGP and GnuPG," Information Security - ISC 2002, LNCS vol. 2433, Springer-Verlag, pp. 90-101, 2002.
[38] J. Jonsson and B. Kaliski Jr., "On the security of RSA encryption in TLS," Advances in Cryptology - CRYPTO 2002, LNCS vol. 2442, Springer-Verlag, pp. 127-142, 2002.
[39] J. Manger, "A chosen ciphertext attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as standardized in PKCS #1 v2.0," Advances in Cryptology - CRYPTO 2001, LNCS vol. 2139, Springer-Verlag, pp. 230-238, 2001.
[40] B. Ramsdell (ed.), "S/MIME Version 3 Message Specification," RFC 2633, June 1999.
[41] J. Stern, "Why provable security matters?," Advances in Cryptology - EUROCRYPT 2003, LNCS vol. 2656, Springer-Verlag, pp. 449-461, 2003.
[42] W. Stallings, Cryptography and Network Security: Principles and Practice, 2nd ed., Prentice Hall, 1998.
[43] P. Zimmermann, The Official PGP User's Guide, MIT Press, 1995.
[44] RSA Laboratories, "A Layman's Guide to a Subset of ASN.1, BER, and DER," November 1993.
[45] RSA Laboratories, "PKCS #7 v1.5: Cryptographic Message Syntax Standard," 1993.
[46] National Bureau of Standards, "DES Modes of Operation," FIPS PUB 81, U.S. Department of Commerce, December 1980.
[47] J. Håstad and M. Näslund, "The security of individual RSA bits," Proc. IEEE Symposium on Foundations of Computer Science (FOCS '98), pp. 510-521, 1998.
[48] CCITT, Recommendation X.208: Specification of Abstract Syntax Notation One (ASN.1), 1988.
[49] CCITT, Recommendation X.209: Specification of Basic Encoding Rules for Abstract Syntax Notation One (ASN.1), 1988.