
What's cool about this paper is the CCA2 attack on unpadded RSA in the middle of it. What's cool about that attack is how simple it is.

The setting, simplified: you send RSA(aes-key), AES(key, message). The server replies if the AES key it recovers from the RSA message successfully decrypts the AES ciphertext; the server is an oracle for whether the message is valid.

The attack is stupid simple: the attacker shifts 127 of the AES key bits off of the RSA message --- the attacker can do this, because RSA is homomorphic with respect to multiplication and thus malleable --- and then sends the bit-shifted RSA message along with an AES ciphertext encrypted with the 0b1000...0 AES key. If that elicits a server response, the attacker knows the bottom bit of the real AES key is 1. The attacker repeats with a 126 bit shift, then the math teachers and so on until everyone is eaten.
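The bit-by-bit recovery the comment describes, as an added toy simulation that is not code from the paper or the commenter: textbook RSA is built from two Mersenne primes, an HMAC tag stands in for the AES layer, and the simulated server is assumed to take the low 128 bits of the RSA plaintext as the key. Every parameter here is constructed for the demo, and the only thing the attacker uses is the accept/reject answer.

```python
import hmac
import hashlib

# Toy unpadded RSA. Mersenne primes avoid prime generation; these are not real keys.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
KEY_BITS = 128
KEY_MASK = (1 << KEY_BITS) - 1


def rsa_enc(m: int) -> int:
    return pow(m, E, N)


def rsa_dec(c: int) -> int:
    return pow(c, D, N)


def sym_tag(key: int, msg: bytes) -> bytes:
    # Stand-in for AES(key, message): a keyed MAC that only verifies under the right key.
    return hmac.new(key.to_bytes(KEY_BITS // 8, "big"), msg, hashlib.sha256).digest()


def server_oracle(c: int, msg: bytes, tag: bytes) -> bool:
    # Assumed server behaviour: decrypt the unpadded RSA block, use its low 128 bits
    # as the symmetric key, and answer only whether the symmetric layer verified.
    key = rsa_dec(c) & KEY_MASK
    return hmac.compare_digest(sym_tag(key, msg), tag)


def recover_key(c: int, oracle) -> int:
    """Recover the wrapped key one bit per query using RSA's multiplicative malleability."""
    known = 0          # low bits recovered so far
    msg = b"probe"     # any message; only the tag check matters
    for i in range(KEY_BITS):
        shift = KEY_BITS - 1 - i
        # c * Enc(2^shift) decrypts to key * 2^shift; taking the low 128 bits leaves
        # (key mod 2^(i+1)) << shift, i.e. the i+1 lowest key bits at the top.
        c_shifted = (c * rsa_enc(1 << shift)) % N
        guess = ((known | (1 << i)) << shift) & KEY_MASK   # i = 0 gives 0b1000...0
        if oracle(c_shifted, msg, sym_tag(guess, msg)):
            known |= 1 << i    # accepted: bit i of the real key is 1
    return known
```

With RSA-OAEP or a KEM in place of raw RSA, the multiplied ciphertext fails decoding before any key is used, so the same oracle answers nothing about the key bits.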

As I like to say, I know enough about crypto to know that I should never ever trust my knowledge about how to build a secure crypto protocol.

The more I learn the more I realize everything is a cat and mouse game. Commitment comes when you believe you've invested enough that you have more to lose if you stop than to keep going.

I appreciate your summary, and especially the way you ended it.

Interesting, I never thought of RSA being multiplicatively homomorphic.

That's the basis of several other classic attacks on RSA.
