Score:1

Break RSA without padding using a rainbow table attack

cl flag

We are using RSA without OAEP, with a relatively small input domain.

Lets assume we have John and Bob connected on a line, and we are eavesdropping them. Bob first sends John his public key (e,n), then John encrypts his message m and sends it on the line encrypted. When we eavesdrop the line we get his encrypted message, for example 3211 4431 9938 ... (I'm using a low modulo just for the example)

Me as the attacker can make a rainbow table of encryption of each number from 0 to n, and then decrypt John's message using the table I created.

  1. Am I correct?
  2. When we use any padding technique, we are preventing this attack (right?), by inserting random bits into the message, but how the decryptor (Bob) can 'remove' those random bits if he doesn't know them.
kelalaka avatar
in flag
If you can build a rainbow table for modulus of size 2048, you don't need to worry about OAEP at all. For short messages, yes there is a danger for the TextBook RSA. Padding is crucial to see probabilistic encrption.
kelalaka avatar
in flag
A related q/[Difference between known-plaintext attack and forward search attack](https://crypto.stackexchange.com/q/15040/18298)
Maarten Bodewes avatar
in flag
@kelalaka I don't see how textbook RSA would be problematic from building a rainbow table for a specific public key. It all depends on the input domain though, and if you only have one message it would take as long as brute forcing the message in the first place. Other ways of attacking textbook RSA can be found [here](https://crypto.stackexchange.com/q/20085/1172)
kelalaka avatar
in flag
@MaartenBodewes for each public key and modulus, can you build a rainbow table for the message sizes upto 2048? For short messages, yes, possible. My point was, if you can reach for the modulus size of the table, you can break the modulus :)
Maarten Bodewes avatar
in flag
Yeah, that's what I mean with "input domain". I don't think it is a bad way to attack small input domains and multiple messages, to be honest. And it is a pretty generic attack as well. That's why I reopened the question, as we have a Q/A to list all attacks on plaintext RSA already.
Yotam Sofer avatar
cl flag
@MaartenBodewes, IF I can assume the message includes only ascii letters, so the input domain is very small, right? and it should break easily. moreover, any answer for my second part of the question?
Maarten Bodewes avatar
in flag
Yes, you can disable this attack if you add *enough* random bits. You can use any kind of encoding for this, actually PKCS#1 has a pretty simple encoding: bytes valued 01..FF and 00 as ending byte value (with the strong disadvantage that it requires getting a range from a PRNG of course) but any other reversible encoding will do. After you are able to identify the random bits, you can simply ignore them and return the message. Of course, there are other attacks **such as** padding attacks possible on PKCS#1 and OAEP, I guess that requires additional study.
kelalaka avatar
in flag
@MaartenBodewes any padding is too generic, however, if the total size of the message with the random padding is in the range of the rainbow table, one will see the random bits, too...
Score:2
ng flag
  1. Yes, the attack in the question would work for the low modulo of the example. The term "dictionary" is more appropriate than "rainbow table" (used in the context of making a compact table of precomputed hashes).

    Actual attacks can't work this way though. In RSA as practiced it's impossible to build a large-enough dictionary, as it would take too much time to build (proportional to the modulus $n$, which is typically at least 2048-bit nowadays). However, if Alice encrypted a message known to belong to a small set (such as the names on the class roll) directly with textbook RSA $m\mapsto c:=m^e\bmod n$, then it is possible to decrypt $c$ by encrypting each possible message and testing which matches $c$. A sequential search of the $m$ in the class roll will do: a dictionary of the corresponding $c$ is only useful if there are several messages (and RSA is not practically used by breaking messages into small chunks, as in the question).

  2. Random encryption padding solves this problem, by reversibly turning a message $m$ into a sufficiently random-like message representative $\widetilde m\in[0,n)$. Then textbook RSA can be safely applied to $\widetilde m$, per the RSA assumption: for proper public key $(n,e)$ and random $x\in[0,n)$, it's hard to find $x$ from $x^e\bmod n$.

    how can the decryptor (Bob) 'remove' those random bits if he doesn't know them?

    The big picture is there is a convention between Alice and Bob about which bits of $\widetilde m$ are padding (some of which random) added by Alice, that should be removed by Bob. That simplified description is quite close to the deprecated padding technique in RSAES-PKCS1-v1_5. The modern RSAES-OAEP has extra steps so all except (at most) 8 bits of $\widetilde m$ appear random even when $m$ is not (which is obtained by a reversible symmetric cryptographic transformation after applying random padding, which diffuse the randomness), but the idea remains.

kelalaka avatar
in flag
I think the padding must be on the MSB's so that when 3 is used as the public exponent the $\sqrt[3]{c}$ can't be found.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.