RSA trick in email reply - encryption

A uses RSA encryption for her email. B finds an encrypted email to A: c = m^e mod n that he wants to know the plain text. B knows that when A replies to her email, she always includes the text of the message she is responding to in the reply.
Assume A only receives messages that are bit strings of length at most log n, which can be
mapped to Zn.
Also assume that B cannot simply send c as his own email to A and expect a reply, but that A will respond to email messages other than c.
How can B learn m using only c, e, n and random values from Zn?

From wikipedia:
RSA has the property that the product
of two ciphertexts is equal to the
encryption of the product of the
respective plaintexts. That is m1^e m2^e≡(m1m2)^e (mod n) Because
of this multiplicative property a
chosen-ciphertext attack is possible.
E.g. an attacker, who wants to know
the decryption of a ciphertext c = m^e
(mod n) may ask the holder of the
private key to decrypt an
unsuspicious-looking ciphertext c' =
cr^e (mod n) for some value r chosen by
the attacker. Because of the
multiplicative property c' is the
encryption of mr (mod n). Hence, if
the attacker is successful with the
attack, he will learn mr (mod n) from
which he can derive the message m by
multiplying mr with the modular
inverse of r modulo n.
That's actually pretty neat, thanks for asking the question that lead me to learning this.
As for your question of 3020 vs 600, it's multiplicative; rarely are concatenations used in mathematics, since after all we should always be working independent of base.

Related

rsa - calculating plaintext from ciphertext

I was solving a crypto question but now I am stuck for a long time.
I have to calculate plaintext, when I am given ciphertext, n, and e only. How to do so?
I don't have the totient otherwise it would have become easy.
ciphertext: 107524013451079348539944510756143604203925717262185033799328445011792760545528944993719783392542163428637172323512252624567111110666168664743115203791510985709942366609626436995887781674651272233566303814979677507101168587739375699009734588985482369702634499544891509228440194615376339573685285125730286623323
e = 3
n = 27566996291508213932419371385141522859343226560050921196294761870500846140132385080994630946107675330189606021165260590147068785820203600882092467797813519434652632126061353583124063944373336654246386074125394368479677295167494332556053947231141336142392086767742035970752738056297057898704112912616565299451359791548536846025854378347423520104947907334451056339439706623069503088916316369813499705073573777577169392401411708920615574908593784282546154486446779246790294398198854547069593987224578333683144886242572837465834139561122101527973799583927411936200068176539747586449939559180772690007261562703222558103359
I am not able to solve this for finding plaintext... i know i am missing something. Could you please help?

How to decrypt an RSA-encrypted message if I know p, q, dp, and dq?

I have the values of p, q, dp (which is d (mod p - 1)), and dq (which is d(mod q - 1)), and of course, the encrypted message itself.
I don't understand how to extract the remaining necessary values to decrypt the message.
In addition, the numeric values are so huge almost no online calculator site can solve them. (The encrypted message is 308 digits, p and q are each 155 digits, and dp and dq are each 154 digits, and the n value I got from multiplying p and q is 309 digits.)
If I were to write a program to solve it, C# or Python would be preferred.
I am very new to learning encryption and decryption, so a walkthrough perhaps in the answer would be very much appreciated!
The RSA math is explained in RFC 3447, section 5.1.2, you want Step 2, part b. And then you'll need to unpad the message, either according to OAEP or PKCS1 rules (see section 7).

How can I decrypt an RSA cipher knowing only p and q?

Knowing only p and q, how can I definitively find e and d in order to be able to decrypt the ciphertext?
Given that you are "well aware" of the RSA algorithm (I'm assuming textbook RSA) then you are probably also aware that e can be chosen as any value between 1 and φ(n), provided both e and φ(n) are co-prime.
If your question boils down to Can I determine, with 100% certainty, the values of e and d given only p and q? then the answer is no.
This is because any valid value of e selected will decrypt the ciphertext to something, not neccessarily the original, but to something. You'd have to have some indication of the plaintext's context, e.g. is it English? If you knew this, and provided p and q were relatively small, you could test possible values of e until you received a result in English.
In practice, e is often chosen as 3 or 65537.

Why does a .key file include P,Q,DP,DQ

By loading a pre-created .key file that includes an RSA Private Key only I noticed, that it contains the following numbers:
Modulus (private modulus)
Exponent (private exponent)
P (prime exponent)
Q (prime exponent)
DP
DQ
InverseQ
I am saving the key file somewhere, where storage is very small (portable). I though of only saving Modulus and Exponent. I understand P,Q and E are necessary to create modulus and exponent, however:
Question:
What is the purpose in saving all this data to a .key file, when PrivateModulus and PrivateExponent are enought to sign and decrypt messages?
Well, you need the public key Modulus and Exponent for encryption and the private key Modulus and D for decryption and signing.
P and Q are probably just added there for safety, since there is no efficient way to reconstruct them from the other given values. So in case your D gets corrupted, you can reconstruct it or if possibly a special implementation requires them for some Math-tricks to optimize the calculations.
The values of DP, DQ and InverseQ are used by some implementations to calculate RSA using the Chinese Remainder Theorem for speeding up the whole process.
DP = D mod (P - 1)
DQ = D mod (Q - 1)
InverseQ = Q^-1 mod (P - 1)
For more information on how that works, best check out this crpypto.stackexchange-question or the Wikipedia-article.

What is the difference between DSA and RSA?

It appears they are both encryption algorithms that require public and private keys. Why would I pick one versus the other to provide encryption in my client server application?
Check AVA's answer below.
My old answer seems wrong
Referring, https://web.archive.org/web/20140212143556/http://courses.cs.tamu.edu:80/pooch/665_spring2008/Australian-sec-2006/less19.html
RSA
RSA encryption and decryption are commutative
hence it may be used directly as a digital signature scheme
given an RSA scheme {(e,R), (d,p,q)}
to sign a message M, compute:
S = M power d (mod R)
to verify a signature, compute:
M = S power e(mod R) = M power e.d(mod R) = M(mod R)
RSA can be used both for encryption and digital signatures,
simply by reversing the order in which the exponents are used:
the secret exponent (d) to create the signature, the public exponent (e)
for anyone to verify the signature. Everything else is identical.
DSA (Digital Signature Algorithm)
DSA is a variant on the ElGamal and Schnorr algorithms.
It creates a 320 bit signature, but with 512-1024 bit security
again rests on difficulty of computing discrete logarithms
has been quite widely accepted.
DSA Key Generation
firstly shared global public key values (p,q,g) are chosen:
choose a large prime p = 2 power L
where L= 512 to 1024 bits and is a multiple of 64
choose q, a 160 bit prime factor of p-1
choose g = h power (p-1)/q
for any h<p-1, h(p-1)/q(mod p)>1
then each user chooses a private key and computes their public key:
choose x<q
compute y = g power x(mod p)
DSA key generation is related to, but somewhat more complex than El Gamal.
Mostly because of the use of the secondary 160-bit modulus q used to help
speed up calculations and reduce the size of the resulting signature.
DSA Signature Creation and Verification
to sign a message M
generate random signature key k, k<q
compute
r = (g power k(mod p))(mod q)
s = k-1.SHA(M)+ x.r (mod q)
send signature (r,s) with message
to verify a signature, compute:
w = s-1(mod q)
u1= (SHA(M).w)(mod q)
u2= r.w(mod q)
v = (g power u1.y power u2(mod p))(mod q)
if v=r then the signature is verified
Signature creation is again similar to ElGamal with the use of a
per message temporary signature key k, but doing calc first mod p,
then mod q to reduce the size of the result. Note that the use of
the hash function SHA is explicit here. Verification also consists of
comparing two computations, again being a bit more complex than,
but related to El Gamal.
Note that nearly all the calculations are mod q, and
hence are much faster.
But, In contrast to RSA, DSA can be used only for digital signatures
DSA Security
The presence of a subliminal channel exists in many schemes (any that need a random number to be chosen), not just DSA. It emphasises the need for "system security", not just a good algorithm.
Btw, you cannot encrypt with DSA, only sign. Although they are mathematically equivalent (more or less) you cannot use DSA in practice as an encryption scheme, only as a digital signature scheme.
With reference to man ssh-keygen, the length of a DSA key is restricted to exactly 1024 bit to remain compliant with NIST's FIPS 186-2. Nonetheless, longer DSA keys are theoretically possible; FIPS 186-3 explicitly allows them. Furthermore, security is no longer guaranteed with 1024 bit long RSA or DSA keys.
In conclusion, a 2048 bit RSA key is currently the best choice.
MORE PRECAUTIONS TO TAKE
Establishing a secure SSH connection entails more than selecting safe encryption key pair technology. In view of Edward Snowden's NSA revelations, one has to be even more vigilant than what previously was deemed sufficient.
To name just one example, using a safe key exchange algorithm is equally important. Here is a nice overview of current best SSH hardening practices.
And in addition to the above nice answers.
DSA uses Discrete logarithm.
RSA uses Integer Factorization.
RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman.

Resources