{"title":"错误生成的RSA密钥:我如何学会停止担心和恢复丢失的明文","authors":"D. Shumow","doi":"10.1093/comjnl/bxac199","DOIUrl":null,"url":null,"abstract":"\n When generating primes $p$ and $q$ for an RSA key, the algorithm specifies that if $p-1$ and $q-1$ must be relatively prime to the public exponent $e$. If this is not done, then the decryption exponent is not well defined. However, what if a software bug allows the generation of public parameters $N$ and $e$ of an RSA key with this property and then it is subsequently used for encryption? Though this may seem like a purely academic question, a software bug in a preview release of the Windows 10 operating system makes this question of more than purely theoretical. Without a well defined decryption exponent, plaintexts encrypted to such keys will be undecryptable thus potentially losing user data, a serious software defect. Though the decryption exponent is no longer well defined, it is in fact possible to recover the a small number of potential plaintexts, if the prime factors $p$ and $q$ of the public modulus $N$ are known. This paper presents an analysis of what steps fail in the RSA algorithm and derives a plaintext recovery algorithm. The runtime of this algorithm is $O(e)$ making it practical to use, and it has been implemented in python.","PeriodicalId":21872,"journal":{"name":"South Afr. Comput. J.","volume":"31 1","pages":"1342-1349"},"PeriodicalIF":0.0000,"publicationDate":"2023-01-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"Incorrectly Generated RSA Keys: How I Learned To Stop Worrying And Recover Lost Plaintexts\",\"authors\":\"D. Shumow\",\"doi\":\"10.1093/comjnl/bxac199\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"\\n When generating primes $p$ and $q$ for an RSA key, the algorithm specifies that if $p-1$ and $q-1$ must be relatively prime to the public exponent $e$. If this is not done, then the decryption exponent is not well defined. However, what if a software bug allows the generation of public parameters $N$ and $e$ of an RSA key with this property and then it is subsequently used for encryption? Though this may seem like a purely academic question, a software bug in a preview release of the Windows 10 operating system makes this question of more than purely theoretical. Without a well defined decryption exponent, plaintexts encrypted to such keys will be undecryptable thus potentially losing user data, a serious software defect. Though the decryption exponent is no longer well defined, it is in fact possible to recover the a small number of potential plaintexts, if the prime factors $p$ and $q$ of the public modulus $N$ are known. This paper presents an analysis of what steps fail in the RSA algorithm and derives a plaintext recovery algorithm. The runtime of this algorithm is $O(e)$ making it practical to use, and it has been implemented in python.\",\"PeriodicalId\":21872,\"journal\":{\"name\":\"South Afr. Comput. J.\",\"volume\":\"31 1\",\"pages\":\"1342-1349\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2023-01-22\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"South Afr. Comput. J.\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1093/comjnl/bxac199\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"South Afr. Comput. J.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1093/comjnl/bxac199","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Incorrectly Generated RSA Keys: How I Learned To Stop Worrying And Recover Lost Plaintexts
When generating primes $p$ and $q$ for an RSA key, the algorithm specifies that if $p-1$ and $q-1$ must be relatively prime to the public exponent $e$. If this is not done, then the decryption exponent is not well defined. However, what if a software bug allows the generation of public parameters $N$ and $e$ of an RSA key with this property and then it is subsequently used for encryption? Though this may seem like a purely academic question, a software bug in a preview release of the Windows 10 operating system makes this question of more than purely theoretical. Without a well defined decryption exponent, plaintexts encrypted to such keys will be undecryptable thus potentially losing user data, a serious software defect. Though the decryption exponent is no longer well defined, it is in fact possible to recover the a small number of potential plaintexts, if the prime factors $p$ and $q$ of the public modulus $N$ are known. This paper presents an analysis of what steps fail in the RSA algorithm and derives a plaintext recovery algorithm. The runtime of this algorithm is $O(e)$ making it practical to use, and it has been implemented in python.