错误生成的RSA密钥:我如何学会停止担心和恢复丢失的明文

D. Shumow
{"title":"错误生成的RSA密钥:我如何学会停止担心和恢复丢失的明文","authors":"D. Shumow","doi":"10.1093/comjnl/bxac199","DOIUrl":null,"url":null,"abstract":"\n When generating primes $p$ and $q$ for an RSA key, the algorithm specifies that if $p-1$ and $q-1$ must be relatively prime to the public exponent $e$. If this is not done, then the decryption exponent is not well defined. However, what if a software bug allows the generation of public parameters $N$ and $e$ of an RSA key with this property and then it is subsequently used for encryption? Though this may seem like a purely academic question, a software bug in a preview release of the Windows 10 operating system makes this question of more than purely theoretical. Without a well defined decryption exponent, plaintexts encrypted to such keys will be undecryptable thus potentially losing user data, a serious software defect. Though the decryption exponent is no longer well defined, it is in fact possible to recover the a small number of potential plaintexts, if the prime factors $p$ and $q$ of the public modulus $N$ are known. This paper presents an analysis of what steps fail in the RSA algorithm and derives a plaintext recovery algorithm. The runtime of this algorithm is $O(e)$ making it practical to use, and it has been implemented in python.","PeriodicalId":21872,"journal":{"name":"South Afr. Comput. J.","volume":"31 1","pages":"1342-1349"},"PeriodicalIF":0.0000,"publicationDate":"2023-01-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"Incorrectly Generated RSA Keys: How I Learned To Stop Worrying And Recover Lost Plaintexts\",\"authors\":\"D. Shumow\",\"doi\":\"10.1093/comjnl/bxac199\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"\\n When generating primes $p$ and $q$ for an RSA key, the algorithm specifies that if $p-1$ and $q-1$ must be relatively prime to the public exponent $e$. If this is not done, then the decryption exponent is not well defined. However, what if a software bug allows the generation of public parameters $N$ and $e$ of an RSA key with this property and then it is subsequently used for encryption? Though this may seem like a purely academic question, a software bug in a preview release of the Windows 10 operating system makes this question of more than purely theoretical. Without a well defined decryption exponent, plaintexts encrypted to such keys will be undecryptable thus potentially losing user data, a serious software defect. Though the decryption exponent is no longer well defined, it is in fact possible to recover the a small number of potential plaintexts, if the prime factors $p$ and $q$ of the public modulus $N$ are known. This paper presents an analysis of what steps fail in the RSA algorithm and derives a plaintext recovery algorithm. The runtime of this algorithm is $O(e)$ making it practical to use, and it has been implemented in python.\",\"PeriodicalId\":21872,\"journal\":{\"name\":\"South Afr. Comput. J.\",\"volume\":\"31 1\",\"pages\":\"1342-1349\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2023-01-22\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"South Afr. Comput. J.\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1093/comjnl/bxac199\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"South Afr. Comput. J.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1093/comjnl/bxac199","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 1

摘要

当为RSA密钥生成质数$p$和$q$时,该算法指定如果$p-1$和$q-1$必须相对于公共指数$e$为质数。如果没有这样做,则解密指数没有很好地定义。但是,如果软件错误允许生成具有此属性的RSA密钥的公共参数$N$和$e$,然后将其用于加密,该怎么办?虽然这看起来像是一个纯粹的学术问题,但Windows 10操作系统预览版中的一个软件漏洞使这个问题不仅仅是纯粹的理论问题。如果没有定义良好的解密指数,加密到此类密钥的明文将无法解密,因此可能会丢失用户数据,这是一个严重的软件缺陷。虽然解密指数不再被很好地定义,但如果已知公共模数N$的素数因子$p$和$q$,则实际上有可能恢复少量潜在的明文。本文分析了RSA算法中失败的步骤,并推导出一种明文恢复算法。该算法的运行时间为$O(e)$,使其易于使用,并且已在python中实现。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
Incorrectly Generated RSA Keys: How I Learned To Stop Worrying And Recover Lost Plaintexts
When generating primes $p$ and $q$ for an RSA key, the algorithm specifies that if $p-1$ and $q-1$ must be relatively prime to the public exponent $e$. If this is not done, then the decryption exponent is not well defined. However, what if a software bug allows the generation of public parameters $N$ and $e$ of an RSA key with this property and then it is subsequently used for encryption? Though this may seem like a purely academic question, a software bug in a preview release of the Windows 10 operating system makes this question of more than purely theoretical. Without a well defined decryption exponent, plaintexts encrypted to such keys will be undecryptable thus potentially losing user data, a serious software defect. Though the decryption exponent is no longer well defined, it is in fact possible to recover the a small number of potential plaintexts, if the prime factors $p$ and $q$ of the public modulus $N$ are known. This paper presents an analysis of what steps fail in the RSA algorithm and derives a plaintext recovery algorithm. The runtime of this algorithm is $O(e)$ making it practical to use, and it has been implemented in python.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信