3.2 Speed
RSA is very much slower than DES and other symmetric cryptosystems. In practice, Bob typically encrypts a secret message with a symmetric algorithm, encrypts the (comparatively short) symmetric key with RSA, and transmits both the RSA-encrypted symmetric key and the symmetrically-encrypted message to Alice.
This procedure raises additional security issues. For instance, it is of utmost importance to use a strong random number generator for the symmetric key, because otherwise Eve could bypass RSA by guessing the symmetric key.
3.3 Key distribution
As with all ciphers, how RSA public keys are distributed is important to security. Key distribution must be secured against a man-in-the-middle attack. Suppose Eve has some way to give Bob arbitrary keys and make him believe they belong to Alice. Suppose further that Eve can intercept transmissions between Alice and Bob. Eve sends Bob her own public key, which Bob believes to be Alice's. Eve can then intercept any ciphertext sent by Bob, decrypt it with her own secret key, keep a copy of the message, encrypt the message with Alice's public key, and send the new ciphertext to Alice. In principle, neither Alice nor Bob would be able to detect Eve's presence. Defenses against such attacks are often based on digital certificates or other components of a public key infrastructure.
3.4 Timing attacks
Kocher described an ingenious new attack on RSA in 1995: if the attacker Eve knows Alice's hardware in sufficient detail and is able to measure the decryption times for several known ciphertexts, she can deduce the decryption key d quickly. This attack can also be applied against the RSA signature scheme. One way to thwart the attack is to ensure that the decryption operation takes a constant amount of time for every ciphertext. Another way makes use of the multiplicative property of RSA. Instead of computing cd mod N, Alice first chooses a secret random value r and computes (rec)d mod N. The result of this computation is rm mod N and so the effect of r can be removed by multiplying by its inverse. A new value of r is chosen for each ciphertext. With this technique, known as message blinding, the decryption time is no longer correlated to the value of the ciphertext and so the timing attack fails.
3.5 Adaptive chosen ciphertext attacks
In 1998, Daniel Bleichenbacher described the first practical adaptive chosen ciphertext attack, against RSA-encrypted messages using the PKCS #1 v1 redundancy function (a redundancy function adds structure to an RSA-encrypted message, so it is possible to determine whether a decrypted message is valid.) Due to flaws with the PKCS #1 scheme, Bleichenbacher was able to mount a practical attack against RSA implementations of the Secure Socket Layer protocol, and potentially reveal session keys. As a result of this work, cryptographers now recommend the use of provably secure redundancy checks such as OAEP , and RSA Laboratories has released new versions of PKCS #1 that are not vulnerable to these attacks.
4 Related articles
5 External link
Asymmetric-key cryptosystems
