Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

The PKCS #1 v1.5 padding scheme for RSA has been proven to have some weakness wh

ID: 653390 • Letter: T

Question

The PKCS #1 v1.5 padding scheme for RSA has been proven to have some weakness when used with TLS for example.

My question is: is it still secure under the following conditions?

Alice sends a message to Bob encrypted with RSA using PKCS #1 v1.5 padding scheme. If Bob figures out that the message is correct, he will send an answering message back to Alice, otherwise, he will discard the message and won't send anything to Alice. Alice cannot know if Bob accepted the message nor how much it took to bob to decrypt it (and this makes timing attacks impossibile) because Bob may decrypt it after one day, one week or one year.

Explanation / Answer

Though Bob may potentially delay his response by one year or more, the attacker may probably assume that, in practice, Bob will respond rather promptly. Thus, an active attacker can infer from Bob's response, or lack thereof, whether decryption occurred or not. This is a setup where Bleichenbacher's attack seems to apply.

However, one must take the fine print into account: Bleichenbacher's attack works by knowing whether, upon decryption, Bob found a seemingly correct padding, i.e. one that begins with the two bytes 0x00 0x02. When Bob finds that padding, he will then extract the "message" by removing the leading non-zero bytes (after the 0x02), which are supposed to be random padding bytes, as per PKCS#1 specification. In the case of Bleichenbacher's attack, the message will then be random junk.

If your setup is exactly the following:

Bob decrypts the incoming sequences of bytes with the RSA modular exponentiation;
if the exponentiation result does not begin with 0x00 0x02, Bob does not respond;
otherwise, Bob always respond, possibly with a "Alice, you sent me random junk";

Then Bleichenbacher's attack applies.

Related Questions

The P wave represents atrial depolarization. In a normal EKG, the P-wave precede
Question #3480229
The P-A-D law firm offers 3 types of consultations; pre-nups (product P), annulm
Question #431359
The P-CI bond length in PCla is 204 pm. In contrast, PCIs has two different P-CI
Question #303698
The P-V m of a cyclic thermal p for 2 g of He is shown below. The system follows
Question #1563066
The P-V m of a cyclic thermal p for 2 g of He is shown below. The system follows
Question #1611658
The P-machine: In this assignment, you will implement a virtual machine (VM) kno
Question #3817145
The P-value for a hypothesis test is 0.0680.068. For each of the following signi
Question #3320152
The P-value for a hypothesis test is 0.072. For each of the following significan
Question #3200155
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
The PICO format is used to guide the nurse in developing clinical questions for
Next
The PLANTS1 data set in the Data Appendix gives the percent of nitrogen in four

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.