Cryptology ePrint Archive: Report 2002/071

Further Results and Considerations on Side Channel Attacks on RSA

Vlastimil Klima and Tomas Rosa

Abstract: This paper contains three parts. In the first part we present a new side channel attack on plaintext encrypted by EME-OAEP PKCS#1 v.2.1. In contrast with Manger´s attack, we attack that part of the plaintext, which is shielded by the OAEP method. In the second part we show that Bleichenbacher’s and Manger’s attack on the RSA encryption scheme PKCS#1 v.1.5 and EME-OAEP PKCS#1 v.2.1 can be converted to an attack on the RSA signature scheme with any message encoding (not only PKCS). This is a new threat for those implementations of PKI, in which the roles of signature and encryption keys are not strictly separated. This situation is often encountered in the SSL protocol used to secure access to web servers. In the third part we deploy a general idea of fault-based attacks on the RSA-KEM scheme and present two particular attacks as the examples. The result is the private key instead of the plaintext as with attacks on PKCS#1 v.1.5 and v.2.1. These attacks should highlight the fact that the RSA-KEM scheme is not an entirely universal solution to problems of RSAES-OAEP implementation and that even here the manner of implementation is significant.

Category / Keywords: public-key cryptography / side channel attack, confirmation oracle, RSA-KEM, RSAES-OAEP, PKCS#1 v.1.5, PKCS#1 v.2.1, Bleichenbacher's attack, Manger's attack, power analysis, fault analysis

Publication Info: Final version is to be published in proceedings of CHES 2002.

Date: received 23 May 2002, last revised 28 Aug 2002

Contact author: vlastimil klima at i cz

Available format(s): PDF | BibTeX Citation

Note: Several typos corrected.

Version: 20020828:120342 (All versions of this report)

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]