pkcs#1v1.5_pkcs 1 v1 5有什么特别之处，而这种攻击不会消失

pkcs#1v1.5

RSA has been with us for many decades, and it’s still going strong. But it has weaknesses. The first is where we have a short message and the second is where we have a small value of e. To recap, in traditional RSA, we take the message of m, and an encryption key value e, along with a modulus of N, to give a cipher message of:

RSA与我们在一起已有数十年了，而且它仍然很强大。 但是它有缺点。 第一个是短消息，第二个是e较小的值。 回顾一下，在传统的RSA中，我们采用m的消息和一个加密密钥值e以及一个模数N来给出以下密码消息：

c = m^e (mod N)

c = m ^ e(模N)

To decrypt we use a value of d, to recover the message:

要解密，我们使用值d来恢复消息：

m = c^d (mod N)

m = c ^ d(mod N)

The value of N is the product to two large prime numbers (p and q).

N的值是两个大质数(p和q)的乘积。

短消息 (Short messages)

If I use a small value of m, and which is less than N, we will end up with a discrete log problem, and where:

如果我使用一个小的m值，并且小于N，那么我们将遇到离散对数问题，其中：

m^e = c

m ^ e = c

log (m^e) = log(c)

log(m ^ e)= log(c)

e log (m) = log ( c)

e log(m)=对数(c)

log (m) = log (c ) /e

对数(m)=对数(c)/ e

m = Inv Log (log ( c) /e)

m = Inv Log(log(c)/ e)

Here is the demo of this cracking:

这是此破解的演示：

An outline of the code used is:

使用的代码概述为：

import math
import sysp=14222331744261730109
q=6549179332223292769message=5
e=7N=p*qCipher=(message**e) % N
print 'Message=',message
print 'N=',N
print 'e=',e
print 'Cipher=',Cipher
print '=============='Message = 10**(math.log10(Cipher)/e)
print 'Message is:',int(round(Message)), ' Calculated from log10(Cipher/e)'
if ((message**e) > N):
	print 'Method will not work as M^e is larger than N'

The following gives a sample run:

下面给出了一个示例运行：

Message= 5
p= 14222331744261730109
q= 6549179332223292769
N= 93144601115542176265237708764769281821
e= 7
Cipher= 78125
==============
Message is: 5  Calculated from log10(Cipher/e)

We can also have a problem when we have a small value of e, such as e=3.

当e的值较小时，例如e = 3，我们也会遇到问题。

PKCS＃1 v1.5 (PKCS#1 v1.5)

PKCS#1 v1.5 aims to address the issues of small messages in RSA. With this we pad the message with random string (r):

PKCS＃1 v1.5旨在解决RSA中的小消息问题。 这样，我们用随机字符串(r)填充消息：

x = 0x00 || 0x02 || r || 0x00 || m

and then the cipher becomes:

然后密码变成：

c = x^e (mod N)

c = x ^ e(mod N)

The length of random value (r) is k-Len-3 bytes, and where k is the number of bytes in modulus (N), and Len is the number of bytes in the message. In this way we pad short messages, in order for the value of x to be large enough to make sure it is not possible to easily reverse the cipher for short messages. The receiver then derives the value of x. It then detects the 0x0 and 0x2 at the start of the value,and then removes the padding.

随机值(r)的长度是k-Len-3个字节，其中k是模数(N)中的字节数，Len是消息中的字节数。 通过这种方式，我们填充了短消息，以使x的值足够大，以确保不可能轻易地反转短消息的密码。 然后，接收器得出x的值。 然后，它会在值的开头检测到0x0和0x2，然后删除填充。

If you are interested, PKCS-15 also solves the Coppersmith’s Short Pad Attack [here] and the Hastad broadcast attack (and where the same message received by e recipients, results in a decryption of the message).

如果您有兴趣，PKCS-15还可以解决Coppersmith的Short Pad Attack( 在这里 )和Hastad广播攻击(以及在e接收者收到相同消息的地方，导致消息解密)。

布雷兴巴赫的进攻 (Bleichenbacher’s attack)

Unfortunately PKCS#1 v1.5 is sussible to Bleichenbacher’s attack [here] and has been the core of many attacks on SSL:

不幸的是，PKCS＃1 v1.5容易受到Bleichenbacher的攻击[ 这里 ]，并且已成为许多SSL攻击的核心：

Let’s say that Eve is attacking the server. In the message she sends, there’s padding of the pre-shared key (as it is much smaller than the public modulus — n). I have created a demo here:

假设Eve正在攻击服务器。 在她发送的消息中，填充了预共享密钥(因为它比公共模数n小得多)。 我在这里创建了一个演示：

In PKCS#1 v1.5 padding we then have two bytes at the start:

在PKCS＃1 v1.5填充中，我们在开头有两个字节：

0x00 0x02

Eve then captures the cipher in the handshake and which contains the SSL pre-shared key (M):

Eve然后捕获握手中的密码，该密码包含SSL预共享密钥(M)：

C=M^e (mod N)

C = M ^ e (mod N)

She then plays it back to the server, but adds an ‘s’ value (where she multiplies the cipher ( c) by s to the power of e (mod N)):

然后，她将其播放回服务器，但添加了一个s值(将密码(c)乘以s到e的幂(模N))：

C′=C×(se) (mod N)

C '= C ×( se )(mod N)

where e and N are the known public key elements. The server decrypts and gets:

其中e和N是已知的公钥元素。 服务器解密并获取：

M′=(C(s^e))^ d (modN)=C^d×s^{ed} ( modN)=M×s (modN)

M '=( C ( s ^ e )) ^ d (mod N) = C ^ d × s ^ {ed }(mod N) = M × s (mod N)

M=C′s

M = C 的

When the server reads this, the first two bytes are likely to be incorrect, so it responds to say “Bad Crypto!”. Eve then keeps trying with different s values, until the server gives her a positive response, and she’s then on her way to finding the key. As we have 16 bits at the start, it will take us between 30,000 (1 in 215 which is 1-in-32,728) and 130,000 attempts (1 in 217 which is 1-in-131,073) to get a successful access.

当服务器读取此消息时，前两个字节可能不正确，因此它会说“ Bad Crypto！”。 然后，Eve继续尝试使用不同的s值，直到服务器给出肯定的响应，然后她才开始寻找密钥。 由于开始时有16位，因此成功访问需要30,000次(215中的1分，即32,728分之一)和130,000次尝试(217中的1分，即1,131,073分之一)才能成功访问。

We use padding to make sure that M (the pre-shared key) is the same length as the modulus (n). As M is only 48 bytes, we need to pad to give a length equal to n (256 bytes for a 2048-bit key).

我们使用填充来确保M(预共享密钥)的长度与模数(n)相同。 由于M只有48个字节，因此我们需要填充以提供等于n的长度(对于2048位密钥为256个字节)。

In the end we just need to divide the original cipher by the value we have found, and we get M.

最后，我们只需要将原始密码除以找到的值，便得到M。

In this case we capture the cipher with M (which starts with \x00\x02), and then play it back with the addition of s^e, and then detect when there is a success in the cipher code:

在这种情况下，我们使用M(以\ x00 \ x02开头)捕获密码，然后在添加s ^ e的情况下进行回放，然后检测密码是否成功：

import syse=79
d=1019
N=3337def int_to_bytes(val, num_bytes):
    return [(val & (0xff << pos*8)) >> pos*8 for pos in range(num_bytes)]print '==Initial values ===='
print 'e=',e,'d=',d,'N=',N
print '\n============='
pad = '\x00\x02\x55\x55'val = int(pad.encode('hex'), 16)
print 'Padding is:',pad,' Int:',valcipher = val**e % Nprint 'Cipher is: ',cipherfor s in range(0,255):
	cipher_dash = (cipher*(s**e)) % N
	decode = cipher_dash **d % N
	result = int_to_bytes(decode,2)
	print s,
	if (result[0]==0 and result[1]==2):
		print '\n\\x00\\x02 Found it at s=',s
		break

Let’s select:

让我们选择：

P=47 Q=71

The calculation of n and PHI is:

n和PHI的计算为：

n=P × Q = 13 × 11 = 3337
PHI = (p-1)(q-1) = 3220

We can select e as:

我们可以选择e作为：

e = 79

Next we can calculate d from:

接下来，我们可以根据以下公式计算d：

(79 × d) mod 3220 = 1 [Link]
d = 1019
Encryption key [3337,79]
Decryption key [3337,1019]

Then, with a message of 688, we get:

然后，以688的消息，我们得到：

Cipher=(688)^79 (mod3337)=1570

密码 =(688)^ 79(mod3337)= 1570

Decoded=(1570)^1019 (mod3337) =688

解码 =(1570)^ 1019(mod3337)= 688

结论 (Conclusion)

So there you go, PKCS#1 v1.5 addresses several RSA issues, but beware of the Bleichenbacher attack as it just refuses to go away:

因此，PKCS＃1 v1.5解决了几个RSA问题，但是请注意Bleichenbacher攻击，因为它只是拒绝消失：

翻译自: https://medium.com/asecuritysite-when-bob-met-alice/whats-so-special-about-pkcs-1-v1-5-and-the-attack-that-just-won-t-go-away-51ccf35d65b7

pkcs#1v1.5