Abstract
We show that the security of the TLS handshake protocol based on RSA can be related to the hardness of inverting RSA given a certain “partial-RSA” decision oracle. The reduction takes place in a security model with reasonable assumptions on the underlying TLS pseudo-random function, thereby addressing concerns about its construction in terms of two hash functions. The result is extended to a wide class of constructions that we denote tagged key-encapsulation mechanisms.
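The abstract refers to the TLS pseudo-random function built from two hash functions and to the RSA-encrypted premaster secret from which the master secret is derived. The following Python is an added example, not code from the paper or from any TLS implementation: it implements the TLS 1.0 PRF of RFC 2246 section 5 (P_MD5 over one half of the secret XORed with P_SHA-1 over the other), derives the 48-byte master secret from the premaster secret and the two hello randoms, and shows the server's handling of the RSA-decrypted PKCS #1 v1.5 block, including the RFC 2246 section 7.4.7.1 response to Bleichenbacher's attack of substituting a random premaster secret when the block or its version field is malformed. The RSA decryption itself is assumed to have already happened; the block, nonces and premaster secret are constructed values, and `fallback`, `build_block` and `demo` are names chosen for this example.

```python
import hashlib
import hmac
import os

# Assumed ClientHello.client_version for this example (TLS 1.0).
CLIENT_VERSION = b"\x03\x01"


def p_hash(digestmod, secret, seed, length):
    """RFC 2246 section 5 P_hash: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, digestmod).digest()
        out += hmac.new(secret, a + seed, digestmod).digest()
    return out[:length]


def split_secret(secret):
    """S1/S2 per RFC 2246: each half is ceil(L/2) bytes; for odd L the middle byte is in both."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls10_prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed)."""
    s1, s2 = split_secret(secret)
    md5_part = p_hash(hashlib.md5, s1, label + seed, length)
    sha1_part = p_hash(hashlib.sha1, s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def master_secret(premaster, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random + ServerHello.random)[0..47] (RFC 2246 section 8.1)."""
    return tls10_prf(premaster, b"master secret", client_random + server_random, 48)


def recover_premaster(decrypted_block, client_version, fallback):
    """Parse an RSA-decrypted PKCS #1 v1.5 type-2 block (00 02 PS 00 M) and return the
    48-byte premaster secret.  Any format or version failure yields `fallback` (a random
    48-byte value supplied by the caller) rather than an error, so the handshake proceeds
    and fails only at Finished; this is the RFC 2246 section 7.4.7.1 countermeasure to
    Bleichenbacher's attack.  A production implementation must also make this path
    free of timing differences; this example only shows the substitution behaviour."""
    ok = len(decrypted_block) >= 11 and decrypted_block[:2] == b"\x00\x02"
    sep = decrypted_block.find(b"\x00", 2)
    # PS must be at least 8 non-zero bytes, so the separator cannot sit before index 10.
    ok = ok and sep >= 10
    premaster = decrypted_block[sep + 1:] if sep != -1 else b""
    ok = ok and len(premaster) == 48 and premaster[:2] == client_version
    return premaster if ok else fallback


def build_block(premaster, ps_len=20):
    """Constructed PKCS #1 v1.5 type-2 block as the server sees it after RSA decryption.
    Real PS is random non-zero bytes; a fixed 0xAA fill keeps the example reproducible."""
    return b"\x00\x02" + b"\xaa" * ps_len + b"\x00" + premaster


def demo():
    # Constructed handshake values; real nonces are 32 random bytes each and the
    # premaster carries 46 random bytes after the version.
    client_random = bytes(range(32))
    server_random = bytes(range(32, 64))
    premaster = CLIENT_VERSION + b"\x11" * 46
    ms = master_secret(premaster, client_random, server_random)
    # Same premaster, different ServerHello.random: the derived key is bound to the nonces.
    ms_other = master_secret(premaster, client_random, bytes(32))
    # Wrong block type (00 01): the server substitutes the random premaster and carries on.
    fallback = os.urandom(48)
    bad_block = b"\x00\x01" + b"\xaa" * 20 + b"\x00" + premaster
    bad = recover_premaster(bad_block, CLIENT_VERSION, fallback)
    return {
        "master_secret": ms,
        "nonce_bound": ms != ms_other,
        "good_roundtrip": recover_premaster(build_block(premaster), CLIENT_VERSION, fallback) == premaster,
        "bad_uses_fallback": bad == fallback,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `recover_premaster` taking the fallback as an argument is that the caller generates it before looking at the ciphertext, so a malformed block costs the same work as a well-formed one and the attacker learns nothing from the server's response until the Finished check, which fails either way for a forged ciphertext.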
© 2002 Springer-Verlag Berlin Heidelberg
Cite this paper
Jonsson, J., Kaliski, B.S. (2002). On the Security of RSA Encryption in TLS. In: Yung, M. (eds) Advances in Cryptology — CRYPTO 2002. CRYPTO 2002. Lecture Notes in Computer Science, vol 2442. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45708-9_9
DOI: https://doi.org/10.1007/3-540-45708-9_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-44050-5
Online ISBN: 978-3-540-45708-4