Project Topic: Chosen Ciphertext Attack on Padded RSA
This project resembles in many respects the `padding oracle' attack on
block ciphers operating in CBC mode. Here the attack is on a standard
implementation of RSA with a prescribed scheme for random
padding. The idea is this: SSL servers that receive
RSA-encrypted ciphertexts might decrypt the message, and then send an
error message if they detect that the padded plaintext is not in the
proper format. Using just the information provided by these error
messages, it is possible to choose ciphertexts adaptively to decrypt an
intercepted ciphertext.
Read the paper describing this attack `Chosen Ciphertext Attacks
Against Protocols Based on the RSA Encryption Standard PKCS#1' by
Daniel Bleichenbacher. Your project should present this attack,
with a good explanation of why it works, and include an experimental
implementation. Bleichenbacher estimates approximately 10^6
chosen ciphertexts are required to decrypt the intercepted ciphertext
for 512-bit RSA keys, and the results are borne out by his
experiments. This means that an experimental implementation could
take a very long time. But you can carry out a proof-of-concept
demonstration by simplifying the padding scheme, using only a
single-byte header instead of two bytes and a smaller key size.
This should lead to an attack that requires only a few thousand chosen
ciphertexts instead of a million.
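The following toy model is an added illustration, not part of the project description and not Bleichenbacher's, Matasano's, or any course code. It uses a 64-bit key and the single-byte 0x02 header simplification suggested above (both assumptions, as are all function and parameter names) to show the three facts the project turns on: RSA's multiplicative property, which is what makes adaptively chosen ciphertexts c*s^e informative; a server whose "padding error" response reveals whether the decrypted block is conforming, which is the oracle; and the TLS-style countermeasure of never reporting that failure, so every ciphertext gets the same answer. It does not implement the interval-narrowing search itself.

```python
"""Toy model (added example, not from the course page) of the padding-check
leak behind Bleichenbacher's attack and of its mitigation.  Key size and the
one-byte 0x02 header are the simplifications the project suggests."""
import random

E = 65537  # public exponent


def _is_probable_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; these bases are exact for n < 3.4e14."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in (2, 3, 5, 7, 11, 13, 17):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int, rng: random.Random) -> int:
    # Top bit set so n has a known size; (p-1) not divisible by E so d exists.
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand) and (cand - 1) % E != 0:
            return cand


def keygen(bits: int = 64, seed: int = 1):
    """Toy RSA key (assumed size; real keys are 2048+ bits). Returns (n, e, d, k)."""
    rng = random.Random(seed)
    p = _gen_prime(bits // 2, rng)
    q = _gen_prime(bits // 2, rng)
    while q == p:
        q = _gen_prime(bits // 2, rng)
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    k = (n.bit_length() + 7) // 8  # modulus length in bytes
    return n, E, d, k


def pad_simplified(msg: bytes, k: int, rng: random.Random) -> int:
    """0x02 || nonzero PS || 0x00 || msg, i.e. the page's single-byte header."""
    ps_len = k - 2 - len(msg)
    if ps_len < 1:
        raise ValueError("message too long for this toy modulus")
    ps = bytes(rng.randrange(1, 256) for _ in range(ps_len))
    return int.from_bytes(b"\x02" + ps + b"\x00" + msg, "big")


def conforming(m: int, k: int) -> bool:
    """The check a naive server performs: does the decrypted block start with 0x02?
    Equivalently, is 2B <= m < 3B with B = 2^(8(k-1)); a 'yes' tells the sender
    that much about m, which is what the attack accumulates."""
    return m.to_bytes(k, "big")[0] == 0x02


class Server:
    """Holds the private key; two response policies for the same decryption."""

    def __init__(self, n: int, d: int, k: int, seed: int = 2):
        self.n, self.d, self.k = n, d, k
        self.rng = random.Random(seed)
        self.queries = 0        # a burst of these from one peer is the detection signal
        self.last_block = None  # block the protocol would continue with

    def _raw_decrypt(self, c: int) -> int:
        self.queries += 1
        return pow(c, self.d, self.n)

    def leaky(self, c: int) -> str:
        """Reports padding failures to the sender: this response is the oracle."""
        return "OK" if conforming(self._raw_decrypt(c), self.k) else "PADDING_ERROR"

    def hardened(self, c: int) -> str:
        """TLS-style countermeasure: never signal a padding failure. On a bad
        block, substitute a random conforming block and proceed as if it were
        genuine, so every ciphertext produces the same visible status."""
        m = self._raw_decrypt(c)
        if not conforming(m, self.k):
            m = pad_simplified(bytes([self.rng.randrange(256)]), self.k, self.rng)
        self.last_block = m
        return "OK"


def malleability_holds(n: int, e: int, d: int, c: int, s: int) -> bool:
    """Why chosen ciphertexts help: c*s^e mod n decrypts to m*s mod n."""
    m = pow(c, d, n)
    return pow(c * pow(s, e, n) % n, d, n) == m * s % n


def response_counts(server_fn, n: int, e: int, c: int, trials: int, seed: int = 3) -> dict:
    """Send random multiples c*s^e of one target ciphertext and tally the replies.
    A leaky server answers OK with probability about B/n per try (between 1/256
    and 1/64 for this 62-64 bit n; roughly 1/65536 with the real 00 02 header),
    while a hardened server always gives the same reply."""
    rng = random.Random(seed)
    counts: dict = {}
    for _ in range(trials):
        s = rng.randrange(2, n)
        reply = server_fn(c * pow(s, e, n) % n)
        counts[reply] = counts.get(reply, 0) + 1
    return counts


def demo(trials: int = 4000) -> dict:
    n, e, d, k = keygen()
    c = pow(pad_simplified(b"pms", k, random.Random(4)), e, n)  # constructed target
    srv = Server(n, d, k)
    return {
        "malleable": malleability_holds(n, e, d, c, 12345),
        "leaky": response_counts(srv.leaky, n, e, c, trials),
        "hardened": response_counts(srv.hardened, n, e, c, trials),
        "queries_seen": srv.queries,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the leaky policy returning a small number of "OK" replies among thousands of "PADDING_ERROR" ones for a target the sender never decrypted, while the hardened policy returns only "OK"; the `queries` counter is the operational signal a defender has, since the attack needs thousands (or, with a real two-byte header, around a million) decryptions of closely related ciphertexts from one peer. The hardened branch is the countermeasure SSL/TLS adopted after this paper; RSA-OAEP in PKCS#1 v2 was designed so that this class of oracle does not arise.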
You also might want to look at the Matasano Crypto challenges, linked to on the course website. Two of the challenges are to implement this attack, one in
a baby version and the other a full-blown version.