Blinding Attack on RSA Digital Signatures¶
RSA security is often executed without the knowledge of the user. These automated processes rely on an application of RSA called Digital Signatures. Basically, when Alice encrypts a msg with Bob's public key, only Bob can decrypt the message. This proof of identity is called Digital Signatures. Often Bob sets up defenses so that he doesn't sign some dangerous messages sent by Marvin (Someone pretending to be Alice). But Blinding Attack utilizes another property of RSA to bypass these defenses.
Digital Signatures usually works in three steps:- 1. Alice sends a message M (M < N) to Bob. 2. Bob checks if the message falls within his defensive rules and signs the message (C = Mᵈ % N) and sends it back to Alice. 3. Alice decrypts the message (M = Cᵉ % N) and checks if the returned message is the same as the one she sent.
When Marvin tries to send a message similar to Alices, Bob notices that the message has some dangerous messages in it and refuses to sign the message. But RSA doesn't have any checking mechanisms inherently, these constraints can be bypassed easily. Sometimes just multiplying the dangerous message with a prime number would suffice. So Marvin can attempt a Blinding Attack by using the following steps:- 1. Prepare a buffer rᵉ (r = small integer and e = public key) and send messages multiplied with buffer. * M' = ( rᵉ * M ) % N * These buffers are often referred to as Blinding Factors 2. Since Bob only checks for certain characters/strings, Marvin's message will be approved because from Bob's perspective, Marvin is sending a random message that doesn't contain any unwanted text. And bob returns the signed message. * S' = M'ᵈ % N 3. Now all Marvin has to do is decrypt the message and remove the blinding factor. * ( S'ᵉ / rᵉ ) % N
Here is a small implementation blinding.py.