SlideShare a Scribd company logo
1 of 36
Download to read offline
On the Secrecy of RSA Private Keys
Dr. Dharma Ganesan, Ph.D.,
Disclaimer
● The opinions expressed here are my own
○ But not the views of my employer
● The source code fragments and exploits shown here can be reused
○ But without any warranty nor accept any responsibility for failures
● Do not apply the exploit discussed here on other systems
○ Without obtaining authorization from owners
2
Question (standard notations are defined later)
● Can we reveal the RSA private exponent d from its public key <e, n>?
● We study this question for two specific cases: e = 3 and e = 65537
● Using demos, we verify that RSA reveals the most significant half of the
private exponent d when the public exponent e is small
● For example, for 2048-bit RSA, the most significant 1024 bits are revealed!
3
Agenda
● Overview of Public Key Cryptography using RSA
● Math facts
● Algorithm to approximate private key from public key
● Demo
● Conclusion
● Appendix
4
Prerequisite
Some familiarity with the following topics will help to follow the rest of the slides
● Group Theory
● Number Theory
● Algorithms and Complexity Theory
● If not, it should still be possible to obtain a high-level overview
5
How can Bob send a message to Alice securely?
6
Public Key PuA
● Alice and Bob never met each other
● Bob will encrypt using Alice’s public key
○ Assume that public keys are known to the world
● Alice will decrypt using her private key
○ Private keys are secrets (never sent out)
● Bob can sign messages using his private key
○ Alice verifies message integrity using Bob’s public key
○ Not important for this presentation/attack
● Note: Alice and Bob need other evidence (e.g., passwords,
certificates) to prove their identity to each other
● Who are Alice, Bob, and Eve?
Private Key PrA
Public Key PuB
Private Key PrB
RSA Public Key Cryptography System
● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman
● Rooted in elegant mathematics - Group Theory and Number Theory
● Core idea: Anyone can encrypt a message using recipient's public key but
○ (as far as we know) no one can efficiently decrypt unless they got the matching private key
● Encryption and Decryption are inverse operations (math details later)
○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA
● Eavesdropper Eve cannot easily derive the secret (math details later)
○ Unless she solves “hard” number theory problems that are computationally intractable
7
8
Notations and Facts
GCD(x, y): The greatest common divisor that divides integers x and y
Co-prime: If gcd(x, y) = 1, then x and y are co-primes
Zn
= { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn
as a circular wall clock
Z*
n
= { x ∈ Zn
| gcd(x, n) = 1 }; (additional info: Z*
n
is a multiplicative group)
φ(n): Euler’s Totient function denotes the number of elements in Z*
n
φ(nm) = φ(n).φ(m) (This property is called multiplicative)
φ(p) = p-1, if p is a prime number
Notations and Facts ...
● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
● Euler’s Theorem: aφ(n)
≡ 1 (mod n), if gcd(a, n) = 1
● Fermat’s Little Theorem: ap
≡ a (mod p)
● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is
either a prime or can be written as a unique product of primes
○ Euclid’s work is the foundation for this theorem, see The Elements
● Euclid’s Lemma: if a prime p divides the product of two natural numbers a
and b, then p divides a or p divides b
● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes
9
RSA - Key Generation Algo
1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits)
○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later)
2. Pick two independent, large random primes, p and q, of half of n’s bitlength
○ In practice, q < p < 2q to avoid attacks (e.g., Fermat’s factorization)
3. Compute n = p.q (n is also called the RSA modulus)
4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)
5. Select numbers e and d from Zn
such that e.d ≡ 1(mod φ(n))
○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt)
○ d is the multiplicative inverse of e in Zn
6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q>
10
RSA Trapdoor
● RSA: Zn
→ Zn
● Let x and y ∈ Zn
● y = RSA(x) = xe
mod n
○ We may view x as a plaintext, and y as the corresponding ciphertext
● x = RSA-1
(y) = yd
mod n
● e and d are also called encryption and decryption exponents, respectively
● Many implementations use Chinese-Remainder Theorem (CRT) to compute
yd
efficiently
● I will use CRT later for an RSA game
11
RSA Trapdoor variables’ dependency graph
12
Private variable
Public variable
Note: Public exponent e affects the private exponent d
13
Fact: Let n = pq, p and q are two prime numbers such that q < p < 2q,
then p+q ≤ 3√n
Proof:
p + q < 2q + q = 3q ……………………. (1)
Since n = pq, n > q2
(since p > q )
Thus, q < √n …………………………………..(2)
Thus, combining (1) and (2), we obtain p + q < 3q < 3√n
14
Fact: If ed - 1 = k φ(n), then k < e
Proof (by contradiction):
Suppose k ≥ e then ed - 1 ≥ e φ(n)
Since ed > ed - 1 ≥ eφ(n)
ed ≥ e φ(n)
Since e > 0, divide by e of the above inequality, d ≥ φ(n)
This is a contradiction because RSA private exponent d is smaller than
φ(n). Note: One can similarly prove that k < d, too.
Algorithm to approximate the private exponent d
15
https://www.ams.org/notices/199902/boneh.pdf
We experiment with this algorithm (page 8 in boneh.pdf)
We provide a proof that k = 2 when e = 3, which was not
given in the paper
16
e.d ≡ 1(mod φ(n))
e.d - 1 = k (p-1)(q-1) for some integer k, recall that φ(n) = (p-1) (q-1)
= k (pq - p - q + 1)
e.d - 1 = k (n - p - q + 1) (since n = pq)
d = (1 + k(n - p - q + 1))/e
Since p and q are half the bitsize of n, (n-p-q+1) is of the same bitsize as n.
Let’s approximate n-p-q+1 by n; Thus, d^
= ⌊(1 + kn)/e⌋ is an approximation of
the private exponent d.
Note that we know n and e, but not k
Algorithm: derive private exponent d from public key
17
Fact: |d - d^
| < 3√n
Proof:
We know that d = (1+k(n-p-q+1))/e and d^
= ⌊(1 + kn)/e⌋
|d - d^
| = (1 + kn)/e - (1+kn-kp-kq+k)/e
|d - d^
| = (kp+kq-k)/e = k(p+q-1)/e < k (p + q)/e
|d - d^
| < 3√n (Since p+q ≤ 3√n and k < e)
Summary: d^
approximates d; half of the most significant bits is the same
18
e.d ≡ 1(mod φ(n))
3.d - 1 = k φ(n)
K can be either 1 or 2. We can prove that k ≠ 1 as follows:
Suppose k = 1, then 3d - 1 = φ(n) then d = (φ(n) + 1)/3
Since d is an odd number and φ(n) is an even number, we can deduce that
φ(n) ∈ {2, 8, 14, 20, 26, … }, or φ(n) = 2 + 6t for some non-negative integer t
φ(n) = 2 + 6t = 2(1 + 3t). If t is even, then (1+3t) is an odd number, but φ(n)
should only be a product of two even numbers. Thus, φ(n) ∉ {2, 14, 26, … }
Analysis of d^
when e = 3
Analysis of d^
when e = 3
19
We have established that φ(n) ∈ {8, 20, 32, … }; i.e., φ(n) = 8 + 12t
Let’s prove that the only possible value of φ(n) can be 8.
Case 1: φ(n) = 8 + 12t = 4(2 + 3t)
By defn., φ(n) is a product of two even numbers (p-1) and (q-1)
Let’s take q-1 = 4 and p-1 = 2+3t; i.e., q = 5 and p = 3+3t.
Clearly, 3+3t is not a prime number when t > 0. Thus, φ(n) ≠ 4(2 + 3t)
Analysis of d^
when e = 3
20
Case 2: φ(n) = 8 + 12t = 2(4 + 6t)
Let q-1 = 2 and p-1 = 4+6t. That is, q = 3 and p = 5+6t
Since RSA definition assumes that q < p < 2q,
3 < 5 + 6t is true for all t, but 5+6t > 2*3 (except t = 0 case)
Since p < 2q is violated, φ(n) ≠ 2(4 + 6t).
Thus, we proved that when e =3, k must be 2. (k = 1 is only possible if q = 3
and p = 5, but such small p and q are absurd anyways)
Demo
21
● Demo 1: When e = 3, the first half of the most significant private exponent d
bits is leaked
● Demo 2: When e = 65537, there are only at most 65537 possible values of
the most significant bits of d (instead of 2n/2
possibilities)
● For both demos, we will show that half of the most significant bits of the
private exponent d can be revealed by using the public parameters <e, n>
● The demos use 2048-bit RSA key (but applicable for other key sizes)
● Appendix has my implementation of the algorithm used in the demos
Demo 1: e = 3
22
23
~/crypto/RSA$ e=3
~/crypto/RSA$ java RSA_KeyPair 2048 $e
d=1421237067484190664687467641737187734480432074691163039233098997475699692733759482574032952
504058684945672246071323206448263776167088791315805030995938598788917861285158127945424492484
083185531159037194902697979212301225881718304183586919116140663186232111508302003084235247162
790681958249261347807069877965041559837274254672179935363751863511411580357365707845953663926
861042738958587605928377974474390920562141137897933563181368621890970668452394101228784250684
949276876015095331870308805317389193397861773963131721670380660776616208922972152524281777702
9163150275214370671181822432156547192936318586434345409301739
n=2131855601226285997031201462605781601720648112036744558849648496213549539100639223861049428
756088027418508369106984809672395664250633186973707546493907898183376791927737191918136738726
124778296738555792354046968818451838822577456275380378674210994779348167262453004626352870744
186022937373892021710604816947591541716920848648232267991218076826874172399457724605435745051
969912159268306241010887191644608211396202072313259815055304203147180860750050654130709105253
252072039356069016123192746164428752945697718217090400475781422732315382047928432005892912423
2687942502070000081779339907151328354852637293825990658859773
(on the next slide, we will reveal parts of the private d from public parameters <e, n>)
RSA_KeyPair is my program that generates RSA keys
24
~/crypto/RSA$ java RSA_DCap $e $n
k=1 d^ =
710618533742095332343733820868593867240216037345581519616549498737849846366879741287016476252029342
472836123035661603224131888083544395657902515497969299394458930642579063972712246242041592765579518
597451348989606150612940859152091793459558070331593116055754151001542117623581395340979124630673903
534938982530513905640282882744089330406025608958057466485908201811915017323304053089435413670295730
548202737132067357437753271685101401049060286916683551376903035084417357346452023005374397582054809
584315232572739030133491927140910771794015976144001964304141089598083402333336059311330238377611828
4212431275330219619924
k=2 d^ =
142123706748419066468746764173718773448043207469116303923309899747569969273375948257403295250405868
494567224607132320644826377616708879131580503099593859878891786128515812794542449248408318553115903
719490269797921230122588171830418358691911614066318623211150830200308423524716279068195824926134780
706987796506102781128056576548817866081205121791611493297181640362383003464660810617887082734059146
109640547426413471487550654337020280209812057383336710275380607016883471469290404601074879516410961
916863046514547806026698385428182154358803195228800392860828217919616680466667211862266047675522365
68424862550660439239849
k=3 d^ =
213185560122628599703120146260578160172064811203674455884964849621354953910063922386104942875608802
741850836910698480967239566425063318697370754649390789818337679192773719191813673872612477829673855
579235404696881845183882257745627538037867421099477934816726245300462635287074418602293737389202171
060481694759154171692084864823226799121807682687417239945772460543574505196991215926830624101088719
164460821139620207231325981505530420314718086075005065413070910525325207203935606901612319274616442
875294569771821709040047578142273231538204792843200589291242326879425020700000817793399071513283548
RSA_DCap is my program (see appendix)
25
We already proved that when e = 3, k = 2
d^
=142123706748419066468746764173718773448043207469116303923309899747569969
273375948257403295250405868494567224607132320644826377616708879131580503099
593859878891786128515812794542449248408318553115903719490269797921230122588
171830418358691911614066318623211150830200308423524716279068195824926134780
706987796506102781128056576548817866081205121791611493297181640362383003464
660810617887082734059146109640547426413471487550654337020280209812057383336
710275380607016883471469290404601074879516410961916863046514547806026698385
428182154358803195228800392860828217919616680466667211862266047675522365684
24862550660439239849
We see that d^
revealed half of the private exponent d using the
public key parameters <e, n>
26
Demo 2: e = 65537
27
Example: RSA public exponent e (e.g., CNN)
Disclaimer: CNN is just a random
example. We are not attacking it.
28
RSA Public Exponent
e is 65537 for CNN
29
Java JDK RSA key generation Code
30
Default Public
Exponent e is 65537
31
~/crypto/RSA$ java RSA_KeyPair 2048 65537
d=1491629145334706896467017294894892007671534965487629464211591052998312042021202036862248300189034
142316438082203748580728041607410808263351850622119133237512511436360765640238531295687593993896556
379805652151480308009131445209611685478461405326137092441371914212447136849213035694365635044042262
249824359449236690818626487184413087475423626176858565860592456883256289778387604384353711846146381
990134324009985938782618001216802708526050010979574880940401482976305545922019524306316518714599787
458458410757158810193932688548523743542459048263467703772587696279955036020135068150653908985091923
4654150061036966845424033
n=1978083757543518532451617006384592017538838264531824609389620454074269046902944514161092004238946
389821780708081486659958997628993972908848446665759239882372672238056970816760676356241963730837689
507554087920913900161765429475967645309630212886666261176248303151378956043846109273606649613140383
267234703464710971180657618980402253949546710953311699153301788485281409238637350429069319629583467
726988461505380836551971149145379567858344693903298557007299040518049531377666675151765379279923234
752095969737037013565533109667398191120453837912308378294097448282776247294362326194476537661616750
4687282086327354786906827
e = 65537
32
java RSA_DCap $e $n
k=4942
d^
=14916291453347068964670172948948920076715349654876294642115910529983120420
21202036862248300189034142316438082203748580728041607410808263351850622119133
23751251143636076564023853129568759399389655637980565215148030800913144520961
16854784614053261370924413719142124471368492130356943656350440422622498243594
49257918362880503074774240355625043186484950061128437172018970117238473811810
21066106191884077345266942217285500426004798294465049353453317995464090084352
96398651248041119672893944491479051749177231854428675467086726545740361196397
25187699773491223215803817723443053331103514510753270668601927889140940039319
674
We see that d^
revealed half of the private exponent d using the
public key parameters <e, n> (in 4942 attempts - see previous slide)
33
Conclusion
● When RSA is used with the public exponent e = 3, the most significant half of
the private exponent d is revealed (in one attempt)
● So, we want to avoid using e = 3 during key generation even if we use RSA
with proper random padding (e.g., OAEP)
● The default e = 65537 reveals half of the private key (65537 attempts at most)
● But, do not simply increase the value of e, then d will likely decrease!
● At this time of writing, e = 65537 is the NIST recommended value
● If RSA modulus size is b bit, the most significant b/2 bits of the private
key are known to attackers!
○ This is also true when e = 65537
References
● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE
Transactions on Information Theory, vol. IT-22, no. 6, November, 1976.
● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital
signatures and public-key cryptosystems,” CACM 21, 2, February, 1978.
● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied
Cryptography,” CRC Press, 1996.
● C. Paar and J. Pelzl. “Understanding Cryptography: A Textbook for Students
and Practitioners,” Springer, 2011.
34
Appendix
35
36
public static BigInteger[] leakPrivExp(int e, BigInteger n) {
BigInteger[] dcaps = new BigInteger[e];
for(int i = 1; i <= e; i++)
{
BigInteger k = BigInteger.valueOf(i);
// dcap = floor((1+kN)/e)
dcaps[i-1] = one.add(k.multiply(n)).divide(BigInteger.valueOf(e));
}
return dcaps;
}
Given the public parameters e and n, this code attempts to leak the private exponent d

More Related Content

What's hot

The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithm
Komal Singh
 

What's hot (20)

RSA Game using an Oracle
RSA Game using an OracleRSA Game using an Oracle
RSA Game using an Oracle
 
Analysis of Shared RSA Modulus
Analysis of Shared RSA ModulusAnalysis of Shared RSA Modulus
Analysis of Shared RSA Modulus
 
RSA Two Person Game
RSA Two Person GameRSA Two Person Game
RSA Two Person Game
 
Solutions to online rsa factoring challenges
Solutions to online rsa factoring challengesSolutions to online rsa factoring challenges
Solutions to online rsa factoring challenges
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent e
 
RSA without Padding
RSA without PaddingRSA without Padding
RSA without Padding
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public key
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor Function
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)
 
RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
RSA
RSARSA
RSA
 
The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithm
 
Rsa rivest shamir adleman
Rsa rivest shamir adlemanRsa rivest shamir adleman
Rsa rivest shamir adleman
 
The rsa algorithm JooSeok Song
The rsa algorithm JooSeok SongThe rsa algorithm JooSeok Song
The rsa algorithm JooSeok Song
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSA
 
The Mathematics of RSA Encryption
The Mathematics of RSA EncryptionThe Mathematics of RSA Encryption
The Mathematics of RSA Encryption
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSA
 
Implementation of RSA Algorithm for Speech Data Encryption and Decryption
Implementation of RSA Algorithm for Speech Data Encryption and DecryptionImplementation of RSA Algorithm for Speech Data Encryption and Decryption
Implementation of RSA Algorithm for Speech Data Encryption and Decryption
 
Ntewrok secuirty cs7
Ntewrok secuirty cs7Ntewrok secuirty cs7
Ntewrok secuirty cs7
 

Similar to On the Secrecy of RSA Private Keys

RSA final notation change2
RSA final notation change2RSA final notation change2
RSA final notation change2
Coleman Gorham
 
2010 3-24 cryptography stamatiou
2010 3-24 cryptography stamatiou2010 3-24 cryptography stamatiou
2010 3-24 cryptography stamatiou
vafopoulos
 
Senior Research Final Draft3
Senior Research Final Draft3Senior Research Final Draft3
Senior Research Final Draft3
Coleman Gorham
 
Crypto cs36 39
Crypto cs36 39Crypto cs36 39
Crypto cs36 39
sravanbabu
 

Similar to On the Secrecy of RSA Private Keys (20)

Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithm
 
RSA final notation change2
RSA final notation change2RSA final notation change2
RSA final notation change2
 
Rsa cryptosystem
Rsa cryptosystemRsa cryptosystem
Rsa cryptosystem
 
Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
Chapter 06 rsa cryptosystem
Chapter 06   rsa cryptosystemChapter 06   rsa cryptosystem
Chapter 06 rsa cryptosystem
 
Signyourd digital signature certificate provider
Signyourd   digital signature certificate providerSignyourd   digital signature certificate provider
Signyourd digital signature certificate provider
 
implementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.pptimplementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.ppt
 
Rsa documentation
Rsa documentationRsa documentation
Rsa documentation
 
Deep dive into rsa
Deep dive into rsaDeep dive into rsa
Deep dive into rsa
 
2010 3-24 cryptography stamatiou
2010 3-24 cryptography stamatiou2010 3-24 cryptography stamatiou
2010 3-24 cryptography stamatiou
 
Eulers totient
Eulers totientEulers totient
Eulers totient
 
01 - DAA - PPT.pptx
01 - DAA - PPT.pptx01 - DAA - PPT.pptx
01 - DAA - PPT.pptx
 
Senior Research Final Draft3
Senior Research Final Draft3Senior Research Final Draft3
Senior Research Final Draft3
 
11 Applied_Mathemathics HANDBOOK.pdf
11 Applied_Mathemathics HANDBOOK.pdf11 Applied_Mathemathics HANDBOOK.pdf
11 Applied_Mathemathics HANDBOOK.pdf
 
Codes and Isogenies
Codes and IsogeniesCodes and Isogenies
Codes and Isogenies
 
RSA
RSARSA
RSA
 
Unit 3
Unit 3Unit 3
Unit 3
 
MFCS-17.ppt
MFCS-17.pptMFCS-17.ppt
MFCS-17.ppt
 
Crypto cs36 39
Crypto cs36 39Crypto cs36 39
Crypto cs36 39
 

More from Dharmalingam Ganesan

More from Dharmalingam Ganesan (13)

.NET Deserialization Attacks
.NET Deserialization Attacks.NET Deserialization Attacks
.NET Deserialization Attacks
 
Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdf
 
How to exploit rand()?
How to exploit rand()?How to exploit rand()?
How to exploit rand()?
 
Thank-a-Gram
Thank-a-GramThank-a-Gram
Thank-a-Gram
 
Can I write to a read only file ?
Can I write to a read only file ?Can I write to a read only file ?
Can I write to a read only file ?
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based Testing
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering Tasks
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module Dependencies
 
Software Architecture
Software ArchitectureSoftware Architecture
Software Architecture
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solver
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit
 
20170605135932210 thank you card7
20170605135932210 thank you card720170605135932210 thank you card7
20170605135932210 thank you card7
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
 

Recently uploaded

Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Lisi Hocke
 

Recently uploaded (20)

Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
 
Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024
 
BusinessGPT - Security and Governance for Generative AI
BusinessGPT  - Security and Governance for Generative AIBusinessGPT  - Security and Governance for Generative AI
BusinessGPT - Security and Governance for Generative AI
 
Auto Affiliate AI Earns First Commission in 3 Hours..pdf
Auto Affiliate  AI Earns First Commission in 3 Hours..pdfAuto Affiliate  AI Earns First Commission in 3 Hours..pdf
Auto Affiliate AI Earns First Commission in 3 Hours..pdf
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea Goulet
 
Workshop - Architecting Innovative Graph Applications- GraphSummit Milan
Workshop -  Architecting Innovative Graph Applications- GraphSummit MilanWorkshop -  Architecting Innovative Graph Applications- GraphSummit Milan
Workshop - Architecting Innovative Graph Applications- GraphSummit Milan
 
Encryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key ConceptsEncryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key Concepts
 
Lessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfLessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdf
 
Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...
Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...
Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...
 
Software Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringSoftware Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements Engineering
 
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdf
 
A Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdfA Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdf
 
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
 
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
 
Novo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMsNovo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMs
 
Test Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdfTest Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdf
 
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
 
[GRCPP] Introduction to concepts (C++20)
[GRCPP] Introduction to concepts (C++20)[GRCPP] Introduction to concepts (C++20)
[GRCPP] Introduction to concepts (C++20)
 
Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024
 

On the Secrecy of RSA Private Keys

  • 1. On the Secrecy of RSA Private Keys Dr. Dharma Ganesan, Ph.D.,
  • 2. Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
  • 3. Question (standard notations are defined later) ● Can we reveal the RSA private exponent d from its public key <e, n>? ● We study this question for two specific cases: e = 3 and e = 65537 ● Using demos, we verify that RSA reveals the most significant half of the private exponent d when the public exponent e is small ● For example, for 2048-bit RSA, the most significant 1024 bits are revealed! 3
  • 4. Agenda ● Overview of Public Key Cryptography using RSA ● Math facts ● Algorithm to approximate private key from public key ● Demo ● Conclusion ● Appendix 4
  • 5. Prerequisite Some familiarity with the following topics will help to follow the rest of the slides ● Group Theory ● Number Theory ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview 5
  • 6. How can Bob send a message to Alice securely? 6 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? Private Key PrA Public Key PuB Private Key PrB
  • 7. RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they got the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable 7
  • 8. 8 Notations and Facts GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock Z* n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z* n is a multiplicative group) φ(n): Euler’s Totient function denotes the number of elements in Z* n φ(nm) = φ(n).φ(m) (This property is called multiplicative) φ(p) = p-1, if p is a prime number
  • 9. Notations and Facts ... ● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n ● Euler’s Theorem: aφ(n) ≡ 1 (mod n), if gcd(a, n) = 1 ● Fermat’s Little Theorem: ap ≡ a (mod p) ● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is either a prime or can be written as a unique product of primes ○ Euclid’s work is the foundation for this theorem, see The Elements ● Euclid’s Lemma: if a prime p divides the product of two natural numbers a and b, then p divides a or p divides b ● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes 9
  • 10. RSA - Key Generation Algo 1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits) ○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later) 2. Pick two independent, large random primes, p and q, of half of n’s bitlength ○ In practice, q < p < 2q to avoid attacks (e.g., Fermat’s factorization) 3. Compute n = p.q (n is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n)) ○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in Zn 6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q> 10
  • 11. RSA Trapdoor ● RSA: Zn → Zn ● Let x and y ∈ Zn ● y = RSA(x) = xe mod n ○ We may view x as a plaintext, and y as the corresponding ciphertext ● x = RSA-1 (y) = yd mod n ● e and d are also called encryption and decryption exponents, respectively ● Many implementations use Chinese-Remainder Theorem (CRT) to compute yd efficiently ● I will use CRT later for an RSA game 11
  • 12. RSA Trapdoor variables’ dependency graph 12 Private variable Public variable Note: Public exponent e affects the private exponent d
  • 13. 13 Fact: Let n = pq, p and q are two prime numbers such that q < p < 2q, then p+q ≤ 3√n Proof: p + q < 2q + q = 3q ……………………. (1) Since n = pq, n > q2 (since p > q ) Thus, q < √n …………………………………..(2) Thus, combining (1) and (2), we obtain p + q < 3q < 3√n
  • 14. 14 Fact: If ed - 1 = k φ(n), then k < e Proof (by contradiction): Suppose k ≥ e then ed - 1 ≥ e φ(n) Since ed > ed - 1 ≥ eφ(n) ed ≥ e φ(n) Since e > 0, divide by e of the above inequality, d ≥ φ(n) This is a contradiction because RSA private exponent d is smaller than φ(n). Note: One can similarly prove that k < d, too.
  • 15. Algorithm to approximate the private exponent d 15 https://www.ams.org/notices/199902/boneh.pdf We experiment with this algorithm (page 8 in boneh.pdf) We provide a proof that k = 2 when e = 3, which was not given in the paper
  • 16. 16 e.d ≡ 1(mod φ(n)) e.d - 1 = k (p-1)(q-1) for some integer k, recall that φ(n) = (p-1) (q-1) = k (pq - p - q + 1) e.d - 1 = k (n - p - q + 1) (since n = pq) d = (1 + k(n - p - q + 1))/e Since p and q are half the bitsize of n, (n-p-q+1) is of the same bitsize as n. Let’s approximate n-p-q+1 by n; Thus, d^ = ⌊(1 + kn)/e⌋ is an approximation of the private exponent d. Note that we know n and e, but not k Algorithm: derive private exponent d from public key
  • 17. 17 Fact: |d - d^ | < 3√n Proof: We know that d = (1+k(n-p-q+1))/e and d^ = ⌊(1 + kn)/e⌋ |d - d^ | = (1 + kn)/e - (1+kn-kp-kq+k)/e |d - d^ | = (kp+kq-k)/e = k(p+q-1)/e < k (p + q)/e |d - d^ | < 3√n (Since p+q ≤ 3√n and k < e) Summary: d^ approximates d; half of the most significant bits is the same
  • 18. 18 e.d ≡ 1(mod φ(n)) 3.d - 1 = k φ(n) K can be either 1 or 2. We can prove that k ≠ 1 as follows: Suppose k = 1, then 3d - 1 = φ(n) then d = (φ(n) + 1)/3 Since d is an odd number and φ(n) is an even number, we can deduce that φ(n) ∈ {2, 8, 14, 20, 26, … }, or φ(n) = 2 + 6t for some non-negative integer t φ(n) = 2 + 6t = 2(1 + 3t). If t is even, then (1+3t) is an odd number, but φ(n) should only be a product of two even numbers. Thus, φ(n) ∉ {2, 14, 26, … } Analysis of d^ when e = 3
  • 19. Analysis of d^ when e = 3 19 We have established that φ(n) ∈ {8, 20, 32, … }; i.e., φ(n) = 8 + 12t Let’s prove that the only possible value of φ(n) can be 8. Case 1: φ(n) = 8 + 12t = 4(2 + 3t) By defn., φ(n) is a product of two even numbers (p-1) and (q-1) Let’s take q-1 = 4 and p-1 = 2+3t; i.e., q = 5 and p = 3+3t. Clearly, 3+3t is not a prime number when t > 0. Thus, φ(n) ≠ 4(2 + 3t)
  • 20. Analysis of d^ when e = 3 20 Case 2: φ(n) = 8 + 12t = 2(4 + 6t) Let q-1 = 2 and p-1 = 4+6t. That is, q = 3 and p = 5+6t Since RSA definition assumes that q < p < 2q, 3 < 5 + 6t is true for all t, but 5+6t > 2*3 (except t = 0 case) Since p < 2q is violated, φ(n) ≠ 2(4 + 6t). Thus, we proved that when e =3, k must be 2. (k = 1 is only possible if q = 3 and p = 5, but such small p and q are absurd anyways)
  • 21. Demo 21 ● Demo 1: When e = 3, the first half of the most significant private exponent d bits is leaked ● Demo 2: When e = 65537, there are only at most 65537 possible values of the most significant bits of d (instead of 2n/2 possibilities) ● For both demos, we will show that half of the most significant bits of the private exponent d can be revealed by using the public parameters <e, n> ● The demos use 2048-bit RSA key (but applicable for other key sizes) ● Appendix has my implementation of the algorithm used in the demos
  • 22. Demo 1: e = 3 22
  • 23. 23 ~/crypto/RSA$ e=3 ~/crypto/RSA$ java RSA_KeyPair 2048 $e d=1421237067484190664687467641737187734480432074691163039233098997475699692733759482574032952 504058684945672246071323206448263776167088791315805030995938598788917861285158127945424492484 083185531159037194902697979212301225881718304183586919116140663186232111508302003084235247162 790681958249261347807069877965041559837274254672179935363751863511411580357365707845953663926 861042738958587605928377974474390920562141137897933563181368621890970668452394101228784250684 949276876015095331870308805317389193397861773963131721670380660776616208922972152524281777702 9163150275214370671181822432156547192936318586434345409301739 n=2131855601226285997031201462605781601720648112036744558849648496213549539100639223861049428 756088027418508369106984809672395664250633186973707546493907898183376791927737191918136738726 124778296738555792354046968818451838822577456275380378674210994779348167262453004626352870744 186022937373892021710604816947591541716920848648232267991218076826874172399457724605435745051 969912159268306241010887191644608211396202072313259815055304203147180860750050654130709105253 252072039356069016123192746164428752945697718217090400475781422732315382047928432005892912423 2687942502070000081779339907151328354852637293825990658859773 (on the next slide, we will reveal parts of the private d from public parameters <e, n>) RSA_KeyPair is my program that generates RSA keys
  • 24. 24 ~/crypto/RSA$ java RSA_DCap $e $n k=1 d^ = 710618533742095332343733820868593867240216037345581519616549498737849846366879741287016476252029342 472836123035661603224131888083544395657902515497969299394458930642579063972712246242041592765579518 597451348989606150612940859152091793459558070331593116055754151001542117623581395340979124630673903 534938982530513905640282882744089330406025608958057466485908201811915017323304053089435413670295730 548202737132067357437753271685101401049060286916683551376903035084417357346452023005374397582054809 584315232572739030133491927140910771794015976144001964304141089598083402333336059311330238377611828 4212431275330219619924 k=2 d^ = 142123706748419066468746764173718773448043207469116303923309899747569969273375948257403295250405868 494567224607132320644826377616708879131580503099593859878891786128515812794542449248408318553115903 719490269797921230122588171830418358691911614066318623211150830200308423524716279068195824926134780 706987796506102781128056576548817866081205121791611493297181640362383003464660810617887082734059146 109640547426413471487550654337020280209812057383336710275380607016883471469290404601074879516410961 916863046514547806026698385428182154358803195228800392860828217919616680466667211862266047675522365 68424862550660439239849 k=3 d^ = 213185560122628599703120146260578160172064811203674455884964849621354953910063922386104942875608802 741850836910698480967239566425063318697370754649390789818337679192773719191813673872612477829673855 579235404696881845183882257745627538037867421099477934816726245300462635287074418602293737389202171 060481694759154171692084864823226799121807682687417239945772460543574505196991215926830624101088719 164460821139620207231325981505530420314718086075005065413070910525325207203935606901612319274616442 875294569771821709040047578142273231538204792843200589291242326879425020700000817793399071513283548 RSA_DCap is my program (see appendix)
  • 25. 25 We already proved that when e = 3, k = 2 d^ =142123706748419066468746764173718773448043207469116303923309899747569969 273375948257403295250405868494567224607132320644826377616708879131580503099 593859878891786128515812794542449248408318553115903719490269797921230122588 171830418358691911614066318623211150830200308423524716279068195824926134780 706987796506102781128056576548817866081205121791611493297181640362383003464 660810617887082734059146109640547426413471487550654337020280209812057383336 710275380607016883471469290404601074879516410961916863046514547806026698385 428182154358803195228800392860828217919616680466667211862266047675522365684 24862550660439239849 We see that d^ revealed half of the private exponent d using the public key parameters <e, n>
  • 26. 26 Demo 2: e = 65537
  • 27. 27 Example: RSA public exponent e (e.g., CNN) Disclaimer: CNN is just a random example. We are not attacking it.
  • 28. 28 RSA Public Exponent e is 65537 for CNN
  • 29. 29 Java JDK RSA key generation Code
  • 31. 31 ~/crypto/RSA$ java RSA_KeyPair 2048 65537 d=1491629145334706896467017294894892007671534965487629464211591052998312042021202036862248300189034 142316438082203748580728041607410808263351850622119133237512511436360765640238531295687593993896556 379805652151480308009131445209611685478461405326137092441371914212447136849213035694365635044042262 249824359449236690818626487184413087475423626176858565860592456883256289778387604384353711846146381 990134324009985938782618001216802708526050010979574880940401482976305545922019524306316518714599787 458458410757158810193932688548523743542459048263467703772587696279955036020135068150653908985091923 4654150061036966845424033 n=1978083757543518532451617006384592017538838264531824609389620454074269046902944514161092004238946 389821780708081486659958997628993972908848446665759239882372672238056970816760676356241963730837689 507554087920913900161765429475967645309630212886666261176248303151378956043846109273606649613140383 267234703464710971180657618980402253949546710953311699153301788485281409238637350429069319629583467 726988461505380836551971149145379567858344693903298557007299040518049531377666675151765379279923234 752095969737037013565533109667398191120453837912308378294097448282776247294362326194476537661616750 4687282086327354786906827 e = 65537
  • 32. 32 java RSA_DCap $e $n k=4942 d^ =14916291453347068964670172948948920076715349654876294642115910529983120420 21202036862248300189034142316438082203748580728041607410808263351850622119133 23751251143636076564023853129568759399389655637980565215148030800913144520961 16854784614053261370924413719142124471368492130356943656350440422622498243594 49257918362880503074774240355625043186484950061128437172018970117238473811810 21066106191884077345266942217285500426004798294465049353453317995464090084352 96398651248041119672893944491479051749177231854428675467086726545740361196397 25187699773491223215803817723443053331103514510753270668601927889140940039319 674 We see that d^ revealed half of the private exponent d using the public key parameters <e, n> (in 4942 attempts - see previous slide)
  • 33. 33 Conclusion ● When RSA is used with the public exponent e = 3, the most significant half of the private exponent d is revealed (in one attempt) ● So, we want to avoid using e = 3 during key generation even if we use RSA with proper random padding (e.g., OAEP) ● The default e = 65537 reveals half of the private key (65537 attempts at most) ● But, do not simply increase the value of e, then d will likely decrease! ● At this time of writing, e = 65537 is the NIST recommended value ● If RSA modulus size is b bit, the most significant b/2 bits of the private key are known to attackers! ○ This is also true when e = 65537
  • 34. References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996. ● C. Paar and J. Pelzl. “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011. 34
  • 36. 36 public static BigInteger[] leakPrivExp(int e, BigInteger n) { BigInteger[] dcaps = new BigInteger[e]; for(int i = 1; i <= e; i++) { BigInteger k = BigInteger.valueOf(i); // dcap = floor((1+kN)/e) dcaps[i-1] = one.add(k.multiply(n)).divide(BigInteger.valueOf(e)); } return dcaps; } Given the public parameters e and n, this code attempts to leak the private exponent d