- 1. On the Secrecy of RSA Private Keys. Dr. Dharma Ganesan, Ph.D.
- 2. Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty, and I do not accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners
- 3. Question (standard notations are defined later) ● Can we reveal the RSA private exponent d from its public key <e, n>? ● We study this question for two specific cases: e = 3 and e = 65537 ● Using demos, we verify that RSA reveals the most significant half of the private exponent d when the public exponent e is small ● For example, for 2048-bit RSA, the most significant 1024 bits are revealed!
- 4. Agenda ● Overview of Public Key Cryptography using RSA ● Math facts ● Algorithm to approximate private key from public key ● Demo ● Conclusion ● Appendix
- 5. Prerequisite Some familiarity with the following topics will help to follow the rest of the slides ● Group Theory ● Number Theory ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview
- 6. How can Bob send a message to Alice securely? ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? [Figure labels: Alice holds Public Key PuA and Private Key PrA; Bob holds Public Key PuB and Private Key PrB]
- 7. RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using the recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they have the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ The work of Euclid, Euler, and Fermat provides the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable
- 8. Notations and Facts
  GCD(x, y): The greatest common divisor that divides integers x and y
  Co-prime: If gcd(x, y) = 1, then x and y are co-primes
  Z_n = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Z_n as a circular wall clock
  Z*_n = { x ∈ Z_n | gcd(x, n) = 1 }; (additional info: Z*_n is a multiplicative group)
  φ(n): Euler’s Totient function denotes the number of elements in Z*_n
  φ(nm) = φ(n).φ(m) (This property is called multiplicative)
  φ(p) = p-1, if p is a prime number
- 9. Notations and Facts ...
  ● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
  ● Euler’s Theorem: a^φ(n) ≡ 1 (mod n), if gcd(a, n) = 1
  ● Fermat’s Little Theorem: a^p ≡ a (mod p)
  ● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is either a prime or can be written as a unique product of primes
    ○ Euclid’s work is the foundation for this theorem, see The Elements
  ● Euclid’s Lemma: if a prime p divides the product of two natural numbers a and b, then p divides a or p divides b
  ● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes
- 10. RSA - Key Generation Algo
  1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits)
     ○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later)
  2. Pick two independent, large random primes, p and q, of half of n’s bitlength
     ○ In practice, q < p < 2q to avoid attacks (e.g., Fermat’s factorization)
  3. Compute n = p.q (n is also called the RSA modulus)
  4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)
  5. Select numbers e and d from Z_n such that e.d ≡ 1 (mod φ(n))
     ○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt)
     ○ d is the multiplicative inverse of e in Z_n
  6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q>
- 11. RSA Trapdoor
  ● RSA: Z_n → Z_n
  ● Let x and y ∈ Z_n
  ● y = RSA(x) = x^e mod n
    ○ We may view x as a plaintext, and y as the corresponding ciphertext
  ● x = RSA^(-1)(y) = y^d mod n
  ● e and d are also called encryption and decryption exponents, respectively
  ● Many implementations use Chinese-Remainder Theorem (CRT) to compute y^d efficiently
  ● I will use CRT later for an RSA game
- 12. RSA Trapdoor variables’ dependency graph [figure: dependency graph; legend: private variable, public variable] Note: Public exponent e affects the private exponent d
- 13. Fact: Let n = pq, p and q are two prime numbers such that q < p < 2q, then p+q ≤ 3√n
  Proof:
  p + q < 2q + q = 3q   (1)
  Since n = pq, n > q^2 (since p > q)
  Thus, q < √n   (2)
  Thus, combining (1) and (2), we obtain p + q < 3q < 3√n
- 14. Fact: If ed - 1 = k φ(n), then k < e
  Proof (by contradiction): Suppose k ≥ e; then ed - 1 ≥ e φ(n)
  Since ed > ed - 1 ≥ e φ(n), we have ed ≥ e φ(n)
  Since e > 0, dividing the above inequality by e gives d ≥ φ(n)
  This is a contradiction because the RSA private exponent d is smaller than φ(n).
  Note: One can similarly prove that k < d, too.
- 15. Algorithm to approximate the private exponent d: https://www.ams.org/notices/199902/boneh.pdf
  We experiment with this algorithm (page 8 in boneh.pdf)
  We provide a proof that k = 2 when e = 3, which was not given in the paper
- 16. Algorithm: derive private exponent d from public key
  e.d ≡ 1 (mod φ(n))
  e.d - 1 = k (p-1)(q-1) for some integer k; recall that φ(n) = (p-1)(q-1)
          = k (pq - p - q + 1)
  e.d - 1 = k (n - p - q + 1) (since n = pq)
  d = (1 + k(n - p - q + 1))/e
  Since p and q are half the bitsize of n, (n-p-q+1) is of the same bitsize as n.
  Let’s approximate n-p-q+1 by n; thus, d^ = ⌊(1 + kn)/e⌋ is an approximation of the private exponent d.
  Note that we know n and e, but not k
- 17. Fact: |d - d^| < 3√n
  Proof: We know that d = (1 + k(n-p-q+1))/e and d^ = ⌊(1 + kn)/e⌋
  |d - d^| = (1 + kn)/e - (1 + kn - kp - kq + k)/e
  |d - d^| = (kp + kq - k)/e = k(p+q-1)/e < k(p+q)/e
  |d - d^| < 3√n (since p+q ≤ 3√n and k < e)
  Summary: d^ approximates d; half of the most significant bits is the same
- 18. Analysis of d^ when e = 3
  e.d ≡ 1 (mod φ(n))
  3.d - 1 = k φ(n)
  k can be either 1 or 2. We can prove that k ≠ 1 as follows:
  Suppose k = 1, then 3d - 1 = φ(n), then d = (φ(n) + 1)/3
  Since d is an odd number and φ(n) is an even number, we can deduce that φ(n) ∈ {2, 8, 14, 20, 26, …}, or φ(n) = 2 + 6t for some non-negative integer t
  φ(n) = 2 + 6t = 2(1 + 3t). If t is even, then (1+3t) is an odd number, but φ(n) should only be a product of two even numbers. Thus, φ(n) ∉ {2, 14, 26, …}
- 19. Analysis of d^ when e = 3
  We have established that φ(n) ∈ {8, 20, 32, …}; i.e., φ(n) = 8 + 12t
  Let’s prove that the only possible value of φ(n) can be 8.
  Case 1: φ(n) = 8 + 12t = 4(2 + 3t)
  By definition, φ(n) is a product of two even numbers (p-1) and (q-1)
  Let’s take q-1 = 4 and p-1 = 2+3t; i.e., q = 5 and p = 3+3t.
  Clearly, 3+3t is not a prime number when t > 0. Thus, φ(n) ≠ 4(2 + 3t)
- 20. Analysis of d^ when e = 3
  Case 2: φ(n) = 8 + 12t = 2(4 + 6t)
  Let q-1 = 2 and p-1 = 4+6t. That is, q = 3 and p = 5+6t
  Since RSA definition assumes that q < p < 2q, 3 < 5 + 6t is true for all t, but 5+6t > 2*3 (except t = 0 case)
  Since p < 2q is violated, φ(n) ≠ 2(4 + 6t).
  Thus, we proved that when e = 3, k must be 2.
  (k = 1 is only possible if q = 3 and p = 5, but such small p and q are absurd anyways)
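
The bound |d - d^| < 3√n and the k = 2 result for e = 3 can be checked from the key owner's side, where d is known. The Python code below is an added example, not the author's program (the author's Java is in the appendix); the function names and the seeded 512-bit test key are constructed for illustration.

```python
import random
from math import gcd, isqrt

def is_probable_prime(m, rng, rounds=32):
    # Miller-Rabin; adequate for a constructed demo key
    if m < 4 or m % 2 == 0:
        return m in (2, 3)
    s, r = m - 1, 0
    while s % 2 == 0:
        s, r = s // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, m - 1), s, m)
        if x in (1, m - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, m)
            if x == m - 1:
                break
        else:
            return False
    return True

def demo_key(bits, e, seed):
    """Constructed key from a seeded PRNG (demo only, never for real keys).
    Both primes get their top two bits set, so q < p < 2q as the slides assume."""
    rng, half, primes = random.Random(seed), bits // 2, set()
    while len(primes) < 2:
        c = rng.getrandbits(half) | (3 << (half - 2)) | 1
        if gcd(e, c - 1) == 1 and is_probable_prime(c, rng):
            primes.add(c)
    p, q = primes
    return p * q, pow(e, -1, (p - 1) * (q - 1))  # (n, d)

def d_hat(e, n, k):
    return (1 + k * n) // e  # the slides' approximation of d

def close_ks(e, n, d):
    """Key-owner check: which k < e put d_hat within 3*sqrt(n) of the real d?"""
    bound = 3 * isqrt(n)
    return [k for k in range(1, e) if abs(d_hat(e, n, k) - d) < bound]

def unknown_low_bits(e, n, d):
    """Bit length of d_hat - d for the matching k: the part of d that is not leaked."""
    (k,) = close_ks(e, n, d)
    return (d_hat(e, n, k) - d).bit_length()

if __name__ == "__main__":
    for e in (3, 65537):
        n, d = demo_key(512, e, seed=2024)
        print(e, close_ks(e, n, d), unknown_low_bits(e, n, d), "of", d.bit_length())
```

For any key size, the error d^ - d fits in about half the modulus length plus two bits, which is why roughly the upper half of d is fixed by <e, n> alone.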
- 21. Demo ● Demo 1: When e = 3, the first half of the most significant private exponent d bits is leaked ● Demo 2: When e = 65537, there are only at most 65537 possible values of the most significant bits of d (instead of 2^(n/2) possibilities) ● For both demos, we will show that half of the most significant bits of the private exponent d can be revealed by using the public parameters <e, n> ● The demos use a 2048-bit RSA key (but are applicable to other key sizes) ● Appendix has my implementation of the algorithm used in the demos
- 22. Demo 1: e = 3
- 23. 23 ~/crypto/RSA$ e=3 ~/crypto/RSA$ java RSA_KeyPair 2048 $e d=1421237067484190664687467641737187734480432074691163039233098997475699692733759482574032952 504058684945672246071323206448263776167088791315805030995938598788917861285158127945424492484 083185531159037194902697979212301225881718304183586919116140663186232111508302003084235247162 790681958249261347807069877965041559837274254672179935363751863511411580357365707845953663926 861042738958587605928377974474390920562141137897933563181368621890970668452394101228784250684 949276876015095331870308805317389193397861773963131721670380660776616208922972152524281777702 9163150275214370671181822432156547192936318586434345409301739 n=2131855601226285997031201462605781601720648112036744558849648496213549539100639223861049428 756088027418508369106984809672395664250633186973707546493907898183376791927737191918136738726 124778296738555792354046968818451838822577456275380378674210994779348167262453004626352870744 186022937373892021710604816947591541716920848648232267991218076826874172399457724605435745051 969912159268306241010887191644608211396202072313259815055304203147180860750050654130709105253 252072039356069016123192746164428752945697718217090400475781422732315382047928432005892912423 2687942502070000081779339907151328354852637293825990658859773 (on the next slide, we will reveal parts of the private d from public parameters <e, n>) RSA_KeyPair is my program that generates RSA keys
- 24. 24 ~/crypto/RSA$ java RSA_DCap $e $n k=1 d^ = 710618533742095332343733820868593867240216037345581519616549498737849846366879741287016476252029342 472836123035661603224131888083544395657902515497969299394458930642579063972712246242041592765579518 597451348989606150612940859152091793459558070331593116055754151001542117623581395340979124630673903 534938982530513905640282882744089330406025608958057466485908201811915017323304053089435413670295730 548202737132067357437753271685101401049060286916683551376903035084417357346452023005374397582054809 584315232572739030133491927140910771794015976144001964304141089598083402333336059311330238377611828 4212431275330219619924 k=2 d^ = 142123706748419066468746764173718773448043207469116303923309899747569969273375948257403295250405868 494567224607132320644826377616708879131580503099593859878891786128515812794542449248408318553115903 719490269797921230122588171830418358691911614066318623211150830200308423524716279068195824926134780 706987796506102781128056576548817866081205121791611493297181640362383003464660810617887082734059146 109640547426413471487550654337020280209812057383336710275380607016883471469290404601074879516410961 916863046514547806026698385428182154358803195228800392860828217919616680466667211862266047675522365 68424862550660439239849 k=3 d^ = 213185560122628599703120146260578160172064811203674455884964849621354953910063922386104942875608802 741850836910698480967239566425063318697370754649390789818337679192773719191813673872612477829673855 579235404696881845183882257745627538037867421099477934816726245300462635287074418602293737389202171 060481694759154171692084864823226799121807682687417239945772460543574505196991215926830624101088719 164460821139620207231325981505530420314718086075005065413070910525325207203935606901612319274616442 875294569771821709040047578142273231538204792843200589291242326879425020700000817793399071513283548 RSA_DCap is my program (see appendix)
- 25. 25 We already proved that when e = 3, k = 2 d^ =142123706748419066468746764173718773448043207469116303923309899747569969 273375948257403295250405868494567224607132320644826377616708879131580503099 593859878891786128515812794542449248408318553115903719490269797921230122588 171830418358691911614066318623211150830200308423524716279068195824926134780 706987796506102781128056576548817866081205121791611493297181640362383003464 660810617887082734059146109640547426413471487550654337020280209812057383336 710275380607016883471469290404601074879516410961916863046514547806026698385 428182154358803195228800392860828217919616680466667211862266047675522365684 24862550660439239849 We see that d^ revealed half of the private exponent d using the public key parameters <e, n>
- 26. Demo 2: e = 65537
- 27. Example: RSA public exponent e (e.g., CNN) Disclaimer: CNN is just a random example. We are not attacking it.
- 28. RSA Public Exponent e is 65537 for CNN
- 29. Java JDK RSA key generation Code
- 30. Default Public Exponent e is 65537
- 31. 31 ~/crypto/RSA$ java RSA_KeyPair 2048 65537 d=1491629145334706896467017294894892007671534965487629464211591052998312042021202036862248300189034 142316438082203748580728041607410808263351850622119133237512511436360765640238531295687593993896556 379805652151480308009131445209611685478461405326137092441371914212447136849213035694365635044042262 249824359449236690818626487184413087475423626176858565860592456883256289778387604384353711846146381 990134324009985938782618001216802708526050010979574880940401482976305545922019524306316518714599787 458458410757158810193932688548523743542459048263467703772587696279955036020135068150653908985091923 4654150061036966845424033 n=1978083757543518532451617006384592017538838264531824609389620454074269046902944514161092004238946 389821780708081486659958997628993972908848446665759239882372672238056970816760676356241963730837689 507554087920913900161765429475967645309630212886666261176248303151378956043846109273606649613140383 267234703464710971180657618980402253949546710953311699153301788485281409238637350429069319629583467 726988461505380836551971149145379567858344693903298557007299040518049531377666675151765379279923234 752095969737037013565533109667398191120453837912308378294097448282776247294362326194476537661616750 4687282086327354786906827 e = 65537
- 32. 32 java RSA_DCap $e $n k=4942 d^ =14916291453347068964670172948948920076715349654876294642115910529983120420 21202036862248300189034142316438082203748580728041607410808263351850622119133 23751251143636076564023853129568759399389655637980565215148030800913144520961 16854784614053261370924413719142124471368492130356943656350440422622498243594 49257918362880503074774240355625043186484950061128437172018970117238473811810 21066106191884077345266942217285500426004798294465049353453317995464090084352 96398651248041119672893944491479051749177231854428675467086726545740361196397 25187699773491223215803817723443053331103514510753270668601927889140940039319 674 We see that d^ revealed half of the private exponent d using the public key parameters <e, n> (in 4942 attempts - see previous slide)
- 33. Conclusion ● When RSA is used with the public exponent e = 3, the most significant half of the private exponent d is revealed (in one attempt) ● So, we want to avoid using e = 3 during key generation even if we use RSA with proper random padding (e.g., OAEP) ● The default e = 65537 reveals half of the private key (65537 attempts at most) ● But do not simply increase the value of e; then d will likely decrease! ● At the time of writing, e = 65537 is the NIST recommended value ● If the RSA modulus size is b bits, the most significant b/2 bits of the private key are known to attackers! ○ This is also true when e = 65537
- 35. Appendix
- 36. Given the public parameters e and n, this code attempts to leak the private exponent d

  ```java
  import java.math.BigInteger;

  public class RSA_DCap {
      // Returns the candidates d^ = floor((1 + k*n) / e), one for each k = 1..e.
      public static BigInteger[] leakPrivExp(int e, BigInteger n) {
          BigInteger[] dcaps = new BigInteger[e];
          BigInteger bigE = BigInteger.valueOf(e);
          for (int i = 1; i <= e; i++) {
              BigInteger k = BigInteger.valueOf(i);
              // dcap = floor((1+kN)/e)
              dcaps[i - 1] = BigInteger.ONE.add(k.multiply(n)).divide(bigE);
          }
          return dcaps;
      }
  }
  ```