The Cryptography puzzle discussed here is part of an online challenge. I demonstrate how I broke RSA when random prime numbers were common among a set of keys. I discuss basic metrics as well as implementation/design of my exploit scripts, too.
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
RSA cracking puzzle
1. Solution to an RSA Puzzle
When random primes repeat during Crypto key generation...
Dr. Dharma Ganesan, Ph.D.,
If Victim1
= p. q1
and Victim2
= p. q2
, then we call Euclid
2. Disclaimer
● The opinions expressed here are my own
○ But not the views of my employer
● The source code fragments and exploits shown here can be reused
○ But without any warranty nor accept any responsibility for failures
● Do not apply the exploit discussed here on other systems
○ Without obtaining authorization from owners
2
3. Context
● The Cryptography puzzle discussed here is part of an online challenge
○ I worked on this puzzle to harden my under-the-hood Cryptography foundation
● The puzzle deals with the RSA Public Key Cryptography Algorithm
○ Weaknesses in the random number generation process leads to interesting problems
● The puzzle helps us to understand the problem discussed in NY Times (2012)
○ When Random Primes are Not Random Enough
★ Buckle-up and get ready for some dazzling math and crypto
○ It is not an academic exercise, very relevant in practice
○ Real-world RSA implementations are also briefly analyzed
3
4. The RSA Puzzle Overview
● The challenge of the puzzle is to mechanically:
○ Derive RSA private keys from a set of RSA public keys where
■ some of the random primes repeat during the key generation process
○ Extract plaintext from ciphertext using the recovered private keys
● The puzzle demonstrates that RSA is breakable if random primes repeat
○ We can derive private keys of any two parties if they have the same primes in their public keys
● This puzzle reminds me of some notable previous work in particular
○ Randomness and the Netscape Browser
○ Cryptographic key material may be guessable
4
5. 5
● Solution to the RSA puzzle will
explain this article in depth
○ Nice to see theory in action
● My exploit scripts are also handy
to follow the puzzle
● The keys we will break in the
puzzle are synthetic dataset
○ I will also use real world
keys for demo
6. 6
Why random numbers repeated?
● Researchers found that it relates to invalid or inadequate CSPRNG seeding
● CSPRNGs on systems used to generate keys were not initialized with
○ environmentally-supplied entropy at boot time
○ or were given an extremely small amount of entropy
● In this puzzle, we exploit this weakness to break RSA
● Real implementations of RSA are also shown to clarify core ideas
7. Agenda
● Brief Overview of the RSA Public Key Cryptography System
○ RSA Key Generation Algorithm
○ RSA Trapdoor Permutation (Foundation for Public Key Crypto)
● Cryptanalysis of RSA
○ Attack Trees based on RSA’s mathematical structure/assumptions
● Puzzle - Break RSA when random primes repeat during key generation
○ Formal Problem Statement
○ My solution (including both naïve and relatively advanced approaches)
○ Implementation detail
○ Additional analysis
7
8. Prerequisite
Some familiarity with the following topics will help to follow the rest of the slides
● Group Theory (Abstract Algebra/Discrete Math)
● Modular Arithmetic (Number Theory)
● Algorithms and Complexity Theory
● If not, it should still be possible to obtain a high-level overview
8
9. How can Alice send a message to Bob securely?
9
Public Key PuA
● Alice and Bob never met each other
● Bob will encrypt using Alice’s public key
○ Assume that public keys are known to the world
● Alice will decrypt using her private key
○ Private keys are secrets (never sent out)
● Bob can sign messages using his private key
○ Alice verifies message integrity using Bob’s public key
○ Not important for this presentation/attack
● Note: Alice and Bob need other evidence (e.g., passwords,
certificates) to prove their identity to each other
● Who are Alice, Bob, and Eve?
Private Key PrA
Public Key PuB
Private Key PrB
10. RSA Public Key Cryptography System
● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman
● Rooted in elegant mathematics - Group Theory and Number Theory
● Core idea: Anyone can encrypt a message using recipient's public key but
○ (as far as we know) no one can efficiently decrypt unless they got the matching private key
● Encryption and Decryption are inverse operations (math details later)
○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA
● Eavesdropper Eve cannot easily derive the secret (math details later)
○ Unless she solves “hard” number theory problems that are computationally intractable
10
11. 11
....
Note: There is a change in the
notation of symbols in other
publications since 1977.
We will not use symbols w, r, s.
e will be used but with a different
meaning (explained in next slides).
12. 12
Notations and Facts (needed for RSA Trapdoor)
GCD(x, y): The greatest common divisor that divides integers x and y
Co-prime: If gcd(x, y) = 1, then x and y are co-primes
Zn
= { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn
as a circular wall clock
Z*
n
= { x ∈ Zn
| gcd(x, n) = 1 }; (additional info: Z*
n
is a multiplicative group)
φ(n): Euler’s Totient function denotes the number of elements in Z*
n
φ(nm) = φ(n).φ(m) (This property is called multiplicative)
φ(p) = p-1, if p is a prime number
13. Notations and Facts (needed for RSA Trapdoor) ...
● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
● Euler’s Theorem: aφ(n)
≡ 1 (mod n), if gcd(a, n) = 1
● Fermat’s little Theorem: ap
≡ a (mod p)
● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is
either a prime or can be written as a unique product of primes
○ Euclid’s work is the foundation for this theorem, see The Elements
● Euclid’s Lemma: if a prime p divides the product of two natural numbers a
and b, then p divides a or p divides b
● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes
13
14. RSA - Key Generation Algo. (Fits on one page)
1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits)
○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later)
2. Pick two independent, large random primes, p and q, of half of n’s bitlength
○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization)
3. Compute n = p.q (n is also called the RSA modulus)
4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)
5. Select numbers e and d from Zn
such that e.d ≡ 1(mod φ(n))
○ Many implementations set e to be 65537 (Note: gcd(e, φ(n)) = 1)
○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt)
○ d is the multiplicative inverse of e in Zn
6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q>
Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately
14
15. 15
e = param.getPublicExponent();
p = chooseRandomPrime(pbitlength, e, squaredBound);
//
// generate a modulus of the required length
//
for (; ; )
{
q = chooseRandomPrime(qbitlength, e, squaredBound);
// p and q should not be too close together (or equal!)
BigInteger diff = q.subtract(p).abs();
if (diff.bitLength() < mindiffbits || diff.compareTo(minDiff) <= 0)
{
continue;
}
//
// calculate the modulus
//
n = p.multiply(q);
RSAKeyPairGenerator.java
part of Bouncy Castle Java
implementation
This ~implements the algo.
of the previous slide
This code makes sure p
and q are not close
Look at the for loop it tries
until a good q is chosen
16. RSA - Key Generation - in real Implementation
16
● If either p (or q) is common among two different
keys, we can break RSA (Topic of this puzzle)
● Of course, there is no way for any implementation
to check this property
○ Unless there is a trustable 3rd party we can
share p and q and query for duplicates
p = chooseRandomPrime(pbitlength, e, squaredBound);
...
q = chooseRandomPrime(qbitlength, e, squaredBound);
17. RSA Trapdoor
● RSA: Zn
→ Zn
● Let x and y ∈ Zn
● y = RSA(x) = xe
mod n
● x = RSA-1
(y) = yd
mod n
○ Many implementations use Chinese-Remainder Theorem (CRT) to compute yd
efficiently
■ I will use CRT later in my Python script to perform decryption
● e and d are also called encryption and decryption exponents, respectively
● RSA as defined above is the foundation for public-key Crypto
17
18. RSA Padding - Overview (needed for the puzzle)
● The puzzle uses PKCS1 version 1.5 to add randomness before encryption
○ Without randomness, there is no notion of semantic security in RSA
○ Sending the message two times will result in the same ciphertext
● Before calling RSA on msg x, random padding is attached (see below)
● 02 denotes that PKCS is used in encryption mode
● FF denotes the end of the random pad
● RSA trapdoor function is used on this msg after padding
● After RSA-1
, all bytes until FF are removed to recover msg x
18
02 Random Pad FF x
19. Typical usage of RSA in practice
● RSA is usually not directly used for message encryption
○ Performance is an issue in RSA due to very large d
○ Message cannot be longer than the RSA modulus (explained my RSA proof later)
● Instead, RSA is used in practice together with symmetric encryption
○ Bob generates a symmetric key (e.g., AES), say K
○ Bob encrypts his message M using C = AES(M, K)
○ Bob encrypts the symmetric key using Alice’s public key using RSA with random padding
■ Padding adds randomness before calling the RSA trapdoor function
○ Bob sends the pair <RSA(K), C>
○ Alice calls RSA-1
(K) to recover K and then AES-1
(C, K) to decrypt the secret message M
■ Eve cannot call RSA-1
(K) because she does not have the private d
19
20. RSA Trapdoor ...
● RSACoreEngine.java implements the RSA and RSA-1
functions
○ See the method processBlock
● RSA(input) = inpute
mod n
{
return input.modPow(
key.getExponent(), key.getModulus());
}
● The implementation for RSA-1
is a bit involved (Chinese-Remainder Theorem)
○ To speed-up the computation of inputd
mod n, it computes inputd
mod p and mod q
20
21. Why the RSA-1
recovers x from y (proof)?
● Proof uses Euler’s Theorem: xφ(n)
≡ 1 mod n, if x and n are co-primes
● y = RSA(x) ≡ xe
mod n
● RSA-1
(y) = yd
mod n ≡ (xe
)d
mod n
≡ xed
mod n
≡ x(k.φ(n)+1)
mod n (see the additional notes)
≡ xk.φ(n)
x mod n
≡ (xφ(n)
)k
x mod n ≡ x mod n = x (since x < n)
● Additional notes:
■ Recall that ed ≡ 1 mod φ(n) , meaning φ(n) divides (ed-1).
■ or, ed-1 = k.φ(n) for some integer k ≥ 1;ed = k. φ(n) + 1
■ Fermat’s little Theorem is used when x and n are not co-primes to prove RSA
21
22. Cryptanalysis of RSA - Basic Attack Tree (4 Paths)
22
Break RSA
Factorize n to
reverse p and q
Compute φ(n)
from n directly
Reverse d from e
and n
● Path 1: Factoring n is like finding the integral sides of a rectangle given its area
○ It is an interesting problem for several years (Mathematicians are trying)
● Path 2: Brute-forcing φ(n) is difficult, although φ(n) is of the same size as n
○ I have not found any scalable algorithm that computes φ(n) from n (open problem?)
● Path 3: Reversing of private d from public <n, e> is possible but for small d (e.g., d < n1/2
)
● Path 4: Compute the e-th root of RSA encrypted value y to recover secret x
○ Appears to be equivalent of path 1
1 2 3
Compute e-th root
of y to recover x
4
23. Cryptanalysis of RSA - Common Factor Attack
23
Break RSA
Side-Channel
Attacks
Hardware
Fault Attacks
5 6
Search for common factors
among all public keys
7
● Path 7: Compare all public keys in the world and check whether any
random primes repeat (We will use this attack for solving the puzzle)
24. Math behind Common Factor Attack
24
● The world has billions of public keys as part of digital certificates
● PubKeySpace = {<n1
, e>, <n2
, e>, <n3
, e>, ...}
○ All real implementations out there use the same e 65537 (I will show a demo later)
○ Faster to compute RSA(x) because encryption operation xe
requires only 17 multiplications
● But we know that each n is a composition of private random primes n = p.q
● In a truly random world, all primes are different
○ gcd(n1
, n2
) = 1; if n1
and n2
are made of distinct primes
● Little proof by contradiction (using Euclid’s Lemmas):
○ If gcd is not 1, then there is a number m that divides n1
and n2
○ Which means that m will divide the prime factors of n1
and n2
○ Which is a contradiction to the defn. of primes
25. Common Factor Attack - Core idea of the algorithm
25
● What happens if random numbers repeat among public keys?
● Let’s say n1
= p. q1
and n2
= p. q2
○ Recall that p, q1
and q2
are private (never published - not part of digital certificates)
● We can nevertheless derive p, q1
and q2
based on gcd(n1
, n2
)
○ gcd(n1
, n2
) = p; this follows from the very defn. of GCD and primes
● q1
= n1
/gcd(n1
, n2
) = n1
/p
● q2
= n2
/gcd(n1
, n2
) = n2
/p
● That’s it! We successfully factored RSA modules
○ We can immediately compute φ(n1
) = (p-1)(q1
-1)
○ Then we can compute private exponent d as e-1
mod φ(n1
)
○ Similarly, we can factor n2
and decrypt all messages
26. Common Factor Attack - Efficient Algorithm
● Computing pairwise GCD for all public keys in the world is very slow although
Euclid’s GCD algorithm is logarithmic time complexity
○ Heninger et al. mention that it may take at least 30 years or so
○ I have some metrics from my experiment (later)
● I also implemented a fast algorithm to find GCD among a set of numbers, the
complexity is O(n(lgn)2
lglgn)
○ See my Python script for the implementation details
● The core algorithm is rooted in the work of Prof. Bernstein
○ How to find the smooth parts of integers?
26
27. 27
How to get public keys? (e.g., CNN)
I just happen to read Breaking
News - CNN is not my target
29. Command to extract RSA modulus and exponent
# echo | openssl s_client -connect cnn.com:443 -servername cnn.com
2>&1 | awk '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/' | openssl
x509 -pubkey -noout | openssl rsa -pubin -text -noout
Public-Key: (2048 bits)
Modulus:
00:b9:ef:0b:b6:26:47:c5:72:9a:27:38:88:e8:95:
3a:d7:c6:07:6c:d7:62:98:f6:16:ca:91:c4:12:17:
...
Exponent: 65537 (0x10001)
29
● It is not difficult to extract the set of all RSA
modulus n available on the Internet
● The above command downloads certificates
from cnn.com, for example
○ It can be extended to download
certificates from Internet-facing products
● https://scans.io/
https://censys.io/
https://zmap.io/
30. Back to the RSA cracking puzzle
● We are given 100 public keys (*.pem) and 100 encrypted messages (*.bin)
○ Screenshot shows a fragment (The author of the puzzle has generated these pem/bin files)
● The goal is to apply the Common Factor Attack on these keys
● We need to derive private keys from public keys and then decrypt *bin files
30
31. Common Factor Attack - Implementation/Approach
● I will present two implementations to find the repeated random primes
○ Recall that the prime numbers are private (not part of digital certificates)
● The first implementation is naïve
○ It will compare every public key with other public keys in the dataset
● The second implementation is somewhat advanced number theory
○ It compares all keys once to find the common factors
○ Several orders of magnitude faster than naïve
● Contact me if you want to access to my Python proof-of-concept script
31
32. Common Factor Attack - My Python proof-of-concept
32
Input: Two public
key files
The public keys
share a random
prime if gcd is 1
This is a naïve algorithm -
does not scale due to
pairwise gcd computation
33. Generate private keys from prime factors p and q
33
In order to use the Chinese
Remainder Theorem, we will have
to compute dp, dq, qinv
Easy to derive them from p and q
though (see the script)
34. Private keys that were derived using this attack
34
Each priv.pem
file contains
private keys
● We broke 12 private keys (e.g., 44.priv.pem) from the given 100 public keys
● Each of these 12 keys shares random primes with at least one other key
● I confirmed the results with the author of the puzzle
35. Let’s decrypt using the derived private keys
35
● The size of all encrypted message files (i.e., bin files) are all the same
○ Linux command line: wc -c *.bin
● All bin files have 128 bytes
○ RSA 1024-bit
● Since all encrypted files have the same size, I guessed that PKCS1 is used
● Next slides show the script that uses PKCS1 for RSA decryption
36. Let’s decrypt using the derived private keys ...
36
root@kali:~/crypto/RSA_Puzzle/challenge# openssl rsautl -inkey 44.priv.pem -decrypt < 44.bin
Sarpedon ubi tot Simois correpta sub undis
Inputs: Private key and Encrypted File
My Python script decrypts
all the encrypted files using
the cracked private keys
37. Output of my Python script - decrypted messages!
37
This is in Latin, there is another non-cryptographic step in the puzzle to find one
English word for all these Latin messages (It’s left us an exercise)
38. Finding the common factors efficiently
38
Input: List of public keys
Output: For each RSA modulus,
the common factor it shares with
other keys
Note:
commonFactor is equal to the
modulus when both primes are
shared
We can use the pairwise Naïve
algorithm for those public keys (see
pairwiseCandidates)
39. Pairwise GCD (Naïve) vs Bernstein’s Algo: Speed
39
Pairwise GCD
$time python RSACommonFactorPuzzle.py
real 0m2.484s
user 0m2.408s
sys 0m0.060s
real 0m2.475s
user 0m2.384s
sys 0m0.060s
real 0m2.450s
user 0m2.360s
sys 0m0.072s
Bernstein’s smooth integer algorithm
$time python RSACommonFactorPuzzle.py
real 0m0.369s
user 0m0.312s
sys 0m0.012s
real 0m0.351s
user 0m0.288s
sys 0m0.032s
real 0m0.390s
user 0m0.348s
sys 0m0.024s
Pairwise GCD is orders
of magnitude slower
40. Additional Analysis
40
● After finishing the puzzle, I had a lot of questions and investigated a few
● Can we efficiently derive private Euler Totient φ(n) from the RSA modulus n?
● Similarly, can we efficiently derive private exponent d from n?
● I developed some utility programs and generated a bunch of RSA keys
● Next, I demonstrate my observation based on metrics
● First I show that it is easy to check whether n is equal to p.q
41. Checking the result of factorization is easy
41
● For example, we found that 58.pem and 71.pem have a common prime factor
● Let’s see what is the common factor and check the result is correct
● 58.pem’s RSA modulus n58
is
○ 132009813808533392577123110438741884286561400398429860761027919959189196549797215586297
852825375342475728679074489933320371765026814849875692023263110656924146683347962741534
495754902097930935910070831755220321417369411370818762253940133993629997648473607090782
039210687337530507010114741418840031542303031081
● 71.pem’s RSA modulus n71
is
○ 135472400918611757666622822789636901038207639581474006488496906937544113899819968264216
470405393313301250508761651903965883874352772699986982247519612608840409853757718079903
608120168842687889231898954817245684707914621259848016658887023606975529849256590875282
759156328281549546230980205644358325222571914637
42. Checking the result of factorization is easy ...
● The common factor for 58.pem and 71.pem is the common prime p:
○ 129137502646234622763374256441287111746758133368804650684610186816450800479188353483236
21347173714301224881492646558739535118834131362641424915974945262413
● 58.pem’s private q58
:
○ 102224226970043949777256885320880162508867547271189728340583126434163937246274052502556
81036829301071437886544959801218835717885646951246124126053948898637
● 71.pem’s private q71
:
○ 104905544975367267702914249740242771357439818837898485544233978656125835584538419552523
13841219976974375731593387395755291375663525635781387394235606102849
● It takes only a few microseconds to check whether factorization is correct
○ n58
= p.q58
and n71
= p.q71
; you may use calculator to check
● However, given n58
(or n71
) factorization takes years to find the factors
○ Easy in one-direction but “hard” in another-direction
42
44. Distribution of φ(n) for a small dataset
44
Figure from Wikipedia
If p is prime, φ(p) is p-1. φ is multiplicative
that’s why we see diagonal lines
when n increases, φ(n) does not always
increase
RSA is immediately broken if we can
efficiently compute φ(n) from public n
45. Additional analysis of φ(n)
● In the words of Hardy & Wright, “the order of φ(n) is always nearly n”
● I went ahead and measured how close φ(n) to n
○ I randomly generated different primes of different size for this analysis
● Metrics (next slides) confirm that φ(n) and n have the same number of bits
● However, the distance between φ(n) to n is about half the bitlength of n
● Meaning if n is a 2048-bit number, we still have to bruteforce 21024
combinations on a classical computer (The sun will cool down?)
● If n is small (e.g., 768 bits), researchers have already factored its p and q
○ See the list of broken RSA numbers here
45
46. Let’s look at an example private n its private φ(n)
n =
13200981380853339257712311043874188428656140039842986076102791995918919654979721558629785282537534
24757286790744899333203717650268148498756920232631106569241466833479627415344957549020979309359100
70831755220321417369411370818762253940133993629997648473607090782039210687337530507010114741418840
031542303031081
φ(n) =
13200981380853339257712311043874188428656140039842986076102791995918919654979721558629785282537534
24757286790744899333203717650268148498756920232631106569010105103863348842804326407258812035103475
02767755782418898038086309344989707699535414327613645458234428014001604327379159670290336427531290
989513408870032
● This shows that the n and φ(n) share the first half but the other half is different
○ Finding the other private half by bruteforce is a computational challenge as far as we know
46
47. Why public n and private φ(n) have common prefix?
● Euler’s φ(n) = (p-1)(q-1) = n(1-1/p)(1-1/q) [Recall that n = p.q]
● Since p and q are large numbers, 1/p and 1/q are close to zero
● n(1-1/p)(1-1/q) means that we take some fraction of large n because
○ (1-1/p)(1-1/q) is between 0 and 1
● In RSA, p and q are large prime numbers (but far from infinity), thus φ(n) is
not that close to public n to bruteforce
● Why n is not a prime in RSA? If n is a prime, φ(n) is computable in constant
time (recall that φ(p) = p-1 if p is prime)
47
48. Additional analysis of φ(n) (on my dataset)
48
# of bits in n # of bits in φ(n) # of bits in n-φ(n)
256 256 129
512 512 257
1024 1024 513
2048 2048 1025
4096 4096 2049
● Bruteforce of φ(n) from n looks very challenging since n-φ(n) is ~half the bitlength of n
● Computational hardness assumption is an interesting topic
● General feeling is that algorithm for φ(n) is not in class P (P vs NP problem debate)
● More future analysis is needed to understand the structure of φ(n)
49. Additional analysis of φ(n) ...
49
● Consider this formula (based on Fourier transform) to compute φ(n) from n
● This formula works computationally well for small n
○ Even though GCD is fast to compute, this formula does not scale
● For example, if n is a 2048-bit number, we end up calling call gcd 22048
times
● In experiments, gcd(x, y) took ~ 24
microseconds
● This means that we need 22052
microseconds to compute GCD
○ A year has a very conservative approximation of 240
microseconds
● Thus, 22052
/240
= 22012
years to compute gcd(k, n) for all k, 1 ≤ k ≤ n
● Formulas to derive φ(n) cannot be applied unless there is no iterative loop
○ They may be elegant formulas from a math perspective but not computationally efficient
50. Bruteforcing private d from public modulus n?
50
● Another thought I had when solving the puzzle was why not bruteforce d?
● Recall that RSA-1
(y) = yd
mod n will expose the secret if we know d
○ Recall that d and φ(n) are private; n is public
● But we know that d and n are related indirectly
○ e.d ≡1 (mod φ(n))
● Metrics (next slides) show that d and n are roughly the same bitlength
○ But, they are not that close to each other in the number line
● Bruteforcing d from n appears to be not feasible based on my metrics
51. Let’s look at an example public n and private d
n =
13200981380853339257712311043874188428656140039842986076102791995918919654979721558629785282537534
24757286790744899333203717650268148498756920232631106569241466833479627415344957549020979309359100
70831755220321417369411370818762253940133993629997648473607090782039210687337530507010114741418840
031542303031081
d =
75978610202753857637808928174151149355159620108164462027648094066872400229768695117493248219679843
72468202350870134862511898586770001887958104761408874343204779669152618879500006421075482546363592
78636456980460020140777818406855940068430936484365580768818014966834080783182309651548207889662373
33482548523393
● This shows that the n and d are nearly the same size (n has 1 more digit)
51
52. How far is private d from public n? (on my dataset)
52
Trial # of bits in n # of bits in d # of bits in n-d
1 1024 1024 1020
2 1024 1023 1019
3 1024 1022 1023
4 2048 2047 2045
5 2048 2047 2046
6 2048 2046 2048
● Bruteforce of d from n looks very challenging since n and n-d are ~the same bitlength
53. Conclusion/Discussion
53
● The main goal was to demonstrate my end-to-end solution to an RSA puzzle
● This puzzle demonstrates that if public keys are made of repeated random
primes, RSA is not difficult to break
● If random number generation algorithms are not properly seeded, Euclid’s
GCD math can derive the private keys from the public keys!
● Prof. Knuth’s remark is highly relevant: random numbers should not be
generated with a method chosen at random
● “Factoring may be easier than you think,” says Cohn, an interesting view!
54. Conclusion/Discussion ...
● Prof. D. Boneh stresses that Crypto implementation is very difficult
○ Even experts (with solid education in math/cs) found it difficult to implement it correctly
○ https://robotattack.org/
● The author of the puzzle shared the valuable information given below
● The attack discussed in the puzzle may not affect TLS when forward secrecy
is used (e.g., Diffie-Hellman DHE ciphersuite Ephemeral Keys)
○ TLS - Transport Layer Security
● A goal of DHE is to protect confidential content of sessions even if
the long-term (private) keys are compromised
○ Active attacks are still possible
○ Attacks against non-forward-secret ciphers are still possible
54
55. Acknowledgement
● Mr. Seth David Schoen and his colleagues for constructing the RSA puzzle
○ http://www.loyalty.org/~schoen/
● Seth for critical reviews of my slides and offering new pointers to Crypto work
○ All remaining mistakes are mine
○ Nice that you are in the committee of EFF Cooperative Computing Awards
● It is always a pleasure to understand under-the-hood Crypto
○ I barely scratched the surface though there is a lot more analysis to be performed...
● The more I think about it the more I realize that RSA is not that simple
○ I have many more deeper questions and have to experiment when I get some time
55
57. References
● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE
Transactions on Information Theory, vol. IT-22, no. 6, November, 1976.
● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital
signatures and public-key cryptosystems,” CACM 21, 2, February, 1978.
● I. Goldberg and D. Wagner, “Randomness and the Netscape Browser,”
http://people.eecs.berkeley.edu/~daw/papers/ddj-netscape.html
● N. Heninger, Z. Durumeric, E. Wustrow, J. A. Halderman, “Mining Your Ps
and Qs: Detection of Widespread Weak Keys in Network Devices,” USENIX
security, 2012.
57
58. References ...
● D. J. Bernstein, “How to find the smooth parts of integers,”
http://cr.yp.to/papers.html#smoothparts.
● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied
Cryptography,” CRC Press, 1996.
● C. Paar and J. Pelzl. “Understanding Cryptography: A Textbook for Students
and Practitioners,” Springer, 2011.
● A. Lenstra et al., “Ron was wrong, Whit is right,” Cryptology ePrint Archive,
Report 2012/064, 2012. http://eprint.iacr.org/2012/064.pdf.
58