SlideShare a Scribd company logo

RSA cracking puzzle

Dharmalingam Ganesan
Dharmalingam Ganesan

The Cryptography puzzle discussed here is part of an online challenge. I demonstrate how I broke RSA when random prime numbers were common among a set of keys. I discuss basic metrics as well as implementation/design of my exploit scripts, too.

Software
1 of 59
Download to read offline
Solution to an RSA Puzzle When random primes repeat during Crypto key generation... Dr. Dharma Ganesan, Ph.D., If Victim1 = p. q1 and Victim2 = p. q2 , then we call Euclid
Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
Context ● The Cryptography puzzle discussed here is part of an online challenge ○ I worked on this puzzle to harden my under-the-hood Cryptography foundation ● The puzzle deals with the RSA Public Key Cryptography Algorithm ○ Weaknesses in the random number generation process leads to interesting problems ● The puzzle helps us to understand the problem discussed in NY Times (2012) ○ When Random Primes are Not Random Enough ★ Buckle-up and get ready for some dazzling math and crypto ○ It is not an academic exercise, very relevant in practice ○ Real-world RSA implementations are also briefly analyzed 3
The RSA Puzzle Overview ● The challenge of the puzzle is to mechanically: ○ Derive RSA private keys from a set of RSA public keys where ■ some of the random primes repeat during the key generation process ○ Extract plaintext from ciphertext using the recovered private keys ● The puzzle demonstrates that RSA is breakable if random primes repeat ○ We can derive private keys of any two parties if they have the same primes in their public keys ● This puzzle reminds me of some notable previous work in particular ○ Randomness and the Netscape Browser ○ Cryptographic key material may be guessable 4
5 ● Solution to the RSA puzzle will explain this article in depth ○ Nice to see theory in action ● My exploit scripts are also handy to follow the puzzle ● The keys we will break in the puzzle are synthetic dataset ○ I will also use real world keys for demo
6 Why random numbers repeated? ● Researchers found that it relates to invalid or inadequate CSPRNG seeding ● CSPRNGs on systems used to generate keys were not initialized with ○ environmentally-supplied entropy at boot time ○ or were given an extremely small amount of entropy ● In this puzzle, we exploit this weakness to break RSA ● Real implementations of RSA are also shown to clarify core ideas
Agenda ● Brief Overview of the RSA Public Key Cryptography System ○ RSA Key Generation Algorithm ○ RSA Trapdoor Permutation (Foundation for Public Key Crypto) ● Cryptanalysis of RSA ○ Attack Trees based on RSA’s mathematical structure/assumptions ● Puzzle - Break RSA when random primes repeat during key generation ○ Formal Problem Statement ○ My solution (including both naïve and relatively advanced approaches) ○ Implementation detail ○ Additional analysis 7
Prerequisite Some familiarity with the following topics will help to follow the rest of the slides ● Group Theory (Abstract Algebra/Discrete Math) ● Modular Arithmetic (Number Theory) ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview 8
How can Alice send a message to Bob securely? 9 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? Private Key PrA Public Key PuB Private Key PrB
RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they got the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable 10
11 .... Note: There is a change in the notation of symbols in other publications since 1977. We will not use symbols w, r, s. e will be used but with a different meaning (explained in next slides).
12 Notations and Facts (needed for RSA Trapdoor) GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock Z* n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z* n is a multiplicative group) φ(n): Euler’s Totient function denotes the number of elements in Z* n φ(nm) = φ(n).φ(m) (This property is called multiplicative) φ(p) = p-1, if p is a prime number
Notations and Facts (needed for RSA Trapdoor) ... ● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n ● Euler’s Theorem: aφ(n) ≡ 1 (mod n), if gcd(a, n) = 1 ● Fermat’s little Theorem: ap ≡ a (mod p) ● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is either a prime or can be written as a unique product of primes ○ Euclid’s work is the foundation for this theorem, see The Elements ● Euclid’s Lemma: if a prime p divides the product of two natural numbers a and b, then p divides a or p divides b ● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes 13
RSA - Key Generation Algo. (Fits on one page) 1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits) ○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later) 2. Pick two independent, large random primes, p and q, of half of n’s bitlength ○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization) 3. Compute n = p.q (n is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n)) ○ Many implementations set e to be 65537 (Note: gcd(e, φ(n)) = 1) ○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in Zn 6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q> Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately 14
15 e = param.getPublicExponent(); p = chooseRandomPrime(pbitlength, e, squaredBound); // // generate a modulus of the required length // for (; ; ) { q = chooseRandomPrime(qbitlength, e, squaredBound); // p and q should not be too close together (or equal!) BigInteger diff = q.subtract(p).abs(); if (diff.bitLength() < mindiffbits || diff.compareTo(minDiff) <= 0) { continue; } // // calculate the modulus // n = p.multiply(q); RSAKeyPairGenerator.java part of Bouncy Castle Java implementation This ~implements the algo. of the previous slide This code makes sure p and q are not close Look at the for loop it tries until a good q is chosen
RSA - Key Generation - in real Implementation 16 ● If either p (or q) is common among two different keys, we can break RSA (Topic of this puzzle) ● Of course, there is no way for any implementation to check this property ○ Unless there is a trustable 3rd party we can share p and q and query for duplicates p = chooseRandomPrime(pbitlength, e, squaredBound); ... q = chooseRandomPrime(qbitlength, e, squaredBound);
RSA Trapdoor ● RSA: Zn → Zn ● Let x and y ∈ Zn ● y = RSA(x) = xe mod n ● x = RSA-1 (y) = yd mod n ○ Many implementations use Chinese-Remainder Theorem (CRT) to compute yd efficiently ■ I will use CRT later in my Python script to perform decryption ● e and d are also called encryption and decryption exponents, respectively ● RSA as defined above is the foundation for public-key Crypto 17
RSA Padding - Overview (needed for the puzzle) ● The puzzle uses PKCS1 version 1.5 to add randomness before encryption ○ Without randomness, there is no notion of semantic security in RSA ○ Sending the message two times will result in the same ciphertext ● Before calling RSA on msg x, random padding is attached (see below) ● 02 denotes that PKCS is used in encryption mode ● FF denotes the end of the random pad ● RSA trapdoor function is used on this msg after padding ● After RSA-1 , all bytes until FF are removed to recover msg x 18 02 Random Pad FF x
Typical usage of RSA in practice ● RSA is usually not directly used for message encryption ○ Performance is an issue in RSA due to very large d ○ Message cannot be longer than the RSA modulus (explained my RSA proof later) ● Instead, RSA is used in practice together with symmetric encryption ○ Bob generates a symmetric key (e.g., AES), say K ○ Bob encrypts his message M using C = AES(M, K) ○ Bob encrypts the symmetric key using Alice’s public key using RSA with random padding ■ Padding adds randomness before calling the RSA trapdoor function ○ Bob sends the pair <RSA(K), C> ○ Alice calls RSA-1 (K) to recover K and then AES-1 (C, K) to decrypt the secret message M ■ Eve cannot call RSA-1 (K) because she does not have the private d 19
RSA Trapdoor ... ● RSACoreEngine.java implements the RSA and RSA-1 functions ○ See the method processBlock ● RSA(input) = inpute mod n { return input.modPow( key.getExponent(), key.getModulus()); } ● The implementation for RSA-1 is a bit involved (Chinese-Remainder Theorem) ○ To speed-up the computation of inputd mod n, it computes inputd mod p and mod q 20
Why the RSA-1 recovers x from y (proof)? ● Proof uses Euler’s Theorem: xφ(n) ≡ 1 mod n, if x and n are co-primes ● y = RSA(x) ≡ xe mod n ● RSA-1 (y) = yd mod n ≡ (xe )d mod n ≡ xed mod n ≡ x(k.φ(n)+1) mod n (see the additional notes) ≡ xk.φ(n) x mod n ≡ (xφ(n) )k x mod n ≡ x mod n = x (since x < n) ● Additional notes: ■ Recall that ed ≡ 1 mod φ(n) , meaning φ(n) divides (ed-1). ■ or, ed-1 = k.φ(n) for some integer k ≥ 1;ed = k. φ(n) + 1 ■ Fermat’s little Theorem is used when x and n are not co-primes to prove RSA 21
Cryptanalysis of RSA - Basic Attack Tree (4 Paths) 22 Break RSA Factorize n to reverse p and q Compute φ(n) from n directly Reverse d from e and n ● Path 1: Factoring n is like finding the integral sides of a rectangle given its area ○ It is an interesting problem for several years (Mathematicians are trying) ● Path 2: Brute-forcing φ(n) is difficult, although φ(n) is of the same size as n ○ I have not found any scalable algorithm that computes φ(n) from n (open problem?) ● Path 3: Reversing of private d from public <n, e> is possible but for small d (e.g., d < n1/2 ) ● Path 4: Compute the e-th root of RSA encrypted value y to recover secret x ○ Appears to be equivalent of path 1 1 2 3 Compute e-th root of y to recover x 4
Cryptanalysis of RSA - Common Factor Attack 23 Break RSA Side-Channel Attacks Hardware Fault Attacks 5 6 Search for common factors among all public keys 7 ● Path 7: Compare all public keys in the world and check whether any random primes repeat (We will use this attack for solving the puzzle)
Math behind Common Factor Attack 24 ● The world has billions of public keys as part of digital certificates ● PubKeySpace = {<n1 , e>, <n2 , e>, <n3 , e>, ...} ○ All real implementations out there use the same e 65537 (I will show a demo later) ○ Faster to compute RSA(x) because encryption operation xe requires only 17 multiplications ● But we know that each n is a composition of private random primes n = p.q ● In a truly random world, all primes are different ○ gcd(n1 , n2 ) = 1; if n1 and n2 are made of distinct primes ● Little proof by contradiction (using Euclid’s Lemmas): ○ If gcd is not 1, then there is a number m that divides n1 and n2 ○ Which means that m will divide the prime factors of n1 and n2 ○ Which is a contradiction to the defn. of primes
Common Factor Attack - Core idea of the algorithm 25 ● What happens if random numbers repeat among public keys? ● Let’s say n1 = p. q1 and n2 = p. q2 ○ Recall that p, q1 and q2 are private (never published - not part of digital certificates) ● We can nevertheless derive p, q1 and q2 based on gcd(n1 , n2 ) ○ gcd(n1 , n2 ) = p; this follows from the very defn. of GCD and primes ● q1 = n1 /gcd(n1 , n2 ) = n1 /p ● q2 = n2 /gcd(n1 , n2 ) = n2 /p ● That’s it! We successfully factored RSA modules ○ We can immediately compute φ(n1 ) = (p-1)(q1 -1) ○ Then we can compute private exponent d as e-1 mod φ(n1 ) ○ Similarly, we can factor n2 and decrypt all messages
Common Factor Attack - Efficient Algorithm ● Computing pairwise GCD for all public keys in the world is very slow although Euclid’s GCD algorithm is logarithmic time complexity ○ Heninger et al. mention that it may take at least 30 years or so ○ I have some metrics from my experiment (later) ● I also implemented a fast algorithm to find GCD among a set of numbers, the complexity is O(n(lgn)2 lglgn) ○ See my Python script for the implementation details ● The core algorithm is rooted in the work of Prof. Bernstein ○ How to find the smooth parts of integers? 26
27 How to get public keys? (e.g., CNN) I just happen to read Breaking News - CNN is not my target
28 CNN’s RSA public key n and modulus e
Command to extract RSA modulus and exponent # echo | openssl s_client -connect cnn.com:443 -servername cnn.com 2>&1 | awk '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/' | openssl x509 -pubkey -noout | openssl rsa -pubin -text -noout Public-Key: (2048 bits) Modulus: 00:b9:ef:0b:b6:26:47:c5:72:9a:27:38:88:e8:95: 3a:d7:c6:07:6c:d7:62:98:f6:16:ca:91:c4:12:17: ... Exponent: 65537 (0x10001) 29 ● It is not difficult to extract the set of all RSA modulus n available on the Internet ● The above command downloads certificates from cnn.com, for example ○ It can be extended to download certificates from Internet-facing products ● https://scans.io/ https://censys.io/ https://zmap.io/
Back to the RSA cracking puzzle ● We are given 100 public keys (*.pem) and 100 encrypted messages (*.bin) ○ Screenshot shows a fragment (The author of the puzzle has generated these pem/bin files) ● The goal is to apply the Common Factor Attack on these keys ● We need to derive private keys from public keys and then decrypt *bin files 30
Common Factor Attack - Implementation/Approach ● I will present two implementations to find the repeated random primes ○ Recall that the prime numbers are private (not part of digital certificates) ● The first implementation is naïve ○ It will compare every public key with other public keys in the dataset ● The second implementation is somewhat advanced number theory ○ It compares all keys once to find the common factors ○ Several orders of magnitude faster than naïve ● Contact me if you want to access to my Python proof-of-concept script 31
Common Factor Attack - My Python proof-of-concept 32 Input: Two public key files The public keys share a random prime if gcd is 1 This is a naïve algorithm - does not scale due to pairwise gcd computation
Generate private keys from prime factors p and q 33 In order to use the Chinese Remainder Theorem, we will have to compute dp, dq, qinv Easy to derive them from p and q though (see the script)
Private keys that were derived using this attack 34 Each priv.pem file contains private keys ● We broke 12 private keys (e.g., 44.priv.pem) from the given 100 public keys ● Each of these 12 keys shares random primes with at least one other key ● I confirmed the results with the author of the puzzle
Let’s decrypt using the derived private keys 35 ● The size of all encrypted message files (i.e., bin files) are all the same ○ Linux command line: wc -c *.bin ● All bin files have 128 bytes ○ RSA 1024-bit ● Since all encrypted files have the same size, I guessed that PKCS1 is used ● Next slides show the script that uses PKCS1 for RSA decryption
Let’s decrypt using the derived private keys ... 36 root@kali:~/crypto/RSA_Puzzle/challenge# openssl rsautl -inkey 44.priv.pem -decrypt < 44.bin Sarpedon ubi tot Simois correpta sub undis Inputs: Private key and Encrypted File My Python script decrypts all the encrypted files using the cracked private keys
Output of my Python script - decrypted messages! 37 This is in Latin, there is another non-cryptographic step in the puzzle to find one English word for all these Latin messages (It’s left us an exercise)
Finding the common factors efficiently 38 Input: List of public keys Output: For each RSA modulus, the common factor it shares with other keys Note: commonFactor is equal to the modulus when both primes are shared We can use the pairwise Naïve algorithm for those public keys (see pairwiseCandidates)
Pairwise GCD (Naïve) vs Bernstein’s Algo: Speed 39 Pairwise GCD $time python RSACommonFactorPuzzle.py real 0m2.484s user 0m2.408s sys 0m0.060s real 0m2.475s user 0m2.384s sys 0m0.060s real 0m2.450s user 0m2.360s sys 0m0.072s Bernstein’s smooth integer algorithm $time python RSACommonFactorPuzzle.py real 0m0.369s user 0m0.312s sys 0m0.012s real 0m0.351s user 0m0.288s sys 0m0.032s real 0m0.390s user 0m0.348s sys 0m0.024s Pairwise GCD is orders of magnitude slower
Additional Analysis 40 ● After finishing the puzzle, I had a lot of questions and investigated a few ● Can we efficiently derive private Euler Totient φ(n) from the RSA modulus n? ● Similarly, can we efficiently derive private exponent d from n? ● I developed some utility programs and generated a bunch of RSA keys ● Next, I demonstrate my observation based on metrics ● First I show that it is easy to check whether n is equal to p.q
Checking the result of factorization is easy 41 ● For example, we found that 58.pem and 71.pem have a common prime factor ● Let’s see what is the common factor and check the result is correct ● 58.pem’s RSA modulus n58 is ○ 132009813808533392577123110438741884286561400398429860761027919959189196549797215586297 852825375342475728679074489933320371765026814849875692023263110656924146683347962741534 495754902097930935910070831755220321417369411370818762253940133993629997648473607090782 039210687337530507010114741418840031542303031081 ● 71.pem’s RSA modulus n71 is ○ 135472400918611757666622822789636901038207639581474006488496906937544113899819968264216 470405393313301250508761651903965883874352772699986982247519612608840409853757718079903 608120168842687889231898954817245684707914621259848016658887023606975529849256590875282 759156328281549546230980205644358325222571914637
Checking the result of factorization is easy ... ● The common factor for 58.pem and 71.pem is the common prime p: ○ 129137502646234622763374256441287111746758133368804650684610186816450800479188353483236 21347173714301224881492646558739535118834131362641424915974945262413 ● 58.pem’s private q58 : ○ 102224226970043949777256885320880162508867547271189728340583126434163937246274052502556 81036829301071437886544959801218835717885646951246124126053948898637 ● 71.pem’s private q71 : ○ 104905544975367267702914249740242771357439818837898485544233978656125835584538419552523 13841219976974375731593387395755291375663525635781387394235606102849 ● It takes only a few microseconds to check whether factorization is correct ○ n58 = p.q58 and n71 = p.q71 ; you may use calculator to check ● However, given n58 (or n71 ) factorization takes years to find the factors ○ Easy in one-direction but “hard” in another-direction 42
Why can’t we bruteforce private φ(n) from n? 43
Distribution of φ(n) for a small dataset 44 Figure from Wikipedia If p is prime, φ(p) is p-1. φ is multiplicative that’s why we see diagonal lines when n increases, φ(n) does not always increase RSA is immediately broken if we can efficiently compute φ(n) from public n
Additional analysis of φ(n) ● In the words of Hardy & Wright, “the order of φ(n) is always nearly n” ● I went ahead and measured how close φ(n) to n ○ I randomly generated different primes of different size for this analysis ● Metrics (next slides) confirm that φ(n) and n have the same number of bits ● However, the distance between φ(n) to n is about half the bitlength of n ● Meaning if n is a 2048-bit number, we still have to bruteforce 21024 combinations on a classical computer (The sun will cool down?) ● If n is small (e.g., 768 bits), researchers have already factored its p and q ○ See the list of broken RSA numbers here 45
Let’s look at an example private n its private φ(n) n = 13200981380853339257712311043874188428656140039842986076102791995918919654979721558629785282537534 24757286790744899333203717650268148498756920232631106569241466833479627415344957549020979309359100 70831755220321417369411370818762253940133993629997648473607090782039210687337530507010114741418840 031542303031081 φ(n) = 13200981380853339257712311043874188428656140039842986076102791995918919654979721558629785282537534 24757286790744899333203717650268148498756920232631106569010105103863348842804326407258812035103475 02767755782418898038086309344989707699535414327613645458234428014001604327379159670290336427531290 989513408870032 ● This shows that the n and φ(n) share the first half but the other half is different ○ Finding the other private half by bruteforce is a computational challenge as far as we know 46
Why public n and private φ(n) have common prefix? ● Euler’s φ(n) = (p-1)(q-1) = n(1-1/p)(1-1/q) [Recall that n = p.q] ● Since p and q are large numbers, 1/p and 1/q are close to zero ● n(1-1/p)(1-1/q) means that we take some fraction of large n because ○ (1-1/p)(1-1/q) is between 0 and 1 ● In RSA, p and q are large prime numbers (but far from infinity), thus φ(n) is not that close to public n to bruteforce ● Why n is not a prime in RSA? If n is a prime, φ(n) is computable in constant time (recall that φ(p) = p-1 if p is prime) 47
Additional analysis of φ(n) (on my dataset) 48 # of bits in n # of bits in φ(n) # of bits in n-φ(n) 256 256 129 512 512 257 1024 1024 513 2048 2048 1025 4096 4096 2049 ● Bruteforce of φ(n) from n looks very challenging since n-φ(n) is ~half the bitlength of n ● Computational hardness assumption is an interesting topic ● General feeling is that algorithm for φ(n) is not in class P (P vs NP problem debate) ● More future analysis is needed to understand the structure of φ(n)
Additional analysis of φ(n) ... 49 ● Consider this formula (based on Fourier transform) to compute φ(n) from n ● This formula works computationally well for small n ○ Even though GCD is fast to compute, this formula does not scale ● For example, if n is a 2048-bit number, we end up calling call gcd 22048 times ● In experiments, gcd(x, y) took ~ 24 microseconds ● This means that we need 22052 microseconds to compute GCD ○ A year has a very conservative approximation of 240 microseconds ● Thus, 22052 /240 = 22012 years to compute gcd(k, n) for all k, 1 ≤ k ≤ n ● Formulas to derive φ(n) cannot be applied unless there is no iterative loop ○ They may be elegant formulas from a math perspective but not computationally efficient
Bruteforcing private d from public modulus n? 50 ● Another thought I had when solving the puzzle was why not bruteforce d? ● Recall that RSA-1 (y) = yd mod n will expose the secret if we know d ○ Recall that d and φ(n) are private; n is public ● But we know that d and n are related indirectly ○ e.d ≡1 (mod φ(n)) ● Metrics (next slides) show that d and n are roughly the same bitlength ○ But, they are not that close to each other in the number line ● Bruteforcing d from n appears to be not feasible based on my metrics
Let’s look at an example public n and private d n = 13200981380853339257712311043874188428656140039842986076102791995918919654979721558629785282537534 24757286790744899333203717650268148498756920232631106569241466833479627415344957549020979309359100 70831755220321417369411370818762253940133993629997648473607090782039210687337530507010114741418840 031542303031081 d = 75978610202753857637808928174151149355159620108164462027648094066872400229768695117493248219679843 72468202350870134862511898586770001887958104761408874343204779669152618879500006421075482546363592 78636456980460020140777818406855940068430936484365580768818014966834080783182309651548207889662373 33482548523393 ● This shows that the n and d are nearly the same size (n has 1 more digit) 51
How far is private d from public n? (on my dataset) 52 Trial # of bits in n # of bits in d # of bits in n-d 1 1024 1024 1020 2 1024 1023 1019 3 1024 1022 1023 4 2048 2047 2045 5 2048 2047 2046 6 2048 2046 2048 ● Bruteforce of d from n looks very challenging since n and n-d are ~the same bitlength
Conclusion/Discussion 53 ● The main goal was to demonstrate my end-to-end solution to an RSA puzzle ● This puzzle demonstrates that if public keys are made of repeated random primes, RSA is not difficult to break ● If random number generation algorithms are not properly seeded, Euclid’s GCD math can derive the private keys from the public keys! ● Prof. Knuth’s remark is highly relevant: random numbers should not be generated with a method chosen at random ● “Factoring may be easier than you think,” says Cohn, an interesting view!
Conclusion/Discussion ... ● Prof. D. Boneh stresses that Crypto implementation is very difficult ○ Even experts (with solid education in math/cs) found it difficult to implement it correctly ○ https://robotattack.org/ ● The author of the puzzle shared the valuable information given below ● The attack discussed in the puzzle may not affect TLS when forward secrecy is used (e.g., Diffie-Hellman DHE ciphersuite Ephemeral Keys) ○ TLS - Transport Layer Security ● A goal of DHE is to protect confidential content of sessions even if the long-term (private) keys are compromised ○ Active attacks are still possible ○ Attacks against non-forward-secret ciphers are still possible 54
Acknowledgement ● Mr. Seth David Schoen and his colleagues for constructing the RSA puzzle ○ http://www.loyalty.org/~schoen/ ● Seth for critical reviews of my slides and offering new pointers to Crypto work ○ All remaining mistakes are mine ○ Nice that you are in the committee of EFF Cooperative Computing Awards ● It is always a pleasure to understand under-the-hood Crypto ○ I barely scratched the surface though there is a lot more analysis to be performed... ● The more I think about it the more I realize that RSA is not that simple ○ I have many more deeper questions and have to experiment when I get some time 55
56 https://www.eff.org/awards/coop is a pretty cool effort.
References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● I. Goldberg and D. Wagner, “Randomness and the Netscape Browser,” http://people.eecs.berkeley.edu/~daw/papers/ddj-netscape.html ● N. Heninger, Z. Durumeric, E. Wustrow, J. A. Halderman, “Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices,” USENIX security, 2012. 57
References ... ● D. J. Bernstein, “How to find the smooth parts of integers,” http://cr.yp.to/papers.html#smoothparts. ● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996. ● C. Paar and J. Pelzl. “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011. ● A. Lenstra et al., “Ron was wrong, Whit is right,” Cryptology ePrint Archive, Report 2012/064, 2012. http://eprint.iacr.org/2012/064.pdf. 58
References … (Euclid’s book) 59

Recommended

RSA Game using an Oracle
RSA Game using an OracleRSA Game using an Oracle
RSA Game using an OracleDharmalingam Ganesan
 
Broadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackBroadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackAnkita Kapratwar
 
Cryptography using rsa cryptosystem
Cryptography using rsa cryptosystemCryptography using rsa cryptosystem
Cryptography using rsa cryptosystemSamdish Arora
 
Rethinking Attention with Performers
Rethinking Attention with PerformersRethinking Attention with Performers
Rethinking Attention with PerformersJoonhyung Lee
 
Attention in Deep Learning
Attention in Deep LearningAttention in Deep Learning
Attention in Deep Learning健程 杨
 
RSA algorithm
RSA algorithmRSA algorithm
RSA algorithmArpana shree
 
Introduction to Transformers for NLP - Olga Petrova
Introduction to Transformers for NLP - Olga PetrovaIntroduction to Transformers for NLP - Olga Petrova
Introduction to Transformers for NLP - Olga PetrovaAlexey Grigorev
 
Lecture 4: Transformers (Full Stack Deep Learning - Spring 2021)
Lecture 4: Transformers (Full Stack Deep Learning - Spring 2021)Lecture 4: Transformers (Full Stack Deep Learning - Spring 2021)
Lecture 4: Transformers (Full Stack Deep Learning - Spring 2021)Sergey Karayev
 

Recommended

RSA Game using an Oracle
RSA Game using an OracleRSA Game using an Oracle
RSA Game using an OracleDharmalingam Ganesan
 
Broadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackBroadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackAnkita Kapratwar
 
Cryptography using rsa cryptosystem
Cryptography using rsa cryptosystemCryptography using rsa cryptosystem
Cryptography using rsa cryptosystemSamdish Arora
 
Rethinking Attention with Performers
Rethinking Attention with PerformersRethinking Attention with Performers
Rethinking Attention with PerformersJoonhyung Lee
 
Attention in Deep Learning
Attention in Deep LearningAttention in Deep Learning
Attention in Deep Learning健程 杨
 
RSA algorithm
RSA algorithmRSA algorithm
RSA algorithmArpana shree
 
Introduction to Transformers for NLP - Olga Petrova
Introduction to Transformers for NLP - Olga PetrovaIntroduction to Transformers for NLP - Olga Petrova
Introduction to Transformers for NLP - Olga PetrovaAlexey Grigorev
 
Lecture 4: Transformers (Full Stack Deep Learning - Spring 2021)
Lecture 4: Transformers (Full Stack Deep Learning - Spring 2021)Lecture 4: Transformers (Full Stack Deep Learning - Spring 2021)
Lecture 4: Transformers (Full Stack Deep Learning - Spring 2021)Sergey Karayev
 
Discrete Logarithmic Problem- Basis of Elliptic Curve Cryptosystems
Discrete Logarithmic Problem- Basis of Elliptic Curve CryptosystemsDiscrete Logarithmic Problem- Basis of Elliptic Curve Cryptosystems
Discrete Logarithmic Problem- Basis of Elliptic Curve CryptosystemsNIT Sikkim
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic CurvesSam Bowne
 
INTRODUCTION TO NLP, RNN, LSTM, GRU
INTRODUCTION TO NLP, RNN, LSTM, GRUINTRODUCTION TO NLP, RNN, LSTM, GRU
INTRODUCTION TO NLP, RNN, LSTM, GRUSri Geetha
 
Post Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical OverviewPost Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical OverviewRamesh Nagappan
 
Asymmetric Cryptography
Asymmetric CryptographyAsymmetric Cryptography
Asymmetric CryptographyUTD Computer Security Group
 
Introduction to Named Entity Recognition
Introduction to Named Entity RecognitionIntroduction to Named Entity Recognition
Introduction to Named Entity RecognitionTomer Lieber
 
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1RAMESHBABU311293
 
Asymmetric Cryptography.pptx
Asymmetric Cryptography.pptxAsymmetric Cryptography.pptx
Asymmetric Cryptography.pptxdiaa46
 
Training Neural Networks
Training Neural NetworksTraining Neural Networks
Training Neural NetworksDatabricks
 
Information Security Cryptography ( L02- Types Cryptography)
Information Security Cryptography ( L02- Types Cryptography)Information Security Cryptography ( L02- Types Cryptography)
Information Security Cryptography ( L02- Types Cryptography)Anas Rock
 
BERT: Pre-training of Deep Bidirectional Transformers for Language Understanding
BERT: Pre-training of Deep Bidirectional Transformers for Language UnderstandingBERT: Pre-training of Deep Bidirectional Transformers for Language Understanding
BERT: Pre-training of Deep Bidirectional Transformers for Language Understandinggohyunwoong
 
1524 elliptic curve cryptography
1524 elliptic curve cryptography1524 elliptic curve cryptography
1524 elliptic curve cryptographyDr Fereidoun Dejahang
 
Reinforcement learning, Q-Learning
Reinforcement learning, Q-LearningReinforcement learning, Q-Learning
Reinforcement learning, Q-LearningKuppusamy P
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSASrilal Buddika
 
Attention is all you need (UPC Reading Group 2018, by Santi Pascual)
Attention is all you need (UPC Reading Group 2018, by Santi Pascual)Attention is all you need (UPC Reading Group 2018, by Santi Pascual)
Attention is all you need (UPC Reading Group 2018, by Santi Pascual)Universitat Politècnica de Catalunya
 
Relational knowledge distillation
Relational knowledge distillationRelational knowledge distillation
Relational knowledge distillationNAVER Engineering
 
5 csp
5 csp5 csp
5 cspMhd Sb
 
Transformer Seq2Sqe Models: Concepts, Trends & Limitations (DLI)
Transformer Seq2Sqe Models: Concepts, Trends & Limitations (DLI)Transformer Seq2Sqe Models: Concepts, Trends & Limitations (DLI)
Transformer Seq2Sqe Models: Concepts, Trends & Limitations (DLI)Deep Learning Italia
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic EncryptionVictor Pereira
 
Deep deterministic policy gradient
Deep deterministic policy gradientDeep deterministic policy gradient
Deep deterministic policy gradientSlobodan Blazeski
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eDharmalingam Ganesan
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer FactorizationDharmalingam Ganesan
 

More Related Content

What's hot

Discrete Logarithmic Problem- Basis of Elliptic Curve Cryptosystems
Discrete Logarithmic Problem- Basis of Elliptic Curve CryptosystemsDiscrete Logarithmic Problem- Basis of Elliptic Curve Cryptosystems
Discrete Logarithmic Problem- Basis of Elliptic Curve CryptosystemsNIT Sikkim
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic CurvesSam Bowne
 
INTRODUCTION TO NLP, RNN, LSTM, GRU
INTRODUCTION TO NLP, RNN, LSTM, GRUINTRODUCTION TO NLP, RNN, LSTM, GRU
INTRODUCTION TO NLP, RNN, LSTM, GRUSri Geetha
 
Post Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical OverviewPost Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical OverviewRamesh Nagappan
 
Introduction to Named Entity Recognition
Introduction to Named Entity RecognitionIntroduction to Named Entity Recognition
Introduction to Named Entity RecognitionTomer Lieber
 
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1RAMESHBABU311293
 
Asymmetric Cryptography.pptx
Asymmetric Cryptography.pptxAsymmetric Cryptography.pptx
Asymmetric Cryptography.pptxdiaa46
 
Training Neural Networks
Training Neural NetworksTraining Neural Networks
Training Neural NetworksDatabricks
 
Information Security Cryptography ( L02- Types Cryptography)
Information Security Cryptography ( L02- Types Cryptography)Information Security Cryptography ( L02- Types Cryptography)
Information Security Cryptography ( L02- Types Cryptography)Anas Rock
 
BERT: Pre-training of Deep Bidirectional Transformers for Language Understanding
BERT: Pre-training of Deep Bidirectional Transformers for Language UnderstandingBERT: Pre-training of Deep Bidirectional Transformers for Language Understanding
BERT: Pre-training of Deep Bidirectional Transformers for Language Understandinggohyunwoong
 
Reinforcement learning, Q-Learning
Reinforcement learning, Q-LearningReinforcement learning, Q-Learning
Reinforcement learning, Q-LearningKuppusamy P
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSASrilal Buddika
 
Attention is all you need (UPC Reading Group 2018, by Santi Pascual)
Attention is all you need (UPC Reading Group 2018, by Santi Pascual)Attention is all you need (UPC Reading Group 2018, by Santi Pascual)
Attention is all you need (UPC Reading Group 2018, by Santi Pascual)Universitat Politècnica de Catalunya
 
Relational knowledge distillation
Relational knowledge distillationRelational knowledge distillation
Relational knowledge distillationNAVER Engineering
 
Transformer Seq2Sqe Models: Concepts, Trends & Limitations (DLI)
Transformer Seq2Sqe Models: Concepts, Trends & Limitations (DLI)Transformer Seq2Sqe Models: Concepts, Trends & Limitations (DLI)
Transformer Seq2Sqe Models: Concepts, Trends & Limitations (DLI)Deep Learning Italia
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic EncryptionVictor Pereira
 
Deep deterministic policy gradient
Deep deterministic policy gradientDeep deterministic policy gradient
Deep deterministic policy gradientSlobodan Blazeski
 

What's hot (20)

Discrete Logarithmic Problem- Basis of Elliptic Curve Cryptosystems
Discrete Logarithmic Problem- Basis of Elliptic Curve CryptosystemsDiscrete Logarithmic Problem- Basis of Elliptic Curve Cryptosystems
Discrete Logarithmic Problem- Basis of Elliptic Curve Cryptosystems
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
INTRODUCTION TO NLP, RNN, LSTM, GRU
INTRODUCTION TO NLP, RNN, LSTM, GRUINTRODUCTION TO NLP, RNN, LSTM, GRU
INTRODUCTION TO NLP, RNN, LSTM, GRU
 
Post Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical OverviewPost Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical Overview
 
Asymmetric Cryptography
Asymmetric CryptographyAsymmetric Cryptography
Asymmetric Cryptography
 
Introduction to Named Entity Recognition
Introduction to Named Entity RecognitionIntroduction to Named Entity Recognition
Introduction to Named Entity Recognition
 
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
 
Asymmetric Cryptography.pptx
Asymmetric Cryptography.pptxAsymmetric Cryptography.pptx
Asymmetric Cryptography.pptx
 
Training Neural Networks
Training Neural NetworksTraining Neural Networks
Training Neural Networks
 
Information Security Cryptography ( L02- Types Cryptography)
Information Security Cryptography ( L02- Types Cryptography)Information Security Cryptography ( L02- Types Cryptography)
Information Security Cryptography ( L02- Types Cryptography)
 
BERT: Pre-training of Deep Bidirectional Transformers for Language Understanding
BERT: Pre-training of Deep Bidirectional Transformers for Language UnderstandingBERT: Pre-training of Deep Bidirectional Transformers for Language Understanding
BERT: Pre-training of Deep Bidirectional Transformers for Language Understanding
 
1524 elliptic curve cryptography
1524 elliptic curve cryptography1524 elliptic curve cryptography
1524 elliptic curve cryptography
 
Reinforcement learning, Q-Learning
Reinforcement learning, Q-LearningReinforcement learning, Q-Learning
Reinforcement learning, Q-Learning
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSA
 
Attention is all you need (UPC Reading Group 2018, by Santi Pascual)
Attention is all you need (UPC Reading Group 2018, by Santi Pascual)Attention is all you need (UPC Reading Group 2018, by Santi Pascual)
Attention is all you need (UPC Reading Group 2018, by Santi Pascual)
 
Relational knowledge distillation
Relational knowledge distillationRelational knowledge distillation
Relational knowledge distillation
 
5 csp
5 csp5 csp
5 csp
 
Transformer Seq2Sqe Models: Concepts, Trends & Limitations (DLI)
Transformer Seq2Sqe Models: Concepts, Trends & Limitations (DLI)Transformer Seq2Sqe Models: Concepts, Trends & Limitations (DLI)
Transformer Seq2Sqe Models: Concepts, Trends & Limitations (DLI)
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
Deep deterministic policy gradient
Deep deterministic policy gradientDeep deterministic policy gradient
Deep deterministic policy gradient
 

Similar to RSA cracking puzzle

An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eDharmalingam Ganesan
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer FactorizationDharmalingam Ganesan
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionDharmalingam Ganesan
 
Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDharmalingam Ganesan
 
Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dDharmalingam Ganesan
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysDharmalingam Ganesan
 
Solutions to online rsa factoring challenges
Solutions to online rsa factoring challengesSolutions to online rsa factoring challenges
Solutions to online rsa factoring challengesDharmalingam Ganesan
 
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsComputing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsDharmalingam Ganesan
 
RSA Algm.pptx
RSA Algm.pptxRSA Algm.pptx
RSA Algm.pptxSou Jana
 
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxRivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxwerip98386
 
Deep dive into rsa
Deep dive into rsaDeep dive into rsa
Deep dive into rsaBill GU
 
Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithmVaibhav Khanna
 

Similar to RSA cracking puzzle (20)

An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent e
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer Factorization
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor Function
 
RSA without Padding
RSA without PaddingRSA without Padding
RSA without Padding
 
RSA Two Person Game
RSA Two Person GameRSA Two Person Game
RSA Two Person Game
 
Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private Variables
 
Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent d
 
Analysis of Shared RSA Modulus
Analysis of Shared RSA ModulusAnalysis of Shared RSA Modulus
Analysis of Shared RSA Modulus
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private Keys
 
RSA without Integrity Checks
RSA without Integrity ChecksRSA without Integrity Checks
RSA without Integrity Checks
 
Solutions to online rsa factoring challenges
Solutions to online rsa factoring challengesSolutions to online rsa factoring challenges
Solutions to online rsa factoring challenges
 
rsa-1
rsa-1rsa-1
rsa-1
 
rsa-1
rsa-1rsa-1
rsa-1
 
rsa-1
rsa-1rsa-1
rsa-1
 
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsComputing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSA
 
RSA Algm.pptx
RSA Algm.pptxRSA Algm.pptx
RSA Algm.pptx
 
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxRivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
 
Deep dive into rsa
Deep dive into rsaDeep dive into rsa
Deep dive into rsa
 
Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithm
 

More from Dharmalingam Ganesan

Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfDharmalingam Ganesan
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)Dharmalingam Ganesan
 
How do computers exchange secrets using Math?
How do computers exchange secrets using Math?How do computers exchange secrets using Math?
How do computers exchange secrets using Math?Dharmalingam Ganesan
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based TestingDharmalingam Ganesan
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksDharmalingam Ganesan
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public keyDharmalingam Ganesan
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesDharmalingam Ganesan
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solverDharmalingam Ganesan
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitDharmalingam Ganesan
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleDharmalingam Ganesan
 

More from Dharmalingam Ganesan (17)

.NET Deserialization Attacks
.NET Deserialization Attacks.NET Deserialization Attacks
.NET Deserialization Attacks
 
Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdf
 
How to exploit rand()?
How to exploit rand()?How to exploit rand()?
How to exploit rand()?
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)
 
Thank-a-Gram
Thank-a-GramThank-a-Gram
Thank-a-Gram
 
Active Attacks on DH Key Exchange
Active Attacks on DH Key ExchangeActive Attacks on DH Key Exchange
Active Attacks on DH Key Exchange
 
Can I write to a read only file ?
Can I write to a read only file ?Can I write to a read only file ?
Can I write to a read only file ?
 
How do computers exchange secrets using Math?
How do computers exchange secrets using Math?How do computers exchange secrets using Math?
How do computers exchange secrets using Math?
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based Testing
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering Tasks
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public key
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module Dependencies
 
Software Architecture
Software ArchitectureSoftware Architecture
Software Architecture
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solver
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit
 
20170605135932210 thank you card7
20170605135932210 thank you card720170605135932210 thank you card7
20170605135932210 thank you card7
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
 

Recently uploaded

Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfkalichargn70th171
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfonteinmasabamasaba
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplatePresentation.STUDIO
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech studentsHimanshiGarg82
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionOnePlan Solutions
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfVishalKumarJha10
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfayushiqss
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfryanfarris8
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrainmasabamasaba
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 

Recently uploaded (20)

Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 

RSA cracking puzzle

  • 1. Solution to an RSA Puzzle When random primes repeat during Crypto key generation... Dr. Dharma Ganesan, Ph.D., If Victim1 = p. q1 and Victim2 = p. q2 , then we call Euclid
  • 2. Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
  • 3. Context ● The Cryptography puzzle discussed here is part of an online challenge ○ I worked on this puzzle to harden my under-the-hood Cryptography foundation ● The puzzle deals with the RSA Public Key Cryptography Algorithm ○ Weaknesses in the random number generation process leads to interesting problems ● The puzzle helps us to understand the problem discussed in NY Times (2012) ○ When Random Primes are Not Random Enough ★ Buckle-up and get ready for some dazzling math and crypto ○ It is not an academic exercise, very relevant in practice ○ Real-world RSA implementations are also briefly analyzed 3
  • 4. The RSA Puzzle Overview ● The challenge of the puzzle is to mechanically: ○ Derive RSA private keys from a set of RSA public keys where ■ some of the random primes repeat during the key generation process ○ Extract plaintext from ciphertext using the recovered private keys ● The puzzle demonstrates that RSA is breakable if random primes repeat ○ We can derive private keys of any two parties if they have the same primes in their public keys ● This puzzle reminds me of some notable previous work in particular ○ Randomness and the Netscape Browser ○ Cryptographic key material may be guessable 4
  • 5. 5 ● Solution to the RSA puzzle will explain this article in depth ○ Nice to see theory in action ● My exploit scripts are also handy to follow the puzzle ● The keys we will break in the puzzle are synthetic dataset ○ I will also use real world keys for demo
  • 6. 6 Why random numbers repeated? ● Researchers found that it relates to invalid or inadequate CSPRNG seeding ● CSPRNGs on systems used to generate keys were not initialized with ○ environmentally-supplied entropy at boot time ○ or were given an extremely small amount of entropy ● In this puzzle, we exploit this weakness to break RSA ● Real implementations of RSA are also shown to clarify core ideas
  • 7. Agenda ● Brief Overview of the RSA Public Key Cryptography System ○ RSA Key Generation Algorithm ○ RSA Trapdoor Permutation (Foundation for Public Key Crypto) ● Cryptanalysis of RSA ○ Attack Trees based on RSA’s mathematical structure/assumptions ● Puzzle - Break RSA when random primes repeat during key generation ○ Formal Problem Statement ○ My solution (including both naïve and relatively advanced approaches) ○ Implementation detail ○ Additional analysis 7
  • 8. Prerequisite Some familiarity with the following topics will help to follow the rest of the slides ● Group Theory (Abstract Algebra/Discrete Math) ● Modular Arithmetic (Number Theory) ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview 8
  • 9. How can Alice send a message to Bob securely? 9 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? Private Key PrA Public Key PuB Private Key PrB
  • 10. RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they got the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable 10
  • 11. 11 .... Note: There is a change in the notation of symbols in other publications since 1977. We will not use symbols w, r, s. e will be used but with a different meaning (explained in next slides).
  • 12. 12 Notations and Facts (needed for RSA Trapdoor) GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock Z* n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z* n is a multiplicative group) φ(n): Euler’s Totient function denotes the number of elements in Z* n φ(nm) = φ(n).φ(m) (This property is called multiplicative) φ(p) = p-1, if p is a prime number
  • 13. Notations and Facts (needed for RSA Trapdoor) ... ● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n ● Euler’s Theorem: aφ(n) ≡ 1 (mod n), if gcd(a, n) = 1 ● Fermat’s little Theorem: ap ≡ a (mod p) ● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is either a prime or can be written as a unique product of primes ○ Euclid’s work is the foundation for this theorem, see The Elements ● Euclid’s Lemma: if a prime p divides the product of two natural numbers a and b, then p divides a or p divides b ● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes 13
  • 14. RSA - Key Generation Algo. (Fits on one page) 1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits) ○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later) 2. Pick two independent, large random primes, p and q, of half of n’s bitlength ○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization) 3. Compute n = p.q (n is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n)) ○ Many implementations set e to be 65537 (Note: gcd(e, φ(n)) = 1) ○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in Zn 6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q> Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately 14
  • 15. 15 e = param.getPublicExponent(); p = chooseRandomPrime(pbitlength, e, squaredBound); // // generate a modulus of the required length // for (; ; ) { q = chooseRandomPrime(qbitlength, e, squaredBound); // p and q should not be too close together (or equal!) BigInteger diff = q.subtract(p).abs(); if (diff.bitLength() < mindiffbits || diff.compareTo(minDiff) <= 0) { continue; } // // calculate the modulus // n = p.multiply(q); RSAKeyPairGenerator.java part of Bouncy Castle Java implementation This ~implements the algo. of the previous slide This code makes sure p and q are not close Look at the for loop it tries until a good q is chosen
  • 16. RSA - Key Generation - in real Implementation 16 ● If either p (or q) is common among two different keys, we can break RSA (Topic of this puzzle) ● Of course, there is no way for any implementation to check this property ○ Unless there is a trustable 3rd party we can share p and q and query for duplicates p = chooseRandomPrime(pbitlength, e, squaredBound); ... q = chooseRandomPrime(qbitlength, e, squaredBound);
  • 17. RSA Trapdoor ● RSA: Zn → Zn ● Let x and y ∈ Zn ● y = RSA(x) = xe mod n ● x = RSA-1 (y) = yd mod n ○ Many implementations use Chinese-Remainder Theorem (CRT) to compute yd efficiently ■ I will use CRT later in my Python script to perform decryption ● e and d are also called encryption and decryption exponents, respectively ● RSA as defined above is the foundation for public-key Crypto 17
  • 18. RSA Padding - Overview (needed for the puzzle) ● The puzzle uses PKCS1 version 1.5 to add randomness before encryption ○ Without randomness, there is no notion of semantic security in RSA ○ Sending the message two times will result in the same ciphertext ● Before calling RSA on msg x, random padding is attached (see below) ● 02 denotes that PKCS is used in encryption mode ● FF denotes the end of the random pad ● RSA trapdoor function is used on this msg after padding ● After RSA-1 , all bytes until FF are removed to recover msg x 18 02 Random Pad FF x
  • 19. Typical usage of RSA in practice ● RSA is usually not directly used for message encryption ○ Performance is an issue in RSA due to very large d ○ Message cannot be longer than the RSA modulus (explained my RSA proof later) ● Instead, RSA is used in practice together with symmetric encryption ○ Bob generates a symmetric key (e.g., AES), say K ○ Bob encrypts his message M using C = AES(M, K) ○ Bob encrypts the symmetric key using Alice’s public key using RSA with random padding ■ Padding adds randomness before calling the RSA trapdoor function ○ Bob sends the pair <RSA(K), C> ○ Alice calls RSA-1 (K) to recover K and then AES-1 (C, K) to decrypt the secret message M ■ Eve cannot call RSA-1 (K) because she does not have the private d 19
  • 20. RSA Trapdoor ... ● RSACoreEngine.java implements the RSA and RSA-1 functions ○ See the method processBlock ● RSA(input) = inpute mod n { return input.modPow( key.getExponent(), key.getModulus()); } ● The implementation for RSA-1 is a bit involved (Chinese-Remainder Theorem) ○ To speed-up the computation of inputd mod n, it computes inputd mod p and mod q 20
  • 21. Why the RSA-1 recovers x from y (proof)? ● Proof uses Euler’s Theorem: xφ(n) ≡ 1 mod n, if x and n are co-primes ● y = RSA(x) ≡ xe mod n ● RSA-1 (y) = yd mod n ≡ (xe )d mod n ≡ xed mod n ≡ x(k.φ(n)+1) mod n (see the additional notes) ≡ xk.φ(n) x mod n ≡ (xφ(n) )k x mod n ≡ x mod n = x (since x < n) ● Additional notes: ■ Recall that ed ≡ 1 mod φ(n) , meaning φ(n) divides (ed-1). ■ or, ed-1 = k.φ(n) for some integer k ≥ 1;ed = k. φ(n) + 1 ■ Fermat’s little Theorem is used when x and n are not co-primes to prove RSA 21
  • 22. Cryptanalysis of RSA - Basic Attack Tree (4 Paths) 22 Break RSA Factorize n to reverse p and q Compute φ(n) from n directly Reverse d from e and n ● Path 1: Factoring n is like finding the integral sides of a rectangle given its area ○ It is an interesting problem for several years (Mathematicians are trying) ● Path 2: Brute-forcing φ(n) is difficult, although φ(n) is of the same size as n ○ I have not found any scalable algorithm that computes φ(n) from n (open problem?) ● Path 3: Reversing of private d from public <n, e> is possible but for small d (e.g., d < n1/2 ) ● Path 4: Compute the e-th root of RSA encrypted value y to recover secret x ○ Appears to be equivalent of path 1 1 2 3 Compute e-th root of y to recover x 4
  • 23. Cryptanalysis of RSA - Common Factor Attack 23 Break RSA Side-Channel Attacks Hardware Fault Attacks 5 6 Search for common factors among all public keys 7 ● Path 7: Compare all public keys in the world and check whether any random primes repeat (We will use this attack for solving the puzzle)
  • 24. Math behind Common Factor Attack 24 ● The world has billions of public keys as part of digital certificates ● PubKeySpace = {<n1 , e>, <n2 , e>, <n3 , e>, ...} ○ All real implementations out there use the same e 65537 (I will show a demo later) ○ Faster to compute RSA(x) because encryption operation xe requires only 17 multiplications ● But we know that each n is a composition of private random primes n = p.q ● In a truly random world, all primes are different ○ gcd(n1 , n2 ) = 1; if n1 and n2 are made of distinct primes ● Little proof by contradiction (using Euclid’s Lemmas): ○ If gcd is not 1, then there is a number m that divides n1 and n2 ○ Which means that m will divide the prime factors of n1 and n2 ○ Which is a contradiction to the defn. of primes
  • 25. Common Factor Attack - Core idea of the algorithm 25 ● What happens if random numbers repeat among public keys? ● Let’s say n1 = p. q1 and n2 = p. q2 ○ Recall that p, q1 and q2 are private (never published - not part of digital certificates) ● We can nevertheless derive p, q1 and q2 based on gcd(n1 , n2 ) ○ gcd(n1 , n2 ) = p; this follows from the very defn. of GCD and primes ● q1 = n1 /gcd(n1 , n2 ) = n1 /p ● q2 = n2 /gcd(n1 , n2 ) = n2 /p ● That’s it! We successfully factored RSA modules ○ We can immediately compute φ(n1 ) = (p-1)(q1 -1) ○ Then we can compute private exponent d as e-1 mod φ(n1 ) ○ Similarly, we can factor n2 and decrypt all messages
  • 26. Common Factor Attack - Efficient Algorithm ● Computing pairwise GCD for all public keys in the world is very slow although Euclid’s GCD algorithm is logarithmic time complexity ○ Heninger et al. mention that it may take at least 30 years or so ○ I have some metrics from my experiment (later) ● I also implemented a fast algorithm to find GCD among a set of numbers, the complexity is O(n(lgn)2 lglgn) ○ See my Python script for the implementation details ● The core algorithm is rooted in the work of Prof. Bernstein ○ How to find the smooth parts of integers? 26
  • 27. 27 How to get public keys? (e.g., CNN) I just happen to read Breaking News - CNN is not my target
  • 28. 28 CNN’s RSA public key n and modulus e
  • 29. Command to extract RSA modulus and exponent # echo | openssl s_client -connect cnn.com:443 -servername cnn.com 2>&1 | awk '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/' | openssl x509 -pubkey -noout | openssl rsa -pubin -text -noout Public-Key: (2048 bits) Modulus: 00:b9:ef:0b:b6:26:47:c5:72:9a:27:38:88:e8:95: 3a:d7:c6:07:6c:d7:62:98:f6:16:ca:91:c4:12:17: ... Exponent: 65537 (0x10001) 29 ● It is not difficult to extract the set of all RSA modulus n available on the Internet ● The above command downloads certificates from cnn.com, for example ○ It can be extended to download certificates from Internet-facing products ● https://scans.io/ https://censys.io/ https://zmap.io/
  • 30. Back to the RSA cracking puzzle ● We are given 100 public keys (*.pem) and 100 encrypted messages (*.bin) ○ Screenshot shows a fragment (The author of the puzzle has generated these pem/bin files) ● The goal is to apply the Common Factor Attack on these keys ● We need to derive private keys from public keys and then decrypt *bin files 30
  • 31. Common Factor Attack - Implementation/Approach ● I will present two implementations to find the repeated random primes ○ Recall that the prime numbers are private (not part of digital certificates) ● The first implementation is naïve ○ It will compare every public key with other public keys in the dataset ● The second implementation is somewhat advanced number theory ○ It compares all keys once to find the common factors ○ Several orders of magnitude faster than naïve ● Contact me if you want to access to my Python proof-of-concept script 31
  • 32. Common Factor Attack - My Python proof-of-concept 32 Input: Two public key files The public keys share a random prime if gcd is 1 This is a naïve algorithm - does not scale due to pairwise gcd computation
  • 33. Generate private keys from prime factors p and q 33 In order to use the Chinese Remainder Theorem, we will have to compute dp, dq, qinv Easy to derive them from p and q though (see the script)
  • 34. Private keys that were derived using this attack 34 Each priv.pem file contains private keys ● We broke 12 private keys (e.g., 44.priv.pem) from the given 100 public keys ● Each of these 12 keys shares random primes with at least one other key ● I confirmed the results with the author of the puzzle
  • 35. Let’s decrypt using the derived private keys 35 ● The size of all encrypted message files (i.e., bin files) are all the same ○ Linux command line: wc -c *.bin ● All bin files have 128 bytes ○ RSA 1024-bit ● Since all encrypted files have the same size, I guessed that PKCS1 is used ● Next slides show the script that uses PKCS1 for RSA decryption
  • 36. Let’s decrypt using the derived private keys ... 36 root@kali:~/crypto/RSA_Puzzle/challenge# openssl rsautl -inkey 44.priv.pem -decrypt < 44.bin Sarpedon ubi tot Simois correpta sub undis Inputs: Private key and Encrypted File My Python script decrypts all the encrypted files using the cracked private keys
  • 37. Output of my Python script - decrypted messages! 37 This is in Latin, there is another non-cryptographic step in the puzzle to find one English word for all these Latin messages (It’s left us an exercise)
  • 38. Finding the common factors efficiently 38 Input: List of public keys Output: For each RSA modulus, the common factor it shares with other keys Note: commonFactor is equal to the modulus when both primes are shared We can use the pairwise Naïve algorithm for those public keys (see pairwiseCandidates)
  • 39. Pairwise GCD (Naïve) vs Bernstein’s Algo: Speed 39 Pairwise GCD $time python RSACommonFactorPuzzle.py real 0m2.484s user 0m2.408s sys 0m0.060s real 0m2.475s user 0m2.384s sys 0m0.060s real 0m2.450s user 0m2.360s sys 0m0.072s Bernstein’s smooth integer algorithm $time python RSACommonFactorPuzzle.py real 0m0.369s user 0m0.312s sys 0m0.012s real 0m0.351s user 0m0.288s sys 0m0.032s real 0m0.390s user 0m0.348s sys 0m0.024s Pairwise GCD is orders of magnitude slower
  • 40. Additional Analysis 40 ● After finishing the puzzle, I had a lot of questions and investigated a few ● Can we efficiently derive private Euler Totient φ(n) from the RSA modulus n? ● Similarly, can we efficiently derive private exponent d from n? ● I developed some utility programs and generated a bunch of RSA keys ● Next, I demonstrate my observation based on metrics ● First I show that it is easy to check whether n is equal to p.q
  • 41. Checking the result of factorization is easy 41 ● For example, we found that 58.pem and 71.pem have a common prime factor ● Let’s see what is the common factor and check the result is correct ● 58.pem’s RSA modulus n58 is ○ 132009813808533392577123110438741884286561400398429860761027919959189196549797215586297 852825375342475728679074489933320371765026814849875692023263110656924146683347962741534 495754902097930935910070831755220321417369411370818762253940133993629997648473607090782 039210687337530507010114741418840031542303031081 ● 71.pem’s RSA modulus n71 is ○ 135472400918611757666622822789636901038207639581474006488496906937544113899819968264216 470405393313301250508761651903965883874352772699986982247519612608840409853757718079903 608120168842687889231898954817245684707914621259848016658887023606975529849256590875282 759156328281549546230980205644358325222571914637
  • 42. Checking the result of factorization is easy ... ● The common factor for 58.pem and 71.pem is the common prime p: ○ 129137502646234622763374256441287111746758133368804650684610186816450800479188353483236 21347173714301224881492646558739535118834131362641424915974945262413 ● 58.pem’s private q58 : ○ 102224226970043949777256885320880162508867547271189728340583126434163937246274052502556 81036829301071437886544959801218835717885646951246124126053948898637 ● 71.pem’s private q71 : ○ 104905544975367267702914249740242771357439818837898485544233978656125835584538419552523 13841219976974375731593387395755291375663525635781387394235606102849 ● It takes only a few microseconds to check whether factorization is correct ○ n58 = p.q58 and n71 = p.q71 ; you may use calculator to check ● However, given n58 (or n71 ) factorization takes years to find the factors ○ Easy in one-direction but “hard” in another-direction 42
  • 43. Why can’t we bruteforce private φ(n) from n? 43
  • 44. Distribution of φ(n) for a small dataset 44 Figure from Wikipedia If p is prime, φ(p) is p-1. φ is multiplicative that’s why we see diagonal lines when n increases, φ(n) does not always increase RSA is immediately broken if we can efficiently compute φ(n) from public n
  • 45. Additional analysis of φ(n) ● In the words of Hardy & Wright, “the order of φ(n) is always nearly n” ● I went ahead and measured how close φ(n) to n ○ I randomly generated different primes of different size for this analysis ● Metrics (next slides) confirm that φ(n) and n have the same number of bits ● However, the distance between φ(n) to n is about half the bitlength of n ● Meaning if n is a 2048-bit number, we still have to bruteforce 21024 combinations on a classical computer (The sun will cool down?) ● If n is small (e.g., 768 bits), researchers have already factored its p and q ○ See the list of broken RSA numbers here 45
  • 46. Let’s look at an example private n its private φ(n) n = 13200981380853339257712311043874188428656140039842986076102791995918919654979721558629785282537534 24757286790744899333203717650268148498756920232631106569241466833479627415344957549020979309359100 70831755220321417369411370818762253940133993629997648473607090782039210687337530507010114741418840 031542303031081 φ(n) = 13200981380853339257712311043874188428656140039842986076102791995918919654979721558629785282537534 24757286790744899333203717650268148498756920232631106569010105103863348842804326407258812035103475 02767755782418898038086309344989707699535414327613645458234428014001604327379159670290336427531290 989513408870032 ● This shows that the n and φ(n) share the first half but the other half is different ○ Finding the other private half by bruteforce is a computational challenge as far as we know 46
  • 47. Why public n and private φ(n) have common prefix? ● Euler’s φ(n) = (p-1)(q-1) = n(1-1/p)(1-1/q) [Recall that n = p.q] ● Since p and q are large numbers, 1/p and 1/q are close to zero ● n(1-1/p)(1-1/q) means that we take some fraction of large n because ○ (1-1/p)(1-1/q) is between 0 and 1 ● In RSA, p and q are large prime numbers (but far from infinity), thus φ(n) is not that close to public n to bruteforce ● Why n is not a prime in RSA? If n is a prime, φ(n) is computable in constant time (recall that φ(p) = p-1 if p is prime) 47
  • 48. Additional analysis of φ(n) (on my dataset) 48 # of bits in n # of bits in φ(n) # of bits in n-φ(n) 256 256 129 512 512 257 1024 1024 513 2048 2048 1025 4096 4096 2049 ● Bruteforce of φ(n) from n looks very challenging since n-φ(n) is ~half the bitlength of n ● Computational hardness assumption is an interesting topic ● General feeling is that algorithm for φ(n) is not in class P (P vs NP problem debate) ● More future analysis is needed to understand the structure of φ(n)
  • 49. Additional analysis of φ(n) ... 49 ● Consider this formula (based on Fourier transform) to compute φ(n) from n ● This formula works computationally well for small n ○ Even though GCD is fast to compute, this formula does not scale ● For example, if n is a 2048-bit number, we end up calling call gcd 22048 times ● In experiments, gcd(x, y) took ~ 24 microseconds ● This means that we need 22052 microseconds to compute GCD ○ A year has a very conservative approximation of 240 microseconds ● Thus, 22052 /240 = 22012 years to compute gcd(k, n) for all k, 1 ≤ k ≤ n ● Formulas to derive φ(n) cannot be applied unless there is no iterative loop ○ They may be elegant formulas from a math perspective but not computationally efficient
  • 50. Bruteforcing private d from public modulus n? 50 ● Another thought I had when solving the puzzle was why not bruteforce d? ● Recall that RSA-1 (y) = yd mod n will expose the secret if we know d ○ Recall that d and φ(n) are private; n is public ● But we know that d and n are related indirectly ○ e.d ≡1 (mod φ(n)) ● Metrics (next slides) show that d and n are roughly the same bitlength ○ But, they are not that close to each other in the number line ● Bruteforcing d from n appears to be not feasible based on my metrics
  • 51. Let’s look at an example public n and private d n = 13200981380853339257712311043874188428656140039842986076102791995918919654979721558629785282537534 24757286790744899333203717650268148498756920232631106569241466833479627415344957549020979309359100 70831755220321417369411370818762253940133993629997648473607090782039210687337530507010114741418840 031542303031081 d = 75978610202753857637808928174151149355159620108164462027648094066872400229768695117493248219679843 72468202350870134862511898586770001887958104761408874343204779669152618879500006421075482546363592 78636456980460020140777818406855940068430936484365580768818014966834080783182309651548207889662373 33482548523393 ● This shows that the n and d are nearly the same size (n has 1 more digit) 51
  • 52. How far is private d from public n? (on my dataset) 52 Trial # of bits in n # of bits in d # of bits in n-d 1 1024 1024 1020 2 1024 1023 1019 3 1024 1022 1023 4 2048 2047 2045 5 2048 2047 2046 6 2048 2046 2048 ● Bruteforce of d from n looks very challenging since n and n-d are ~the same bitlength
  • 53. Conclusion/Discussion 53 ● The main goal was to demonstrate my end-to-end solution to an RSA puzzle ● This puzzle demonstrates that if public keys are made of repeated random primes, RSA is not difficult to break ● If random number generation algorithms are not properly seeded, Euclid’s GCD math can derive the private keys from the public keys! ● Prof. Knuth’s remark is highly relevant: random numbers should not be generated with a method chosen at random ● “Factoring may be easier than you think,” says Cohn, an interesting view!
  • 54. Conclusion/Discussion ... ● Prof. D. Boneh stresses that Crypto implementation is very difficult ○ Even experts (with solid education in math/cs) found it difficult to implement it correctly ○ https://robotattack.org/ ● The author of the puzzle shared the valuable information given below ● The attack discussed in the puzzle may not affect TLS when forward secrecy is used (e.g., Diffie-Hellman DHE ciphersuite Ephemeral Keys) ○ TLS - Transport Layer Security ● A goal of DHE is to protect confidential content of sessions even if the long-term (private) keys are compromised ○ Active attacks are still possible ○ Attacks against non-forward-secret ciphers are still possible 54
  • 55. Acknowledgement ● Mr. Seth David Schoen and his colleagues for constructing the RSA puzzle ○ http://www.loyalty.org/~schoen/ ● Seth for critical reviews of my slides and offering new pointers to Crypto work ○ All remaining mistakes are mine ○ Nice that you are in the committee of EFF Cooperative Computing Awards ● It is always a pleasure to understand under-the-hood Crypto ○ I barely scratched the surface though there is a lot more analysis to be performed... ● The more I think about it the more I realize that RSA is not that simple ○ I have many more deeper questions and have to experiment when I get some time 55
  • 57. References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● I. Goldberg and D. Wagner, “Randomness and the Netscape Browser,” http://people.eecs.berkeley.edu/~daw/papers/ddj-netscape.html ● N. Heninger, Z. Durumeric, E. Wustrow, J. A. Halderman, “Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices,” USENIX security, 2012. 57
  • 58. References ... ● D. J. Bernstein, “How to find the smooth parts of integers,” http://cr.yp.to/papers.html#smoothparts. ● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996. ● C. Paar and J. Pelzl. “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011. ● A. Lenstra et al., “Ron was wrong, Whit is right,” Cryptology ePrint Archive, Report 2012/064, 2012. http://eprint.iacr.org/2012/064.pdf. 58