1 of 24

## What's hot

### What's hot(20)

RSA Two Person Game
RSA Two Person Game

Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor Function

RSA cracking puzzle
RSA cracking puzzle

An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)

An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent e

How do computers exchange secrets using Math?
How do computers exchange secrets using Math?

On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private Keys

On deriving the private key from a public key
On deriving the private key from a public key

Active Attacks on DH Key Exchange
Active Attacks on DH Key Exchange

RSA ALGORITHM
RSA ALGORITHM

RSA
RSA

The rsa algorithm
The rsa algorithm

Public Key Algorithms
Public Key Algorithms

Rsa rivest shamir adleman
Rsa rivest shamir adleman

RSA ALGORITHM
RSA ALGORITHM

PKC&RSA
PKC&RSA

RSA algorithm
RSA algorithm

RSA Algorithm
RSA Algorithm

RSA Algorithm report
RSA Algorithm report

RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2

## Similar to RSA without Integrity Checks

Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmVaibhav Khanna

Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...FahmiOlayah

RSA Algm.pptx
RSA Algm.pptxSou Jana

11 Applied_Mathemathics HANDBOOK.pdf
11 Applied_Mathemathics HANDBOOK.pdfVipinNegi38

Broadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackAnkita Kapratwar

ch09_rsa_nemo.ppt
ch09_rsa_nemo.pptChandraB15

Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxwerip98386

Rsa diffi-network security-itt
Rsa diffi-network security-ittrameshvvv

Public Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithmIndra97065

Assignment 2 (1) (1).docx
Assignment 2 (1) (1).docxpinstechwork

Cryptography using rsa cryptosystem
Cryptography using rsa cryptosystemSamdish Arora

### Similar to RSA without Integrity Checks(20)

Unit 3
Unit 3

Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithm

Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...

RSA Algm.pptx
RSA Algm.pptx

Rsa cryptosystem
Rsa cryptosystem

3 pkc+rsa
3 pkc+rsa

11 Applied_Mathemathics HANDBOOK.pdf
11 Applied_Mathemathics HANDBOOK.pdf

Public key cryptography and RSA
Public key cryptography and RSA

Rsa
Rsa

Broadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attack

ch09_rsa_nemo.ppt
ch09_rsa_nemo.ppt

Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx

Unit --3.ppt
Unit --3.ppt

Rsa diffi-network security-itt
Rsa diffi-network security-itt

Public Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithm

Cryptography 101
Cryptography 101

Assignment 2 (1) (1).docx
Assignment 2 (1) (1).docx

15
15

15
15

Cryptography using rsa cryptosystem
Cryptography using rsa cryptosystem

## More from Dharmalingam Ganesan

Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfDharmalingam Ganesan

Requirements driven Model-based Testing
Requirements driven Model-based TestingDharmalingam Ganesan

Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksDharmalingam Ganesan

Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesDharmalingam Ganesan

Integer security analysis using smt solver
Integer security analysis using smt solverDharmalingam Ganesan

Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitDharmalingam Ganesan

Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleDharmalingam Ganesan

### More from Dharmalingam Ganesan(13)

.NET Deserialization Attacks
.NET Deserialization Attacks

Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdf

How to exploit rand()?
How to exploit rand()?

Thank-a-Gram
Thank-a-Gram

Can I write to a read only file ?
Can I write to a read only file ?

Requirements driven Model-based Testing
Requirements driven Model-based Testing

Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering Tasks

Reverse Engineering of Module Dependencies
Reverse Engineering of Module Dependencies

Software Architecture
Software Architecture

Integer security analysis using smt solver
Integer security analysis using smt solver

Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit

20170605135932210 thank you card7
20170605135932210 thank you card7

Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural Style

A Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdfICS

Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Eraconfluent

Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMarkus Moeller

GraphSummit Milan - Visione e roadmap del prodotto Neo4j
GraphSummit Milan - Visione e roadmap del prodotto Neo4jNeo4j

Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Andrea Goulet

Effective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConNatan Silnitsky

CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...
CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...Neo4j

UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale IbridaNeo4j

Transformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksJinanKordab

OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAShane Coughlan

The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)Roberto Bettazzoni

The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfkalichargn70th171

GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with Graph
GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with GraphNeo4j

Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Chirag Panchal

From Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST APIInflectra

Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Andreas Granig

Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Lisi Hocke

Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...drm1699

A Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdf

Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Era

Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdf

GraphSummit Milan - Visione e roadmap del prodotto Neo4j
GraphSummit Milan - Visione e roadmap del prodotto Neo4j

Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...

Effective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeCon

CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...
CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...

UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida

Transformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with Links

OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA

The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)

The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf

Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...

GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with Graph
GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with Graph

Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024

Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...

From Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST API

Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024

Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...

Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...

### RSA without Integrity Checks

• 1. Experiments on RSA without integrity checks Demo of Reversing the Plaintexts from the Ciphertexts Dr. Dharma Ganesan, Ph.D.,
• 2. Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
• 3. Goal of this presentation (details later) ● Explain how to break unauthenticated RSA ○ That is, RSA without digital signature/integrity checks ● Present exploit: Man-in-the-middle edit public exponents ○ Uses Bézout’s theorem to recover the plaintexts from ciphertexts ○ Extended Euclidean Algorithm is the core ● This challenge was given to me by a friend who works for a social media giant 3
• 4. Informal system design and constraints for attackers ● A set of apps send data to each other using public-key cryptography (RSA) ○ App i uses the public key of app j to send encrypted data to app j ○ Apps send public keys over public channels, without digital signature/certificate ● The attackers are allowed to edit only the RSA public exponent e ● The attackers cannot impersonate any app nor inject their own apps ● Goal: Reverse the plaintext from the ciphertext, satisfying the constraints 4
• 5. Prerequisite (to follow the remaining slides) Some familiarity with the following topics will help to follow the rest of the slides ● Group Theory (Abstract Algebra/Discrete Math) ● Modular Arithmetic (Number Theory) ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview 5
• 6. How can Bob send a message to Alice securely? 6 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other Private Key PrA Public Key PuB Private Key PrB
• 7. RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they got the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable 7
• 8. 8 Notations and Facts GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock Z* n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z* n is a multiplicative group) φ(n): Euler’s Totient function denotes the number of elements in Z* n φ(p) = p-1, if p is a prime number x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
• 9. Bézout’s identity (needed later for this attack) ● Let a and b are two integers. There exists a pair of integers x and y such that: ○ a.x + b.y = gcd(a, b) ● If a and b are relatively prime to each other, then ○ a.x + b.y = 1 ● For a given a and b, we use the Extended Euclidean Algorithm to find x and y 9
• 10. RSA - Key Generation Algo. (Fits on one page) 1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits) ○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later) 2. Pick two independent, large random primes, p and q, of half of n’s bitlength ○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization) 3. Compute n = p.q (n is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n)) ○ Many implementations set e to be 65537 (Note: gcd(e, φ(n)) = 1) ○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in Zn 6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q> Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately 10
• 11. Formal definition of the RSA trapdoor function ● RSA: Zn → Zn ● Let m and c ∈ Zn ● c = RSA(m) = me mod n ● m = RSA-1 (c) = cd mod n ● e and d are also called encryption and decryption exponents, respectively ● Note: Attackers know c, e, and n but not d 11
• 12. 12
• 13. 13 MiTM changed the RSA public exponent e to e’ such that gcd(e, e’) = 1 Gibberish because e’ is not a valid public exponent
• 14. Core idea of the attack ● The attacker corrupts the public exponent e ● Instead of the standard exponent e = 65537, she modifies to e' = 65539 ● Note that gcd(e, e') = 1 ● They both are relatively prime to each other ● The receiver will get gibberish during decryption because of the corrupted e ● The receiver will resend the same public key pair <n, e> ● The sender will re-encrypt the same message using the public key pair ● Now the attacker does not modify the public key pair 14
• 15. Core idea of the attack … ● The attacker has two ciphertext pair: ● c' which is the ciphertext produced by the sender using e' ● c which is the ciphertext produced by the sender using correct e ● Goal of the attacker is to recover the plaintext m from <c, c', e, e'> 15
• 16. Algorithm: Recover the plaintext m from <c, c', e, e'> ● To recover m, the attacker applies the Extended Euclidean Algorithm: ● Since gcd(e, e' ) = 1, there must exist x and y such that e.x + e'.y = 1 ● We can prove that the plaintext m = cx . (c' )y mod n ○ cx = (me )x mod n ○ (c')y = (me' )y mod n ○ cx . (c' )y = (me )x mod n . (me' )y mod n = m(ex + e' y) mod n = m ● Summary: The attacker recovered m from <c, c', e, e', x, y> 16
• 17. Implementation of the algorithm 17 public static BigInteger reversePlaintext(BigInteger n, BigInteger e, BigInteger e_err, BigInteger c, BigInteger c_err) { BigIntEuclidean bigIntEuclidean = BigIntEuclidean.calculate(e, e_err); BigInteger x = bigIntEuclidean.x; BigInteger y = bigIntEuclidean.y; BigInteger part1 = c.modPow(x, n); BigInteger part2 = c_err.modPow(y, n); BigInteger result = part1.multiply(part2).mod(n); return result; } Mapping of variables to the algorithm: c_err → c‘ e_err → e‘ part1 → cx part2 → (c')y BigIntEuclidean class implements the Extended Euclidean Algorithm
• 19. Captured public key <n, e> 19 n = 18004824506648204194492044002988064209675766035584463299236235 06494317520722425405499266736358111222092353075238943051957607 72838177133711938809223918443876724379628144541547953255275703 55545843143202611749143674603115027112767793615940083335822504 14001260300000139604098161722910625646686414595219516699059074 64124112599480274057376820125309201418774936670930722094112920 75668511384565582317364152493210500975624064036271597500904886 41493391778556544669856827168913235058037152190508905547682028 60172358074680448465215575045155812495385151214152726263391080 32505413436163412529544236195170662429539872646199926257967 e = 65537
• 20. Captured traffic (with wrong exponent e = 65539) 20 c' = 628936728EB827FFCA8EF47ED38DEA19BA5C2FFF3B00D34A59BA 49002E4143BE5F8992C4CF46AC6CDAFA969BB4EC07C58D757245 DAAA794F5B382302ED906324B3973D453A2F4495783BDD6989DC7 5C6E7C530979F1E5216734BF3FB3203AE1FD5631B0FE135BD259A 377763ED63F961C7598C5C4871B990F3230A7BBEE60129D1B2B64 0B3AE2C36DD5B76F66AC5B9AA99C48FDF31E608DE005719BEA2A DD92D5754E7ECBDF39F9D204820EF97D473FA897860587AE4B0C 4DF01E98C7B501C4FE26A5A4624DF3648FBB0F7F61DC79DAFE1E 9881A9A27A66CE3BB4D92FC52DB790ACD48A5009325A79D157106 07B30B7BCC37E305132F6A9A2C3A56E0A5990854
• 21. Captured traffic (with correct exponent e = 65537) 21 c = 06DEC6DCE2726801CB815FFF5443960B7C11AB9E7 487F3E3B7D9613979AC473E238AE4D5624F4B97F7 567D495D5871A1D1B234E42771FCF9B47EF43F85A 08299BC98D5A9AD16A6B102FC9EC03AACC01B526 79E089589D2CBB09E9F127A1829DC59AFC7197431 E59F1B63DAC08878D0F8D0C2885CE30E955334D63 C4C30D8A619EE245A584F4704A989B2992257AE29 503EDE0C5637DA220522ECB495AAA980103505459 AE36952052B4CF5EFEB2D847405C02A60AB2EAB92 8206BA0DFE8438C491264F19C93819E158A26F8507 A1083B7A223B1A6EA145EEC2B4084E87D094426F2 6D00C84FA24369C159EF5C029918118E784A101AB D00A7B3B59E6C7E643BE
• 22. Demo client to break Raw RSA (2048-bit modulus) 22 \$ java RSA_MiTM \$n 65537 65539 \$c \$c_err Hi, How are you? The attacker recovered the secret from <c, c', e, e'>
• 23. Conclusion/Discussion 23 ● The main goal was to experiment with an incorrect RSA usage pattern ● That is, without integrity checks or digital signature ● The Man-in-the-middle (MiTM) just has to edit the public exponent e ● MiTM was able to recover plaintexts using Extended Euclidean Algo. ● Note that this attack works when RSA is used without any padding ● RSA without integrity checks can lead to interesting attacks ● In TLS, the server’s public key is digitallly signed, so MiTM’s job is very difficult to edit e ● RSA is a classical crypto system but has to be used very carefully
• 24. References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996. ● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011. 24
Current LanguageEnglish
Español
Portugues
Français
Deutsche
© 2024 SlideShare from Scribd