SlideShare a Scribd company logo
1 of 24
Download to read offline
Experiments on RSA
without integrity checks
Demo of Reversing the Plaintexts from the Ciphertexts
Dr. Dharma Ganesan, Ph.D.,
Disclaimer
● The opinions expressed here are my own
○ But not the views of my employer
● The source code fragments and exploits shown here can be reused
○ But without any warranty nor accept any responsibility for failures
● Do not apply the exploit discussed here on other systems
○ Without obtaining authorization from owners
2
Goal of this presentation (details later)
● Explain how to break unauthenticated RSA
○ That is, RSA without digital signature/integrity checks
● Present exploit: Man-in-the-middle edit public exponents
○ Uses Bézout’s theorem to recover the plaintexts from ciphertexts
○ Extended Euclidean Algorithm is the core
● This challenge was given to me by a friend who works for
a social media giant
3
Informal system design and constraints for attackers
● A set of apps send data to each other using public-key cryptography (RSA)
○ App i uses the public key of app j to send encrypted data to app j
○ Apps send public keys over public channels, without digital signature/certificate
● The attackers are allowed to edit only the RSA public exponent e
● The attackers cannot impersonate any app nor inject their own apps
● Goal: Reverse the plaintext from the ciphertext, satisfying the constraints
4
Prerequisite (to follow the remaining slides)
Some familiarity with the following topics will help to follow the rest of the slides
● Group Theory (Abstract Algebra/Discrete Math)
● Modular Arithmetic (Number Theory)
● Algorithms and Complexity Theory
● If not, it should still be possible to obtain a high-level overview
5
How can Bob send a message to Alice securely?
6
Public Key PuA
● Alice and Bob never met each other
● Bob will encrypt using Alice’s public key
○ Assume that public keys are known to the world
● Alice will decrypt using her private key
○ Private keys are secrets (never sent out)
● Bob can sign messages using his private key
○ Alice verifies message integrity using Bob’s public key
○ Not important for this presentation/attack
● Note: Alice and Bob need other evidence (e.g., passwords,
certificates) to prove their identity to each other
Private Key PrA
Public Key PuB
Private Key PrB
RSA Public Key Cryptography System
● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman
● Rooted in elegant mathematics - Group Theory and Number Theory
● Core idea: Anyone can encrypt a message using recipient's public key but
○ (as far as we know) no one can efficiently decrypt unless they got the matching private key
● Encryption and Decryption are inverse operations (math details later)
○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA
● Eavesdropper Eve cannot easily derive the secret (math details later)
○ Unless she solves “hard” number theory problems that are computationally intractable
7
8
Notations and Facts
GCD(x, y): The greatest common divisor that divides integers x and y
Co-prime: If gcd(x, y) = 1, then x and y are co-primes
Zn
= { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn
as a circular wall clock
Z*
n
= { x ∈ Zn
| gcd(x, n) = 1 }; (additional info: Z*
n
is a multiplicative
group)
φ(n): Euler’s Totient function denotes the number of elements in Z*
n
φ(p) = p-1, if p is a prime number
x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
Bézout’s identity (needed later for this attack)
● Let a and b are two integers. There exists a pair of integers x and y such that:
○ a.x + b.y = gcd(a, b)
● If a and b are relatively prime to each other, then
○ a.x + b.y = 1
● For a given a and b, we use the Extended Euclidean Algorithm to find x and y
9
RSA - Key Generation Algo. (Fits on one page)
1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits)
○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later)
2. Pick two independent, large random primes, p and q, of half of n’s bitlength
○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization)
3. Compute n = p.q (n is also called the RSA modulus)
4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)
5. Select numbers e and d from Zn
such that e.d ≡ 1(mod φ(n))
○ Many implementations set e to be 65537 (Note: gcd(e, φ(n)) = 1)
○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt)
○ d is the multiplicative inverse of e in Zn
6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q>
Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately
10
Formal definition of the RSA trapdoor function
● RSA: Zn
→ Zn
● Let m and c ∈ Zn
● c = RSA(m) = me
mod n
● m = RSA-1
(c) = cd
mod n
● e and d are also called encryption and decryption
exponents, respectively
● Note: Attackers know c, e, and n but not d
11
12
13
MiTM changed the RSA
public exponent e to e’ such
that gcd(e, e’) = 1
Gibberish because e’ is not a
valid public exponent
Core idea of the attack
● The attacker corrupts the public exponent e
● Instead of the standard exponent e = 65537, she modifies to e' = 65539
● Note that gcd(e, e') = 1
● They both are relatively prime to each other
● The receiver will get gibberish during decryption because of the corrupted e
● The receiver will resend the same public key pair <n, e>
● The sender will re-encrypt the same message using the public key pair
● Now the attacker does not modify the public key pair
14
Core idea of the attack …
● The attacker has two ciphertext pair:
● c' which is the ciphertext produced by the sender using e'
● c which is the ciphertext produced by the sender using correct e
● Goal of the attacker is to recover the plaintext m from <c, c', e, e'>
15
Algorithm: Recover the plaintext m from <c, c', e, e'>
● To recover m, the attacker applies the Extended Euclidean Algorithm:
● Since gcd(e, e' ) = 1, there must exist x and y such that e.x + e'.y = 1
● We can prove that the plaintext m = cx
. (c' )y
mod n
○ cx
= (me
)x
mod n
○ (c')y
= (me'
)y
mod n
○ cx
. (c' )y
= (me
)x
mod n . (me'
)y
mod n
= m(ex + e' y)
mod n = m
● Summary: The attacker recovered m from <c, c', e, e', x, y>
16
Implementation of the algorithm
17
public static BigInteger reversePlaintext(BigInteger n, BigInteger e,
BigInteger e_err, BigInteger c, BigInteger c_err) {
BigIntEuclidean bigIntEuclidean = BigIntEuclidean.calculate(e, e_err);
BigInteger x = bigIntEuclidean.x;
BigInteger y = bigIntEuclidean.y;
BigInteger part1 = c.modPow(x, n);
BigInteger part2 = c_err.modPow(y, n);
BigInteger result = part1.multiply(part2).mod(n);
return result;
}
Mapping of variables to the algorithm:
c_err → c‘
e_err → e‘
part1 → cx
part2 → (c')y
BigIntEuclidean class implements
the Extended Euclidean Algorithm
Slide demo
18
Captured public key <n, e>
19
n =
18004824506648204194492044002988064209675766035584463299236235
06494317520722425405499266736358111222092353075238943051957607
72838177133711938809223918443876724379628144541547953255275703
55545843143202611749143674603115027112767793615940083335822504
14001260300000139604098161722910625646686414595219516699059074
64124112599480274057376820125309201418774936670930722094112920
75668511384565582317364152493210500975624064036271597500904886
41493391778556544669856827168913235058037152190508905547682028
60172358074680448465215575045155812495385151214152726263391080
32505413436163412529544236195170662429539872646199926257967
e = 65537
Captured traffic (with wrong exponent e = 65539)
20
c' =
628936728EB827FFCA8EF47ED38DEA19BA5C2FFF3B00D34A59BA
49002E4143BE5F8992C4CF46AC6CDAFA969BB4EC07C58D757245
DAAA794F5B382302ED906324B3973D453A2F4495783BDD6989DC7
5C6E7C530979F1E5216734BF3FB3203AE1FD5631B0FE135BD259A
377763ED63F961C7598C5C4871B990F3230A7BBEE60129D1B2B64
0B3AE2C36DD5B76F66AC5B9AA99C48FDF31E608DE005719BEA2A
DD92D5754E7ECBDF39F9D204820EF97D473FA897860587AE4B0C
4DF01E98C7B501C4FE26A5A4624DF3648FBB0F7F61DC79DAFE1E
9881A9A27A66CE3BB4D92FC52DB790ACD48A5009325A79D157106
07B30B7BCC37E305132F6A9A2C3A56E0A5990854
Captured traffic (with correct exponent e = 65537)
21
c =
06DEC6DCE2726801CB815FFF5443960B7C11AB9E7
487F3E3B7D9613979AC473E238AE4D5624F4B97F7
567D495D5871A1D1B234E42771FCF9B47EF43F85A
08299BC98D5A9AD16A6B102FC9EC03AACC01B526
79E089589D2CBB09E9F127A1829DC59AFC7197431
E59F1B63DAC08878D0F8D0C2885CE30E955334D63
C4C30D8A619EE245A584F4704A989B2992257AE29
503EDE0C5637DA220522ECB495AAA980103505459
AE36952052B4CF5EFEB2D847405C02A60AB2EAB92
8206BA0DFE8438C491264F19C93819E158A26F8507
A1083B7A223B1A6EA145EEC2B4084E87D094426F2
6D00C84FA24369C159EF5C029918118E784A101AB
D00A7B3B59E6C7E643BE
Demo client to break Raw RSA (2048-bit modulus)
22
$ java RSA_MiTM $n 65537 65539 $c $c_err
Hi, How are you?
The attacker recovered the secret
from <c, c', e, e'>
Conclusion/Discussion
23
● The main goal was to experiment with an incorrect RSA usage pattern
● That is, without integrity checks or digital signature
● The Man-in-the-middle (MiTM) just has to edit the public exponent e
● MiTM was able to recover plaintexts using Extended Euclidean Algo.
● Note that this attack works when RSA is used without any padding
● RSA without integrity checks can lead to interesting attacks
● In TLS, the server’s public key is digitallly signed, so MiTM’s job is very difficult to edit e
● RSA is a classical crypto system but has to be used very carefully
References
● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE
Transactions on Information Theory, vol. IT-22, no. 6, November, 1976.
● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital
signatures and public-key cryptosystems,” CACM 21, 2, February, 1978.
● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied
Cryptography,” CRC Press, 1996.
● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students
and Practitioners,” Springer, 2011.
24

More Related Content

What's hot (20)

RSA Two Person Game
RSA Two Person GameRSA Two Person Game
RSA Two Person Game
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor Function
 
RSA cracking puzzle
RSA cracking puzzleRSA cracking puzzle
RSA cracking puzzle
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent e
 
How do computers exchange secrets using Math?
How do computers exchange secrets using Math?How do computers exchange secrets using Math?
How do computers exchange secrets using Math?
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private Keys
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public key
 
Active Attacks on DH Key Exchange
Active Attacks on DH Key ExchangeActive Attacks on DH Key Exchange
Active Attacks on DH Key Exchange
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
RSA
RSARSA
RSA
 
The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithm
 
Public Key Algorithms
Public Key AlgorithmsPublic Key Algorithms
Public Key Algorithms
 
Rsa rivest shamir adleman
Rsa rivest shamir adlemanRsa rivest shamir adleman
Rsa rivest shamir adleman
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSA
 
RSA algorithm
RSA algorithmRSA algorithm
RSA algorithm
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithm
 
RSA Algorithm report
RSA Algorithm reportRSA Algorithm report
RSA Algorithm report
 
RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2
 

Similar to RSA without Integrity Checks

Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithmVaibhav Khanna
 
Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...FahmiOlayah
 
RSA Algm.pptx
RSA Algm.pptxRSA Algm.pptx
RSA Algm.pptxSou Jana
 
11 Applied_Mathemathics HANDBOOK.pdf
11 Applied_Mathemathics HANDBOOK.pdf11 Applied_Mathemathics HANDBOOK.pdf
11 Applied_Mathemathics HANDBOOK.pdfVipinNegi38
 
Broadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackBroadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackAnkita Kapratwar
 
ch09_rsa_nemo.ppt
ch09_rsa_nemo.pptch09_rsa_nemo.ppt
ch09_rsa_nemo.pptChandraB15
 
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxRivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxwerip98386
 
Rsa diffi-network security-itt
Rsa diffi-network security-ittRsa diffi-network security-itt
Rsa diffi-network security-ittrameshvvv
 
Public Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithmPublic Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithmIndra97065
 
Assignment 2 (1) (1).docx
Assignment 2 (1) (1).docxAssignment 2 (1) (1).docx
Assignment 2 (1) (1).docxpinstechwork
 
Cryptography using rsa cryptosystem
Cryptography using rsa cryptosystemCryptography using rsa cryptosystem
Cryptography using rsa cryptosystemSamdish Arora
 

Similar to RSA without Integrity Checks (20)

Unit 3
Unit 3Unit 3
Unit 3
 
Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithm
 
Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...
 
RSA Algm.pptx
RSA Algm.pptxRSA Algm.pptx
RSA Algm.pptx
 
Rsa cryptosystem
Rsa cryptosystemRsa cryptosystem
Rsa cryptosystem
 
3 pkc+rsa
3 pkc+rsa3 pkc+rsa
3 pkc+rsa
 
11 Applied_Mathemathics HANDBOOK.pdf
11 Applied_Mathemathics HANDBOOK.pdf11 Applied_Mathemathics HANDBOOK.pdf
11 Applied_Mathemathics HANDBOOK.pdf
 
Public key cryptography and RSA
Public key cryptography and RSAPublic key cryptography and RSA
Public key cryptography and RSA
 
Rsa
RsaRsa
Rsa
 
Broadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackBroadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attack
 
ch09_rsa_nemo.ppt
ch09_rsa_nemo.pptch09_rsa_nemo.ppt
ch09_rsa_nemo.ppt
 
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxRivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
 
Unit --3.ppt
Unit --3.pptUnit --3.ppt
Unit --3.ppt
 
Rsa diffi-network security-itt
Rsa diffi-network security-ittRsa diffi-network security-itt
Rsa diffi-network security-itt
 
Public Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithmPublic Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithm
 
Cryptography 101
Cryptography 101Cryptography 101
Cryptography 101
 
Assignment 2 (1) (1).docx
Assignment 2 (1) (1).docxAssignment 2 (1) (1).docx
Assignment 2 (1) (1).docx
 
15
1515
15
 
15
1515
15
 
Cryptography using rsa cryptosystem
Cryptography using rsa cryptosystemCryptography using rsa cryptosystem
Cryptography using rsa cryptosystem
 

More from Dharmalingam Ganesan

Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfDharmalingam Ganesan
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based TestingDharmalingam Ganesan
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksDharmalingam Ganesan
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesDharmalingam Ganesan
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solverDharmalingam Ganesan
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitDharmalingam Ganesan
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleDharmalingam Ganesan
 

More from Dharmalingam Ganesan (13)

.NET Deserialization Attacks
.NET Deserialization Attacks.NET Deserialization Attacks
.NET Deserialization Attacks
 
Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdf
 
How to exploit rand()?
How to exploit rand()?How to exploit rand()?
How to exploit rand()?
 
Thank-a-Gram
Thank-a-GramThank-a-Gram
Thank-a-Gram
 
Can I write to a read only file ?
Can I write to a read only file ?Can I write to a read only file ?
Can I write to a read only file ?
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based Testing
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering Tasks
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module Dependencies
 
Software Architecture
Software ArchitectureSoftware Architecture
Software Architecture
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solver
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit
 
20170605135932210 thank you card7
20170605135932210 thank you card720170605135932210 thank you card7
20170605135932210 thank you card7
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
 

Recently uploaded

A Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdfA Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdfICS
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Eraconfluent
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMarkus Moeller
 
GraphSummit Milan - Visione e roadmap del prodotto Neo4j
GraphSummit Milan - Visione e roadmap del prodotto Neo4jGraphSummit Milan - Visione e roadmap del prodotto Neo4j
GraphSummit Milan - Visione e roadmap del prodotto Neo4jNeo4j
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Andrea Goulet
 
Effective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConEffective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConNatan Silnitsky
 
CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...
CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...
CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...Neo4j
 
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale IbridaUNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale IbridaNeo4j
 
Transformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksTransformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksJinanKordab
 
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAOpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAShane Coughlan
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)Roberto Bettazzoni
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfkalichargn70th171
 
GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with Graph
GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with GraphGraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with Graph
GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with GraphNeo4j
 
Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Chirag Panchal
 
From Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST APIFrom Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST APIInflectra
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Andreas Granig
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Lisi Hocke
 
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...drm1699
 

Recently uploaded (20)

A Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdfA Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdf
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Era
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdf
 
GraphSummit Milan - Visione e roadmap del prodotto Neo4j
GraphSummit Milan - Visione e roadmap del prodotto Neo4jGraphSummit Milan - Visione e roadmap del prodotto Neo4j
GraphSummit Milan - Visione e roadmap del prodotto Neo4j
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
 
Effective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConEffective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeCon
 
CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...
CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...
CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...
 
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale IbridaUNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
 
Transformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksTransformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with Links
 
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAOpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
 
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
 
GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with Graph
GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with GraphGraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with Graph
GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with Graph
 
Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024
 
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
 
From Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST APIFrom Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST API
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
 
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
 

RSA without Integrity Checks

  • 1. Experiments on RSA without integrity checks Demo of Reversing the Plaintexts from the Ciphertexts Dr. Dharma Ganesan, Ph.D.,
  • 2. Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
  • 3. Goal of this presentation (details later) ● Explain how to break unauthenticated RSA ○ That is, RSA without digital signature/integrity checks ● Present exploit: Man-in-the-middle edit public exponents ○ Uses Bézout’s theorem to recover the plaintexts from ciphertexts ○ Extended Euclidean Algorithm is the core ● This challenge was given to me by a friend who works for a social media giant 3
  • 4. Informal system design and constraints for attackers ● A set of apps send data to each other using public-key cryptography (RSA) ○ App i uses the public key of app j to send encrypted data to app j ○ Apps send public keys over public channels, without digital signature/certificate ● The attackers are allowed to edit only the RSA public exponent e ● The attackers cannot impersonate any app nor inject their own apps ● Goal: Reverse the plaintext from the ciphertext, satisfying the constraints 4
  • 5. Prerequisite (to follow the remaining slides) Some familiarity with the following topics will help to follow the rest of the slides ● Group Theory (Abstract Algebra/Discrete Math) ● Modular Arithmetic (Number Theory) ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview 5
  • 6. How can Bob send a message to Alice securely? 6 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other Private Key PrA Public Key PuB Private Key PrB
  • 7. RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they got the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable 7
  • 8. 8 Notations and Facts GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock Z* n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z* n is a multiplicative group) φ(n): Euler’s Totient function denotes the number of elements in Z* n φ(p) = p-1, if p is a prime number x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
  • 9. Bézout’s identity (needed later for this attack) ● Let a and b are two integers. There exists a pair of integers x and y such that: ○ a.x + b.y = gcd(a, b) ● If a and b are relatively prime to each other, then ○ a.x + b.y = 1 ● For a given a and b, we use the Extended Euclidean Algorithm to find x and y 9
  • 10. RSA - Key Generation Algo. (Fits on one page) 1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits) ○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later) 2. Pick two independent, large random primes, p and q, of half of n’s bitlength ○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization) 3. Compute n = p.q (n is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n)) ○ Many implementations set e to be 65537 (Note: gcd(e, φ(n)) = 1) ○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in Zn 6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q> Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately 10
  • 11. Formal definition of the RSA trapdoor function ● RSA: Zn → Zn ● Let m and c ∈ Zn ● c = RSA(m) = me mod n ● m = RSA-1 (c) = cd mod n ● e and d are also called encryption and decryption exponents, respectively ● Note: Attackers know c, e, and n but not d 11
  • 12. 12
  • 13. 13 MiTM changed the RSA public exponent e to e’ such that gcd(e, e’) = 1 Gibberish because e’ is not a valid public exponent
  • 14. Core idea of the attack ● The attacker corrupts the public exponent e ● Instead of the standard exponent e = 65537, she modifies to e' = 65539 ● Note that gcd(e, e') = 1 ● They both are relatively prime to each other ● The receiver will get gibberish during decryption because of the corrupted e ● The receiver will resend the same public key pair <n, e> ● The sender will re-encrypt the same message using the public key pair ● Now the attacker does not modify the public key pair 14
  • 15. Core idea of the attack … ● The attacker has two ciphertext pair: ● c' which is the ciphertext produced by the sender using e' ● c which is the ciphertext produced by the sender using correct e ● Goal of the attacker is to recover the plaintext m from <c, c', e, e'> 15
  • 16. Algorithm: Recover the plaintext m from <c, c', e, e'> ● To recover m, the attacker applies the Extended Euclidean Algorithm: ● Since gcd(e, e' ) = 1, there must exist x and y such that e.x + e'.y = 1 ● We can prove that the plaintext m = cx . (c' )y mod n ○ cx = (me )x mod n ○ (c')y = (me' )y mod n ○ cx . (c' )y = (me )x mod n . (me' )y mod n = m(ex + e' y) mod n = m ● Summary: The attacker recovered m from <c, c', e, e', x, y> 16
  • 17. Implementation of the algorithm 17 public static BigInteger reversePlaintext(BigInteger n, BigInteger e, BigInteger e_err, BigInteger c, BigInteger c_err) { BigIntEuclidean bigIntEuclidean = BigIntEuclidean.calculate(e, e_err); BigInteger x = bigIntEuclidean.x; BigInteger y = bigIntEuclidean.y; BigInteger part1 = c.modPow(x, n); BigInteger part2 = c_err.modPow(y, n); BigInteger result = part1.multiply(part2).mod(n); return result; } Mapping of variables to the algorithm: c_err → c‘ e_err → e‘ part1 → cx part2 → (c')y BigIntEuclidean class implements the Extended Euclidean Algorithm
  • 19. Captured public key <n, e> 19 n = 18004824506648204194492044002988064209675766035584463299236235 06494317520722425405499266736358111222092353075238943051957607 72838177133711938809223918443876724379628144541547953255275703 55545843143202611749143674603115027112767793615940083335822504 14001260300000139604098161722910625646686414595219516699059074 64124112599480274057376820125309201418774936670930722094112920 75668511384565582317364152493210500975624064036271597500904886 41493391778556544669856827168913235058037152190508905547682028 60172358074680448465215575045155812495385151214152726263391080 32505413436163412529544236195170662429539872646199926257967 e = 65537
  • 20. Captured traffic (with wrong exponent e = 65539) 20 c' = 628936728EB827FFCA8EF47ED38DEA19BA5C2FFF3B00D34A59BA 49002E4143BE5F8992C4CF46AC6CDAFA969BB4EC07C58D757245 DAAA794F5B382302ED906324B3973D453A2F4495783BDD6989DC7 5C6E7C530979F1E5216734BF3FB3203AE1FD5631B0FE135BD259A 377763ED63F961C7598C5C4871B990F3230A7BBEE60129D1B2B64 0B3AE2C36DD5B76F66AC5B9AA99C48FDF31E608DE005719BEA2A DD92D5754E7ECBDF39F9D204820EF97D473FA897860587AE4B0C 4DF01E98C7B501C4FE26A5A4624DF3648FBB0F7F61DC79DAFE1E 9881A9A27A66CE3BB4D92FC52DB790ACD48A5009325A79D157106 07B30B7BCC37E305132F6A9A2C3A56E0A5990854
  • 21. Captured traffic (with correct exponent e = 65537) 21 c = 06DEC6DCE2726801CB815FFF5443960B7C11AB9E7 487F3E3B7D9613979AC473E238AE4D5624F4B97F7 567D495D5871A1D1B234E42771FCF9B47EF43F85A 08299BC98D5A9AD16A6B102FC9EC03AACC01B526 79E089589D2CBB09E9F127A1829DC59AFC7197431 E59F1B63DAC08878D0F8D0C2885CE30E955334D63 C4C30D8A619EE245A584F4704A989B2992257AE29 503EDE0C5637DA220522ECB495AAA980103505459 AE36952052B4CF5EFEB2D847405C02A60AB2EAB92 8206BA0DFE8438C491264F19C93819E158A26F8507 A1083B7A223B1A6EA145EEC2B4084E87D094426F2 6D00C84FA24369C159EF5C029918118E784A101AB D00A7B3B59E6C7E643BE
  • 22. Demo client to break Raw RSA (2048-bit modulus) 22 $ java RSA_MiTM $n 65537 65539 $c $c_err Hi, How are you? The attacker recovered the secret from <c, c', e, e'>
  • 23. Conclusion/Discussion 23 ● The main goal was to experiment with an incorrect RSA usage pattern ● That is, without integrity checks or digital signature ● The Man-in-the-middle (MiTM) just has to edit the public exponent e ● MiTM was able to recover plaintexts using Extended Euclidean Algo. ● Note that this attack works when RSA is used without any padding ● RSA without integrity checks can lead to interesting attacks ● In TLS, the server’s public key is digitallly signed, so MiTM’s job is very difficult to edit e ● RSA is a classical crypto system but has to be used very carefully
  • 24. References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996. ● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011. 24