SlideShare a Scribd company logo
1 of 30
Download to read offline
Dependency Analysis of RSA Private
Variables
Dr. Dharma Ganesan, Ph.D.,
Disclaimer
● The opinions expressed here are my own
○ But not the views of my employer
● The source code fragments and exploits shown here can be reused
○ But without any warranty nor accept any responsibility for failures
● Do not apply the exploit discussed here on other systems
○ Without obtaining authorization from owners
2
High-level Question
● An RSA private key is made of a few private variables
● If a private variable is exposed, can we efficiently derive
the rest of the private variables?
3
Detailed questions (notations are defined later)
1. How to derive the private prime factors of RSA modulus n from φ(n)?
2. How to derive the private exponent d from φ(n)?
3. How to derive the private prime factors p and q from the private exponent d?
4
Agenda
● Brief overview of RSA algorithm
● Formal definition of RSA Trapdoor function
● Algorithms and Demos (for the three questions)
● Conclusion
5
Prerequisite
Some familiarity with the following topics will help to follow the rest of the slides
● Group Theory
● Number Theory
● Algorithms and Complexity Theory
● If not, it should still be possible to obtain a high-level overview
6
How can Bob send a message to Alice securely?
7
Public Key PuA
● Alice and Bob never met each other
● Bob will encrypt using Alice’s public key
○ Assume that public keys are known to the world
● Alice will decrypt using her private key
○ Private keys are secrets (never sent out)
● Bob can sign messages using his private key
○ Alice verifies message integrity using Bob’s public key
○ Not important for this presentation/attack
● Note: Alice and Bob need other evidence (e.g., passwords,
certificates) to prove their identity to each other
● Who are Alice, Bob, and Eve?
Private Key PrA
Public Key PuB
Private Key PrB
RSA Public Key Cryptography System
● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman
● Rooted in elegant mathematics - Group Theory and Number Theory
● Core idea: Anyone can encrypt a message using recipient's public key but
○ (as far as we know) no one can efficiently decrypt unless they got the matching private key
● Encryption and Decryption are inverse operations (math details later)
○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA
● Eavesdropper Eve cannot easily derive the secret (math details later)
○ Unless she solves “hard” number theory problems that are computationally intractable
8
9
Notations and Facts
GCD(x, y): The greatest common divisor that divides integers x and y
Co-prime: If gcd(x, y) = 1, then x and y are co-primes
Zn
= { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn
as a circular wall clock
Z*
n
= { x ∈ Zn
| gcd(x, n) = 1 }; (additional info: Z*
n
is a multiplicative group)
φ(n): Euler’s Totient function denotes the number of elements in Z*
n
φ(nm) = φ(n).φ(m) (This property is called multiplicative)
φ(p) = p-1, if p is a prime number
Notations and Facts ...
● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
● Euler’s Theorem: aφ(n)
≡ 1 (mod n), if gcd(a, n) = 1
● Fermat’s Little Theorem: ap
≡ a (mod p)
● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is
either a prime or can be written as a unique product of primes
○ Euclid’s work is the foundation for this theorem, see The Elements
● Euclid’s Lemma: if a prime p divides the product of two natural numbers a
and b, then p divides a or p divides b
● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes
10
RSA - Key Generation Algo
1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits)
○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later)
2. Pick two independent, large random primes, p and q, of half of n’s bitlength
○ In practice, p and q satisfy q < p < 2q to avoid polynomial time factorization algorithms
3. Compute n = p.q (n is also called the RSA modulus)
4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)
5. Select numbers e and d from Zn
such that e.d ≡ 1(mod φ(n))
○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt)
○ d is the multiplicative inverse of e in Zn
6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q>
11
RSA Trapdoor
● RSA: Zn
→ Zn
● Let x and y ∈ Zn
● y = RSA(x) = xe
mod n
○ We may view x as a plaintext, and y as the corresponding ciphertext
● x = RSA-1
(y) = yd
mod n
● e and d are also called encryption and decryption exponents, respectively
12
RSA Trapdoor variables’ dependency graph
13
Private variable
Public variable
Note: Public exponent e affects the private exponent d
Question 1: Factor n when private φ(n) is given
14
φ(n) = (p-1)(q-1)
φ(n) = pq - p - q + 1
φ(n) = n - p - n/p + 1 (since n = pq)
pφ(n) = np -p2
-n+ p
p2
- np - p+ pφ(n)+ n = 0
p2
- (n+ 1- φ(n))p + n = 0
This is a quadratic equation in p. We know how to solve ax2
+bx+c = 0.
x = (-b ∓ √(b2
- 4ac))/2a
Note also that the product of the two roots = c/a.
In our case, a = 1, thus the products of the roots are the prime factors of n
Demo 1: Factor n when private φ(n) is given
15
Let’s generate a 2048 RSA key pair as follows: keysize = 2048, e = 65537
~/crypto/RSA$ java RSA_KeyPair $keysize $e
Output: <phi, n, d, p, q> are shown below
Demo 1: Factor n when private φ(n) is given
16
Demo 1: Factor n when private φ(n) is given ...
17
~/crypto/RSA$ java PrimeFactorsFromPhi $n $phi
p=17903874057903527472517669435513313630569762683771632088937031464400624513093903398720
5261101355504048933406381667101125804436997838009295776233608129356643657709953464604266
4278240107564127344919624324139339067172539410416522168861149638310907790220912279762890
15575518486062027786802049855038992628112233123
q=17874883566449270685325299591622537894696700693308029291565246263883560607941716737808
6464578047472634374830076876987053824678362512846985147502313908595068657410399492853189
9056645383086939677868549377884628581065684311026875287600736273831026715753577358550340
05824459505427320400617171847420795137628994559
We see that this p and q are the same on the previous slide
Equivalently, we derived the private prime factors p and q of n from another private variable φ(n)
Demo 1: Prime factors of n using phi(n)
18
/*
* Given n and phi(n), returns the factors of n: p and q
*/
public static BigInteger[] factorize(BigInteger n, BigInteger phi) {
BigInteger one = BigInteger.valueOf(1);
BigInteger minusOne = BigInteger.valueOf(-1);
/* p*p -(n+1-phi(n))p + n = 0 */
BigInteger z = n.add(one).subtract(phi).multiply(minusOne);
/* Roots of this quadratic equation are the prime factors of n */
BigInteger[] factors = BigIntUtil.quadraticSol(one,z,n);
assert n.equals(factors[0].multiply(factors[1]));
return factors;
}
19
/*
* Returns the integer roots of the ax2 + bx + c = 0
*/
public static BigInteger[] quadraticSol(BigInteger a, BigInteger b, BigInteger c) {
BigInteger zero = BigInteger.ZERO;
BigInteger minusOne = BigInteger.valueOf(-1);
BigInteger two = BigInteger.valueOf(2);
BigInteger four = BigInteger.valueOf(4);
BigInteger b2_4ac = b.multiply(b).subtract(four.multiply(a.multiply(c)));
assert a.compareTo(zero) != 0 && b2_4ac.compareTo(zero) >= 0;
BigInteger negB = b.multiply(minusOne);
BigInteger root_b2_4ac = iRoot(b2_4ac, 2);
assert root_b2_4ac.multiply(root_b2_4ac).compareTo(b2_4ac) == 0;
BigInteger[] roots = new BigInteger[2];
roots[0] = negB.add(root_b2_4ac).divide(two.multiply(a));
roots[1] = negB.subtract(root_b2_4ac).divide(two.multiply(a));
return roots;
}
Question 2: Derive private exponent d from φ(n)
20
We know that e.d ≡ 1(mod φ(n))
To find d, we multiply both sides by the inverse of e (i.e., e-1
)
Thus, d ≡ e-1
mod φ(n)
Note that e-1
should exist because e and φ(n) are relatively prime
21
Java’s BigInteger has ModInverse
Demo 2: Derive private exponent d from φ(n)
22
~/crypto/RSA$ java ModInverse $e $phi
Modular Inverse of 65537 is
2205151223696884190252381916635434764104221807529134232843816122898922433546108
3287372976252503587328696591274260031885794600481314199611651200179626903675369
0028009274857755022760288405248617492304240282041017910963309960636514481667802
6944157259783475257086607960394921579465796075728094174066371810325736212160395
6922757355039274603476879690439127159645339789795023593785438145131390767349450
4634404929864749265927992741511730020925412893911025985705705945455643610869142
0863758917973667307103241295297662510557556262730109970320101433216326920736123
5840090794589733305253198877867831375654052088316468016370497257
This is the same private d generated by the RSA key pair generator (see Demo 1)
Question 3: Derive the prime factors p and q from d
23
We know that e.d ≡ 1(mod φ(n))
e.d - 1 ≡ 0 ( mod φ(n))
e.d - 1 = r φ(n) for some integer r.
Let k = e.d - 1. This means that k is a multiple of φ(n). K is even because φ(n) is even
Let g be a random element of Z*
n
. That is, g is relatively prime to n.
Euler’s theorem says gk
≡ 1 (mod n) since gcd (g, n) =1 .
This implies gk/2
is a square of one mod n because gk/2
. gk/2
= gk
≡ 1 (mod n)
Question 3: Algorithm to factorize n from d
24
Step 1: Pick a random g from the multiplicative group Zn
*
Step 2: Construct a sequence: gk/2
, gk/4
, gk/8
, … until not equal to 1 mod n
Note: If k/2i
is not an even number, go back to step 1 and pick a new g
Step 3: Now we have calculated square root of one in mod n.
That is, z2
≡ 1 (mod n) and z ≠ ∓ 1 (mod n)
(z+1)(z-1) ≡ 0 (mod n)
This implies n divides (z+1) and (z-1).
Equivalently, n must share factors with (z+1) and (z-1).
Step 4: Compute gcd(n, z-1) to extract one of the prime factors (say p) of n
Step 5: Derive another prime factor q = n/p
25
My implementation of the
algorithm to find the prime
factors p and q from d
26
~/crypto/RSA$ java PrimeFactorsFromD $e $n $d
p=17903874057903527472517669435513313630569762683771632088937031464400624513093903398720
5261101355504048933406381667101125804436997838009295776233608129356643657709953464604266
4278240107564127344919624324139339067172539410416522168861149638310907790220912279762890
15575518486062027786802049855038992628112233123
q=17874883566449270685325299591622537894696700693308029291565246263883560607941716737808
6464578047472634374830076876987053824678362512846985147502313908595068657410399492853189
9056645383086939677868549377884628581065684311026875287600736273831026715753577358550340
05824459505427320400617171847420795137628994559
We see that the p and q are the factors of n (as expected)
Equivalently, we derived the private prime factors p and q of n from another private variable d
Demo 3: Derive the prime factors p and q from d
Conclusion
27
● We analyzed the dependencies of RSA private variables
● We efficiently derived the
○ private prime factors p and q of RSA modulus n from φ(n)
○ private exponent d from φ(n)
○ private prime factors p and q from the private exponent d
● This analysis shows that if one of the private variables is leaked the rest is public
○ We need to throw away all the private variables and generate new keys
● If we can efficiently solve z2
≡ 1 (mod n) (of course, z ≠ ∓ 1), then RSA is breakable
○ We used this fact in Demo 3, because d is given to us
References
● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE
Transactions on Information Theory, vol. IT-22, no. 6, November, 1976.
● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital
signatures and public-key cryptosystems,” CACM 21, 2, February, 1978.
● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied
Cryptography,” CRC Press, 1996.
● C. Paar and J. Pelzl. “Understanding Cryptography: A Textbook for Students
and Practitioners,” Springer, 2011.
28
References
● Finding a non-trivial square root of n:
http://www.tricki.org/article/To_factorize_n_find_a_non-trivial_square_root_of
_1_mod_n
● D. Boneh and Victor Shoup, “A Graduate Course in Applied Cryptography,”
https://toc.cryptobook.us/
29
Appendix - graphviz for the dependency graph
digraph G {
{
p [color = red, shape=box]
q [color = red, shape=box]
"φ(n)" [color = red, shape=box]
d [color = red, shape=box]
x [color = red, shape=box]
y [color = blue]
e [color = blue]
n [color = blue]
}
n -> {p q}
"φ(n)" -> {p q}
d -> {e "φ(n)"}
y -> {x e n}
}
30

More Related Content

What's hot

What's hot (20)

Solutions to online rsa factoring challenges
Solutions to online rsa factoring challengesSolutions to online rsa factoring challenges
Solutions to online rsa factoring challenges
 
RSA without Padding
RSA without PaddingRSA without Padding
RSA without Padding
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor Function
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent e
 
How do computers exchange secrets using Math?
How do computers exchange secrets using Math?How do computers exchange secrets using Math?
How do computers exchange secrets using Math?
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private Keys
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public key
 
Active Attacks on DH Key Exchange
Active Attacks on DH Key ExchangeActive Attacks on DH Key Exchange
Active Attacks on DH Key Exchange
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
Rsa rivest shamir adleman
Rsa rivest shamir adlemanRsa rivest shamir adleman
Rsa rivest shamir adleman
 
RSA
RSARSA
RSA
 
The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithm
 
Public Key Algorithms
Public Key AlgorithmsPublic Key Algorithms
Public Key Algorithms
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithm
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
1508.07756v1
1508.07756v11508.07756v1
1508.07756v1
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSA
 
RSA Algorithm report
RSA Algorithm reportRSA Algorithm report
RSA Algorithm report
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSA
 

Similar to Dependency Analysis of RSA Private Variables

Cyber Security Part-3.pptx
Cyber Security Part-3.pptxCyber Security Part-3.pptx
Cyber Security Part-3.pptxRavikumarVadana
 
Algorithms - A Sneak Peek
Algorithms - A Sneak PeekAlgorithms - A Sneak Peek
Algorithms - A Sneak PeekBADR
 
Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithmVaibhav Khanna
 
RSA final notation change2
RSA final notation change2RSA final notation change2
RSA final notation change2Coleman Gorham
 
2010 3-24 cryptography stamatiou
2010 3-24 cryptography stamatiou2010 3-24 cryptography stamatiou
2010 3-24 cryptography stamatiouvafopoulos
 
RSA Algm.pptx
RSA Algm.pptxRSA Algm.pptx
RSA Algm.pptxSou Jana
 
The Mathematics of RSA Encryption
The Mathematics of RSA EncryptionThe Mathematics of RSA Encryption
The Mathematics of RSA EncryptionNathan F. Dunn
 
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxRivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxwerip98386
 
01 - DAA - PPT.pptx
01 - DAA - PPT.pptx01 - DAA - PPT.pptx
01 - DAA - PPT.pptxKokilaK25
 
Chapter 06 rsa cryptosystem
Chapter 06   rsa cryptosystemChapter 06   rsa cryptosystem
Chapter 06 rsa cryptosystemAnkur Choudhary
 
Deep dive into rsa
Deep dive into rsaDeep dive into rsa
Deep dive into rsaBill GU
 
Discrete Logarithm Problem over Prime Fields, Non-canonical Lifts and Logarit...
Discrete Logarithm Problem over Prime Fields, Non-canonical Lifts and Logarit...Discrete Logarithm Problem over Prime Fields, Non-canonical Lifts and Logarit...
Discrete Logarithm Problem over Prime Fields, Non-canonical Lifts and Logarit...PadmaGadiyar
 
NumberTheory explanations in the easiest way.ppt
NumberTheory explanations in the easiest way.pptNumberTheory explanations in the easiest way.ppt
NumberTheory explanations in the easiest way.pptIshwariKhanal
 
implementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.pptimplementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.pptMuhammadAbdullah311866
 

Similar to Dependency Analysis of RSA Private Variables (20)

Cyber Security Part-3.pptx
Cyber Security Part-3.pptxCyber Security Part-3.pptx
Cyber Security Part-3.pptx
 
Algorithms - A Sneak Peek
Algorithms - A Sneak PeekAlgorithms - A Sneak Peek
Algorithms - A Sneak Peek
 
Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithm
 
RSA final notation change2
RSA final notation change2RSA final notation change2
RSA final notation change2
 
Rsa cryptosystem
Rsa cryptosystemRsa cryptosystem
Rsa cryptosystem
 
2010 3-24 cryptography stamatiou
2010 3-24 cryptography stamatiou2010 3-24 cryptography stamatiou
2010 3-24 cryptography stamatiou
 
Unit 3
Unit 3Unit 3
Unit 3
 
RSA Algm.pptx
RSA Algm.pptxRSA Algm.pptx
RSA Algm.pptx
 
Randomized algorithms ver 1.0
Randomized algorithms ver 1.0Randomized algorithms ver 1.0
Randomized algorithms ver 1.0
 
The Mathematics of RSA Encryption
The Mathematics of RSA EncryptionThe Mathematics of RSA Encryption
The Mathematics of RSA Encryption
 
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxRivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
 
Eulers totient
Eulers totientEulers totient
Eulers totient
 
01 - DAA - PPT.pptx
01 - DAA - PPT.pptx01 - DAA - PPT.pptx
01 - DAA - PPT.pptx
 
NFSFIXES
NFSFIXESNFSFIXES
NFSFIXES
 
Rsa algorithm
Rsa algorithmRsa algorithm
Rsa algorithm
 
Chapter 06 rsa cryptosystem
Chapter 06   rsa cryptosystemChapter 06   rsa cryptosystem
Chapter 06 rsa cryptosystem
 
Deep dive into rsa
Deep dive into rsaDeep dive into rsa
Deep dive into rsa
 
Discrete Logarithm Problem over Prime Fields, Non-canonical Lifts and Logarit...
Discrete Logarithm Problem over Prime Fields, Non-canonical Lifts and Logarit...Discrete Logarithm Problem over Prime Fields, Non-canonical Lifts and Logarit...
Discrete Logarithm Problem over Prime Fields, Non-canonical Lifts and Logarit...
 
NumberTheory explanations in the easiest way.ppt
NumberTheory explanations in the easiest way.pptNumberTheory explanations in the easiest way.ppt
NumberTheory explanations in the easiest way.ppt
 
implementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.pptimplementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.ppt
 

More from Dharmalingam Ganesan

Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfDharmalingam Ganesan
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based TestingDharmalingam Ganesan
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksDharmalingam Ganesan
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesDharmalingam Ganesan
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solverDharmalingam Ganesan
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitDharmalingam Ganesan
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleDharmalingam Ganesan
 

More from Dharmalingam Ganesan (13)

.NET Deserialization Attacks
.NET Deserialization Attacks.NET Deserialization Attacks
.NET Deserialization Attacks
 
Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdf
 
How to exploit rand()?
How to exploit rand()?How to exploit rand()?
How to exploit rand()?
 
Thank-a-Gram
Thank-a-GramThank-a-Gram
Thank-a-Gram
 
Can I write to a read only file ?
Can I write to a read only file ?Can I write to a read only file ?
Can I write to a read only file ?
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based Testing
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering Tasks
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module Dependencies
 
Software Architecture
Software ArchitectureSoftware Architecture
Software Architecture
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solver
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit
 
20170605135932210 thank you card7
20170605135932210 thank you card720170605135932210 thank you card7
20170605135932210 thank you card7
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
 

Recently uploaded

Crafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationCrafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationWave PLM
 
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA -  Language Models and Knowledge Graphs: A Systems ApproachKLARNA -  Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems ApproachNeo4j
 
iGaming Platform & Lottery Solutions by Skilrock
iGaming Platform & Lottery Solutions by SkilrockiGaming Platform & Lottery Solutions by Skilrock
iGaming Platform & Lottery Solutions by SkilrockSkilrock Technologies
 
IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024vaibhav130304
 
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...Alluxio, Inc.
 
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1KnowledgeSeed
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesKrzysztofKkol1
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?XfilesPro
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignNeo4j
 
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfMicrosoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfQ-Advise
 
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdfImplementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdfVictor Lopez
 
A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationA Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationHelp Desk Migration
 
10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdf10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdfkalichargn70th171
 
APVP,apvp apvp High quality supplier safe spot transport, 98% purity
APVP,apvp apvp High quality supplier safe spot transport, 98% purityAPVP,apvp apvp High quality supplier safe spot transport, 98% purity
APVP,apvp apvp High quality supplier safe spot transport, 98% purityamy56318795
 
Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Soroosh Khodami
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAlluxio, Inc.
 
A Guideline to Gorgias to to Re:amaze Data Migration
A Guideline to Gorgias to to Re:amaze Data MigrationA Guideline to Gorgias to to Re:amaze Data Migration
A Guideline to Gorgias to to Re:amaze Data MigrationHelp Desk Migration
 
Advanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should KnowAdvanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should KnowPeter Caitens
 
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product UpdatesGraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product UpdatesNeo4j
 

Recently uploaded (20)

Crafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationCrafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM Integration
 
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA -  Language Models and Knowledge Graphs: A Systems ApproachKLARNA -  Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
 
iGaming Platform & Lottery Solutions by Skilrock
iGaming Platform & Lottery Solutions by SkilrockiGaming Platform & Lottery Solutions by Skilrock
iGaming Platform & Lottery Solutions by Skilrock
 
IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024
 
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
 
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web Services
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by Design
 
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfMicrosoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
 
5 Reasons Driving Warehouse Management Systems Demand
5 Reasons Driving Warehouse Management Systems Demand5 Reasons Driving Warehouse Management Systems Demand
5 Reasons Driving Warehouse Management Systems Demand
 
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdfImplementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf
 
A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationA Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data Migration
 
10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdf10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdf
 
APVP,apvp apvp High quality supplier safe spot transport, 98% purity
APVP,apvp apvp High quality supplier safe spot transport, 98% purityAPVP,apvp apvp High quality supplier safe spot transport, 98% purity
APVP,apvp apvp High quality supplier safe spot transport, 98% purity
 
Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
 
A Guideline to Gorgias to to Re:amaze Data Migration
A Guideline to Gorgias to to Re:amaze Data MigrationA Guideline to Gorgias to to Re:amaze Data Migration
A Guideline to Gorgias to to Re:amaze Data Migration
 
Advanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should KnowAdvanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should Know
 
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product UpdatesGraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
 

Dependency Analysis of RSA Private Variables

  • 1. Dependency Analysis of RSA Private Variables Dr. Dharma Ganesan, Ph.D.,
  • 2. Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
  • 3. High-level Question ● An RSA private key is made of a few private variables ● If a private variable is exposed, can we efficiently derive the rest of the private variables? 3
  • 4. Detailed questions (notations are defined later) 1. How to derive the private prime factors of RSA modulus n from φ(n)? 2. How to derive the private exponent d from φ(n)? 3. How to derive the private prime factors p and q from the private exponent d? 4
  • 5. Agenda ● Brief overview of RSA algorithm ● Formal definition of RSA Trapdoor function ● Algorithms and Demos (for the three questions) ● Conclusion 5
  • 6. Prerequisite Some familiarity with the following topics will help to follow the rest of the slides ● Group Theory ● Number Theory ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview 6
  • 7. How can Bob send a message to Alice securely? 7 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? Private Key PrA Public Key PuB Private Key PrB
  • 8. RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they got the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable 8
  • 9. 9 Notations and Facts GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock Z* n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z* n is a multiplicative group) φ(n): Euler’s Totient function denotes the number of elements in Z* n φ(nm) = φ(n).φ(m) (This property is called multiplicative) φ(p) = p-1, if p is a prime number
  • 10. Notations and Facts ... ● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n ● Euler’s Theorem: aφ(n) ≡ 1 (mod n), if gcd(a, n) = 1 ● Fermat’s Little Theorem: ap ≡ a (mod p) ● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is either a prime or can be written as a unique product of primes ○ Euclid’s work is the foundation for this theorem, see The Elements ● Euclid’s Lemma: if a prime p divides the product of two natural numbers a and b, then p divides a or p divides b ● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes 10
  • 11. RSA - Key Generation Algo 1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits) ○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later) 2. Pick two independent, large random primes, p and q, of half of n’s bitlength ○ In practice, p and q satisfy q < p < 2q to avoid polynomial time factorization algorithms 3. Compute n = p.q (n is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n)) ○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in Zn 6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q> 11
  • 12. RSA Trapdoor ● RSA: Zn → Zn ● Let x and y ∈ Zn ● y = RSA(x) = xe mod n ○ We may view x as a plaintext, and y as the corresponding ciphertext ● x = RSA-1 (y) = yd mod n ● e and d are also called encryption and decryption exponents, respectively 12
  • 13. RSA Trapdoor variables’ dependency graph 13 Private variable Public variable Note: Public exponent e affects the private exponent d
  • 14. Question 1: Factor n when private φ(n) is given 14 φ(n) = (p-1)(q-1) φ(n) = pq - p - q + 1 φ(n) = n - p - n/p + 1 (since n = pq) pφ(n) = np -p2 -n+ p p2 - np - p+ pφ(n)+ n = 0 p2 - (n+ 1- φ(n))p + n = 0 This is a quadratic equation in p. We know how to solve ax2 +bx+c = 0. x = (-b ∓ √(b2 - 4ac))/2a Note also that the product of the two roots = c/a. In our case, a = 1, thus the products of the roots are the prime factors of n
  • 15. Demo 1: Factor n when private φ(n) is given 15 Let’s generate a 2048 RSA key pair as follows: keysize = 2048, e = 65537 ~/crypto/RSA$ java RSA_KeyPair $keysize $e Output: <phi, n, d, p, q> are shown below
  • 16. Demo 1: Factor n when private φ(n) is given 16
  • 17. Demo 1: Factor n when private φ(n) is given ... 17 ~/crypto/RSA$ java PrimeFactorsFromPhi $n $phi p=17903874057903527472517669435513313630569762683771632088937031464400624513093903398720 5261101355504048933406381667101125804436997838009295776233608129356643657709953464604266 4278240107564127344919624324139339067172539410416522168861149638310907790220912279762890 15575518486062027786802049855038992628112233123 q=17874883566449270685325299591622537894696700693308029291565246263883560607941716737808 6464578047472634374830076876987053824678362512846985147502313908595068657410399492853189 9056645383086939677868549377884628581065684311026875287600736273831026715753577358550340 05824459505427320400617171847420795137628994559 We see that this p and q are the same on the previous slide Equivalently, we derived the private prime factors p and q of n from another private variable φ(n)
  • 18. Demo 1: Prime factors of n using phi(n) 18 /* * Given n and phi(n), returns the factors of n: p and q */ public static BigInteger[] factorize(BigInteger n, BigInteger phi) { BigInteger one = BigInteger.valueOf(1); BigInteger minusOne = BigInteger.valueOf(-1); /* p*p -(n+1-phi(n))p + n = 0 */ BigInteger z = n.add(one).subtract(phi).multiply(minusOne); /* Roots of this quadratic equation are the prime factors of n */ BigInteger[] factors = BigIntUtil.quadraticSol(one,z,n); assert n.equals(factors[0].multiply(factors[1])); return factors; }
  • 19. 19 /* * Returns the integer roots of the ax2 + bx + c = 0 */ public static BigInteger[] quadraticSol(BigInteger a, BigInteger b, BigInteger c) { BigInteger zero = BigInteger.ZERO; BigInteger minusOne = BigInteger.valueOf(-1); BigInteger two = BigInteger.valueOf(2); BigInteger four = BigInteger.valueOf(4); BigInteger b2_4ac = b.multiply(b).subtract(four.multiply(a.multiply(c))); assert a.compareTo(zero) != 0 && b2_4ac.compareTo(zero) >= 0; BigInteger negB = b.multiply(minusOne); BigInteger root_b2_4ac = iRoot(b2_4ac, 2); assert root_b2_4ac.multiply(root_b2_4ac).compareTo(b2_4ac) == 0; BigInteger[] roots = new BigInteger[2]; roots[0] = negB.add(root_b2_4ac).divide(two.multiply(a)); roots[1] = negB.subtract(root_b2_4ac).divide(two.multiply(a)); return roots; }
  • 20. Question 2: Derive private exponent d from φ(n) 20 We know that e.d ≡ 1(mod φ(n)) To find d, we multiply both sides by the inverse of e (i.e., e-1 ) Thus, d ≡ e-1 mod φ(n) Note that e-1 should exist because e and φ(n) are relatively prime
  • 22. Demo 2: Derive private exponent d from φ(n) 22 ~/crypto/RSA$ java ModInverse $e $phi Modular Inverse of 65537 is 2205151223696884190252381916635434764104221807529134232843816122898922433546108 3287372976252503587328696591274260031885794600481314199611651200179626903675369 0028009274857755022760288405248617492304240282041017910963309960636514481667802 6944157259783475257086607960394921579465796075728094174066371810325736212160395 6922757355039274603476879690439127159645339789795023593785438145131390767349450 4634404929864749265927992741511730020925412893911025985705705945455643610869142 0863758917973667307103241295297662510557556262730109970320101433216326920736123 5840090794589733305253198877867831375654052088316468016370497257 This is the same private d generated by the RSA key pair generator (see Demo 1)
  • 23. Question 3: Derive the prime factors p and q from d 23 We know that e.d ≡ 1(mod φ(n)) e.d - 1 ≡ 0 ( mod φ(n)) e.d - 1 = r φ(n) for some integer r. Let k = e.d - 1. This means that k is a multiple of φ(n). K is even because φ(n) is even Let g be a random element of Z* n . That is, g is relatively prime to n. Euler’s theorem says gk ≡ 1 (mod n) since gcd (g, n) =1 . This implies gk/2 is a square of one mod n because gk/2 . gk/2 = gk ≡ 1 (mod n)
  • 24. Question 3: Algorithm to factorize n from d 24 Step 1: Pick a random g from the multiplicative group Zn * Step 2: Construct a sequence: gk/2 , gk/4 , gk/8 , … until not equal to 1 mod n Note: If k/2i is not an even number, go back to step 1 and pick a new g Step 3: Now we have calculated square root of one in mod n. That is, z2 ≡ 1 (mod n) and z ≠ ∓ 1 (mod n) (z+1)(z-1) ≡ 0 (mod n) This implies n divides (z+1) and (z-1). Equivalently, n must share factors with (z+1) and (z-1). Step 4: Compute gcd(n, z-1) to extract one of the prime factors (say p) of n Step 5: Derive another prime factor q = n/p
  • 25. 25 My implementation of the algorithm to find the prime factors p and q from d
  • 26. 26 ~/crypto/RSA$ java PrimeFactorsFromD $e $n $d p=17903874057903527472517669435513313630569762683771632088937031464400624513093903398720 5261101355504048933406381667101125804436997838009295776233608129356643657709953464604266 4278240107564127344919624324139339067172539410416522168861149638310907790220912279762890 15575518486062027786802049855038992628112233123 q=17874883566449270685325299591622537894696700693308029291565246263883560607941716737808 6464578047472634374830076876987053824678362512846985147502313908595068657410399492853189 9056645383086939677868549377884628581065684311026875287600736273831026715753577358550340 05824459505427320400617171847420795137628994559 We see that the p and q are the factors of n (as expected) Equivalently, we derived the private prime factors p and q of n from another private variable d Demo 3: Derive the prime factors p and q from d
  • 27. Conclusion 27 ● We analyzed the dependencies of RSA private variables ● We efficiently derived the ○ private prime factors p and q of RSA modulus n from φ(n) ○ private exponent d from φ(n) ○ private prime factors p and q from the private exponent d ● This analysis shows that if one of the private variables is leaked the rest is public ○ We need to throw away all the private variables and generate new keys ● If we can efficiently solve z2 ≡ 1 (mod n) (of course, z ≠ ∓ 1), then RSA is breakable ○ We used this fact in Demo 3, because d is given to us
  • 28. References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996. ● C. Paar and J. Pelzl. “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011. 28
  • 29. References ● Finding a non-trivial square root of n: http://www.tricki.org/article/To_factorize_n_find_a_non-trivial_square_root_of _1_mod_n ● D. Boneh and Victor Shoup, “A Graduate Course in Applied Cryptography,” https://toc.cryptobook.us/ 29
  • 30. Appendix - graphviz for the dependency graph digraph G { { p [color = red, shape=box] q [color = red, shape=box] "φ(n)" [color = red, shape=box] d [color = red, shape=box] x [color = red, shape=box] y [color = blue] e [color = blue] n [color = blue] } n -> {p q} "φ(n)" -> {p q} d -> {e "φ(n)"} y -> {x e n} } 30