1 of 30

## What's hot

### What's hot(20)

Solutions to online rsa factoring challenges
Solutions to online rsa factoring challenges

Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor Function

An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent e

How do computers exchange secrets using Math?
How do computers exchange secrets using Math?

An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)

On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private Keys

On deriving the private key from a public key
On deriving the private key from a public key

Active Attacks on DH Key Exchange
Active Attacks on DH Key Exchange

RSA ALGORITHM
RSA ALGORITHM

Rsa rivest shamir adleman
Rsa rivest shamir adleman

RSA
RSA

The rsa algorithm
The rsa algorithm

Public Key Algorithms
Public Key Algorithms

RSA Algorithm
RSA Algorithm

RSA ALGORITHM
RSA ALGORITHM

1508.07756v1
1508.07756v1

PKC&RSA
PKC&RSA

RSA Algorithm report
RSA Algorithm report

## Similar to Dependency Analysis of RSA Private Variables

Cyber Security Part-3.pptx

Algorithms - A Sneak Peek
Algorithms - A Sneak PeekBADR

Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmVaibhav Khanna

RSA final notation change2
RSA final notation change2Coleman Gorham

2010 3-24 cryptography stamatiou
2010 3-24 cryptography stamatiouvafopoulos

RSA Algm.pptx
RSA Algm.pptxSou Jana

The Mathematics of RSA Encryption
The Mathematics of RSA EncryptionNathan F. Dunn

Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxwerip98386

01 - DAA - PPT.pptx
01 - DAA - PPT.pptxKokilaK25

Chapter 06 rsa cryptosystem
Chapter 06 rsa cryptosystemAnkur Choudhary

Deep dive into rsa
Deep dive into rsaBill GU

Discrete Logarithm Problem over Prime Fields, Non-canonical Lifts and Logarit...
Discrete Logarithm Problem over Prime Fields, Non-canonical Lifts and Logarit...PadmaGadiyar

NumberTheory explanations in the easiest way.ppt
NumberTheory explanations in the easiest way.pptIshwariKhanal

implementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.pptMuhammadAbdullah311866

### Similar to Dependency Analysis of RSA Private Variables(20)

Cyber Security Part-3.pptx
Cyber Security Part-3.pptx

Algorithms - A Sneak Peek
Algorithms - A Sneak Peek

Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithm

RSA final notation change2
RSA final notation change2

Rsa cryptosystem
Rsa cryptosystem

2010 3-24 cryptography stamatiou
2010 3-24 cryptography stamatiou

Unit 3
Unit 3

RSA Algm.pptx
RSA Algm.pptx

Randomized algorithms ver 1.0
Randomized algorithms ver 1.0

The Mathematics of RSA Encryption
The Mathematics of RSA Encryption

Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx

Eulers totient
Eulers totient

01 - DAA - PPT.pptx
01 - DAA - PPT.pptx

NFSFIXES
NFSFIXES

Rsa algorithm
Rsa algorithm

Chapter 06 rsa cryptosystem
Chapter 06 rsa cryptosystem

Deep dive into rsa
Deep dive into rsa

Discrete Logarithm Problem over Prime Fields, Non-canonical Lifts and Logarit...
Discrete Logarithm Problem over Prime Fields, Non-canonical Lifts and Logarit...

NumberTheory explanations in the easiest way.ppt
NumberTheory explanations in the easiest way.ppt

implementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.ppt

## More from Dharmalingam Ganesan

Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfDharmalingam Ganesan

Requirements driven Model-based Testing
Requirements driven Model-based TestingDharmalingam Ganesan

Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksDharmalingam Ganesan

Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesDharmalingam Ganesan

Integer security analysis using smt solver
Integer security analysis using smt solverDharmalingam Ganesan

Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitDharmalingam Ganesan

Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleDharmalingam Ganesan

### More from Dharmalingam Ganesan(13)

.NET Deserialization Attacks
.NET Deserialization Attacks

Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdf

How to exploit rand()?
How to exploit rand()?

Thank-a-Gram
Thank-a-Gram

Can I write to a read only file ?
Can I write to a read only file ?

Requirements driven Model-based Testing
Requirements driven Model-based Testing

Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering Tasks

Reverse Engineering of Module Dependencies
Reverse Engineering of Module Dependencies

Software Architecture
Software Architecture

Integer security analysis using smt solver
Integer security analysis using smt solver

Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit

20170605135932210 thank you card7
20170605135932210 thank you card7

Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural Style

Crafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationWave PLM

KLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems ApproachNeo4j

iGaming Platform & Lottery Solutions by Skilrock
iGaming Platform & Lottery Solutions by SkilrockSkilrock Technologies

IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024vaibhav130304

AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...Alluxio, Inc.

A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1KnowledgeSeed

Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesKrzysztofKkol1

How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?XfilesPro

Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfQ-Advise

Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdfVictor Lopez

A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationHelp Desk Migration

10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdfkalichargn70th171

APVP,apvp apvp High quality supplier safe spot transport, 98% purity
APVP,apvp apvp High quality supplier safe spot transport, 98% purityamy56318795

Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Soroosh Khodami

AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAlluxio, Inc.

A Guideline to Gorgias to to Re:amaze Data Migration
A Guideline to Gorgias to to Re:amaze Data MigrationHelp Desk Migration

Advanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should KnowPeter Caitens

GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product UpdatesNeo4j

Crafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM Integration

KLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems Approach

iGaming Platform & Lottery Solutions by Skilrock
iGaming Platform & Lottery Solutions by Skilrock

IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024

AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...

A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1

Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web Services

How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?

Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf

5 Reasons Driving Warehouse Management Systems Demand
5 Reasons Driving Warehouse Management Systems Demand

Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf

A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data Migration

10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdf

APVP,apvp apvp High quality supplier safe spot transport, 98% purity
APVP,apvp apvp High quality supplier safe spot transport, 98% purity

Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024

AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG

A Guideline to Gorgias to to Re:amaze Data Migration
A Guideline to Gorgias to to Re:amaze Data Migration

Advanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should Know

GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates

### Dependency Analysis of RSA Private Variables

• 1. Dependency Analysis of RSA Private Variables Dr. Dharma Ganesan, Ph.D.,
• 2. Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
• 3. High-level Question ● An RSA private key is made of a few private variables ● If a private variable is exposed, can we efficiently derive the rest of the private variables? 3
• 4. Detailed questions (notations are defined later) 1. How to derive the private prime factors of RSA modulus n from φ(n)? 2. How to derive the private exponent d from φ(n)? 3. How to derive the private prime factors p and q from the private exponent d? 4
• 5. Agenda ● Brief overview of RSA algorithm ● Formal definition of RSA Trapdoor function ● Algorithms and Demos (for the three questions) ● Conclusion 5
• 6. Prerequisite Some familiarity with the following topics will help to follow the rest of the slides ● Group Theory ● Number Theory ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview 6
• 7. How can Bob send a message to Alice securely? 7 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? Private Key PrA Public Key PuB Private Key PrB
• 8. RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they got the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable 8
• 9. 9 Notations and Facts GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock Z* n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z* n is a multiplicative group) φ(n): Euler’s Totient function denotes the number of elements in Z* n φ(nm) = φ(n).φ(m) (This property is called multiplicative) φ(p) = p-1, if p is a prime number
• 10. Notations and Facts ... ● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n ● Euler’s Theorem: aφ(n) ≡ 1 (mod n), if gcd(a, n) = 1 ● Fermat’s Little Theorem: ap ≡ a (mod p) ● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is either a prime or can be written as a unique product of primes ○ Euclid’s work is the foundation for this theorem, see The Elements ● Euclid’s Lemma: if a prime p divides the product of two natural numbers a and b, then p divides a or p divides b ● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes 10
• 11. RSA - Key Generation Algo 1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits) ○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later) 2. Pick two independent, large random primes, p and q, of half of n’s bitlength ○ In practice, p and q satisfy q < p < 2q to avoid polynomial time factorization algorithms 3. Compute n = p.q (n is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n)) ○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in Zn 6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q> 11
• 12. RSA Trapdoor ● RSA: Zn → Zn ● Let x and y ∈ Zn ● y = RSA(x) = xe mod n ○ We may view x as a plaintext, and y as the corresponding ciphertext ● x = RSA-1 (y) = yd mod n ● e and d are also called encryption and decryption exponents, respectively 12
• 13. RSA Trapdoor variables’ dependency graph 13 Private variable Public variable Note: Public exponent e affects the private exponent d
• 14. Question 1: Factor n when private φ(n) is given 14 φ(n) = (p-1)(q-1) φ(n) = pq - p - q + 1 φ(n) = n - p - n/p + 1 (since n = pq) pφ(n) = np -p2 -n+ p p2 - np - p+ pφ(n)+ n = 0 p2 - (n+ 1- φ(n))p + n = 0 This is a quadratic equation in p. We know how to solve ax2 +bx+c = 0. x = (-b ∓ √(b2 - 4ac))/2a Note also that the product of the two roots = c/a. In our case, a = 1, thus the products of the roots are the prime factors of n
• 15. Demo 1: Factor n when private φ(n) is given 15 Let’s generate a 2048 RSA key pair as follows: keysize = 2048, e = 65537 ~/crypto/RSA\$ java RSA_KeyPair \$keysize \$e Output: <phi, n, d, p, q> are shown below
• 16. Demo 1: Factor n when private φ(n) is given 16
• 17. Demo 1: Factor n when private φ(n) is given ... 17 ~/crypto/RSA\$ java PrimeFactorsFromPhi \$n \$phi p=17903874057903527472517669435513313630569762683771632088937031464400624513093903398720 5261101355504048933406381667101125804436997838009295776233608129356643657709953464604266 4278240107564127344919624324139339067172539410416522168861149638310907790220912279762890 15575518486062027786802049855038992628112233123 q=17874883566449270685325299591622537894696700693308029291565246263883560607941716737808 6464578047472634374830076876987053824678362512846985147502313908595068657410399492853189 9056645383086939677868549377884628581065684311026875287600736273831026715753577358550340 05824459505427320400617171847420795137628994559 We see that this p and q are the same on the previous slide Equivalently, we derived the private prime factors p and q of n from another private variable φ(n)
• 18. Demo 1: Prime factors of n using phi(n) 18 /* * Given n and phi(n), returns the factors of n: p and q */ public static BigInteger[] factorize(BigInteger n, BigInteger phi) { BigInteger one = BigInteger.valueOf(1); BigInteger minusOne = BigInteger.valueOf(-1); /* p*p -(n+1-phi(n))p + n = 0 */ BigInteger z = n.add(one).subtract(phi).multiply(minusOne); /* Roots of this quadratic equation are the prime factors of n */ BigInteger[] factors = BigIntUtil.quadraticSol(one,z,n); assert n.equals(factors[0].multiply(factors[1])); return factors; }
• 19. 19 /* * Returns the integer roots of the ax2 + bx + c = 0 */ public static BigInteger[] quadraticSol(BigInteger a, BigInteger b, BigInteger c) { BigInteger zero = BigInteger.ZERO; BigInteger minusOne = BigInteger.valueOf(-1); BigInteger two = BigInteger.valueOf(2); BigInteger four = BigInteger.valueOf(4); BigInteger b2_4ac = b.multiply(b).subtract(four.multiply(a.multiply(c))); assert a.compareTo(zero) != 0 && b2_4ac.compareTo(zero) >= 0; BigInteger negB = b.multiply(minusOne); BigInteger root_b2_4ac = iRoot(b2_4ac, 2); assert root_b2_4ac.multiply(root_b2_4ac).compareTo(b2_4ac) == 0; BigInteger[] roots = new BigInteger[2]; roots[0] = negB.add(root_b2_4ac).divide(two.multiply(a)); roots[1] = negB.subtract(root_b2_4ac).divide(two.multiply(a)); return roots; }
• 20. Question 2: Derive private exponent d from φ(n) 20 We know that e.d ≡ 1(mod φ(n)) To find d, we multiply both sides by the inverse of e (i.e., e-1 ) Thus, d ≡ e-1 mod φ(n) Note that e-1 should exist because e and φ(n) are relatively prime
• 22. Demo 2: Derive private exponent d from φ(n) 22 ~/crypto/RSA\$ java ModInverse \$e \$phi Modular Inverse of 65537 is 2205151223696884190252381916635434764104221807529134232843816122898922433546108 3287372976252503587328696591274260031885794600481314199611651200179626903675369 0028009274857755022760288405248617492304240282041017910963309960636514481667802 6944157259783475257086607960394921579465796075728094174066371810325736212160395 6922757355039274603476879690439127159645339789795023593785438145131390767349450 4634404929864749265927992741511730020925412893911025985705705945455643610869142 0863758917973667307103241295297662510557556262730109970320101433216326920736123 5840090794589733305253198877867831375654052088316468016370497257 This is the same private d generated by the RSA key pair generator (see Demo 1)
• 23. Question 3: Derive the prime factors p and q from d 23 We know that e.d ≡ 1(mod φ(n)) e.d - 1 ≡ 0 ( mod φ(n)) e.d - 1 = r φ(n) for some integer r. Let k = e.d - 1. This means that k is a multiple of φ(n). K is even because φ(n) is even Let g be a random element of Z* n . That is, g is relatively prime to n. Euler’s theorem says gk ≡ 1 (mod n) since gcd (g, n) =1 . This implies gk/2 is a square of one mod n because gk/2 . gk/2 = gk ≡ 1 (mod n)
• 24. Question 3: Algorithm to factorize n from d 24 Step 1: Pick a random g from the multiplicative group Zn * Step 2: Construct a sequence: gk/2 , gk/4 , gk/8 , … until not equal to 1 mod n Note: If k/2i is not an even number, go back to step 1 and pick a new g Step 3: Now we have calculated square root of one in mod n. That is, z2 ≡ 1 (mod n) and z ≠ ∓ 1 (mod n) (z+1)(z-1) ≡ 0 (mod n) This implies n divides (z+1) and (z-1). Equivalently, n must share factors with (z+1) and (z-1). Step 4: Compute gcd(n, z-1) to extract one of the prime factors (say p) of n Step 5: Derive another prime factor q = n/p
• 25. 25 My implementation of the algorithm to find the prime factors p and q from d
• 26. 26 ~/crypto/RSA\$ java PrimeFactorsFromD \$e \$n \$d p=17903874057903527472517669435513313630569762683771632088937031464400624513093903398720 5261101355504048933406381667101125804436997838009295776233608129356643657709953464604266 4278240107564127344919624324139339067172539410416522168861149638310907790220912279762890 15575518486062027786802049855038992628112233123 q=17874883566449270685325299591622537894696700693308029291565246263883560607941716737808 6464578047472634374830076876987053824678362512846985147502313908595068657410399492853189 9056645383086939677868549377884628581065684311026875287600736273831026715753577358550340 05824459505427320400617171847420795137628994559 We see that the p and q are the factors of n (as expected) Equivalently, we derived the private prime factors p and q of n from another private variable d Demo 3: Derive the prime factors p and q from d
• 27. Conclusion 27 ● We analyzed the dependencies of RSA private variables ● We efficiently derived the ○ private prime factors p and q of RSA modulus n from φ(n) ○ private exponent d from φ(n) ○ private prime factors p and q from the private exponent d ● This analysis shows that if one of the private variables is leaked the rest is public ○ We need to throw away all the private variables and generate new keys ● If we can efficiently solve z2 ≡ 1 (mod n) (of course, z ≠ ∓ 1), then RSA is breakable ○ We used this fact in Demo 3, because d is given to us
• 28. References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996. ● C. Paar and J. Pelzl. “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011. 28
• 29. References ● Finding a non-trivial square root of n: http://www.tricki.org/article/To_factorize_n_find_a_non-trivial_square_root_of _1_mod_n ● D. Boneh and Victor Shoup, “A Graduate Course in Applied Cryptography,” https://toc.cryptobook.us/ 29
• 30. Appendix - graphviz for the dependency graph digraph G { { p [color = red, shape=box] q [color = red, shape=box] "φ(n)" [color = red, shape=box] d [color = red, shape=box] x [color = red, shape=box] y [color = blue] e [color = blue] n [color = blue] } n -> {p q} "φ(n)" -> {p q} d -> {e "φ(n)"} y -> {x e n} } 30
Current LanguageEnglish
Español
Portugues
Français
Deutsche
© 2024 SlideShare from Scribd