Results of some basic experiments with the Diffie-Hellman Key Exchange System. I analyse the key-exchange algorithm using brute-force as well using the Baby-step Giant-step algorithm.
Cryptography is the practice and study of techniques for conveying information security.
The goal of Cryptography is to allow the intended recipients of the message to receive the message securely.
The most famous algorithm used today is RSA algorithm
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsDharmalingam Ganesan
We study the problem of finding the square roots of unity in a finite group in order to factor composite numbers used in RSA. We implemented Peter Shor’s algorithm to find the square root of unity. Experimental results showed that finding the square roots of unity in a finite group multiplicative group is “hard”.
The Cryptography puzzle discussed here is part of an online challenge. I demonstrate how I broke RSA when random prime numbers were common among a set of keys. I discuss basic metrics as well as implementation/design of my exploit scripts, too.
This presentation contains the contents pertaining to the undergraduate course on Cryptography and Network Security (UITC203) at Sri Ramakrishna Institute of Technology. This covers the ElGamal Cryptosystem.
Cryptography is the practice and study of techniques for conveying information security.
The goal of Cryptography is to allow the intended recipients of the message to receive the message securely.
The most famous algorithm used today is RSA algorithm
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsDharmalingam Ganesan
We study the problem of finding the square roots of unity in a finite group in order to factor composite numbers used in RSA. We implemented Peter Shor’s algorithm to find the square root of unity. Experimental results showed that finding the square roots of unity in a finite group multiplicative group is “hard”.
The Cryptography puzzle discussed here is part of an online challenge. I demonstrate how I broke RSA when random prime numbers were common among a set of keys. I discuss basic metrics as well as implementation/design of my exploit scripts, too.
This presentation contains the contents pertaining to the undergraduate course on Cryptography and Network Security (UITC203) at Sri Ramakrishna Institute of Technology. This covers the ElGamal Cryptosystem.
Threat Modeling as a structured activity for identifying and managing the objects (such as application) threats.
Threat Modeling – also called Architectural Risk Analysis is an essential step in the development of your application.
Without it, your protection is a shot in the dark
This presentation is based on the paper :
"A Method for Obtaining Digital Signatures and Public-Key Cryptosystems" by R.L. Rivest, A. Shamir, and L. Adleman
The following slides explains about elliptic curves, their interpretation over Gallois finite fields, algorithms that reduces arithmetic computational requirements and primarly applications of the ECC.
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
This presentation is an introduction to Cuckoo Sandbox, an automated a malware analysis system, and Intelligence to use this tool, at Department of Scientific Criminal Investigation in SungKyunKwan University in Korea.
Talk Venue: BSides Tampa 2020
Speakers: Mike Felch & Joff Thyer
This talk will focus on the many different ways that a penetration tester, or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful programming language which above all else allows a competent developer to very quickly write new tools that might start as a Proof of Concept, but soon become an invaluable addition to the Red Teamer's tool-belt. Having the skills to both generate new tools, and modify existing tools on the fly is critically important to agility during testing engagement. Everything from utility processing of data, network protocol, API interaction, and exploit development can be rapidly developed due to the high functionality level and intuitive nature of Python.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
Talk given at Devoxx UK 2014
Caveat - without the video these slides can be taken out of context, see Parleys for the full video.
RSA is the oldest kid in the public-key cryptography playground, and its position of toughest and fastest is under sharp competition from ECC (Elliptic Curve Cryptography). We look at the mathematical difference between the two cryptosystems, showing why ECC is faster and “harder” than RSA, but also very energy efficient hence its unique advantage in the mobile space. We show how to use ECC in your Java and Android applications. Before finally summarising the “state of the union” for RSA and ECC in the light of the Snowden leaks, and the likely near-future for public-key cryptography.
The slides demonstrate how to break RSA when used incorrectly without integrity checks. The man-in-the-middle is allowed to edit the RSA public exponent e in such a way that the Extended Euclidean Algorithm can be employed to reconstruct the plaintexts from the given ciphertexts.
Threat Modeling as a structured activity for identifying and managing the objects (such as application) threats.
Threat Modeling – also called Architectural Risk Analysis is an essential step in the development of your application.
Without it, your protection is a shot in the dark
This presentation is based on the paper :
"A Method for Obtaining Digital Signatures and Public-Key Cryptosystems" by R.L. Rivest, A. Shamir, and L. Adleman
The following slides explains about elliptic curves, their interpretation over Gallois finite fields, algorithms that reduces arithmetic computational requirements and primarly applications of the ECC.
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
This presentation is an introduction to Cuckoo Sandbox, an automated a malware analysis system, and Intelligence to use this tool, at Department of Scientific Criminal Investigation in SungKyunKwan University in Korea.
Talk Venue: BSides Tampa 2020
Speakers: Mike Felch & Joff Thyer
This talk will focus on the many different ways that a penetration tester, or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful programming language which above all else allows a competent developer to very quickly write new tools that might start as a Proof of Concept, but soon become an invaluable addition to the Red Teamer's tool-belt. Having the skills to both generate new tools, and modify existing tools on the fly is critically important to agility during testing engagement. Everything from utility processing of data, network protocol, API interaction, and exploit development can be rapidly developed due to the high functionality level and intuitive nature of Python.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
Talk given at Devoxx UK 2014
Caveat - without the video these slides can be taken out of context, see Parleys for the full video.
RSA is the oldest kid in the public-key cryptography playground, and its position of toughest and fastest is under sharp competition from ECC (Elliptic Curve Cryptography). We look at the mathematical difference between the two cryptosystems, showing why ECC is faster and “harder” than RSA, but also very energy efficient hence its unique advantage in the mobile space. We show how to use ECC in your Java and Android applications. Before finally summarising the “state of the union” for RSA and ECC in the light of the Snowden leaks, and the likely near-future for public-key cryptography.
The slides demonstrate how to break RSA when used incorrectly without integrity checks. The man-in-the-middle is allowed to edit the RSA public exponent e in such a way that the Extended Euclidean Algorithm can be employed to reconstruct the plaintexts from the given ciphertexts.
Slides demonstrate how to break RSA when no padding is applied. I replicated the meet-in-the-middle attack discussed in the existing Crypto literature.
CNIT 141 8. Public-Key Cryptosystems Based on the DLPSam Bowne
For a college course -- CNIT 140: "Cryptography for Computer Networks" at City College San Francisco
Instructor: Sam Bowne
More info: https://samsclass.info/141/141_F17.shtml
Based on "Understanding Cryptography: A Textbook for Students and Practitioners" by Christof Paar, Jan Pelzl, and Bart Preneel, ISBN: 3642041000
CTF3, Stripe's third Capture-the-Flag, focused on distributed systems engineering with a goal of learning to build fault-tolerant, performant software while playing around with a bunch of cool cutting-edge technologies.
More here: https://stripe.com/blog/ctf3-launch.
This is a set of lectures for the 7Gate academy boot camp. This covers a number of important topics in Cryptography that include secret key cryptography, public key cryptography, zero knowledge proofs, privacy, and anonymity. This is followed with a number of exercises in node.js.
CORRECTIONS
In page 14, replace "The public key can be announced with compromising security." with "The public key can be announced without compromising security."
You have an application that works well on a single node, and you’ve heard that Erlang lets you scale out in a cluster. How do you go about doing that?
We’ll walk through the steps I took to turn ExVenture (a multiplayer game server) into a distributed application.
Starting with connecting nodes in development and production, to picking a cluster leader via the Raft protocol, and dealing with process groups to fan calls throughout the cluster.
Finally we’ll see some of the hurdles I encountered when spanning multiple nodes.
We study the behavior of the RSA trapdoor function by repeatedly encrypting the ciphertext sent over the public channel. We discuss the problem of finding a cycle in order to reverse the plaintext from the given ciphertext. Simple demos and algorithms/python programs are also presented. While the attack is not necessarily practical, it is educational to learn how the RSA trapdoor function behaves.
We look into the nitty-gritty details of the RSA key generation algorithm. We study how RSA can be exploited when the public exponent e is not chosen carefully. We examine why many digital certificates use e=65537. We also experiment with Hastad's broadcast attack for short RSA exponents in particular.
We study the internal structure of the SRP key exchange protocol and experiment with it. SRP establishes a shared encryption key between communicating parties using passwords that were shared out-of-band. We perform basic cryptanalysis of SRP using open-source implementations. We present a demo of how SRP was compromised due to an implementation bug, allowing the attacker to login without the password. The author of the Go-SRP library promptly fixed the issue on the very same day we reported the vulnerability.
We allow Eve to modify DH parameters as well as public keys of Alice and Bob. This allows Eve to derive the secret key and break the DH crypto system. We demonstrate that the DH key exchange algorithm should not be used without digital signatures.
This was an invited talk at the Central Middle School, Maryland. Without going into a lot of math, I try to explain the fundamental key exchange problem. It was a blast. 8th graders enjoyed it as much as I enjoyed it.
Can we reveal the RSA private exponent d from its public key <e, n>? We study this question for two specific cases: e = 3 and e = 65537. Using demos, we verify that RSA reveals the most significant half of the private exponent d when the public exponent e is small. For example, for 2048-bit RSA, the most significant 1024 bits are revealed!
We experiment with Wiener's attack to break RSA when the secret exponent is short, meaning it is smaller than one quarter of the public modulus size. We discuss cryptanalysis details and present demos of the attack. Our very minor extension of Wiener's attack is also discussed.
If we have an RSA 2048 bits configuration, but our private exponent d is only about 512 bits, then the above attack breaks RSA in a few seconds.
This work uses Continued Fractions to derive the private keys from the given public keys. It turned out that one can derive the private exponent d by approximating it as a ratio of e/n, both are public values.
In a default settings of standard RSA libaries, this attack and my minor extension are not relevant (to the best of our knowledge). However, if we configure our library to choose a very large public encryption exponent e, then our private decryption exponent d could be short enough to mount an attack.
An RSA private key is made of a few private variables. We analyze how these private variables are chained together. Further, we study if one of the private variables is leaked, can we derive the other private variables? Demos of the algorithms are also provided.
The slides demonstrate how to reverse the plaintext from the RSA encrypted ciphertext using an oracle that answers the question: is the last bit of the message 0 or 1?
Slides present a demo of exploiting the homomorphic properties of raw RSA (i.e., without any padding) to reverse an RSA ciphertext, without the private key. We have two roles: Adversary and Challenger. The challenger presents a ciphertext to the adversary to break it. The adversary is allowed to ask for encryption/decryption of any text, except the decryption of the challenge ciphertext. The goal of the adversary is to break the ciphertext.
IRSim implements an approach to establish traceability links among artifacts such as requirements, source code, and test cases. This presentation shows how we used IRSim on NASA software to establish traceability links for sofware analysis, program understanding, and quality improvement, etc.
A Comprehensive Look at Generative AI in Retail App Testing.pdfkalichargn70th171
Traditional software testing methods are being challenged in retail, where customer expectations and technological advancements continually shape the landscape. Enter generative AI—a transformative subset of artificial intelligence technologies poised to revolutionize software testing.
How to Position Your Globus Data Portal for Success Ten Good PracticesGlobus
Science gateways allow science and engineering communities to access shared data, software, computing services, and instruments. Science gateways have gained a lot of traction in the last twenty years, as evidenced by projects such as the Science Gateways Community Institute (SGCI) and the Center of Excellence on Science Gateways (SGX3) in the US, The Australian Research Data Commons (ARDC) and its platforms in Australia, and the projects around Virtual Research Environments in Europe. A few mature frameworks have evolved with their different strengths and foci and have been taken up by a larger community such as the Globus Data Portal, Hubzero, Tapis, and Galaxy. However, even when gateways are built on successful frameworks, they continue to face the challenges of ongoing maintenance costs and how to meet the ever-expanding needs of the community they serve with enhanced features. It is not uncommon that gateways with compelling use cases are nonetheless unable to get past the prototype phase and become a full production service, or if they do, they don't survive more than a couple of years. While there is no guaranteed pathway to success, it seems likely that for any gateway there is a need for a strong community and/or solid funding streams to create and sustain its success. With over twenty years of examples to draw from, this presentation goes into detail for ten factors common to successful and enduring gateways that effectively serve as best practices for any new or developing gateway.
How Recreation Management Software Can Streamline Your Operations.pptxwottaspaceseo
Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.
In software engineering, the right architecture is essential for robust, scalable platforms. Wix has undergone a pivotal shift from event sourcing to a CRUD-based model for its microservices. This talk will chart the course of this pivotal journey.
Event sourcing, which records state changes as immutable events, provided robust auditing and "time travel" debugging for Wix Stores' microservices. Despite its benefits, the complexity it introduced in state management slowed development. Wix responded by adopting a simpler, unified CRUD model. This talk will explore the challenges of event sourcing and the advantages of Wix's new "CRUD on steroids" approach, which streamlines API integration and domain event management while preserving data integrity and system resilience.
Participants will gain valuable insights into Wix's strategies for ensuring atomicity in database updates and event production, as well as caching, materialization, and performance optimization techniques within a distributed system.
Join us to discover how Wix has mastered the art of balancing simplicity and extensibility, and learn how the re-adoption of the modest CRUD has turbocharged their development velocity, resilience, and scalability in a high-growth environment.
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
Strategies for Successful Data Migration Tools.pptxvarshanayak241
Data migration is a complex but essential task for organizations aiming to modernize their IT infrastructure and leverage new technologies. By understanding common challenges and implementing these strategies, businesses can achieve a successful migration with minimal disruption. Data Migration Tool like Ask On Data play a pivotal role in this journey, offering features that streamline the process, ensure data integrity, and maintain security. With the right approach and tools, organizations can turn the challenge of data migration into an opportunity for growth and innovation.
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamtakuyayamamoto1800
In this slide, we show the simulation example and the way to compile this solver.
In this solver, the Helmholtz equation can be solved by helmholtzFoam. Also, the Helmholtz equation with uniformly dispersed bubbles can be simulated by helmholtzBubbleFoam.
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisGlobus
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
First Steps with Globus Compute Multi-User EndpointsGlobus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns
Unlocking Business Potential: Tailored Technology Solutions by Prosigns
Discover how Prosigns, a leading technology solutions provider, partners with businesses to drive innovation and success. Our presentation showcases our comprehensive range of services, including custom software development, web and mobile app development, AI & ML solutions, blockchain integration, DevOps services, and Microsoft Dynamics 365 support.
Custom Software Development: Prosigns specializes in creating bespoke software solutions that cater to your unique business needs. Our team of experts works closely with you to understand your requirements and deliver tailor-made software that enhances efficiency and drives growth.
Web and Mobile App Development: From responsive websites to intuitive mobile applications, Prosigns develops cutting-edge solutions that engage users and deliver seamless experiences across devices.
AI & ML Solutions: Harnessing the power of Artificial Intelligence and Machine Learning, Prosigns provides smart solutions that automate processes, provide valuable insights, and drive informed decision-making.
Blockchain Integration: Prosigns offers comprehensive blockchain solutions, including development, integration, and consulting services, enabling businesses to leverage blockchain technology for enhanced security, transparency, and efficiency.
DevOps Services: Prosigns' DevOps services streamline development and operations processes, ensuring faster and more reliable software delivery through automation and continuous integration.
Microsoft Dynamics 365 Support: Prosigns provides comprehensive support and maintenance services for Microsoft Dynamics 365, ensuring your system is always up-to-date, secure, and running smoothly.
Learn how our collaborative approach and dedication to excellence help businesses achieve their goals and stay ahead in today's digital landscape. From concept to deployment, Prosigns is your trusted partner for transforming ideas into reality and unlocking the full potential of your business.
Join us on a journey of innovation and growth. Let's partner for success with Prosigns.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces
Designing for Privacy in Amazon Web ServicesKrzysztofKkol1
Data privacy is one of the most critical issues that businesses face. This presentation shares insights on the principles and best practices for ensuring the resilience and security of your workload.
Drawing on a real-life project from the HR industry, the various challenges will be demonstrated: data protection, self-healing, business continuity, security, and transparency of data processing. This systematized approach allowed to create a secure AWS cloud infrastructure that not only met strict compliance rules but also exceeded the client's expectations.
We describe the deployment and use of Globus Compute for remote computation. This content is aimed at researchers who wish to compute on remote resources using a unified programming interface, as well as system administrators who will deploy and operate Globus Compute services on their research computing infrastructure.
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Globus
Large Language Models (LLMs) are currently the center of attention in the tech world, particularly for their potential to advance research. In this presentation, we'll explore a straightforward and effective method for quickly initiating inference runs on supercomputers using the vLLM tool with Globus Compute, specifically on the Polaris system at ALCF. We'll begin by briefly discussing the popularity and applications of LLMs in various fields. Following this, we will introduce the vLLM tool, and explain how it integrates with Globus Compute to efficiently manage LLM operations on Polaris. Attendees will learn the practical aspects of setting up and remotely triggering LLMs from local machines, focusing on ease of use and efficiency. This talk is ideal for researchers and practitioners looking to leverage the power of LLMs in their work, offering a clear guide to harnessing supercomputing resources for quick and effective LLM inference.
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
On deriving the private key from a public key
1. On Deriving the Private Key
from a Public Key
Basic Experiments with the Diffie-Hellman System
Dr. Dharma Ganesan, Ph.D.,
2. Disclaimer
● The opinions expressed here are my own but not the views of my employer
● The source code fragments shown here can be reused but
○ without any warranty nor accept any responsibility for failures
● Do not apply the exploit discussed here on other systems
○ without obtaining authorization from owners
2
3. Context
● The problem discussed here is given by a Cryptographer (Prof. Dan Boneh)
○ I performed this experiment to harden my under-the-hood Cryptography foundation
○ Applied Cryptography is an essential component of my professional work, too
● The key exchange system is Diffie-Hellman Public Key Cryptography
○ More details later
○ Alias: Diffie-Hellman (DH) or Diffie-Hellman-Merkle System
● The problem is to mechanically derive the private key given a public key
3
4. Agenda
● Overview of the DH key exchange system
● Breaking the DH system using Bruteforce
● Applying Baby-step Giant-step Algorithm to break the DH system
● Limitations of Baby-step Giant-step Algorithm
4
5. Prerequisite
The slides assume that the reader is comfortable with the basics of
● Group Theory (Abstract Algebra/Discrete Math)
● Modular arithmetic principles (Number Theory)
● Algorithms and Complexity Theory
● Probability Theory
● If not, it should still be possible to obtain a high-level overview
5
6. How can Alice and Bob agree on a common key K
for symmetric encryption/decryption?
6
Key K Key K
● Alice and Bob never met each other
● Alice will encrypt using the key K
● Bob will decrypt using the same key K
● But how will Alice and Bob agree on
the same key K?
7. Diffie-Hellman Key Exchange
● Invented in 1970s
● Solved the problem of symmetric key exchange over a public channel
○ Rooted in elegant mathematics (details later) - Finite Field
● Alice and Bob arrive at a shared key for encryption/decryption using math
● Eavesdropper Eve cannot easily derive the shared key
○ unless she solves hard math problems that are computationally intractable
7
8. Diffie-Hellman Key Exchange (Basic Version)
● Let G be a finite cyclic group of order p (prime)
● Let g be a generator of G
● Let Alice and Bob are two parties who want to communicate securely
● Keys of Alice:
○ Private key is a which is a random element of group G
○ Public key is ga
○ <ga
, a> is the public and private key pair of Alice
● Keys of Bob:
○ Private key is b which is a random element of group G
○ Public key is gb
○ <gb
, b> is the public and private key pair of Bob
8
9. Assumptions of the Basic Version
● Alice and Bob authenticate each other through other means
○ For example, using digital certificates, out of band shared key, etc.
● Attackers can only eavesdrop the public channel
● Attackers are not allowed to edit data exchanged over the public channel
9
10. Deriving the Shared Key for Encryption/Decryption
● Alice publishes A = ga
mod p
● Bob publishes B = gb
mod p
● Alice computes Key K = Ba
= (gb
)a
mod p
● Bob computes Key K = Ab
= (ga
)b
mod p
● Since (gb
)a
= gba
= (ga
)b
, both users have the same shared key K = gab
○ It is remarkable that a simple exponentiation property solves the key exchange problem
10
11. ● g, A= ga
, B= gb
, and p are public
○ Attackers can see values
● a and b are private
○ Never sent out by Alice and Bob
11
12. Exponents grow so fast (240
has 13 digits-10 trillions)
dharma@kali:~/crypto# java Growth 41
2 power 0:1:1
2 power 1:2:1
2 power 2:4:1
2 power 3:8:1
2 power 4:16:2
2 power 5:32:2
2 power 6:64:2
2 power 7:128:3
2 power 8:256:3
2 power 9:512:3
2 power 10:1024:4
2 power 11:2048:4
2 power 12:4096:4
2 power 13:8192:4
2 power 14:16384:5
2 power 15:32768:5
2 power 16:65536:5
2 power 17:131072:6
2 power 18:262144:6
2 power 19:524288:6
2 power 20:1048576:7
2 power 21:2097152:7
2 power 22:4194304:7
2 power 23:8388608:7
2 power 24:16777216:8
2 power 25:33554432:8
2 power 26:67108864:8
2 power 27:134217728:9
2 power 28:268435456:9
2 power 29:536870912:9
2 power 30:1073741824:10
2 power 31:2147483648:10
2 power 32:4294967296:10
2 power 33:8589934592:10
2 power 34:17179869184:11
2 power 35:34359738368:11
2 power 36:68719476736:11
2 power 37:137438953472:12
2 power 38:274877906944:12
2 power 39:549755813888:12
2 power 40:1099511627776:13
12
13. But Exponentiation is very fast to compute
● On my laptop, I can compute 25000
in ~0.15 sec; 25000
has 1506 digits
○ Thanks to Java’s BigInteger class
13
14. My little Exponent Wrapper Code
import java.math.BigInteger;
public class Power {
public static void main(String[] args) {
if(args.length != 2) {
System.err.println("Usage: java Power <base> <exponent>");
System.exit(1);
}
BigInteger base = new BigInteger(args[0]);
int exponent = Integer.parseInt(args[1]);
BigInteger basePowExp = base.pow(exponent);
System.out.println(base + " power " + exponent + " = " + basePowExp.toString() + ":"
+ basePowExp.toString().length());
}
}
14
15. Exponentiation in a Finite Group is very fast, too
We can compute (22
)5000
mod 100000 in 0.13s on a laptop
15
16. My little Modular Exponent Wrapper code
import java.math.BigInteger;
public class ModPower {
public static void main(String[] args) {
if(args.length != 3) {
System.err.println("Usage: java ModPower <base> <exponent> <mod>");
System.exit(1);
}
BigInteger base = new BigInteger(args[0]);
BigInteger exponent = new BigInteger(args[1]);
BigInteger m = new BigInteger(args[2]);
BigInteger basePowExp = base.modPow(exponent, m);
System.out.println(basePowExp.toString());
}
}
16
17. Complexity of Modular Exponentiation
● We need to compute gx
mod p for some random x in a finite field
● gx
can be calculated in the order of log2
(x);
○ The complexity is O(log2
x)
● For example, 232
can be calculated just using 5 multiplications
○ Right-to-left binary method is a classical method for modular exponentiation
● It is easy to calculate gx
mod p for very large x
○ For example, if x = 2200
then gx
can be computed with just 200 multiplications
● Both Alice and Bob do not have to perform many multiplications!
○ Generating public keys is fast even for very large x
○ In ~0.15 sec, Alice and Bob can compute modular exponentiation
17
18. Threat Model of the Key Exchange Method
● Given <g, ga
, gb
>, the attackers’ goal is to compute gab
, the encryption key
○ gab
also called the shared session secret key
● If gab
can be computed efficiently, the game is over because it is the
encryption key
○ Equivalently, there is no confidentiality if gab
can be computed in a short time
● If the attackers can compute a from ga
, then they compute gab
immediately
○ Similarly, if b is computable from gb
, gab
is also immediately available
18
19. Complexity of Reverse Exponentiation
● Given h = gx
mod p, we can bruteforce for all x until a suitable h is found
● Brute-force is linear in the order of the group (experimental details later)
○ Not practical for very large group of order, say 2100
or more
● Reverse of a modular exponentiation is a “hard” CS/Math problem
○ No publicly known algorithm can find x in a reasonable amount of time for very large groups
ExponentiationReverse
Exponentiation
19
20. General Problem Statement
● Given a finite cyclic group of order p, generator g, the public key h, find the
private key x.
● That is, given h = gx
mod p, the goal is to find x
● This problem is called the discrete logarithm problem in CS/Math
20
21. Simplified Problem Statement
Write a program to compute discrete log modulo a prime p.
Let g be some element in Z*
p
and suppose you are given h in Z*
p
such that h=gx
where 1≤x≤240
. Your goal is to find x. More precisely, the input to your program is
p,g,h and the output is x.
Z*
p
denotes a finite integer cyclic group of order p
❖ Let’s crack it using Baby-step Giant-step algorithm (implementation in Java)
21
22. Brute-force/naive Exponent Search Code
Given a finite cyclic group of order p, generator g, the public key h, find the private key x by brute-forcing
to break the Diffie-Hellman for exponents less than the given bound.
public static long search(BigInteger p, BigInteger g, BigInteger h, long bound) {
for(long x = 0; x < bound; x++) {
BigInteger gRaisedx = g.modPow(BigInteger.valueOf(x), p);
if(gRaisedx.equals(h)) {
return x;
}
}
return 0;
}
22
23. Junit test client for brute-force search
public class DiscreteLogTestBF extends
TestCase{
public void testRecoverExponent() {
BigInteger p = new
BigInteger("13407807929942597099574024998
205846127479365820592393377723561443721
764030073546976801874298166903427690031
858186486050853753882811946569946433649
006084171");
BigInteger g = new
BigInteger("11717829880366207009516117596
335367088558084999998952205599979459063
929499736583746670572176471460312928594
829675428279466566527115212748467589894
601965568");
BigInteger h = new
BigInteger("32394751040504504435652643787
280657886490975209524495278347924529719
819761432925580738569379585531805328789
280014947060973941085775857324523076734
44020333");
/* Assume that the exponent is bounded by 2
power 40.
*/
long bound = (long) Math.pow(2, 40);
long x = DiscreteLogBF.search(p, g, h,
bound);
BigInteger gRaisedx =
g.modPow(BigInteger.valueOf(x), p);
assert gRaisedx.equals(h);
}
} 23
24. Brute-force - didn’t work even after ~10 hrs
● Brute-force is hopeless to solve the discrete log problem
● I had to press ctrl+c to terminate the program after ~10 hrs
dharma@kali:~/crypto# time junit DiscreteLogTestBF
^C
real 550m57.510s
user 549m19.944s
sys 0m31.444s
24
25. Baby-step Giant-step algorithm
● Assume that the unknown x < 2n
, for a given n > 0
● The exponent is rewritten using smaller numbers
○ where B = ⌈√2n
⌉, and x0
, x1
in [0, B-1]
○ Split the exponent into two sides
● Phase1:Built a hashtable of the left-hand side(LHS)
○ Map from h/gxi
to xi
○ Key-value pair: h/gxi
→ xi
● Phase2: For each x0
compute the RHS and
○ search until the RHS is part of the hashtable
■ compute x using known values x0
, x1
, and B
● Alias: Meet-in-the-middle attack
25
26. Baby-step Giant-step implementation - phase 1
26
BigInteger findExponent(BigInteger p, BigInteger g, BigInteger h, long bound) {
Hashtable<BigInteger, Long> hashtable = new Hashtable<BigInteger, Long>();
BigInteger gRaisedB = g.modPow(BigInteger.valueOf(bound), p);
BigInteger x = BigInteger.ZERO;
for(long x1 = 0; x1 < bound; x1 = x1+1) {
BigInteger lhs = g.modPow(BigInteger.valueOf(x1), p).
modInverse(p).multiply(h).m
hashtable.put(lhs, x1);
}
Baby-step: Building a
hashtable between h/gx1
and x1
28. Given public parameters p, g, and h, find x (private)
public void testRecoverExponent() {
BigInteger p = new
BigInteger("134078079299425970995740249982058461274793658205923933777235614437217640300735469768
01874298166903427690031858186486050853753882811946569946433649006084171");
BigInteger g = new
BigInteger("117178298803662070095161175963353670885580849999989522055999794590639294997365837466
70572176471460312928594829675428279466566527115212748467589894601965568");
BigInteger h = new
BigInteger("323947510405045044356526437872806578864909752095244952783479245297198197614329255807
3856937958553180532878928001494706097394108577585732452307673444020333");
long expMiddle = (long) Math.pow(2, 40/2);
BigInteger x = DiscreteLog.findExponent(p, g, h, expMiddle);
BigInteger gRaisedx = g.modPow(x, p);
System.out.println("Exponent x = " + x);
assert gRaisedx.equals(h);
}
● p, g, and h are about 150 digits
● The finite group size is 512 bits
28
29. Output: private key x such that h = gx
mod p
29
● On a DELL personal laptop it took only ~1.5 minutes to extract the private key
○ This includes the time to build the hash table and search
dharma@kali:~/crypto# time junit DiscreteLogTest
x0 = 357984 x1 = 787046
Exponent x = 375374217830 (i.e., 375 billion, 374 million, 217 thousand, and 830)
real 1m54.240s
user 1m56.588s
sys 0m0.416s
30. Scalability problems - out of Heap Memory
● The Baby-step builds a large hashtable
● I was curious how large the exponent I can handle on my laptop
● Tried for exponent x ≤ 250
● The Baby-step table will have at most 225
hash table entries
○ This is about 34 million entries (just too many)
● My Java JVM heap ran out of memory when x > 242
30
31. Scalability Problems - Out of Disk Memory
● I stored the hash table onto my disk
○ This storage strategy can break DH if x ≤ 254
● The Baby-step table will have at most 227
hash table entries
○ This is about 135 million entries (just too many)
● My disk ran out of memory, if x > 254
31
32. Complexity of Baby-step Giant-step algorithm
● Time complexity is the square root of order of the group: O(p1/2
)
● If the order is 240
, the private key can be computed in 220
operations
○ This is significantly better and faster than brute-force search
● But, in practice the order of the group is very large, for example, 2400
○ Then, the Baby-step giant-step will take 2200
operations (still a lot of time)
● This algorithm is promising but not scalable for very large groups
○ Java heap runs out of memory after storing 222
key-value pairs in memory
○ Distributed hashing or disk-based hashing could help but not dramatic (exponents grow fast)
● No easy way to recover the private key from a public key in general
32
33. Probabilistic Analysis
● The private key we reconstructed is x = 375374217830
● x = (101011101100110000011000000001001100110)2
● # of bits of x is only 39 bits
○ dharma@kali:~/crypto# echo -n "101011101100110000011000000001001100110" | wc -c
39
● Recall that our prime field’s order is 512 bits
● Prob (x < 240
) = 240
/2512
= 1/2472
○ There is a negligible probability that a random private key (or exponent) x is less than 240
● Popular libraries check whether the random exponent is very large
○ Otherwise, it is easy to derive the private key from the public key
○ Details given later
33
34. Distributed searching for private key (i.e. exponent)?
● Let’s assume the exponent strength is 160-bits (i.e. x < 2160
)
● Baby-step giant-step will need to build a hash table of 280
entries
● Based on this experiment, we can build a hash table of 227
per computer
○ Thus, we would need 280
/ 227
= 253
computers
● The world has about 231
= 2 billion computers (in 2017) but we need 253
computers
○ 253
= 9007199254740992
● In 231
computers, we can store 231
* 227
= 258
hash table entries
● If the exponent x is less than 2116
, we can use all computers in the world to
solve the discrete log problem
34
35. Similar Attacks - LogJam
● A team of Cryptographers used other discrete log algorithm to break DH
○ Number Field Sieve (NFS)
● Three major phases of NFS only depend on the order of group
○ Most implementations use well-known, published groups in RFC standards
● LogJam precomputes the computationally intensive phases upfront
● Finally, it uses session-specific parameters to find x such that h = gx
mod p
35
36. Do real implementations check the strength of the
Private Key (i.e., exponent x)?
36
○ It appears that Bouncy Castle implementation checks the strength of the random
number used as the private key
■ See DHKeyGeneratorHelper.java and DHParameters
○ public class DHParameters implements CipherParameters {
private static final int DEFAULT_MINIMUM_LENGTH = 160;
for (;;) {
BigInteger x = BigIntegers.createRandomInRange(min, max, random);
if (WNafUtil.getNafWeight(x) >= minWeight) {
return x;
}
}
37. Non-standard implementations do not check the
strength of the private key
37
http://www.geeksforgeeks.org/implementation-diffie-hellman-algorithm/
http://www.programmingboss.com/2015/11/diffie-hellman-key-exchange-algorithm.
html
https://gist.github.com/cloudwu/8838724
https://github.com/pannous/Diffie-Hellman/blob/master/DH.java
...
38. Amateur code do not check private key strength :)
38
https://github.com/pannous/Diffie-Hellman/blob/master/DH.java
// on machine 1
secretA = new BigInteger(bitLength-2,randomGenerator);
// on machine 2
secretB = new BigInteger(bitLength-2,randomGenerator);
// to be published:
publicA=generatorValue.modPow(secretA, primeValue);
publicB=generatorValue.modPow(secretB, primeValue);
sharedKeyA = publicB.modPow(secretA,primeValue);
sharedKeyB = publicA.modPow(secretB,primeValue);
secretA or B
can be small.
39. An interesting comment that surprised me :)
https://gist.github.com/cloudwu/8838724
This implementation of DH possible works for 64-bit key size but can be broken
easily using Baby-step Giant-step (hash table size will only be 232
)
39
40. Closing Remarks
● DH key exchange system is based on one-way functions
○ Easy to compute (exponentiation) but difficult to reverse
● Brute-force is hopeless to solve the discrete log problem to reverse
○ Did not solve even after running for 10 hrs
● Baby-step Giant-step algorithm is much better than brute-force
● Given h = gx
mod p, finding x is possible for “smaller” x values only though
○ By small, I mean on my laptop, x <= 244
○ If we store the hash table onto the disk, we can break if x <= 254
● If we choose standard implementations, the lower bound of x is checked!
○ This makes it difficult to break DH using Baby-step Giant-step algorithm
○ Non-standard implementations do not have the check - can be dangerous
40
41. Tentative Future Plans
● Using powerful key-store implementations (e.g., Berkeley DB)
● Experiment with other discrete log algorithms. For example:
○ Pollard Rho method
○ Index Calculus
○ Number field sieve
● Analyse existing open-source implementations of DH
● Discrete log in Elliptic Curve Crypto
41
42. References
● W. Diffie and M. E. Hellman. “New Directions in Cryptography”, IEEE
Transactions on Information Theory, vol. IT-22, no. 6, november, 1976.
● Modular Exponentiation
https://en.wikipedia.org/wiki/Exponentiation_by_squaring
● David Adrian et. al. “Imperfect Forward Secrecy: How Diffie-Hellman Fails in
Practice”, ACM Conference on Computer and Communications Security.
42
43. References ...
● C. Paar and J. Pelzl. “Understanding Cryptography: A Textbook for Students
and Practitioners”, Springer, 2011.
43