SlideShare a Scribd company logo

Recover A RSA Private key from a TLS session with perfect forward secrecy

Priyanka Aash
Priyanka Aash

This document discusses recovering an RSA private key from a TLS session using a side channel attack that exploits the RSA-CRT optimization. It begins with background on side channel attacks and an overview of the roadmap. It then discusses how RSA signatures work, the RSA-CRT optimization, and how a fault during signature generation using RSA-CRT can leak a private key factor. The document demonstrates checking for faulty signatures in TLS and recovering the private key. It notes the attack requires RSA-CRT, signatures on known values, and a faulty signature.

Technology
1 of 59
Download to read offline
Recover a RSA private key from a TLS session with Perfect Forward Secrecy (Marco Ortisi – 2016)
About me • Netizen and IT Security enthusiast since 1996 • Penetration Tester since 1999  In love with buffer overflow flaws  I adore exotic vulnerabilities • Senior/Principal Penetration tester? Just a curious guy • Get in touch with me! marco.ortisi@segfault.it
About the topic • Imagine you can get a server private key by sniffing TLS traffic or interacting through the network with a TLS service. Does it look quite exotic? • Done via a side channel attack • Side Channel Attack – from Wikipedia • “…any attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses in the algorithms (compare cryptanalysis). For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information, which can be exploited to break the system…”
Roadmap Introduction First demo More insight into the attack Second demo Greetings and questions
The attack and roots with the past • (1996) Arjen Lenstra demonstrated that the usage of the so-called CRT (Chinese Remainder Theorem) optimization put the RSA implementations at great risk (aka private key leakage) if a fault occurred during the computation of a digital RSA signature. (https://infoscience.epfl.ch/record/164524/files/nscan20.PDF)
What is a RSA signature • RSA encryption  public key is used to encrypt a message  private key is used to decrypt that message • RSA signing  private key is used to sign a value (actually it is an encryption operation)  public key is used to decrypt that value
The attack and roots with the past • 1996) Arjen Lenstra demonstrated that the usage of the so-called CRT (Chinese Remainder Theorem) optimization put the RSA implementations at great risk (aka private key leakage) if a fault occurred during the computation of a digital RSA signature. (https://infoscience.epfl.ch/record/164524/files/nscan20.PDF) • (200x?) - Attack conjectured as possible on smartcards if someone has physical access to the device and can disrupt the math behind the RSA operations
The attack and roots with the past • (2001) OpenPGP Attack (http://eprint.iacr.org/2002/076.pdf). a) get a local copy of file containing the encrypted private key; b) tamper with it in order to introduce faulty bits; c) capture a single message subsequently signed with the modified encrypted private key (for example an email); d) enjoy your leaked private key  • (2015) by targeting TLS, Florian Weimer (Red Hat) unveiled the attack can have remote impacts. https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf
Public key exposed
Recover a RSA private key: Prerequisites • (a) Presence of a RSA signature calculated using the RSA-CRT optimization… • (b) The signature must be applied on values known by the attacker… • (c) Generated signature faulty/miscalculated…
What if the attack is successful? • Private key is exposed • The real server can be impersonated • Man-in-The-Middle attack can be performed without alarming the legitimate clients
What if the attack is successful?
DEMO TIME (PART 1)(enter High Voltage!)
From: http://support-public.cfm.software.dell.com/33164_sonicos_5.8.4.2_releasenotes.pdf
From: http://support-public.cfm.software.dell.com/33164_sonicos_5.8.4.2_releasenotes.pdf
A Little Recap • (a) Presence of a RSA signature calculated using the RSA-CRT optimization… • (b) The signature must be applied on values known by the attacker… • (c) Generated signature faulty/miscalculated…
(a) RSA Signature with RSA-CRT • The modular exponentiations required by RSA are computationally expensive • RSA-CRT introduced a less expensive way to do RSA operations (decryption and signing) • RSA-CRT is used by default in almost every known crypto library out there (openssl, OpenJDK, libgcrypto, PolarSSL, etc…) • Condition (a) is normally satisfied
(b) Signature calculated on known values • We define “X” as the value to be signed • Padding can influence the final “shape” of “X” before being signed and make this unpredictable… • …but with SSL3.0, TLS 1.0, 1.1 and 1.2 the padding scheme (a variant of PKCS1.5) is fully deterministic (not randomized) and then predictable
(b) PKCS 1.5 Padding • Payload: 0D3F8FF87A4D697E73FE86077FD1D10C4ECC59797E759EDD89931B 2208B8044CB4A1B96A • Padded Payload (RSA 2048 bit): 0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFF000D3F8FF87A4D697E73FE86077FD1D10C4ECC59797E759E DD89931B2208B8044CB4A1B96A
(b) Signature calculated on known values • We define “X” as the value to be signed • Padding can influence the final “shape” of “X” before being signed and make this unpredictable… • …but with SSL3.0, TLS 1.0, 1.1 and 1.2 the padding scheme (a variant of PKCS1.5) is fully deterministic (not randomized) and then predictable • Data signed must be known. This is ALWAYS satisfied in our attack if we carefully target the right ciphersuites
(c) Presence of faulty signature • We identify a faulty RSA signature with the letter “Y” • Events causing the generation of a faulty digital RSA signature can't be predicted but they are out there • Induced by the same vectors like in a typical bit-squatting attack:  CPU overheating  RAM errors  massive exposure of hardware to solar rays  etc…
The right ciphersuite... • Prerequisite (b) – Signature calculated on known values • The condition (b) is ALWAYS satisfied in our attack if we carefully target the right ciphersuites
The right ciphersuite... • RSA_WITH_AES_256_CBC_SHA  RSA = Authentication + Key Exchange  AES = Symmetric algorithm used to encrypt data  CBC = Mode of operation  SHA = Hashing algorithm to avoid data tampering • RSA private key leaked = all TLS sessions compromised (current, past and future ones) • The “Certificate” message contains a Signature created with the private key of CA  statically embedded inside the certificate (not generated on the fly)  the condition (b) is not satisfied
The right ciphersuite... • DHE_RSA_WITH_AES_256_CBC_SHA  DHE = Key Exchange  RSA = Only used for Authentication  [the rest is the same as previously mentioned] • The key exchange is done using private/public keys generated on the fly  Compromission of a private key breaks only that specific encrypted session, not all the previously established  This is called "Perfect Forward Secrecy"
PFS fits REALLY perfectly to us • RSA signature appended onto a TLS Server Key Exchange Message
PFS fits REALLY perfectly to us • A RSA signature is appended on a TLS Server Key Exchange Message • The values on which it is calculated are well known, padding scheme is deterministic  Client Random struct (Client Hello Message)  Server Random struct (Server Hello Message)  Server Params struct (Server Key Exchange Message) • DHE_RSA_WITH_AES_256_CBC_SHA and in general [EC]DHE_RSA_WITH_ANY_ANY_ANY ciphersuites are good for us  The condition (b) is satisfied this time
TLS Client Hello (PFS ciphersuites only negotiation) How High Voltage! works...
TLS Server Hello How High Voltage! works...
TLS Server Certificate n e How High Voltage! works...
TLS Server Key Exchange How High Voltage! works...
TLS Server Key Exchange Client Random Struct (Client Hello Message) Server Random Struct (Server Hello Message) Server Param Struct (Key Exchange Message) How High Voltage! works...
Attacking TLS abusing PFS • Because of “(c) Presence of faulty signature”, the attack can be carried out only when a RSA signature is faulty. How to determine that? • Looking for faulty signatures:  We know padding scheme (PKCS 1.5) and the values on which the server calculates its signature - Client Random struct (Client Hello Message) - Server Random struct (Server Hello Message) - Server Params struct (Server Key Exchange Message)  We know the clear-text message on which the signature is applied  We have the public key of server and can decrypt the signature from the TLS Server Key Exchange  If there is a mismatch between the decrypted signature and the expected plain-text value, we have found what we are looking for
yes Collect all TLS messages up to Server Key Exchange TLS < 1.2? Generate offline two hash (MD5 and SHA1) of Client Random + Server Random + Server Param values (O_S1) Concatenation of the MD5 and SHA1 hashes to get the (O_S2) value Use the public key from the certificate to decrypt the signature value exposed on TLS Server Key Exchange (S_S1) Remove the padding from S_S1 to get the raw signature (S_S2) Compare O_S2 and S_S2 Is there a match? Repeat the TLS handshake Try to recover the private key no yes How to check if a digital signature is invalid? (TLS < 1.2)
How to check if a digital signature is invalid? (TLS 1.2) yes Collect all TLS messages up to Server Key Exchange TLS 1.2? Parse the TLS Server Key Exchange Message to extract the algorithm with which the signature has been created from server (ALG_x) Generate offline a hash using the algorithm ALG_x on Client Random + Server Random + Server Param values (O_S1) Use the public key from the certificate to decrypt the signature value exposed in the Server Key Exchange Message (S_S1) Remove the padding from S_S1 to get the raw signature (S_S2) Compare O_S1 and S_S2 Is there a match? Repeat the TLS handshake Try to recover the private key no yes
What else? • How RSA works • RSA-CRT optimization • 2nd DEMO
How RSA works • c = ciphertext • m = message to encrypt • n, e = public key • e = little exponent (usually a value such as 3 or 65537) • n = big semiprime number (p * q) (p and q are said "prime factors") • d = inverse_mod(e,(p-1) * (q-1)) private key mathematically tied with n • getting “p” and “q” a private key can be recovered because "e" is already a public information encryption = c = m^e mod n decryption = m = c^d mod n
RSA: Rule 1 Gaining a prime factor of n (whatever of the two) we can determine very easily the other one and recover the private key • n = 77 (the public key into the certificate) • p = 7 (leaked prime factor) • q = ? n = p * q d = inverse_mod(e,(p-1) * (q-1))
RSA: Rule 1 Gaining a prime factor of n (whatever of the two) we can determine very easily the other one and recover the private key • n = 77 (the public key into the certificate) • p = 7 (leaked prime factor) • q = 11  77 / 7 • 77 / 11 = 7 (p) • 7 x 11 = 77 (n) n = p x q d = inverse_mod(e,(p-1) x (q-1))
RSA-CRT • RSA-CRT (CRT stands for Chinese Remainder Theorem) • With this optimization the RSA calculation is broken down into two smaller parts
RSA-CRT • Precompute the following values: qInv = (1/q) mod p dP = d (mod p - 1) dQ = d (mod q - 1) • …and next calculate: m1 = c^dP mod p m2 = c^dQ mod q h = qInv.(m1 - m2) mod p m = m2 + h.q If during m1 or m2 calculation there is a fault, a faulty RSA signature is generated and one prime factor can be leaked with this formula: gcd(y^e – x, n)
RSA-CRT • Precompute the following values: qInv = (1/q) mod p dP = d (mod p - 1) dQ = d (mod q - 1) • …and next calculate: m1 = c^dP mod p m2 = c^dQ mod q h = qInv.(m1 - m2) mod p m = m2 + h.q If during m1 or m2 calculation there is a fault, a faulty RSA signature is generated and one prime factor can be leaked with this formula: gcd(y^e – x, n)
RSA-CRT: Rule 2 We can leak a prime factor of n from a faulty signature when RSA-CRT is used for signing: y = faulty/miscalculated signature (this can be taken directly from the TLS Server Key Exchange message) e = public exponent (found inside the Certificate) x = the original value before to be signed (it is padded but PKCS 1.5 padding scheme is deterministic) n = public key (p * q) (found inside the Certificate) • When one of the prime factors is known... derived_prime_factor = n / leaked_prime_factor • When leaked_prime_factor and derived_prime_factor are known, p and q are known d = inverse_mod(e,(prime_factor_P - 1) * (prime_factor_Q -1 )) gcd(y^e – x, n)
RSA-CRT: Rule 2 We can leak a prime factor of n from a faulty signature when RSA-CRT is used for signing: y = faulty/miscalculated signature (this can be taken directly from the TLS Server Key Exchange message) e = public exponent (found inside the Certificate) x = the original value before to be signed (it is padded but PKCS 1.5 padding scheme is deterministic) n = public key (p * q) (found inside the Certificate) • When one of the prime factors is known... derived_prime_factor = n / leaked_prime_factor • When leaked_prime_factor and derived_prime_factor are known, p and q are known d = inverse_mod(e,(prime_factor_P - 1) * (prime_factor_Q -1 )) gcd(y^e – x, n)
DEMO TIME (PART 2)(enter Piciolla...)
The bottom line • IF:  you have a piece of software linked to a vulnerable crypto library using RSA- CRT &&  that crypto library does not verify the correctness of each RSA signature generated &&  environmental factors occur (CPU overheating, RAM error, etc...) causing the miscalculation of a RSA signature • THEN you might be in trouble…
The Fix • A few of crypto libraries allow users to disable RSA-CRT (not convenient due to performance issues) • Most vendors have recently issued a patch to address this problem Double-checks the correctness of RSA signatures without RSA-CRT optimization: if (y^e = x (mod n)) then signature_valid
Vulnerable crypto libraries PolarSSL < 2.1.1, 1.3.13 and 1.2.16: MBEDTLS_RSA_NO_CRT can be defined to disable RSA-CRT but this option is off by default) libgcrypt < 1.6.3 (equivalent to CVE-2015-5738) Nettle < 3.1: used by GnuTLS Java SE < 5.0u81, 6u91, 7u76, 8u40, and JRockit < R28.3.5 (CVE- 2015-0478) EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x and 4.1.x before 4.1.5, RSA BSAFE Crypto-C Micro Edition (CCME) 4.0.x and 4.1.x before 4.1.3, RSA BSAFE Crypto-J before 6.2.1, RSA BSAFE SSL-J before 6.2.1, and RSA BSAFE SSL-C before 2.8.9 (CVE-2016-0887)
Vulnerable crypto libraries (2) OpenSSL <= 0.9.7 and *potentially* between 1.0.2 and 1.0.2d because of CVE-2015-3193 only on x86_64 architectures + custom versions Go crypto library < 1.6.2 Cryptlib up to latest 3.4.3 (CRYPT_OPTION_MISC_SIDECHANNELPROTECTION would prevent the attack but it is set to false by default) wolfSSL (formerly CyaSSL) < 3.6.8 (CVE-2015-7744) Libtomcrypt < 2.00 Eldos SecureBlackbox < 13.0.280 and 14.0.281 MatrixSSL < 3.8.3 Openswan up to latest version 2.6.47 vulnerable when not compiled with NSS
Device types mainly affected Embedded devices  Various network appliances (firewalls, routers, etc…)  Consumer / SOHO devices  SSL Accelerators  VPN Concentrators  TLS Reverse Proxies  …
FORTINET (Series 300 / FortiGate < 5.0.13 / 5.2.6 / 5.4.0 observed as vulnerable) Dell (SonicWALL< SonicOS 6.1.1.12 found affected) F5 (Traffix SDC affected) ZTE ZXSEC Firewall (affected models US2640B, US2630B, US2620B) LANCOM wireless devices (version 8.84) <- apparently silently patched since 2014 D-Link-DCS-933L Surveillance camera HILLSTONE NETWORKS (SG-6000 Firewall) CITRIX ZYXEL NORTEL QNO Viprinet BEJY Alteon Affected devices
But remember... •“…a piece of software linked to a vulnerable crypto library using RSA- CRT…” • Wait! Is this problem only related to TLS, right? • No! PFS and RSA are used A LOT in IPSEC VPN (IKE), SSH, etc…
IKEv1 (Internet Key Exchange) • Two modes for Phase 1 (Authentication of peers and Negotiation of SA)  Main  Aggressive • It is believed that only by sniffing the network traffic it is not possible to recover a private key (just as happens for TLS) and an active approach is requested.
IKEv1 Phase 1 Main Mode (Signature Auth) IKE Phase 1 Authenticated With Signatures Initiator Responder ----------- ----------- (1) HDR, SA --> <-- (2) HDR, SA (3) HDR, KE, Ni --> <-- (4) HDR, KE, Nr (5) HDR*, IDii, [ CERT, ] SIG_I --> <-- (6) HDR*, IDir, [ CERT, ] SIG_R * Indicates payload encryption
IKEv1 Phase 1 Aggressive Mode (Signature Auth) IKE Phase 1 Authenticated With Signatures Initiator Responder ----------- ----------- (1) HDR, SA, KE, Ni, IDii --> <-- (2)HDR, SA, KE, Nr, IDir, [ CERT, ] SIG_R (3) HDR, [ CERT, ] SIG_I -->
SPECIAL THANKS Frank Bosman for his nice drawings http://turniphead.deviantart.com Florian Weimer (Red Hat) https://access.redhat.com/blogs/766093/posts/1976703 https://pagure.io/symboldb/tree/tls-experiment
PLEASE VISIT SICILY...
Recover a RSA private key from a TLS session with Perferct Forward Secrecy QUESTIONS? High Voltage & Piciolla – http://www.segfault.it/tools/ Marco Ortisi (2016) Blog – http://www.segfault.it/ thanks!

Recommended

de:code 2019 Azure IoT Hub クラウド側の最新機能:デモも交えてご紹介
de:code 2019 Azure IoT Hub クラウド側の最新機能:デモも交えてご紹介de:code 2019 Azure IoT Hub クラウド側の最新機能:デモも交えてご紹介
de:code 2019 Azure IoT Hub クラウド側の最新機能:デモも交えてご紹介
Masaru Takahashi
 
第5回SIA研究会(例会)プレゼン資料
第5回SIA研究会(例会)プレゼン資料第5回SIA研究会(例会)プレゼン資料
第5回SIA研究会(例会)プレゼン資料
Tae Yoshida
 
ITエンジニアのための英語勉強法
ITエンジニアのための英語勉強法ITエンジニアのための英語勉強法
ITエンジニアのための英語勉強法
Etsuji Nakai
 
Play with DockerでDocker学習環境を整えよう!
Play with DockerでDocker学習環境を整えよう!Play with DockerでDocker学習環境を整えよう!
Play with DockerでDocker学習環境を整えよう!
Hori Tasuku
 
ウェブを速くするためにDeNAがやっていること - HTTP/2と、さらにその先
ウェブを速くするためにDeNAがやっていること - HTTP/2と、さらにその先ウェブを速くするためにDeNAがやっていること - HTTP/2と、さらにその先
ウェブを速くするためにDeNAがやっていること - HTTP/2と、さらにその先
Kazuho Oku
 
Cisco Connect Japan 2014:高密度環境におけるシスコ無線デザイン ケース スタディ
Cisco Connect Japan 2014:高密度環境におけるシスコ無線デザイン ケース スタディCisco Connect Japan 2014:高密度環境におけるシスコ無線デザイン ケース スタディ
Cisco Connect Japan 2014:高密度環境におけるシスコ無線デザイン ケース スタディ
シスコシステムズ合同会社
 
【CNDT2020】Tunaclo API Connectで実現する次世代のクラウド間アクセス
【CNDT2020】Tunaclo API Connectで実現する次世代のクラウド間アクセス【CNDT2020】Tunaclo API Connectで実現する次世代のクラウド間アクセス
【CNDT2020】Tunaclo API Connectで実現する次世代のクラウド間アクセス
Kei Furusawa
 
自宅で出来る!ゲームサーバの作り方
自宅で出来る!ゲームサーバの作り方自宅で出来る!ゲームサーバの作り方
自宅で出来る!ゲームサーバの作り方
光晶 上原
 

Recommended

de:code 2019 Azure IoT Hub クラウド側の最新機能:デモも交えてご紹介
de:code 2019 Azure IoT Hub クラウド側の最新機能:デモも交えてご紹介de:code 2019 Azure IoT Hub クラウド側の最新機能:デモも交えてご紹介
de:code 2019 Azure IoT Hub クラウド側の最新機能:デモも交えてご紹介
Masaru Takahashi
 
第5回SIA研究会(例会)プレゼン資料
第5回SIA研究会(例会)プレゼン資料第5回SIA研究会(例会)プレゼン資料
第5回SIA研究会(例会)プレゼン資料
Tae Yoshida
 
ITエンジニアのための英語勉強法
ITエンジニアのための英語勉強法ITエンジニアのための英語勉強法
ITエンジニアのための英語勉強法
Etsuji Nakai
 
Play with DockerでDocker学習環境を整えよう!
Play with DockerでDocker学習環境を整えよう!Play with DockerでDocker学習環境を整えよう!
Play with DockerでDocker学習環境を整えよう!
Hori Tasuku
 
ウェブを速くするためにDeNAがやっていること - HTTP/2と、さらにその先
ウェブを速くするためにDeNAがやっていること - HTTP/2と、さらにその先ウェブを速くするためにDeNAがやっていること - HTTP/2と、さらにその先
ウェブを速くするためにDeNAがやっていること - HTTP/2と、さらにその先
Kazuho Oku
 
Cisco Connect Japan 2014:高密度環境におけるシスコ無線デザイン ケース スタディ
Cisco Connect Japan 2014:高密度環境におけるシスコ無線デザイン ケース スタディCisco Connect Japan 2014:高密度環境におけるシスコ無線デザイン ケース スタディ
Cisco Connect Japan 2014:高密度環境におけるシスコ無線デザイン ケース スタディ
シスコシステムズ合同会社
 
【CNDT2020】Tunaclo API Connectで実現する次世代のクラウド間アクセス
【CNDT2020】Tunaclo API Connectで実現する次世代のクラウド間アクセス【CNDT2020】Tunaclo API Connectで実現する次世代のクラウド間アクセス
【CNDT2020】Tunaclo API Connectで実現する次世代のクラウド間アクセス
Kei Furusawa
 
自宅で出来る!ゲームサーバの作り方
自宅で出来る!ゲームサーバの作り方自宅で出来る!ゲームサーバの作り方
自宅で出来る!ゲームサーバの作り方
光晶 上原
 
新人研修資料 向き合うエンジニア
新人研修資料 向き合うエンジニア新人研修資料 向き合うエンジニア
新人研修資料 向き合うエンジニア
akira6592
 
スマートフォンでの脱出ゲームの作り方
スマートフォンでの脱出ゲームの作り方スマートフォンでの脱出ゲームの作り方
スマートフォンでの脱出ゲームの作り方
Takao Uchikawa
 
猫でもわかるDirectConnect.pdf
猫でもわかるDirectConnect.pdf猫でもわかるDirectConnect.pdf
猫でもわかるDirectConnect.pdf
HirooKatoh
 
Python 2/3コード共存戦略 #osakapy
Python 2/3コード共存戦略 #osakapyPython 2/3コード共存戦略 #osakapy
Python 2/3コード共存戦略 #osakapy
敦志 金谷
 
GCC2016 ゲームエフェクト制作の現状報告
GCC2016 ゲームエフェクト制作の現状報告GCC2016 ゲームエフェクト制作の現状報告
GCC2016 ゲームエフェクト制作の現状報告
t h
 
CyberChefの使い方(HamaCTF2019 WriteUp編)
CyberChefの使い方(HamaCTF2019 WriteUp編)CyberChefの使い方(HamaCTF2019 WriteUp編)
CyberChefの使い方(HamaCTF2019 WriteUp編)
Shota Shinogi
 
VRM 標準シェーダ MToon の使い方
VRM 標準シェーダ MToon の使い方VRM 標準シェーダ MToon の使い方
VRM 標準シェーダ MToon の使い方
VirtualCast, Inc.
 
ゲーム開発初心者の僕がUnity + WebSocketで何か作ってみた
ゲーム開発初心者の僕がUnity + WebSocketで何か作ってみたゲーム開発初心者の僕がUnity + WebSocketで何か作ってみた
ゲーム開発初心者の僕がUnity + WebSocketで何か作ってみた
Kohei Kadowaki
 
未経験者から世界と渡り合うネットワークエンジニアになるためのキャリア設計術
未経験者から世界と渡り合うネットワークエンジニアになるためのキャリア設計術未経験者から世界と渡り合うネットワークエンジニアになるためのキャリア設計術
未経験者から世界と渡り合うネットワークエンジニアになるためのキャリア設計術
Taiji Tsuchiya
 
Unreal Engine 4 Education 1 基礎の基礎・最初は何から学ぶ?
Unreal Engine 4 Education 1 基礎の基礎・最初は何から学ぶ?Unreal Engine 4 Education 1 基礎の基礎・最初は何から学ぶ?
Unreal Engine 4 Education 1 基礎の基礎・最初は何から学ぶ?
エピック・ゲームズ・ジャパン Epic Games Japan
 
Objective-C のキャストと Swift の型変換を比べてみる #akibaswift
Objective-C のキャストと Swift の型変換を比べてみる #akibaswiftObjective-C のキャストと Swift の型変換を比べてみる #akibaswift
Objective-C のキャストと Swift の型変換を比べてみる #akibaswift
Tomohiro Kumagai
 
[JJUG CCC 2021 Spring]Eclipse ユーザのための VSCode のススメ
[JJUG CCC 2021 Spring]Eclipse ユーザのための VSCode のススメ[JJUG CCC 2021 Spring]Eclipse ユーザのための VSCode のススメ
[JJUG CCC 2021 Spring]Eclipse ユーザのための VSCode のススメ
Satoshi Takami
 
帰ってきた凄い謎マシン (ARMのDevice Tree話, 2015年6月 東海道らぐ浜松)
帰ってきた凄い謎マシン (ARMのDevice Tree話, 2015年6月 東海道らぐ浜松)帰ってきた凄い謎マシン (ARMのDevice Tree話, 2015年6月 東海道らぐ浜松)
帰ってきた凄い謎マシン (ARMのDevice Tree話, 2015年6月 東海道らぐ浜松)
shimadah
 
ソフトシンセを作りながら学ぶPythonプログラミング
ソフトシンセを作りながら学ぶPythonプログラミングソフトシンセを作りながら学ぶPythonプログラミング
ソフトシンセを作りながら学ぶPythonプログラミング
Ransui Iso
 
ASP.NET Core の ​ パフォーマンスを支える ​ I/O Pipeline と Channel
ASP.NET Core の ​ パフォーマンスを支える ​ I/O Pipeline と ChannelASP.NET Core の ​ パフォーマンスを支える ​ I/O Pipeline と Channel
ASP.NET Core の ​ パフォーマンスを支える ​ I/O Pipeline と Channel
Joni
 
Immersal を活用した AR クラウドなシステム開発とハンズオン!
Immersal を活用した AR クラウドなシステム開発とハンズオン!Immersal を活用した AR クラウドなシステム開発とハンズオン!
Immersal を活用した AR クラウドなシステム開発とハンズオン!
NishoMatsusita
 
息抜きにUnityであそぼう(3D Game Kit Liteの話)
息抜きにUnityであそぼう(3D Game Kit Liteの話)息抜きにUnityであそぼう(3D Game Kit Liteの話)
息抜きにUnityであそぼう(3D Game Kit Liteの話)
Hiromichi Yamada
 
PostgreSQL16でのロールに関する変更点(第41回PostgreSQLアンカンファレンス@オンライン 発表資料)
PostgreSQL16でのロールに関する変更点(第41回PostgreSQLアンカンファレンス@オンライン 発表資料)PostgreSQL16でのロールに関する変更点(第41回PostgreSQLアンカンファレンス@オンライン 発表資料)
PostgreSQL16でのロールに関する変更点(第41回PostgreSQLアンカンファレンス@オンライン 発表資料)
NTT DATA Technology & Innovation
 
タウンワークアプリの案件開発を支えるオフショアチームの成り立ちとこれから / iOSDC Japan 2021
タウンワークアプリの案件開発を支えるオフショアチームの成り立ちとこれから / iOSDC Japan 2021タウンワークアプリの案件開発を支えるオフショアチームの成り立ちとこれから / iOSDC Japan 2021
タウンワークアプリの案件開発を支えるオフショアチームの成り立ちとこれから / iOSDC Japan 2021
Ataru Osaka
 
金融でスクラムやってみた
金融でスクラムやってみた金融でスクラムやってみた
金融でスクラムやってみた
Naoya Hamachiyo
 
Secure Encryption Technique (SET): A Private Key Cryptosystem
Secure Encryption Technique (SET): A Private Key CryptosystemSecure Encryption Technique (SET): A Private Key Cryptosystem
Secure Encryption Technique (SET): A Private Key Cryptosystem
Avishek Datta
 
Linkedin slides april 2015 pm
Linkedin slides april 2015 pmLinkedin slides april 2015 pm
Linkedin slides april 2015 pm
Peter Mayo
 

More Related Content

What's hot

タウンワークアプリの案件開発を支えるオフショアチームの成り立ちとこれから / iOSDC Japan 2021
タウンワークアプリの案件開発を支えるオフショアチームの成り立ちとこれから / iOSDC Japan 2021タウンワークアプリの案件開発を支えるオフショアチームの成り立ちとこれから / iOSDC Japan 2021
タウンワークアプリの案件開発を支えるオフショアチームの成り立ちとこれから / iOSDC Japan 2021
Ataru Osaka
 

What's hot (20)

新人研修資料 向き合うエンジニア
新人研修資料 向き合うエンジニア新人研修資料 向き合うエンジニア
新人研修資料 向き合うエンジニア
 
スマートフォンでの脱出ゲームの作り方
スマートフォンでの脱出ゲームの作り方スマートフォンでの脱出ゲームの作り方
スマートフォンでの脱出ゲームの作り方
 
猫でもわかるDirectConnect.pdf
猫でもわかるDirectConnect.pdf猫でもわかるDirectConnect.pdf
猫でもわかるDirectConnect.pdf
 
Python 2/3コード共存戦略 #osakapy
Python 2/3コード共存戦略 #osakapyPython 2/3コード共存戦略 #osakapy
Python 2/3コード共存戦略 #osakapy
 
GCC2016 ゲームエフェクト制作の現状報告
GCC2016 ゲームエフェクト制作の現状報告GCC2016 ゲームエフェクト制作の現状報告
GCC2016 ゲームエフェクト制作の現状報告
 
CyberChefの使い方(HamaCTF2019 WriteUp編)
CyberChefの使い方(HamaCTF2019 WriteUp編)CyberChefの使い方(HamaCTF2019 WriteUp編)
CyberChefの使い方(HamaCTF2019 WriteUp編)
 
VRM 標準シェーダ MToon の使い方
VRM 標準シェーダ MToon の使い方VRM 標準シェーダ MToon の使い方
VRM 標準シェーダ MToon の使い方
 
ゲーム開発初心者の僕がUnity + WebSocketで何か作ってみた
ゲーム開発初心者の僕がUnity + WebSocketで何か作ってみたゲーム開発初心者の僕がUnity + WebSocketで何か作ってみた
ゲーム開発初心者の僕がUnity + WebSocketで何か作ってみた
 
未経験者から世界と渡り合うネットワークエンジニアになるためのキャリア設計術
未経験者から世界と渡り合うネットワークエンジニアになるためのキャリア設計術未経験者から世界と渡り合うネットワークエンジニアになるためのキャリア設計術
未経験者から世界と渡り合うネットワークエンジニアになるためのキャリア設計術
 
Unreal Engine 4 Education 1 基礎の基礎・最初は何から学ぶ?
Unreal Engine 4 Education 1 基礎の基礎・最初は何から学ぶ?Unreal Engine 4 Education 1 基礎の基礎・最初は何から学ぶ?
Unreal Engine 4 Education 1 基礎の基礎・最初は何から学ぶ?
 
Objective-C のキャストと Swift の型変換を比べてみる #akibaswift
Objective-C のキャストと Swift の型変換を比べてみる #akibaswiftObjective-C のキャストと Swift の型変換を比べてみる #akibaswift
Objective-C のキャストと Swift の型変換を比べてみる #akibaswift
 
[JJUG CCC 2021 Spring]Eclipse ユーザのための VSCode のススメ
[JJUG CCC 2021 Spring]Eclipse ユーザのための VSCode のススメ[JJUG CCC 2021 Spring]Eclipse ユーザのための VSCode のススメ
[JJUG CCC 2021 Spring]Eclipse ユーザのための VSCode のススメ
 
帰ってきた凄い謎マシン (ARMのDevice Tree話, 2015年6月 東海道らぐ浜松)
帰ってきた凄い謎マシン (ARMのDevice Tree話, 2015年6月 東海道らぐ浜松)帰ってきた凄い謎マシン (ARMのDevice Tree話, 2015年6月 東海道らぐ浜松)
帰ってきた凄い謎マシン (ARMのDevice Tree話, 2015年6月 東海道らぐ浜松)
 
ソフトシンセを作りながら学ぶPythonプログラミング
ソフトシンセを作りながら学ぶPythonプログラミングソフトシンセを作りながら学ぶPythonプログラミング
ソフトシンセを作りながら学ぶPythonプログラミング
 
ASP.NET Core の ​ パフォーマンスを支える ​ I/O Pipeline と Channel
ASP.NET Core の ​ パフォーマンスを支える ​ I/O Pipeline と ChannelASP.NET Core の ​ パフォーマンスを支える ​ I/O Pipeline と Channel
ASP.NET Core の ​ パフォーマンスを支える ​ I/O Pipeline と Channel
 
Immersal を活用した AR クラウドなシステム開発とハンズオン!
Immersal を活用した AR クラウドなシステム開発とハンズオン!Immersal を活用した AR クラウドなシステム開発とハンズオン!
Immersal を活用した AR クラウドなシステム開発とハンズオン!
 
息抜きにUnityであそぼう(3D Game Kit Liteの話)
息抜きにUnityであそぼう(3D Game Kit Liteの話)息抜きにUnityであそぼう(3D Game Kit Liteの話)
息抜きにUnityであそぼう(3D Game Kit Liteの話)
 
PostgreSQL16でのロールに関する変更点(第41回PostgreSQLアンカンファレンス@オンライン 発表資料)
PostgreSQL16でのロールに関する変更点(第41回PostgreSQLアンカンファレンス@オンライン 発表資料)PostgreSQL16でのロールに関する変更点(第41回PostgreSQLアンカンファレンス@オンライン 発表資料)
PostgreSQL16でのロールに関する変更点(第41回PostgreSQLアンカンファレンス@オンライン 発表資料)
 
タウンワークアプリの案件開発を支えるオフショアチームの成り立ちとこれから / iOSDC Japan 2021
タウンワークアプリの案件開発を支えるオフショアチームの成り立ちとこれから / iOSDC Japan 2021タウンワークアプリの案件開発を支えるオフショアチームの成り立ちとこれから / iOSDC Japan 2021
タウンワークアプリの案件開発を支えるオフショアチームの成り立ちとこれから / iOSDC Japan 2021
 
金融でスクラムやってみた
金融でスクラムやってみた金融でスクラムやってみた
金融でスクラムやってみた
 

Viewers also liked

Advanced Crypto Service Provider – cryptography as a service
Advanced Crypto Service Provider – cryptography as a serviceAdvanced Crypto Service Provider – cryptography as a service
Advanced Crypto Service Provider – cryptography as a service
Smart Coders
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
Gabriella Davis
 
Docker ansible-make-chef-puppet-unnecessary-minnihan
Docker ansible-make-chef-puppet-unnecessary-minnihanDocker ansible-make-chef-puppet-unnecessary-minnihan
Docker ansible-make-chef-puppet-unnecessary-minnihan
jbminn
 

Viewers also liked (20)

Secure Encryption Technique (SET): A Private Key Cryptosystem
Secure Encryption Technique (SET): A Private Key CryptosystemSecure Encryption Technique (SET): A Private Key Cryptosystem
Secure Encryption Technique (SET): A Private Key Cryptosystem
 
Linkedin slides april 2015 pm
Linkedin slides april 2015 pmLinkedin slides april 2015 pm
Linkedin slides april 2015 pm
 
Aplication and Transport layer- a practical approach
Aplication and Transport layer- a practical approachAplication and Transport layer- a practical approach
Aplication and Transport layer- a practical approach
 
Advanced Crypto Service Provider – cryptography as a service
Advanced Crypto Service Provider – cryptography as a serviceAdvanced Crypto Service Provider – cryptography as a service
Advanced Crypto Service Provider – cryptography as a service
 
Unified log-meetup-20160420
Unified log-meetup-20160420Unified log-meetup-20160420
Unified log-meetup-20160420
 
3429 How to transform your messaging environment to a secure messaging envi...
3429 How to transform your messaging environment to a secure messaging envi...3429 How to transform your messaging environment to a secure messaging envi...
3429 How to transform your messaging environment to a secure messaging envi...
 
An analysis of TLS handshake proxying
An analysis of TLS handshake proxyingAn analysis of TLS handshake proxying
An analysis of TLS handshake proxying
 
Kubernetes в Avito - Евгений Ольков
Kubernetes в Avito - Евгений ОльковKubernetes в Avito - Евгений Ольков
Kubernetes в Avito - Евгений Ольков
 
One time password(otp)
One time password(otp)One time password(otp)
One time password(otp)
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
 
Automation and ansible
Automation and ansibleAutomation and ansible
Automation and ansible
 
Best Practice TLS for IBM Domino
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM Domino
 
CCNA RS_NB - Chapter 5
CCNA RS_NB - Chapter 5CCNA RS_NB - Chapter 5
CCNA RS_NB - Chapter 5
 
One-Time Password
One-Time PasswordOne-Time Password
One-Time Password
 
Docker ansible-make-chef-puppet-unnecessary-minnihan
Docker ansible-make-chef-puppet-unnecessary-minnihanDocker ansible-make-chef-puppet-unnecessary-minnihan
Docker ansible-make-chef-puppet-unnecessary-minnihan
 
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
 
Vpn
VpnVpn
Vpn
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
 
IT Automation with Ansible
IT Automation with AnsibleIT Automation with Ansible
IT Automation with Ansible
 
IBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-DiveIBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-Dive
 

Similar to Recover A RSA Private key from a TLS session with perfect forward secrecy

[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...
[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...
[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...
PROIDEA
 
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
ghorilemin
 
this is ppt this is ppt this is ppt this is ppt
this is ppt this is ppt this is ppt this is pptthis is ppt this is ppt this is ppt this is ppt
this is ppt this is ppt this is ppt this is ppt
ghorilemin
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
James Wong
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
Young Alista
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
David Hoen
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
Tony Nguyen
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
Luis Goldster
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
Fraboni Ec
 

Similar to Recover A RSA Private key from a TLS session with perfect forward secrecy (20)

[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...
[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...
[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...
 
[Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things![Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things!
 
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
 
SSL overview
SSL overviewSSL overview
SSL overview
 
TLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured CommunicationsTLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured Communications
 
03-SSL (1).ppt
03-SSL (1).ppt03-SSL (1).ppt
03-SSL (1).ppt
 
03-SSL (2).ppt
03-SSL (2).ppt03-SSL (2).ppt
03-SSL (2).ppt
 
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
 
this is ppt this is ppt this is ppt this is ppt
this is ppt this is ppt this is ppt this is pptthis is ppt this is ppt this is ppt this is ppt
this is ppt this is ppt this is ppt this is ppt
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Go paranoid
Go paranoidGo paranoid
Go paranoid
 
Cours4.pptx
Cours4.pptxCours4.pptx
Cours4.pptx
 
TLS/SSL Protocol Design
TLS/SSL Protocol DesignTLS/SSL Protocol Design
TLS/SSL Protocol Design
 

More from Priyanka Aash

Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Priyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Peter Udo Diehl
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
Expeed Software
 

Recently uploaded (20)

Agentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdfAgentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdf
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 

Recover A RSA Private key from a TLS session with perfect forward secrecy

  • 1.
  • 2. Recover a RSA private key from a TLS session with Perfect Forward Secrecy (Marco Ortisi – 2016)
  • 3. About me • Netizen and IT Security enthusiast since 1996 • Penetration Tester since 1999  In love with buffer overflow flaws  I adore exotic vulnerabilities • Senior/Principal Penetration tester? Just a curious guy • Get in touch with me! marco.ortisi@segfault.it
  • 4.
  • 5. About the topic • Imagine you can get a server private key by sniffing TLS traffic or interacting through the network with a TLS service. Does it look quite exotic? • Done via a side channel attack • Side Channel Attack – from Wikipedia • “…any attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses in the algorithms (compare cryptanalysis). For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information, which can be exploited to break the system…”
  • 6. Roadmap Introduction First demo More insight into the attack Second demo Greetings and questions
  • 7. The attack and roots with the past • (1996) Arjen Lenstra demonstrated that the usage of the so-called CRT (Chinese Remainder Theorem) optimization put the RSA implementations at great risk (aka private key leakage) if a fault occurred during the computation of a digital RSA signature. (https://infoscience.epfl.ch/record/164524/files/nscan20.PDF)
  • 8. What is a RSA signature • RSA encryption  public key is used to encrypt a message  private key is used to decrypt that message • RSA signing  private key is used to sign a value (actually it is an encryption operation)  public key is used to decrypt that value
  • 9. The attack and roots with the past • 1996) Arjen Lenstra demonstrated that the usage of the so-called CRT (Chinese Remainder Theorem) optimization put the RSA implementations at great risk (aka private key leakage) if a fault occurred during the computation of a digital RSA signature. (https://infoscience.epfl.ch/record/164524/files/nscan20.PDF) • (200x?) - Attack conjectured as possible on smartcards if someone has physical access to the device and can disrupt the math behind the RSA operations
  • 10. The attack and roots with the past • (2001) OpenPGP Attack (http://eprint.iacr.org/2002/076.pdf). a) get a local copy of file containing the encrypted private key; b) tamper with it in order to introduce faulty bits; c) capture a single message subsequently signed with the modified encrypted private key (for example an email); d) enjoy your leaked private key  • (2015) by targeting TLS, Florian Weimer (Red Hat) unveiled the attack can have remote impacts. https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf
  • 12. Recover a RSA private key: Prerequisites • (a) Presence of a RSA signature calculated using the RSA-CRT optimization… • (b) The signature must be applied on values known by the attacker… • (c) Generated signature faulty/miscalculated…
  • 13. What if the attack is successful? • Private key is exposed • The real server can be impersonated • Man-in-The-Middle attack can be performed without alarming the legitimate clients
  • 14. What if the attack is successful?
  • 15. DEMO TIME (PART 1)(enter High Voltage!)
  • 18. A Little Recap • (a) Presence of a RSA signature calculated using the RSA-CRT optimization… • (b) The signature must be applied on values known by the attacker… • (c) Generated signature faulty/miscalculated…
  • 19. (a) RSA Signature with RSA-CRT • The modular exponentiations required by RSA are computationally expensive • RSA-CRT introduced a less expensive way to do RSA operations (decryption and signing) • RSA-CRT is used by default in almost every known crypto library out there (openssl, OpenJDK, libgcrypto, PolarSSL, etc…) • Condition (a) is normally satisfied
  • 20. (b) Signature calculated on known values • We define “X” as the value to be signed • Padding can influence the final “shape” of “X” before being signed and make this unpredictable… • …but with SSL3.0, TLS 1.0, 1.1 and 1.2 the padding scheme (a variant of PKCS1.5) is fully deterministic (not randomized) and then predictable
  • 21. (b) PKCS 1.5 Padding • Payload: 0D3F8FF87A4D697E73FE86077FD1D10C4ECC59797E759EDD89931B 2208B8044CB4A1B96A • Padded Payload (RSA 2048 bit): 0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFF000D3F8FF87A4D697E73FE86077FD1D10C4ECC59797E759E DD89931B2208B8044CB4A1B96A
  • 22. (b) Signature calculated on known values • We define “X” as the value to be signed • Padding can influence the final “shape” of “X” before being signed and make this unpredictable… • …but with SSL3.0, TLS 1.0, 1.1 and 1.2 the padding scheme (a variant of PKCS1.5) is fully deterministic (not randomized) and then predictable • Data signed must be known. This is ALWAYS satisfied in our attack if we carefully target the right ciphersuites
  • 23. (c) Presence of faulty signature • We identify a faulty RSA signature with the letter “Y” • Events causing the generation of a faulty digital RSA signature can't be predicted but they are out there • Induced by the same vectors like in a typical bit-squatting attack:  CPU overheating  RAM errors  massive exposure of hardware to solar rays  etc…
  • 24. The right ciphersuite... • Prerequisite (b) – Signature calculated on known values • The condition (b) is ALWAYS satisfied in our attack if we carefully target the right ciphersuites
  • 25. The right ciphersuite... • RSA_WITH_AES_256_CBC_SHA  RSA = Authentication + Key Exchange  AES = Symmetric algorithm used to encrypt data  CBC = Mode of operation  SHA = Hashing algorithm to avoid data tampering • RSA private key leaked = all TLS sessions compromised (current, past and future ones) • The “Certificate” message contains a Signature created with the private key of CA  statically embedded inside the certificate (not generated on the fly)  the condition (b) is not satisfied
  • 26. The right ciphersuite... • DHE_RSA_WITH_AES_256_CBC_SHA  DHE = Key Exchange  RSA = Only used for Authentication  [the rest is the same as previously mentioned] • The key exchange is done using private/public keys generated on the fly  Compromission of a private key breaks only that specific encrypted session, not all the previously established  This is called "Perfect Forward Secrecy"
  • 27. PFS fits REALLY perfectly to us • RSA signature appended onto a TLS Server Key Exchange Message
  • 28. PFS fits REALLY perfectly to us • A RSA signature is appended on a TLS Server Key Exchange Message • The values on which it is calculated are well known, padding scheme is deterministic  Client Random struct (Client Hello Message)  Server Random struct (Server Hello Message)  Server Params struct (Server Key Exchange Message) • DHE_RSA_WITH_AES_256_CBC_SHA and in general [EC]DHE_RSA_WITH_ANY_ANY_ANY ciphersuites are good for us  The condition (b) is satisfied this time
  • 29. TLS Client Hello (PFS ciphersuites only negotiation) How High Voltage! works...
  • 30. TLS Server Hello How High Voltage! works...
  • 31. TLS Server Certificate n e How High Voltage! works...
  • 32. TLS Server Key Exchange How High Voltage! works...
  • 33. TLS Server Key Exchange Client Random Struct (Client Hello Message) Server Random Struct (Server Hello Message) Server Param Struct (Key Exchange Message) How High Voltage! works...
  • 34. Attacking TLS abusing PFS • Because of “(c) Presence of faulty signature”, the attack can be carried out only when a RSA signature is faulty. How to determine that? • Looking for faulty signatures:  We know padding scheme (PKCS 1.5) and the values on which the server calculates its signature - Client Random struct (Client Hello Message) - Server Random struct (Server Hello Message) - Server Params struct (Server Key Exchange Message)  We know the clear-text message on which the signature is applied  We have the public key of server and can decrypt the signature from the TLS Server Key Exchange  If there is a mismatch between the decrypted signature and the expected plain-text value, we have found what we are looking for
  • 35. yes Collect all TLS messages up to Server Key Exchange TLS < 1.2? Generate offline two hash (MD5 and SHA1) of Client Random + Server Random + Server Param values (O_S1) Concatenation of the MD5 and SHA1 hashes to get the (O_S2) value Use the public key from the certificate to decrypt the signature value exposed on TLS Server Key Exchange (S_S1) Remove the padding from S_S1 to get the raw signature (S_S2) Compare O_S2 and S_S2 Is there a match? Repeat the TLS handshake Try to recover the private key no yes How to check if a digital signature is invalid? (TLS < 1.2)
  • 36. How to check if a digital signature is invalid? (TLS 1.2) yes Collect all TLS messages up to Server Key Exchange TLS 1.2? Parse the TLS Server Key Exchange Message to extract the algorithm with which the signature has been created from server (ALG_x) Generate offline a hash using the algorithm ALG_x on Client Random + Server Random + Server Param values (O_S1) Use the public key from the certificate to decrypt the signature value exposed in the Server Key Exchange Message (S_S1) Remove the padding from S_S1 to get the raw signature (S_S2) Compare O_S1 and S_S2 Is there a match? Repeat the TLS handshake Try to recover the private key no yes
  • 37. What else? • How RSA works • RSA-CRT optimization • 2nd DEMO
  • 38. How RSA works • c = ciphertext • m = message to encrypt • n, e = public key • e = little exponent (usually a value such as 3 or 65537) • n = big semiprime number (p * q) (p and q are said "prime factors") • d = inverse_mod(e,(p-1) * (q-1)) private key mathematically tied with n • getting “p” and “q” a private key can be recovered because "e" is already a public information encryption = c = m^e mod n decryption = m = c^d mod n
  • 39. RSA: Rule 1 Gaining a prime factor of n (whatever of the two) we can determine very easily the other one and recover the private key • n = 77 (the public key into the certificate) • p = 7 (leaked prime factor) • q = ? n = p * q d = inverse_mod(e,(p-1) * (q-1))
  • 40. RSA: Rule 1 Gaining a prime factor of n (whatever of the two) we can determine very easily the other one and recover the private key • n = 77 (the public key into the certificate) • p = 7 (leaked prime factor) • q = 11  77 / 7 • 77 / 11 = 7 (p) • 7 x 11 = 77 (n) n = p x q d = inverse_mod(e,(p-1) x (q-1))
  • 41. RSA-CRT • RSA-CRT (CRT stands for Chinese Remainder Theorem) • With this optimization the RSA calculation is broken down into two smaller parts
  • 42. RSA-CRT • Precompute the following values: qInv = (1/q) mod p dP = d (mod p - 1) dQ = d (mod q - 1) • …and next calculate: m1 = c^dP mod p m2 = c^dQ mod q h = qInv.(m1 - m2) mod p m = m2 + h.q If during m1 or m2 calculation there is a fault, a faulty RSA signature is generated and one prime factor can be leaked with this formula: gcd(y^e – x, n)
  • 43. RSA-CRT • Precompute the following values: qInv = (1/q) mod p dP = d (mod p - 1) dQ = d (mod q - 1) • …and next calculate: m1 = c^dP mod p m2 = c^dQ mod q h = qInv.(m1 - m2) mod p m = m2 + h.q If during m1 or m2 calculation there is a fault, a faulty RSA signature is generated and one prime factor can be leaked with this formula: gcd(y^e – x, n)
  • 44. RSA-CRT: Rule 2 We can leak a prime factor of n from a faulty signature when RSA-CRT is used for signing: y = faulty/miscalculated signature (this can be taken directly from the TLS Server Key Exchange message) e = public exponent (found inside the Certificate) x = the original value before to be signed (it is padded but PKCS 1.5 padding scheme is deterministic) n = public key (p * q) (found inside the Certificate) • When one of the prime factors is known... derived_prime_factor = n / leaked_prime_factor • When leaked_prime_factor and derived_prime_factor are known, p and q are known d = inverse_mod(e,(prime_factor_P - 1) * (prime_factor_Q -1 )) gcd(y^e – x, n)
  • 45. RSA-CRT: Rule 2 We can leak a prime factor of n from a faulty signature when RSA-CRT is used for signing: y = faulty/miscalculated signature (this can be taken directly from the TLS Server Key Exchange message) e = public exponent (found inside the Certificate) x = the original value before to be signed (it is padded but PKCS 1.5 padding scheme is deterministic) n = public key (p * q) (found inside the Certificate) • When one of the prime factors is known... derived_prime_factor = n / leaked_prime_factor • When leaked_prime_factor and derived_prime_factor are known, p and q are known d = inverse_mod(e,(prime_factor_P - 1) * (prime_factor_Q -1 )) gcd(y^e – x, n)
  • 46. DEMO TIME (PART 2)(enter Piciolla...)
  • 47. The bottom line • IF:  you have a piece of software linked to a vulnerable crypto library using RSA- CRT &&  that crypto library does not verify the correctness of each RSA signature generated &&  environmental factors occur (CPU overheating, RAM error, etc...) causing the miscalculation of a RSA signature • THEN you might be in trouble…
  • 48. The Fix • A few of crypto libraries allow users to disable RSA-CRT (not convenient due to performance issues) • Most vendors have recently issued a patch to address this problem Double-checks the correctness of RSA signatures without RSA-CRT optimization: if (y^e = x (mod n)) then signature_valid
  • 49. Vulnerable crypto libraries PolarSSL < 2.1.1, 1.3.13 and 1.2.16: MBEDTLS_RSA_NO_CRT can be defined to disable RSA-CRT but this option is off by default) libgcrypt < 1.6.3 (equivalent to CVE-2015-5738) Nettle < 3.1: used by GnuTLS Java SE < 5.0u81, 6u91, 7u76, 8u40, and JRockit < R28.3.5 (CVE- 2015-0478) EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x and 4.1.x before 4.1.5, RSA BSAFE Crypto-C Micro Edition (CCME) 4.0.x and 4.1.x before 4.1.3, RSA BSAFE Crypto-J before 6.2.1, RSA BSAFE SSL-J before 6.2.1, and RSA BSAFE SSL-C before 2.8.9 (CVE-2016-0887)
  • 50. Vulnerable crypto libraries (2) OpenSSL <= 0.9.7 and *potentially* between 1.0.2 and 1.0.2d because of CVE-2015-3193 only on x86_64 architectures + custom versions Go crypto library < 1.6.2 Cryptlib up to latest 3.4.3 (CRYPT_OPTION_MISC_SIDECHANNELPROTECTION would prevent the attack but it is set to false by default) wolfSSL (formerly CyaSSL) < 3.6.8 (CVE-2015-7744) Libtomcrypt < 2.00 Eldos SecureBlackbox < 13.0.280 and 14.0.281 MatrixSSL < 3.8.3 Openswan up to latest version 2.6.47 vulnerable when not compiled with NSS
  • 51. Device types mainly affected Embedded devices  Various network appliances (firewalls, routers, etc…)  Consumer / SOHO devices  SSL Accelerators  VPN Concentrators  TLS Reverse Proxies  …
  • 52. FORTINET (Series 300 / FortiGate < 5.0.13 / 5.2.6 / 5.4.0 observed as vulnerable) Dell (SonicWALL< SonicOS 6.1.1.12 found affected) F5 (Traffix SDC affected) ZTE ZXSEC Firewall (affected models US2640B, US2630B, US2620B) LANCOM wireless devices (version 8.84) <- apparently silently patched since 2014 D-Link-DCS-933L Surveillance camera HILLSTONE NETWORKS (SG-6000 Firewall) CITRIX ZYXEL NORTEL QNO Viprinet BEJY Alteon Affected devices
  • 53. But remember... •“…a piece of software linked to a vulnerable crypto library using RSA- CRT…” • Wait! Is this problem only related to TLS, right? • No! PFS and RSA are used A LOT in IPSEC VPN (IKE), SSH, etc…
  • 54. IKEv1 (Internet Key Exchange) • Two modes for Phase 1 (Authentication of peers and Negotiation of SA)  Main  Aggressive • It is believed that only by sniffing the network traffic it is not possible to recover a private key (just as happens for TLS) and an active approach is requested.
  • 55. IKEv1 Phase 1 Main Mode (Signature Auth) IKE Phase 1 Authenticated With Signatures Initiator Responder ----------- ----------- (1) HDR, SA --> <-- (2) HDR, SA (3) HDR, KE, Ni --> <-- (4) HDR, KE, Nr (5) HDR*, IDii, [ CERT, ] SIG_I --> <-- (6) HDR*, IDir, [ CERT, ] SIG_R * Indicates payload encryption
  • 56. IKEv1 Phase 1 Aggressive Mode (Signature Auth) IKE Phase 1 Authenticated With Signatures Initiator Responder ----------- ----------- (1) HDR, SA, KE, Ni, IDii --> <-- (2)HDR, SA, KE, Nr, IDir, [ CERT, ] SIG_R (3) HDR, [ CERT, ] SIG_I -->
  • 57. SPECIAL THANKS Frank Bosman for his nice drawings http://turniphead.deviantart.com Florian Weimer (Red Hat) https://access.redhat.com/blogs/766093/posts/1976703 https://pagure.io/symboldb/tree/tls-experiment
  • 59. Recover a RSA private key from a TLS session with Perferct Forward Secrecy QUESTIONS? High Voltage & Piciolla – http://www.segfault.it/tools/ Marco Ortisi (2016) Blog – http://www.segfault.it/ thanks!