SlideShare a Scribd company logo
1 of 29
Cryptanalysis of Raw RSA
Experiments using Meet-in-the-middle Attack
Dr. Dharma Ganesan, Ph.D.,
Disclaimer
● The opinions expressed here are my own
○ But not the views of my employer
● The source code fragments and exploits shown here can be reused
○ But without any warranty nor accept any responsibility for failures
● Do not apply the exploit discussed here on other systems
○ Without obtaining authorization from owners
2
Goal of this presentation
● Explain how to break Raw RSA (i.e., without padding)
● Present exploits using Meet-in-the-middle attack
● Discuss experimental results
3
Prerequisite
Some familiarity with the following topics will help to follow the rest of the slides
● Group Theory (Abstract Algebra/Discrete Math)
● Modular Arithmetic (Number Theory)
● Algorithms and Complexity Theory
● If not, it should still be possible to obtain a high-level overview
4
How can Bob send a message to Alice securely?
5
Public Key PuA
● Alice and Bob never met each other
● Bob will encrypt using Alice’s public key
○ Assume that public keys are known to the world
● Alice will decrypt using her private key
○ Private keys are secrets (never sent out)
● Bob can sign messages using his private key
○ Alice verifies message integrity using Bob’s public key
○ Not important for this presentation/attack
● Note: Alice and Bob need other evidence (e.g., passwords,
certificates) to prove their identity to each other
● Who are Alice, Bob, and Eve?
Private Key PrA
Public Key PuB
Private Key PrB
RSA Public Key Cryptography System
● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman
● Rooted in elegant mathematics - Group Theory and Number Theory
● Core idea: Anyone can encrypt a message using recipient's public key but
○ (as far as we know) no one can efficiently decrypt unless they got the matching private key
● Encryption and Decryption are inverse operations (math details later)
○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA
● Eavesdropper Eve cannot easily derive the secret (math details later)
○ Unless she solves “hard” number theory problems that are computationally intractable
6
7
Notations and Facts (needed for RSA Trapdoor)
GCD(x, y): The greatest common divisor that divides integers x and y
Co-prime: If gcd(x, y) = 1, then x and y are co-primes
Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock
Z*
n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z*
n is a multiplicative group)
φ(n): Euler’s Totient function denotes the number of elements in Z*
n
φ(p) = p-1, if p is a prime number
x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
RSA - Key Generation Algo. (Fits on one page)
1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits)
○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later)
2. Pick two independent, large random primes, p and q, of half of n’s bitlength
○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization)
3. Compute n = p.q (n is also called the RSA modulus)
4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)
5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n))
○ Many implementations set e to be 65537 (Note: gcd(e, φ(n)) = 1)
○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt)
○ d is the multiplicative inverse of e in Zn
6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q>
Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately
8
Formal definition of the RSA trapdoor function
● RSA: Zn → Zn
● Let m and c ∈ Zn
● c = RSA(m) = me mod n
● m = RSA-1(c) = cd mod n
● e and d are also called encryption and decryption
exponents, respectively
● Note: Attackers know c, e, and n but not d
9
RSA Trapdoor ...
● RSACoreEngine.java implements the RSA and RSA-1 functions
○ See the method processBlock
● RSA(input) = inpute mod n
{
return input.modPow(
key.getExponent(), key.getModulus());
}
● The implementation for RSA-1 is a bit involved (Chinese-Remainder Theorem)
○ To speed-up the computation of inputd mod n, it computes inputd mod p and mod q
10
Raw RSA (in Java)
public static byte[] encrypt(PublicKey pubKey, String message) throws Exception
{
Cipher cipher = Cipher.getInstance("RSA/ECB/NOPADDING");
cipher.init(Cipher.ENCRYPT_MODE, pubKey);
return cipher.doFinal(message.getBytes());
}
11
Deterministic behavior of Raw RSA (simple demo)
12
public class RSA_Encrypt {
public static void main(String [] args) throws Exception {
if(args.length != 3) {
System.out.println("Usage: RSA_Encrypt <modulus n> <exponent e> <plaintext>");
System.exit(-1);
}
BigInteger n = new BigInteger(args[0]);
BigInteger e = new BigInteger(args[1]);
String plaintext = args[2];
PublicKey pubKey = RSAService.getPublicKey(n, e);
byte[] ciphertext = RSAService.encrypt(pubKey, plaintext);
System.out.println(javax.xml.bind.DatatypeConverter.printHexBinary(ciphertext));
}
}
No change in the ciphertext for the same plaintext
13
dharmalingam_ganesan11@instance-1:~/crypto/RSA$ java RSA_Encrypt $n $e "It's all Greek to Me"
29B20484723BC302E3E1D13D763AA4CF8E43627B006B431DBE1C3B9887D3A34199CA5FC74B751501D86114DADB444
04563FB5B916E8CDC5EF0EBA43C244671B63493355EE00630114B27E1E154D806ADF94374E8B52BD1D0BFC0823C52
8BE0DA95774B172235E15345DB757173954E3E09CC7213AD77C6F6452F0B63008CF773E5E2369A3CDE3A94B925849
B59410D04B1B5FCB8BD54EA545CEECEFE6BB77BD7E9ABB54D8DF2764471F6C23A66E65B1D5D7266E7E669B0C7AC1C
889420C6B81689CD9965E528F6D94297C6AB95A510A0BB380E22F99B20ABDFE3837459D8AFF6F552F7B20BD908DBE
A2906C8809A1A50F4209025C8BEB561DC58E56F13894C44
dharmalingam_ganesan11@instance-1:~/crypto/RSA$ dharmalingam_ganesan11@instance-
1:~/crypto/RSA$ java RSA_Encrypt $n $e "It's all Greek to Me"
29B20484723BC302E3E1D13D763AA4CF8E43627B006B431DBE1C3B9887D3A34199CA5FC74B751501D86114DADB444
04563FB5B916E8CDC5EF0EBA43C244671B63493355EE00630114B27E1E154D806ADF94374E8B52BD1D0BFC0823C52
8BE0DA95774B172235E15345DB757173954E3E09CC7213AD77C6F6452F0B63008CF773E5E2369A3CDE3A94B925849
B59410D04B1B5FCB8BD54EA545CEECEFE6BB77BD7E9ABB54D8DF2764471F6C23A66E65B1D5D7266E7E669B0C7AC1C
889420C6B81689CD9965E528F6D94297C6AB95A510A0BB380E22F99B20ABDFE3837459D8AFF6F552F7B20BD908DBE
A2906C8809A1A50F4209025C8BEB561DC58E56F13894C44
Problem statement: Break the RSA trapdoor function
● Recall that c = RSA(m) = me mod n
○ c is the ciphertext and m is the plaintext
● Breaking of the RSA function means finding m from c
○ Equivalently, reverse the plaintext from the ciphertext
● Formally, given <c, e, n> find m such that RSA(m) = c
14
Chosen plaintext attack of RSA trapdoor function
● RSA is a deterministic function (recall the previous demo)
● RSA(m) is always the same for a given public key pair (e, n)
○ That is, the ciphertext is the same when the plaintext m is encrypted again
● In order to find the secret x, the attacker can try all possible m as follows:
○ RSA(u) where u = 0, 1, …, 2n-1
○ If RSA(u) = RSA(m), then the attacker learns that m must u
● Chosen plaintext attack is easy for small values of public n
● Scalability problem: For very large n (e.g., 1024 bits), it is not feasible to
explore the space of 21024 possibilities, for example
○ It is difficult even if the message size is just 64 bits
15
Meet-in-the-middle attack - Core Idea
● Recall that the goal is to find the plaintext m such that RSA(m) = c
● What if m can be rewritten as a product of smaller numbers: m = m1 . m2
● For example, this 64-bit message m = 9223372036854775808 can be
rewritten as a product of two 32-bit numbers:
○ m1 = 2147483648
○ m2 = 4294967296
● Meet-in-the-middle attack leverages this observation to speed-up the Chosen
Plaintext attack
○ Instead of trying all possible n-bit messages, it tries only messages of size n/2
● It breaks RSA when the unknown plaintext is a product of smaller numbers
○ There are still some scalability issues (will revisit later)
16
Meet-in-the-middle attack - Algorithm
● Assume that the unknown message m can be rewritten as a product of two
unknown smaller numbers: m = m1 . m2
● The goal of this attack is to find m1 and m2 from ciphertext c
● c = RSA(m) = me mod n
c = (m1. m2)e mod n
c = (m1
e. m2
e) mod n
c/m2
e = m1
e mod n
● Step 1: Construct a hashtable of the right hand side for all possible m1
● Step 2: For each possible m2 if c/m2
e is present in the hashtable, them m is
recovered by multiplying matching m1 with the current m2
17
Step 1: Hashtable H construction
18
Key Value
0e mod n 0
1e mod n 1
2e mod n 2
3e mod n 3
... ...
(m1-1)e mod n m1 - 1
Step 2: Search the Hashtable H
19
● Step 2.1: For each m2, compute c/m2
e mod n
● Step 2.2: Search whether the hashtable H has the key c/m2
e mod n
● Step 2.3: If yes, extract m1 = H(c/m2
e mod n)
○ Terminate the search. Return the plaintext m = m1 . m2
● Step 2.4: Else, goto Step 2.1 and try the next possible m2
Implementation Details: Key-Value Store
(Hashtable)public interface IKeyValueStore {
public void put(byte[] key, byte[] data);
public byte[] get(byte[] key);
public void close();
}
20
● This interface provides an abstraction of hashtable implementations
● Allows plug-and-play of different key-value pair libraries
Key-Value Implementation using Java Hashmap
public class KeyValueStoreHash implements IKeyValueStore {
private HashMap<ByteBuffer, byte[]> hashMap = new HashMap<ByteBuffer, byte[]>();
public KeyValueStoreHash() {
}
public void put(byte[] key, byte[] data) {
hashMap.put(ByteBuffer.wrap(key), data);
}
public byte[] get(byte[] key) {
return hashMap.get(ByteBuffer.wrap(key));
}
public void close() {
hashMap.clear();
}
} 21
Step 1: Hashtable construction (basic version)
public void buildHashTable() {
BigInteger two = BigInteger.valueOf(2);
BigInteger minM1 = two.pow(minNumBitsM1 - 1);
BigInteger maxM1 = two.pow(maxNumBitsM1);
for(BigInteger m1 = minM1; m1.compareTo(maxM1) < 0; m1 = m1.add(BigInteger.ONE)) {
byte[] m1PowE = m1.modPow(e, n).toByteArray();
keyValueStore.put(m1PowE, m1.toByteArray());
}
}
22
Step 2: Search the hashtable for a match
public BigInteger breakRSA(BigInteger c) {
BigInteger m = BigInteger.ZERO;
BigInteger two = BigInteger.valueOf(2);
BigInteger minM2 = two.pow(minNumBitsM2 - 1);
BigInteger maxM2 = two.pow(maxNumBitsM2);
for(BigInteger m2 = minM2; m2.compareTo(maxM2) < 0; m2 = m2.add(BigInteger.ONE)) {
BigInteger m2powe = m2.modPow(e, n);
byte[] lhs = c.multiply(m2powe.modInverse(n)).mod(n).toByteArray();
if(keyValueStore.get(lhs) != null) {
BigInteger m1 = new BigInteger(keyValueStore.get(lhs));
m = m1.multiply(m2);
System.out.println("Match m = " + m + " m1 = " + m1 + " m2 = " + m2);
break;
}
}
return m;
}
23
Demo client to break Raw RSA (2048-bit modulus)
24
Demo client to break RSA ...
25
~/crypto/RSA$ time java ClientRawRSA
Match m = 549986500608 m1 = 892928 m2 = 615936
The plaintext is: 549986500608
real 1m51.176s
user 1m1.520s
sys 0m4.176s
In ~1.5 min Raw RSA is broken
26
11 out of 50 random messages decrypted!
27
$ time java ClientRawRSArandom
# of successful RSA breaking = 11 out of 50
real 462m0.941s
user 314m21.392s
sys 21m22.772s
Conclusion/Discussion
28
● The main goal was to experiment with meet-in-the-middle attack
● This attack works when RSA is used without any padding
○ Meet-in-the-middle is much better than brute-forcing all possible plaintexts
● The attack is not scalable when the message length is longer than 8 bytes
○ May be upto 10 bytes when using a large farm of computers
● Nevertheless, the attack reverses the plaintext in the order of 2m/2 bits
○ Storage requirement: Need to be able to store 2m/2 rows in the key-value table
● In part-2, I will talk about using advanced databases to store large key-value
● RSA without random padding should be avoided
References
● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE
Transactions on Information Theory, vol. IT-22, no. 6, November, 1976.
● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital
signatures and public-key cryptosystems,” CACM 21, 2, February, 1978.
● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied
Cryptography,” CRC Press, 1996.
● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students
and Practitioners,” Springer, 2011.
● D. Boneh, A. Joux, and P. Nguyen, “Why Textbook ElGamal and RSA
Encryption are Insecure,” AsiaCrypt, 2000
29

More Related Content

What's hot

Random number generators
Random number generatorsRandom number generators
Random number generatorsBob Landstrom
 
현업 엔지니어의 시각에서 본 알고리즘 공부의 장점과 단점
현업 엔지니어의 시각에서 본 알고리즘 공부의 장점과 단점현업 엔지니어의 시각에서 본 알고리즘 공부의 장점과 단점
현업 엔지니어의 시각에서 본 알고리즘 공부의 장점과 단점Wonha Ryu
 
Ordonnanc-Proc_Threads (1).pdf
Ordonnanc-Proc_Threads (1).pdfOrdonnanc-Proc_Threads (1).pdf
Ordonnanc-Proc_Threads (1).pdfMbarkiIsraa
 
Public Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithmPublic Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithmIndra97065
 
Ndc2014 시즌 2 : 멀티쓰레드 프로그래밍이 왜 이리 힘드나요? (Lock-free에서 Transactional Memory까지)
Ndc2014 시즌 2 : 멀티쓰레드 프로그래밍이  왜 이리 힘드나요?  (Lock-free에서 Transactional Memory까지)Ndc2014 시즌 2 : 멀티쓰레드 프로그래밍이  왜 이리 힘드나요?  (Lock-free에서 Transactional Memory까지)
Ndc2014 시즌 2 : 멀티쓰레드 프로그래밍이 왜 이리 힘드나요? (Lock-free에서 Transactional Memory까지)내훈 정
 
chap3 numerisation_des_signaux
chap3 numerisation_des_signauxchap3 numerisation_des_signaux
chap3 numerisation_des_signauxBAKKOURY Jamila
 
DQN (Deep Q-Network)
DQN (Deep Q-Network)DQN (Deep Q-Network)
DQN (Deep Q-Network)Dong Guo
 
인프콘 2022 - Rust 크로스 플랫폼 프로그래밍
인프콘 2022 - Rust 크로스 플랫폼 프로그래밍인프콘 2022 - Rust 크로스 플랫폼 프로그래밍
인프콘 2022 - Rust 크로스 플랫폼 프로그래밍Chris Ohk
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public keyDharmalingam Ganesan
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionDharmalingam Ganesan
 
Reinforcement Learning 6. Temporal Difference Learning
Reinforcement Learning 6. Temporal Difference LearningReinforcement Learning 6. Temporal Difference Learning
Reinforcement Learning 6. Temporal Difference LearningSeung Jae Lee
 
A brief introduction to Gaussian process
A brief introduction to Gaussian processA brief introduction to Gaussian process
A brief introduction to Gaussian processEric Xihui Lin
 
Digital Signature Standard
Digital Signature StandardDigital Signature Standard
Digital Signature StandardSou Jana
 

What's hot (20)

Random number generators
Random number generatorsRandom number generators
Random number generators
 
현업 엔지니어의 시각에서 본 알고리즘 공부의 장점과 단점
현업 엔지니어의 시각에서 본 알고리즘 공부의 장점과 단점현업 엔지니어의 시각에서 본 알고리즘 공부의 장점과 단점
현업 엔지니어의 시각에서 본 알고리즘 공부의 장점과 단점
 
Ordonnanc-Proc_Threads (1).pdf
Ordonnanc-Proc_Threads (1).pdfOrdonnanc-Proc_Threads (1).pdf
Ordonnanc-Proc_Threads (1).pdf
 
Encryption
EncryptionEncryption
Encryption
 
quantum cryptography
quantum cryptographyquantum cryptography
quantum cryptography
 
Public Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithmPublic Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithm
 
5.1 greedy
5.1 greedy5.1 greedy
5.1 greedy
 
Ndc2014 시즌 2 : 멀티쓰레드 프로그래밍이 왜 이리 힘드나요? (Lock-free에서 Transactional Memory까지)
Ndc2014 시즌 2 : 멀티쓰레드 프로그래밍이  왜 이리 힘드나요?  (Lock-free에서 Transactional Memory까지)Ndc2014 시즌 2 : 멀티쓰레드 프로그래밍이  왜 이리 힘드나요?  (Lock-free에서 Transactional Memory까지)
Ndc2014 시즌 2 : 멀티쓰레드 프로그래밍이 왜 이리 힘드나요? (Lock-free에서 Transactional Memory까지)
 
chap3 numerisation_des_signaux
chap3 numerisation_des_signauxchap3 numerisation_des_signaux
chap3 numerisation_des_signaux
 
DQN (Deep Q-Network)
DQN (Deep Q-Network)DQN (Deep Q-Network)
DQN (Deep Q-Network)
 
인프콘 2022 - Rust 크로스 플랫폼 프로그래밍
인프콘 2022 - Rust 크로스 플랫폼 프로그래밍인프콘 2022 - Rust 크로스 플랫폼 프로그래밍
인프콘 2022 - Rust 크로스 플랫폼 프로그래밍
 
Quantum neural network
Quantum neural networkQuantum neural network
Quantum neural network
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public key
 
AI
AIAI
AI
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor Function
 
Reinforcement Learning 6. Temporal Difference Learning
Reinforcement Learning 6. Temporal Difference LearningReinforcement Learning 6. Temporal Difference Learning
Reinforcement Learning 6. Temporal Difference Learning
 
A brief introduction to Gaussian process
A brief introduction to Gaussian processA brief introduction to Gaussian process
A brief introduction to Gaussian process
 
rnn BASICS
rnn BASICSrnn BASICS
rnn BASICS
 
Digital Signature Standard
Digital Signature StandardDigital Signature Standard
Digital Signature Standard
 
Rsa cryptosystem
Rsa cryptosystemRsa cryptosystem
Rsa cryptosystem
 

Similar to RSA without Padding

An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eDharmalingam Ganesan
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer FactorizationDharmalingam Ganesan
 
Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDharmalingam Ganesan
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysDharmalingam Ganesan
 
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsComputing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsDharmalingam Ganesan
 
Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dDharmalingam Ganesan
 
Broadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackBroadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackAnkita Kapratwar
 
Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...FahmiOlayah
 
Solutions to online rsa factoring challenges
Solutions to online rsa factoring challengesSolutions to online rsa factoring challenges
Solutions to online rsa factoring challengesDharmalingam Ganesan
 
Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithmVaibhav Khanna
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSASrilal Buddika
 
Security_Attacks_On_RSA~ A Computational Number Theoretic Approach.pptx
Security_Attacks_On_RSA~ A Computational Number Theoretic Approach.pptxSecurity_Attacks_On_RSA~ A Computational Number Theoretic Approach.pptx
Security_Attacks_On_RSA~ A Computational Number Theoretic Approach.pptxshahiduljahid71
 
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxRivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxwerip98386
 

Similar to RSA without Padding (20)

RSA cracking puzzle
RSA cracking puzzleRSA cracking puzzle
RSA cracking puzzle
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent e
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer Factorization
 
RSA without Integrity Checks
RSA without Integrity ChecksRSA without Integrity Checks
RSA without Integrity Checks
 
RSA Game using an Oracle
RSA Game using an OracleRSA Game using an Oracle
RSA Game using an Oracle
 
RSA Two Person Game
RSA Two Person GameRSA Two Person Game
RSA Two Person Game
 
Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private Variables
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private Keys
 
Analysis of Shared RSA Modulus
Analysis of Shared RSA ModulusAnalysis of Shared RSA Modulus
Analysis of Shared RSA Modulus
 
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsComputing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
 
Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent d
 
Broadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackBroadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attack
 
Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...
 
Solutions to online rsa factoring challenges
Solutions to online rsa factoring challengesSolutions to online rsa factoring challenges
Solutions to online rsa factoring challenges
 
Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithm
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSA
 
Security_Attacks_On_RSA~ A Computational Number Theoretic Approach.pptx
Security_Attacks_On_RSA~ A Computational Number Theoretic Approach.pptxSecurity_Attacks_On_RSA~ A Computational Number Theoretic Approach.pptx
Security_Attacks_On_RSA~ A Computational Number Theoretic Approach.pptx
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSA
 
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxRivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
 
Rsa
RsaRsa
Rsa
 

More from Dharmalingam Ganesan

Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfDharmalingam Ganesan
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)Dharmalingam Ganesan
 
How do computers exchange secrets using Math?
How do computers exchange secrets using Math?How do computers exchange secrets using Math?
How do computers exchange secrets using Math?Dharmalingam Ganesan
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based TestingDharmalingam Ganesan
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksDharmalingam Ganesan
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesDharmalingam Ganesan
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solverDharmalingam Ganesan
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitDharmalingam Ganesan
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleDharmalingam Ganesan
 

More from Dharmalingam Ganesan (16)

.NET Deserialization Attacks
.NET Deserialization Attacks.NET Deserialization Attacks
.NET Deserialization Attacks
 
Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdf
 
How to exploit rand()?
How to exploit rand()?How to exploit rand()?
How to exploit rand()?
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)
 
Thank-a-Gram
Thank-a-GramThank-a-Gram
Thank-a-Gram
 
Active Attacks on DH Key Exchange
Active Attacks on DH Key ExchangeActive Attacks on DH Key Exchange
Active Attacks on DH Key Exchange
 
Can I write to a read only file ?
Can I write to a read only file ?Can I write to a read only file ?
Can I write to a read only file ?
 
How do computers exchange secrets using Math?
How do computers exchange secrets using Math?How do computers exchange secrets using Math?
How do computers exchange secrets using Math?
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based Testing
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering Tasks
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module Dependencies
 
Software Architecture
Software ArchitectureSoftware Architecture
Software Architecture
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solver
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit
 
20170605135932210 thank you card7
20170605135932210 thank you card720170605135932210 thank you card7
20170605135932210 thank you card7
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
 

Recently uploaded

Weeding your micro service landscape.pdf
Weeding your micro service landscape.pdfWeeding your micro service landscape.pdf
Weeding your micro service landscape.pdftimtebeek1
 
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio, Inc.
 
Jax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckJax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckMarc Lester
 
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...Abortion Clinic
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Lisi Hocke
 
GraphSummit Milan - Visione e roadmap del prodotto Neo4j
GraphSummit Milan - Visione e roadmap del prodotto Neo4jGraphSummit Milan - Visione e roadmap del prodotto Neo4j
GraphSummit Milan - Visione e roadmap del prodotto Neo4jNeo4j
 
Novo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMsNovo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMsNeo4j
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletAndrea Goulet
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)Roberto Bettazzoni
 
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024SimonedeGijt
 
Effective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConEffective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConNatan Silnitsky
 
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypseTomasz Kowalczewski
 
Your Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | EvmuxYour Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | Evmuxevmux96
 
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanWorkshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanNeo4j
 
Software Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringSoftware Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringPrakhyath Rai
 
Transformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksTransformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksJinanKordab
 
Incident handling is a clearly defined set of procedures to manage and respon...
Incident handling is a clearly defined set of procedures to manage and respon...Incident handling is a clearly defined set of procedures to manage and respon...
Incident handling is a clearly defined set of procedures to manage and respon...Varun Mithran
 

Recently uploaded (20)

Weeding your micro service landscape.pdf
Weeding your micro service landscape.pdfWeeding your micro service landscape.pdf
Weeding your micro service landscape.pdf
 
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
 
Jax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckJax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined Deck
 
Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...
Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...
Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...
 
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
 
GraphSummit Milan - Visione e roadmap del prodotto Neo4j
GraphSummit Milan - Visione e roadmap del prodotto Neo4jGraphSummit Milan - Visione e roadmap del prodotto Neo4j
GraphSummit Milan - Visione e roadmap del prodotto Neo4j
 
Novo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMsNovo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMs
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea Goulet
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)
 
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
 
Abortion Pill Prices Mthatha (@](+27832195400*)[ 🏥 Women's Abortion Clinic In...
Abortion Pill Prices Mthatha (@](+27832195400*)[ 🏥 Women's Abortion Clinic In...Abortion Pill Prices Mthatha (@](+27832195400*)[ 🏥 Women's Abortion Clinic In...
Abortion Pill Prices Mthatha (@](+27832195400*)[ 🏥 Women's Abortion Clinic In...
 
Effective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConEffective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeCon
 
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
 
Your Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | EvmuxYour Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | Evmux
 
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanWorkshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
 
Software Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringSoftware Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements Engineering
 
Transformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksTransformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with Links
 
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
 
Incident handling is a clearly defined set of procedures to manage and respon...
Incident handling is a clearly defined set of procedures to manage and respon...Incident handling is a clearly defined set of procedures to manage and respon...
Incident handling is a clearly defined set of procedures to manage and respon...
 

RSA without Padding

  • 1. Cryptanalysis of Raw RSA Experiments using Meet-in-the-middle Attack Dr. Dharma Ganesan, Ph.D.,
  • 2. Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
  • 3. Goal of this presentation ● Explain how to break Raw RSA (i.e., without padding) ● Present exploits using Meet-in-the-middle attack ● Discuss experimental results 3
  • 4. Prerequisite Some familiarity with the following topics will help to follow the rest of the slides ● Group Theory (Abstract Algebra/Discrete Math) ● Modular Arithmetic (Number Theory) ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview 4
  • 5. How can Bob send a message to Alice securely? 5 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? Private Key PrA Public Key PuB Private Key PrB
  • 6. RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they got the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable 6
  • 7. 7 Notations and Facts (needed for RSA Trapdoor) GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock Z* n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z* n is a multiplicative group) φ(n): Euler’s Totient function denotes the number of elements in Z* n φ(p) = p-1, if p is a prime number x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
  • 8. RSA - Key Generation Algo. (Fits on one page) 1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits) ○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later) 2. Pick two independent, large random primes, p and q, of half of n’s bitlength ○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization) 3. Compute n = p.q (n is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n)) ○ Many implementations set e to be 65537 (Note: gcd(e, φ(n)) = 1) ○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in Zn 6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q> Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately 8
  • 9. Formal definition of the RSA trapdoor function ● RSA: Zn → Zn ● Let m and c ∈ Zn ● c = RSA(m) = me mod n ● m = RSA-1(c) = cd mod n ● e and d are also called encryption and decryption exponents, respectively ● Note: Attackers know c, e, and n but not d 9
  • 10. RSA Trapdoor ... ● RSACoreEngine.java implements the RSA and RSA-1 functions ○ See the method processBlock ● RSA(input) = inpute mod n { return input.modPow( key.getExponent(), key.getModulus()); } ● The implementation for RSA-1 is a bit involved (Chinese-Remainder Theorem) ○ To speed-up the computation of inputd mod n, it computes inputd mod p and mod q 10
  • 11. Raw RSA (in Java) public static byte[] encrypt(PublicKey pubKey, String message) throws Exception { Cipher cipher = Cipher.getInstance("RSA/ECB/NOPADDING"); cipher.init(Cipher.ENCRYPT_MODE, pubKey); return cipher.doFinal(message.getBytes()); } 11
  • 12. Deterministic behavior of Raw RSA (simple demo) 12 public class RSA_Encrypt { public static void main(String [] args) throws Exception { if(args.length != 3) { System.out.println("Usage: RSA_Encrypt <modulus n> <exponent e> <plaintext>"); System.exit(-1); } BigInteger n = new BigInteger(args[0]); BigInteger e = new BigInteger(args[1]); String plaintext = args[2]; PublicKey pubKey = RSAService.getPublicKey(n, e); byte[] ciphertext = RSAService.encrypt(pubKey, plaintext); System.out.println(javax.xml.bind.DatatypeConverter.printHexBinary(ciphertext)); } }
  • 13. No change in the ciphertext for the same plaintext 13 dharmalingam_ganesan11@instance-1:~/crypto/RSA$ java RSA_Encrypt $n $e "It's all Greek to Me" 29B20484723BC302E3E1D13D763AA4CF8E43627B006B431DBE1C3B9887D3A34199CA5FC74B751501D86114DADB444 04563FB5B916E8CDC5EF0EBA43C244671B63493355EE00630114B27E1E154D806ADF94374E8B52BD1D0BFC0823C52 8BE0DA95774B172235E15345DB757173954E3E09CC7213AD77C6F6452F0B63008CF773E5E2369A3CDE3A94B925849 B59410D04B1B5FCB8BD54EA545CEECEFE6BB77BD7E9ABB54D8DF2764471F6C23A66E65B1D5D7266E7E669B0C7AC1C 889420C6B81689CD9965E528F6D94297C6AB95A510A0BB380E22F99B20ABDFE3837459D8AFF6F552F7B20BD908DBE A2906C8809A1A50F4209025C8BEB561DC58E56F13894C44 dharmalingam_ganesan11@instance-1:~/crypto/RSA$ dharmalingam_ganesan11@instance- 1:~/crypto/RSA$ java RSA_Encrypt $n $e "It's all Greek to Me" 29B20484723BC302E3E1D13D763AA4CF8E43627B006B431DBE1C3B9887D3A34199CA5FC74B751501D86114DADB444 04563FB5B916E8CDC5EF0EBA43C244671B63493355EE00630114B27E1E154D806ADF94374E8B52BD1D0BFC0823C52 8BE0DA95774B172235E15345DB757173954E3E09CC7213AD77C6F6452F0B63008CF773E5E2369A3CDE3A94B925849 B59410D04B1B5FCB8BD54EA545CEECEFE6BB77BD7E9ABB54D8DF2764471F6C23A66E65B1D5D7266E7E669B0C7AC1C 889420C6B81689CD9965E528F6D94297C6AB95A510A0BB380E22F99B20ABDFE3837459D8AFF6F552F7B20BD908DBE A2906C8809A1A50F4209025C8BEB561DC58E56F13894C44
  • 14. Problem statement: Break the RSA trapdoor function ● Recall that c = RSA(m) = me mod n ○ c is the ciphertext and m is the plaintext ● Breaking of the RSA function means finding m from c ○ Equivalently, reverse the plaintext from the ciphertext ● Formally, given <c, e, n> find m such that RSA(m) = c 14
  • 15. Chosen plaintext attack of RSA trapdoor function ● RSA is a deterministic function (recall the previous demo) ● RSA(m) is always the same for a given public key pair (e, n) ○ That is, the ciphertext is the same when the plaintext m is encrypted again ● In order to find the secret x, the attacker can try all possible m as follows: ○ RSA(u) where u = 0, 1, …, 2n-1 ○ If RSA(u) = RSA(m), then the attacker learns that m must u ● Chosen plaintext attack is easy for small values of public n ● Scalability problem: For very large n (e.g., 1024 bits), it is not feasible to explore the space of 21024 possibilities, for example ○ It is difficult even if the message size is just 64 bits 15
  • 16. Meet-in-the-middle attack - Core Idea ● Recall that the goal is to find the plaintext m such that RSA(m) = c ● What if m can be rewritten as a product of smaller numbers: m = m1 . m2 ● For example, this 64-bit message m = 9223372036854775808 can be rewritten as a product of two 32-bit numbers: ○ m1 = 2147483648 ○ m2 = 4294967296 ● Meet-in-the-middle attack leverages this observation to speed-up the Chosen Plaintext attack ○ Instead of trying all possible n-bit messages, it tries only messages of size n/2 ● It breaks RSA when the unknown plaintext is a product of smaller numbers ○ There are still some scalability issues (will revisit later) 16
  • 17. Meet-in-the-middle attack - Algorithm ● Assume that the unknown message m can be rewritten as a product of two unknown smaller numbers: m = m1 . m2 ● The goal of this attack is to find m1 and m2 from ciphertext c ● c = RSA(m) = me mod n c = (m1. m2)e mod n c = (m1 e. m2 e) mod n c/m2 e = m1 e mod n ● Step 1: Construct a hashtable of the right hand side for all possible m1 ● Step 2: For each possible m2 if c/m2 e is present in the hashtable, them m is recovered by multiplying matching m1 with the current m2 17
  • 18. Step 1: Hashtable H construction 18 Key Value 0e mod n 0 1e mod n 1 2e mod n 2 3e mod n 3 ... ... (m1-1)e mod n m1 - 1
  • 19. Step 2: Search the Hashtable H 19 ● Step 2.1: For each m2, compute c/m2 e mod n ● Step 2.2: Search whether the hashtable H has the key c/m2 e mod n ● Step 2.3: If yes, extract m1 = H(c/m2 e mod n) ○ Terminate the search. Return the plaintext m = m1 . m2 ● Step 2.4: Else, goto Step 2.1 and try the next possible m2
  • 20. Implementation Details: Key-Value Store (Hashtable)public interface IKeyValueStore { public void put(byte[] key, byte[] data); public byte[] get(byte[] key); public void close(); } 20 ● This interface provides an abstraction of hashtable implementations ● Allows plug-and-play of different key-value pair libraries
  • 21. Key-Value Implementation using Java Hashmap public class KeyValueStoreHash implements IKeyValueStore { private HashMap<ByteBuffer, byte[]> hashMap = new HashMap<ByteBuffer, byte[]>(); public KeyValueStoreHash() { } public void put(byte[] key, byte[] data) { hashMap.put(ByteBuffer.wrap(key), data); } public byte[] get(byte[] key) { return hashMap.get(ByteBuffer.wrap(key)); } public void close() { hashMap.clear(); } } 21
  • 22. Step 1: Hashtable construction (basic version) public void buildHashTable() { BigInteger two = BigInteger.valueOf(2); BigInteger minM1 = two.pow(minNumBitsM1 - 1); BigInteger maxM1 = two.pow(maxNumBitsM1); for(BigInteger m1 = minM1; m1.compareTo(maxM1) < 0; m1 = m1.add(BigInteger.ONE)) { byte[] m1PowE = m1.modPow(e, n).toByteArray(); keyValueStore.put(m1PowE, m1.toByteArray()); } } 22
  • 23. Step 2: Search the hashtable for a match public BigInteger breakRSA(BigInteger c) { BigInteger m = BigInteger.ZERO; BigInteger two = BigInteger.valueOf(2); BigInteger minM2 = two.pow(minNumBitsM2 - 1); BigInteger maxM2 = two.pow(maxNumBitsM2); for(BigInteger m2 = minM2; m2.compareTo(maxM2) < 0; m2 = m2.add(BigInteger.ONE)) { BigInteger m2powe = m2.modPow(e, n); byte[] lhs = c.multiply(m2powe.modInverse(n)).mod(n).toByteArray(); if(keyValueStore.get(lhs) != null) { BigInteger m1 = new BigInteger(keyValueStore.get(lhs)); m = m1.multiply(m2); System.out.println("Match m = " + m + " m1 = " + m1 + " m2 = " + m2); break; } } return m; } 23
  • 24. Demo client to break Raw RSA (2048-bit modulus) 24
  • 25. Demo client to break RSA ... 25
  • 26. ~/crypto/RSA$ time java ClientRawRSA Match m = 549986500608 m1 = 892928 m2 = 615936 The plaintext is: 549986500608 real 1m51.176s user 1m1.520s sys 0m4.176s In ~1.5 min Raw RSA is broken 26
  • 27. 11 out of 50 random messages decrypted! 27 $ time java ClientRawRSArandom # of successful RSA breaking = 11 out of 50 real 462m0.941s user 314m21.392s sys 21m22.772s
  • 28. Conclusion/Discussion 28 ● The main goal was to experiment with meet-in-the-middle attack ● This attack works when RSA is used without any padding ○ Meet-in-the-middle is much better than brute-forcing all possible plaintexts ● The attack is not scalable when the message length is longer than 8 bytes ○ May be upto 10 bytes when using a large farm of computers ● Nevertheless, the attack reverses the plaintext in the order of 2m/2 bits ○ Storage requirement: Need to be able to store 2m/2 rows in the key-value table ● In part-2, I will talk about using advanced databases to store large key-value ● RSA without random padding should be avoided
  • 29. References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996. ● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011. ● D. Boneh, A. Joux, and P. Nguyen, “Why Textbook ElGamal and RSA Encryption are Insecure,” AsiaCrypt, 2000 29