Slides demonstrate how to break RSA when no padding is applied. I replicated the meet-in-the-middle attack discussed in the existing Crypto literature.
WSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration
RSA without Padding
1. Cryptanalysis of Raw RSA
Experiments using Meet-in-the-middle Attack
Dr. Dharma Ganesan, Ph.D.,
2. Disclaimer
● The opinions expressed here are my own
○ But not the views of my employer
● The source code fragments and exploits shown here can be reused
○ But without any warranty nor accept any responsibility for failures
● Do not apply the exploit discussed here on other systems
○ Without obtaining authorization from owners
2
3. Goal of this presentation
● Explain how to break Raw RSA (i.e., without padding)
● Present exploits using Meet-in-the-middle attack
● Discuss experimental results
3
4. Prerequisite
Some familiarity with the following topics will help to follow the rest of the slides
● Group Theory (Abstract Algebra/Discrete Math)
● Modular Arithmetic (Number Theory)
● Algorithms and Complexity Theory
● If not, it should still be possible to obtain a high-level overview
4
5. How can Bob send a message to Alice securely?
5
Public Key PuA
● Alice and Bob never met each other
● Bob will encrypt using Alice’s public key
○ Assume that public keys are known to the world
● Alice will decrypt using her private key
○ Private keys are secrets (never sent out)
● Bob can sign messages using his private key
○ Alice verifies message integrity using Bob’s public key
○ Not important for this presentation/attack
● Note: Alice and Bob need other evidence (e.g., passwords,
certificates) to prove their identity to each other
● Who are Alice, Bob, and Eve?
Private Key PrA
Public Key PuB
Private Key PrB
6. RSA Public Key Cryptography System
● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman
● Rooted in elegant mathematics - Group Theory and Number Theory
● Core idea: Anyone can encrypt a message using recipient's public key but
○ (as far as we know) no one can efficiently decrypt unless they got the matching private key
● Encryption and Decryption are inverse operations (math details later)
○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA
● Eavesdropper Eve cannot easily derive the secret (math details later)
○ Unless she solves “hard” number theory problems that are computationally intractable
6
7. 7
Notations and Facts (needed for RSA Trapdoor)
GCD(x, y): The greatest common divisor that divides integers x and y
Co-prime: If gcd(x, y) = 1, then x and y are co-primes
Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock
Z*
n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z*
n is a multiplicative group)
φ(n): Euler’s Totient function denotes the number of elements in Z*
n
φ(p) = p-1, if p is a prime number
x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
8. RSA - Key Generation Algo. (Fits on one page)
1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits)
○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later)
2. Pick two independent, large random primes, p and q, of half of n’s bitlength
○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization)
3. Compute n = p.q (n is also called the RSA modulus)
4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)
5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n))
○ Many implementations set e to be 65537 (Note: gcd(e, φ(n)) = 1)
○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt)
○ d is the multiplicative inverse of e in Zn
6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q>
Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately
8
9. Formal definition of the RSA trapdoor function
● RSA: Zn → Zn
● Let m and c ∈ Zn
● c = RSA(m) = me mod n
● m = RSA-1(c) = cd mod n
● e and d are also called encryption and decryption
exponents, respectively
● Note: Attackers know c, e, and n but not d
9
10. RSA Trapdoor ...
● RSACoreEngine.java implements the RSA and RSA-1 functions
○ See the method processBlock
● RSA(input) = inpute mod n
{
return input.modPow(
key.getExponent(), key.getModulus());
}
● The implementation for RSA-1 is a bit involved (Chinese-Remainder Theorem)
○ To speed-up the computation of inputd mod n, it computes inputd mod p and mod q
10
11. Raw RSA (in Java)
public static byte[] encrypt(PublicKey pubKey, String message) throws Exception
{
Cipher cipher = Cipher.getInstance("RSA/ECB/NOPADDING");
cipher.init(Cipher.ENCRYPT_MODE, pubKey);
return cipher.doFinal(message.getBytes());
}
11
12. Deterministic behavior of Raw RSA (simple demo)
12
public class RSA_Encrypt {
public static void main(String [] args) throws Exception {
if(args.length != 3) {
System.out.println("Usage: RSA_Encrypt <modulus n> <exponent e> <plaintext>");
System.exit(-1);
}
BigInteger n = new BigInteger(args[0]);
BigInteger e = new BigInteger(args[1]);
String plaintext = args[2];
PublicKey pubKey = RSAService.getPublicKey(n, e);
byte[] ciphertext = RSAService.encrypt(pubKey, plaintext);
System.out.println(javax.xml.bind.DatatypeConverter.printHexBinary(ciphertext));
}
}
13. No change in the ciphertext for the same plaintext
13
dharmalingam_ganesan11@instance-1:~/crypto/RSA$ java RSA_Encrypt $n $e "It's all Greek to Me"
29B20484723BC302E3E1D13D763AA4CF8E43627B006B431DBE1C3B9887D3A34199CA5FC74B751501D86114DADB444
04563FB5B916E8CDC5EF0EBA43C244671B63493355EE00630114B27E1E154D806ADF94374E8B52BD1D0BFC0823C52
8BE0DA95774B172235E15345DB757173954E3E09CC7213AD77C6F6452F0B63008CF773E5E2369A3CDE3A94B925849
B59410D04B1B5FCB8BD54EA545CEECEFE6BB77BD7E9ABB54D8DF2764471F6C23A66E65B1D5D7266E7E669B0C7AC1C
889420C6B81689CD9965E528F6D94297C6AB95A510A0BB380E22F99B20ABDFE3837459D8AFF6F552F7B20BD908DBE
A2906C8809A1A50F4209025C8BEB561DC58E56F13894C44
dharmalingam_ganesan11@instance-1:~/crypto/RSA$ dharmalingam_ganesan11@instance-
1:~/crypto/RSA$ java RSA_Encrypt $n $e "It's all Greek to Me"
29B20484723BC302E3E1D13D763AA4CF8E43627B006B431DBE1C3B9887D3A34199CA5FC74B751501D86114DADB444
04563FB5B916E8CDC5EF0EBA43C244671B63493355EE00630114B27E1E154D806ADF94374E8B52BD1D0BFC0823C52
8BE0DA95774B172235E15345DB757173954E3E09CC7213AD77C6F6452F0B63008CF773E5E2369A3CDE3A94B925849
B59410D04B1B5FCB8BD54EA545CEECEFE6BB77BD7E9ABB54D8DF2764471F6C23A66E65B1D5D7266E7E669B0C7AC1C
889420C6B81689CD9965E528F6D94297C6AB95A510A0BB380E22F99B20ABDFE3837459D8AFF6F552F7B20BD908DBE
A2906C8809A1A50F4209025C8BEB561DC58E56F13894C44
14. Problem statement: Break the RSA trapdoor function
● Recall that c = RSA(m) = me mod n
○ c is the ciphertext and m is the plaintext
● Breaking of the RSA function means finding m from c
○ Equivalently, reverse the plaintext from the ciphertext
● Formally, given <c, e, n> find m such that RSA(m) = c
14
15. Chosen plaintext attack of RSA trapdoor function
● RSA is a deterministic function (recall the previous demo)
● RSA(m) is always the same for a given public key pair (e, n)
○ That is, the ciphertext is the same when the plaintext m is encrypted again
● In order to find the secret x, the attacker can try all possible m as follows:
○ RSA(u) where u = 0, 1, …, 2n-1
○ If RSA(u) = RSA(m), then the attacker learns that m must u
● Chosen plaintext attack is easy for small values of public n
● Scalability problem: For very large n (e.g., 1024 bits), it is not feasible to
explore the space of 21024 possibilities, for example
○ It is difficult even if the message size is just 64 bits
15
16. Meet-in-the-middle attack - Core Idea
● Recall that the goal is to find the plaintext m such that RSA(m) = c
● What if m can be rewritten as a product of smaller numbers: m = m1 . m2
● For example, this 64-bit message m = 9223372036854775808 can be
rewritten as a product of two 32-bit numbers:
○ m1 = 2147483648
○ m2 = 4294967296
● Meet-in-the-middle attack leverages this observation to speed-up the Chosen
Plaintext attack
○ Instead of trying all possible n-bit messages, it tries only messages of size n/2
● It breaks RSA when the unknown plaintext is a product of smaller numbers
○ There are still some scalability issues (will revisit later)
16
17. Meet-in-the-middle attack - Algorithm
● Assume that the unknown message m can be rewritten as a product of two
unknown smaller numbers: m = m1 . m2
● The goal of this attack is to find m1 and m2 from ciphertext c
● c = RSA(m) = me mod n
c = (m1. m2)e mod n
c = (m1
e. m2
e) mod n
c/m2
e = m1
e mod n
● Step 1: Construct a hashtable of the right hand side for all possible m1
● Step 2: For each possible m2 if c/m2
e is present in the hashtable, them m is
recovered by multiplying matching m1 with the current m2
17
18. Step 1: Hashtable H construction
18
Key Value
0e mod n 0
1e mod n 1
2e mod n 2
3e mod n 3
... ...
(m1-1)e mod n m1 - 1
19. Step 2: Search the Hashtable H
19
● Step 2.1: For each m2, compute c/m2
e mod n
● Step 2.2: Search whether the hashtable H has the key c/m2
e mod n
● Step 2.3: If yes, extract m1 = H(c/m2
e mod n)
○ Terminate the search. Return the plaintext m = m1 . m2
● Step 2.4: Else, goto Step 2.1 and try the next possible m2
20. Implementation Details: Key-Value Store
(Hashtable)public interface IKeyValueStore {
public void put(byte[] key, byte[] data);
public byte[] get(byte[] key);
public void close();
}
20
● This interface provides an abstraction of hashtable implementations
● Allows plug-and-play of different key-value pair libraries
21. Key-Value Implementation using Java Hashmap
public class KeyValueStoreHash implements IKeyValueStore {
private HashMap<ByteBuffer, byte[]> hashMap = new HashMap<ByteBuffer, byte[]>();
public KeyValueStoreHash() {
}
public void put(byte[] key, byte[] data) {
hashMap.put(ByteBuffer.wrap(key), data);
}
public byte[] get(byte[] key) {
return hashMap.get(ByteBuffer.wrap(key));
}
public void close() {
hashMap.clear();
}
} 21
26. ~/crypto/RSA$ time java ClientRawRSA
Match m = 549986500608 m1 = 892928 m2 = 615936
The plaintext is: 549986500608
real 1m51.176s
user 1m1.520s
sys 0m4.176s
In ~1.5 min Raw RSA is broken
26
27. 11 out of 50 random messages decrypted!
27
$ time java ClientRawRSArandom
# of successful RSA breaking = 11 out of 50
real 462m0.941s
user 314m21.392s
sys 21m22.772s
28. Conclusion/Discussion
28
● The main goal was to experiment with meet-in-the-middle attack
● This attack works when RSA is used without any padding
○ Meet-in-the-middle is much better than brute-forcing all possible plaintexts
● The attack is not scalable when the message length is longer than 8 bytes
○ May be upto 10 bytes when using a large farm of computers
● Nevertheless, the attack reverses the plaintext in the order of 2m/2 bits
○ Storage requirement: Need to be able to store 2m/2 rows in the key-value table
● In part-2, I will talk about using advanced databases to store large key-value
● RSA without random padding should be avoided
29. References
● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE
Transactions on Information Theory, vol. IT-22, no. 6, November, 1976.
● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital
signatures and public-key cryptosystems,” CACM 21, 2, February, 1978.
● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied
Cryptography,” CRC Press, 1996.
● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students
and Practitioners,” Springer, 2011.
● D. Boneh, A. Joux, and P. Nguyen, “Why Textbook ElGamal and RSA
Encryption are Insecure,” AsiaCrypt, 2000
29