- 1. Cryptanalysis of Raw RSA Experiments using Meet-in-the-middle Attack Dr. Dharma Ganesan, Ph.D.,
- 2. Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
- 3. Goal of this presentation ● Explain how to break Raw RSA (i.e., without padding) ● Present exploits using Meet-in-the-middle attack ● Discuss experimental results 3
- 4. Prerequisite Some familiarity with the following topics will help to follow the rest of the slides ● Group Theory (Abstract Algebra/Discrete Math) ● Modular Arithmetic (Number Theory) ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview 4
- 5. How can Bob send a message to Alice securely? 5 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? Private Key PrA Public Key PuB Private Key PrB
- 6. RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they got the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable 6
- 7. 7 Notations and Facts (needed for RSA Trapdoor) GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock Z* n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z* n is a multiplicative group) φ(n): Euler’s Totient function denotes the number of elements in Z* n φ(p) = p-1, if p is a prime number x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
- 8. RSA - Key Generation Algo. (Fits on one page) 1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits) ○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later) 2. Pick two independent, large random primes, p and q, of half of n’s bitlength ○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization) 3. Compute n = p.q (n is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n)) ○ Many implementations set e to be 65537 (Note: gcd(e, φ(n)) = 1) ○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in Zn 6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q> Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately 8
- 9. Formal definition of the RSA trapdoor function ● RSA: Zn → Zn ● Let m and c ∈ Zn ● c = RSA(m) = me mod n ● m = RSA-1(c) = cd mod n ● e and d are also called encryption and decryption exponents, respectively ● Note: Attackers know c, e, and n but not d 9
- 10. RSA Trapdoor ... ● RSACoreEngine.java implements the RSA and RSA-1 functions ○ See the method processBlock ● RSA(input) = inpute mod n { return input.modPow( key.getExponent(), key.getModulus()); } ● The implementation for RSA-1 is a bit involved (Chinese-Remainder Theorem) ○ To speed-up the computation of inputd mod n, it computes inputd mod p and mod q 10
- 11. Raw RSA (in Java) public static byte[] encrypt(PublicKey pubKey, String message) throws Exception { Cipher cipher = Cipher.getInstance("RSA/ECB/NOPADDING"); cipher.init(Cipher.ENCRYPT_MODE, pubKey); return cipher.doFinal(message.getBytes()); } 11
- 12. Deterministic behavior of Raw RSA (simple demo) 12 public class RSA_Encrypt { public static void main(String [] args) throws Exception { if(args.length != 3) { System.out.println("Usage: RSA_Encrypt <modulus n> <exponent e> <plaintext>"); System.exit(-1); } BigInteger n = new BigInteger(args[0]); BigInteger e = new BigInteger(args[1]); String plaintext = args[2]; PublicKey pubKey = RSAService.getPublicKey(n, e); byte[] ciphertext = RSAService.encrypt(pubKey, plaintext); System.out.println(javax.xml.bind.DatatypeConverter.printHexBinary(ciphertext)); } }
- 13. No change in the ciphertext for the same plaintext 13 dharmalingam_ganesan11@instance-1:~/crypto/RSA$ java RSA_Encrypt $n $e "It's all Greek to Me" 29B20484723BC302E3E1D13D763AA4CF8E43627B006B431DBE1C3B9887D3A34199CA5FC74B751501D86114DADB444 04563FB5B916E8CDC5EF0EBA43C244671B63493355EE00630114B27E1E154D806ADF94374E8B52BD1D0BFC0823C52 8BE0DA95774B172235E15345DB757173954E3E09CC7213AD77C6F6452F0B63008CF773E5E2369A3CDE3A94B925849 B59410D04B1B5FCB8BD54EA545CEECEFE6BB77BD7E9ABB54D8DF2764471F6C23A66E65B1D5D7266E7E669B0C7AC1C 889420C6B81689CD9965E528F6D94297C6AB95A510A0BB380E22F99B20ABDFE3837459D8AFF6F552F7B20BD908DBE A2906C8809A1A50F4209025C8BEB561DC58E56F13894C44 dharmalingam_ganesan11@instance-1:~/crypto/RSA$ dharmalingam_ganesan11@instance- 1:~/crypto/RSA$ java RSA_Encrypt $n $e "It's all Greek to Me" 29B20484723BC302E3E1D13D763AA4CF8E43627B006B431DBE1C3B9887D3A34199CA5FC74B751501D86114DADB444 04563FB5B916E8CDC5EF0EBA43C244671B63493355EE00630114B27E1E154D806ADF94374E8B52BD1D0BFC0823C52 8BE0DA95774B172235E15345DB757173954E3E09CC7213AD77C6F6452F0B63008CF773E5E2369A3CDE3A94B925849 B59410D04B1B5FCB8BD54EA545CEECEFE6BB77BD7E9ABB54D8DF2764471F6C23A66E65B1D5D7266E7E669B0C7AC1C 889420C6B81689CD9965E528F6D94297C6AB95A510A0BB380E22F99B20ABDFE3837459D8AFF6F552F7B20BD908DBE A2906C8809A1A50F4209025C8BEB561DC58E56F13894C44
- 14. Problem statement: Break the RSA trapdoor function ● Recall that c = RSA(m) = me mod n ○ c is the ciphertext and m is the plaintext ● Breaking of the RSA function means finding m from c ○ Equivalently, reverse the plaintext from the ciphertext ● Formally, given <c, e, n> find m such that RSA(m) = c 14
- 15. Chosen plaintext attack of RSA trapdoor function ● RSA is a deterministic function (recall the previous demo) ● RSA(m) is always the same for a given public key pair (e, n) ○ That is, the ciphertext is the same when the plaintext m is encrypted again ● In order to find the secret x, the attacker can try all possible m as follows: ○ RSA(u) where u = 0, 1, …, 2n-1 ○ If RSA(u) = RSA(m), then the attacker learns that m must u ● Chosen plaintext attack is easy for small values of public n ● Scalability problem: For very large n (e.g., 1024 bits), it is not feasible to explore the space of 21024 possibilities, for example ○ It is difficult even if the message size is just 64 bits 15
- 16. Meet-in-the-middle attack - Core Idea ● Recall that the goal is to find the plaintext m such that RSA(m) = c ● What if m can be rewritten as a product of smaller numbers: m = m1 . m2 ● For example, this 64-bit message m = 9223372036854775808 can be rewritten as a product of two 32-bit numbers: ○ m1 = 2147483648 ○ m2 = 4294967296 ● Meet-in-the-middle attack leverages this observation to speed-up the Chosen Plaintext attack ○ Instead of trying all possible n-bit messages, it tries only messages of size n/2 ● It breaks RSA when the unknown plaintext is a product of smaller numbers ○ There are still some scalability issues (will revisit later) 16
- 17. Meet-in-the-middle attack - Algorithm ● Assume that the unknown message m can be rewritten as a product of two unknown smaller numbers: m = m1 . m2 ● The goal of this attack is to find m1 and m2 from ciphertext c ● c = RSA(m) = me mod n c = (m1. m2)e mod n c = (m1 e. m2 e) mod n c/m2 e = m1 e mod n ● Step 1: Construct a hashtable of the right hand side for all possible m1 ● Step 2: For each possible m2 if c/m2 e is present in the hashtable, them m is recovered by multiplying matching m1 with the current m2 17
- 18. Step 1: Hashtable H construction 18 Key Value 0e mod n 0 1e mod n 1 2e mod n 2 3e mod n 3 ... ... (m1-1)e mod n m1 - 1
- 19. Step 2: Search the Hashtable H 19 ● Step 2.1: For each m2, compute c/m2 e mod n ● Step 2.2: Search whether the hashtable H has the key c/m2 e mod n ● Step 2.3: If yes, extract m1 = H(c/m2 e mod n) ○ Terminate the search. Return the plaintext m = m1 . m2 ● Step 2.4: Else, goto Step 2.1 and try the next possible m2
- 20. Implementation Details: Key-Value Store (Hashtable)public interface IKeyValueStore { public void put(byte[] key, byte[] data); public byte[] get(byte[] key); public void close(); } 20 ● This interface provides an abstraction of hashtable implementations ● Allows plug-and-play of different key-value pair libraries
- 21. Key-Value Implementation using Java Hashmap public class KeyValueStoreHash implements IKeyValueStore { private HashMap<ByteBuffer, byte[]> hashMap = new HashMap<ByteBuffer, byte[]>(); public KeyValueStoreHash() { } public void put(byte[] key, byte[] data) { hashMap.put(ByteBuffer.wrap(key), data); } public byte[] get(byte[] key) { return hashMap.get(ByteBuffer.wrap(key)); } public void close() { hashMap.clear(); } } 21
- 22. Step 1: Hashtable construction (basic version) public void buildHashTable() { BigInteger two = BigInteger.valueOf(2); BigInteger minM1 = two.pow(minNumBitsM1 - 1); BigInteger maxM1 = two.pow(maxNumBitsM1); for(BigInteger m1 = minM1; m1.compareTo(maxM1) < 0; m1 = m1.add(BigInteger.ONE)) { byte[] m1PowE = m1.modPow(e, n).toByteArray(); keyValueStore.put(m1PowE, m1.toByteArray()); } } 22
- 23. Step 2: Search the hashtable for a match public BigInteger breakRSA(BigInteger c) { BigInteger m = BigInteger.ZERO; BigInteger two = BigInteger.valueOf(2); BigInteger minM2 = two.pow(minNumBitsM2 - 1); BigInteger maxM2 = two.pow(maxNumBitsM2); for(BigInteger m2 = minM2; m2.compareTo(maxM2) < 0; m2 = m2.add(BigInteger.ONE)) { BigInteger m2powe = m2.modPow(e, n); byte[] lhs = c.multiply(m2powe.modInverse(n)).mod(n).toByteArray(); if(keyValueStore.get(lhs) != null) { BigInteger m1 = new BigInteger(keyValueStore.get(lhs)); m = m1.multiply(m2); System.out.println("Match m = " + m + " m1 = " + m1 + " m2 = " + m2); break; } } return m; } 23
- 24. Demo client to break Raw RSA (2048-bit modulus) 24
- 25. Demo client to break RSA ... 25
- 26. ~/crypto/RSA$ time java ClientRawRSA Match m = 549986500608 m1 = 892928 m2 = 615936 The plaintext is: 549986500608 real 1m51.176s user 1m1.520s sys 0m4.176s In ~1.5 min Raw RSA is broken 26
- 27. 11 out of 50 random messages decrypted! 27 $ time java ClientRawRSArandom # of successful RSA breaking = 11 out of 50 real 462m0.941s user 314m21.392s sys 21m22.772s
- 28. Conclusion/Discussion 28 ● The main goal was to experiment with meet-in-the-middle attack ● This attack works when RSA is used without any padding ○ Meet-in-the-middle is much better than brute-forcing all possible plaintexts ● The attack is not scalable when the message length is longer than 8 bytes ○ May be upto 10 bytes when using a large farm of computers ● Nevertheless, the attack reverses the plaintext in the order of 2m/2 bits ○ Storage requirement: Need to be able to store 2m/2 rows in the key-value table ● In part-2, I will talk about using advanced databases to store large key-value ● RSA without random padding should be avoided
- 29. References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996. ● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011. ● D. Boneh, A. Joux, and P. Nguyen, “Why Textbook ElGamal and RSA Encryption are Insecure,” AsiaCrypt, 2000 29