Attacking RSA
Brian Winant, bwinant@gwu.edu
Reference
“Twenty Years of Attacks on the RSA Cryptosystem” by Dan Boneh, in Notices of the American Mathematical Society (AMS), Vol. 46, No. 2, pp. 203-213, 1999
Introduction
RSA introduced August 1977: R = Ron Rivest, S = Adi Shamir, A = Len Adleman
Subjected to more than two decades of cryptanalysis
No serious attacks found
Most known attacks are based on implementation weaknesses
RSA Review - Modulus
Let N = pq
N is n bits long
p, q are large primes of length n/2
In practice N is at least 1024 bits (1024 bits = 309 decimal digits)
RSA Review - Keys
Choose exponents e and d such that ed ≡ 1 mod φ(N)
φ(N) is the Euler phi function
Since N = pq, φ(N) = (p – 1)(q – 1)
φ(N) is the order of the multiplicative group Z_N*
(N, e), (N, d) are the public/private keys
Doesn’t matter which is which
RSA Review - Encryption
Plaintext M ∈ Z_N*
Ciphertext C ∈ Z_N*
Encryption: f_k(M) = C = M^e mod N
Decryption: g_k(C) = C^d mod N, since M^(ed) mod N = M
Trapdoors
f_k(M) is a one-way trapdoor function
Exponent d is the trapdoor: it makes inverting f_k(M) easy
How hard is it to invert f_k(M) without the trapdoor?
No known mechanism to easily invert f_k(M)
However, not proven to be impossible
Breaking RSA
Goal: invert f_k(M) without knowing d
Formally: given (N, e, C), and assuming the factorization of N is unknown, how hard is it to compute the e-th root of C mod N?
Naïve Approach
Z_N* is finite
Try all M ∈ Z_N*
Runtime is exponential
Interested only in efficient algorithms: O(n^c) where n = log2 N and c is a small constant (< 5)
Theory vs. Implementation
Difference between the function and the cryptosystem
Cryptosystem is not semantically secure: given (N, e, C) it is possible to recover some information about M
Example: Jacobi symbol of M over N
Fixed by padding M with random bits
Types of Attacks
Factoring
Elementary
Low Private Exponent
Low Public Exponent
Implementation
Factoring
If N can be factored: p, q are known, φ(N) can be computed, and d = e^-1 mod φ(N) is easily computed using Euclid’s method
State-of-the-art factoring algorithms are still exponential in log N (General Number Field Sieve)
Largest factored modulus: 576 bits (174 decimal digits)
More Factoring
For some N, factoring is easy
Pollard’s p – 1 algorithm: if p – 1 is a product of primes less than B, N can be factored in O(B^3)
Some RSA implementations reject such p
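As an added illustration of the p – 1 weakness and of the key-generation check the last line refers to (example code, not from the slides or from Boneh’s paper; the toy primes 1009 and 2027 are constructed so that one of them has a smooth p – 1 and the other does not):

```python
from math import gcd

def pollard_p_minus_1(N, B):
    """Pollard's p - 1 with smoothness bound B (constructed example, not the
    slides' code).  Builds a = 2^(B!) mod N one factor at a time.  If some
    prime p | N has p - 1 B-smooth, then (p - 1) | B!, so a = 1 (mod p) by
    Fermat's little theorem and gcd(a - 1, N) exposes p.  Returns a factor
    of N, or None if no prime of N has a B-smooth p - 1."""
    a = 2
    for k in range(2, B + 1):
        a = pow(a, k, N)               # a = 2^(k!) mod N
        g = gcd(a - 1, N)
        if 1 < g < N:
            return g
    return None

def is_b_smooth(n, B):
    """True if every prime factor of n is at most B (trial division, which is
    fine for checking one candidate prime during key generation)."""
    d = 2
    while d <= B and n > 1:
        while n % d == 0:
            n //= d
        d += 1
    return n == 1

def accept_prime(p, B):
    """Key-generation check the slides mention: reject p when p - 1 is B-smooth."""
    return not is_b_smooth(p - 1, B)

# Constructed toy modulus: p - 1 = 1008 = 2^4 * 3^2 * 7 is 10-smooth, while
# q - 1 = 2026 = 2 * 1013 has a prime factor far above the bound.
P_SMOOTH, Q_STRONG = 1009, 2027
N_TOY = P_SMOOTH * Q_STRONG

if __name__ == "__main__":
    print(pollard_p_minus_1(N_TOY, 10))                            # 1009
    print(accept_prime(P_SMOOTH, 10), accept_prime(Q_STRONG, 10))  # False True
```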
Breaking RSA vs. Factoring
If an efficient factoring algorithm exists, RSA is insecure
Open Problem: is the converse true? Must N be factored in order to efficiently compute e-th roots mod N? Is breaking RSA as hard as factoring?
Open Problem: Definition
Given N and e with gcd(e, φ(N)) = 1, define f_{e,N}: Z_N* -> Z_N* by f_{e,N}(x) = x^(1/e) mod N
Given an oracle that evaluates f in unit time, is there a polynomial-time algorithm A that computes the factorization of N?
Open Problem: Answer?
Probably not: there is evidence that for small e the answer may be no
There may not exist a polynomial-time reduction from factoring to breaking RSA; however, this is not proven
A negative answer is probably preferable to a positive one
Elementary Attacks
Due to misuse of RSA; many exist
Modulus Reuse
Blinding
Modulus Reuse
To save time, why not reuse N? A trusted authority could provide user i with keys (N, e_i), (N, d_i)
Attacker can use own e_a, d_a to factor N
Once N is factored, recovering d_i is easy
Do not reuse N
Blinding
Fool Bob into signing an arbitrary M; e, d are Bob’s public and private keys
Choose random r ∈ Z_N*
Let M’ = r^e M mod N
Have Bob sign it: S’ = (M’)^d mod N
Blinding
Compute S = S’/r mod N
S^e = (S’)^e / r^e = (M’)^(ed) / r^e = (r^e M)^(ed) / r^e = r^e M / r^e = M
Attacker now has a signature on M
Blinding: Defense
In practice, attack not feasible: prevented by first hashing M before signing
An attack, but required for anonymous digital cash
Low Private Exponent
Reduce decryption time by using small d
If d < (1/3) N^(1/4), d can be recovered: approximation method based on continued fractions
Small d can still be chosen using the Chinese Remainder Theorem in a possibly secure manner; ensure d mod φ(N) is still large
Open Problem: how small can d be?
Open Problem
Let N = pq
Let d < N^0.5
Let e < φ(N), ed ≡ 1 mod φ(N)
If attacker is given (N, e), can d be recovered efficiently?
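An added key-validation check for the continued-fraction attack on small d described two slides up (example code, not from the slides or from Boneh’s paper; the toy key N = 1009 · 1013 with d = 5 is constructed, and the convergent/quadratic validation is the standard Wiener procedure):

```python
from math import isqrt

def convergents(num, den):
    """Yield the convergents (k, d) of the continued fraction of num/den using
    the standard recurrence h_i = a_i h_(i-1) + h_(i-2), same for denominators."""
    h_prev, h = 0, 1
    k_prev, k = 1, 0
    while den:
        a, rem = divmod(num, den)
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k
        num, den = den, rem

def wiener_recover_d(N, e):
    """Continued-fraction test the slides refer to (example code, not from the
    slides).  Because e*d = k*phi(N) + 1 and phi(N) is close to N, k/d is a
    very good approximation of e/N; when d is small enough, k/d is one of the
    convergents of e/N.  Each candidate phi' = (e*d - 1)/k is checked by
    solving x^2 - (N - phi' + 1)x + N = 0 for integer roots p, q.
    Returns d when the key is vulnerable, otherwise None."""
    for k, d in convergents(e, N):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = N - phi + 1                  # equals p + q if phi is the real phi(N)
        disc = s * s - 4 * N
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r == disc and r < s and (s + r) % 2 == 0:
            return d
    return None

def private_exponent_too_small(N, d):
    """The slides' bound d < (1/3) N^(1/4), tested in integers as 81 d^4 < N."""
    return 81 * d ** 4 < N

# Constructed toy key: N = 1009 * 1013, phi = 1008 * 1012 = 1020096, d = 5,
# e = 5^-1 mod phi = 816077 (so e*d = 4*phi + 1).
N_TOY, E_SMALL_D, D_SMALL = 1022117, 816077, 5

if __name__ == "__main__":
    print(wiener_recover_d(N_TOY, E_SMALL_D))      # 5: d recovered from (N, e) alone
    print(wiener_recover_d(N_TOY, 65537))          # None: d is large for this e
    print(private_exponent_too_small(N_TOY, 5))    # True
```

A key generator would reject a candidate (N, e) whenever `wiener_recover_d` returns a value, in addition to enforcing the size bound on d directly.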
Low Public Exponent
In practice, small public keys are used: reduces encryption and signature-verification time
Smallest e = 3; recommended e = 2^16 + 1
For signature verification: requires 17 multiplications, approx. 1000 when a random e is used
Small public keys are not as dangerous as small private keys
Low Public Exponent Attacks
Broadcast Attack
Related Message Attack
Short Pad Attack
Partial Key Exposure Attack
Broadcast Attack
Bob sends M to parties P_1 … P_k
P_i has public key (N_i, e_i)
M < N_i for all i
Bob encrypts M with the key for each P_i
Attacker can collect all k ciphertexts and recover M if k ≥ e
Broadcast Attack: Simplified
Assume e_i = 3 for all i
Attacker collects C_1, C_2, C_3
C_1 = M^3 mod N_1
C_2 = M^3 mod N_2
C_3 = M^3 mod N_3
Chinese Remainder Theorem: C’ = M^3 mod N_1 N_2 N_3
Broadcast Attack: Simplified
Since M < all N_i, M^3 < N_1 N_2 N_3
So C’ = M^3
Recover M by calculating the cube root of C’
Broadcast Attack: Defense
Pad M with random bits
Padding M with non-random bits allows other attacks
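The simplified e = 3 broadcast attack from the preceding slides and the random-padding defense, as an added worked example (not code from the slides or from Boneh’s paper; the three toy moduli and the 4-bit pad are constructed for illustration):

```python
import secrets
from functools import reduce

def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise coprime moduli: the unique x in
    [0, N_1*...*N_k) with x = r_i (mod N_i) for every i."""
    total = reduce(lambda a, b: a * b, moduli)
    x = 0
    for r, n in zip(residues, moduli):
        m = total // n
        x += r * m * pow(m, -1, n)     # pow(m, -1, n) is the inverse of m mod n
    return x % total

def icbrt(x):
    """Exact integer cube root by binary search; None if x is not a perfect cube."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else None

def broadcast_e3(ciphertexts, moduli):
    """The slides' simplified attack: CRT gives C' = M^3 mod N_1 N_2 N_3, and
    because M < every N_i the integer M^3 is below the product, so C' is M^3
    itself and an ordinary (non-modular) cube root returns M.  When the three
    plaintexts differ (each padded with its own random bits) C' is almost
    never a perfect cube and None comes back."""
    return icbrt(crt(ciphertexts, moduli))

def pad(M, r, bits=4):
    """Naive random padding at toy size: append `bits` random bits r to M."""
    return (M << bits) | r

# Constructed toy moduli; every prime is 2 mod 3, so e = 3 is a valid exponent.
MODULI = [11 * 23, 17 * 29, 41 * 53]        # 253, 493, 2173
E = 3

def encrypt_all(plaintexts):
    """Encrypt plaintext i under (N_i, 3), as Bob does for each party P_i."""
    return [pow(m, E, n) for m, n in zip(plaintexts, MODULI)]

if __name__ == "__main__":
    M = 200                                              # M < every N_i
    print(broadcast_e3(encrypt_all([M] * 3), MODULI))    # 200: M recovered
    M = 9
    padded = [pad(M, secrets.randbelow(16)) for _ in MODULI]   # different r_i
    print(broadcast_e3(encrypt_all(padded), MODULI))     # None unless all r_i coincide
```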
Related Message Attack
Bob sends Alice related messages using the same modulus; (N, e) is Alice’s public key
M_1, M_2 ∈ Z_N*
M_1 = f(M_2) mod N, where f is a publicly known polynomial mod N, e.g. f(x) = ax + b mod N, b ≠ 0
Given (N, e, C_1, C_2, f), attacker can recover M_1, M_2 in time quadratic in log N
Related Message Attack
Works by computing the GCD of two polynomials:
g_1(x) = f(x)^e – C_1
g_2(x) = x^e – C_2
For large e, computing the GCD is too expensive
Short Pad Attack
Exploits naïve random paddings of M: add random bits to one end of M
Requires knowledge of two ciphertexts corresponding to the same message
Short Pad Attack
|N| = n
m = floor(n/e^2) (relationship between pad and key lengths)
|M| = n – m
M_1 = 2^m M + r_1
M_2 = 2^m M + r_2
0 ≤ r_1, r_2 < 2^m
Given (N, e, C_1, C_2), M can be efficiently recovered
Partial Key Exposure Attack
If a portion of d is exposed, can all of d be recovered?
Yes, if e is small: for e < sqrt(N), need the ceil(n/4) least significant bits of d
Implementation Attacks
Attack the implementation of RSA, not the underlying mathematical structure
Timing
Random Faults
PKCS 1
Timing Attack
Smartcard attack, based on timing the efficient modular exponentiation algorithm
Can recover bits based on whether or not the squaring step is performed
Similar attack based on monitoring power consumption
Timing Attack: Defense
Add delay
Use blinding on itself: adds randomness to the ciphertext, less correlation between input and key bits
Approach due to Rivest
Random Faults
Many RSA implementations use the Chinese Remainder Theorem to speed up computation of M^d mod N
Let a = d mod (p – 1)
Let b = d mod (q – 1)
C_a = M^a mod p
C_b = M^b mod q
C = T_1 C_a + T_2 C_b mod N
Faster since less exponentiation is needed
Random Faults
Suppose a computer glitch causes an incorrect bit
Either C_a or C_b will be incorrect
Can detect the incorrect result C: C^e = M mod p, but C^e ≠ M mod q
Exposes a factor of N, but requires knowledge of M
Random Faults: Defense
Requires M to not be padded: add random bits
Check before sending (you’re doing this anyway, right?)
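An added worked example of the CRT computation from the Random Faults slides and of the check-before-sending defense (example code, not from the slides or from Boneh’s paper; the toy primes 1009 and 1013 and the bit-flip `fault` parameter are constructed stand-ins for the glitch the slides describe):

```python
from math import gcd

# Constructed toy key (not from the slides): p, q small so the run is instant.
P, Q = 1009, 1013
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def crt_sign(M, fault=None):
    """CRT-RSA as on the slides: a = d mod (p-1), b = d mod (q-1), two half-size
    exponentiations C_a, C_b, recombined as T_1 C_a + T_2 C_b mod N where
    T_1 = 1 mod p, 0 mod q and T_2 = 0 mod p, 1 mod q.
    `fault` is a constructed glitch: ('p', mask) XORs mask into C_a,
    ('q', mask) into C_b, standing in for the random bit error on the slides."""
    a, b = D % (P - 1), D % (Q - 1)
    Ca, Cb = pow(M, a, P), pow(M, b, Q)
    if fault is not None:
        which, mask = fault
        if which == 'p':
            Ca ^= mask
        else:
            Cb ^= mask
    T1 = Q * pow(Q, -1, P)
    T2 = P * pow(P, -1, Q)
    return (T1 * Ca + T2 * Cb) % N

def sign_checked(M, fault=None):
    """The slides' defense: verify S^e == M mod N before sending; a faulty S is
    withheld (None) instead of being released."""
    S = crt_sign(M, fault)
    return S if pow(S, E, N) == M else None

def factor_from_faulty(M, S_faulty):
    """Why the check matters: if only C_a was wrong, S^e == M mod q but not mod p,
    so gcd(S^e - M, N) is q (and p when only C_b was wrong)."""
    return gcd(pow(S_faulty, E, N) - M, N)

if __name__ == "__main__":
    M = 42
    print(sign_checked(M) == pow(M, D, N))                      # True: CRT result is correct
    print(sign_checked(M, fault=('p', 1)))                      # None: faulty result withheld
    print(factor_from_faulty(M, crt_sign(M, fault=('p', 1))))   # 1013 = q
```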
PKCS 1 Attack
Possible in an older version of the standard
Implementations will raise an error if C does not contain the 16-bit “02”
Equals an oracle which can reveal whether the most significant 16 bits of C equal 02
Conclusion
RSA function is susceptible to mathematical trickery, but the exploits are not practical: easy to defend against, would never occur in reality
Requires a correct and secure implementation
No known dangerous attacks against properly implemented RSA