Presentation is loading. Please wait.

Presentation is loading. Please wait.

CPS 290 Computer Security Heartbleed Bug Key Exchange RSA Analysis RSA Performance CPS 290Page 1.

Similar presentations


Presentation on theme: "CPS 290 Computer Security Heartbleed Bug Key Exchange RSA Analysis RSA Performance CPS 290Page 1."— Presentation transcript:

1 CPS 290 Computer Security Heartbleed Bug Key Exchange RSA Analysis RSA Performance CPS 290Page 1

2 OpenSSL “Heartbleed” Bug Announced April, 2014. Exploits a programming mistake in the OpenSSL implementation of the TLS ``heartbeat hello’’ extension. Heartbeat protocol is used to keep a TLS connection alive without continuously transferring data. One endpoint (e.g., a Web browser) sends a HeartbeatRequest message containing a payload to the other endpoint (e.g. a Web server). The server then sends back a HeartbeatReply message containing the same payload. “Buffer over-read” error caused by a failure to check for an invalid read-length parameter. CPS 290 Page 2

3 From RFC 6520 CPS 290 Page 3 Heartbeat Request and Response Messages The Heartbeat protocol messages consist of their type and an arbitrary payload and padding. struct { HeartbeatMessageType type; uint16 payload_length; opaque payload[HeartbeatMessage.payload_length]; opaque padding[padding_length]; } HeartbeatMessage; The total length of a HeartbeatMessage MUST NOT exceed 2^14 or max_fragment_length when negotiated as defined in [RFC6066].RFC6066 type: The message type, either heartbeat_request or heartbeat_response. payload_length: The length of the payload. payload: The payload consists of arbitrary content. padding: The padding is random content that MUST be ignored by the receiver. Problem: no check that payload_length matches the actual length of the payload

4 Heartbleed Vulnerability RSA private keys p, q, p-1, q-1, d can be extracted by the attacker, as can anything else in the right portion of server memory, such as passwords. All Web sites using OpenSSL (e.g., using Apache, nginx servers) should have their certificates revoked, and new certificates issued. Akamai was informed before the bug was announced publicly and released a patch, but (oops!) there was a bug in that too. Widely agreed to be a catastrophic security failure. CPS 290 Page 4

5 CPS 290Page 5 Diffie-Hellman Key Exchange A group (G,*) and a primitive element (generator) g is made public. –Alice picks a, and sends g a to Bob –Bob picks b and sends g b to Alice –The shared key is g ab Note this is easy for Alice or Bob to compute, but assuming discrete logs are hard is hard for anyone else to compute. Can someone see a problem with this protocol?

6 CPS 290Page 6 Person-in-the-middle attack Alice BobMallory gaga gbgb gdgd gcgc Key 1 = g ad Key 1 = g cb Mallory gets to listen to everything.

7 CPS 290Page 7 RSA Invented by Rivest, Shamir and Adleman in 1978 Based on difficulty of factoring. Used to hide the size of a group Z n * since: Factoring has not been reduced to RSA –an algorithm that generates m from c does not give an efficient algorithm for factoring On the other hand, factoring has been reduced to finding the private-key. –there is an efficient algorithm for factoring given one that can find the private key.

8 CPS 290Page 8 RSA Public-key Cryptosystem What we need: p and q, primes of approximately the same size n = pq  (n) = (p-1)(q-1) e  Z  (n) * d = inv. of e in Z  (n) * i.e., d = e -1 mod  (n) Public Key: (e,n) Private Key: d Encode: m  Z n E(m) = m e mod n Decode: D(c) = c d mod n

9 CPS 290Page 9 RSA continued Why it works: D(c) = c d mod n = m ed mod n = m 1 + k(p-1)(q-1) mod n = m 1 + k  (n) mod n = m(m  (n) ) k mod n = m (because  (n) = 0 mod  (n)) Why is this argument not quite sound? What if m  Z n * then m  (n)  1 mod n Answer 1: Not hard to show that it still works. Answer 2: jackpot – you can factor n using Euclid’s alg.

10 CPS 290Page 10 RSA computations To generate the keys, we need to –Find two primes p and q. Generate candidates and use primality testing to filter them. –Find e -1 mod (p-1)(q-1). Use Euclid’s algorithm. Takes time log 2 (n) To encode and decode –Take m e or c d. Use the power method. Takes time log(e) log 2 (n) and log(d) log 2 (n). In practice e is selected to be small so that encoding is fast.

11 CPS 290Page 11 Security of RSA Warning: –Do not use this or any other algorithm naively! Possible security holes: –Need to use “safe” primes p and q. In particular p- 1 and q-1 should have large prime factors. –p and q should not have the same number of digits. Can use a middle attack starting at sqrt(n). –e cannot be too small –Don’t use same n for different e’s. –You should always “pad”

12 CPS 290Page 12 RSA Performance Performance: (600Mhz PIII) (from: ssh toolkit):ssh toolkit AlgorithmBits/keyMbits/sec RSA Keygen 1024.35sec/key 20482.83sec/key RSA Encrypt 10241786/sec3.5 2048672/sec1.2 RSA Decrypt 102474/sec.074 204812/sec.024 ElGamal Enc.102431/sec.031 ElGamal Dec.102461/sec.061 DES-cbc5695 twofish-cbc128140 Rijndael128180

13 CPS 290Page 13 RSA in the “Real World” Part of many standards: PKCS, ITU X.509, ANSI X9.31, IEEE P1363 Used by: SSL, PEM, PGP, Entrust, … The standards specify many details on the implementation, e.g. –e should be selected to be small, but not too small – “multi prime” versions make use of n = pqr… this makes it cheaper to decode especially in parallel (uses Chinese remainder theorem).

14 CPS 290Page 14 Factoring in the Real World Quadratic Sieve (QS): –Used in 1994 to factor a 129 digit (428-bit) number. 1600 Machines, 8 months. Number field Sieve (NFS): –Used in 1999 to factor 155 digit (512-bit) number. 35 CPU years. At least 4x faster than QS –Used in 2003-2005 to factor 200 digits (663 bits) 75 CPU years ($20K prize)


Download ppt "CPS 290 Computer Security Heartbleed Bug Key Exchange RSA Analysis RSA Performance CPS 290Page 1."

Similar presentations


Ads by Google