Presentation is loading. Please wait.

Presentation is loading. Please wait.

Heartbleed Bug RSA Analysis RSA Performance

Published byCurtis Washington Modified over 7 years ago

Similar presentations

Presentation on theme: "Heartbleed Bug RSA Analysis RSA Performance"— Presentation transcript:

1 Heartbleed Bug RSA Analysis RSA Performance
CPS 290 Computer Security Heartbleed Bug RSA Analysis RSA Performance CPS 290

2 OpenSSL “Heartbleed” Bug
Announced April, (But bad code checked in December 31, 2011!) Exploits a programming mistake in the OpenSSL implementation of the TLS “heartbeat hello’’ extension. Heartbeat protocol is used to keep a TLS connection alive without continuously transferring data. One endpoint (e.g., a Web browser) sends a HeartbeatRequest message containing a payload to the other endpoint (e.g. a Web server). The server then sends back a HeartbeatReply message containing the same payload. “Buffer over-read” error caused by a failure to check for an invalid read-length parameter. CPS 290

3 From RFC 6520 Heartbeat Request and Response Messages The Heartbeat protocol messages consist of their type and an arbitrary payload and padding. struct { HeartbeatMessageType type; uint16 payload_length; opaque payload[HeartbeatMessage.payload_length]; opaque padding[padding_length]; } HeartbeatMessage; The total length of a HeartbeatMessage MUST NOT exceed 2^14 or max_fragment_length when negotiated as defined in [RFC6066]. type: The message type, either heartbeat_request or heartbeat_response. payload_length: The length of the payload. payload: The payload consists of arbitrary content. padding: The padding is random content that MUST be ignored by the receiver. Problem: no check that payload_length matches the actual length of the payload CPS 290

4 Illustration From CPS 290

5 Broken OpenSSL Code struct ssl3_record_st { /* generic struct used to store message */ unsigned int length; /* How many bytes available */ /* ignore */ unsigned int off; /* ignore */ unsigned char *data; /* pointer to the record data */ /* ignore */ } SSL3_RECORD; /* Read type and payload length first */ hbtype = *p++; /* message type goes in hbtype, p now points to length */ n2s(p, payload); /* copies length into variable payload, adds 2 to p */ pl = p; /* Enter response type, length and copy payload */ *bp++ = TLS1_HB_RESPONSE; /* set type to response */ s2n(payload, bp); /* write payload (length) to memory, add 2 to p */ memcpy(bp, pl, payload);/*copy payload bytes from memory (up to 64K)*/ CPS 290

6 The Fix hbtype = *p++; n2s(p, payload); if ( payload + 16 > s->s3->rrec.length) return 0; /* silently discard per RFC 6520 sec. 4 */ pl = p; CPS 290

7 Heartbleed Vulnerability
RSA private keys p, q, p-1, q-1, d can be extracted by the attacker, as can anything else in the right portion of server memory, such as passwords. All Web sites using OpenSSL (e.g., using Apache, nginx servers) should have their certificates revoked, and new certificates issued. Akamai was informed before the bug was announced publicly and released a patch, but (oops!) there was a bug in that too. Widely agreed to be a catastrophic security failure. Moral: check input data carefully before acting! CPS 290

8 (a mod n) means the remainder of a divided by n.

9 Definition: Modular equivalence of integers a and b
a n b (a mod n) = (b mod n)  a = b + kn for some integer k “a is congruent to b modulo n” or “a and b are equivalent modulo n”

10 n induces a natural partition of the integers into n classes.
a and b are said to be in the same “residue class” or “congruence class” exactly when a n b.

11 Residue Classes Mod 3: [0] = { …, -6, -3, 0, 3, 6, ..}
[1] = { …, -5, -2, 1, 4, 7, ..} [2] = { …, -4, -1, 2, 5, 8, ..}

12 Fundamental lemma of plus, minus, and times modulo n:
If (x n y) and (a n b). Then 1) x + a n y + b 2) x - a n y - b 3) x * a n y * b

13 A Unique Representation System Modulo n:
We pick exactly one representative from each residue class. We do all our calculations using these representatives.

14 Perhaps the most convenient set of representatives:
The reduced system modulo n: Zn = {0, 1, 2, …, n-1} Define operations +n and *n: a +n b = (a+b mod n) a *n b = (a*b mod n)

15 The reduced system modulo 3
Z3 = {0, 1, 2} Two binary, associative operators on Z3: +3 1 2 *3 1 2

16 Is there a fundamental lemma of division modulo n?
cx n cy  x n y ? This statement holds if c has a multiplicative inverse. cx n cy  c-1cx n c-1cy  x n y

17 When doesn’t c have an inverse?
If GCD(c,n) > 1 (i.e., c shares a factor p>1 with n), then c does not have an inverse. c = k1p, n = k2p Proof by contradiction: Suppose that c has an inverse c-1. Then c*c-1= 1 + kn for some integer k. k1pc-1= 1 + kk2p p(k1c-1-kk2) = 1 But no multiple of p can be equal to 1.

18 Fundamental lemma of division modulo n.
If GCD(c,n)=1, then ca n cb  a n b Consider the set Zn* = {x  Zn | GCD(x,n) =1} Multiplication over this set Zn* will have the cancellation property.

19 Z6 = {0, 1,2,3,4,5} Z6* = {1,5} * 1 2 3 4 5

20 Z12* = {0 ≤ x < 12 | gcd(x,12) = 1} = {1,5,7,11}
*12 1 5 7 11

21 Z5* = {1,2,3,4} = Z5 \ {0} *5 1 2 3 4 For all primes p, Zp* = Zp \ {0}, since all 0 < x < p satisfy gcd(x,p) = 1

22 Euler Phi Function (n)
Define (n) = size of Zn* = number of 1 ≤ k < n that are relatively prime to n. p prime  Zp*= {1,2,3,…,p-1}  (p) = p-1

23 Z12* = {0 ≤ x < 12 | gcd(x,12) = 1} = {1,5,7,11}
(12) = 4 *12 1 5 7 11

24 Theorem: if p,q distinct primes then f(pq) = (p-1)(q-1)
pq = # of numbers from 1 to pq p = # of multiples of q up to pq q = # of multiples of p up to pq 1 = # of multiple of both p and q up to pq f(pq) = pq – p – q + 1 = (p-1)(q-1)

25 Fundamental lemma of powers? If (a n b) Then xa n xb ? NO!
(2 3 5) , but it is not the case that: 22 3 25 Notice that in xa, a is an integer indicating how many times to apply the multiplication operation, whereas x is an element in a multiplicative group. These are objects of different types.

26 Fermat’s Little Theorem
Euler’s Theorem a  Zn*, a(n) n 1 Fermat’s Little Theorem (special case) p prime, a  Zp* ap-1 p 1

27 Fundamental lemma of powers.
Suppose x  Zn*, and a,b,n are naturals. If a (n) b Then xa n xb

28 RSA Invented by Rivest, Shamir and Adleman in 1978
Based on difficulty of factoring. Used to hide the size of a group Zn* since: Factoring has not been reduced to RSA an algorithm that generates m from c does not give an efficient algorithm for factoring On the other hand, factoring has been reduced to finding the private-key. there is an efficient algorithm for factoring given one that can find the private key.

29 RSA Public-key Cryptosystem
What we need: p and q, primes of approximately the same size n = pq (n) = (p-1)(q-1) e  Z (n) d = inv. of e in Z (n) i.e., d = e-1 mod (n) Public Key: (e,n) Private Key: d Encode: m  Zn E(m) = me mod n Can you give an example in which solving the discrete log is simple? All finite groups are isomorphic to (Zn,+) so why isn’t it always easy? Decode: D(c) = cd mod n

30 Decryption Analysis D(c) n cd n med n m1 + k(p-1)(q-1)
n m1 + k (n) n m(m (n))k n m (by Euler’s Theorem, m(n) n 1, if m and n are relatively prime.) Page 30

31 Oops! What if m and n share a factor?
Then m  Zn* and Euler’s theorem doesn’t guarantee that m(n) n 1. Answer 1: Special case, still works. By the Chinese Remainder Theorem, if p and q are relatively prime and med p m and med q m, then med pq m. So let’s show med p m. (The med q m case is symmetric.) If m p 0, then med p 0ed p 0 p m. Otherwise because by Fermat’s Little Theorem, for (m mod p) ≠0, mp−1  p 1 Answer 2: jackpot – you can factor n using Euclid’s alg. CPS 290 Page 31

32 RSA computations To generate the keys, we need to
Find two primes p and q. Generate candidates and use primality testing to filter them. Find e-1 mod (p-1)(q-1). Use Euclid’s algorithm. Takes time log2(n) To encode and decode Take me or cd. Use the power method. Takes time log(e) log2(n) and log(d) log2(n) . In practice e is selected to be small so that encoding is fast. CPS 290

33 Security of RSA Warning:
Do not use this or any other algorithm naively! Possible security holes: Need to use “safe” primes p and q. In particular p-1 and q-1 should have large prime factors. p and q should not have the same number of digits. Can use a middle attack starting at sqrt(n). e cannot be too small Don’t use same n for different e’s. You should always “pad” CPS 290

34 RSA Performance Performance: (600Mhz PIII) (from: ssh toolkit):
Algorithm Bits/key Mbits/sec RSA Keygen 1024 .35sec/key 2048 2.83sec/key RSA Encrypt 1786/sec 3.5 672/sec 1.2 RSA Decrypt 74/sec .074 12/sec .024 ElGamal Enc. 31/sec .031 ElGamal Dec. 61/sec .061 DES-cbc 56 95 twofish-cbc 128 140 Rijndael 180 CPS 290

35 Factoring in the Real World
Quadratic Sieve (QS): Used in 1994 to factor a 129 digit (428-bit) number Machines, 8 months. Number field Sieve (NFS): Used in 1999 to factor 155 digit (512-bit) number CPU years. At least 4x faster than QS Used in to factor 200 digits (663 bits) 75 CPU years ($20K prize) Used in to factor 232 digits (768 bits), 2000 CPU years CPS 290

Download ppt "Heartbleed Bug RSA Analysis RSA Performance"

Similar presentations

1 Lect. 12: Number Theory. Contents Prime and Relative Prime Numbers Modular Arithmetic Fermat’s and Euler’s Theorem Extended Euclid’s Algorithm.

1 Lect. 12: Number Theory. Contents Prime and Relative Prime Numbers Modular Arithmetic Fermat’s and Euler’s Theorem Extended Euclid’s Algorithm.
Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)

Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)
22C:19 Discrete Structures Integers and Modular Arithmetic

22C:19 Discrete Structures Integers and Modular Arithmetic
CPS 290 Computer Security Heartbleed Bug Key Exchange RSA Analysis RSA Performance CPS 290Page 1.

CPS 290 Computer Security Heartbleed Bug Key Exchange RSA Analysis RSA Performance CPS 290Page 1.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
and Factoring Integers (I)

and Factoring Integers (I)
and Factoring Integers

and Factoring Integers
CSE331: Introduction to Networks and Security Lecture 20 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 20 Fall 2002.
CSE 321 Discrete Structures Winter 2008 Lecture 8 Number Theory: Modular Arithmetic.

CSE 321 Discrete Structures Winter 2008 Lecture 8 Number Theory: Modular Arithmetic.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
1 Network Security Lecture 6 Public Key Algorithms Waleed Ejaz

1 Network Security Lecture 6 Public Key Algorithms Waleed Ejaz
MATH 224 – Discrete Mathematics

MATH 224 – Discrete Mathematics
RSA and its Mathematics Behind

RSA and its Mathematics Behind
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Prelude to Public-Key Cryptography Rocky K. C. Chang, February 2014 1.

Prelude to Public-Key Cryptography Rocky K. C. Chang, February
Modular Arithmetic with Applications to Cryptography Lecture 47 Section 10.4 Wed, Apr 13, 2005.

Modular Arithmetic with Applications to Cryptography Lecture 47 Section 10.4 Wed, Apr 13, 2005.
RSA and its Mathematics Behind July 2011. Topics  Modular Arithmetic  Greatest Common Divisor  Euler’s Identity  RSA algorithm  Security in RSA.

RSA and its Mathematics Behind July Topics  Modular Arithmetic  Greatest Common Divisor  Euler’s Identity  RSA algorithm  Security in RSA.
1 Section 10.5.1 Congruences In short, a congruence relation is an equivalence relation on the carrier of an algebra such that the operations of the algebra.

1 Section Congruences In short, a congruence relation is an equivalence relation on the carrier of an algebra such that the operations of the algebra.
15-251 Great Theoretical Ideas in Computer Science for Some.

Great Theoretical Ideas in Computer Science for Some.

Similar presentations

Ads by Google