Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices. N. Heninger, Z. Durumeric, E. Wustrow, and J. Halderman. USENIX Sec’ 2012.


1 Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices. N. Heninger, Z. Durumeric, E. Wustrow, and J. Halderman. USENIX Sec’ 2012

2 Background: TLS

3 Background: SSH

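4 PKE with insecure channel
[Figure: public-key encryption over an insecure channel. Labels: Alice, Bob, passive adversary, plaintext source, encryption $E_e(m) = c$, insecure channel carrying $c$, decryption $D_d(c) = m$, destination, key source ($d$, $e$), insecure channel carrying $e$.]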

5 Question
• How random is the random number generator used in embedded devices?
• How secure are they?
• Quickly break PKC just by finding public keys?
• …

6 Random Number Generator: Vulnerabilities
• 1996. Goldberg and Wagner, Netscape RNG insecurity
• 2007. Windows RNG
• 2008. Karsten Nohl, MIFARE: a poor random source
• 2008. Debian OpenSSL, poor RNG (SSH, VPN, …)
• 2010. PlayStation, private key recovery since it uses the same random number
• 2012. Poor RNG in embedded devices (this and *)
• 2013. Snowden. Dual_EC_DRBG has NSA backdoor
• 2013. Java nonce collision affects Bitcoin and Android
* Lenstra, Hughes, Augier, Bos, Joppe, Kleinjung, Wachter (2012). "Ron was wrong, Whit is right". Crypto’12

7 Collect Public Keys for SSL and SSH

8 Repeated Keys

                                        TLS Scan      SSH Scan
Number of live hosts                  12,828,613    10,216,363
Using repeated keys                    7,770,232     6,642,222
Using non-vulnerable repeated keys     7,055,989     5,661,056
Using vulnerable repeated keys           714,243       981,166

9 Shared Keys?
• Non-vulnerable reasons for shared keys
  ▹ Corporations share keys across certificates
  ▹ Shared hosting providers
• Vulnerable reasons for shared keys
  ▹ Default certificates and keys
  ▹ Entropy problems during key generation

10 RSA Encryption
• Key Generation
  ▹ Two random primes $p$ and $q$, each roughly the same size
  ▹ $n = pq$, $\phi(n) = (p-1)(q-1)$
  ▹ $e$, $1 < e < \phi(n)$, such that $\gcd(\phi(n), e) = 1$
  ▹ $ed \equiv 1 \bmod \phi(n)$
  ▹ A’s public key is $(n, e)$; A’s private key is $d$
• Encryption: compute $c = m^e \bmod n$
• Decryption: $m = c^d \bmod n$
• Why?
  ▹ $c^d \bmod n = m^{ed} \bmod n = m^{1 \bmod \phi(n)} \bmod n = m^{1 + k\phi(n)} \bmod n = m$
  If $n$ is a product of distinct primes and if $r = s \bmod \phi(n)$, then $a^r = a^s \pmod n$ for all $a \in \mathbb{Z}_n^*$

11 Finding GCD in N integers

12 Results
• Found 2,134 prime factors!
• Can compute private keys for
  ▹ 64,081 TLS hosts and
  ▹ 2,459 SSH hosts
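The GCD step named on slide 11, as an added example (not code from the slides or from the paper's authors): a product tree and remainder tree give, for every RSA modulus in a key inventory, its GCD with the product of all the other moduli, so an operator can flag keys that share a prime. The batch-GCD construction, function names, host labels and sample moduli are assumptions made for illustration.

```python
from math import gcd, prod

def product_tree(moduli):
    """Levels of the product tree: leaves first, root (product of all) last."""
    levels = [list(moduli)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([prod(cur[i:i + 2]) for i in range(0, len(cur), 2)])
    return levels

def batch_gcd(moduli):
    """Return gcd(n_i, product of all other moduli) for every n_i."""
    levels = product_tree(moduli)
    rems = levels.pop()                      # root: [P]
    while levels:                            # push P down, reducing mod n^2
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(levels.pop())]
    return [gcd(n, r // n) for n, r in zip(moduli, rems)]

def audit(keys):
    """keys: {host: RSA modulus}. Return {host: shared prime} for weak keys."""
    distinct = sorted(set(keys.values()))    # repeated keys: separate finding
    shared = {}
    for n, g in zip(distinct, batch_gcd(distinct)):
        if g == n:   # both primes appear elsewhere: split with pairwise GCDs
            g = next((d for m in distinct
                      if m != n and 1 < (d := gcd(n, m)) < n), g)
        if g > 1:
            shared[n] = g
    return {host: shared[n] for host, n in keys.items() if n in shared}

# Constructed sample inventory; Mersenne primes stand in for RSA primes.
P = [2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1, 2**521 - 1, 2**607 - 1]
SAMPLE = {
    "dev-a": P[0] * P[1],
    "dev-b": P[0] * P[2],   # shares P[0] with dev-a and P[2] with dev-e
    "dev-c": P[3] * P[4],   # no shared factor
    "dev-d": P[0] * P[1],   # same key as dev-a
    "dev-e": P[2] * P[5],
}

if __name__ == "__main__":
    for host, p in sorted(audit(SAMPLE).items()):
        print(f"{host}: modulus shares a {p.bit_length()}-bit prime factor")
```

Identical moduli are collapsed before the GCD pass because repeated keys (slides 8 and 9) are a different finding from distinct keys that share one prime.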

13 DSA (US Standard)
• DSA Algorithm: key generation
  1. Select a prime $q$ of 160 bits
  2. 1024-bit $p$ with $q \mid p-1$
  3. Select $g'$ in $\mathbb{Z}_p^*$, and $g = g_k = g'^{(p-1)/q} \bmod p$, $g \neq 1$
  4. Select $1 \le x \le q-1$, compute $y = g^x \bmod p$
  5. Public key $(p, q, g, y)$, private key $x$
• Signature Generation
  1. Select a random integer $k$, $0 < k < q$
  2. Compute $r = (g^k \bmod p) \bmod q$
  3. Compute $k^{-1} \bmod q$
  4. Compute $s = k^{-1}(h(m) + xr) \bmod q$
  5. Signature = $(r, s)$

14 DSA Vulnerabilities
• Two different signatures with same ephemeral and long-term keys
  ▹ Can easily compute randomness
  ▹ Can easily compute private key
• Break
  ▹ Collect DSA signatures during SSH key exchange
  ▹ 4,365 signatures used shared ephemeral keys
  ▹ Compute private long-term keys for 105,728 (1.03%) of SSH hosts

15 Summary

16 Why?
• Linux /dev/(u)random
  ▹ Random number generator in Linux kernel
  ▹ Nearly everything uses it
• Random number generating mechanism
  ▹ Collect entropy
  ▹ Extract entropy and mix it into the (non)blocking pool
  ▹ Extract bytes from the (non)blocking pool

17 Linux RNG Bug
• Linux /dev/urandom boot-time entropy hole
  ▹ Returns output before it has been seeded with any entropy

