
Attacking RSA Brian Winant Reference “Twenty Years of Attacks on the RSA Cryptosystem” By Dan Boneh In Notices of the American Mathematical.


1 Attacking RSA
- Brian Winant, bwinant@gwu.edu

2 Reference
- “Twenty Years of Attacks on the RSA Cryptosystem” by Dan Boneh
- Notices of the American Mathematical Society (AMS), Vol. 46, No. 2, pp. 203-213, 1999

3 Introduction
- RSA introduced August 1977
  - R = Ron Rivest, S = Adi Shamir, A = Len Adleman
- Subject to two+ decades of cryptanalysis
- No serious attacks found
- Most known attacks based on implementation weaknesses

4 RSA Review - Modulus
- Let N = pq
- N is n bits long
- p, q are large primes of length n/2
- In practice N is at least 1024 bits
  - 1024 bits = 309 decimal digits

5 RSA Review - Keys
- Choose exponents e and d such that ed = 1 mod φ(N)
- φ(N) is the Euler phi function
  - Since N = pq, φ(N) = (p – 1)(q – 1)
  - φ(N) is the order of the multiplicative group Z_N^*
- (N, e), (N, d) are the public/private keys
  - Doesn’t matter which is which

6 RSA Review - Encryption
- Plaintext M ∈ Z_N^*
- Ciphertext C ∈ Z_N^*
- Encryption: f_k(M) = C = M^e mod N
- Decryption: g_k(C) = C^d mod N
  - M^ed mod N = M

7 Trapdoors
- f_k(M) is a one-way trapdoor function
- Exponent d is the trapdoor
  - Makes inverting f_k(M) easy
- How hard is it to invert f_k(M) without the trapdoor?
  - No known mechanism to easily invert f_k(M)
  - However, not proven to be impossible

8 Breaking RSA
- Goal: invert f_k(M) without knowing d
- Formally: given (N, e, C), and assuming the factorization of N is unknown, how hard is it to compute the e-th root of C mod N?

9 Naïve Approach
- Z_N^* is finite
- Try all M ∈ Z_N^*
- Runtime is exponential
- Interested only in efficient algorithms: O(n^c) where
  - n = log_2 N
  - c is a small constant (< 5)

10 Theory vs. Implementation
- Difference between the function and the cryptosystem
- Cryptosystem is not semantically secure
  - Given (N, e, C) it is possible to recover some information about M
  - Example: Jacobi symbol of M over N
- Fixed by padding M with random bits

11 Types of Attacks
- Factoring
- Elementary
- Low Private Exponent
- Low Public Exponent
- Implementation

12 Factoring
- If N can be factored, p, q are known
  - φ(N) can be computed
  - d = e^-1 mod φ(N) easily computed using Euclid’s method
- State of the art factoring algorithms still exponential in log N
  - General Number Field Sieve
  - Largest factored modulus: 576 bits (174 decimal digits)

13 More Factoring
- For some N, factoring is easy
- Pollard’s p – 1 algorithm
  - If p – 1 is a product of primes less than B, N can be factored in O(B^3)
- Some RSA implementations reject such p

14 Breaking RSA vs. Factoring
- If an efficient factoring algorithm exists, RSA is insecure
- Open Problem: Is the converse true?
  - Must N be factored in order to efficiently compute e-th roots mod N?
  - Is breaking RSA as hard as factoring?

15 Open Problem: Definition
- Given N, e with gcd(e, φ(N)) = 1
- Define f_{e,N}: Z_N^* -> Z_N^*, f_{e,N}(x) = x^{1/e} mod N
- Given an oracle that evaluates f in unit time, is there a polynomial-time algorithm A that computes the factorization of N?

16 Open Problem: Answer?
- Probably not
- Evidence that for small e, the answer may be no
  - There may not exist a polynomial-time reduction from factoring to breaking RSA
- However, not proven
- A negative answer is probably preferred over a positive answer

17 Elementary Attacks
- Due to misuse of RSA
- Many exist
  - Modulus Reuse
  - Blinding

18 Modulus Reuse
- To save time, why not reuse N?
- Trusted authority can provide user i with keys (N, e_i), (N, d_i)
- Attacker can use own e_a, d_a to factor N
- Once N is factored, recovering d_i is easy
- Do not reuse N

19 Blinding
- Fool Bob into signing an arbitrary M
- e, d are Bob’s public and private keys
- Choose random r ∈ Z_N^*
- Let M’ = r^e M mod N
- Have Bob sign M’: S’ = (M’)^d mod N

20 Blinding
- Compute S = S’/r mod N
- S^e = (S’)^e / r^e = (M’)^ed / r^e = (r^e M)^ed / r^e = r^e M / r^e = M
- Attacker now has Bob’s signature on M

21 Blinding: Defense
- In practice, attack not feasible
- Prevented by first hashing M before signing
- An attack, but required for anonymous digital cash
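The blinding exchange of slides 19-20 and the hash-before-signing defense of slide 21, as an added Python example (not the slides’ own code). The toy key, the message value and the blinding factor r are constructed for the demo; real keys use n/2-bit primes.

```python
import hashlib
from math import gcd

# Constructed toy key (demo only; not the slides' code). Real keys use n/2-bit primes.
p, q = 10007, 10009
N, e = p * q, 65537
d = pow(e, -1, (p - 1) * (q - 1))        # ed = 1 mod phi(N)

def sign_raw(m):
    """Bob's textbook signer from slide 19: S = M^d mod N, no hashing."""
    return pow(m, d, N)

def verify_raw(m, s):
    return pow(s, e, N) == m

def blind_and_unblind(m, r, signer):
    """Slides 19-20: submit M' = r^e M, receive S' = (M')^d, output S = S' / r mod N."""
    assert gcd(r, N) == 1                # r must be in Z_N^*
    m_blind = (pow(r, e, N) * m) % N
    s_blind = signer(m_blind)            # Bob only ever sees M'
    return (s_blind * pow(r, -1, N)) % N

def h(m):
    """Slide 21 defense: hash the message into Z_N before exponentiating."""
    return int.from_bytes(hashlib.sha256(m.to_bytes(16, "big")).digest(), "big") % N

def sign_hashed(m):
    return pow(h(m), d, N)

def verify_hashed(m, s):
    return pow(s, e, N) == h(m)

def forgery_succeeds_raw(m, r):
    """True: unblinding a raw signature on M' yields Bob's valid signature on M."""
    return verify_raw(m, blind_and_unblind(m, r, sign_raw))

def forgery_succeeds_hashed(m, r):
    """False: Bob signs H(M'), and H(r^e M) bears no relation to r^e H(M)."""
    return verify_hashed(m, blind_and_unblind(m, r, sign_hashed))
```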

22 Low Private Exponent
- Reduce decryption time by using small d
- If d < (1/3) N^{1/4}, d can be recovered
  - Approximation method based on continued fractions
- Small d can still be chosen using the Chinese Remainder Theorem in a possibly secure manner
  - Ensure d mod φ(N) is still large
- Open Problem: How small can d be?

23 Open Problem
- Let N = pq
- Let d < N^0.5
- Let e < φ(N) with ed = 1 mod φ(N)
- If the attacker is given (N, e), can d be recovered efficiently?

24 Low Public Exponent
- In practice, small public keys are used
  - Reduces encryption and signature-verification time
- Smallest e = 3
- Recommended e = 2^16 + 1
  - For signature-verification:
    - Requires 17 multiplications
    - Approx. 1000 when a random e is used
- Small public keys are not as dangerous as small private keys

25 Low Public Exponent Attacks
- Broadcast Attack
- Related Message Attack
- Short Pad Attack
- Partial Key Exposure Attack

26 Broadcast Attack
- Bob sends M to parties P_1 … P_k
- P_i has public key (N_i, e_i)
- M < N_i for all i
- Bob encrypts M with the key for each P_i
- Attacker can collect all k ciphertexts and recover M if k ≥ e

27 Broadcast Attack: Simplified
- Assume e_i = 3 for all i
- Attacker collects C_1, C_2, C_3
  - C_1 = M^3 mod N_1
  - C_2 = M^3 mod N_2
  - C_3 = M^3 mod N_3
- Chinese Remainder Theorem: C’ = M^3 mod N_1 N_2 N_3

28 Broadcast Attack: Simplified
- Since M < all N_i, M^3 < N_1 N_2 N_3
- So C’ = M^3
- Recover M by calculating the cube root of C’

29 Broadcast Attack: Defense
- Pad M with random bits
- Padding M with non-random bits allows other attacks
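The e = 3 broadcast recovery of slides 27-28 (CRT, then an integer cube root) and the random-padding defense of slide 29, as an added Python example that is not the slides’ own code. The three toy moduli and the message values are constructed for the demo; the function names are the example’s own.

```python
import random

def crt(residues, moduli):
    """Chinese Remainder Theorem: the x < prod(n_i) with x = r_i mod n_i (n_i pairwise coprime)."""
    prod = 1
    for n in moduli:
        prod *= n
    total = 0
    for r, n in zip(residues, moduli):
        m = prod // n
        total += r * m * pow(m, -1, n)
    return total % prod

def icbrt(x):
    """Exact integer cube root of x, or None when x is not a perfect cube."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:                       # binary search for the least mid with mid^3 >= x
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else None

# Constructed toy moduli: primes that are 2 mod 3, so e = 3 is a valid public exponent.
E = 3
MODULI = [10007 * 10037, 10061 * 10067, 10079 * 10091]

def encrypt_plain(m):
    """Slide 26-27: the same unpadded M sent to all three recipients."""
    return [pow(m, E, n) for n in MODULI]

def encrypt_padded(m, pad_bits=12):
    """Slide 29 defense: a fresh random pad per recipient, so each P_i encrypts a different value."""
    return [pow((m << pad_bits) | random.getrandbits(pad_bits), E, n) for n in MODULI]

def broadcast_recover(ciphertexts, moduli):
    """Slides 27-28: C' = M^3 mod N1 N2 N3 by CRT; since M^3 < N1 N2 N3, C' = M^3 exactly."""
    return icbrt(crt(ciphertexts, moduli))
```

With padding the CRT value is no longer a cube of anything the attacker can use, so `broadcast_recover` returns None (or, with negligible probability, a value that is still not M).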

30 Related Message Attack
- Bob sends Alice related messages using the same modulus
- (N, e) is Alice’s public key
- M_1 ≠ M_2 ∈ Z_N^*
- M_1 = f(M_2) mod N
  - f is a publicly known polynomial mod N
  - f(x) = ax + b mod N, b ≠ 0
- Given (N, e, C_1, C_2, f), attacker can recover M_1, M_2 in time quadratic in log N

31 Related Message Attack
- Works by computing the GCD of two polynomials
  - g_1(x) = f(x)^e – C_1
  - g_2(x) = x^e – C_2
- For large e, computing the GCD is too expensive

32 Short Pad Attack
- Exploits naïve random paddings of M
  - Add random bits to one end of M
- Requires knowledge of two ciphertexts corresponding to the same message

33 Short Pad Attack
- |N| = n
- m = floor(n/e^2)
  - Relationship between pad and key lengths
- |M| = n – m
- M_1 = 2^m M + r_1
- M_2 = 2^m M + r_2
- 0 ≤ r_1, r_2 < 2^m
- Given (N, e, C_1, C_2), M can be efficiently recovered

34 Partial Key Exposure Attack
- If a portion of d is exposed, can all of d be recovered?
- Yes, if e is small
  - e < sqrt(N)
  - Need ceil(n/4) least significant bits of d

35 Implementation Attacks
- Attack the implementation of RSA, not the underlying mathematical structure
  - Timing
  - Random Faults
  - PKCS 1

36 Timing Attack
- Smartcard attack
- Based on timing the efficient modular exponentiation algorithm
- Can recover bits based on whether or not the squaring step is performed
- Similar attack based on monitoring power consumption

37 Timing Attack: Defense
- Add delay
- Use blinding on itself
  - Adds randomness to ciphertext
  - Less correlation between input and key bits
  - Approach due to Rivest

38 Random Faults
- Many RSA implementations use the Chinese Remainder Theorem
  - Speeds up computation of M^d mod N
- Let a = d mod (p – 1)
- Let b = d mod (q – 1)
- C_a = M^a mod p
- C_b = M^b mod q
- C = T_1 C_a + T_2 C_b mod N
- Faster since less exponentiation is needed

39 Random Faults
- Suppose a computer glitch causes an incorrect bit
- Either C_a or C_b will be incorrect
- Can detect the incorrect result C:
  - C^e = M mod p
  - C^e ≠ M mod q
- Exposes a factor of N, but requires knowledge of M

40 Random Faults: Defense
- Requires M to not be padded
  - Add random bits
- Check before sending
  - You’re doing this anyway, right?
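The CRT computation of slide 38, the one-bit glitch of slide 39 and the check-before-sending defense of slide 40, as an added Python example (not the slides’ own code). The toy key and message are constructed; T_1 and T_2 are taken to be the standard CRT recombination coefficients, and the glitch is simulated by flipping one bit of C_b.

```python
from math import gcd

# Constructed toy key (demo only; not the slides' code). Real keys use n/2-bit primes.
p, q = 10007, 10009
N, e = p * q, 65537
d = pow(e, -1, (p - 1) * (q - 1))

# Slide 38 precomputation: a = d mod (p-1), b = d mod (q-1).
# T1 = 1 mod p, 0 mod q and T2 = 0 mod p, 1 mod q recombine the two half-results.
a, b = d % (p - 1), d % (q - 1)
T1 = q * pow(q, -1, p)
T2 = p * pow(p, -1, q)

def crt_exp(m, fault_in_q=False):
    """Compute C = M^d mod N via CRT; optionally inject the slide-39 glitch into C_b."""
    c_a = pow(m, a, p)                   # C_a = M^a mod p
    c_b = pow(m, b, q)                   # C_b = M^b mod q
    if fault_in_q:
        c_b ^= 1                         # simulated random fault: one wrong bit in C_b
    return (T1 * c_a + T2 * c_b) % N     # C = T1 C_a + T2 C_b mod N

def factor_from_faulty(m, c_faulty):
    """Slide 39: C^e = M mod p but C^e != M mod q, so gcd(C^e - M, N) is exactly p."""
    return gcd(pow(c_faulty, e, N) - m, N)

def checked_exp(m, fault_in_q=False):
    """Slide 40 defense: verify C^e = M before releasing C; a faulty result is never output."""
    c = crt_exp(m, fault_in_q)
    if pow(c, e, N) != m:
        return None                      # refuse rather than leak a factor of N
    return c
```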

41 PKCS 1 Attack
- Possible in an older version of the standard
- Implementations will raise an error if the decrypted C does not begin with the 16-bit value “02”
- Equals an oracle which can reveal whether the most significant 16 bits of the decryption of C equal 02

42 Conclusion
- RSA function susceptible to mathematical trickery
  - Exploits are not practical
  - Easy to defend against
  - Would never occur in reality
- Requires correct and secure implementation
- No known dangerous attacks against properly implemented RSA

