1 / 26

Ensuring Sufficient Entropy in RSA Modulus Generation

Ensuring Sufficient Entropy in RSA Modulus Generation. Wendy Mu Henry Corrigan-Gibbs Dan Boneh. Motivation #1. Security of RSA relies on hardness of factoring modulus What happens when , are generated with faulty random number generators?. Motivation #1.

aletta
Download Presentation

Ensuring Sufficient Entropy in RSA Modulus Generation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Ensuring Sufficient Entropy in RSA Modulus Generation Wendy Mu Henry Corrigan-Gibbs Dan Boneh

  2. Motivation #1 • Security of RSA relies on hardness of factoring modulus • What happens when , are generated with faulty random number generators?

  3. Motivation #1 • A study by Heninger et al. (2012) found… • 5.57% of TLS hosts had same private keys as another host • 0.50% of these hosts’ private keys were easily computed through finding all-pairs GCDs

  4. Motivation #1 Reason for these common factors? Weak entropy!

  5. Motivation #2 • Kleptography (Young and Yung, 1996) • Attack where third party can figure out private key • Malicious black box key generator encrypts in last bits of ) • Third party with key can decrypt and factor

  6. Goals • An efficient way for a host to obtain randomness from a trusted source with high entropy • A way for the host to prove that the generated modulus was generated using the given randomness

  7. Overview TLS Host (e.g., web server) Key generation protocol Key verification protocol Certificate Authority Entropy Authority

  8. Overview TLS Host (e.g., web server) 1. Modulus generation 4. CA-signed certificate 2. EA-signed certificate 3. EA-signed certificate Certificate Authority Entropy Authority

  9. Building blocks • Pedersen commitments (Pedersen) • Computationally binding • Information theoretically hiding • Additively homomorphic

  10. Building blocks • Zero-knowledge proofs • Prove that and are commitments to and with (Cramer and Damgard)

  11. Building blocks • Public-key signature scheme (Goldwasser et al.) • Sign and verify functions • Existentially unforgeable

  12. Protocol: Modulus Generation

  13. Protocol: Modulus Generation

  14. Protocol: Modulus Verification

  15. Application: SSH SSH Server 1. Modulus generation 2. EA-signed certificate 3. EA-signed certificate SSH Client Entropy Authority

  16. Security • are 1024 bit primes • are 20 bit numbers • is 2048 bits • (modulus for commitments) is 2148 bits (100 bits more than ), since

  17. Security • Desired properties: • Maintain secrecy of and • Ensure resulting contains sufficient entropy

  18. Security • If the host has no entropy, a global eavesdropper could always learn and • Assume that the host gets a free communication with EA • Assume host is not malicious

  19. Even if the host has low entropy, the resulting modulus will be as strong as an RSA modulus generated using the traditional algorithm with high entropy.

  20. If the host has high entropy, the EA cannot learn anything about and .

  21. If the host does not follow the protocol, either the EA or CA will be able to detect the violation, or the resulting will still have high entropy. Therefore, a misbehaving host cannot get a CA to sign a low-entropy key.

  22. Performance • On a laptop… • Traditional RSA: 0.59s • Our protocol: 3.18s

  23. Performance • On a Linksys router… • Traditional RSA: 59.6s • Our protocol: 111.7s • Includes ~100ms RTT network latency • Relatively small overhead: ~2x

  24. Related Work • Juels and Guajardo (2002) introduced the idea of a randomness authority, with a protocol for key generation • Uses range proofs (proving a commitment is to an integer in a given range) • Expensive, many calculations • Our protocol avoids range proofs faster

  25. Future work • Integrate protocol into certificate signing request to CA

  26. Conclusion • Protocol for generating an RSA modulus with sufficient randomness • Feasible to implement on today’s hardware • Small overhead to traditional RSA Contact: wmu@cs.stanford.edu

More Related