340 likes | 348 Views
This lecture explores the security of RSA, focusing on the factoring of large numbers and the potential attacks on the encryption algorithm. It discusses various algorithms and approaches that have been used to break RSA, as well as the challenges and limitations in finding the correct prime factors of a number.
E N D
Lecture 8: Security of RSA THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE. David Evans http://www.cs.virginia.edu/~evans CS551: Security and Privacy University of Virginia Computer Science
Menu • (Anonymous) Pop Quiz • Security of RSA • Factoring • Public Key Infrastructures University of Virginia CS 551
Properties of E and D • Trap-door one way function: • D (E (M)) = M • E and D are easy to compute. • Revealing E doesn’t reveal an easy way to compute D (next time) • Trap-door one way permutation: also • E (D (M)) = M Are there other functions that have properties 1, 2 and 4? University of Virginia CS 551
RSA E(M) = Me mod n D(C) = Cd mod n n = p * q p, q are prime d is relatively prime to(p – 1)(q – 1) e * d 1 (mod (p – 1)(q – 1)) University of Virginia CS 551
Revealing E doesn’t reveal D • Revealing E: e, n. • Can attacker find D? • If attacker factors n = p * q e * d 1 (mod (p – 1)(q – 1)) Easy to find d e-1 mod (p – 1)(q – 1) • Use experience to argue factoring is hard. • Argue all other attacks are at least as hard as factoring n. University of Virginia CS 551
Gardner’s Column: Original RSA challenge ($100) n (RSA-129) = 1 1438 1625 7578 8886 7669 2357 7997 6146 6120 1021 8296 7212 4236 2562 5618 4293 5706 9352 4573 3897 8305 9712 3563 9587 0505 8989 0751 4759 9290 0268 7954 3541 e = 9007 C = 9686 9613 7546 2206 1477 1409 2225 4355 8829 0575 9991 1245 7431 9874 6951 2093 0816 2982 2514 5708 3569 3147 6622 8839 8962 8013 3919 9055 1829 9451 5781 5154 Scientific American, August 1977 University of Virginia CS 551
40000000000000000 17 Ron Rivest (1977): factoring n (129 digits) would require at least 40 quadrillion years if you could do a * b mod c in one nanosecond. Derek Atkins (April 1994): We are happy to announce that RSA-129 = 3490 5295 1084 7650 9491 4784 9619 9038 9813 3417 7646 3849 3387 8439 9082 0577 * 3 2769 1329 9326 6709 5499 6198 8190 8344 6141 3177 6429 6799 2942 5397 9828 8533 University of Virginia CS 551
How so Fast • Better factoring algorithms • Distributed computation • Still can’t do a * b mod c in one nanosecond (not faster processors) • 1ns = 10-9 s • Best processors today 1 GHz (cycle = 1ns) • But, multiplying 100 digit numbers takes many cycles University of Virginia CS 551
Trial and Error Factoring • Try every number up to n. • Requires O(n) divisions. • For RSA-129 = 1.1 * 1064 divisions, 1 per nanosecond = 3.4 * 1047 years • Just try prime numbers: requires O((n)) divisions (assumes you already know all the primes up to n) • The Prime Number Theorem: (x) ~ x/lnx • For RSA-129 = 7.2 * 1061 divisions, 1 per nanosecond = 2.3 * 1045 years University of Virginia CS 551
Pollard Rho Method • Fastest known in 1977 [Pollard75] • To find factor p, requires 4p modular multiplies • Worst case: lowest p is n, we need 4n multiplies • For RSA-129 = 1.3 * 1032 = 4 * 1015 years • Rivest probably used this, but made a math error (4 quadrilllion 40 quadrilllion) University of Virginia CS 551
Pollard Rho • Pick arbitrary x0. • Iterate: xn + 1 = xn2 + 1 • If p is prime, xnmod p must eventually repeat: xn1 xn2 mod p xn1 + k xn2 + k mod p for allk >= 0. • Can find x2n xn mod p for some n >= n1. • If gcd(x2n – xn,N)> 1 then p is a factor of N. • x2n – xn = kp = gcd(x2n – xn,N) University of Virginia CS 551
Quadratic Sieve • To factor n, find x and y such that x2 y2 mod n • Then, n divides x2 – y2 = (x – y) (x + y). • n = gcd (n, x – y) * gcd (n, x + y). • If we’re lucky, factors will be non-trivial • If x and y generated “randomly”, probability is ½ since n has 2 prime factors University of Virginia CS 551
Breaking RSA-129 • Organized by Derek Atkins and others, 1994 • Quadratic Sieve algorithm • Memory-limited (1994 – most workstations 16MB RAM), used 10M to hold .5M primes • Recruited volunteers from Internet • 1600 machines • Used 5000 MIPS years over 8 months University of Virginia CS 551
To factor r [RSA-129] we assembled the largest collaboration yet seen in computational number theory and, possibly, performed the largest single computation ever completed. In several important respects, the resources we had available were barely adequate for the task. Consequently, ingenuity and diplomacy were required for the successful completion of the project. Derek Atkins, Michael Graff, et. al., The Magic Words Are Squeamish Ossifrage, AsiaCrypt 1994. University of Virginia CS 551
Recent Factoring Algorithms • Team from CWI (Amsterdam) factored RSA-155 (512 bits), August 1999 • ~8000 MIPS years (36 CPU years) • 7 months on ~300 machines • Number Field Sieve • Lecture 1: factor RSA-300 for automatic A. How much harder is this? University of Virginia CS 551
RSA Security • Factoring is hard RSA is secure? • Can you compute D without factoring n? • Probably not, but can’t prove it. • Can prove other mathematical attacks are equivalent to factoring. University of Virginia CS 551
(n) without factoring • Calculate (n) without factoring n. e * d 1 (mod (n)) • Equivalent to factoring: (n) = n – (p + q) + 1 p + q = n – (n) –1 University of Virginia CS 551
(n) without factoring (p + q)2 – 4n = (p2 + 2pq + q2 ) – 4n = p2 + 2n + q2 –4n = p2 – 2n + q2 = p2 – 2pq + q2 = (p – q)2 p – q = sqrt ((p + q)2 – 4n) p + q = n – (n) –1 2p = sqrt ((n – (n) –1)2 – 4n) + n – (n) –1 University of Virginia CS 551
Determine dwithout (n) • Brute force: m digits long, amount of work is 10m. • Try 1M/second (special purpose hardware) • Will take 3*1036years for m = 50. • For factoring difficulty, m > 100. • Non-brute force: knowing d enables factoring. University of Virginia CS 551
Determining d factoring ed = 1mod (n) k * (n) = ed – 1 Already showed, finding (n) is same as factoring. Also true for multiple of (n). University of Virginia CS 551
Properties of RSA’s E and D • Trap-door one way function: • D (E (M)) = M • E and D are easy to compute. • Revealing E doesn’t reveal an easy way to compute D (next time) • Trap-door one way permutation: also • E (D (M)) = M University of Virginia CS 551
Key Management Public keys only useful if you know: • The key matches the entity you think it does. • The entity is trustworthy. University of Virginia CS 551
Approach 1: Public Announcement • Publish public keys in a public forum • USENET groups • Append to email messages • New York Time classifieds • Easy for rogue to pretend to be someone else University of Virginia CS 551
Approach 2: Public Directory • Trusted authority maintains directory mapping names to public keys • Entities register public keys with authority in some secure way • Authority publishes directory • Print using watermarked paper, special fonts, etc. • Allow secure electronic access University of Virginia CS 551
One Key • Electronic access requires directory have key (public/private key pair might work, but how do entities validate public key?) • If authority’s key is compromised, everything is vulnerable! • Keep the key locked up well • Directory is single point of failure University of Virginia CS 551
KUB CA = EKRTrustMe[“Alice”, KUA] CB = EKRTrustMe[“Bob”, KUB] CA CB Approach 3: Certificates TrustMe.com KUA Alice Bob How do I know “Alice” is “Alice”? University of Virginia CS 551
CA = EKRTrustMe [IDA, KUA] CB = EKRTrustMe [IDB, KUB] CA CB TrustMe.com KUA KUB Alice Bob What if Alice’s private key is compromised? University of Virginia CS 551
CA = EKRTrustMe[Time1, IDA, KUA] CB = EKRTrustMe[Time2, IDB, KUB] CA CB TrustMe.com KUA $$$$ KUB Alice Bob University of Virginia CS 551
Data encrypted using secret key exchanged using some public key associated with some certificate. University of Virginia CS 551
Web Treasure Hunt • Click on “lock” next time when you browse the web • Find a certificate with a hierarchy of trust more than one level deep • The CA has a certificate University of Virginia CS 551
Charge • PS2 Due Wednesday • Full Project Proposals due 4 Oct (description now on web) • SSL details coming in a few weeks... University of Virginia CS 551