1 / 42

Attacking RSA

Attacking RSA. Brian Winant bwinant@gwu.edu. Reference. “Twenty Years of Attacks on the RSA Cryptosystem” By Dan Boneh In Notices of the American Mathematical Society (AMS), Vol. 46, No. 2, pp. 203-213, 1999. Introduction. RSA introduced August 1977 R = Ron Rivest S = Adi Shamir

osma
Download Presentation

Attacking RSA

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Attacking RSA Brian Winant bwinant@gwu.edu

  2. Reference “Twenty Years of Attacks on the RSA Cryptosystem” By Dan Boneh In Notices of the American Mathematical Society (AMS), Vol. 46, No. 2, pp. 203-213, 1999

  3. Introduction • RSA introduced August 1977 • R = Ron Rivest • S = Adi Shamir • A = Len Adleman • Subject to two+ decades of cryptanalysis • No serious attacks found • Most known attacks based on implementation weaknesses

  4. RSA Review - Modulus • Let pq = N • N is n bits long • p, q are large primes of length n/2 • In practice N is at least 1024 bits • 1024 bits = 309 decimal digits

  5. RSA Review - Keys • Choose exponents e and d • Such that ed = 1 mod j(N) • j(N) is the Euler phi function • Since N=pq, j(N) = (p – 1)(q – 1) • j(N) is the order of the multiplicative group ZN* • (N, e), (N, d) are the public/private keys • Doesn’t matter which is which

  6. RSA Review - Encryption • Plaintext M Î ZN* • Ciphertext C Î ZN* • Encryption • fk(M) = C = Me mod N • Decryption • gk(C) = Cd mod N • Med mod N = M

  7. Trapdoors • fk(M) is a one-way trapdoor function • Exponent d is the trapdoor • Makes inverting fk(M) easy • How hard is it to invert fk(M) without the trapdoor? • No known mechanism to easily invert fk(M) • However, not proven to be impossible

  8. Breaking RSA • Goal • Invert fk(M) without knowing d • Formally • Given (N, e, C) • Assume the factorization of N is unknown • How hard is it to compute the eth root of C mod N?

  9. Naïve Approach • ZN* is finite • Try all M Î ZN* • Runtime is exponential • Interested only in efficient algorithms • O(nc) where • n = log2 N • c is a small constant (< 5)

  10. Theory vs. Implementation • Difference between the function and the cryptosystem • Cryptosystem is not semantically secure • Given (N, e, C) it is possible to recover some information about M • Example: Jacobi symbol of M over N • Fixed by padding M with random bits

  11. Types of Attacks • Factoring • Elementary • Low Private Exponent • Low Public Exponent • Implementation

  12. Factoring • If N can be factored • p,q are known • j(N) can be computed • d = e-1 mod j(N) easily computed using Euclid’s method • State of the art factoring algorithms still exponential log N • General Number Field Sieve • Largest factored modulus: 576 bits • 174 decimal digits

  13. More Factoring • For some N, factoring is easy • Pollard’s p – 1 algorithm • p – 1 is a product of primes less than B • N can be factored O(B3) • Some RSA implementations reject such p

  14. Breaking RSA vs. Factoring • If an efficient factoring algorithm exists, RSA is insecure • Open Problem: Is converse true? • Must N be factored in order to efficiently compute eth roots mod N? • Is breaking RSA as hard as factoring?

  15. Open Problem: Definition • Given N, e = gcd(e, j(N)) = 1 • Define fe,N: ZN* -> ZN* = x1/e mod N • Given an oracle that evaluates f in unit time • Is there a polynomial-time algorithm A that computes factorization of N?

  16. Open Problem: Answer? • Probably not • Evidence that for small e, answer may be no • There may not exist a polynomial-time reduction from factoring to breaking RSA • However, not proven • Negative answered probably preferred over positive answer

  17. Elementary Attacks • Due to misuse of RSA • Many exist • Modulus Reuse • Blinding

  18. Modulus Reuse • To save time, why not reuse N? • Trusted authority can provide user i with keys (N, ei), (N, di) • Attacker can use own ea, da to factor N • Once N is factored, recovering di easy • Do not reuse N

  19. Blinding • Fool Bob into signing an arbitrary M • e,d are Bob’s public and private keys • Choose random r Î ZN* • Let M’ = reM mod N • Have Bob sign S’ = (M’)d mod N

  20. Blinding • Compute S = S’/r mod N • Se = (S’)e/re = (M’)ed/re = (reM)ed/re = reM/re = M • Attacker now has signature on M

  21. Blinding: Defense • In practice, attack not feasible • Prevented by first hashing M before signing • An attack, but required for anonymous digital cash

  22. Low Private Exponent • Reduce decryption time by using small d • If d < (1/3)N1/4, d can be recovered • Approximation method based on continued fractions • Small d can still be chosen using Chinese Remainder Theorem in a possibly secure manner • Ensure d mod j(N) is still large • Open Problem: How small can d be?

  23. Open Problem • Let N = pq • Let d < N0.5 • Let e <j(N) • ed = 1 mod j(N) • If attacker is given (N, e), can d be recovered efficiently?

  24. Low Public Exponent • In practice, small public keys are used • Reduces encryption, signature-verification time • Smallest e = 3 • Recommended e = 216 + 1 • For signature-verification: • Requires 17 multiplications • Approx. 1000 when random e used • Small public keys are not as dangerous as small private keys

  25. Low Public Exponent Attacks • Broadcast Attack • Related Message Attack • Short Pad Attack • Partial Key Exposure Attack

  26. Broadcast Attack • Bob sends M to parties P1 … PK • Pi has public key (Ni, ei) • M < Ni for all i • Bob encrypts M with key for each Pi • Attacker can collect all k ciphertexts and recover M if k ³e

  27. Broadcast Attack: Simplified • Assume ei = 3 for all i • Attacker collects C1, C2, C3 • C1 = M3 mod N1 • C2 = M3 mod N2 • C3 = M3 mod N3 • Chinese Remainder Theorem • C’ = M3 mod N1N2N3

  28. Broadcast Attack: Simplified • Since M < all Ni, M3 < N1N2N3 • So C’ = M3 • Recover M by calculating cube root of C’

  29. Broadcast Attack: Defense • Pad M with random bits • Padding M with non-random bits allows other attacks

  30. Related Message Attack • Bob sends Alice related messages using same modulus • (N, e) is Alice’s public key • M1¹ M2Î ZN* • M1 = f(M2) mod N • f is a publicly known polynomial mod N • f(x) = ax + b mod N, b ¹ 0 • Given (N, e, C1, C2, f) attacker can recover M1, M2 in quadratic time log N

  31. Related Message Attack • Works by computing GCD of two polynomials • g1(x) = f(x)e – C1 • g1(x) = xe – C2 • For large e, computing GCD too expensive

  32. Short Pad Attack • Exploit naïve random paddings of M • Add random bits to one end of M • Requires knowledge of two ciphertexts corresponding to the same message

  33. Short Pad Attack • |N| = n • m = floor(n/e2) • Relationship between pad and key lengths • |M| = n – m • M1 = 2mM + r1 • M2 = 2mM + r2 • 0 £ r1, r2 < 2m • Given (N, e, C1, C2), M can be efficiently recovered

  34. Partial Key Exposure Attack • If a portion of d is exposed, can all of d be recovered? • Yes, if e is small • e < sqrt(N) • Need ceil(n/4) least significant bits of d

  35. Implementation Attacks • Attack the implementation of RSA, not the underlying mathematical structure • Timing • Random Faults • PCKS 1

  36. Timing Attack • Smartcard attack • Based on timing the efficient modulo exponentiation algorithm • Can recover bits based on whether or not the squaring step is performed • Similar attack based on monitoring power consumption

  37. Timing Attack: Defense • Add delay • Use blinding on itself • Adds randomness to ciphertext • Less correlation between input and key bits • Approach due to Rivest

  38. Random Faults • Many RSA implementations use Chinese Remainder Theorem • Speed up computation of Md mod N • Let a = d mod (p – 1) • Let b = d mod (q – 1) • Ca = Mamod p • Cb = Mbmod q • C = T1Ca + T2C2 mod N • Faster since less exponentiation is needed

  39. Random Faults • Suppose computer glitch causes an incorrect bit • Either Ca or Cb will be incorrect • Can detect the incorrect result C • Ce = M mod p • Ce¹ M mod q • Exposes a factor of N, but requires knowledge of M

  40. Random Faults: Defense • Requires M to not be padded • Add random bits • Check before sending • You’re doing this anyway, right?

  41. PKCS 1 Attack • Possible in older version of standard • Implementations will raise error if C does not contain 16 bit “02” • Equals an oracle which can reveal whether the most significant 16 bits of C equals 02

  42. Conclusion • RSA function susceptible to mathematical trickery • Exploits are not practical • Easy to defend against • Would never occur in reality • Requires correct and secure implementation • No known dangerous attacks against properly implemented RSA

More Related