
Computer Security

Learn about modular arithmetic and RSA encryption, including residue classes, fundamental lemmas, Euler's Theorem, and the RSA cryptosystem. Explore how RSA encryption works and the importance of prime numbers in RSA keys.



Presentation Transcript


  1. Computer Security • Modular Arithmetic • RSA Analysis • SSL/TLS • Heartbleed Bug

  2. (a mod n) means the remainder of a divided by n.

  3. Definition: Modular equivalence of integers a and b • a ≡ b [mod n] • ⇔ (a mod n) = (b mod n) ⇔ a = b + kn for some integer k • Written as a ≡_n b, and spoken • “a is congruent to b modulo n” or • “a and b are equivalent modulo n”

  4. n induces a natural partition of the integers into n classes. • a and b are said to be in the same “residue class” or “congruence class” exactly when a ≡_n b.

  5. Residue Classes Mod 3: • [0] = { …, -6, -3, 0, 3, 6, …} • [1] = { …, -5, -2, 1, 4, 7, …} • [2] = { …, -4, -1, 2, 5, 8, …} • [-6] = { …, -6, -3, 0, 3, 6, …} • [7] = { …, -5, -2, 1, 4, 7, …} • [-1] = { …, -4, -1, 2, 5, 8, …}

  6. Fundamental lemma of plus, minus, and times modulo n: • If (x ≡_n y) and (a ≡_n b), then • 1) x + a ≡_n y + b • 2) x - a ≡_n y - b • 3) x * a ≡_n y * b

  7. A Unique Representation System Modulo n: • We pick exactly one representative from each residue class. We do all our calculations using these representatives.

  8. Perhaps the most convenient set of representatives: • The reduced system modulo n: • Zn = {0, 1, 2, …, n-1} • Define operations +n and *n: • a +n b = (a+b mod n) • a *n b = (a*b mod n)

  9. The reduced system modulo 3 • Z3 = {0, 1, 2} • Two binary, associative operators on Z3:

  10. Is there a fundamental lemma of division modulo n? • cx ≡_n cy ⇒ x ≡_n y ? This statement holds if c has a multiplicative inverse. • cx ≡_n cy ⇒ c⁻¹cx ≡_n c⁻¹cy ⇒ x ≡_n y

  11. When doesn’t c have an inverse? • If GCD(c,n) > 1 (i.e., c shares a factor p > 1 with n), then c does not have an inverse. • c = k1·p, n = k2·p • Proof by contradiction: • Suppose that c has an inverse c⁻¹. • Then c·c⁻¹ = 1 + kn for some integer k. • k1·p·c⁻¹ = 1 + k·k2·p • p(k1·c⁻¹ - k·k2) = 1 • But no multiple of p can be equal to 1.

  12. Fundamental lemma of division modulo n. • If GCD(c,n) = 1, then ca ≡_n cb ⇒ a ≡_n b • Consider the set • Zn* = {x ∈ Zn | GCD(x,n) = 1} • Multiplication over this set Zn* will have the cancellation property.

  13. Z6 = {0, 1, 2, 3, 4, 5}, Z6* = {1, 5}

  14. Z12* = {0 ≤ x < 12 | gcd(x,12) = 1} = {1,5,7,11}

  15. Z15*

  16. Z5* = {1,2,3,4} • = Z5 \ {0} • For all primes p, Zp* = Zp \ {0}, since all 0 < x < p satisfy gcd(x,p) = 1

  17. Euler Phi Function φ(n) • Define φ(n) = size of Zn* • = number of 1 ≤ k < n that are relatively prime to n. • p prime ⇒ Zp* = {1, 2, 3, …, p-1}, φ(p) = p-1

  18. Z12* = {0 ≤ x < 12 | gcd(x,12) = 1} = {1, 5, 7, 11} • φ(12) = 4

  19. Theorem: if p, q are distinct primes then φ(pq) = (p-1)(q-1) • pq = # of numbers from 1 to pq • p = # of multiples of q up to pq • q = # of multiples of p up to pq • 1 = # of multiples of both p and q up to pq • φ(pq) = pq – p – q + 1 = (p-1)(q-1)

  20. Fundamental lemma of powers? • If (a ≡_n b) • Then x^a ≡_n x^b ? • NO! • (2 ≡_3 5), but it is not the case that 2^2 ≡_3 2^5 • Notice that in x^a, a is an integer indicating how many times to apply the multiplication operation, whereas x is an element in a multiplicative group. These are objects of different types.

  21. Euler’s Theorem • a ∈ Zn*, a^φ(n) ≡_n 1 • Fermat’s Little Theorem • (special case) • p prime, a ∈ Zp*, a^(p-1) ≡_p 1

  22. Fundamental lemma of powers. • Suppose x ∈ Zn*, and a, b, n are naturals. • If a ≡_φ(n) b then x^a ≡_n x^b
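An added example (not part of the slides) that checks slides 12–22 in Python: it builds Zn*, computes φ(n) by counting, verifies Euler's Theorem, and contrasts reducing an exponent mod n (wrong, the slide-20 counterexample) with reducing it mod φ(n) (right, the slide-22 lemma). Function names are the example's own.

```python
from math import gcd


def units(n):
    """Z_n* = {x in Z_n | gcd(x, n) = 1}: the elements with a multiplicative inverse mod n."""
    return [x for x in range(n) if gcd(x, n) == 1]


def phi(n):
    """Euler's phi function as defined on slide 17: phi(n) = |Z_n*| (brute force, fine for small n)."""
    return len(units(n))


def euler_holds(n):
    """Euler's Theorem (slide 21): a^phi(n) = 1 (mod n) for every a in Z_n*."""
    return all(pow(a, phi(n), n) == 1 for a in units(n))


def reduce_exponent_mod_n(x, a, n):
    """The tempting but FALSE 'lemma of powers' (slide 20): treat the exponent a
    as if it lived in Z_n. Exponents are counts, not group elements, so this can be wrong."""
    return pow(x, a % n, n)


def reduce_exponent_mod_phi(x, a, n):
    """The correct lemma (slide 22): for x in Z_n*, a = b (mod phi(n)) implies x^a = x^b (mod n),
    so an exponent may be reduced modulo phi(n), never modulo n."""
    if gcd(x, n) != 1:
        raise ValueError("x must be in Z_n* for the lemma to apply")
    return pow(x, a % phi(n), n)


if __name__ == "__main__":
    print("Z_12* =", units(12), "phi(12) =", phi(12))
    print("Euler holds for n=15:", euler_holds(15))
    # Slide 20: 2 = 5 (mod 3), yet 2^2 and 2^5 differ mod 3.
    print("2^5 mod 3 =", pow(2, 5, 3),
          "| exponent reduced mod 3:", reduce_exponent_mod_n(2, 5, 3),
          "| exponent reduced mod phi(3):", reduce_exponent_mod_phi(2, 5, 3))
```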

  23. RSA • Invented by Rivest, Shamir and Adleman in 1978 • Based on difficulty of factoring. • Used to hide the size of a group Zn*, since: • Factoring has not been reduced to RSA: an algorithm that generates m from c does not give an efficient algorithm for factoring. • On the other hand, factoring has been reduced to finding the private key: there is an efficient algorithm for factoring given one that can find the private key.

  24. RSA Public-key Cryptosystem • What we need: • p and q, primes of approximately the same size • n = pq, φ(n) = (p-1)(q-1) • e ∈ Z_φ(n)* • d = inverse of e in Z_φ(n)*, i.e., d = e⁻¹ mod φ(n) • Public Key: (e, n) • Private Key: d • Encode: • m ∈ Zn • E(m) = m^e mod n • Decode: • D(c) = c^d mod n

  25. RSA continued • Why it works: • D(c) = c^d mod n • = m^(ed) mod n • = m^(1 + k(p-1)(q-1)) mod n • = m^(1 + kφ(n)) mod n • = m·(m^φ(n))^k mod n • = m (by Euler’s Theorem, m^(kφ(n)) mod n = m^0 mod n = 1, if m and n are relatively prime.) • Note that in general m^a ≢ m^(a mod n) (mod n), but by Euler’s Theorem m^a ≡ m^(a mod φ(n)) (mod n), where φ(n) = |Zn*|, Zn* = {s ∈ Zn such that s and n are relatively prime}, and m ∈ Zn*.

  26. What if m and n share a factor? • Euler’s theorem doesn’t guarantee that m^(kφ(n)) ≡ 1 mod n • Answer 1: Special case, still works. By the Chinese Remainder Theorem, if m^(ed) ≡ m mod p and m^(ed) ≡ m mod q, then m^(ed) ≡ m mod pq, where p and q are relatively prime. • If m ≡ 0 mod p, then m^(ed) ≡ 0^(ed) = 0 ≡ m mod p. • Otherwise • where by Fermat’s Little Theorem m^(p−1) ≡ 1 mod p • Answer 2: jackpot – you can factor n using Euclid’s alg. • CPS 290

  27. RSA computations • To generate the keys, we need to • Find two primes p and q. Generate candidates and use primality testing to filter them. • Find e⁻¹ mod (p-1)(q-1). Use Euclid’s algorithm. Takes time log²(n). • To encode and decode • Take m^e or c^d. Use the power method. Takes time log(e)·log²(n) and log(d)·log²(n). • In practice e is selected to be small so that encoding is fast.
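The key generation, encoding, decoding and “why it works” of slides 24–27, as an added worked example in Python (not the course's own code). The toy primes 61 and 53 and exponent 17 are constructed values for illustration only; real keys are far larger and, as slide 28 says, messages are padded. The check at the end covers slide 26: every m in Zn round-trips, even one sharing a factor with n, and for such an m gcd(m, n) is a factor of n.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid (slide 27): returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def modinv(e, m):
    """Inverse of e in Z_m*. Raises when gcd(e, m) != 1, because then no inverse exists (slide 11)."""
    g, s, _ = egcd(e, m)
    if g != 1:
        raise ValueError("no inverse: gcd(%d, %d) = %d" % (e, m, g))
    return s % m


def keygen(p, q, e):
    """n = pq, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n). Returns public key (e, n) and private key d."""
    n, ph = p * q, (p - 1) * (q - 1)
    return (e, n), modinv(e, ph)


def encrypt(m, pub):
    """E(m) = m^e mod n, computed with the power method (Python's three-argument pow)."""
    e, n = pub
    return pow(m, e, n)


def decrypt(c, d, n):
    """D(c) = c^d mod n."""
    return pow(c, d, n)


def roundtrip_all(p, q, e):
    """Slide 26, Answer 1: D(E(m)) == m for EVERY m in Z_n, including m that share a factor with n."""
    (e, n), d = keygen(p, q, e)
    return all(decrypt(encrypt(m, (e, n)), d, n) == m for m in range(n))


def leaked_factor(m, n):
    """Slide 26, Answer 2: if m shares a factor with n, Euclid's algorithm on (m, n) returns it."""
    g = gcd(m, n)
    return g if 1 < g < n else None


if __name__ == "__main__":
    pub, d = keygen(61, 53, 17)          # constructed toy parameters
    c = encrypt(65, pub)
    print("public", pub, "private", d, "E(65) =", c, "D(c) =", decrypt(c, d, pub[1]))
    print("all m round-trip:", roundtrip_all(61, 53, 17), "| gcd leak for m=122:", leaked_factor(122, 3233))
```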

  28. Security of RSA • Warning: • Do not use this or any other algorithm naively! • Possible security holes: • Need to use “safe” primes p and q. In particular, p-1 and q-1 should have large prime factors. • p and q should not have the same number of digits. Can use a middle attack starting at sqrt(n). • e cannot be too small. • Don’t use the same n for different e’s. • You should always “pad”.

  29. RSA Performance • Performance: (600MHz PIII) (from: ssh toolkit):

  30. Factoring in the Real World • Quadratic Sieve (QS): • Used in 1994 to factor a 129-digit (428-bit) number. 1600 machines, 8 months. • Number Field Sieve (NFS): • Used in 1999 to factor a 155-digit (512-bit) number. 35 CPU years. At least 4x faster than QS. • Used in 2003-2005 to factor a 200-digit (663-bit) number. 75 CPU years ($20K prize).

  31. Example of SSL (3.0) • SSL (Secure Socket Layer) is the standard for the web (https). • Protocol (somewhat simplified): Bob -> amazon.com
     hand-shake:
       B->A: clienthello: protocol version, acceptable CipherSuites
       A->B: serverhello: CipherSuite, session ID, |amazon.com|verisign
       B->A: key exchange, {masterkey}amazon’s public key
       A->B: server finish: ([amazon, prev-messages, masterkey])key1
       B->A: client finish: ([bob, prev-messages, masterkey])key2
     data:
       A->B: server message: (message1, [message1])key1
       B->A: client message: (message2, [message2])key2
     Notation: • |h|issuer = Certificate = Issuer, <h, h’s public key, time stamp>issuer’s private key • <…>private key = Digital signature • {…}public key = Public-key encryption • [..] = Secure Hash • (…)key = Private-key encryption • key1 and key2 are derived from the random masterkey and the session ID

  32. Server Name Issue • The client expects the server to send a certificate matching the domain of the requested Web site. • But the client doesn’t tell the server which Web site it is requesting -- not a problem if the server hosts only one site. • For servers hosting multiple secure Web sites, the “solution” is to assign multiple IP addresses to the network interface, one for each certificate. • Akamai uses approximately 13M IPv4 addresses for this purpose. • Better solution: the “server name” extension in TLS, the successor to SSL.

  33. TLS Client Hello – TLS Version 1.0 (SSL 3.1)

  34. TLS Client Hello Message – Cipher Suite

  35. TLS Client Hello – Server Name Extension

  36. TLS Server Hello -- Cipher

  37. TLS Server Hello – Certificate
