Communications security

Transcription

1 University of Roma Sapienza DIET Communications security Lecturer: Andrea Baiocchi DIET - University of Roma La Sapienza [email protected] URL: Lecture 12 Attacks on RSA [Sti02], Cap. 5 ( ) Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A About algorithms and code Creati un esercito di servi perfetti, capaci di eseguire per tuo conto compiti ingrati, e sarai il padrone del mondo. [N. Tartaglia, Il general trattato di numeri et misure, ] Microprogramming an inefficient algorithm does not make it efficient. [Rausher s law] Question: what is the difference between c++ and c? Answer: one. [anonymous joke] Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

2 RSA security! All public key cryptography can offer is computational security! We cover the following RSA security issues: Choice of RSA algorithm parameters (exponents a and b); RSA pitfalls tied to the mathematical structure of RSA algorithm; Attacks on RSA algorithm based on factorization of the modulus n (key only attack); Making RSA encryption semantically secure (OAEP = Optimal Asymmetric Encryptio Padding).! As with other cryptosystems, timing and/or power analysis attacks on RSA implementations are possible. Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A The public exponent b! Any number 1<b<!(n) is in principle acceptable, provided it can be inverted modulo!(n), i.e. gcd(b,!(n))=1. So, b must be odd and!3! It is possible to choose a fixed value of b, then to generate random primes p and q with the constraint gcd(b,(p 1)(q 1))=1 Possible good choices of b are 3, 5, 17= , ! A fixed value of b=3 can be taken Pros Low complexity of encryption and signature verification Easier distribution of public key info Cons To make b prime with (p 1)(q 1), p and q have to be chosen so that p and q are equal to 2 mod 3 (it can t be p or q = 0 mod 3!); this can be done by generating a random number x and testing if 6x+5 is prime Small message: if size(m) < size(n)/3 no modular reduction takes place Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

3 Problems with public exponent b! Low exponent attack The attack works if a message m is encrypted b times using b co-prime RSA moduli n i, 1"i"b; let c i =m b mod n i, 1"i"b. The attack proceeds as follows Compute c satisfying c=c i mod n i, 1"i"b, and 0"c< n 1 n b with the CRT The message m equals the b-th root of c in Z. The attack works because c =m b satisfies the same constraints as c and the CRT solution is unique (mod n) and m b < n (why?); it is made possible since m is the same for all recipients and it is practical if b is low (not the order of n)! It is essential that the public key be different for any different instance and use of RSA E.g. if RSA is used for signing messages and for encryption, two different values of b shall be chosen for these two functions Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A The private exponent a! Given the public key (n,b), any one of p, q,!(n), a is sufficient to recover all others Given p (q) the other prime is found immediately as q=n/p (p=n/q); then! (n) is trivially computed and a is found as the multiplicative inverse of b modulo!(n) Given!(n), we have n!(n)+1=p+q=s; then it is easily seen that p and q are the roots of the equation x 2 xs+n=0; a can be computed as above Given a, a Las Vegas kind of algorithm can be conceived to attempt the factorization of n with average-case success probability at least 1/2 (see [STIN02] p. 197; [BUCH04] p. 172) In practice, if b is a sufficiently low integer, since a<!(n), ab 1 is only a small factor times!(n); the attacker can just try to guess such small factor m, compute!(n) as (ab 1)/m and then proceed as in the previous case Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

4 Problems with private exponent a! Given the decryption exponent of RSA, a, it is possible to factor n by means of a randomized algorithm This implies that computing a is essentially no easier than factoring n More importantly, from the practical side this tells us that if a is ever compromised, it is NOT sufficient to define a different private key; also n and hence the whole set of RSA parameters MUST be generated anew! M. Wiener has shown that a polynomial time algorithm can be defined to factor an RSA modulus n provided a<n 1/4 /3 and q<p<2q. If the number of bits of n is k, this attack will succeed provided the binary representation of a has less than k/4 1 bit and p and q are not too far apart Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A RSA pitfalls! A basic problem of RSA is mathematical structure, that lends itself to a number of attacks! One problem is the multiplicative property of RSA: if c i (i=1,2) is the ciphertext of the plaintext m i, then the ciphertext of the new plaintext m=m 1 m 2 is just c=c 1 c 2. We ll see how this opens some possible avenues of attack specific of RSA! Another problem arises if m b <n; then, no modulo reduction takes place ever, so that the plaintext can be recovered by just taking the b-th root of the ciphertext If a 128 bit AES key is being encrypted with RSA and b=3, the resulting exponential is a 384 bit number, well below a typical choice of n Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

5 Attacking RSA algorithm! Security of RSA algorithm relies on the fact that modular exponentiation as used in RSA is deemed to be a one-way function! This ultimately relies on two facts: computing a implies factoring n (i.e. no simpler means exist to recover a) This is not proved! there is no efficient algorithm for factoring integer n=pq. Complexity of best known algorithms to date is subexponential, yet superpolynomial, i.e. O(e log(n)! log(log(n)) " )! The main attack on RSA focuses on factoring n To make this securely unfeasible with current and foreseeable technology and techniques, n should be at least a 1024 bit integer; therefore p and q must be at least 512 bit prime integers Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A Integer factoring! By factoring of an integer n we mean to find any factor of n (either prime or not) Complete factorization can be obtained iteratively, if needed Factorization can be trivially pursued by trial division with all primes "# (n) If n is not prime, n=p q and one of the two factors must be no greater than # (n), so that there must be at least one prime factor of n that is "# (n).! There are many algorithms to factor integers, none efficient, except special characteristics of n are given.! Most used factoring algorithms are quadratic sieve and, more recently, the number field sieve; their complexity is Quadratic sieve : O(exp((1+o(1)) # (log(n) log(log(n))))) Number field sieve: O(exp((1.92+o(1)) (log(n)) 1/3 (log(log(n))) 2/3 )) Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

6 Pollard p 1 algorithm! One of the simplest factoring algorithms! Assumes that n has a prime divisor p so that all prime powers dividing p 1 are not greater than a given B It is easily checked that then (p 1) B! We compute a=2 B! (mod n), then a=2 B! =2 m(p 1) =1 (mod p) (first equality since p is a factor of n; last one from little Fermat theorem) Therefore p (a 1) and p n, hence p d=gcd(a 1,n); d is clearly a non trivial factor of n! The algorithm just sets B, computes a=2 B! (mod n) and checks whether gcd(a 1,n)>1; if that is the case, a factor of n is found a # 2; for j=2:b do a # a j (mod n); endfor; d # gcd(a 1,n) Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A Practical issues! Computational complexity of Pollard p 1 algorithm The algorithm requires B 1 modular exponentiations each requiring O(log 2 B) modular moltiplications The gcd can be computed in time O((log 2 n) 3 ) Overall complexity is O(B log 2 B (log 2 n) 2 + (log 2 n) 3 ); if B is O((log 2 n) i ) for some i, the algorithm has polynomial time! The penalizing trade-off of the Pollard p 1 algorithm is that for small values of B it can hardly succeed, whereas for B in the order of # (n) its complexity is no more polynomial! It gives a useful indication though: an RSA modulus should not have a prime factor p so that p 1 has only small prime factors This is readily obtained e.g. by choosing p=2p 1 +1, where p 1 is a large prime number and p is checked to be prime as well Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

7 Factoring in practice! Early factoring: By exploiting quadratic sieve, a 69-digit number was factored in 1983; A 106-digit number was factored in 1989 with distributed computations; In 1994 RSA-129 was factored, requiring 5000 MIPS-year donated by over 600 researchers around the world.! RSA factoring challenge (ended 2007) and beyond: RSA-576, 174 decimal digita (December 2003); RSA-640, 193 decimal digits (November 2005); RSA-696, 210 decimal digits (September 2013); RSA-704, 212 decimal digits (July 2012); RSA-768, 232 decimal digits (December 2009).! 1024 bit integers can be expected to be factored before 2020 unless quantum computing comes to reality first! Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A Semantic security! Attacks considered up to now aim at recovering the private key! The goal of the adversary can be less ambitious; still we would like the cryptosystem not to leak any information! The following are examples Total break: Oscar is able to determine Bob s private key Partial break: with some non negligible probability, Oscar is able to decrypt or gain some information about a previously unseen ciphered plaintext Distinguishability of ciphertexts: with probability exceeding 1/2 Oscar is able to distinguish between the encryptions of two different plaintexts or between an enciphered plaintext and a random bit string! Semantic security prevents distinguishability of ciphertexts Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

8 Distinguishability! Cyphertext distinguishability problem (CDP) statement Let f be an encryption function on the plaintext set X, f: X $ X; a problem instance is given by any two distinct plaintexts x 1,x 2 %X and a cyphertext y=f(x i ), i %{1,2}. The problem is: i=1?! A semantically secure cryptosystem is one for which the CDP is unfeasible This can be shown to be equivalent to complete semantic security, i.e. nothing can be inferred of the plaintext.! A deterministic cryptosystem f is clearly insufficient; we have to include some randomization element With a chosen plaintext attack CDP for a deterministic cipher is trivial Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A Semantically secure cryptosystem! Let m and k be positive integers, F a family of one-way trapdoor permutations on {0,1} k, G: {0,1} k $ {0,1} m be a random oracle.! Then P={0,1} m, C={0,1} k x{0,1} m and K={(f,f 1,G): f %F}.! For K=(f,f 1,G), let r %{0,1} k be chosen randomly and let e K (x) = (y 1,y 2 ) = (f(r),g(r)&x) d K (y 1,y 2 ) = G(f 1 (y 1 ))&y 2! The private key is (f 1 ); the public key is (f,g).! Major drawback: overhead (m+k bit required for m bit plaintext) If RSA is used, it is k!1024; if G is a hash, like SHA-1, m=160. Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

9 Semantic security proof concept! Intuition The plaintext is blinded by means of a random oracle function applied to a random bitstring; since G is a random oracle function, full knowledge of its argument is required to evaluate it; on the other hand, this knowledge can be derived by inverting f, which is assumed to be unfeasible.! Proof approach by reduction Assume there exists an algorithm DISTINGUISH, which can solve correctly the CDP with probability!1/2+' for '>0. The random oracle function is simulated by a random generator SIMG. It can be shown that there exists an efficient algorithm, exploiting DISTINGUISH and SIMG, that can invert f for a randomly chosen y=f(x) with probability bounded away from 0. Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A Optimal Asymmetric Encryption Padding! Let m and k>m be positive integers, s=k m, F a family of oneway trapdoor permutations on {0,1} k, G: {0,1} s $ {0,1} m and H: {0,1} m $ {0,1} s be random functions.! Let P={0,1} m, C={0,1} k ={0,1} m+s and K={(f,f 1,G,H): f %F}.! For K=(f,f 1,G,H), let r %{0,1} s be chosen randomly and let y=e K (x) = f(y 1 y 2 ) with y 1 =x&g(r) and y 2 =r&h(x&g(r)); d K (y) = G(z 2 &H(z 1 ))&z 1 with f 1 (y)=z 1 z 2, and z 1 =m, z 2 =s. Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

10 Semantically secure RSA! Let O(2 s ) the desired complexity for the attack and let m=k s 1>s, where k=floor(log 2 (n)) E.g. s=128 (to guarantee unfeasibility) and k=1024.! Let us define an expansion function G: {0,1} s $ {0,1} m and a compression function H: {0,1} m $ {0,1} s They may be constructed by using cryptographic hash functions! The plaintext x is an m-bit string and r is an s-bit random number Encryption: y = (2 s (x&g(r))+(r&h(x&g(r)))) b mod n Decryption: 2 s u+r&h(u) = y a mod n = z, hence u = z div 2 s and r&h(u) = z mod 2 s, so r=(z mod 2 s )&H(z div 2 s ) and x=u&g(r). Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A