University of Roma Sapienza, DIET
Communications Security
Lecturer: Andrea Baiocchi, DIET - University of Roma La Sapienza
E-mail: andrea.baiocchi@uniroma1.it
URL: http://net.infocom.uniroma1.it/corsi/index.htm

Lecture 12: Attacks on RSA
Reference: [Sti02], Chap. 5 (pp. 155-225)

Andrea Baiocchi, DIET, Università di Roma Sapienza - Communications Security - academic year 2013-2014

About algorithms and code

"Create an army of perfect servants, able to carry out thankless tasks on your behalf, and you will be master of the world." [N. Tartaglia, Il general trattato di numeri et misure, 1556-1560]

"Microprogramming an inefficient algorithm does not make it efficient." [Rausher's law]

Question: what is the difference between C++ and C? Answer: one. [anonymous joke]
RSA security

- All public key cryptography can offer is computational security.
- We cover the following RSA security issues:
  - choice of the RSA algorithm parameters (exponents a and b);
  - RSA pitfalls tied to the mathematical structure of the RSA algorithm;
  - attacks on the RSA algorithm based on factorization of the modulus n (key-only attack);
  - making RSA encryption semantically secure (OAEP = Optimal Asymmetric Encryption Padding).
- As with other cryptosystems, timing and/or power analysis attacks on RSA implementations are possible.

The public exponent b

- Any number 1 < b < φ(n) is in principle acceptable, provided it can be inverted modulo φ(n), i.e. gcd(b, φ(n)) = 1. So b must be odd and b ≥ 3.
- It is possible to choose a fixed value of b, then to generate random primes p and q with the constraint gcd(b, (p-1)(q-1)) = 1.
- Possible good choices of b are 3, 5, 17 = 2^4 + 1, 2^16 + 1.
- A fixed value b = 3 can be taken.
  - Pros: low complexity of encryption and signature verification; easier distribution of public key info.
  - Cons: to make b coprime with (p-1)(q-1), p and q have to be chosen so that p ≡ q ≡ 2 (mod 3) (p or q cannot be 0 mod 3, being primes); this can be done by generating a random number x and testing whether 6x+5 is prime. Small message: if size(m) < size(n)/3, no modular reduction takes place.
Problems with public exponent b

- Low exponent attack. The attack works if a message m is encrypted b times using b pairwise coprime RSA moduli n_i, 1 ≤ i ≤ b; let c_i = m^b mod n_i, 1 ≤ i ≤ b. The attack proceeds as follows:
  - compute c satisfying c ≡ c_i (mod n_i), 1 ≤ i ≤ b, and 0 ≤ c < n_1 ⋯ n_b, with the CRT;
  - the message m equals the b-th root of c in Z.
  The attack works because c' = m^b satisfies the same constraints as c, the CRT solution is unique (mod n_1 ⋯ n_b) and m^b < n_1 ⋯ n_b (why?); it is made possible since m is the same for all recipients, and it is practical if b is low (not of the order of n).
- It is essential that the public key be different for any different instance and use of RSA. E.g. if RSA is used both for signing messages and for encryption, two different values of b shall be chosen for these two functions.

The private exponent a

- Given the public key (n, b), any one of p, q, φ(n), a is sufficient to recover all the others.
  - Given p (or q), the other prime is found immediately as q = n/p (p = n/q); then φ(n) is trivially computed and a is found as the multiplicative inverse of b modulo φ(n).
  - Given φ(n), we have n - φ(n) + 1 = p + q = s; then it is easily seen that p and q are the roots of the equation x^2 - s x + n = 0; a can be computed as above.
  - Given a, a Las Vegas kind of algorithm can be conceived to attempt the factorization of n with average-case success probability at least 1/2 (see [STIN02] p. 197; [BUCH04] p. 172).
  - In practice, if b is a sufficiently low integer, since a < φ(n), ab - 1 is only a small factor times φ(n); the attacker can just try to guess such a small factor m, compute φ(n) as (ab - 1)/m and then proceed as in the previous case.
Problems with private exponent a

- Given the decryption exponent a of RSA, it is possible to factor n by means of a randomized algorithm.
  - This implies that computing a is essentially no easier than factoring n.
  - More importantly, from the practical side this tells us that if a is ever compromised, it is NOT sufficient to define a different private key; n, and hence the whole set of RSA parameters, MUST be generated anew.
- M. Wiener has shown that a polynomial time algorithm can be defined to factor an RSA modulus n provided a < n^{1/4}/3 and q < p < 2q. If the number of bits of n is k, this attack will succeed provided the binary representation of a has fewer than k/4 - 1 bits and p and q are not too far apart.

RSA pitfalls

- A basic problem of RSA is its mathematical structure, which lends itself to a number of attacks.
- One problem is the multiplicative property of RSA: if c_i (i = 1, 2) is the ciphertext of the plaintext m_i, then the ciphertext of the new plaintext m = m_1 m_2 is just c = c_1 c_2 (mod n). We'll see how this opens some possible avenues of attack specific to RSA.
- Another problem arises if m^b < n; then no modular reduction ever takes place, so that the plaintext can be recovered by just taking the b-th root of the ciphertext. If a 128-bit AES key is being encrypted with RSA and b = 3, the resulting exponential is a 384-bit number, well below a typical choice of n.
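The parameter rules stated on the last few slides (b odd and invertible mod φ(n), p ≡ q ≡ 2 mod 3 when b = 3, a not short enough for Wiener's bound) and the claim that φ(n) gives back p and q, gathered into a key-generation check. This is an added example, not the lecture's code; the primes 10007 and 10037 and the function names are constructed for illustration.

```python
from math import gcd, isqrt

def rsa_private_exponent(p, q, b):
    """a = b^-1 mod phi(n), or None when gcd(b, phi(n)) != 1."""
    phi = (p - 1) * (q - 1)
    return pow(b, -1, phi) if gcd(b, phi) == 1 else None

def factors_from_phi(n, phi):
    """Recover (p, q) from phi(n): p + q = n - phi + 1 = s and p, q are the
    roots of x^2 - s x + n = 0, exactly as argued on the slide."""
    s = n - phi + 1
    disc = s * s - 4 * n
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc:
        return None
    return ((s - r) // 2, (s + r) // 2)

def check_rsa_params(p, q, b):
    """List the slide's key-generation rules that (p, q, b) violates."""
    n, phi = p * q, (p - 1) * (q - 1)
    k = n.bit_length() - 1          # k = floor(log2 n)
    issues = []
    if b < 3 or b % 2 == 0:
        issues.append("b must be odd and >= 3")
    if gcd(b, phi) != 1:
        issues.append("gcd(b, phi(n)) != 1: b is not invertible")
    if b == 3 and (p % 3 != 2 or q % 3 != 2):
        issues.append("with b = 3 both primes must be 2 mod 3")
    a = rsa_private_exponent(p, q, b)
    if a is not None and a.bit_length() < k // 4 - 1:
        issues.append("a has fewer than k/4 - 1 bits: Wiener's attack applies")
    return issues

# Constructed toy primes (both 2 mod 3); real keys use 512-bit primes or more.
P, Q = 10007, 10037
```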
Attacking the RSA algorithm

- The security of the RSA algorithm relies on the fact that modular exponentiation as used in RSA is deemed to be a one-way function.
- This ultimately relies on two facts:
  - computing a implies factoring n (i.e. no simpler means exist to recover a). This is not proved!
  - there is no efficient algorithm for factoring the integer n = pq. The complexity of the best known algorithms to date is subexponential, yet superpolynomial, i.e. O(exp(√(log n · log log n))).
- The main attack on RSA focuses on factoring n. To make this securely unfeasible with current and foreseeable technology and techniques, n should be at least a 1024-bit integer; therefore p and q must be at least 512-bit prime integers.

Integer factoring

- By factoring of an integer n we mean finding any factor of n (either prime or not). Complete factorization can be obtained iteratively, if needed.
- Factorization can be trivially pursued by trial division with all primes ≤ √n: if n is not prime, n = p·q and one of the two factors must be no greater than √n, so that there must be at least one prime factor of n that is ≤ √n.
- There are many algorithms to factor integers, none efficient, unless n has special characteristics.
- The most used factoring algorithms are the quadratic sieve and, more recently, the number field sieve; their complexity is:
  - quadratic sieve: O(exp((1 + o(1)) √(log n · log log n)));
  - number field sieve: O(exp((1.92 + o(1)) (log n)^{1/3} (log log n)^{2/3})).
Pollard p-1 algorithm

- One of the simplest factoring algorithms.
- Assumes that n has a prime divisor p such that all prime powers dividing p-1 are not greater than a given B. It is easily checked that then (p-1) | B!.
- We compute a = 2^{B!} (mod n); then a = 2^{B!} = 2^{m(p-1)} = 1 (mod p) (the first equality since p is a factor of n; the last one from Fermat's little theorem). Therefore p | (a-1) and p | n, hence p | d = gcd(a-1, n); d is clearly a non-trivial factor of n (unless a ≡ 1 mod n, in which case d = n).
- The algorithm just sets B, computes a = 2^{B!} (mod n) and checks whether gcd(a-1, n) > 1; if that is the case, a factor of n is found:

  a <- 2
  for j = 2 to B do
      a <- a^j (mod n)
  end for
  d <- gcd(a - 1, n)

Practical issues

- Computational complexity of the Pollard p-1 algorithm:
  - the algorithm requires B-1 modular exponentiations, each requiring O(log_2 B) modular multiplications;
  - the gcd can be computed in time O((log_2 n)^3);
  - the overall complexity is O(B log_2 B (log_2 n)^2 + (log_2 n)^3); if B is O((log_2 n)^i) for some i, the algorithm runs in polynomial time.
- The penalizing trade-off of the Pollard p-1 algorithm is that for small values of B it can hardly succeed, whereas for B of the order of √n its complexity is no longer polynomial.
- It gives a useful indication though: an RSA modulus should not have a prime factor p such that p-1 has only small prime factors. This is readily obtained e.g. by choosing p = 2p_1 + 1, where p_1 is a large prime number and p is checked to be prime as well.
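The pseudocode above turned into a runnable check, together with the two key-generation tests the "Practical issues" slide motivates: is p-1 B-smooth (so the method finds p), and is p a safe prime p = 2p_1 + 1 (so it is not). This is an added example, not the lecture's code; the toy modulus 1009 · 2039 and the function names are constructed for illustration.

```python
from math import gcd

def pollard_p_minus_1(n, B):
    """Pollard's p-1 with bound B, as on the slide: a = 2^(B!) mod n, d = gcd(a-1, n).
    Returns a non-trivial factor of n, or None when d is 1 or n."""
    a = 2
    for j in range(2, B + 1):
        a = pow(a, j, n)          # a = 2^(j!) mod n after each step
    d = gcd(a - 1, n)
    return d if 1 < d < n else None

def is_prime(x):
    """Trial division, adequate for the toy sizes used here."""
    if x < 2:
        return False
    f = 2
    while f * f <= x:
        if x % f == 0:
            return False
        f += 1
    return True

def p_minus_1_is_smooth(p, B):
    """True when every prime power dividing p-1 is <= B, so (p-1) | B! and
    the prime p is exposed to the method run with this bound."""
    x, f = p - 1, 2
    while f * f <= x:
        if x % f == 0:
            pk = 1
            while x % f == 0:
                x //= f
                pk *= f
            if pk > B:
                return False
        f += 1
    return x <= B  # leftover x is 1 or a single remaining prime factor

def is_safe_prime(p):
    """The slide's countermeasure: p = 2*p1 + 1 with p1 prime, so p-1 has a large prime factor."""
    return is_prime(p) and is_prime((p - 1) // 2)

# Constructed toy modulus: p-1 = 1008 = 2^4 * 3^2 * 7 is 16-smooth, while q = 2039 = 2*1019 + 1 is a safe prime.
P_WEAK, Q_SAFE = 1009, 2039
N_TOY = P_WEAK * Q_SAFE
```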
Factoring in practice

- Early factoring:
  - by exploiting the quadratic sieve, a 69-digit number was factored in 1983;
  - a 106-digit number was factored in 1989 with distributed computations;
  - in 1994 RSA-129 was factored, requiring 5000 MIPS-years donated by over 600 researchers around the world.
- RSA factoring challenge (ended 2007) and beyond:
  - RSA-576, 174 decimal digits (December 2003);
  - RSA-640, 193 decimal digits (November 2005);
  - RSA-696, 210 decimal digits (September 2013);
  - RSA-704, 212 decimal digits (July 2012);
  - RSA-768, 232 decimal digits (December 2009).
- 1024-bit integers can be expected to be factored before 2020 unless quantum computing comes to reality first!

Semantic security

- The attacks considered up to now aim at recovering the private key.
- The goal of the adversary can be less ambitious; still we would like the cryptosystem not to leak any information. The following are examples:
  - total break: Oscar is able to determine Bob's private key;
  - partial break: with some non-negligible probability, Oscar is able to decrypt, or gain some information about, a previously unseen ciphered plaintext;
  - distinguishability of ciphertexts: with probability exceeding 1/2 Oscar is able to distinguish between the encryptions of two different plaintexts, or between an enciphered plaintext and a random bit string.
- Semantic security prevents distinguishability of ciphertexts.
Distinguishability

- Ciphertext distinguishability problem (CDP) statement. Let f be an encryption function on the plaintext set X, f: X → X; a problem instance is given by any two distinct plaintexts x_1, x_2 ∈ X and a ciphertext y = f(x_i), i ∈ {1, 2}. The problem is: is i = 1?
- A semantically secure cryptosystem is one for which the CDP is unfeasible. This can be shown to be equivalent to complete semantic security, i.e. nothing can be inferred about the plaintext.
- A deterministic cryptosystem f is clearly insufficient; we have to include some randomization element. With a chosen plaintext attack, the CDP for a deterministic cipher is trivial.

Semantically secure cryptosystem

- Let m and k be positive integers, F a family of one-way trapdoor permutations on {0,1}^k, and G: {0,1}^k → {0,1}^m a random oracle.
- Then P = {0,1}^m, C = {0,1}^k × {0,1}^m and K = {(f, f^{-1}, G): f ∈ F}.
- For K = (f, f^{-1}, G), let r ∈ {0,1}^k be chosen randomly and let
    e_K(x) = (y_1, y_2) = (f(r), G(r) ⊕ x)
    d_K(y_1, y_2) = G(f^{-1}(y_1)) ⊕ y_2
- The private key is f^{-1}; the public key is (f, G).
- Major drawback: overhead (m + k bits required for an m-bit plaintext). If RSA is used, k ≥ 1024; if G is a hash like SHA-1, m = 160.
Semantic security proof concept

- Intuition: the plaintext is blinded by means of a random oracle function applied to a random bit string; since G is a random oracle function, full knowledge of its argument is required to evaluate it; on the other hand, this knowledge can be derived by inverting f, which is assumed to be unfeasible.
- Proof approach by reduction: assume there exists an algorithm DISTINGUISH which can solve the CDP correctly with probability ≥ 1/2 + ε for some ε > 0. The random oracle function is simulated by a random generator SIMG. It can be shown that there exists an efficient algorithm, exploiting DISTINGUISH and SIMG, that can invert f for a randomly chosen y = f(x) with probability bounded away from 0.

Optimal Asymmetric Encryption Padding

- Let m and k > m be positive integers, s = k - m, F a family of one-way trapdoor permutations on {0,1}^k, and G: {0,1}^s → {0,1}^m and H: {0,1}^m → {0,1}^s random functions.
- Let P = {0,1}^m, C = {0,1}^k = {0,1}^{m+s} and K = {(f, f^{-1}, G, H): f ∈ F}.
- For K = (f, f^{-1}, G, H), let r ∈ {0,1}^s be chosen randomly and let
    y = e_K(x) = f(y_1 ∥ y_2)  with  y_1 = x ⊕ G(r)  and  y_2 = r ⊕ H(x ⊕ G(r));
    d_K(y) = G(z_2 ⊕ H(z_1)) ⊕ z_1  with  f^{-1}(y) = z_1 ∥ z_2, |z_1| = m, |z_2| = s.
Semantically secure RSA

- Let O(2^s) be the desired complexity for the attack and let m = k - s - 1 > s, where k = floor(log_2 n). E.g. s = 128 (to guarantee unfeasibility) and k = 1024.
- Let us define an expansion function G: {0,1}^s → {0,1}^m and a compression function H: {0,1}^m → {0,1}^s. They may be constructed by using cryptographic hash functions.
- The plaintext x is an m-bit string and r is an s-bit random number.
  - Encryption: y = (2^s (x ⊕ G(r)) + (r ⊕ H(x ⊕ G(r))))^b mod n.
  - Decryption: 2^s u + (r ⊕ H(u)) = y^a mod n = z, hence u = z div 2^s and r ⊕ H(u) = z mod 2^s, so r = (z mod 2^s) ⊕ H(z div 2^s) and x = u ⊕ G(r).
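The encryption and decryption formulas above, implemented end to end with G and H built from SHA-256 in counter mode (the slide only says they "may be constructed" from hash functions; the MGF1-style construction, the toy primes 10007 and 10037, s = 8 and the class name are assumptions of this added example, not the lecture's code). It also shows why the scheme is randomized: the same x under two different r gives two different y.

```python
import hashlib
import secrets

def mgf(seed, seed_bits, out_bits, label):
    """Counter-mode SHA-256 expansion/compression, returning exactly out_bits bits."""
    data = seed.to_bytes((seed_bits + 7) // 8, "big")
    out, counter = b"", 0
    while len(out) * 8 < out_bits:
        out += hashlib.sha256(label + data + counter.to_bytes(4, "big")).digest()
        counter += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - out_bits)

class PaddedRSA:
    """RSA with the slide's padding: y = (2^s (x xor G(r)) + (r xor H(x xor G(r))))^b mod n."""

    def __init__(self, p, q, b, s):
        self.n, self.b, self.s = p * q, b, s
        self.a = pow(b, -1, (p - 1) * (q - 1))
        self.k = self.n.bit_length() - 1     # k = floor(log2 n)
        self.m = self.k - s - 1              # plaintext length in bits
        assert self.m > s, "modulus too small for this s"

    def G(self, r):
        return mgf(r, self.s, self.m, b"G")  # expansion {0,1}^s -> {0,1}^m

    def H(self, u):
        return mgf(u, self.m, self.s, b"H")  # compression {0,1}^m -> {0,1}^s

    def encrypt(self, x, r=None):
        assert 0 <= x < (1 << self.m)
        if r is None:
            r = secrets.randbits(self.s)     # fresh randomness per encryption
        u = x ^ self.G(r)
        v = r ^ self.H(u)
        # padded value < 2^(m+s) = 2^(k-1) < n, so it is a valid RSA input
        return pow((u << self.s) + v, self.b, self.n)

    def decrypt(self, y):
        z = pow(y, self.a, self.n)
        u, v = z >> self.s, z & ((1 << self.s) - 1)   # u = z div 2^s, v = z mod 2^s
        r = v ^ self.H(u)
        return u ^ self.G(r)
```

With real parameters (k around 2048, s at least 128) the same code works unchanged; the toy modulus only keeps the arithmetic small enough to follow by hand.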