
A common weakness in RSA signatures: extracting public keys from communications and embedded devices



  1. A common weakness in RSA signatures: extracting public keys from communications and embedded devices Hackito Ergo Sum 24-26 April 2014 Renaud Lifchitz renaud.lifchitz @ oppida.fr

  2. Speaker’s bio
     • French computer security engineer working at Oppida, France
     • Main activities:
       – Penetration testing & security audits
       – Security research
       – Security trainings
     • Main interests:
       – Security of protocols (authentication, cryptography, information leakage…)
       – Number theory (integer factorization, primality testing…)
     Hackito Ergo Sum 2014 – 24-26 April « A common weakness in RSA signatures: extracting public keys from communications and embedded devices », Renaud Lifchitz

  3. RSA signature basics

  4. Introduction – Digital signatures
     • Asymmetric cryptography is widely used to do digital signatures:
       – Private keys are used to digitally sign messages
       – Corresponding public keys are used to verify signatures
       – Integer factorization allows an attacker to find the private keys from public ones, but is generally hard
     • Public keys are almost always transmitted out-of-band (public key server, local keystore) before communication/usage
     • One of the most used signature schemes is RSA signature

  5. Introduction – RSA signature
     • Steps to sign a message using RSA:
       – Message m is hashed using a hash algorithm h( ): MD5, SHA1, SHA256, …
       – Hash is then padded to avoid forgery by multiplication, using a padding algorithm p( ) like PKCS
       – The result is raised to the d-th power and reduced modulo n, where d is the private exponent and n is the public key

     $p(h(m))^d \equiv s \pmod{n}$

  6. Extracting public keys from signed messages

  7. The idea
     • Suppose we have 2 different messages with their corresponding signatures $(m_1, s_1)$, $(m_2, s_2)$ with unknown public key n:

     $p(h(m_1))^d \equiv s_1 \pmod{n} \;\Rightarrow\; p(h(m_1)) \equiv p(h(m_1))^{de} \equiv s_1^e \pmod{n}$ (by Euler theorem), with quotient $k_1$

     $p(h(m_2)) \equiv s_2^e \pmod{n}$, with quotient $k_2$

     $\Rightarrow\; \gcd\left(s_1^e - p(h(m_1)),\; s_2^e - p(h(m_2))\right) = \gcd(k_1, k_2) \cdot n$

     which gives a small (probably smooth) multiple of public key n

  8. The idea
     • Then we have to remove all small factors from the result until the residue size is a well-known asymmetric key size (512, 768, 1024, 2048, 4096 bits…)
     • Trial division is sufficient in 99,9999 % of cases, otherwise we can use an additional signed message in the GCD or use ECM factoring algorithm to help
     • We now have computationally extracted our unknown public key!

  9. Requirements
     • Hash and padding algorithms must be known or guessed
     • e should be small because computation will be done without modular arithmetic
     • n should be small to medium

  10. Complexity
     • Main limitation is memory consumption
     • The computation:
       – takes about O(e·log(n)) bits of memory
       – costs about:
         • O(log(e)) big integer multiplications (exponentiation step)
         • O(e·log(n)) big integer divisions (GCD step)

  11. Applications
     • Without access to any kind of keyserver nor keystore and being entirely passive, we can:
       – Extract public keys used in RSA signatures
       – Authenticate subsequent messages
       – Find people or devices using weak keys that weren’t discoverable before: this gives a new angle of attack for embedded devices/blackbox protocols using RSA signatures
       – Safely test whether different messages are signed using the same key/come from the same person (without relying on any kind of spoofable key id)
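
The computation from slides 7 to 10, as an added example that is not part of the original slides or the speaker's proof-of-concept. It assumes a constructed toy key built from two Mersenne primes with e = 13, PKCS#1 v1.5 padding over SHA-1, and hypothetical function names; it accepts any number of signed messages, as slide 8 suggests for the rare case where two are not enough.

```python
import hashlib
from math import gcd

# ASN.1 DigestInfo prefix for SHA-1 (PKCS#1 v1.5)
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

# Constructed toy key (NOT secure): two Mersenne primes and a small exponent.
P, Q, E = 2**521 - 1, 2**607 - 1, 13
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def pad_hash(message: bytes, k: int) -> int:
    """p(h(m)): PKCS#1 v1.5 encoding of SHA-1(m) for a k-byte modulus."""
    t = SHA1_PREFIX + hashlib.sha1(message).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def sign(message: bytes, d: int, n: int) -> bytes:
    """Signer side: s = p(h(m))^d mod n, sent as a fixed-length byte string."""
    k = (n.bit_length() + 7) // 8
    return pow(pad_hash(message, k), d, n).to_bytes(k, "big")


def recover_modulus(pairs, e: int, bound: int = 1 << 20) -> int:
    """Observer side: gcd of s_i^e - p(h(m_i)), then strip factors < bound."""
    g = 0
    for message, sig in pairs:
        s = int.from_bytes(sig, "big")
        # Plain integer power: n is unknown, so no modular reduction is possible.
        g = gcd(g, s**e - pad_hash(message, len(sig)))
    if g == 0:
        raise ValueError("need at least one usable (message, signature) pair")
    for f in range(2, bound):  # removes gcd(k_1, k_2) when it is smooth
        while g % f == 0:
            g //= f
    return g


def demo() -> bool:
    pairs = [(m, sign(m, D, N)) for m in (b"first mail\r\n", b"second mail\r\n")]
    return recover_modulus(pairs, E) == N


if __name__ == "__main__":
    print("modulus recovered:", demo())
```

Each intermediate value s^e is about e times the size of n, which is the memory limit slide 10 describes. Mixing signatures made with different keys collapses the GCD to a small number, which is what makes the same-signer test on slide 11 work without trusting a key id.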

  12. State of the art of factorization algorithms

  13. Introduction
     • There exist several algorithms for integer factorization, more or less naive
     • Some algorithms are generic and can factor any number, some are form-specific
     • Key generation weaknesses:
       – p and q too close
       – p-1, q-1, p+1 and/or q+1 too smooth
       – weak RNG (Random Number Generator)
     • A generic but good open source program for factoring: Yafu (http://sourceforge.net/projects/yafu/)

  14. Finding small factors in large integers
     • Trial factoring: when there are very small factors (less than 10 digits)
     • Pollard Rho: for small factors
     • Pollard’s P-1: when one or more factors are p-1 smooth
     • Williams’ P+1: when one or more factors are p+1 smooth
     • Elliptic Curve Method (ECM): for factors up to 80 digits

  15. Finding large factors in small integers
     • Fermat algorithm: when a factor and its co-factor are really near in absolute value
     • Quadratic sieve (QS): faster and simpler NFS for integers < 100 digits
     • Number Field Sieve (NFS): for integers of intermediate size
     • General Number Field Sieve (GNFS): for numbers up to 230 digits (RSA-768)
     • Special Number Field Sieve (SNFS): for numbers with specific form ($r^e \pm s$ with r and s small) up to 320 digits

  16. Practical applications - PGP

  17. What is PGP?
     • Pretty Good Privacy (PGP) is a data encryption and decryption program mostly used for securing e-mails
     • Created in 1991 by Phil Zimmermann
     • Software: PGP (Windows) / GnuPG (Linux)
     • OpenPGP standard (RFC 4880)

  18. Computation steps to extract public key - PGP
     • Prepare original message before hashing:
       – Canonicalize message (newlines are converted to \r\n)
       – Append specific PGP data:
         • PGP version
         • Signature type
         • Public algorithm (here RSA)
         • Hash algorithm
         • Signature date & time
     • Recreate PKCS#1 padded ASN.1 message hash following RFC 4880
     • Compute:

     $\gcd\left(s_1^{65537} - p(h(m'_1)),\; s_2^{65537} - p(h(m'_2))\right)$

  19. Proof-of-concept implementation
     • Just a proof-of-concept:
       – Supports RSA signature with SHA-1 hashing only
       – Not optimized (mixed Python + PARI-GP implementation, would be faster in C)
     • Able to find the signing public key of anybody using only 2 signed mails!

  20. Proof-of-concept implementation

  21. Practical applications - Vigik access control system

  22. What is Vigik?
     • French access control for residential buildings (nearly 1 million buildings are protected by Vigik in France)
     • Contactless system
     • Made to replace the old T25 lock and avoid existing master keys
     • 2 kinds of tokens:
       – Resident tokens (various contactless protocols, not interesting), can access a given building at any time
       – Service tokens (based on Mifare Classic + RSA signature of 768 or 1024 bits), can access all buildings during specific time slots
     • May be used for other kinds of access control like ATMs or military premises

  23. What is Vigik?
     [Figure: Vigik contactless reader, resident token, service token]
