diffie hellman discrete logs the nsa and you
play

Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman - PowerPoint PPT Presentation

Mar 13, 2023 •229 likes •879 views

Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based on joint work: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry,

  1. Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan

  2. Based on joint work: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thom´ e, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-B´ eguelin, Paul Zimmermann 22nd ACM Conference on Computer and Communications Security , CCS ’15, October 2015. Best paper award! https://weakdh.org

  10. Textbook RSA Encryption [Rivest Shamir Adleman 1977] Public Key Private Key N = pq modulus p , q primes e encryption exponent d decryption exponent ( d = e − 1 mod ( p − 1)( q − 1)) public key = ( N , e ) ciphertext = message e mod N message = ciphertext d mod N

  11. RSA cryptanalysis Factoring Problem: Factor N into p and q . ◮ Lets an attacker compute the private key. ◮ Factoring is much harder than multiplication. ◮ Best known algorithm: number field sieve.

  12. Factoring with the number field sieve Algorithm 1. Polynomial selection Choose a good number field. 2. Relation finding Factor many small-ish integers. 3. Linear algebra Use the factorizations to construct squares. 4. Square root Take square roots and check if factor N . linear polynomial square sieving algebra selection root p N

  13. How long does it take to factor using the number field sieve? Answer 1: L (1 / 3 , 1 . 923) = exp(1 . 923(log N ) 1 / 3 (log log N ) 2 / 3 )

  14. How long does it take to factor using the number field sieve? Answer 1: L (1 / 3 , 1 . 923) = exp(1 . 923(log N ) 1 / 3 (log log N ) 2 / 3 ) Answer 2: 512-bit RSA: < 1 core-year. (4 hours + $ 75 on EC2! seclab.upenn.edu/projects/faas/) 768-bit RSA: < 1,000 core-years. ( < 1 calendar year) 1024-bit RSA: ≈ 1,000,000 core-years. 2048-bit RSA: Minimum recommended key size today.

  15. “We stand today on the brink of a revolution in cryptography.” – November 1976

  16. Textbook Diffie-Hellman Public Parameters p a prime g < p (often 2 or 5) Key Exchange g a mod p g b mod p g ab mod p g ab mod p shared secret

  17. Textbook Diffie-Hellman Public Parameters Provides perfect forward secrecy: Can’t later hack Alice or Bob to decrypt p a prime connections intercepted today.* g < p (often 2 or 5) Key Exchange g a mod p g b mod p g ab mod p g ab mod p shared secret

  18. Advocating Diffie-Hellman over RSA for perfect forward secrecy “Sites that use perfect forward secrecy can provide better security to users in cases where the encrypted data is being monitored and recorded by a third party.” “With Perfect Forward Secrecy, anyone possessing the private key and a wiretap of Internet activity can decrypt nothing.” “Ideally the DH group would match or exceed the RSA key size but 1024-bit DHE is arguably better than straight 2048-bit RSA so you can get away with that if you want to.” “But in practical terms the risk of private key theft, for a non-ephemeral key, dwarfs out any cryptanalytic risk for any RSA or DH of 1024 bits or more; in that sense, PFS is a must-have and DHE with a 1024-bit DH key is much safer than RSA-based cipher suites, regardless of the RSA key size.”

  19. We were wrong. We’re sorry. :(

  20. Diffie-Hellman cryptanalysis Discrete Log Problem: Given y = g a mod p , compute a . ◮ Allows attacker to compute shared key. ◮ Discrete log is much harder than modular exponentiation. ◮ Best known algorithm: number field sieve for discrete log.

  21. Diffie-Hellman cryptanalysis: number field sieve discrete log algorithm linear polynomial sieving descent y , g algebra selection p log db a

  22. Diffie-Hellman cryptanalysis: number field sieve discrete log algorithm linear polynomial sieving descent y , g algebra selection p log db a How long does the number field sieve take? Answer 1: L (1 / 3 , 1 . 923) = exp(1 . 923(log N ) 1 / 3 (log log N ) 2 / 3 )

  23. Diffie-Hellman cryptanalysis: number field sieve discrete log algorithm linear polynomial sieving descent y , g selection algebra p log db a How long does the number field sieve take? Answer 2: 512-bit DH: ≈ 10 core-years. 768-bit DH: ≈ 35,000 core-years. 1024-bit DH: ≈ 45,000,000 core-years. 2048-bit DH: Minimum recommended key size today.

  24. Diffie-Hellman cryptanalysis: number field sieve discrete log algorithm But... What if you want to break many connections that use the same public parameter p ? linear polynomial sieving descent y , g algebra selection p log db a

  25. Diffie-Hellman cryptanalysis: number field sieve discrete log algorithm But... What if you want to break many connections that use the same public parameter p ? linear polynomial sieving descent y , g algebra selection p log db a precomputation individual log

  26. Diffie-Hellman cryptanalysis: number field sieve discrete log algorithm But... What if you want to break many connections that use the same public parameter p ? linear polynomial sieving descent y , g algebra selection Uh oh! p log db a precomputation individual log

  27. Diffie-Hellman cryptanalysis: number field sieve discrete log algorithm But... What if you want to break many connections that use the same public parameter p ? linear polynomial sieving descent y , g algebra selection Uh oh! p log db a precomputation individual log Precomputation Individual Log DH-512 10 core-years 10 core-minutes DH-768 35,000 core-years 2 core-days DH-1024 45,000,000 core-years 30 core-days Precomputation can be done once and reused for many individual logs!

  28. Exploiting Diffie-Hellman Logjam attack: Anyone can use HTTPS backdoors from ’90s crypto war to pwn modern browsers.

  29. International Traffic in Arms Regulations April 1, 1992 version Category XIII--Auxiliary Military Equipment ... (b) Information Security Systems and equipment, cryptographic devices, software, and components specifically designed or modified therefore, including: (1) Cryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems, except cryptographic equipment and software as follows: (i) Restricted to decryption functions specifically designed to allow the execution of copy protected software, provided the decryption functions are not user-accessible. (ii) Specially designed, developed or modified for use in machines for banking or money transactions, and restricted to use only in such transactions. Machines for banking or money transactions include automatic teller machines, self-service statement printers, point of sale terminals or equipment for the encryption of interbanking transactions. ...

  30. Commerce Control List: Category 5 - Info. Security a.1.a. A symmetric algorithm employing a key length in excess of 56-bits; or a.1.b. An asymmetric algorithm where the security of the algorithm is based on any of the following: a.1.b.1. Factorization of integers in excess of 512 bits (e.g., RSA); a.1.b.2. Computation of discrete logarithms in a multiplicative group of a finite field of size greater than 512 bits (e.g., Diffie-Hellman over Z/pZ); or a.1.b.3. Discrete logarithms in a group other than mentioned in 5A002.a.1.b.2 in excess of 112 bits (e.g., Diffie-Hellman over an elliptic curve); a.2. Designed or modified to perform cryptanalytic functions;

  31. Export cipher suites in TLS TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA

  32. Export cipher suites in TLS TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_EXPORT_WITH_DES40_CBC_SHA FREAK attack [BDFKPSZZ 2015]: Implementation flaw; use fast 512-bit factorization to downgrade modern browsers to broken export-grade RSA. Affected most browsers and 9.6% of Alexa top million HTTPS sites. TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA Logjam attack: Protocol flaw; use fast 512-bit discrete log to downgrade modern browsers to broken export-grade DH. Affected all browsers and 8.4% of Alexa top million HTTPS sites.

  33. Logjam: Active downgrade attack to export Diffie-Hellman Protocol flaw: Server does not sign chosen cipher suite. hello, client random [. . . DHE . . . ] hello, server random, [DHE] certificate = public RSA key + CA signatures p , g , g a , Sign RSAkey ( p , g , g a ) g b KDF( g ab , KDF( g ab , client finished: Auth k mc (dialog) randoms) → randoms) → k m c , k m s , k e server finished: Auth k ms (dialog) k m c , k m s , k e Enc k e (request)

  34. Logjam: Active downgrade attack to export Diffie-Hellman Protocol flaw: Server does not sign chosen cipher suite. hello, client random [. . . DHE . . . ] [DHE EXPORT] hello, server random, [DHE] certificate = public RSA key + CA signatures p , g , g a , Sign RSAkey ( p , g , g a ) g b KDF( g ab , KDF( g ab , client finished: Auth k mc (dialog) randoms) → randoms) → k m c , k m s , k e server finished: Auth k ms (dialog) k m c , k m s , k e Enc k e (request)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DTTF/NB479: Dszquphsbqiz Day 27 Announcements: Questions? This week: Discrete Logs,

DTTF/NB479: Dszquphsbqiz Day 27 Announcements: Questions? This week: Discrete Logs,

DTTF/NB479: Dszquphsbqiz Day 27 Announcements: Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Birthday attacks Hash Functions Message m Message digest, y (long) Cryptographic hash

645 views • 12 slides
Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a

Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a

Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a number of perspectives Today: authenticating users, services Agreeing on Secret Keys Without Prior Arrangement Diffie-Hellman Key Exchange

1.07k views • 73 slides
A kilobit hidden SNFS discrete log computation Joshua Fried , Pierrick Gaudry, Nadia Heninger,

A kilobit hidden SNFS discrete log computation Joshua Fried , Pierrick Gaudry, Nadia Heninger,

A kilobit hidden SNFS discrete log computation Joshua Fried , Pierrick Gaudry, Nadia Heninger, Emmanuel Thom e May 1, 2017 Textbook (Finite-Field) Diffie-Hellman Key Exchange [Diffie Hellman 1976] p a prime (so F p is a cyclic group) g

598 views • 30 slides
Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption:

810 views • 42 slides
Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption: with

445 views • 17 slides
Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption:

256 views • 22 slides
Mathematical Cryptography Diffie Hellman, Discrete Log Problem, Collision Algorithms Mentor: Tao

Mathematical Cryptography Diffie Hellman, Discrete Log Problem, Collision Algorithms Mentor: Tao

Mathematical Cryptography Diffie Hellman, Discrete Log Problem, Collision Algorithms Mentor: Tao Song , Mentee: Lisette del Pino University of Pennsylvania Directed Reading Program May 16, 2020 Mentor: Tao Song , Mentee: Lisette del Pino

1.35k views • 98 slides
High-speed Diffie-Hellman, part 2 D. J. Bernstein University of Illinois at Chicago Classic

High-speed Diffie-Hellman, part 2 D. J. Bernstein University of Illinois at Chicago Classic

High-speed Diffie-Hellman, part 2 D. J. Bernstein University of Illinois at Chicago Classic question about the Diffie-Hellman system: How quickly can we compute n th powers mod p ? Modular exponentiation. p ; Assume standard prime p =

684 views • 45 slides
Applications Mark Zhandry Stanford University Diffie-Hellman Key Exchange Exchange keys over

Applications Mark Zhandry Stanford University Diffie-Hellman Key Exchange Exchange keys over

Multilinear Maps and Their Applications Mark Zhandry Stanford University Diffie-Hellman Key Exchange Exchange keys over a public channel: Public group , generator , order (Potential) Hard Problems in Groups Discrete Log (DL):

621 views • 60 slides
1 Diffie-Hellman exponential key exchange Diffie-Hellman exponential key exchange Alice has

1 Diffie-Hellman exponential key exchange Diffie-Hellman exponential key exchange Alice has

Symmetric cryptography Both parties must agree on a secret key, K message is encrypted, sent, decrypted at other side E K (P) D K (C) Secure Communication Bob Alice Key distribution must be secret otherwise messages can be

553 views • 10 slides
Outline CPSC 418/MATH 318 Introduction to Cryptography More Number Theory 1 Primitive Roots

Outline CPSC 418/MATH 318 Introduction to Cryptography More Number Theory 1 Primitive Roots

Outline CPSC 418/MATH 318 Introduction to Cryptography More Number Theory 1 Primitive Roots (Recall) Number Theory, Security and Efficiency of Diffie-Hellman, Hash Eulers Function Functions Security of Diffie-Hellman 2 Discrete Log

671 views • 7 slides
RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bobs secret key K to two parts: K E , to be used for encrypting messages to Bob. K D , to be used for

482 views • 32 slides
C.c) DSA and Diffie-Hellman W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 C.73 DSA

C.c) DSA and Diffie-Hellman W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 C.73 DSA

1 C.c) DSA and Diffie-Hellman W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 C.73 DSA (Digital Signature Algorithm) standardized by NIST A) Generation of a key pair Select a prime q with 2 159 &lt; q &lt; 2 160 Select a

348 views • 11 slides
Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice

Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice

Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice Mallory Bob Can achieve this with publc-key cryptography as well. g a a First example: Schnorr Signature g m m a 1024 bit

283 views • 3 slides
Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g

Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g

Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g m m g ma g ma g n n g b b g nb g nb g ma g ma , g nb g nb Eike Ritter Cryptography 2014/15 106

417 views • 9 slides
Public Key Cryptography Diffie-Hellman Others CSS441: Security and Cryptography Sirindhorn

Public Key Cryptography Diffie-Hellman Others CSS441: Security and Cryptography Sirindhorn

CSS441 Public Key Crypto Principles RSA Public Key Cryptography Diffie-Hellman Others CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015

461 views • 29 slides
International Framework of Investment Law Dr Rodrigo Polanco Senior Lecturer and Researcher

International Framework of Investment Law Dr Rodrigo Polanco Senior Lecturer and Researcher

International Framework of Investment Law Dr Rodrigo Polanco Senior Lecturer and Researcher World Trade Institute November 2017 Outline Why people invest abroad? Treatment of Aliens under International Law - Domestic Law - Diplomatic

267 views • 25 slides
DISTRICTWIDE ENROLLMENT? Traffic between East PHR and Ashley Falls School Traffic from east

DISTRICTWIDE ENROLLMENT? Traffic between East PHR and Ashley Falls School Traffic from east

WHY SHOULD I CARE ABOUT DISTRICTWIDE ENROLLMENT? Traffic between East PHR and Ashley Falls School Traffic from east of I-5 to Del Mar Heights School

530 views • 6 slides
Secure Drupal Development Steven Van den Hout Steven Van den Hout

Secure Drupal Development Steven Van den Hout Steven Van den Hout

Secure Drupal Development Steven Van den Hout Steven Van den Hout @stevenvdhout http://dgo.to/@svdhout SECURE? 1 IS D DRUPAL AL S IS OPEN SOURCE SECURE? MANY EYES MAKE FOR SECURE CODE - Security by obscurity - Open

641 views • 51 slides
Torus actions in the normalization problem Jasmin Raissy Dipartimento di Matematica &quot;L.

Torus actions in the normalization problem Jasmin Raissy Dipartimento di Matematica &quot;L.

Torus actions in the normalization problem Jasmin Raissy Dipartimento di Matematica &quot;L. Tonelli&quot; Universit di Pisa School-Conference in Complex Analysis and Geometry CIRM, July 1317, 2009 Jasmin Raissy (Universit di Pisa)

1.01k views • 65 slides
Measuring small subgroup attacks against Diffie-Hellman Luke Valenta , David Adrian ,

Measuring small subgroup attacks against Diffie-Hellman Luke Valenta , David Adrian ,

Measuring small subgroup attacks against Diffie-Hellman Luke Valenta , David Adrian , Antonio Sanso , Shaanan Cohney , Joshua Fried , Marcella Hastings , J. Alex Halderman , Nadia Heninger University of

461 views • 42 slides
Towards a Fully Encrypted Internet CS244 | Zakir Durumeric 2013 Snowden Revelations Explicit

Towards a Fully Encrypted Internet CS244 | Zakir Durumeric 2013 Snowden Revelations Explicit

Towards a Fully Encrypted Internet CS244 | Zakir Durumeric 2013 Snowden Revelations Explicit evidence that intelligence agencies are globally wiretapping Internet backbone connections Massive collection of web tra ffi c, emails, instant

512 views • 50 slides
Session #9: Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter

Session #9: Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter

Session #9: Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based Crypto &amp; Applications,

1.27k views • 94 slides
Trust in the Cloud i2Coalition &amp; the M3AAWG Hosting SIG Introductions by Matt Stith,

Trust in the Cloud i2Coalition &amp; the M3AAWG Hosting SIG Introductions by Matt Stith,

Trust in the Cloud i2Coalition &amp; the M3AAWG Hosting SIG Introductions by Matt Stith, Rackspace M3AAWG 37th General Meeting | Philadelphia, U.S.A. | June 2016 Speaker 1: Allan Friedman, PhD Building trust through collaboration: How the U.S.

494 views • 8 slides

More recommend