measuring small subgroup attacks against diffie hellman
play

Measuring small subgroup attacks against Diffie-Hellman Luke Valenta - PowerPoint PPT Presentation

Nov 04, 2023 •41 likes •461 views

Measuring small subgroup attacks against Diffie-Hellman Luke Valenta , David Adrian , Antonio Sanso , Shaanan Cohney , Joshua Fried , Marcella Hastings , J. Alex Halderman , Nadia Heninger University of

  1. Measuring small subgroup attacks against Diffie-Hellman Luke Valenta ∗ , David Adrian † , Antonio Sanso ‡ , Shaanan Cohney ∗ , Joshua Fried ∗ , Marcella Hastings ∗ , J. Alex Halderman † , Nadia Heninger ∗ ∗ University of Pennsylvania † University of Michigan ‡ Adobe February 28, 2017

  2. This work ◮ Revisit decades-old small subgroup attacks in Diffie-Hellman ◮ Looked at hosts and implementations in the wild ◮ Punch line: Nobody implements the countermeasures! ◮ Emerged from Logjam [ABDGGHHSTVVWZZ 2015]

  3. Textbook (Finite-Field) Diffie-Hellman Key Exchange [Diffie Hellman 1976] p a prime (so F ∗ p is a cyclic group) g < p group generator (often 2 or 5) g a mod p g b mod p Images from XKCD

  4. Textbook (Finite-Field) Diffie-Hellman Key Exchange [Diffie Hellman 1976] p a prime (so F ∗ p is a cyclic group) g < p group generator (often 2 or 5) g a mod p g b mod p Enc g ab ( data ) g ab mod p g ab mod p Images from XKCD

  5. Textbook (Finite-Field) Diffie-Hellman Key Exchange [Diffie Hellman 1976] p a prime (so F ∗ p is a cyclic group) g < p group generator (often 2 or 5) g a mod p g b mod p Enc g ab ( data ) g ab mod p g ab mod p Images from XKCD NH: “There are dragons swimming under the placid surface of this beautiful mathematical lake.”

  6. Background: groups, subgroups, and generators Cyclic group Order = #elements in group

  7. Background: groups, subgroups, and generators Cyclic group Order = #elements in group generator

  8. Background: groups, subgroups, and generators Cyclic group Order = #elements in group generator

  9. Background: groups, subgroups, and generators Cyclic group Order = #elements in group generator

  10. Background: groups, subgroups, and generators Cyclic group Order = #elements in group generator

  11. Background: groups, subgroups, and generators Cyclic group Order = #elements in group generator

  12. Background: groups, subgroups, and generators Subgroup Order = #elements in subgroup generator

  13. Background: groups, subgroups, and generators Subgroup Order = #elements in subgroup generator

  14. Background: groups, subgroups, and generators Subgroup Order = #elements in subgroup generator

  15. Background: groups, subgroups, and generators Subgroup Order = #elements in subgroup generator

  16. Background: groups, subgroups, and generators Small subgroup Order = #elements in subgroup generator

  17. Background: groups, subgroups, and generators Small subgroup Order = #elements in subgroup generator

  18. Background: groups, subgroups, and generators Small subgroup Order = #elements in subgroup generator

  19. Background: groups, subgroups, and generators Small subgroup Order = #elements in subgroup generator

  20. Existence of small subgroups → small subgroup attacks. g generates correct subgroup of order q g 3 generates subgroup of order 3 [Lim Lee 1997] g 3 g b , Enc g b 3 ( data ) compute b mod 3

  21. Existence of small subgroups → small subgroup attacks. g generates correct subgroup of order q g 3 generates subgroup of order 3 [Lim Lee 1997] g 3 g b , Enc g b 3 ( data ) compute b mod 3 Repeat for many small subgroups = ⇒ find b using Chinese Remainder Theorem

  22. Small subgroup attacks Made much worse with... ◮ Many small subgroups (i.e., p-1 has many small factors) ◮ Short secret exponents (common optimization) ◮ Reused Diffie-Hellman values (common optimization)

  23. Countermeasures The countermeasures against these attacks are well known, and built into every DH standard: ◮ Use a “safe” prime p = 2 q + 1, where q is prime 1. Verify 2 ≤ y ≤ p − 2 (otherwise, may leak 1 bit) ◮ Use a subgroup of large prime order q mod p 1. Verify 2 ≤ y ≤ p − 2 2. Verify 1 = y q mod p

  24. Inspiration for our work The attacks and defenses are known. Why is this work interesting?

  25. Inspiration for our work The attacks and defenses are known. Why is this work interesting? “The Internet is vast, and filled with bugs.” —Adam Langley, Crypto 2013

  26. Inspiration for our work The attacks and defenses are known. Why is this work interesting? “The Internet is vast, and filled with bugs.” —Adam Langley, Crypto 2013 Theorem (Murphy’s law) Anything that can go wrong, will go wrong. Corollary If it is possible for an implementation to have made a mistake, someone has.

  27. Standards mandate smaller subgroups Leaves room for implementation mistakes NIST SP800-56a: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography ◮ No extra benefit from using small subgroups when already using short exponents ◮ DSA needs small subgroups, but not DH

  28. Fast internet scanning lets us study behavior of publicly accessible hosts. Widely deployed RFC5114 groups follow NIST recommendations*: Group Host Counts Name p (bits) q (bits) HTTPS SMTP IKEv1 IKEv2 Group 22 1024 160 3% ≈ 0% 17% 13% Group 23 2048 224 ≈ 0% 33% 17% 13% Group 24 2048 256 ≈ 0% ≈ 0% 18% 14% Total — — 40.6M 3.4M 1.9M 1.3M Group 23: Can recover 201 bits of exponent in ≈ 2 42 work *: Scans from November 2016

  29. Hosts don’t validate group order. Hosts accepting. . . Non-Safe DHE Hosts Primes HTTPS 11M 14% IKEv1 2.6M 13% IKEv2 1.3M 14% SSH 11M ≈ 0%

  30. Hosts don’t validate group order. Hosts accepting. . . Non-Safe DHE Hosts 0 Primes HTTPS 11M 14% 0.6% IKEv1 2.6M 13% * IKEv2 1.3M 14% * SSH 11M ≈ 0% 3% *: Did not scan: 0 causes unpatched Libre/Openswan to restart IKE daemon.

  31. Hosts don’t validate group order. Hosts accepting. . . Non-Safe DHE Hosts 0 1 Primes HTTPS 11M 14% 0.6% 3% IKEv1 2.6M 13% * 28% IKEv2 1.3M 14% * 0% SSH 11M ≈ 0% 3% 25% *: Did not scan: 0 causes unpatched Libre/Openswan to restart IKE daemon.

  32. Hosts don’t validate group order. Hosts accepting. . . Non-Safe DHE Hosts 0 1 p-1 Primes HTTPS 11M 14% 0.6% 3% 5% IKEv1 2.6M 13% * 28% 27% IKEv2 1.3M 14% * 0% 0% SSH 11M ≈ 0% 3% 25% 33% *: Did not scan: 0 causes unpatched Libre/Openswan to restart IKE daemon.

  33. Hosts don’t validate group order. Hosts accepting. . . Non-Safe DHE Hosts 0 1 p-1 g 3 / g 7 Primes HTTPS 11M 14% 0.6% 3% 5% ≈ 100% IKEv1 2.6M 13% * 28% 27% 99% IKEv2 1.3M 14% * 0% 0% 97% SSH 11M ≈ 0% 3% 25% 33% N/A *: Did not scan: 0 causes unpatched Libre/Openswan to restart IKE daemon.

  34. Libraries don’t validate group order. Similar findings to [DCE 2017 (up next!)] ◮ “The server obtains the DH parameters via a PKCS#3 file which Library Validation does not contain any subgroup (TLS) information. This file format is the Mozilla NSS g ≤ 2 defacto standard across all crypto OpenJDK g ≤ 2 libraries.” OpenSSL 1.0.2 None* BouncyCastle g ≤ 2 ◮ OpenSSL vulnerable to full Cryptlib g ≤ 2 Lim-Lee key recovery attack for libTomCrypt None RFC 5114 primes CryptoPP None Botan None GnuTLS g ≤ 2 ◮ Amazon Load Balancer vulnerable to partial key recovery attack *: before CVE-2016-0701 in Jan ’16

  35. Misconceptions Academics Implementors “There are many good reasons “safe primes (...) have quite for using smaller subgroups, some undesirable properties. including efficiency and the fact They don’t have a subgroup with that this setting matches the size of the selected security theoretical security analyses of parameter and that requires cryptosystems .” them to use very large keys .” Fact : Short exponents with safe primes and with small subgroups are both well-studied

  36. Disconnects Academics Implementors “I bet there are TLS clients (and “(...) it is only necessary to other DH users) out there that validate cryptographic use those values, and we would parameters properly - but this is break them (...) functionality very well-known .” trumps security every day, and twice on Tuesdays .” Countermeasures may be known, but are not always implemented

  37. Takeaways ◮ Standards writers: ◮ Software developers have different priorities ◮ The fewer checks required, the better! (Murphy’s Law)

  38. Takeaways ◮ Standards writers: ◮ Software developers have different priorities ◮ The fewer checks required, the better! (Murphy’s Law) ◮ Software developers: ◮ Take care when it comes to cryptographic validation ◮ Project Wycheproof: test crypto libraries against known attacks ( https://github.com/google/wycheproof )

  39. Takeaways ◮ Standards writers: ◮ Software developers have different priorities ◮ The fewer checks required, the better! (Murphy’s Law) ◮ Software developers: ◮ Take care when it comes to cryptographic validation ◮ Project Wycheproof: test crypto libraries against known attacks ( https://github.com/google/wycheproof ) ◮ Sysadmins: ◮ Test your servers with our tools! ( https://github.com/eniac/crypscan )

  40. Takeaways ◮ Standards writers: ◮ Software developers have different priorities ◮ The fewer checks required, the better! (Murphy’s Law) ◮ Software developers: ◮ Take care when it comes to cryptographic validation ◮ Project Wycheproof: test crypto libraries against known attacks ( https://github.com/google/wycheproof ) ◮ Sysadmins: ◮ Test your servers with our tools! ( https://github.com/eniac/crypscan ) Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a

Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a

Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a number of perspectives Today: authenticating users, services Agreeing on Secret Keys Without Prior Arrangement Diffie-Hellman Key Exchange

1.07k views • 73 slides
Diffie-Hellman Key Exchange Source: Wikipedia ElGamal Key Generator Generate primes p and

Diffie-Hellman Key Exchange Source: Wikipedia ElGamal Key Generator Generate primes p and

Diffie-Hellman Key Exchange Source: Wikipedia ElGamal Key Generator Generate primes p and q as well as an element g Z p that generates the subgroup G q . Choose a random x from { 0 , . . . , q 1 } . Compute h = g x .

754 views • 7 slides
Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption:

256 views • 22 slides
Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption: with

445 views • 17 slides
Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption:

810 views • 42 slides
Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based

Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based

Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based on joint work: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry,

879 views • 63 slides
High-speed Diffie-Hellman, part 2 D. J. Bernstein University of Illinois at Chicago Classic

High-speed Diffie-Hellman, part 2 D. J. Bernstein University of Illinois at Chicago Classic

High-speed Diffie-Hellman, part 2 D. J. Bernstein University of Illinois at Chicago Classic question about the Diffie-Hellman system: How quickly can we compute n th powers mod p ? Modular exponentiation. p ; Assume standard prime p =

684 views • 45 slides
qDSA: Small and Secure Digital Signatures with Curve-based Diffie-Hellman Key Pairs Joost Renes 1

qDSA: Small and Secure Digital Signatures with Curve-based Diffie-Hellman Key Pairs Joost Renes 1

qDSA: Small and Secure Digital Signatures with Curve-based Diffie-Hellman Key Pairs Joost Renes 1 Benjamin Smith 2 1 Radboud University 2 INRIA and Laboratoire dInformatique de l Ecole polytechnique 15 November 2017 15 November 2017 1 /

785 views • 75 slides
1 Diffie-Hellman exponential key exchange Diffie-Hellman exponential key exchange Alice has

1 Diffie-Hellman exponential key exchange Diffie-Hellman exponential key exchange Alice has

Symmetric cryptography Both parties must agree on a secret key, K message is encrypted, sent, decrypted at other side E K (P) D K (C) Secure Communication Bob Alice Key distribution must be secret otherwise messages can be

553 views • 10 slides
Man-in-the-Middle attacks revisited Hugo Jonker, Rolando Trujillo, Sjouke Mauw Man-in-the-middle

Man-in-the-Middle attacks revisited Hugo Jonker, Rolando Trujillo, Sjouke Mauw Man-in-the-middle

Man-in-the-Middle attacks revisited Hugo Jonker, Rolando Trujillo, Sjouke Mauw Man-in-the-middle attack Diffie-Hellman Alice Bob new na new nb g na g nb K = (g nb ) na K = (g na ) nb Man-in-the-middle attack Diffie-Hellman Alice Bob Alice

401 views • 25 slides
RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bobs secret key K to two parts: K E , to be used for encrypting messages to Bob. K D , to be used for

482 views • 32 slides
C.c) DSA and Diffie-Hellman W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 C.73 DSA

C.c) DSA and Diffie-Hellman W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 C.73 DSA

1 C.c) DSA and Diffie-Hellman W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 C.73 DSA (Digital Signature Algorithm) standardized by NIST A) Generation of a key pair Select a prime q with 2 159 &lt; q &lt; 2 160 Select a

348 views • 11 slides
Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice

Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice

Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice Mallory Bob Can achieve this with publc-key cryptography as well. g a a First example: Schnorr Signature g m m a 1024 bit

283 views • 3 slides
Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g

Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g

Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g m m g ma g ma g n n g b b g nb g nb g ma g ma , g nb g nb Eike Ritter Cryptography 2014/15 106

417 views • 9 slides
Public Key Cryptography Diffie-Hellman Others CSS441: Security and Cryptography Sirindhorn

Public Key Cryptography Diffie-Hellman Others CSS441: Security and Cryptography Sirindhorn

CSS441 Public Key Crypto Principles RSA Public Key Cryptography Diffie-Hellman Others CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015

461 views • 29 slides
A Static Diffie-Hellman Attack on Several Direct Anonymous Attestation Schemes Ernie Brickell 1

A Static Diffie-Hellman Attack on Several Direct Anonymous Attestation Schemes Ernie Brickell 1

A Static Diffie-Hellman Attack on Several Direct Anonymous Attestation Schemes Ernie Brickell 1 Liqun Chen 2 Jiangtao Li 1 1. Intel Corporation, Hillsboro, Oregon, USA 2. Hewlett-Packard Laboratories, Bristol, UK InTrust 2012 Royal Holloway,

827 views • 17 slides
International Framework of Investment Law Dr Rodrigo Polanco Senior Lecturer and Researcher

International Framework of Investment Law Dr Rodrigo Polanco Senior Lecturer and Researcher

International Framework of Investment Law Dr Rodrigo Polanco Senior Lecturer and Researcher World Trade Institute November 2017 Outline Why people invest abroad? Treatment of Aliens under International Law - Domestic Law - Diplomatic

267 views • 25 slides
DISTRICTWIDE ENROLLMENT? Traffic between East PHR and Ashley Falls School Traffic from east

DISTRICTWIDE ENROLLMENT? Traffic between East PHR and Ashley Falls School Traffic from east

WHY SHOULD I CARE ABOUT DISTRICTWIDE ENROLLMENT? Traffic between East PHR and Ashley Falls School Traffic from east of I-5 to Del Mar Heights School

530 views • 6 slides
Secure Drupal Development Steven Van den Hout Steven Van den Hout

Secure Drupal Development Steven Van den Hout Steven Van den Hout

Secure Drupal Development Steven Van den Hout Steven Van den Hout @stevenvdhout http://dgo.to/@svdhout SECURE? 1 IS D DRUPAL AL S IS OPEN SOURCE SECURE? MANY EYES MAKE FOR SECURE CODE - Security by obscurity - Open

641 views • 51 slides
Towards a Fully Encrypted Internet CS244 | Zakir Durumeric 2013 Snowden Revelations Explicit

Towards a Fully Encrypted Internet CS244 | Zakir Durumeric 2013 Snowden Revelations Explicit

Towards a Fully Encrypted Internet CS244 | Zakir Durumeric 2013 Snowden Revelations Explicit evidence that intelligence agencies are globally wiretapping Internet backbone connections Massive collection of web tra ffi c, emails, instant

512 views • 50 slides
Session #9: Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter

Session #9: Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter

Session #9: Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based Crypto &amp; Applications,

1.27k views • 94 slides
Trust in the Cloud i2Coalition &amp; the M3AAWG Hosting SIG Introductions by Matt Stith,

Trust in the Cloud i2Coalition &amp; the M3AAWG Hosting SIG Introductions by Matt Stith,

Trust in the Cloud i2Coalition &amp; the M3AAWG Hosting SIG Introductions by Matt Stith, Rackspace M3AAWG 37th General Meeting | Philadelphia, U.S.A. | June 2016 Speaker 1: Allan Friedman, PhD Building trust through collaboration: How the U.S.

494 views • 8 slides
Guided Learning of Nonconvex Models through Successive Functional Gradient Optimization Rie

Guided Learning of Nonconvex Models through Successive Functional Gradient Optimization Rie

Guided Learning of Nonconvex Models through Successive Functional Gradient Optimization Rie Johnson and Tong Zhang RJ Research Consulting Hong Kong University of Science and Technology 1 / 12 Training Deep Neural Networks

458 views • 21 slides
Heavy neutral leptons at ANUBIS work with M. Hirsch arXiv: 2001.04750 Zeren Simon Wang Seventh

Heavy neutral leptons at ANUBIS work with M. Hirsch arXiv: 2001.04750 Zeren Simon Wang Seventh

Heavy neutral leptons at ANUBIS work with M. Hirsch arXiv: 2001.04750 Zeren Simon Wang Seventh workshop of the LHC LLP Community May 26, 2020 Z.S. Wang Heavy neutral leptons at ANUBIS 1 / 13 Motivation Surge of interest in LLPs in recent

561 views • 15 slides

More recommend