From Textbook to Practice & How Things Can Go Wrong (PowerPoint PPT Presentation)




From Textbook to Practice & How Things Can Go Wrong

CIS 428/628: Introduction to Cryptography

Jim Royer

December 4, 2018

CIS 428/628 From Textbook to Practice 1/ 24

References

1. J.-P. Aumasson. Serious Cryptography. No Starch Press, 2018.
2. N. Ferguson, B. Schneier, and T. Kohno. Cryptography Engineering. Wiley, 2010.


Where to get random bits?

Unix-like Systems:

Typically have /dev/random and /dev/urandom: cryptographic PRNGs that are continually re-seeded from various sources of entropy. Treat them like files of random bits you can read from. But, like real files, reading from them can fail (a read may return fewer bytes than asked for, or an error), so include plenty of sanity checks when you use them. The details of /dev/random and /dev/urandom differ from system to system. Typically, they maintain entropy pools of "random" bits drawn from system behavior (e.g., I/O devices, network and user activity, etc.).

!!! These pools may be empty at boot time, and this can cause problems.

Windows:

BCryptGenRandom()

Intel processors: RDRAND draws from a hardware source of randomness.
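The "reading can fail, so check" advice above, as an added example (not code from the slides): a read loop that refuses to return a truncated buffer, a cheap stuck-source check, and a constructed stand-in device that hands out short reads. It assumes a Unix-like system; the device path and chunk sizes are illustrative.

```python
"""Reading random bytes from a /dev/urandom-style device with sanity checks.

Added example, not from the slides.  Assumes a Unix-like system; the device
path and the chunk sizes in the demo are illustrative.
"""
import secrets


def read_exact(read, n):
    """Read exactly n bytes via read(k) -> bytes.

    A read on a device may return fewer bytes than requested (a short read),
    and a misconfigured "device" (e.g. an empty regular file) returns b"".
    Loop until n bytes arrive and treat EOF as a hard failure, never as
    "zero-filled randomness".
    """
    if n <= 0:
        raise ValueError("n must be positive")
    chunks, remaining = [], n
    while remaining > 0:
        chunk = read(remaining)
        if not chunk:  # EOF: the source is not an unbounded stream of bits
            raise OSError("random source returned EOF after %d bytes" % (n - remaining))
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def sanity_problems(buf):
    """Cheap plausibility checks; returns a list of problems (empty if none).

    These catch gross failures such as a stuck device that returns the same
    byte forever.  They cannot detect subtle bias and are no substitute for
    a properly seeded CSPRNG.
    """
    problems = []
    if len(buf) < 16:
        problems.append("too few bytes to judge")
    elif len(set(buf)) == 1:
        problems.append("constant output (stuck source?)")
    return problems


def random_bytes_from_device(n, path="/dev/urandom"):
    """Read n random bytes from a device file, with the checks above."""
    with open(path, "rb", buffering=0) as f:
        buf = read_exact(f.read, n)
    problems = sanity_problems(buf)
    if problems:
        raise OSError("refusing random bytes: " + "; ".join(problems))
    return buf


class ShortReader:
    """Constructed stand-in for a device that hands out at most max_chunk
    bytes per read and then runs dry."""
    def __init__(self, data, max_chunk):
        self.data, self.max_chunk, self.pos = data, max_chunk, 0

    def read(self, k):
        chunk = self.data[self.pos:self.pos + min(k, self.max_chunk)]
        self.pos += len(chunk)
        return chunk


def demo_short_reads():
    """read_exact reassembles a 32-byte key from 5-byte reads, and fails
    cleanly (instead of returning a truncated key) when the source runs dry."""
    key = bytes(range(32))  # constructed test data, not random
    got = read_exact(ShortReader(key, 5).read, 32)
    try:
        read_exact(ShortReader(key, 5).read, 64)
        ran_dry_detected = False
    except OSError:
        ran_dry_detected = True
    return got == key, ran_dry_detected


if __name__ == "__main__":
    # In application code prefer os.urandom()/secrets, which wrap the OS CSPRNG.
    print(random_bytes_from_device(32).hex())
    print(secrets.token_hex(16))
    print(demo_short_reads())
```

In application code you should normally not open the device yourself at all: os.urandom() and the secrets module already wrap the operating system's CSPRNG (getrandom/BCryptGenRandom) and handle the short-read problem for you.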


RSA I sincerely hope you’ll never have to implement RSA from scratch. If you’re asked to, run as fast as you can and question the sanity of the person who asked you to do so. It took decades for cryptographers and engineers to develop RSA implementations that are fast, sufficiently secure, and hopefully free of debilitating bugs, so you really don’t want to reinvent RSA.

J.-P. Aumasson, Serious Cryptography



Textbook RSA Encryption

Setup

Each user $U$:

1. Picks two large (random) primes $p_U$ and $q_U$ (with $p_U \neq q_U$).
2. Computes $n_U = p_U \cdot q_U$ and $\phi(n_U) = (p_U - 1) \cdot (q_U - 1)$.
3. Picks $e_U \xleftarrow{\text{ran}} \{1, \ldots, \phi(n_U) - 1\}$ with $\gcd(e_U, \phi(n_U)) = 1$.
4. Computes $d_U = e_U^{-1} \pmod{\phi(n_U)}$.
5. Publishes $e_U$ and $n_U$. Keeps $d_U$, $p_U$, $q_U$, and $\phi(n_U)$ secret.

Encryption

Bob wants to send $m \in \mathbb{Z}_{n_A}$ to Alice.

1. Computes $c = m^{e_A} \bmod n_A$.
2. Sends $c$ to Alice.

Decryption

Alice wants to decrypt $c$.

1. Computes $m = c^{d_A} \bmod n_A$.


Problems with Textbook RSA

Deterministic: the same $m$ always produces the same $c$.

Multiplicative: $(m_1 \cdot m_2)^e \equiv m_1^e \cdot m_2^e \pmod n$.

Etc.

It is very bad to have any kind of structure in the numbers that RSA operates on. —Cryptography Engineering, Ferguson, Schneier, and Kohno


RSA with Optimal Asymmetric Encryption Padding (RSA-OAEP)

For 2048-bit RSA, this scheme uses:

  • $H \in \{0,1\}^{256}$, a constant of the scheme
  • a pseudo-random generator $g : \{0,1\}^{256} \to \{0,1\}^{1864}$
  • a hash function $h : \{0,1\}^{1864} \to \{0,1\}^{256}$ (e.g., SHA-256)

Encryption of $m_0 \in \{0,1\}^{1520}$

  $r_0 \xleftarrow{\text{ran}} \{0,1\}^{256}$
  $m_1 \leftarrow H \,\|\, \vec{0} \,\|\, 01 \,\|\, m_0$, where $\vec{0}$ = 270-many 0's
  $m_2 \leftarrow g(r_0) \oplus m_1$
  $r_1 \leftarrow r_0 \oplus h(m_2)$
  $x \leftarrow 00 \,\|\, r_1 \,\|\, m_2$
  $c \leftarrow x^e \pmod n$

Decryption of $c$

  $x \leftarrow c^d \pmod n$   // $x = 00 \,\|\, r_1 \,\|\, m_2$
  $r_0 \leftarrow r_1 \oplus h(m_2)$
  $m_1 \leftarrow g(r_0) \oplus m_2$   // $m_1 = H \,\|\, \vec{0} \,\|\, 01 \,\|\, m_0$
  check that $x$ really starts with 00 and $m_1$ really starts with $H \,\|\, \vec{0} \,\|\, 01$; if not, reject (and do not reveal which check failed)
  return $m_0$


RSA-OAEP, Continued

Encryption of $m_0 \in \{0,1\}^{1520}$: $r_0 \xleftarrow{\text{ran}} \{0,1\}^{256}$; $m_1 \leftarrow H \,\|\, \vec{0} \,\|\, 01 \,\|\, m_0$; $m_2 \leftarrow g(r_0) \oplus m_1$; $r_1 \leftarrow r_0 \oplus h(m_2)$; $x \leftarrow 00 \,\|\, r_1 \,\|\, m_2$; $c \leftarrow x^e \pmod n$.

Decryption of $c$: $x \leftarrow c^d \pmod n$ (so $x = 00 \,\|\, r_1 \,\|\, m_2$); $r_0 \leftarrow r_1 \oplus h(m_2)$; $m_1 \leftarrow g(r_0) \oplus m_2$ (so $m_1 = H \,\|\, \vec{0} \,\|\, 01 \,\|\, m_0$); return $m_0$.

$(r_0, m_1) \leadsto (r_1, m_2)$ is an example of an all-or-nothing transformation.

To recover $m_1$, you need to recover the entire $r_0$ and the entire $m_2$.

Because of $h$, you need the entire $m_2$ to recover $r_0$ from $r_1$. Because of $g$, you need the entire $r_0$ to recover $m_1$ from $m_2$.

So, figuring out just part of $x$ does you no good.
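The two OAEP slides above, as an added example that is not code from the slides: the padding transform in the byte layout of RFC 8017 (SHA-256 for both $g$ and $h$ via MGF1), the decoder's checks, and a measurement of the all-or-nothing property. The RSA exponentiation is left out on purpose so the effect of a single flipped bit in $m_2$ can be seen on its own; the message and the fixed seed are constructed inputs.

```python
"""OAEP padding (the RFC 8017 layout) with SHA-256 and MGF1.

Added example, not from the slides.  It implements only the padding
transform x = 00 || r1 || m2 from the slide, in bytes rather than the
slide's bit counts, and leaves out the RSA exponentiation so the
all-or-nothing behaviour can be seen on its own.  Slide names map as:
H = lHash, g and h = MGF1, r0 = seed, r1 = maskedSeed, m1 = DB, m2 = maskedDB.
"""
import hashlib
import os

HLEN = 32  # SHA-256 output length in bytes


def mgf1(seed, length):
    """Mask generation function: SHA-256 in counter mode (RFC 8017 B.2.1)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message, k, label=b"", seed=None):
    """Return the k-byte block 00 || maskedSeed || maskedDB."""
    if len(message) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    lhash = hashlib.sha256(label).digest()            # the constant H
    ps = b"\x00" * (k - len(message) - 2 * HLEN - 2)  # the run of 0s
    db = lhash + ps + b"\x01" + message               # m1 = H || 0..0 || 01 || m0
    if seed is None:
        seed = os.urandom(HLEN)                       # r0, fresh per encryption
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))     # m2 = g(r0) xor m1
    masked_seed = xor(seed, mgf1(masked_db, HLEN))    # r1 = r0 xor h(m2)
    return b"\x00" + masked_seed + masked_db          # x


def oaep_unmask(em, k):
    """The decoder's first two steps: recover (r0, m1) from (r1, m2)."""
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))    # r0 = r1 xor h(m2)
    db = xor(masked_db, mgf1(seed, k - HLEN - 1))     # m1 = g(r0) xor m2
    return seed, db


def oaep_decode(em, k, label=b""):
    """Invert oaep_encode, rejecting on any structural failure."""
    if len(em) != k or em[0] != 0:
        raise ValueError("decoding error")
    _, db = oaep_unmask(em, k)
    # The checks the slide leaves implicit: H must match and the padding must
    # be 0..0 01.  Production code does this in constant time and reports a
    # single undifferentiated error, so the reason for failure cannot leak.
    if db[:HLEN] != hashlib.sha256(label).digest():
        raise ValueError("decoding error")
    i = HLEN
    while i < len(db) and db[i] == 0:
        i += 1
    if i == len(db) or db[i] != 1:
        raise ValueError("decoding error")
    return db[i + 1:]


def bit_diff(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def all_or_nothing_demo(k=256):
    """Flip one bit of m2 and measure the damage: r0 and m1 are both
    scrambled (about half their bits change) and the decoder rejects."""
    msg = b"constructed test message"   # constructed input
    seed = bytes(range(HLEN))          # fixed r0 so the run is reproducible
    em = oaep_encode(msg, k, seed=seed)
    if oaep_decode(em, k) != msg:
        raise AssertionError("round trip failed")
    corrupted = bytearray(em)
    corrupted[-1] ^= 0x01              # one bit of m2
    corrupted = bytes(corrupted)
    _, db = oaep_unmask(em, k)
    seed2, db2 = oaep_unmask(corrupted, k)
    try:
        oaep_decode(corrupted, k)
        rejected = False
    except ValueError:
        rejected = True
    return rejected, bit_diff(seed, seed2), bit_diff(db, db2)
```

With k = 256 (a 2048-bit modulus) the flipped bit changes roughly 128 of the 256 bits of $r_0$ and roughly 890 of the 1784 bits of $m_1$, which is the "figuring out part of $x$ does you no good" property in numbers. The single "decoding error" in the decoder is deliberate: distinguishing "leading byte not 00" from "padding wrong" is exactly the oracle Manger's attack on RSA-OAEP exploits.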



Textbook RSA Signatures: Trivial Forgeries

Setup for RSA Signatures

Just like RSA encryption.

Signing

Bob wants to sign an $m \in \mathbb{Z}_{n_B}$.

1. Computes $s = m^{d_B} \bmod n_B$.
2. Sends $(m, s)$ to Alice.

Verifying

Alice wants to check $(m, s)$.

1. Tests $m \overset{?}{=} s^{e_B} \bmod n_B$.

Trivial Forgery

For all $n_U$ and $d_U$, and for $x = 0, 1, n_U - 1$: $x^{d_U} \equiv x \pmod{n_U}$. (For $x = n_U - 1 \equiv -1$ this holds because $d_U$ is odd: $\phi(n_U)$ is even and $\gcd(d_U, \phi(n_U)) = 1$.) So we can forge signatures for $m = 0, 1, n_U - 1$ without knowing $d_U$.


Textbook RSA Signatures: Blinding Attack

Setup for RSA Signatures

Just like RSA encryption.

Signing

Bob wants to sign an $m \in \mathbb{Z}_{n_B}$.

1. Computes $s = m^{d_B} \bmod n_B$.
2. Sends $(m, s)$ to Alice.

Verifying

Alice wants to check $(m, s)$.

1. Tests $m \overset{?}{=} s^{e_B} \bmod n_B$.

Blinding Attack

Suppose $m$ is a message Alice would not sign. Suppose you find $r$ such that Alice would sign the message $r^{e_A} m \pmod{n_A}$. Have Alice sign $r^{e_A} m$, obtaining the signature $s = (r^{e_A} m)^{d_A} \pmod{n_A}$. Then:

  $s \cdot r^{-1} \equiv (r^{e_A \cdot d_A} m^{d_A}) \cdot r^{-1} \equiv (r \cdot m^{d_A}) \cdot r^{-1} \equiv m^{d_A} \pmod{n_A}$ = Alice's signature on $m$.


Full Domain Hash Signatures & The Probabilistic Signature Scheme

Full Domain Hash Signatures

Hash = a good crypto-hash function whose output ranges over all of $\mathbb{Z}_{n_B}$ (hence "full domain").

Signing

Bob wants to sign an $m$.

1. Computes $x = \mathrm{Hash}(m)$.
2. Computes $s = x^{d_B} \bmod n_B$.
3. Sends $(m, s)$ to Alice.

Verifying

Alice wants to check $(m, s)$.

1. Tests $\mathrm{Hash}(m) \overset{?}{=} s^{e_B} \bmod n_B$.

Hashing first destroys the multiplicative structure: $\mathrm{Hash}(r^{e_B} m)$ bears no algebraic relation to $\mathrm{Hash}(m)$, so the blinding attack and the trivial forgeries no longer work.

Problem

RSA-FDH is not randomized, so it is open to certain attacks (and its security proof, in the random-oracle model, is loose).

Probabilistic Signature Scheme (RSA-PSS)

A scheme similar to RSA-OAEP that is randomized (a fresh salt per signature) and has a tight security proof, but it is a lot more complex than RSA-FDH.
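The textbook-RSA slides above (multiplicativity, the trivial forgeries, the blinding attack, and FDH as the fix), as one added example that is not code from the slides. The key uses two fixed Mersenne primes so the run is reproducible; they are toy-sized, and the hash-to-$\mathbb{Z}_n$ step reduces a SHA-256 digest modulo $n$ only because the toy modulus is smaller than a digest. The refused message and the blinding factor are constructed values.

```python
"""Textbook RSA: multiplicativity, trivial forgeries, the blinding attack,
and how hashing (RSA-FDH) breaks the blinding trick.

Added example, not from the slides.  The key uses fixed Mersenne primes
2^61 - 1 and 2^31 - 1 so the run is reproducible; they are far too small
for real use, and real code should call a vetted library rather than this.
"""
import hashlib

P, Q = 2**61 - 1, 2**31 - 1          # toy primes
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                            # coprime to PHI for these primes
D = pow(E, -1, PHI)                  # Python 3.8+ modular inverse


def encrypt(m):
    return pow(m, E, N)


def decrypt(c):
    return pow(c, D, N)


def sign_textbook(m):
    return pow(m, D, N)              # s = m^d mod n


def verify_textbook(m, s):
    return pow(s, E, N) == m % N     # m == s^e mod n ?


def multiplicative_demo(m1, m2):
    """Enc(m1) * Enc(m2) is a valid encryption of m1 * m2: the ciphertexts
    carry the algebraic structure of the plaintexts."""
    return decrypt(encrypt(m1) * encrypt(m2) % N) == (m1 * m2) % N


def trivial_forgeries():
    """0, 1 and n-1 are their own signatures under every key (d is odd)."""
    return all(verify_textbook(m, m) for m in (0, 1, N - 1))


def blinding_attack(m, r, sign_oracle):
    """Obtain a signature on m from a signer who refuses to sign m itself.
    Submit r^e * m (looks like junk); then (r^e m)^d * r^-1 = r m^d r^-1 = m^d."""
    blinded = pow(r, E, N) * m % N
    return sign_oracle(blinded) * pow(r, -1, N) % N


def hash_to_zn(m):
    """Stand-in for FDH's Hash: SHA-256 of the message, reduced mod n only
    because the toy n is smaller than a digest (real FDH expands the digest
    to the full size of n instead)."""
    return int.from_bytes(hashlib.sha256(str(m).encode()).digest(), "big") % N


def sign_fdh(m):
    return pow(hash_to_zn(m), D, N)


def verify_fdh(m, s):
    return pow(s, E, N) == hash_to_zn(m)


def blinding_against_fdh(m, r):
    """The same trick against an FDH signer: Hash(r^e m) has no algebraic
    relation to Hash(m), so unblinding yields nothing useful."""
    blinded = pow(r, E, N) * m % N
    forged = sign_fdh(blinded) * pow(r, -1, N) % N
    return verify_fdh(m, forged)


def blinding_demo():
    """A signer that refuses one message still ends up signing it."""
    forbidden = 0xC0FFEE                 # constructed message the signer refuses

    def picky_signer(x):
        if x == forbidden:
            raise PermissionError("I will not sign that")
        return sign_textbook(x)

    s = blinding_attack(forbidden, 12345, picky_signer)
    return verify_textbook(forbidden, s)
```

Note that the signer in blinding_demo never sees the forbidden value; it sees $r^{e} m \bmod n$, which is indistinguishable from a random element of $\mathbb{Z}_n$. The same property is what makes blind signatures a feature in other settings; here it is a bug because the signer is expected to vet what it signs.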


Flaws in RSA Implementations: Low Entropy Primes, 1

In 2012 researchers scanned a large chunk of the net and collected public keys from TLS certificates and SSH hosts (Heninger, Durumeric, Wustrow, and Halderman, "Mining Your Ps and Qs", USENIX Security 2012). They found a fair number of systems with either:

1. identical RSA moduli: if Alice and Bob have $n_A = n_B$, then they can compute each other's decryption exponents (each already knows the factorization of the shared $n$).

2. similar RSA moduli (i.e., a shared prime in the moduli): if $n_A = p \cdot q$ and $n_B = p \cdot q'$, then $\gcd(n_A, n_B) = p$, $q = n_A / p$ and $q' = n_B / p$. Anyone holding the two public keys can do this.

How did this happen? Many systems determine RSA keys at boot time.

    prng.seed(seed)
    p = prng.generate_random_prime()
    q = prng.generate_random_prime()
    n = p*q

What happens when two systems with the same seed run this code?



Flaws in RSA Implementations: Low Entropy Primes, 2

In 2012 researchers scanned a large chunk of the net and collected public keys from TLS certificates and SSH hosts. They found a fair number of systems with either:

1. identical RSA moduli: if Alice and Bob have $n_A = n_B$, then they can compute each other's decryption exponents.

2. similar RSA moduli (i.e., a shared prime in the moduli): if $n_A = p \cdot q$ and $n_B = p \cdot q'$, then $\gcd(n_A, n_B) = p$, $q = n_A / p$ and $q' = n_B / p$.

How did this happen? Many systems determine RSA keys at boot time.

    prng.seed(seed)
    p = prng.generate_random_prime()
    prng.add_entropy()
    q = prng.generate_random_prime()
    n = p*q

What happens when two systems with the same seed run this code? (Both get the same $p$; only $q$ differs.)
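Both versions of the boot-time keygen above, run on several "devices", as an added example (not code from the slides). A toy Miller–Rabin keygen draws primes from a seeded PRNG exactly the way the pseudocode does; the seeds and the "late entropy" strings are constructed, and the primes are 64-bit so the script runs instantly. The last function is the pairwise-GCD scan that turns a shared prime into a full factorization using public keys only.

```python
"""Repeated and related RSA keys from a badly seeded PRNG, and factoring
them by GCD.

Added example, not from the slides.  A toy Miller-Rabin keygen draws primes
from a seeded PRNG the way the slide's pseudocode does.  Two "devices" that
boot with the same low-entropy seed produce the same modulus; two that
receive extra entropy only after p was chosen share p.  Key sizes are tiny
(64-bit primes) so the script runs in well under a second.
"""
import math
import random


def is_probable_prime(n, rounds=20):
    """Miller-Rabin with random bases; fine for a demo."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(prng, bits):
    """Draw odd candidates with the top bit set from prng until one is prime."""
    while True:
        cand = prng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen_boot(seed, late_entropy=None, bits=64):
    """The slide's boot-time keygen.  `seed` stands for the little entropy
    available right after boot; `late_entropy` (constructed, e.g. a MAC
    address) plays the role of prng.add_entropy() between p and q."""
    prng = random.Random(seed)
    p = random_prime(prng, bits)
    if late_entropy is not None:
        prng.seed("%s:%s" % (seed, late_entropy))
    q = random_prime(prng, bits)
    while q == p:
        q = random_prime(prng, bits)
    return p, q, p * q


def find_shared_factors(moduli):
    """Pairwise GCD over public moduli; returns {n: shared prime}.  The 2012
    scans used batch GCD, which is the same idea made fast for millions of
    keys.  No private material is needed."""
    found = {}
    for i, a in enumerate(moduli):
        for b in moduli[i + 1:]:
            if a == b:
                continue            # identical keys: the owners can already read each other
            g = math.gcd(a, b)
            if 1 < g < a:
                found[a], found[b] = g, g
    return found


def demo():
    _, _, n1 = keygen_boot(seed=42)                       # device 1
    _, _, n2 = keygen_boot(seed=42)                       # device 2, same seed
    p3, q3, n3 = keygen_boot(seed=42, late_entropy="aa")  # device 3
    p4, q4, n4 = keygen_boot(seed=42, late_entropy="bb")  # device 4
    _, _, n5 = keygen_boot(seed=7)                        # a healthy key
    shared = find_shared_factors([n1, n2, n3, n4, n5])
    return (n1 == n2,                                     # identical moduli
            p3 == p4 and q3 != q4,                        # shared prime
            shared.get(n3) == p3 and n3 // shared[n3] == q3,   # factored
            n5 not in shared)
```

Devices 1 and 2 answer the first slide's question (same seed, same key); devices 3 and 4 answer the second (same $p$, different $q$), and the GCD scan factors both of them, and device 1 as well, since it shares $p$ with them too. The fix is not to add entropy later but to have enough of it before the first prime is drawn.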


The Bellcore Attack on RSA-Chinese-Remainder-Theorem

A fault-injection attack forces an error in the execution of an algorithm by altering a circuit's voltage or shooting a laser at part of the circuit. Recall that in using the CRT to compute $x = y^d \bmod n$, you compute

  $x_p = y^{s} \bmod p$ and $x_q = y^{t} \bmod q$, where $s = d \bmod (p-1)$ and $t = d \bmod (q-1)$, and then

  $x = \big( x_p \cdot q \cdot (q^{-1} \bmod p) + x_q \cdot p \cdot (p^{-1} \bmod q) \big) \bmod n$.

Suppose we force a mistake in the computation of $x_q$, getting a value $x'_q$. Let

  $x' = \big( x_p \cdot q \cdot (q^{-1} \bmod p) + x'_q \cdot p \cdot (p^{-1} \bmod q) \big) \bmod n$.

Then $x - x' \equiv (x_q - x'_q) \cdot p \cdot (p^{-1} \bmod q) \pmod n$, which is a multiple of $p$ (and not of $q$, since $x_q \not\equiv x'_q \pmod q$).

Therefore $p = \gcd(n, x - x')$ and $q = n / p$. Randomized versions of RSA are safe against this attack. (Why?)
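The attack on the slide, as an added example (not code from the slides). The key uses fixed toy primes; the "fault" is simulated by corrupting $x_q$ in software where a real attack glitches the device. The second function is Lenstra's one-result variant, which is not on the slide: it needs only one faulty output plus knowledge of the input $y$.

```python
"""The Bellcore fault attack on CRT-RSA.

Added example, not from the slides.  The key uses fixed toy primes (far too
small for real use) and the "fault" is simulated in software by corrupting
x_q, where a real attack would glitch the voltage or clock of the device.
"""
import math

P, Q = 2**61 - 1, 2**31 - 1                # toy primes (Mersenne primes)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))         # Python 3.8+ modular inverse
DP, DQ = D % (P - 1), D % (Q - 1)         # s and t on the slide
QINV_P = pow(Q, -1, P)                    # q^-1 mod p
PINV_Q = pow(P, -1, Q)                    # p^-1 mod q


def crt_power(y, fault_in_q=False):
    """x = y^d mod n computed the CRT way, exactly as the slide writes it;
    with fault_in_q the half computed mod q is corrupted by one bit."""
    xp = pow(y, DP, P)
    xq = pow(y, DQ, Q)
    if fault_in_q:
        xq ^= 1
    return (xp * Q * QINV_P + xq * P * PINV_Q) % N


def bellcore_two_results(y):
    """The slide's version: a correct x and a faulty x' for the same input.
    x - x' is a multiple of p but not of q, so gcd(n, x - x') = p."""
    x, x_faulty = crt_power(y), crt_power(y, fault_in_q=True)
    p = math.gcd(N, (x - x_faulty) % N)
    return p, N // p


def bellcore_one_result(y):
    """Lenstra's variant: one faulty result is enough when y is known, since
    x'^e == y (mod p) but x'^e != y (mod q), so gcd(n, x'^e - y) = p."""
    x_faulty = crt_power(y, fault_in_q=True)
    p = math.gcd(N, (pow(x_faulty, E, N) - y) % N)
    return p, N // p
```

This also answers the slide's "(Why?)": both gcds need the attacker to know the exact value $y$ that went into the exponentiation, or to obtain a correct and a faulty result on the same $y$. With randomized padding (OAEP, PSS) the padded value contains a fresh secret seed or salt, so two signatures of the same message exponentiate different $y$'s and a single faulty output cannot be matched against a known $y$. The standard engineering countermeasure is independent of padding: verify the result ($s^e \overset{?}{=} y$) before releasing it, and release nothing if the check fails.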


Diffie-Hellman

Diffie-Hellman is a key agreement protocol. Used extensively all over the net.


Possible Attacks on a Key Agreement Protocol

The eavesdropper: the attacker sees all messages exchanged and can modify/drop/inject messages.

The data leak: the attacker learns the session key and all temporary secrets for a few runs of the protocol, but doesn't know any long-term secrets.

The breach/corruption: the attacker learns the long-term key of one or more parties.



Security Goals of a Key Agreement Protocol

Authentication: each party should be able to authenticate the other.

Key control: no party should be able to choose/restrict the final shared secret.

Forward secrecy: even if all long-term secrets are exposed, shared secrets from previous protocol runs cannot be computed.

Resistance to key-compromise impersonation: if Eve learns Alice's long-term key, then the protocol should still protect against Eve impersonating other parties to Alice.


Anonymous Diffie–Hellman

Setup: $p$, a large prime (public), and $\alpha$, a primitive element of $\mathbb{Z}_p^*$ (public).

Alice picks $x \xleftarrow{\text{ran}} \mathbb{Z}_{p-1}^*$ (private) and sends $\alpha^x \pmod p$ to Bob.

Bob picks $y \xleftarrow{\text{ran}} \mathbb{Z}_{p-1}^*$ (private) and sends $\alpha^y \pmod p$ to Alice.

Alice computes $k = (\alpha^y)^x = \alpha^{xy} \pmod p$. Bob computes $k = (\alpha^x)^y = \alpha^{xy} \pmod p$.

Recall: this is vulnerable to an active eavesdropper (man-in-the-middle attack).


Authenticated Diffie–Hellman (ADH): Strengths

Setup: $p$, a large prime (public), and $g$, a primitive element of $\mathbb{Z}_p^*$ (public).

Alice picks $x \xleftarrow{\text{ran}} \mathbb{Z}_{p-1}^*$ (private), computes $k_A = g^x \pmod p$ and $s_A = \mathrm{sig}_A(k_A)$, and sends $(k_A, s_A)$ to Bob.

Bob picks $y \xleftarrow{\text{ran}} \mathbb{Z}_{p-1}^*$ (private), computes $k_B = g^y \pmod p$ and $s_B = \mathrm{sig}_B(k_B)$, and sends $(k_B, s_B)$ to Alice.

Alice computes $k = (k_B)^x = g^{xy} \pmod p$ and verifies $s_B$. Bob computes $k = (k_A)^y = g^{xy} \pmod p$ and verifies $s_A$.

The keys for the signatures are long-term keys. Authentication stops the man-in-the-middle attack. ADH provides forward secrecy: past session keys are safe, because $x$ and $y$ are discarded after each run. ADH prevents any party from controlling the value of $g^{xy}$.


Authenticated Diffie–Hellman (ADH): Weaknesses

Setup: $p$, a large prime (public), and $g$, a primitive element of $\mathbb{Z}_p^*$ (public).

Alice picks $x \xleftarrow{\text{ran}} \mathbb{Z}_{p-1}^*$ (private), computes $k_A = g^x \pmod p$ and $s_A = \mathrm{sig}_A(k_A)$, and sends $(k_A, s_A)$ to Bob.

Bob picks $y \xleftarrow{\text{ran}} \mathbb{Z}_{p-1}^*$ (private), computes $k_B = g^y \pmod p$ and $s_B = \mathrm{sig}_B(k_B)$, and sends $(k_B, s_B)$ to Alice.

Alice computes $k = (k_B)^x = g^{xy} \pmod p$ and verifies $s_B$. Bob computes $k = (k_A)^y = g^{xy} \pmod p$ and verifies $s_A$.

ADH is not secure against replay attacks: a recorded $(k_A, s_A)$ is still a valid signed message later. (You need to add key confirmation: nonces + challenges.)

ADH is also not secure against data leaks:

If Eve learns the short-term secrets $x$ and $y$, Eve can impersonate either Alice or Bob. If Eve learns both (i) Alice's short-term secret (i.e., $x$) and (ii) Alice's long-term secret (the key to $\mathrm{sig}_A$), then Eve can impersonate Alice.



Menezes–Qu–Vanstone (MQV): Diffie-Hellman on Steroids

Setup

$p$, a prime with a hard discrete-log problem; $g$, a primitive element of $\mathbb{Z}_p^*$.

For each user $U$: a private long-term key $\ell_U$ and a public key $L_U = g^{\ell_U} \pmod p$.

Alice picks $x \xleftarrow{\text{ran}} \mathbb{Z}_{p-1}^*$ and sends Bob $X = g^x \pmod p$.

Bob picks $y \xleftarrow{\text{ran}} \mathbb{Z}_{p-1}^*$ and sends Alice $Y = g^y \pmod p$.

Alice computes $K = (Y \cdot L_B^{Y})^{x + \ell_A \cdot X} \pmod p$.

Bob computes $K' = (X \cdot L_A^{X})^{y + \ell_B \cdot Y} \pmod p$.

Claim: $K = K'$.

  $(Y \cdot L_B^{Y})^{x + \ell_A X} \equiv (g^y \cdot (g^{\ell_B})^{Y})^{x + \ell_A X} \equiv (g^{y + \ell_B Y})^{x + \ell_A X} \equiv g^{(x + \ell_A X)(y + \ell_B Y)} \pmod p$.

  $(X \cdot L_A^{X})^{y + \ell_B Y} \equiv (g^x \cdot (g^{\ell_A})^{X})^{y + \ell_B Y} \equiv (g^{x + \ell_A X})^{y + \ell_B Y} \equiv g^{(x + \ell_A X)(y + \ell_B Y)} \pmod p$.


Menezes–Qu–Vanstone (MQV): Diffie-Hellman on Steroids

Setup

$p$, a prime with a hard discrete-log problem; $g$, a primitive element of $\mathbb{Z}_p^*$.

For each user $U$: a private long-term key $\ell_U$ and a public key $L_U = g^{\ell_U} \pmod p$.

Alice picks $x \xleftarrow{\text{ran}} \mathbb{Z}_{p-1}^*$ and sends Bob $X = g^x \pmod p$.

Bob picks $y \xleftarrow{\text{ran}} \mathbb{Z}_{p-1}^*$ and sends Alice $Y = g^y \pmod p$.

Alice computes $K = (Y \cdot L_B^{Y})^{x + \ell_A \cdot X} \pmod p$.

Bob computes $K' = (X \cdot L_A^{X})^{y + \ell_B \cdot Y} \pmod p$.

MQV cannot be broken by Eve learning the temporary secrets ($x$ and $y$), because $K$ also depends on the long-term keys. Suppose Eve learns Alice's key $\ell_A$. Previous shared secrets are still safe because they involved the temporary secrets ($x$ and $y$). There is a forward-secrecy attack; to defend against it you need to add key confirmation. MQV is rarely used in practice: too complex, too many patents.
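The Diffie–Hellman material above (the anonymous exchange, the man-in-the-middle against it, hashing $g^{xy}$ into the session key, and the MQV claim $K = K'$), as one added example that is not code from the slides. It uses $p = 2^{127} - 1$, a genuine prime, purely so the arithmetic is instant; $g = 3$ is a constructed generator whose order is not checked here, and a real deployment uses a standardized safe-prime group.

```python
"""Diffie-Hellman key agreement, the man-in-the-middle against the anonymous
variant, and the MQV computation from the slides.

Added example, not from the slides.  p = 2^127 - 1 is a (Mersenne) prime
used only so the script runs instantly; g = 3 is not checked for its order,
and real deployments use a standardized safe-prime group with a known
generator.  Exponents are drawn with secrets.randbelow.
"""
import hashlib
import secrets

P = 2**127 - 1
G = 3


def rand_exponent():
    """x in [1, p-2], fresh for every run of the protocol."""
    return secrets.randbelow(P - 2) + 1


def derive_key(shared):
    """SHA3-256 of g^xy, as the slide recommends: the raw group element is a
    number below p with visible structure; the hash output is not."""
    return hashlib.sha3_256(shared.to_bytes(16, "big")).digest()


def dh_exchange():
    """Honest anonymous DH: both sides end with the same 256-bit key."""
    x, y = rand_exponent(), rand_exponent()
    A, B = pow(G, x, P), pow(G, y, P)       # the two values sent on the wire
    return derive_key(pow(B, x, P)) == derive_key(pow(A, y, P))


def dh_mitm():
    """Mallory replaces both public values with her own Z = g^z.  Each party
    believes the exchange succeeded, but Alice shares a key with Mallory and
    Bob shares a different key with Mallory, so Mallory can decrypt and
    re-encrypt everything in between.  Nothing in the messages reveals this."""
    x, y, z = rand_exponent(), rand_exponent(), rand_exponent()
    A, B, Z = pow(G, x, P), pow(G, y, P), pow(G, z, P)
    k_alice = derive_key(pow(Z, x, P))      # Alice received Z instead of B
    k_bob = derive_key(pow(Z, y, P))        # Bob received Z instead of A
    k_mallory_with_alice = derive_key(pow(A, z, P))
    k_mallory_with_bob = derive_key(pow(B, z, P))
    return (k_alice == k_mallory_with_alice and k_bob == k_mallory_with_bob
            and k_alice != k_bob)


def mqv_shared(x, X, Y, ell_A, L_B):
    """One side of MQV as on the slide: K = (Y * L_B^Y)^(x + ell_A * X) mod p.
    Bob calls it with the roles swapped."""
    return pow(Y * pow(L_B, Y, P) % P, x + ell_A * X, P)


def mqv_demo():
    """Check the slide's claim K = K' = g^((x + ell_A X)(y + ell_B Y))."""
    ell_A, ell_B = rand_exponent(), rand_exponent()         # long-term keys
    L_A, L_B = pow(G, ell_A, P), pow(G, ell_B, P)           # public keys
    x, y = rand_exponent(), rand_exponent()                 # ephemeral keys
    X, Y = pow(G, x, P), pow(G, y, P)
    K_alice = mqv_shared(x, X, Y, ell_A, L_B)
    K_bob = mqv_shared(y, Y, X, ell_B, L_A)
    K_expected = pow(G, (x + ell_A * X) * (y + ell_B * Y), P)
    return K_alice == K_bob == K_expected
```

dh_mitm is the whole reason the authenticated variants exist: the two honest parties cannot tell from $k$ alone that anything went wrong. In mqv_demo the long-term keys enter the exponent, which is why learning only $x$ and $y$ does not give Eve $K$; the standardized MQV additionally truncates $X$ and $Y$ before using them in the exponent, which the slide's simplified form omits.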


Diffie-Hellman in Practice, 1

$g^{xy}$ should determine (but not be) the shared secret.

The elements of $\mathbb{Z}_p^*$ have too much structure as $(k+1)$-bit numbers, where $2^k < p < 2^{k+1}$. Take $\mathrm{SHA3}(g^{xy} \bmod p)$ as the shared secret; the hash function will spread out the randomness.

Legacy Diffie-Hellman in TLS

TLS uses Diffie-Hellman for session key generation. TLS allows different flavors of Diffie-Hellman, including Anonymous Diffie-Hellman, which is subject to man-in-the-middle attacks! (Disable the anonymous cipher suites; use authenticated, ephemeral Diffie-Hellman.)


Diffie-Hellman in Practice, 2

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice, by David Adrian et al., 22nd ACM Conference on Computer and Communications Security, 2015. https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf

The authors found that people were ignoring the "suppose $p$ is a prime with a hard discrete-log problem" proviso. Many Diffie-Hellman implementations were accepting primes $p$ such that $p - 1$ had many small divisors. This leads to trouble: the discrete log in $\mathbb{Z}_p^*$ then splits (Pohlig–Hellman) into cheap discrete logs in the small subgroups, and an attacker can send a value of small order to confine the shared secret to a small set. As a result of the paper, lots of patching of major systems occurred in 2016 (e.g., the OpenSSL toolkit). The way to guard against this is to demand that $(p - 1)/2$ is itself prime. (Why would this help?)
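The "many small divisors" failure above, as an added example that is not code from the slides: Pohlig–Hellman recovering most of a secret exponent from the public value alone, plus the receiver-side check a safe-prime group makes possible. $p = 2^{127} - 1$ is a genuine prime whose $p - 1$ is built from small factors; $g = 3$, the secret exponent, and the toy safe prime 1019 used for the validation check are constructed values.

```python
"""Why p - 1 with many small divisors is dangerous: Pohlig-Hellman recovers
most of a DH exponent from the public value alone.

Added example, not from the slides.  p = 2^127 - 1 is a genuine prime, but
p - 1 = 2 * (2^63 - 1) * (2^63 + 1) is a product of mostly small primes,
the kind of group the weakdh.org paper found accepted in the wild.  g = 3
and the secret exponent are constructed values.  The attack is passive: it
needs only what Alice sends.  The safe-prime check at the end is what a
receiver should do instead.
"""
P = 2**127 - 1
G = 3
SECRET_X = 0x5EC2E7123489ABCDEF0F1E2D3C4B5A69   # constructed; 0 < x < p-1


def small_prime_powers(n, bound):
    """Trial division: {q: q^k} for each prime q <= bound dividing n,
    plus whatever cofactor is left unfactored."""
    factors, q = {}, 2
    while q <= bound and q * q <= n:
        while n % q == 0:
            factors[q] = factors.get(q, 1) * q
            n //= q
        q += 1 if q == 2 else 2
    if 1 < n <= bound:
        factors[n] = factors.get(n, 1) * n
        n = 1
    return factors, n


def dlog_by_brute_force(h, target, order, p):
    """Smallest i in [0, order) with h^i == target (mod p)."""
    cur = 1
    for i in range(order):
        if cur == target:
            return i
        cur = cur * h % p
    raise ValueError("target not in the subgroup generated by h")


def pohlig_hellman_partial(A, p, g, bound=10**6):
    """Given A = g^x mod p, return (x mod M, M) where M is the product of the
    orders of g inside the small-prime-power subgroups of Z_p^*.  The cost is
    the *sum* of those subgroup sizes, so many small divisors of p-1 make
    the attack cheap regardless of how large p is."""
    factors, _ = small_prime_powers(p - 1, bound)
    x, M = 0, 1
    for q, qk in factors.items():
        h = pow(g, (p - 1) // qk, p)        # generates a subgroup of order | q^k
        t = pow(A, (p - 1) // qk, p)        # = h^x
        order = qk
        while order % q == 0 and pow(h, order // q, p) == 1:
            order //= q                     # g may be missing part of the q-power
        if order == 1:
            continue
        r = dlog_by_brute_force(h, t, order, p)   # r = x mod order
        # CRT: combine x mod M with r mod order (moduli are coprime).
        x = (x + M * ((r - x) * pow(M, -1, order) % order)) % (M * order)
        M *= order
    return x, M


def demo():
    """Recover SECRET_X modulo M from Alice's public value only; returns
    whether the recovery is right and how many bits of x that is."""
    A = pow(G, SECRET_X, P)
    x_mod_M, M = pohlig_hellman_partial(A, P, G)
    return x_mod_M == SECRET_X % M, M.bit_length()


def validate_public_value(A, p, q):
    """Receiver-side check for a safe-prime group p = 2q + 1: the value must
    lie strictly between 1 and p-1 and in the order-q subgroup.  With a safe
    prime the only other subgroup has order 2, so the attack above learns at
    most x mod 2; with the check in place, not even that."""
    return 1 < A < p - 1 and pow(A, q, p) == 1
```

For this $p$ the demo recovers roughly 90 of the 127 bits of the exponent in well under a second, from the public value alone, and the remainder is a discrete log in a group of about 37 bits. That is the answer to the slide's "(Why would this help?)": if $(p-1)/2 = q$ is prime, the only subgroups of $\mathbb{Z}_p^*$ have orders $1, 2, q, 2q$, so Pohlig–Hellman yields one bit at most and an attacker who sends a small-order value can confine the shared secret to at most two possibilities; validate_public_value rejects even that.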
