References From Textbook to Practice & How Things Can Go Wrong J.-P. Aumanson. Serious Cryptography , No Starch Press, 2018. 1 CIS 428/628: Introduction to N. Ferguson, B. Schneier, and T. Kohno Cryptography Engineering, Wiley, 2010. 2 Cryptography Jim Royer December 4, 2018 CIS 428/628 From Textbook to Practice 1/ 24 CIS 428/628 From Textbook to Practice 2/ 24 Where to get random bits? RSA Unix-like Systems: I sincerely hope you’ll never have to implement RSA from Typically have: /dev/random and /dev/urandom . scratch. Cryptographic PNGs, continually re-seed from various sources of entropy If you’re asked to, run as fast as you can and question the Treat like files of random bits you can read from. But, like real files, reading from them can fail. sanity of the person who asked you to do so. So include lots of sanity checks when you use them. The details of /dev/random and /dev/urandom differ from system to system. It took decades for cryptographers and engineers to develop Typically, they maintain entropy pools of “random” bits draw from system behavior RSA implementations that are fast, sufficiently secure, and (e.g., i/o devices, network and user activity, etc.) hopefully free of debilitating bugs, so you really don’t want !!! These pools may be empty at boot time, and this can cause problems. to reinvent RSA. Windows: BcryptGenRandom() Intel processors: RDRAND — draws from a hardware source of randomness J.-P. Aumanson. Serious Cryptography CIS 428/628 From Textbook to Practice 3/ 24 CIS 428/628 From Textbook to Practice 4/ 24
Textbook RSA Encryption Problems with Textbook RSA Setup Each user U : Encryption Deterministic. Picks two large (random) primes p U & 1 ( m 1 · m 2 ) e ∼ = m e 1 · m e 2 ( mod n ) Bob wants to send m ∈ Z n to Alice. q U (with p U � = q U ). Computes c = m e A mod n A . Etc. 1 Computes n U = p U · q U and 2 Sends c to Alice. 2 ϕ ( n U ) = ( p U − 1 ) · ( q U − 1 ) . It is very bad to have any kind of structure in the numbers that RSA operates on. ran ∈ { 1, . . . , ϕ ( n U ) − 1 } with Picks e U Decryption 3 — Cryptographic Engineering gcd ( e U , ϕ ( n U )) = 1. Alice wants to decrypt c Ferguson, Schneier, and Kohno Computes d U = e − 1 ( mod ϕ ( n U )) . 4 Computes m = c d A mod n A . U 1 Publishes e U and n U . 5 Keeps d U , p U , q U , and ϕ ( n U ) secret. CIS 428/628 From Textbook to Practice 5/ 24 CIS 428/628 From Textbook to Practice 6/ 24 RSA with Optimal Asymmetric Encryption Padding (RSA-OAEP) RSA-OAEP, Continued Encryption of m 0 ∈ { 0, 1 } 1520 For 2048-bit RSA, this scheme uses: Decryption of c H ∈ { 0, 1 } 256 , a constant of the scheme ran ∈ { 0, 1 } 256 r 0 A pseudo-random generator g : { 0, 1 } 256 → { 0, 1 } 1864 x ← c d ( mod n ) // x = 00 � r 1 � m 2 m 1 ← H � # » 0 01 � m 0 A hash-function h : { 0, 1 } 1864 → { 0, 1 } 256 (e.g., SHA-256) r 0 ← r 1 ⊕ h ( m 2 ) m 2 ← g ( r 0 ) ⊕ m 1 m 1 ← g ( r 0 ) ⊕ m 2 // m 1 = H � # » Encryption of m 0 ∈ { 0, 1 } 1520 # » 0 01 � m 0 0 = 270-many 0’s r 1 ← r 0 ⊕ h ( m 2 ) ran ∈ { 0, 1 } 256 x ← 00 � r 1 � m 2 r 0 return m 0 Decryption of c c ← x e ( mod n ) m 1 ← H � # » 0 01 � m 0 x ← c d ( mod n ) // x = 00 � r 1 � m 2 m 2 ← g ( r 0 ) ⊕ m 1 r 0 ← r 1 ⊕ h ( m 2 ) ( r 0 , m 1 ) ❀ ( r 1 , m 2 ) is an example of an all-or-nothing transformation. r 1 ← r 0 ⊕ h ( m 2 ) To recover m 1 , you need to recover the entire r 0 and the entire m 2 . m 1 ← g ( r 0 ) ⊕ m 2 // m 1 = H � # » 0 01 � m 0 Because of h , you need the entire m 2 to recover r 0 from r 1 . x ← 00 � r 1 � m 2 Because of g , you need the entire r 0 to recover m 1 from m 2 . return m 0 c ← x e ( mod n ) So, figuring out just part of x does you no good. CIS 428/628 From Textbook to Practice 7/ 24 CIS 428/628 From Textbook to Practice 8/ 24
Textbook RSA Signatures: Trivial Forgeries Textbook RSA Signatures: Blinding Attack Blinding Attack Setup for RSA Signatures Setup for RSA Signatures Suppose m is a message Alice would not sign. Just like RSA-encryption Just like RSA-encryption Suppose you find r such that Alice would sign message r e A m ( mod n A ) . Signing Signing Trivial Forgery Have Alice sign r e A m with signature Bob wants to sign a m ∈ Z n . Bob wants to sign a m ∈ Z n . For all n U and d U and for x = 0, 1, ( n U − 1 ) : s = ( r e A m ) d A ( mod n A ) . x d U ∼ Computes s = m d B mod n B . Computes s = m d B mod n B . = x ( mod n U ) . 1 1 Then: s · r − 1 Sends ( m , s ) to Alice. Sends ( m , s ) to Alice. 2 2 So we can forge signatures for m = 0, 1, ( n U − 1 ) ∼ = ( r e A · d A m d A ) · r − 1 without knowing d U . Verifying Verifying ∼ = ( r · m d A ) · r − 1 Alice wants to check ( m , s ) Alice wants to check ( m , s ) ∼ = m d A ( mod n A ) Tests m ? Tests m ? = ( s e B mod n B ) . = ( s e B mod n B ) . 1 = Alice’s signature on m 1 CIS 428/628 From Textbook to Practice 9/ 24 CIS 428/628 From Textbook to Practice 10/ 24 Full Domain Hash Signatures & The Probabilistic Signature Scheme Flaws in RSA Implementations: Low Entropy Primes, 1 Full Domain Hash Signatures In 2012 researchers scanned are large chunk of the net and collected public keys from Hash = a good crypto-hash function TLS certificates and SSH hosts. They found a fair number of systems with either: Signing identical RSA moduli 1 Problem If Alice and Bob have n A = n B , then they can compute each other’s decryption exponents. Bob wants to sign an m . similar RSA moduli (i.e., a shared prime in the moduli) RSA-FDH is not randomized, 2 If n A = p · q and n B = p · q ′ , then gcd ( n A , n B ) = p and q = n A / p and q ′ = n B / p. Computes x = Hash ( m ) . 1 so it is open to certain attacks. Computes s = x d B mod n B . How did this happen? 2 Probabilistic Signature Scheme Sends ( m , s ) to Alice. 3 Many systems determine RSA keys at boot-time. A scheme similar to RSA-OAEP that is randomized, but a lot more complex than prng.seed(seed) Verifying RSA-FDH. p = prng.generate random prime() What happens when two systems with Alice wants to check ( m , s ) q = prng.generate random prime() the same seed run this code? Tests Hash ( m ) ? n = p*q = ( s e B mod n B ) . 1 CIS 428/628 From Textbook to Practice 11/ 24 CIS 428/628 From Textbook to Practice 12/ 24
Flaws in RSA Implementations: Low Entropy Primes, 2 The Bellcore Attack on RSA-Chinese-Remainder-Theorem A fault-injection attack, forces an error in the execution of an In 2012 researchers scanned are large chunk of the net and collected public keys from algorithm by altering a circuit’s voltage or shooting a laser at TLS certificates and SSH hosts. They found a fair number of systems with either: part of the circuit. identical RSA moduli 1 If Alice and Bob have n A = n B , then they can compute each other’s decryption exponents. Recall that in using the CRT to compute x d , you compute similar RSA moduli (i.e., a shared prime in the moduli) 2 If n A = p · q and n B = p · q ′ , then gcd ( n A , n B ) = p and q = n A / p and q ′ = n B / p. x p = y s mod p x q = y t mod q How did this happen? x p · q · ( q − 1 mod p ) + x q · p · ( p − 1 mod q ) � � Then x = mod n Many systems determine RSA keys at boot-time. Suppose we force a mistake in the computation of x q , getting a value x ′ q . prng.seed(seed) Let x ′ = ( x p · q · ( q − 1 mod p ) + x ′ q · p · ( p − 1 mod q )) mod n . p = prng.generate random prime() Then x − x ′ = (( x q − x ′ q ) · p · ( p − 1 mod q )) mod n , which is a multiple of p . What happens when two systems with prng.add entropy() the same seed run this code? q = prng.generate random prime() Thereforem, p = gcd ( n , x − x ′ ) and q = n / p . n = p*q Randomized versions of RSA are safe against this attack. (Why?) CIS 428/628 From Textbook to Practice 13/ 24 CIS 428/628 From Textbook to Practice 14/ 24 Diffie-Hellman Possible Attacks on a Key Agreement Protocol The eavesdropper The attacker sees all messages exchanged and can modify/drop/inject messages. Diffie-Hellman is a key agreement protocol. The data leak The attacker learns the session key and all temporary secrets Used extensively all over the net. for a few runs of the protocol, but doesn’t know any long-term secrets. The breach/corruption The attacker learns the long-term key of one or more party. CIS 428/628 From Textbook to Practice 15/ 24 CIS 428/628 From Textbook to Practice 16/ 24
Recommend
More recommend
