
Class 24: Return of ROCA

David Evans
November 21, 2017


cs2102: Discrete Mathematics
University of Virginia, Fall 2017

See course site for notes:
https://uvacs2102.github.io



Transcript

  1. Class 24: Return of ROCA Attack cs2102: Discrete Mathematics |

    F17 uvacs2102.github.io David Evans University of Virginia
  2. Recap (last class): Diffie-Hellman-Merkle Key Exchange " = " mod

    * = * mod Picks secret Picks secret Public values: (primitive root), (large prime) "* = * " mod *" = " * mod As long as discrete log problem is “hard”, eavesdropper cannot learn anything useful about "* from , , " = " mod , * = *mod .
  3. Encryption 7 Encrypt Decrypt Plaintext Ciphertext Plaintext Insecure Channel Key

    Key Symmetric Crypto: channel encrypted with shared secret key. MightBeEvil.org Client (Browser) Server
  4. Symmetric Encryption 8 Jefferson’s Cipher Wheel (1802) “on the periphery

    of each, and between the black lines, put all the letters of the alphabet, not in their established order, but jumbled, & without order, so that no two shall be alike.”
  5. Modern Symmetric Encryption 9 AES Round 128 or more key

    bits ~1017 J needed for most efficient possible brute force attack Very inexpensive: instructions built in to most processors
  6. Modern Symmetric Encryption 10 AES Round 128 or more key

    bits ~1017 J needed for most efficient possible brute force attack Very inexpensive: instructions built in to most processors
  7. 11 “virginia.edu”, = … = ... signed by Certificate Authority

    Verify and Decrypt: 7 9 () = Verify signature on certificate Server Recap (before Halloween): Is D-H-M Key Exchange enough to solve digital signatures?
  8. Asymmetry Required Need a function f that is: Easy to

    compute: given x, easy to compute f (x) Hard to invert: given f (x), hard to compute x Has a trap-door: given f (x) and t, easy to compute x 12
  9. Asymmetric (Public Key) Encryption: Confidentiality 13 Encrypt Decrypt Plaintext Ciphertext

    Plaintext Bunny’s Public Key Bunny’s Private Key Insecure Channel Asymmetric Crypto: Armadillo obtains Bunny’s Public Key, and can send private messages to Bob.
  10. 14 Encrypt Decrypt Plaintext Ciphertext Plaintext Bunny’s Public Key Bunny’s

    Private Key Insecure Channel Signatures: Bunny signs a message with her Private Key; Armadillo verifies signature with Bunny’s Public Key. Asymmetric (Public Key) Encryption: Confidentiality Signatures
  11. 19 RSA Cryptosystem 9 = 9 mod = mod Encryption

    using public key (, ): Decryption using private key and public :
  12. 20 Correctness of RSA Cryptosystem 9 = 9 mod =

    mod Correctness property: for all messages ∈ , =
  13. 21 Correctness of RSA Cryptosystem 9 = 9 mod =

    mod Correctness property: for all messages ∈ , = 7 9 () = (9mod ) = 9 mod = For RSA to be correct, and must be chosen to ensure this property!
  14. 22 Ensuring Correctness 7 9 () = (9mod ) =

    9 mod = 9 mod = 9 EF mod = 1 Divide by Euler Fermat
  15. Fermat’s Little Theorem GEF ≡ 1 (mod ) If is

    not divisible by : mod , 2 mod , … , − 1 mod = {1, 2, … , − 1 } × 2 × ⋯ × − 1 ≡ 1 × 2 × … × ( − 1) mod − 1 ! GEF ≡ − 1 ! mod GEF ≡ 1 mod
  16. = number of numbers between 1 and that are relatively

    prime to . If is prime, = − 1. If is composite, (maybe) hard to compute .
  17. Euler’s Theorem Euler R(S) ≡ 1 mod For and relatively

    prime: Case 1: is prime = − 1 So, R(S) ≡ 1 mod by Fermat’s Little Theorem
  18. Euler’s Theorem Euler R(S) ≡ 1 mod For and relatively

    prime: Case 2: is not prime =number of numbers between 1 and that are relatively prime to
  19. Euler Case 2: is not prime =number of numbers between

    1 and that are relatively prime to
  20. Euler’s Theorem Euler R(S) ≡ 1 mod For and relatively

    prime: Case 2: is not prime =number of numbers between 1 and that are relatively prime to . = set of those numbers = { F , V , … , R S } = multiply each in by (mod ) = { F mod , V mod , … , R(S) mod }
  21. Euler’s Theorem Euler Case 2: is not prime = set

    of those numbers = { F , V , … , R S } = multiply each in by (mod ) = { F mod , V mod , … , R(S) mod } Since and are relatively prime, is relatively prime to all X, X is relatively prime to , So: = .
  22. Euler’s Theorem Euler Case 2: is not prime = set

    of numbers < relatively prime to = { F , V , … , R S } = = { F mod , V mod , … , R(S) mod } So, product() = product():
  23. Euler’s Theorem Euler Case 2: is not prime = set

    of numbers < relatively prime to = { F , V , … , R S } = = { F mod , V mod , … , R(S) mod } So, product() = product(): F ×V × ⋯ × R S = F mod × ⋯ ×R S mod F ×V × ⋯ × R S = R S F ×V × ⋯ ×R S mod 1 ≡ R S mod
  24. 38 Correctness of RSA Cryptosystem 9 = 9 mod =

    mod 7 9 () = (9mod ) = 9 mod = Euler’s Theorem For and relatively prime: R(S) ≡ 1 mod
  25. Totient of Product of Primes? = for primes and =

    − 1 − − 1 − − 1 numbers between 1 and numbers divisible by numbers divisible by
  26. Totient of Product of Primes? = for primes and =

    − 1 − − 1 − − 1 = − + + 1 = − 1 − 1
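The following Python is an added example, not code from the slides: it checks the definitions and the Case 2 argument above on small numbers. It computes the totient by counting the residues relatively prime to n, verifies that multiplying that set by a number relatively prime to n gives back the same set (the step the Case 2 proof rests on), checks Euler's theorem for every such number, and confirms the counting argument for the totient of a product of two primes. The function names are mine.

```python
from math import gcd

def coprime_residues(n):
    """Numbers between 1 and n-1 that are relatively prime to n (the set the slides define)."""
    return {x for x in range(1, n) if gcd(x, n) == 1}

def phi(n):
    """Euler's totient, computed by brute-force counting (fine for toy n)."""
    return len(coprime_residues(n))

def multiply_set(a, n):
    """The second set from the slides: every element of the coprime set multiplied by a, mod n."""
    return {(a * x) % n for x in coprime_residues(n)}

def permutes_residues(a, n):
    """Case 2 step: when gcd(a, n) == 1, multiplying by a only permutes the coprime set."""
    return multiply_set(a, n) == coprime_residues(n)

def euler_holds(a, n):
    """Euler's theorem: a^phi(n) == 1 (mod n) whenever gcd(a, n) == 1."""
    return pow(a, phi(n), n) == 1

def phi_of_prime_product(p, q):
    """Slides 25-26: of the pq-1 numbers below pq, q-1 are multiples of p and
    p-1 are multiples of q, so phi(pq) = pq - 1 - (q-1) - (p-1) = (p-1)(q-1)."""
    counted = p * q - 1 - (q - 1) - (p - 1)
    assert counted == (p - 1) * (q - 1)
    return counted

if __name__ == "__main__":
    n = 15  # constructed toy modulus: 3 * 5, so Case 2 (n not prime) applies
    print("phi(15) =", phi(n), "= (3-1)(5-1) =", phi_of_prime_product(3, 5))
    print("7 permutes the set mod 15:", permutes_residues(7, n),
          "| 7^phi(15) mod 15 == 1:", euler_holds(7, n))
    print("6 (not coprime to 15) permutes the set:", permutes_residues(6, n),
          "| Euler holds for 6:", euler_holds(6, n))
```

Running it with n = 15 shows both halves of the argument: for a = 7 the multiplied set is the same eight residues and 7^8 ≡ 1 (mod 15), while for a = 6 (which shares the factor 3 with 15) the multiplied set collapses and the congruence fails, which is why the theorem needs a and n relatively prime.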
  27. 42 9 = 9 mod = mod 7 9 ()

    = (9mod ) = 9 mod = Euler’s Theorem For and relatively prime: R(S) ≡ 1 mod = = − 1 − 1
  28. 43 7 9 () = (9mod ) = 9 mod

    = Euler’s Theorem For and relatively prime: R(S) ≡ 1 mod = = − 1 − 1 e⋅R(S) ≡ 1 mod e⋅R S gF ≡ mod Pick , such that: ≡ 1 mod
  29. 44 9 = 9 mod = mod 7 9 ()

    = (9mod ) = 9 mod = Euler’s Theorem For and relatively prime: R(S) ≡ 1 mod = = − 1 − 1 relatively prime to ≡ 1 mod ( − 1)( − 1) ≡ EF mod ( − 1)( − 1)
  30. Summary: RSA Cryptosystem ≡ EF mod ( − 1)( −

    1) 9 = 9 mod = mod = ( and are prime) Pick , public exponent
  31. Asymmetry Required Need a function f that is: Easy to

    compute: given x, easy to compute f (x) Hard to invert: given f (x), hard to compute x Has a trap-door: given f (x) and t, easy to compute x 46
  32. Easy (Enough) to Compute Easy to compute: 47 9 =

    9 mod Using fast exponentiation, compute mod about log2 multiplications
  33. Hard to Invert 48 Given ( ), and , hard

    to compute M. ≡ EF mod ( − 1)( − 1)
  34. Hard to Invert 49 Given ( ), and , hard

    to compute M. If attacker can factor = , easy to find : = EF ( – 1)( – 1) All other attacks seem to be equivalent to factoring .
  35. Hard to Invert 51 Given ( ), and , hard

    to compute M. If attacker can factor = , easy to find : = EF ( – 1)( – 1) All other attacks seem to be equivalent to factoring . No one seems to know a fast way to factor in general, except with a quantum computer (and building a large one seems pretty hard).
  36. Hard to Invert 52 Given ( ), and , hard

    to compute M. If attacker can factor = , easy to find : = EF ( – 1)( – 1) All other attacks seem to be equivalent to factoring . No one seems to know a fast way to factor, except with a quantum computer (and building a large one seems pretty hard). RSA paper, 1977
  37. Generating RSA Keys Pick two large primes: , Generate modulus:

    = Pick public exponent: Compute secret exponent: = EF mod − 1 − 1 Publish public key: (, ) Store secret key securely: Destroy and
  38. Generating RSA Keys (1) Pick two large primes: , (2)

    Generate modulus: = (3) Pick public exponent: (4) Compute secret exponent: = EF mod − 1 − 1 (5) Publish public key: (, ) (6) Store secret key securely: Which is the hardest step?
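As an added example (not the slides' own code), here is the six-step key generation just listed carried out in Python on toy-sized primes, together with the correctness check from the earlier slides and the "hard to invert" observation that factoring n hands over d immediately. The primes 1009 and 2003 and the message 42 are constructed values; the function names are mine, and `pow(e, -1, m)` for the modular inverse needs Python 3.8 or later.

```python
from math import gcd

def is_prime(n):
    """Trial division: enough for the toy sizes in this example."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True

def find_prime_above(k):
    """Step (1), the 'hard way' from the next slide: walk upward from k until a prime appears."""
    p = k
    while not is_prime(p):
        p += 1
    return p

def generate_keypair(p, q, e=65537):
    """Steps (2)-(5): n = p*q, check e is relatively prime to (p-1)(q-1),
    d = e^-1 mod (p-1)(q-1). Returns ((n, e), d); storing d securely and
    destroying p and q (step 6) is left to the caller."""
    n = p * q
    phi_n = (p - 1) * (q - 1)
    if gcd(e, phi_n) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi_n)  # modular inverse; Python 3.8+
    return (n, e), d

def encrypt(message, public_key):
    n, e = public_key
    return pow(message, e, n)

def decrypt(ciphertext, d, n):
    return pow(ciphertext, d, n)

def roundtrips_for_all_messages(p, q, e):
    """Correctness property from the slides: decrypt(encrypt(M)) == M for every M in Z_n."""
    (n, _), d = generate_keypair(p, q, e)
    return all(decrypt(encrypt(m, (n, e)), d, n) == m for m in range(n))

def recover_d_by_factoring(n, e):
    """The 'hard to invert' slides: once n is factored, d follows at once.
    Trial-division factoring only works at toy sizes, which is the whole point."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return pow(e, -1, (f - 1) * (n // f - 1))
        f += 1
    return None

if __name__ == "__main__":
    p, q = find_prime_above(1000), find_prime_above(2000)  # constructed toy primes
    public, d = generate_keypair(p, q)
    c = encrypt(42, public)
    print("n =", public[0], "d =", d, "decrypt(encrypt(42)) =", decrypt(c, d, public[0]))
    print("d recovered from factoring n:", recover_d_by_factoring(*public) == d)
```

`roundtrips_for_all_messages` tries every message in Z_n, including the few that share a factor with n, which the Euler's-theorem argument does not cover but which RSA still decrypts correctly. `recover_d_by_factoring` succeeds here only because a 21-bit n is factored in microseconds; the security of a real key rests entirely on that loop being infeasible for a 2048-bit n.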
  39. How many guesses? To find a prime around , need

    about log guesses. = number of primes up ≤ ≈ log
  40. Finding Large Random Primes “Hard” way:

    def find_prime_above(k):
        p = k
        while not is_prime(p):
            p += 1
        return p

    Problems with the hard way: 1. Expensive to compute: is_prime is fairly expensive, expect about log () guesses 2. Might pick a “bad” prime: also need − 1 and + 1 to have large prime factors, etc.
  41. Finding Large Random Primes Infineon’s way (RSALib): pick random ∈

    ℤ (about 37 bits) pick random ∈ ℤ (62 bits for 512-bit RSA) v = product of first primes = 2 ×3 ×5 × ⋯ ×v = v + (65537" v ) (for RSA-512, = 39)
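As an added example (neither the slides' code nor Infineon's), the following Python models the generator just described at toy scale and shows why its output is recognisable from the public key alone: because p mod M is always a power of 65537 mod M, every prime it produces, and every modulus n = p·q built from two of them, lies in the small subgroup that 65537 generates, which a CA or key auditor can test one small prime at a time. The sizes are scaled down from the slide's (12 small primes instead of 39, a 20-bit k and a 16-bit a) so that it runs instantly; the function names are mine, and `math.lcm` needs Python 3.9 or later.

```python
import random
from math import lcm

# Toy-scale M: the product of the first 12 primes (the slide uses the first 39 for RSA-512).
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
M = 1
for _r in SMALL_PRIMES:
    M *= _r  # 2*3*5*...*37 = 7420738134810

def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n below about 3.3e24."""
    if n < 2:
        return False
    for r in SMALL_PRIMES:
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def rsalib_style_prime(k_bits, a_bits, rng):
    """p = k*M + (65537^a mod M), retried until p is prime: the structure on the slide."""
    while True:
        k = rng.getrandbits(k_bits) | (1 << (k_bits - 1))  # top bit set so p has a fixed size
        a = rng.getrandbits(a_bits)
        p = k * M + pow(65537, a, M)
        if is_probable_prime(p):
            return p

def toy_keypair(seed, k_bits=20, a_bits=16):
    """Two primes generated the RSALib way from a seeded RNG (constructed, toy sized)."""
    rng = random.Random(seed)
    return rsalib_style_prime(k_bits, a_bits, rng), rsalib_style_prime(k_bits, a_bits, rng)

def generated_by_65537(r):
    """The subgroup of the nonzero residues mod the small prime r generated by 65537."""
    g, cur, seen = 65537 % r, 1, set()
    while cur not in seen:
        seen.add(cur)
        cur = cur * g % r
    return seen

def roca_fingerprint(x):
    """True when x mod r is a power of 65537 for every small prime r dividing M.
    Every prime from rsalib_style_prime passes, and so does n = p*q; a prime
    chosen uniformly at random almost never does."""
    return all(x % r in generated_by_65537(r) for r in SMALL_PRIMES)

def reachable_residues():
    """How many residues mod M the generator can reach (the order of 65537 mod M,
    i.e. the lcm of its orders mod each small prime) versus phi(M), the number of
    residues a uniformly chosen prime could take."""
    order = lcm(*(len(generated_by_65537(r)) for r in SMALL_PRIMES))
    phi_m = 1
    for r in SMALL_PRIMES:
        phi_m *= r - 1
    return order, phi_m

if __name__ == "__main__":
    p, q = toy_keypair(2017)
    print("p, q prime:", is_probable_prime(p), is_probable_prime(q))
    print("fingerprint(p), fingerprint(n):", roca_fingerprint(p), roca_fingerprint(p * q))
    print("fingerprint(1000003), an ordinary prime:", roca_fingerprint(1000003))
    order, phi_m = reachable_residues()
    print(f"generator reaches {order} of {phi_m} possible residues mod M")
```

With these 12 primes, `reachable_residues` reports 27720 reachable residues out of roughly 1.1e12, so the generator throws away most of the entropy that p mod M should carry; with the slide's 39 primes the gap is far larger and is what makes the keys both fingerprintable and, as the later slides discuss, far easier to factor than their size suggests. The fingerprint check needs only n and runs in microseconds, which is why it is the right first test to run over a certificate inventory.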