Slide 1

Slide 1 text

Class 24: Return of ROCA Attack
cs2102: Discrete Mathematics | F17
uvacs2102.github.io
David Evans, University of Virginia

Slide 2

Slide 2 text

Goal for Today

Slide 5

Slide 5 text

Why are the Estonian and Spanish ID cards broken?

Slide 6

Slide 6 text

Recap (last class): Diffie-Hellman-Merkle Key Exchange " = " mod * = * mod Picks secret Picks secret Public values: (primitive root), (large prime) "* = * " mod *" = " * mod As long as discrete log problem is “hard”, eavesdropper cannot learn anything useful about "* from , , " = " mod , * = *mod .

Slide 7

Slide 7 text

Encryption
[Diagram labels: Encrypt, Decrypt, Plaintext, Ciphertext, Plaintext, Insecure Channel, Key, Key, Client (Browser), Server, MightBeEvil.org]
Symmetric Crypto: channel encrypted with shared secret key.

Slide 8

Slide 8 text

Symmetric Encryption
Jefferson’s Cipher Wheel (1802)
“on the periphery of each, and between the black lines, put all the letters of the alphabet, not in their established order, but jumbled, & without order, so that no two shall be alike.”

Slide 9

Slide 9 text

Modern Symmetric Encryption
AES Round
128 or more key bits
~10^17 J needed for most efficient possible brute force attack
Very inexpensive: instructions built in to most processors

Slide 11

Slide 11 text

11 “virginia.edu”, = … = ... signed by Certificate Authority Verify and Decrypt: 7 9 () = Verify signature on certificate Server Recap (before Halloween): Is D-H-M Key Exchange enough to solve digital signatures?

Slide 12

Slide 12 text

Asymmetry Required
Need a function f that is:
Easy to compute: given x, easy to compute f(x)
Hard to invert: given f(x), hard to compute x
Has a trap-door: given f(x) and t, easy to compute x

Slide 13

Slide 13 text

Asymmetric (Public Key) Encryption: Confidentiality
[Diagram labels: Encrypt, Decrypt, Plaintext, Ciphertext, Plaintext, Bunny’s Public Key, Bunny’s Private Key, Insecure Channel]
Asymmetric Crypto: Armadillo obtains Bunny’s Public Key, and can send private messages to Bob.

Slide 14

Slide 14 text

Asymmetric (Public Key) Encryption: Confidentiality Signatures
[Diagram labels: Encrypt, Decrypt, Plaintext, Ciphertext, Plaintext, Bunny’s Public Key, Bunny’s Private Key, Insecure Channel]
Signatures: Bunny signs a message with her Private Key; Armadillo verifies signature with Bunny’s Public Key.

Slide 15

Slide 15 text

1977

Slide 17

Slide 17 text

Ron Rivest, Len Adleman, Adi Shamir

Slide 19

Slide 19 text

19 RSA Cryptosystem 9 = 9 mod = mod Encryption using public key (, ): Decryption using private key and public :

Slide 20

Slide 20 text

20 Correctness of RSA Cryptosystem 9 = 9 mod = mod Correctness property: for all messages ∈ , =

Slide 21

Slide 21 text

21 Correctness of RSA Cryptosystem 9 = 9 mod = mod Correctness property: for all messages ∈ , = 7 9 () = (9mod ) = 9 mod = For RSA to be correct, and must be chosen to ensure this property!

Slide 22

Slide 22 text

22 Ensuring Correctness 7 9 () = (9mod ) = 9 mod = 9 mod = 9 EF mod = 1 Divide by Euler Fermat

Slide 23

Slide 23 text

Fermat’s Little Theorem GEF ≡ 1 (mod ) If is not divisible by :

Slide 24

Slide 24 text

Relatively Prime

Slide 26

Slide 26 text

Fermat’s Little Theorem GEF ≡ 1 (mod ) If is not divisible by : mod , 2 mod , … , − 1 mod = {1, 2, … , − 1 } × 2 × ⋯ × − 1 ≡ 1 × 2 × … × ( − 1) mod − 1 ! GEF ≡ − 1 ! mod GEF ≡ 1 mod

Slide 27

Slide 27 text

Euler’s Totient Function = number of numbers between 1 and that are relatively prime to .

Slide 28

Slide 28 text

= number of numbers between 1 and that are relatively prime to .

Slide 29

Slide 29 text

= number of numbers between 1 and that are relatively prime to . If is prime, = − 1. If is composite, (maybe) hard to compute .

Slide 30

Slide 30 text

Euler’s Theorem Euler R(S) ≡ 1 mod For and relatively prime:

Slide 31

Slide 31 text

Euler’s Theorem Euler R(S) ≡ 1 mod For and relatively prime: Case 1: is prime = − 1 So, R(S) ≡ 1 mod by Fermat’s Little Theorem

Slide 32

Slide 32 text

Euler’s Theorem Euler R(S) ≡ 1 mod For and relatively prime: Case 2: is not prime =number of numbers between 1 and that are relatively prime to

Slide 33

Slide 33 text

Euler Case 2: is not prime =number of numbers between 1 and that are relatively prime to

Slide 34

Slide 34 text

Euler’s Theorem Euler R(S) ≡ 1 mod For and relatively prime: Case 2: is not prime =number of numbers between 1 and that are relatively prime to . = set of those numbers = { F , V , … , R S } = multiply each in by (mod ) = { F mod , V mod , … , R(S) mod }

Slide 35

Slide 35 text

Euler’s Theorem Euler Case 2: is not prime = set of those numbers = { F , V , … , R S } = multiply each in by (mod ) = { F mod , V mod , … , R(S) mod } Since and are relatively prime, is relatively prime to all X, X is relatively prime to , So: = .

Slide 36

Slide 36 text

Euler’s Theorem Euler Case 2: is not prime = set of numbers < relatively prime to = { F , V , … , R S } = = { F mod , V mod , … , R(S) mod } So, product() = product():

Slide 37

Slide 37 text

Euler’s Theorem Euler Case 2: is not prime = set of numbers < relatively prime to = { F , V , … , R S } = = { F mod , V mod , … , R(S) mod } So, product() = product(): F ×V × ⋯ × R S = F mod × ⋯ ×R S mod F ×V × ⋯ × R S = R S F ×V × ⋯ ×R S mod 1 ≡ R S mod

Slide 38

Slide 38 text

38 Correctness of RSA Cryptosystem 9 = 9 mod = mod 7 9 () = (9mod ) = 9 mod = Euler’s Theorem For and relatively prime: R(S) ≡ 1 mod

Slide 39

Slide 39 text

Totient of Product of Primes? = for primes and =

Slide 40

Slide 40 text

Totient of Product of Primes? = for primes and = − 1 − − 1 − − 1 numbers between 1 and numbers divisible by numbers divisible by

Slide 41

Slide 41 text

Totient of Product of Primes? = for primes and = − 1 − − 1 − − 1 = − + + 1 = − 1 − 1

Slide 42

Slide 42 text

42 9 = 9 mod = mod 7 9 () = (9mod ) = 9 mod = Euler’s Theorem For and relatively prime: R(S) ≡ 1 mod = = − 1 − 1

Slide 43

Slide 43 text

43 7 9 () = (9mod ) = 9 mod = Euler’s Theorem For and relatively prime: R(S) ≡ 1 mod = = − 1 − 1 e⋅R(S) ≡ 1 mod e⋅R S gF ≡ mod Pick , such that: ≡ 1 mod

Slide 44

Slide 44 text

44 9 = 9 mod = mod 7 9 () = (9mod ) = 9 mod = Euler’s Theorem For and relatively prime: R(S) ≡ 1 mod = = − 1 − 1 relatively prime to ≡ 1 mod ( − 1)( − 1) ≡ EF mod ( − 1)( − 1)

Slide 45

Slide 45 text

Summary: RSA Cryptosystem ≡ EF mod ( − 1)( − 1) 9 = 9 mod = mod = ( and are prime) Pick , public exponent

Slide 46

Slide 46 text

Asymmetry Required
Need a function f that is:
Easy to compute: given x, easy to compute f(x)
Hard to invert: given f(x), hard to compute x
Has a trap-door: given f(x) and t, easy to compute x

Slide 47

Slide 47 text

Easy (Enough) to Compute Easy to compute: 47 9 = 9 mod Using fast exponentiation, compute mod about log2 multiplications

Slide 48

Slide 48 text

Hard to Invert 48 Given ( ), and , hard to compute M. ≡ EF mod ( − 1)( − 1)

Slide 49

Slide 49 text

Hard to Invert 49 Given ( ), and , hard to compute M. If attacker can factor = , easy to find : = EF ( – 1)( – 1) All other attacks seem to be equivalent to factoring .

Slide 50

Slide 50 text

Is Factoring Hard? 352432324251959084756578934940271832400483985714292821262 040320277771378360436620207075955562640185258807844069182 906412495150821892985591491761845028084891200728449926873 928072877767359714183472702618963750149718246911650776133 798590957000973304597488084284017974291006424586918171951 187461215151726546322822168699875491824224336372590851418 654620435767984233871847744479207399342365848238242811981 638150106748104516603773060562016196762561338441436038339 044149526344321901146575444541784240209246165157233507787 077498171257724679629263863563732899121548314381678998850 404453640235273819513786365643912120103971228221207203578

Slide 51

Slide 51 text

Hard to Invert 51 Given ( ), and , hard to compute M. If attacker can factor = , easy to find : = EF ( – 1)( – 1) All other attacks seem to be equivalent to factoring . No one seems to know a fast way to factor in general, except with a quantum computer (and building a large one seems pretty hard).

Slide 52

Slide 52 text

Hard to Invert 52 Given ( ), and , hard to compute M. If attacker can factor = , easy to find : = EF ( – 1)( – 1) All other attacks seem to be equivalent to factoring . No one seems to know a fast way to factor, except with a quantum computer (and building a large one seems pretty hard). RSA paper, 1977

Slide 53

Slide 53 text

Easy to Invert with Trapdoor 53 9 = 9 mod = mod 9 mod =

Slide 54

Slide 54 text

Generating RSA Keys
Pick two large primes: ,
Generate modulus: =
Pick public exponent:
Compute secret exponent: = EF mod − 1 − 1
Publish public key: (, )
Store secret key securely:
Destroy and

Slide 55

Slide 55 text

Generating RSA Keys
(1) Pick two large primes: ,
(2) Generate modulus: =
(3) Pick public exponent:
(4) Compute secret exponent: = EF mod − 1 − 1
(5) Publish public key: (, )
(6) Store secret key securely:
Which is the hardest step?
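The key-generation steps above, carried through on toy numbers, as an added example that is not part of the original slides. The names p, q, n, e, d and the function names are the conventional ones and are assumptions here; the primes 61 and 53 are constructed and far too small for real use. The exhaustive check goes one step past the Euler argument on the slides: it also covers messages that are not relatively prime to n.

```python
from math import gcd

def rsa_keygen(p, q, e):
    """Steps (2)-(4): modulus, public-exponent check, secret exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)      # totient of a product of two distinct primes
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), d

def encrypt(m, public):
    e, n = public
    return pow(m, e, n)          # fast modular exponentiation

def decrypt(c, d, n):
    return pow(c, d, n)

def correct_for_all_messages(public, d):
    """Check D(E(M)) == M for every M in Z_n, including M not coprime to n."""
    n = public[1]
    return all(decrypt(encrypt(m, public), d, n) == m for m in range(n))

if __name__ == "__main__":
    # Constructed toy parameters, chosen so the whole message space can be checked.
    public, d = rsa_keygen(61, 53, 17)
    c = encrypt(65, public)
    print("public (e, n):", public, "d:", d)
    print("E(65) =", c, " D(E(65)) =", decrypt(c, d, public[1]))
    print("correct for all M:", correct_for_all_messages(public, d))
```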

Slide 56

Slide 56 text

Finding Large Random Primes
“Hard” way:
# is_prime(p) is a primality test assumed to be defined elsewhere
def find_prime_above(k):
    p = k
    while not is_prime(p):
        p += 1
    return p

Slide 57

Slide 57 text

How many guesses?

Slide 58

Slide 58 text

How many guesses? = number of primes up ≤

Slide 59

Slide 59 text

How many guesses? To find a prime around , need about log guesses. = number of primes up ≤ ≈ log

Slide 60

Slide 60 text

Finding Large Random Primes
“Hard” way:
# is_prime(p) is a primality test assumed to be defined elsewhere
def find_prime_above(k):
    p = k
    while not is_prime(p):
        p += 1
    return p
Problems with the hard way:
1. Expensive to compute: is_prime is fairly expensive, expect about log () guesses
2. Might pick a “bad” prime: also need − 1 and + 1 having large prime factors, etc.

Slide 61

Slide 61 text

Finding Large Random Primes Infineon’s way (RSALib): pick random ∈ ℤ (about 37 bits) pick random ∈ ℤ (62 bits for 512-bit RSA) v = product of first primes = 2 ×3 ×5 × ⋯ ×v = v + (65537" v ) (for RSA-512, = 39)
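Primes built the Infineon way leave a mark on the public modulus: if both primes have the form k*M + (65537^a mod M), then n mod r is a power of 65537 mod r for every small prime r dividing M. This added example (not from the slides and not RSALib code) builds a toy key of that form and runs that check on it and on an unstructured modulus. The names k, a, M, the 9-prime M, the 10-bit k and all function names are assumptions for illustration.

```python
import random
from math import isqrt, prod

G = 65537
FIRST_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23]
M = prod(FIRST_PRIMES)  # toy primorial; the slide uses the first 39 primes for RSA-512

def is_prime(n):
    """Trial division: fine for the ~38-bit toy primes generated here."""
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def structured_prime(rng, k_bits=10):
    """Retry random k and a until p = k*M + (65537^a mod M) is prime."""
    while True:
        k = rng.getrandbits(k_bits) | (1 << (k_bits - 1))
        p = k * M + pow(G, rng.randrange(1, M), M)
        if is_prime(p):
            return p

def generated_by_65537(r):
    """The set {65537^i mod r}: a subgroup of the nonzero residues mod r."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * G % r
    return seen

def has_fingerprint(n):
    """True when n mod r is a power of 65537 mod r for every small prime r."""
    return all(n % r in generated_by_65537(r) for r in FIRST_PRIMES)

def demo(seed=2017):
    rng = random.Random(seed)  # seeded so the constructed key is reproducible
    structured_n = structured_prime(rng) * structured_prime(rng)
    ordinary_n = (2**31 - 1) * (2**61 - 1)  # two Mersenne primes, no such structure
    return has_fingerprint(structured_n), has_fingerprint(ordinary_n)

if __name__ == "__main__":
    print("structured key flagged, ordinary key flagged:", demo())
```

With only nine small primes an unrelated modulus still passes by chance a few percent of the time; checking against more primes shrinks that false-positive rate.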

Slide 62

Slide 62 text

From Matus Nemec’s CCS slides: https://crocs.fi.muni.cz/_media/public/papers/ccs-nemec-handout.pdf

Slide 65

Slide 65 text

Charge
Happy Thanksgiving! Be careful when you factorize your turkey, not to violate any primorial traditions!