Who’s Right? Recently-discovered Vulnerabilities in RSA Keys

Robert Dallas Gray

A presentation I gave as part of my studies on the Research Readings in Information Security course at Glasgow University, covering the recent scare over discovery of a vulnerability in online RSA keys.


The Problem

‣ 12 February 2012: ‘Ron was Wrong, Whit is Right’

- A paper by Arjen K Lenstra et al

- Found 0.2% of RSA keys ‘offered no security’

- Concluded that generating keys for ‘multiple secret’ cryptosystems is inherently riskier than for ‘single secret’ systems (e.g. ElGamal, DSA)


What is RSA?

‣ RSA is an algorithm for public key cryptography

‣ First publicly described by Ron Rivest, Adi Shamir, Leonard Adleman, 1978

‣ Also the name of the security company founded by Rivest, Shamir and Adleman in 1982

‣ Acquired in 2006 for $2.1bn


Public Key Cryptography

‣ Each principal has two keys:

- One public

- One private

‣ Public key crypto can be used to:

- Encrypt private conversations

- Sign messages

- Authenticate principals


Encryption

‣ Alice sends her public key to Bob

‣ Bob encrypts a message using Alice’s public key

‣ Only Alice’s private key can decrypt the message

[Diagram: Bob encrypts ‘Hello Alice!’ to a3e506b3aa1 and sends it; Alice decrypts a3e506b3aa1 back to ‘Hello Alice!’]


Signing

‣ Alice sends a plaintext message to Bob

- Plus a version of the message encrypted with her private key

‣ Bob decrypts the ‘signature’ using Alice’s public key, verifying that it matches the plaintext message

- He can be sure the message came from Alice

[Diagram: Alice sends ‘Hello Bob!’ with the signature b2e3f600d5; Bob decrypts the signature and compares the result with ‘Hello Bob!’]


Authentication

‣ Alice creates a certificate containing, e.g., her email address, and her public key

- She has the certificate signed by a trusted authority (using the trusted authority’s private key)

‣ Bob can decrypt the certificate using the trusted authority’s public key

- He can be sure that the public key he retrieves belongs to Alice


Practical Uses

‣ Public Key Crypto is calculation-intensive

- So it’s not generally used to encrypt full conversations

- It’s used for authentication

- And to encrypt ‘handshake’ procedures – during which the encryption for the full conversation is negotiated between principals

- For example, to authenticate chip-and-pin cards

- In this case the issuer is the trusted third party


Practical Uses

‣ TLS or SSL

- Transport Layer Security (new) or Secure Sockets Layer

- Allows secure communication between applications

- Typically a web browser (client) to a hosted application or server


How SSL/TLS Works

‣ Client is presented with a certificate, issued by a trusted authority

- Certificate verifies site name, email address or DNS entry

- Binds this to a public key

‣ Client can then be sure the given public key belongs to the intended server

‣ Client can use public key to encrypt negotiation of a shared key to encrypt session traffic


X.509 Certificate

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 7829 (0x1e95)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/[email protected]
        Validity
            Not Before: Jul 9 16:04:02 1998 GMT
            Not After : Jul 9 16:04:02 1999 GMT
        Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb:
                    33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1:
                    66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66:
                    70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17:
                    16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b:
                    c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77:
                    8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3:
                    d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8:
                    e8:35:1c:9e:27:52:7e:41:8f
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d:
        92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:2f:92:
        ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:9c:67:
        d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:41:72:
        0d:19:aa:ad:dd:9a:df:ab:97:50:65:f5:5e:85:a6:ef:19:d1:
        5a:de:9d:ea:63:cd:cb:cc:6d:5d:01:85:b5:6d:c8:f3:d9:f7:
        8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:b5:22:
        68:9f


How does RSA work?

‣ Requirements for public key crypto:

- If a message is encrypted with one key, the other key must decrypt it

- The private key MUST NOT be discoverable from knowledge of the public key


Nuts and Bolts

‣ Alice chooses two large prime numbers p, q

‣ She creates the modulus for the public key by multiplying p by q:

- n = p × q

‣ She applies a function to n to create a new number, k

- The function is Euler’s Totient Function

- It counts the number of positive integers <= n that are relatively prime to n

- Relatively prime numbers share no common factors other than 1

‣ She finds two numbers e, d such that e × d % k = 1


Nuts and Bolts

‣ Alice’s public key is composed of: n (the modulus) and e (the exponent)

‣ Her private key is d

‣ A message m can be encrypted by raising it to the power e and taking the result modulo n.

- m_enc = m^e % n

‣ It can be decrypted by raising it to the power d and taking the result modulo n.

- m_dec = m_enc^d % n


Summary

‣ Both public and private keys depend on the two large primes p, q

‣ The security of RSA depends on the difficulty of recovering these two numbers once they have been multiplied together (factoring)

‣ If p and q can be found from a public key, the private key can be reconstructed and security is lost


‘Ron was Wrong, Whit is Right’

‣ The researchers collected about 6.4m RSA public keys from the web

- Sources: X.509 certificates, PGP keys

‣ About 71,000 moduli occurred more than once

- Some thousands of times

‣ About 13,000 moduli ‘offer no security’

- The private keys can be recovered by anyone who can replicate the researchers’ work

‣ The loss of security affects about 21,000 X.509 certificates and PGP keys

- Of which about a quarter are probably still in use


Conclusion

‣ RSA ‘provides 99.8% security at best’


How were the keys broken?

‣ Euclid’s algorithm

- An efficient method of computing the greatest common divisor (gcd) of two numbers

‣ The researchers ran the algorithm on all pairs of moduli

- The vulnerable moduli shared a common factor

- Knowledge of that factor allowed calculation of the other prime factor


Nuts and Bolts

‣ n1 = p1 × q1

n2 = p2 × q2

- Moduli n1 and n2 are each composed of two unknown prime numbers

‣ gcd(n1, n2) = p

- If the greatest common divisor of n1 and n2 is > 1, we know p1 = p2 = p

‣ If we know p …

- We can calculate q1 AND q2

- We can now reconstruct the private keys for moduli n1 and n2
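The key set-up from the earlier ‘Nuts and Bolts’ slides (n = p × q, e × d % k = 1) and the gcd check above, combined into one added Python example for auditing a key inventory; it is not code from the presentation or from Lenstra et al. The inventory, device names and small primes are constructed for illustration, and the shared prime stands in for two devices that drew the same value from a poor random number generator.

```python
from itertools import combinations
from math import gcd

E = 65537  # public exponent, as in the slides' X.509 example


def make_key(p, q, e=E):
    """Textbook RSA from the slides: n = p*q, k = totient(n), e*d % k == 1."""
    k = (p - 1) * (q - 1)          # Euler's totient of n for distinct primes p, q
    return {"n": p * q, "e": e, "d": pow(e, -1, k)}


def encrypt(m, n, e):
    return pow(m, e, n)            # m_enc = m^e % n


def decrypt(c, n, d):
    return pow(c, d, n)            # m_dec = m_enc^d % n


def audit(moduli):
    """moduli: {name: n}. Pairwise gcd over an inventory of public moduli."""
    findings = {}
    for (a, n1), (b, n2) in combinations(moduli.items(), 2):
        g = gcd(n1, n2)            # Euclid's algorithm
        if g == 1:
            continue               # no common factor: nothing learned
        if n1 == n2:               # the same modulus appears twice
            findings.setdefault(a, {"issue": "duplicate-modulus"})
            findings.setdefault(b, {"issue": "duplicate-modulus"})
        else:                      # g is the shared prime p; n // g is q
            findings[a] = {"issue": "shared-prime", "p": g, "q": n1 // g}
            findings[b] = {"issue": "shared-prime", "p": g, "q": n2 // g}
    return findings


def private_exponent(finding, e=E):
    """With p and q known, d follows exactly as in key generation."""
    return pow(e, -1, (finding["p"] - 1) * (finding["q"] - 1))


# Constructed toy inventory (small known primes; real moduli are 1024+ bits).
SHARED_P = 2**31 - 1               # models one RNG output reused by two devices
KEYS = {
    "router-a": make_key(SHARED_P, 2**19 - 1),
    "router-b": make_key(SHARED_P, 2**17 - 1),
    "web-1": make_key(2**61 - 1, 2**13 - 1),
    "web-2": make_key(2**61 - 1, 2**13 - 1),   # same key deployed twice
    "mail": make_key(1000003, 1000033),        # shares nothing with the others
}
FINDINGS = audit({name: key["n"] for name, key in KEYS.items()})

if __name__ == "__main__":
    for name, finding in sorted(FINDINGS.items()):
        print(name, finding)
    a = KEYS["router-a"]
    c = encrypt(42, a["n"], a["e"])
    d = private_exponent(FINDINGS["router-a"])
    print("router-a ciphertext opens with recovered d:", decrypt(c, a["n"], d) == 42)
```

Any key the audit reports as shared-prime has to be regenerated from a properly seeded RNG; the pairwise loop is quadratic, which is fine for a small inventory like this one.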


Conclusion, revisited

‣ The researchers claim that the use of ‘multiple secrets’ in RSA is a design problem

- Because RSA needs two secret prime numbers, if factors are shared, all keys sharing a factor are vulnerable to factorisation

‣ Other systems only need one secret number

- It is easier to choose one secure secret than to choose two

- If two keys are shared, only those two are affected


Reactions

‣ Dan Kaminsky:

- ‘Survey is good. Thesis is strange’

- The data is instructive, but demonstrates an implementation problem, not a design problem


Reactions

‣ Bruce Schneier:

- ‘The cause of this is almost certainly a lousy random number generator’

- Design and testing of RNGs is hard

- Could some RNGs have been deliberately compromised?


Reactions

‣ Lenstra et al claim ‘single-secret’ algorithms like Diffie-Hellman are more secure – ‘Whit is right’.

- At the 2012 RSA Security Conference, Whit and Ron discussed the issue

- Whit (Diffie) said the problem could be just ‘one random number generator’ and suggested ‘outing’ it

- Ron (Rivest) conceded that he was ‘sometimes wrong’, but that there ‘wasn’t really much substance’ to the paper


Design vs Implementation

‣ Users of RSA need to ensure that random number generation is done properly

- According to Schneier, RNG is ‘hard’

‣ Other cryptosystems would also be affected by poor random number generation

- But RSA may be more vulnerable owing to its ‘multiple secret’ design

‣ Can an implementation problem which allows users to render the system insecure be considered a design problem?


Epilogue

‣ February 15 2012: New research released

‣ Paper by Heninger, Durumeric, Wustrow and Halderman is awaiting responses from concerned parties before publication

‣ Researchers were able to compromise 0.4% of harvested RSA keys

‣ But affected servers were almost all embedded devices – routers, firewalls, VPN devices, etc.

- Keys would be used for internal IPSec or SSH


Epilogue

‣ Around 200,000 devices probably compromised – possibly whole classes of device

- Keys are probably generated on device startup, introducing RNG issues (same seed used for many devices)

‣ The data surveyed is probably essentially the same as Lenstra et al’s

- Secure web servers are probably not affected by the vulnerability


Who’s Right?

‣ Questions?
