a common weakness in rsa signatures extracting public
play

A common weakness in RSA signatures: extracting public keys from - PowerPoint PPT Presentation

Feb 13, 2024 •195 likes •598 views

A common weakness in RSA signatures: extracting public keys from communications and embedded devices Hackito Ergo Sum 24-26 April 2014 Renaud Lifchitz renaud.lifchitz @ oppida.fr Speakers bio French computer security engineer

  1. A common weakness in RSA signatures: extracting public keys from communications and embedded devices Hackito Ergo Sum 24-26 April 2014 Renaud Lifchitz renaud.lifchitz @ oppida.fr

  2. Speaker’s bio • French computer security engineer working at Oppida, France • Main activities: – Penetration testing & security audits – Security research – Security trainings • Main interests: – Security of protocols (authentication, cryptography, information leakage…) – Number theory (integer factorization, primality testing…) 2 Hackito Ergo Sum 2014 – 24-26 April « A common weakness in RSA signatures: extracting public keys from communications and embedded devices », Renaud Lifchitz

  3. RSA signature basics 3

  4. Introduction – Digital signatures • Asymmetric cryptography is widely used to do digital signatures: – Private keys are used to digitally sign messages – Corresponding public keys are used to verify signatures – Integer fatorization allows an attacker to find the private keys from public ones, but is generally hard Public keys are almost always transmitted out-of-band • (public key server, local keystore) before communication/usage • One of the most used signature scheme is RSA signature 4 Hackito Ergo Sum 2014 – 24-26 April « A common weakness in RSA signatures: extracting public keys from communications and embedded devices », Renaud Lifchitz

  5. Introduction – RSA signature • Steps to sign a message using RSA: – Message m is hashed using a hash algorithm h( ) : MD5, SHA1, SHA256, … – Hash is then padded to avoir forgery by multiplication, using a padding algorithm p( ) like PKCS – The result is raised to the d -th power and reduced modulo n , where d is the private exponent and n is the public key �(ℎ � ) � ≡ � (mod �) 5 Hackito Ergo Sum 2014 – 24-26 April « A common weakness in RSA signatures: extracting public keys from communications and embedded devices », Renaud Lifchitz

  6. Extracting public keys from signed messages 6

  7. The idea • Suppose we have 2 different messages with their corresponding signatures (m 1 ,s 1 ), (m 2 ,s 2 ) with unknown public key n : � �(ℎ � � ) � ≡ � � mod � ��� � � � � ≡ � � mod � ≡ � �� mod � with quotient � � ⇒ � � � � � by Euler theorem ��� � � � ≡ � �� mod � with quotient � � ⇒ gcd � �� � � � � � , � �� ���� � � � gcd � � , � � . � which gives a small (probably smooth) multiple of public key n 7 Hackito Ergo Sum 2014 – 24-26 April « A common weakness in RSA signatures: extracting public keys from communications and embedded devices », Renaud Lifchitz

  8. The idea • Then we have to remove all small factors from the result until the residue size is a well-known asymmetric key size (512, 768, 1024, 2048, 4096 bits…) • Trial division is sufficient in 99,9999 % of cases, otherwise we can use an additional signed message in the GCD or use ECM factoring algorithm to help • We now have computationally extracted our unknown public key! 8 Hackito Ergo Sum 2014 – 24-26 April « A common weakness in RSA signatures: extracting public keys from communications and embedded devices », Renaud Lifchitz

  9. Requirements • Hash and padding algorithms must be known or guessed • e should be small because computation will be done without modular arithmetic • n should be small to medium 9 Hackito Ergo Sum 2014 – 24-26 April « A common weakness in RSA signatures: extracting public keys from communications and embedded devices », Renaud Lifchitz

  10. Complexity • Main limitation is memory consumption • The computation: – takes about O ( e .log( n )) bits of memory – costs about: • O (log( e )) big integer multiplications (exponentiation step) • O ( e .log( n )) big integer divisions (GCD step) 10 Hackito Ergo Sum 2014 – 24-26 April « A common weakness in RSA signatures: extracting public keys from communications and embedded devices », Renaud Lifchitz

  11. Applications • Without access to any kind of keyserver nor keystore and being entirely passive, we can: – Extract public keys used in RSA signatures – Authenticate subsequent messages – Find people or devices using weak keys that weren’t discoverable before: this gives a new angle of attack for embedded devices/blackbox protocols using RSA signatures – Safely test whether different messages are signed using the same key/come from the same person (without relying on any kind of spoofable key id) 11 Hackito Ergo Sum 2014 – 24-26 April « A common weakness in RSA signatures: extracting public keys from communications and embedded devices », Renaud Lifchitz

  12. State of the art of factorization algorithms 12

  13. Introduction • There exists several algorithms for integer factorization, more or less naive • Some algorithms are generic and can factor any number, some are form-specific • Key generation weaknesses: – p and q too close – p-1, q-1, p+1 and/or q+1 too smooth – weak RNG (Random Number Generator) • A generic but good open source program for factoring: Yafu (http://sourceforge.net/projects/yafu/) 13 Hackito Ergo Sum 2014 – 24-26 April « A common weakness in RSA signatures: extracting public keys from communications and embedded devices », Renaud Lifchitz

  14. Finding small factors in large integers • Trial factoring: when there are very small factors (less than 10 digits) • Pollard Rho: for small factors • Pollard’s P-1: when one or more factors are p-1 smooth • Williams’ P+1: when one or more factors are p+1 smooth • Elliptic Curve Method (ECM): for factors up to 80 digits 14 Hackito Ergo Sum 2014 – 24-26 April « A common weakness in RSA signatures: extracting public keys from communications and embedded devices », Renaud Lifchitz

  15. Finding large factors in small integers • Fermat algorithm: when a factor and its co-factor are really near in absolute value • Quadratic sieve (QS): faster and simpler NFS for integers < 100 digits • Number Field Sieve (NFS): for integers of intermediate size • General Number Field Sieve (GNFS): for numbers up to 230 digits (RSA-768) • Special Number Field Sieve (SNFS): for numbers with specific form ( " � ± � with r and s small) up to 320 digits 15 Hackito Ergo Sum 2014 – 24-26 April « A common weakness in RSA signatures: extracting public keys from communications and embedded devices », Renaud Lifchitz

  16. Practical applications - PGP 16

  17. What is PGP? • Pretty Good Privacy (PGP) is a data encryption and decryption program mostly used for securing e-mails • Created in 1991 by Phil Zimmermann • Software: PGP (Windows) / GnuPG (Linux) • OpenPGP standard (RFC 4880) 17 Hackito Ergo Sum 2014 – 24-26 April « A common weakness in RSA signatures: extracting public keys from communications and embedded devices », Renaud Lifchitz

  18. Computation steps to extract public key - PGP • Prepare original message before hashing: – Canonicalize message (newlines are converted to \r\n ) – Append specific PGP data: • PGP version • Signature type • Public algorithm (here RSA) • Hash algorithm • Signature date & time • Recreate PKCS#1 padded ASN.1 message hash following RFC 4880 • Compute: gcd � �$%%&' − � ℎ �′ � , � �$%%&' −�(ℎ �′ � ) 18 Hackito Ergo Sum 2014 – 24-26 April « A common weakness in RSA signatures: extracting public keys from communications and embedded devices », Renaud Lifchitz

  19. Proof-of-concept implementation • Just a proof-of-concept: – Supports RSA signature with SHA-1 hashing only – Not optimized (mixed Python + PARI-GP implementation, would be faster in C) • Able to find the signing public key of anybody using only 2 signed mails! 19 Hackito Ergo Sum 2014 – 24-26 April « A common weakness in RSA signatures: extracting public keys from communications and embedded devices », Renaud Lifchitz

  20. Proof-of-concept implementation 20 Hackito Ergo Sum 2014 – 24-26 April « A common weakness in RSA signatures: extracting public keys from communications and embedded devices », Renaud Lifchitz

  21. Practical applications - Vigik access control system 21

  22. What is Vigik? • French access control for residential buildings (nearly 1 million buildings are protected by Vigik in France) • Contactless system • Made to replace the old T25 lock and avoid existing master keys • 2 kinds of tokens: – Resident tokens (various contactless protocols, not interesting), can access a given building at any time – Service tokens (based on Mifare Classic + RSA signature of 768 or 1024 bits), can access all buildings during specific time slots • May be used for other kinds of access control like ATMs or military premises 22 Hackito Ergo Sum 2014 – 24-26 April « A common weakness in RSA signatures: extracting public keys from communications and embedded devices », Renaud Lifchitz

  23. What is Vigik? Vigik contactless Resident token Service token reader 23 Hackito Ergo Sum 2014 – 24-26 April « A common weakness in RSA signatures: extracting public keys from communications and embedded devices », Renaud Lifchitz

Recommend

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

Security &amp; Knowledge Management a.a. 2019/20 There are a set of sources that provide updated information about security vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration CAPEC,

197 views • 8 slides
1 Methods of Extracting or Obtaining Essential Oils The most common method for extracting

1 Methods of Extracting or Obtaining Essential Oils The most common method for extracting

1 Methods of Extracting or Obtaining Essential Oils The most common method for extracting essential oils is using steam distillation. Solvents are often used in extracting oils that are waxy The most expensive method is using CO2 which does not

358 views • 16 slides
Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976 Diffie Hellman: Public-key signatures would allow verification by anyone, not just signer. Cool! Can we build a signature system? 1977 Rivest

743 views • 33 slides
Signatures with Flexible Public Key: Introducing Equivalence Classes for Public Keys Michael

Signatures with Flexible Public Key: Introducing Equivalence Classes for Public Keys Michael

Signatures with Flexible Public Key: Introducing Equivalence Classes for Public Keys Michael Backes, Lucjan Hanzlik, Kamil Kluzcniak, Jonas Schneider This Talk New primitive! Signatures with Flexible Public Key Applications to

1.11k views • 56 slides
Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties Signatures Signatures with various functionality/properties Constructions come in different flavors (well sample each flavor): Signatures

1.55k views • 131 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
Baryogenesis and Neutrino Mass A Common Link and Experimental Signatures Bhupal Dev Washington

Baryogenesis and Neutrino Mass A Common Link and Experimental Signatures Bhupal Dev Washington

Baryogenesis and Neutrino Mass A Common Link and Experimental Signatures Bhupal Dev Washington University in St. Louis XIth International Conference of Interconnections between Particle Physics and Cosmology (PPC 2017) Texas A&amp;M University

583 views • 47 slides
Lecture 9 Public Key Cryptography: Encryption + Signatures 1 El Gamal PK cryptosystem (83) -

Lecture 9 Public Key Cryptography: Encryption + Signatures 1 El Gamal PK cryptosystem (83) -

Lecture 9 Public Key Cryptography: Encryption + Signatures 1 El Gamal PK cryptosystem (83) - p large prime - b base, primitive element, generator - x private exponent - x y public residue y b p ; mod = P Z * p =

272 views • 25 slides
Tightly Secure Signatures and Public-Key Encryp8on Dennis

Tightly Secure Signatures and Public-Key Encryp8on Dennis

Tightly Secure Signatures and Public-Key Encryp8on Dennis Ho&lt;einz and Tibor Jager Karlsruhe Ins,tute of Technology CRYPTO 2012 1 Tight

477 views • 15 slides
Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Motivation Research Question Results Conclusion Notes Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from Standard Signatures Siamak Shahandashti 1 Rei Safavi-Naini 2 1 SCSSE &amp; CCISR, Uni

465 views • 46 slides
1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

CPE 542: CRYPTOGRAPHY &amp; NETWORK SECURITY Digital Signatures have looked at message authentication but does not address issues of lack of trust Chapter 13 Digital Signatures digital signatures provide the ability to:

361 views • 3 slides
Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data

Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data

Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data Accelerometers Accelerometers Andr DIAS a,b,c , Lukas GORZELNIAK b , Angela DRING c , Gunnar HARTVIGSEN a,d , Alexander HORSCH b,d a Norwegian Centre for

582 views • 15 slides
Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils Fleischhacker Johannes Krupp Giulio Malavolta Jonas Schneider Dominique Schr oder Mark Simkin March 7, 2016 Sanitizable Signatures

577 views • 46 slides
Outline Public-key crypto basics Public key encryption and signatures CSci 5271 Introduction to

Outline Public-key crypto basics Public key encryption and signatures CSci 5271 Introduction to

Outline Public-key crypto basics Public key encryption and signatures CSci 5271 Introduction to Computer Security Announcements Day 16: Cryptographic protocols and failures Cryptographic protocols Stephen McCamant HW1 debrief University of

673 views • 11 slides
Lecture 7 Public Key Cryptography I: Encryption + Signatures [lecture slides are adapted from

Lecture 7 Public Key Cryptography I: Encryption + Signatures [lecture slides are adapted from

Lecture 7 Public Key Cryptography I: Encryption + Signatures [lecture slides are adapted from previous slides by Prof. Gene Tsudik] 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and

478 views • 23 slides
Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s users require only secretkeys users require n 2 secretkeys Privately verifiable and non-transferable Same signature

764 views • 53 slides
Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the

Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the

Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the Importance of Leptonic Decays for Higgs Discovery) Brooks Thomas (The University of Arizona) Shufang Su &amp; BT [arXiv:0903.0667] What do we know about

375 views • 26 slides
Outline Public-key crypto basics Public key encryption and signatures CSci 5271 Announcements

Outline Public-key crypto basics Public key encryption and signatures CSci 5271 Announcements

Outline Public-key crypto basics Public key encryption and signatures CSci 5271 Announcements intermission Introduction to Computer Security Day 16: Crypto protocols and S protocols Cryptographic protocols, pt. 1 Stephen McCamant Key

492 views • 11 slides
Extracting Tables from PDFs Extracting Tables from PDFs Using Camelot and Excalibur to

Extracting Tables from PDFs Extracting Tables from PDFs Using Camelot and Excalibur to

Extracting Tables from PDFs Extracting Tables from PDFs Using Camelot and Excalibur to automate PDF table extraction and export Dimiter Naydenov @dimitern 1 . 1 Overview Overview PDF: brief history, structure, representing tables Camelot

355 views • 13 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-25 1 Outline Recap: security experiments Message space extension One-time signatures One-time signatures from one-way functions Digital

1.07k views • 48 slides
Digital Signatures Model A public key analog of MAC A digital signature scheme includes

Digital Signatures Model A public key analog of MAC A digital signature scheme includes

Digital Signatures Model A public key analog of MAC A digital signature scheme includes the following elements: A private key k A public key k A signature algorithm Public key is published Signature requires

475 views • 24 slides
Cryptography Authentication Public Key Key Management ITS335: IT Security Signatures Random

Cryptography Authentication Public Key Key Management ITS335: IT Security Signatures Random

ITS335 Cryptography Encrypt for Confidentiality Symmetric Key Cryptography Authentication Public Key Key Management ITS335: IT Security Signatures Random Numbers Sirindhorn International Institute of Technology Summary Thammasat

1.15k views • 86 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-03 1 Outline Why assumptions? Efficient one-time signatures Digital Signatures 2020-03-03 2 Recap: Lamport EUF-1-CMA secure

1.14k views • 37 slides
SafeCurves: Cryptography choosing safe curves for Public-key signatures: elliptic-curve

SafeCurves: Cryptography choosing safe curves for Public-key signatures: elliptic-curve

SafeCurves: Cryptography choosing safe curves for Public-key signatures: elliptic-curve cryptography e.g., RSA, DSA, ECDSA. Daniel J. Bernstein Some uses: signed OS updates, University of Illinois at Chicago &amp; SSL certificates,

1.85k views • 165 slides

More recommend