Implicit factorization of unbalanced RSA moduli
Let N1 = p1q1 and N2 = p2q2 be two RSA moduli, not necessarily of the same bit-size. In 2009, May and Ritzenhofen proposed a method to factor N1 and N2 given the implicit information that p1 and p2 share an amount of least significant bits. In this paper, we propose a generalization of their attack as follows: suppose that some unknown multiples a1p1 and a2p2 of the prime factors p1 and p2 share an amount of their most significant bits (MSBs) or an amount of their least significant bits (LSBs). Using the continued fraction algorithm, we propose a method that leads to the factorization of N1 and N2. Using simultaneous Diophantine approximations and lattice reduction, we extend the method to factor k ≥ 3 RSA moduli Ni = piqi, i = 1, ..., k, given the implicit information that there exist unknown multiples a1p1, ..., akpk sharing an amount of their MSBs or their LSBs. This paper also extends many previous works where similar results were obtained when the pi's share their MSBs or their LSBs.
Generalized Implicit Factorization Problem
The Implicit Factorization Problem (IFP) was first introduced by May and Ritzenhofen at PKC'09. It concerns the factorization of two RSA moduli N1 = p1q1 and N2 = p2q2, where p1 and p2 share a certain number of consecutive least significant bits. Since its introduction, many different variants of IFP have been considered, such as the cases where p1 and p2 share most significant bits or middle bits at the same positions. In this paper, we consider a more generalized case of IFP, in which the shared consecutive bits can be located at different positions in each prime, not necessarily at the same positions as before. We propose a lattice-based algorithm to solve this problem under specific conditions, and also provide some experimental results to verify our analysis.
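Worked example, added here and not taken from either paper: the base case that both abstracts build on, where p1 and p2 themselves (a1 = a2 = 1) share their most significant bits, solved with the continued fraction method the first abstract refers to. Since N1*q2 - N2*q1 = q1*q2*(p1 - p2) is small, |N1/N2 - q1/q2| = q1*|p1 - p2| / (p2*q2) < 1/(2*q2^2) as soon as the number of shared MSBs exceeds about twice the bit-size of the q's, and Legendre's theorem then guarantees that q1/q2 appears among the convergents of N1/N2. The key sizes, the seed and the Miller-Rabin helper are this example's own assumptions, not parameters from the papers.

```python
import random

# Constructed demo parameters (not from either paper): 256-bit p's sharing their
# top T bits, 48-bit q's.  Sufficient condition for the attack: T >= 2*ALPHA + 2.
BETA, ALPHA, T = 256, 48, 128

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n):
    """Miller-Rabin with fixed small bases; good enough for generating demo keys."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    n |= 1
    while not is_probable_prime(n):
        n += 2
    return n


def convergents(num, den):
    """Yield the convergents h/k of the rational num/den (Euclid's algorithm)."""
    h0, h1, k0, k1 = 0, 1, 1, 0
    while den:
        a, r = divmod(num, den)
        h0, h1 = h1, a * h1 + h0
        k0, k1 = k1, a * k1 + k0
        yield h1, k1
        num, den = den, r


def implicit_factor_msb(n1, n2):
    """If p1 and p2 share enough MSBs, q1/q2 is a convergent of N1/N2.
    Denominators grow monotonically and the only divisor of N2 below p2 is q2,
    so the first convergent a/b with b > 1 dividing N2 (and a dividing N1) is q1/q2.
    Returns ((p1, q1), (p2, q2)) or None."""
    for a, b in convergents(n1, n2):
        if a > 1 and b > 1 and n1 % a == 0 and n2 % b == 0:
            return (n1 // a, a), (n2 // b, b)
    return None


def make_instance(seed=2024):
    """Constructed unbalanced moduli whose p's agree on their top T bits."""
    rng = random.Random(seed)
    shared_top = rng.getrandbits(T) | (1 << (T - 1))
    p1 = next_prime((shared_top << (BETA - T)) | rng.getrandbits(BETA - T))
    p2 = next_prime((shared_top << (BETA - T)) | rng.getrandbits(BETA - T))
    q1 = next_prime(rng.getrandbits(ALPHA) | (1 << (ALPHA - 1)))
    q2 = next_prime(rng.getrandbits(ALPHA) | (1 << (ALPHA - 1)))
    return p1, q1, p2, q2


P1, Q1, P2, Q2 = make_instance()
N1, N2 = P1 * Q1, P2 * Q2

if __name__ == "__main__":
    print(implicit_factor_msb(N1, N2) == ((P1, Q1), (P2, Q2)))
```

The same convergent scan is what the abstract's "unknown multiples" variant generalises: with a1p1 and a2p2 sharing MSBs the small quantity becomes a2*N1*... in terms of the multiples, and the lattice version for k ≥ 3 moduli replaces the single continued fraction by a simultaneous Diophantine approximation, but the two-modulus mechanics are exactly those above.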
RSA, DH, and DSA in the Wild
This book chapter outlines techniques for breaking cryptography by taking advantage of implementation mistakes made in practice, with a focus on those that exploit the mathematical structure of the most widely used public-key primitives
Finding shared RSA factors in the Certificate Transparency logs
When generating RSA keys, proper random generators are crucial. If the generators are not truly random, keys may be generated with the same factors, making them vulnerable to compromise. A simple greatest common divisor computation would reveal the secret factors. We collected over 159 million unique RSA public keys from the Certificate Transparency logs, which is, to our knowledge, the largest set used for such an analysis so far. Our goal was to check if any of these keys shared factors, thus allowing us to compute the private keys easily. To do this, we implemented the batch greatest common divisor algorithm used for this purpose in previous studies. Our result from checking the 159 million RSA keys was that we factored eight keys, all of which were issued by the same certificate authority. We then gathered more than 700,000 keys from that particular certificate authority, of which we were able to factor 355 keys. We reached out to the issuer of the broken certificates, and they launched an investigation into our findings. Their investigation concluded that all broken keys were generated by a single user who they claim had abused their system. Master's thesis in informatics.
On the Security of Some Variants of RSA
The RSA cryptosystem, named after its inventors, Rivest, Shamir and Adleman, is the most widely known and widely used public-key cryptosystem in the world today. Compared to other public-key cryptosystems, such as elliptic curve cryptography, RSA requires longer key lengths and is computationally more expensive. In order to address these shortcomings, many variants of RSA have been proposed over the years. While the security of RSA has been well studied since it was proposed in 1977, many of these variants have not. In this thesis, we investigate the security of five of these variants of RSA. In particular, we provide detailed analyses of the best known algebraic attacks (including some new attacks) on instances of RSA with certain special private exponents, multiple instances of RSA sharing a common small private exponent, Multi-prime RSA, Common Prime RSA and Dual RSA.
On the security of 1024-bit RSA and 160-bit elliptic curve cryptography
Meeting the requirements of NIST’s new cryptographic standard ‘Suite B Cryptography’ means phasing out usage of 1024-bit RSA and 160-bit Elliptic Curve Cryptography (ECC) by the year 2010. This write-up comments on the vulnerability of these systems to an open community attack effort and aims to assess the risk of their continued usage beyond 2010. We conclude that for 1024-bit RSA the risk is small at least until the year 2014, and that 160-bit ECC may safely be used for much longer – with the current state of the art in cryptanalysis we would be surprised if a public effort can make a dent in 160-bit ECC by the year 2020. Our assessment is based on the latest practical data of large scale integer factorization and elliptic curve discrete logarithm computation efforts
Challenging the Trustworthiness of PGP: Is the Web of Trust Tear-Proof?
The OpenPGP protocol provides a long-adopted and widespread tool for secure and authenticated asynchronous communications, and also supplies data integrity and authenticity validation for software distribution. In this work, we analyze the Web-of-Trust on which the OpenPGP public key authentication mechanism is based, and evaluate a threat model where its functionality can be jeopardized. Since the threat model is based on the viability of compromising an OpenPGP keypair, we performed an analysis of the state of health of the global OpenPGP key repository. Although the detected amount of weak keypairs is rather low, our results show how, under reasonable assumptions, approximately 70 % of the Web-of-Trust strong set is potentially affected by the described threat. Finally, we propose viable mitigation strategies to cope with the highlighted threat.
Public keys quality
Master's dissertation in Mathematics and Computation. The RSA cryptosystem, invented by Ron Rivest, Adi Shamir and Len Adleman ([Rivest et al., 1978]), is the most commonly used cryptosystem for providing privacy and ensuring authenticity of digital data. RSA is usually used in contexts where security of digital data is a priority. RSA is used worldwide by web servers and browsers to secure web traffic, to ensure privacy and authenticity of e-mail, to secure remote login sessions and to provide secure electronic credit-card payment systems.
Given its importance in the protection of digital data, vulnerabilities of RSA have been analysed by many researchers. The research done so far has led to a number of fascinating attacks. Although the attacks helped to improve the security of this cryptosystem, showing that securely implementing RSA is a nontrivial task, none of them was devastating.
This master's thesis discusses the RSA cryptosystem and some of its vulnerabilities, and describes some attacks, both recent and old, together with the mathematical tools they rely on. Although many types of attacks exist, only a few examples were analysed in this thesis. The last attack, based on the batch-GCD algorithm, was implemented and tested on RSA keys produced by a certified Luna SA Hardware Security Module, and the results were commented on.
Random and pseudorandom numbers are fundamental to many cryptographic applications, including the RSA cryptosystem. In fact, the produced keys must be generated in a specific random way. The National Institute of Standards and Technology, the entity responsible for specifying security standards, provides a package named "A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications", which was used in this work to test the randomness of the numbers generated by the Luna SA. All the statistical tests were run on numbers of different bit sizes and the results commented on.
The main purpose of this thesis is to study the previous subjects and create an application capable of testing the randomness of the Luna SA generated numbers, as well as evaluating the security of RSA.
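Added example, not the thesis's own application: two of the tests from the NIST suite named above (frequency/monobit and runs) implemented from the formulas in SP 800-22, taking the kind of byte buffer an HSM such as the Luna SA returns. The inputs are constructed: the two ten-bit vectors are the worked examples printed in SP 800-22 itself (with the p-values it reports), and the all-zero and alternating streams show why one passing test is no evidence of randomness: the alternating stream passes monobit with p = 1 and fails the runs test.

```python
import math

SIGNIFICANCE = 0.01   # significance level used throughout SP 800-22: pass iff p >= 0.01


def bits_from_bytes(data):
    """Unpack a byte string (e.g. raw HSM RNG output) into a list of 0/1 ints, MSB first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def monobit_test(bits):
    """SP 800-22 section 2.1 frequency (monobit) test.
    S_n = sum(2*b - 1), s_obs = |S_n| / sqrt(n), p = erfc(s_obs / sqrt(2))."""
    n = len(bits)
    s = sum(2 * b - 1 for b in bits)
    s_obs = abs(s) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_test(bits):
    """SP 800-22 section 2.3 runs test: is the number of 0/1 oscillations what a random
    sequence would show?  Prerequisite: the proportion of ones must be near 1/2."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):          # frequency prerequisite not met
        return 0.0
    v_obs = 1 + sum(bits[k] != bits[k + 1] for k in range(n - 1))
    num = abs(v_obs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def run_suite(bits):
    """Return {test_name: (p_value, passed)} for the tests implemented here."""
    results = {}
    for name, test in (("monobit", monobit_test), ("runs", runs_test)):
        p = test(bits)
        results[name] = (p, p >= SIGNIFICANCE)
    return results


# Constructed inputs.  The first two are the worked examples from SP 800-22
# (expected p-values 0.527089 and 0.147232); the last two are degenerate streams.
NIST_MONOBIT_EXAMPLE = [int(c) for c in "1011010101"]
NIST_RUNS_EXAMPLE = [int(c) for c in "1001101011"]
ALL_ZEROS = [0] * 1000
ALTERNATING = [i % 2 for i in range(1000)]

if __name__ == "__main__":
    for label, stream in (("zeros", ALL_ZEROS), ("alternating", ALTERNATING)):
        print(label, run_suite(stream))
```

The full suite has fifteen tests and is run over many sequences, with the proportion of passing sequences and the uniformity of the p-values judged afterwards; a single sequence passing a single test, as the alternating stream shows, says almost nothing.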
This work was developed in partnership with the University of Minho and Multicert.
RSA, created by Ron Rivest, Adi Shamir and Len Adleman ([Rivest et al., 1978]), is the most widely used cryptosystem for providing security and ensuring the authentication of data in the digital world. RSA is usually used in contexts where security is the top priority. Today this cryptosystem is used worldwide by web servers and browsers to secure traffic over the Internet. It is the cryptosystem most used for authenticating e-mail, for remote login sessions and for payments with bank cards, guaranteeing security in the use of these services.
Given the importance this system has in protecting digital information, its vulnerabilities have been the subject of several investigations. These investigations have resulted in several attacks on RSA. Although none of these attacks is truly effective, all of them contributed to an increase in the security of RSA, since the reference implementations of this algorithm came to guard against the attacks that were discovered.
This master's thesis addresses the RSA cryptosystem, discussing some of its vulnerabilities as well as some attacks carried out against this system, and studying all the mathematical methods they use. Although many attacks exist, only some are covered in this master's thesis. The last attack, based on the batch-GCD algorithm, was implemented and tested on RSA keys produced by a certified Luna SA Hardware Security Module, and the results obtained were discussed.
Random and pseudorandom numbers are fundamental to all cryptographic applications, and therefore to the RSA cryptosystem. Indeed, the keys produced must be generated with some randomness intrinsic to the system. The National Institute of Standards and Technology, the entity responsible for specifying security standards, provides a package of statistical tests called "A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications". These statistical tests were applied to numbers generated by the Luna SA and the results were also commented on.
The objective of this master's thesis is to develop an understanding of the subjects described above and to create an application capable of testing the randomness of the numbers generated by the Luna SA, as well as evaluating the security of the RSA cryptosystem.
This work was developed in partnership with the University of Minho and Multicert.
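Worked example, added for this entry and for the Certificate Transparency study above, and not code from either thesis: the batch-GCD algorithm both of them applied, on constructed moduli assembled from well-known primes (Mersenne primes and a few others). Batch GCD computes gcd(N_i, Z/N_i) for every modulus at once, with Z the product of all of them, using a product tree upward and a remainder tree (reducing mod N^2) downward, which is what makes scanning 159 million keys feasible. The example also handles the case the plain algorithm leaves unresolved: when both primes of a modulus are shared with other keys, gcd(N, Z/N) is N itself, and a pairwise gcd is needed to split it.

```python
import math


def product_tree(values):
    """Levels of the product tree: level 0 is the input, the last level is [product]."""
    levels = [list(values)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([prev[i] * prev[i + 1] if i + 1 < len(prev) else prev[i]
                       for i in range(0, len(prev), 2)])
    return levels


def batch_gcd(moduli):
    """Bernstein's batch GCD: gcd(N_i, prod_{j != i} N_j) for every i.
    Going down the tree, R_child = R_parent mod child^2 keeps R_leaf = Z mod N^2,
    and gcd(N, (Z mod N^2) // N) equals gcd(N, Z / N)."""
    levels = product_tree(moduli)
    rems = [levels[-1][0]]                       # root: Z = product of all moduli
    for level in reversed(levels[:-1]):
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    return [math.gcd(r // n, n) for r, n in zip(rems, moduli)]


def factor_shared(moduli):
    """Map index -> (p, q) for every modulus that shares a prime with another one.
    g == N means both primes are shared; pairwise gcds then separate them.
    A result of (N, 1) would mean the very same modulus appears twice."""
    found = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == 1:
            continue
        if g == n:
            for j, m in enumerate(moduli):
                h = math.gcd(n, m) if j != i else 1
                if 1 < h < n:
                    g = h
                    break
        found[i] = (g, n // g)
    return found


# Constructed demo moduli; a real run would feed in moduli parsed from certificates.
M61, M89, M107, M127 = (1 << 61) - 1, (1 << 89) - 1, (1 << 107) - 1, (1 << 127) - 1
P_A, P_B, P_C, P_D = 1000000007, 1000000009, 4294967291, (1 << 31) - 1
MODULI = [
    M61 * M89,     # shares M61 with MODULI[2]
    M107 * M127,   # shares M107 with MODULI[2]
    M61 * M107,    # both primes shared: batch gcd returns the whole modulus
    P_A * P_B,     # clean key
    P_C * P_D,     # clean key
]

if __name__ == "__main__":
    for idx, (p, q) in factor_shared(MODULI).items():
        print(idx, p, q)
```

Reducing modulo N^2 rather than dividing by N at each node is what keeps the remainder tree cheap; the naive loop of gcd(N_i, N_j) over all pairs is quadratic and is only affordable here because the demo has five moduli.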
Cache Timing Attacks on Public Key Encryption
The rise of cloud computing has made it a lot easier for attackers to run code on the same processors as their target. This has made many attacks more viable. This thesis discusses a cache timing attack targeting the LibTomMath library. LibTomMath is a mathematical library for computations using large integers. The library is used in some cryptographic libraries, such as the commercial solution WolfCrypt.
The attack mainly focuses on the modular exponentiation function of LibTomMath, which is a major part of RSA implementations. The aim of the attack is to use cache timing to extract the long-term private key used by the server for encrypting communications. Recovering the private key gives the attacker access to past and future communications secured using this key, which usually has a lifespan of at least one year. The attack only requires that it shares a processor with the victim, and it works even if the attack process and the victim process are running on different virtual machines.
The thesis includes a description of the RSA cipher as well as the various optimizations that are used in a lot of cryptographic libraries. Next, it describes how to use cache timing to exploit some of those optimizations in order to gain information about the secret exponent based on the memory access patterns of the target code.
Finally, it discusses the limitations of the attack as well as how cloud service providers, cryptographic library developers, as well as processor manufacturers, may be able to mitigate this class of attacks
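A simulation, added here and not the thesis's attack nor LibTomMath's code, of the leak the thesis describes: windowed exponentiation reads a precomputed-table entry selected by the current window of the secret exponent, so an attacker who can tell which cache line was touched (through timing) learns the exponent one window at a time. LibTomMath uses sliding windows; this example uses fixed windows to stay short, and the trace list stands in for the cache observations. The masked variant touches every table entry on every window, the access-pattern-independent lookup that the library-level mitigations the thesis discusses are built on (Python cannot promise constant time; the point is the access pattern). Modulus, base and exponents are constructed values.

```python
def precompute_table(base, mod, w):
    """table[j] = base^j mod mod for j in [0, 2^w)."""
    table = [1]
    for _ in range(1, 1 << w):
        table.append(table[-1] * base % mod)
    return table


def masked_lookup(table, idx, trace):
    """Read every entry and keep the wanted one via a mask, so the access pattern
    (and hence the trace) does not depend on idx.  Models the scatter/gather fix."""
    result = 0
    for j, entry in enumerate(table):
        trace.append(j)
        result |= entry & -(j == idx)       # mask is -1 (all ones) only when j == idx
    return result


def window_modexp(base, exp, mod, w=4, masked=False):
    """Left-to-right fixed-window modular exponentiation, exp < mod assumed (RSA's d < N).
    Returns (result, trace); trace lists the table index read at each step, i.e. what a
    cache-timing attacker on the same core would observe."""
    table = precompute_table(base, mod, w)
    nwin = (mod.bit_length() + w - 1) // w          # exponent padded to the modulus size
    acc, trace = 1, []
    for i in reversed(range(nwin)):
        for _ in range(w):
            acc = acc * acc % mod
        idx = (exp >> (i * w)) & ((1 << w) - 1)
        if masked:
            acc = acc * masked_lookup(table, idx, trace) % mod
        else:
            trace.append(idx)                       # data-dependent access leaks idx
            acc = acc * table[idx] % mod
    return acc, trace


def recover_exponent(trace, w=4):
    """Attacker side: concatenating the observed window indices gives the exponent back."""
    exp = 0
    for idx in trace:
        exp = (exp << w) | idx
    return exp


# Constructed values: a 61-bit modulus and two secret exponents below it.
MOD = (1 << 61) - 1
D = 0x1F3A9C0B5E7D2468
D_ALT = D ^ 0x5A5A5A5A

if __name__ == "__main__":
    _, leaky = window_modexp(3, D, MOD)
    print(hex(recover_exponent(leaky)) == hex(D))
```

With a sliding window the trace additionally reveals where the zero runs fall (no multiplication happens there), which is why the thesis can reason about the exponent from the pattern of squarings and multiplications as well as from the table index.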