Implicit factorization of unbalanced RSA moduli

International audienceLet N1 = p1q1 and N2 = p2q2 be two RSA moduli, not necessarily of the same bit-size. In 2009, May and Ritzenhofen proposed a method to factor N1 and N2 given the implicit information that p1 and p2 share an amount of least significant bits. In this paper, we propose a generalization of their attack as follows: suppose that some unknown multiples a1p1 and a2p2 of the prime factors p1 and p2 share an amount of their Most Significant Bits (MSBs) or an amount of their Least Significant Bits (LSBs). Using a method based on the continued fraction algorithm, we propose a method that leads to the factorization of N1 and N2. Using simultaneous diophantine approximations and lattice reduction , we extend the method to factor k ≥ 3 RSA moduli Ni = piqi, i = 1,. .. , k given the implicit information that there exist unknown multiples a1p1,. .. , ak pk sharing an amount of their MSBs or their LSBs. Also, this paper extends many previous works where similar results were obtained when the pi's share their MSBs or their LSBs

Generalized Implicit Factorization Problem

The Implicit Factorization Problem (IFP) was first introduced by May and Ritzenhofen at PKC\u2709, which concerns the factorization of two RSA moduli $N_1=p_1q_1$ and $N_2=p_2q_2$, where $p_1$ and $p_2$ share a certain consecutive number of least significant bits. Since its introduction, many different variants of IFP have been considered, such as the cases where $p_1$ and $p_2$ share most significant bits or middle bits at the same positions. In this paper, we consider a more generalized case of IFP, in which the shared consecutive bits can be located at $any$ positions in each prime, not necessarily required to be located at the same positions as before. We propose a lattice-based algorithm to solve this problem under specific conditions, and also provide some experimental results to verify our analysis

RSA, DH, and DSA in the Wild

This book chapter outlines techniques for breaking cryptography by taking advantage of implementation mistakes made in practice, with a focus on those that exploit the mathematical structure of the most widely used public-key primitives

Finding shared RSA factors in the Certificate Transparency logs

When generating RSA keys, proper random generators are crucial. If the generators are not truly random, keys may be generated with the same factors, making them vulnerable to compromise. Doing a simple greatest common divisor computation would reveal the secret factors. We collected over 159 million unique RSA public keys from the Certificate Transparency logs, which is, to our knowledge, the largest set used for such an analysis so far. Our goal was to check if any of these keys shared factors, thus allowing us to compute the private keys easily. To do this, we implemented a batch greatest common divisor algorithm used for this purpose in previous studies. Our result from checking the 159 million RSA keys was that we factored eight keys, all of which were issued by the same certificate authority. We then gathered more than 700,000 keys from that particular certificate authority, of which we were able to factor 355 keys. We reached out to the issuer of the broken certificates, and they launched an investigation into our findings. Their investigation concluded that all broken keys were generated by a single user who they claim had abused their system.Masteroppgave i informatikkINF399MAMN-PROGMAMN-IN

On the Security of Some Variants of RSA

The RSA cryptosystem, named after its inventors, Rivest, Shamir and Adleman, is the most widely known and widely used public-key cryptosystem in the world today. Compared to other public-key cryptosystems, such as elliptic curve cryptography, RSA requires longer keylengths and is computationally more expensive. In order to address these shortcomings, many variants of RSA have been proposed over the years. While the security of RSA has been well studied since it was proposed in 1977, many of these variants have not. In this thesis, we investigate the security of five of these variants of RSA. In particular, we provide detailed analyses of the best known algebraic attacks (including some new attacks) on instances of RSA with certain special private exponents, multiple instances of RSA sharing a common small private exponent, Multi-prime RSA, Common Prime RSA and Dual RSA

On the security of 1024-bit RSA and 160-bit elliptic curve cryptography

Meeting the requirements of NIST’s new cryptographic standard ‘Suite B Cryptography’ means phasing out usage of 1024-bit RSA and 160-bit Elliptic Curve Cryptography (ECC) by the year 2010. This write-up comments on the vulnerability of these systems to an open community attack effort and aims to assess the risk of their continued usage beyond 2010. We conclude that for 1024-bit RSA the risk is small at least until the year 2014, and that 160-bit ECC may safely be used for much longer – with the current state of the art in cryptanalysis we would be surprised if a public effort can make a dent in 160-bit ECC by the year 2020. Our assessment is based on the latest practical data of large scale integer factorization and elliptic curve discrete logarithm computation efforts

challenging the trustworthiness of pgp is the web of trust tear proof

The OpenPGP protocol provides a long time adopted and widespread tool for secure and authenticated asynchronous communications, as well as supplies data integrity and authenticity validation for software distribution. In this work, we analyze the Web-of-Trust on which the OpenPGP public key authentication mechanism is based, and evaluate a threat model where its functionality can be jeopardized. Since the threat model is based on the viability of compromising an OpenPGP keypair, we performed an analysis of the state of health of the global OpenPGP key repository. Despite the detected amount of weak keypairs is rather low, our results show how, under reasonable assumptions, approximately 70i¾ź% of the Web-of-Trust strong set is potentially affected by the described threat. Finally, we propose viable mitigation strategies to cope with the highlighted threat

Public keys quality

Dissertação de mestrado em Matemática e ComputaçãoThe RSA cryptosystem, invented by Ron Rivest, Adi Shamir and Len Adleman ([Rivest et al., 1978]) is the most commonly used cryptosystem for providing privacy and ensuring authenticity of digital data. RSA is usually used in contexts where security of digital data is priority. RSA is used worldwide by web servers and browsers to secure web traffic, to ensure privacy and authenticity of e-mail, to secure remote login sessions and to provide secure electronic creditcard payment systems. Given its importance in the protection of digital data, vulnerabilities of RSA have been analysed by many researchers. The researches made so far led to a number of fascinating attacks. Although the attacks helped to improve the security of this cryptosystem, showing that securely implementing RSA is a nontrivial task, none of them was devastating. This master thesis discusses the RSA cryptosystem and some of its vulnerabilities as well as the description of some attacks, both recent and old, together with the description of the underlying mathematical tools they use. Although many types of attacks exist, in this master thesis only a few examples were analysed. The ultimate attack, based in the batch-GCD algorithm, was implemented and tested in the RSA keys produced by a certificated Hardware Security Modules Luna SA and the results were commented. The random and pseudorandom numbers are fundamental to many cryptographic applications, including the RSA cryptosystems. In fact, the produced keys must be generated in a specific random way. The National Institute of Standards and Technology, responsible entity for specifying safety standards, provides a package named "A Statistical Test Suit for Random and Pseudorandom Number Generators for Cryptography Applications" which was used in this work to test the randomness of the Luna SA generated numbers. All the statistical tests were tested in different bit sizes number and the results commented. The main purpose of this thesis is to study the previous subjects and create an applications capable to test the Luna SA generated numbers randomness, a well as evaluate the security of the RSA. This work was developed in partnership with University of Minho and Multicert.O RSA, criado por Ron Rivest, Adi Shamir e Len Adleman ([Rivest et al., 1978]) é o sistema criptográfico mais utilizado para providenciar segurança e assegurar a autenticação de dados utilizados no mundo digital. O RSA é usualmente usado em contextos onde a segurança é a grande prioridade. Hoje em dia, este sistema criptográfico é utilizado mundialmente por servidores web e por browsers, por forma a assegurar um tráfego seguro através da Internet. É o sistema criptográfico mais utilizado na autenticação de e-mails, nos inícios de sessões remotos, na utilização de pagamentos através de cartões multibanco, garantindo segurança na utilização destes serviços. Dada a importância que este sistema assume na proteção da informação digital, as suas vulnerabilidades têm sido alvo de várias investigações. Estas investigações resultaram em vários ataques ao RSA. Embora nenhum destes ataques seja efetivamente eficaz, todos contribuíram para um aumento da segurança do RSA, uma vez que as implementações de referência deste algoritmo passaram a precaver-se contra os ataques descobertos. Esta tese de mestrado aborda o sistema criptográfico RSA, discutindo algumas das suas vulnerabilidades, assim como alguns ataques efetuados a este sistema, estudando todos os métodos matemáticos por estes usados. Embora existam diversos ataques, apenas alguns serão abordados nesta tese de mestrado. O último ataque, baseado no algoritmo batch-GCD foi implementado e foram feitos testes em chaves RSA produzidas por um Hardware Security Module Luna SA certificado e os resultados obtidos foram discutidos. Os números aleatórios e pseudoaleatórios são fundamentais a todas as aplicações criptográficas, incluindo, portanto, o sistema criptográfico RSA. De facto, as chaves produzidas deverão ser geradas com alguma aleatoriedade intrínseca ao sistema. O Instituto Nacional de Standards e Tecnologia, entidade responsável pela especificação dos standards de segurança, disponibiliza um pacote de testes estatísticos, denominado por "A Statistical Test Suit for Random and Pseudorandom Number Generators for Cryptography Applications". Estes testes estatísticos foram aplicados a números gerados pelo Luna SA e os resultados foram, também, comentados. O objetivo desta tese de mestrado é desenvolver capacidade de compreensão sobre os assuntos descritos anteriormente e criar uma aplicação capaz de testar a aleatoriedade dos números gerados pelo Luna SA, assim como avaliar a segurança do sistema criptográfico RSA. Este foi um trabalho desenvolvido em parceria com a Universidade do Minho e com a Multicert

Cache Timing Attacks on Public Key Encryption

The rise of cloud computing has made it a lot easier for attackers to be able to run code on the same processors as their target. This has made many attacks more viable. This thesis discusses a cache timing attack targeting the LibTomMath library. LibTom-Math is a mathematical library for computations using large integers. The library is used in some cryptographic libraries such the commercial solution WolfCrypt. The attack mainly focuses on the modular exponentiation function of LibTom-Math which is a major part of RSA implementations. The aim of the attack is to use cache timing in order to extract the long term private key used by the server for encrypting communications. Recovering the private key, gives the attacker access to past and future communications secured using this key, which usually has a lifespan of at least one year. The attack only requires that it shares a processor with the victim and works even if the attack process and the victim process are running on different Virtual Machines. The thesis includes a description of the RSA cipher as well as the various optimizations that are used in a lot of cryptographic libraries. Next, it describes how to use cache timing to exploit some of those optimizations in order to gain information about the secret exponent based on the memory access patterns of the target code. Finally, it discusses the limitations of the attack as well as how cloud service providers, cryptographic library developers, as well as processor manufacturers, may be able to mitigate this class of attacks