A presentation I gave as part of my studies on the Research Readings in Information Security course at Glasgow University, covering the recent scare over the discovery of a vulnerability in online RSA keys.
7. The Problem
‣ 12 February 2012: ‘Ron was Wrong, Whit is Right’
- A paper by Arjen K Lenstra et al
- Found 0.2% of RSA keys ‘offered no security’
- Concluded that generating keys for ‘multiple secret’ cryptosystems is inherently riskier than for ‘single secret’ systems (e.g. ElGamal, DSA)
11. What is RSA?
‣ RSA is an algorithm for public key cryptography
‣ First publicly described by Ron Rivest, Adi Shamir, Leonard Adleman, 1978
‣ Also the name of the security company founded by Rivest, Shamir and Adleman in 1982
‣ Acquired in 2006 for $2.1bn
16. Public Key Cryptography
‣ Each principal has two keys:
- One public
- One private
‣ Public key crypto can be used to:
- Encrypt private conversations
- Sign messages
- Authenticate principals
21. Encryption
‣ Alice sends her public key to Bob
‣ Bob encrypts a message using Alice’s public key
‣ Only Alice’s private key can decrypt the message
[Diagram: Bob encrypts ‘Hello Alice!’ to a3e506b3aa1; Alice decrypts a3e506b3aa1 back to ‘Hello Alice!’]
25. Signing
‣ Alice sends a plaintext message to Bob
- Plus a version of the message encrypted with her private key
‣ Bob decrypts the ‘signature’ using Alice’s public key, verifying that it matches the plaintext message
- He can be sure the message came from Alice
[Diagram: Alice sends ‘Hello Bob!’ together with the signature b2e3f600d5; Bob recovers ‘Hello Bob!’ from the signature and compares it with the plaintext]
31. Authentication
‣ Alice creates a certificate containing, e.g., her email address, and her public key
- She has the certificate signed by a trusted authority (using the trusted authority’s private key)
‣ Bob can decrypt the certificate using the trusted authority’s public key
- He can be sure that the public key he retrieves belongs to Alice
[Diagram: Alice’s certificate (email address plus public key) is signed by the trusted authority and passed to Bob]
35. Practical Uses
‣ Public Key Crypto is calculation-intensive
- So it’s not generally used to encrypt full conversations
- It’s used for authentication
- And to encrypt ‘handshake’ procedures – during which the encryption for the full conversation is negotiated between principals
- For example, to authenticate chip-and-pin cards
- In this case the issuer is the trusted third party
41. Practical Uses
‣ TLS or SSL
- Transport Layer Security (new) or Secure Sockets Layer
- Allows secure communication between applications
- Typically a web browser (client) to a hosted application or server
42. How SSL/TLS Works
‣ Client is presented with a certificate, issued by a trusted authority
- Certificate verifies site name, email address or DNS entry
- Binds this to a public key
‣ Client can then be sure the given public key belongs to the intended server
‣ Client can use public key to encrypt negotiation of a shared key to encrypt session traffic
47. How does RSA work?
‣ Requirements for public key crypto:
- If a message is encrypted with one key, the other key must decrypt it
- The private key MUST NOT be discoverable from knowledge of the public key
51. Nuts and Bolts
‣ Alice chooses two large prime numbers p, q
‣ She creates the modulus for the public key by multiplying p by q:
- n = p × q
‣ She applies a function to n to create a new number, k
- The function is Euler’s Totient Function
- It counts the number of positive integers <= n that are relatively prime to n
- Relatively prime numbers share no common factors other than 1
‣ She finds two numbers e, d such that (e × d) % k = 1
55. Nuts and Bolts
‣ Alice’s public key is composed of: n (the modulus) and e (the exponent)
‣ Her private key is d
‣ A message m can be encrypted by raising it to the power e and taking the result modulo n.
- m_enc = m^e % n
‣ It can be decrypted by raising it to the power d and taking the result modulo n.
- m_dec = m_enc^d % n
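The key generation, encryption and decryption steps from the Nuts and Bolts slides, together with the sign/verify exchange from the Signing slides, as an added worked example (not code from the presentation). The primes, the message and the exponent e = 65537 are constructed for illustration; real keys use primes of 1024 bits or more, and real schemes add padding and hashing that textbook RSA lacks.

```python
# Added example (not from the slides): textbook RSA with small, constructed primes,
# following the slide's steps: n = p*q, k = phi(n), (e*d) % k == 1, m_enc = m^e % n,
# m_dec = m_enc^d % n, plus the sign/verify exchange from the Signing slides.
from math import gcd

def make_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), d) for distinct primes p, q; e must be invertible modulo phi(n)."""
    n = p * q
    k = (p - 1) * (q - 1)           # Euler's totient phi(n) for n = p*q with p != q prime
    if gcd(e, k) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, k)               # modular inverse, so (e * d) % k == 1 (Python 3.8+)
    return (n, e), d

def encrypt(m: int, pub) -> int:
    """m_enc = m^e % n, computed by modular exponentiation rather than forming a giant m**e."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in the range [0, n)")
    return pow(m, e, n)

def decrypt(c: int, d: int, n: int) -> int:
    """m_dec = m_enc^d % n."""
    return pow(c, d, n)

def sign(m: int, d: int, n: int) -> int:
    """Textbook signature: the message 'encrypted' with the private exponent."""
    return pow(m, d, n)

def verify(m: int, sig: int, pub) -> bool:
    """Bob 'decrypts' the signature with Alice's public key and compares it with the plaintext."""
    n, e = pub
    return pow(sig, e, n) == m

def demo():
    # Constructed primes, far too small for real use; real keys use 1024-bit primes or larger.
    # Textbook RSA also lacks padding and hashing, which real schemes (OAEP, PSS) add.
    p, q = 1000003, 999983
    pub, d = make_keypair(p, q)
    m = int.from_bytes(b"Hi", "big")    # 'Hello Alice!' would not fit below n with primes this small
    c = encrypt(m, pub)
    sig = sign(m, d, pub[0])
    return {
        "m": m,
        "m_enc": c,
        "roundtrip_ok": decrypt(c, d, pub[0]) == m,
        "signature_ok": verify(m, sig, pub),
        "tampered_rejected": not verify(m + 1, sig, pub),
    }

if __name__ == "__main__":
    print(demo())
```

The three-argument `pow` does the modular exponentiation in place, which is what keeps the arithmetic tractable even for real-sized n; the same call with the public exponent recovers the signed value, which is exactly the "decrypt the signature with the public key" step on the Signing slide.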
56. Summary
‣ Both public and private keys depend on the two large primes p, q
‣ The security of RSA depends on the difficulty of recovering these two numbers once they have been multiplied together (factoring)
‣ If p and q can be found from a public key, the private key can be reconstructed and security is lost
60. ‘Ron was Wrong, Whit is Right’
‣ The researchers collected about 6.4m RSA public keys from the web
- Sources: X.509 certificates, PGP keys
‣ About 71,000 moduli occurred more than once
- Some thousands of times
‣ About 13,000 moduli ‘offer no security’
- The private keys can be recovered by anyone who can replicate the researchers’ work
‣ The loss of security affects about 21,000 X.509 certificates and PGP keys
- Of which about a quarter are probably still in use
64. How were the keys broken?
‣ Euclid’s algorithm
- An efficient method of computing the greatest common divisor (gcd) of two numbers
‣ The researchers ran the algorithm on all pairs of moduli
- The vulnerable moduli shared a common factor
- Knowledge of that factor allowed calculation of the other prime factor
70. Nuts and Bolts
‣ n1 = p1 × q1
n2 = p2 × q2
- Moduli n1 and n2 are each composed of two unknown prime numbers
‣ gcd(n1, n2) = p
- If the greatest common divisor of n1 and n2 is > 1, we know p1 = p2 = p
‣ If we know p …
- We can calculate q1 AND q2
- We can now reconstruct the private keys for moduli n1 and n2
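The shared-factor check described on the "How were the keys broken?" and "Nuts and Bolts" slides, written as the audit a key owner or CA would run over its own certificate store, as an added example (not code from the presentation or from Lenstra et al). The four moduli are constructed from small primes, with keys 1 and 2 deliberately sharing p; a real audit would read n out of the X.509 or PGP keys under review.

```python
# Added example (not from the slides or the paper): audit a set of RSA public moduli for a
# shared prime factor, the pairwise gcd check the slides describe. The moduli are constructed
# from small primes; a real audit would read n out of the X.509 or PGP keys under review.
from itertools import combinations
from math import gcd

def find_shared_factors(moduli):
    """Return {index: (p, q)} for every modulus sharing a prime factor with another modulus."""
    broken = {}
    for (i, n1), (j, n2) in combinations(enumerate(moduli), 2):
        if n1 == n2:
            continue             # an identical modulus is the same key reused, not a new factor
        g = gcd(n1, n2)          # Euclid's algorithm
        if g > 1:                # gcd > 1 means p1 == p2 == g; the other primes follow by division
            broken[i] = (g, n1 // g)
            broken[j] = (g, n2 // g)
    return broken

def private_exponent(p: int, q: int, e: int = 65537) -> int:
    """Rebuild d from the recovered factors, exactly as the key's owner computed it."""
    return pow(e, -1, (p - 1) * (q - 1))

# Constructed key set (toy 40-bit moduli): keys 1 and 2 share p = 1000003; keys 0 and 3 are sound.
SHARED_P = 1000003
MODULI = [
    999953 * 999959,      # key 0: independent primes
    SHARED_P * 999983,    # key 1: shares p with key 2
    SHARED_P * 999979,    # key 2: shares p with key 1
    1000033 * 1000037,    # key 3: independent primes
]

def audit(moduli=MODULI, e: int = 65537):
    """Report the broken keys and prove recovery by decrypting a test value with the rebuilt d."""
    report = {}
    for idx, (p, q) in find_shared_factors(moduli).items():
        n = moduli[idx]
        d = private_exponent(p, q, e)
        probe = 42
        report[idx] = {"p": p, "q": q, "recovered_d_works": pow(pow(probe, e, n), d, n) == probe}
    return report

if __name__ == "__main__":
    for idx, info in audit().items():
        print(f"key {idx}: factors {info['p']} x {info['q']}, "
              f"private key recovered: {info['recovered_d_works']}")
```

The loop is quadratic in the number of keys, which is fine for one organisation's certificate store; at the scale of millions of harvested keys the same check is normally done with a product-tree batch gcd, but the finding per key is identical. Any key the audit flags should be revoked and regenerated on a host with a properly seeded random number generator, since the factor is exposed to anyone else holding the paired modulus.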
71. Conclusion, revisited
‣ The researchers claim that the use of ‘multiple secrets’ in RSA is a design problem
- Because RSA needs two secret prime numbers, if factors are shared, all keys sharing a factor are vulnerable to factorisation
‣ Other systems only need one secret number
- It is easier to choose one secure secret than to choose two
- If two keys are shared, only those two are affected
72. Reactions
‣ Dan Kaminsky:
- ‘Survey is good. Thesis is strange’
- The data is instructive, but demonstrates an implementation problem, not a design problem
73. Reactions
‣ Bruce Schneier:
- ‘The cause of this is almost certainly a lousy random number generator’
- Design and testing of RNGs is hard
- Could some RNGs have been deliberately compromised?
74. Reactions
‣ Lenstra et al claim ‘single-secret’ algorithms like Diffie-Hellman are more secure – ‘Whit is right’.
- At the 2012 RSA Security Conference, Whit and Ron discussed the issue
- Whit (Diffie) said the problem could be just ‘one random number generator’ and suggested ‘outing’ it
- Ron (Rivest) conceded that he was ‘sometimes wrong’, but that there ‘wasn’t really much substance’ to the paper
76. Design vs Implementation
‣ Users of RSA need to ensure that random number generation is done properly
- According to Schneier, RNG is ‘hard’
‣ Other cryptosystems would also be affected by poor random number generation
- But RSA may be more vulnerable owing to its ‘multiple secret’ design
‣ Can an implementation problem which allows users to render the system insecure be considered a design problem?
79. Epilogue
‣ February 15 2012: New research released
‣ Paper by Heninger, Durumeric, Wustrow, Halderman is awaiting responses from concerned parties before publication
‣ Researchers were able to compromise 0.4% of harvested RSA keys
‣ But affected servers were almost all embedded devices – routers, firewalls, VPN devices, etc.
- Keys would be used for internal IPSec or SSH
80. Epilogue
‣ Around 200,000 devices probably compromised – possibly whole classes of device
- Keys are probably generated on device startup, introducing RNG issues (same seed used for many devices)
‣ The data surveyed is probably essentially the same as Lenstra et al’s
- Secure web servers are probably not affected by the vulnerability
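A simulation of the "same seed used for many devices" failure the Epilogue describes, added here as an example (not code from the presentation or from Heninger et al). Two simulated devices draw toy-sized RSA primes from a deterministic PRNG: with a fixed seed they produce identical moduli, and in a constructed variant where fresh entropy is mixed in only after the first prime has been drawn they produce moduli that share a factor, which is the condition the gcd survey detects. `random.Random` stands in for the device's generator only because it is deterministic; the `_entropy_late` scenario and the seed string are assumptions made for the demonstration.

```python
# Added example (not from the slides or the Heninger et al. paper): simulate the
# "keys generated at device startup from the same seed" failure. Two simulated devices
# draw RSA primes from a PRNG; with a fixed seed they get the same modulus, with fresh
# OS entropy they do not. random.Random stands in for the device PRNG only because it is
# deterministic; real key generation must use the OS CSPRNG (os.urandom / secrets).
import os
import random
from math import gcd

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases: deterministic for n below 3.3e24, ample for toy sizes."""
    if n < 2:
        return False
    for p in _BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(rng: random.Random, bits: int) -> int:
    """Draw odd candidates with the top bit set until one is prime."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(candidate):
            return candidate

def generate_modulus(seed, bits: int = 32) -> int:
    """Device key generation: both primes come from one PRNG seeded with `seed`."""
    rng = random.Random(seed)
    p = random_prime(rng, bits)
    q = random_prime(rng, bits)
    return p * q

def generate_modulus_entropy_late(seed, bits: int = 32) -> int:
    """Constructed variant (an assumption for this demo): entropy is mixed in only after p
    was drawn, so p is shared across devices booted from the same seed while q differs."""
    rng = random.Random(seed)
    p = random_prime(rng, bits)
    rng.seed(os.urandom(32))
    q = random_prime(rng, bits)
    return p * q

def simulate(fixed_seed: bytes = b"firmware-default-seed"):
    """Compare two 'devices' under each generation strategy; returns the audit findings."""
    same_seed = [generate_modulus(fixed_seed) for _ in range(2)]
    fresh = [generate_modulus(os.urandom(32)) for _ in range(2)]
    late = [generate_modulus_entropy_late(fixed_seed) for _ in range(2)]
    return {
        "same_seed_identical_keys": same_seed[0] == same_seed[1],
        "fresh_entropy_distinct_keys": fresh[0] != fresh[1],
        "late_entropy_shared_factor": late[0] != late[1] and gcd(late[0], late[1]) > 1,
    }

if __name__ == "__main__":
    print(simulate())
```

The first finding corresponds to the 71,000 repeated moduli in the survey (identical keys, no factoring needed), the third to the moduli that ‘offer no security’ because a gcd exposes their shared prime. The defensive takeaway is the one the slides reach: key generation on a freshly booted device must block until the generator has been seeded from real entropy, and a fleet's keys can be checked for both conditions after the fact.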