Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

An Analysis of RSA Public Exponent e


Published on

We look into the nitty-gritty details of the RSA key generation algorithm. We study how RSA can be exploited when the public exponent e is not chosen carefully. We examine why many digital certificates use e=65537. We also experiment with Hastad's broadcast attack for short RSA exponents in particular.

Published in: Software
  • Login to see the comments

  • Be the first to like this

An Analysis of RSA Public Exponent e

  1. 1. An Analysis of RSA Public Exponent e Dr. Dharma Ganesan, Ph.D.,
  2. 2. Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
  3. 3. Table of contents ● Questions of the study ● Basic math facts ● RSA key generation algorithm ● Expose secrets by finding the roots of the ciphertext ● Experiments with Hastad’s broadcast attack ● Takeaways 3
  4. 4. Questions (standard notations are formally defined later) 1. Why RSA public exponent e is 65537 in many digital certificates? 2. How RSA key generation implementations (e.g., JDK) handle other e values? 3. How to exploit “short” public exponent e to break RSA? ○ Analysis of Hastad’s Attack using Chinese Remainder Theorem ○ Break RSA when the same message was sent to e recipients 4
  5. 5. 5 Example: RSA public exponent e (e.g., CNN)
  6. 6. 6 RSA Public Exponent e is 65537?
  7. 7. Prerequisite Some familiarity with the following topics will help to follow the rest of the slides ● Group Theory ● Number Theory ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview 7
  8. 8. How can Bob send a message to Alice securely? 8 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? Private Key PrA Public Key PuB Private Key PrB
  9. 9. RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they got the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable 9
  10. 10. 10 Notations and Facts (needed for RSA Trapdoor) GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock Z* n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z* n is a multiplicative group) φ(n): Euler’s Totient function denotes the number of elements in Z* n φ(nm) = φ(n).φ(m) (This property is called multiplicative) φ(p) = p-1, if p is a prime number
  11. 11. Notations and Facts (needed for RSA Trapdoor) ... ● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n ● Euler’s Theorem: aφ(n) ≡ 1 (mod n), if gcd(a, n) = 1 ● Fermat’s Little Theorem: ap ≡ a (mod p) ● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is either a prime or can be written as a unique product of primes ○ Euclid’s work is the foundation for this theorem, see The Elements ● Euclid’s Lemma: if a prime p divides the product of two natural numbers a and b, then p divides a or p divides b ● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes 11
  12. 12. RSA - Key Generation Algo (Focus of this presentation: Step 5) 1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits) ○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later) 2. Pick two independent, large random primes, p and q, of half of n’s bitlength ○ In practice, q < p < 2q to avoid attacks (e.g., Fermat’s factorization) 3. Compute n = p.q (n is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n)) ○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in Zn 6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q> 12
  13. 13. RSA Trapdoor ● RSA: Zn → Zn ● Let x and y ∈ Zn ● y = RSA(x) = xe mod n ○ We may view x as a plaintext, and y as the corresponding ciphertext ● x = RSA-1 (y) = yd mod n ● e and d are also called encryption and decryption exponents, respectively ● Many implementations use Chinese-Remainder Theorem (CRT) to compute yd efficiently ● We are going to use CRT to break RSA (in a wrong padding mode) 13
  14. 14. 14
  15. 15. 15 Default Public Exponent e is 65537
  16. 16. 16 Can e = 2 in RSA?
  17. 17. 17 Infinite loop when e is 4 (or any other even number) ● To understand the reason for an infinite loop, we need to understand how mod inverse works (next slides)
  18. 18. 18 ● There is no inverse for 3 in Z*6 ● That is, there does not exist an x such that 3x = 1 (mod 6) What is the inverse of 3 in Z6 * ?
  19. 19. 19
  20. 20. 20
  21. 21. 21 Summary of the RSA key generation algorithm 1. Generates two random primes p and q 2. Public encryption exponent e is chosen first 3. If e is not relatively prime to φ(n), goto step 1 4. Secret decryption exponent d = e-1 (mod φ(n)) ● How long does it take to generate d from e and φ(n)? ● What is the probability that a given e satisfies the equation of step 4? ● We will investigate these two questions next
  22. 22. 22 Response time to generate key pairs (e = 3)?
  23. 23. 23 Response time to generate key pairs (e = 9)?
  24. 24. 24 Response time to generate key pairs (e = 65537)?
  25. 25. 25 Exponent e Probability that d exists 3 28/100 5 58/100 7 69/100 11 81/100 13 82/100 17 92/100 19 90/100 23 90/100 29 98/100 Exponent e Probability that d exists 257 98/100 941 100/100 1987 100/100 7919 100/100 65537 99/100 What is the probability that d exists for a given e? ● We generated 100 random prime pairs (p and q) ● When e = 3, d did not exist for many cases ● When e = 65537, d almost always exist for all p and q
  26. 26. Are there attacks with short e values? 26 ● When e is short, we saw that it takes many attempts to find a d ● Thus, short e values will affect the time to generate RSA keys ● Next, we will demonstrate a couple of attacks when e is short ● First attack: Derive the secret using eth root when the modulus is not wrapped ● Second attack: Derive the secret when the same msg is send to e recipients
  27. 27. Decrypting the plaintext without private keys ● Let’s recall the RSA Trapdoor function ● Let x be a plaintext, and y as the corresponding ciphertext ● y = RSA(x) = xe mod n ● Note: I’m using RSA without padding ○ There are real-world browsers that used RSA without padding, see ● Can we find x given <y, e, n>? ● In other words, can we not just take the eth root of y? ● Let’s now investigate this question using examples 27
  28. 28. 28 n = 418630108698313428694041398051696328305484156102321265000687994815644901945060497673169305355519 780579662318856144730711315404635953607173304899183776634225505275993121523165199408251122433004 585864079361848046145839555807121649326648471132198376032176427737045085111849670289243939085187 934552943815115941476208683544870137188320977245006489913400172130621343720002155797242489207352 271416768557662804490758827773936301832798704670733060985562804130912668868265996541585530415283 954987338224467269102880176770610054374019812843954732951296274678195218176178595002527529799615 849799598181738984190876122042741221006642473781978036598355581948934936949136431462474031031491 307594975808291582829967107866950993895365246624457232581308668392094540435542089795962242440619 832555256837753929897181239638627749512250847990722872841176545851874284913826397816491290966784 4568848423732240757618542594566229504854123915255305085175481 e = 3 3072 bit RSA public key pair <n,e>
  29. 29. 29 ~/crypto/RSA$ java RSA_Encrypt $n $e "Number Theory Rocks the World!" Output (ciphertext): y= 75e9d87a173e3457e98151449bb16ae7ccb4b2a89bb30b985b24bd635c7e403412d2e3beac e001febd7bca0bc2566d1431724817b909b15df1d723b0ed603d759f5882d9968decc6bf91 357775a95dff004abed5b53b870b861 Let’s encrypt “Number Theory Rock the World!”
  30. 30. 30 ~/crypto/RSA$ y=75e9d87a173e3457e98151449bb16ae7ccb4b2a89bb30b985b24bd635c7e403412d2e3beace001febd7bca0bc2566d143 1724817b909b15df1d723b0ed603d759f5882d9968decc6bf91357775a95dff004abed5b53b870b861 ~/crypto/RSA$ e=3 ~/crypto/RSA$ java RSA_Root $y $e Number Theory Rocks the World! Let’s derive the plaintext by finding the eth root We reversed the plaintext without the private key
  31. 31. 31 n = 17613721293123709033582314052362695643480746314388750706635617598964825518116880160924 58566328740032575584484077965735584768462442144073836512243894382044756962259960492255 69696245644473814534908433507350563094184776985474312515306396371510759318879546743808 05931107717063466298531885659271107526943237879260924218280120414913140607289269070753 50181144911872575578928723510107598435176415855704268704023964822208371782186947708290 29964503331913440565312404166342169575555242983300296573944923657380324513084371346427 05861657979362786714008763949505434142047007744159861248333785491124979934297057622796 038037854427841 e = 7 Let’s replicate with e=7
  32. 32. 32 ~/crypto/RSA$ java RSA_Encrypt $n $e "Number Theory Rocks the World!" y = 10a5291faad30d8b5071a28c10991d9f54e1364294ecddd3178e31cd3b45f1b80c088314fc1679c118bce3eb50c942b9810a6 7cf432d2a8f27bba4d7fbfb56b822cf86a8c8c46b465519411174713eddf048cc4f36046e1019570e071be8c7cd0f48a0491d 80c7f3da4cc66f5d6dd168684ffd8d9a7dfcb79e62d0311c65a83c344935be09eff7b2e2f708eb9e501b4fa855e8818d568bd ff0da846ecf53ca160f89b19aff0806512afaa2d4e4a9ca28e3d5cccd5a9b676ef8a932f19319fafb0ccfb9acabda97d072e1 9ace1338a590e1 Let’s replicate with e=7
  33. 33. 33 ~/crypto/RSA$ java RSA_Root $y $e Number Theory Rocks the World! We reversed the plaintext without the private key Let’s derive the plaintext by finding the 7th root!
  34. 34. 34 n = 1148577793566285125208868152631908570508958901584919431418246419882582570721691111 0498864521208264833044433956062652413241617603149736120342952467183250849111765807 5505630348315884403868157517179521349840852095103877452479711410291666769310708648 498951291923002369230159297614627433753589670508276853106237907 e = 3 x= "Number Theory Rocks the World. RSA is a gift of mathematics." Let’s try on a longer text - wrap the RSA modulus
  35. 35. 35 ~/crypto/RSA$ java RSA_Encrypt $n $e $x Plaintext in integer: 9567513046587340535296539179071961647752441833262378562533444989638053890 37202558460887449064876619040466341596726156675415312928876382969361198 Ciphertext (RSA(x)): y = c2a9d8f40635cfce28b5ab6cd2d2593c0b46c856a06c5cb358d00893f7dc6435f48ab0f63 ca740625c71c5f945469173bd1357f3ca7cfc8c92e36d3ff92d7c54baaed53b6f23f158fa fef7570e38d23e7942d2184066b664c3b83afd1c4bfca6648b3bdcafafc07c1b4d739084e b91dd6427424f98795457960f16098b18206
  36. 36. 36 Ah… Finding the cube root of the ciphertext failed! We could NOT reverse the plaintext without the private key because xe > n
  37. 37. Summary on finding the eth root of ciphertext 37 ● We have shown that if the encrypted message is small, RSA is breakable ● The attacker derives the plaintext using the eth root of the ciphertext ○ xe mod n = xe , if xe < n ● If the value of e is 65537, then xe does not wrap the modulus n ○ Thus, finding the eth root of the ciphertext does not work ● This is one of the reasons why short public exponent like e = 3 is not good
  38. 38. Part-2: Sending the same msg to e recipients 38 ● In this section, we break RSA when the same msg was send to e recipients ● Let’s assume Bob sends the msg x to e recipients (R1 , R2 , …, Re ) using their public keys ● Attackers have access to e ciphertexts ● They will apply Chinese-Remainder theorem and recover the secret using e ciphertexts as inputs
  39. 39. 39 xe ≡ c1 (mod n1 ) xe ≡ c2 (mod n2 ) xe ≡ ce (mod ne ) Solving a system of congruences ● The attacker has to solve this system of congruences to reverse the secret x ● Recall n1 , n2 , …, ne are the recipients’ RSA modulus ● c1 , c2 , ... , ce are the RSA ciphertexts of an unknown message m ● We will apply Chinese Remainder Theorem! ● It will give us xe mod (n1 *n2 *...*ne ) ● Note that x < min (n1 , n2 … ne ), thus xe < (n1 *n2 *...*ne ) ● We just take the eth root of xe to expose the secret x
  40. 40. 40 There are certain things whose number is unknown. If we count them by threes, we have two left over; by fives, we have three left over; and by sevens, two are left over. How many things are there? Number Theory - Chinese Remainder Theorem
  41. 41. 41 Application of Chinese Remainder Theorem (CRT) x ≡ 2 (mod 3) x ≡ 3 (mod 5) x ≡ 2 (mod 7) import java.math.BigInteger; public class CRT_Test { public static void main(String[] args) { BigInteger[] moduli = new BigInteger[] { BigInteger.valueOf(3), BigInteger.valueOf(5), BigInteger.valueOf(7)}; BigInteger[] congruences = new BigInteger[] { BigInteger.valueOf(2), BigInteger.valueOf(3), BigInteger.valueOf(2)}; System.out.println(BigIntUtil.CRT(moduli, congruences)); } }~/crypto/RSA$ java CRT_Test 23 is the smallest solution for the system of congruences Note: 23 + k(3 . 5. 7), k is any integer, is also another solution
  42. 42. 42 public static BigInteger CRT(BigInteger[] moduli, BigInteger[] congruences){ assert moduli.length == congruences.length; int numCongr = moduli.length; BigInteger M = BigInteger.ONE; BigInteger sum = BigInteger.ZERO; for(int i = 0; i < numCongr; i++) { M = M.multiply(moduli[i]); } for(int i = 0; i < numCongr; i++) { BigInteger ithModuli = moduli[i]; BigInteger ithCongr = congruences[i]; BigInteger otherM = M.divide(ithModuli); BigInteger inverse = otherM.modInverse(ithModuli); sum = sum.add(otherM.multiply(inverse).multiply(ithCongr)); } return sum.mod(M); } Our implementation of CRT algorithm
  43. 43. 43 public interface IHastadt { public int getPublicExponent(); /* RSA public exponent e */ public BigInteger[] getAllModuli(); /* RSA modulus of all recipients*/ public BigInteger[] getAllCiphers(); /* RSA ciphertext send to all receipients */ /* Returns true to the attacker if his guessed the plaintext correctly */ public boolean validate(BigInteger guessedSecret); }
  44. 44. 44 public class HastadtClient { public static BigInteger guessSecret(IHastadt HastadtObj){ int e = HastadtObj.getPublicExponent(); BigInteger[] allModuli = HastadtObj.getAllModuli(); BigInteger[] allCiphers = HastadtObj.getAllCiphers(); BigInteger solutionCRT = BigIntUtil.CRT(allModuli, allCiphers); return BigIntUtil.iRoot(solutionCRT, e); } public static void main(String[] args) throws Exception { IHastadt HastadtObj = new Hastadt(); BigInteger guessedSecret = guessSecret(HastadtObj); System.out.println(HastadtObj.validate(guessedSecret)); } }
  45. 45. 45 ~/crypto/RSA$ time java HastadClient Number Theory Rocks the World. RSA is a gift of mathematics. real 0m1.009s user 0m0.955s sys 0m0.040s Sending the same msg to e (=3) participants Attacker successfully guessed the secret plaintext using Chinese Remainder Theorem!
  46. 46. Replicating on e (=17) participants 46 ~/crypto/RSA$ time java HastadClient Number Theory Rocks the World. RSA is a gift of mathematics. true real 0m41.478s user 0m41.290s sys 0m0.148s Attacker successfully guessed the secret plaintext using Chinese Remainder Theorem!
  47. 47. Takeaways (1/2) ● Short RSA public exponent e may reduce time to verify digital signature ● But short RSA public exponent e increases the time to generate RSA keys ● Further, short RSA public exponent e may also lead to attacks ● The attacker may reverse the plaintext by taking the eth root (if the secret x satisfies xe < n) ● By choosing e=65537, attackers cannot simply calculate eth root in mod n ○ This is an open-problem 47
  48. 48. Takeaways (2/2) 48 ● RSA (no padding) is broken when the same msg is send to e recipients ● The attacker has to simply apply the CRT tool ● However, when e is large, for example, e = 65537, the attacker has to solve 65537 congruences, which is not easy ● On the other hand, the demo shows that for short e values, this is quick ● Some certificate authorities actually issued certificates with e=3 :) ● We should avoid using RSA with short e values (just use the default e).
  49. 49. References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996. ● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011. ● J. Hastad, “Solving simultaneous modular equations of low degree. SIAM J. of Computing,” 17:336-341, 1988. 49