Session H1: Crypto Attacks CCS’17, October 30-November 3, 2017, Dallas, TX, USA The Return of Coppersmith’s Aack: Practical Factorization of Widely Used RSA Moduli Matus Nemec Marek Sys∗ Petr Svenda Masaryk University, Masaryk University Masaryk University Ca’ Foscari University of Venice [email protected] [email protected] [email protected] Dusan Klinec Vashek Matyas EnigmaBridge, Masaryk University Masaryk University [email protected] [email protected] ABSTRACT 1 INTRODUCTION We report on our discovery of an algorithmic aw in the construc- RSA [69] is a widespread algorithm for asymmetric cryptography tion of primes for RSA key generation in a widely-used library used for digital signatures and message encryption. RSA security of a major manufacturer of cryptographic hardware. e primes is based on the integer factorization problem, which is believed generated by the library suer from a signicant loss of entropy. to be computationally infeasible or at least extremely dicult for We propose a practical factorization method for various key lengths suciently large security parameters – the size of the private primes including 1024 and 2048 bits. Our method requires no additional and the resulting public modulus N . As of 2017, the most common information except for the value of the public modulus and does length of the modulus N is 2048 bits, with shorter key lengths not depend on a weak or a faulty random number generator. We such as 1024 bits still used in practice (although not recommend devised an extension of Coppersmith’s factorization aack utilizing anymore) and longer lengths like 4096 bits becoming increasingly an alternative form of the primes in question. e library in ques- common. As the private part of the key is a very sensitive item, a tion is found in NIST FIPS 140-2 and CC EAL 5+ certied devices user may use secure hardware such as a cryptographic smartcard used for a wide range of real-world applications, including identity to securely store and use the private key value. cards, passports, Trusted Platform Modules, PGP and tokens for Successful aacks against RSA based on integer factorization authentication or soware signing. As the relevant library code was (nding the private primes p and q from the public modulus N ) en- introduced in 2012 at the latest (and probably earlier), the impacted able the aacker to impersonate the key owner and decrypt private devices are now widespread. Tens of thousands of such keys were messages. e keys used by secure hardware are of special interest directly identied, many with signicant impacts, especially for due to the generally higher value of the information protected – electronic identity documents, soware signing, Trusted Comput- e.g., securing payment transactions. ing and PGP. We estimate the number of aected devices to be in RSA requires two large random primes p and q, that can be the order of at least tens of millions. obtained by generating a random candidate number (usually with e worst cases for the factorization of 1024 and 2048-bit keys half of the bits of N ) and then testing it for primality. If the candidate are less than 3 CPU-months and 100 CPU-years on single core of is found to be composite, the process is repeated with a dierent common recent CPUs, respectively, while the expected time is half candidate number. of that of the worst case. e aack can be parallelized on multiple However, there are at least three reasons to construct a candidate CPUs. Worse still, all susceptible keys contain a strong ngerprint number from several smaller (randomly) generated components that is veriable in microseconds on an ordinary laptop – meaning instead of generating it randomly: 1) an improved resistance against that all vulnerable keys can be quickly identied, even in very large certain factorization methods, such as Pollard’s p − 1 method [65]; datasets. 2) certication requirements such as the NIST FIPS 140-2 standard, which mandates that for all primes p, the values of p − 1 and p + 1 KEYWORDS have at least one large (101-bit or larger) factor each; and 3) speedup RSA, factorization, smartcard, Coppersmith’s algorithm of keypair generation, since testing random candidate values for primality is time consuming, especially on restricted devices like ∗M. Sys and M. Nemec contributed equally. smartcards. Yet, constructed primes may bring new problems as demon- Permission to make digital or hard copies of all or part of this work for personal or strated in our work. In the past, practical aacks against RSA classroom use is granted without fee provided that copies are not made or distributed for prot or commercial advantage and that copies bear this notice and the full citation exploited the use of insecurely short key lengths susceptible to on the rst page. Copyrights for components of this work owned by others than the factorization via NFS [67] (e.g., 512-bit, still found on the Inter- author(s) must be honored. Abstracting with credit is permied. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specic permission net [38]); faulty or weak random number generators producing and/or a fee. Request permissions from [email protected]. partially predictable primes, as in the electronic IDs of Taiwanese CCS’17, October 30–November 3, 2017, Dallas, TX, USA citizens [9]; soware bugs causing primes to be generated from an © 2017 Copyright held by the owner/author(s). Publication rights licensed to ACM. ISBN 978-1-4503-4946-8/17/10...$15.00 insuciently large space, as in the Debian RNG aw [7]; or seeding DOI: hp://dx.doi.org/10.1145/3133956.3133969 with insucient entropy, leading to multiple keypairs sharing a 1631 Session H1: Crypto Attacks CCS’17, October 30-November 3, 2017, Dallas, TX, USA prime [38]. e knowledge or recovery of all bits of a private key is method uses knowledge of the specic structure of such primes to not always required for a successful aack thanks to the powerful apply our derivation of Coppersmith’s method. Furthermore, we technique proposed by Coppersmith [22]. If at least one half of devised an alternative representation of the primes in question to the bits of one of the primes is known, the remaining bits can be make the aack computationally feasible on consumer hardware. computationally recovered. en, even otherwise secure designs e impact is signicant due to Manufacturer being one of the can be aacked by various side-channel and implementation-based top three secure integrated circuit (IC) producers. Furthermore, aacks or by introducing faults into the computation. the weakness lies in an on-device soware library; hence, it is not Only on very rare occasions is an aacker potentially able to limited just to a particular range of physical devices. e weakness recover the private primes of a chosen key of a seemingly su- can be traced back to at least the year 2012, increasing the number cient bit length, without physical access to the target device or a of aected domains. We assessed the impact in a several important large amount of side-channel information. One notable aack that real-world usage scenarios and made some recommendations for comes close is a simple GCD computation [10], which can quickly mitigation. factorize a collection of moduli, but only if they happen to share a e ngerprinting method is fast, requiring just microseconds common prime, making the aack less likely to succeed on a single to run on a modulus. We successfully used the ngerprinting tech- targeted keypair. e cause of such vulnerability is typically insuf- nique on large datasets of certicates, such as those submied to cient entropy during the keypair generation, as demonstrated for Certicate Transparency logs, collected in Internet-wide TLS scans a large number of TLS and SSH keys [36, 38], therefore requiring and stored on public PGP keyservers. is led to a discovery of multiple public keys to be created with the same malfunctioning thousands of keys in the wild with primes of the form in question. implementation of a random number generator. Our method has negligible false negative and false positive rates We present our aack against keys generated in cryptographic (observed as zero), as guaranteed by the very rare properties. smartcards of Inneon Technologies AG (further denoted as Manu- Where datasets with public RSA keys were not available (e.g., facturer), and our aack is not based on any weakness in a random Trusted Platform Modules or EMV payment cards), we collected bit generator or any additional side-channel information. Instead, sample keys from dierent devices to get an idea about the typical the aack utilizes the specic structure of the primes as generated key lengths used for the domain and to estimate the prevalence of by Manufacturer’s on-chip cryptographic library (further denoted devices producing potentially vulnerable keys. as RSALib1). We had access neither to the RSALib’s source code Although the RSALib is not automatically shipped with every nor to the object code (since it is stored only in the secure on-chip chip, the developers are motivated to deploy it in order to benet memory and is not extractable), and the whole analysis was per- from ready-to-use higher-level functions (such as the RsaKeyGen formed solely using RSA keys generated and exported from the method in question) and to get an implementation designed with Manufacturer’s cards and tokens. protections against side-channel and fault induction aacks in mind. In short, the paper has the following contributions: However, even for certication, the RSALib is provided only as 1. Recovery of the internal structure of the primes: We object les, without the source code [20].
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages18 Page
-
File Size-