random bits practical factorization of widely used rsa moduli€¦ · authentication tokens...
TRANSCRIPT
The Return of Coppersmith’s Attack:
Practical Factorization of Widely Used RSA ModuliMatus Nemec, Marek Sys, Petr Svenda, Dusan Klinec, Vashek Matyas
Centre for Research on Cryptography and Security, Masaryk University Ca’ Foscari University of Venice
Abstract
We discovered an algorithmic flaw in the construction of pri-mes for RSA key generation in a widely-used library of amajor manufacturer of cryptographic hardware. The primessuffer from a significant loss of entropy. We proposed a prac-tical factorization method that only requires the value of thepublic modulus and does not depend on a weak or a faultyrandom number generator. We devised an extension of Cop-persmith’s factorization attack utilizing an alternative form
of the primes in question. The library is found in NIST FIPS140-2 and CC EAL 5+ certified devices used for a wide rangeof real-world applications, including identity cards, TrustedPlatform Modules, PGP, and tokens for authentication orsoftware signing. The impacted devices are widespread. Weresponsibly disclosed our findings to the manufacturer of theflawed library. Our work was published at ACM CCS 2017 [1]and received the Real-World Impact Award.
Background – surprising biases in RSA public keys
Svenda et al. [2] described how cryptographic libraries gene-rate RSA primes in various ways, introducing subtle biases in
the public keys, sufficient to classify the keys based on theirorigin. Infineon smartcards produced especially biased keys.
Library: Microsoft CryptoAPI
P
Q
2k−1 2k
2k−1
2k
Library: OpenSSL 1.1.0e
P
Q
2k−1 2k
2k−1
2k
Library: WolfSSL 3.10.2
P
Q
2k−1 2k
2k−1
2k
Library: mbedTLS 1.3.19
P
Q
2k−1 2k
2k−1
2kCard: Infineon JTOP 80K
P
Q
2k−1 2k
2k−1
2k
The distribution of the most significant bytes of a pair of RSA primes varies for different cryptographic libraries.
The properties of vulnerable keys
The distribution of the Infineon RSA primes and keys mo-dulo small primes is irregular, unlike randomly chosen primesand keys that are distributed uniformly modulo small primes(left). In fact, the primes belong to a small subgroup modulo
a product M of small consecutive primes, what lead us to thediscovery of the structure of the primes (right). The primesand RSA moduli suffer from a significant loss of entropy andcan be uniquely fingerprinted using a fast discrete logarithm.
5 10 15Remainder
0.06
0.07
0.08
0.09
0.10
Prob
abilit
y
Random primesModulo
11131719
5 10 15Remainder
0.0
0.1
0.2
0.3
0.4
0.5
Prob
abilit
y
InfineonModulo
11131719
The distribution of RSA keys modulo small primes
N = p ∗ q
pideal = random prime
pInfineon = (k ∗M + 65537a mod M); a, k ∈ ZM = 2 ∗ 3 ∗ 5 ∗ 7 ∗ · · · ∗ Pn
Entropy in a prime
Random: random bits
Infineon: a k determined by the structure
Factorization attack complexity
The complexity of the factorization depends on the size ofthe keys (horizontal axis). However, due to the different para-meters used in their generation (different values of M at thetop of the figure), the time required to break a key (vertical
axis, blue dots) does not strictly increase. Therefore, somekey lengths are more affected, including the common sizes of1024 bits and 2048 bits. The attack can be easily parallelizedwith independent processors to achieve a linear speedup.
512 1024 1536 2048 2560 3072 3584 4096Key size [bits]
103
1012
1021
1030
1039
1048
1057
1066
1075
Wor
st c
ase
fact
oriza
tion
time
[yea
rs]
M1219 b
M2475 b
M3971 b
M41962 b
3936Worst case factorization time 512-bit: 2 CPU hours1024-bit: 2 CPU months2048-bit: 100 CPU years3072-bit & 3584-bit: allowed by BSI for QES3936-bit: attack not applicable4096-bit: 109 CPU yearsNo practical attack
Impact on real-world applications of cryptographic chips
Electronic identity documents (eID) were significantly impac-ted with Spain, Slovakia, Estonia, Austria, Bulgaria, Brazil,Italy, Kosovo, Malaysia, Poland, and Taiwan affected. Trus-
ted Platform Modules (TPM) used for platform integrity anddata encryption (e.g., by Microsoft BitLocker) were vulne-rable, as well as authentication tokens and other devices.
TPM
Programmable
Identity documents(eID, eHealth cards)
Trusted PlatformModules
Authenticationtokens
Programmablesmartcards
Message protection(S-MIME, PGP)
Software signing
Coppersmith’s factorization method
Coppersmith’s method uses a partialknowledge of one of the primes tocompute the factorization of an RSAmodulus. At least half of the bits ofthe prime must be known. However,the method performs faster with moreknown bits. We use the method as ablack-box tool.
Coppersmith’s method as a black-box tool roca.crocs.fi.muni.cz
1. Modulus ���������
2. Unknown factors ������������ �����������
3. Partial knowledge of prime p ������� ���� �����������
4. Apply Coppersmith’s attack ��������������������
���������
@CRoCS_MUNI | [email protected] The Return of Coppersmith’s Attack November 2, 2017 6 / 12
Making the attack practical
To attempt a factorization of a vulnerable RSA key, we guess the value of aand compute the much larger “known” part of the prime as 65537a mod M .We then try to compute k using Coppersmith’s method, what succeeds onlyif the guess was correct. In the worst case, the attack will require trying halfof all the possible values of a.
Coppersmith’s attack applied on Infineon primes roca.crocs.fi.muni.cz
p = k ∗ M + 65537a mod MGuess a and compute k using Coppersmith’s method
�
� ������������
��������
������� ��������
��������������
a is still too large – find a smaller M � (divisor of M)�����������������������������������������������������
��
� � �������
������ �
�������
�������� ��������
@CRoCS_MUNI | [email protected] The Return of Coppersmith’s Attack November 2, 2017 7 / 12
For the majority of RSA key sizes, the bit length of M (and 65537a mod M)is much larger than the required bound for the attack (one half of the prime’sbit length). We find a smaller M ′ (a divisor of M), such that its size is stillsufficient, yet the size of a′ is significantly reduced when compared to a.
Coppersmith’s attack applied on Infineon primes roca.crocs.fi.muni.cz
p = k ∗ M + 65537a mod MGuess a and compute k using Coppersmith’s method
�
� ������������
��������
������� ��������
��������������
a is still too large – find a smaller M � (divisor of M)�����������������������������������������������������
��
� � �������
������ �
�������
�������� ��������
@CRoCS_MUNI | [email protected] The Return of Coppersmith’s Attack November 2, 2017 7 / 12
Entropy in primes
The figure shows the number and origin of random bits in relation to the sizeof the prime (vertical axis) for keys of given length (horizontal axis). A largeportion of prime’s bits is determined by the structure (orange) and can becomputed from the knowledge of random bits (green). Coppersmith’s attackfurther reduces the required number of known bits even lower (black dots).
512 1024 1536 2048 2560 3072 3584 4096Key size [bits]
0
512
1024
1536
2048
Prim
e siz
e [b
its]
Bits of the primeDetermined by the structureRandom bits in kRandom bits in aBruteforce search space (a0)
The attack optimization process
Smaller values of M ′ (fewer known bits) require fewer guesses on the valueof a′. However, the evaluation of each guess takes more time. We select theparameters corresponding to the minimal overall time of the factorization.
260280300320340Known bits
227230233236239242
Num
ber o
f atte
mpt
s ●
0.001
0.01
0.1
1
Tim
e/at
tem
pt [s
ec] +
260280300320340Known bits
100
101
102
Tota
l tim
e [y
ears
]
Acknowledgements
This project was supported by the Czech Science Foundation, project GA16-08565S. We greatly appreciate the access to the computing resources of theNational Grid Infrastructure MetaCentrum (CESNET LM2015042).
References
[1] Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec, Vashek Matyas.The Return of Coppersmith’s Attack: Practical Factorization of WidelyUsed RSA Moduli.In Proceeding of the 24th ACM Conference on Computer andCommunications Security (ACM CCS 2017), 2017.
[2] Petr Svenda, Matus Nemec, Peter Sekan, Rudolf Kvasnovsky, DavidFormanek, David Komarek, Vashek Matyas.The Million-Key Question – Investigating the Origins of RSA Public Keys.In Proceeding of the 25th USENIX Security Symposium, 2016.
roca.crocs.fi.muni.cz [email protected]