Known-Plaintext-Only Attack on RSA-CRT with Montgomerry Multiplication

Slides:



Advertisements
Similar presentations
Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.
Advertisements

CRT RSA Algorithm Protected Against Fault Attacks WISTP - 5/10/07 Arnaud BOSCHER Spansion EMEA Robert NACIRI Oberthur Card Systems Emmanuel PROUFF Oberthur.
Cryptography and Network Security Chapter 9
Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK
Capstone Project Presentation A Tool for Cryptography Problem Generation CSc 499 Mark Weston Winter 2006.
Session 4 Asymmetric ciphers.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
Remote Timing Attacks -Rashmi Kukanur. Agenda  Timing Attacks  Case Study : –David Brumley –Dan Boneh  Defenses.
RSA Attacks 1 RSA Implementation Attacks RSA Attacks 2 RSA  RSA o Public key: (e,N) o Private key: d  Encrypt M C = M e (mod N)  Decrypt C M = C d.
Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.
Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.
Cryptography in Subgroups of Z n * Jens Groth UCLA.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Tallinn University of Technology Quantum computer impact on public key cryptography Roman Stepanenko.
A Cryptography Tutorial Jim Xu College of Computing Georgia Tech
ASYMMETRIC CIPHERS.
Lecture 5 Overview Does DES Work? Differential Cryptanalysis Idea – Use two plaintext that barely differ – Study the difference in the corresponding.
The RSA Algorithm Rocky K. C. Chang, March
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.
RSA Ramki Thurimella.
10/1/2015 9:38:06 AM1AIIS. OUTLINE Introduction Goals In Cryptography Secrete Key Cryptography Public Key Cryptograpgy Digital Signatures 2 10/1/2015.
Santa’s Crypto Get-Together Hotel Olympic, Prague December 5, 2008 Towards Disclosing the Private Key of an e-Passport Martin Hlaváč and Tomáš Rosa Department.
Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.
Issues of Security with the Oswald-Aigner Exponentiation Algorithm Colin D Walter Comodo Research Lab, Bradford, UK Colin D Walter.
9th IMA Conference on Cryptography & Coding Dec 2003 More Detail for a Combined Timing and Power Attack against Implementations of RSA Werner Schindler.
EPassports EAC Conformity & Interoperability Tests, Prague September 7-12, 2008 When an e-Passport Talks and it Should Not Martin Hlaváč and Tomáš Rosa.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
MA/CSSE 473 Day 11 Primality testing summary Data Encryption RSA.
Public-Key Encryption
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Cryptography and Network Security Chapter 9 - Public-Key Cryptography
Utilizing Performance Monitors for Compromising keys of RSA on Intel Platforms Sarani Bhattacharya and Debdeep Mukhopadhyay Dept. of Computer Science and.
Some Number Theory Modulo Operation: Question: What is 12 mod 9?
Accelerating Homomorphic Evaluation on Reconfigurable Hardware Thomas Pöppelmann, Michael Naehrig, Andrew Putnam, Adrian Macias.
Exploiting Cache-Timing in AES: Attacks and Countermeasures Ivo Pooters March 17, 2008 Seminar Information Security Technology.
PUBLIC-KEY CRYPTOGRAPHY AND RSA – Chapter 9 PUBLIC-KEY CRYPTOGRAPHY AND RSA – Chapter 9 Principles Applications Requirements RSA Algorithm Description.
Lattice-based cryptography and quantum Oded Regev Tel-Aviv University.
Remote Timing Attacks are Practical David Brumley Dan Boneh [Modified by Somesh.
1/16 Seeing through M IST given a Small Fraction of an RSA Private Key Colin D. Walter Comodo Research Lab (Bradford, UK)
WISA 2007 Jeju Island, Korea, 27th – 29th Aug 2007 Longer Randomly Blinded RSA Keys may be Weaker than Shorter Ones Colin D. Walter
Lattice-based Fault Attacks on DSA – Another Possible Strategy Tomáš Rosa,
EE 122: Lecture 24 (Security) Ion Stoica December 4, 2001.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
1 The RSA Algorithm Rocky K. C. Chang February 23, 2007.
@Yuan Xue CS 285 Network Security Public-Key Cryptography Yuan Xue Fall 2012.
Cryptographic Insecurity of the Test&Repeat Paradigm Tomáš Rosa, eBanka, a.s., Charles University, Prague, Czech Technical University in.
Nikita Maria Department of Applied Informatics University of Macedonia - Greece.
Public Key Cryptography
Simple Power Analysis of
Public Key Encryption Major topics The RSA scheme was devised in 1978
Attacks on Public Key Encryption Algorithms
RSA and El Gamal Cryptosystems
IEEE TRANSACTIONS ON INFORMATION THEORY, JULY 1985
Public Key Cryptosystems - RSA
Cryptographic Hash Functions Part I
Background: Lattices and the Learning-with-Errors problem
Efficient CRT-Based RSA Cryptosystems
Distinguishing Exponent Digits by Observing Modular Subtractions
Unknown Input Attacks in the Parallel Setting Improving the Security of the CHES 2012 Leakage Resilient PRF Marcel Medwed François-Xavier Standaert Ventzislav.
Security through Encryption
Security in Network Communications
Public-key encryption
Cryptographic Timing Attacks
Factoring RSA Moduli: Current State of the Art J
PUBLIC-KEY CRYPTOGRAPHY AND RSA – Chapter 9
z , and therefore u =  x ~ /s is an approximation of p z.
Introduction to Cryptography
Presentation transcript:

Known-Plaintext-Only Attack on RSA-CRT with Montgomerry Multiplication Martin Hlaváč Department of Algebra, Charles University in Prague IT Security Department, Czech Insurance Corporation September 7, CHES 09, Lausanne, Switzerland

Electro-Magnetic Interface Active Authentication Outline Electronic Passport Electro-Magnetic Interface Active Authentication RSA-CRT with Mont. Multiplication Schindler's Attack, Tomoeda's Attack New attack Simulation Results Conclusion Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Electro-Magnetic Interface Active Authentication Outline Electronic Passport Electro-Magnetic Interface Active Authentication RSA-CRT with Mont. Multiplication Schindler's Attack, Tomoeda's Attack New attack Simulation Results Conclusion Motivation & strong assumptions Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Electro-Magnetic Interface Active Authentication Outline Electronic Passport Electro-Magnetic Interface Active Authentication RSA-CRT with Mont. Multiplication Schindler's Attack, Tomoeda's Attack New attack Simulation Results Conclusion Motivation & strong assumptions Attack Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Electronic travel document with chip that contains Electronic Passport Electronic travel document with chip that contains MRZ (Machine Readable Zone) Photo, fingerprints?, eye retina? RSA Key pair for Active Authentication Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Electronic Passport II. Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Electronic Passport II. FameXE RSA co-processor antenna interface Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Electro-Magnetic Interface HF range (13.56 MHz) Operation distance ~10 cm (4 in) Near-field communication transponder RFID terminal RFID internal network transponder field terminal field Can be seen as “high frequency transformer” Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Active Authentication passport's anti-cloning countermeasure optional simple challenge-response protocol based on RSA public key signed by national authority private key in protected memory challenge chosen by both, passport and reader chosen plaintext attacks do not work Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Active Authentication II. Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Active Authentication II. chosen jointly Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Electronic Passport II. FameXE RSA co-processor antenna interface Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

FameXP exposure in EM field Sensitive operation should not be visible Measurements by doc. Lórencz’s team, FEL CTU in Prague, april 2007 Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

FameXP exposure in EM field Sensitive operation should not be visible s = md mod N S M S M S M S M S M S Measurements by doc. Lórencz’s team, FEL CTU in Prague, april 2007 Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

RSA with Chinese Remainder Theorem Private RSA operation md mod N is computed using CRT as follows Faster then simple exponentiation Use of secret p,q make CRT vulnerable Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

RSA with Chinese Remainder Theorem Private RSA operation md mod N is computed using CRT as follows Faster then simple exponentiation Use of secret p,q make CRT vulnerable Assumption n. 1: RSA blinding is NOT employed. (Time consuming.) Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Montgomerry exponentiation mod&div R=2512 fast Sliding windows (fixed window) exponentiation can NOT be used as it requires precomputation (i.e. a lot of memory) not available here We're not really working in Z_p but in Z_R. Since R>p, extra reduction is needed sometimes. Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Montgomerry exponentiation mod&div R=2512 fast Assumption n. 2: No constant-time multiplication is used. Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Schindler's Timing Attack With x fixed and B random in Zp, the probability final subtraction occurs during mont(x,B) is Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Schindler's Timing Attack With x fixed and B random in Zp, the probability final subtraction occurs during mont(x,B) is Careful choice of plaintext allows timing ACCA. Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Schindler's Timing Attack With x fixed and B random in Zp, the probability final subtraction occurs during mont(x,B) is Careful choice of plaintext allows timing ACCA. Assumption n. 3: Amount of final subtractions is revealed. Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

CCA attack by Tomoeda et al. Tomoeda et al. observed “almost linear” modular relation between (function of) unknown factor p, and known amount of final substitutions Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

CCA attack by Tomoeda et al. II. Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

New attack – Basic Idea Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

New attack – Basic Idea Multiply by N Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

New attack – Basic Idea Multiply by N Substitute Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

use Hidden Number Problem New attack – Basic Idea Multiply by N Substitute use Hidden Number Problem Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Precision of approximations How good is “” in ? one-time pre-computation with 212 RSA instances 212 signatures per instance n bit precision if difference below 2-n Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Precision of approximations II. Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Precision of approximations II. As low as 1 bit. Not good enough for HNP. Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Precision of approximations II. At least 4 bits. 7 bits on average. As low as 1 bit. Not good enough for HNP. Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Instead of using max. number of FS, precompute ideal value Tweaking nmax Instead of using max. number of FS, precompute ideal value Increases minimal precision by 1 bit Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Classical tool to solve modular approximations for x Hidden Number Problem Classical tool to solve modular approximations for x Create lattice spanned by Find lattice vector close to Hope it is Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Simulated side information leakage Experiments 5 RSA instances Simulated side information leakage 150 signatures filtered from app. 7000 Up to 4 final subtractions taken into account Minimal precision presumed from 3.5 to 8.5 bits Factorization found in 40 minutes for each instance Computing platform 20x Opteron 844 (1.8 GHz) Debian 64bit NTL/GMP Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Is SCH information available in ePassport scenario? Other scenarios? Future work Is SCH information available in ePassport scenario? Other scenarios? Extend to pure timing attack Improve attack Other tweaks to increase precision Handle RSA blinding Provide proof and limits when attack works probability Time complexity Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

New attack on RSA-CRT with Mont. Multiplication Conclusion New attack on RSA-CRT with Mont. Multiplication Known plaintext only (previous attacks were CCA) Another use of lattices and LLL algorithm If assumptions are true, active authentication can be broken, i.e. e-passport cloned Attack possible in other scenarios Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Thank you for your attention! Questions? Martin Hlaváč Department of Algebra Charles University in Prague IT Security Department Czech Insurance Corporation Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.