David Evans http://www.cs.virginia.edu/~evans Lecture 8: Security of RSA THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE. Background just got here last week finished degree at MIT week before Philosophy of advising students don’t come to grad school to implement someone else’s idea can get paid more to do that in industry learn to be a researcher important part of that is deciding what problems and ideas are worth spending time on grad students should have their own project looking for students who can come up with their own ideas for research will take good students interested in things I’m interested in – systems, programming languages & compilers, security rest of talk – give you a flavor of the kinds of things I am interested in meant to give you ideas (hopefully even inspiration!) but not meant to suggest what you should work on CS551: Security and Privacy University of Virginia Computer Science David Evans http://www.cs.virginia.edu/~evans
University of Virginia CS 551 Menu (Anonymous) Pop Quiz Security of RSA Factoring Public Key Infrastructures 11 January 2019 University of Virginia CS 551
Properties of E and D Trap-door one way function: D (E (M)) = M E and D are easy to compute. Revealing E doesn’t reveal an easy way to compute D (next time) Trap-door one way permutation: also E (D (M)) = M Are there other functions that have properties 1, 2 and 4? 11 January 2019 University of Virginia CS 551
University of Virginia CS 551 RSA E(M) = Me mod n D(C) = Cd mod n n = p * q p, q are prime d is relatively prime to (p – 1)(q – 1) e * d 1 (mod (p – 1)(q – 1)) 11 January 2019 University of Virginia CS 551
Revealing E doesn’t reveal D Revealing E: e, n. Can attacker find D? If attacker factors n = p * q e * d 1 (mod (p – 1)(q – 1)) Easy to find d e-1 mod (p – 1)(q – 1) Use experience to argue factoring is hard. Argue all other attacks are at least as hard as factoring n. 11 January 2019 University of Virginia CS 551
Gardner’s Column: Original RSA challenge ($100) n (RSA-129) = 1 1438 1625 7578 8886 7669 2357 7997 6146 6120 1021 8296 7212 4236 2562 5618 4293 5706 9352 4573 3897 8305 9712 3563 9587 0505 8989 0751 4759 9290 0268 7954 3541 e = 9007 C = 9686 9613 7546 2206 1477 1409 2225 4355 8829 0575 9991 1245 7431 9874 6951 2093 0816 2982 2514 5708 3569 3147 6622 8839 8962 8013 3919 9055 1829 9451 5781 5154 Scientific American, August 1977 11 January 2019 University of Virginia CS 551
University of Virginia CS 551 40000000000000000 17 Ron Rivest (1977): factoring n (129 digits) would require at least 40 quadrillion years if you could do a * b mod c in one nanosecond. Derek Atkins (April 1994): We are happy to announce that RSA-129 = 3490 5295 1084 7650 9491 4784 9619 9038 9813 3417 7646 3849 3387 8439 9082 0577 * 3 2769 1329 9326 6709 5499 6198 8190 8344 6141 3177 6429 6799 2942 5397 9828 8533 11 January 2019 University of Virginia CS 551
University of Virginia CS 551 How so Fast Better factoring algorithms Distributed computation Still can’t do a * b mod c in one nanosecond (not faster processors) 1ns = 10-9 s Best processors today 1 GHz (cycle = 1ns) But, multiplying 100 digit numbers takes many cycles 11 January 2019 University of Virginia CS 551
Trial and Error Factoring Try every number up to n. Requires O(n) divisions. For RSA-129 = 1.1 * 1064 divisions, 1 per nanosecond = 3.4 * 1047 years Just try prime numbers: requires O((n)) divisions (assumes you already know all the primes up to n) The Prime Number Theorem: (x) ~ x/ln x For RSA-129 = 7.2 * 1061 divisions, 1 per nanosecond = 2.3 * 1045 years 11 January 2019 University of Virginia CS 551
University of Virginia CS 551 Pollard Rho Method Fastest known in 1977 [Pollard75] To find factor p, requires 4p modular multiplies Worst case: lowest p is n, we need 4n multiplies For RSA-129 = 1.3 * 1032 = 4 * 1015 years Rivest probably used this, but made a math error (4 quadrilllion 40 quadrilllion) 11 January 2019 University of Virginia CS 551
University of Virginia CS 551 Pollard Rho Pick arbitrary x0. Iterate: xn + 1 = xn2 + 1 If p is prime, xn mod p must eventually repeat: xn1 xn2 mod p xn1 + k xn2 + k mod p for all k >= 0. Can find x2n xn mod p for some n >= n1. If gcd (x2n – xn, N) > 1 then p is a factor of N. x2n – xn = kp = gcd (x2n – xn, N) 11 January 2019 University of Virginia CS 551
University of Virginia CS 551 Quadratic Sieve To factor n, find x and y such that x2 y2 mod n Then, n divides x2 – y2 = (x – y) (x + y). n = gcd (n, x – y) * gcd (n, x + y). If we’re lucky, factors will be non-trivial If x and y generated “randomly”, probability is ½ since n has 2 prime factors 11 January 2019 University of Virginia CS 551
University of Virginia CS 551 Breaking RSA-129 Organized by Derek Atkins and others, 1994 Quadratic Sieve algorithm Memory-limited (1994 – most workstations 16MB RAM), used 10M to hold .5M primes Recruited volunteers from Internet 1600 machines Used 5000 MIPS years over 8 months 11 January 2019 University of Virginia CS 551
University of Virginia CS 551 To factor r [RSA-129] we assembled the largest collaboration yet seen in computational number theory and, possibly, performed the largest single computation ever completed. In several important respects, the resources we had available were barely adequate for the task. Consequently, ingenuity and diplomacy were required for the successful completion of the project. Derek Atkins, Michael Graff, et. al., The Magic Words Are Squeamish Ossifrage, AsiaCrypt 1994. 11 January 2019 University of Virginia CS 551
Recent Factoring Algorithms Team from CWI (Amsterdam) factored RSA-155 (512 bits), August 1999 ~8000 MIPS years (36 CPU years) 7 months on ~300 machines Number Field Sieve Lecture 1: factor RSA-300 for automatic A. How much harder is this? 11 January 2019 University of Virginia CS 551
University of Virginia CS 551 RSA Security Factoring is hard RSA is secure? Can you compute D without factoring n? Probably not, but can’t prove it. Can prove other mathematical attacks are equivalent to factoring. 11 January 2019 University of Virginia CS 551
(n) without factoring Calculate (n) without factoring n. e * d 1 (mod (n)) Equivalent to factoring: (n) = n – (p + q) + 1 p + q = n – (n) –1 11 January 2019 University of Virginia CS 551
(n) without factoring (p + q)2 – 4n = (p2 + 2pq + q2 ) – 4n = p2 + 2n + q2 –4n = p2 – 2n + q2 = p2 – 2pq + q2 = (p – q)2 p – q = sqrt ((p + q)2 – 4n) p + q = n – (n) –1 2p = sqrt ((n – (n) –1)2 – 4n) + n – (n) –1 11 January 2019 University of Virginia CS 551
Determine d without (n) Brute force: m digits long, amount of work is 10m. Try 1M/second (special purpose hardware) Will take 3*1036 years for m = 50. For factoring difficulty, m > 100. Non-brute force: knowing d enables factoring. 11 January 2019 University of Virginia CS 551
Determining d factoring ed = 1 mod (n) k * (n) = ed – 1 Already showed, finding (n) is same as factoring. Also true for multiple of (n). 11 January 2019 University of Virginia CS 551
Properties of RSA’s E and D Trap-door one way function: D (E (M)) = M E and D are easy to compute. Revealing E doesn’t reveal an easy way to compute D (next time) Trap-door one way permutation: also E (D (M)) = M 11 January 2019 University of Virginia CS 551
University of Virginia CS 551 Key Management Public keys only useful if you know: The key matches the entity you think it does. The entity is trustworthy. 11 January 2019 University of Virginia CS 551
Approach 1: Public Announcement Publish public keys in a public forum USENET groups Append to email messages New York Time classifieds Easy for rogue to pretend to be someone else 11 January 2019 University of Virginia CS 551
Approach 2: Public Directory Trusted authority maintains directory mapping names to public keys Entities register public keys with authority in some secure way Authority publishes directory Print using watermarked paper, special fonts, etc. Allow secure electronic access 11 January 2019 University of Virginia CS 551
University of Virginia CS 551 One Key Electronic access requires directory have key (public/private key pair might work, but how do entities validate public key?) If authority’s key is compromised, everything is vulnerable! Keep the key locked up well Directory is single point of failure 11 January 2019 University of Virginia CS 551
Approach 3: Certificates TrustMe.com KUA KUB CB = EKRTrustMe[“Bob”, KUB] CA = EKRTrustMe[“Alice”, KUA] CB CA Alice Bob How do I know “Alice” is “Alice”? 11 January 2019 University of Virginia CS 551
TrustMe.com KUA KUB CA = EKRTrustMe [IDA, KUA] CB = EKRTrustMe [IDB, KUB] CB CA Alice Bob What if Alice’s private key is compromised? 11 January 2019 University of Virginia CS 551
$$$$ TrustMe.com KUA KUB CA = EKRTrustMe[Time1, IDA, KUA] CB = EKRTrustMe[Time2, IDB, KUB] CB CA Alice Bob 11 January 2019 University of Virginia CS 551
University of Virginia CS 551 Data encrypted using secret key exchanged using some public key associated with some certificate. 11 January 2019 University of Virginia CS 551
University of Virginia CS 551 11 January 2019 University of Virginia CS 551
University of Virginia CS 551 11 January 2019 University of Virginia CS 551
University of Virginia CS 551 11 January 2019 University of Virginia CS 551
University of Virginia CS 551 Web Treasure Hunt Click on “lock” next time when you browse the web Find a certificate with a hierarchy of trust more than one level deep The CA has a certificate 11 January 2019 University of Virginia CS 551
University of Virginia CS 551 Charge PS2 Due Wednesday Full Project Proposals due 4 Oct (description now on web) SSL details coming in a few weeks... 11 January 2019 University of Virginia CS 551