Lecture 8: Security of RSA THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE.


1 Lecture 8: Security of RSA THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE.
David Evans http://www.cs.virginia.edu/~evans
CS551: Security and Privacy, University of Virginia Computer Science
Background
- just got here last week
- finished degree at MIT week before
Philosophy of advising students
- don’t come to grad school to implement someone else’s idea
- can get paid more to do that in industry
- learn to be a researcher
- important part of that is deciding what problems and ideas are worth spending time on
- grad students should have their own project
- looking for students who can come up with their own ideas for research
- will take good students interested in things I’m interested in – systems, programming languages & compilers, security
- rest of talk – give you a flavor of the kinds of things I am interested in
- meant to give you ideas (hopefully even inspiration!) but not meant to suggest what you should work on

2 Menu
- (Anonymous) Pop Quiz
- Security of RSA
- Factoring
- Public Key Infrastructures
11 January 2019 University of Virginia CS 551

3 Properties of E and D
Trap-door one way function:
1. D (E (M)) = M
2. E and D are easy to compute.
3. Revealing E doesn’t reveal an easy way to compute D (next time)
Trap-door one way permutation: also
4. E (D (M)) = M
Are there other functions that have properties 1, 2 and 4?

4 RSA
$E(M) = M^e \bmod n$
$D(C) = C^d \bmod n$
$n = p \cdot q$, where $p$, $q$ are prime
$d$ is relatively prime to $(p - 1)(q - 1)$
$e \cdot d \equiv 1 \pmod{(p - 1)(q - 1)}$

5 Revealing E doesn’t reveal D
- Revealing E: $e$, $n$.
- Can attacker find D?
- If attacker factors $n = p \cdot q$: $e \cdot d \equiv 1 \pmod{(p - 1)(q - 1)}$
- Easy to find $d \equiv e^{-1} \bmod (p - 1)(q - 1)$
- Use experience to argue factoring is hard.
- Argue all other attacks are at least as hard as factoring n.

6 Gardner’s Column: Original RSA challenge ($100)
n (RSA-129) =
e = 9007
C =
Scientific American, August 1977

7
Ron Rivest (1977): factoring n (129 digits) would require at least 40 quadrillion years if you could do a * b mod c in one nanosecond.
Derek Atkins (April 1994): We are happy to announce that RSA-129 = *

8 How so Fast
- Better factoring algorithms
- Distributed computation
- Still can’t do a * b mod c in one nanosecond (not faster processors)
- 1 ns = $10^{-9}$ s
- Best processors today 1 GHz (cycle = 1 ns)
- But, multiplying 100 digit numbers takes many cycles

9 Trial and Error Factoring
- Try every number up to $\sqrt{n}$. Requires $O(\sqrt{n})$ divisions.
- For RSA-129 = $1.1 \times 10^{64}$ divisions, 1 per nanosecond = $3.4 \times 10^{47}$ years
- Just try prime numbers: requires $O(\pi(\sqrt{n}))$ divisions (assumes you already know all the primes up to $\sqrt{n}$)
- The Prime Number Theorem: $\pi(x) \sim x / \ln x$
- For RSA-129 = $7.2 \times 10^{61}$ divisions, 1 per nanosecond = $2.3 \times 10^{45}$ years

10 Pollard Rho Method
- Fastest known in 1977 [Pollard75]
- To find factor p, requires 4p modular multiplies
- Worst case: lowest p is $\sqrt{n}$, we need 4n multiplies
- For RSA-129 = $1.3 \times 10^{32}$ = $4 \times 10^{15}$ years
- Rivest probably used this, but made a math error (4 quadrillion vs. 40 quadrillion)

11 Pollard Rho
- Pick arbitrary $x_0$.
- Iterate: $x_{n+1} = x_n^2 + 1$
- If $p$ is prime, $x_n \bmod p$ must eventually repeat: $x_{n_1} \equiv x_{n_2} \pmod{p}$
- $x_{n_1 + k} \equiv x_{n_2 + k} \pmod{p}$ for all $k \ge 0$.
- Can find $x_{2n} \equiv x_n \pmod{p}$ for some $n \ge n_1$.
- If $\gcd(x_{2n} - x_n, N) > 1$ then $p$ is a factor of $N$.
- $x_{2n} - x_n = kp = \gcd(x_{2n} - x_n, N)$
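The iteration on this slide, written out as an added example (not part of the original lecture). It assumes the sequence is reduced mod N, adds a retry constant `c` for the rare case where x^2 + 1 fails, and uses a constructed modulus built from two Mersenne primes; all function and variable names are illustrative.

```python
from math import gcd

def pollard_rho(N, x0=2, c=1, max_steps=1_000_000):
    """Return (factor, steps); factor is None if this x0/c pair fails."""
    x = y = x0
    for step in range(1, max_steps + 1):
        x = (x * x + c) % N              # x_n: one step of x -> x^2 + c
        y = (y * y + c) % N              # x_2n: two steps per iteration
        y = (y * y + c) % N
        g = gcd(abs(y - x), N)           # > 1 once x_2n == x_n mod p
        if g == N:                       # repeated mod every factor at once
            return None, step
        if g > 1:
            return g, step
    return None, max_steps

def factor(N):
    """Try the slide's x^2 + 1 first, then other constants if it fails."""
    for c in range(1, 20):
        g, steps = pollard_rho(N, c=c)
        if g is not None:
            return g, N // g, steps
    return None

# Constructed sample modulus: product of two Mersenne primes (about 92 bits).
P_SMALL = 2**31 - 1
P_LARGE = 2**61 - 1
N_SAMPLE = P_SMALL * P_LARGE

if __name__ == "__main__":
    p, q, steps = factor(N_SAMPLE)
    print(f"{N_SAMPLE} = {p} * {q} after {steps} iterations")
    print(f"trial division would need up to {P_SMALL} divisions")
```

The iteration count tracks the square root of the smallest prime factor, which is why moduli with a small factor fall quickly while a properly generated RSA modulus does not.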

12 Quadratic Sieve
- To factor $n$, find $x$ and $y$ such that $x^2 \equiv y^2 \pmod{n}$
- Then, $n$ divides $x^2 - y^2 = (x - y)(x + y)$.
- $n = \gcd(n, x - y) \cdot \gcd(n, x + y)$.
- If we’re lucky, factors will be non-trivial
- If x and y generated “randomly”, probability is ½ since n has 2 prime factors

13 Breaking RSA-129
- Organized by Derek Atkins and others, 1994
- Quadratic Sieve algorithm
- Memory-limited (1994 – most workstations 16MB RAM), used 10M to hold .5M primes
- Recruited volunteers from Internet
- 1600 machines
- Used 5000 MIPS years over 8 months

14
To factor r [RSA-129] we assembled the largest collaboration yet seen in computational number theory and, possibly, performed the largest single computation ever completed. In several important respects, the resources we had available were barely adequate for the task. Consequently, ingenuity and diplomacy were required for the successful completion of the project.
Derek Atkins, Michael Graff, et al., The Magic Words Are Squeamish Ossifrage, AsiaCrypt 1994.

15 Recent Factoring Algorithms
- Team from CWI (Amsterdam) factored RSA-155 (512 bits), August 1999
- ~8000 MIPS years (36 CPU years)
- 7 months on ~300 machines
- Number Field Sieve
- Lecture 1: factor RSA-300 for automatic A. How much harder is this?

16 RSA Security
- Factoring is hard $\Rightarrow$ RSA is secure?
- Can you compute D without factoring n?
- Probably not, but can’t prove it.
- Can prove other mathematical attacks are equivalent to factoring.

17 $\varphi(n)$ without factoring
- Calculate $\varphi(n)$ without factoring n.
- $e \cdot d \equiv 1 \pmod{\varphi(n)}$
- Equivalent to factoring:
$\varphi(n) = n - (p + q) + 1$
$p + q = n - \varphi(n) + 1$

18 $\varphi(n)$ without factoring
$(p + q)^2 - 4n = (p^2 + 2pq + q^2) - 4n$
$= p^2 + 2n + q^2 - 4n$
$= p^2 - 2n + q^2$
$= p^2 - 2pq + q^2$
$= (p - q)^2$
$p - q = \sqrt{(p + q)^2 - 4n}$
$p + q = n - \varphi(n) + 1$
$2p = \sqrt{(n - \varphi(n) + 1)^2 - 4n} + n - \varphi(n) + 1$

19 Determine d without $\varphi(n)$
- Brute force: m digits long, amount of work is $10^m$.
- Try 1M/second (special purpose hardware)
- Will take $3 \times 10^{36}$ years for m = 50.
- For factoring difficulty, m > 100.
- Non-brute force: knowing d enables factoring.

20 Determining d $\Rightarrow$ factoring
$ed = 1 \bmod \varphi(n)$
$k \cdot \varphi(n) = ed - 1$
- Already showed, finding $\varphi(n)$ is same as factoring.
- Also true for multiple of $\varphi(n)$.
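The two reductions from slides 17-20, as an added example that is not part of the original lecture: recovering p and q from φ(n) with the square-root identity, and from (e, d) using only the multiple ed - 1 of φ(n). The second routine uses the standard search for a square root of 1 other than ±1, which the slides state but do not spell out; the key is constructed from two Mersenne primes and all names are illustrative.

```python
import math
import random

def factor_from_phi(n, phi):
    """Slides 17-18: recover (p, q) from n and phi(n); None if phi is wrong."""
    s = n - phi + 1                      # p + q
    disc = s * s - 4 * n                 # (p + q)^2 - 4n = (p - q)^2
    if disc < 0:
        return None
    r = math.isqrt(disc)                 # p - q
    if r * r != disc or (s + r) % 2:
        return None
    p, q = (s + r) // 2, (s - r) // 2
    return (p, q) if p * q == n else None

def factor_from_d(n, e, d, tries=64, seed=0):
    """Slide 20: e*d - 1 = k * phi(n) is enough to factor n."""
    rng = random.Random(seed)            # fixed seed keeps the run repeatable
    t = e * d - 1
    while t % 2 == 0:                    # write e*d - 1 as 2^s * t, t odd
        t //= 2
    for _ in range(tries):
        g = rng.randrange(2, n - 1)
        p = math.gcd(g, n)               # a lucky g already shares a factor
        x = pow(g, t, n)
        while p == 1 and x not in (1, n - 1):
            y = x * x % n
            if y == 1:                   # x^2 = 1 but x != +-1 (mod n)
                p = math.gcd(x - 1, n)
            x = y
        if p > 1:
            return max(p, n // p), min(p, n // p)
    return None                          # each try succeeds with prob >= 1/2

# Constructed key: two Mersenne primes, e = 9007 as in the RSA-129 challenge.
P, Q = 2**61 - 1, 2**31 - 1
N, PHI = P * Q, (2**61 - 2) * (2**31 - 2)
E = 9007
D = pow(E, -1, PHI)                      # private exponent (Python 3.8+)

if __name__ == "__main__":
    print("from phi(n):", factor_from_phi(N, PHI))
    print("from (e, d):", factor_from_d(N, E, D))
```

For key management this means an exposed d or φ(n) exposes the factors of n, so the modulus itself must be retired rather than just the exponent pair.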

21 Properties of RSA’s E and D
Trap-door one way function:
1. D (E (M)) = M
2. E and D are easy to compute.
3. Revealing E doesn’t reveal an easy way to compute D (next time)
Trap-door one way permutation: also
4. E (D (M)) = M

22 Key Management
Public keys only useful if you know:
1. The key matches the entity you think it does.
2. The entity is trustworthy.

23 Approach 1: Public Announcement
- Publish public keys in a public forum
- USENET groups
- Append to messages
- New York Times classifieds
- Easy for rogue to pretend to be someone else

24 Approach 2: Public Directory
- Trusted authority maintains directory mapping names to public keys
- Entities register public keys with authority in some secure way
- Authority publishes directory
- Print using watermarked paper, special fonts, etc.
- Allow secure electronic access

25 One Key
- Electronic access requires directory have key (public/private key pair might work, but how do entities validate public key?)
- If authority’s key is compromised, everything is vulnerable!
- Keep the key locked up well
- Directory is single point of failure

26 Approach 3: Certificates
[Diagram: TrustMe.com, Alice and Bob; labels $KU_A$, $KU_B$, $C_A$, $C_B$]
$C_A = E_{KR_{TrustMe}}[\text{“Alice”}, KU_A]$
$C_B = E_{KR_{TrustMe}}[\text{“Bob”}, KU_B]$
How do I know “Alice” is “Alice”?

27
[Diagram: TrustMe.com, Alice and Bob; labels $KU_A$, $KU_B$, $C_A$, $C_B$]
$C_A = E_{KR_{TrustMe}}[ID_A, KU_A]$
$C_B = E_{KR_{TrustMe}}[ID_B, KU_B]$
What if Alice’s private key is compromised?

28
[Diagram: TrustMe.com ($$$$), Alice and Bob; labels $KU_A$, $KU_B$, $C_A$, $C_B$]
$C_A = E_{KR_{TrustMe}}[Time_1, ID_A, KU_A]$
$C_B = E_{KR_{TrustMe}}[Time_2, ID_B, KU_B]$

29
Data encrypted using secret key exchanged using some public key associated with some certificate.

33 Web Treasure Hunt
- Click on “lock” next time when you browse the web
- Find a certificate with a hierarchy of trust more than one level deep
- The CA has a certificate

34 Charge
- PS2 Due Wednesday
- Full Project Proposals due 4 Oct (description now on web)
- SSL details coming in a few weeks...

