Cryptography and attacks
(or how to start WWIII with your home computer)

Ari Trachtenberg
[Figure: Alice sends Bob a letter ("Dear Bob, blah, blah, blah,... gushy romantic nonsense... you look like Superman... Alice"); Marvin sits in the middle and inserts "serious demands...".]
• Caesar cipher
      a b c d e f g h i j k l m n o p q r s t u v w x y z
      D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
• al-Kalka-shandi (1412): transposition, substitution
      h => g, e => f, l => q, o => r:  hello -> gfqqr
• German enigma machine (WWII)
• Number theoretic schemes:
   “It is not possible to justify the life of any genuine
   professional mathematician on the ground of the 'utility' of
   his work.” -G.H. Hardy, A Mathematician’s Apology
• Rot-13
      hello → uryyb
• Permutation
      h => g, e => f, l => q, o => r:  hello → gfqqr
• Binary XOR
        h     e     l     l     o
      01000 00101 01100 01100 01111
      10010 10111 00010 10101 00111 <= Random
      11010 10010 01110 11001 01000 <= Result
        z     r     n     y     h
• shift cipher
• substitution cipher
• Vigenère cipher
• DES
• Triple DES
Table of Contents
•  Introduction
  –  review of number theory
  –  review of RSA
  –  Security of RSA basis

•  Computational attacks
  –  “Intuitively obvious” attacks
  –  Bad choice of primes
  –  Netscape’s bug

•  Implementation attacks
  –  Timing attacks
  –  Random faults (to err is not computer-like)

•  Conclusions
  –  How to implement a “secure” RSA cryptosystem
(the basis of RSA)
6 people: 15 keys!
10,000 people: 49 million keys!
[Figure: Alice's letter to Bob ("Dear Bob, blah, blah, blah,... do you like cs... what is 0.5 in binary... let’s go out... Alice") with the label BOB stamped all over it.]
Modulo
    $3 \equiv 15 \equiv 27 \equiv \dots \pmod{12}$
    $a \equiv b \pmod m \iff \exists k \text{ s.t. } a + km = b$

Inverses
    $3 \cdot 7 \equiv 1 \pmod{10}$
    $a a^{-1} \equiv 1 \pmod m \Rightarrow \exists k \text{ s.t. } a a^{-1} + km = 1$

Euler’s phi function
    $\varphi(n)$ = # of integers $< n$ that are relatively prime with $n$
    $\varphi(n) = n \prod_{d \mid n} \left(1 - \frac{1}{d}\right)$   (product over the distinct primes $d$ dividing $n$)
    $\varphi(p) = p - 1$,   $\varphi(pq) = (p - 1)(q - 1)$ for distinct primes $p, q$
Order
    $\mathrm{ord}(a) \pmod n$: smallest $t$ s.t. $a^t \equiv 1 \pmod n$
    $\mathrm{ord}(3) \pmod{10} = 4$
Euler’s theorem
    $\forall a$ with $\gcd(a, n) = 1$:  $a^{\varphi(n)} \equiv 1 \pmod n$
Euclid’s algorithm
    Given x and y, we can find A and B such that:
        $Ax + By = \gcd(x, y)$
Discrete logarithm theorem
    $g^x \equiv g^y \pmod n \iff x \equiv y \pmod{\varphi(n)}$   (for $g$ of order $\varphi(n)$)
Given $n = n_1 n_2 n_3 \cdots n_k$ (pairwise coprime $n_i$), there is a one-to-one correspondence:

    $a \leftrightarrow (a_1, a_2, a_3, \dots, a_k)$,   $a \in \mathbb{Z}_n$,   $a_i \equiv a \pmod{n_i}$, $a_i \in \mathbb{Z}_{n_i}$

Example ($390 = 13 \cdot 10 \cdot 3$):
    $63 \pmod{390}$ → $63 \equiv 11 \pmod{13}$,  $63 \equiv 3 \pmod{10}$,  $63 \equiv 0 \pmod{3}$

    Going back:
    $11 \pmod{13}$:  $m_1 = 10 \cdot 3 = 30$,    $m_1^{-1} \equiv 10 \pmod{13}$
    $3 \pmod{10}$:   $m_2 = 13 \cdot 3 = 39$,    $m_2^{-1} \equiv 9 \pmod{10}$
    $0 \pmod{3}$:    $m_3 = 13 \cdot 10 = 130$,  $m_3^{-1} \equiv 1 \pmod{3}$

    $11 \cdot 30 \cdot 10 = 3300$,  $3 \cdot 39 \cdot 9 = 1053$,  $0 \cdot 130 \cdot 1 = 0$
    $3300 + 1053 + 0 = 4353 \equiv 63 \pmod{390}$
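The reconstruction above in its general form, as an added example (not code from the lecture): extended Euclid, modular inverse and CRT recombination for any list of pairwise coprime moduli, checked against the 63 (mod 390) numbers of the slide. Function names are my own.

```python
# Added example (not from the slides): Euclid's algorithm, modular inverses and
# Chinese-remainder reconstruction, checked against the 63 (mod 390) example.

def egcd(x, y):
    """Extended Euclid: return (g, A, B) with A*x + B*y == g == gcd(x, y)."""
    a0, a1 = x, y
    A0, A1 = 1, 0
    B0, B1 = 0, 1
    while a1:
        q = a0 // a1
        a0, a1 = a1, a0 - q * a1
        A0, A1 = A1, A0 - q * A1
        B0, B1 = B1, B0 - q * B1
    return a0, A0, B0


def modinv(a, m):
    """Inverse of a modulo m; raises if gcd(a, m) != 1 (no inverse exists)."""
    g, A, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}")
    return A % m


def crt_split(a, moduli):
    """The forward direction of the correspondence: a -> (a mod n_1, ..., a mod n_k)."""
    return [a % n for n in moduli]


def crt_combine(residues, moduli):
    """Rebuild a (mod prod(moduli)) from residues a_i = a mod n_i, exactly as on the
    slide: sum a_i * m_i * (m_i^-1 mod n_i) with m_i the product of the other moduli."""
    n = 1
    for m in moduli:
        n *= m
    total = 0
    for a_i, n_i in zip(residues, moduli):
        m_i = n // n_i                  # product of the other moduli
        inv = modinv(m_i, n_i)          # m_i^{-1} (mod n_i); fails if moduli are not coprime
        total += a_i * m_i * inv
    return total % n


if __name__ == "__main__":
    parts = crt_split(63, [13, 10, 3])          # [11, 3, 0]
    print(parts, crt_combine(parts, [13, 10, 3]))  # ... 63
```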
Bob’s initialization:
• pick $N_{Bob} = pq$
• pick public key $e_{Bob}$
• finds secret key $d_{Bob}$ with $e_{Bob} d_{Bob} \equiv 1 \pmod{(p - 1)(q - 1)}$
• public info: $(e_{Bob}, N_{Bob})$
• private info: $d_{Bob}$

Alice:
• message $M$
• encodes: $C = M^{e_{Bob}} \pmod N$
• (or signs): $S = P_{Alice}(M) \equiv M^{d_{Alice}} \pmod N$

Bob:
• decodes: $C^{d_{Bob}} \equiv M^{e_{Bob} d_{Bob}} \equiv M \pmod N$
• (or checks signature): $S^{e_{Alice}} \equiv M^{d_{Alice} e_{Alice}} \equiv M \pmod N$
Basis for RSA security
                 (be afraid…be very afraid)

 1. Factoring $N = pq$ is hard to do
      or else can compute $(p - 1)(q - 1)$
         and use Euclidean algorithm to get $d$ and $M$

 2. Getting the private key $d$ is hard
      or else, given $M^e$ can compute $M^{ed} \equiv M \pmod N$

 3. Discrete logarithm is hard
      Given $e$ and $M^e \pmod N$, can we compute $M$?
Basis for RSA security (=>)
                         Factoring is as hard as computing “d”

 • Given $p, q, N = pq$:
        $\varphi(N) = (p - 1)(q - 1)$
 • By the Euclidean algorithm, we can solve for $d, K$:
        $de + K\varphi(N) = \gcd(e, \varphi(N)) = 1$
        $ed \equiv 1 \pmod{\varphi(N)}$
Basis for RSA security (<=)
                 Computing “d” is as hard as factoring
     Given $\langle N, e \rangle$ and $d$, we can factor $N = pq$ “efficiently” using
            a probabilistic Las Vegas algorithm

1. Compute $k = ed - 1$,
       so that $ed \equiv 1 \pmod{\varphi(N)} \Rightarrow \varphi(N) \mid k \Rightarrow \forall a$ coprime to $N$, $a^k \equiv 1 \pmod N$

2. $N$ has four square roots of 1 by CRT:
           $1 \pmod p$,   $1 \pmod q$  ⇒   $1 \pmod N$
           $1 \pmod p$,  $-1 \pmod q$  ⇒   $x \pmod N$
          $-1 \pmod p$,   $1 \pmod q$  ⇒  $-x \pmod N$
          $-1 \pmod p$,  $-1 \pmod q$  ⇒  $-1 \pmod N$

3. $\gcd(x - 1, N) = p$
Basis for RSA security (<=)
                      Computing “x” with a Las Vegas algorithm

To compute $x$ (expected run time is $O((\log N)^3)$):

  Choose a random $g \in \mathbb{Z}_N^*$.

  Compute:
        $g^k,\ g^{k/2},\ g^{k/4},\ \dots,\ g^{k/2^t}$   ($k/2^t$ an odd number; recall $k = ed - 1$)

With probability 0.5, an exponent of $g$ equals $x$: the sequence reads
        $1,\ 1,\ 1,\ \dots,\ x \text{ or } {-1},\ \dots,\ \neq 1$
i.e. the first entry that is not 1 is either $\pm x$ (success) or $-1$ (try another $g$).
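The Las Vegas procedure of the two slides above as runnable code, an added example rather than code from the lecture: a toy key is built from the constructed primes 61 and 53, and factor_from_d recovers them from (N, e, d), which is why a leaked d (or a modulus shared between several users) gives away the factorization. Names, primes and the seed are my own.

```python
# Added example (not code from the lecture): recover p and q from a working RSA
# key pair (e, d) with the Las Vegas algorithm of the two slides above.
# The primes, exponent and seed are constructed for illustration only.
import math
import random

P, Q = 61, 53                      # constructed toy primes
N = P * Q                          # 3233
PHI = (P - 1) * (Q - 1)            # 3120
E = 17
D = pow(E, -1, PHI)                # 2753; e*d == 1 (mod phi(N)); needs Python 3.8+


def roundtrip(m):
    """Encrypt then decrypt m with the toy key; returns the recovered message."""
    return pow(pow(m, E, N), D, N)


def factor_from_d(n, e, d, seed=1, max_tries=200):
    """Return (p, q) with p < q and p*q == n, using the public e and the private d."""
    k = e * d - 1                  # phi(n) | k, so g^k == 1 (mod n) whenever gcd(g, n) == 1
    t, r = 0, k
    while r % 2 == 0:              # write k = 2^t * r with r odd
        r //= 2
        t += 1
    rng = random.Random(seed)
    for _ in range(max_tries):
        g = rng.randrange(2, n - 1)
        c = math.gcd(g, n)
        if c != 1:                 # negligible for real keys, but g already shares a factor
            return min(c, n // c), max(c, n // c)
        # The slide's list g^k, g^(k/2), ..., g^r read from the odd end upward:
        # the value just before the first 1 is either -1 (this g fails) or a
        # nontrivial square root x of 1, and then gcd(x - 1, n) is p or q.
        x = pow(g, r, n)
        if x in (1, n - 1):
            continue
        for _ in range(t):
            y = x * x % n
            if y == 1:
                p = math.gcd(x - 1, n)
                return min(p, n // p), max(p, n // p)
            if y == n - 1:
                break              # the chain passes through -1: try another g
            x = y
    raise RuntimeError("no factor found; increase max_tries")


if __name__ == "__main__":
    print(roundtrip(65), factor_from_d(N, E, D))   # 65 (53, 61)
```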
Computational attacks

1) No bit padding (common sense)
     $C$ = 2347809AE8 => "Attack at midnight!"
     Observed ciphertexts:  59820BCE84  2347809AE8  684930EFFF
     (without random padding the same message always encrypts to the same ciphertext, so a ciphertext seen once is recognised every time it reappears)

2) p and q are too close
     $N = pq = p(p - c) \Rightarrow p^2 - cp - N = 0$. Solve using the quadratic formula!
     In general, bad when (for some constant $k$):
           $p - q < \sqrt{p}\,(\log p)^k$
3) Netscape’s bug: generating p, q
     If we know SEED, we know p, q.
     Random number generator: $x_{i+1} = 7 x_i \pmod{13}$, SEED = 8

        SEED                 8
        8*7  (mod 13)        4
        4*7  (mod 13)        2     <= p
        2*7  (mod 13)        1
        1*7  (mod 13)        7     <= q
        7*7  (mod 13)        10
        10*7 (mod 13)        5

     $N = pq$ is then fully determined by the seed.
Computational attacks

4) $p - 1$ is the product of small primes $\le B$ (Pollard ’74)
       $a \equiv \left(\left(\left(2^2\right)^3\right)^4 \cdots\right)^B = 2^{B!} \pmod N$
       $\Rightarrow a \equiv 2^{B!} \equiv 2^{(p - 1)k} \equiv 1^k \equiv 1 \pmod p$
       $\Rightarrow p \mid \gcd(a - 1, N)$

5) Common modulus (Simmons):
     Fix $N$ for all users; different keys $e$ and $d$.

6) Blinding: get advisor to sign “innocent” $M' = r^e M$ (the thesis $M$ blinded by $r$):
       $S' = (M')^d = (r^e M)^d = r^{ed} M^d \equiv r M^d \pmod N$
     Dividing $S'$ by $r$ gives $M^d$: a signed thesis!
More computational attacks

7) Low private exponent $d$

Theorem (Wiener ’90): Assume $q < p < 2q$ and $d < \frac{1}{3} N^{1/4}$ and $e < \varphi(N)$.
             Given $N, e$, Marvin can recover $d$.

Proof:  $ed \equiv 1 \pmod{\varphi(N)} \Rightarrow ed - k\varphi(N) = 1$
        $\Rightarrow \dfrac{e}{\varphi(N)} - \dfrac{k}{d} = \dfrac{1}{d\varphi(N)}$
        $\Rightarrow \left| \dfrac{e}{N} - \dfrac{k}{d} \right| \le \dfrac{1}{d^2}$

Running time: compute the convergents of the continued fraction of $e/N$ in linear time!

Fixes:
1. use $e > N^{1.5}$
2. Use CRT with big $d$ and small $d_p \equiv d \pmod{p - 1}$, $d_q \equiv d \pmod{q - 1}$
Implementation attacks

1. Timing attack (Kocher ’96)

Long method (32 factors, 31 multiplications):
     $2^{32} = \underbrace{2 \cdot 2 \cdot 2 \cdots 2}_{32}$

Repeated squaring (5 squarings):
     $2^{32} = \left(\left(\left(\left(2^2\right)^2\right)^2\right)^2\right)^2$
     $2^{33} = 2 \cdot \left(\left(\left(\left(2^2\right)^2\right)^2\right)^2\right)^2$
     39 = 100111 in binary:
     $2^{39} = 2 \cdot \left(2 \cdot \left(2 \cdot \left(\left(2^2\right)^2\right)^2\right)^2\right)^2$

Computation time is correlated with number of 1’s in exponent
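An added example (not from the slides) that makes the correlation concrete: the left-to-right square-and-multiply behind the $2^{32}$, $2^{33}$ and $2^{39}$ expansions above with an operation counter, beside a variant that performs a multiply on every bit so the count depends only on the exponent's length. The functions and the mod $2^{64}$ sample values are my own.

```python
# Added example (not from the slides): count the operations of left-to-right
# repeated squaring, which the timing attack exploits, and of a variant that
# multiplies on every bit.  Functions and sample values are constructed here.

def square_and_multiply(base, exp, mod):
    """Return (base**exp % mod, squarings, multiplications) for the standard
    left-to-right method: square once per bit below the leading 1, multiply
    only when that bit is 1 (39 = 100111 -> 5 squarings, 3 multiplications)."""
    if exp < 1:
        raise ValueError("exponent must be positive")
    result = base % mod
    squarings = multiplications = 0
    for bit in bin(exp)[3:]:            # bits after the leading 1, MSB first
        result = result * result % mod
        squarings += 1
        if bit == '1':                  # key-dependent extra work: the leak
            result = result * base % mod
            multiplications += 1
    return result, squarings, multiplications


def square_and_always_multiply(base, exp, mod):
    """Same result, but a multiply is performed for every bit and discarded
    arithmetically (no branch) when the bit is 0, so the operation count is
    fixed by the bit length alone.  This is only a sketch of the countermeasure:
    real constant-time code must also avoid data-dependent memory access and
    timing variation inside the big-integer arithmetic itself."""
    if exp < 1:
        raise ValueError("exponent must be positive")
    result = base % mod
    squarings = multiplications = 0
    for bit in bin(exp)[3:]:
        result = result * result % mod
        squarings += 1
        candidate = result * base % mod
        multiplications += 1
        b = int(bit)
        result = b * candidate + (1 - b) * result   # select without branching
    return result, squarings, multiplications


if __name__ == "__main__":
    for exp in (32, 33, 39):
        _, sq, mul = square_and_multiply(2, exp, 2**64)
        print(f"2^{exp}: {bin(exp)} -> {sq} squarings, {mul} multiplications")
```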
2. Random faults (Boneh, DeMillo, Lipton ’97)

   $x^y \pmod{pq}$ is computed by CRT from the two halves
       $x^y \pmod p$   and   $x^y \pmod q$

   A fault in one half (say the mod-$p$ computation):
       $x^y + \text{error} \pmod p$   and   $x^y \pmod q$
   ⇒ the recombined value still agrees with the correct $x^y$ modulo $q$, i.e. it equals
       $x^y + \text{error}' \cdot q \pmod{pq}$
   ⇒ $\gcd(\text{error}' \cdot q,\ pq) = q$

     One error can lead to a factorization of $N = pq$.

     Two errors are ok.
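An added simulation (not code from the lecture) of the scenario above on a toy key from the constructed primes 61 and 53: the signature is computed half by half as in fix 2 of the Wiener slide, an error is injected into one half, the gcd of the faulty and correct signatures yields the other prime (and 1 when both halves are faulted), and sign_checked shows the usual countermeasure of verifying the result before releasing it. Names and constants are my own.

```python
# Added example (not code from the lecture): simulate a fault in one CRT half of
# an RSA signature, recover a prime factor from the faulty signature, and show
# the verify-before-release countermeasure.  Toy constants are constructed.
import math

P, Q = 61, 53                           # constructed toy primes
N = P * Q
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, 2753
DP, DQ = D % (P - 1), D % (Q - 1)       # CRT exponents (fix 2 of the Wiener slide)
Q_INV = pow(Q, -1, P)                   # q^{-1} mod p for Garner recombination


def sign_crt(m, fault_in_p=0, fault_in_q=0):
    """S = m^d mod N computed half by half; the fault_* arguments add an error to
    the mod-p / mod-q result to simulate a hardware glitch in that half."""
    s_p = (pow(m, DP, P) + fault_in_p) % P
    s_q = (pow(m, DQ, Q) + fault_in_q) % Q
    h = (Q_INV * (s_p - s_q)) % P       # Garner: S = s_q + q*h matches both halves
    return (s_q + h * Q) % N


def factor_from_faulty(good_sig, bad_sig):
    """A correct and a faulty signature of the same message agree modulo the
    prime whose half was computed correctly, so their difference shares that
    prime with N.  Returns it, or 1 when both halves were faulted."""
    return math.gcd(bad_sig - good_sig, N)


def sign_checked(m, fault_in_p=0, fault_in_q=0):
    """Countermeasure: verify S^e == m before releasing S; a faulty S never leaves."""
    s = sign_crt(m, fault_in_p, fault_in_q)
    if pow(s, E, N) != m % N:
        raise RuntimeError("signature failed self-check; withheld")
    return s


if __name__ == "__main__":
    good = sign_crt(42)
    bad = sign_crt(42, fault_in_p=1)
    print(good, bad, factor_from_faulty(good, bad))   # ... 53
```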
Fancier attacks (mathematical basis)

   LLL: Let $L$ be a lattice spanned by $w$ basis vectors. Given these bases
        as input, LLL outputs $v \in L$ satisfying:
             $\|v\| \le 2^{w/4} \det(L)^{1/w}$

   Theorem (Coppersmith ’97): Take $N$ and a polynomial $f(x)$ of degree $d$. Take $X = N^{1/d - s}$ for
        some $s \ge 0$. Given $\langle N, f \rangle$, Marvin can efficiently find
        all integers $|x_0| < X$ satisfying $f(x_0) = 0 \pmod N$.

   Lemma: Take a polynomial $h(x)$ of degree $d$ and a positive integer $X$.
        Suppose $\|h(xX)\| < N / \sqrt{d}$. If $|x_0| < X$ satisfies
        $h(x_0) = 0 \pmod N$, then $h(x_0) = 0$ holds over the integers.
Fancier attacks

1. Hastad’s Broadcast Attack ’88
                (low public exponent)

2. Franklin-Reiter Related Message Attack ’96

3. Coppersmith’s Short Pad Attack

4. Partial Key Exposure (BDF ’98)
   Theorem: For $N = pq$ of size $n$ bits, revealing the $n/4$
        least-significant or $n/4$ most-significant bits is enough
        to factor $N$ efficiently.
How to build a safe RSA cryptosystem (as of 2000)
1. Use long, random padding of messages
2. Use large secret key d (256 bits)
3. Use large public key e (65,537 is recommended)
4. Use primes p, q that are not too close and
     not 1 + product of small factors
5. Do not reveal any part of your key.
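As an added example (not code from the slides), the checks a key owner can run to enforce items 2 to 4 of this list, each derived from an attack earlier in the deck: Fermat's method for primes that are too close, the $2^{B!}$ computation of Pollard p-1 for a smooth $p-1$, the Wiener bound on $d$, and the public exponent. The toy primes $2^{31}-1$ and $10^9+7$, the check bounds and the function names are my own constructions.

```python
# Added example (not code from the slides): key-hygiene checks that mirror the
# pitfalls in this deck.  The primes and exponents below are constructed for
# illustration; a production check would use real key sizes and larger bounds.
import math


def close_primes(n, max_steps=1000):
    """Fermat's method (slide 19): if p and q are close, n = a^2 - b^2 with a just
    above sqrt(n), so trying a = ceil(sqrt(n)), ceil(sqrt(n)) + 1, ... for a few
    steps exposes p = a - b and q = a + b.  Returns (p, q) or None if not found."""
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b > 0 and b * b == b2:
            return a - b, a + b
        a += 1
    return None


def smooth_minus_one(n, bound):
    """Pollard p-1 (slide 21): a = 2^(bound!) mod n.  If p-1 divides bound!, then
    a == 1 (mod p) and gcd(a - 1, n) is p.  Returns the factor found or None."""
    a = 2
    for j in range(2, bound + 1):       # ((2^2)^3)^4 ... ^bound = 2^(bound!)
        a = pow(a, j, n)
    g = math.gcd(a - 1, n)
    return g if 1 < g < n else None


def wiener_bound_ok(n, d):
    """Wiener (slide 22) needs d < N^(1/4) / 3, i.e. 81*d^4 < N; reject such d."""
    return 81 * d**4 >= n


def check_key(p, q, e, d, fermat_steps=1000, smooth_bound=1000):
    """Return the list of problems found with the RSA key (p, q, e, d)."""
    n = p * q
    problems = []
    if close_primes(n, fermat_steps) is not None:
        problems.append("p and q too close")
    if smooth_minus_one(n, smooth_bound) is not None:
        problems.append("p-1 or q-1 is smooth")
    if not wiener_bound_ok(n, d):
        problems.append("private exponent too small")
    if e != 65537:
        problems.append("public exponent is not 65537")
    return problems


# Constructed toy keys.  2^31-1 is prime with p-1 = 2*3^2*7*11*31*151*331 (smooth);
# 10^9+7 is a safe prime, so q-1 = 2*500000003 is not smooth.
P_SMOOTH = 2**31 - 1
Q_SAFE = 10**9 + 7
PHI = (P_SMOOTH - 1) * (Q_SAFE - 1)
D_GOOD = pow(65537, -1, PHI)            # normal-sized private exponent
D_SMALL = 101                           # far below N^(1/4)/3
E_FOR_SMALL_D = pow(D_SMALL, -1, PHI)   # the public exponent that goes with it

if __name__ == "__main__":
    print(check_key(P_SMOOTH, Q_SAFE, 65537, D_GOOD))
    print(check_key(P_SMOOTH, Q_SAFE, E_FOR_SMALL_D, D_SMALL))
    close_phi = (10**9 + 6) * (10**9 + 8)
    print(check_key(10**9 + 7, 10**9 + 9, 65537, pow(65537, -1, close_phi)))
```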
References
• Twenty Years of Attacks on the RSA Cryptosystem by Dan Boneh, Notices of the AMS, February 1999.
• Cryptography: Theory and Practice by Douglas R. Stinson, CRC Press, 1995.
• Cryptanalysis of Short RSA Secret Exponents by Michael J. Wiener, IEEE Transactions on Information Theory, May 1990.
• Sphere Packings, Lattices and Groups by J.H. Conway and N.J.A. Sloane, Springer-Verlag 1993.