add: [workshop] more content for SOC

master
Jean-Louis Huynen 3 years ago
parent 94109782df
commit 8b7e53afd3
No known key found for this signature in database
GPG Key ID: 64799157F4BD6B93
  1. 8
      docs/workshop/5-snake-oil-crypto/hands-on-support/CREDIT.md
  2. 176
      docs/workshop/5-snake-oil-crypto/rsabasics.tex
  3. BIN
      docs/workshop/5-snake-oil-crypto/soc.pdf

@ -1,4 +1,12 @@
* Parts of this material (the keys) has been borrowed to Sjoerd Langkemper
https://www.sjoerdlangkemper.nl/2019/06/19/attacking-rsa/
* Some Algorithms were borrowed from Daniel J. Bersntein's website:
http://facthacks.cr.yp.to/fermat.html
* The "shared prime" key material comes from the challenge hosted here:
http://www.loyalty.org/~schoen/rsa/
* Pictures
https://www.freecodecamp.org/news/how-does-pretty-good-privacy-work-3f5f75ecea97/
https://upload.wikimedia.org/wikipedia/commons/4/4e/Web_of_Trust-en.svg

@ -0,0 +1,176 @@
\begin{frame}
\begin{center}
{\bf Understanding RSA}
\end{center}
\end{frame}
\begin{frame}
\frametitle{RSA Basics}
Ron {\bf R}ivest, Adi {\bf S}hamir, and Leonard {\bf A}dleman in 1977:
\begin{itemize}
\item asymmetric crypto system,
\item can encrypt and sign,
\item messages are big numbers,
\item encryption is basically multiplication of big numbers,
\item creates a \textit{trapdoor permutation}: turning x in y is easy, but
finding x from y is hard.
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{RSA - Use with openssl}
\begin{itemize}
\item {\bf Hands-on}:
\begin{lstlisting}
~/hands-on/UsingRSA
\end{lstlisting}
\item Decrypt message.bin
\item generate a new private key,
\item generate the corresponding public key,
\item use this new key to encrypt a message,
\item use this new key to decrypt a message.
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{RSA ``by hand''}
run: sage rsa.sage at the folder's root:
\begin{lstlisting}[basicstyle=\tiny]
PlainText is: 1234567890
p = random_prime(2^32) = 2312340619
q = random_prime(2^32) = 2031410981
n = p*q = 4697314125248937239
phi = (p-1)*(q-1) = 4697314120905185640
e = random_prime(phi) = 2588085603940229747
d = xgcd(e,phi)[1] = -2102894211931680277
Does d*e == 1?
mod(d*e, phi) = 1
CipherText y = power_mod(x, e, n) = 1454606910711062745
Decrypted CT is: 1234567890
\end{lstlisting}
\end{frame}
\begin{frame}
\frametitle{With only one key}
Several potential weaknesses:
\begin{itemize}
\item Key size too small: keys up to 1024 bits are breakable given the
right means,
\item close p and q,
\item unsafe primes, smooth primes,
\item broken primes (FactorDB, Debian OpenSSL bug).
\item signing with RSA-CRT (instead of RSA-PSS)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{With a set of keys}
Several potential weaknesses:
\begin{itemize}
\item share moduli: if n1 = n2 then the keys share p and q,
\item share p or q,
\end{itemize}
\vspace{10mm}
{\bf In both case, it is trivial to recover the private keys.}
\end{frame}
\begin{frame}[fragile]
\frametitle{Breaking small keys\footnote{https://www.sjoerdlangkemper.nl/2019/06/19/attacking-rsa/}}
\begin{itemize}
\item {\bf Hands-on}:
\begin{lstlisting}
~/hands-on/SmallKey
\end{lstlisting}
\item what is the key size of smallkey?
\item what is n?
\item what is the public exponent?
\item what is n in base10?
\item what are p and q?
\end{itemize}
\vspace{8mm}
{\bf Let's generate the private key: }using p, then using q.
\end{frame}
\begin{frame}[fragile]
\frametitle{Close Prime Factors}
\begin{itemize}
\item {\bf Hands-on}:
\begin{lstlisting}
~/hands-on/ClosePQ
\end{lstlisting}
\item use Fermat Algorithm\footnote{\url{http://facthacks.cr.yp.to/fermat.html}} to find {\bf both p and q:}
\begin{lstlisting}[basicstyle=\tiny]
def fermatfactor(N):
if N <= 0: return [N]
if is_even(N): return [2,N/2]
a = ceil(sqrt(N))
while not is_square(a^2-N):
a = a + 1
b = sqrt(a^2-N)
return [a - b,a + b]
\end{lstlisting}
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{Shared prime factors}
Researchers have shown that several devices generated their keypairs
at boot time without enough entropy\footnote{Bernstein, Heninger, and Lange: \url{http://facthacks.cr.yp.to/}}:
\begin{lstlisting}[language=python, basicstyle=\tiny]
prng.seed(seed)
p = prng.generate_random_prime()
// prng.add_entropy()
q = prng.generate_random_prime()
n = p*q
\end{lstlisting}
Given n=pq and n' = pq' it is trivial to recover the shared p by computing their
{\bf Greatest Common Divisor (GCD)}, and therefore {\bf both private
keys}\footnote{\url{http://www.loyalty.org/~schoen/rsa/}}.\\
\vspace{5mm}
``They cracked cracked about 13000 of them''
\end{frame}
\begin{frame}[fragile]
\frametitle{Shared prime factors}
\begin{itemize}
\item {\bf Hands-on}:
\begin{lstlisting}
~/hands-on/SharedPrimeFactor
\end{lstlisting}
\item Read README.txt, you have a challenge to solve :
\begin{itemize}
\item the \emph{answers} folder should be left alone for now,
\item \emph{scripts} contains scripts that may be useful
to solve the challenge,
\item \emph{attempts} may hold your attempt are
generating private keys.
\item \emph{bgcd-bd.sage} contains Daniel J. Berstein's algorithm for computing RSA
collisions in batches.
\end{itemize}
\end{itemize}
\end{frame}
Loading…
Cancel
Save