The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli
Matúš Nemec, Marek Sýs, Petr Švenda, Dušan Klinec, Vashek Matyáš
Centre for Research on Cryptography and Security, Masaryk University; Ca' Foscari University of Venice

Abstract
We discovered an algorithmic flaw in the construction of primes for RSA key generation in a widely-used library of a major manufacturer of cryptographic hardware. The primes suffer from a significant loss of entropy. We proposed a practical factorization method that requires only the value of the public modulus and does not depend on a weak or faulty random number generator. We devised an extension of Coppersmith's factorization attack utilizing an alternative form of the primes in question. The library is found in NIST FIPS 140-2 and CC EAL 5+ certified devices used for a wide range of real-world applications, including identity cards, Trusted Platform Modules, PGP, and tokens for authentication or software signing. The impacted devices are widespread. We responsibly disclosed our findings to the manufacturer of the flawed library. Our work was published at ACM CCS 2017 [1] and received the Real-World Impact Award.

Background – surprising biases in RSA public keys
Švenda et al. [2] described how cryptographic libraries generate RSA primes in various ways, introducing subtle biases in the public keys sufficient to classify the keys by their origin. Infineon smartcards produced especially biased keys.
[Figure: distribution of the most significant bytes of the primes P and Q, each on the range 2^(k-1) to 2^k, for Microsoft CryptoAPI, OpenSSL 1.1.0e, WolfSSL 3.10.2, mbedTLS 1.3.19, and the Infineon JTOP 80K card.] The distribution of the most significant bytes of a pair of RSA primes varies for different cryptographic libraries.
The properties of vulnerable keys
The distribution of the Infineon RSA primes and keys modulo small primes is irregular, unlike randomly chosen primes and keys, which are distributed uniformly modulo small primes (left). In fact, the primes belong to a small subgroup modulo a product M of small consecutive primes, which led us to the discovery of the structure of the primes (right). The primes and RSA moduli suffer from a significant loss of entropy and can be uniquely fingerprinted using a fast discrete logarithm.
[Figure: the distribution of RSA keys modulo small primes, with N = p * q; p_ideal = random prime; p_Infineon = k * M + (65537^a mod M), a, k ∈ Z; M = 2 * 3 * 5 * 7 * ... * P_n. Inset: entropy in a prime, random vs. Infineon.]

Factorization attack complexity
The complexity of the factorization depends on the size of the keys (horizontal axis). However, due to the different parameters used in their generation (different values of M at the top of the figure), the time required to break a key (vertical axis, blue dots) does not strictly increase. Therefore, some key lengths are more affected, including the common sizes of 1024 bits and 2048 bits. The attack can be easily parallelized with independent processors to achieve a linear speedup.
[Figure: worst-case factorization time in years (10^3 to 10^75, vertical axis, blue dots) against key size in bits (512 to 4096, horizontal axis); the parameter M changes with key size: M_1 (219 b), M_2 (475 b), M_3 (971 b), M_4 (1962 b); 3936-bit keys marked separately.]
Worst case factorization time:
512-bit: 2 CPU hours
1024-bit: 2 CPU months
2048-bit: 100 CPU years
No practical attack:
3072-bit & 3584-bit: allowed by BSI for QES
3936-bit: attack not applicable
4096-bit: 10^9 CPU years

Impact on real-world applications of cryptographic chips
Electronic identity documents (eID) were significantly impacted, with Spain, Slovakia, Estonia, Austria, Bulgaria, Brazil, Italy, Kosovo, Malaysia, Poland, and Taiwan affected. Trusted Platform Modules (TPM) used for platform integrity and data encryption (e.g., by Microsoft BitLocker) were vulnerable, as well as authentication tokens and other devices.
Affected applications: identity documents (eID, eHealth cards); Trusted Platform Modules (TPM); authentication tokens; programmable smartcards; message protection (S/MIME, PGP); software signing.

Coppersmith's factorization method
Coppersmith's method uses partial knowledge of one of the primes to compute the factorization of an RSA modulus. At least half of the bits of the prime must be known; the method runs faster with more known bits. We use the method as a black-box tool.

Making the attack practical
To attempt a factorization of a vulnerable RSA key, we guess the value of a and compute the much larger "known" part of the prime as 65537^a mod M. We then try to compute k using Coppersmith's method, which succeeds only if the guess was correct. In the worst case, the attack requires trying half of all the possible values of a.

a is still too large – find a smaller M′ (a divisor of M)
For the majority of RSA key sizes, the bit length of M (and of 65537^a mod M) is much larger than the bound required for the attack (one half of the prime's bit length). We find a smaller M′ (a divisor of M) such that its size is still sufficient, yet the size of a′ is significantly reduced compared to a.

Entropy in primes
The figure shows the number and origin of random bits in relation to the size of the prime (vertical axis) for keys of a given length (horizontal axis). A large portion of the prime's bits is determined by the structure (orange) and can be computed from the knowledge of the random bits (green). Coppersmith's attack reduces the required number of known bits even lower (black dots).
[Figure: prime size in bits (0 to 2048, vertical axis) against key size in bits (512 to 4096, horizontal axis); series: bits of the prime, determined by the structure, random bits in k, random bits in a, brute-force search space (a′).]

The attack optimization process
Smaller values of M′ (fewer known bits) require fewer guesses of the value of a′. However, the evaluation of each guess takes more time. We select the parameters corresponding to the minimal overall time of the factorization.
[Figure: for 260 to 340 known bits, the number of attempts (2^27 to 2^42) and the time per attempt (0.001 to 1 s) combine into the total time in years (10^0 to 10^2).]

Acknowledgements
This project was supported by the Czech Science Foundation, project GA16-08565S. We greatly appreciate the access to the computing resources of the National Grid Infrastructure MetaCentrum (CESNET LM2015042).

References
[1] Matúš Nemec, Marek Sýs, Petr Švenda, Dušan Klinec, Vashek Matyáš. The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli. In Proceedings of the 24th ACM Conference on Computer and Communications Security (ACM CCS 2017), 2017.
[2] Petr Švenda, Matúš Nemec, Peter Sekan, Rudolf Kvašňovský, David Formánek, David Komárek, Vashek Matyáš. The Million-Key Question – Investigating the Origins of RSA Public Keys. In Proceedings of the 25th USENIX Security Symposium, 2016.

roca.crocs.fi.muni.cz
[email protected]
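A key-scanning check built from the fingerprint described under "The properties of vulnerable keys", added here as an example and not the authors' own tool: a modulus N = p * q whose primes have the form k * M + (65537^a mod M) is, modulo every small prime dividing M, a power of 65537, so N passes the fingerprint exactly when N mod p_i has a discrete log base 65537 for every p_i. M is assumed here to be the product of the first 39 primes (2 to 167); the structured primes used for the demonstration are constructed in the code, not taken from any real device.

```python
from math import prod

GENERATOR = 65537
# Assumed M: the product of the first 39 primes (2..167); the library's real M varies with key size
SMALL_PRIMES = [p for p in range(2, 168) if all(p % d for d in range(2, p))]
M = prod(SMALL_PRIMES)

def subgroup(p):
    # all powers of 65537 modulo p: n mod p has a discrete log base 65537 iff it is in this set
    elems, x = set(), 1
    while x not in elems:
        elems.add(x)
        x = x * GENERATOR % p
    return elems

SUBGROUPS = {p: subgroup(p) for p in SMALL_PRIMES}

def is_roca_like(n):
    # fingerprint: n mod p_i must lie in <65537> for every small prime p_i dividing M
    return all(n % p in SUBGROUPS[p] for p in SMALL_PRIMES)

def false_positive_rate():
    # chance that a random odd modulus passes: product of |<65537>| / (p_i - 1); mod 2 is trivial
    rate = 1.0
    for p in SMALL_PRIMES[1:]:
        rate *= len(SUBGROUPS[p]) / (p - 1)
    return rate

def is_probable_prime(n):
    # Miller-Rabin with fixed small bases (n assumed odd and larger than the bases); demo only
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES[:12]:
        x = pow(a, d, n)
        if x in (1, n - 1): continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1: break
        else:
            return False
    return True

def structured_prime(a, k):
    # constructed prime of the stated form k*M + (65537^a mod M); k is searched upward
    r = pow(GENERATOR, a, M)
    while not is_probable_prime(k * M + r):
        k += 1
    return k * M + r
```

A modulus built as `structured_prime(12345, 1 << 36) * structured_prime(67890, 1 << 36)` passes `is_roca_like`, while a modulus such as `1000003 * 1000033` is rejected already at p_i = 11, where 65537 has order 2.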