The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli
ACM CCS'17, Dallas, TX, USA
Matus Nemec (1,2), Marek Sys (1), Petr Svenda (1), Dusan Klinec (3,1), Vashek Matyas (1)
1 Masaryk University, Brno, Czech Republic; 2 Ca' Foscari University, Venice, Italy; 3 Enigma Bridge, Cambridge, UK
Contributions (roca.crocs.fi.muni.cz)
Structure of RSA primes in the library of Infineon Technologies
Application of Coppersmith's factorization method
Analysis of impacted domains, including eID, TPM, tokens and other NIST FIPS 140-2 and CC EAL 5+ certified devices
Lessons learned and mitigation
@CRoCS_MUNI | [email protected] The Return of Coppersmith’s Attack November 2, 2017 2 / 12
Test public keys for fingerprint at roca.crocs.fi.muni.cz
Revoke certificates of weak keys (services become unavailable)
Change algorithm, e.g. ECC (must update infrastructure)
Generate new, secure keys:
  Firmware update (uncommon), replace the device (costly)
  Import a secure keypair (requires trusted environment)
Temporarily switch to less affected key lengths (e.g., 3936-bit)
  Significantly reduced security level, attack may improve
Additional risk management when a vulnerable key is detected
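The fingerprint test named in the first mitigation item, as an added example (my code, not the authors' detector and not the roca.crocs.fi.muni.cz service): a modulus whose primes have the shape k*M + 65537^a mod M leaves every residue N mod p, for small primes p dividing M, inside the subgroup generated by 65537, so a key that fails even one residue check is not affected. The list of 38 small primes and the two sample moduli are assumptions constructed for this example.

```python
from math import prod

GENERATOR = 65537

# Assumption (not stated on the slide): the residue check runs over these
# 38 small odd primes; N mod 2 carries no information for an odd modulus.
PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
          67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
          137, 139, 149, 151, 157, 163, 167]


def allowed_residues(p):
    """The cyclic subgroup <65537> of Z_p^*: the only residues mod p that a
    product of primes of the form k*M + 65537^a mod M can take when p | M."""
    seen, r = set(), 1
    while r not in seen:
        seen.add(r)
        r = (r * GENERATOR) % p
    return frozenset(seen)


ALLOWED = {p: allowed_residues(p) for p in PRIMES}


def failing_primes(n):
    """Small primes whose residue of n lies outside <65537>; a single such
    prime rules the fingerprint out."""
    return [p for p in PRIMES if n % p not in ALLOWED[p]]


def has_roca_fingerprint(n):
    """True when n passes every residue check, i.e. is a revocation candidate."""
    return not failing_primes(n)


# --- constructed inputs for a self-check (not real keys) ------------------
M = 2 * prod(PRIMES)                      # primorial 2*3*5*...*167


def structured_factor(k, a):
    """k*M + 65537^a mod M, the prime shape the paper attributes to the
    affected library. Constructed for the check only; not tested for primality."""
    return k * M + pow(GENERATOR, a, M)


SAMPLE_STRUCTURED = structured_factor(123456789, 42) * structured_factor(987654321, 77)
SAMPLE_UNSTRUCTURED = (1 << 1024) + 3     # arbitrary odd number without the shape

if __name__ == "__main__":
    for name, n in [("structured", SAMPLE_STRUCTURED), ("unstructured", SAMPLE_UNSTRUCTURED)]:
        print(name, has_roca_fingerprint(n), failing_primes(n)[:5])
```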
Oct 23rd: Tanja Lange & Daniel J. Bernstein announced a faster attack
Vulnerable devices from 2007 found
Oct 30th: Full paper published
Graham Steel @graham_steel · Oct 17
I guess that was inevitable... will they have a faster version of the attack before the paper is even released?
Had fun reverse engineering github.com/crocs-muni/roc… w/ @hashbreaker SHA256: 01463fbab8a8f9e345cd3f2201556a26d2f81b03cf2b8760643148b9a01255a6
Daniel J. Bernstein @hashbreaker
Replying to @graham_steel
Yup. Our 2048bit attack using @sagemath is now 5-25% faster than ROCA blog. 3fd6a53a3b6362248ac10de4a8108df3c839a7193a96d0991c6675990599d917
12:34 AM - 23 Oct 2017
Tanja Lange @hyperelliptic
Optimizations may weaken security
Secret design ⇒ delayed discovery of flaws ⇒ increased impacts
Reconsider the certification process
Prevent a single point of failure
  Secure multi-party computation
  Collaborative RSA
Thank you for your attention