RSA without Integrity Checks

Experiments on RSA
without integrity checks
Demo of Reversing the Plaintexts from the Ciphertexts
Dr. Dharma Ganesan, Ph.D.,

Disclaimer
● The opinions expressed here are my own
○ But not the views of my employer
● The source code fragments and exploits shown here can be reused
○ But without any warranty nor accept any responsibility for failures
● Do not apply the exploit discussed here on other systems
○ Without obtaining authorization from owners
2

Goal of this presentation (details later)
● Explain how to break unauthenticated RSA
○ That is, RSA without digital signature/integrity checks
● Present exploit: Man-in-the-middle edit public exponents
○ Uses Bézout’s theorem to recover the plaintexts from ciphertexts
○ Extended Euclidean Algorithm is the core
● This challenge was given to me by a friend who works for
a social media giant
3

Informal system design and constraints for attackers
● A set of apps send data to each other using public-key cryptography (RSA)
○ App i uses the public key of app j to send encrypted data to app j
○ Apps send public keys over public channels, without digital signature/certificate
● The attackers are allowed to edit only the RSA public exponent e
● The attackers cannot impersonate any app nor inject their own apps
● Goal: Reverse the plaintext from the ciphertext, satisfying the constraints
4

Prerequisite (to follow the remaining slides)
Some familiarity with the following topics will help to follow the rest of the slides
● Group Theory (Abstract Algebra/Discrete Math)
● Modular Arithmetic (Number Theory)
● Algorithms and Complexity Theory
● If not, it should still be possible to obtain a high-level overview
5

How can Bob send a message to Alice securely?
6
Public Key PuA
● Alice and Bob never met each other
● Bob will encrypt using Alice’s public key
○ Assume that public keys are known to the world
● Alice will decrypt using her private key
○ Private keys are secrets (never sent out)
● Bob can sign messages using his private key
○ Alice verifies message integrity using Bob’s public key
○ Not important for this presentation/attack
● Note: Alice and Bob need other evidence (e.g., passwords,
certificates) to prove their identity to each other
Private Key PrA
Public Key PuB
Private Key PrB

RSA Public Key Cryptography System
● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman
● Rooted in elegant mathematics - Group Theory and Number Theory
● Core idea: Anyone can encrypt a message using recipient's public key but
○ (as far as we know) no one can efficiently decrypt unless they got the matching private key
● Encryption and Decryption are inverse operations (math details later)
○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA
● Eavesdropper Eve cannot easily derive the secret (math details later)
○ Unless she solves “hard” number theory problems that are computationally intractable
7

8
Notations and Facts
GCD(x, y): The greatest common divisor that divides integers x and y
Co-prime: If gcd(x, y) = 1, then x and y are co-primes
Zn
= { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn
as a circular wall clock
Z*
n
= { x ∈ Zn
| gcd(x, n) = 1 }; (additional info: Z*
n
is a multiplicative
group)
φ(n): Euler’s Totient function denotes the number of elements in Z*
n
φ(p) = p-1, if p is a prime number
x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n

Bézout’s identity (needed later for this attack)
● Let a and b are two integers. There exists a pair of integers x and y such that:
○ a.x + b.y = gcd(a, b)
● If a and b are relatively prime to each other, then
○ a.x + b.y = 1
● For a given a and b, we use the Extended Euclidean Algorithm to find x and y
9

RSA - Key Generation Algo. (Fits on one page)
1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits)
○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later)
2. Pick two independent, large random primes, p and q, of half of n’s bitlength
○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization)
3. Compute n = p.q (n is also called the RSA modulus)
4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)
5. Select numbers e and d from Zn
such that e.d ≡ 1(mod φ(n))
○ Many implementations set e to be 65537 (Note: gcd(e, φ(n)) = 1)
○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt)
○ d is the multiplicative inverse of e in Zn
6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q>
Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately
10

Formal definition of the RSA trapdoor function
● RSA: Zn
→ Zn
● Let m and c ∈ Zn
● c = RSA(m) = me
mod n
● m = RSA-1
(c) = cd
mod n
● e and d are also called encryption and decryption
exponents, respectively
● Note: Attackers know c, e, and n but not d
11

13
MiTM changed the RSA
public exponent e to e’ such
that gcd(e, e’) = 1
Gibberish because e’ is not a
valid public exponent

Core idea of the attack
● The attacker corrupts the public exponent e
● Instead of the standard exponent e = 65537, she modifies to e' = 65539
● Note that gcd(e, e') = 1
● They both are relatively prime to each other
● The receiver will get gibberish during decryption because of the corrupted e
● The receiver will resend the same public key pair <n, e>
● The sender will re-encrypt the same message using the public key pair
● Now the attacker does not modify the public key pair
14

Core idea of the attack …
● The attacker has two ciphertext pair:
● c' which is the ciphertext produced by the sender using e'
● c which is the ciphertext produced by the sender using correct e
● Goal of the attacker is to recover the plaintext m from <c, c', e, e'>
15

Algorithm: Recover the plaintext m from <c, c', e, e'>
● To recover m, the attacker applies the Extended Euclidean Algorithm:
● Since gcd(e, e' ) = 1, there must exist x and y such that e.x + e'.y = 1
● We can prove that the plaintext m = cx
. (c' )y
mod n
○ cx
= (me
)x
mod n
○ (c')y
= (me'
)y
mod n
○ cx
. (c' )y
= (me
)x
mod n . (me'
)y
mod n
= m(ex + e' y)
mod n = m
● Summary: The attacker recovered m from <c, c', e, e', x, y>
16

Implementation of the algorithm
17
public static BigInteger reversePlaintext(BigInteger n, BigInteger e,
BigInteger e_err, BigInteger c, BigInteger c_err) {
BigIntEuclidean bigIntEuclidean = BigIntEuclidean.calculate(e, e_err);
BigInteger x = bigIntEuclidean.x;
BigInteger y = bigIntEuclidean.y;
BigInteger part1 = c.modPow(x, n);
BigInteger part2 = c_err.modPow(y, n);
BigInteger result = part1.multiply(part2).mod(n);
return result;
}
Mapping of variables to the algorithm:
c_err → c‘
e_err → e‘
part1 → cx
part2 → (c')y
BigIntEuclidean class implements
the Extended Euclidean Algorithm

Captured public key <n, e>
19
n =
18004824506648204194492044002988064209675766035584463299236235
06494317520722425405499266736358111222092353075238943051957607
72838177133711938809223918443876724379628144541547953255275703
55545843143202611749143674603115027112767793615940083335822504
14001260300000139604098161722910625646686414595219516699059074
64124112599480274057376820125309201418774936670930722094112920
75668511384565582317364152493210500975624064036271597500904886
41493391778556544669856827168913235058037152190508905547682028
60172358074680448465215575045155812495385151214152726263391080
32505413436163412529544236195170662429539872646199926257967
e = 65537

Captured traffic (with wrong exponent e = 65539)
20
c' =
628936728EB827FFCA8EF47ED38DEA19BA5C2FFF3B00D34A59BA
49002E4143BE5F8992C4CF46AC6CDAFA969BB4EC07C58D757245
DAAA794F5B382302ED906324B3973D453A2F4495783BDD6989DC7
5C6E7C530979F1E5216734BF3FB3203AE1FD5631B0FE135BD259A
377763ED63F961C7598C5C4871B990F3230A7BBEE60129D1B2B64
0B3AE2C36DD5B76F66AC5B9AA99C48FDF31E608DE005719BEA2A
DD92D5754E7ECBDF39F9D204820EF97D473FA897860587AE4B0C
4DF01E98C7B501C4FE26A5A4624DF3648FBB0F7F61DC79DAFE1E
9881A9A27A66CE3BB4D92FC52DB790ACD48A5009325A79D157106
07B30B7BCC37E305132F6A9A2C3A56E0A5990854

Captured traffic (with correct exponent e = 65537)
21
c =
06DEC6DCE2726801CB815FFF5443960B7C11AB9E7
487F3E3B7D9613979AC473E238AE4D5624F4B97F7
567D495D5871A1D1B234E42771FCF9B47EF43F85A
08299BC98D5A9AD16A6B102FC9EC03AACC01B526
79E089589D2CBB09E9F127A1829DC59AFC7197431
E59F1B63DAC08878D0F8D0C2885CE30E955334D63
C4C30D8A619EE245A584F4704A989B2992257AE29
503EDE0C5637DA220522ECB495AAA980103505459
AE36952052B4CF5EFEB2D847405C02A60AB2EAB92
8206BA0DFE8438C491264F19C93819E158A26F8507
A1083B7A223B1A6EA145EEC2B4084E87D094426F2
6D00C84FA24369C159EF5C029918118E784A101AB
D00A7B3B59E6C7E643BE

Demo client to break Raw RSA (2048-bit modulus)
22
$ java RSA_MiTM $n 65537 65539 $c $c_err
Hi, How are you?
The attacker recovered the secret
from <c, c', e, e'>

Conclusion/Discussion
23
● The main goal was to experiment with an incorrect RSA usage pattern
● That is, without integrity checks or digital signature
● The Man-in-the-middle (MiTM) just has to edit the public exponent e
● MiTM was able to recover plaintexts using Extended Euclidean Algo.
● Note that this attack works when RSA is used without any padding
● RSA without integrity checks can lead to interesting attacks
● In TLS, the server’s public key is digitallly signed, so MiTM’s job is very difficult to edit e
● RSA is a classical crypto system but has to be used very carefully

References
● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE
Transactions on Information Theory, vol. IT-22, no. 6, November, 1976.
● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital
signatures and public-key cryptosystems,” CACM 21, 2, February, 1978.
● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied
Cryptography,” CRC Press, 1996.
● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students
and Practitioners,” Springer, 2011.
24

RSA without Integrity Checks

More Related Content

What's hot (20)

Similar to RSA without Integrity Checks (20)

More from Dharmalingam Ganesan (13)

Recently uploaded (20)

RSA without Integrity Checks