• Coding

  • Exploiting Weaknesses in RSA

I've been recently working on one of the most interesting topics in my field and one of my favorite as well:
Cryptography and Information Security...

I - Introduction
Cryptography is probably the most important aspect of communications security and is becoming increasingly important as a basic building block for computer security.

By far the most important automated tool for network and communications security is encryption. Two forms of encryption are in common use:
1- Conventional, or symmetric encryption.
2- Public-key, or asymmetric encryption.

The RSA algorithm was developed in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at MIT and first published in 1978. The Rivest-Shamir-Adleman (RSA) scheme has since that time reigned supreme as the most widely accepted and implemented general-purpose approach to public-key encryption.

II - Description of the Algorithm
Note: (I used images to show operators, powers, and other mathematical terms that cannot be expressed here)

Encryption and decryption are of the following form, for some plaintext block M and ciphertext block C:

Both sender and receiver must know the value of n. The sender knows the value of e, and only the receiver knows the value of d. Thus, this is a public-key encryption algorithm.

The ingredients of the RSA are the following:

The private key consists of {d, n} and the public key consists of {e, n}. Suppose that user A has published its public key and that user B wishes to send the message M to A. Then B calculates C = M^e mod n and transmits C.
On receipt of this ciphertext, user A decrypts by calculating M = C^d mod n.


The resulting keys are public key PU = {7,187} and private key PR = {23,187}. The example shows the use of these keys for a plaintext input of M = 88. For encryption, we need to calculate C = 88^7 mod 187. This can be done by exploiting the properties of Modular Arithmetic.


III - The Security of RSA
Four possible approaches to attacking the RSA algorithm are as follows:

1- Brute force: This involves trying all possible private keys.
2- Mathematical attacks: There are several approaches, all equivalent in effort to factoring the product of two primes.
3- Timing attacks: These depend on the running time of the decryption algorithm.
4- Chosen ciphertext attacks: This type of attack exploits properties of the RSA algorithm.


The defense against the brute-force approach is the same for RSA as for other cryptosystems, namely, use a large key space. Thus, the larger the number of bits in d, the better.
However, because the calculations involved, both in key generation and in encryption/decryption, are complex, the larger the size of the key, the slower the system will run.


We can identify three approaches to attacking RSA mathematically:

1- Factor n into its two prime factors. This enables calculation of f(n) = (p - 1) x (q - 1), which, in turn, enables determination of d e^-1 (mod f(n)).
2- Determine f(n) directly, without first determining p and q. Again, this enables determination of d e1 (mod f(n)).
3- Determine d directly, without first determining f(n).


Most discussions of the cryptanalysis of RSA have focused on the task of factoring n into its two prime factors. Determining f(n) given n is equivalent to factoring n.
With presently known algorithms, determining d given e and n appears to be at least as time-consuming as the factoring problem. Hence, we can use factoring performance as a benchmark against which to evaluate the security of RSA.

For a large n with large prime factors, factoring is a hard problem, but not as hard as it appears...

IV - The Attack on RSA
There are 3 known algorithms to attack RSA by factorizing N into 2 prime numbers,

1- Quadratic Sieve (April 1991)
2- General Number Field Sieve (April 1996)
3- Lattice Sieve (April 2003)


V - The Code
What follows is a C# code i wrote today to factorize N into 2 prime numbers.
long n = _N; // Get the value of N
long sqrtOfN = (long)Math.Sqrt(n);  // Find the Square root of N.

long p = 0;
long q = 0;

// Loop through all values untill reaching the Square Root (There's no need to continue beyond this number)
for (p = 2; p <= sqrtOfN; p++)
{
    // Check For Primality of P.
    if (_CheckIfPrime(p) == true)
    {
        // If P is prime, calculate q = N / P. If Q must be a prime number too.
        q = n / p;
     
        // Check For Primality of Q.
        if (_CheckIfPrime(q) == true)
        {
            if (q * p == n)
            {
                // Display Results...
                MessageBox.Show(p.ToString() + "\n" + q.ToString());
                break;
            }
        }                    
    }
}
In order to check if a number is a prime, i wrote another function that returns the bool value True is the number checked is a prime.
Here's the function:
public bool _CheckIfPrime(long number)
{
    bool isPrimeNumberFound = true;

    // Get Square root of number and iterate, start from 2 (cannot start from 0 or 1).
    int checking = (int)Math.Sqrt((double)(number));

    // perform iteration from 2 all the way to the value of "checking".
    for (int j = 2; j <= checking; j++)
    {
        // If remainder = 0 ==> current number is not a prime number...
        if (number % j == 0)
        {
            isPrimeNumberFound = false;
            break;
        }
    }
    return isPrimeNumberFound;
}
Testing is code with values of N ranging between 0 and 2^32 gives instant results.
for example, if N = 654643387, P and Q are equal to 25583 and 25589. (calculated instantly)

Larger values takes some time to compute the 2 prime numbers P and Q.

Note that for better security in the RSA, P and Q should be selected carefully. To avoid values of n that may be factored more easily, P and Q should differ in length by only few digits and should be on a close order of magnitude. The Closer to the Square root of N, the harder to guess P and Q.

For example, if P = 11, which is a prime, it takes less than a fraction of a second to guess Q, since we'll be checking values of P starting from 0 till the Square Root of N.


-------------
This is it for today, I hope you'll like this post as much as i do. I tried to explain all keywords by adding references to Wkikipedia.

I'd also appreciate any comments on this post.
Cheers'
ok, nice presentation, but that dosen't make it practical. What you described (and coded) isn't really a weakness ... and take a LONG time when you are working with real keys (2^128 and waay above)
as for your code 
for (int j = 2; j <= checking; j++)
you can make it faster by omitting all the even number that you are checking.
A good and constructive thread/topic.
9/10 + extra 100points for effort and achievement ;)
what i was more interested in is the reference analysis on which your conclusion regarding optimal length was based.

another thing you could have been more specific on is at what level of a stack the RSA is being implemented
and what is being achieved by that implementation.

can we expect more good threads from you? :)
@Georges, I really enjoyed reading your post, it is quite nice and informative. It gave me a general idea oh how RSA keys are cracked and I had no clue about that previously. Hope to read more cool posts from you, keep up the good work man :)
@BashLogic: It's easy to see that the further a factor is from the square root (from above) the closer the corresponding prime is to 1.
128 bit prime multiple. You should at most have to test around 2^64 numbers. If a factor was around 2^96, the remaining factors will multiply at up to 2^32 so they are individually <= 2^32.
Of course, saying that indeed a factor should be around the square root is a deficiency in itself, since attackers can start working starting from there. I believe cryptographic algorithms use cryptographic random generators that are not as easy as the usual random generators to predict a pattern of.
@George: This is a nice and interesting post. I went directly to wiki after reading this read to see where things you skipped fit. It is however too convoluted to get into casually.
Thank you first for your feedback.

Padre:
Regarding what you mentioned about the key length and its effect on the time, especially when dealing with keys up to 2^1024 and perhaps 2^2048, the function that checks for primality is not efficient at all ! and i know that.

Optimizing the code is another discussion, and this can be done by previously calculating all prime numbers from 0 up to 2^1024 and then directly checking for the primes in the first function.

One more advanced and smart solution is sorting the previously calculated primes by order of magnitude to facilitate calculations (The sum of magnitude of prime numbers should be as close as possible as the length of the key)
For example, you don't have to check for numbers with low powers: (2^5) * (2^20) will not give you a key of 2^1024.

BashLogic:
Your first question was answered by arithma in his topic. He mentioned 2 good points i was going to include in this topic. The proximity of numbers from the square root is a disadvantage as well, and the randomly generated numbers.

And i didn't understand what you meant in your second question. Would you please explain it more ?

Aymanov
Thank you my friend ! And yes, definitely more interesting posts will be posted soon.

Arithma
That was a good explanation for BashLogic's question.
I realize that RSA is very complicated to understand, implement, and crack. and i'll be working next with larger key values. I'll be optimizing the code, go deeper into each mathematical attack algorithm mentioned above, and perhaps i can win a noble prize xD
This is an interesting tanget: http://en.wikipedia.org/wiki/Primality_test
Apparently, you don't need to decompose a number to its factors to learn about whether its prime or not (if that's all you need, such as in the case of generating two primes)
arithma wroteThis is an interesting tanget: http://en.wikipedia.org/wiki/Primality_test
Apparently, you don't need to decompose a number to its factors to learn about whether its prime or not (if that's all you need, such as in the case of generating two primes)
I think you're getting it wrong here.

1- The key N is not a prime number and cannot be one. Since it's the result of the multiplication of 2 primes.
2- The prime number cannot be decomposed into 2 prime numbers. (It's already a prime :P)
--

As for checking for Primality of a number, we can simply ignore it in our process, since a previously calculated list of all prime numbers from 0 to 2^1024 will allow you to only Compare numbers - without checking for their primality...

I'm thinking of this as an optimization of my code...
Georges Raad wroteThank you first for your feedback.


BashLogic:
And i didn't understand what you meant in your second question. Would you please explain it more ?
;) ok, let me rephrase my statement. what I meant is to point out where RSA is being implemented and benefited of. for example, SSH. within a stack, SSH runs of TCP/IP and serves for example shell functions and port redirecting. what i wanted you to bring out is that people have heard of different encryption methods but most often people have not totally grasped what the encryption achieves as an implemented solution. encrypting data, yes, but data can be in several states from security perspective. for example:

- in transit (concerns transfer protocols such as SSH),
- in place (archived and crypted data),
- in process (being processed by an application or set of application interfaces)
You're getting it wrong.
0 to 2^1024. To represent each of these numbers you'll need at least 1024 bits for each number to represent the numbers on the larger end. That's 256Bytes per entry. 2^1024 * 256Bytes / 2^10 ( K ) / 2^10 ( M ) / 2 ^ 10 (G) / 2 ^ 10 (T) = 992 TB to choose from. Of course prime count is always > 1/ln(n) which means it's somewhere between 1TB and 992TB

Simply, don't try this at home :P
arithma wrote@BashLogic: It's easy to see that the further a factor is from the square root (from above) the closer the corresponding prime is to 1.
128 bit prime multiple. You should at most have to test around 2^64 numbers. If a factor was around 2^96, the remaining factors will multiply at up to 2^32 so they are individually <= 2^32.
Of course, saying that indeed a factor should be around the square root is a deficiency in itself, since attackers can start working starting from there. I believe cryptographic algorithms use cryptographic random generators that are not as easy as the usual random generators to predict a pattern of.
@George: This is a nice and interesting post. I went directly to wiki after reading this read to see where things you skipped fit. It is however too convoluted to get into casually.
you put it in a nice way ;)
16 days later
@geroges plz leave the reference of the book at the end next time.
for those who are interested it's
Cryptography and Network Security
Principles and Practice
Second Edition
William Stallings
It's a great book actually i know it by heart that's how I've figured out the reference specially when talking about RSA :D
I think it will be a real pain to find it here in Lebanon i don't know.
speaking about decrypting RSA.
there is some rumors that it was cracked and not by using brute force.
Brute forcing is for limited mind people.
and by pure coincidence wikileaks.com now is publishing some data that suppose to be ciphered using RSA.
so if they really hacked the us government they must know how to crack RSA.
actually i'm trying to attack the RSA cipher as a personal effort maybe i'll get it some times :D
by the way nice effort doing the coding. apparently it doesn't take a lot of time but you deserve a credit for that. but you like it or not you need to get to binary. you need to program a software that is able to manipulate binary numbers and not integers. any one interested in cracking RSA is welcome to help!
g-087 wrote@geroges plz leave the reference of the book at the end next time.
for those who are interested it's
Cryptography and Network Security
Principles and Practice
Second Edition
William Stallings
It's a great book actually i know it by heart that's how I've figured out the reference specially when talking about RSA :D
I think it will be a real pain to find it here in Lebanon i don't know.
speaking about decrypting RSA.
there is some rumors that it was cracked and not by using brute force.
Brute forcing is for limited mind people.
and by pure coincidence wikileaks.com now is publishing some data that suppose to be ciphered using RSA.
so if they really hacked the us government they must know how to crack RSA.
actually i'm trying to attack the RSA cipher as a personal effort maybe i'll get it some times :D
by the way nice effort doing the coding. apparently it doesn't take a lot of time but you deserve a credit for that. but you like it or not you need to get to binary. you need to program a software that is able to manipulate binary numbers and not integers. any one interested in cracking RSA is welcome to help!
I have the ebook but the 4th edition.
Going to read it after i finish up the other books.
g-087 wrote@geroges plz leave the reference of the book at the end next time.
for those who are interested it's
Cryptography and Network Security
Principles and Practice
Second Edition
William Stallings
It's a great book actually i know it by heart that's how I've figured out the reference specially when talking about RSA :D
I think it will be a real pain to find it here in Lebanon i don't know.
speaking about decrypting RSA.
there is some rumors that it was cracked and not by using brute force.
Brute forcing is for limited mind people.
and by pure coincidence wikileaks.com now is publishing some data that suppose to be ciphered using RSA.
so if they really hacked the us government they must know how to crack RSA.
actually i'm trying to attack the RSA cipher as a personal effort maybe i'll get it some times :D
by the way nice effort doing the coding. apparently it doesn't take a lot of time but you deserve a credit for that. but you like it or not you need to get to binary. you need to program a software that is able to manipulate binary numbers and not integers. any one interested in cracking RSA is welcome to help!
Reference: Stallings - Cryptography and Network Security - Principles and Practices 4e (Prentice, 2005)

1- I have a hard copy of this book, AND a soft copy too :)
2- Brute Force Techniques are pretty much useless.
3- I Think that ALL encryption algorithms can be decrypted in RealTime. Supercomputers can do a great job in that field.
4- Wikileaks didn't hack the U.S government. Someone leaked these documents to them.
5- Attacking an RSA Cipher is what i'm currently doing. - In fact, it's my final project in the Inf. Security course.

6- What about binaries, i didn't get what you meant ? - Explain it again please.
7- English. Try to write in clear and proper English please.

Thanks for your feedback. I appreciate it.
m0ei wroteI have the ebook but the 4th edition.
Going to read it after i finish up the other books.
I highly recommend this book. A must read for every information security addict :)
first of all no one have ever complained about my English :/
I don't want want to be mean but this is the funniest thing that someone have ever told me
Attacking an RSA Cipher is what i'm currently doing. - In fact, it's my final project in the Inf. Security course
seriously???
and you teacher knows about that?? i bet he don't because he will laugh at you man.
take it easy man.
cracking RSA is not a final project. it's a multi billion project. every one want to crack the RSA not only you.
by the way what is you major? i bet it's computer science because you didn't get the binary stuff and you like c#. stick to c++ and for a graphic interface use Qt it's free and it's highly recommended
1st of all don't kid yourself supercomputers do not help you Brute forcing RSA at least not for now
super computers are used for other things...
when you encrypt a document in fact you encrypt it's binary code
to crack the RSA you need to figure out a relation between the ciphered text and the public key to get the private one. the problem is to regenerate a private key that it will act the same as the original. it can be different. just read chapter 7 on this book it's about numbers. it's not a great deal to have a hard and a soft copy of a book. but at least read one of them.
so if you want to crack RSA you need to carefully watch how the process is done on a binary stage or you can just invent another theorem and i'll be the stupid one laughing at a genius :S
and by the way one of the use of supercomputers is to find huge prime numbers because they are priceless in encryption
g-087 wroteI don't want want to be mean but this is the funniest thing that someone have ever told me
Attacking an RSA Cipher is what i'm currently doing. - In fact, it's my final project in the Inf. Security course
seriously???
YES - And whether you like that or not, i'm doing it but not necessarily on a 1Kb key.
And you mentioned in your previous post that you're willing to do that too. Oh wait, SERIOUSLY???, this is the funniest thing that someone have ever told me too :)
g-087 wrotetake it easy man.
I am!
g-087 wrotefirst of all no one have ever complained about my English :/
I guess i'm the first one then :)

-- Previous post.
• @geroges
• there is some rumors
• limited mind people. - English please.
data that suppose to be ciphered.
• as a personal effort maybe i'll get it some times.
• but Whether you like it or not.

--- Latest post.
• and you teacher knows about that. - Yes. Me teacher knows about that.
every one want to crack the RSA.
• and for a graphic interface.
1st of all don't kid yourself - This should be Second.
• the problem is to regenerate a private key that it will act the same as the original.
• just read chapter 7 on this book - Yes yes, on top of this book.
• and by the way one of the use of supercomputers.

Not to mention the missing Capital Letters and the Punctuation (which, apparently, you never heard about before).
g-087 wrote1st of all don't kid yourself supercomputers do not help you Brute forcing RSA at least not for now
super computers are used for other things...
...
and by the way one of the use of supercomputers is to find huge prime numbers because they are priceless in encryption
Yes right, and they use them to play Solitaire while processing large spy satellites' images too.
g-087 wrote...and i'll be the stupid one laughing at a genius :S
You're not Stupid. And i'm not a Genius. But apparently, we're both trying to be so.
thank you for paying such an attention to my posts. really!! not bad for a secretary in fact just quite RSA :D
i thought i was reinventing english when you told me "english please" it's not bad in fact. i'm not shakespeare and when you'll learn speed typing you'll make worse mistakes. and for records i know how to write georges it's my first name in fact :|
i'm pleased that you didn't understand my english because i've mentioned a lot of interesting and useful informations you have skipped during your research :D
and if you really want to crack RSA why don't you just start to crack my english apparently it's a tough exercise for a beginner. really you need to start somewhere
Georges wrote5- Attacking an RSA Cipher is what i'm currently doing. - In fact, it's my final project in the Inf. Security course.
It's your final project in information security? Did you study exploits development,Penetration testing, hacking with metasploit,Social engineering, Fuzzing to find Vulnerabilities and stuffs like that.
Or you passed them for Cryptography only ?
g-087 wrotethank you for paying such an attention to my posts. really!! not bad for a secretary in fact just quite RSA :D
i thought i was reinventing english when you told me "english please" it's not bad in fact. i'm not shakespeare and when you'll learn speed typing you'll make worse mistakes. and for records i know how to write georges it's my first name in fact :|
i'm pleased that you didn't understand my english because i've mentioned a lot of interesting and useful informations you have skipped during your research :D
and if you really want to crack RSA why don't you just start to crack my english apparently it's a tough exercise for a beginner. really you need to start somewhere
*Facepalm*
----
m0ei wrote
Georges wrote5- Attacking an RSA Cipher is what i'm currently doing. - In fact, it's my final project in the Inf. Security course.
It's your final project in information security? Did you study exploits development,Penetration testing, hacking with metasploit,Social engineering, Fuzzing to find Vulnerabilities and stuffs like that.
Or you passed them for Cryptography only ?
Unfortunately, i didn't.
I'll simply be given an RSA-encrypted Cipher and i have to decrypt it by finding the Private Key.
Key length is definitely not large (1024 or 2048).
-- I also PMed you. Check your inbox please.