Ensuring sufficient entropy in rsa modulus generation
Download
1 / 26

Ensuring Sufficient Entropy in RSA Modulus Generation - PowerPoint PPT Presentation


  • 108 Views
  • Uploaded on

Ensuring Sufficient Entropy in RSA Modulus Generation. Wendy Mu Henry Corrigan-Gibbs Dan Boneh. Motivation #1. Security of RSA relies on hardness of factoring modulus What happens when , are generated with faulty random number generators?. Motivation #1.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Ensuring Sufficient Entropy in RSA Modulus Generation' - aletta


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Ensuring sufficient entropy in rsa modulus generation

Ensuring Sufficient Entropy in RSA Modulus Generation

Wendy Mu

Henry Corrigan-Gibbs

Dan Boneh


Motivation 1
Motivation #1

  • Security of RSA relies on hardness of factoring modulus

  • What happens when , are generated with faulty random number generators?


Motivation 11
Motivation #1

  • A study by Heninger et al. (2012) found…

  • 5.57% of TLS hosts had same private keys as another host

  • 0.50% of these hosts’ private keys were easily computed through finding all-pairs GCDs


Motivation 12
Motivation #1

Reason for these common factors?

Weak entropy!


Motivation 2
Motivation #2

  • Kleptography (Young and Yung, 1996)

    • Attack where third party can figure out private key

    • Malicious black box key generator encrypts in last bits of )

    • Third party with key can decrypt and factor


Goals
Goals

  • An efficient way for a host to obtain randomness from a trusted source with high entropy

  • A way for the host to prove that the generated modulus was generated using the given randomness


Overview
Overview

TLS Host (e.g., web server)

Key generation

protocol

Key verification

protocol

Certificate Authority

Entropy Authority


Overview1
Overview

TLS Host (e.g., web server)

1. Modulus generation

4. CA-signed

certificate

2. EA-signed certificate

3. EA-signed certificate

Certificate Authority

Entropy Authority


Building blocks
Building blocks

  • Pedersen commitments (Pedersen)

    • Computationally binding

    • Information theoretically hiding

    • Additively homomorphic


Building blocks1
Building blocks

  • Zero-knowledge proofs

    • Prove that and are commitments to and with (Cramer and Damgard)


Building blocks2
Building blocks

  • Public-key signature scheme (Goldwasser et al.)

    • Sign and verify functions

    • Existentially unforgeable





Application ssh
Application: SSH

SSH Server

1. Modulus generation

2. EA-signed certificate

3. EA-signed certificate

SSH Client

Entropy Authority


Security
Security

  • are 1024 bit primes

  • are 20 bit numbers

  • is 2048 bits

  • (modulus for commitments) is 2148 bits (100 bits more than ), since


Security1
Security

  • Desired properties:

    • Maintain secrecy of and

    • Ensure resulting contains sufficient entropy


Security2
Security

  • If the host has no entropy, a global eavesdropper could always learn and

    • Assume that the host gets a free communication with EA

  • Assume host is not malicious


Ensuring sufficient entropy in rsa modulus generation

Even if the host has low entropy, the resulting modulus will be as strong as an RSA modulus generated using the traditional algorithm with high entropy.



Ensuring sufficient entropy in rsa modulus generation

If the host does not follow the protocol, either the EA or CA will be able to detect the violation, or the resulting will still have high entropy.

Therefore, a misbehaving host cannot get a CA to sign a low-entropy key.


Performance
Performance CA will be able to detect the violation, or the resulting

  • On a laptop…

    • Traditional RSA: 0.59s

    • Our protocol: 3.18s


Performance1
Performance CA will be able to detect the violation, or the resulting

  • On a Linksys router…

    • Traditional RSA: 59.6s

    • Our protocol: 111.7s

  • Includes ~100ms RTT network latency

  • Relatively small overhead: ~2x


Related work
Related Work CA will be able to detect the violation, or the resulting

  • Juels and Guajardo (2002) introduced the idea of a randomness authority, with a protocol for key generation

  • Uses range proofs (proving a commitment is to an integer in a given range)

    • Expensive, many calculations

  • Our protocol avoids range proofs faster


Future work
Future work CA will be able to detect the violation, or the resulting

  • Integrate protocol into certificate signing request to CA


Conclusion
Conclusion CA will be able to detect the violation, or the resulting

  • Protocol for generating an RSA modulus with sufficient randomness

  • Feasible to implement on today’s hardware

  • Small overhead to traditional RSA

    Contact: wmu@cs.stanford.edu