9: What Can Go Wrong?

192



Part III



■



Key Negotiation



For simplicity, let us suppose Alice and Bob use the DH protocol in the

subgroup illustrated in Figure 11.3 without checking that X and Y are proper

values. Furthermore, after this exchange Alice starts using the new key k

to send an encrypted and authenticated message to Bob that contains some

further protocol data. (This is a very common situation, and similar situations

can occur in IKE.)

Here is the dangerous behavior by Alice: when she receives a resend of the

second message containing Y, she simply recomputes the key k and sends the

appropriate reply to Bob. Sounds entirely harmless, right? But the attacker Eve

can now start to play games. Let d be a small divisor of (p − 1). Eve can replace

Y by an element of order d. Alice’s key k is now limited to d possible values,

and is completely determined by Y and (x mod d). Eve tries all possible values

for (x mod d), computes the key k that Alice would have gotten, and tries to

decrypt the next message that Alice sends. If Eve guesses (x mod d) correctly,

this message will decrypt properly, and Eve has learned (x mod d).

But what if p − 1 contains a number of small factors (d1 , d2 , . . . , dk )? Then

Eve can run this attack repeatedly for each of these factors and learn

(x mod d1 ), . . . , (x mod dk ). Using the general form of the Chinese Remainder Theorem (see Section 12.2) she can combine this knowledge to obtain

(x mod d1 d2 d3 · · · dk ). So if the product of all small divisors of p − 1 is large, Eve

can get a significant amount of information about x. As x is supposed to be

secret, this is always a bad development. In this particular case, Eve can finish

by forwarding the original Y to Alice and letting Alice and Bob complete the

protocol. But Eve has collected enough information about x that she can now

find the key k that Alice and Bob use.

To be quite clear: this is not an attack on IKE. It is an attack on an implementation of IKE that is allowed by the standard [60]. Still, in our opinion the protocol should include enough information for a competent programmer to create a secure implementation. Leaving this type of information out is

dangerous, as somebody somewhere will implement it the wrong way. (We

have not verified whether this attack applies to newer versions of IKE.)

For this attack to work, Eve has to be lucky enough to have a p − 1 with

sufficient small divisors. We are designing against an adversary that can

perform 2128 steps of computing. This allows Eve to take advantage of all

divisors of p − 1 up to 2128 or so. We’ve never seen a good analysis of the

probabilities of how much information Eve could get, but a quick estimate

indicates that on average Eve will be able to get approximately 128 bits of

information about x from the factors smaller than 2128 . She can then attack the

unknown part of x using a collision-style attack, and as x is only 256 bits long,

this leads to a real attack. At least, it would if we didn’t check that X and Y

were in the proper subgroup.



Chapter 11



■



Diffie-Hellman



The attack becomes even easier if Eve was the person selecting the subgroup

(p, q, g). She may have put the small divisors into p − 1 herself when she selected

p in the first place. Or maybe she sat on the committee that recommended

certain parameters for a standard. This isn’t as crazy as it seems. The U.S.

government, in the form of NIST, helpfully provides primes that can be used

with DSA, a signature scheme that uses subgroups like this. Other parts of that

same U.S. government (e.g., NSA, CIA, FBI) have a vested interest in being

able to break into private communications. We certainly don’t want to imply

that these primes are bad, but it is something that you would want to check

before you use them. This is easy to do; in fact, NIST published an algorithm

for choosing parameters that does not insert additional small factors, and you

can check whether the algorithm was indeed followed. But few people ever do.

In the end, the simplest solution is to check that every value you receive is

in the proper subgroup. All other ways of stopping small subgroup attacks

are much more complicated. You could try to detect the small factors of p − 1

directly, but that is way too complicated. You could require the person who

generated the parameter set to provide the factorization of p − 1, but that adds

a great deal of complexity to the whole system. Verifying that the received

values are in the right subgroup is a bit of work, but it is by far the simplest

and most robust solution.



11.10



Exercises



Exercise 11.1

Assume 200 people wish to communicate securely using

symmetric keys, one symmetric key for each pair of people. How many

symmetric keys would this system use in total?

Exercise 11.2 What are the subgroups generated by 3, 7, and 10 in the

multiplicative group of integers modulo p = 11?

Exercise 11.3 Why is a number r a square modulo p, p = 2q + 1 and p and q

both prime, if and only if r q = 1 (mod p).

Exercise 11.4 What problems, if any, could arise if Alice uses the same x and

gx for all her communications with Bob, and Bob uses the same y and gy for all

his communications with Alice?

Exercise 11.5 Alice and Bob wish to agree on a 256-bit AES key. They are

trying to decide between using 256-bit, 512-bit, or some other length DH public

keys gx and gy . What would be your recommendation to them?



193



CHAPTER



12

RSA



The RSA system is probably the most widely used public-key cryptosystem

in the world. It is certainly the best known. It provides both digital signatures

and public-key encryption, which makes it a very versatile tool, and it is based

on the difficulty of factoring large numbers, a problem that has fascinated

many people over the last few millennia and has been studied extensively.



12.1



Introduction



RSA is similar to, yet very different from, Diffie-Hellman (see Chapter 11).

Diffie-Hellman (DH for short) is based on a one-way function: assuming p and

g are publicly known, you can compute (gx mod p) from x, but you cannot

compute x given gx mod p. RSA is based on a trapdoor one-way function.

Given the publicly known information n and e, it is easy to compute me mod n

from m, but not the other way around. However, if you know the factorization

of n, then it is easy to do the inverse computation. The factorization of n is the

trapdoor information. If you know it, you can invert the function; if you do

not know it, you cannot invert the function. This trapdoor functionality allows

RSA to be used both for encryption and digital signatures. RSA was invented

by Ronald Rivest, Adi Shamir, and Leonard Adleman, and first published in

1978 [105].

Throughout this chapter we will use the values p, q, and n. The values p and

q are different large primes, each on the order of a thousand bits long or more.

The value n is defined by n := pq. (An ordinary product, that is, not modulo

something.)

195



196



Part III



12.2



■



Key Negotiation



The Chinese Remainder Theorem



Instead of doing computations modulo a prime p as in the DH system, we

will be doing computations modulo the composite number n. To explain what

is going on, we will need a little more number theory about computations

modulo n. A very useful tool is the Chinese Remainder Theorem, or CRT. It is

named so because the basic version was first stated by the first-century Chinese

mathematician Sun Tzu. (Most of the math you need for DH and RSA dates

back thousands of years, so it can’t be too difficult, right?)

The numbers modulo n are 0, 1, . . . , n − 1. These numbers do not form a

finite field as they would if n were a prime. Mathematicians still write Zn

for these numbers and call this a ring, but that is a term we won’t need.

For each x in Zn , we can compute the pair (x mod p, x mod q). The Chinese

Remainder Theorem states that you can compute the inverse function: if you

know (x mod p, x mod q), you can reconstruct x.

For ease of notation, we will define (a, b) := (x mod p, x mod q).

First, we show that reconstruction is possible, then we’ll give an algorithm

to compute the original x. To be able to compute x given (a, b), we must be sure

there is not a second number x in Zn such that x mod p = a and x mod q = b.

If this were the case, both x and x would result in the same (a, b) pair, and no

algorithm could figure out which of these two numbers was the original input.

Let d := x − x , the difference between the numbers that lead to the same (a, b)

pair. We have (d mod p) = (x − x ) mod p = (x mod p) − (x mod p) = a − a =

0; thus, d is a multiple of p. For much the same reason, d is a multiple of q.

This implies that d is a multiple of lcm(p, q), because lcm is, after all, the least

common multiple. As p and q are different primes, lcm(p, q) = pq = n, and thus

x − x is a multiple of n. But both x and x are in the range 0, . . . , n − 1, so x − x

must be a multiple of n in the range −n + 1, . . . , n − 1. The only valid solution

is x − x = 0, or x = x . This proves that for any given pair (a, b), there is at most

one solution for x. All we have to do now is find that solution.



12.2.1 Garner’s Formula

The most practical way of computing the solution is Garner’s formula.

x = (((a − b)(q−1 mod p)) mod p) · q + b

Here the (q−1 mod p) term is a constant that depends only on p and q. Remember

that we can divide modulo p, and therefore we can compute (1/q mod p), which

is just a different way of writing (q−1 mod p).

We don’t need to understand Garner’s formula. All we need to do is prove

that the result x is correct.

First of all, we show that x is in the right range 0, . . . , n − 1. Obviously

x ≥ 0. The part t := (((a − b)(q−1 mod p)) mod p) must be in the range



Chapter 12



■



RSA



0, . . . , p − 1 because it is a modulo p result. If t ≤ p − 1, then tq ≤ (p − 1)q and

x = tq + b ≤ (p − 1)q + (q − 1) = pq − 1 = n − 1. This shows that x is in the range

0, . . . , n − 1.

The result should also be correct modulo both p and q.

x mod q = ((((a − b)(q−1 mod p)) mod p) · q + b) mod q

= (K · q + b) mod q

for some K

= b mod q

=b

The whole thing in front of the multiplication by q is some integer K, but any

multiple of q is irrelevant when computing modulo q. Modulo p is a bit more

complicated:

x mod p = ((((a − b)(q−1 mod p)) mod p) · q + b) mod p

= (((a − b)q−1 ) · q + b) mod p

= ((a − b)(q−1 q) + b) mod p

= ((a − b) + b) mod p

= a mod p

=a

In the first line, we simply expand (x mod p). In the next line, we eliminate

a couple of redundant mod p operators. We then change the order of the

multiplications, which does not change the result. (You might remember from

school that multiplication is associative, so (ab)c = a(bc).) The next step is to

observe that q−1 q = 1 (mod p), so we can remove this term altogether. The rest

is trivial.

This derivation is a bit more complicated than the ones we have seen so far,

especially as we use more of the algebraic properties. Don’t worry if you can’t

follow it.

We can conclude that Garner’s formula gives a result x that is in the right

range and for which (a, b) = (x mod p, x mod q). As we already know that

there can only be one such solution, Garner’s formula solves the CRT problem

completely.

In real systems, you typically precompute the value q−1 mod p, so Garner’s

formula requires one subtraction modulo p, one multiplication modulo p, one

full multiplication, and an addition.



12.2.2 Generalizations

The CRT also works when n is the product of multiple primes that are all

different.1 Garner’s formula can be generalized to these situations, but we

won’t need that in this book.

1 There



are versions that work when n is divisible by the square or higher power of some primes,

but those are even more complicated.



197