Cryptography - RSA and ECDSA
2 likes2,935 views
The document discusses public key cryptography and the RSA algorithm. It explains that RSA works by using a public/private key pair, where the public key is used to encrypt messages and the private key is used to decrypt them. Finding the private key from only knowing the public key is computationally infeasible if large prime numbers are used. RSA is widely used in applications like HTTPS, PGP, and DNSSEC to provide encryption, authentication and digital signatures.
Cryptography - RSA and ECDSA
- 1. 2017#apricot2017 RSA and ECDSA Geoff Huston APNIC
- 2. 2017#apricot2017 It’s all about Cryptography
- 3. 2017#apricot2017 Why use Cryptography? Public key cryptography can be used in a number of ways: – protecting a session from third party eavesdroppers Encryption using a session key that is known only to the parties to the conversation – protecting a session from interference Injection (or removal) of part of a session can only be undertaken by the parties to the session – authentication and non-repudiation What is received is exactly what the other party sent, and cannot be repudiated
- 4. 2017#apricot2017 Symmetric Crypto A symmetric crypto algorithm uses the same key to – Convert a plaintext message to a crypted message – Convert a crypted message to its plaintext message • They are generally fast and simple BUT they use a shared key – This key distribution problem can be a critical weakness in the crypto framework
- 6. 2017#apricot2017 The Asymmetric Crypto Challenge Devise an algorithm (encoding) and keys such that: – Messages encoded with one key can only be decoded with the other key – Knowledge of the value of one key does not infer the value of the other key http://bit.ly/2iQ0oi7
- 7. 2017#apricot2017 RSA Select two large (> 256 bit) prime numbers, p and q, then: n = p.q ⏀(n) = (p-1).(q-1) (the number of numbers that are relatively prime to n) Pick an e that is relatively prime to ⏀(n) The PUBLIC KEY is <e,n> Pick a value for d such that d.e = 1 mod ⏀(n) The PRIVATE KEY is <d,n> For any x, xde ≡ x (mod n)
- 8. 2017#apricot2017 Why does RSA work? Encryption using the public key consists of taking a message x and raising it to the power e Crypt = xe Decryption consists of taking an encrypted message and raising it to the power d, mod n Decrypt = Cryptd mod n = (xe)d mod n = xed mod n = x Similarly, one can encrypt a message with the private key (xd ) and decrypt with the public key ((xd ) e mod n = x)
- 9. 2017#apricot2017 Why does RSA work? If you know e and n (the public key) then how can you calculate d (the private key)? Now d.e = 1 mod ⏀(n) If you know ⏀(n) you can calculate d But ⏀(n) = (p-1).(q-1), where p.q = n i.e. you need to find the prime factors of n, a large composite number that is the product of two primes
- 10. 2017#apricot2017 The ‘core’ of RSA (xe)d ≡ x mod n As long as d and n are relatively large, and n is the product of two large prime numbers, then finding the value of d when you already know the values of e and n is computationally expensive
- 11. 2017#apricot2017 The ‘core’ of RSA (xe)d ≡ x mod n As long as d and n are relatively large, and n is the product of two large prime numbers, then finding the value of d when you already know the values of e and n is computationally expensive
- 12. 2017#apricot2017 The ‘core’ of RSA (xe)d ≡ x mod n As long as d and n are relatively large, and n is the product of two large prime numbers, then finding the value of d when you already know the values of e and n is computationally expensive
- 13. 2017#apricot2017 Why is this important? Because much of the foundation of Internet Security rests upon this relationship
- 14. 2017#apricot2017 How big can RSA go? In theory we can push this to very large sizes of n to generate RSA private keys The algorithm is not itself arbitrarily limited in terms of key size But as the numbers get larger there is higher computation overhead to generate and manipulate these keys So we want it large enough not to be ‘broken’ by most forms of brute force, but small enough to be computed by our everyday processors
- 15. 2017#apricot2017 How big should RSA go? You need to consider time as well How long do you want or need your secret to remain a secret? Because if the attacker has enough time a brute force attack may work Also time is on the attacker’s side: keys that are considered robust today may not be as robust tomorrow, assuming that feasible compute capabilities rise over time So you want to pick a key size that is resistant to attempts to brute force the key both today and tomorrow
- 16. 2017#apricot2017 Bigger and bigger? Well, no – the larger the key sizes compared to compute capabilities means: – Longer times to generate keys – Longer times to encrypt (and decrypt) messages – More space to represent the key values So you need to use big keys, but no bigger then necessary!
- 20. 2017#apricot2017 TLS: Protecting the session https://rhsecurity.wordpress.com/tag/tls/
- 21. 2017#apricot2017 The Key to My Bank Yes, the fine print says my bank is using a 2048-bit RSA Public key to as the foundation of the session key used to secure access to my bank
- 22. 2017#apricot2017 I trust its my bank because … • The server has demonstrated knowledge of a private key that is associated with a public key that I have been provided • The public key has been associated with a particular domain name by a Certificate Authority • My browser trusts that this Certificate Authority never lies about such associations • So if the server can demonstrate that it has the private key then my browser will believe that its my bank!
- 23. 2017#apricot2017 DNSSEC and the DNS Another major application for crypto in the Internet is securing the DNS You want to be assured that the response you get to from DNS query is: – Authentic – Complete – Current
- 24. 2017#apricot2017 DNSSEC Interlocking Signatures . (root) .com .example.com www.example.com . Key-Signing Key – signs over . Zone-Signing Key – signs over DS for .com (Key-Signing Key) .com Key-Signing Key – signs over .com Zone-Signing Key – signs over DS for example .com (Key-Signing Key) example.com Key-Signing Key – signs over example.com Zone-Signing Key – signs over www.example.com
- 25. 2017#apricot2017 DNSSEC Interlocking Signatures . (root) .com .example.com www.example.com IN A 192.0.1 . Key-Signing Key – signs over . Zone-Signing Key – signs over DS for .com (Key-Signing Key) .com Key-Signing Key – signs over .com Zone-Signing Key – signs over DS for example .com (Key-Signing Key) example.com Key-Signing Key – signs over example.com Zone-Signing Key – signs over www.example.com
- 26. 2017#apricot2017 DNSSEC Interlocking Signatures . (root) .com .example.com www.example.com IN A 192.0.1 . Key-Signing Key – signs over . Zone-Signing Key – signs over DS for .com (Key-Signing Key) .com Key-Signing Key – signs over .com Zone-Signing Key – signs over DS for example .com (Key-Signing Key) example.com Key-Signing Key – signs over example.com Zone-Signing Key – signs over www.example.com Is the signature for this record valid? Is the ZSK for example.com valid? Is the KSK for example.com valid? Is this DS equal to the hash of the KSK? Is the signature for this record valid? Is the ZSK for .com valid? Is the KSK for .com valid? Is this DS equal to the hash of the KSK? Is the signature for this record valid? Is the ZSK for . valid? Is the KSK for . valid?
- 27. 2017#apricot2017 DNSSEC Interlocking Signatures . (root) .com .example.com www.example.com IN A 192.0.1 . Key-Signing Key – signs over . Zone-Signing Key – signs over DS for .com (Key-Signing Key) .com Key-Signing Key – signs over .com Zone-Signing Key – signs over DS for example .com (Key-Signing Key) example.com Key-Signing Key – signs over example.com Zone-Signing Key – signs over www.example.com Is the signature for this record valid? Is the ZSK for example.com valid? Is the KSK for example.com valid? Is this DS equal to the hash of the KSK? Is the signature for this record valid? Is the ZSK for .com valid? Is the KSK for .com valid? Is this DS equal to the hash of the KSK? Is the signature for this record valid? Is the ZSK for . valid? Is the KSK for . valid? As long as you have a valid local trust anchor for the root zone then you can validate a signed DNS response by constructing this backward path to the local root trust anchor
- 28. 2017#apricot2017 A DNSSEC response using RSA $ dig +dnssec u5221730329.s1425859199.i5075.vcf100.5a593.z.dotnxdomain.net ; <<>> DiG 9.9.6-P1 <<>> +dnssec u5221730329.s1425859199.i5075.vcf100.5a593.z.dotnxdomain.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25461 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;u5221730329.s1425859199.i5075.vcf100.5a593.z.dotnxdomain.net. IN A ;; ANSWER SECTION: u5221730329.s1425859199.i5075.vcf100.5a593.z.dotnxdomain.net. 1 IN A 199.102.79.186 u5221730329.s1425859199.i5075.vcf100.5a593.z.dotnxdomain.net. 1 IN RRSIG A 5 4 3600 20200724235900 20130729104013 1968 5a593.z.dotnxdomain.net. ghHPoQd71aZtsdH823eW ;; AUTHORITY SECTION: 33d23a33.3b7acf35.9bd5b553.3ad4aa35.09207c36.a095a7ae.1dc33700.103ad556.3a564678.16395067.a12ec545.6183d935.c68cebfb.41a4008e.4f291b87.479c6f9e.5ea48f86.7d1187f1.7572d59a 33d23a33.3b7acf35.9bd5b553.3ad4aa35.09207c36.a095a7ae.1dc33700.103ad556.3a564678.16395067.a12ec545.6183d935.c68cebfb.41a4008e.4f291b87.479c6f9e.5ea48f86.7d1187f1.7572d59a 5a593.z.dotnxdomain.net. 3599 IN NS nsz1.z.dotnxdomain.net. 5a593.z.dotnxdomain.net. 3600 IN RRSIG NS 5 4 3600 20200724235900 20130729104013 1968 5a593.z.dotnxdomain.net. ntxWo5UwL1vQjOHY0z5DCVNDDScnd3Tglgd0PsBRRhk3B9iJ ;; Query time: 1052 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Thu Mar 12 03:59:57 UTC 2015 ;; MSG SIZE rcvd: 937 RSA signed response – 937 octets
- 29. 2017#apricot2017 $ dig +dnssec DNSKEY org ; <<>> DiG 9.11.0-P1 <<>> +dnssec DNSKEY org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53713 ;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;org. IN DNSKEY ;; ANSWER SECTION: org. 900 IN DNSKEY 256 3 7 AwEAAXxsMmN/JgpEE9Y4uFNRJm7Q9GBwmEYUCsCxuKlgBU9WrQEFRrvA eMamUBeX4SE org. 900 IN DNSKEY 256 3 7 AwEAAayiVbuM+ehlsKsuAL1CI3mA+5JM7ti3VeY8ysmogElVMuSLNsX7 HFyq9O6qhZV org. 900 IN DNSKEY 257 3 7 AwEAAcMnWBKLuvG/LwnPVykcmpvnntwxfshHlHRhlY0F3oz8AMcuF8gw 9McCw+BoC2Y org. 900 IN DNSKEY 257 3 7 AwEAAZTjbIO5kIpxWUtyXc8avsKyHIIZ+LjC2Dv8naO+Tz6X2fqzDC1b dq7HlZwtkaq org. 900 IN RRSIG DNSKEY 7 1 900 20170207153219 20170117143219 3947 org. S6+vpFWz6hfPmvI7zxRa4 org. 900 IN RRSIG DNSKEY 7 1 900 20170207153219 20170117143219 9795 org. iEyiroy02ljtH5hf5RIdf org. 900 IN RRSIG DNSKEY 7 1 900 20170207153219 20170117143219 17883 org. A2hLUswcas+W4h8gZYpA ;; Query time: 475 msec ;; SERVER: 203.133.248.1#53(203.133.248.1) ;; WHEN: Thu Jan 19 23:37:38 UTC 2017 ;; MSG SIZE rcvd: 1625 Another DNSSEC response using RSA RSA signed response – 1,625 octets
- 30. 2017#apricot2017 Not every application can tolerate large keys… The DNS and DNSSEC is a problem here: – including the digital signature increases the response size – Large responses generate packet fragmentation – Fragments are commonly filtered by firewalls – IPv6 Fragments required IPv6 Extension Headers, and packets with Extension Headers are commonly filtered – DNS over TCP imposes server load – DNS over TCP is commonly filtered If you can avoid large responses in the DNS, you should!
- 31. 2017#apricot2017 The search for small keys • Large keys and the DNS don’t mix very well: – We try and make UDP fragmentation work reliably (for once!) – Or we switch the DNS to use TCP – Or we look for smaller keys
- 32. 2017#apricot2017 Enter Elliptic Curves y2 = x3 + ax + b
- 33. 2017#apricot2017 y2 = x3 + ax + b Enter Elliptic Curves “It is not immediately obvious why verification even functions correctly.” !!
- 35. 2017#apricot2017 ECDSA vs RSS $ dig +dnssec u5221730329.s1425859199.i5075.vcf100.5a593.y.dotnxdomain.net ; <<>> DiG 9.9.6-P1 <<>> +dnssec u5221730329.s1425859199.i5075.vcf100.5a593.y.dotnxdomain.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61126 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;u5221730329.s1425859199.i5075.vcf100.5a593.y.dotnxdomain.net. IN A ;; ANSWER SECTION: u5221730329.s1425859199.i5075.vcf100.5a593.y.dotnxdomain.net. 1 IN A 144.76.167.10 u5221730329.s1425859199.i5075.vcf100.5a593.y.dotnxdomain.net. 1 IN RRSIG A 13 4 3600 20200724235900 20150301105936 35456 5a593.y.dotnxdomain.net. IMXSIJ/uKixSAt8GXsh6Lm8CvEOmK5n/5bPgs ;; AUTHORITY SECTION: ns1.5a593.y.dotnxdomain.net. 1 IN NSEC x.5a593.y.dotnxdomain.net. A RRSIG NSEC ns1.5a593.y.dotnxdomain.net. 1 IN RRSIG NSEC 13 5 1 20200724235900 20150301105936 35456 5a593.y.dotnxdomain.net. vM+5YEkAc8B9iYHV3ZO3r9v+RvICn3qfWRfneytLP+nHCOku66X31pzB 5a593.y.dotnxdomain.net. 3598 IN NS ns1.5a593.y.dotnxdomain.net. 5a593.y.dotnxdomain.net. 3600 IN RRSIG NS 13 4 3600 20200724235900 20150301105936 35456 5a593.y.dotnxdomain.net. dzFik3O4HhiEg8TXcn3dCFdCfXCzLj7V0y5qIkCNYXYQ5EfoiWMhUh1s Lb9I0CQk ;; Query time: 1880 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Thu Mar 12 03:59:42 UTC 2015 ;; MSG SIZE rcvd: 527 $ dig +dnssec u5221730329.s1425859199.i5075.vcf100.5a593.z.dotnxdomain.net ; <<>> DiG 9.9.6-P1 <<>> +dnssec u5221730329.s1425859199.i5075.vcf100.5a593.z.dotnxdomain.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25461 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;u5221730329.s1425859199.i5075.vcf100.5a593.z.dotnxdomain.net. IN A ;; ANSWER SECTION: u5221730329.s1425859199.i5075.vcf100.5a593.z.dotnxdomain.net. 1 IN A 199.102.79.186 u5221730329.s1425859199.i5075.vcf100.5a593.z.dotnxdomain.net. 1 IN RRSIG A 5 4 3600 2020072423590 ;; AUTHORITY SECTION: 33d23a33.3b7acf35.9bd5b553.3ad4aa35.09207c36.a095a7ae.1dc33700.103ad556.3a564678.16395067.a12ec545.6183 33d23a33.3b7acf35.9bd5b553.3ad4aa35.09207c36.a095a7ae.1dc33700.103ad556.3a564678.16395067.a12ec545.6183 5a593.z.dotnxdomain.net. 3599 IN NS nsz1.z.dotnxdomain.net. 5a593.z.dotnxdomain.net. 3600 IN RRSIG NS 5 4 3600 20200724235900 20130729104013 1968 5a593. ;; Query time: 1052 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Thu Mar 12 03:59:57 UTC 2015 ;; MSG SIZE rcvd: 937 ECDSA signed response – 527 octets RSA signed response – 937 octets
- 36. 2017#apricot2017 ECDSA has a history…
- 37. 2017#apricot2017 ECDSA and OpenSSL • OpenSSL added ECDSA support as from 0.9.8 (2005) • Other bundles and specific builds added ECDSA support later • But deployed systems often lag behind the latest bundles, and therefore still do not include ECC support in their running configuration
- 39. 2017#apricot2017 Do folk use ECDSA for public keys? $ dig +dnssec www.cloudflare-dnssec-auth.com ; <<>> DiG 9.9.6-P1 <<>> +dnssec www.cloudflare-dnssec-auth.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7049 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;www.cloudflare-dnssec-auth.com. IN A ;; ANSWER SECTION: www.cloudflare-dnssec-auth.com. 300 IN A 104.20.23.140 www.cloudflare-dnssec-auth.com. 300 IN A 104.20.21.140 www.cloudflare-dnssec-auth.com. 300 IN A 104.20.19.140 www.cloudflare-dnssec-auth.com. 300 IN A 104.20.22.140 www.cloudflare-dnssec-auth.com. 300 IN A 104.20.20.140 www.cloudflare-dnssec-auth.com. 300 IN RRSIG A 13 3 300 20150317021923 20150315001923 35273 cloudflare-dnssec-auth.com. pgBvfQkU4Il8ted2hGL9o8NspvKksDT8/jvQ+4o4h4tGmAX0fDBEoorb tLiW7mcdOWYLoOnjovzYh3Q0Odu0Xw== ;; Query time: 237 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Mon Mar 16 01:19:24 UTC 2015 ;; MSG SIZE rcvd: 261 Algorithm 13 is ECDSA P-256 Signed response is 261 octets long!
- 40. 2017#apricot2017 So lets use ECDSA for DNSSEC Or maybe we should look before we leap... – Is ECDSA a “well supported” crypto protocol? * – If you signed using ECDSA would resolvers validate the signature? It’s not that crypto libraries deliberately exclude ECDSA support these days. The more likely issue appears to be the operational practic es of some ISPs who use crufty old software sets to support DNS resolvers which are now running old libraries that predate the incorporation of ECDSA into Open SSL *
- 41. 2017#apricot2017 Where are the users who can validate ECDSA-signed DNSSEC records? https://stats.labs.apnic.net/ecdsa
- 42. 2017#apricot2017 And where ECDSA support is missing https://stats.labs.apnic.net/ecdsa
- 43. 2017#apricot2017 Today we’re in Vietnam…
- 44. 2017#apricot2017 Today we’re in Vietnam…
- 45. 2017#apricot2017 The Top 5 Vietnam ISPs And the extent to which their uses perform DNSSEC validation with ECDSA and RSA
- 46. 2017#apricot2017 And it if wasn’t for Google… There would probably be no DNSSEC at all! And no ECDSA!
- 47. 2017#apricot2017 APNIC Labs Report on ECDSA use https://stats.labs.apnic.net/ecdsa