Cryptography

From miki
Jump to navigation Jump to search

References

Key Lengths

RSA

See recommendations from Bruce Schneier in Applied Cryptography (§7.2, [1]). See also [2]

Recommended public-key key lengths (in bits) — Source: Applied Cryptography, 2nd edition
Year vs. industry vs. Corporate vs. Government
1995 768 1280 1536
2000 1024 1280 1536
2005 1280 1536 2048
2010 1280 1536 2048
2015 1536 2048 2048

Crypto performance

SW Speed on ARM

Hash Algorithm
Name Throughput (kB/s)
SHA-1 1915
MD5 3516
Symmetric algorithms
Name Throughput (kB/s)
AES-CBC 825
AES-ECB 874
AES-CCM, CT only 373
AES-CCM, AD only 816
3DES-CBC 326
3DES-CTR 317
3DES-ECB 333
Asymmetric, Encrypt/Decrypt
Name Time (s)
RSA-1024 encrypt 0.01
RSA-1024 decrypt 0.27
RSA-2048 encrypt 0.05
RSA-2048 decrypt 2.13
Asymmetric, Sign/Verify
Name Time (s)
RSA-1024 sign 0.27
RSA-1024 verify 0.01
RSA-2048 sign 2.13
RSA-2048 verify 0.05
DSA-1024 sign 0.17
DSA-1024 verify 0.33
Diffie-Hellman
Modulus Size (b) Private Key size (b) Time (s)
1024 160 0.17
1024 1024 1.08
2048 224 0.93
2048 2048 8.48
More bench

(see SharkSSL_Benchmark_for_ARM_Cortex_M3.pdf)

HW Speed on NXP SMX P5Cx08x

Based on linecard figures:

Algo Size Sign Verify
RSA 1024-bit 99 ms (CRT) 2 ms
ECC 192-bit 20 ms 30 ms
DES3 <40 µs <40 µs
AES 128/192/256 12/13/15 µs 12/13/15 µs

Crypto Libraries

NTRU

BouncyCastle

  • Free Java crypto library

Crypto++

  • A crypto library in C++

Crypto calculators

Online

OpenSSL

#Computing AES-128 CBC No padding
echo "000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f" | xxd -r -p |openssl aes-128-cbc -iv 0 -K 01010101020202020303030304040404 -nopad \
| xxd -p

#Advanced mumbo-jambo
echo $(( (0x$(echo "1111111111f2222222222f3333333333f4444444444f5555555555f6666666666f7777777777f8888888888f9999999999f0000000000f80"\
|xxd -r -p |openssl des-cbc -iv 0 -K 0102030405060708 -nopad |xxd -p|tail -c 6) & 0x03ffff) + (0x10*2**18) ))

RSA

References

  • Dan Boneh, Twenty Years of Attacks on the RSA Cryptosystem, February 1999, Notices of the AMS, http://www.ams.org/notices/199902/boneh.pdf
  • Don Coppersmith, Small solutions to polynomial equations, and low exponent rsa vulnerabilities, Journal of Cryptology 10 (1997), no. 4, 233–260. 1997-JOC-Vol10-4-002.pdf
    This paper covers the 2 papers:
    • Don Coppersmith, Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known, U. Maurer (Ed.): Advances in Cryptology - EUROCRYPT '96, LNCS 1070, pp. 178-189, 1996. 1996-EUROCRYPT-016.pdf
    • Don Coppersmith, Finding a Small Root of a Univariate Modular Equation, U. Maurer (Ed.): Advances in Cryptology - EUROCRYPT ’96, LNCS 1070, pp. 155-165, 1996. 1996-EUROCRYPT-014.pdf
  • ? Seong-Min Hong, Sang-Yeop Oh, and Hyunsoo Yoon, New Modular Multiplication Algorithms for Fast Modular Exponentiation, Proceeding EuroCrypt'96 (U. Maurer,ed.), Lecture Notes in Computer Science, vol. 1070, Springer-Verlag, 1996, pp. 166--177.
  • ~ Alexander May, New RSA Vulnerabilities Using Lattice Reduction Methods, PhD thesis, University of Paderborn, October 2003. http://www.cs.uni-paderborn.de/uploads/tx_sibibtex/bp.pdf
(Coppersmith method, breaking RSA from partial knowledge of message, partial export of private exponent or prime factors, variants of RSA...)
  • ~ Leo Reyzin, Notes for lecture 8 — Chinese Remainder Theorem and Blum-Blum-Shub PRG, Fall 2004, BU CAS CS 538, http://www.cs.bu.edu/~reyzin/teaching/f04cs538/notes8.pdf
  • ~ Scott A. Vanstone and Robert J. Zuccherato, Short RSA Keys and Their Generation, J. Cryptology 8 (1995), no. 2, 101--114. 1995-JOC-Vol08-2-003.pdf
(Generate modulus with given modulus bit pattern, but the methods in this paper are inefficient and broken - better alternatives below)
  • ? RSA Moduli with a Predetermined Portion: Techniques and Applications, Information Security Practice and Experience (ISPEC 2008), vol. 4991 of Lecture Notes in Computer Science, pp. 116{130, Springer, 2008. http://joye.site88.net/papers/Joy08rsacompr.pdf
  • ~ Arjen K. Lenstra. Generating RSA moduli with a predetermined portion. In Advances in Cryptology - ASIACRYPT'98, volume 1514 of Lecture Notes in Computer Science, pages 1{10. Springer, 1998.
(Implement obvious method; pick n' with the fixed pattern. pick p random prime, round n' up to nearest multiple, compute q' s.t. n'=pq', find nearest prime q, compute n=pq)
Publications by authors

Generate RSA Keys

Under Linux, Install package racoon. Then you can use plainrsa-gen to generate a RSA key pair:

sudo plainrsa-gen -b 512 -e 65537
$ plainrsa-gen -b 512 -e 65537
: RSA	{
	# RSA 256 bits
	# pubkey=0sAwEAAZI52+jaMTOU7BVFJfR3XO0/HNuagkdwnODaOEz5Vl57
	Modulus: 0x9239dbe8da313394ec154525f4775ced3f1cdb9a8247709ce0da384cf9565e7b
	PublicExponent: 0x010001
	PrivateExponent: 0x6a32c54916f676dce89d060c6bc128e6384ddd3480ebc38abb26b06bbbc39ee9
	Prime1: 0xc2ebb37492f49c2536d1425a1e98bced
	Prime2: 0xc00bedf79253f91bc219fb076fdb8407
	Exponent1: 0x6a70e3d268dd82d71f942e33a039b011
	Exponent2: 0x143e2dab36e55b10adf90718d59591e9
	Coefficient: 0x3d988139c172a1b329850a294347b99e
  }

Another solution is to use openssl:

openssl genrsa 256 > private.pem
Generating RSA private key, 256 bit long modulus
......+++++++++++++++++++++++++++
.............+++++++++++++++++++++++++++
e is 65537 (0x10001)

This produce a private key in .PEM format

cat private.pem
-----BEGIN RSA PRIVATE KEY-----
MIGqAgEAAiEArBZ8o1wXjfGaJoYyEw20HewqLGTJ6mI3i2ntexqztc8CAwEAAQIg
ObfNFAmGSPB40GUAFI3rE/VQokHFKOpqBnu2/fEGwdECEQDX5IwHMajhOd/e4h1O
J//ZAhEAzA6pCZiM+kcFPDo/S/wB5wIQAlGyL2GZLtIwVXSYW/6SAQIQZQ/VtETz
fXjzJNMMSkuzfQIRAM0VX/ffPwICmDEJGxg5YqY=
-----END RSA PRIVATE KEY-----

See below for how to display components or RSA keys.

The following script will generate 10 keys for each size in the set {1024 1536 1664 1792 1920 2048 2304 2560 2816 3072 3328 3584 3840 4096}:

#! /bin/bash
#
# Script to generate a batch of RSA keys of various length
#

function gen-one-key()
{
	openssl genrsa $1 | openssl pkcs8 -topk8 -nocrypt -outform DER -out "$2-pk8.der"
	openssl asn1parse -inform DER -in "$2-pk8.der" > "$2-pk8.txt"
	echo -e "\n############### Content of RSA Private Key object ###############\n" >> "$2-pk8.txt"
	openssl pkcs8 -inform DER -in "$2-pk8.der" -nocrypt | openssl asn1parse >> "$2-pk8.txt"
}

for keylength in 1024 1536 1664 1792 1920 2048 2304 2560 2816 3072 3328 3584 3840 4096; do
	for keyidx in $(seq 1 10); do
		keyname="rsakey-${keylength}b-$(printf '%02d' $keyidx)"
		echo "########## gen-one-key $keylength \"$keyname\""
		gen-one-key $keylength "$keyname"
	done
done

View and convert RSA Keys

Use openssl rsa -text to display the key

openssl rsa -text <private.pem        # or openssl rsa -in private.pem -text
Private-Key: (256 bit)
modulus:
    00:ac:16:7c:a3:5c:17:8d:f1:9a:26:86:32:13:0d:
    b4:1d:ec:2a:2c:64:c9:ea:62:37:8b:69:ed:7b:1a:
    b3:b5:cf
publicExponent: 65537 (0x10001)
privateExponent:
    39:b7:cd:14:09:86:48:f0:78:d0:65:00:14:8d:eb:
    13:f5:50:a2:41:c5:28:ea:6a:06:7b:b6:fd:f1:06:
    c1:d1
prime1:
    00:d7:e4:8c:07:31:a8:e1:39:df:de:e2:1d:4e:27:
    ff:d9
prime2:
    00:cc:0e:a9:09:98:8c:fa:47:05:3c:3a:3f:4b:fc:
    01:e7
exponent1:
    02:51:b2:2f:61:99:2e:d2:30:55:74:98:5b:fe:92:
    01
exponent2:
    65:0f:d5:b4:44:f3:7d:78:f3:24:d3:0c:4a:4b:b3:
    7d
coefficient:
    00:cd:15:5f:f7:df:3f:02:02:98:31:09:1b:18:39:
    62:a6
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIGqAgEAAiEArBZ8o1wXjfGaJoYyEw20HewqLGTJ6mI3i2ntexqztc8CAwEAAQIg
ObfNFAmGSPB40GUAFI3rE/VQokHFKOpqBnu2/fEGwdECEQDX5IwHMajhOd/e4h1O
J//ZAhEAzA6pCZiM+kcFPDo/S/wB5wIQAlGyL2GZLtIwVXSYW/6SAQIQZQ/VtETz
fXjzJNMMSkuzfQIRAM0VX/ffPwICmDEJGxg5YqY=
-----END RSA PRIVATE KEY-----

... or openssl asn1parse to display the key

openssl asn1parse <private.pem
    0:d=0  hl=3 l= 170 cons: SEQUENCE          
    3:d=1  hl=2 l=   1 prim: INTEGER           :00
    6:d=1  hl=2 l=  33 prim: INTEGER           :AC167CA35C178DF19A268632130DB41DEC2A2C64C9EA62378B69ED7B1AB3B5CF
   41:d=1  hl=2 l=   3 prim: INTEGER           :010001
   46:d=1  hl=2 l=  32 prim: INTEGER           :39B7CD14098648F078D06500148DEB13F550A241C528EA6A067BB6FDF106C1D1
   80:d=1  hl=2 l=  17 prim: INTEGER           :D7E48C0731A8E139DFDEE21D4E27FFD9
   99:d=1  hl=2 l=  17 prim: INTEGER           :CC0EA909988CFA47053C3A3F4BFC01E7
  118:d=1  hl=2 l=  16 prim: INTEGER           :0251B22F61992ED2305574985BFE9201
  136:d=1  hl=2 l=  16 prim: INTEGER           :650FD5B444F37D78F324D30C4A4BB37D
  154:d=1  hl=2 l=  17 prim: INTEGER           :CD155FF7DF3F02029831091B183962A6

Use option -pubout to extract public keys from private key (PEM format):

openssl rsa -in private.pem -pubout -out public.pem
writing RSA key

To view a public key from a PEM file, use options -pubin -text

openssl rsa -in public.pem -pubin -text
Public-Key: (256 bit)
Modulus:
    00:ac:16:7c:a3:5c:17:8d:f1:9a:26:86:32:13:0d:
    b4:1d:ec:2a:2c:64:c9:ea:62:37:8b:69:ed:7b:1a:
    b3:b5:cf
Exponent: 65537 (0x10001)
writing RSA key
-----BEGIN PUBLIC KEY-----
MDwwDQYJKoZIhvcNAQEBBQADKwAwKAIhAKwWfKNcF43xmiaGMhMNtB3sKixkyepi
N4tp7Xsas7XPAgMBAAE=
-----END PUBLIC KEY-----

Factor RSA modulus

Using Sage (see [3]):

# RSA 192-bit
mod192=0xbdd0fcbce5f05aae8049f0699443b575c3119a00f712fd67
print "Factoring RSA 192-bit modulus"
print "mod192=",mod192
print "Using factor():"
time mod192.factor()
print "Using ecm.factor():"
time ecm.factor(mod192)

This gives:

  Factoring RSA 192-bit modulus
  mod192= 4654283518078358737104805100407304944292151641869472955751
  Using factor():
  67662411935248621468167032027 * 68786840210963828271650042213
  Time: CPU 12.14 s, Wall: 13.55 s
  Using ecm.factor():
  [67662411935248621468167032027, 68786840210963828271650042213]
  Time: CPU 0.00 s, Wall: 62.04 s

Other method based on the General Number Field Sieve (GNFS). There are several free ports on Linux:

For instance, using YAFU. First factorization is for RSA 192-bit, second is for RSA 256-bit:

$ unzip yafu-1.19.2.zip
$ cd yafu-1.19.2
$ chmod +X yafu-*
$ ./yafu-64k-linux64

>> factor(4654283518078358737104805100407304944292151641869472955751)

factoring 4654283518078358737104805100407304944292151641869472955751

...

Total factoring time = 8.2085 seconds

***factors found***

PRP29 = 67662411935248621468167032027
PRP29 = 68786840210963828271650042213

or even better with multi-threading:

$ echo "factor(67838243504816110168272546172330833508240822615334162379358840774428225237019)" | ./yafu-64k-linux64 -threads 24

factoring 67838243504816110168272546172330833508240822615334162379358840774428225237019

...

Total factoring time = 17.05 seconds

***factors found***

PRP39 = 255668459558430779725491264793137830843
PRP39 = 265336770996237319406691555335704774433

Elliptic Curve Cryptography (ECC)

Standards:

Specifies the recommended curves for ECC (NIST Curve P-256, Curve P-384...).

Very nice introduction by Andrea Corbellini:

(including nice graphics and visuals with HTML5/Javascript, source available)

ECC Security

Polynomials Equations over F2

Misc Speed Info

HW LM
M/s
NTLM
M/s
MD5
M/s
Ref
NVidia Tesla S1070 680 2600 1920 [5]
NVidia GTX 295 250 1330 880-920 [6]
NVidia GTX 285 195 795 570-585 [7]
Intel Q6600 32 87 70

Ciphers

Bilateral ciphers

Example: http://www.cabinetmagazine.org/issues/40/sherman.php

In this example, people on a photograph are forming a coded phrase by facing forward or sideways, using the code:

code meaning code meaning code meaning code meaning
aaaaa A aaaab B aaaba C aaabb D
aabaa E aabab F aabba G aabbb H
abaaa I/J abaab K ababa L ababb M
abbaa N abbab O abbba P abbbb Q
baaaa R baaab S baaba T baabb U/V
babaa W babab X babba Y babbb Z
Sir Francis Bacon Bilateral code

This code was invented by Sir Francis Bacon. The power of that code is that a's and b's in a message can easily be hidden: he allowed the a’s and b’s in his system to designate the different forms of anything that can be divided into two classes, sorts, or types (which Bacon referred to as the a-form and the b-form). Examples of a/b-forms are: colors of flower, size of objects,


Stream Cipher

Security Properties

  • Stream cipher building block must be invertible, otherwise it is easy to create collisions.


Hash Functions

Security Attacks

  • Man-in-the-Middle pre-image attacks.
Principle is to generate a message m = m1||m2, such that H(m)=h. If H(m)=g(F(IV,m1),m2), the MITM attacks consists in generate random m1, m2 until one get G-1(h,m2) = F(IV,m1). Power of the attack relies on the fact that probability of finding a collision is inv. prop. to sqrt of the state size.
'Countermeasures' - prevent attacker to exploit symmmetry properties between round so that he can't discard part of the state, or control part of the state. Make attacker to use too much memory.