nach oben

Erschienen in:

2019 | OriginalPaper | Buchkapitel

Safety in Numbers: On the Need for Robust Diffie-Hellman Parameter Validation

verfasst von : Steven Galbraith, Jake Massimo, Kenneth G. Paterson

Erschienen in: Public-Key Cryptography – PKC 2019

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

We consider the problem of constructing Diffie-Hellman (DH) parameters which pass standard approaches to parameter validation but for which the Discrete Logarithm Problem (DLP) is relatively easy to solve. We consider both the finite field setting and the elliptic curve setting.

For finite fields, we show how to construct DH parameters (p, q, g) for the safe prime setting in which \(p=2q+1\) is prime, q is relatively smooth but fools random-base Miller-Rabin primality testing with some reasonable probability, and g is of order q mod p. The construction involves modifying and combining known methods for obtaining Carmichael numbers. Concretely, we provide an example with 1024-bit p which passes OpenSSL’s Diffie-Hellman validation procedure with probability \(2^{-24}\) (for versions of OpenSSL prior to 1.1.0i). Here, the largest factor of q has 121 bits, meaning that the DLP can be solved with about \(2^{64}\) effort using the Pohlig-Hellman algorithm. We go on to explain how this parameter set can be used to mount offline dictionary attacks against PAKE protocols. In the elliptic curve case, we use an algorithm of Bröker and Stevenhagen to construct an elliptic curve E over a finite field \({\mathbb {F}}_p\) having a specified number of points n. We are able to select n of the form \(h\cdot q\) such that h is a small co-factor, q is relatively smooth but fools random-base Miller-Rabin primality testing with some reasonable probability, and E has a point of order q. Concretely, we provide example curves at the 128-bit security level with \(h=1\), where q passes a single random-base Miller-Rabin primality test with probability 1/4 and where the elliptic curve DLP can be solved with about \(2^{44}\) effort. Alternatively, we can pass the test with probability 1/8 and solve the elliptic curve DLP with about \(2^{35.5}\) effort. These ECDH parameter sets lead to similar attacks on PAKE protocols relying on elliptic curves.

Our work shows the importance of performing proper (EC)DH parameter validation in cryptographic implementations and/or the wisdom of relying on standardised parameter sets of known provenance.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Generic Constructions of Robustly Reusable Fuzzy Extractor

Nächstes Kapitel Hunting and Gathering – Verifiable Random Functions from Standard Assumptions with Short Proofs

See https://www.openssl.org/docs/man1.1.1/man3/DH_check.html for a description and https://github.com/openssl/openssl/blob/master/crypto/dh/dh_check.c for source code.

For if p is not a safe prime, then the client is forced to blindly accept the parameters or to do an expensive computation to factorise \(p-1\) and then test g for different possible orders arising as factors of \(p-1\). We know of no cryptographic library that does the latter.

Of course, one could choose not to restrict \(L^*\) in this way and just filter the resulting set \({\mathcal {P}}(L^*)\) for primes that are \(11 \bmod 12\), but this involves wasted computation and the use of larger \(L^*\) than is necessary.

Interestingly, the last time these iteration counts were changed was in February 2000 (OpenSSL version 0.9.5), before which they were all 2, independent of the bit-size of the number being tested.

[ABD+15]

Adrian, D., et al.: Imperfect forward secrecy: how Diffie-Hellman fails in practice. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 5–17. ACM Press, October 2015

[AMPS18]

Albrecht, M.R., Massimo, J., Paterson, K.G., Somorovsky, J.: Prime and prejudice: primality testing under adversarial conditions. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, Toronto, Canada, 15–19 October 2018 (2018)

[Arn95]

Arnault, F.: Constructing Carmichael numbers which are strong pseudoprimes to several bases. J. Symb. Comput. 20(2), 151–161 (1995)MathSciNetCrossRef

[ASS+16]

Aviram, N., et al.: DROWN: breaking TLS using SSLv2. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 2016, Austin, TX, USA, 10–12 August 2016, pp. 689–706. USENIX Association (2016)

[BBD+15]

Beurdouche, B., et al.: A messy state of the union: taming the composite state machines of TLS. In: 2015 IEEE Symposium on Security and Privacy, pp. 535–552. IEEE Computer Society Press, May 2015

[BCC+15]

Bernstein, D.J., et al.: How to manipulate curve standards: a white paper for the black hat http://bada55.cr.yp.to. In: Chen, L., Matsuo, S. (eds.) SSR 2015. LNCS, vol. 9497, pp. 109–139. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-27152-1_6CrossRef

[BCLN16]

Bos, J.W., Costello, C., Longa, P., Naehrig, M.: Selecting elliptic curves for cryptography: an efficiency and security analysis. J. Crypt. Eng. 6(4), 259–286 (2016)CrossRef

[BL07]

Bernstein, D.J., Lange, T.: Faster addition and doubling on elliptic curves. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 29–50. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_3CrossRef

[Ble05]

Bleichenbacher, D.: Breaking a cryptographic protocol with pseudoprimes. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 9–15. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30580-4_2CrossRef

[BPR14]

Bellare, M., Paterson, K.G., Rogaway, P.: Security of symmetric encryption against mass surveillance. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 1–19. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_1CrossRef

[BS05]

Bröker, R., Stevenhagen, P.: Constructing elliptic curves in almost polynomial time. arXiv:math/0511729 (2005)

[BWBG+06]

Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., Moeller, B.: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS). RFC 4492 (Informational), May 2006. Obsoleted by RFC 8422, updated by RFCs 5246, 7027, 7919

[CMG+16]

Checkoway, S., et al.: A systematic analysis of the juniper dual EC incident. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers,A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 468–479. ACM Press, October 2016

[CNE+14]

Checkoway, S., et al.: On the practical exploitability of dual EC in TLS implementations. In: Fu, K., Jung, J. (eds.) Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, 20–22 August 2014, pp. 319–335. USENIX Association (2014)

[DGG+15]

Dodis, Y., Ganesh, C., Golovnev, A., Juels, A., Ristenpart, T.: A formal treatment of backdoored pseudorandom generators. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 101–126. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_5CrossRef

[DLP93]

Damgård, I., Landrock, P., Pomerance, C.: Average case error estimates for the strong probable prime test. Math. Comput. 61(203), 177–194 (1993)MathSciNetCrossRef

[DPSW16]

Degabriele, J.P., Paterson, K.G., Schuldt, J.C.N., Woodage, J.: Backdoors in pseudorandom number generators: possibility and impossibility results. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part I. LNCS, vol. 9814, pp. 403–432. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_15CrossRefMATH

[Erd56]

Erdös, P.: On pseudoprimes and Carmichael numbers. Publ. Math. Debrecen 4, 201–206 (1956)MathSciNetMATH

[FGHT17]

Fried, J., Gaudry, P., Heninger, N., Thomé, E.: A kilobit hidden SNFS discrete logarithm computation. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 202–231. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_8CrossRef

[Gil16]

Gillmor, D.: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS). RFC 7919 (Proposed Standard), August 2016

[GMP19]

Galbraith, S., Massimo, J., Paterson, K.G.: Safety in Numbers: On the Need for Robust Diffie-Hellman Parameter Validation. Cryptology ePrint Archive, Report 2019/032 (2019). https://eprint.iacr.org/2019/032

[Gor93]

Gordon, D.M.: Designing and detecting trapdoors for discrete log cryptosystems. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 66–75. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_5CrossRef

[GP02]

Granville, A., Pomerance, C.: Two contradictory conjectures concerning Carmichael numbers. Math. Comput. 71(238), 883–908 (2002)MathSciNetCrossRef

[Hao17]

Hao, F. (ed.): J-PAKE: Password-Authenticated Key Exchange by Juggling. RFC 8236 (Informational), September 2017

[JP06]

Joye, M., Paillier, P.: Fast generation of prime numbers on portable devices: an update. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 160–173. Springer, Heidelberg (2006). https://doi.org/10.1007/11894063_13CrossRef

[JPV00]

Joye, M., Paillier, P., Vaudenay, S.: Efficient generation of prime numbers. In: Koç, Ç.K., Paar, C. (eds.) CHES 2000. LNCS, vol. 1965, pp. 340–354. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44499-8_27CrossRef

[LL97]

Lim, C.H., Lee, P.J.: A key recovery attack on discrete log-based schemes using a prime order subgroup. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 249–263. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052240CrossRef

[Mon80]

Monier, L.: Evaluation and comparison of two efficient probabilistic primality testing algorithms. Theor. Comput. Sci. 12(1), 97–108 (1980)MathSciNetCrossRef

[Nar14]

Narayanan, S.: Improving the Speed and Accuracy of the Miller-Rabin Primality Test. MIT PRIMES-USA (2014). https://math.mit.edu/research/highschool/primes/materials/2014/-Narayanan.pdf

[Pin08]

Pinch, R.G.E.: The Carmichael numbers up to \(10^{21}\). In: Proceedings Conference on Algorithmic Number Theory, vol. 46. Turku Centre for Computer Science General Publications (2008)

[Rab80]

Rabin, M.O.: Probabilistic algorithm for testing primality. J. Number Theory 12(1), 128–138 (1980)MathSciNetCrossRef

[S+18]

Stein, W., et al.: Sage Mathematics Software Version 8.3. The Sage Development Team (2018). http://www.sagemath.org

[TWMP07]

Taylor, D., Wu, T., Mavrogiannopoulos, N., Perrin, T.: Using the Secure Remote Password (SRP) Protocol for TLS Authentication. RFC 5054 (Informational), November 2007

[VAS+17]

Valenta, L., et al.: Measuring small subgroup attacks against Diffie-Hellman. In: NDSS 2017. The Internet Society, February/March 2017

[Won16]

Wong, D.: How to backdoor Diffie-Hellman. Cryptology ePrint Archive, Report 2016/644 (2016). https://eprint.iacr.org/2016/644

[Wu00]

Wu, T.: The SRP Authentication and Key Exchange System. RFC 2945 (Proposed Standard), September 2000

[YY97]

Young, A., Yung, M.: Kleptography: using cryptography against cryptography. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 62–74. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_6CrossRef

Titel: Safety in Numbers: On the Need for Robust Diffie-Hellman Parameter Validation
verfasst von: Steven Galbraith
Jake Massimo
Kenneth G. Paterson
Verlag: Springer International Publishing
Buch: Public-Key Cryptography – PKC 2019
Print ISBN: 978-3-030-17258-9

Electronic ISBN: 978-3-030-17259-6

Copyright-Jahr: 2019
DOI: https://doi.org/10.1007/978-3-030-17259-6_13

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner