{"id":8307,"date":"2019-01-21T13:31:38","date_gmt":"2019-01-21T18:31:38","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=8307"},"modified":"2021-03-12T15:28:12","modified_gmt":"2021-03-12T20:28:12","slug":"is-it-still-safe-to-use-rsa-encryption","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/is-it-still-safe-to-use-rsa-encryption\/","title":{"rendered":"Is it still safe to use RSA Encryption?"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-rsa-could-potentially-be-cracked-by-careless-implementation-but-does-that-mean-it-s-broken\">RSA could potentially be cracked by careless implementation, but does that mean\nit\u2019s broken?<\/h2>\n\n\n\n<p>Let\u2019s talk about RSA encryption. Last month we wrote about an exploit called <a href=\"https:\/\/www.thesslstore.com\/blog\/bleichenbachers-cat-rsa-key-exchange\/\">Bleichenbacher\u2019s CAT<\/a> that could impact RSA key generation. Today we\u2019re going to discuss how poorly configured RSA can lead to cracked public keys.<\/p>\n\n\n\n<p>This actually isn\u2019t new research, <a href=\"https:\/\/eprint.iacr.org\/2012\/064.pdf\">it stems from a 2012 research paper<\/a>,\nbut a blog post by William Kuszmaul on Algorithm Soup last week kicked the\ntires on it. <a href=\"https:\/\/algorithmsoup.wordpress.com\/2019\/01\/15\/breaking-an-unbreakable-code-part-1-the-hack\/\">You\ncan find that post here<\/a>, it\u2019s very well written, William is an MIT PHD\nstudent that specializes in computer science and algorithms. <\/p>\n\n\n\n<p>Or, if that sounds a bit daunting you can let me hash it out\nfor you.<\/p>\n\n\n\n<p>Either way, today we\u2019ll be discussing the RSA cryptosystem, its\nweaknesses and why random number generators may not be so random after all. <\/p>\n\n\n\n<p>Let\u2019s hash it out. <span id=\"newline\"><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-let-s-start-with-rsa\">Let\u2019s start with RSA<\/h2>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"171\" height=\"300\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/Encryption-HO-Colored-171x300.png\" alt=\"Encryption\" class=\"wp-image-9992\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/Encryption-HO-Colored-171x300.png 171w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/Encryption-HO-Colored-584x1024.png 584w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/Encryption-HO-Colored.png 748w\" sizes=\"auto, (max-width: 171px) 100vw, 171px\" \/><\/figure><\/div>\n\n\n\n<p>RSA stands for Rivest-Shamir-Adleman, the surnames of its creators. As we\u2019ve discussed before, <a href=\"https:\/\/www.thesslstore.com\/blog\/public-key-cryptography-key-exchange\/\">Public Key cryptography<\/a> was actually \u201cdiscovered\u201d twice, once by the UK\u2019s GCHQ in 1973 \u2013 at the time it was deemed impractical \u2013 and then by Whitfield Diffie and Martin Hellman (with an assist from Ralph Merkle) in 1976. <\/p>\n\n\n\n<p>At that point things were still fairly theoretical, nobody\nhad been able to make the encryption a one-way function, one that was nearly\nimpossible to reverse engineer. <\/p>\n\n\n\n<p>Ron Rivest, Adi Shamir and Leonard Adleman set out to accomplish that in 1977. Rivest and Shamir were both computer scientists while Adleman was a mathematician. Eventually after several failed approaches (and having nearly lost all hope), they arrived at prime factorization as a method for one-way encryption.<\/p>\n\n\n\n<p> [<em>Prime numbers &#8211; for those who slept through high school math &#8211; are numbers greater than one that are only divisible by one and themselves (factors).<\/em>] <\/p>\n\n\n\n<p>Remember, public key encryption, one-way encryption, asymmetric encryption \u2013 whatever you feel like calling it \u2013 is what facilitates key exchange with SSL\/TLS. We\u2019ve given an over-the-top look at this before, today we\u2019ll dive a little bit deeper.<\/p>\n\n\n\n<span style=\"--tl-form-height-m:150.25px;--tl-form-height-t:121.4583px;--tl-form-height-d:121.4583px;\" class=\"tl-placeholder-f-type-shortcode_12753 tl-preload-form\"><span><\/span><\/span>\n\n\n\n<p>When we mention prime factorization, what\u2019s meant is that RSA uses two large random prime numbers (<em>p<\/em> and <em>q<\/em>) \u2013 we\u2019re talking huge, hundreds of bits long \u2013 and multiplies them to create a public key. <\/p>\n\n\n\n<p>So, <em>p * q = x<\/em><\/p>\n\n\n\n<p>And, <em>x = Public Key<\/em><\/p>\n\n\n\n<p>Anyone can take the public key and use it to encrypt a piece of data. Typically in the context of SSL\/TLS what\u2019s being encrypted is the <a href=\"https:\/\/www.thesslstore.com\/blog\/difference-encryption-hashing-salting\/\">session key<\/a>. However, without knowing the values of the two prime numbers,<em> p<\/em> and <em>q<\/em>, nobody else can decrypt the message.<\/p>\n\n\n\n<p>To give you a better idea of the computational hardness of RSA, factoring a 232-digit number took a <a href=\"http:\/\/eprint.iacr.org\/2010\/006.pdf\">group of researchers<\/a> over 1,500 years of computing time (distributed across hundreds of computers). You can also check out this video.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Security Of RSA - Applied Cryptography\" width=\"960\" height=\"540\" src=\"https:\/\/www.youtube.com\/embed\/-SK3qIjz5P8?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>Typically, key length is what indicates computational hardness. Currently the standard is 2,048-bit RSA keys, up from 1,024, which was allowable until just a few years ago. Some organizations use 3,072-bit and 4,096-bit keys, but as RSA key sizes grow, the amount of security provided by them isn\u2019t commensurate to the amount of computational power that will be required to use them. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-so-what-s-the-problem-with-rsa\">So, what\u2019s the problem with RSA?<\/h2>\n\n\n\n<p>Well, aside from the fact it scales poorly, the Achilles heel for RSA is that it relies on random number generators to determine the prime numbers (<em>p<\/em> and <em>q<\/em>). <\/p>\n\n\n\n<p>A random number generator (RNG) is really just a device or program\nthat generates a sequence of numbers that can\u2019t be predicted with any more\nprobability than you would have at random. Hence the name.<\/p>\n\n\n\n<p>From an RSA standpoint, RNGs have two big problems:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>They\u2019re not really that random<\/li><li>Almost everyone uses the same ones<\/li><\/ol>\n\n\n\n<p>I\u2019m going to try to keep this high level because I am not a mathematician and I don\u2019t want your eyes to glaze over and roll up into the back of your skull. [Update: we ended up covering RNGs about a month later, <a href=\"https:\/\/www.thesslstore.com\/blog\/why-all-the-fuss-about-64-bit-serial-numbers\/\">you can read about them here<\/a>] So, here goes:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/CSPRNG-300x300.png\" alt=\"Random number generator\" class=\"wp-image-9994\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/CSPRNG-300x300.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/CSPRNG-768x768.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/CSPRNG-1024x1024.png 1024w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure><\/div>\n\n\n\n<p>There are, for all intents and purposes, two ways to\nrandomly generate numbers. The first requires you to map some naturally occurring\nevent or phenomenon that is expected to be random. There\u2019s actually a fairly <a href=\"https:\/\/onlinelibrary.wiley.com\/doi\/full\/10.1002\/adts.201800154\">new biological\nkey generation method being tested at Penn State University<\/a> that maps the\nmovement of living cells against a grid that\u2019s overlaid and then uses that to\ngenerate a cryptographic key. Cloudflare does something similar <a href=\"https:\/\/blog.cloudflare.com\/lavarand-in-production-the-nitty-gritty-technical-details\/\">with\nthe lava lamps in its lobby<\/a>. <\/p>\n\n\n\n<p>Frankly, the first way is kind of fascinating but it\u2019s also\na rabbit hole that we\u2019re going to avoid right now. The second method is called\npseudorandom number generation and it relies on computational algorithms. For\nthe sake of RSA encryption we call these cryptographically secure pseudorandom\nnumber generators (CSPRNGs) and they produce long sequences of what appear to\nbe random results, which are actually determined entirely on the basis of a\nshorter value, called a seed. <\/p>\n\n\n\n<p>Here\u2019s a list of some of the most commonly used CSPRNGs that\nhave been standardized:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>FIPS 186-4<\/li><li>NIST SP 800-900A Rev. 1<\/li><li>ANSI X9.17-1985 Appendix C<\/li><li>ANSI X9.31-1998 Appendix A.2.4<\/li><li>ANSI X9.62-2005, Annex D<\/li><\/ul>\n\n\n\n<p>Let\u2019s get back to seeds. When you hear politicians and law enforcement officials talk about <a href=\"https:\/\/www.thesslstore.com\/blog\/five-eyes-intelligence-alliance-demanding-encryption-backdoors\/\">encryption backdoors<\/a>, one way to accomplish that is to share the seed that was used during key generation, which can help to determine the value of the keys faster and more efficiently. <\/p>\n\n\n\n<p>This lack of seed diversity goes back to the first issue RSA\nhas: the prime numbers being generated aren\u2019t really random. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-rsa-encryption-provides-less-than-99-8-security\">RSA Encryption Provides less than 99.8% security<\/h2>\n\n\n\n<p>The 2012 research paper, titled \u201c<a href=\"https:\/\/eprint.iacr.org\/2012\/064.pdf\">Ron was wrong, Whit is right<\/a>\u201d (alluding to Ron Rivest of RSA fame and Whitfield Diffie of Diffie-Hellman), sought to examine the \u201cvalidity of the assumption that different random choices are made each time keys are generated.\u201d<\/p>\n\n\n\n<p>We\u2019ve already covered the issues with random number\ngeneration not being so random, and that the same methods for RNG are widely\nused. The result is that many public keys share a prime.<\/p>\n\n\n\n<p>But why is that a problem?<\/p>\n\n\n\n<p><a href=\"https:\/\/www.i-programmer.info\/news\/149-security\/12471-rsa-encryption-cracked-by-careless-implemenation.html\">Here&#8217;s why<\/a>:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>This is where the surprise comes in for any non-number theory expert. If two public keys share a prime then this prime is a common divisor and, the surprise is that, it is easier to find the greatest common denominator of two numbers than it is to factor a number. Finding a common divisor takes time proportional to the number of digits. Once you have the common divisor you can read messages sent by any of the public keys.<\/p><\/blockquote>\n\n\n\n<p>What that means, is that you could, for instance, grab a copy of the session key being exchanged during the SSL\/TLS handshake and eavesdrop on the entire connection. <\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>Armed with this idea, the researchers scanned the web and collected 6.2 million actual public keys. They then computed the largest common divisor between pairs of keys, cracking a key whenever it shared a prime factor with any other key. All in all, they were able to break 12,934 keys. In other words, if used carelessly, RSA encryption provides less than 99.8% security.<\/p><\/blockquote>\n\n\n\n<p>That sounds negligible, it\u2019s about two in every 1,000. <\/p>\n\n\n\n<p>But does that mean RSA is cracked? Not quite, just vulnerable. One of the things that the researchers from the 2012 paper downplayed, and the element that caught William\u2019s attention, was the algorithm that was used during the research to help factor and crack nearly 13,000 public keys.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>According to the authors, they were able to run the entire computation in a matter of hours on a <em>single<\/em> core. But a back-of-the-envelope calculation suggests that it should take <em>years<\/em>&nbsp;to compute GCD\u2019s between 36 trillion pairs of keys, not <em>hours<\/em>.<\/p><\/blockquote>\n\n\n\n<p>This was accomplished with an ingenious, yet purposely opaque algorithm and something called a triple-logarithmic factor. <a href=\"https:\/\/pure.tue.nl\/ws\/files\/67735608\/741686-1.pdf\">According to one paper<\/a> such an algorithm would take roughly 7.65 seconds per 1,000 keys, which would take about 13 hours to run all 6.2-million keys. Another, <a href=\"https:\/\/www.usenix.org\/system\/files\/conference\/usenixsecurity12\/sec12-final228.pdf\">slightly more elegant version<\/a> of the algorithm could run 1,000 in 4.5 seconds, which would take about seven and a half hours to complete all 6.2 million. <\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"201\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/Encryption-Key-300x201.png\" alt=\"Encryption key\" class=\"wp-image-9993\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/Encryption-Key-300x200.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/Encryption-Key-768x515.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/Encryption-Key-1024x686.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/Encryption-Key.png 1092w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure><\/div>\n\n\n\n<p>Let\u2019s double back to our original question. Is RSA cracked? No, but again, it\u2019s vulnerable. The vast majority of the cracked keys were from devices like routers, or embedded applications like firewalls. This would point to the fact that many manufacturers are likely using the same RNG and possibly even the same seeding. <\/p>\n\n\n\n<p>Ironically, it seems to be easier to break keys in batches than doing it one-by-one. That means you need to ensure that none of your public keys share primes with related keys. Also, assess what CSPRNG you\u2019re using and review whether it provides sufficient entropy. Entropy, for lack of a better definition, is a measure of randomness. The more random \u2013 the better. <\/p>\n\n\n\n<p>Or, as we suggested in our last RSA-related blog post, <a href=\"https:\/\/www.thesslstore.com\/blog\/bleichenbachers-cat-rsa-key-exchange\/\">you could always just switch to Elliptic Curve Diffie-Helman<\/a>.<\/p>\n\n\n\n<p><em>As always, leave any comments or questions below\u2026<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"267\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-1024x267.jpg\" alt=\"Hashed Out by The SSL Store is the voice of record in the SSL\/TLS industry.\" class=\"wp-image-7276\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-1024x267.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-300x78.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-768x200.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568.jpg 1559w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>RSA could potentially be cracked by careless implementation, but does that mean it\u2019s broken? Let\u2019s talk about RSA encryption. Last month we wrote about an exploit called Bleichenbacher\u2019s CAT that&#8230;<\/p>\n","protected":false},"author":6,"featured_media":9990,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[130],"tags":[9431],"class_list":["post-8307","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-everything-encryption","tag-rsa","post-with-tags"],"views":63412,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/HO-RSA.png","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/8307","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=8307"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/8307\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/9990"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=8307"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=8307"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=8307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}