What Did The Ancient Chinese Teach Us About Hacking?
What Did The Ancient Chinese Teach Us About Hacking?
And so a large army met. The general asks the collected troops to arrange themselves into groups of 50. He counts that there are four troops left without a group. He then asks for groups of 60, and there are 14 left, and finally, he asks for groups of 70, and there are 24 left. The general stands up and tells the army that they are 201,554 strong. So how did the general do it?
>>> army%50
4
>>> army%60
14
>>> army%70
24
>>> print (army)
201554
The Chinese remainder theorem was first published by Chinese mathematician Sun Tzu. It determines a number x so that, when divided by some given divisors, leaves given remainders. As public key encryption typically involves this type of operation, CRT is well setup to help to crack encrypted messages. So what value will x equal in the following [Soln]:
x mod 3 = 2
x mod 5 = 3
x mod 7 = 2
The answer is 23, as 23 divided by 3 gives 21 remainder 2, 23 divided by 5 gives 4 remainder 3, and 23 divided by 7 gives 3 remainder 2.
CRT and RSA
If we capture enough RSA encrypted messages with the same e value and different modulus values (N), we can crack the message using Chinese Remainder Theorem (CRT). For example, if we have an e value of 3 we just need to capture three cipher messages to be able to recover the message.
In this case, we will use the following (where p1 and q1 generate N1, p2 and q2 generate N2 and p3 and q3 generate N3):
e=3,
message=123456789123456,
p1=1131701, q1=1131721,
p2=1131727, q2=1131737,
p3=1131749, q3=1131751
The run the gives:
eGCD of N values: 1
N1= 1280769787421 N2= 1280817319799 N3= 1280858062499
Message= 1234567891234 e= 3
Cipher1= 184224238921 Cipher2= 173356604414 Cipher3= 369941826218
The equations we have to solve are then:
M^e mod 1280769787421=184224238921
M^e mod 1280817319799=173356604414
M^e mod 1280858062499=369941826218
If we now use Chinese Remainder Theorem we get a result of:
Result (M^e) is: 188,1676,377,431,587,319,857,436,861,793,600,904
And then we just use: 10^(log10(M^e)/e)
and recover the message of 1234567891234
Try here.
A more detailed example is [here]:
N1= 20439437 N2= 20684303 N3= 20830087
Message= 1500000 e= 3
Cipher1= 6509102 Cipher2= 9683741 Cipher3= 3214286
=======Equations to solve=======
M^e mod 20439437=6509102
M^e mod 20684303=9683741
M^e mod 20830087=3214286
======Chinese Remainder Theorm Calc========
Result (M^e) is: 3375000000000000000
Calculated value of m is 1500000 Using 10^(log10(M^e)/e)
So what?
Werner Schindler [here] defined a timing attack on RSA which involves a factorization on the RSA-modulus if CRT has been used. The work goes back to 1996, when Arjen Lenstra defined an attack against an optimization (called the CRT). If a fault was generated in calculating a signature (using RSA-CRT optimization), the attacker can recover the associated private key from a signature. This is known as the “RSA-CRT key leak”.
Many systems have been immune from this attack as TLS did not use an RSA signature. Unfortunately, the forward security option in TLS is now being recommended, and this has re-introduced the problem.
Researchers at Red Hat [here] also now found many Web sites which were not hardened against this type of attack and found quite a few with RSA-CRT key leaks (none of which were code repositories). They found that the private key of a Web site can be leaked to the intruder, who can then decoded all of the encrypted communications with the site, and also impersonate it.
Forward secrecy is used with a key-exchange method and uses a session key which derives itself from a given set of long-term keys and which will not reveal the session key even in the long-term keys are breached.
How do we protect against this?
There are two ways to defend against this attack. The first is to make sure that e always exceeds the copies of messages that can be copied, and the other is to pad messages with random bits. In most applications, now e is 65,537.