Weak Keys Detection in Network Devices

Slide Note
Embed
Share

TLS and SSH rely on RSA and DSA for security, but weaknesses in random number generation can lead to widespread weak keys among hosts on the Internet. This paper uncovers the prevalence of repeated keys and easily inferred private keys, emphasizing the importance of entropy pools in key generation. The experiment setup involved using Nmap and Amazon EC2 instances to scan for RSA and DSA keys, with results highlighting potential vulnerabilities. Additionally, the overview of RSA shows the risks of insecure key pairs and strategies to enhance security against factorization attacks.

guil_bin
guil_bin Follow

Uploaded on Oct 09, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices N. Heninger, Z. Durumeric, E. Wustrow, and J. A. Halderman, USENIX Sec 12 20194315 Duckwoo Kim 1

  2. Paper Summary TLS and SSH use RSA and DSA, which is very secure unless RNG (random number generator) malfunctions Are all hosts over Internet correctly generating their keys? 2

  3. Paper Summary No! There are mainly 2 problems: Repeated keys among multiple hosts- 5.57% of TLS-using hosts, 9.6% of SSH-using Easily inferred private keys - 0.5% of TLS-using hosts, 1.06% of SSH-using private key = d public key = (e, N) private key = d public key = (e , N ) private key = d public key = (e, N) d is ### Why? How to defense? * entropy pool is important 3

  4. Experiment Setup Finding all hosts over Internet Use Nmap Use 25 Amazon EC2 Micro, spread across worldwide Take ~25 hours Retrieving certificate and public keys Multiple run which target RSA-based keys, and DSA-based keys In RSA, parse the certificate chain Also get signature when DSA run Store into database, investigate them 4

  5. Experiment Result 5

  6. Experiment Result ? ? ? ? 6

  7. RSA Overview RSA use two random prime number (p, q) Public key: ?,? , ? = ?? Private key: ? = ? 1 ???(? 1)(? 1) It is very hard to factorize large ? into ? and ? Note: Computing ??? ?1,?2 is very fast 7

  8. RSA may not be Secure If ?1= ??1,?2= ??2, then ??? ?1,?2 = ? 1 We can factorize both ?1 and ?2! Getting ??? ?1,?2 takes ~15us However Pr(??? ?1,?2 1) is very small Attacker should consider all possible pairs (??, ??) for ? < ? < ? There are 6 1013pairs in gathered dataset It takes ~30 years How to reduce the computation time? 8

  9. RSA may not be Secure Use a Bernstein algorithm: 1. Compute ? = ?? 2. Compute ??= ? ?????2 3. if ??? ??,?? ~O(n) time complexity 1? ?? e.g. (vulnerable case) put ?1= ??1?2= ??2 P = ?2?1?2 ?1= ?2?1? + ??1??? ?2?12 = ?2?1? (?<?1) ??? ?1,?1 ?1 = ??? ??1,?? = ? 9

  10. DSA (digital signature algorithm) Overview DSA use two random prime number (p, q) + one more random number ? as ephemeral key Public key: ?,?,?,? , ? = ????? ?, ? is made from ? ??? ? Private key: ?,? , ? is ???? ????, and ? is ?? ?????? ??? Signature: (?,?), ? = ????? ? ??? ?, ? = ? 1? ? + ?? ??? ? It is very hard to infer ? or ? from public key and signature 10

  11. DSA may not be Secure If multiple signature with same ephemeral key k Generate (?1,?1), (?2,?2) using same ?,? ?1= ?2= ????? ? ??? ? ? ?1 ??1 ?? ??? ?, ? ?2 ??2 ?? ??? ? ? = ? 1? ? + ?? ??? ? ?? ? ? + ?? ??? ? (?1 ?2) 1??? ? ? = ? ?1 ? ?2 ? =? 1?? ? ? ??? ? ? = ? 1? ? + ?? ??? ? Summary: same public key, same ? private key exposed 11

  12. Randomness is very Important In RSA, all ?,? must not be duplicated when generated Also, the key itself should not be different to other hosts In DSA, random number ? should not be reused N = pq N = pq N = p q N = pq public key = (e, N) public key = (e , N ) public key = (e , N ) public key = (e, N) How to ensure randomness ? 12

  13. How to Ensure Randomness? Entropy: the randomness collected by an operating system or by an application (e.g. OpenSSL, Dropbear) There are many entropy source that cannot be predictable User input (mouse/keyboard), disk access timing, noise, Kernel stores these entropy source into entropy pool mix Entropy Pool 13

  14. How to Ensure Randomness? Kernel extract data from the pool to generate random num. Done by reading /dev/random or /dev/urandom If entropy pool is empty, then random will blocked, and wait until the pool is filled urandom will generate number anyway, with less randomness 14

  15. Linux RNG (random number generator) Entropy counter block (when less entropy) 780 Fresh entropy extract read update Blocking pool /dev/random synchronous extract Input pool extract read Nonblocking pool /dev/urandom asynchronous extract Most use this 15

  16. Linux RNG (random number generator) Entropy counter block (when less entropy) 10 Fresh entropy read /dev/random update Blocking pool X synchronous extract Input pool read /dev/urandom extract Nonblocking pool asynchronous extract Most use this 16

  17. Experiment Result (again) 17 Main problem is lack of entropy!

  18. Vulnerablities Lack of entropy in some timing at some devices Embedded and headless devices can t get entropy from user input Right after booting, there is entropy hole that machine didn t get enough entropy source During entropy hole, output of /dev/urandom is predictable and repeatable 18

  19. Vulnerablities Lack of entropy in some timing at some devices Embedded and headless devices 19

  20. Vulnerablities Applications does not work in secure well OpenSSL and Dropbear use their own entropy pool They first get a seed from Linux via /dev/urandom at launch If one generate multiple keys at same time, the random number may be repeated 20

  21. Vulnerablities Applications does not work in secure well Note: In one host using RSA, repeated N is better than repeated p OpenSSL changes entropy pool in the middle of key generation First numbers are generated from same pool, and second from different Only one different Problematic! Both factor different Very good Both factor repeated Not bad 21

  22. Vulnerablities Applications does not work in secure well 22

  23. Defense Various fields of developers all need to be careful For OS developers: Don t abuse /dev/urandom But random is much worse, so maybe new operation is needed Consider various device, such as the headless and embedded 23

  24. Defense Various fields of developers all need to be careful For library, app developers: Set default as the most secure configuration Dropbear has option that prevent repeated ephemeral key, but not default Use RSA and DSA defensively In RSA, make repeated key rather than repeated factor Generate keys in lazy manner, not on install or first boot 24

  25. Defense Various fields of developers all need to be careful For device manufacturers: Add seed entropy at the factory Each device in same model get unique state Ensure sufficient entropy source Be aware of that embedded device are lack of source Add HRNG (hardware random number generator) chip 25

  26. Defense Various fields of developers all need to be careful For certificate authorities: Check repeated, weak, factorable keys They can repeat our experiment For end users: Do not use default key Check for known weak keys 26

  27. Related Works Other cryptographic vulnerabilities Unsecure ECDSA key Elliptic curve cryptography in practice. , FC 14 Diffie-Hellman algorithm Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice , CCS 15 Malfunction of RNG Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is not Robust, CCS 13 Not-so-random numbers in virtualized Linux and the Whirlwind RNG, SP 14 27

  28. Conclusion Insecure RNG makes TLS and SSH vulnerable There are already lots of vulnerable private keys throughout the Internet Simple scanning and analysis can find subtle flaws in cryptographic implementations This works are a reminder to everyone 28

Related


Key and Splines Design at Minia University

Key and Splines Design at Minia University

elja911
Understanding Keys in Relational Databases

Understanding Keys in Relational Databases

valentin
Understanding Intrusion Detection Systems (IDS) and Snort in Network Security

Understanding Intrusion Detection Systems (IDS) and Snort in Network Security

adrol
Exploring Computer Keyboards And Typewriters

Exploring Computer Keyboards And Typewriters

isabela
Understanding Matching Keys in Database Systems

Understanding Matching Keys in Database Systems

keagen
Understanding I/O Systems and Devices

Understanding I/O Systems and Devices

dson
Automated Anomaly Detection Tool for Network Performance Optimization

Automated Anomaly Detection Tool for Network Performance Optimization

sana
LD-Sketch: Distributed Sketching Design for Anomaly Detection in Network Data Streams

LD-Sketch: Distributed Sketching Design for Anomaly Detection in Network Data Streams

khgs736
Understanding Strong and Weak Forms in English Pronunciation

Understanding Strong and Weak Forms in English Pronunciation

kason
Understanding the Key Concepts of Relational Databases

Understanding the Key Concepts of Relational Databases

marcello
Understanding Database Constraints, Keys, and Triggers

Understanding Database Constraints, Keys, and Triggers

mach848
Automated Melanoma Detection Using Convolutional Neural Network

Automated Melanoma Detection Using Convolutional Neural Network

shiloh
Understanding Network Devices and Connectivity

Understanding Network Devices and Connectivity

jay
Overview of GRANDproto Project Workshop on Autonomous Radio Detection

Overview of GRANDproto Project Workshop on Autonomous Radio Detection

eri_sto
Anomaly-Based Network Intrusion Detection in Cyber Security

Anomaly-Based Network Intrusion Detection in Cyber Security

kam_for
Understanding Snort: An Open-Source Network Intrusion Detection System

Understanding Snort: An Open-Source Network Intrusion Detection System

farah
Understanding Face Detection via AdaBoost - CSE 455.1

Understanding Face Detection via AdaBoost - CSE 455.1

alas797
Methods and Devices for Detection of Deception

Methods and Devices for Detection of Deception

nyx_f
Network Function Virtualization (NFV) Overview

Network Function Virtualization (NFV) Overview

brey983
Enhancing Network Stability with Network Monitoring Systems

Enhancing Network Stability with Network Monitoring Systems

rosa_735
Computer Peripherals and Interfacing

Computer Peripherals and Interfacing

ellen
Understanding Input and Output Devices in Computing

Understanding Input and Output Devices in Computing

esha
Overview of Computer Input and Output Devices

Overview of Computer Input and Output Devices

brennan
Understanding Weak Superconductivity and Functional Coordinates

Understanding Weak Superconductivity and Functional Coordinates

hallisey_n

More Related Content

Understanding Acids and Bases: Ionization and Properties
Understanding Acids and Bases: Ionization and Properties
Understanding Acids and Bases in Chemistry: Key Concepts and Terminology
Understanding Acids and Bases in Chemistry: Key Concepts and Terminology
Weak Supervision for NLP: Overcoming Labelled Data Challenges
Weak Supervision for NLP: Overcoming Labelled Data Challenges
Colorimetric Detection of Hydrogen Peroxide Using Magnetic Rod-Based Metal-Organic Framework Composites
Colorimetric Detection of Hydrogen Peroxide Using Magnetic Rod-Based Metal-Organic Framework Composites
Understanding Anomaly Detection in Data Mining
Understanding Anomaly Detection in Data Mining
Object Detection Techniques Overview
Object Detection Techniques Overview
Security Concerns and Future Challenges of Internet Connected Devices in Budva, Montenegro
Security Concerns and Future Challenges of Internet Connected Devices in Budva, Montenegro
Innovative Device-Free Passive Motion Detection System
Innovative Device-Free Passive Motion Detection System
Understanding VSAM Logical Record Access Methods
Understanding VSAM Logical Record Access Methods
Key Management and Distribution Techniques in Cryptography
Key Management and Distribution Techniques in Cryptography
Introduction to Public Key Cryptography
Introduction to Public Key Cryptography
Understanding Database Management Systems and Keys in SQL
Understanding Database Management Systems and Keys in SQL
Exploring Dichotomous Keys in Biology
Exploring Dichotomous Keys in Biology
Understanding Cryptography and Symmetric Keys in Digital Communication
Understanding Cryptography and Symmetric Keys in Digital Communication
The Case of the Missing Keys
The Case of the Missing Keys
Advanced SQL Concepts and Queries Overview
Advanced SQL Concepts and Queries Overview
Understanding Edge Computing for Optimizing Internet Devices
Understanding Edge Computing for Optimizing Internet Devices
Understanding Distributed Hash Tables in Peer-to-Peer Systems
Understanding Distributed Hash Tables in Peer-to-Peer Systems
Network Slicing with OAI 5G CN Workshop Overview
Network Slicing with OAI 5G CN Workshop Overview
DoS Detection for IoT Networks Using Machine Learning: Study Overview
DoS Detection for IoT Networks Using Machine Learning: Study Overview
Automotive Grade 10 Joining Methods: Locking Devices Overview
Automotive Grade 10 Joining Methods: Locking Devices Overview
Understanding Basics of Computer Systems
Understanding Basics of Computer Systems
Wireless Office Docking Model for Multiple Devices
Wireless Office Docking Model for Multiple Devices
Gait Device Selection for Children with Lumbar Level Myelomeningocele
Gait Device Selection for Children with Lumbar Level Myelomeningocele