Asymmetric algorithms

encryptioncrypto101

Asymmetric algorithms (a.k.a. public-key algorithm) are algorithms in which different keys are used to encrypt and decrypt a cipher.

๐Ÿ‘‰ Used in key exchange (SSL...), digital signatures...

Encryption: we generate a cipher (c) from a message (m), encrypted with a public key (pk) using an algorithm C: c = C(pk, m)

Decryption: we generate back the message (m) from the cipher (c), a private key (sk), and using an algorithm D: m = D(sk, c)


Knapsack problem (sac-ร -dos) of Merkle-Hellman

Merkle-Hellman knapsack problem is one of the earliest public-key algorithms ๐Ÿฃ. The private key is a super-increasing knapsack problem, while the public key is the private key transformed enough so that it becomes a knapsack problem.

Knapsack problem

The most well-known bag/knapsack problem is the 0-1 knapsack problem. You got a "bag/Knapsack" of numbers (ex: 23, 5, 11, 2, 55). Your message is made of 0, and 1, and using this method 1 means you picked something from the bag, 0 means you didn't. Then, make the sum of the numbers you picked in the bag to create the cipher. Note that you will have to split the message into groups having the size of the knapsack.

  • Knapsack: $2, 5, 11, 23, 55$ (up to you, size=6)
  • Message: $1100111001 = 11001\ 10001$ (group of 6)
  • Cipher
    • $2 + 5 + 0 + 0 + 55 = 62$ (first group)
    • $2 + 0 + 0 + 0 + 55 = 57$ (second group)
  • Cipher text: $62, 57$
Super-increasing knapsack problem

An easy knapsack problem is the super-increasing knapsack problem, in which every next entry of the bag is greater than the sum of the previous terms. It makes it easy to decipher the message without the key, as if the cipher is greater than or equal to the current greatest value of the knapsack, then it is inside the knapsack of the message.

  • Knapsack: $2, 5, 11, 23, 55$
  • Cipher: 62
  • Decipher
    • $62 \ge 55$ ? yes, then 55 is in.
    • $7 \ge 23$ ? no, then 23 is not in
    • $7 \ge 11$ ? no, then 11 is not in.
    • $7 \ge 5$ ? yes, then 5 is in.
    • $2 \ge 2$ ? yes, then 2 is in.
  • Result: 11001
Generate a public key

We will pick a value $N$ greater than the sum of the values in the Knapsack, and a number $W$, so that $N \wedge W|1$ (=no common divisor aside 1).

  • We are picking $N=113$, $W=27$
  • We calculated $W^{-1} = 67\ (\text{mod}\ 113)$
  • Knapsack (public key)
    • We are multiplying the private key by $W$, modulus $N$
    • Ex: $27 * 2 = 54\ (\text{mod}\ 113)$
    • $((2, 5, 11, 23, 55) * W)\ mod\ N = 54, 22, 71, 56, 16$
    • Public key: $(54, 22, 71, 56, 16)$
Public-key exchange
  • A is generating a private-key using the super-increasing knapsack ($(2, 5, 11, 23, 55)$)
  • A is generating a public key $(54, 22, 71, 56, 16)$, using a $N=113$, and $W=27$ that B knows
  • A encrypt a message using the public key, and send the cipher text to B
    • $54 + 22 + 0 + 0 + 16 = 92$ (first group)
    • $54 + 0 + 0 + 0 + 16 = 70$ (second group)
    • Cipher text: $92, 70$
  • B generate the private-key using the public key, and both $W$, and $N$
    • We are multiplying the public key by $W^{-1}$, modulus $N$
    • We get the private key: $2, 5, 11, 23, 55$
  • B decrypt the message
    • We multiply the message by $W^{-1}$, modulus $N$
    • We get $62$, and $57$
    • We solve them using the super-increasing knapsack problem
    • The message was: $1100110001$
  • Length of pk ๐ŸŒป: size of the backpack
  • Length of sk ๐Ÿฆ„: usually greater than pk
  • Attacks ๐Ÿงจ
    • Cracked by Adi Shamir (1984)
    • Meet-in-the-middle attack (known plaintext attack)
    • Lattice reduction attack
  • Still used? ๐ŸŸฅ: no

Diffieโ€“Hellman key exchange

encryptioncrypto101 introductiontonetworking

It allows two parties to establish a shared secret key over an insecure communication channel. It works as follows:

  • Both parties agree to a large prime number p and a generator g with $(p-1) \wedge g\ |\ 1$ (=the only divisor is 1)
  • Alice chooses a secret number a and computes $A = g^a\ (mod\ p)$
  • Bob chooses a secret number b and computes $B = g^b\ (mod\ p)$
  • Both exchange their computed value
  • The shared key is $B^a\ (mod\ p)$ for Alice, and $A^b\ (mod\ p)$ for Bob.
  • Length of p ๐ŸŒป: at least 2048 bits
  • Length of each secret number ๐Ÿฆ„: at least as long as p
  • Attacks ๐Ÿงจ
    • Man-in-the-middle attacks
    • Brute-force attacks
  • Still used? ๐ŸŸฉ: yes, in combination with other security mechanisms

Rivestโ€“Shamirโ€“Adleman (RSA)

encryptioncrypto101 introductiontonetworking

  • ๐Ÿ”จ Choose two large prime numbers: p and q
  • โ›๏ธ Compute their product: $n = p * q$
  • โš’๏ธ Compute phi(n): $\phi(n) = (p-1) * (q-1)$
  • ๐Ÿ”’ Compute the exponent used for encryption e. $e$ must be coprime with $\phi(n)$, meaning that $gcd(k,\ \phi(n)) = 1$. It must be greater than 3, and it is usually equal to $2^{16}+1=65537$.
  • ๐Ÿ”‘ Compute the exponent used for decryption d using the formula: $d = e^{โˆ’1}\ mod\ \phi(n)$.

The public key is public key is $(n,e)$, while the private key is $(n,d)$.

  • Encrypt: $C(m, n, e) = m^e\ (mod\ n)$
  • Decrypt: $D(c, n, d) = c^d\ (mod\ n)$
You can use Bezout to find $d$

You can use Bรฉzout on $\phi(n)$, and $e$, to find $d$.

  • Solve $B(k,\ \phi(n)) = e * u + phi(n) * v = 1$
  • $d = u$
Example: RSA(n=35, e=7)
  • $35 = 5 * 7$, $p=5$, $q=7$
  • $\phi(N) = (5-1) * (7-1) = 24$
  • $B(7, 24) = 7 * u + 24 * v = 1$
    • One solution: $u=7$, $v=-2$
  • Encrypt
    • (2) $2^7 \mod 35 = 23$
    • (3) $3^7 \mod 35 = 17$
    • (4) $4^7 \mod 35 = 4$
  • Decrypt
    • (23) $23^7 \mod 35 = 2$
    • (17) $17^7 \mod 35 = 3$
    • (4) $4^7 \mod 35 = 4$
  • Length of key ๐Ÿฆ„: at least 2048 bits in 2022
  • Attacks ๐Ÿงจ
    • Factorization attacks
    • Brute-force attacks
    • Side-channel/timing attacks
  • Still used? ๐ŸŸฉ: yes, in combination with other security mechanisms

An attacker would have a lot of prime numbers to test ($10^{497}$ for $n \approx 10^{1000}$) to find back $\phi(n) = (p-1) * (q-1)$ from $n$.


Pentester Notes โ˜ ๏ธ

Cracking RSA

weak_rsa rsa_factorisation

You can install and use RsaCtfTool (5.2k โญ):

$ DEST="$HOME/tools/rsactftool"
$ git clone -b "master" https://github.com/RsaCtfTool/RsaCtfTool $DEST
$ wget "https://raw.githubusercontent.com/QuentinRa/blog.quentinra.dev/master/cybersecurity/cryptography/algorithms/asymmetric/rsatool_fix_setup_py.patch"
$ git apply rsatool_fix_setup_py.patch
$ pipx install $DEST
$ RsaCtfTool.py -h
$ RsaCtfTool.py --key key.pub --dumpkey
$ RsaCtfTool.py --key key.pem --dumpkey
$ RsaCtfTool.py --publickey key.pub --private
$ RsaCtfTool.py --publickey key.pub --private --output key.priv

โžก๏ธ See also: rsatool (1.1k โญ).