Differences

This shows you the differences between two versions of the page.

public:papers:usenix2016 [2016-08-10 20:23] petrs
public:papers:usenix2016 [2023-06-02 09:20] (current) xsvenda
Line 1: Line 1:
-====== The Million-Key Question – Investigating the Origins of RSA Public Keys [Usenix Sec 2016] ======+====== The Million-Key Question – Investigating the Origins of RSA Public Keys [Usenix Sec 2016, Best Paper Award] ======
 ~~NOTOC~~ ~~NOTOC~~
 **Authors: Petr Svenda, Matus Nemec, Peter Sekan, Rudolf Kvasnovsky, David Formanek, David Komarek and Vashek Matyas** **Authors: Petr Svenda, Matus Nemec, Peter Sekan, Rudolf Kvasnovsky, David Formanek, David Komarek and Vashek Matyas**
 +
 +**[[https://rsa.sekan.eu/|---> Try online classification tool!]]**
 +
  
 **Primary contact:** Petr Svenda <svenda@fi.muni.cz>  **Primary contact:** Petr Svenda <svenda@fi.muni.cz> 
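Review bot: The added link `[[https://rsa.sekan.eu/|---> Try online classification tool!]]` points at a different host than the `http://crcs.cz/rsapp/` address that the resources list and the Q&A answers on this page still give for the online classification tool. State which address is current and use it consistently, preferably the HTTPS one. The `--->` in the link text can go, since the bold markup already makes the line stand out.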
Line 10: Line 13:
  
   * Conference page: [[https://www.usenix.org/conference/usenixsecurity16/|Usenix Security 2016]]   * Conference page: [[https://www.usenix.org/conference/usenixsecurity16/|Usenix Security 2016]]
-  * Download author pre-print of the paper: {{:public:papers:UsenixSec16_1MRSAKeys.pdf|pdf}} (will be available right after the talk) +  * Download conference version of the paper: [[https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_svenda.pdf|pdf]] 
-  * Download extended version of paper: {{:public:papers:UsenixSec16_1MRSAKeys_TRFIMU_201603.pdf|FIMU-RS-2016-03}} (technical report, FI MUNI) (will be available right after the talk+  * Download author pre-print of the paper: {{:public:papers:UsenixSec16_1MRSAKeys.pdf|pdf}}  
-  * Download presentation: {{:public:papers:usenixsec16_1mrsakeys_svenda_slides.pdf|pdf}} (will be available right after the talk)+  * Download extended version of paper: {{:public:papers:UsenixSec16_1MRSAKeys_TRFIMU_201603.pdf|FIMU-RS-2016-03}} (technical report, FI MUNI)  
 +  * Download presentation: {{:public:papers:1mrsa_usenix2016_20160812_final.pdf|pdf}} 
 +  * See 1 minute [[https://www.youtube.com/watch?v=Qa2M5JWStRw | lighting talk]] 
 +  * See [[https://www.youtube.com/watch?v=Y4U1E4ievRk | full conference talk]] 
 +  * {{fa>database}}\_//// [[https://owncloud.cesnet.cz/index.php/s/Ihhw3BKKzKTaxB9|Dataset of all collected RSA keys (39GB)]]
   * Download [[:public:papers:usenix2016#datasets_and_tools |datasets, tools and used scripts]]   * Download [[:public:papers:usenix2016#datasets_and_tools |datasets, tools and used scripts]]
   * Try online key classification tool: http://crcs.cz/rsapp/   * Try online key classification tool: http://crcs.cz/rsapp/
  
-**Bibtex (regular paper):**+ 
 +**Bibtex (regular paper)**
    @inproceedings{1mrsa_usenix2016,    @inproceedings{1mrsa_usenix2016,
      author = {Petr Svenda \and Matus Nemec \and Peter Sekan \and Rudolf Kvasnovsky \and David Formanek \and David Komarek \and Vashek Matyas},      author = {Petr Svenda \and Matus Nemec \and Peter Sekan \and Rudolf Kvasnovsky \and David Formanek \and David Komarek \and Vashek Matyas},
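Review bot: In the added dataset line, `{{fa>database}}\_////` puts an escaped underscore and an empty italics pair in front of the link, which looks like leftover spacing markup, and the entry offers a 39GB download with nothing for readers to verify it against. Drop the stray markup and publish a SHA-256 of the archive next to the link. In the same block, "lighting talk" should read "lightning talk".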
Line 27: Line 35:
    }    }
      
-**Bibtex (technical report):**+**Bibtex (technical report)**
    @inproceedings{1mrsa_usenix2016_TR,    @inproceedings{1mrsa_usenix2016_TR,
      author = {Petr Svenda \and Matus Nemec \and Peter Sekan \and Rudolf Kvasnovsky \and David Formanek \and David Komarek \and Vashek Matyas},      author = {Petr Svenda \and Matus Nemec \and Peter Sekan \and Rudolf Kvasnovsky \and David Formanek \and David Komarek \and Vashek Matyas},
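Review bot: The entry under "Bibtex (technical report)" is still declared as `@inproceedings{1mrsa_usenix2016_TR,` in the context line below the changed heading. For the FIMU-RS-2016-03 report listed above, `@techreport` is the matching BibTeX entry type, with the fields adjusted to suit, so this edit is a good place to correct it.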
Line 45: Line 53:
 ===== Q&A section ===== ===== Q&A section =====
  
-==Q: So what you did?== +==Q: So what did you do?== 
-A: Figured out that RSA public key is leaking info about library which created it. So we can tell which library you used for your key - based on public key only.+A: We figured out that RSA public key is leaking info about the library which created it. Hence we can tell which library you used to generate your key - based on public key only.
  
 ==Q: Is single key enough to identify source library?== ==Q: Is single key enough to identify source library?==
-A: Sometimes yes, but mostly no. If you have 5 keys from the same source, it will be quite accurate. Try automatic tool at http://crcs.cz/rsapp/+A: Sometimes yes, but mostly no. If you have 5 keys from the same source, it will be quite accurate. Try our automatic tool at [[http://crcs.cz/rsapp/]]
  
 ==Q: Can I mutually distinguish all libraries?== ==Q: Can I mutually distinguish all libraries?==
-A: Not always. Source libraries introducing exactly same bias to the value of generated public moduli will be undistinguishable.+A: Not always. Source libraries introducing exactly same bias to the value of generated public moduli will be indistinguishable.
  
-==Q: Can I identify also the version of used library?==+==Q: Can I also identify the version of used library?==
 A: Sometimes. The new version of a library that did not change source code of key generation method will not be distinguishable from the older one. E.g., OpenSSL 1.0.2f is not distinguishable from OpenSSL 1.0.2g, but OpenSSL 1.0.2g is distinguishable from OpenSSL 2.0.12 FIPS. A: Sometimes. The new version of a library that did not change source code of key generation method will not be distinguishable from the older one. E.g., OpenSSL 1.0.2f is not distinguishable from OpenSSL 1.0.2g, but OpenSSL 1.0.2g is distinguishable from OpenSSL 2.0.12 FIPS.
  
 ==Q: Have you tested all libraries of the world?== ==Q: Have you tested all libraries of the world?==
-A: No. We test a lot of them, but not all. We also did not test all possible version of given library. We are also missing hardware sources like SSL accelerators (contact us please, if you have one and like to contribute).+A: No. We tested a lot of them, but not all. We also did not test all possible version of given library. We are also missing hardware sources such as SSL accelerators (contact us please, if you have one and like to contribute).
  
 ==Q: How quickly will be the information leakage vulnerability you found fixed?== ==Q: How quickly will be the information leakage vulnerability you found fixed?==
-A: Probably not soon. The fix would require changing code of key generation method for the most libraries. And developers don't like to mess with that part of crypto too often. Even if fixed in the new version, lot of old legacy libraries will use for a long time.+A: Probably not soon. The fix would require changing code of key generation method for the most libraries. And developers don't like to mess with that part of crypto too often. Even if fixed in the new version, lot of old legacy libraries will be used for a long time.
  
 ==Q: So how can I protect my key(s)?== ==Q: So how can I protect my key(s)?==
-A: If you need just one key, it is easy - just generate 5 keys instead of one, let all to be classified by our tool (http://crcs.cz/rsapp/) and then keep the one which is classified with the least accuracy. If you need more keys to keep, it is slightly more tricky, but still can be done (with more keys generated and discarded).+A: If you need just one key, it is easy - just generate 5 keys instead of one, let all be classified by our tool ([[http://crcs.cz/rsapp/]]) and then keep the one which is classified with the least accuracy. If you need more keys to keep, it is slightly more tricky, but still can be done (with more keys generated and discarded).
  
-==Q: Are data you gathered and used publicly available?== +==Q: Are the data you gathered and used publicly available?== 
-A: Definitely! Download everything in datasets section and try own analysis. Please don't forget to cite us+A: Definitely! Download everything in the datasets section and try your own analysis. Please don't forget to cite our Usenix paper if you will use it
  
 ==Q: I want to know more details!== ==Q: I want to know more details!==
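Review bot: The reworded answer to "So how can I protect my key(s)?" tells readers to generate 5 keys and "let all be classified by our tool" without saying that only the public part is to be submitted. The first answer already states that classification works "based on public key only", so adding "submit the public keys only" here would close that gap. The grammar pass is also incomplete in the added lines: "all possible version of given library", "lot of old legacy libraries" and "if you will use it" still need fixing.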
Line 88: Line 96:
       * //Mask value// (first column) is computed as: 2nd-7th most significant bit of modulus | 2nd least significant bit of modulus | modulus mod 3 | modulus_length_in_bits mod 2       * //Mask value// (first column) is computed as: 2nd-7th most significant bit of modulus | 2nd least significant bit of modulus | modulus mod 3 | modulus_length_in_bits mod 2
       * Probability for given group is given in percentage. If a group never produces modulus with particular mask value, sign '-' is listed instead.       * Probability for given group is given in percentage. If a group never produces modulus with particular mask value, sign '-' is listed instead.
-  * Dataset: [[https://drive.google.com/folderview?id=0B0PpUrsKytcyUUV5d3kwX0VRNFk&usp=sharing | RSA keys from software libraries]] +  * {{fa>database}}\_//// [[https://owncloud.cesnet.cz/index.php/s/Ihhw3BKKzKTaxB9|Dataset of all collected RSA keys (39GB)]]
-    * Separate zip files for every library and length of RSA keys. Naming format: //library_version_keylength.zip//  +
-  * Dataset: [[https://drive.google.com/open?id=0B_DMu_2XOQ9XQWYyQmxXbDZuems RSA keys from cryptographic smartcards]] +
-    * Separate zip files for every library and length of RSA keys. Format: //smartcard-numberOfKeys-keyLength.zip// +
-  * Dataset: [[https://drive.google.com/open?id=0B4LeBLNCWpOWN0MzM2tjcjhVNEk | Random data from cryptographic smartcards, up to 100MB]]  +
-    * Separate binary files for every smartcard obtained using RandomData.generate() on-card method. If more files for the same card were generated, appendix _0/1/2 is used. Format: //smartcard_type.bin// +
-  * Dataset: [[https://drive.google.com/open?id=0B4LeBLNCWpOWYzNVcTJpdE1acFU | Random data from cryptographic smartcards, up to 1GB]]  +
-    * Separate binary files for every smartcard obtained using RandomData.generate() on-card method. If more files for the same card were generated, appendix _0/1/2 is used. Format: //smartcard_type.bin// +
-  * Coming soon: Filtered TLS dataset, filtered PGP dataset, filtered Certificate Transparency set +
-  * Coming soon: Processing scripts+
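Review bot: Replacing the four dataset entries with the single "Dataset of all collected RSA keys (39GB)" link drops the naming-format notes (//library_version_keylength.zip//, //smartcard-numberOfKeys-keyLength.zip//, //smartcard_type.bin//) that told readers how to find one library or card in the data. The new title mentions only RSA keys, so it is unclear whether the smartcard random-data files obtained with RandomData.generate() are still published. Keep the format descriptions as sub-items under the new link and say whether the random data is included. The same link is also added to the resources list at the top of the page, so one of the two could point to the other instead of duplicating it.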