Differences
This shows you the differences between two versions of the page.
public:papers:acsac2017 [2017-12-04 19:41] – [Q&A section] xnemec1 | public:papers:acsac2017 [2017-12-04 20:14] – [Q&A section] xnemec1 | ||
---|---|---|---|
Line 38: | Line 38: | ||
===== Q&A section ===== | ===== Q&A section ===== | ||
- | ==Q: So what did you do?== | + | ==Q: What did you do?== |
- | A: FIXME | + | A: We used the fact that distributions of RSA public keys generated by cryptographic libraries are slightly biased, to measure the popularity of cryptographic libraries in Internet-wide scans. |
==Q: Does it mean the biased RSA key generation methods are broken?== | ==Q: Does it mean the biased RSA key generation methods are broken?== | ||
- | A: No, in general, the bias is not enough for key factorization. However, we did break the Infineon implementation in our recent paper [[https:// | + | A: No, in general, the bias is not enough for key factorization. However, we did break the Infineon implementation in our recent paper [[https:// |
+ | ==Q: What parts of an RSA public key are biased?== | ||
+ | A: We extract an 8-bit feature vector from a public modulus N: we use the remainder of division of the modulus N modulo 3, remainder modulo 4, and the 2nd to 7th most significant bits of the modulus. | ||
+ | |||
+ | {{: | ||
+ | |||
+ | ==Q: What was the motivation for the measurement? | ||
+ | A: We developed a method for probabilistic classification of keys based on their source in our paper [[https:// | ||
+ | |||
+ | ==Q: What libraries did you analyze? Can you tell all libraries apart?== | ||
+ | A: You can see all the analyzed sources in the following graph. Libraries in the same Group (Group number in square brackets) produce very similar distributions. The popularity of individual Groups can be measured. | ||
+ | |||
+ | {{: | ||
+ | |||
+ | ==Q: I want to know the popularity of library X, why wasn't it included? == | ||
+ | A: To suggest other sources that we can add to our analysis, please get in touch with us. If you can also provide keys generated by hardware, open-source and proprietary libraries, we will add them to the [[https:// | ||
+ | |||
+ | ==Q: Why can't you associate a key with its source with certainty? | ||
+ | A: The features extracted from the keys are not unique. Different (groups of) libraries can produce keys with the same features. Only the distribution of the features differs, as illustrated here: | ||
+ | |||
+ | |||
+ | |||
+ | ==Q: What is the accuracy of the measurement? | ||
+ | A: We performed simulations to determine the accuracy. The expected error of the measurement was within 1 percentage point of the estimation (e.g., OpenSSL being estimated at 70% means that we expect it to be between 69% and 71%). The error might be larger in some cases, however the ground truth is not always known. Our estimation of ROCA vulnerable keys in a PGP dataset was at 0.10%, that is within 0.02 percentage points from the correct proportion found by a much more reliable method specific to the ROCA keys. | ||
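Review bot: The added answer to "Why can't you associate a key with its source with certainty?" ends with "as illustrated here:" but only blank lines follow it, whereas the feature-vector answer and the library-graph answer are each followed by an image embed; add the missing figure or drop the trailing clause so the sentence does not point at nothing. The "8-bit feature vector" answer would also be easier to check if it said how many bits each part contributes: the 2nd to 7th most significant bits account for six, so the remainders modulo 3 and modulo 4 must supply one bit each, and the text does not say how those remainders are encoded. Minor style point: the heading "I want to know the popularity of library X, why wasn't it included? ==" has a space before the closing "==" that the unchanged headings do not.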