Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
public:papers:acsac2017 [2017-12-04 19:41] – [Q&A section] xnemec1public:papers:acsac2017 [2022-10-12 08:52] (current) xsvenda
Line 13: Line 13:
   * Conference page: [[https://www.acsac.org/2017/ | ACSAC 2017]] | [[https://www.acsac.org/2017/openconf/modules/request.php?module=oc_program&action=summary.php&id=106 | Paper page]]   * Conference page: [[https://www.acsac.org/2017/ | ACSAC 2017]] | [[https://www.acsac.org/2017/openconf/modules/request.php?module=oc_program&action=summary.php&id=106 | Paper page]]
   * Download author pre-print of the paper: {{ :public:papers:acsac2017_nemec_rsa_fingerprints.pdf | pdf}}   * Download author pre-print of the paper: {{ :public:papers:acsac2017_nemec_rsa_fingerprints.pdf | pdf}}
-  * Download presentation: {{ fixme | pdf}}+  * Download presentation: {{ :public:papers:acsac-nemec-handout.pdf Handout-PDF}} | {{ :public:papers:acsac-nemec.pdf | Conference-PDF }}
  
 **Bibtex (regular paper)** **Bibtex (regular paper)**
  
   @inproceedings{2017-acsac-nemec,   @inproceedings{2017-acsac-nemec,
-    Author        = {Matus Nemec and Dusan Klinec and Petr Svenda and Peter Sekan and Vashek Matyas}, +    author = {Nemec, Matus and Klinec, Dusan and Svenda, Petr and Sekan, Peter and Matyas, Vashek}, 
-    Title         = {Measuring Popularity of Cryptographic Libraries in Internet-Wide Scans}, +    title = {Measuring Popularity of Cryptographic Libraries in Internet-Wide Scans}, 
-    BookTitle     = {Proceedings of the 33rd Annual Computer Security Applications Conference (ACSAC'2017)}, +    booktitle = {Proceedings of the 33rd Annual Computer Security Applications Conference}, 
-    Year          = {2017}, +    series = {ACSAC 2017}, 
-    Pages         = {??--??}, +    year = {2017}, 
-    ISBN          = {??}, +    isbn = {978-1-4503-5345-8}, 
-    Publisher     = {ACM}+    pages = {162--175}, 
 +    url = {http://doi.acm.org/10.1145/3134600.3134612}, 
 +    doi = {10.1145/3134600.3134612}, 
 +    publisher = {ACM}
   }   }
  
Line 32: Line 35:
  
   * Measurement (classification) tool: [[https://github.com/crocs-muni/classifyRSAkey | GitHub link]]   * Measurement (classification) tool: [[https://github.com/crocs-muni/classifyRSAkey | GitHub link]]
-  * RSA keys from reference libraries: [[https://drive.google.com/drive/u/3/folders/0B0PpUrsKytcyMllkUHJ0RkZkdzA Google Drive link]]+  * {{fa>database}}\_//// [[https://owncloud.cesnet.cz/index.php/s/Ihhw3BKKzKTaxB9|Dataset of all collected RSA keys (39GB)]]
   * Data processing (TLS, PGP): [[https://github.com/crocs-muni/acsac2017-data-tools | GitHub link]]   * Data processing (TLS, PGP): [[https://github.com/crocs-muni/acsac2017-data-tools | GitHub link]]
   * Data processing (Certificate Transparency): [[https://github.com/crocs-muni/acsac2017-certificate-transparency-java | GitHub link]]   * Data processing (Certificate Transparency): [[https://github.com/crocs-muni/acsac2017-certificate-transparency-java | GitHub link]]
Line 38: Line 41:
 ===== Q&A section ===== ===== Q&A section =====
  
-==Q: So what did you do?== +==Q: What did you do?== 
-A: FIXME+A: We used the fact that distributions of RSA public keys generated by cryptographic libraries are slightly biased, to measure the popularity of cryptographic libraries in Internet-wide scans.
  
 ==Q: Does it mean the biased RSA key generation methods are broken?== ==Q: Does it mean the biased RSA key generation methods are broken?==
-A: No, in general, the bias is not enough for key factorization. However, we did break the Infineon implementation in our recent paper [[https://crocs.fi.muni.cz/public/papers/rsa_ccs17 | The Return of Coppersmith's Attack (ROCA)]]+A: No, in general, the bias is not enough for key factorization. However, we did break the Infineon implementation in our recent paper [[https://crocs.fi.muni.cz/public/papers/rsa_ccs17 | The Return of Coppersmith's Attack (ROCA)]].
  
 +==Q: What parts of an RSA public key are biased?==
 +A: We extract an 8-bit feature vector from a public modulus N: we use the remainder of division of the modulus N modulo 3, remainder modulo 4, and the 2nd to 7th most significant bits of the modulus.
 +
 +{{:public:papers:acsac2017_explain_mask_openssl.png?400|}}
 +
 +==Q: What was the motivation for the measurement?==
 +A: We developed a method for probabilistic classification of keys based on their source in our paper [[https://crocs.fi.muni.cz/public/papers/usenix2016 | The Million-Key Question]] at [[https://www.usenix.org/node/197198 | USENIX Security 2016]]. However, we were missing an accurate estimation of library popularity and could not find any papers accomplishing that. We also needed to measure the impacts of [[https://crocs.fi.muni.cz/public/papers/rsa_ccs17 | ROCA vulnerability]] and this is a general method for such measurements.
 +
 +==Q: What libraries did you analyze? Can you tell all libraries apart?==
 +A: You can see all the analyzed sources in the following graph. Libraries in the same Group (Group number in square brackets) produce very similar distributions. The popularity of individual Groups can be measured.
 +
 +{{:public:papers:acsac2017_dendrogram.png?600|}}
 +
 +==Q: Does popularity of libraries change in time?==
 +A: Yes, for one, the number of OpenSSL keys increases significantly.
 +{{:public:papers:acsac2017_intime.png?800|}}
 +
 +==Q: I want to know the popularity of library X, why wasn't it included? ==
 +A: To suggest other sources that we can add to our analysis, please get in touch with us. If you can also provide keys generated by hardware, open-source and proprietary libraries, we will add them to the [[https://drive.google.com/drive/u/3/folders/0B0PpUrsKytcyMllkUHJ0RkZkdzA | Collection of RSA keys from reference libraries]].
 +
 +==Q: Why can't you associate a key with its source with certainty?==
 +A: The features extracted from the keys are not unique. Different (groups of) libraries can produce keys with the same features. Only the distribution of the features differs, as illustrated here:
 +
 +{{:public:papers:acsac2017_reference.png?800|}}
 +
 +==Q: What is the accuracy of the measurement?==
 +A: We performed simulations to determine the accuracy. The expected error of the measurement was within 1 percentage point of the estimation (e.g., OpenSSL being estimated at 70% means that we expect it to be between 69% and 71%). The error might be larger in some cases, however the ground truth is not always known. Our estimation of ROCA vulnerable keys in a PGP dataset was at 0.10%, that is within 0.02 percentage points from the correct proportion found by a much more reliable method specific to the ROCA keys.