Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
public:papers:privrsa_esorics20 [2020-09-16 07:22] – [Biased RSA private keys: Origin attribution of GCD-factorable keys [Esorics 2020]] xjanovskpublic:papers:privrsa_esorics20 [2022-10-12 08:51] (current) xsvenda
Line 1: Line 1:
-====== Biased RSA private keys: Origin attribution of GCD-factorable keys [Esorics 2020]  ======+====== Biased RSA private keys: Origin attribution of GCD-factorable keys [ESORICS 2020]  ======
 ~~NOTOC~~ ~~NOTOC~~
  
Line 17: Line 17:
 <TEXT align="right"> <TEXT align="right">
  
-<popover trigger="focus" title="Not yet available" content="Publication in progress."> 
 <button type="warning" icon="fa fa-file-pdf-o">[[https://arxiv.org/abs/2009.06700|Pre-print PDF]]</button> <button type="warning" icon="fa fa-file-pdf-o">[[https://arxiv.org/abs/2009.06700|Pre-print PDF]]</button>
-</popover> 
 \_ \_
-<popover trigger="focus" title="Not yet available" content="Presentation will be added soon."> +<button icon="fa fa-file-image-o">[[https://crocs.fi.muni.cz/_media/public/papers/esorics_presentation.pdf|Presentation]]</button>
-<button icon="fa fa-file-image-o">Presentation</button+
-</popover>+
 \_ \_
 <button collapse="bibtex" icon="fa fa-file-code-o">BiBTeX</button> <button collapse="bibtex" icon="fa fa-file-code-o">BiBTeX</button>
 +
 \_ \_
 <button type="primary" icon="fa fa-github">[[https://github.com/crocs-muni/RSABias|Github]]</button> <button type="primary" icon="fa fa-github">[[https://github.com/crocs-muni/RSABias|Github]]</button>
Line 33: Line 30:
  
 <collapse id="bibtex" collapsed="true"> <collapse id="bibtex" collapsed="true">
-  @InProceedings{2020-esorics-privrsabias,+  @InProceedings{2020-esorics-biasedrsaprivatekeys,
     Title         = {Biased RSA private keys: Origin attribution of GCD-factorable keys},     Title         = {Biased RSA private keys: Origin attribution of GCD-factorable keys},
-    Author        = {Adam JanovskyMatus NemecPetr SvendaPeter Sekan and Vashek Matyas},+    Author        = {Adam Janovsky and Matus Nemec and Petr Svenda and Peter Sekan and Vashek Matyas},
     BookTitle     = {25th European Symposium on Research in Computer Security (ESORICS) 2020},     BookTitle     = {25th European Symposium on Research in Computer Security (ESORICS) 2020},
     Year          = {2020},     Year          = {2020},
     Publisher     = {Springer},     Publisher     = {Springer},
-    crocsweb      = {https://crocs.fi.muni.cz/papers/privrsa_esorics20}, +    crocsweb      = {https://crocs.fi.muni.cz/public/papers/privrsa_esorics20}, 
-    Keywords      = {RSA, private key biasorigin attribution},+    Keywords      = {Cryptographic library, RSA factorizationMeasurement, RSA key classificationStatistical model},
   }   }
 </collapse> </collapse>
Line 48: Line 45:
 We extend the technique to two new scenarios when not only public but also private keys are available for the origin attribution -- analysis of a source of GCD-factorable keys in IPv4-wide TLS scans and forensic investigation of an unknown source. We learn several representatives of the bias from the private keys to train a model on more than 150 million keys collected from 70 cryptographic libraries, hardware security modules and cryptographic smartcards. Our model not only doubles the number of distinguishable groups of libraries (compared to public keys from Švenda et al.) but also improves more than twice in accuracy w.r.t. random guessing when a single key is classified. For a forensic scenario where at least 10 keys from the same source are available, the correct origin library is correctly identified with average accuracy of 89\% compared to 4\% accuracy of a random guess. The technique was also used to identify libraries producing GCD-factorable TLS keys, showing that only three groups are the probable suspects. We extend the technique to two new scenarios when not only public but also private keys are available for the origin attribution -- analysis of a source of GCD-factorable keys in IPv4-wide TLS scans and forensic investigation of an unknown source. We learn several representatives of the bias from the private keys to train a model on more than 150 million keys collected from 70 cryptographic libraries, hardware security modules and cryptographic smartcards. Our model not only doubles the number of distinguishable groups of libraries (compared to public keys from Švenda et al.) but also improves more than twice in accuracy w.r.t. random guessing when a single key is classified. For a forensic scenario where at least 10 keys from the same source are available, the correct origin library is correctly identified with average accuracy of 89\% compared to 4\% accuracy of a random guess. The technique was also used to identify libraries producing GCD-factorable TLS keys, showing that only three groups are the probable suspects.
 </panel> </panel>
 +
 +
 +===== Artifacts, tools... =====
 +{{fa>database}}\_//// [[https://owncloud.cesnet.cz/index.php/s/Ihhw3BKKzKTaxB9|Dataset of all collected RSA keys (39GB)]]
  
 ===== Further research ===== ===== Further research =====
 +This research is related to our previous papers:
 +
 +[[https://crocs.fi.muni.cz/papers/acsac2017|Measuring Popularity of Cryptographic Libraries in Internet-Wide Scans (ACSAC 2017)]]
 +
 +[[https://crocs.fi.muni.cz/papers/rsa_ccs17|The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli (CCS 2017)]]
 +
 +[[http://crcs.cz/rsa|The Million-Key Question – Investigating the Origins of RSA Public Keys (USENIX 2016)]]
 +
 +===== Key points =====
 +
 +  * We investigated the properties of keys as generated by 70 cryptographic libraries, identified biased features in the primes produced, andcompared three models based on Bayes classifiers for the private key attribution.
 +  * The information available in private keys significantly increases the classification performance compared to the result achieved on public keys. Our worke nables to distinguish 26 groups of sources (compared to 13 on public keys) while increasing the accuracy more than twice w.r.t. random guessing.
 +  * Finally, we designed a method usable also for a dataset of keys where one prime is significantly correlated. Such primes are found in GCD-factorable TLS keys  where one prime was generated with  insufficient randomness. As a result, we can identify libraries responsible for the production of these GCD-factorable keys, showing that only three groups are a relevant source of such keys.
 +
 +===== Summary video ======
  
-FIXME +{{ youtube>CXCkdmFUGwU?900x520 Biased RSA private keys}}
-<button type="primary" icon="fa fa-github">[[https://github.com/crocs-muni/FIXME|FIXME]]</button>+