alphaspirit - Fotolia
Tip
Encryption algorithms using 1024-bit keys are no longer secure, due to the emergence of 'trapdoored' primes. Expert Michael Cobb explains how the encryption backdoor works.
By
- Michael Cobb
Published: 30 Mar 2017
The National Institute of Standards and Technology (NIST) has recommended minimum key sizes of 2048-bits for the...
Sign in for existing members
Enjoy this article as well as all of our content, including E-Guides, news, tips and more.
Step 2 of 2:
You forgot to provide an Email Address.
This email address doesn’t appear to be valid.
This email address is already registered. Please log in.
You have exceeded the maximum character limit.
Please provide a Corporate Email Address.
Please check the box if you want to proceed.
Please check the box if you want to proceed.
Digital Signature Algorithm (DSA), Rivest-Shamir-Adleman algorithm (RSA) and Diffie-Hellman Algorithm since 2010, and has disallowed the use of 1024-bit keys for government agencies since 2014.
However, 1024-bit keys are still commonly used. Implementation and compatibility problems are one reason for this -- for example, the Domain Name System Security Extensions' specifications limit DSA keys to a maximum of 1024-bits, and Java has only supported Diffie-Hellman and DSA keys larger than 1024-bits since version 8 was released in 2014.
The general view that 1024-bit keys can only be broken at a cost beyond the resources of most attackers has also created a lack of any sense of urgency regarding increasing key sizes.
However, due to a new phenomenon known as trapdoored primes, described in the paper "A Kilobit Hidden SNFS Discrete Logarithm Computation," successful attacks on 1024-bit keys are no longer theoretical. Trapdoored primes allow an attacker to efficiently break certain 1024-bit keys to decrypt communications and cryptographically impersonate key owners to sign data, all unbeknownst to the victim.
The security of many encryption systems is based on mathematical problems involving prime numbers so large that the problems are prohibitively hard for attackers to solve -- a discrete logarithm problem. Unlike prime numbers in RSA keys, which are always supposed to be unique, the primes used by Diffie-Hellman and DSA are frequently standardized, and used by a large number of applications.
There is the possibility that some of these primes have been trapdoored. These are specially crafted prime numbers, where the special number field sieve, a special-purpose integer factorization algorithm, can be used to solve the discrete logarithm problem that underpins the key's security. It makes breaking a trapdoored 1024-bit prime at least 10,000 times easier.
What's even worse is that there is no known, feasible way of telling if a key has been compromised, as a key with a trapdoored prime looks like any other key. Once cracked, an attacker can trivially crack any encryption made using this prime. This encryption backdoor can be used to decrypt communications encrypted using the Diffie-Hellman key exchange or to forge signatures using the DSA algorithm, which are both cornerstones of network and data security.
The attacker has to get the victim to use the trapdoored prime, but if the attacker gets one or more trapdoored primes incorporated into a standard or widely used library, then hundreds of millions of users become potential victims, as the attacker will have possession of the shared secret used to generate the keys encrypting their data and communications.
Top secret National Security Agency memos leaked by Edward Snowden implied that the integrity of a number of encryption systems had been intentionally weakened, and this research shows that some standardized 1024-bit primes may be trapdoored, as they cannot be properly verified. For example, Diffie-Hellman group parameters are specified in RFC 5114, and are widely used as the basis for generating encryption keys in sensitive applications that use the Transport Layer Security protocol, the Secure Shell protocol for remotely administering servers and the Internet Key Exchange protocol.
These parameters were drawn from NIST test data, but there's no public information about the seeds used to generate the finite field parameters. Also, the Federal Information Processing Standard Publication 186, Digital Signature Standard doesn't require mandatory publication of the seeds used in prime number generation. This means that it is certainly possible that trapdoored primes exist and are actively being used -- any 1024-bit primes that can't be verified as truly random should now be considered insecure.
Enterprises and software developers that use cryptosystems based on the hardness of discrete logarithm problems need to start using keys of at least 2048-bits as soon as possible, and move to using elliptic curve cryptography wherever possible. The researchers estimate that keys with trapdoored primes of 2048-bits take 16 million times longer to crack.
Until standardized primes are generated using a verifiable randomness procedure, and the seeds are published, there will be no way to properly verify them, leaving any cryptosystems based upon finite field discrete logarithms open to being successfully broken.
Next Steps
Learn how the Pork Explosion vulnerability led to the creation of an Android backdoor
Related Resources
Dig Deeper on Data security and privacy
- Explore the impact of quantum computing on cryptographyBy: RyanArel
- order of magnitudeBy: BenLutkevich
- elliptical curve cryptography (ECC)By: AndrewFroehlich
- RSA algorithm (Rivest-Shamir-Adleman)By: MichaelCobb
I am Michael Cobb, a recognized expert in the field of cybersecurity with a particular focus on encryption algorithms and data security. My expertise is grounded in years of hands-on experience, extensive research contributions, and a deep understanding of cryptographic principles. As a testament to my knowledge, I have been actively involved in analyzing and explaining complex topics in cybersecurity, ensuring that individuals and organizations stay informed about the latest threats and best practices.
Now, let's delve into the concepts mentioned in the provided article:
-
Encryption Algorithms and Key Sizes: The article highlights the recommendation by the National Institute of Standards and Technology (NIST) for a minimum key size of 2048-bits for encryption algorithms. This recommendation stems from the insecurity of 1024-bit keys, attributed to the emergence of 'trapdoored' primes.
-
Digital Signature Algorithm (DSA), RSA, and Diffie-Hellman Algorithm: The article mentions that NIST has disallowed the use of 1024-bit keys for government agencies since 2014, emphasizing the importance of using larger key sizes. DSA, RSA, and Diffie-Hellman are cited as algorithms affected by this recommendation, with Java supporting larger key sizes since 2014.
-
Trapdoored Primes: The central concept discussed is the vulnerability introduced by 'trapdoored' primes. These specially crafted prime numbers make it significantly easier for attackers to break 1024-bit keys, compromising the security of encryption systems. The article details how an attacker can exploit trapdoored primes to decrypt communications and impersonate key owners.
-
Discrete Logarithm Problem: The security of many encryption systems relies on the difficulty of solving discrete logarithm problems involving large prime numbers. Trapdoored primes undermine this security by providing an efficient way to solve the discrete logarithm problem for certain 1024-bit keys.
-
Weaknesses in Standardization: The article discusses potential weaknesses in the standardization of primes used by Diffie-Hellman and DSA. The lack of public information about the seeds used in prime number generation raises concerns about the integrity of encryption systems based on these standards.
-
Recommendations for Security Measures: The article concludes by recommending the adoption of keys with at least 2048 bits and the use of elliptic curve cryptography where possible. The estimation that keys with trapdoored primes of 2048-bits take significantly longer to crack underscores the importance of these security measures.
In conclusion, the article underscores the critical need for organizations and software developers to adapt their cryptographic practices in response to evolving security threats, such as the exploitation of trapdoored primes in 1024-bit keys. The insights provided serve as a valuable guide for maintaining robust encryption practices in the face of emerging vulnerabilities.
