
Stupid certificate tricks - ryan-c
https://rya.nc/cert-tricks.html
======
tptacek
Not that the author claimed it to be safe, but this probably isn't secure:

[https://rjlipton.wordpress.com/2012/03/01/do-gaps-between-primes-affect-rsa-keys/](https://rjlipton.wordpress.com/2012/03/01/do-gaps-between-primes-affect-rsa-keys/)

The technique relies on starting a search for one of the prime factors of the
modulus at a particular (large) place, although if I understand the code
right, not a place related to the other factor, so maybe it's not devastating,
or who knows. That article is still very worth reading. :)

~~~
ryan-c
It does say "stupid" right there in the title :-)

The article about prime gaps is interesting, thanks for sharing.

There's a paper[0] that appears to use a very similar technique to achieve an
RSA backdoor, however I don't have access to the full article. From the
excerpt[1] I was able to find (just now - I wrote the code quite a while ago)
they appear to choose p, randomly generate n with data spliced in the top half
of the modulus, and find an acceptable q. The paper seems to argue the scheme
is secure against those who don't have the backdoor key, but there are some
pages hidden in the middle of that.

0. [http://link.springer.com/chapter/10.1007%2F11693383_9](http://link.springer.com/chapter/10.1007%2F11693383_9)

1. [https://books.google.com/books?id=skYDCAAAQBAJ&pg=PA128&lpg=PA128&dq=space+efficient+rsa+backdoor&source=bl&ots=KVNcXU6iWS&sig=7_sztRtcFcaFSzA2_xymwqJf9jk&hl=en&sa=X&ei=gENOVYTJBpPooAT2o4GgCg&ved=0CDIQ6AEwAw#v=onepage&q=space%20efficient%20rsa%20backdoor&f=false](https://books.google.com/books?id=skYDCAAAQBAJ&pg=PA128&lpg=PA128&dq=space+efficient+rsa+backdoor&source=bl&ots=KVNcXU6iWS&sig=7_sztRtcFcaFSzA2_xymwqJf9jk&hl=en&sa=X&ei=gENOVYTJBpPooAT2o4GgCg&ved=0CDIQ6AEwAw#v=onepage&q=space%20efficient%20rsa%20backdoor&f=false)

------
kbwt
So basically the idea with RSA is that all computations are done modulo N,
where N is the product of two secret primes p and q.

What was done here is manipulating the high bits of N (yielding N'), and
finding a new prime q' slightly larger than N'/p. The high bits of N'' = p * q'
are unaffected because the gap between N'/p and q' is small enough in
practice.

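The procedure kbwt describes, as an added example that is not code from rya.nc or from any commenter: generate p and q, overwrite the bits just below the top bit of N with a payload to get N', take q' as the next prime at or above ceil(N'/p), and confirm that N'' = p * q' still carries the payload and still works as an RSA modulus. The 256-bit primes, the payload string, the 64-bit safety margin and the Miller-Rabin primality test are all choices made for this example; nothing here is a hardened key generator.

```python
"""
Added example (not from the linked article or any commenter): a toy run of the
modulus-editing procedure kbwt describes.  256-bit primes keep it fast; this is
a demonstration, not a hardened RSA key generator.
"""
import random
from math import gcd

_RNG = random.SystemRandom()
_SMALL_PRIMES = [n for n in range(2, 1000)
                 if all(n % d for d in range(2, int(n ** 0.5) + 1))]


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Trial division by primes below 1000, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n: int) -> int:
    """Smallest probable prime >= n."""
    if n <= 2:
        return 2
    if n % 2 == 0:
        n += 1
    while not is_probable_prime(n):
        n += 2
    return n


def random_prime(bits: int) -> int:
    """Random prime with its two top bits set, so p*q has exactly 2*bits bits."""
    while True:
        cand = _RNG.getrandbits(bits) | (0b11 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand


def embed_in_modulus(p: int, q: int, payload: bytes):
    """
    kbwt's procedure: overwrite high bits of N = p*q with `payload` (giving N'),
    then take q' = next prime >= ceil(N'/p).  Returns (N'', q', shift) where
    N'' = p*q' and shift is the bit position of the payload inside N''.
    """
    n = p * q
    nbits, pbits = n.bit_length(), len(payload) * 8
    # N'' - N' < p * (gap to next prime), so the payload must sit well above
    # bit p.bit_length(); a 64-bit margin is an assumption chosen for the demo.
    if pbits > nbits - 1 - p.bit_length() - 64:
        raise ValueError("payload too long for this modulus size")
    shift = nbits - 1 - pbits          # leave the top bit alone so N'' keeps its length
    mask = ((1 << pbits) - 1) << shift
    n_prime = (n & ~mask) | (int.from_bytes(payload, "big") << shift)
    q_prime = next_prime(-(-n_prime // p))   # ceil(N'/p)
    if q_prime == p:                          # astronomically unlikely; keep p != q
        q_prime = next_prime(q_prime + 1)
    return p * q_prime, q_prime, shift


def extract_from_modulus(n: int, shift: int, length: int) -> bytes:
    """Read `length` bytes back out of a modulus at bit position `shift`."""
    return ((n >> shift) & ((1 << (length * 8)) - 1)).to_bytes(length, "big")


def rsa_private_key(p: int, q: int, e: int = 65537) -> dict:
    """Full private-key component list; the public key is just (N, e)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e not invertible mod phi(N)")
    d = pow(e, -1, phi)                         # Python 3.8+
    return {"p": p, "q": q, "N": n, "e": e, "d": d,
            "d_p": d % (p - 1), "d_q": d % (q - 1), "q_inv": pow(q, -1, p)}


def demo(payload: bytes = b"HIRING: rya.nc", bits: int = 256) -> dict:
    """Build a key, splice the payload into the top of N, and check the result."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        n_pp, q_prime, shift = embed_in_modulus(p, q, payload)
        try:
            key = rsa_private_key(p, q_prime)
            break
        except ValueError:          # 65537 divided p-1 or q'-1; start over
            continue
    m = 0xDEADBEEF
    return {
        "payload_roundtrips": extract_from_modulus(key["N"], shift, len(payload)) == payload,
        "rsa_works": pow(pow(m, key["e"], key["N"]), key["d"], key["N"]) == m,
        "modulus_bits": key["N"].bit_length(),
        "q_prime_is_prime": is_probable_prime(q_prime),
        "hex_modulus": hex(n_pp),
    }


if __name__ == "__main__":
    print(demo())
```

Running it prints a modulus whose hex string starts, just after the leading digit, with the ASCII of the payload, and the checks confirm that q' is prime and that encrypt-then-decrypt with (N, e) and d still returns the original message.
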
~~~
e12e
I'm going to have to read the article again, carefully -- and play some more
with RSA. But I'm surprised so many... digits are shared between the _secret_
key and the public cert. Or is that a typo in the article?

I've only done the toy mental gymnastics with RSA in base10 -- it's probably a
good idea to play with in bitstrings as well...

~~~
ryan-c
The modulus - the part that has data embedded in it - isn't a secret part of
the key. I _think_ the part confusing you is that the modulus (N) is included
in both the public and private key.

The private key contains: [p, q, N, e, d, d_p, d_q, q_inv]

The public key contains: [N, e]

If you do find a typo somewhere, please let me know (I have an email address
listed in my HN profile).

~~~
tptacek
pedantic: Conceptually, the public key is n, e and the private key is n, d.
The other values you mention are secret, in that they can be used to derive d,
but aren't the private key. OpenSSL keeps some intermediate values for
performance, but they aren't strictly required for RSA to work.

~~~
e12e
If the n is public, it's not really part of the private _key_ is it? (Or
_private_ key) Granted d is not sufficient as a key either - but n clearly
isn't secret. Is there a term for that? "Common key", maybe? Key parameter?
Keystone? ;)

~~~
ryan-c
If one wanted to be _even more pedantic_, N is the modulus, e is the public
exponent and d is the private exponent. N is required for both public and
private operations.

~~~
e12e
Yes. But is there a more general (or specific, depending on one's point of
view) term that applies to (public key) cryptography? Eg "some random, public,
non-repeated stuff" is a _nonce_, a _key_ is a parameter to an encryption
function etc. Ecc keys are over a certain [ed]curve - so you need parameters
for that too, but modulus while entirely correct mathematically, doesn't
really capture the essence of N from a cryptographic point of view. Maybe just
"public parameter"?

~~~
tptacek
The usual term here is indeed "parameter", as in "parameter validation flaw".

------
ffk
rya.nc is also actively using the certificate he generated. :)

~~~
devcpp
Really? I'm getting serial number 0x043f60 (instead of 0x1599c5), validity
starting on May 7 2015. Might that have to do with using Firefox or anything
client-related? Or he switched it?

~~~
ryan-c
I updated the server certificate to one signed with RSA+SHA256 to make Chrome
happy, but the new one has the same thing done to it.

~~~
wolf550e
Is the private key from the blog post valid to impersonate your server?

~~~
mithras
Depends on whether he revoked it or not.

~~~
ryan-c
The private key in the article was generated specifically for the article as
an example - there's no CA-signed certificate that used it.

Also, certificate revocation is _very_ unreliable.

------
kccqzy
This reminds me of tricks like putting a "we're hiring" comment in the source
code, the developer console or the HTTP header but this takes it to a whole
new level.

Edit: typo

------
alanh
"I couldn't come up with an attack vector, but I didn't try very hard."

Would it be feasible to exploit the fact that this trick relies on primes very
close to each other?

~~~
Dylan16807
In what way does it do that? It starts with two fully random primes and then
fixes some of the bits in the middle of one. Then it adjusts the lowest bits
to make it prime again. Almost all of that prime is still random, and it's
still within a tiny fraction of a percent of its original value.

