Breaking a Cryptographic Protocol with Pseudoprimes
Abstract
The Miller-Rabin pseudo primality test is widely used in cryptographic libraries, because of its apparent simplicity. But the test is not always correctly implemented. For example the pseudo primality test in GNU Crypto 1.1.0 uses a fixed set of bases. This paper shows how this flaw can be exploited to break the SRP implementation in GNU Crypto. The attack is demonstrated by explicitly constructing pseudoprimes that satisfy the parameter checks in SRP and that allow a dictionary attack. This dictionary attack would not be possible if the pseudo primality test were correctly implemented.

Often important details are overlooked in implementations of cryptographic protocols until specific attacks have been demonstrated. The goal of the paper is to demonstrate the need to implement pseudo primality tests carefully. This is done by describing a concrete attack against GNU Crypto 1.1.0. The pseudo primality test of this library is incorrect. It performs a trial division and a Miller-Rabin test with a fixed set of bases. Because the bases are known in advance an attacker can find composite numbers that pass the primality test with probability 1. A protocol implemented in GNU Crypto that requires a reliable primality test is SRP. The security of SRP depends on a group for which computing DL is hard. In SRP the server chooses the group parameters and sends them to the client. It is then important that the client verifies that computing DLs in the chosen group is indeed hard. Otherwise, the client could expose his password to a dictionary attack. This paper shows that the flaw in the GNU Crypto primality test indeed weakens the SRP implementation by explicitly constructing weak parameters for SRP. The weakness would not exist if a reliable primality test were implemented.

1 The Miller-Rabin pseudo primality test
A well-known theorem by Fermat states that if n is a prime and b is coprime to n then

$b^{n-1} \equiv 1 \pmod{n}$ (1)

Hence if Equation (1) is not satisfied for a coprime pair (b, n) then n is composite. Unfortunately, there also exist pairs (b, n) that satisfy Equation (1), but where n is composite. Composite numbers n that satisfy Equation (1) for all b coprime to n are called Carmichael numbers. Korselt proposed the following criterion for such numbers [7]. Korselt's criterion. A composite number n is a Carmichael number if and only if n is squarefree and all prime divisors p of n satisfy
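The following is an added worked example, not code from the paper or from GNU Crypto. It implements the Fermat test of Equation (1), Korselt's criterion in its standard form (n squarefree and p − 1 dividing n − 1 for every prime p dividing n), and the Miller-Rabin strong probable-prime test, and then contrasts a test with a fixed, publicly known base set against one that draws its bases at random. The constructed inputs are the Carmichael number 561 = 3·11·17, the base-2 strong pseudoprime 2047 = 23·89, and 3215031751 = 151·751·28351, the smallest strong pseudoprime to the bases 2, 3, 5 and 7 according to the Pomerance, Selfridge and Wagstaff tables cited later on this page; the base set (2, 3, 5, 7) is an illustrative choice and not a claim about which bases GNU Crypto used.

```python
import random
from math import gcd


def fermat_passes(n: int, b: int) -> bool:
    """Equation (1): b^(n-1) == 1 (mod n). Holds for every prime n and every b coprime to n."""
    return pow(b, n - 1, n) == 1


def trial_factor(n: int) -> list:
    """Complete trial-division factorisation; adequate for the small constructed inputs here."""
    factors, d = [], 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_carmichael(n: int) -> bool:
    """Korselt's criterion: n composite and squarefree, and p-1 | n-1 for every prime p | n."""
    fs = trial_factor(n)
    if len(fs) < 2 or len(set(fs)) != len(fs):   # prime, or not squarefree
        return False
    return all((n - 1) % (p - 1) == 0 for p in fs)


def miller_rabin(n: int, bases) -> bool:
    """True when n is a strong probable prime to every base in `bases`; False proves n composite."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:           # write n-1 = 2^s * d with d odd
        d //= 2
        s += 1
    for b in bases:
        b %= n
        if b in (0, 1, n - 1):  # trivial bases carry no information
            continue
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False        # b is a witness: n is definitely composite
    return True


# A fixed base set known to everyone in advance: the flaw the paper describes (illustrative choice).
FIXED_BASES = (2, 3, 5, 7)


def is_probable_prime_fixed(n: int) -> bool:
    """Weak variant: bases are fixed, so composites that are strong liars to all of them pass."""
    return miller_rabin(n, FIXED_BASES)


def is_probable_prime_random(n: int, rounds: int = 40, rng=None) -> bool:
    """Corrected variant: bases drawn at random, so no composite passes with probability 1."""
    if rng is None:
        rng = random.SystemRandom()
    if n < 4:
        return n in (2, 3)
    bases = [rng.randrange(2, n - 1) for _ in range(rounds)]
    return miller_rabin(n, bases)


if __name__ == "__main__":
    # 561 satisfies Equation (1) for every coprime base yet is composite (Carmichael),
    # while Miller-Rabin rejects it already with base 2.
    print(all(fermat_passes(561, b) for b in range(2, 561) if gcd(b, 561) == 1), is_carmichael(561))
    print(miller_rabin(561, [2]), miller_rabin(2047, [2]), trial_factor(2047))
    # The fixed-base test accepts a composite; the random-base test rejects it.
    n = 3215031751
    print(trial_factor(n), is_probable_prime_fixed(n), is_probable_prime_random(n))
```

The practical check for a library is the last line: any composite the fixed-base test accepts will be accepted on every run, whereas the random-base test accepts it with probability at most 4^(-rounds), which is why the bases of a Miller-Rabin test must never be predictable to the party that supplies the candidate.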
Similar sources
Development of a Unique Biometric-based Cryptographic Key Generation with Repeatability using Brain Signals
Network security is very important when sending confidential data through the network. Cryptography is the science of hiding information, and a combination of cryptography solutions with cognitive science starts a new branch called cognitive cryptography that guarantee the confidentiality and integrity of the data. Brain signals as a biometric indicator can convert to a binary code which can be...
The Pseudoprimes to 25 · 10^9
The odd composite n < 25 · 10^9 such that $2^{n-1} \equiv 1 \pmod{n}$ have been determined and their distribution tabulated. We investigate the properties of three special types of pseudoprimes: Euler pseudoprimes, strong pseudoprimes, and Carmichael numbers. The theoretical upper bound and the heuristic lower bound due to Erdös for the counting function of the Carmichael numbers are both sharpened. Several...
On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract)
We present a theoretical model for breaking various cryptographic schemes by taking advantage of random hardware faults. We show how to attack certain implementations of RSA and Rabin signatures. An implementation of RSA based on the Chinese Remainder Theorem can be broken using a single erroneous signature. Other implementations can be broken using a larger number of erroneous signatures. We a...
Frobenius pseudoprimes
The proliferation of probable prime tests in recent years has produced a plethora of definitions with the word “pseudoprime” in them. Examples include pseudoprimes, Euler pseudoprimes, strong pseudoprimes, Lucas pseudoprimes, strong Lucas pseudoprimes, extra strong Lucas pseudoprimes and Perrin pseudoprimes. Though these tests represent a wealth of ideas, they exist as a hodge-podge of definiti...
Cipolla Pseudoprimes
We consider the pseudoprimes that M. Cipolla constructed. We call such pseudoprimes Cipolla pseudoprimes. In this paper we find infinitely many Lucas and Lehmer pseudoprimes that are analogous to Cipolla pseudoprimes.
Publication date: 2005