DOI QR코드

DOI QR Code

OpenSSL을 이용한 키쌍(공개키·개인키) 충돌율 분석

Key-pair(Public key, Private key) conflict analysis using OpenSSL

  • 이광형 (서일대학교 인터넷정보과) ;
  • 박정효 (숭실대학교 컴퓨터공학과) ;
  • 전문석 (숭실대학교 컴퓨터공학과)
  • 투고 : 2014.07.22
  • 심사 : 2014.08.07
  • 발행 : 2014.08.31

초록

공개키 기반 기술의 발전은 전자정부, 전자금융, 전자결제 등 다양한 서비스를 가능하게 하였으며, 완벽한 안전성을 가지고 있는 것으로 평가된다. 하지만, 최근 허트블리드 버그 등 공개키 기반 이용 기술에 대한 취약점이 지속적으로 발견되고 있다. 본 논문에서는 공개키 기반구조의 안전성 및 신뢰성을 검증하기 위해, OpenSSL을 이용하여 키쌍의 충돌율을 분석하였다. 실험은 OpenSSL을 이용하여 5개의 사설인증기관을 생성하고, 각 사설인증기관에서 200만개의 인증서를 생성해 총 1,000만개의 인증서를 생성하여 키쌍 충돌 여부를 분석하였다. 실험은 다음과 같은 과정으로 수행되었다. Openssl을 이용하여 5개의 사설인증기관 생성, 각 사설인증기관에서 200만개의 인증서를 생성, 총 1,000만개의 인증서를 생성하여 키쌍 충돌 여부를 분석하였다. 실험 결과 1,000만건 중 35,000건, 즉 0.35%의 확률로 공개키 개인키가 충돌을 발생하였다. 이는 전자상거래, 보안서버 등 다양한 분야에서 충분한 위협이 될 수 있는 요소이다. 향후에는 공개키 기반기술의 위협요소를 제거하기 위해 난수생성기, 큰 소수 선택 문제 등 깊이 있는 연구를 진행할 것이다.

The development of public-key-based technique that enables a variety of services(E-government, e-banking, e-payment, etc.) evaluated as having complete safety. On the other hand, vulnerabilities(e.g, heartbleed bug, etc.) are constantly being discovered. In this paper, a public key infrastructure to verify the safety and reliability, the collision rate using OpenSSL key pair was analyzed. the experiment was performed using the following procedure. Openssl was used to create five private certification agencies, and each of the private certificate authority certificates to create 2 million, generating a total of 10 million by the certificate of the key pair conflicts analysis. The results revealed 35,000 in 1 million, 0.35% chance of a public key, a private key conflict occurred. This is sufficient in various fields(E-payment, Security Server, etc.). A future public-key-based technique to remove the threat of a random number generator, large minority issues, in-depth study of selection will be needed.

키워드

참고문헌

  1. M. Stevens, A. Sotirov, J. Appelbaum, A. Lenstra, D. Molnar, D. A. Osvik, and B. de Weger, "Short chosen-prex collisions for MD5 and the creation of a rogue CA certicate", In S. Halevi, editor, Crypto 2009, volume 5677 of Lecture Notes in Computer Science, pages 55-69. Springer, Heidelberg, 2009. DOI: http://dx.doi.org/10.1007/978-3-642-03356-8_4
  2. D. Loebenberger and M. Nusken, "Analyzing standards for RSA integers", In A. Nitaj and D. Pointcheval,editors, Africacrypt '11, volume 6737 of Lecture Notes in Computer Science, pp.260-277, Springer, 2011.
  3. In Bum Kim, "A Study on Enforce the Policy of User Certification in Public Certificate System", Journal of Korea Information Assurance Society 10(4), PP.69-76, 2010.
  4. Yeon-ho Jung, "Domestic PKI Construction and technology", Journal of Korea Information Assurance Society 17(6), pp.122-131, December, 2007.
  5. Seon-keun Lee, "A Study on the Modulus Multiplier Speed-up Throughput in the RSA Cryptosystem." THE JOURNAL OF KOREA INFORMATION AND COMMUNICATIONS SOCIETY 4(3), pp.217-233, September, 2009.
  6. Kwang-Eun Gil, Yi-Roo Baek, Whan-koo Kim, Jea-cheol Ha, "Fault Analysis Attacks on Control Statement of RSA Exponentiation Algorithm", Journal of The Korea Institute of Information Security and Cryptology 19(6), pp.63-70, December, 2009.
  7. Behrouz A. Forouzan, "Cryptography and Network Security", McGrawHillKorea, 2008.
  8. Woo Hyun Ahn, Hyungsu Kim, "Attacking OpenSSL Shared Library Using Code Injection", Journal of KISS : Computer Systems and Theory, pp.226-238, August, 2010.
  9. Jong-Hoon Park, Chul-won Kim, "Design and Implementation of Web Service System for secure Message Transmission in Electronic Commerce", THE JOURNAL OF KOREA INFORMATION AND COMMUNICATIONS SOCIETY 14(8), August, 2010. DOI: http://dx.doi.org/10.6109/jkiice.2010.14.8.1855
  10. Yunyoung Lee, Soonhaeng Hur, Sangjoo Park, Donghwi Shin, Dongho Won, Seungjoo Kim, "CipherSuite Setting Problem of SSL Protocol and It's Solutions", Korea Information Processing Society Review, pp.359-366, October, 2008.
  11. Soo-jong Mo, Won-hi Cho, Sun-young Yu, Jae-hong Yim, "Design and Implementation of PKI based Cryptography Communication Component", Journal of the Korea Institute of Information and Communication Engineering, pp.1316-1322, 2005.
  12. R. Holz, L. Braun, N. Kammenhuber, and G. Carle. The SSL landscape: a thorough analysis of the x.509 PKI using active and passive measurements. In Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference, IMC '11, pages 427-444. ACM, 2011. DOI: http://dx.doi.org/10.1145/2068816.2068856
  13. S. Cavallar, Zimmermann, "Factorization of a 512-bit RSA modulus", In B. Preneel, editor, Eurocrypt 2000, volume 1807 of Lecture Notes in Computer Science, pages 1-18, Springer, Heidelberg, 2000.
  14. S. Yilek, E. Rescorla, H. Shacham, B. Enright, and S. Savage, "When private keys are public: results from the 2008 debian OpenSSL vulnerability", In A. Feldmann and L. Mathy, editors, Internet Measurement Conference, pp.15-27, ACM, 2009. DOI: http://dx.doi.org/10.1145/1644893.1644896
  15. Kyoung-Soon Hong, "Accessibility Evaluation of Accredited Certificate Subscriber Software", Journal of the Korea Contents Association, pp.40-53, February, 2011. DOI: http://dx.doi.org/10.5392/JKCA.2011.11.2.040
  16. P. Q. Nguyen and I. Shparlinski, "The insecurity of the digital signature algorithm with partially known nonces", Journal of Cryptology 15(3), pp.151-176, 2002. DOI: http://dx.doi.org/10.1007/s00145-002-0021-3
  17. D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, and W. Polk. "Internet X.509 Public Key Infrastructure Certicate and Certicate Revocation List (CRL) Prole", RFC 5280, 2008.
  18. Pil-Yong Kang, "Certificate usage and policy direction of the mobile revolution era", KIISC, Review 21(1), pp.51-56, Fedbruary, 2011.
  19. W.-J. Kang, "An Efficient Privacy Preserving Method based on Semantic Security Policy Enforcement", The Journal of The Institute of Internet, Broadcasting and Communication, Vol. 13, No. 6, pp. 173-186, Dec. 2013. https://doi.org/10.7236/JIIBC.2013.13.6.173
  20. J.-M. Kang, Y.-J. Song, "A Study on Structural Holes of Privacy Protection for Life Logging Service as analyzing/processing of Big-Data", The Journal of The Institute of Internet, Broadcasting and Communication, Vol. 14, No. 1, pp. 189-193, Feb. 2014. https://doi.org/10.7236/JIIBC.2014.14.1.189
  21. J.-H. Jun, M.-J. Kim, J.-H. Cho, C.-W. Ahn, S.-H. Kim, "Detection Method of Distributed Denial-of-Service Flooding Attacks Using Analysis of Flow Information", The Journal of The Institute of Internet, Broadcasting and Communication, Vol. 14, No. 1, pp. 203-209, Feb. 2014. https://doi.org/10.7236/JIIBC.2014.14.1.203