Fastest Rsa Key Generation Time
Purpose: Enabling RSA Encryption on your client and server.

The proposed design is implemented by Verilog HDL and synthesized in a 0.18µm CMOS process. A rate of 3 pairs per second can be achieved for 1024-bit RSA key generation at the frequency of 100 MHz.


Difficulty: 7 (Most people do not know how it works, so they just disable it, and this will NOT be a beginner friendly tutorial, since I suck at writing tutorials..)
Assumed Knowledge: Java and your way around the classes.
Classes Modified:
Client side: Stream.java
Server side:
Hyperion: org/hyperion/rs2/net/RS2LoginDecoder.java



PI: server/net/RS2LoginProtocolDecoder.java
Tested On(if it applies):
Hyperion, PI (RS2HD Shouldn't be far off both, and it's simple enough to read)
For Apollo, use [Only registered and activated users can see links. ]
What this does:
RSA is an encryption algorithm put in place by Jagex to stop packet sniffers like autorune, which can fake packets. By hiding the ISAAC keys in the encrypted buffer, it makes it impossible to decrypt the raw ISAAC cipher data.
We shouldn't disable it for 2 reasons: it stops sniffing of usernames and passwords, and it also gives ISAAC a purpose again.
For a full description of what the RSA Algorithm is, visit this link: [Only registered and activated users can see links. ]
Originally Posted by Sean
Hi
Here are two reasons why you shouldn't remove these
RSA stops people sniffing passwords and usernames
ISAAC
Stops packet injection
it's very simple, dunno why you remove it, if you ask super_, he should tell you it in more detail, i rlly cba

Step 1:

Generate a public and private key.
This tool will generate a private and public key. The public key is a simple BigInteger with an exponent which is usually 65537, and the private key is kept hidden on our server to decrypt the data encrypted with the public key. If the private key EVER gets leaked, someone could sniff the data and decode it.
Compile and run, then you should get 2 files, rsapub and rsapriv, in that directory.
You will need them later on.
Step 2:
Preparing the server.
In your server files, open the Login Decoder class, and find something like this:
For Hyperion:
For PI:
Under it a bit, you should see something like this:
Hyperion:
PI:
Above this, you want to read the encryption bytes and decrypt them, so you have to create a byte array with size of the encrypted bytes, like this:
Hyperion:
Pi:
And then read the bytes into the array
And then decrypt:
Hyperion:
PI:
Now, add the code from 'rsapriv' file generated earlier to the top of the class, under the class declaration.
After this, You will have to go through and change every 'get*' type method that's after the new changes to the new buffer method, like this:
This should be done now, so save and close your files.
Step 3:
Re-enabling what shouldn't have been disabled!
Client side is a bit easier, since the code is pretty much the same on all clients, so open the Stream class or equiv class, and find 'BigInteger ', this should be your RSA encryption method.
If the method is blank, I can't help you there, since some people delete the whole method to skip it, some comment it out and some comment the line that encrypts it out.
My client was like this:
And you can see where biginteger3 was changed to not encrypt.
To fix this, you see 'bigInteger2;' or equiv, which is simply setting a variable to another one without the modPow, change that line to something like:


Now, go into your rsapub file and copy those lines to the Stream class.
That should be it, anything I missed? Let me know.
This tutorial is NOT for Delta or winterlove based servers, since it will be using methods to read from the IoBuffer class.
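
The three steps above in one runnable program, as an added example that is not the tutorial's own code: it generates the key pair, writes `rsapub` and `rsapriv`, and round-trips a block with the same raw `modPow` calls (textbook RSA, no padding) the tutorial describes. The class name, the constant names, the file contents format, the 2048-bit key size and the sample block are assumptions.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;

public class RsaLoginBlockDemo {
    // Writes one file of Java constants (hypothetical names), ready to paste into a class.
    static void writeConstants(String file, BigInteger modulus, BigInteger exponent) throws Exception {
        String src = "private static final BigInteger RSA_MODULUS = new BigInteger(\"" + modulus + "\");\n"
                   + "private static final BigInteger RSA_EXPONENT = new BigInteger(\"" + exponent + "\");\n";
        Files.write(Paths.get(file), src.getBytes(StandardCharsets.UTF_8));
    }

    // Client side (Step 3): block^e mod n, the modPow call that must not be skipped.
    static byte[] encrypt(byte[] block, BigInteger n, BigInteger e) {
        BigInteger m = new BigInteger(1, block);
        if (m.compareTo(n) >= 0) throw new IllegalArgumentException("block must be smaller than the modulus");
        return m.modPow(e, n).toByteArray();
    }

    // Server side (Step 2): the bytes read from the login packet, raised to d mod n.
    static byte[] decrypt(byte[] encrypted, BigInteger n, BigInteger d) {
        return new BigInteger(encrypted).modPow(d, n).toByteArray();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048); // assumption: the tutorial does not state a key size
        KeyPair pair = gen.generateKeyPair();
        RSAPublicKey pub = (RSAPublicKey) pair.getPublic();
        RSAPrivateKey priv = (RSAPrivateKey) pair.getPrivate();
        BigInteger n = pub.getModulus();

        writeConstants("rsapub", n, pub.getPublicExponent());    // goes into the client
        writeConstants("rsapriv", n, priv.getPrivateExponent()); // stays on the server only

        // Constructed sample block; a real one carries the ISAAC keys and credentials.
        // Its first byte is 0x0A, so toByteArray() reproduces it exactly; a leading
        // 0x00 byte would be dropped and a first byte >= 0x80 would gain a sign byte.
        byte[] block = "\nseed1 seed2 username password".getBytes(StandardCharsets.UTF_8);
        byte[] wire = encrypt(block, n, pub.getPublicExponent());
        byte[] back = decrypt(wire, n, priv.getPrivateExponent());
        System.out.println("round trip ok: " + Arrays.equals(block, back));
    }
}
```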

This is going to hurt a little: You can do everything right and still screw up majorly.

Many of you read about the Infineon crypto module flaw. The story has been reported with variations on the theme of “RSA algorithm weakness in Infineon chips”.

First, let’s get this right. This was not about a weakness in the RSA® algorithm, nor was it about Infineon’s implementation of the algorithm. Infineon did that part just fine.

The problem occurred in the way Infineon generated the prime numbers used as key material. They took shortcuts to produce the key material prime numbers, because without those shortcuts the generation of the primes would simply take too long.


“That’s stupid and irresponsible!” some may scream. As if it would be that simple. There are valid reasons to speed up prime number generation on embedded devices (Smartcards, TPM chips) used directly by end-users. The chips lack CPU power as their main job is to protect the key material, not to run video games.

When generating RSA keys (and, therefore, primes) on thousands of devices it had better be fast; people don’t like to wait. The crypto-aware end-user understands that key generation can take time, but many others will simply yank the smart card out of the reader because it “hangs”.

Using shortcuts in RSA implementations is a very common practice. For example, people often choose encryption exponents like 3, 17, or 65,537 because they lend themselves to much faster computation. In some implementations, these choices have proven problematic, but on the whole, they have proven to be a sound way to implement the RSA algorithm in practice. Like any cryptographic approach, these choices have to withstand the test of time.

It’s worth noting that these attacks are not obvious. It requires some fairly ingenious observations made by some incredibly smart people. Cryptography is hard. Implementing it correctly is even harder. On the surface, it seems that Infineon likely exercised good diligence and correctly implemented an approach for fast prime generation. This approach was only recently discovered to have a subtle, but critical, mathematical flaw. This is not the typical “I invented my own crypto!” story.

Yet here Infineon sits, after selling truckloads of chips with the faulty key generator.

Two things stand out to me:

  1. The problem is substantial as the attack could be performed by anyone with few resources, or know-how. All you need is the public key and some CPU time. Both are pretty easy to come by.
  2. The smart card chip plus firmware was certified to Common Criteria EAL 5+, which is a pretty extensive certification. The TPM module was certified to EAL 4+, which is also pretty high.

Looking at the Common Criteria website, which lists all certified products, there are several Infineon chips and libraries included. While I am not sure this is the exact chip in question it serves well as an example for the points I make below. This Infineon chip was certified to EAL5+.

Some may be shocked that this flaw could slip through such an extensive certification process. Understanding how certifications actually work removes the shock factor.

Certifications, such as Common Criteria EAL, do not certify that the product doing function X is secure in every possible way. It certifies that function X was implemented in a secure way. These are not the same thing.

Additionally, there can be confusion as to what is certified. Certifications are about the “Target of Evaluation” (ToE), which describes what will be certified. Everything not mentioned in the ToE is not included in the evaluation, even if it is closely related. In the example evaluation linked to above, the random number generator is included in the ToE, but there is no mention of the prime number check. It may be somewhere in the ToE, but remember, the certification is about the secure implementation of function X and not about the security of X itself.

In other words: the security of the “fast prime” functionality – even if included in the ToE – was never part of the evaluation.


This should serve as a stark reminder that certification stamps, such as Common Criteria, FIPS and so on, do not mean the product is secure. Nor does it mean that installation of a certified product equals a secure deployment. It only means what the ToE explicitly states.

Infineon released a patch to end users via device and OS manufacturers for the TPMs. The smart cards need to be physically replaced. As with most patches, this patch won’t be installed immediately on every system and it takes time to reissue affected smart cards leaving a large attack window. Combined with the fact that some use cases for the affected smart cards involve digital signatures and that timestamping a legally binding digital signature is not yet mandatory, this could get interesting. One scenario could have an attacker deriving the private key sometime in the future to create valid signatures on documents (e.g. contracts). Due to the lack of timestamps it cannot be proven they were created after the compromised certificate had been revoked.

PKI (Public Key Infrastructure) and cryptography aren’t easy. Hindsight allows us to say where Infineon went wrong, but at the time the decisions were made things simply looked OK. Most of us would have made the same decision in that position.

Any cryptographic algorithm must withstand the test of time. As the oldest public-key cryptosystem, the RSA algorithm has withstood that test for the better part of 40 years. One should, therefore, continue to have confidence in it knowing that it has been thoroughly examined for so long, and continues to be used. Newer algorithms, as promising as they may seem, can be more risky since they may contain issues yet to be unearthed.
