CryptographyPublic Key Cryptosystems

Anita JonesCS451 Information Security

Copyright(C) Anita Jones

September, 2006

Public key encryption

The two problems to be solved: Key distribution Digital signature

Revolutionary new approach Based on math functions, not simple

operations on bit patterns

Asymmetric (Public Key) Encryption

Ralph Merkle, Martin Hellman, Whitfield Diffie (1977)

Len Adleman

Ronald Rivest Adi Shamir

September, 2006

Contributions

Diffie & Hellman showed that encryption with pairs of keys was possible

Rivest, Shamir & Adleman created a cost-effective method, and then commercialized it which make it readily accessible to users

September, 2006

A revolution of sorts

Diffie & Hellman (1976) sought to solve 2 problems: better way to distribute keys provide for a digital document signature

public key encryption is based on mathematical functions, not on substitution & permutation

asymmetric – two different keys it does not displace block ciphers (symmetric keys)

Why not? Because it costs too much

September, 2006

Basics

Each user generates a pair of keysEach user places one key in a publicly

accessible placeEach user keeps the other key secret

EKR(M) = C EKU(C) = M

Where, M = plaintext (message); C = ciphertextKR = restricted (private) key KU = unrestricted (public) key

September, 2006

Requirements for Public Key

Computationally EASY to generate a pair of keys (public KU, private KR) encrypt, given key KU & message M decrypt, given key KR & encrypted message, C

Computationally INFEASIBLE to determine private key KR, knowing public key KU recover original message (M), given public key KU

& ciphertext, C, for message M

September, 2006

First of two uses

Confidentiality A wants to send message to B A encrypts message with B’s public key A sends encrypted message to B B decrypts message with its private key

(and by the way, B’s public key will not “decrypt” the encrypted message)

September, 2006

Second of two uses

Authentication, or digital signature A wants to send message to B in a way that B can be assured

that A (and no one else) sent it A encrypts message with A’s private key (sign!) A sends encrypted/signed message to B B decrypts message with A’s public key B then knows that

only A could have sent it data integrity assured, once encrypted (if whole message is

encrypted)

How do you distribute the Public Key?

September, 2006

Digression

What does the receiver know about a message once it is “correctly” decrypted? Plaintext is readable, i.e. understandable If a “bit flipped”, then resulting plaintext is

unintelligible; remember “avalanche” property

Both the cryptanalyst and a legitimate receiver know when they decrypt and read plaintext

September, 2006

Comparisons – Preview *

Primary Source: Security in Computing, Pfleeger&Pfleeger, p. 75

Symmetric Asymmetric• 1 2

• Must be kept secret One secret; One public

• Crypto “workhorse”; Key distribution, authenticationsecrecy & integrity of data–single characters to blocks of data, messages, files

• Must be “out-of-band” Public key can be used to distribute other keys

• Fast - based on addition, Slow; complex mathematics (e.g. masks, and shifts exponentiation); typically 10,000 times slower than symmetric keys

• 40, 128, 256, 512 512, 1024, 2048

• DES, 3DES, AES, RSA, El Gamal, Merkle-Hellman, Blowfish, Twofish, IDEA Elliptic Curve

•# of Keys

•Protection of key

•Best Uses

•Key Distribution

•Speed

•Key Lengths

•Examples

September, 2006

Some Misconceptions about Symmetric vs Asymmetric encryption

One is superior to the other

Public key encryption replaces symmetric encryption

Public key encryption makes key distribution trivially easy

September, 2006

RSA (Rivest, Shamir, Adelman) Algorithm

plaintext and ciphertext are (considered) integers between 0 and n-1, some n

public KU = {e, n} and public KR = {d, n}

for plaintext M and ciphertext C C = Me mod n M = Cd mod n = (Me)d mod n = Med mod n

Why so prevalent? Because RSA Inc. commercialized it

September, 2006

RSA Important properties

There exists e, d, n such that

Med = M mod n for all M < n

Easy to calculate Me and Cd

for all values of M < n

Infeasible to determine d, given e and n

September, 2006

Modulo arithmetic – review

a mod n is the remainder of a divided by n

So, values of a mod n are all between 0 and n-1

24 mod 7 = 3 5 mod 7 = 5

a = b mod n means a mod n = b mod ni.e. give the same remainder

a=b mod n means a = b + kn (k negative or positive)

a and b are congruent mod n

24 mod 7 = 10 mod 7 = 3, so 24 =10 = 3 mod 7

September, 2006

RSA: computing e, n, and d

select 2 prime numbers p, q (p not = q)

calculate n = p * q (n is the modulus)

calculate ø(n) = (p-1) * (q-1)select e such that

e is relatively prime to ø(n) and 1 < e < ø(n)

determine d such that d * e = 1 mod ø(n)

September, 2006

RSA: computing e, n, and d

select prime numbers p = 7, q = 17calculate n = p * q = 119calculate ø(n) = (p-1) * (q-1) = 6 * 16 = 96select e = 5 such that

e is relative prime to ø(n) and e < ø(n)

determine d = 77 such that d * e = 1 mod ø(n) and d < ø(n) 5 * 77 = 385 = 4 * 96 + 1

September, 2006

RSA: applying e, n, and d

KU = {5, 119} and KR = {77, 119} let plaintext M = 19Encryption C = Me mod n

C = EKU(19) = 195 mod 119 = 2,476,099 mod 119

= 66

Decryption M = Cd mod n M = DKR(66) = 6677 mod 119

= <big number> mod 119 = 19 mod 119 = 19

September, 2006

RSA -- getting parameters “right”

need to choose suitably large p, q e is usually chosen to be smalltypically e may be the same for all users originally a value of 3 was suggested, but

it is regarded as too small currently216 -1 = 65535 is typical used the decryption exponent d will be large

September, 2006

Practical aspects of RSA

So why is RSA so much slower than DES? today’s computer’s can't directly handle

numbers larger than 32- or 64-bits

need multiple precision arithmetic requiring libraries to handle large numbers

September, 2006

Is Public Key Crypto Secure?

A 128 bit key would be a number between 1 and 340,282,366,920,938,000,000,000,000,000,000,000,000

How many prime numbers are between 1 and this number? approximately n / ln(n) which is about 2^128 / ln( 2^128 ) =

3,835,341,275,459,350,000,000,000,000,000,000,000

How long would it take to find all of these prime numbers if you could calculate one trillion of these numbers per second? More than 121,617,874,031,562,000 years (i.e., about 10 million times

longer than the universe has existed so far.) Reference: http://www.livinginternet.com/?i/is_crypt_pkc_inv.htm

Answer – Yes, but know its limitations (e.g. plaintext attacks, block sizes, etc.)

September, 2006

Speeding up RSA

modulo arithmetic permits reducing intermediate results, because(a*b) mod n = [(a mod n)*(b mod n)]mod n

195 mod 119 = 2,476,099 mod 119 = ? = [(191 mod 119) * ( 192 mod 119) * (192 mod 119)] mod 119 Note: 192 mod 119 = 361 mod 119 = 4 195 mod 119 = [19 * 4 * 4] mod 119 = 304 mod 119 = 66

September, 2006

Speeding up RSA

usual multiplication takes O(n2) bit opsfaster technique: Schonhage-Strassen Integer

Multiplication Algorithm: breaks each integer into blocks, & uses them as coefficients of a

polynomial evaluates these polynomials at suitable points, & multiplies the

resultant values interpolates these values to form the coefficients of the product

polynomial combines the coefficients to form the product of the original

integer

September, 2006

Attacks on RSA

Brute force – try all possible private keys Depends on length of the key

Mathematical attack – factor n into its two primes

Timing attack – use measurement of the decryption time to guess values

September, 2006

RSA security rests on factoring

security of RSA is assumed to rest on the difficulty of computing ø(n), i.e. finding (p-1), (q-1)

best known theoretical factoring algorithms take years (assume 1 binary op per nanosec) when number of decimal digits in n exceed 100

so, 1024 + bits looks secure for now

September, 2006

Breaking RSA

RSA inventors offered $100 reward for finding a plaintext sentence enciphered via RSA

public key had 129 decimal digits (~ 428 bits)RSA predicted 40 quadrillion years was

needed1994 -- a group claimed the prize after 8

months of work (1600 computers used)

September, 2006

Elliptic Curve Cryptography

RSA challenger – uses fewer bits than RSA, so is computationally cheaper

Based on cubic equations of form: y2 + axy + by = x3 +cx2 + dx + e … real a, b, c, d, eDefine a form of addition on points on curve -

multiple additions are the counterpart of modular exponentiation in RSA

Less experience, so it is not as trusted as RSA

September, 2006

Applications

September, 2006

Digital Signature

Construct that authenticates both the origin & content of a message In a manner that is provable to a third party

E.g. A sends EA-R [M]; B has EA-U [M], M

where M = EA-U [EA-R [M]] Repudiation problem: A says “My key was stolen”

September, 2006

Key Distribution

A sends/posts A’s public keyAll others can see it

Forgery problem: Z posts a key and says that it is A’s public key Z can read what others send to A Until A alerts others to the forged key

September, 2006

Public Key Certificate

Create a trusted third party Key distribution center (KDC) or certificate authority

(CA) Maintains a registry of user keys Creates certificates: [ID of A, A’s public key] Certificate signed by CA

Encrypted with KDC’s private key

Use: user gives CA the user’s public key User obtains certificate; publishes certificate Assumed valid until user informs CA that key is invalid

September, 2006

Key distribution -- using certificates

A and B register with the CA

A and B exchange certificates

A creates secret (shared) session key

A encrypts session key with A’s private key

A then encrypts with B’s public key

A sends to B

September, 2006

We need a more formal way of describing these exchanges!

Let’s talk about security protocols!

September, 2006

Backups

September, 2006

Why?

Why should it be the case that if M is plaintext & C is ciphertext

& if C = Me mod n, that

M = Cd mod n = (Me)d mod n = Med mod n,

I.e. what makes us think that there even exists an e and d such that Med mod n = M?

September, 2006

Theory behind RSA

if n = pq where p, q are primes, then: xø(n) = 1 mod n for all x not divisible by p or q, ie gcd(x,ø(n))=1 where ø(n)=(p-1)(q-1) RSA chooses e & d to be inverses mod ø(n) ie e*d=1+q*ø(n) therefore M = Cd = Med = M1+q*ø(n) = M1 *(M ø(n) )q = M1*(1)q = M1 mod N

September, 2006

Speeding up RSA (cont)

Discrete Fourier Transform, & the Convolution Theorem are used to speed up the interpolation stage

results in multiplying in O(n log n) bit ops (versus O(n2)

special hardware is a possibility