Distributed Systems
Lecture 17&18 – Cryptographic Algorithms
Part 1 – RSA Public-key Algorithm: We will continue our study of cryptography today, by looking in detail at a particular algorithm known as RSA. It was developed in 1978 and was named after its inventors. RSA is an asymmetric algorithm that relies on a public key for encryption and a private key for decryption.
RSA:
• Rivest (Ron)
• Shamir (Adi)
• Adleman (Len)
Ron Rivest
Shamir, Rivest, & Adleman in 1978
Adleman, Shamir, & Rivest at the Crypto-82 Conference in 1982
Advances in Cryptology: Proceedings of Crypto 82
(Still available at amazon.com for $132.99)
Google Hits: Crypto 78 to Crypto 2006
RSA
• Depends on finding two large primes ...
> 10^100
i.e. numbers with over 100 decimal digits!
Is this like looking for a needle in a haystack?
How difficult is this?
Prime Number Theorem:
Let π(n) be the number of prime numbers equal to or less than n
lim (n → ∞) π(n) = n / ln n
π(n) ≈ n / ln n even when n is only 10^9
For n > 10^9, this is accurate within 5%
As n increases to 10^100, clearly n / ln n gets pretty close to π(n)
So …
To find two primes for RSA, pick a random number larger than 10^100, then start searching for primes …
How dense are the primes up near 10^100?
If there are n/ln n primes below n, then the ratio of primes to numbers is 1:ln n
Therefore, at 10^100, this ratio is 1:ln 10^100
which is approximately 1:230
So, it's more like looking for a needle on a table full of needles.
So, if we pick a number somewhat larger than 10^100, we should be able to find a pair of prime numbers by testing primes on either side of it, ± 115.
… or at least that’s the generally accepted theory …!
[Figure: number line from 0 to n] π(n) can be used to describe the average density of all the primes between 0 and n.
What about the density of the primes right at n?
We want to know how far (x) we expect to move to pick up a new prime. We could solve this:
#primes below n - #primes below (n+x) = 1
n/ln n - (n+x)/ln(n+x) = 1
OR …
since this is rather difficult, let’s take an alternate approach
At n, the rate of change in the total number of primes below n is equal to the density of the primes at n.
In other words, if we go to the next number, n+1, and we now have (n+1) / ln(n+1) below us, then the expected number of additional primes we pick up in moving from n to n+1 is the density of the primes at n.
So, instead, we can take advantage of this observation that the rate of change of n/ln n is the prime density at n as follows:
Solve: d/dn ( n / ln n )
apply chain rule, then split into partial fractions:
1 / ln n - 1 / (ln n)^2
So, at n = 10^100, the density of the primes is:
1 / ln n - 1 / (ln n)^2
= 1 / ln 10^100 - 1 / (ln 10^100)^2
≈ 0.004324
So, we expect to go 1/0.004324 or 231 away to find the next prime … NOT 230!!!
The reason that the local density at 10100 is virtually the same as the average density from one to 10100 can be understood by observing that the second derivative is practically zero throughout the entire interval.
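The search described above can be run directly. The following is an added example, not part of the original lecture: it evaluates the lecture's density estimate at 10^100 and then walks upward from 10^100 with a Miller-Rabin test until it reaches a prime. The function names and the choice of fixed Miller-Rabin bases are assumptions of this example.

```python
import math

# Fixed witness bases (an assumption of this example, adequate for a demonstration).
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin primality test using the bases in SMALL_PRIMES."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    # Write n - 1 as odd * 2^s.
    odd, s = n - 1, 0
    while odd % 2 == 0:
        odd //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, odd, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # base a proves that n is composite
    return True

def next_prime_offset(start):
    """Smallest x > 0 such that start + x passes the primality test."""
    x = 1
    while not is_probable_prime(start + x):
        x += 1
    return x

def local_density(n):
    """The lecture's estimate: d/dn (n / ln n) = 1/ln n - 1/(ln n)^2."""
    ln_n = math.log(n)
    return 1 / ln_n - 1 / ln_n ** 2

GOOGOL = 10 ** 100

if __name__ == "__main__":
    print("expected distance to the next prime:", round(1 / local_density(GOOGOL)))
    print("first prime above 10^100 is 10^100 +", next_prime_offset(GOOGOL))
```

The density is an average, so a single search can land closer or further than the estimate; starting exactly at 10^100 the first prime is a little further away than 231.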
So, we begin by finding two large primes, say P and Q
Next, calculate the following:
N = P X Q
and
Z = ( P - 1 ) X ( Q - 1 )
Clearly Z and N do not share any common factors.
(presumably |P-Q|>1)
So, Z is not divisible by P or Q.
Now, choose a “d” which has no factors in common with Z.
d will be used for decryption
Solve for “e” in the following:
e X d = 1 mod Z
e will be used for encryption
Note:
e X d = 1 mod Z
means:
(e X d) mod Z = 1
[ most of us prefer the second … pure mathematicians have no problem with the original representation. ]
We now have the following:
d, e, P, Q, N, Z
and
M and c
where the latter are the plaintext and the ciphertext respectively.
The encryption function is then:
E(e,N,M) = M^e mod N
and the decryption function is:
D(d,N,c) = c^d mod N
So, the effective “keys” are as follows:
Ke = <e,N>
Kd = <d,N>
Let’s test:
Message M = “G” = ASCII 71
P =11, Q =19
N = 11 X 19 = 209
Z = 10 X 18 =180
d =7
( e X d ) mod 180 = 1
7e % 180 =1
7 X 103 =721 and 721 % 180 = 1
e = 103
Let’s test:
c = M^e mod N
= 71^103 mod 209
= 59
Now we will decrypt:
c^d mod N
= 59^7 mod 209
= 71
It works!!!!!
… but WHY does it work?
http://www.cse.iitd.ac.in/~suban/cs120/rsa/node9.html
And you thought that was difficult?
Elliptical Curve Algorithms are an alternative developed in 1993
Text says:
“The relevant mathematics involves some quite complex properties of elliptical curves and is beyond the scope of this book.”
Part 2 – Hybrid Protocols: We will review the advantages and disadvantages of the cryptographic systems we have studied so far and will see how consideration of these advantages and disadvantages motivates the development of hybrid cryptographic protocols.
• Easy to compute
• Requires secure transfer of a secret key
• Complicated to compute
• Exchange of shared secret key not required
• Combines strengths of both systems
• Uses an asymmetric cipher to exchange a secret shared key securely
• Only complicated to compute for the exchange of the shared key - small
• Simpler method based on shared secret key is used once the key is securely exchanged
So public-key encryption is used only for authenticating the parties and exchanging a secret key which is used for all subsequent communication.
An example implementation of such a hybrid protocol is SSL used in SSH.
Part 3 – Digital Signatures: So far, we have seen cryptography applied in a way to conceal the contents of a communication to prevent a third party from examining the contents while the message was in transit. In the case of a digital signature, the motivation behind the use of cryptography is completely different. In general, our primary goal is not to hide the contents of the message (although we may still elect to do so) but rather to provide proof that a document is authentic. We will now discuss this further.
• Authentic
• Unforgeable
• Non-repudiable
Properties of written signatures on hardcopy documents:
• Authentic: A signature shows that the document is authentic and that the signer agrees with the contents
• Unforgeable: It proves that the signer deliberately signed the document and that no one else could have done that
• Non-repudiable: The signer cannot deny that they signed the document
Of course we realize that these things are not guaranteed with hardcopy documents and signatures. They could, ironically, be potentially more trustworthy in electronic form.
Digital Signing:
The simplest approach involves including an encrypted version of the document encrypted using a secret key shared by the signer and those wishing to authenticate the document, or using public-key encryption.
[Figure: signed document = Message + encrypted Message]
Of course this is somewhat redundant … why not just send the document in encrypted form?
Digest Functions:
• Also called “secure hash functions.”
• The digest is relatively small compared to the document used to produce the digest.
• Like a CRC or checksum but even less likely to be correct unless the original document is unaltered.
• The digest is signed rather than the entire document.
Review:
Signed document using a digest:
[Figure: signed document = Message + Digest, with the Digest encrypted]
Here the document remains unencrypted, but the digest, which anyone can compute, is included in an encrypted form …
If the digest is encrypted using a secret key, only those with access to the secret key could have signed the document and only they can verify the authenticity of the signature.
If the digest is encrypted using public-key encryption, only that principal with access to the private key could have signed the document and any party can verify its authenticity with the public key.
NOTE:
When signing using public-key encryption, the PRIVATE key is used to sign, and the public key is used to verify. This is the opposite usage to that when encrypting a document.
… let’s verify that this works and preserves privacy ...
Let’s test:
Message digest M =“G”= ASCII 71
P =11, Q =19
N = 11 X 19 = 209
Z = 10 X 18 =180
d =7
( e X d ) mod 180 = 1
7e % 180 =1
7 X 103 =721 and 721 % 180 = 1
e = 103
Let’s test:
c = M^d mod N
= 71^7 mod 209
= 3
Now we will decrypt:
c^e mod N
= 3^103 mod 209
= 71
It works!!!!!
NB: Last time we got 59
NB: The encrypted message is different when we do it this way … of course! Otherwise we’d have a problem! If the encryption and decryption keys both produced the same encryption, either could be used to decrypt!
An open question for you to think about:
We know that, in general,
M^e % N ≠ M^d % N
but, does there exist an M for which the above does hold? Why or why not?
More on how public-key encryption works:
How can we calculate numbers raised to such high exponents efficiently?
b^e mod m = ( b X b X b … X b ) mod m   (“e” of these)
This is obvious … but hard to compute …
What is not so obvious, is the alternative:
b^e mod m = (…(((b X b) mod m X b) mod m) X … X b) mod m   (“e” repetitions)
This is not so obvious … but is much easier to compute!
This approach keeps the numbers down to a manageable number of significant digits.
Part 4 – Secure Digest Functions: We will now discuss the features that a secure digest function should have. We will also discuss how the security of a digest function could be compromised and what strategy can be employed to defeat such attacks. We will look at a few typical digest functions.
Secure Digest Function:
A secure digest function producing h from M should have the following properties …
• Given M, h should be easy to compute
• Given h, it should be difficult to compute M
• Given M, it should be difficult to find another message which also produces the same digest.
How difficult is it to find an M that has a particular h?
To explore this, we will introduce …
There are 365 days in a year. What is the probability that a person in a room will have a birthday on a particular date?
If there is only one person, 1:365 … but what if there are more? … and how many would have to be in the room before we consider it likely that someone will have a birthday on a particular date? i.e. greater than 50/50
Wouldn’t you think that this would happen if there were 182 people in the room … i.e. ½ of 365?
Q: Why is this logic flawed?
A: Because it suggests that it is likely that in a room full of 182 people, no two have the same birthday! i.e. they all have unique birthdays.
So, what is the correct way to proceed?
Let:
p(target) represent the probability that a person has the target date as a birthday
p(non_target) represent the probability that a person does not have the target birthday.
Then:
p(non_target) = 1 - p(target)
= 1 - 1/365
What about n people? Since these are independent events, the individual probabilities multiply giving:
p(n_not_target) = [p(not_target)]^n
Then the probability that at least one person DOES have the target birthday is simply:
1 - [p(not_target)]^n
For n=252 we have:
1 - (1-1/365)^252
= 0.499105
and for n=253 we have:
1 - (1-1/365)^253
= 0.500477
Or if we wish to be a bit more formal:
0.5 = 1 - (1 - 1/365)^x
1 - 0.5 = (364/365)^x
0.5 = 0.99726^x
ln 0.5 = ln (0.99726^x)
-0.693147 = x ln (0.99726)
-0.693147 = x (-0.00274376)
x = 0.693147/0.00274376
x = 252.6
We therefore conclude that in a room with 253 or more people, it becomes likely that one or more will have a birthday on the specified date.
Now what about the probability that two people in the same room have the same birthday? i.e. how many people have to be in the same room before it becomes likely that at least two will have the same birthday?
Take a group of n people. There are n X (n-1)/2 possible pairs.
The chance of failure (that no 2 have the same birthday) is:
(1-1/365) X (1-1/365) X … [n*(n-1)/2] times.
The chances of success are then:
p = 1 - (1-1/365)^(n X (n-1) / 2)
for n=22, we get:
p = 0.469399
and for n=23, we get:
p = 0.500477
Or, once again, we can be more formal:
0.5 = 1 - (1-1/365)^(n X (n-1) / 2)
1 - 0.5 = (364/365)^(n X (n-1) / 2)
0.5 = (364/365)^(n X (n-1) / 2)
0.5^2 = (0.99726)^(n X (n-1))
0.25 = (0.99726)^(n X (n-1))
ln 0.25 = ln 0.99726^(n X (n-1))
ln 0.25 = n (n-1) ln 0.99726
-1.38629 = n (n-1) (-0.00274376)
n (n-1) = 1.38629 / 0.00274376
n (n-1) = 505.25
n^2 - n - 505.25 = 0
n = (-B ± √(B^2 - 4AC)) / 2A
n = (1 ± √(1 + 4(505.25))) / 2
n = (1 ± √2022) / 2
n = (1 ± 44.967) / 2
n = 45.967 / 2
n = 22.9835
We conclude that in a room with 23 or more people, it is likely that two or more have the same birthday.
Conclusion:
Now how does this relate to cryptography?
The difference between trying to find a piece of plaintext that matches a particular digest, as opposed to trying to find two pieces of plaintext that have the same digest …
is the same as
… the difference between trying to find a person with a particular birthday and trying to find two people with the same birthday.
Summary conclusion:
So, it’s difficult for an attacker to find a piece of plaintext that will match a particular digest, however an attacker can take two documents, one favorable and another not favorable, and “tweak” the pair until they have the same digest, but “look” the same as the two originals …
Dear Eve:
I owe you $20.00
I will pay you next year.
signed:Adam
Dear Eve:
I owe you $2,000,000.00
I will pay you tomorrow.
signed:
Adam
Add the odd invisible blank or tab characters here and there at the ends of the lines until the digests of each document match.
Dear Eve:
I owe you $20.00
I will pay you next year.
signed:Adam
Eve gives this document to Adam to sign, who is happy to do so …
Dear Eve:
I owe you $20.00
I will pay you next year.
signed:Adam
Adam signs the document and returns it to Eve …
[Figure: the signed document, with Adam's signature (the encrypted digest) attached]
Eve combines Adam’s signature (encrypted digest) to the unfavorable document and claims it to be authentic! …
Dear Eve:
I owe you $2,000,000.00
I will pay you tomorrow.
signed:
Adam
[Figure: the unfavorable document with Adam's signature (the encrypted digest) attached]
How serious is this threat, and how do we guard against it?
If the digest function is 64 bits long, 2^32 versions of M and M’ are required on average for this attack to be feasible.
Solution: Use a bigger digest function of at least 128 bits.
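Why digest length is the defence can be measured on a deliberately weakened digest. The following is an added example, not part of the original lecture: it truncates SHA-256 to a few bits, builds whitespace variants of the two letters as described above, and counts how many digests must be computed before a favorable and an unfavorable variant agree. The document text is constructed from the slides; the function names and the truncation are assumptions of this example.

```python
import hashlib

# Sample documents constructed from the lecture's two letters.
FAVORABLE = ["Dear Eve:", "I owe you $20.00",
             "I will pay you next year.", "signed: Adam"]
UNFAVORABLE = ["Dear Eve:", "I owe you $2,000,000.00",
               "I will pay you tomorrow.", "signed: Adam"]

def short_digest(text, bits):
    """First `bits` bits of SHA-256: a deliberately weakened digest."""
    full = int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")
    return full >> (256 - bits)

def variant(lines, i, nbits=16):
    """Variant i of a document: bit j of i appends a space or a tab to a line end."""
    out = list(lines)
    for j in range(nbits):
        out[j % len(out)] += "\t" if (i >> j) & 1 else " "
    return "\n".join(out)

def find_matching_pair(bits, limit=1 << 16):
    """Return (doc_a, doc_b, digests_computed) whose truncated digests agree."""
    table_size = 1 << (bits // 2)  # about 2^(bits/2) variants, as in the lecture
    seen = {short_digest(variant(FAVORABLE, i), bits): i
            for i in range(table_size)}
    for k in range(limit):
        h = short_digest(variant(UNFAVORABLE, k), bits)
        if h in seen:
            doc_a = variant(FAVORABLE, seen[h])
            doc_b = variant(UNFAVORABLE, k)
            return doc_a, doc_b, table_size + k + 1
    return None

if __name__ == "__main__":
    for bits in (12, 16, 20):
        _, _, cost = find_matching_pair(bits)
        print(f"{bits}-bit digest: pair found after {cost} digests "
              f"(2^(bits/2) = {1 << (bits // 2)})")
```

The work grows with 2^(bits/2), which is why a 64-bit digest needs only about 2^32 variants and why the two documents still differ under the full 256-bit digest.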
Part 5 – More on the Math: To complete today’s lecture, we will look a bit deeper into the mathematics behind how some of the encryption works. In particular, we will investigate how the mod function works in conjunction with the exponentiation function. This is one of the key features in making the system manageable.
Earlier, we noted that:
b^e mod m = (…(((b X b) mod m X b) mod m) X … X b) mod m   (“e” repetitions)
How and why does this work?
For the same reason, we note that:
(d X e) mod Z = (d mod Z)(e mod Z) mod Z
Suppose d=jZ+D and e=kZ+E, where D,E < Z
In other words, d mod Z = D & e mod Z = E
Then (d X e) mod Z = (jZ+D)(kZ+E) mod Z
= (jkZ^2 + DkZ + EjZ + DE) mod Z
= ((jkZ + Dk + Ej)Z + DE) mod Z
= DE mod Z
= (d mod Z)(e mod Z) mod Z
Now, consider M^e mod N, and apply the above …
M^e % N = (M X M^(e-1)) % N
= (M%N)(M^(e-1)%N)%N
So we can apply the mod function to either term of a product, or to the product as a whole at any point without affecting the result.
So, M^e % N can be calculated as:
(…((M%N X M)%N X M)%N … )%N
as we noted earlier.
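The reduce-as-you-go rule and the worked RSA numbers from Parts 1 and 3 can be checked together. The following is an added example, not part of the original lecture: it implements the repeated multiply-and-reduce form shown above, goes one step further with a square-and-multiply version that needs only about log2(e) steps, derives e from d by the extended Euclidean algorithm, and reruns the lecture's encryption and signature tests. All function names are assumptions of this example.

```python
def modexp_repeated(b, e, m):
    """b^e mod m as on the slide: multiply by b and reduce, e times."""
    result = 1
    for _ in range(e):
        result = (result * b) % m
    return result

def modexp_square_multiply(b, e, m):
    """Same value in about log2(e) steps, scanning the bits of e."""
    result, b = 1, b % m
    while e > 0:
        if e & 1:
            result = (result * b) % m
        b = (b * b) % m
        e >>= 1
    return result

def inverse_mod(d, z):
    """Solve (e X d) mod z = 1 for e with the extended Euclidean algorithm."""
    old_r, r = d, z
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("d shares a factor with Z, so no e exists")
    return old_s % z

# Toy values from the lecture; real keys use primes of 100+ digits.
P, Q, D = 11, 19, 7
N, Z = P * Q, (P - 1) * (Q - 1)
E = inverse_mod(D, Z)
M = ord("G")

def encrypt(m):   # public key <e,N>
    return modexp_repeated(m, E, N)

def decrypt(c):   # private key <d,N>
    return modexp_repeated(c, D, N)

def sign(m):      # signing uses the PRIVATE key
    return modexp_square_multiply(m, D, N)

def verify(sig):  # verification uses the public key
    return modexp_square_multiply(sig, E, N)

if __name__ == "__main__":
    print("e =", E, "ciphertext =", encrypt(M), "signature =", sign(M))
```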