Applied Cryptography (Public Key) RSA. Public Key Cryptography Every Egyptian received two names, which were known respectively as the true name and the.

Applied CryptographyApplied Cryptography(Public Key)(Public Key)

RSARSA

Public Key CryptographyPublic Key Cryptography

Every Egyptian received two names, which were Every Egyptian received two names, which were known respectively as the true name and the known respectively as the true name and the good name, or the great name and the little good name, or the great name and the little name; and while the good or little name was name; and while the good or little name was made public, the true or great name appears to made public, the true or great name appears to have been carefully concealed.have been carefully concealed.

——The Golden Bough, The Golden Bough, Sir James George FrazerSir James George Frazer

Private-Key CryptographyPrivate-Key Cryptography

traditional traditional private/secret/single keyprivate/secret/single key cryptography uses cryptography uses oneone key key

shared by both sender and receiver shared by both sender and receiver if this key is disclosed communications are if this key is disclosed communications are

compromised compromised also is also is symmetricsymmetric, parties are equal , parties are equal hence does not protect sender from hence does not protect sender from

receiver forging a message & claiming is receiver forging a message & claiming is sent by sender sent by sender

Public-Key CryptographyPublic-Key Cryptography

probably most significant advance in the probably most significant advance in the 3000 year history of cryptography 3000 year history of cryptography

uses uses twotwo keys – a public & a private key keys – a public & a private key asymmetricasymmetric since parties are since parties are notnot equal equal uses clever application of number uses clever application of number

theoretic concepts to functiontheoretic concepts to function complements complements rather thanrather than replaces private replaces private

key cryptokey crypto

Why Public-Key Why Public-Key Cryptography?Cryptography?

developed to address two key issues:developed to address two key issues: key distributionkey distribution – how to have secure – how to have secure

communications in general without having to communications in general without having to trust a KDC with your keytrust a KDC with your key

digital signaturesdigital signatures – how to verify a message – how to verify a message comes intact from the claimed sendercomes intact from the claimed sender

public invention due to Whitfield Diffie & public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976Martin Hellman at Stanford Uni in 1976 known earlier in classified communityknown earlier in classified community

Public-Key CryptographyPublic-Key Cryptography

public-key/two-key/asymmetricpublic-key/two-key/asymmetric cryptography cryptography involves the use of involves the use of twotwo keys: keys: a a public-keypublic-key, which may be known by anybody, and , which may be known by anybody, and

can be used to can be used to encrypt messagesencrypt messages, and , and verify verify signaturessignatures

a a private-keyprivate-key, known only to the recipient, used to , known only to the recipient, used to decrypt messagesdecrypt messages, and , and signsign (create) (create) signatures signatures

is is asymmetricasymmetric because because those who encrypt messages or verify signatures those who encrypt messages or verify signatures

cannotcannot decrypt messages or create signatures decrypt messages or create signatures

Public-Key CryptographyPublic-Key Cryptography

Public-Key CharacteristicsPublic-Key Characteristics

Public-Key algorithms rely on two keys where:Public-Key algorithms rely on two keys where: it is computationally infeasible to find decryption key it is computationally infeasible to find decryption key

knowing only algorithm & encryption keyknowing only algorithm & encryption key it is computationally easy to en/decrypt messages it is computationally easy to en/decrypt messages

when the relevant (en/decrypt) key is knownwhen the relevant (en/decrypt) key is known either of the two related keys can be used for either of the two related keys can be used for

encryption, with the other used for decryption (for encryption, with the other used for decryption (for some algorithms)some algorithms)

Public-Key CryptosystemsPublic-Key Cryptosystems

Public-Key ApplicationsPublic-Key Applications

can classify uses into 3 categories:can classify uses into 3 categories: encryption/decryptionencryption/decryption (provide secrecy) (provide secrecy) digital signaturesdigital signatures (provide authentication) (provide authentication) key exchangekey exchange (of session keys) (of session keys)

some algorithms are suitable for all uses, some algorithms are suitable for all uses, others are specific to oneothers are specific to one

Security of Public Key SchemesSecurity of Public Key Schemes like private key schemes brute force like private key schemes brute force exhaustive exhaustive

searchsearch attack is always theoretically possible attack is always theoretically possible but keys used are too large (>512bits) but keys used are too large (>512bits) security relies on a security relies on a large enoughlarge enough difference in difference in

difficulty between difficulty between easyeasy (en/decrypt) and (en/decrypt) and hardhard (cryptanalyse) problems(cryptanalyse) problems

more generally the more generally the hardhard problem is known, but problem is known, but is made hard enough to be impractical to break is made hard enough to be impractical to break

requires the use of requires the use of very large numbersvery large numbers hence is hence is slowslow compared to private key schemes compared to private key schemes

RSARSA

by Rivest, Shamir & Adleman of MIT in 1977 by Rivest, Shamir & Adleman of MIT in 1977 best known & widely used public-key scheme best known & widely used public-key scheme based on exponentiation in a finite (Galois) field based on exponentiation in a finite (Galois) field

over integers modulo a prime over integers modulo a prime nb. exponentiation takes O((log n)nb. exponentiation takes O((log n)33) operations (easy) ) operations (easy)

uses large integers (eg. 1024 bits)uses large integers (eg. 1024 bits) security due to cost of factoring large numbers security due to cost of factoring large numbers

nb. factorization takes O(e nb. factorization takes O(e log n log log nlog n log log n) operations (hard) ) operations (hard)

RSA Key SetupRSA Key Setup

each user generates a public/private key pair by: each user generates a public/private key pair by: selecting two large primes at random - selecting two large primes at random - p, qp, q computing their system modulus computing their system modulus n=p.qn=p.q

note note ø(n)=(p-1)(q-1)ø(n)=(p-1)(q-1) selecting at random the encryption key selecting at random the encryption key ee

• where 1<where 1<e<ø(n), gcd(e,ø(n))=1 e<ø(n), gcd(e,ø(n))=1

solve following equation to find decryption key solve following equation to find decryption key dd e.d=1 mod ø(n) and 0e.d=1 mod ø(n) and 0≤≤dd≤≤nn

publish their public encryption key: PU={e,n} publish their public encryption key: PU={e,n} keep secret private decryption key: PR={d,n} keep secret private decryption key: PR={d,n}

RSA UseRSA Use

to encrypt a message M the sender:to encrypt a message M the sender: obtains obtains public keypublic key of recipient of recipient PU={e,n}PU={e,n} computes: computes: C = MC = Mee mod n mod n, where , where 00≤≤MM<<nn

to decrypt the ciphertext C the owner:to decrypt the ciphertext C the owner: uses their private key uses their private key PR={d,n}PR={d,n} computes: computes: M = CM = Cdd mod n mod n

note that the message M must be smaller note that the message M must be smaller than the modulus n (block if needed)than the modulus n (block if needed)

Why RSA WorksWhy RSA Works

because of Euler's Theorem:because of Euler's Theorem: aaø(n)ø(n)mod n = 1 mod n = 1 where where gcd(a,n)=1gcd(a,n)=1

in RSA have:in RSA have: n=p.qn=p.q ø(n)=(p-1)(q-1)ø(n)=(p-1)(q-1) carefully chose carefully chose ee & & dd to be inverses to be inverses mod ø(n)mod ø(n) hence hence e.d=1+k.ø(n)e.d=1+k.ø(n) for some for some kk

hence :hence :CCdd = M = Me.d e.d = M= M1+k.ø(n)1+k.ø(n) = M = M11.(M.(Mø(n)ø(n)))kk = M= M11.(1).(1)kk = M = M11 = M mod n = M mod n

RSA Example - Key SetupRSA Example - Key Setup

1.1. Select primes: Select primes: pp=17 & =17 & qq=11=112.2. ComputeCompute n n = = pq pq =17=17 x x 11=18711=1873.3. ComputeCompute ø( ø(nn)=()=(p–p–1)(1)(q-q-1)=161)=16 x x 10=16010=1604.4. Select Select ee:: gcd(e,160)=1; gcd(e,160)=1; choose choose ee=7=75.5. Determine Determine dd:: de=de=1 mod 1601 mod 160 and and d d < 160< 160

Value is Value is d=23d=23 since since 2323xx7=161= 107=161= 10xx160+1160+16.6. Publish public key Publish public key PU={7,187}PU={7,187}7.7. Keep secret private key Keep secret private key PR={23,PR={23,187}187}

RSA Example - En/DecryptionRSA Example - En/Decryption

sample RSA encryption/decryption is: sample RSA encryption/decryption is: given message given message M = 88M = 88 (nb. (nb. 88<18788<187)) encryption:encryption:

C = 88C = 8877 mod 187 = 11 mod 187 = 11 decryption:decryption:

M = 11M = 112323 mod 187 = 88 mod 187 = 88

RSA Key GenerationRSA Key Generation

users of RSA must:users of RSA must: determine two primes determine two primes at random - at random - p, qp, q select either select either ee or or dd and compute the other and compute the other

primes primes p,qp,q must not be easily derived must not be easily derived from modulus from modulus n=p.qn=p.q means must be sufficiently largemeans must be sufficiently large typically guess and use probabilistic testtypically guess and use probabilistic test

exponents exponents ee, , dd are inverses, so use are inverses, so use Inverse algorithm to compute the otherInverse algorithm to compute the other

RSA SecurityRSA Security

possible approaches to attacking RSA are:possible approaches to attacking RSA are: brute force key search (infeasible given size brute force key search (infeasible given size

of numbers)of numbers) mathematical attacks (based on difficulty of mathematical attacks (based on difficulty of

computing ø(n), by factoring modulus n)computing ø(n), by factoring modulus n) timing attacks (on running of decryption)timing attacks (on running of decryption) chosen ciphertext attacks (given properties of chosen ciphertext attacks (given properties of

RSA)RSA)

Timing AttacksTiming Attacks

developed by Paul Kocher in mid-1990’sdeveloped by Paul Kocher in mid-1990’s exploit timing variations in operationsexploit timing variations in operations

eg. multiplying by small vs large number eg. multiplying by small vs large number or IF's varying which instructions executedor IF's varying which instructions executed

infer operand size based on time taken infer operand size based on time taken RSA exploits time taken in exponentiationRSA exploits time taken in exponentiation countermeasurescountermeasures

use constant exponentiation timeuse constant exponentiation time add random delaysadd random delays blind values used in calculationsblind values used in calculations

Chosen Ciphertext AttacksChosen Ciphertext Attacks

• RSA is vulnerable to a Chosen RSA is vulnerable to a Chosen Ciphertext Attack (CCA)Ciphertext Attack (CCA)

• attackers chooses ciphertexts & gets attackers chooses ciphertexts & gets decrypted plaintext backdecrypted plaintext back

• choose ciphertext to exploit choose ciphertext to exploit properties of RSA to provide info to properties of RSA to provide info to help cryptanalysishelp cryptanalysis

• can counter with random pad of can counter with random pad of plaintextplaintext

• or use Optimal Asymmetric Encryption or use Optimal Asymmetric Encryption Padding (OASP)Padding (OASP)

Public AnnouncementPublic Announcement

users distribute public keys to recipients or users distribute public keys to recipients or broadcast to community at largebroadcast to community at large eg. append PGP keys to email messages or eg. append PGP keys to email messages or

post to news groups or email listpost to news groups or email list major weakness is forgerymajor weakness is forgery

anyone can create a key claiming to be anyone can create a key claiming to be someone else and broadcast itsomeone else and broadcast it

until forgery is discovered can masquerade as until forgery is discovered can masquerade as claimed userclaimed user

Publicly Available DirectoryPublicly Available Directory

can obtain greater security by registering can obtain greater security by registering keys with a public directorykeys with a public directory

directory must be trusted with properties:directory must be trusted with properties: contains {name,public-key} entriescontains {name,public-key} entries participants register securely with directoryparticipants register securely with directory participants can replace key at any timeparticipants can replace key at any time directory is periodically publisheddirectory is periodically published directory can be accessed electronicallydirectory can be accessed electronically

still vulnerable to tampering or forgerystill vulnerable to tampering or forgery

Public-Key AuthorityPublic-Key Authority

improve security by tightening control over improve security by tightening control over distribution of keys from directorydistribution of keys from directory

has properties of directoryhas properties of directory and requires users to know public key for and requires users to know public key for

the directorythe directory then users interact with directory to obtain then users interact with directory to obtain

any desired public key securelyany desired public key securely does require real-time access to directory does require real-time access to directory

when keys are neededwhen keys are needed

Public-Key CertificatesPublic-Key Certificates

certificates allow key exchange without certificates allow key exchange without real-time access to real-time access to public-key authoritypublic-key authority

a certificate a certificate binds binds identityidentity to to public keypublic key usually with other info such as period of usually with other info such as period of

validity, rights of use etcvalidity, rights of use etc with all contents with all contents signedsigned by a by a trusted trusted

Public-Key or Certificate Authority (CA)Public-Key or Certificate Authority (CA) can be verified by anyone who knows the can be verified by anyone who knows the

public-key authorities public-key public-key authorities public-key

Public-Key CertificatesPublic-Key Certificates

Public-Key DPublic-Key Distribution of Secret istribution of Secret KeysKeys

use previous methods to obtain public-keyuse previous methods to obtain public-key can use for secrecy or authenticationcan use for secrecy or authentication but public-key algorithms are slowbut public-key algorithms are slow so usually want to use private-key so usually want to use private-key

encryption to protect message contentsencryption to protect message contents hence need a session keyhence need a session key have several alternatives for negotiating a have several alternatives for negotiating a

suitable sessionsuitable session

Public-Key Distribution of Secret Public-Key Distribution of Secret KeysKeys

if have securely exchanged public-keys:if have securely exchanged public-keys:

Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange

first public-key type scheme proposed first public-key type scheme proposed by Diffie & Hellman in 1976 along with the by Diffie & Hellman in 1976 along with the

exposition of public key conceptsexposition of public key concepts note: now know that note: now know that WilliamsonWilliamson (UK CESG) (UK CESG)

secretly proposed the concept in 1970 secretly proposed the concept in 1970 is a practical method for is a practical method for public exchange public exchange

of a secret keyof a secret key used in a number of commercial productsused in a number of commercial products

Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange

a public-key distribution scheme a public-key distribution scheme cannot be used to exchange an arbitrary message cannot be used to exchange an arbitrary message rather it can establish a common key rather it can establish a common key known only to the two participants known only to the two participants

value of key depends on the participants (and value of key depends on the participants (and their private and public key information) their private and public key information)

based on exponentiation in a finite (Galois) field based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy(modulo a prime or a polynomial) - easy

security relies on the difficulty of computing security relies on the difficulty of computing discrete logarithms (similar to factoring) – harddiscrete logarithms (similar to factoring) – hard

Diffie-Hellman SetupDiffie-Hellman Setup

all users agree on all users agree on global parametersglobal parameters:: large prime integer or polynomial large prime integer or polynomial qq aa being a primitive root mod being a primitive root mod qq

each user (eg. A) generates their keyeach user (eg. A) generates their key chooses a secret key (number): chooses a secret key (number): xxAA < q < q

compute their compute their public keypublic key: : yyAA = = aaxxAA mod q mod q

each user makes public that key each user makes public that key yyAA

Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange

shared session key for users A & B is Kshared session key for users A & B is KABAB: :

KKABAB = = aaxxA.A.xxBB mod q mod q

= y= yAA

xxBB mod q (which mod q (which BB can compute) can compute)

= y= yBB

xxAA mod q (which mod q (which AA can compute) can compute)

KKABAB is used as is used as session keysession key in private-key in private-key encryption scheme between Alice and Bobencryption scheme between Alice and Bob

if Alice and Bob subsequently communicate, they if Alice and Bob subsequently communicate, they will have the will have the samesame key as before, unless they key as before, unless they choose new public-keys choose new public-keys

attacker needs an x, must solve discrete logattacker needs an x, must solve discrete log

Diffie-Hellman Example Diffie-Hellman Example

users Alice & Bob who users Alice & Bob who wish to swap keyswish to swap keys:: agree on prime agree on prime q=353q=353 and and aa=3=3 select random secret keys:select random secret keys:

A chooses A chooses xxAA=97, =97, B chooses B chooses xxBB=233=233 compute respective public keys:compute respective public keys:

yyAA==3397 97 mod 353 = 40 mod 353 = 40 (Alice)(Alice)

yyBB==33233233 mod 353 = 248 mod 353 = 248 (Bob)(Bob)

compute shared session key as:compute shared session key as: KKABAB= y= yBB

xxAA mod 353 = mod 353 = 2482489797 = 160 = 160 (Alice)(Alice)

KKABAB= y= yAAxxBB mod 353 = mod 353 = 4040

233233 = 160 = 160 (Bob)(Bob)