Cryptography Public Key Cryptosystems Anita Jones CS451 Information Security Copyright(C) Anita Jones
Dec 24, 2015
CryptographyPublic Key Cryptosystems
Anita JonesCS451 Information Security
Copyright(C) Anita Jones
September, 2006
Public key encryption
The two problems to be solved: Key distribution Digital signature
Revolutionary new approach Based on math functions, not simple
operations on bit patterns
Asymmetric (Public Key) Encryption
Ralph Merkle, Martin Hellman, Whitfield Diffie (1977)
Len Adleman
Ronald Rivest Adi Shamir
September, 2006
Contributions
Diffie & Hellman showed that encryption with pairs of keys was possible
Rivest, Shamir & Adleman created a cost-effective method, and then commercialized it which make it readily accessible to users
September, 2006
A revolution of sorts
Diffie & Hellman (1976) sought to solve 2 problems: better way to distribute keys provide for a digital document signature
public key encryption is based on mathematical functions, not on substitution & permutation
asymmetric – two different keys it does not displace block ciphers (symmetric keys)
Why not? Because it costs too much
September, 2006
Basics
Each user generates a pair of keysEach user places one key in a publicly
accessible placeEach user keeps the other key secret
EKR(M) = C EKU(C) = M
Where, M = plaintext (message); C = ciphertextKR = restricted (private) key KU = unrestricted (public) key
September, 2006
Requirements for Public Key
Computationally EASY to generate a pair of keys (public KU, private KR) encrypt, given key KU & message M decrypt, given key KR & encrypted message, C
Computationally INFEASIBLE to determine private key KR, knowing public key KU recover original message (M), given public key KU
& ciphertext, C, for message M
September, 2006
First of two uses
Confidentiality A wants to send message to B A encrypts message with B’s public key A sends encrypted message to B B decrypts message with its private key
(and by the way, B’s public key will not “decrypt” the encrypted message)
September, 2006
Second of two uses
Authentication, or digital signature A wants to send message to B in a way that B can be assured
that A (and no one else) sent it A encrypts message with A’s private key (sign!) A sends encrypted/signed message to B B decrypts message with A’s public key B then knows that
only A could have sent it data integrity assured, once encrypted (if whole message is
encrypted)
How do you distribute the Public Key?
September, 2006
Digression
What does the receiver know about a message once it is “correctly” decrypted? Plaintext is readable, i.e. understandable If a “bit flipped”, then resulting plaintext is
unintelligible; remember “avalanche” property
Both the cryptanalyst and a legitimate receiver know when they decrypt and read plaintext
September, 2006
Comparisons – Preview *
Primary Source: Security in Computing, Pfleeger&Pfleeger, p. 75
Symmetric Asymmetric• 1 2
• Must be kept secret One secret; One public
• Crypto “workhorse”; Key distribution, authenticationsecrecy & integrity of data–single characters to blocks of data, messages, files
• Must be “out-of-band” Public key can be used to distribute other keys
• Fast - based on addition, Slow; complex mathematics (e.g. masks, and shifts exponentiation); typically 10,000 times slower than symmetric keys
• 40, 128, 256, 512 512, 1024, 2048
• DES, 3DES, AES, RSA, El Gamal, Merkle-Hellman, Blowfish, Twofish, IDEA Elliptic Curve
•# of Keys
•Protection of key
•Best Uses
•Key Distribution
•Speed
•Key Lengths
•Examples
September, 2006
Some Misconceptions about Symmetric vs Asymmetric encryption
One is superior to the other
Public key encryption replaces symmetric encryption
Public key encryption makes key distribution trivially easy
September, 2006
RSA (Rivest, Shamir, Adelman) Algorithm
plaintext and ciphertext are (considered) integers between 0 and n-1, some n
public KU = {e, n} and public KR = {d, n}
for plaintext M and ciphertext C C = Me mod n M = Cd mod n = (Me)d mod n = Med mod n
Why so prevalent? Because RSA Inc. commercialized it
September, 2006
RSA Important properties
There exists e, d, n such that
Med = M mod n for all M < n
Easy to calculate Me and Cd
for all values of M < n
Infeasible to determine d, given e and n
September, 2006
Modulo arithmetic – review
a mod n is the remainder of a divided by n
So, values of a mod n are all between 0 and n-1
24 mod 7 = 3 5 mod 7 = 5
a = b mod n means a mod n = b mod ni.e. give the same remainder
a=b mod n means a = b + kn (k negative or positive)
a and b are congruent mod n
24 mod 7 = 10 mod 7 = 3, so 24 =10 = 3 mod 7
September, 2006
RSA: computing e, n, and d
select 2 prime numbers p, q (p not = q)
calculate n = p * q (n is the modulus)
calculate ø(n) = (p-1) * (q-1)select e such that
e is relatively prime to ø(n) and 1 < e < ø(n)
determine d such that d * e = 1 mod ø(n)
September, 2006
RSA: computing e, n, and d
select prime numbers p = 7, q = 17calculate n = p * q = 119calculate ø(n) = (p-1) * (q-1) = 6 * 16 = 96select e = 5 such that
e is relative prime to ø(n) and e < ø(n)
determine d = 77 such that d * e = 1 mod ø(n) and d < ø(n) 5 * 77 = 385 = 4 * 96 + 1
September, 2006
RSA: applying e, n, and d
KU = {5, 119} and KR = {77, 119} let plaintext M = 19Encryption C = Me mod n
C = EKU(19) = 195 mod 119 = 2,476,099 mod 119
= 66
Decryption M = Cd mod n M = DKR(66) = 6677 mod 119
= <big number> mod 119 = 19 mod 119 = 19
September, 2006
RSA -- getting parameters “right”
need to choose suitably large p, q e is usually chosen to be smalltypically e may be the same for all users originally a value of 3 was suggested, but
it is regarded as too small currently216 -1 = 65535 is typical used the decryption exponent d will be large
September, 2006
Practical aspects of RSA
So why is RSA so much slower than DES? today’s computer’s can't directly handle
numbers larger than 32- or 64-bits
need multiple precision arithmetic requiring libraries to handle large numbers
September, 2006
Is Public Key Crypto Secure?
A 128 bit key would be a number between 1 and 340,282,366,920,938,000,000,000,000,000,000,000,000
How many prime numbers are between 1 and this number? approximately n / ln(n) which is about 2^128 / ln( 2^128 ) =
3,835,341,275,459,350,000,000,000,000,000,000,000
How long would it take to find all of these prime numbers if you could calculate one trillion of these numbers per second? More than 121,617,874,031,562,000 years (i.e., about 10 million times
longer than the universe has existed so far.) Reference: http://www.livinginternet.com/?i/is_crypt_pkc_inv.htm
Answer – Yes, but know its limitations (e.g. plaintext attacks, block sizes, etc.)
September, 2006
Speeding up RSA
modulo arithmetic permits reducing intermediate results, because(a*b) mod n = [(a mod n)*(b mod n)]mod n
195 mod 119 = 2,476,099 mod 119 = ? = [(191 mod 119) * ( 192 mod 119) * (192 mod 119)] mod 119 Note: 192 mod 119 = 361 mod 119 = 4 195 mod 119 = [19 * 4 * 4] mod 119 = 304 mod 119 = 66
September, 2006
Speeding up RSA
usual multiplication takes O(n2) bit opsfaster technique: Schonhage-Strassen Integer
Multiplication Algorithm: breaks each integer into blocks, & uses them as coefficients of a
polynomial evaluates these polynomials at suitable points, & multiplies the
resultant values interpolates these values to form the coefficients of the product
polynomial combines the coefficients to form the product of the original
integer
September, 2006
Attacks on RSA
Brute force – try all possible private keys Depends on length of the key
Mathematical attack – factor n into its two primes
Timing attack – use measurement of the decryption time to guess values
September, 2006
RSA security rests on factoring
security of RSA is assumed to rest on the difficulty of computing ø(n), i.e. finding (p-1), (q-1)
best known theoretical factoring algorithms take years (assume 1 binary op per nanosec) when number of decimal digits in n exceed 100
so, 1024 + bits looks secure for now
September, 2006
Breaking RSA
RSA inventors offered $100 reward for finding a plaintext sentence enciphered via RSA
public key had 129 decimal digits (~ 428 bits)RSA predicted 40 quadrillion years was
needed1994 -- a group claimed the prize after 8
months of work (1600 computers used)
September, 2006
Elliptic Curve Cryptography
RSA challenger – uses fewer bits than RSA, so is computationally cheaper
Based on cubic equations of form: y2 + axy + by = x3 +cx2 + dx + e … real a, b, c, d, eDefine a form of addition on points on curve -
multiple additions are the counterpart of modular exponentiation in RSA
Less experience, so it is not as trusted as RSA
September, 2006
Applications
September, 2006
Digital Signature
Construct that authenticates both the origin & content of a message In a manner that is provable to a third party
E.g. A sends EA-R [M]; B has EA-U [M], M
where M = EA-U [EA-R [M]] Repudiation problem: A says “My key was stolen”
September, 2006
Key Distribution
A sends/posts A’s public keyAll others can see it
Forgery problem: Z posts a key and says that it is A’s public key Z can read what others send to A Until A alerts others to the forged key
September, 2006
Public Key Certificate
Create a trusted third party Key distribution center (KDC) or certificate authority
(CA) Maintains a registry of user keys Creates certificates: [ID of A, A’s public key] Certificate signed by CA
Encrypted with KDC’s private key
Use: user gives CA the user’s public key User obtains certificate; publishes certificate Assumed valid until user informs CA that key is invalid
September, 2006
Key distribution -- using certificates
A and B register with the CA
A and B exchange certificates
A creates secret (shared) session key
A encrypts session key with A’s private key
A then encrypts with B’s public key
A sends to B
September, 2006
We need a more formal way of describing these exchanges!
Let’s talk about security protocols!
September, 2006
Backups
September, 2006
Why?
Why should it be the case that if M is plaintext & C is ciphertext
& if C = Me mod n, that
M = Cd mod n = (Me)d mod n = Med mod n,
I.e. what makes us think that there even exists an e and d such that Med mod n = M?
September, 2006
Theory behind RSA
if n = pq where p, q are primes, then: xø(n) = 1 mod n for all x not divisible by p or q, ie gcd(x,ø(n))=1 where ø(n)=(p-1)(q-1) RSA chooses e & d to be inverses mod ø(n) ie e*d=1+q*ø(n) therefore M = Cd = Med = M1+q*ø(n) = M1 *(M ø(n) )q = M1*(1)q = M1 mod N
September, 2006
Speeding up RSA (cont)
Discrete Fourier Transform, & the Convolution Theorem are used to speed up the interpolation stage
results in multiplying in O(n log n) bit ops (versus O(n2)
special hardware is a possibility