Page 1: ECE579S-Class 2_2012

ECE579S/2 #1 WPI

ECE579S Computer & Network Security

Cryptography Primer

Professor Richard A. Stanley, P.E.

Spring 2012 © 2000-2012, Richard A. Stanley

Page 2: ECE579S-Class 2_2012

Overview of the Cryptology Field

Page 3: ECE579S-Class 2_2012

Types of Cryptosystems

• Symmetric key
– Since times B.C.E. to today
– Also called private key, which has become confusing
• Asymmetric key
– Invented in 1976
– Also called public key systems
• Hybrid Systems

Page 4: ECE579S-Class 2_2012

The Players

• Alice: commonly used to denote the sender of cryptographic traffic
• Bob: commonly used to indicate the recipient of that traffic
• Eve: an eavesdropper
• Oscar: a generalized “bad guy”

Page 5: ECE579S-Class 2_2012

Symmetric Key Cryptosystems

• Problem Statement: Alice and Bob want to communicate over an unsecured channel (e.g., computer network, satellite link). They want to prevent Oscar (the bad guy) from listening.
• Solution: Use a private-key cryptosystem (these have been around since ancient times) such that if Oscar reads the encrypted version y of the message x on the unsecured channel, he will not be able to understand its content, because x, not y, is what was really sent.

Page 6: ECE579S-Class 2_2012

Symmetric Key Cryptography

(Diagram: Alice encrypts Alice’s message with the shared private key; Bob decrypts it with the same shared private key.)

Page 7: ECE579S-Class 2_2012

Monoalphabetic Substitution Ciphers

• One of the oldest approaches
• Simply replace one letter of the text alphabet by another letter from the same alphabet (e.g., the English-language alphabet), one letter for one letter
• There are problems
– Statistics
– Key length

Page 8: ECE579S-Class 2_2012

Modern Approaches

• Use computers or computer-based machines to simulate a key of very long length (key length >>> text length) to avoid key management problems
• Key these machines with short keys that can generate larger numbers to simulate a very long key
• There are also problems here

Page 9: ECE579S-Class 2_2012

Enigma

Perhaps the most famous cipher machine in history.

This is an early model. Later test versions had as many as five rotors. Standard Kriegsmarine machines had four rotors after about 1943.

Enigma was a tactical machine -- designed for battlefield use.

Even today, Enigma would provide decent security… IF no errors occurred on the part of the operators.

Page 10: ECE579S-Class 2_2012

Sigaba

Similar in theory to Enigma.

Designed for strategic (fixed station) use; note direct punching of teletypewriter paper tape for transmission.

Page 11: ECE579S-Class 2_2012

Symmetric Key Cryptosystems

Page 12: ECE579S-Class 2_2012

Definitions

Page 13: ECE579S-Class 2_2012

Kerckhoffs’ Principle

• Secrecy must reside solely in the key
– It is assumed that the attacker knows the complete details of the cryptographic algorithm and implementation
• A. Kerckhoffs was a 19th century Dutch cryptographer
– Not to be confused with G. Kirchhoff, a 19th century German physicist whose name is attached to mesh circuit analysis techniques
• Ergo, security by obscurity doesn’t work!

Page 14: ECE579S-Class 2_2012

Enigma and Sigaba

• Both illustrate the validity of Kerckhoffs’ principle
• Even when cryptanalysts were armed with a nearly perfect replication of the Enigma logic, brute-force keyspace search was useless for providing practical results
• The key needed to be discovered!

Page 15: ECE579S-Class 2_2012

Simple Block Ciphers

Page 16: ECE579S-Class 2_2012

Other Crypto Systems

• Substitution ciphers
– Most famous is the Caesar cipher: monoalphabetic substitution with offset = 3
– Transposition ciphers in this group
– Children’s decoders usually in this category
• Book ciphers
• Codebooks

Page 17: ECE579S-Class 2_2012

Problem Areas

• Languages have well-known statistics
– E.g., “e” is the most common letter in English
– This can be exploited for cryptanalysis
– Thus, substitution ciphers are not very secure
– Similar problems plague book ciphers, etc.
• The only way to achieve true security is to make the ciphertext appear to be as random as possible

Page 18: ECE579S-Class 2_2012

Letter Frequencies in English

(Frequency chart not reproduced.) If this were arranged as a Pareto chart, it would quickly be obvious that e, t, a are the three most common letters … usually
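As an added example (not code from the slides), here is the Caesar cipher of page 16 enciphering a constructed English paragraph, with the letter counts this slide's chart describes. The offset is recovered from the frequencies alone, which is the "statistics bleed through" problem of pages 7 and 17 made concrete. SAMPLE_TEXT and all function names are my own.

```python
from collections import Counter
import string

# Constructed sample text (not from the slides): ordinary English prose, so
# that the language statistics the slide describes are visible.
SAMPLE_TEXT = (
    "The quick brown fox jumps over the lazy dog while the other animals "
    "gather near the edge of the forest and wait for the evening to arrive. "
    "Every letter of the alphabet appears here at least once, but the "
    "common letters appear far more often than the rare ones."
)


def caesar_encrypt(plaintext: str, offset: int = 3) -> str:
    """Monoalphabetic substitution: shift every letter by a fixed offset.
    Non-letters pass through unchanged, which already leaks word lengths."""
    out = []
    for ch in plaintext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + offset) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, offset: int = 3) -> str:
    # The inverse substitution is just the negative shift.
    return caesar_encrypt(ciphertext, -offset)


def letter_frequencies(text: str) -> list:
    """Counts of a-z, most common first: the Pareto view the slide describes."""
    counts = Counter(ch for ch in text.lower() if ch in string.ascii_lowercase)
    return counts.most_common()


def guess_offset(ciphertext: str, most_common_plain: str = "e") -> int:
    """Recover the Caesar offset from statistics alone, assuming the most
    frequent ciphertext letter is the image of the most frequent English letter."""
    top_letter = letter_frequencies(ciphertext)[0][0]
    return (ord(top_letter) - ord(most_common_plain)) % 26


if __name__ == "__main__":
    ct = caesar_encrypt(SAMPLE_TEXT, 3)
    print("Top plaintext letters :", letter_frequencies(SAMPLE_TEXT)[:3])
    print("Top ciphertext letters:", letter_frequencies(ct)[:3])
    print("Offset recovered from frequencies:", guess_offset(ct))
```

The substitution changes which symbol is most common but not how often it occurs, so the frequency profile of the language survives intact in the ciphertext; that is exactly why page 17 concludes that ciphertext must look as random as possible.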

Page 19: ECE579S-Class 2_2012

Modern Cryptography Uses Electronic Digital Systems

• Advantages:
– Speed
– Accuracy
– Ability to use complex mathematics
• Disadvantages:
– Complex equipment
– Electronic vulnerabilities
– Key management

Page 20: ECE579S-Class 2_2012

Symmetric Ciphers

• Have the same key at each end
• Important that message length < cipher length, otherwise statistics “bleed through”
– This is what modern cipher machines emulate
• Billions of combinations possible
• Keys changed frequently
• Each circuit requires a key pair

Page 21: ECE579S-Class 2_2012

Cipher Example (Mauborgne/Vernam)

• Encipher
  Plain:  001 010 011 100
  +key:   111 011 010 101
  Cipher: 110 001 001 001

• Decipher
  Cipher: 110 001 001 001
  +key:   111 011 010 101
  Plain:  001 010 011 100

The ciphertext is simply the plain text added to the key, modulo 2. This is a reversible process, as seen above.

Page 22: ECE579S-Class 2_2012

One-Time Pad Ciphers

The One-Time Pad is unconditionally secure if, and only if, the keys are used only once.
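An added example, not from the slides, of the Mauborgne/Vernam addition modulo 2 from page 21 using the slide's own bit groups, together with the condition on this slide: a pad drawn from the operating system's random source (a stand-in for the physical noise sources mentioned on page 54) is used exactly once, and pad_reuse_leak shows what an eavesdropper can compute when the same pad protects two messages, because the key cancels out. Function names are mine.

```python
import secrets


def xor_bits(a: str, b: str) -> str:
    """Add two equal-length bit strings modulo 2 (bitwise XOR), as on the slide."""
    if len(a) != len(b):
        raise ValueError("plaintext and key must have the same length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


# The worked example from page 21, with the 3-bit groups joined into one string.
SLIDE_PLAIN = "001010011100"
SLIDE_KEY = "111011010101"


def vernam_encipher(plain_bits: str, key_bits: str) -> str:
    return xor_bits(plain_bits, key_bits)


def vernam_decipher(cipher_bits: str, key_bits: str) -> str:
    # Same operation: XOR is its own inverse, so the process is reversible.
    return xor_bits(cipher_bits, key_bits)


def one_time_pad(n_bits: int) -> str:
    """A pad must be truly random and at least as long as the message.
    secrets.token_bytes draws from the OS CSPRNG (constructed stand-in for
    stellar or diode noise); a pseudo-random generator would not do here."""
    n_bytes = (n_bits + 7) // 8
    raw = int.from_bytes(secrets.token_bytes(n_bytes), "big")
    return format(raw, f"0{n_bytes * 8}b")[:n_bits]


def pad_reuse_leak(cipher1: str, cipher2: str) -> str:
    """Why 'only once' matters: with one pad k on two messages,
    c1 XOR c2 = (p1 XOR k) XOR (p2 XOR k) = p1 XOR p2.
    The pad cancels and the relation between the plaintexts is exposed,
    which is the kind of error the Venona reference on page 25 is about."""
    return xor_bits(cipher1, cipher2)


if __name__ == "__main__":
    ct = vernam_encipher(SLIDE_PLAIN, SLIDE_KEY)
    print("cipher:", ct, " plain again:", vernam_decipher(ct, SLIDE_KEY))
```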

Page 23: ECE579S-Class 2_2012

OTP Remarks

Page 24: ECE579S-Class 2_2012

One Time Pad

Page 25: ECE579S-Class 2_2012

OTP Encryption

• Only ONE provably secure cryptosystem
– One-time pad
– Secure even if pad or operator captured
– BUT… errors can lead to decryption
– http://www.cia.gov/csi/books/venona/preface.htm

Page 26: ECE579S-Class 2_2012

Why Use Anything Except One-time Pads?

• Speed of encipherment
• Letters vs. numbers
• Logistics
• Usability
• Error rates

Page 27: ECE579S-Class 2_2012

How to Achieve Good Cryptography?

• Well-reviewed algorithms
– So weaknesses cannot “hide” until after implementation
• Excellent key generation & management
– To maintain secrecy of the key
• Algorithms that are sufficiently complex so as to not permit feasible exhaustive attacks

Page 28: ECE579S-Class 2_2012

Feistel Ciphers: Characteristics

• Special class of iterated block ciphers
• Ciphertext calculated from plaintext by repeated application of the same transformation or round function
• Encryption and decryption are structurally identical (subkey order reversed for decryption)
• Fast, even in software implementation
• Easily analyzed (i.e., deficiencies more readily found by analysis)

Page 29: ECE579S-Class 2_2012

Feistel Ciphers in Operation

• Plaintext split into two halves
• Round function f is applied to one half using a subkey
• Output of f is XOR’d with the other half of the plaintext
• Two halves are swapped
• Process repeated for n rounds
• No swap after last round

Page 30: ECE579S-Class 2_2012

DES: Feistel Applied

• DES: Data Encryption Standard
• Formal specification -- FIPS PUB 46-3, last affirmed 25 October 1999
  http://www.csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
• Describes two cryptographic algorithms
– DES
– TDEA (commonly referred to as 3DES)
• DES based on IBM Lucifer cipher of 1974

Page 31: ECE579S-Class 2_2012

DES Characteristics

• 64-bit block cipher
• 56-bit key, with additional 8 bits used for error checking (odd parity on each byte)
• Four operating modes (not unique to DES)
– Electronic Codebook (ECB)
– Cipher Block Chaining (CBC)
– Cipher Feedback (CFB)
– Output Feedback (OFB)

Page 32: ECE579S-Class 2_2012

Subkey Generation

• Creating the subkeys in a Feistel cipher has a major effect on the overall security of the algorithm
– Possible to create weak keys
– Changes in the subkey algorithm can result in effectively different realizations of the algorithm
• DES is based on Feistel rounds, and uses a complex method of subkey generation

Page 33: ECE579S-Class 2_2012

DES Enciphering Computation

(Diagram of the DES enciphering computation; one Feistel round is marked.)

Page 34: ECE579S-Class 2_2012

Initial Permutation

(Permutation table not reproduced.) Means the 1st bit in is the 58th bit out, etc. Read left to right, top to bottom.

Page 35: ECE579S-Class 2_2012

Cipher Function, f(Rn, Kn)

Page 36: ECE579S-Class 2_2012

How Can This Happen?

• Turn 32-bit plaintext into 48-bit output
• Add to 48-bit key
• Get 32-bit output
• Why didn’t they just use 32 bits all the way through?

Page 37: ECE579S-Class 2_2012

Details

• E-function takes the input to the Feistel round and expands it to 48 bits
• S boxes (for substitution) permute bits to produce the proper output

Page 38: ECE579S-Class 2_2012

The Last Step

• Inverse permutation (IP^-1) restores bit order after the 16 Feistel rounds
• If this were not done, the decrypted text would essentially be gibberish, although closer examination would show it to be an anagram of the input text

Page 39: ECE579S-Class 2_2012

Key Scheduling

Page 40: ECE579S-Class 2_2012

Principal Operating Modes (FIPS PUB 81)

• Electronic Code Book (ECB)
– Encrypts one block at a time with selected key
– Vulnerability: repeated plaintext can reveal key, and then all cipher blocks can be decrypted
• Cipher Block Chaining (CBC)
– Input to each block is the output of the previous block XOR’d with the next plaintext block
– Initial block XOR’d with an Initialization Vector (IV)

Page 41: ECE579S-Class 2_2012

ECB

Page 42: ECE579S-Class 2_2012

CBC

Page 43: ECE579S-Class 2_2012

Additional Modes - 1

• Cipher Feedback Mode (CFB)
– Previous ciphertext block encrypted and output XOR’d with plaintext block to produce current ciphertext block
– Can use feedback that is less than one full data block
– Initialization vector used as “seed” for the process

Page 44: ECE579S-Class 2_2012

CFB

Page 45: ECE579S-Class 2_2012

Additional Modes - 2

• Output Feedback Mode (OFB)
– Similar to CFB mode except the data XOR’d with each plaintext block is generated independently of both the plaintext and ciphertext
– Initialization vector s0 used as “seed” for a sequence of data blocks si
– Each data block si derived from encryption of the previous data block si-1
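An added example, not code from the slides or from FIPS PUB 81, of the four operating modes of pages 31 and 40 to 45. toy_encrypt_block is a constructed, insecure 64-bit block function that exists only so the modes have an invertible E_k to drive; KEY, IV and PLAINTEXT are constructed values. repeated_block_count is the check a reviewer would run on ECB output: identical plaintext blocks produce identical ciphertext blocks, which is what the chaining in CBC hides.

```python
BLOCK = 8                      # 64-bit blocks, as in DES
MASK64 = (1 << 64) - 1


def _rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (64 - r))) & MASK64


def _rotr(x: int, r: int) -> int:
    return ((x >> r) | (x << (64 - r))) & MASK64


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Constructed toy E_k (XOR, rotate, XOR, rotate, XOR). Invertible and
    deterministic, which is all the modes need. NOT a secure cipher."""
    k = int.from_bytes(key, "big")
    x = int.from_bytes(block, "big") ^ k
    x = _rotl(x, 13) ^ _rotl(k, 7)
    x = _rotl(x, 29) ^ k
    return x.to_bytes(BLOCK, "big")


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt_block: undo each step in reverse order."""
    k = int.from_bytes(key, "big")
    x = int.from_bytes(block, "big") ^ k
    x = _rotr(x, 29) ^ _rotl(k, 7)
    x = _rotr(x, 13) ^ k
    return x.to_bytes(BLOCK, "big")


def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("this example handles whole blocks only (no padding)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ECB: every block enciphered independently with the selected key
def ecb_encrypt(key, pt):
    return b"".join(toy_encrypt_block(key, p) for p in _blocks(pt))


def ecb_decrypt(key, ct):
    return b"".join(toy_decrypt_block(key, c) for c in _blocks(ct))


# CBC: C_i = E(P_i XOR C_{i-1}), with C_0 = IV
def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in _blocks(pt):
        prev = toy_encrypt_block(key, xor_bytes(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(xor_bytes(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


# CFB: C_i = P_i XOR E(C_{i-1}); note that decryption also runs E, never D
def cfb_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in _blocks(pt):
        prev = xor_bytes(p, toy_encrypt_block(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(xor_bytes(c, toy_encrypt_block(key, prev)))
        prev = c
    return b"".join(out)


# OFB: s_i = E(s_{i-1}) with s_0 = IV; the keystream never depends on the
# data, so one function both encrypts and decrypts
def ofb_crypt(key, iv, data):
    out, s = [], iv
    for d in _blocks(data):
        s = toy_encrypt_block(key, s)
        out.append(xor_bytes(d, s))
    return b"".join(out)


def repeated_block_count(ct: bytes) -> int:
    """Reviewer's check: duplicate ciphertext blocks betray repeated plaintext."""
    blocks = _blocks(ct)
    return len(blocks) - len(set(blocks))


# Constructed sample inputs
KEY = bytes.fromhex("0123456789abcdef")
IV = bytes(range(BLOCK))
PLAINTEXT = b"SAME BLK" * 4        # four identical 8-byte blocks

if __name__ == "__main__":
    print("ECB duplicate blocks:", repeated_block_count(ecb_encrypt(KEY, PLAINTEXT)))
    print("CBC duplicate blocks:", repeated_block_count(cbc_encrypt(KEY, IV, PLAINTEXT)))
```

CFB and OFB only ever call the encrypt direction of the block function, which is why they can be used with feedback units smaller than a block, as page 43 notes; ECB and CBC need the inverse block function to decrypt.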

Page 46: ECE579S-Class 2_2012

OFB

Page 47: ECE579S-Class 2_2012

Importance of DES

• Ubiquitous, U.S. federal standard
• When standardized, 56-bit key made cipher computationally secure
– This is no longer the case
– DES has been broken using brute force attacks in hours, using desktop PCs
• Immediate fix: Triple Data Encryption Algorithm (also called Triple DES, 3DES)

Page 48: ECE579S-Class 2_2012

TDEA

(Diagram of TDEA encryption and decryption with three keys.)

Page 49: ECE579S-Class 2_2012

TDEA Realities

• Two keying options
– Three separate keys (as shown on previous slide)
– Two keys; EK1 = EK3
– Resultant key lengths of 168 or 112 bits
• For mathematical reasons we won’t go into here, 3-key TDEA is only about twice as secure as DES, not 3 times as secure
• Implemented in hardware, 3-key TDEA can achieve throughputs approaching 1 Gbps

Page 50: ECE579S-Class 2_2012

TDEA Advantages

• Thoroughly analyzed, unlikely to have any hidden vulnerabilities
• Much less vulnerable to brute force attack than DES
• Can be implemented in silicon, with very fast throughput

Page 51: ECE579S-Class 2_2012

TDEA Disadvantages

• Algorithm produces slow software implementations
• Still limited to 64-bit block size
• Trebles the key distribution problem of DES

Page 52: ECE579S-Class 2_2012

DES Decryption

• As DES is a Feistel cipher, decryption uses the same engine as does encryption
• For decryption:
– The DES engine is precisely the same as the encryption engine -- it is not run in reverse (e.g., with the input coming in the “bottom”)
– Instead, the key schedule is run in reverse; i.e., the first subkey used is K16, then K15, etc., finishing with K1
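An added example, not the slides' or the DES specification's code, of the Feistel engine described on page 29 and the decryption rule on this slide: the same engine, run forward, with only the subkey order reversed. round_function and key_schedule are constructed toys standing in for the DES f-function and key schedule (any f works, since a Feistel network never inverts it); the 64-bit block, the 16 rounds and the subkey numbering K1..K16 follow the slides.

```python
import hashlib

ROUNDS = 16
HALF = 4                      # bytes per half of the 64-bit block


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(right: bytes, subkey: bytes) -> bytes:
    """Constructed toy f(R_n, K_n): a keyed hash truncated to one half-block.
    It stands in for DES's E-expansion / S-box / P-box chain. It need not be
    invertible, because the Feistel structure never inverts f."""
    return hashlib.sha256(subkey + right).digest()[:HALF]


def key_schedule(key: bytes) -> list:
    """Constructed toy schedule producing K1..K16 in order (DES derives them
    with shifts and the PC-2 selection instead)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF]
            for i in range(1, ROUNDS + 1)]


def feistel_engine(block: bytes, subkeys: list) -> bytes:
    """The single engine used in both directions. Each round:
    L_i = R_{i-1},  R_i = L_{i-1} XOR f(R_{i-1}, K_i)
    i.e. apply f to one half with the subkey, XOR the result into the other
    half, then swap. The final swap is undone ("no swap after last round")."""
    if len(block) != 2 * HALF:
        raise ValueError("block must be 64 bits")
    left, right = block[:HALF], block[HALF:]
    for subkey in subkeys:
        left, right = right, xor_bytes(left, round_function(right, subkey))
    return right + left


def encrypt(block: bytes, key: bytes) -> bytes:
    return feistel_engine(block, key_schedule(key))          # K1 ... K16


def decrypt(block: bytes, key: bytes) -> bytes:
    # Not run backwards: the same engine, fed the subkeys as K16 ... K1.
    return feistel_engine(block, key_schedule(key)[::-1])


if __name__ == "__main__":
    key, pt = b"8bytekey", b"FEISTEL!"
    ct = encrypt(pt, key)
    print(ct.hex(), decrypt(ct, key))
```

Tracing one round backwards shows why reversing the subkeys is enough: the engine's output is R_n || L_n, so the first decryption round sees R_n as its left half and, using K_n, recomputes f(R_{n-1}, K_n) from the half it has, cancelling the XOR of the last encryption round.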

Page 53: ECE579S-Class 2_2012

DES Mathematics

• Only two functions used
– XOR
– Data permutation or shifting
• At the heart of the DES engine, inside the f-box, is a Vernam cipher machine!
• Vernam, by itself, is insecure. Why, then, is DES secure?

Page 54: ECE579S-Class 2_2012

Symmetric Crypto Keys

• Ideally, are purely random numbers
• This is possible because:
– The keys are prepositioned at each end
– Random numbers can be generated by capturing stellar noise, diode shot noise, etc.
– The parties need only agree on where in the key stream to start
– The key does not have to obey any mathematical function other than randomness
• Many implementations use pseudo-random numbers, which are not truly random

Page 55: ECE579S-Class 2_2012

AES: The Next Generation

• Advanced Encryption Standard (FIPS PUB 197)
– Established to counter weaknesses of DES
– Adopted as U. S. standard November 26, 2001
– Became effective May 26, 2002
– Based on Rijndael algorithm
• Joan Daemen and Vincent Rijmen, Belgians, authors
– Key lengths of 128, 192, and 256 bits
– Block size of 128 bits

Page 56: ECE579S-Class 2_2012

Why a New Crypto Standard?

• DES now vulnerable to brute force key search
• 3DES still viable option, but key management a problem
• Implementation speeds in software disappointing
• Need to have national crypto standard even more critical than in the 1970’s

Page 57: ECE579S-Class 2_2012

Basic Facts about AES

• Successor to DES
• AES selection process was administered by NIST
• Unlike DES, the AES selection was an open (i.e., public) process
• Likely to be the dominant secret-key algorithm in the next decade
• Main AES requirements by NIST:
– Block cipher with 128 I/O bits
– Three key lengths must be supported: 128/192/256 bits
– Security relative to other submitted algorithms
– Efficient software and hardware implementations

Page 58: ECE579S-Class 2_2012

Chronology of the AES Process

• Development announced on January 2, 1997 by the National Institute of Standards and Technology (NIST)
• 15 candidate algorithms accepted on August 20th, 1998
• 5 finalists announced August 9th, 1999
– Mars, IBM Corporation
– RC6, RSA Laboratories
– Rijndael, J. Daemen & V. Rijmen
– Serpent, Eli Biham et al.
– Twofish, B. Schneier et al.
• October 2nd, 2000, NIST chooses Rijndael as the AES

Page 59: ECE579S-Class 2_2012

Rijndael Structure

• Rijndael is not a Feistel cipher; rather, it uses substitution boxes
• “...typically part of the bits of the intermediate state are simply transposed unchanged to another position”
• “...[each] round transformation is composed of three distinct invertible uniform transformations”

Page 60: ECE579S-Class 2_2012

Comparison of Contenders

Page 61: ECE579S-Class 2_2012

Rijndael Overview

Page 62: ECE579S-Class 2_2012

Block Size/Key Length

• Both block size and key length of Rijndael are variable. Sizes shown below are the ones required by the AES Standard. The number of rounds (or iterations) is a function of the key length:

(Table of block sizes, key lengths and round counts not reproduced.)

Page 63: ECE579S-Class 2_2012

Rijndael vs. AES

• AES utilizes a subset of Rijndael capabilities
• Rijndael allows block sizes of 192 and 256 bits, but AES does not permit these larger block sizes
• If larger block sizes are used, the number of rounds must be increased
• So, AES is Rijndael, but Rijndael is not always AES

Page 64: ECE579S-Class 2_2012

Important

• Rijndael does not have a Feistel structure
• Feistel networks do not encrypt an entire block per iteration (e.g., in DES, 64/2 = 32 bits are encrypted in one iteration)
• Rijndael encrypts all 128 bits in one iteration. As a consequence, Rijndael has a comparably small number of rounds

Page 65: ECE579S-Class 2_2012

Rijndael Structure

• Rijndael is a substitution-permutation network
• Rijndael uses three different types of layers
• Each layer operates on all 128 bits of a block

Page 66: ECE579S-Class 2_2012

Rijndael Layers

• Key Addition Layer: XORing of subkey.
• Byte Substitution Layer: 8-by-8 S-Box substitution.
• Diffusion Layer: provides diffusion over all 128 (or 192 or 256) block bits. It is split in two sub-layers:
– ShiftRow Layer
– MixColumn Layer

Page 67: ECE579S-Class 2_2012

Rijndael Block Diagram (encryption)

Page 68: ECE579S-Class 2_2012

Operations

• ByteSubstitution Layer introduces confusion with a non-linear operation.
• ShiftRow and MixColumn stages form a linear Diffusion Layer

Page 69: ECE579S-Class 2_2012

A Walk Through Rijndael

• One must be very careful when using Wikipedia references. However, this one has been vetted and is accurate as of today:
• http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
• We’ll look at the description of how Rijndael works in some detail

Page 70: ECE579S-Class 2_2012

Affine Transformation

• Mapping between two vector spaces consisting of a linear transformation followed by a translation: x -> Ax + b
• Preserves:
– Collinearity between points, i.e., three points which lie on a line continue to be collinear after the transformation
– Ratios of distances along a line

Page 71: ECE579S-Class 2_2012

Another View of Byte Substitution

• Splits the incoming 128 bits into 128/8 = 16 bytes.
• Each byte A is considered an element of GF(2^8) and undergoes the following substitution individually:

B = A^-1 ∈ GF(2^8), where P(x) = x^8 + x^4 + x^3 + x + 1

Page 72: ECE579S-Class 2_2012

Byte Substitution Affine Transformation

Page 73: ECE579S-Class 2_2012

All About C

• The vector C = (c7 ··· c0) (representing the field element c7 x^7 + ··· + c1 x + c0) is the result of the substitution: C = ByteSub(A)
• The entire substitution can be realized as a look-up in a 256x8-bit table with fixed entries
• Unlike DES, Rijndael applies the same S-Box to each byte

Page 74: ECE579S-Class 2_2012

Diffusion Layer

• Unlike the non-linear substitution layer, the diffusion layer performs a linear operation on input words A, B. That means: DIFF(A) + DIFF(B) = DIFF(A + B)
• The diffusion layer consists of two sublayers:
– ShiftRow SubLayer
– MixColumn SubLayer

Page 75: ECE579S-Class 2_2012

ShiftRow SubLayer - 1

• Write an input word A as 128/8 = 16 bytes and order them in a square array:
• Input A = (a0, a1, …, a15)

(Array layout not reproduced.)

Page 76: ECE579S-Class 2_2012

ShiftRow SubLayer – 2

• Shift cyclically row-wise as follows:

(Shift diagram not reproduced.)

Page 77: ECE579S-Class 2_2012

MixColumn SubLayer

• Principle: each column of 4 bytes is individually transformed into another column
• How? Each 4-byte column is considered as a vector and multiplied by a 4x4 matrix. The matrix contains constant entries. Multiplication and addition of the coefficients is done in GF(2^8)
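An added example, not code from the slides or from FIPS PUB 197, that computes the Rijndael byte substitution of pages 71 and 73 (inverse in GF(2^8) under P(x) = x^8 + x^4 + x^3 + x + 1, followed by the affine transformation) and builds the 256-entry table page 73 describes, then applies the MixColumn matrix of this slide to one column and checks the linearity property DIFF(A) + DIFF(B) = DIFF(A + B) from page 74. The test column and the columns used for the linearity check are constructed values; gf_mul and the other helper names are my own.

```python
AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the P(x) of page 71


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8): shift-and-add, reducing by P(x) whenever bit 8 is set."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return result & 0xFF


def gf_inverse(a: int) -> int:
    """A^-1 in GF(2^8). The non-zero elements form a group of order 255, so
    a^254 = a^-1 (square-and-multiply). Zero has no inverse and maps to zero."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result if a else 0


def affine_transform(a: int) -> int:
    """The affine map over GF(2) from page 70 applied to one byte:
    b_i = a_i + a_(i+4) + a_(i+5) + a_(i+6) + a_(i+7) + c_i
    (indices mod 8, addition is XOR), translation constant c = 0x63."""
    b = 0
    for i in range(8):
        bit = 0
        for shift in (0, 4, 5, 6, 7):
            bit ^= (a >> ((i + shift) % 8)) & 1
        b |= bit << i
    return b ^ 0x63


def byte_sub(a: int) -> int:
    """C = ByteSub(A): invert in the field, then apply the affine transformation."""
    return affine_transform(gf_inverse(a))


# The whole substitution realised as a fixed 256-entry table (page 73)
SBOX = [byte_sub(a) for a in range(256)]

# Constant MixColumn matrix; entries are field elements 01, 02, 03
MIX_MATRIX = [[2, 3, 1, 1],
              [1, 2, 3, 1],
              [1, 1, 2, 3],
              [3, 1, 1, 2]]


def mix_column(column: list) -> list:
    """Multiply one 4-byte column by MIX_MATRIX; all arithmetic in GF(2^8)."""
    out = []
    for row in MIX_MATRIX:
        acc = 0
        for coeff, byte in zip(row, column):
            acc ^= gf_mul(coeff, byte)      # field addition is XOR
        out.append(acc)
    return out


def xor_columns(a: list, b: list) -> list:
    return [x ^ y for x, y in zip(a, b)]


def mix_column_is_linear(col_a: list, col_b: list) -> bool:
    """Page 74's property DIFF(A) + DIFF(B) = DIFF(A + B), checked on one pair."""
    lhs = xor_columns(mix_column(col_a), mix_column(col_b))
    return lhs == mix_column(xor_columns(col_a, col_b))


if __name__ == "__main__":
    print("S-box row 0:", " ".join(f"{v:02x}" for v in SBOX[:16]))
    print("MixColumn(db 13 53 45) =", [f"{v:02x}" for v in mix_column([0xDB, 0x13, 0x53, 0x45])])
```

The contrast the slides draw is visible in the code: byte_sub is the only non-linear step (inversion in the field does not distribute over XOR), whereas mix_column is a matrix product and so satisfies the linearity check for every pair of columns, not just the one tested.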

Page 78: ECE579S-Class 2_2012

MixColumn SubLayer Matrices

Page 79: ECE579S-Class 2_2012

Rijndael Keys

• Analogous to DES, the key provided with AES is a seed key, which is processed within the system to produce round keys
• The procedure to generate separate round keys from the seed key is known as the Rijndael key schedule

Page 80: ECE579S-Class 2_2012

Key Addition Layer

• Simple bitwise XOR with a 128-bit subkey
• AES (Rijndael) uses a key schedule to expand a short key into a number of separate round keys. This is known as the Rijndael key schedule.
• http://en.wikipedia.org/wiki/Rijndael_key_schedule

Page 81: ECE579S-Class 2_2012

Rijndael Thoughts

• FIPS PUB 197 is the official standard
• Based on what you have seen of how encryption proceeds, can decryption proceed in the same way as for DES?

Page 82: ECE579S-Class 2_2012

Rijndael Block Diagram (decryption)

Page 83: ECE579S-Class 2_2012

Rijndael Decryption

• Unlike DES and other Feistel ciphers, all of the Rijndael layers must actually be inverted
• How can this be accomplished?

Page 84: ECE579S-Class 2_2012

AES’ Future

• Clearly intended to replace DES & TDEA
• Designed for efficient software implementation
• Not yet as thoroughly analyzed as DES
• Many implementations on the market

Page 85: ECE579S-Class 2_2012

Breaking Symmetric Ciphers

• Brute force
– Inelegant, but effective if enough computing power can be brought to bear
– If cipher is complex enough, this doesn’t work in a timely fashion
– Brute force always works in the long run
  • But in the long run, we are all dead
• Exploit errors
– Same message enciphered in two codes
– Plaintext attack
– Exploit operator errors

Page 86: ECE579S-Class 2_2012

Brute Force Attacks on Symmetric Cryptosystems

Assume a number N, having L decimal digits (N ≈ 10^L).

Now posit a computer capable of 10^10 divisions/second.

The computer can factor any N, using the trial division method, in approximately N^0.5 / 10^10 seconds.

If N has 100 digits, this process will require approximately 10^40 seconds.

However, the currently estimated age of the Universe is only approximately 3.8 x 10^17 seconds!

Page 87: ECE579S-Class 2_2012

Key Types

• Permanent
– Used for a fixed, prearranged period of time
– Typically used for applications such as key distribution, government communications, etc.
• Session
– Valid only for current communications session
– Destroyed after session terminates

Page 88: ECE579S-Class 2_2012

Key Distribution Problem

• Secret keys must be prepositioned at all locations before secure communications can occur.
– Which requires that the network topology must be known a priori
• How to do this?
– Secure physical transport
– Secure electronic transport
• The search for a way to accomplish this led to the development of public key cryptography, which we will look at next

Page 89: ECE579S-Class 2_2012

Asymmetric Cryptography Primer

Page 90: ECE579S-Class 2_2012

Asymmetric Ciphers

• Also known as public key cryptography
• Until Diffie-Hellman in 1976, this concept was heretical. It is still counterintuitive.
• Key has two parts
– Public: everybody knows or can know
– Private: only holder knows
• Based on large prime numbers

Page 91: ECE579S-Class 2_2012

Asymmetric Cryptography

(Diagram: Alice encrypts Alice’s message with Bob’s public key; Bob decrypts it with Bob’s private key.)

Page 92: ECE579S-Class 2_2012

Curious Public Key Properties

• The encryption function is one-way
• The encryption process is fungible
– Can encrypt with public key and decrypt with private key, and vice versa
• So what?
– How about using this approach to sign documents?
– Can a signed document be used for authentication?

Page 93: ECE579S-Class 2_2012

The Original Goal

• Diffie and Hellman did not set out to invent a new kind of cryptography
• The goal was to find a way to establish symmetrical session keys without prior placement of the keys by some other means
– i.e., to solve the key distribution problem
• This is still the primary use of the D-H exchange

Page 94: ECE579S-Class 2_2012

But then...

• Diffie-Hellman key exchanges proved immensely useful
• Others found that there are other uses for this general crypto principle, and algorithms were developed for encrypting data
– RSA
– El Gamal
– etc.

Page 95: ECE579S-Class 2_2012

Something Different

• Clearly, asymmetric crypto differs in a basic way from symmetric crypto
– The keys are mathematically related, and cannot be purely random numbers
– The algorithms are quite different from the universe of Feistel ciphers and S-boxes
• Is this a replacement for symmetric crypto, or a complement to it?

Page 96: ECE579S-Class 2_2012

Asymmetric Crypto Properties

• The encryption function is one-way
• The encryption process is fungible
– Can encrypt with public key and decrypt with private key, and vice versa
• So what?
– Could this approach be used to sign documents?
– Can a signed document be used for authentication?

Page 97: ECE579S-Class 2_2012

How Does It Work?

• Asymmetric cryptography is based on modulus arithmetic
• Modulus arithmetic makes it computationally infeasible to recover the number whose modulus is stated, provided certain conditions are met
• You can cheat: the Windows calculator has a modulus arithmetic mode

Page 98: ECE579S-Class 2_2012

Diffie-Hellman Key Exchange - 1

• Alice and Bob agree on a large prime n and a number g, where g is primitive mod n. These need not be kept secret
• Alice chooses a large random integer x and sends to Bob: X = g^x mod n
• Bob chooses a large random integer y and sends to Alice: Y = g^y mod n
• NB: x and y are never transmitted

Page 99: ECE579S-Class 2_2012

Diffie-Hellman Key Exchange - 2

• Alice computes k = Y^x mod n
• Bob computes k’ = X^y mod n
• But k = k’ = g^(xy) mod n
• Therefore, Bob and Alice now have a secret key, k, that they can share for confidential communications
• Eavesdroppers know only n, g, X, and Y, not x or y, which are required to compute k

Page 100: ECE579S-Class 2_2012

Diffie-Hellman Security

• D-H security depends on the difficulty of factoring large numbers (size of n)
• It is computationally infeasible to recover x and y from the data known to an eavesdropper by any means other than exhaustive key search
• Caveats
– n must be large
– (n-1)/2 should also be prime
– g can be small -- even one digit
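An added example (not code from the slides) of the exchange on pages 98 and 99, with the checks from this slide's caveats applied before the parameters are used: n prime with (n-1)/2 also prime, and g primitive mod n. The small parameters n = 23, g = 5 and the exponents 6 and 15 are constructed for readability; as the slide says, a real n must be large, and the brute-force primitive-root test here is only practical for small n. Function names are my own.

```python
import secrets


def is_prime(n: int) -> bool:
    """Trial division; adequate for the small teaching values used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def is_safe_prime(n: int) -> bool:
    """Slide caveat: n prime and (n-1)/2 also prime."""
    return is_prime(n) and is_prime((n - 1) // 2)


def is_primitive_root(g: int, n: int) -> bool:
    """g is primitive mod n when its powers run through every value 1..n-1.
    Brute force over all exponents, so only usable for small n."""
    return is_prime(n) and len({pow(g, k, n) for k in range(1, n)}) == n - 1


def dh_exchange(n: int, g: int, x: int, y: int):
    """One exchange. Only X and Y cross the channel; x and y never do."""
    X = pow(g, x, n)          # Alice -> Bob:  X = g^x mod n
    Y = pow(g, y, n)          # Bob -> Alice:  Y = g^y mod n
    k_alice = pow(Y, x, n)    # Alice: k  = Y^x mod n
    k_bob = pow(X, y, n)      # Bob:   k' = X^y mod n
    return X, Y, k_alice, k_bob   # k == k' == g^(xy) mod n


def random_exponent(n: int) -> int:
    """A secret exponent in [2, n-2], drawn from the OS random source."""
    return 2 + secrets.randbelow(n - 3)


def setup_and_exchange(n: int, g: int) -> int:
    """Apply the caveats, then run the exchange with fresh random exponents."""
    if not is_safe_prime(n):
        raise ValueError("n must be prime with (n-1)/2 prime")
    if not is_primitive_root(g, n):
        raise ValueError("g must be primitive mod n")
    x, y = random_exponent(n), random_exponent(n)
    X, Y, k_alice, k_bob = dh_exchange(n, g, x, y)
    assert k_alice == k_bob
    return k_alice


if __name__ == "__main__":
    X, Y, k, k2 = dh_exchange(23, 5, 6, 15)
    print("public X, Y:", X, Y, " shared k, k':", k, k2)
```

Everything an eavesdropper sees is the tuple (n, g, X, Y); the keys both parties derive are equal because (g^y)^x = (g^x)^y = g^(xy) mod n, which is the identity on page 99.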

Page 101: ECE579S-Class 2_2012

Diffie-Hellman Drawbacks

• Slow!
– Computationally intensive
– Requires several communications exchanges
• Example:
– Using D-H to set up a session key in a cellular telephone could take nearly one minute!
• So, other key exchange protocols have been established that are more efficient

Page 102: ECE579S-Class 2_2012

Asymmetric Crypto Uses?

• Only good for key exchange?
• As it turns out, NO
– Other algorithms useful for providing data secrecy, like symmetric cryptography
– Can be used to provide
  • confidentiality
  • integrity
  • authenticity

Page 103: ECE579S-Class 2_2012

ECE579S/2 #103WPI

RSA Encryption Algorithm

• Ron Rivest, Adi Shamir, Len Adelman– First published 1978, from MIT– Block cipher, asymmetric key– Plain and cipher texts are integers between 0 and n-1,

for some n that is part of the keys• Like all asymmetric key systems, RSA depends

for security on the difficulty of factoring large numbers– There is a problem here

Page 104: ECE579S-Class 2_2012

RSA Mechanics

• C = ciphertext
  – C = M^e mod n
• M = plaintext
  – M = C^d mod n = (M^e)^d mod n = M^(ed) mod n
• Both parties know n, e
• Only the receiving party knows d

Page 105: ECE579S-Class 2_2012

Therefore...

• Public key: KU = {e, n}
• Private key: KR = {d, n}
• Requirements for this to work:
  – e, d, n exist such that M^(ed) = M mod n for all M < n
  – Easy to calculate M^e and C for M < n
  – Infeasible to calculate d given e, n
• Computationally secure if e, n sufficiently large

Page 106: ECE579S-Class 2_2012

Important Definitions

• Euler's totient function, φ(n)
  – Defined as the number of positive integers < n and relatively prime to n
  – Can show that if n = pq, p, q prime, φ(n) = (p-1)(q-1)
• Relatively prime numbers
  – a and b (integers) are relatively prime if they have no prime factors in common
    • i.e. the only common factor is unity

Page 107: ECE579S-Class 2_2012

RSA Example

• Select two primes: p = 7, q = 17
• Calculate n = pq = 7 x 17 = 119
• Calculate φ(n) = (p-1)(q-1) = 6 x 16 = 96
• Select e relatively prime to & less than φ(n)
  – In this example e = 5
• Calculate d = e^-1 mod φ(n) = 77
• KU = {5, 119} (public key), KR = {77, 119} (private key)

This bit is perhaps unclear

Page 108: ECE579S-Class 2_2012

Another View

• d = e^-1 mod φ(n) looks difficult, as e^-1 < 1
• Multiply both sides by e, which gives de = 1 mod φ(n), where φ(n) = 96 in this case
• e has been selected as being 5, therefore we must now find the value for d that satisfies the above equation
• 77 is that value, as 5 x 77 = 1 mod 96
  – 77 x 5 = 385 = 4 x 96 + 1

Page 109: ECE579S-Class 2_2012

RSA Encrypt/Decrypt

• Using KU, KR we have calculated, let M = 19 (plaintext)
  – KU = {5, 119} (public key: e, n)
  – KR = {77, 119} (private key: d, n)
• Encryption:
  – M^e mod n = 19^5 mod 119 = 66 = C (ciphertext)
• Decryption:
  – C^d mod n = 66^77 mod 119 = 19 = M (plaintext)
• Q.E.D.
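An added example (not from the lecture slides) that carries the RSA mechanics, key setup and worked numbers of the preceding slides through in code: p = 7, q = 17, e = 5, M = 19. It also checks the requirement that M^(ed) = M mod n for every M < n, and shows why n must be large: once n is factored, d follows at once. Real moduli are at least 2048 bits and real systems add padding; this is the textbook arithmetic only.

```python
# Added example (not from the lecture slides): textbook RSA with the
# slides' toy parameters. Function names are this example's own.
from math import gcd

def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Return (KU, KR) = ((e, n), (d, n)) in the slides' notation."""
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient phi(n) for n = pq
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)              # d = e^-1 mod phi(n), i.e. d*e = 1 mod phi(n)
    return (e, n), (d, n)

def rsa_encrypt(m: int, ku: tuple) -> int:
    e, n = ku
    return pow(m, e, n)              # C = M^e mod n

def rsa_decrypt(c: int, kr: tuple) -> int:
    d, n = kr
    return pow(c, d, n)              # M = C^d mod n

def round_trips_for_all(ku: tuple, kr: tuple) -> bool:
    """Slide requirement: M^(ed) = M mod n for every M < n."""
    _, n = ku
    return all(rsa_decrypt(rsa_encrypt(m, ku), kr) == m for m in range(n))

def recover_d_by_factoring(ku: tuple) -> int:
    """The 'easy if p and q are known' case: trial-divide the toy n,
    rebuild phi(n) and hence d. Infeasible once n is large enough."""
    e, n = ku
    p = next(f for f in range(2, n) if n % f == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    ku, kr = rsa_keygen(7, 17, 5)
    print(ku, kr)                         # (5, 119) (77, 119)
    c = rsa_encrypt(19, ku)
    print(c, rsa_decrypt(c, kr))          # 66 19
    print(round_trips_for_all(ku, kr))    # True
    print(recover_d_by_factoring(ku))     # 77
```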

Page 110: ECE579S-Class 2_2012

RSA Importance

• Together with Diffie-Hellman, RSA is the most widely used asymmetric key algorithm

• RSA was patented by its inventors, but the patents expired in 2000

• RSA is now freely usable by anyone, and is widely incorporated into common products, such as web browsers, VPN devices, etc.

Page 111: ECE579S-Class 2_2012

Breaking RSA

• Discover the private key, d
  – Easy to do if p and q, factors of n, are known
  – Hard part is factoring n
  – Factoring 200-digit n has been done
• Find eth roots mod n
  – Not known to be equivalent to factoring
  – No general methods known
• Brute force key search

Page 112: ECE579S-Class 2_2012

Practical RSA Security

• Choose a sufficiently large n
  – 200 digits ≈ 663 bits, which has been factored
    • 9 May 2005, Jens Franke, et al., Univ. of Bonn
  – So, choose n > 1000 bits (1024, 2048, 4096)
  – Evaluate how long security is required, as longer keys require more computation, and are therefore slower to encrypt/decrypt
• Guard the private key carefully!

Page 113: ECE579S-Class 2_2012

Why Do We Want to Do This?

• Symmetric cryptography is fast
• Asymmetric cryptography is slow
  – As much as 1000X slower than symmetric
• Therefore, we want to use the slow asymmetric crypto -- which does not require prepositioning of keys -- to create and/or exchange symmetric session keys so that data can be exchanged quickly

Page 114: ECE579S-Class 2_2012

Crypto Summary

• Both symmetric and asymmetric crypto have their uses in communications

• Symmetric keys can be purely random, but asymmetric keys are mathematically related

• Symmetric crypto is much faster than asymmetric, which leads to combining the types in practical applications

Page 115: ECE579S-Class 2_2012

Cryptosystems Compared

• Symmetric key
  – Same key both ends
  – Key management a problem; requires secure side channel
  – Fast
  – Message length < key length
• Asymmetric key
  – Two keys
    • Public key, known to all
    • Private key, known to owner alone
  – Key management less of a problem
  – Computationally intensive, so it is slow

Page 116: ECE579S-Class 2_2012

Hashing: the Final Tool

• Encryption seeks to obscure plaintext with a key, so that the plaintext can be recovered

• Hash functions produce fixed-length output given variable-length input, such that the hash output will change substantially if even a single bit of the input is changed
  – Similar to checksum or CRC for data integrity
  – Depends on hash function being one-way

Page 117: ECE579S-Class 2_2012

Hash Function Uses / Benefits

• Verify the integrity of a block of data
  – e.g. a message
• Faster to compute than encrypted version of input
• Always produces an output of known and fixed length
  – Useful in many applications

Page 118: ECE579S-Class 2_2012

Hash Function Requirements

• Hash value h = H(x), where H is the hash function of some input x
  – Input x can be of any length
  – Output H(x) has fixed length
  – H(x) relatively easy to compute for any x
  – H(x) is one-way
  – H(x) is collision-free

Page 119: ECE579S-Class 2_2012

Hashing Terms

• One way
  – H(x) is one way if it is computationally infeasible to find x such that H(x) = h
  – i.e. H(x) is hard to invert
• Collisions
  – weakly collision-free: given x, computationally infeasible to find y ≠ x such that H(x) = H(y)
  – strongly collision-free: computationally infeasible to find any two messages x and y such that H(x) = H(y)

Page 120: ECE579S-Class 2_2012

Hash Function Example

Source: RSA Laboratories, Inc.

Page 121: ECE579S-Class 2_2012

Common Hash Functions

Algorithm        MD2        MD4        MD5        SHA-1
Output length    128 bits   128 bits   128 bits   160 bits
Block size       128 bits   512 bits   512 bits   512 bits
Specification    RFC 1319   RFC 1320   RFC 1321   FIPS 180-1

Page 122: ECE579S-Class 2_2012

Types of Hash

• "Standard"
  – Message is input to the hash function
  – Hash calculated according to the standard
  – Same message always produces same hash
• Keyed, or secure, hash
  – Message is one input to the hash function
  – Secret key is another input
  – Output depends on both key and message
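An added example (not from the lecture slides) that checks the hash properties listed on the preceding slides with Python's hashlib and hmac: the fixed output lengths from the table (MD5 128 bits, SHA-1 160 bits), the change in output when one input bit changes, and a keyed hash whose output depends on both key and message. HMAC-SHA256 stands in for the generic "keyed hash"; the message and key are constructed sample values.

```python
# Added example (not from the lecture slides): hash properties checked with
# the standard library. Sample message and key are constructed values.
import hashlib
import hmac

def output_bits(name: str) -> int:
    """Output length is fixed by the algorithm, whatever the input length."""
    return hashlib.new(name, b"").digest_size * 8

def flip_bit(data: bytes, bit: int) -> bytes:
    """Return data with a single bit inverted."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def avalanche(name: str, msg: bytes, bit: int) -> int:
    """How many output bits change when one input bit changes.
    For a sound hash this is close to half the output length."""
    h1 = hashlib.new(name, msg).digest()
    h2 = hashlib.new(name, flip_bit(msg, bit)).digest()
    return differing_bits(h1, h2)

def keyed_hash(key: bytes, msg: bytes) -> bytes:
    """Keyed ('secure') hash: output depends on both key and message."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Integrity check on a received message; compare_digest is constant-time."""
    return hmac.compare_digest(keyed_hash(key, msg), tag)

if __name__ == "__main__":
    msg = b"Transfer 100 to Bob"                     # constructed sample
    key = b"constructed-demo-key"
    print(output_bits("md5"), output_bits("sha1"))   # 128 160
    print(avalanche("sha256", msg, 0))               # roughly 128 of 256 bits
    tag = keyed_hash(key, msg)
    print(verify(key, msg, tag))                     # True
    print(verify(key, b"Transfer 900 to Bob", tag))  # False: message changed
    print(verify(b"other-key", msg, tag))            # False: key changed
```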

Page 123: ECE579S-Class 2_2012

Broken Hashes

• CRYPTO 2004 conference announced collisions in MD5 and other hash functions
• Impact is that two messages can be found that produce the same hash, although the hash cannot be chosen in advance
  – If a hash collision on two different messages is known, one could generate a signature for the first message but later claim the second message was the one signed. This is a repudiation attack.
  – If a hash collision on two different messages is known, the victim could sign one message; the signature would also be valid for the second message, which the victim did not intend to sign. This is a chosen-message forgery.

Page 124: ECE579S-Class 2_2012

Impact?

• Broken hashes should be used with great caution in signatures

• MD4 & MD5 are the most commonly used hashes for which collisions have been found to date

• Further progress in finding collisions could lead to serious problems in the digital signature area

• US Government now required to use new SHA series hashes with lengths of 256 and more bits (called SHA-256, SHA-384, etc.)

Page 125: ECE579S-Class 2_2012

So What?

• Hash functions can be used to provide
  – Fast integrity check on data
• Asymmetric key cryptography can provide
  – Session key negotiation
  – User authentication (with some help)

• We now have all the cryptographic tools needed to provide confidentiality, integrity, and authentication

Page 126: ECE579S-Class 2_2012

Homework

• Read Bosworth, Chapter 7, if you haven't done so already
• Prove that decryption in a Feistel cipher can be done by applying the encryption algorithm to the ciphertext, with the key schedule reversed. Note: a demonstration is NOT a proof.
• Suppose a sequence of plaintext blocks, x1 … xn, yields the ciphertext sequence y1 … yn. Suppose that one ciphertext block, say yi, is transmitted incorrectly. Show that the number of plaintext blocks that will be decrypted incorrectly is equal to one in ECB or OFB modes, and equal to two if CBC or CFB modes are used.
