PUBLIC-KEY CRYPTOGRAPHY AND RSA – Chapter 9
Jan 21, 2016
• Principles: Applications, Requirements
• RSA Algorithm: Description, Security
PUBLIC-KEY CRYPTOGRAPHY (PKC) – A New Idea
Historically – Symmetric-Key (one key): substitution (confusion), permutation (diffusion)
More Recently – Asymmetric-Key (two keys)
MISCONCEPTIONS: PKC vs Symmetric Encryption
• PKC is more secure than symmetric encryption – WRONG!!
• PKC is more useful than symmetric encryption – WRONG!! PKC is costly
• PKC doesn’t need a complicated protocol – WRONG!!
PKC – USES
• Key Management
• Signature
PKC – SIX INGREDIENTS
• Plaintext – input to the encryption algorithm, output from the decryption algorithm
• Encryption Algorithm – acts on the plaintext, controlled by the public or private key
• Public and Private Key – one for encryption, one for decryption
• Ciphertext – output from the encryption algorithm, input to the decryption algorithm
• Decryption Algorithm – acts on the ciphertext, controlled by the public or private key
PKC – STEPS
1. Each user generates two related keys – PUBLIC and PRIVATE
2. Each user makes the public key PUBLIC, keeps the private key PRIVATE, and can access ALL public keys
3. BOB: Encr(plaintext, PUBLIC_Alice) → ciphertext → ALICE
4. ALICE: Decr(ciphertext, PRIVATE_Alice)
PKC for a) ENCRYPTION b) AUTHENTICATION
[Figure 9.1 Public-Key Cryptography]
(a) Encryption: plaintext input → encryption algorithm (e.g., RSA) using Alice's public key, taken from Bob's public key ring (Joy, Mike, Ted, Alice) → transmitted ciphertext → decryption algorithm (reverse of encryption algorithm) using Alice's private key → plaintext output
(b) Authentication: plaintext input → encryption algorithm (e.g., RSA) using Bob's private key → transmitted ciphertext → decryption algorithm (reverse of encryption algorithm) using Bob's public key, taken from Alice's public key ring → plaintext output
KEYS EASILY UPDATED
At ANY TIME, ANY Private/Public key pair can be changed.
The public key should be made public IMMEDIATELY.
CIPHER TERMINOLOGY
Symmetric-Key: One SECRET KEY
Asymmetric-Key (PKC): One PRIVATE KEY, One PUBLIC KEY
CONFIDENTIALITY
[Figure 9.2 Public-Key Cryptosystem: Secrecy. At source A the message source produces X and the encryption algorithm, keyed with KU_b, outputs Y; at destination B the decryption algorithm, keyed with KR_b, recovers X. B's key pair source supplies KU_b and KR_b. The cryptanalyst produces estimates of X and KR_b.]
AUTHENTICATION (source) (Integrity/Signature)
[Figure 9.3 Public-Key Cryptosystem: Authentication. At source A the message source produces X and the encryption algorithm, keyed with KR_a, outputs Y; at destination B the decryption algorithm, keyed with KU_a, recovers X. A's key pair source supplies KR_a and KU_a. The cryptanalyst produces an estimate of KR_a.]
CONFIDENTIALITY and AUTHENTICATION
[Figure 9.4 Public-Key Cryptosystem: Secrecy and Authentication. Source A encrypts X with KR_a to produce Y, then encrypts Y with KU_b to produce Z; destination B decrypts Z with KR_b to recover Y, then decrypts Y with KU_a to recover X. Each side has its own key pair source (KR_a, KU_a at A; KU_b, KR_b at B).]
APPLICATIONS OF PKC
• Encryption/Decryption – Sender encrypts with RECIPIENT’S PUBLIC key. Applied to ALL of message.
• Digital Signature – Sender signs with SENDER’S PRIVATE key. Applied to ALL or PART of message.
• Key Exchange – Uses one or more PRIVATE keys. Several approaches.
Table 9.2 APPLICATIONS OF PKC
ONE-WAY FUNCTION
• Every value has an inverse: $Y = F(X)$, $X = F^{-1}(Y)$
• $Y = F(X)$ – easy
• $X = F^{-1}(Y)$ – infeasible
easy – polynomial time (polynomial in message length)
infeasible – more than polynomial time (e.g. exponential in message length)
TRAP-DOOR ONE-WAY FUNCTION (e.g. PKC)
$Y = f_k(X)$ – easy if k and X known
$X = f_k^{-1}(Y)$ – easy if k and Y known
$X = f_k^{-1}(Y)$ – infeasible if only Y known
PKC – THE PROBLEM OF KEY SIZE
Brute-Force Attack: use LARGE keys
But, PKC COMPLEXITY GROWS fast with key size
So, PKC is TOO COMPLEX for encryption/decryption; PKC only for key management and signature
RSA ALGORITHM
PKC: 1960’s (NSA); 1970 Ellis – CESG; 1976 Diffie and Hellman
RSA: 1973 Cocks – CESG; 1977 Rivest, Shamir, Adleman – MIT
RSA
Plaintext and Ciphertext: integers between 0 and n-1, i.e. k bits, $2^k < n < 2^{k+1}$
Encryption: $C = M^e \bmod n$
Decryption: $M = C^d \bmod n = (M^e)^d \bmod n = M^{ed} \bmod n$
RSA (continued)
Sender knows n, e
Receiver knows n, d
PUBLIC key, KU = {e,n}
PRIVATE key, KR = {d}
PKC REQUIREMENTS OF RSA
1. There exist e, d, n s.t. $M^{ed} = M \bmod n$
2. Easy to calculate $M^e$ and $C^d$ given {M,e} or {C,d}, resp.
3. Infeasible to find d given {e,n}
EXAMPLE
p = 17, q = 11, n = p·q = 187
mod p = 17: $\{1, 6, 6^2, 6^3, 6^4, 6^5, 6^6, 6^7, 6^8, 6^9, 6^{10}, 6^{11}, 6^{12}, 6^{13}, 6^{14}, 6^{15}\} = \{1,6,2,12,4,7,8,14,16,11,15,5,13,10,9,3\}$
mod q = 11: $\{1,2,4,8,5,10,9,7,3,6\}$
EXAMPLE
$57 = (6,2)$, $57^2 = (2,4)$, $57^3 = (12,8)$, $57^4 = (4,5)$
EXAMPLE – Chinese Remainder Theorem
We want a number, g, between 1 and 186 s.t. $g \bmod 17 = 6$, $g \bmod 11 = 2$
Use CRT: $g = 154 \cdot 6 + 34 \cdot 2 \bmod 187 = 57$
EXAMPLE RSA COMPUTATION
Encryption: plaintext 88 → $88^7 \bmod 187 = 11$ → ciphertext 11 (KU = 7, 187)
Decryption: ciphertext 11 → $11^{23} \bmod 187 = 88$ → plaintext 88 (KR = 23, 187)
Figure 9.6 Example of RSA Algorithm
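The slide numbers above (p = 17, q = 11, e = 7, M = 88, and the CRT example g = 57) worked through in Python. This is an added example, not part of the original slides; the function names are illustrative, and it is textbook RSA without padding, so it serves only to check the arithmetic. It also goes one step beyond the slides by decrypting in the (mod p, mod q) representation and recombining with the CRT.

```python
# Added example: textbook RSA on the slide values (no padding; for study only).
from math import gcd

def make_key(p, q, e):
    """Return (n, d) where d is the inverse of e modulo (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return n, pow(e, -1, phi)

def encrypt(m, e, n):
    """C = M^e mod n; the plaintext must be an integer in [0, n-1]."""
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    return pow(m, e, n)

def decrypt(c, d, n):
    """M = C^d mod n."""
    return pow(c, d, n)

def crt_coefficients(p, q):
    """a is 1 mod p and 0 mod q; b is 0 mod p and 1 mod q."""
    return q * pow(q, -1, p), p * pow(p, -1, q)

def crt_combine(rp, rq, p, q):
    """Rebuild g in [0, pq-1] from its residues (g mod p, g mod q)."""
    a, b = crt_coefficients(p, q)
    return (a * rp + b * rq) % (p * q)

def residues(g, p, q):
    """The pair notation used on the slides: g = (g mod p, g mod q)."""
    return g % p, g % q

def decrypt_crt(c, d, p, q):
    """Decrypt in the (mod p, mod q) representation, then recombine."""
    mp = pow(c % p, d % (p - 1), p)
    mq = pow(c % q, d % (q - 1), q)
    return crt_combine(mp, mq, p, q)

if __name__ == "__main__":
    p, q, e = 17, 11, 7                      # values from the slides
    n, d = make_key(p, q, e)
    c = encrypt(88, e, n)
    print("n, d =", n, d)
    print("ciphertext =", c, "plaintext =", decrypt(c, d, n))
    print("CRT coefficients =", crt_coefficients(p, q))
    print("57 ->", residues(57, p, q), "->", crt_combine(6, 2, p, q))
    print("CRT decryption =", decrypt_crt(c, d, p, q))
```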
SECURITY OF RSA
• Brute-Force Attacks – try all possible private keys.
• Mathematical Attacks – all equivalent to factoring n.
• Timing Attacks – depend on running time of decryption algorithm.
Table 9.3 Progress in Factorisation
MIPS-years NEEDED TO FACTOR
[Figure 9.9 MIPS-years Needed to Factor: MIPS-years needed to factor (log scale, 10^0 to 10^22) against bits (600 to 2000), with curves for the General Number Field Sieve and the Special Number Field Sieve]
TIMING ATTACKS ON RSA – countermeasures
For Decryption:
• Constant exponentiation time
• Random delay
• Blinding: generate random r, $C' = C r^e$, $M' = (C')^d$, $M = M' r^{-1}$
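The blinding countermeasure above, applied to the toy key from the RSA computation example (KU = 7, 187; KR = 23; C = 11). This is an added example, not part of the original slides; the function names and sample r values are illustrative, all arithmetic is mod n, and Python's pow is not constant-time, so the code shows the algebra of blinding only.

```python
# Added example: RSA base blinding on the slide's toy key (not a hardened implementation).
import secrets
from math import gcd

def pick_blinding_factor(n):
    """Fresh random r in [2, n-1] that is invertible mod n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r

def blinded_decrypt(c, d, e, n, r=None):
    """Return (M, C') where C' = C*r^e, M' = C'^d, M = M'*r^-1, all mod n."""
    if r is None:
        r = pick_blinding_factor(n)          # new r for every decryption
    elif gcd(r, n) != 1:
        raise ValueError("r must be invertible mod n")
    c_blind = (c * pow(r, e, n)) % n         # C' = C * r^e
    m_blind = pow(c_blind, d, n)             # M' = C'^d  (equals M * r mod n)
    m = (m_blind * pow(r, -1, n)) % n        # M  = M' * r^-1
    return m, c_blind

def plaintexts_over_all_r(c, d, e, n):
    """Decrypt c under every invertible r; correctness means one plaintext."""
    return {blinded_decrypt(c, d, e, n, r)[0]
            for r in range(2, n) if gcd(r, n) == 1}

if __name__ == "__main__":
    e, d, n, c = 7, 23, 187, 11              # KU = {7, 187}, KR = 23, C = 11
    for r in (3, 5, 10):                     # constructed sample factors
        m, c_blind = blinded_decrypt(c, d, e, n, r)
        print(f"r={r}: exponentiation input C'={c_blind}, recovered M={m}")
    print("plaintexts over all r:", plaintexts_over_all_r(c, d, e, n))
```

The private-key exponentiation runs on C', which changes with every r, so its running time is no longer tied to the ciphertext the sender chose.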