Public Key Cryptography Public Key Algorithms • Readings – Sections 6.3 - 6.6 1
Public Key Cryptography
Public Key Algorithms
• Readings
– Sections 6.3 - 6.6
1
Applications of Public Key Cryptosystems
• Confidentiality: encryption and decryption– Sender encrypts message using recipient’s public key
– Only intended recipient can decrypt
• Authentication and non-repudiation: digital signature– Sender signs message with its private key
– Recipient can verify using sender’s public key
• Key exchange– Both sides cooperate to exchange shared key for symmetric
key system
• Different public key systems provide different functionalities – RSA for all three applications
– Diffie-Hellman only for key exchange
• Two main applications of public key systems today– Digital signature and key exchange
2
The RSA Algorithm
• Rivest, Shamir, Adleman, 1978, MIT
• Variable key size, common to use 1024 bits
• Generating RSA keys is based on finding multiplicative inverses of large numbers (modulo), which is not hard
• Generating RSA ciphertext is based on modulo exponentiation, which is not hard
• RSA's strength is based on difficulty of factoring large numbers and the RSA problem, WHICH ARE HARD
• There may be other trap doors in RSA, but none have been found yet.
3
The RSA Algorithm
Choosing public and private keys
• Let k be the key length then choose two large prime
numbers p and q of bit lengths k/2, for example 512
bits each. Let n = pq.
• Choose e < n with e relatively prime to (n). The
public key is <e,n>
– (n) = (p-1)(q-1)
• Find multiplicative inverse d of e mod (n). The
private key is <d,n>
– Can be solved by Euclid’s algorithm
4
RSA Operations
Encryption and Decryption
• Encryption – for a message m < n,
– c = me mod n (c is the ciphertext)
• Decryption – given the ciphertext c,
– compute cd mod n
• Note that cd mod n = med mod n = m since d was
chosen so that ed = 1 + k (n) and we are simply
using Euler’s (extension) theorem
• Confidentiality
– Only Bob can decrypt the message
5
Alice Bob{M}
bob_public
RSA Operations
Signature and Verification
• signature – for a message m < n,
– s = md mod n (s is the signature)
• Signature verification – given the signature s,
– compute se mod n
• Note that se mod n = med mod n = m. Also anyone
can verify the signature using the public key.
• Non-repudiation and authentication
– Alice cannot deny that she sent the message
6
Alice Bob[M]
alice_private
Back to One Way Functions:
an example of encryption / decryption
• Let n be a very large number
• Let the plaintext be viewed as M < n
• To get the ciphertext, we do the following:
C = Me mod n
• Example
Let (e,n) be (7, 187) and M be 88
Then C = 887 mod 187 = 11
• (d,n) = (23,187) and 187 = 17 X 11– (n) = 16 X 10 = 160
– ed = 23 X 7 = 161
• Then M = 1123 mod 187 = 88
7
RSA (Better) Example
1. Select two large primes, 2357 and 2551.
8
2. Multiply them to get n = 6012707
3. Select e = 3674911, relatively prime to (n)= 600780
4. d = 422191 is the multiplicative inverse of e mod (n)
5. Encrypt m = 5234673 < n as
c = me mod n
= 52346733674911 mod 6012707
= 3650502
6. Decrypt c as, m = c d mod n
= 3650502 422191 mod 6012707
= 5234673
Some Aspects of RSA
1. It's strength is based on the difficulty of factoring large
numbers and the RSA problem
2. It is much more computationally intensive than DES,
IDEA, AES, etc.
3. It has avoidable weaknesses– If there are a limited number of plaintext messages used in
practice, can compute all the corresponding ciphertext
messages and compare
– Encrypting small messages (say the value of e used is 3). Then
can recover using cube root
– Smooth number threat – product of small primes
– Need to pad properly
9
An Attack on RSA
1. An intruder, X intercepts a message (m) intended for
Alice encrypted under Alice's public key (e):
(m)e mod n
2. The intruder generates a value x, computes:
xeme mod n = (xm)e mod n
and sends it to Alice
3. Alice decrypts the message to attain the value:
xm mod n, which appears to be garbage
4. If Alice disposes of the "garbage" carelessly, the intruder
can recover it and compute:
(xmx-1) mod n = m
10
RSA Conclusions
• RSA is the “gold standard” in public key crypto
• Provides encryption and signatures
• Has stood the test of time
– Virtually unchanged since its invention
11
Sign and Encrypt vs. Encrypt and Sign
• Suppose we want both confidentiality and non-
repudiation
• We can sign and encrypt…
• …or encrypt and sign
• Does the order matter?
12
Public Key Notation
• Sign message M with Alice’s private key: [M]Alice
• Encrypt message M with Alice’s public key: {M}Alice
• Then
{[M]Alice}Alice = M
[{M}Alice]Alice = M
13
Confidentiality and Non-repudiation
• Suppose that we want confidentiality and non-
repudiation
• Can public key crypto achieve both?
• Alice sends message to Bob
– Sign and encrypt {[M]Alice}Bob
– Encrypt and sign [{M}Bob]Alice
• Can the order possibly matter?
14
Sign and Encrypt
Alice Bob
{[M]Alice
}Bob
Q:What is the problem?
A: Charlie misunderstands crypto!
Charlie
{[M]Alice
}Charlie
M = “I love you”
15
Encrypt and Sign
Alice Bob
[{M}Bob
]Alice
Note that Charlie cannot decrypt M
Q:What is the problem?
A: Bob misunderstands crypto!
Charlie
[{M}Bob
]Charlie
M = “My theory, which is mine….”
16
Diffie-Hellman Algorithm
• Oldest public key system in use
• Limited functionality– Allows Alice and Bob to agree on a shared key even though
all messages are exchanged in public
– The shared secret can subsequently be used for encrypting / decrypting using other systems
• Security strength– based on the difficulty of the discrete logarithm problem
• Weakness – No authentication as a basic element of DH
17
Discrete Logarithms
• Let y = gx mod p
• x is said to be the (discrete) logarithm of y, with base
g.
• It is easy to compute y, given g, x, and p.
• It is very difficult to find x, given g, p, and y. This
difficulty is the same order as that of factoring large
primes.
18
Diffie-Hellman Key Exchange
• Choose a large prime p and g < p. These can be publicly known to all. (some restrictions on g and p for additional security)
1. Alice and Bob “randomly” choose 512 bit numbers a and b respectively - these are their individual private keys.
2. Alice computes TA = ga mod p, Bob computes TB = gb mod p
3. Alice and Bob exchange the values TA and TB
4. Alice computes TBa mod p and Bob computes TA
b mod p
5. They have both computed the same number, the shared secret key
TBa =(gb)a = gba = gab = TA
b mod p
19
20
Basic Diffie-Hellman
A B
pgu a mod
pgv b mod
abb guK baa gvK
Alice’ Secret is a.
Bob’s Secret is b.
.
21
Diffie-Hellman Example
• Alice and Bob agree to use a prime number p=23 and base g=5.
• Alice chooses a secret integer a=6, then sends Bob (ga mod p)– 56 mod 23 = 8.
• Bob chooses a secret integer b=15, then sends Alice (gb mod p) – 515 mod 23 = 19.
• Alice computes (gb mod p)a mod p – 196 mod 23 = 2.
• Bob computes (ga mod p)b mod p – 815 mod 23 = 2.
22
Man-in-the-middle (MiM) Attack
Alice Bob
g x
K1 g xs
Trudy
gs
g z
g y
K2 gzy
Trudy negotiates keys with Alice and Bob and encrypts and
decrypts with the appropriate shared keys
Diffie-Hellman
• How to prevent MiM attack?
– Encrypt DH exchange with pre-shared secret
– Encrypt DH exchange with public key
– Sign DH values with private key
– Other?
• You MUST be aware of MiM attack on Diffie-Hellman
23
24
Adding Authentication
Alice Bob
u g x modp
v g yM modp
K uy gxy
K v xM1
g xy
Here, gM = PAlice , the public key of Alice.
Only Alice could compute her half of the secret key.
Therefore this protocol can be used to authenticate Alice.
Diffie-Hellman Conclusions
• Simple and elegant
• Widely used
• Has several clever uses
– For example, to make weak PIN-based authentication
protocol much stronger
• Man-in-the-middle is serious issue
25
Intro to ElGamal
• Similar to Diffie-Hellman algorithm
1. Alice and Bob agree on a large (512 bits) prime pand a number g < p with some restrictions on the g. (Operations are all mod p)
2. Alice chooses a large random number a (her private key) and computes and publishes her public key TA = ga
3. To transmit a message M, Bob selects a large random number r (private), and computes and sends to Alice: C = (gr , Mgar )
4. Alice computes gar , then g-ar, and finally M = M(gar)(g-ar)
26
27
ElGamal Encryption and Decryption
• To encrypt m in [1, p-1] for user Bob:
– public key TA = ga mod p, private key a
• Compute a random value r
• Compute:
(A, B) = (gr mod p, m TAr mod p)
• To decrypt, Bob computes:
m = B(A-a) mod p
ElGamal Example
28
ga mod p = 3
gr mod p = 3
gar mod p = 9
Mgar mod p = 10
g-ar mod p = 5
g = 5
p = 11
a = 2
r = 7
M = 6
Mgar * g-ar mod p = 6
DSS: Digital Signature Standard
• Proposed by NIST
• The algorithm is known as DSA
– Digital Signature Algorithm
• Based on ElGamal
29
30
Digital Signature Algorithm (DSA) Keys
• Generate large prime p = kq + 1, for prime q (public)
– p originally 512 bits, today 1024 or more
– q originally 160 bits (still safer today).
– This is an expensive operation
• Generator g such that gq = 1 mod p (public)
– Take h [1, p - 1]; set g = h(p-1)/q mod p
• Choose public-private key pair: <T, S>
– S random in [1, q ]; T = gS mod p
• Public information is p, q, g, T.
• Private information is S
31
Signing with DSA
• Generate a per-message public/private key pair:
– Choose random Sm
– <Tm, Sm> : Tm = (gSm mod p) mod q
• dm = digest of message m (e.g., SHA-1)
• Compute the signature
– X = Sm-1 (dm + S Tm) mod q
• The signing pair is (Tm , X)
• Information sent: m, Tm,, X
32
Verifying the DSA
• Calculate the inverse of X:
– X-1 mod q
• Calculate dm from the message m
• Compute x = dm X-1 mod q
• Compute y = Tm X-1 mod q
• Compute z = ( gxTy mod p) mod q
• If z = Tm verification succeeds.
• Why does it work?
• Why is it secure?
Reading Assignment
• Sections 9.1 – 9.6
• Chapter 10
• Paper 9
33