Public Key Cryptography Public Key Algorithms · The RSA Algorithm Choosing public and private keys • Let k be the key length then choose two large prime numbers p and q of bit

Public Key Cryptography

Public Key Algorithms

• Readings

– Sections 6.3 - 6.6

1

Applications of Public Key Cryptosystems

• Confidentiality: encryption and decryption– Sender encrypts message using recipient’s public key

– Only intended recipient can decrypt

• Authentication and non-repudiation: digital signature– Sender signs message with its private key

– Recipient can verify using sender’s public key

• Key exchange– Both sides cooperate to exchange shared key for symmetric

key system

• Different public key systems provide different functionalities – RSA for all three applications

– Diffie-Hellman only for key exchange

• Two main applications of public key systems today– Digital signature and key exchange

2

The RSA Algorithm

• Rivest, Shamir, Adleman, 1978, MIT

• Variable key size, common to use 1024 bits

• Generating RSA keys is based on finding multiplicative inverses of large numbers (modulo), which is not hard

• Generating RSA ciphertext is based on modulo exponentiation, which is not hard

• RSA's strength is based on difficulty of factoring large numbers and the RSA problem, WHICH ARE HARD

• There may be other trap doors in RSA, but none have been found yet.

3

The RSA Algorithm

Choosing public and private keys

• Let k be the key length then choose two large prime

numbers p and q of bit lengths k/2, for example 512

bits each. Let n = pq.

• Choose e < n with e relatively prime to (n). The

public key is <e,n>

– (n) = (p-1)(q-1)

• Find multiplicative inverse d of e mod (n). The

private key is <d,n>

– Can be solved by Euclid’s algorithm

4

RSA Operations

Encryption and Decryption

• Encryption – for a message m < n,

– c = me mod n (c is the ciphertext)

• Decryption – given the ciphertext c,

– compute cd mod n

• Note that cd mod n = med mod n = m since d was

chosen so that ed = 1 + k (n) and we are simply

using Euler’s (extension) theorem

• Confidentiality

– Only Bob can decrypt the message

5

Alice Bob{M}

bob_public

RSA Operations

Signature and Verification

• signature – for a message m < n,

– s = md mod n (s is the signature)

• Signature verification – given the signature s,

– compute se mod n

• Note that se mod n = med mod n = m. Also anyone

can verify the signature using the public key.

• Non-repudiation and authentication

– Alice cannot deny that she sent the message

6

Alice Bob[M]

alice_private

Back to One Way Functions:

an example of encryption / decryption

• Let n be a very large number

• Let the plaintext be viewed as M < n

• To get the ciphertext, we do the following:

C = Me mod n

• Example

Let (e,n) be (7, 187) and M be 88

Then C = 887 mod 187 = 11

• (d,n) = (23,187) and 187 = 17 X 11– (n) = 16 X 10 = 160

– ed = 23 X 7 = 161

• Then M = 1123 mod 187 = 88

7

RSA (Better) Example

1. Select two large primes, 2357 and 2551.

8

2. Multiply them to get n = 6012707

3. Select e = 3674911, relatively prime to (n)= 600780

4. d = 422191 is the multiplicative inverse of e mod (n)

5. Encrypt m = 5234673 < n as

c = me mod n

= 52346733674911 mod 6012707

= 3650502

6. Decrypt c as, m = c d mod n

= 3650502 422191 mod 6012707

= 5234673

Some Aspects of RSA

1. It's strength is based on the difficulty of factoring large

numbers and the RSA problem

2. It is much more computationally intensive than DES,

IDEA, AES, etc.

3. It has avoidable weaknesses– If there are a limited number of plaintext messages used in

practice, can compute all the corresponding ciphertext

messages and compare

– Encrypting small messages (say the value of e used is 3). Then

can recover using cube root

– Smooth number threat – product of small primes

– Need to pad properly

9

An Attack on RSA

1. An intruder, X intercepts a message (m) intended for

Alice encrypted under Alice's public key (e):

(m)e mod n

2. The intruder generates a value x, computes:

xeme mod n = (xm)e mod n

and sends it to Alice

3. Alice decrypts the message to attain the value:

xm mod n, which appears to be garbage

4. If Alice disposes of the "garbage" carelessly, the intruder

can recover it and compute:

(xmx-1) mod n = m

10

RSA Conclusions

• RSA is the “gold standard” in public key crypto

• Provides encryption and signatures

• Has stood the test of time

– Virtually unchanged since its invention

11

Sign and Encrypt vs. Encrypt and Sign

• Suppose we want both confidentiality and non-

repudiation

• We can sign and encrypt…

• …or encrypt and sign

• Does the order matter?

12

Public Key Notation

• Sign message M with Alice’s private key: [M]Alice

• Encrypt message M with Alice’s public key: {M}Alice

• Then

{[M]Alice}Alice = M

[{M}Alice]Alice = M

13

Confidentiality and Non-repudiation

• Suppose that we want confidentiality and non-

repudiation

• Can public key crypto achieve both?

• Alice sends message to Bob

– Sign and encrypt {[M]Alice}Bob

– Encrypt and sign [{M}Bob]Alice

• Can the order possibly matter?

14

Sign and Encrypt

Alice Bob

{[M]Alice

}Bob

Q:What is the problem?

A: Charlie misunderstands crypto!

Charlie

{[M]Alice

}Charlie

M = “I love you”

15

Encrypt and Sign

Alice Bob

[{M}Bob

]Alice

Note that Charlie cannot decrypt M

Q:What is the problem?

A: Bob misunderstands crypto!

Charlie

[{M}Bob

]Charlie

M = “My theory, which is mine….”

16

Diffie-Hellman Algorithm

• Oldest public key system in use

• Limited functionality– Allows Alice and Bob to agree on a shared key even though

all messages are exchanged in public

– The shared secret can subsequently be used for encrypting / decrypting using other systems

• Security strength– based on the difficulty of the discrete logarithm problem

• Weakness – No authentication as a basic element of DH

17

Discrete Logarithms

• Let y = gx mod p

• x is said to be the (discrete) logarithm of y, with base

g.

• It is easy to compute y, given g, x, and p.

• It is very difficult to find x, given g, p, and y. This

difficulty is the same order as that of factoring large

primes.

18

Diffie-Hellman Key Exchange

• Choose a large prime p and g < p. These can be publicly known to all. (some restrictions on g and p for additional security)

1. Alice and Bob “randomly” choose 512 bit numbers a and b respectively - these are their individual private keys.

2. Alice computes TA = ga mod p, Bob computes TB = gb mod p

3. Alice and Bob exchange the values TA and TB

4. Alice computes TBa mod p and Bob computes TA

b mod p

5. They have both computed the same number, the shared secret key

TBa =(gb)a = gba = gab = TA

b mod p

19

20

Basic Diffie-Hellman

A B

pgu a mod

pgv b mod

abb guK baa gvK

Alice’ Secret is a.

Bob’s Secret is b.

.

21

Diffie-Hellman Example

• Alice and Bob agree to use a prime number p=23 and base g=5.

• Alice chooses a secret integer a=6, then sends Bob (ga mod p)– 56 mod 23 = 8.

• Bob chooses a secret integer b=15, then sends Alice (gb mod p) – 515 mod 23 = 19.

• Alice computes (gb mod p)a mod p – 196 mod 23 = 2.

• Bob computes (ga mod p)b mod p – 815 mod 23 = 2.

22

Man-in-the-middle (MiM) Attack

Alice Bob

g x

K1 g xs

Trudy

gs

g z

g y

K2 gzy

Trudy negotiates keys with Alice and Bob and encrypts and

decrypts with the appropriate shared keys

Diffie-Hellman

• How to prevent MiM attack?

– Encrypt DH exchange with pre-shared secret

– Encrypt DH exchange with public key

– Sign DH values with private key

– Other?

• You MUST be aware of MiM attack on Diffie-Hellman

23

24

Adding Authentication

Alice Bob

u g x modp

v g yM modp

K uy gxy

K v xM1

g xy

Here, gM = PAlice , the public key of Alice.

Only Alice could compute her half of the secret key.

Therefore this protocol can be used to authenticate Alice.

Diffie-Hellman Conclusions

• Simple and elegant

• Widely used

• Has several clever uses

– For example, to make weak PIN-based authentication

protocol much stronger

• Man-in-the-middle is serious issue

25

Intro to ElGamal

• Similar to Diffie-Hellman algorithm

1. Alice and Bob agree on a large (512 bits) prime pand a number g < p with some restrictions on the g. (Operations are all mod p)

2. Alice chooses a large random number a (her private key) and computes and publishes her public key TA = ga

3. To transmit a message M, Bob selects a large random number r (private), and computes and sends to Alice: C = (gr , Mgar )

4. Alice computes gar , then g-ar, and finally M = M(gar)(g-ar)

26

27

ElGamal Encryption and Decryption

• To encrypt m in [1, p-1] for user Bob:

– public key TA = ga mod p, private key a

• Compute a random value r

• Compute:

(A, B) = (gr mod p, m TAr mod p)

• To decrypt, Bob computes:

m = B(A-a) mod p

ElGamal Example

28

ga mod p = 3

gr mod p = 3

gar mod p = 9

Mgar mod p = 10

g-ar mod p = 5

g = 5

p = 11

a = 2

r = 7

M = 6

Mgar * g-ar mod p = 6

DSS: Digital Signature Standard

• Proposed by NIST

• The algorithm is known as DSA

– Digital Signature Algorithm

• Based on ElGamal

29

30

Digital Signature Algorithm (DSA) Keys

• Generate large prime p = kq + 1, for prime q (public)

– p originally 512 bits, today 1024 or more

– q originally 160 bits (still safer today).

– This is an expensive operation

• Generator g such that gq = 1 mod p (public)

– Take h [1, p - 1]; set g = h(p-1)/q mod p

• Choose public-private key pair: <T, S>

– S random in [1, q ]; T = gS mod p

• Public information is p, q, g, T.

• Private information is S

31

Signing with DSA

• Generate a per-message public/private key pair:

– Choose random Sm

– <Tm, Sm> : Tm = (gSm mod p) mod q

• dm = digest of message m (e.g., SHA-1)

• Compute the signature

– X = Sm-1 (dm + S Tm) mod q

• The signing pair is (Tm , X)

• Information sent: m, Tm,, X

32

Verifying the DSA

• Calculate the inverse of X:

– X-1 mod q

• Calculate dm from the message m

• Compute x = dm X-1 mod q

• Compute y = Tm X-1 mod q

• Compute z = ( gxTy mod p) mod q

• If z = Tm verification succeeds.

• Why does it work?

• Why is it secure?

Reading Assignment

• Sections 9.1 – 9.6

• Chapter 10

• Paper 9

33