Public Key Encryption

Nikita Borisov — UIUC 1

Public Key EncryptionCS461/ECE422Spring 2012

Nikita Borisov — UIUC 2

Reading Material Text Chapters 2 and 21 Handbook of Applied Cryptography,

Chapter 8 http://www.cacr.math.uwaterloo.ca/hac/

Nikita Borisov — UIUC 3

Symmetric keys & Distribution Every pair of people must share a

secret key E.g.: Alice, Bob, Carol, David:KAB, KAC, KAD,KBC, KBD, KCD

How do you keep track of them all? O(N2) keys for N people

How do you exchange them? Must use a secure, out-of-band channel

Nikita Borisov — UIUC 4

Public Key Cryptography Cryptographers to

the rescue! Two keys:

Private key known only to owner

Public key available to anyone

One key pair per person ▪ O(N) keys

Merkle, Hellman, Diffie

Nikita Borisov — UIUC 5

Public Cryptography Functionality Public key encryption

Use public key to encrypt, private key to decrypt

RSA, ElGamal, ECIES Public key signatures (similar to

MAC) Use private key to sign, public key to

verify RSA, DSA, ECDSA

Symmetric key distribution Agree on a secret symmetric key over a

public channel Diffie-Hellman, ECDH, MQV, ECMQV

Nikita Borisov — UIUC 6Slide #9-6

Public-Key Cryptography

Nikita Borisov — UIUC 7Slide #9-7

General Facts about Public Key Systems Public Key Systems are much slower than

Symmetric Key Systems RSA 100 to 1000 times slower than DES.

10,000 times slower than AES? Generally used in conjunction with a symmetric

system for bulk encryption Public Key Systems are based on “hard”

problems Factoring large composites of primes, discrete

logarithms, elliptic curves Only a handful of public key systems

perform both encryption and signatures

Nikita Borisov — UIUC 8

Diffie-Hellman The first public key algorithm A key exchange algorithm, not for

encryption or decryption Set up: p prime, g is coprime with p Alice -> Bob: gx (mod p), x random Bob -> Alice: gy (mod p), y random Alice and Bob compute:

(gx)y = (gy)x

Establish a secret key over a public channel

Nikita Borisov — UIUC 9

Example: p=23, g=5 Alice picks x=6, sends Bob

56 mod 23 = 8 Bob picks y=15, sends Bob

515 mod 23 = 19 Alice computes:

196 mod 23 = 2 Bob computes:

815 mod 23 = 2

Nikita Borisov — UIUC 10

Diffie-Hellman Security Charlie has gx, gy needs to find gxy

Called “Diffie-Hellman Problem” Fastest way: find x given gx

I.e. take logg gx (mod p) Discrete Logarithm Problem Fastest known way is super-polynomial

Nikita Borisov — UIUC 11

Real public DH values For IPSec and SSL, there are a small

set of g's and p's published that all standard implementations support. Group 1 and 2▪ http://tools.ietf.org/html/rfc2409

Group 5 and newer proposed values▪ http://tools.ietf.org/html/draft-ietf-ipsec-ike-m

odp-groups-00

Nikita Borisov — UIUC 12

Diffie-Hellman and Man-in-the-Middle

Alice Bob

Eve

Nikita Borisov — UIUC 13Slide #9-13

RSA by Rivest, Shamir& Adleman of MIT in 1977 best known & widely used public-key

scheme based on exponentiation in a finite (Galois)

field over integers modulo a prime nb. exponentiation takes O((log n)3) operations

(easy) uses large integers (eg. 1024 bits) security due to cost of factoring large

numbers nb. factorization takes O(elog n log log n) operations

(hard)

Nikita Borisov — UIUC 14

Modular Arithmetic a mod b = x if for some k >= 0, bk +

x = a Associativity, Commutativity, and

Distributivity hold in Modular Arithmetic

Inverses also exist in modular arithmetic a + (-a) mod n = 0 a * a-1 mod n = 1

Nikita Borisov — UIUC 15

Modular Arithmetic Reducibility also holds

(a + b) mod n = (a mod n + b mod n) mod n

a * b mod n = ((a mod n) * b mod n) mod n

Fermat’s Thm: if p is any prime integer and a is an integer, then ap mod p = a Corollary: ap-1 mod p = 1 if a != 0 and a

is relatively prime to p

Nikita Borisov — UIUC 16Slide #9-16

Background Totient function (n)

Number of positive integers less than n and relatively prime to n▪ Relatively prime means with no factors in

common with n Example: (10) = ?

4 because 1, 3, 7, 9 are relatively prime to 10

Example: (p) = ? where p is a prime p-1 because all lower numbers are

relatively prime (pq) = (p-1)(q-1) when p, q are both

prime

Nikita Borisov — UIUC 17

Background Euler generalized Fermat’s Theorem

for composite numbers. Fermat's Thm ap-1=1 mod p if a != 0 Euler’s Thm: x(n)=1 mod n

Works for any n

Nikita Borisov — UIUC 18Slide #9-18

RSA Algorithm Choose two large prime numbers p,

q Let n = pq; then (n) = (p–1)(q–1) Choose e < n such that e is relatively

prime to (n). Compute d such that ed mod (n) = 1

Public key: (e, n); private key: d Encipher: C = Me mod n Decipher: M = Cd mod n Generically: F(V, x) = Vx mod n

Nikita Borisov — UIUC 19

Working through the equations C = RSA(M, e) = Me mod n M’ = RSA-1(C, d) M’ = (Me mod n)d mod n M’ = Med mod n

ed mod (n) = 1 ed = k* (n) + 1

M’ = (M mod n * Mk (n) mod n) mod n By Euler’s theorem (Mk)(n) mod n = 1

M’ = M mod n

Nikita Borisov — UIUC 20

Example p = 11, q = 17

n = 187, (n) = 10*16 = 160 Let e = 3, then d = 107 (107 * 3 =

321) (can find this using Euclidian algorithm)

M = 29 C = 293 = 24389 = 79 (mod 187) M’ = 79107 =

111198458817782001560345203757362612455385730171461711652460776161878666503078037332114481897840666397054046667342677228042126488058019906317675811153792810865237482705174079886893643689363009468423234159 = 29 (mod 187)

Nikita Borisov — UIUC 21

Modular Exponentiation Don’t need to compute huge

numbers 293 (mod 187) = (292 mod 187) * 29

mod 187 = (841 mod 187) * 29 mod 187 = 93*29 mod 187 = 2697 mod 187 = 79

Even better: square/multiply M11 = ((M2)2*M)2*M

This is reasonably fast Only 1000 or so times slower than DES

Nikita Borisov — UIUC 22

RSA security Charlie knows e, n, and receives Me (mod

n) How to find M?

Best known way is to factor n▪ Find p and q, find (n), find d▪ No proof that there isn’t a faster way

Factoring n is believed to be hard▪ Best algorithm is GNFS▪ Complexity is sub-exponential but superpolynomial▪ Largest factored number had 768 bits▪ (About 2000-CPU years on an 2.2 GHz Opteron)

▪ Current recommendations are to use 1500-2000 bits

Nikita Borisov — UIUC 23

RSA Security Note: RSA as described is insecure!

Why? Deterministic encryption: Me = M’e if

and only if M=M’ Even worse than in the symmetric case

because Charlie can try many possibilities for M

Semantic security Adversary picks m1 and m2 and is

provided with Encrypt(mi), must guess i Requires randomized encryption

Nikita Borisov — UIUC 24

Padding Introduce randomness to message

P = r || M, where r is random Encryption: Pe

Decryption: (Pe)d, discard random prefix (Actually, still not quite secure, see

RSA-OAEP for proper usage)

Nikita Borisov — UIUC 25

Hybrid Encryption How do we encrypt messages longer

than 1024 bits? Break into blocks, use RSA on each block

(slow, potentially insecure) Use a hybrid between RSA and AES

Pick random key K Send: RSAEncrypt(K), AES-CBC-

Encrypt(K, M) Must ensure K is random!

Nikita Borisov — UIUC 26

RSA Signatures RSA is symmetric

RSADec(RSAEnc(M)) = RSAEnc(RSADec(M)) = Med (mod n) = M

To “sign” a message, Alice computes S = Md (mod n) Bob verifies that Se = Med = M (mod n)

No one other than Alice could have generated S Not even Bob Bob can show S to third parties (non-

repudiation)

Nikita Borisov — UIUC 27

Hash functions How do we sign messages longer

than 1024 bits? Use a hash function

Nikita Borisov — UIUC 28

Hash functions in signatures Alice sends RSASign(h(M)) Bob computes h(M), verifies

signature Security:

Bob cannot generate a signature because:▪ He can’t produce a signature on a chosen

message▪ He can’t solve h(M) = S’e for M because h is

one way Alice is nevertheless committed to her

signature▪ Cannot find M1, M2 such that h(M1) = h(M2)

Nikita Borisov — UIUC 29

Key Points Public Key systems enable multiple

operations Confidentiality (key encryption) Integrity and nonrepudiation Symmetric key exchange

Slower than symmetric crypto, but still practical Especially in hybrid modes

Must be careful how they are used Padding, hash functions