Week 7: Public-Key Cryptography MSIS 525 Encryption and Authentication Systems Summer 2010

Feb 02, 2016

Wyman

Week 7: Public-Key Cryptography. MSIS 525 Encryption and Authentication Systems Summer 2010. Topics. Public Key Encryption (PKE) PKE Math Symmetric Key Exchange Using PKE Distributing Public Keys Authentication Technologies MACs Hashes Digital Signatures. Public Key Encryption. - PowerPoint PPT Presentation
Transcript
  • Week 7: Public-Key Cryptography
    MSIS 525 Encryption and Authentication Systems, Summer 2010

  • Topics
    Public Key Encryption (PKE)
    PKE Math
    Symmetric Key Exchange Using PKE
    Distributing Public Keys
    Authentication Technologies: MACs, Hashes, Digital Signatures

  • Public Key Encryption
    Uses one key for encryption, and another for decryption
    Applications: encryption of short messages (like keys); authentication (through digital signatures)

  • PKE for Encryption (diagram: Bob and Alice)

  • PKE for Authentication (diagram: Bob and Alice)

  • PKE for both simultaneously (diagram: Bob and Alice, using PR_Bob, PU_Bob, PU_Alice, PR_Alice)

  • PKE is not ...
    Suitable for encrypting long messages
    Necessarily more secure than symmetric
    Necessarily more efficient in distributing keys than symmetric
    So don't fall prey to these myths.

  • RSA
    The most popular PKE system
    Developed by Rivest, Shamir, and Adleman in 1977
    Is a block cipher
    Plaintext and ciphertext are treated as numbers between 0 and 2^numbits - 1; numbits typically >= 1024

  • RSA Encryption and Decryption
    Encryption has the form: C = M^e mod n
    Decryption has the form: M = C^d mod n
    n is the product of two primes, p and q

  • RSA: What the two sides know
    Visibility for confidentiality:
      sender knows e and n
      receiver knows d and n (as the product of p and q)
    In other words, these are the keys:
      public key = {e, n}
      private key = {d, p, q}

  • The RSA Algorithm

  • The RSA Algorithm

  • Example: RSA by hand
    Select primes: p = 17 & q = 11
    Compute n = pq = 17 * 11 = 187
    Compute φ(n) = (p-1)(q-1) = 16 * 10 = 160
    Select e: gcd(e, 160) = 1; choose e = 7
    Determine d = e^-1 mod 160 with d < 160
      Value is d = 23 since 23 * 7 = 161 = 1 mod 160 (could also use http://cs.lewisu.edu/~klumpra/msis525/multinv.php)
    Publish public key PU = {7, 187}
    Keep secret private key PR = {23, 17, 11}

    KEY GENERATION

  • Example: RSA by hand
    given message M = 88 (note: 88
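
The key generation and the encryption/decryption formulas above, carried out in code with the slide's own numbers (p = 17, q = 11, e = 7, M = 88). This is an added example written for this page, not code from the lecture; the function names are mine, and it relies on Python's built-in pow(e, -1, phi) (Python 3.8+) for the modular inverse and pow(m, e, n) for modular exponentiation.

```python
from math import gcd


def rsa_keygen(p, q, e):
    """Textbook RSA key generation from two primes and a chosen e.
    Returns (public_key, private_key) as ({e, n}, {d, p, q})."""
    n = p * q
    phi = (p - 1) * (q - 1)          # φ(n) = (p-1)(q-1) for distinct primes p, q
    if gcd(e, phi) != 1:
        raise ValueError(f"e={e} is not relatively prime to φ(n)={phi}")
    d = pow(e, -1, phi)              # d = e^-1 mod φ(n) (Python 3.8+)
    return {"e": e, "n": n}, {"d": d, "p": p, "q": q}


def rsa_encrypt(pub, m):
    """C = M^e mod n. The message must be a number below n, which is
    why RSA is used for short messages such as keys."""
    if not 0 <= m < pub["n"]:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, pub["e"], pub["n"])


def rsa_decrypt(priv, c):
    """M = C^d mod n, with n recovered from the private key's p and q."""
    n = priv["p"] * priv["q"]
    return pow(c, priv["d"], n)


if __name__ == "__main__":
    # the slide's toy parameters: p=17, q=11, e=7 -> n=187, d=23
    pub, priv = rsa_keygen(17, 11, 7)
    c = rsa_encrypt(pub, 88)
    print("PU =", pub, "PR =", priv)
    print("C =", c, "-> M =", rsa_decrypt(priv, c))
```

With these parameters the ciphertext is C = 88^7 mod 187 = 11, and decrypting 11^23 mod 187 gives 88 back; choosing e = 5 instead is rejected because gcd(5, 160) = 5.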
  • How hard is it to break RSA?
    The big concern: the attacker knows the public key e & n
    Can an attacker determine the private key d?
    If he can, then he can determine M = C^d mod n

  • How hard is it to determine d?
    To determine d, need to factor n into p and q
      No small task: n is a 309-digit number
    So that he can determine φ(n) = (p-1)(q-1)
    So that we can determine d = e^-1 mod φ(n)

  • Progress in Factorization

  • Timing Attacks
    Alternative to brute force
    Exploit timing variations in operations
      e.g. multiplying by a small vs. a large number: infer operand size based on time taken
    RSA involves raising numbers to large powers
      Can estimate the size of the exponent by how long it takes
    Countermeasures: use constant exponentiation time; add random delays

  • RSA: Secure but ...
    It's slow
    So, use it for exchanging short messages like keys

  • Issues
    How can we speed up the arithmetic?
    How do you find two large primes?
    What the heck is φ(n)?

  • Basic operations mod n
    (a + b) mod n = (a mod n + b mod n) mod n
    (a * b) mod n = (a mod n * b mod n) mod n
    y = -x mod n if and only if (y + x) mod n = 0
    y = x^-1 mod n if and only if (y * x) mod n = 1
    Speeding up the math through knowledge of modular arithmetic

  • Examples
    What is (8 + 4) mod 5?
    What is (8 * 4) mod 5?
    What is the additive inverse of 2 mod 5?
    What is the multiplicative inverse of 2 mod 5?

  • How do you compute big powers?
    11^23 mod 187 = ???

  • Example: Computing 11^23 mod 187
    11^23 mod 187 = [(11^1 mod 187) x (11^2 mod 187) x (11^4 mod 187) x (11^8 mod 187) x (11^8 mod 187)] mod 187
    11^1 mod 187 = 11
    11^2 mod 187 = 121
    11^4 mod 187 = (121 * 121) mod 187 = 55
    11^8 mod 187 = (55 * 55) mod 187 = 33
    11^23 mod 187 = (11 * 121 * 55 * 33 * 33) mod 187 = 88
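
The repeated-squaring idea of the slide as a general routine (square-and-multiply), added here as an example that is not part of the lecture. It decomposes the exponent by its binary digits, so 23 = 1 + 2 + 4 + 16 rather than the slide's 1 + 2 + 4 + 8 + 8, and reports which squared powers it multiplied together; the function name is mine.

```python
def square_and_multiply(base, exp, mod):
    """Right-to-left binary exponentiation (square-and-multiply).

    Returns (result, factors), where factors lists (2^i, base^(2^i) mod mod)
    for every set bit i of exp: the powers actually multiplied together.
    Only the running squares are kept, so nothing larger than mod^2 is formed.
    """
    if mod < 1:
        raise ValueError("modulus must be positive")
    result = 1 % mod
    power = base % mod      # base^(2^i) mod mod for the current bit i
    weight = 1              # 2^i
    factors = []
    while exp > 0:
        if exp & 1:         # bit i of the exponent is set: multiply it in
            result = (result * power) % mod
            factors.append((weight, power))
        power = (power * power) % mod   # square once for the next bit
        weight <<= 1
        exp >>= 1
    return result, factors


if __name__ == "__main__":
    value, factors = square_and_multiply(11, 23, 187)
    print("11^23 mod 187 =", value)            # 88, as on the slide
    for weight, pw in factors:
        print(f"  11^{weight} mod 187 = {pw}")
```

The trace shows 11^1 = 11, 11^2 = 121, 11^4 = 55 and 11^16 = 154 (mod 187); their product mod 187 is again 88, matching both the slide and Python's pow(11, 23, 187).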

  • Chinese Remainder Theorem
    Makes it possible to reconstruct integers in a certain range from their remainders when divided by a pair of relatively prime numbers.
    Provided we know the factors, a very large number can be manipulated using smaller numbers
    This will help the recipient compute M = C^d mod n, since n = p * q, and the recipient knows p and q

  • Example: CRT
    Using residues 2 and 5, compute 7 + 8 mod 10.
    7 mod 2 = 1, 7 mod 5 = 2, so 7 is (1,2)
    8 mod 2 = 0, 8 mod 5 = 3, so 8 is (0,3)
    (1,2) + (0,3) = (1,5)
    So, we seek a number x < 10 such that x mod 2 = 1 mod 2 (i.e. 1) and x mod 5 = 5 mod 5 (i.e. 0)
    That number is 5.
    Sure enough, (7 + 8) mod 10 = 15 mod 10 = 5

  • Another example: CRT
    Using residues 2 and 5, compute 7 * 8 mod 10
    7 mod 2 = 1, 7 mod 5 = 2, so 7 is (1,2)
    8 mod 2 = 0, 8 mod 5 = 3, so 8 is (0,3)
    (1,2) * (0,3) = (0,6)
    So, we seek a number x < 10 with x mod 2 = 0 mod 2 and x mod 5 = 6 mod 5 = 1.
    That number is 6
    Sure enough, (7 * 8) mod 10 = 56 mod 10 = 6

  • Application of CRT to Encryption
    RSA involves calculations modulo n, a product of primes p and q
    n is huge (>= 1024 bits long)
    Because of CRT, calculations can be done mod p and mod q instead
    p and q are much smaller; thus, calculations are easier
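
The two CRT arithmetic examples and the RSA application above, worked in code. This is an added example, not the lecture's code; it uses Garner's recombination (my choice, the slides do not name a method) and Python's pow(x, -1, m) for the modular inverse, and the function names are mine. The same recombination that turns the residue pairs (1,5) and (0,6) back into 5 and 6 also turns the mod-p and mod-q halves of an RSA decryption back into M.

```python
def to_residues(x, moduli):
    """Represent x by its remainders modulo each modulus, e.g. 7 -> (1, 2) for (2, 5)."""
    return tuple(x % m for m in moduli)


def crt_combine(residues, moduli):
    """Garner's algorithm: the unique x in [0, prod(moduli)) with
    x = r_i (mod m_i) for every i. The moduli must be pairwise relatively prime."""
    x, m = 0, 1
    for r, mi in zip(residues, moduli):
        # choose t so that (x + m*t) mod mi == r
        t = ((r - x) * pow(m, -1, mi)) % mi
        x += m * t
        m *= mi
    return x % m


def rsa_decrypt_crt(c, d, p, q):
    """RSA decryption done mod p and mod q separately, then recombined.
    The exponents shrink to d mod (p-1) and d mod (q-1) by Fermat's theorem."""
    m_p = pow(c, d % (p - 1), p)
    m_q = pow(c, d % (q - 1), q)
    return crt_combine([m_p, m_q], [p, q])


if __name__ == "__main__":
    # the slide's examples: arithmetic mod 10 via residues mod 2 and mod 5
    a, b = to_residues(7, (2, 5)), to_residues(8, (2, 5))
    print(crt_combine([a[0] + b[0], a[1] + b[1]], [2, 5]))   # 5 = (7+8) mod 10
    print(crt_combine([a[0] * b[0], a[1] * b[1]], [2, 5]))   # 6 = (7*8) mod 10
    # RSA example from earlier: C=11, d=23, p=17, q=11 -> M=88
    print(rsa_decrypt_crt(11, 23, 17, 11))
```

For the RSA case the two half-computations are 11^7 mod 17 = 3 and 11^3 mod 11 = 0, and recombining gives 88, the same answer as 11^23 mod 187 but with exponents of 7 and 3 instead of 23.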

  • Determining the multiplicative inverse
    For large numbers, it can be difficult to determine the multiplicative inverse
    But we have to: d = e^-1 mod φ(n)
    You can use this tool instead: http://cs.lewisu.edu/~klumpra/msis525/multinv.php
    This will find the inverse of 5 mod 7

  • Here's the source code:

    Find the multiplicative inverse in GF(p^n)

    Enter base p: Enter exponent n: Enter number for which you want the inverse:

    Just in case you're interested.
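
The tool's source is not reproduced on this page, so here is an added example of the usual way to compute a multiplicative inverse of an integer mod n: the extended Euclidean algorithm. It is my code, not the lecture's tool (which works in GF(p^n)); this version handles plain integers mod n, which is what d = e^-1 mod φ(n) needs, and the function names are mine.

```python
def extended_gcd(a, b):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
        old_t, t = t, old_t - quotient * t
    return old_r, old_s, old_t


def mod_inverse(a, n):
    """The x in [0, n) with (a * x) mod n == 1, or ValueError if gcd(a, n) != 1.
    When a*x + n*y = 1, reducing mod n leaves a*x = 1 mod n, so x is the inverse."""
    g, x, _ = extended_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n} (gcd is {g})")
    return x % n


def additive_inverse(a, n):
    """The y in [0, n) with (a + y) mod n == 0."""
    return (-a) % n


if __name__ == "__main__":
    print(mod_inverse(5, 7))      # 3, the tool's example: 5*3 = 15 = 1 mod 7
    print(mod_inverse(7, 160))    # 23, the d of the RSA example
    print(additive_inverse(2, 5), mod_inverse(2, 5))   # 3 and 3, the earlier slide's examples
```

The gcd check matters: an e that is not relatively prime to φ(n) has no inverse at all, which is exactly the condition the key generation step enforces.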

  • Prime numbers
    First step in RSA: choose p and q prime
    A prime number p is a positive integer having no divisors other than 1 and p
    There are an infinite number of primes

  • Theorems regarding primes
    If p is a prime number and a is a positive integer not divisible by p, then a^(p-1) mod p = 1
    If p is a prime number and a is a positive integer, then a^p mod p = a mod p

  • Examples
    What is 4^4 mod 5?
    Here, a = 4, p = 5
    By the first theorem, a^(p-1) mod p = 1
    So, we know 4^(5-1) mod 5 = 1

  • Examples
    What is 4^5 mod 5?
    Second theorem: a^p mod p = a mod p.
    So, the answer should be 4 mod 5, or 4.
    Indeed: 4^5 = 1024, and 1024 mod 5 = 4

  • Euler's Totient Function
    φ(n) = # of positive integers between 1 and n that are relatively prime with n
    Examples:

    n     Relatively prime with respect to n     φ(n)
    6     1 and 5                                2
    7     1, 2, 3, 4, 5, 6                       6
    14    1, 3, 5, 9, 11, 13                     6
    29    1, 2, 3, ..., 28                       28

  • What does relatively prime mean?
    Two numbers are relatively prime if they have no factors in common (other than 1)
    For example, 3 and 8 are relatively prime
    Also, 4 and 15 are relatively prime

  • Euler's Totient Function (continued)
    Theorem: φ(p*q) = φ(p) * φ(q)
    Also, if p is prime, then φ(p) = p-1
    So, if p and q are primes and p doesn't equal q, then φ(p*q) = (p-1) * (q-1)

  • Example: Properties of the Totient
    Again: if p and q are primes, then φ(p*q) = (p-1) * (q-1)
    φ(6) = φ(2*3) = (2-1) * (3-1) = 2
    φ(14) = φ(2*7) = (2-1) * (7-1) = 6

  • Euler's Theorem
    If a and n are relatively prime, then a^φ(n) = 1 mod n
    If a and n are relatively prime, then a^(φ(n)+1) = a mod n
    Examples (with a = 3, n = 8)
      Note that φ(8) = 4
      Then, 3^4 = 1 mod 8
      Also, 3^5 = 3 mod 8
    Confirm these by computing 3^4 and 3^5

  • Testing for Primes
    Public-key encryption requires finding very large prime numbers
    There is no efficient way to do this
    Simplest algorithm:
      for i = 2 up to the square root of n:
        if n mod i is 0, then n is not prime, so exit the loop
      if you don't find an i for which n mod i = 0, then n is prime

  • Testing for Primes: Miller & Rabin Algorithm
    Can say simply that a number is not prime
    Can't say for sure whether a number is prime
    However, if you repeat the algorithm t times, Probability(n is prime) > 1 - (1/4)^t
    Thus, if you repeat the test 10 times, the probability the number is prime > 99.9999%
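
Both tests from the two slides above, as an added example that is not the lecture's code: the trial-division loop exactly as described, and a Miller-Rabin routine whose "not prime" verdicts are certain and whose "prime" verdicts are wrong with probability at most (1/4)^t. The function names and the fixed random seed are my choices.

```python
import random


def is_prime_trial(n):
    """Trial division from 2 up to sqrt(n), as on the slide: exact but slow for big n."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False      # found a divisor, so n is not prime
        i += 1
    return True


def miller_rabin(n, t=10, rng=None):
    """Miller-Rabin with t random bases.
    'False' is certain (a witness of compositeness was found); 'True' means
    probably prime, wrong with probability at most (1/4)^t."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    # write n - 1 = 2^k * q with q odd
    q, k = n - 1, 0
    while q % 2 == 0:
        q //= 2
        k += 1
    rng = rng or random.Random(2010)   # fixed seed so runs are reproducible
    for _ in range(t):
        a = rng.randrange(2, n - 1)
        x = pow(a, q, n)
        if x in (1, n - 1):
            continue               # this base says nothing; try another
        for _ in range(k - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False           # a is a witness: n is composite
    return True


if __name__ == "__main__":
    print(is_prime_trial(97), is_prime_trial(187))        # True False
    print(miller_rabin(561), miller_rabin(2**61 - 1))      # False True (561 is a Carmichael number)
```

561 is a Carmichael number, which fools the plain Fermat test a^(n-1) = 1 mod n for every base relatively prime to it; Miller-Rabin still catches it, which is why it is the test used in practice.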

  • Distribution of Primes
    Primes near n are spaced on the average one every 0.5 * ln(n) integers
    Thus, one has to test, on average, this many integers
    For example, if a prime near 2^200 is desired, need to test 0.5 * ln(2^200) = 69 numbers (on average)

  • Review: The RSA Algorithm
    We've discussed how to speed up all of this.

  • Now we'll talk about Key Exchange
    First, how do you exchange symmetric keys using PKE technology?
      This is the recommended application of PKE
      Will present the most popular technique: Diffie-Hellman
    Then, how do you exchange public keys?
      Necessary for PKE to happen

  • Symmetric Key Exchange
    Last week, we saw a few different ways to exchange keys ...
      Physical delivery: directly from A to B, or third-party C distributes to A and B
      Use of previous key
      Key Distribution Center
      Decentralized

  • Centralized Key Distribution
    This is called the Needham-Schroeder Protocol

  • Limitation of KDC
    "What good would it do after all to develop impenetrable cryptosystems if their users were forced to share their keys with a KDC that could be compromised by either burglary or subpoena?" (Whitfield Diffie, co-creator of public-key encryption)

  • Decentralized Key Distribution
    Each node must maintain (M-1) master keys
    Messages sent with master keys are short
    Unlikely to be compromised because there's not a lot to glom on to.

  • Limitation of Decentralized Approach
    With M different participants, there are M(M-1)/2 different master keys to distribute
    Doesn't scale well

  • So, we seek an alternative
    One that doesn't necessarily require trust in a third party
    One that doesn't require such a large up-front key distribution

  • Will look at 3 approaches to distributing symmetric keys w/ PKE
    Simple Key Distribution
    Simple Key Distribution with Confidentiality and Authentication
    Diffie-Hellman

  • Simple Key Distribution (Symmetric Key Distribution Using PKE)
    Alice contacts Bob with her ID and public key
    Bob generates a symmetric key and returns it to Alice (encrypted with her public key), so that only she can read it with her private key
    Susceptible to Man-in-the-middle attack

  • Man-in-the-Middle Attack
    1. Alice generates {PU_A, PR_A} and transmits a message intended for Bob consisting of PU_A and ID_A
    2. Creep intercepts the message, creates his own public/private key pair {PU_C, PR_C}, and transmits PU_C & ID_A to Bob
    3. Bob generates secret key K_S and transmits E(PU_C, K_S)
    4. Creep intercepts the message and learns K_S through D(PR_C, E(PU_C, K_S))
    5. Creep transmits E(PU_A, K_S) to Alice so that Alice doesn't think anything is wrong
    So, everybody (Alice, Bob, and Creep) knows K_S. Bad news!

  • Secret Key Distribution with Confidentiality and Authentication (Symmetric Key Distribution Using PKE)
    Lots of overhead!

  • Diffie-Hellman
    An algorithmic approach to exchanging a secret key.
    This is the most popular way; involves less overhead

  • Primitive Root (first need to understand this; useful in Diffie-Hellman)
    Let p be a prime. Then b is a primitive root for p if the powers of b (1, b, b^2, b^3, ...) include all of the nonzero residue classes mod p, i.e. the first p-1 powers of b have to be different mod p.
    Example: if p is 7, then 3 is a primitive root of p, because the powers of 3 mod 7 are 1, 3, 2, 6, 4, 5
    2 is not: 1, 2, 4, 1, 2, 4, 1, 2, 4

  • Diffie-Hellman Key Exchange
    Pre-select a large prime q and a primitive root of q called a.
    Then ... (diagram)

  • Example: Diffie-Hellman
    q = 11, a = 7
    A selects X_A = 9, calculates Y_A = 7^9 mod 11 = 8
    B selects X_B = 5, calculates Y_B = 7^5 mod 11 = 10
    A calculates K_S = Y_B^X_A mod q = 10
    B calculates K_S = Y_A^X_B mod q = 10
    So, they have the same shared key!
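
The primitive-root test and the Diffie-Hellman exchange from the last three slides, run with the slide's numbers (q = 11, a = 7, X_A = 9, X_B = 5). This is an added example, not the lecture's code; the function names are mine, and the exchange is simulated in one process so both sides' computations are visible side by side.

```python
def powers_mod(b, p):
    """b^0, b^1, ..., b^(p-2) mod p: the row the slide lists for b = 3 and b = 2."""
    return [pow(b, i, p) for i in range(p - 1)]


def is_primitive_root(b, p):
    """b is a primitive root of prime p when its first p-1 powers are all
    distinct mod p, i.e. they cover every nonzero residue class."""
    return len(set(powers_mod(b, p))) == p - 1


def dh_exchange(q, a, x_a, x_b):
    """Diffie-Hellman over prime q with primitive root a.
    x_a, x_b are the private values; returns (Y_A, Y_B, K_S).
    Only q, a, Y_A and Y_B would travel over the wire."""
    if not is_primitive_root(a, q):
        raise ValueError(f"{a} is not a primitive root of {q}")
    y_a = pow(a, x_a, q)            # A sends Y_A = a^X_A mod q
    y_b = pow(a, x_b, q)            # B sends Y_B = a^X_B mod q
    k_a = pow(y_b, x_a, q)          # A computes Y_B^X_A mod q
    k_b = pow(y_a, x_b, q)          # B computes Y_A^X_B mod q
    assert k_a == k_b               # both equal a^(X_A*X_B) mod q
    return y_a, y_b, k_a


if __name__ == "__main__":
    print(powers_mod(3, 7), is_primitive_root(3, 7))   # [1, 3, 2, 6, 4, 5] True
    print(powers_mod(2, 7), is_primitive_root(2, 7))   # [1, 2, 4, 1, 2, 4] False
    print(dh_exchange(11, 7, 9, 5))                    # (8, 10, 10)
```

Both sides arrive at K_S = 10 although neither private value was transmitted; an eavesdropper sees only 11, 7, 8 and 10.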

  • So that's how you do symmetric key exchange with PKE
    How do you exchange the public keys themselves? Several ways:
      Public Announcement
      Public Directory
      Public Key Authority
      Public Key Certificates

  • Distribution of public keys, Method 1: Public Announcement

  • Public Announcement
    Simple sharing of keys
    Useful for small communities
    Major weakness: a bad guy can distribute a false public key for Alice

  • Distribution of public keys, Method 2: Public Key Directory

  • Public Key Directory
    Maintenance and distribution of the public directory is the responsibility of some trusted authority
    Authority maintains a directory with {name, public key} for each user
    Each user registers a public key with the authority (in person or in some other secure way)
    User may replace public key any time
    Users can access the directory electronically
    Secure, authenticated channel to/from the directory necessary

  • Public Key Directory Example: http://pgp.mit.edu/

  • Distribution of public keys, Method 3: Public Key Authority

  • Public Key Authority: Problems
    Seven messages are required!
    The PK authority may become a bottleneck
    However, the first 5 can be spared if Alice and Bob cache (i.e. store locally) each other's public keys
      Periodically refresh to ensure they are current
    If the authority is compromised, then all the held public keys are compromised

  • Distribution of public keys, Method 4: Public-Key Certificate
    Attempts to offload some of the responsibility of the central authority
    A certificate identifies: a user; his or her public key; a time stamp
    The certificate authority signs it and gives it back to the user:
      C_A = PR_auth[ID_A, PU_A, T]  (i.e. signed with the authority's private key)

  • Public-Key Certificate (diagram)

  • X.509 Certificates
    Certificates have a standard format, defined by X.509.
    Will investigate this format next week

  • Where are we?
    We've spent most of the term talking about confidentiality
    But what about integrity? authentication? non-repudiation?

  • Tools for these other purposes
    MACs
    Hashes
    Digital Signatures

  • Authentication & Integrity Mechanisms
    Symmetric Key: Frame check sequence; Message Authentication Code
    Public-Key: Message Digest provided by a hash

  • Symmetric Key Authentication
    If symmetric encryption is used, then the very fact that the key is shared provides some authentication
    But how do you recognize what is a valid message?
    Requires that the message have a verifiable structure

  • Provide such a structure by using a Frame Check Sequence
    F is some function that you pass the message through.

  • Another option: use a MAC
    Authentication only / Authentication & Confidentiality (diagrams)

  • Properties of a MAC
    A MAC is a cryptographic checksum: MAC = C(K, M)
    Condenses a variable-length message M, using a secret key K, to a fixed-sized authenticator
    Is a many-to-one function: potentially many messages have the same MAC (i.e. they are summarized down to the same value)
    But finding the message from the MAC needs to be very difficult

  • MACs are actually harder to break than encryption
    The many-to-one nature makes it very difficult to recover the original message
    Example: suppose a 100-bit message and a 10-bit MAC
      There are then 2^100 different messages, but only 2^10 different MACs to which they map
      Thus, for any MAC, there are 2^100 / 2^10 = 2^90 different messages that compile down to it
      How in the world are you to know which message it actually was that led to that MAC?

  • An Example of a MAC: Data Authentication Algorithm
    MAC is too small to prevent the birthday attack!

  • MAC pros and cons
    Pro:
      The code is much smaller than the message
      The two-key approach gives us a way to authenticate separately from encrypting
    Cons:
      This is not a signature: the two parties share the key, so either could have sent it
      Requires the sharing of secret keys

  • Examples of "a MAC is not a signature"
    Suppose John sends an authenticated message to Mary
    Mary may forge a different message and claim it came from John
    John may deny sending the message, stating that Mary must have forged it
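
MAC = C(K, M) from the "Properties of a MAC" slide, its fixed-size output, and the "not a signature" con illustrated by John and Mary, as an added example that is not the lecture's code. The slides name no concrete C, so HMAC-SHA256 from Python's standard library is my stand-in; the key is a constructed demo value and the function names are mine.

```python
import hashlib
import hmac

# constructed demo key shared by John and Mary; not a real secret
SHARED_KEY = b"demo-shared-key-for-john-and-mary"


def compute_mac(key, message):
    """MAC = C(K, M): a fixed-size authenticator from a variable-length message
    and a secret key. HMAC-SHA256 stands in for the generic C here. The output is
    32 bytes whatever the message length (the many-to-one property)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key, message, tag):
    """Recompute and compare in constant time, so the comparison's timing
    does not reveal how many leading bytes of a candidate tag were right."""
    return hmac.compare_digest(compute_mac(key, message), tag)


def either_party_can_forge(key):
    """The 'not a signature' con: anyone holding K produces a tag that verifies,
    so a valid tag does not prove which of the two key holders sent the message."""
    forged = b"John owes Mary $1,000,000"     # a message John never sent
    return verify_mac(key, forged, compute_mac(key, forged))


if __name__ == "__main__":
    msg = b"Transfer $100 to account 42"
    tag = compute_mac(SHARED_KEY, msg)
    print(len(tag), verify_mac(SHARED_KEY, msg, tag))                   # 32 True
    print(verify_mac(SHARED_KEY, b"Transfer $900 to account 42", tag))  # False
    print(either_party_can_forge(SHARED_KEY))                            # True
```

A changed message or a different key fails verification, which is the integrity and authentication the slides promise; the last call is the limitation: Mary can produce a tag that verifies under the shared key exactly as John can, so the tag settles nothing about which of them wrote the message.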

  • Addressing MACs' Cons
    Logical choice: investigate the use of public-key encryption

  • PKE provides both authentication & confidentiality
    Z = E(PU_b, E(PR_a, X))
    X = D(PU_a, D(PR_b, Z))

  • Drawback
    Again, the math:
      Z = E(PU_b, E(PR_a, X))
      X = D(PU_a, D(PR_b, Z))
    Pretty darn slow: 4 public-key operations in all

  • Alternative: Hash Function
    Used for a similar purpose to a MAC
    Just like a MAC: takes in a variable-size message, produces fixed-size output
    Unlike a MAC: does not use a key

  • So what if it doesn't use a key?
    Useful in situations where you can't share a key conveniently
    Good for digital signatures

  • Overview of a hash:
    Condenses an arbitrary message to a fixed size: h = H(M)
    The output of the hash is called a digest
    The hash function is public
    The hash function is one way
    The hash is sensitive to changes in the message

  • Requirements for Hash Functions
    Can be applied to any sized message M
    Produces fixed-length output h
    Is easy to compute h = H(M) for any message M
    Given h, is infeasible to find the original message (one-way property)
    Given x, is infeasible to find y such that H(y) = H(x) (weak collision resistance)
    Is infeasible to find any x, y such that H(y) = H(x) (strong collision resistance)

  • Hash as Digital Signature (diagram: the signature)

  • Hash as Digital Signature + Encryption

  • Elements common to all hash functions
    Input (message, file, etc.) viewed as a sequence of n-bit blocks
    Blocks are processed one at a time
    Compression function reduces the blocks
    End result is an n-bit hash value

  • Illustration of these elements
    f is the compression function (where the magic happens)

  • Simple Hash Proposals
    XOR all m blocks together: C_i = b_i1 xor b_i2 xor ... xor b_im
    Another option:
      Initially set the n-bit hash value to 0.
      Process each successive n-bit block as follows: rotate the current hash to the left by one bit, then XOR the data block with the hash value
    Both of these are weak, because it is possible to determine how to craft a new message that gives the same hash code
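
Both simple proposals implemented on byte blocks, plus a demonstration of the weakness the slide states: for either function one can write down a second message with any chosen hash value, so neither is even weakly collision resistant. This is an added example and not the lecture's code; the block size and function names are my choices.

```python
def _blocks(data, block_size):
    """Split data into block_size-byte chunks, zero-padding the last one."""
    for i in range(0, len(data), block_size):
        chunk = data[i:i + block_size].ljust(block_size, b"\x00")
        yield int.from_bytes(chunk, "big")


def xor_hash(data, block_size=1):
    """Proposal 1: XOR all blocks together."""
    h = 0
    for block in _blocks(data, block_size):
        h ^= block
    return h


def rotate_xor_hash(data, block_size=1):
    """Proposal 2: rotate the running hash left one bit, then XOR in the next block."""
    bits = 8 * block_size
    mask = (1 << bits) - 1
    h = 0
    for block in _blocks(data, block_size):
        h = ((h << 1) | (h >> (bits - 1))) & mask   # rotate left by one bit
        h ^= block
    return h


def craft_preimage(target, nblocks, block_size=1):
    """Why both are weak: nblocks-1 zero blocks followed by the target value hash
    to target under BOTH functions (zero blocks leave the running value at 0,
    rotating 0 gives 0, and the final XOR sets it to target)."""
    return b"\x00" * (block_size * (nblocks - 1)) + target.to_bytes(block_size, "big")


if __name__ == "__main__":
    print(xor_hash(b"ab") == xor_hash(b"ba"))          # True: reordering blocks is invisible
    h = rotate_xor_hash(b"ab")
    fake = craft_preimage(h, 2)
    print(hex(h), fake, rotate_xor_hash(fake) == h)    # 0xa0 b'\x00\xa0' True
```

The XOR hash cannot even tell "ab" from "ba", and for the rotate-and-XOR variant a two-block forgery with the same hash as "ab" is just a zero byte followed by the hash value itself; real hash functions need a compression function that is not linear in the blocks.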

  • Could also use a block cipher as a hash
    Divide the message into M fixed-size blocks; pad the final block with 0s if necessary
    Set the initial hash H_0 to 0
    Compute H_i = E[M_i, H_(i-1)] repeatedly, and use the final block as the hash value
    With DES, though, the hash will be too small, because of the birthday attack

  • Summary
    How public key encryption works
    Mathematics behind PKE
    Exchanging public keys
    Authentication using MACs and Hashes

    Keep in mind, though, PKE's confidentiality usage is usually limited to the exchange of keys, not of the message.

    Look at the formulas for encryption and decryption. The encryptor knows e and n, so computing C is easy. The decryptor knows d and n, so computing M is easy. Someone who doesn't know d would have a terribly hard time figuring out M.

    φ(n) is the totient function. One of the theorems we will see is that, if n = pq, then φ(n) = φ(p) * φ(q). Another theorem says that, for a prime number p, φ(p) = p-1. That is why φ(n) = (p-1)(q-1).

    In step 4, common choices for e are 3, 17, and 65537 (2^16 + 1). As explained on page 273, these choices have just 2 one bits in their binary representation, which reduces the amount of multiplication we have to do.

    If you do pre-select e (say to be 65537), then you must make sure gcd(φ(n), e) = 1. The rules of the algorithm say that e and φ(n) must be relatively prime.

    Barring an unforeseen breakthrough, 1024+ bit RSA is secure against a factoring attack.

    Additive inverse problem: if x is the additive inverse of 2 mod 5, then (2 + x) mod 5 = 0. So, that means ... (2 mod 5 + x mod 5) mod 5 = 0, i.e. (2 + x mod 5) mod 5 = 0. This is true if x = 3. So, 3 is the additive inverse of 2 in mod 5.

    Multiplicative inverse problem: x is the m.i. of 2 if (x * 2) mod 5 = 1. So (x mod 5 * 2 mod 5) mod 5 = 1, i.e. (x mod 5 * 2) mod 5 = 1. This works if x is 3. So, 3 is the m.i. of 2 in mod 5.

    Remember: a * b mod n = (a mod n * b mod n) mod n. That's where this approach comes from.

    A Useful Extension of Euler's Theorem: given 2 prime numbers p and q, and three integers k, m, and n, with 0 < m < n = p*q, then m^(k*φ(n)+1) = m mod n. This can be used in RSA to speed up the calculation of large powers.

    The algorithm appears at the bottom of page 243 of Stallings.

    ln = natural log. This is a function on most scientific calculators.

    A wants to talk with B.
    1. A sends the KDC the identities of itself and of B, as well as a random number N1 called the nonce.
    2. The KDC sends the session key K_S, the identities of A and B, and the nonce, each encrypted using A's master key K_a. It also sends the session key and the identity of A encrypted using B's master key.
    3. A sends the session key and its identity to B, encrypted using B's master key.
    4. B responds by returning a new random number, the nonce N2, encrypted using the session key K_S.
    5. A responds by sending some function of N2 encrypted using the session key. (Often, f(N2) is just N2 + 1.)

    Steps 3, 4, and 5 are for authentication purposes.

    Lot of overhead.

    Remember: a residue class is a set of numbers that, when divided by a number, all give the same remainder.

    False public key -> i.e. his own.

    C_A, the certificate for A, is a data structure that contains A's id, A's public key, and the time the certificate was created. The timestamp allows A to create a new key in case the old one gets compromised.

    It's kinda like a credit card. The owner cancels the credit card number but is at risk until all participants know that the old card is obsolete. The timestamp can serve as kind of an expiration date. If the timestamp is old, the certificate is assumed obsolete.

    This shows just one possibility. You could also apply the function F after encrypting the message.

    Also, note that with TCP-based end-to-end encryption, in which all applications use the same key, you encrypt the TCP header (see figure 7.5 on page 208). That includes the sequence number. If an attacker messes around with it, they will probably destroy that sequence number, and the message will arrive not in the proper sequence, alerting you to the attack. In that way, the communication itself has provided an error code. Yowzer!

    Another example: suppose the message is 10 bits, and we use a 1-bit hash. There are then 2^10 different messages, and these are hashed down to 1 of 2 different hash values. 2 raised to the 10th power is 1024. Thus, there are 1024/2 = 512 different messages that hash to the same hash value. How in the world are you supposed to know which message is the actual message that was sent? That's an example of how the many-to-one nature of hashes and MACs makes them difficult to decrypt.

    Data Authentication Algorithm: uses DES in cipher-block-chaining mode and identifies all or part of the final block as a MAC. Specifics: chunk the data into 64-bit blocks (pad the last block if necessary); encrypt the message using DES in CBC mode with the shared key K used as the key; send just the final block as the MAC, or the leftmost M bits (16 <= M <= 64) of the final block. Weakness: the final MAC is now too small for security (only 16 to 64 bits), which makes it prone to the birthday attack.

    The difference between weak collision resistance and strong collision resistance is subtle. Basically, strong collision resistance says that for any x and y, you can't find a collision with good probability.

    Strong collision resistance: for any message, it is computationally infeasible to find another message with the same MAC or hash. The only way to achieve this is to increase the bit size of the MAC or hash.

    We said hashes were good for digital signatures. Well ... this picture illustrates how.

    You can even authenticate without encrypting. Here's how: if party A and party B share a secret, A can append the secret to the message and hash it. He will transmit the message along with the hash of the message+secret to party B. When he receives the transmission, party B will take the message, merge it with the secret, pass it through the hash function, and compare the output with the hash of the message+secret he received. If they match, then the message was sent correctly. This is a way to transmit information in an authenticated way that avoids the overhead and resulting performance penalties associated with encryption. So, you get better performance, and you avoid having to deploy encryption/decryption if you don't want to.

    A 64-bit hash is not secure because it falls to birthday attacks. The birthday attack works like this:
      the opponent generates 2^(m/2) variations of a valid message, all with essentially the same meaning
      the opponent also generates 2^(m/2) variations of a desired fraudulent message
      the two sets of messages are compared to find a pair with the same hash (probability > 0.5 by the birthday paradox)
      have the user sign the valid message, then substitute the forgery, which will still have a valid signature
    The conclusion is that we need to use a larger MAC/hash; a 160-bit minimum is now common.
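
The birthday bound in the note above, made concrete: hashing distinct messages until two share an m-bit digest takes about 2^(m/2) tries, which is why the DAA's 16-to-64-bit tags and a 64-bit hash are too short and why the note asks for 160 bits. This is an added example and not the lecture's code; it truncates SHA-256 to m bits to stand in for an m-bit hash, and the function names and message format are mine.

```python
import hashlib


def truncated_hash(message, bits):
    """The leading `bits` bits of SHA-256, standing in for an m-bit hash."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits, prefix=b"variation-"):
    """Hash distinct messages until two share an m-bit digest.
    Returns (msg1, msg2, tries). By the birthday paradox the expected number of
    tries is about 2^(m/2), so small m falls quickly and large m does not."""
    seen = {}
    for i in range(2 ** bits + 1):         # pigeonhole: a collision exists within 2^m + 1 tries
        msg = prefix + str(i).encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    raise AssertionError("unreachable: 2^m + 1 distinct inputs must collide")


def expected_tries(bits):
    """Rule of thumb from the note: about 2^(m/2) hash evaluations."""
    return 2 ** (bits / 2)


if __name__ == "__main__":
    m1, m2, tries = find_collision(16)
    print(tries, m1, m2, hex(truncated_hash(m1, 16)))
    for m in (16, 64, 160):
        print(f"m={m}: about {expected_tries(m):.3g} tries")
```

A 16-bit digest collides after a few hundred hashes; 2^(m/2) is 2^32 for a 64-bit digest (minutes of work) but 2^80 for a 160-bit one, which is the difference the note's "160-bit minimum" is about.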
