The RSA algorithm encrypts data. If you feed your plaintext to the algo- rithm along with the public key, you get ciphertext as a result. With the digital envelope, the plaintext is the session key. It’s certainly possible to use RSA to encrypt data other than a session key, but RSA is not as fast as the symmetric algorithms. For example, RC4 (probably the fastest sym- metric algorithm in wide use today) will encrypt data at a rate 700 times faster than 1,024-bit RSA (1,024 bits is the most commonly used RSA key size). RC5 (one of the fastest block ciphers) is about 500 times faster.
NOTE:
Incidentally, the R in RC4 and RC5 is the same R as in RSA.
So the best way to use RSA is to create a digital envelope. For example, Pao-Chi can generate a random or pseudo-random 128-bit RC4 key, use it to encrypt his e-mail message to Gwen, and then use Gwen’s RSA public key to encrypt the RC4 key. Encrypting the RC4 key (16 bytes) will take only a few milliseconds on most platforms. Pao-Chi’s message to Gwen consists of two parts: the encrypted session key and the encrypted bulk data (see Figure 4-10). Gwen separates the two components, uses her RSA private key to decrypt the session key, and then uses that decrypted RC4 key to decrypt the bulk data.
Chapter 4
98
Figure 4-9 A one-way function with a trap door. Performing operations in one direction is easy, but reversing the steps is difficult unless you know the secret trap doorTEAM
FLY
An RSA public key consists of two numbers: a modulus and a public exponent. The private key is made up of the same modulus and a private exponent (see Figure 4-11). The modulus, incidentally, is the product of two very large prime numbers. (A prime number, or prime, cannot be evenly divided; for example, 3, 5, 7, 13, and 17 are primes.) In the crypto- graphic literature, these numbers are usually given the romantic names
n,e,and d, where nis the modulus,eis the public exponent, and dis the private exponent. Equally poetic are the names for the two primes that make up the modulus:pand q.
When you generate an RSA key pair (or rather, when the program you’re running generates an RSA key pair), you decide on a public expo- nent e, find two large primes pand qthat work with the eyou’ve chosen, multiply pand qto get the modulus n, and finally compute your private In Pao-Chi’s
message, the encrypted session key comes first and the encrypted bulk data follows
exponent dbased on e,p,and q. Then you throw away pand q(see Figure 4-12). Incidentally, finding large primes is easy using the Fermat test (in the 1600s, Pierre de Fermat discovered interesting things about numbers, one of which led to a test of primality). Furthermore, researchers have shown in the Prime Number Theorem that there are more primes of 512 bits or fewer than there are atoms in the known universe. This means that we’ll never “run out” of primes, and the probability that two people will pick the same prime are so small that we can safely assume it will never happen.
Suppose that Satomi, our attacker, wants to determine Gwen’s private key. If Satomi knows the key, she can open Pao-Chi’s digital envelope. She must figure out nand d. Because the public key is, well, public, she knows
Chapter 4
100
Figure 4-11
A 1,024-bit RSA key pair. The number nis the modulus,eis the public exponent, and dis the private exponent
nbecause it’s part of the public key. So really, all she has to do is figure out
d. It turns out that dis simply the inverse of emodulo (n). Satomi knows what eis, so all she has to do is find (n) and perform a modular inverse function. That’s very easy to do using the Extended Euclidean Algorithm.
NOTE:
Here’s an interesting bit of history. Euclid published his algorithm in about 400 BCE, but researchers have concluded that he didn’t invent it. It’s believed that the algorithm had been around for about 200 years before Euclid presented it. Who was the true inventor? No one knows, but there is a lesson to be learned from this anonymous mathematician: If you get a good idea, publish!
By the way,(n) is known as Euler’s phi-function (is the Greek letter
phi, pronounced “fee”). Leonhard Euler (pronounced “Oiler”) was an 18th- century mathematician who noticed some interesting things about num- bers. For example, if nis the product of those two primes pand q, then
(n) is (p ⫺1)(q ⫺1). That’s “the quantity pminus 1 times the quantity q
minus 1” (see the FAQ on the accompanying CD for more details).
(2) Find p , q (3) Multiply to getn (4) Findd (5) Destroyp , q PRNG Fermat test p , q p , q n = p qx Extended Euclid d
Not all primes work with the public exponent you choose; you may have to reject some primes before finding two compatible numbers
e p q, ,
Generating an RSA public and private key pair
So Satomi’s problem, which began as “find d” and was reduced to “find
(n),” has now been further reduced to “find pand q.” She knows nand knows that p⫻q⫽ n, so all she has to do is factor n, which is the hard problem at the foundation of the RSA algorithm.
In other words, in RSA, the one-way function is multiplication. That’s right, multiplication. You’re probably thinking, “That’s not one-way. To reverse multiplication, all you have to do is divide.” That’s true—if you know what to divide by. But if someone multiplies two numbers and tells you the result, can you determine the original two numbers? That’s known as factoring, and it happens to be difficult.
Suppose n is 35. What are p and q? That’s easy—they’re 5 and 7 because 5 ⫻ 7 ⫽ 35. The numbers 5 and 7 are the prime factors of 35. When you break 35 into its prime factors, you’re factoring.
Now suppose n is 893. Factor that. (The answer is given in the next paragraph.) If you factored 893, you probably discovered that it was a lit- tle more time-consuming than factoring 35. The longer the number, the more time it takes to factor it. Researchers have written computer pro- grams to factor numbers. For those programs, factoring 893 would be triv- ial. But just as with humans, it takes these programs longer to factor bigger numbers. You can pick a number so big that the amount of time it would take to factor, even for the fastest computers, would be prohibitive. Remember Satomi’s problem? If she finds pand q, she can compute (n). With (n) and e,she can determine d. When she has d,she can open Pao- Chi’s digital envelope. Because p⫻q⫽nand because she knows what nis (remember, that’s part of the public key), all she has to do is factor n—and that’s how factoring can break RSA. (The answer from the preceding para- graph is 19 and 47.) Because the modulus (that’s n) is the number Satomi needs to factor, we’ll say that the size of the modulus is the size of the RSA key. Hence, an RSA key that uses a modulus of 1,024 bits is a 1,024-bit key. No one has been able to factor big numbers in a reasonable amount of time. How big is big? Currently, the most commonly used RSA key size is 1,024 bits. The record for factoring (as of December 2000) is 512 bits. In that case,pand qwere each 256 bits long. It took a team using 292 off-the- shelf computers a little more than five months to do the job. With a brute force attack, each time you add a bit to the key size, you double the time it takes to break. But with the technique used by the current factoring champions, each time you add a bit to the number, you don’t quite double the time to factor. Each added bit makes the program run about 1.035 to 1.036 times longer. So if a 512-bit key is broken in five months, a 1,024-bit key can be broken in about 3 to 30 million years (see Figure 4-13).
Chapter 4
102
You may wonder why the modulus has to be the product of two primes. Why can’t the modulus itself be a prime number? The reason is that for a prime number p,(p) is (p⫺ 1). Because your modulus is public, if the modulus were p, a prime number, any attacker would be able to find (p); it’s simple subtraction. Armed with (p), an attacker can easily find d.
Incidentally, Satomi has a couple of brute force opportunities. First, she could try to find dby trying every value it could possibly be. Fortunately,
dis a number as big as the modulus. For a 1,024-bit RSA private key,dis 1,024 bits long (maybe a bit or two smaller). No, brute force on dis not an option. A second possibility is to find por q. Satomi could get a number b
(call it bfor brute force candidate) and then compute n ⫼b(ndivided by
b). If that doesn’t work (bdoes not divide nevenly; there is a remainder), she tries another b. She keeps trying until she finds a bthat works (one that divides n evenly). That b will be one of the factors of n. And the answer to n ⫼bis the other factor. Satomi would then have pand q. But the factors of nare half the size of the modulus (see “Technical Note: Mul- tiPrime RSA”). For a 1,024-bit RSA key,p and q are 512 bits each. So Satomi would be trying a brute force attack on a 512-bit number, and In a popular
1,024-bit RSA key, the modulus is 1,024 bits, built by multiplying two 512-bit primes
Chapter 4