Cryptography and
Cryptography and
Network Security
Network Security
Chapter 9
Chapter 9
Fifth Edition
Fifth Edition
by William Stallings
by William Stallings
Chapter 9 –
Chapter 9 –
Public Key
Public Key
Cryptography and RSA
Cryptography and RSA
Every Egyptian received two names, which were Every Egyptian received two names, which were
known respectively as the true name and the known respectively as the true name and the
good name, or the great name and the little good name, or the great name and the little
name; and while the good or little name was name; and while the good or little name was
made public, the true or great name appears to made public, the true or great name appears to
have been carefully concealed. have been carefully concealed.
—
Private-Key Cryptography
Private-Key Cryptography
traditional
traditional
private/secret/single key
private/secret/single key
cryptography uses
cryptography uses
one
one
key
key
shared by both sender and receiver
shared by both sender and receiver
if this key is disclosed communications are
if this key is disclosed communications are
compromised
compromised
also is
also is
symmetric
symmetric
, parties are equal
, parties are equal
hence does not protect sender from
hence does not protect sender from
receiver forging a message & claiming is
receiver forging a message & claiming is
Public-Key Cryptography
Public-Key Cryptography
probably most significant advance in the
probably most significant advance in the
3000 year history of cryptography
3000 year history of cryptography
uses
uses
two
two
keys – a public & a private key
keys – a public & a private key
asymmetric
asymmetric
since parties are
since parties are
not
not
equal
equal
uses clever application of number
uses clever application of number
theoretic concepts to function
theoretic concepts to function
complements
complements
rather than
rather than
replaces private
replaces private
Why Public-Key
Why Public-Key
Cryptography?
Cryptography?
developed to address two key issues:
developed to address two key issues:
key distributionkey distribution – how to have secure – how to have secure
communications in general without having to communications in general without having to
trust a KDC with your key trust a KDC with your key
digital signaturesdigital signatures – how to verify a message – how to verify a message
comes intact from the claimed sender comes intact from the claimed sender
public invention due to Whitfield Diffie &
public invention due to Whitfield Diffie &
Martin Hellman at Stanford Uni in 1976
Martin Hellman at Stanford Uni in 1976
Public-Key Cryptography
Public-Key Cryptography
public-key/two-key/asymmetricpublic-key/two-key/asymmetric cryptography cryptography
involves the use of
involves the use of twotwo keys: keys:
a a public-keypublic-key, which may be known by anybody, and can , which may be known by anybody, and can
be used to
be used to encrypt messagesencrypt messages, and , and verify signaturesverify signatures
a related a related private-keyprivate-key, known only to the recipient, used , known only to the recipient, used
to
to decrypt messagesdecrypt messages, and , and signsign (create) (create) signatures signatures
infeasible to determine private key from publicinfeasible to determine private key from public is is asymmetricasymmetric because because
those who encrypt messages or verify signatures those who encrypt messages or verify signatures cannotcannot
Public-Key Applications
Public-Key Applications
can classify uses into 3 categories:
can classify uses into 3 categories:
encryption/decryptionencryption/decryption (provide secrecy) (provide secrecy)
digital signaturesdigital signatures (provide authentication) (provide authentication)
key exchangekey exchange (of session keys) (of session keys)
some algorithms are suitable for all uses,
some algorithms are suitable for all uses,
Public-Key Requirements
Public-Key Requirements
Public-Key algorithms rely on two keys where:Public-Key algorithms rely on two keys where:
it is computationally infeasible to find decryption key it is computationally infeasible to find decryption key
knowing only algorithm & encryption key knowing only algorithm & encryption key
it is computationally easy to en/decrypt messages it is computationally easy to en/decrypt messages
when the relevant (en/decrypt) key is known when the relevant (en/decrypt) key is known
either of the two related keys can be used for either of the two related keys can be used for
encryption, with the other used for decryption (for encryption, with the other used for decryption (for some algorithms)
some algorithms)
these
these
are formidable requirements which
are formidable requirements which
Public-Key Requirements
Public-Key Requirements
need a trapdoor one-way function
need a trapdoor one-way function
one-way function has
one-way function has
Y = f(X) easy Y = f(X) easy
X = fX = f–1–1(Y) infeasible(Y) infeasible
a trap-door one-way function has
a trap-door one-way function has
Y = fY = f
k
k(X) easy, if k and X are known(X) easy, if k and X are known
X = fX = f
k
k–1–1(Y) easy, if k and Y are known(Y) easy, if k and Y are known
X = fX = f
k
k–1–1(Y) infeasible, if Y known but k not known(Y) infeasible, if Y known but k not known
a practical public-key scheme depends on
a practical public-key scheme depends on
a suitable trap-door one-way function
Security of Public Key Schemes
Security of Public Key Schemes
like private key schemes brute force like private key schemes brute force exhaustive exhaustive
search
search attack is always theoretically possible attack is always theoretically possible
but keys used are too large (>512bits) but keys used are too large (>512bits)
security relies on a security relies on a large enoughlarge enough difference in difference in
difficulty between
difficulty between easyeasy (en/decrypt) and (en/decrypt) and hardhard
(cryptanalyse) problems (cryptanalyse) problems
more generally the more generally the hardhard problem is known, but problem is known, but
is made hard enough to be impractical to break is made hard enough to be impractical to break
requires the use of requires the use of very large numbersvery large numbers
RSA
RSA
by Rivest, Shamir & Adleman of MIT in 1977 by Rivest, Shamir & Adleman of MIT in 1977
best known & widely used public-key scheme best known & widely used public-key scheme based on exponentiation in a finite (Galois) field based on exponentiation in a finite (Galois) field
over integers modulo a prime over integers modulo a prime
nb. exponentiation takes O((log n)nb. exponentiation takes O((log n)33) operations (easy) ) operations (easy) uses large integers (eg. 1024 bits)uses large integers (eg. 1024 bits)
security due to cost of factoring large numbers security due to cost of factoring large numbers
RSA En/decryption
RSA En/decryption
to encrypt a message M the sender:
to encrypt a message M the sender:
obtains obtains public keypublic key of recipient of recipient PU={e,n}PU={e,n} computes: computes: C = MC = Mee mod n mod n, where , where 00≤≤MM<<nn
to decrypt the ciphertext C the owner:
to decrypt the ciphertext C the owner:
uses their private key uses their private key PR={d,n}PR={d,n} computes: computes: M = CM = Cdd mod n mod n
note that the message M must be smaller
note that the message M must be smaller
RSA Key Setup
RSA Key Setup
each user generates a public/private key pair by: each user generates a public/private key pair by: selecting two large primes at random: selecting two large primes at random: p, qp, q
computing their system modulus computing their system modulus n=p.qn=p.q note note ø(n)=(p-1)(q-1)ø(n)=(p-1)(q-1)
selecting at random the encryption key selecting at random the encryption key ee
where where 1<e<ø(n), gcd(e,ø(n))=1 1<e<ø(n), gcd(e,ø(n))=1
solve following equation to find decryption key solve following equation to find decryption key dd
e.d=1 mod ø(n) and 0e.d=1 mod ø(n) and 0≤≤dd≤≤nn
Why RSA Works
Why RSA Works
because of Euler's Theorem:because of Euler's Theorem:
aaø(n)ø(n)mod n = 1 mod n = 1 where where gcd(a,n)=1gcd(a,n)=1 in RSA have:in RSA have:
n=p.qn=p.q
ø(n)=(p-1)(q-1)ø(n)=(p-1)(q-1)
carefully chose carefully chose ee & & dd to be inverses to be inverses mod ø(n)mod ø(n) hence hence e.d=1+k.ø(n)e.d=1+k.ø(n) for some for some kk
hence :hence :
C
Cdd = M = Me.d e.d = M= M1+k.ø(n)1+k.ø(n) = M = M11.(M.(Mø(n)ø(n)))kk
RSA Example - Key Setup
RSA Example - Key Setup
1.
1. Select primes: Select primes: pp=17 & =17 & qq=11=11
2.
2. CalculateCalculate n n = = pq pq =17=17 x x 11=18711=187
3.
3. CalculateCalculate ø(ø(nn)=()=(p–p–1)(1)(q-q-1)=161)=16xx10=16010=160
4.
4. Select Select ee:: gcd(e,160)=1; gcd(e,160)=1; choose choose ee=7=7
5.
5. Determine Determine dd:: de=de=1 mod 1601 mod 160 and and d d < 160< 160
Value is
Value is d=23d=23 since since 2323xx7=161= 107=161= 10xx160+1160+1
6.
6. Publish public key Publish public key PU={7,187}PU={7,187}
7.
RSA Example - En/Decryption
RSA Example - En/Decryption
sample RSA encryption/decryption is:
sample RSA encryption/decryption is:
given message
given message
M = 88
M = 88
(nb.
(nb.
88<187
88<187
)
)
encryption:
encryption:
C = 88
C = 8877 mod 187 = 11 mod 187 = 11
decryption:
decryption:
M = 11
Exponentiation
Exponentiation
can use the Square and Multiply Algorithmcan use the Square and Multiply Algorithm a fast, efficient algorithm for exponentiation a fast, efficient algorithm for exponentiation
concept is based on repeatedly squaring base concept is based on repeatedly squaring base and multiplying in the ones that are needed to and multiplying in the ones that are needed to
compute the result
compute the result
look at binary representation of exponent look at binary representation of exponent
only takes O(logonly takes O(log22 n) multiples for number n n) multiples for number n
Exponentiation
Exponentiation
c = 0; f = 1
c = 0; f = 1
for i = k downto 0
for i = k downto 0
do c = 2 x c
do c = 2 x c
f = (f x f) mod n
f = (f x f) mod n
if b
if b
ii== 1
== 1
then
then
c = c + 1
c = c + 1
f = (f x a) mod n
f = (f x a) mod n
return f
Efficient Encryption
Efficient Encryption
encryption uses exponentiation to power e
encryption uses exponentiation to power e
hence if e small, this will be faster
hence if e small, this will be faster
often choose e=65537 (2often choose e=65537 (21616-1)-1)
also see choices of e=3 or e=17also see choices of e=3 or e=17
but if e too small (eg e=3) can attack
but if e too small (eg e=3) can attack
using Chinese remainder theorem & 3 using Chinese remainder theorem & 3
messages with different modulii messages with different modulii
if e fixed must ensure
if e fixed must ensure
gcd(e,ø(n))=1
gcd(e,ø(n))=1
Efficient Decryption
Efficient Decryption
decryption uses exponentiation to power d
decryption uses exponentiation to power d
this is likely large, insecure if notthis is likely large, insecure if not
can use the Chinese Remainder Theorem
can use the Chinese Remainder Theorem
(CRT) to compute mod p & q separately.
(CRT) to compute mod p & q separately.
then combine to get desired answer
then combine to get desired answer
approx 4 times faster than doing directlyapprox 4 times faster than doing directly
only owner of private key who knows
only owner of private key who knows
RSA Key Generation
RSA Key Generation
users of RSA must:
users of RSA must:
determine two primes determine two primes at random - at random - p, qp, q select either select either ee or or dd and compute the other and compute the other
primes
primes
p,q
p,q
must not be easily derived
must not be easily derived
from modulus
from modulus
n=p.q
n=p.q
means must be sufficiently largemeans must be sufficiently large
typically guess and use probabilistic testtypically guess and use probabilistic test
exponents
exponents
e
e
,
,
d
d
are inverses, so use
are inverses, so use
RSA Security
RSA Security
possible approaches to attacking RSA are:
possible approaches to attacking RSA are:
brute force key search - infeasible given size brute force key search - infeasible given size
of numbers of numbers
mathematical attacks - based on difficulty of mathematical attacks - based on difficulty of
computing ø(n), by factoring modulus n computing ø(n), by factoring modulus n
timing attacks - on running of decryptiontiming attacks - on running of decryption
chosen ciphertext attacks - given properties of chosen ciphertext attacks - given properties of
Factoring Problem
Factoring Problem
mathematical approach takes 3 forms:mathematical approach takes 3 forms:
factor factor n=p.qn=p.q, hence compute , hence compute ø(n)ø(n) and then and then dd determine determine ø(n)ø(n) directly and directly and compute compute dd
find d directlyfind d directly
currently believe all equivalent to factoringcurrently believe all equivalent to factoring have seen slow improvements over the years have seen slow improvements over the years
• as of May-05 best is 200 decimal digits (663) bit with LS as of May-05 best is 200 decimal digits (663) bit with LS
biggest improvement comes from improved algorithmbiggest improvement comes from improved algorithm
• cf QS to GHFS to LScf QS to GHFS to LS
currently assume 1024-2048 bit RSA is securecurrently assume 1024-2048 bit RSA is secure
Progress in
Progress
Progress
in
in
Timing Attacks
Timing Attacks
developed by Paul Kocher in mid-1990’sdeveloped by Paul Kocher in mid-1990’s exploit timing variations in operationsexploit timing variations in operations
eg. multiplying by small vs large number eg. multiplying by small vs large number or IF's varying which instructions executedor IF's varying which instructions executed infer operand size based on time taken infer operand size based on time taken RSA exploits time taken in exponentiationRSA exploits time taken in exponentiation countermeasurescountermeasures
use constant exponentiation timeuse constant exponentiation time add random delaysadd random delays
Chosen Ciphertext Attacks
Chosen Ciphertext Attacks
•
RSA is vulnerable to a Chosen Ciphertext
RSA is vulnerable to a Chosen Ciphertext
Attack (CCA)
Attack (CCA)
•
attackers chooses ciphertexts & gets
attackers chooses ciphertexts & gets
decrypted plaintext back
decrypted plaintext back
•
choose ciphertext to exploit properties of
choose ciphertext to exploit properties of
RSA to provide info to help cryptanalysis
RSA to provide info to help cryptanalysis
•
can counter with random pad of plaintext
can counter with random pad of plaintext
•or use Optimal Asymmetric Encryption
or use Optimal Asymmetric Encryption
Optimal
Optimal
Asymmetric
Asymmetric
Encryption
Encryption
Padding
Padding
Summary
Summary
have considered:
have considered:
principles of public-key cryptographyprinciples of public-key cryptography