Post on 29-Dec-2015
Data Security and Cryptology, IX
Asymmetric Cryptoalgorithms. RSA
October 29th, 2014
Valdo Praust
mois@mois.ee
Lecture Course in Estonian IT College, Autumn 2014
Main Types of Cryptoalgorithms
1. Symmetric cryptoalgorithms or secret-key cryptoalgorithms are the traditional (historical) cryptoalgorithms
2. Asymmetric cryptoalgorithms or public-key cryptoalgorithms have become widely spread within the last 30 years
3. Cryptographic message digests and similar constructions
4. Special-purpose algorithms for proofs, authentication etc
Secret-Key Cryptoalgorithm: Fields of Use
• transmitting confidential information over (interceptable) networks
• secure storage of confidential information (with an appropriate key management system)
• secure erasing of confidential data
• generating good white noise
Secret-Key Cryptoalgorithm
Secret-key cryptoalgorithm (salajase võtmega krüptoalgoritm) or symmetric cryptoalgorithm (sümmeetriline krüptoalgoritm) is a cryptoalgorithm where the same secret key is used both for enciphering and deciphering
It is considered to be practically secure if the following two conditions are satisfied:
• The key is at least 80 bits long (for long-time or enhanced security at least 128 bits long)
• There are no known effective cryptanalytic methods
Secret-Key Cryptoalgorithm – Possibility to Break
A secret-key cryptoalgorithm is considered to be practically secure enough when the keylength is at least 80 bits (for enhanced security cases 128 bits)
DES is already considered insecure because its keylength is only 56 bits (until 2005 it was allowed to use DES in triple mode as 3DES)
In addition to a sufficient keylength, no effective cryptanalytic attacks must be known
Most-Of-Spread Algorithms, I
1. AES (keylength 128, 192 or 256 bits). Has been the international de facto commercial standard since 2001; involves an estimated 70-80% of all symmetric cryptoalgorithm usages
2. IDEA (keylength 128 bits). Switzerland, late 1980s
3. CAST5 or CAST-128 (keylength from 40 to 128 bits). 1996, Carlisle Adams and Stafford Tavares
Most-Of-Spread Algorithms, II
4. Blowfish (variable keylength up to 448 bits). Bruce Schneier, 1990s
5. RC4. Stream cipher, keylength between 40 and 256 bits, from 1987
6. DES (keylength 56 bits). Has been the U.S. commercial standard since 1977 and was widely used all around the world. NB! Today it isn’t considered secure because of its short keylength!
Block and Stream Ciphers
Symmetric cryptoalgorithms can be divided into block ciphers and stream ciphers. Block ciphers are much more widespread than stream ciphers
• Block cipher (plokkšiffer) is an enciphering method where the plaintext is divided into blocks of a certain length and these blocks are encrypted separately. How (and whether) the encryption result of one block depends on the previous blocks is determined by the block cipher mode currently in use
• Stream cipher (jadašiffer) is a method where a key sequence (võtmejada) is generated from a given secret key. The encryption process is an ordinary XOR operation between the plaintext and the key sequence
AES: Main Facts
• Is the main commercial secret-key cryptoalgorithm (70-80% of all use cases)
• Won the AES Competition; before that it was known as Rijndael
• Has three different versions with different strength (with different key lengths)
• Is a block cipher with a block length of 128, 192 or 256 bits, consequently
• Uses a key whose length is equal to the block length - consequently 128, 192 or 256 bits
• Authors are Joan Daemen and Vincent Rijmen (Belgium)
Retrospective View — DES
DES is a typical iterative block cipher, consisting of the following parts:
• key schedule calculation (võtmejaotusarvutus), which derives 16 48-bit subkeys (alamvõtmed) from the 56-bit initial key
• initial permutation (algpermutatsioon)
• 16 rounds (raund), each of them using one subkey
• final permutation (lõpp-permutatsioon)
DES – Exhaustive Search
• Can be performed with 2^56 operations – this is already feasible for contemporary computers (mainframe computers)
• It is possible to construct a special parallel “breaking machine” consisting of a lot of chips, whose cost (AD 2013) is less than 100 000 and which is able to break DES within about one second
• The cost and the breaking time are related (a more expensive machine is able to break faster)
DES - Recommendations for Practice
• Alternative 1 (highly recommended): use another symmetric algorithm, especially AES
• Alternative 2 (not recommended, use only as an emergency option): use triple DES or 3DES (kolmekordne DES), with a keylength of 168 bits, which is not yet broken in practice
The last version of the DES standard, FIPS PUB 46-3 (October 1999), permits only the usage of triple DES, but the standard was valid only until 2005
Other Symmetric Algorithms?
There are also other symmetric algorithms which are not considered here (both older and newer algorithms)
If it’s necessary to use them, the following must be taken into account:
• whether the effective keylength is not less than 80 (128) bits
• whether there are no known effective cryptanalytic means
• whether the algorithm was published at least 3-4 years ago
Public-Key Cryptoalgorithm
Public-key cryptoalgorithm (avaliku võtmega krüptoalgoritm) or asymmetric cryptoalgorithm (asümmeetriline krüptoalgoritm) uses two keys – if we encrypt by one key, we can decrypt later by the other key
These keys are generated by a mathematical algorithm and are mathematically related to each other, but it is impossible in practice to derive one key from the other
Public-Key Cryptoalgorithm: Keys
The keys of a public-key cryptoalgorithm are usually called public key and private key (avalik võti ja privaatvõti)
• Public key is usually known to all parties (is public)
• Private key is usually known only to a subject or keypair owner (person, software, server, company, chipcard etc)
Public-Key Cryptoalgorithm: Usage
• For key exchange purposes. We can transmit a symmetric cryptoalgorithm’s key in an encrypted manner without any tamper-proof channel. We only need the public key to be really public
• For ensuring integrity. This is the main usage of public-key cryptoalgorithms (and even the main field of contemporary cryptography)
• Public-key cryptoalgorithms give the basic idea of a digital signature (digisignatuur, digiallkiri)
Public Key Algorithms: A Story
• Appeared in the late 1970s, earlier they were not known
• Were invented mainly by: Diffie, Hellman, Shamir, Adleman, Rivest
• Wide usage began in the 1980s
• Is the main mechanism for ensuring digital data integrity, serving also as a basis of the digital signature as a legal tool
Most-of-Spread Public-Key Cryptoalgorithm: RSA
The most-of-spread public-key cryptoalgorithm is RSA
Public and private key are mathematically related to each other, but finding the private key from the public key needs millions of years or even more
For RSA it is easy to calculate the public key from the private key, but it’s practically impossible (infeasible) to calculate the private key from the public key
RSA is considered to be practically secure with no less than 1024-bit keylength; for long-time security a 2048-bit keylength is preferred
Specifics of RSA
• Was invented by Rivest, Shamir and Adleman in 1978
• Security of RSA is based on the fact that factorization of a number with big factors is an infeasible (practically unsolvable) task
• Ensures practical security, doesn’t ensure theoretical security
• Breaking usually needs millions of years (depends on the keylength)
• Is very widely spread all around the world (most-of-spread public-key algorithm)
Keys of RSA
Differently from the symmetric cryptoalgorithms, an arbitrary bitstream can’t be used as a key. Keys must be generated by a special key generating algorithm
Such an “information redundancy” is the reason why the keys are so long in comparison with symmetric cryptoalgorithm keys (considered to be practically secure from 1024/2048-bit keylength)
RSA supports an arbitrary keylength
The most-of-spread keys are full powers of 2: (512), 1024, 2048, 4096 etc bits long
Mathematical background of RSA, I
An algorithm is called polynomial (of polynomial complexity) if for a task of length N the solution time is proportional to N^k with some fixed integer k
A polynomial algorithm is usually considered a good algorithm: as N grows, the solution time doesn’t grow very fast
Exponential (exponential complexity) algorithms are much worse: for a task of length N the solution time is proportional to 2^N
Exponential complexity algorithms are considered to be infeasible (practically unsolvable)
Mathematical background of RSA, II
Most practically usable algorithms are polynomial or good: a polynomial (time complexity) solving algorithm is known for them
For a couple of problems a polynomial algorithm isn’t known – these problems are infeasible (practically unsolvable)
Example 1: factorization of a composite number with big factors (the length of the task is log N, and it is necessary to examine N^(1/2) variants)
Example 2: finding a discrete logarithm: a = g^n (mod p), find n for given a, g and p (prime)
The security properties of RSA are based on these two facts (examples)
What is a ”Good” Algorithm and a “Good” Problem?
Edmonds’ postulate (1965): an algorithm is considered to be good if its time complexity can be represented by a polynomial O(n^k) in the input (task length), where k is some integer
Such algorithms are called polynomial complexity algorithms (polünomiaalse keerukusega algoritmid)
The problems for which such algorithms are known are called polynomial complexity problems (polünomiaalse keerukusega ülesanded)
Why the Limit of ”Goodness” Is Just a Polynomial?
• Polynomials are closed under addition and multiplication: the sum and/or product of polynomials is always again a polynomial:
O(n^k) + O(n^l) = O(n^max{k,l})
O(n^k) x O(n^l) = O(n^(k+l))
• All digital computers are polynomially related to each other
• Non-polynomials (factorial, exponent) grow drastically faster than polynomials
Exponential functions reach extremely big numbers from a certain value of the argument
If this happens already for a small input, then these tasks must be considered practically infeasible
RSA Keypair Generation
• Two big primes p and q (for a 1024-bit key, 512 bits long each) are generated
• Their product (called the RSA modulus) is calculated: n = p • q
• A number e is chosen such that it is relatively prime to (p-1)(q-1)
• A number d is chosen such that d • e = 1 mod (p-1)(q-1)
• Pair (n, e) is the public key
• Triple (p, q, d) is the private key
RSA Enciphering/Deciphering
• It is possible to encipher numbers (texts) which are less than n = pq (for 512-bit p and q: 1023 bits or 309 decimal digits)
• The enciphering process is a discrete exponent
Y = Cip(X) = X^d (mod n)
• Deciphering is also a discrete exponent
X = Decip(Y) = Y^e (mod n)
because
(X^d)^e = X (mod n)
regarding the fact that d and e have the property
d • e = 1 mod (p-1)(q-1)
Why RSA Is Practically Secure?
Statement 1: whoever knows the public key (n, e) and the plaintext X, but doesn’t know d, p and q, cannot calculate Y
Y = Cip(X) = X^d (mod n)
without p, q and d, i.e. can’t encipher
• In order to know d, one must know both p and q (by the definition)
• It is infeasible to calculate p and q from n: a polynomial algorithm isn’t known for factorization
Why RSA Is Practically Secure?
Statement 2: whoever knows the public key (n, e) and the ciphertext
Y = Cip(X) = X^e (mod n)
but doesn’t know d, p, q and X, can’t find the plaintext X
• Because X = Y^d (mod n), it is necessary to find d
• Finding d assumes that p and q are known or that the discrete logarithm can be calculated in practice
Practical Security of RSA
• The security of RSA is practical – theoretically everything is computable (by an exponential amount of calculations) but in practice it’s infeasible
• From the private key it’s very simple to find the public key
• It’s infeasible to find the private key from the public key
• Without having the private key it’s infeasible to encrypt so that it is decryptable by the public key
• If the message is encrypted by a public key, it’s infeasible to decrypt it by the public key
RSA: Main Concepts
• e is the public exponent (avalik eksponent)
• d is the secret exponent or private exponent (salajane eksponent, privaatne eksponent)
• A function whose inverse function is infeasible is called a one-way function (ühesuunaline funktsioon). Examples: multiplying two primes versus factorization; discrete exponent versus discrete logarithm
• A one-way function whose inverse becomes feasible when some additional information is known is called a trapdoor one-way function (salauksega ühesuunaline funktsioon). RSA is just such a trapdoor one-way function
RSA: Finding Primes
There exist practically usable prime number generators. Usually a random number is generated and its primality is tested
Most of these tests are based on the famous Euler-Fermat theorem: if a and n are relatively prime, then
a^Φ(n) = 1 (mod n)
where Φ(n) is the number of different numbers which are less than n and relatively prime to n. If n is a prime, then
Φ(n) = n-1
Based on this fact a series of primality tests can be generated
RSA: Practical Details of Algorithm
• For finding an appropriate e there are also some tests which ensure that it is relatively prime to (p-1)(q-1)
• The greatest common divisor can be checked by the Euclidean algorithm
• The other calculations (enciphering and deciphering) are a question of implementing modular arithmetic (can be done fast both in hardware and software)
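The prime search, the check on e and the computation of d described on the last two slides, as an added example that is not part of the lecture material: a Fermat primality test built directly on a^(n-1) = 1 (mod n), a “generate, then test” prime generator, Euclid’s gcd and its extended form for d = e^-1 mod (p-1)(q-1), and square-and-multiply modular exponentiation. All function names are this example’s own. Production code uses the Miller-Rabin test instead of the plain Fermat test, since Carmichael numbers pass the latter for every coprime base.

```python
import random

# Added example, not from the lecture slides: the building blocks the slides
# name for RSA key setup. Function names (mod_pow, is_probable_prime,
# random_prime, gcd, egcd, modinv) are this example's own.


def mod_pow(base: int, exp: int, mod: int) -> int:
    """Square-and-multiply: the 'implementation of modular arithmetic' that
    makes X^e mod n cheap even when e and n are hundreds of digits long."""
    result = 1
    base %= mod
    while exp > 0:
        if exp & 1:                      # consume one bit of the exponent
            result = (result * base) % mod
        base = (base * base) % mod
        exp >>= 1
    return result


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Fermat test: for prime n every a in [2, n-2] satisfies a^(n-1) = 1 (mod n)
    (Euler-Fermat with Phi(n) = n-1). One failing witness proves n composite;
    passing all rounds only makes primality probable, because Carmichael
    numbers fool this test for every coprime base (hence Miller-Rabin in
    production generators)."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        if mod_pow(a, n - 1, n) != 1:
            return False
    return True


def random_prime(bits: int) -> int:
    """Generate random odd candidates of exactly `bits` bits (top and bottom
    bit forced to 1) and keep the first one that passes the primality test."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def gcd(a: int, b: int) -> int:
    """Euclidean algorithm; gcd(e, (p-1)(q-1)) == 1 is the check on e."""
    while b:
        a, b = b, a % b
    return a


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(e: int, phi: int) -> int:
    """d = e^-1 (mod phi): the d with d*e = 1 mod (p-1)(q-1). The x from
    a*x + phi*y = 1 is exactly that inverse, reduced into [0, phi)."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e is not relatively prime to (p-1)(q-1)")
    return x % phi


if __name__ == "__main__":
    # Two 512-bit primes give the 1024-bit modulus the slides discuss.
    p, q = random_prime(512), random_prime(512)
    phi = (p - 1) * (q - 1)
    e = 65537
    print("n has", (p * q).bit_length(), "bits")
    print("gcd(e, phi) == 1:", gcd(e, phi) == 1)
    print("d*e mod phi == 1:", (modinv(e, phi) * e) % phi == 1)
```

Run as a script, the block builds a 1024-bit modulus in well under a second in plain Python, which matches the slides’ remark that keypair generation is feasible in software; all the cost is in the repeated modular exponentiations of the primality test.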
RSA: Practical Properties
• Enciphering and deciphering, which use modular arithmetic, are quite fast
• Despite this fact RSA is some thousands of times slower than symmetric algorithms (AES, IDEA, Blowfish etc)
• Keypair generation is much slower than enciphering/deciphering. However, it can be realized even in software within a couple of seconds
An Example (With Small Numbers)
• p = 61, q = 53 (primes)
• n = pq = 3233
• (p-1)(q-1) = 60 x 52 = 3120
• Choose e = 17 (relatively prime with 3120)
• Find d = e^-1 (mod (p-1)(q-1)) = 17^-1 (mod 3120) = 2753
• Public key is (3233, 17)
• Private key is (61, 53, 2753)
• Enciphering of plaintext X = 123:
Y = X^e (mod n) = 123^17 (mod 3233) = 855
• Deciphering:
X = Y^d (mod n) = 855^2753 (mod 3233) = 123
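The slide’s small-number run carried out in code, as an added example that is not from the lecture: keypair generation from the given p, q and e as on the “RSA Keypair Generation” slide, enciphering with the public exponent, deciphering with the private one, the range check that only numbers below n = pq can be enciphered, and the reverse order of exponents (d first, then e) that the “Why RSA Is Practically Secure” slides rely on. Function names are this example’s own; the modular inverse uses Python’s built-in pow(e, -1, m).

```python
# Added example, not part of the lecture: the slides' RSA run with
# p = 61, q = 53, e = 17. Function names are this example's own.


def make_keypair(p: int, q: int, e: int):
    """Keypair generation as on the slides: n = p*q, e relatively prime to
    (p-1)(q-1), d = e^-1 mod (p-1)(q-1). Public key (n, e), private (p, q, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # ValueError if gcd(e, phi) != 1
    return (n, e), (p, q, d)


def encipher(x: int, public_key) -> int:
    """Y = X^e mod n. Only numbers smaller than n = pq can be enciphered;
    a larger X would be reduced mod n and could not be recovered."""
    n, e = public_key
    if not 0 <= x < n:
        raise ValueError(f"plaintext {x} must lie in [0, {n})")
    return pow(x, e, n)


def decipher(y: int, private_key) -> int:
    """X = Y^d mod n with the secret exponent d from the private triple."""
    p, q, d = private_key
    return pow(y, d, p * q)


def private_then_public(x: int, public_key, private_key) -> int:
    """The other direction the slides describe: exponentiate with d first,
    then with e. (X^d)^e = X mod n as well, which is what lets the same
    trapdoor serve for signatures."""
    n, e = public_key
    _, _, d = private_key
    return pow(pow(x, d, n), e, n)


def run_slide_example():
    """Reproduce the slide: returns (public key, private key, Y, recovered X)."""
    public, private = make_keypair(61, 53, 17)
    y = encipher(123, public)
    x = decipher(y, private)
    return public, private, y, x


if __name__ == "__main__":
    public, private, y, x = run_slide_example()
    print("public key  (n, e)    =", public)    # (3233, 17)
    print("private key (p, q, d) =", private)   # (61, 53, 2753)
    print("Y = 123^17 mod 3233   =", y)         # 855
    print("X = 855^2753 mod 3233 =", x)         # 123
    print("(123^d)^e mod n       =", private_then_public(123, public, private))
```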
Secure Usage of RSA
• RSA supports any keylength (length of pq)
• RSA is considered to be practically secure from a 1024-bit keylength, for long-term security from a 2048-bit keylength
• The most-used values of keylength are (512, 768), 1024, 2048 and 4096 bits (the first two are already practically insecure)
• 1024-bit key: a composite number of 310 decimal digits which has two 155-digit prime factors
Cryptanalysis of RSA, I
• Factorization of a 70-digit number needs some minutes on a typical personal computer
• Factorization of a 100-digit number – less than a day
• A 140-digit number was factorized in 1996 within 5 years by the common efforts of many computers
• The biggest factorized number (AD 2009) is a 232-digit number (768-bit number)
Cryptanalysis of RSA, II
• Factorization of a 300-digit number (1024-bit RSA) needs some millions of years (even if we involve cloud computing possibilities)
• It is suspected that after 5-10 years 1024-bit RSA might be practically insecure. But 2048/4096-bit RSA will probably still remain secure
• A powerful quantum computer can also factorize RSA with a small keylength, but not yet RSA with a 1024-bit keylength
Practical Aspects of RSA
• Was for a long time patented in the U.S.: Patent #4,405,829 was issued on September 20th, 1983
• The patent expired after 17 years, i.e. in 2000
• The description of the algorithm is public, as are a couple of different software realizations (some of them with source code)
• Hardware realizations are usually hundreds of times faster than software realizations
Collaboration of RSA with Symmetric Cryptoalgorithms
RSA is unsuitable for the encryption of long plaintexts
• If we use RSA for key exchange purposes, we must encrypt only the symmetric algorithm’s key
• If we use RSA for digital signature (integrity) purposes, it is always used together with cryptographic hash algorithms. Therefore, only the hash value is actually encrypted (signed) by RSA
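An added example (not part of the lecture) of the two collaborations described on this slide: signing only a SHA-256 digest with the private exponent, RSA-encrypting only a 128-bit symmetric key, and a check that shows why a long plaintext cannot go through RSA directly. The key is constructed for the demonstration from the two Mersenne primes 2^521 - 1 and 2^607 - 1, chosen only because their primality is certain; such recognisable primes are unusable for a real key, whose factors must come from a random prime generator, and real deployments also add PKCS#1 padding rather than using the textbook exponentiation shown here. Function names are this example’s own.

```python
import hashlib
import secrets

# Added example, not the lecture's code: RSA combined with a hash function
# (sign only the digest) and with a symmetric algorithm (encrypt only the
# symmetric key). Textbook RSA without padding keeps the slides' formulas
# visible; deployed systems add PKCS#1 padding on top of this.
#
# Constructed demonstration key: the factors are the Mersenne primes
# 2^521 - 1 and 2^607 - 1, used only because their primality is certain.
# Such recognisable primes are useless for a real key (p and q must come
# from a random prime generator); the ~1128-bit modulus is merely large
# enough to hold a 256-bit digest or a 128-bit symmetric key.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def sign(message: bytes) -> int:
    """Hash the whole message, then apply the private exponent to the digest
    only: S = H(m)^d mod n. RSA never sees the long plaintext itself."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, D, N)


def verify(message: bytes, signature: int) -> bool:
    """Anyone holding (n, e) recomputes H(m) and checks S^e mod n == H(m)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, E, N) == digest


def wrap_key(sym_key: bytes) -> int:
    """Key exchange: only the short symmetric key is RSA-encrypted."""
    k = int.from_bytes(sym_key, "big")
    if k >= N:
        raise ValueError("symmetric key must be smaller than the modulus")
    return pow(k, E, N)


def unwrap_key(wrapped: int, key_len: int) -> bytes:
    """The keypair owner recovers the symmetric key with d."""
    return pow(wrapped, D, N).to_bytes(key_len, "big")


def fits_in_one_rsa_block(plaintext: bytes) -> bool:
    """Why long plaintexts are not RSA-encrypted directly: a message whose
    integer value is >= n is reduced mod n and cannot be recovered."""
    return int.from_bytes(plaintext, "big") < N


if __name__ == "__main__":
    msg = b"Lecture IX: asymmetric cryptoalgorithms"   # constructed sample
    s = sign(msg)
    print("signature verifies:        ", verify(msg, s))           # True
    print("tampered message verifies: ", verify(msg + b"!", s))    # False
    aes_key = secrets.token_bytes(16)                               # 128-bit key
    print("key round-trips:           ", unwrap_key(wrap_key(aes_key), 16) == aes_key)
    print("2 KiB plaintext fits RSA:  ", fits_in_one_rsa_block(b"x" * 2048))  # False
```

The symmetric key recovered by unwrap_key is what a receiver would feed to AES (or another block/stream cipher from the earlier slides) for the bulk data; RSA’s only jobs in the exchange are the single key-wrapping exponentiation and the single digest-signing exponentiation.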