ISA 562 Information Security Theory & Practice
Public Key Cryptosystem
Chapter 9 of Bishop's Book


          Outline

- Background
- Diffie-Hellman
- RSA
- Cryptographic Checksums


          History

Concept conceived by Diffie and Hellman in 1976

Rivest, Shamir and Adleman (RSA) were first to describe a public key system in 1978

Merkle and Hellman published a different solution later in 1978 (broken by Shamir)


          The Big Picture

[Figure: A runs the encryption algorithm on the plaintext with B's public key, which A obtained over a reliable channel; the ciphertext crosses an insecure channel to B, who runs the decryption algorithm with B's private key to recover the plaintext.]


          The Basic Idea

Confidentiality: encipher using public key, decipher using private key

Integrity/authentication: encipher using private key, decipher using public key

[Figure: the encryption/decryption diagram between A and B with B's public and private keys, plaintext and ciphertext, annotated 'Signature'.]


          Requirements

The keys and algorithms must meet these requirements
- Must be computationally easy to encipher or decipher
- Must be computationally infeasible to derive the private key from the public key
- Must be computationally infeasible to determine the private key from a chosen plaintext attack

Different from those of secret key cryptosystem except the first requirement

Why another cryptosystem?


          Motivation 1- Key Distribution Problem

In a secret key cryptosystem, the secret key must be transmitted via a secure channel
- Inconvenient: n parties want to communicate with each other, how many keys need to be transmitted?
- Insecure: is the secure channel really secure?

Public key cryptosystem solves the problem
- Public key known by everyone (telephone directory)
- Private key is never transmitted


          Motivation 2- Digital Signature

In a secret key cryptosystem, authentication and non-repudiation may be difficult
- Authentication: you must share a secret key with someone in order to verify his signature
- Non-repudiation: "I didn't sign it. You did since you also have the key"

Public key cryptosystem solves the problem
- Verification of signature needs only the public key
- One is solely responsible for his private key


          Required number theory

If a = b + kn for some integer k
- We write b = a mod n (namely, a is congruent to b modulo n, and b is the residue of a modulo n)
- Examples: 2 = 12 mod 5, 2 = 12 mod 10, 0 = 12 mod 6

Properties
- (a O b) mod n = ((a mod n) O (b mod n)) mod n, where O is +, -, *
- $3^5 \bmod 7 = (3 \cdot 3 \cdot 3 \cdot 3 \cdot 3) \bmod 7 = ((3 \cdot 3 \bmod 7)(3 \cdot 3 \bmod 7)(3 \bmod 7)) \bmod 7$
- Needed when enciphering/deciphering


          More of the same…

A prime number is a positive integer having exactly one positive divisor other than 1. E.g. 3, 5, 7, 11, 13…

a and b are relatively prime if they have no common positive factors other than 1. E.g. 1 and 2, 2 and 3, 3 and 4, but not 2 and 4

The totient function $\phi(n)$ gives the number of integers between 1 and n-1 that are relatively prime to n. E.g. $\phi(10) = 4$ (1, 3, 7, 9 are relatively prime to 10)


          Still More Math

Euler's Totient Theorem
- $1 = a^{\phi(n)} \bmod n$, where a and n are relatively prime
- Example: $3^{\phi(10)} \bmod 10 = 3^4 \bmod 10 = 81 \bmod 10$
- Example: $10^{\phi(3)} \bmod 3 = 10^2 \bmod 3 = 100 \bmod 3$

Fermat's Little Theorem
- $a^{p-1} = 1 \bmod p$, where p is prime and relatively prime to a
- Notice $\phi(p) = p-1$


          Outline

- Background
- Diffie-Hellman
- RSA
- Cryptographic Checksums


          Diffie-Hellman Key Exchange Scheme

Proposed in 1976 as the first public key algorithm (predates RSA)

Allows users to agree on a secret key over insecure channels with no prior communication

The secret key can thus be used to encrypt or decrypt messages (e.g., SSL 3.0, IPsec)

[Figure: A and B establish key K over an insecure channel.]


          Discrete Logarithm Problem

D-H is based on the discrete logarithm problem
- Given integers n and g and prime number p, compute k such that $n = g^k \bmod p$
- In general computationally infeasible

Choices for g and p are critical
- Both p and (p–1)/2 should be prime
- p should be large (at least 512 bits, possibly 1028 bits)
- g should be a primitive root mod p


          Diffie-Hellman Key Exchange Scheme

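1. A and B agree on p and g with 1 < g < p
2. A chooses x and sends $X = g^x \bmod p$ to B
3. B chooses y and sends $Y = g^y \bmod p$ to A
4. A computes $k = Y^x \bmod p$; B computes $k' = X^y \bmod p$
5. $k = k' = g^{xy} \bmod p$

An observer of the channel knows p, g, X, and Y, but not x or y or k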


          Quiz

p = 7 and g = 5

Alice chooses x = 2 and sends X = ?

Bob chooses y = 3 and sends Y = ?

Shared key: k = ? k' = ? ($g^{xy} \bmod p$ = ?)


          Man-in-the-middle Attack

[Figure: an active intruder C sits between A and B and ends up sharing key K1 with A and key K2 with B.]
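The exchange and the man-in-the-middle case from the two slides above, as an added example that is not part of the original slides. The toy parameters (p = 23, g = 5), the secrets, and the names `c_a` and `c_b` for the intruder's two secrets are assumptions made for this illustration.

```python
# Added example, not from the slides. Toy parameters (constructed): p = 23 is a
# safe prime ((p-1)/2 = 11 is prime) and g = 5 is a primitive root mod 23.

def dh_public(g, p, secret):
    """Value sent over the insecure channel: g^secret mod p."""
    return pow(g, secret, p)


def dh_key(peer_public, secret, p):
    """Key derived locally from the peer's public value and our own secret."""
    return pow(peer_public, secret, p)


def honest_exchange(p, g, x, y):
    """A and B exchange X and Y directly."""
    X, Y = dh_public(g, p, x), dh_public(g, p, y)
    return {"X": X, "Y": Y, "k_A": dh_key(Y, x, p), "k_B": dh_key(X, y, p)}


def intercepted_exchange(p, g, x, y, c_a, c_b):
    """Active intruder C swaps both public values in transit.

    c_a and c_b are C's secrets for the A-side and B-side exchanges
    (hypothetical names, not from the slides).
    """
    X, Y = dh_public(g, p, x), dh_public(g, p, y)
    fake_for_a = dh_public(g, p, c_a)   # delivered to A in place of Y
    fake_for_b = dh_public(g, p, c_b)   # delivered to B in place of X
    return {
        "k_A": dh_key(fake_for_a, x, p),  # A believes this is shared with B
        "k_B": dh_key(fake_for_b, y, p),  # B believes this is shared with A
        "K1": dh_key(X, c_a, p),          # C's key with A
        "K2": dh_key(Y, c_b, p),          # C's key with B
    }


P, G = 23, 5
honest = honest_exchange(P, G, x=6, y=15)
mitm = intercepted_exchange(P, G, x=6, y=15, c_a=7, c_b=3)
```

Nothing in the values A and B receive distinguishes the two runs, which is why the exchanged public values have to be authenticated.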


          Outline

- Background
- Diffie-Hellman
- RSA
- Cryptographic Checksums


          RSA In Summary

Key Generation
- Choose public key (n,e)
- Compute private key (n,d)

Encryption $C = M^e \bmod n$

Decryption $M = C^d \bmod n$

Underlying theory: Euler's Totient Theorem


          Key Generation

Choose 2 large (512 bit) prime numbers p and q

Compute n = p * q

Choose e relatively prime to (p-1)*(q-1)

Compute d such that 1 = e*d mod (p-1)*(q-1)

Publish (n,e) and keep (n,d) (discard p, q)


          Key Generation (Cont’d)

Large primes can be found efficiently using probabilistic algorithms due to Solovay and Strassen

d can be computed using the Extended Euclidean Algorithm (Textbook 31.2)

Care must be exercised in choosing p and q, otherwise insecurities may result (p-1, p+1, q-1, q+1 should have large prime factors)


          Key Generation - Example

p = 7, q = 11, so n = 77 and (p-1)(q-1) = 60

Alice chooses e = 17, computing d = 53 (17*53=901)

publish (77,17) and keep (77,53) secret


          Encryption/Decryption

Encryption $C = M^e \bmod n$

Decryption $M = C^d \bmod n$

Underlying theory

$C^d \bmod n = (M^e \bmod n)^d \bmod n = M^{ed} \bmod n$

$= M^{1 \bmod (p-1)(q-1)} \bmod n$

$= M^{(p-1)(q-1) i + 1} \bmod n$

$= (1^i \cdot M) \bmod n$ (by Fermat's Little Theorem)

$= M \bmod n = M$ (require M < n; M relatively prime to n)


          Example: Encryption

p = 7, q = 11, n = 77

Alice chooses e = 17, making d = 53

Bob wants to send Alice secret message HELLO (07 04 11 11 14)
- $07^{17} \bmod 77 = 28$
- $04^{17} \bmod 77 = 16$
- $11^{17} \bmod 77 = 44$
- $11^{17} \bmod 77 = 44$
- $14^{17} \bmod 77 = 42$

Bob sends 28 16 44 44 42


          Example: Decryption

Alice receives 28 16 44 44 42

Alice uses private key, d = 53, to decrypt message:
- $28^{53} \bmod 77 = 07$
- $16^{53} \bmod 77 = 04$
- $44^{53} \bmod 77 = 11$
- $44^{53} \bmod 77 = 11$
- $42^{53} \bmod 77 = 14$

Alice translates 07 04 11 11 14 to HELLO
- No one else could read it, as only Alice knows her private key and that is needed for decryption


          Digital Signatures in RSA

RSA has an important property, not shared by other public key systems

Encryption and decryption are symmetric
- Encryption followed by decryption yields the original message: $(M^e \bmod n)^d \bmod n = M$
- Decryption followed by encryption also yields the original message: $(M^d \bmod n)^e \bmod n = M$
- Because e and d are symmetric in e*d = 1 mod (p-1)*(q-1)


          Digital Signatures in RSA

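[Figure: A computes the signature $C = M^d \bmod n$ with A's private key d and sends plaintext M together with ciphertext C (the signature) to B; B, who received A's public key e over a reliable channel, computes $M' = C^e \bmod n$ and checks whether M' matches M.]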


          Compared To Encryption in RSA

[Figure: A computes ciphertext $C = M^e \bmod n$ with B's public key e, received over a reliable channel, and sends C to B; B recovers plaintext $M = C^d \bmod n$ with B's private key d.]


          Signature and Encryption

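[Figure: A applies D with A's private key to the plaintext to produce the signed plaintext, then E with B's public key to produce the encrypted signed plaintext; B applies D with B's private key to recover the signed plaintext, then E with A's public key to recover the plaintext.]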


          Signature and Encryption

We could do the encryption first followed by the signature.

Signature first has the advantage that the signature can be verified by parties other than B.


          Example: Sign

Take p = 7, q = 11, n = 77

Alice chooses e = 17, making d = 53

Alice wants to send Bob message HELLO (07 04 11 11 14) so Bob knows it is from Alice, and it has not been modified in transit
- $07^{53} \bmod 77 = 35$
- $04^{53} \bmod 77 = 09$
- $11^{53} \bmod 77 = 44$
- $11^{53} \bmod 77 = 44$
- $14^{53} \bmod 77 = 49$

Alice sends 35 09 44 44 49


          Example: Verify

Bob receives 35 09 44 44 49

Bob uses Alice's public key, e = 17, n = 77, to decrypt message:
- $35^{17} \bmod 77 = 07$
- $09^{17} \bmod 77 = 04$
- $44^{17} \bmod 77 = 11$
- $44^{17} \bmod 77 = 11$
- $49^{17} \bmod 77 = 14$

Bob translates 07 04 11 11 14 to HELLO
- (Assume) only Alice has her private key, so no one else could have been able to create a correct signature
- The (deciphered) signature matches the transmitted plaintext, so the plaintext is not altered
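The key generation, encryption and signature examples above, carried through in code as an added example (not from the slides or from Bishop's book). The function names are chosen here, and letters are encoded A=00 through Z=25, which is the encoding that HELLO = 07 04 11 11 14 implies.

```python
# Added example, not from the slides: textbook RSA with the slides' toy key.
# Function names are chosen here. Unpadded, per-letter RSA is for study only.

def egcd(a, b):
    """Extended Euclid: return (g, s, t) with a*s + b*t == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def keygen(p, q, e):
    """Return ((n, e), (n, d)) with e*d = 1 mod (p-1)*(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, s, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be relatively prime to (p-1)*(q-1)")
    return (n, e), (n, s % phi)


def apply_key(key, blocks):
    """Raise every block to the key's exponent mod n (encipher, decipher, sign)."""
    n, exponent = key
    if any(not 0 <= m < n for m in blocks):
        raise ValueError("every block must satisfy 0 <= M < n")
    return [pow(m, exponent, n) for m in blocks]


def encode(text):
    """A=00 ... Z=25, the encoding implied by HELLO = 07 04 11 11 14."""
    return [ord(c) - ord("A") for c in text]


def decode(blocks):
    return "".join(chr(b + ord("A")) for b in blocks)


def verify(public, blocks, signature):
    """Accept only if the deciphered signature equals the received plaintext."""
    return apply_key(public, signature) == blocks


public, private = keygen(7, 11, 17)
hello = encode("HELLO")
cipher = apply_key(public, hello)        # Bob -> Alice, confidentiality
signature = apply_key(private, hello)    # Alice -> Bob, integrity/authentication
```

The repeated 44 in both outputs shows that unpadded, letter-by-letter RSA is deterministic: equal plaintext blocks always produce equal ciphertext blocks.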


          Example: Both

Alice wants to send Bob message HELLO both enciphered and signed

Alice's keys: public (17, 77); private: 53

Bob's keys: public: (37, 77); private: 13

Alice does (does she encipher first or sign first?)
- $(07^{53} \bmod 77)^{37} \bmod 77 = 07$
- $(04^{53} \bmod 77)^{37} \bmod 77 = 37$
- $(11^{53} \bmod 77)^{37} \bmod 77 = 44$
- $(11^{53} \bmod 77)^{37} \bmod 77 = 44$
- $(14^{53} \bmod 77)^{37} \bmod 77 = 14$

Alice sends 07 37 44 44 14

What would Bob do upon receiving the message?


          Security of RSA

Cryptanalysis is to compute d while knowing (e, n) such that e*d = 1 mod (p-1)(q-1), and n=pq, for some p and q (the factorization is unique)
- If factorization of n into p*q is known, this is easy (Extended Euclidean Algorithm). Otherwise, it is hard.

Therefore security of RSA is no better than complexity of the factoring problem
- Is the factoring problem provably hard (e.g., undecidable)? No
- However, the possibility of an easy factoring method is believed to be remote.


          

          RSA Versus DES

Fastest implementations of RSA can encrypt kilobits/second

Fastest implementations of DES can encrypt megabits/second

It is often proposed that RSA be used for secure exchange of DES keys

This 1000-fold difference in speed is likely to remain independent of technology advances

Matters more in wireless/ad hoc/sensor network


          RSA Versus DES

Key size of RSA is selected by the user
- Many implementations choose n to be 154 digits (512 bits) so the key (n,e) is 1024 bits

Key size of DES is 64 bits (56 bits plus 8 parity bits)


          RSA Key Size

Key size should be chosen conservatively
- Cryptographers can stay ahead of (factorization) cryptanalysts by increasing the key size

Until 1989 factorization attacks were based on "high school mathematics." Since then sophisticated attacks have extended factorization to larger numbers (usually of a specific form).

At present it appears that 130 digit numbers can be factored in several months using lots of idle workstations.


          Outline

- Background
- Diffie-Hellman
- RSA
- Cryptographic Checksums


          One-way Hash Functions

Also known as message digest

A function H(M) = m satisfies
- (Fixed length): M can be of any length, whereas m is of fixed length
- (One-way): computing H(M)=m is easy, but computing $H^{-1}(m) = M$ is computationally infeasible
- (Collision-free): in two forms
  - Weak collision-freedom: given any M, difficult to find another M' such that H(M)=H(M')
  - Strong collision-freedom: difficult to find any M and M' such that H(M)=H(M')


          Why Those Requirements?

Many applications store H(p) instead of a password p
- Fixed length: cannot guess the length of p from H(p) (and H(p) is easier to store)
- One-way: the administrator cannot learn p of others
- Collision-free: cannot submit incorrect p matching H(p)

Most applications sign H(M) instead of M


          Example

ASCII parity bit
- ASCII has 7 bits; 8th bit is “parity”
- Even parity: even number of 1 bits
- Odd parity: odd number of 1 bits

Bob receives “10111101”
- If sender is using even parity: six ‘1’ bits, so character was received correctly
  - Note: could be garbled, but 2 bits would need to have been changed to match parity bit
- If sender is using odd parity: even number of 1 bits, so character was not received correctly


          Hash Functions In Practice

- DES based hash functions tend to produce 64 bit digest which cannot be strong
- CCITT X.509 (proven insecure)
- Merkle's Snefru: 2-pass version proven insecure; 4-pass version unproven
- Jueneman's methods: broken and refined and broken and refined
- NIST Secure Hash Algorithm
- RSA: MD2, MD4, MD5, SHA-0, SHA-1, SHA-2 (SHA-224, SHA-256, SHA-384, and SHA-512)


          “Hash Functions Broken” ?

Crypto 2004 Rump session reported attacks on MD4, MD5 and SHA-0
- MD4's attacks are done by hand

Crypto 2005 reported attacks on full SHA-1

Should we panic?

Xiaoyun Wang’s webpage: http://www.infosec.sdu.edu.cn/people/wangxiaoyun.htm


          “Hash Functions Broken” ? (Cont’d)

Nature of the results
- Algorithm that finds collision faster than theoretic bound
- MD5 about one hour; SHA-1 $2^{63}$ vs $2^{80}$ (theoretically)

Yes, the results disprove those functions to be strong collision-free

No, they do not give you a password from its hash

Brute force attacks do (refer to http://passcracking.com/)

Whether you should panic or not depends on what you use the hash functions for

Xiaoyun Wang’s webpage: http://www.infosec.sdu.edu.cn/people/wangxiaoyun.htm


          Hash Functions Vs MAC

Send a message M together with its hash h=H(M), so the recipient can verify M by comparing H(M) with the received h
- Attack: If anyone in the middle can replace M with M' and h with h'=H(M'), the recipient won't detect this

Keyed hash functions
- Also known as message authentication codes (MAC)
- Example: DES in CBC mode: use a key to encipher message in CBC mode and use last n bits as the MAC value.


          HMAC

Build MAC from keyless hash functions
- Encryption algorithms cannot be exported

Definitions
- h: keyless hash function
- k: a cryptographic key, padded with 0
- ipad: 00110110 repeated
- opad: 01011100 repeated

$\text{HMAC}_h(k, m) = h(k \oplus \text{opad} \,\|\, h(k \oplus \text{ipad} \,\|\, m))$, where $\oplus$ is exclusive or and $\|$ is concatenation
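The HMAC formula above and the replacement attack from the "Hash Functions Vs MAC" slide, as an added example that is not part of the original slides. SHA-256 as the keyless hash h, the function names, and the key and messages are assumptions constructed for this illustration.

```python
# Added example, not from the slides: the HMAC formula built from a keyless
# hash (SHA-256 chosen here) and checked against Python's hmac module.
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C  # 00110110 and 01011100, repeated over one hash block


def hmac_from_hash(key, message, hash_name="sha256"):
    """h(k XOR opad || h(k XOR ipad || m)) with k zero-padded to the block size."""
    def h(data):
        return hashlib.new(hash_name, data).digest()

    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:        # RFC 2104: over-long keys are hashed first
        key = h(key)
    key = key.ljust(block_size, b"\x00")
    inner = h(bytes(b ^ IPAD for b in key) + message)
    return h(bytes(b ^ OPAD for b in key) + inner)


def accepts_plain_hash(message, tag):
    """Receiver that only compares H(M) with the received h."""
    return hmac.compare_digest(hashlib.sha256(message).digest(), tag)


def accepts_mac(key, message, tag):
    """Receiver holding the shared key: recomputes the MAC over what arrived."""
    return hmac.compare_digest(hmac_from_hash(key, message), tag)


# Constructed sample data.
KEY = b"shared-secret-constructed"
M = b"transfer 10 to account 42"
M_REPLACED = b"transfer 9000 to account 7"
H_REPLACED = hashlib.sha256(M_REPLACED).digest()  # h' = H(M'), needs no key
```

The replaced pair (M', h') passes the plain-hash receiver because anyone can compute H(M'); the keyed receiver rejects it because producing a valid tag for M' requires the key.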


          Key Points

- Public key cryptosystems have two keys
- Diffie-Hellman exchanges secret key via insecure channel
- RSA can be used for confidentiality and integrity
- Cryptographic Checksums are keyed hash functions