Bishop, Chapter 9 PublicKey Cryptography - PowerPoint PPT Presentation

Slides: 24
Provided by: Steve57

Transcript and Presenter's Notes

1
Bishop, Chapter 9 Public-Key Cryptography
  • The essential question: how can you trust
    communication with a trusted partner, when the
    communication is taking place in an untrustworthy
    environment?
  • eavesdroppers want to intercept the message
  • fraudsters want to change the message
  • con artists want to assume the identity of the
    trusted partner
  • scammers want to repudiate a message (either
    transmission or contents)
  • Answer 1 is via a secret key: Alice sends a
    message to Bob via a symmetric key cipher; she
    and Bob share the key
  • no eavesdropper can read the message
  • nobody but Alice can send Bob a message
  • nobody can change the message
  • Alice can't claim she never sent the message

2
PK Problem Statement (cont.)
  • Problems with the symmetric-key system
  • the key exchange problem
  • especially with somebody you don't already know
  • overhead associated with setting up the keys
  • appropriate (only?) when you need to have
    repeated secure exchanges with the same
    individual
  • ATM transaction information
  • diplomatic secrets

3
Key Exchange using Symmetric Cryptography
  • Suppose we have a trusted third party (the Key
    Distribution Center, aka Trent). Alice and Bob
    have registered secret keys with Trent. Alice
    wants to send a message to Bob
  • Alice contacts Trent and requests a session key
    for Bob
  • Trent generates a random key (the session key).
    He encrypts it once with Alice's secret key and
    once with Bob's secret key, and sends both copies
    to Alice.
  • Alice decrypts her copy of the session key
  • Alice sends Bob his copy of the session key,
    which he decrypts
  • Alice and Bob communicate using DES (or some
    other symmetric key method) and this session key
  • Eve cannot read the messages because she does not
    know the session key (having seen it only in
    encrypted form)
  • Problems with this approach?

4
Public-Key Encryption -- The Essential Idea
  • Alice wants to send a message to Bob
  • She finds Bob's public key in a database (some
    information about Bob also known to Eve)
  • She encrypts the message using a combination of
  • Bob's public key
  • Alice's private key
  • Bob receives the message and decrypts it using a
    combination of
  • Bob's private key
  • Alice's public key
  • Note (in contrast to DES) that encryption and
    decryption are asymmetric in the information they
    require

5
The Required Mathematical Properties
  • Asymmetry: a function that is easy to compute in
    the "forward" direction, but is hard to compute
    in the inverse direction
  • breaking a dinner plate is easy, putting it back
    together is hard
  • exponentiation modulo a large prime number is
    easy; logarithm modulo a large prime is hard
  • multiplying two large primes is easy, breaking a
    large number into its prime factors is hard
  • Trapdoor: some additional information that
    enables the inverse operation
  • taking a watch apart is easy, putting it back
    together is hard
  • unless you have the assembly manual

6
Background: Groups, Generators, and Primitive
Elements
  • Let p be a large prime number (2000 bits ≈ 600
    digits)
  • Recall how to add and multiply modulo p (suppose
    p = 7)
  • 3 + 6 (mod p) = 9 mod p = 2
  • 3 + 4 (mod p) = 7 mod p = 0
  • 6 × 6 (mod p) = 36 mod p = (7×5 + 1) mod p = 1
  • Notice that there's no way that multiplication
    mod p can have result 0 provided
  • operands are taken from the set {1, ..., p-1}
  • p is prime
  • The multiplicative group modulo p is
  • the set {1, ..., p-1}
  • the "multiplication modulo p" operator
  • (this set is closed under the multiplication
    operator)

7
Primitive Elements of a Group
  • First consider some group (e.g. the
    multiplicative group modulo 7 from the previous
    slide: a set and an operator)
  • Consider a number g from the group, and the
    sequence g^0, g^1, g^2, ...
  • if p = 7 and g = 2, then we have 1, 2, 4, 1, 2, 4,
    ...
  • if g = 3 we have 1, 3, 2, 6, 4, 5, 1, 3, 2, ...
  • if g = 1 we have 1, 1, 1, 1, ...
  • Because the set is closed under the operation,
    the sequence always falls in the set. And
    therefore, at some point the sequence must
    repeat.
  • If g generates the entire set, g is a primitive
    element of the group
  • if p is prime, a primitive element is guaranteed
    to exist
  • (More later about finding good primes and
    generators as they apply to a particular
    encryption protocol.)

8
The Diffie-Hellman Key-Exchange Protocol
  • Alice and Bob jointly and publicly choose a prime
    p and g, a primitive element in the
    multiplicative group mod p
  • Alice chooses a random number x from 1, ..., p-1;
    she remembers x but sends g^x to Bob
  • Bob likewise chooses a random number y from 1,
    ..., p-1; he remembers y but sends g^y to Alice
  • Alice calculates K = g^(xy) using the formula
    g^(xy) = g^(yx) = (g^y)^x
  • Bob calculates K = g^(xy) using the formula
    g^(xy) = (g^x)^y
  • Alice and Bob use K as their shared key
  • Now, Eve knows p, g, g^x, and g^y. Does she know K
    too? Why or why not?

9
Why Does This Work?
  • It's simply a one-way function.
  • Computing g^x (mod p) from x is easy (discrete
    exponentiation)
  • Computing x from g^x (mod p) is hard (depending on
    p)
  • discrete logarithm is in general difficult, but
    is easier if, for example (p-1) is the product of
    small primes
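
The group facts and the exchange from the last three slides, as an added example that is not part of the original slides. The prime 10007 and all function names are constructed for illustration; the exhaustive search stands in for Eve and only terminates quickly because the prime is tiny.

```python
import secrets

def order(g, p):
    """Length of the cycle g^0, g^1, g^2, ... before it returns to 1."""
    k, v = 1, g % p
    while v != 1:
        v = (v * g) % p
        k += 1
    return k

def is_primitive(g, p):
    """g is primitive iff its powers cover all of {1, ..., p-1}."""
    return order(g, p) == p - 1

def first_primitive(p):
    return next(g for g in range(2, p) if is_primitive(g, p))

def dh_keypair(g, p):
    """Secret exponent and the public value g^secret mod p."""
    secret = secrets.randbelow(p - 2) + 1        # 1 .. p-2
    return secret, pow(g, secret, p)

def dh_shared(their_public, my_secret, p):
    return pow(their_public, my_secret, p)

def discrete_log(g, target, p):
    """Exhaustive search for x with g^x = target; feasible only for toy p."""
    v = 1
    for x in range(p - 1):
        if v == target:
            return x
        v = (v * g) % p
    raise ValueError("target is not a power of g")

def demo(p=10007):                               # constructed toy prime
    g = first_primitive(p)
    x, gx = dh_keypair(g, p)                     # Alice sends gx
    y, gy = dh_keypair(g, p)                     # Bob sends gy
    k_alice = dh_shared(gy, x, p)                # (g^y)^x
    k_bob = dh_shared(gx, y, p)                  # (g^x)^y
    # Eve saw p, g, gx, gy; with a prime this small she can invert g^x.
    k_eve = dh_shared(gy, discrete_log(g, gx, p), p)
    return k_alice, k_bob, k_eve
```

With a 2048-bit prime the same search would need on the order of p steps, which is why the size guidance on the later slide matters.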

10
DH and Man in the Middle Attacks
  • MMA: Eve intercepts all correspondence. To
    Alice she pretends to be Bob, and to Bob she
    pretends to be Alice. What can she do?

11
DH and positive authentication
  • The real problem here is that Bob and Alice never
    have to verify their identities, and man in the
    middle works because the initial parameter
    exchange Several solutions
  • Use a "public phone book" to store the g^x and g^y
    values. If positive verification is required for
    Bob and Alice to store their g^z values, then B
    and A can be confident that they are
    corresponding using their real keys.
  • Require positive identification in the sense that
  • you are talking to Bob
  • Bob knows the key k
  • (how can Bob convince Alice that he knows k
    without actually revealing it?)

12
How Big Should the Prime Be?
  • This mostly depends on how long you want your
    data to be secure for. (How long would it take a
    dedicated attacker with a lot of computing power
    to break the code, given a brute-force attack on
    many ciphertext examples?)
  • General rule of thumb is that the attacker should
    have to make at least 2^128 attempts, and in that
    case the prime should be about 6800 bits long
  • this is almost certainly impossible for
    performance reasons
  • (Another caution is not to confuse key size in
    symmetric-key systems with prime size in
    public-key systems.)
  • General advice (J. Cryptography 2001)
  • 2048 bits gets you to 2022; 4096 lasts until
    2050
  • at minimum a 650-digit number

13
Exercise for Today
  • Alice (the left side of the room) has an
    important message to deliver to Bob (the right
    side of the room). Eve (the center of the room)
    is trying to intercept it
  • The message will be delivered to Alice secretly
  • Alice and Bob can have private conversations
    among themselves, but all conversations between
    Alice and Bob must be done in the presence of
    Eve, and likewise any paper passed between Alice
    and Bob must be given to Eve
  • If Bob can decode the message in ½ hour, Bob and
    Alice get 10 extra credit points
  • If Eve can decode the message in 24 hours, Eve
    gets 50 extra credit points

14
The Puzzle
  • You want to send a diamond to your friend Alice.
  • You and Alice both have an unlimited number of
    boxes, each with a combination lock. You know the
    combination of your boxes only, and Alice knows
    the combination of her boxes only. All boxes are
    initially open.
  • The diamond will fit in any box, and boxes can
    hold other boxes
  • You want to send a diamond to your friend Alice
  • An open box invites Eve to steal its contents,
    but Eve will never steal a box (locked or
    otherwise)
  • Devise a protocol involving sending boxes between
    you and Alice that allows the diamond to be
    delivered to Alice, and allows Alice but not Eve
    to get the diamond

15
The RSA Algorithm
  • RSA and DH are similar in that they rely on a
    one-way function, but differ in that
  • the one-way function is different
  • RSA relies on "trapdoor" information as well
  • For RSA
  • numbers n and e are public; n is a large number
    that is the product of two primes
  • given a message m it's easy to encrypt by
    computing m^e (mod n); exponentiation modulo a
    large number is easy
  • but it's difficult to decrypt (recover m from
    m^e (mod n)); logarithm modulo a large number is
    difficult
  • unless you know the factorization of n, in which
    case it's easy
  • but factoring large primes is hard

16
RSA Protocol
  • Bob wants to receive a message from Alice
  • Bob chooses two different large primes, p and q.
    Let n = pq
  • Bob chooses two different exponents e and d with
    the following property
  • ed ≡ 1 mod φ(n), where φ(n) = (p-1)(q-1)
  • Bob publishes n and e, but keeps p, q, and d
    secret
  • knowing n and e and any one of p, q, or d makes
    it easy to figure out the rest
  • Alice encrypts her message m < n by computing
  • c = m^e (mod n)
  • Alice sends c to Bob, who decrypts it by
    computing
  • m = c^d (mod n)

17
Simple Example
  • Choose p = 13, q = 17, e = 5
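
Carrying these parameters through the protocol of the previous slide, as an added example that is not part of the original slides; the function names and the message value 42 are constructed for illustration. The key generation also rejects an exponent that shares a factor with (p-1)(q-1), in which case no d exists.

```python
from math import gcd

def rsa_keygen(p, q, e):
    """Return (n, phi, d) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        # e.g. e = 3 with p = 13: 3 divides p-1 = 12, so e has no inverse
        raise ValueError("e shares a factor with (p-1)(q-1); no d exists")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return n, phi, d

def encrypt(m, e, n):
    if not 0 <= m < n:
        raise ValueError("message must be smaller than n")
    return pow(m, e, n)          # c = m^e mod n

def decrypt(c, d, n):
    return pow(c, d, n)          # m = c^d mod n

def round_trips(e, d, n):
    """Check (m^e mod n)^d mod n == m for every possible message."""
    return all(decrypt(encrypt(m, e, n), d, n) == m for m in range(n))

def worked_example():
    n, phi, d = rsa_keygen(13, 17, 5)    # n = 221, phi = 192, d = 77
    c = encrypt(42, 5, n)                # 42 is a constructed sample message
    return n, phi, d, c, decrypt(c, d, n)
```

Here 5 × 77 = 385 = 2 × 192 + 1, which is the property ed ≡ 1 mod φ(n) that Bob needs.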

18
Why Does This Work?
  • In other words, why is it that
  • (m^e mod n)^d mod n = m
  • Two hints
  • (m^e mod n)^d mod n = m^(ed) mod n
  • for any a, if 1 ≤ a < n-1 (and a and n are
    relatively prime), then a^φ(n) ≡ 1 mod n

19
Practical Issues in Choosing Parameters
  • It's typical to choose a small e value (usually 3
    or 5), then compute d (which is not typically so
    conveniently small). But if e has a common
    factor with (p-1), no such d will exist. (You
    can easily check that p-1 is not divisible by 3,
    for example, and generate a new p if necessary.)
  • For security purposes, the size of n should obey
    the same rules as for Diffie-Hellman (minimum
    2048 bits)
  • The two primes p and q should be of roughly equal
    size, and (p-1) and (q-1) should not have many
    small factors, as it makes it easier to factor n

20
RSA and Signing a Message
  • Suppose Alice wants to prove that she is sending
    a message m to Bob
  • she needs her own key pair (t, u) where t is her
    public key and u is her private key
  • (remember that when Alice is sending a message to
    Bob, he is responsible for generating the key
    pair)
  • She computes and sends the "signature" s = m^u
  • Bob uses Alice's public key to decrypt the
    signature: m = s^t = m^(ut)
  • as can anybody with access to Alice's private key
  • Notice that signing a plaintext message is the
    same operation as decrypting a ciphertext
    message, so an easy way for Mallory to get the
    plaintext for a message that Alice wrote is to
    get her somehow to sign it
  • as a result, it's common to use a different key
    pair for signing messages than is used for
    encrypting messages

21
More Details about Digital Signatures
  • Encryption and signature can be combined
  • Alice encrypts a message using Bob's public key:
    v = m^e
  • Alice signs using her private key: w = v^u
  • Bob receives w and first verifies the signature
    using Alice's public key: x = w^t = v^(ut) = v = m^e
  • Bob then decrypts using his private key: m = x^d =
    m^(ed)
  • It's unnecessary to sign the entire message
  • Suppose we have a strong hash function h(m)
  • Alice encrypts the message m for Bob: r = m^e
  • Alice computes h = h(m), and signs it: s = h^u
  • Alice sends both r and s to Bob
  • Bob decrypts r, and "unsigns" s.
  • He applies the same h function to his version of
    the document, and compares it to s
  • What does he know if the two hash versions agree?
    Disagree?

22
Some Practical Problems in using RSA
  • Short messages
  • any message must be less than the key length
    (n = pq) (why?)
  • keys can be made longer, but this has a strong
    effect on the time required to encrypt/decrypt
    the messages
  • as a result, RSA is typically used for key
    exchange, not message exchange
  • alternatively, messages can be broken into
    pieces, but then there is the danger of
    inter-message structure that can be exploited
  • Composite structure
  • if Alice has already signed two messages, m1 and
    m2, then in effect she has signed m3 = m1·m2 mod n
    (why?)
  • Structure in very small messages
  • if m and e are both small, then there is the
    possibility that m^e < n, which means no modular
    reduction takes place, and since e is known, m
    can be recovered simply by taking the e-th root
  • Regularity in the messages: if e "structurally
    similar" messages are sent, the private key can
    be inferred
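
Two of the problems above checked numerically, together with the hash-then-sign approach from the digital signatures slide, as an added example that is not part of the original slides. The key (two Mersenne primes with e = 5), the use of SHA-256 for h, and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed toy key: Mersenne primes 2^107-1 and 2^127-1, public exponent 5.
P, Q, E = 2**107 - 1, 2**127 - 1, 5
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent

def sign_raw(m):
    """Signature on the bare message: s = m^D mod N."""
    return pow(m, D, N)

def verify_raw(m, s):
    return pow(s, E, N) == m % N

def digest(m):
    """h(m): SHA-256 of the message bytes, reduced below N."""
    data = m.to_bytes((m.bit_length() + 7) // 8 or 1, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign_hashed(m):
    return pow(digest(m), D, N)

def verify_hashed(m, s):
    return pow(s, E, N) == digest(m)

def composite_check(m1, m2):
    """Does the product of two signatures verify as a signature on m1*m2?"""
    m3 = (m1 * m2) % N
    raw = verify_raw(m3, (sign_raw(m1) * sign_raw(m2)) % N)
    hashed = verify_hashed(m3, (sign_hashed(m1) * sign_hashed(m2)) % N)
    return raw, hashed

def iroot(c, e):
    """Largest integer r with r**e <= c, by binary search."""
    lo, hi = 0, 1 << (c.bit_length() // e + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** e <= c:
            lo = mid
        else:
            hi = mid - 1
    return lo

def small_message_leaks(m):
    """True when m^E < N, so the integer E-th root of the ciphertext is m."""
    return iroot(pow(m, E, N), E) == m
```

Signing h(m) instead of m removes the multiplicative relation between signatures; the small-message case is an encryption problem and is avoided by padding messages so that m^e always exceeds n.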

23
Summary / Moral on RSA
  • Easy to understand, easy to implement
  • Dual use: encryption and authentication
  • the standard for digital signatures in most
    countries / for most applications
  • Orders of magnitude slower than best
    implementations of symmetric key algorithms
  • Security of transmission depends on careful
    selection of key values
  • Best for short (but not too short) messages