CryptographySecurity

1
Chapter 9 PKCryptography and RSA

• 9.1 Principles of Public-Key Cryptosystems
• 9.2 The RSA Algorithm

2
9.1 Public-Key Cryptography

• public-key/two-key/asymmetric cryptography
  involves the use of two keys
• a public-key, which may be known by anybody, and
  can be used to encrypt messages, and verify
  signatures
• a private-key, known only to the recipient, used
  to decrypt messages, and sign (create) signatures
• is asymmetric because
• those who encrypt messages or verify signatures
  cannot decrypt messages or create signatures

3
Why Public-Key Cryptography?

• Solve two difficult problems of secret-key
  cryptosystems
• Problem I Key distribution
• Goal need no key establishment between two users
  and no key distribution center, which knows the
  secret keys of users
• Problem II Digital signature (universal
  authentication)
• Goal wide spread commercial use

4
(No Transcript)
5
(No Transcript)
6
Public-Key Characteristics

• Public-Key algorithms rely on two keys with the
  characteristics that it is
• computationally infeasible to find decryption key
  knowing only algorithm encryption key
• computationally easy to en/decrypt messages when
  the relevant (en/decrypt) key is known
• either of the two related keys can be used for
  encryption, with the other used for decryption
  (in some schemes)

7
Public-Key Cryptosystems
8
Public-Key Applications

• can classify uses into 3 categories
• encryption/decryption (provide secrecy)
• digital signatures (provide authentication)
• key exchange (of session keys)
• some algorithms are suitable for all uses, others
  are specific to one

9
Public-key encryption

• Key generation each (end) user X generates a
  pair of keys (KUX, KRX)
• User X keeps secret his decryption key KRX
• User X publishes his encryption key KUX in
  public directory
• When a user Y wishes to send message M to X, it
  encrypts M with Xs public key KUX as CE(KUX,
  M).NOTE every one can encrypt messages
• When X received the ciphertext C, it uses KRX to
  compute the plaintext MD(KRX, C)

10
Public-key encryption (cont.)

• Key generation algorithm (probabilistic)
  security parameter ? a key pair
• Encryption algorithm E public key ?
  plaintext ? ciphertext
• Decryption algorithm D private key ?
  ciphertext ? plaintext
• Equation MD(KRX, E(KUX, M))

11
Security requirements

• Hard tasks
• Given KUX, it is hard to compute KRX
• Given KUX, E, D and a ciphertext C, it is hard to
  compute MD(KRX, C)
• Secure against the chosen ciphertext attack
• Given KUX, E, D, a ciphertext C
• Allow queries of chosen ciphertexts query Ci and
  obtain MiD(KRX, Ci), Ci?C
• It is hard to compute MD(KRX, C)
• NOTE the attacker can mount chosen plaintext
  attack by itself

12
Comparison
13
Digital signature

• Key generation each (end) user X generates a
  pair of keys (KUX, KRX)
• User X keeps secret his signing key KRX
• User X publishes his verification key KUX in
  public directory
• When user X wishes to sign (authenticate) a
  message M, it uses KRX to compute a signature
  SSign(KRX, M)
• When Y wishes to verify S, it uses KUX to check
  validity of Verify(KUX, M, S)NOTE every one can
  verify signatures

14
Digital signature (cont.)

• Key generation algorithm (probabilistic)
  security parameter ? a key pair
• Signing algorithm Sig public key ?
  plaintext ? ciphertext
• Decryption algorithm Ver private key ?
  ciphertext ? plaintext
• Equation Ver(KUX, M, Sig(KRX, M))true
  if and only if (KUX. KRX) is a key pair

15
9.2 RSA

• by Rivest, Shamir Adleman of MIT in 1977
• RSA US. Patent 4,405,829 expired in 9/20/2000
• best known widely used public-key scheme
• based on exponentiation in a finite (Galois)
  field over integers modulo a prime
• nb. exponentiation takes O((log n)3) operations
  (easy)
• uses large integers (eg. 1024 bits)
• security due to cost of factoring large numbers
• nb. factorization takes O(e log n log log n)
  operations (hard)

16
RSA public-key system

• Key generation algorithm
• Input k
• Randomly generate two primes p and q of length
  k/2 bits
• Compute npq (n is k-bit long)
• Randomly select e, 2?e??(n)-1, withgcd(e,
  ?(n))1 (Note ?(n)(p-1)(q-1))
• Compute de-1 mod ?(n)
• KU(e, n), KR(d, n)
• (Note (1) p, q are not needed any more (2)
  e and d are symmetric, ie. ed-1 mod ?(n))

17
RSA public-key system (cont.)

• Encryption algorithm E
• Input ((e,n), M) (0?M?n-1)
• Compute CMe mod n
• Output(C).
• Decryption algorithm D
• Input ((d,n), C) (0?C?n-1)
• Compute MCd mod n
• Output(M).

18
RSA public-key system (cont.)

• Why it works ?
• Fact edr??(n)1
• Eulers theorem a?(n) mod n1 for a?Zn
• Case I M?Zn (i.e. p?n, q?n) D((d,n),
  E((e,n),M)) (Me mod n)d mod n Med mod n
  Mr??(n)1 mod n (M?(n) mod n)r M mod n 1r ? M
  mod n M

19
RSA public-key system (cont.)

• Case II Mbp, 0?b?q-1
• Since gcd(bp,q)1, (bp)r?(n) mod
  q(bp)r(p-1)?(q) mod q1.
• Thus, (bp)r?(n) zq1
• D((d,n), E((e,n), M)) (Me mod n)d mod n
  (bp)r?(n)1 mod n (bp)r?(n)bp mod n
  (zq1)bp mod n zbpqbp mod n bp M
• Case III Mcq, 0?c?p-1 the same as case II

20
RSA example

• Randomly select two primes p7, q17
• Calculate npq717119
• Calculate ?(n)(p-1)(q-1)96
• Randomly select e5, since gcd(e,?(n))1
• Calculate de-1 mod ?(n)77
• Public key KU(5, 119)
• Private key KR(77, 119)

21
RSA example (cont.)
22
RSA computational aspects

• Recall (Chap 8) Randomly select primes
• Prime density the number of primes less than n
  ?(n) ? n / ln(n)
• For example, the prime density ?(10150) ?
  10150 / ln(10150) ? 10150 / 345
• To find a prime of 150 digits
• (A) Randomly generate a 150-digit number n
• (B) If RPT(n)n is prime, then n is prime with
  high probability, else go to (A)
• In average, it need try 345 times

23
RSA computational aspects

• Compute de-1 mod ?(n)
• Recall Chap 4 Extended Euclids algorithm
• Find (a,b) such that aeb?(n)1
• Then, a e-1 mod ?(n)
• Encryption/decryption
• Modular exponentiation
• ab mod n

24
RSA security

• Brute force
• Try all possible decryption keys 1, 2, , d
• d must be large d gt n1/4

25
RSA security (cont.)

• Factorization of npq
• npq is at least 1024-bit long for security

Note 129 digits gt 1600 stations require 8
months to factorize Now powerful
computers require less time
26
RSA-challenge

• RSA-129(N) 11438162575788886766923577997614661201
  02182967212423625625618429357069352457338978305971
  23563958705058989075147599290026879543541
• p34905295108476509491478496199038981334177646
  38493387843990820577
• q327691329932667095499619881908344614131776429679
  92942539798288533

27
RSA security (cont.)

• To counter factorization, we need select strong
  prime for p and q
• npq is at least 1024-bit long
• p and q differ in a few digits
• p-1 and q-1 must have large prime factors, in
  particular, we choose p2p1 and q2q1, where
  p and q are prime
• gcd(p-1, q-1) must be small

28
RSA security (cont.)

• Timing attack
• A ciphertext-only attack
• By naive implementation, the time for decrypting
  a ciphertext depends on the number of 1s in d
• We can measure the response time of a decryption
  to guess what d is.
• Check if di1 then t?ta mod n. For some t and
  a, the execution time is very slow

29
RSA security (cont.)

• Modular exponentiation algorithm
• Input m, d, n (m, dltn, ddkdk-1d1)
• Output md mod n
• t?1
• For ik to 1
• t?tt mod n
• if di1 then t?tm mod n
• Return(t)

30
RSA security (cont.)

• Countermeasures for timing attack
• Constant exponentiation time
• Random delay
• Blinding of ciphertext
• Compute CC ? re mod n
• Compute MCd mod n
• Compute MM ? r-1 mod n

31
RSA security (cont.)

• Two users cannot use the same n
• (n, e1), (n, d1)
• (n, e2), (n, d2)
• Given (n, e1, d1, e2), one can compute d2 with
  d2d2 (mod ?(n))
• Compute e1d1-1k??(n)
• Compute d2e2-1 mod k??(n)
• Thus, d2d2 (mod ?(n))
• Note Each user has different public-key KU(e,
  n) and private key KR(d, n)

32
f
33
Designing a protocol

• Problem there are n participants who want to
  establish a secure conference, thus any legal
  participant may know the other participants
  sending messages, but no unauthorized user may
  decrypt the messages.
• Pre-conditions/requirements
• Each participant has a key pair (KU, KR), where
  KU(e, n), KR(d, n) and de-1 mod ?(n). (Note
  each participant has different key pair)
• There is a chairman who is responsible for
  distributing a conference key and authenticating
  other participants.
• Another requirement is that each participant may
  confirm the other participants joining the
  conference really.
• Goal
• Designing a protocol
• Analyzing the protocol (Communication and
  Computation costs)
• Security analysis
• For simplification You may assume that there
  only are 3 participants.