Public Key Cryptosystems - PowerPoint PPT Presentation

Provided by: csi64

1
Public Key Cryptosystems
  • Lecture 4
  • Finish Lecture 3
  • Modular Arithmetic
  • Public Key Encryption

2
Reading assignment
  • Reading assignments for September 9
  • Required
  • Pfleeger Ch 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7
  • (sections 3.4, 3.6, 3.7 understand only)
  • Reading assignments for September 10
  • Required
  • Pfleeger Ch 4

3
Data Encryption Standard (DES)
4
DES Cycle
[Figure: one DES cycle. Labels: $L_{i-1}$ (= $R_{i-2}$) and $R_{i-1}$, 32 bits each; expansion permutation, 48 bits; permuted key, 48 bits; output $R_i$, 32 bits.]
5
Modes of DES
  • ECB: Electronic Code Book
  • CBC: Cipher Block Chaining
  • CFB: Cipher FeedBack
  • OFB: Output FeedBack
  • Part of NIST standard

6
ECB Mode
[Figure: ECB mode. Labels: 64-bit data; E with 56-bit key; D with 56-bit key; 64-bit data.]
  • Good for small messages
  • Identical data blocks will be identically encrypted
7
CBC Mode
[Figure: CBC mode. Labels: 64-bit data; 64-bit previous ciphertext block; E with 56-bit key; D with 56-bit key; 64-bit previous ciphertext block; 64-bit data.]
  • $C_n = E_k(C_{n-1} \oplus P_n)$
  • Needs initialization vector
8
CFB Mode
  • Needs initialization vector
  • Advantage: can encipher one character at a time
  • Error propagation: current transfer and the next 8 characters
[Figure: CFB mode. Labels: 8, 8-bit blocks; left shift; E with 56-bit key; D with 56-bit key; 8-bit plain text; 8-bit cipher text; 8-bit plain text.]
9
OFB Mode
  • Needs initialization vector
  • Advantage: can encipher one character at a time
  • Error propagation: current transfer only
[Figure: OFB mode. Labels: 8, 8-bit blocks; left shift; E with 56-bit key; D with 56-bit key; 8-bit plain text; 8-bit cipher text; 8-bit plain text.]
10
Advanced Encryption Standard (AES)
  • Federal Information Processing Standard (FIPS) to
    be used by U.S. Government organizations
  • Effective since May 26, 2002
  • Replaces DES (triple DES remains)
  • Rijndael (Rhine Dhal) algorithm (Joan Daemen
    and Vincent Rijmen)

11
Rijndael Algorithm
  • Chosen for security, performance, efficiency,
    ease of implementation, and flexibility
  • Block cipher (variable block and key length)
  • Block size: 128, 192, 256 bits
  • Key size: 128, 192, 256 bits

12
International Data Encryption Algorithm (IDEA)
(Read Only)
  • Designed by X. Lai and J. Massey (Swiss Federal
    Institute of Technology), 1990
  • 64-bit block cipher
  • Key size: 128 bits
  • Used by Pretty Good Privacy (PGP) to encrypt
    electronic mail

13
Design Principles
  • Cryptographic strength
  • Block size: deter statistical analysis, but keep
    encryption easy to implement
  • Key length: prevent exhaustive key search
  • Confusion: ciphertext should depend on the
    plaintext and key in a complicated way
  • Diffusion: each plaintext bit should influence every
    ciphertext bit to prevent statistical analysis

14
Other Secret Key Algorithms
  • DESX: modification of DES
  • Blowfish: fast, compact and simple block cipher.
    Variable key length up to 448 bits
  • RC2: block cipher. Variable key length up to 2048
    bits
  • RC4: stream cipher. Variable key length up to 448
    bits
  • RC5: block cipher. Allows user-defined key
    length, data block size, and number of encryption
    rounds.

15
Hash Functions
  • Hash function h maps an input x of arbitrary
    length to a fixed length output h(x)
    (compression)
  • Given h and x, h(x) is easy to compute (ease of
    computation)

16
Hash functions
  • Preimage resistant (one-way): if for all
    specified outputs, it is computationally
    infeasible to find any input that hashes to that
    output
  • Second-preimage resistant (weak collision
    resistant): if it is computationally infeasible
    to find any second input which has the same
    output as any specified input
  • Collision resistant (strong collision resistant):
    if it is computationally infeasible to find any
    two distinct inputs that have the same output

17
Hash Functions
  • Message digest
  • Used for authenticity and integrity purposes
  • Algorithms
  • SHA-1
  • MD2, MD4, MD5

18
MD5 Message Digest Algorithm
  • Input of arbitrary length
  • Output: 128 bits
  • Block size: 512 bits

19
MD5 Processing (Read Only)
  • Append padding bits so that $\text{length} \equiv 448 \pmod{512}$
    (padded message is 64 bits less than an integer
    multiple of 512)
  • Append length: a 64-bit representation of the
    length of the original message (before the
    padding) ⇒ total length of message is $k \times 512$ bits
  • Initialize MD buffer: 128-bit buffer holds
    intermediate and final results (four 32-bit
    registers, A, B, C, D)
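
The padding and length steps above, as an added example that is not part of the original presentation. It covers the edge case where the message already ends at 448 mod 512 bits, which still receives a full extra block of padding; the byte order of the length field (low-order byte first) follows the MD5 specification rather than the slide.

```python
import struct

def md5_pad(message: bytes) -> bytes:
    """Return the message with MD5's padding bits and 64-bit length appended."""
    bit_length = len(message) * 8
    padded = message + b"\x80"                        # first padding bit is 1
    padded += b"\x00" * ((56 - len(padded)) % 64)     # zeros up to 448 mod 512 bits
    padded += struct.pack("<Q", bit_length % 2**64)   # original length, 64 bits
    return padded

def padding_summary(message_bytes: int):
    """(padding bits added, number of 512-bit blocks) for a message of this size."""
    padded = md5_pad(b"a" * message_bytes)
    padding_bits = (len(padded) - message_bytes - 8) * 8
    return padding_bits, len(padded) // 64

def length_field(message: bytes) -> int:
    """Read back the 64-bit length stored in the last 8 bytes."""
    return struct.unpack("<Q", md5_pad(message)[-8:])[0]
```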

20
MD5 Processing
  • Process message in 512-bit blocks
  • 4 rounds of processing
  • Similar structure but different logical function
  • Each round takes the 512-bit input and values of
    ABCD and modifies ABCD
  • Output from the last stage is a 128-bit digest

21
Strength of MD5
  • Every bit of plain text influences every bit of
    the hash code
  • Complex repetition of the basic functions ⇒
    unlikely that two random messages would have
    similar regularities
  • MD5 is as strong as possible for 128-bit digest
    (Rivest's conjecture)
  • Hasn't been disproved yet

22
Secure Hash Algorithm
  • SHA was developed by National Institute of
    Standards and Technology
  • 1993: published as Federal Information Processing
    Standard (FIPS PUB 180)
  • Input: maximum length $2^{64}$ bits
  • Output: 160-bit digest
  • Block size: 512 bits

23
MD5 vs. SHA
  • Very similar
  • Security: SHA's digest is 32 bits longer ⇒
    without algorithm flaws SHA is more secure
  • Speed: SHA has more steps and produces 160-bit
    buffer ⇒ SHA slower
  • Simplicity and compactness: MD5 has more internal
    steps with varying buffer modification ⇒ SHA is
    simpler

24
Summary Secret-Key Encryption
  • Single, secret key
  • Key distribution problem of secret key systems
  • Establish key before communication
  • Need n(n-1)/2 keys with n different parties
  • Do NOT provide electronic signatures
  • Faster than public-key encryption

25
Secret-Key Encryption
  • Needed for security
  • Secret key must be kept confidential
  • Impossible (at least impractical) to decipher a
    message if no other information is available
  • Knowledge of algorithm and samples of ciphertext
    must be insufficient to determine the key

26
Public-Key Encryption
  • Two keys: one is private, one is public
  • Solves the key distribution problem (but need
    reliable channel)
  • Provides electronic signatures
  • Slower than secret-key encryption

27
Public-Key Encryption
  • Needed for security
  • One of the keys must be kept secret
  • Impossible (at least impractical) to decipher
    message if no other information is available
  • Knowledge of algorithm, one of the keys, and
    samples of ciphertext must be insufficient to
    determine the other key

28
Arithmetic
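  • Identity $i$: $x \;\mathrm{op}\; i = x$
  • Inverse: b is the inverse of a under op if
  • $a \;\mathrm{op}\; b = i$
  • Prime numbers: p is prime if $1 < p$ and divisible
    by 1, p only
  • Euclidean algorithm: if x divides a and b then x
    also divides $a - (k \cdot b)$
  • $a - (k \cdot b) = x \cdot a_1 - (k \cdot x \cdot b_1)$
  • $= x \cdot (a_1 - (k \cdot b_1))$
  • $= x \cdot d$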

29
Greatest common divisor
  • Given $a > b$, the greatest common divisor
    $x = \gcd(a,b)$ can be calculated as follows
  • Rewrite a as $a = m \cdot b + r$, where $m = \lfloor a/b \rfloor$ and r is the
    remainder
  • If x divides a and b, it also divides r,
    therefore $x = \gcd(a,b) = \gcd(b,r)$ ⇒ $b = m' \cdot r + r'$
  • Continue until the remainder is zero

30
Modular Arithmetic
  • Results stay in the underlying range of numbers
  • $+$, $-$, $\times$ can be applied before or after the modulus
    is taken with similar results
  • Modulus: remainder after division, that is, if
    $a \bmod n = b$ then $a = c \cdot n + b$
  • Examples
  • $9 \bmod 3 = 0$
  • $12 \bmod 5 = 2$
  • $12 \bmod 10 = 2$

31
Modular Arithmetic
  • Properties
  • Associative
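  • $a + (b + c) \bmod n = (a + b) + c \bmod n$
  • $a \times (b \times c) \bmod n = (a \times b) \times c \bmod n$
  • Commutative
  • $a + b \bmod n = b + a \bmod n$
  • $a \times b \bmod n = b \times a \bmod n$
  • Distributive
  • $(a \times (b + c)) \bmod n = (((a \times b) \bmod n) + ((a \times c) \bmod n)) \bmod n$
  • Existence of identities
  • $a + 0 \bmod n = 0 + a \bmod n = a$
  • $a \times 1 \bmod n = 1 \times a \bmod n = a$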

32
Modular Arithmetic
  • Properties
  • Existence of inverses
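  • $a + (-a) \bmod n = 0$
  • $a \times a^{-1} \bmod n = 1$ if $a \neq 0$
  • Reducibility
  • $(a + b) \bmod n = ((a \bmod n) + (b \bmod n)) \bmod n$
  • $(a \times b) \bmod n = ((a \bmod n) \times (b \bmod n)) \bmod n$
  • $a^e \bmod n = \left(\prod_{i=1}^{e} (a \bmod n)\right) \bmod n$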

33
Modular Arithmetic
  • $a^{-1} = x \bmod n$
  • has a unique solution if a and n are
    relatively prime

34
Fermat's and Euclid's Theorem
  • Fermat's Theorem: for any prime number p and any
    element $a < p$
  • $a^p \bmod p = a$ or $a^{p-1} \bmod p = 1$
  • Inverse of a is x, such that
  • $a x \bmod p = 1$
  • $a x \bmod p = 1 = a^{p-1} \bmod p$
  • $x = a^{p-2} \bmod p$
  • Euclid's theorem: if a and n are relatively prime,
    then
  • $a^{\varphi(n)} \bmod n = 1 = a x \bmod n$
  • $x = a^{\varphi(n)-1} \bmod n$
  • Example: inverse of 4 mod 5
  • $4^{-1} \bmod 5 = 4^{5-2} \bmod 5 = 64 \bmod 5 = 4$
  • $4 \times 4 \bmod 5 = 16 \bmod 5 = 1$
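
The two routes to a modular inverse described on the preceding slides, as an added example that is not part of the original presentation: the Euclidean remainder sequence extended to track coefficients, and the power formula $x = a^{\varphi(n)-1} \bmod n$ (the $a^{\varphi(n)}$ result is usually credited to Euler). The function names and the trial-division `phi` are assumptions suitable only for slide-sized numbers.

```python
def egcd(a, b):
    """Extended Euclid: return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        m, r = divmod(a, b)          # a = m*b + r, so gcd(a, b) = gcd(b, r)
        a, b = b, r
        s0, s1 = s1, s0 - m * s1
        t0, t1 = t1, t0 - m * t1
    return a, s0, t0

def inverse_euclid(a, n):
    """Inverse of a mod n from the Euclidean remainders; needs gcd(a, n) = 1."""
    g, s, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd is {g}")
    return s % n

def phi(n):
    """Euler's phi by trial division; fine for slide-sized n only."""
    result, p = n, 2
    while p * p <= n:
        if n % p == 0:
            while n % p == 0:
                n //= p
            result -= result // p
        p += 1
    if n > 1:
        result -= result // n
    return result

def inverse_power(a, n):
    """x = a^(phi(n)-1) mod n; for prime n this is Fermat's a^(n-2) mod n."""
    if egcd(a % n, n)[0] != 1:
        raise ValueError(f"{a} has no inverse mod {n}")
    return pow(a, phi(n) - 1, n)
```

Both functions refuse inputs that are not relatively prime to the modulus, which is the uniqueness condition stated on slide 33.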

35
Public Key Cryptosystem
[Figure: public key cryptosystem. A (sender): plaintext, encryption alg. with B's public key; ciphertext over the insecure channel; B (recipient): decryption alg. with B's private key, plaintext. B's public key needs a reliable channel.]
36
Public Key Cryptosystem
  • Concept conceived by Diffie and Hellman in 1976
  • Rivest, Shamir, and Adleman (RSA) described a
    public key system in 1978
  • Many proposals have been broken
  • e.g., Merkle-Hellman proposal broken by Shamir
  • Serious candidates (public domain)
  • RSA
  • El Gamal

37
Notation
  • $C = E(K_{E-B}, M)$
  • $M = D(K_{D-B}, C)$
  • $K_{E-B}$: public key of B
  • $K_{D-B}$: private key of B
  • $E$: encryption alg.
  • $D$: decryption alg.
  • $M$: plaintext
  • $C$: ciphertext

38
RSA
  • Public key: (n,e)
  • Secret key: (n,d)
  • n is a 200-digit number
  • $C = M^e \bmod n$
  • $M = C^d \bmod n$

39
RSA
  • Both sender and receiver know n
  • Sender knows e
  • Only receiver knows d
  • Need: find values e, d, n such that
  • $M^{ed} \bmod n = M \bmod n$
  • Easy to calculate $M^e$, $C^d$ for all $M < n$
  • Infeasible to determine d given e
40
RSA Keys
  • Generation of public and private keys
  • Choose 2 large (100-digit) numbers p and q
  • Compute $n = pq$
  • Choose e relatively prime to $\varphi(n) = (p-1)(q-1)$
  • Compute d such that $ed = 1 \bmod (p-1)(q-1)$
  • Publish (n,e)
  • Keep secret: (n,d), p, q

41
RSA Keys Example 1.
  • Choose 2 large numbers
  • $p = 7$, $q = 17$
  • Compute $n = pq$
  • $7 \times 17 = 119$
  • Choose e relatively prime to $(p-1)(q-1)$
  • $6 \times 16 = 96$, $e = 5$
  • Compute $d = 5^{-1} \bmod 96 = 77$
  • Publish (5,119)
  • Keep (77,119), 7, 17

42
RSA Key Example 1
  • Let $M = 19$
  • Encrypt
  • $19^5 \bmod 119 = 2{,}476{,}099 \bmod 119 = 66$
  • Decrypt
  • $66^{77} \bmod 119 = 19 \bmod 119$

43
RSA Keys Example 2
  • Choose 2 large numbers
  • $p = 47$, $q = 71$
  • Compute $n = pq$
  • $47 \times 71 = 3337$
  • Choose e relatively prime to $(p-1)(q-1)$
  • $46 \times 70 = 3220$, $e = 79$
  • Compute $d = 79^{-1} \bmod 3220 = 1019$
  • Publish (3337,79)
  • Keep (3337,1019), 47, 71

44
RSA Keys
  • Compute d such that $ed = 1 \bmod (p-1)(q-1)$
  • If factorization of n into pq is known: easy
  • Otherwise: hard
  • How hard is it to compute d given (n,e)?
  • Don't know, BUT not harder than factoring n into
    pq ⇒ security of RSA is no better than the
    complexity of the factoring problem
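
The key generation steps and both worked examples, as an added example that is not part of the original presentation. It also carries out the point of this slide: once n is factored, d follows from the public key alone, which is feasible here only because the example moduli are tiny. The function names are assumptions, and p and q are assumed to be prime.

```python
from math import gcd

def rsa_keygen(p, q, e):
    """Return ((n, e), (n, d)) for primes p, q and public exponent e."""
    n, phi_n = p * q, (p - 1) * (q - 1)
    if gcd(e, phi_n) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi_n)        # e*d = 1 mod (p-1)(q-1); needs Python 3.8+
    return (n, e), (n, d)

def rsa_encrypt(m, public):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("M must be smaller than n")
    return pow(m, e, n)          # C = M^e mod n

def rsa_decrypt(c, private):
    n, d = private
    return pow(c, d, n)          # M = C^d mod n

def factor(n):
    """Trial division: works only because the slide moduli are tiny."""
    p = 2
    while p * p <= n:
        if n % p == 0:
            return p, n // p
        p += 1
    raise ValueError("n is prime, not a product pq")

def private_key_from_factoring(public):
    """With p and q known, computing d is the same easy step as in keygen."""
    n, e = public
    p, q = factor(n)
    return rsa_keygen(p, q, e)[1]
```

For a 200-digit n as on slide 38, `factor` would never finish, and that gap is the whole security argument of this slide.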

45
RSA versus DES
  • RSA: kilobits/second
  • DES: megabits/second
  • ⇒ DES is about 100 times faster than RSA
  • RSA used for secure exchange of DES keys

46
RSA versus DES
  • Key size
  • RSA: selected by user
  • (usually n is 154 digits (512 bits) so key is
    1024 bits)
  • DES: 64 bits (56 effective)

47
Digital Signatures in RSA
  • RSA property: encryption and decryption are
    commutative
  • Encryption followed by decryption yields the
    original message
  • $(M^e \bmod n)^d \bmod n = M$
  • Decryption followed by encryption yields the
    original message
  • $(M^d \bmod n)^e \bmod n = M$
  • Cryptosystems that preserve message length have
    this property

48
Digital Signatures in RSA
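[Figure: digital signature in RSA. A signs the plaintext with A's private key; the signed plaintext crosses the insecure channel; B verifies with A's public key and recovers the plaintext. A's public key needs a reliable channel. Other labels: Encryption Alg., Decryption Alg.]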
49
Signature and Encryption
[Figure: signature and encryption. A: plaintext, D with A's private key, signed plaintext, E with B's public key, encrypted signed plaintext. B: D with B's private key, signed plaintext, E with A's public key, plaintext.]
50
Signature and Encryption
  • We could do the encryption first, followed by the
    signature.
  • Advantage of signature first: parties other than B can
    verify the signature
  • DES can be used for encryption
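
Signature followed by encryption, as an added example that is not part of the original presentation. It assigns the Example 1 key pair to A and the Example 2 key pair to B (an assumption made here), and uses textbook RSA with no hashing or padding, so it also shows a practical constraint: the signed value must fit below the recipient's modulus.

```python
A_PUBLIC, A_PRIVATE = (119, 5), (119, 77)        # Example 1 key pair, assigned to A
B_PUBLIC, B_PRIVATE = (3337, 79), (3337, 1019)   # Example 2 key pair, assigned to B

def apply_key(value, key):
    """Textbook RSA operation value^exp mod n; value must fit below n."""
    n, exp = key
    if not 0 <= value < n:
        raise ValueError(f"{value} does not fit in modulus {n}")
    return pow(value, exp, n)

def sign_then_encrypt(m, signer_private, recipient_public):
    signed = apply_key(m, signer_private)             # D with signer's private key
    return apply_key(signed, recipient_public)        # E with recipient's public key

def decrypt_then_verify(c, recipient_private, signer_public):
    signed = apply_key(c, recipient_private)          # D with recipient's private key
    return signed, apply_key(signed, signer_public)   # E with signer's public key

def third_party_verify(m, signed, signer_public):
    """Anyone holding the signer's public key can check a signed plaintext."""
    return apply_key(signed, signer_public) == m
```

Because B ends up holding the signed plaintext itself, it can hand that value to any other party for checking with `third_party_verify`, which is the advantage the slide gives for signing first. In the opposite direction (B signing for A) the signed value can exceed A's modulus of 119, and `apply_key` rejects it rather than silently reducing it.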

51
Non-repudiation
  • Requires notarized signature, involving a third
    party
  • Large system: hierarchies of notarization

52
Diffie-Hellman Key Exchange
  • Proposed in 1976
  • First public key alg.
  • Allows group of users to agree on secret key over
    insecure channel
  • Cannot be used to encrypt and decrypt messages

53
Diffie-Hellman Key Exchange
  • Example
  • A and B want to agree on shared secret key
  • They agree on two large numbers n and g, such
    that $1 < g < n$
  • A chooses random x and computes $X = g^x \bmod n$ and
    sends X to B
  • B chooses random y and computes $Y = g^y \bmod n$ and
    sends Y to A
  • A computes $k = Y^x \bmod n$
  • B computes $k' = X^y \bmod n$
  • Note: $k = k' = g^{yx} \bmod n$

54
Diffie-Hellman Key Exchange
  • Requires no prior communication between A and B
  • Security depends on difficulty of computing x
    given $X = g^x \bmod n$
  • Choices for g and n are critical: both n and
    $(n-1)/2$ should be prime, n should be large
  • Susceptible to intruder in the middle attack
    (active intruder)
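
The exchange from the previous slide with the parameter conditions from this one enforced before any value is sent, as an added example that is not part of the original presentation. The moduli are toy-sized, the function names are assumptions, and the extra rejection of g = n-1 is an addition not stated on the slides.

```python
import secrets

def is_prime(n):
    """Trial division; adequate for the toy moduli used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def check_params(n, g):
    """Slide conditions: n and (n-1)/2 prime, 1 < g < n; g = n-1 also rejected."""
    if not (is_prime(n) and is_prime((n - 1) // 2)):
        raise ValueError("n and (n-1)/2 must both be prime")
    if not 1 < g < n - 1:
        raise ValueError("need 1 < g < n-1 (g = n-1 only generates 1 and n-1)")

def exchange(n, g, x=None, y=None):
    """Run both sides; returns (X, Y, A's key, B's key)."""
    check_params(n, g)
    x = secrets.randbelow(n - 3) + 2 if x is None else x   # A's secret, 2..n-2
    y = secrets.randbelow(n - 3) + 2 if y is None else y   # B's secret, 2..n-2
    X = pow(g, x, n)            # A -> B
    Y = pow(g, y, n)            # B -> A
    k_a = pow(Y, x, n)          # A computes k  = Y^x mod n
    k_b = pow(X, y, n)          # B computes k' = X^y mod n
    return X, Y, k_a, k_b
```

Nothing in the exchange tells A that Y really came from B, which is why the slide lists the intruder-in-the-middle attack; the values X and Y need to be authenticated, for example with the signatures from the earlier slides.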