Cryptography and

Cryptography and
Network Security
Network Security
Chapter 9
Chapter 9
Fifth Edition Fifth Edition
by William Stallings by William Stallings
Lecture slides by Lecture slides by Lawrie Lawrie Brown Brown
(with edits by RHB) (with edits by RHB)
Chapter 9 Chapter 9 Public Key Public Key
Cryptography and RSA Cryptography and RSA
Every Egyptian received two names, which were Every Egyptian received two names, which were
known respectively as the true name and the known respectively as the true name and the
good name, or the great name and the little good name, or the great name and the little
name; and while the good or little name was name; and while the good or little name was
made public, the true or great name appears to made public, the true or great name appears to
have been carefully concealed. have been carefully concealed.
The Golden Bough, The Golden Bough, Sir James George Frazer Sir James George Frazer
Outline Outline
will consider: will consider:
principles of public principles of public- -key cryptography key cryptography
RSA algorithm, implementation, security RSA algorithm, implementation, security
Private Private- -Key Cryptography Key Cryptography
traditional traditional private/secret/single key private/secret/single key
cryptography uses cryptography uses one one key key
shared by both sender and receiver shared by both sender and receiver
if this key is disclosed communications are if this key is disclosed communications are
compromised compromised
also is also is symmetric symmetric, parties are equal , parties are equal
hence does not protect sender from hence does not protect sender from
receiver forging a message and claiming receiver forging a message and claiming
it it s sent by sender (repudiation problem) s sent by sender (repudiation problem)
Public Public- -Key Cryptography Key Cryptography
probably most significant advance in the probably most significant advance in the
3000 year history of cryptography 3000 year history of cryptography
uses uses two two keys keys a public & a private key a public & a private key
asymmetric asymmetric since parties are since parties are not not equal equal
uses clever application of number uses clever application of number
theoretic concepts to function theoretic concepts to function
complements complements rather than rather than replaces private replaces private
key cryptography (efficiency reasons) key cryptography (efficiency reasons)
Why Public Why Public- -Key Cryptography? Key Cryptography?
developed to address two key issues: developed to address two key issues:
key distribution key distribution how to have secure how to have secure
communications in general without having to communications in general without having to
trust a KDC with your key trust a KDC with your key
digital signatures digital signatures how to verify a message how to verify a message
comes intact from the claimed sender comes intact from the claimed sender
public invention due to Whitfield public invention due to Whitfield Diffie Diffie & &
Martin Hellman at Stanford Martin Hellman at Stanford Uni Uni in 1976 in 1976
known earlier in classified community (NSA known earlier in classified community (NSA
(60 (60 s (claimed)), CESG (1970 (documented))) s (claimed)), CESG (1970 (documented)))
Public Public- -Key Cryptography Key Cryptography
public public- -key/two key/two- -key/asymmetric key/asymmetric cryptography cryptography
involves the use of involves the use of two two keys: keys:
a a public public- -key key, which may be known by anybody, and can , which may be known by anybody, and can
be used to be used to encrypt messages encrypt messages, and , and verify signatures verify signatures
a related a related private private- -key key, known only to the recipient, used , known only to the recipient, used
to to decrypt messages decrypt messages, and , and sign sign (create) (create) signatures signatures
infeasible to determine private key from public infeasible to determine private key from public
(requires solving a hard problem) (requires solving a hard problem)
is is asymmetric asymmetric because because
those who those who encrypt encrypt messages or messages or verify verify signatures signatures
cannot cannot decrypt decrypt messages or messages or create create signatures signatures
Public Public- -Key Cryptography Key Cryptography
Public Public- -Key Cryptography Key Cryptography Symmetric Symmetric vs vs Public Public- -Key Key
Public Public- -Key Cryptosystems Key Cryptosystems
Combining secrecy and authentication
Public Public- -Key Applications Key Applications
can classify uses into 3 categories: can classify uses into 3 categories:
encryption/decryption encryption/decryption (provide secrecy) (provide secrecy)
digital signatures digital signatures (provide authentication) (provide authentication)
key exchange key exchange (of session keys) (of session keys)
some algorithms are suitable for all uses, some algorithms are suitable for all uses,
others are specific to one others are specific to one
Public Public- -Key Requirements Key Requirements
Public Public- -Key algorithms rely on two keys where: Key algorithms rely on two keys where:
it is computationally infeasible to find decryption key it is computationally infeasible to find decryption key
knowing only algorithm & encryption key knowing only algorithm & encryption key
it is computationally easy to en/decrypt messages it is computationally easy to en/decrypt messages
when the relevant (en/decrypt) key is known when the relevant (en/decrypt) key is known
either of the two related keys can be used for either of the two related keys can be used for
encryption, with the other used for decryption (for encryption, with the other used for decryption (for
some algorithms) some algorithms)
these these are formidable requirements which are formidable requirements which
only a few algorithms have satisfied only a few algorithms have satisfied
Public Public- -Key Requirements Key Requirements
need a trapdoor one need a trapdoor one- -way function way function
one one- -way function has way function has
Y = Y = f(X f(X) easy ) easy
X = f X = f
1 1
(Y) infeasible (Y) infeasible
a trap a trap- -door one door one- -way function has way function has
Y = Y = f f
k k
(X (X) easy, if k and X are known ) easy, if k and X are known
X = X = f f
k k
1 1
(Y) easy, if k and Y are known (Y) easy, if k and Y are known
X = X = f f
k k
1 1
(Y) infeasible, if Y known but k not known (Y) infeasible, if Y known but k not known
a practical public a practical public- -key scheme depends on key scheme depends on
a suitable trap a suitable trap- -door one door one- -way function way function
Security of Public Key Schemes Security of Public Key Schemes
like private key schemes brute force like private key schemes brute force exhaustive exhaustive
search search attack is always theoretically possible attack is always theoretically possible
but keys used are too large but keys used are too large >512bits >512bits
(PK schemes are (PK schemes are generic generic and and super super- -
polynomial polynomial can always choose a bigger can always choose a bigger
instance, unlike block ciphers) instance, unlike block ciphers)
security relies on a security relies on a large enough large enough difference in difference in
difficulty between difficulty between easy easy (en/decrypt) and (en/decrypt) and hard hard
( (cryptanalyse cryptanalyse) problems ) problems
more generally the more generally the hard hard problem is problem is known known , but , but
is made hard enough to be impractical to break is made hard enough to be impractical to break
requires the use of requires the use of very large numbers very large numbers
hence is hence is slow slow compared to private key schemes compared to private key schemes
RSA RSA
by by Rivest Rivest, Shamir & , Shamir & Adleman Adleman of MIT in 1977 of MIT in 1977
best known & widely used public best known & widely used public- -key scheme key scheme
based on exponentiation in a finite (Galois) field based on exponentiation in a finite (Galois) field
over integers modulo a prime over integers modulo a prime
nb nb. exponentiation takes . exponentiation takes O((log O((log n) n)
3 3
) operations (easy) ) operations (easy)
uses large integers ( uses large integers (eg eg. 1024 bits) . 1024 bits)
security due to cost of factoring large numbers security due to cost of factoring large numbers
nb nb. factorization takes . factorization takes O(e O(e
log n log log n log log log n n
) operations ) operations
( (superpolynomial superpolynomial, hard) , hard)
RSA En/decryption RSA En/decryption
to encrypt a message to encrypt a message M M the sender: the sender:
obtains obtains public key public key of recipient of recipient PU PU = = { {e,n e,n} }
computes: computes: C C = = M M
e e
mod mod n n, where , where 0 0 M M < < n n
to decrypt the to decrypt the ciphertext ciphertext C the owner: C the owner:
uses their private key uses their private key PR PR = = { {d,n d,n} }
computes: computes: M M = = C C
d d
mod mod n n
note that the message note that the message M M must be smaller must be smaller
than the modulus than the modulus n n (block if needed) (block if needed)
RSA Key Setup RSA Key Setup
each user generates a public/private key pair by: each user generates a public/private key pair by:
selecting two large primes at random: selecting two large primes at random: p,q p,q
computing their system modulus computing their system modulus n n = = p.q p.q
note note (n (n) ) = = (p (p- -1)(q 1)(q- -1) 1)
selecting at random the encryption key selecting at random the encryption key e e
where where 1 1 < < e e < < (n (n), ), gcd(e, gcd(e, (n (n)) )) = = 1 1
solve following equation to find decryption key solve following equation to find decryption key d d
e.d e.d = = 1 mod 1 mod (n (n) and 0 ) and 0 d d n n
publish their public encryption key: publish their public encryption key: PU PU = = { {e,n e,n} }
keep secret private decryption key: keep secret private decryption key: PR PR = = { {d,n d,n} }
Why RSA Works Why RSA Works
because of Euler's Theorem: because of Euler's Theorem:
a a
(n (n) )
mod mod n n = = 1 1 where where GCD(a,n GCD(a,n) ) = = 1 1
in RSA have: in RSA have:
n n = = p.q p.q
(n (n) ) = = (p (p- -1)(q 1)(q- -1) 1)
carefully chose carefully chose e e and and d d to be inverses to be inverses mod mod (n (n) )
hence hence e.d e.d = = 1 1 + + k. k. (n (n) ) for some for some k k
hence : hence :
C C
d d
= = M M
e.d e.d
= = M M
1+k. 1+k. (n) (n)
= = M M
1 1
.(M .(M
(n) (n)
) )
k k
= = M M
1 1
.(1) .(1)
k k
= = M M
1 1
= = M M mod mod n n
(provided (provided M M and and n n coprime coprime (still OK if not)) (still OK if not))
RSA Example RSA Example - - Key Setup Key Setup
1. 1. Select primes: Select primes: p p = = 17 17 ; ; q q = = 11 11
2. 2. Calculate Calculate n n = = pq pq = = 17 17 x x 11 11 = = 187 187
3. 3. Calculate Calculate (n (n) ) = = (p (p 1)(q 1)(q- -1) 1) = = 16 16x x10 10 = = 160 160
4. 4. Select Select e e: : GCD(e,160) GCD(e,160) = = 1 1 ; ; choose choose e e = = 7 7
5. 5. Derive Derive d d: : de de = = 1 1 mod mod 160 160 and and d d < < 160 160
Get Get d d = = 23 23 since since 23 23x x7 7 = = 161 161 = = 10 10x x160+1 160+1
6. 6. Publish public key: Publish public key: PU PU = = {7,187} {7,187}
7. 7. Keep private key secret: Keep private key secret: PR PR = = {23, {23,187} 187}
RSA Example RSA Example - - En/Decryption En/Decryption
sample RSA encryption/decryption is: sample RSA encryption/decryption is:
given message given message M M = = 88 88 ( (nb nb. . 88 88 < < 187 187) )
encryption: encryption:
C C = = 88 88
7 7
mod mod 187 187 = = 11 11
decryption: decryption:
M M = = 11 11
23 23
mod mod 187 187 = = 88 88
Exponentiation Exponentiation
can use the Square and Multiply Algorithm can use the Square and Multiply Algorithm
a fast, efficient algorithm for exponentiation a fast, efficient algorithm for exponentiation
concept is based on repeatedly squaring base concept is based on repeatedly squaring base
and multiplying in the ones that are needed to and multiplying in the ones that are needed to
compute the result compute the result
look at binary representation of exponent look at binary representation of exponent
only takes O(log only takes O(log
2 2
n) multiples for number n n) multiples for number n
eg. eg. 7 7
5 5
= = 7 7
4 4
.7 .7
1 1
= = 3.7 3.7 = = 10 10 mod mod 11 11
eg. eg. 3 3
129 129
= = 3 3
128 128
.3 .3
1 1
= = 5.3 5.3 = = 4 4 mod mod 11 11
Exponentiation Exponentiation
Computing Computing a a
b b
mod mod n n
f = 1 f = 1
for i = k for i = k downto downto 0 0
do f = (f x f) mod n do f = (f x f) mod n
if b if b
i i
== 1 == 1 then then
f = (f x a) mod n f = (f x a) mod n
return f return f
Here, integer Here, integer b b is the is the bitstring bitstring b b
k k
b b
k k- -1 1
b b
0 0
Efficient Encryption Efficient Encryption
encryption uses exponentiation to power encryption uses exponentiation to power e e
hence if hence if e e small, this will be faster small, this will be faster
often choose often choose e e = = 65537 65537 (2 (2
16 16
- - 1) 1)
also see choices of also see choices of e e = = 3 3 or or e e = = 17 17
but if but if e e too small ( too small (eg eg. . e e = = 3 3) can attack ) can attack
using Chinese remainder theorem and 3 using Chinese remainder theorem and 3
messages with different messages with different moduli moduli
if if e e fixed must ensure fixed must ensure GCD(e, GCD(e, (n (n)) )) = = 1 1
ie ie reject any reject any p p or or q q where where p p- -1 1 or or q q- -1 1 are not are not
relatively prime to relatively prime to e e
Efficient Decryption Efficient Decryption
decryption uses exponentiation to power decryption uses exponentiation to power d d
this is likely large, insecure if not this is likely large, insecure if not
can use the Chinese Remainder Theorem can use the Chinese Remainder Theorem
(CRT) to compute (CRT) to compute mod mod p p and and mod mod q q
separately; then combine to get answer separately; then combine to get answer
approx 4 times faster than doing directly approx 4 times faster than doing directly
only owner of private key who knows only owner of private key who knows
values of values of p p and and q q can use this technique can use this technique
RSA Key Generation RSA Key Generation
users of RSA must: users of RSA must:
determine two primes determine two primes at random at random p,q p,q
select either select either e e or or d d and compute the other and compute the other
primes primes p,q p,q must not be easily derived must not be easily derived
from modulus from modulus n n = = p.q p.q
means must be sufficiently large means must be sufficiently large
typically guess and use probabilistic test typically guess and use probabilistic test
exponents exponents e,d e,d are inverses, so use are inverses, so use
Inverse algorithm to compute the other Inverse algorithm to compute the other
RSA Security RSA Security
possible approaches to attacking RSA are: possible approaches to attacking RSA are:
brute force key search brute force key search - - infeasible given size infeasible given size
of numbers of numbers
mathematical attacks mathematical attacks - - based on difficulty of based on difficulty of
computing computing ( (n n), by factoring modulus ), by factoring modulus n n
timing attacks timing attacks - - on running of decryption on running of decryption
chosen chosen ciphertext ciphertext attacks attacks - - given properties of given properties of
RSA RSA
Factoring Problem Factoring Problem
mathematical approach takes 3 forms: mathematical approach takes 3 forms:
factor factor n n = = p.q p.q, hence compute , hence compute (n (n) ) and then and then d d
determine determine (n (n) ) directly and directly and compute compute d d
find find d d directly directly
currently believe all equivalent to factoring currently believe all equivalent to factoring
have seen slow improvements over the years have seen slow improvements over the years
as of May as of May- -05 best is 200 decimal digits (663) bit with LS 05 best is 200 decimal digits (663) bit with LS
biggest improvement comes from improved algorithm biggest improvement comes from improved algorithm
cf cf QS to GNFS to LS QS to GNFS to LS
currently assume 1024 currently assume 1024- -2048 bit RSA is secure 2048 bit RSA is secure
ensure p, q of similar size and matching other constraints ensure p, q of similar size and matching other constraints
Progress in Progress in Factoring Factoring
Progress Progress
in in
Factoring Factoring
Timing Attacks Timing Attacks
developed by Paul Kocher in mid developed by Paul Kocher in mid- -1990 1990 s s
exploit timing variations in operations exploit timing variations in operations
eg. multiplying by small eg. multiplying by small vs vs large number large number
or or IF's IF's varying which instructions executed varying which instructions executed
infer operand size based on time taken infer operand size based on time taken
RSA exploits time taken in exponentiation RSA exploits time taken in exponentiation
countermeasures countermeasures
use constant exponentiation time use constant exponentiation time
add random delays add random delays
blind values used in calculations blind values used in calculations
Chosen Chosen Ciphertext Ciphertext Attacks Attacks
RSA is vulnerable to a Chosen RSA is vulnerable to a Chosen Ciphertext Ciphertext
Attack (CCA) Attack (CCA)
attacker chooses attacker chooses ciphertexts ciphertexts and gets and gets
decrypted plaintext back decrypted plaintext back
choose choose ciphertext ciphertext to exploit properties of to exploit properties of
RSA to provide info to help cryptanalysis RSA to provide info to help cryptanalysis
can counter with random pad of plaintext can counter with random pad of plaintext
or use Optimal Asymmetric Encryption or use Optimal Asymmetric Encryption
Padding (OASP) Padding (OASP)
Optimal Optimal
Asymmetric Asymmetric
Encryption Encryption
Padding Padding
(OASP) (OASP)