
CSc 466/566 Computer Security
7 : Cryptography — Public Key Algorithms
Version: 2012/02/15 16:15:24
Christian Collberg
Department of Computer Science, University of Arizona
[email protected]
Copyright © 2012 Christian Collberg

Outline
1 Introduction
2 RSA
  Algorithm
  Example
  Correctness
  Security
3 GPG
4 Elgamal
  Algorithm
  Example
  Correctness
  Security
5 Diffie-Hellman Key Exchange
  Diffie-Hellman Key Exchange
  Example
  Correctness
  Security
6 Summary

History of Public Key Cryptography
RSA Conference 2011 - Opening - Giants Among Us:
http://www.youtube.com/watch?v=mvOsb9vNIWM&feature=related
Rivest, Shamir, Adleman - The RSA Algorithm Explained:
http://www.youtube.com/watch?v=b57zGAkNKIc
Bruce Schneier - Who are Alice & Bob?:
http://www.youtube.com/watch?v=BuUSi_QvFLY&feature=related
Adventures of Alice & Bob - Alice Gets Lost:
http://www.youtube.com/watch?v=nULAC_g22So
http://www.youtube.com/watch?v=nJB7a79ahGM

Public-key Algorithms
Definition (Public-key Algorithms)
Public-key cryptographic algorithms use different keys for encryption and decryption.
Bob's public key: P_B
Bob's secret key: S_B
  E_{P_B}(M) = C
  D_{S_B}(C) = M
  D_{S_B}(E_{P_B}(M)) = M


Public Key Protocol
Key-management is the main problem with symmetric algorithms: Bob and Alice have to somehow agree on a key to use.
In public key cryptosystems there are two keys, a public one used for encryption and a private one for decryption.
1 Alice and Bob agree on a public key cryptosystem.
2 Bob sends Alice his public key, or Alice gets it from a public database.
3 Alice encrypts her plaintext using Bob's public key and sends it to Bob.
4 Bob decrypts the message using his private key.

Public Key Encryption Protocol...
[Figure: Alice turns plaintext into ciphertext with Bob's public key P_B; Bob turns it back into plaintext with his secret key S_B; Eve watches the channel between them.]

Public Key Encryption: Key Distribution
[Figure: Alice (S_A, P_A), Bob (S_B, P_B), Carol (S_C, P_C) and Dave (S_D, P_D) each keep their own private key and hold the public keys of the others: Alice has P_B, P_C, P_D, Bob has P_A, P_C, P_D, and so on.]
Advantages: n key pairs to communicate between n parties.
Disadvantages: Ciphers (RSA, ...) are slow; keys are large.

A Hybrid Protocol
In practice, public key cryptosystems are not used to encrypt messages; they are simply too slow.
Instead, public key cryptosystems are used to encrypt keys for symmetric cryptosystems. These are called session keys, and are discarded once the communication session is over.
1 Bob sends Alice his public key.
2 Alice generates a session key K (from a cryptographic random number generator), encrypts it with Bob's public key, and sends it to Bob.
3 Bob decrypts the message using his private key to get the session key K.
4 Both Alice and Bob communicate by encrypting their messages using K.
Step 1 assumes Alice can verify that the key really is Bob's; if an attacker can substitute her own public key there, she learns K. Compare the man-in-the-middle attack on Diffie-Hellman in Section 5.
Hybrid Encryption Protocol...
[Figure: Alice encrypts the session key K under P_B and sends E_{P_B}(K); Bob recovers K with S_B. The message M then travels as E_K(M) and Bob decrypts it with K.]

RSA
RSA is the best known public-key cryptosystem. Its security is based on the (believed) difficulty of factoring large numbers.
Plaintexts and ciphertexts are large numbers (1000s of bits).
Encryption and decryption is done using modular exponentiation.

RSA: Algorithm
Bob (Key generation):
1 Generate two large random primes p and q.
2 Compute n = pq.
3 Compute φ(n) = (p − 1)(q − 1).
4 Select a small odd integer e relatively prime with φ(n).
5 Compute d = e^{-1} mod φ(n).
P_B = (e, n) is Bob's RSA public key.
S_B = (d, n) is Bob's RSA private key.
Alice (encrypt and send a message M to Bob):
1 Get Bob's public key P_B = (e, n).
2 Compute C = M^e mod n.
Bob (decrypt a message C received from Alice):
1 Compute M = C^d mod n.


RSA: Algorithm Notes
How should we choose e?
  It doesn't matter for security; everybody could use the same e. (This holds for properly padded messages; a very small e applied to a small, unpadded M is attackable, because if M^e < n there is no modular reduction and an ordinary e-th root recovers M.)
  It matters for performance: 3, 17, or 65537 are good choices.
n is referred to as the modulus, since it's the n of mod n.
You can only encrypt messages M < n. Thus, to encrypt larger messages you need to break them into pieces, each < n.
Throw away p, q, and φ(n) after the key generation stage.
Encrypting and decrypting requires a single modular exponentiation.

RSA Example: Key Generation
1 Select two primes: p = 47 and q = 71.
2 Compute n = pq = 3337.
3 Compute φ(n) = (p − 1)(q − 1) = 3220.
4 Select e = 79.
5 Compute
  d = e^{-1} mod φ(n)
    = 79^{-1} mod 3220
    = 1019
6 P = (79, 3337) is the RSA public key.
7 S = (1019, 3337) is the RSA private key.

RSA Example: Encryption
1 Encrypt M = 6882326879666683.
2 Break up M into 3-digit blocks:
  m = ⟨688, 232, 687, 966, 668, 003⟩
  Note the padding at the end.
3 Encrypt each block:
  c_1 = m_1^e mod n
      = 688^79 mod 3337
      = 1570
  We get:
  c = ⟨1570, 2756, 2091, 2276, 2423, 158⟩

RSA Example: Decryption
1 Decrypt each block:
  m_1 = c_1^d mod n
      = 1570^1019 mod 3337
      = 688


In-Class Exercise: Goodrich & Tamassia R-8.18
Show the result of encrypting M = 4 using the public key (e, n) = (3, 77) in the RSA cryptosystem.

In-Class Exercise: Goodrich & Tamassia R-8.20
Alice is telling Bob that he should use a pair of the form
  (3, n)
or
  (16385, n)
as his RSA public key if he wants people to encrypt messages for him from their cell phones.
As usual, n = pq, for two large primes, p and q.
What is the justification for Alice's advice?

In-Class Exercise: Stallings pp. 270-271
1 Generate an RSA key-pair using p = 17, q = 11, e = 7.
2 Encrypt M = 88.
3 Decrypt the result from 2.

RSA Correctness
We have
  C = M^e mod n
  M = C^d mod n.
To show correctness we have to show that decryption of the ciphertext actually gets the plaintext back, i.e. that, for all M < n,
  C^d mod n = (M^e)^d mod n
            = M^{ed} mod n
            = M
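The algorithm, the worked example and the two exercises above can all be run through the same few lines of textbook RSA. The block below is an added example for this page, not code from the original slides; it uses only the Python standard library (pow with a negative exponent for the modular inverse) and the lecture's own numbers. The decimal block splitting mirrors the slide's 688 232 687 966 668 003, with the last block carried as the number 3 and the original digit count supplied at decryption time, since textbook RSA itself carries no length information.

```python
"""Textbook RSA as on the slides: key generation, blockwise encryption and
decryption, run on the lecture's own numbers. Added example for this page,
not code from the original slides. Only pow and gcd from the standard
library are used.
"""
from math import gcd


def rsa_keygen(p: int, q: int, e: int):
    """Return ((e, n), (d, n)) for primes p, q and public exponent e.

    phi(n) is computed first, because e has to be relatively prime to it;
    d is the inverse of e modulo phi(n) (extended Euclid, via pow(e, -1, phi)).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError(f"e={e} is not relatively prime to phi(n)={phi}")
    d = pow(e, -1, phi)
    return (e, n), (d, n)


def rsa_encrypt_block(m: int, public_key) -> int:
    """C = M^e mod n; the block must be smaller than the modulus."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError(f"block {m} is not below n={n}")
    return pow(m, e, n)


def rsa_decrypt_block(c: int, private_key) -> int:
    """M = C^d mod n."""
    d, n = private_key
    return pow(c, d, n)


def split_decimal(message: int, digits: int) -> list[int]:
    """Cut a decimal number into blocks of `digits` digits from the left; the
    last block holds whatever is left (6882326879666683 gives
    688 232 687 966 668 3, printed as 003 on the slide)."""
    s = str(message)
    return [int(s[i:i + digits]) for i in range(0, len(s), digits)]


def join_decimal(blocks: list[int], digits: int, length: int) -> int:
    """Inverse of split_decimal. `length` (digit count of the original number)
    is needed because textbook RSA carries no length information."""
    s = "".join(str(b).zfill(digits) for b in blocks[:-1])
    s += str(blocks[-1]).zfill(length - len(s))
    return int(s)


def rsa_encrypt_message(message: int, public_key, digits: int = 3) -> list[int]:
    return [rsa_encrypt_block(m, public_key) for m in split_decimal(message, digits)]


def rsa_decrypt_message(blocks: list[int], private_key, length: int, digits: int = 3) -> int:
    return join_decimal([rsa_decrypt_block(c, private_key) for c in blocks], digits, length)


if __name__ == "__main__":
    pub, priv = rsa_keygen(47, 71, 79)
    print(pub, priv)                               # (79, 3337) (1019, 3337)
    c = rsa_encrypt_message(6882326879666683, pub)
    print(c)                                       # [1570, 2756, 2091, 2276, 2423, 158]
    print(rsa_decrypt_message(c, priv, 16))        # 6882326879666683
    print(rsa_encrypt_block(4, (3, 77)))           # 64: 4^3 < 77, so no reduction happened
```

Note what the R-8.18 numbers show: 4^3 = 64 is smaller than n = 77, so the "ciphertext" is the plain cube of the message and an integer cube root undoes it. That is the small-e, unpadded-message caveat from the algorithm notes made concrete.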


RSA Correctness: Case 1
From the key generation step we have
  d = e^{-1} mod φ(n)
from which we can conclude that
  ed mod φ(n) = 1
  ed = kφ(n) + 1
Case 1, M is relatively prime to n:
  C^d mod n = M^{ed} mod n
            = M^{kφ(n)+1} mod n
            = M · (M^{φ(n)})^k mod n
            = M · 1^k mod n
            = M mod n
            = M

RSA Correctness: Case 1...
M^{φ(n)} mod n = 1 follows from Euler's theorem.
Theorem (Euler)
Let x be any positive integer that's relatively prime to the integer n > 0, then
  x^{φ(n)} mod n = 1

RSA Correctness: Case 2
Assume that M is not relatively prime to n, i.e. M has some factor in common with n. Since M < n, M cannot be a multiple of n itself, so there are two cases:
1 M is relatively prime with q and M = ip, or
2 M is relatively prime with p and M = iq.
We consider only the first case; the second is similar.

RSA Correctness: Case 2...
We have that
  φ(n) = φ(pq) = φ(p)φ(q)
By Euler's theorem (M is relatively prime to q) we have that
  M^{kφ(n)} mod q = M^{kφ(p)φ(q)} mod q
                  = (M^{kφ(p)})^{φ(q)} mod q
                  = 1
Thus, for some integer h,
  M^{kφ(n)} = 1 + hq
Multiply both sides by M:
  M · M^{kφ(n)} = M(1 + hq)
  M^{kφ(n)+1} = M + Mhq

RSA Correctness: Case 2...
We can now prove Case 2, for M = ip:
  C^d mod n = M^{ed} mod n
            = M^{kφ(n)+1} mod n
            = (M + Mhq) mod n
            = (M + (ip)hq) mod n
            = (M + (ih)pq) mod n
            = (M + (ih)n) mod n
            = (M mod n) + ((ih)n mod n)
            = M mod n
            = M

RSA Security
Summary:
1 Compute n = pq, p and q prime.
2 Compute φ(n) = (p − 1)(q − 1).
3 Select a small odd integer e relatively prime with φ(n).
4 Compute d = e^{-1} mod φ(n).
5 P_B = (e, n) is Bob's RSA public key.
6 S_B = (d, n) is Bob's RSA private key.
Everyone, including an attacker, knows Bob's P_B, and therefore e and n.
If she can compute d from e and n, she has Bob's private key.
If she knew φ(n) = (p − 1)(q − 1) she could compute d = e^{-1} mod φ(n) using Euclid's algorithm.
If she could factor n, she'd get p and q!

Security of Cryptosystems by Failed Cryptanalysis
1 Propose a cryptographic scheme.
2 If an attack is found, patch the scheme. GOTO 2.
3 If enough time has passed ⇒ The scheme is secure!
How long is enough?
1 It took 5 years to break the Merkle-Hellman cryptosystem.
2 It took 10 years to break the Chor-Rivest cryptosystem.

RSA Security...
If we can factor n, we can find p and q and the scheme is broken.
As far as we know, factoring is hard. (The converse is not known: nobody has proved that breaking RSA requires factoring n; factoring is simply the best attack we have.)
We need n to be large enough, 2,048 bits.
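The two sentences "if she knew φ(n) she could compute d" and "if she could factor n, she'd get p and q" are the whole attack, and on the lecture's toy modulus it runs in microseconds. The block below is an added example for this page, not code from the slides: it factors n by trial division (which only works for toy sizes; real moduli need the number field sieve), derives d exactly as key generation does, and also shows the other direction, that φ(n) alone gives p and q as the roots of a quadratic.

```python
"""Why RSA stands or falls with factoring: from the public key (e, n) alone,
factoring n yields phi(n) and then d; and knowing phi(n) is equivalent to
knowing p and q. Added example for this page, not code from the slides.
Trial division is used on purpose so the attack fits in a few lines; it is
hopeless for real 2048-bit moduli.
"""
from math import isqrt


def factor_trial(n: int) -> tuple[int, int]:
    """Return (p, q) with p <= q and n = p*q, by trial division (toy sizes)."""
    if n % 2 == 0:
        return 2, n // 2
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError(f"{n} has no nontrivial factor")


def private_exponent_from_factors(e: int, p: int, q: int) -> int:
    """'If she could factor n, she'd get p and q': phi(n), then d = e^-1 mod phi(n)."""
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def factors_from_phi(n: int, phi: int) -> tuple[int, int]:
    """'If she knew phi(n)': since p + q = n - phi(n) + 1 and pq = n,
    p and q are the roots of x^2 - (n - phi + 1)x + n = 0."""
    s = n - phi + 1                 # p + q
    disc = s * s - 4 * n            # (p - q)^2
    r = isqrt(disc)
    if r * r != disc:
        raise ValueError("phi is not phi(n) of a two-prime modulus")
    return (s - r) // 2, (s + r) // 2


def recover_private_key(public_key: tuple[int, int]) -> tuple[int, int]:
    """Full attack on a toy public key: factor n, derive d, return (d, n)."""
    e, n = public_key
    p, q = factor_trial(n)
    return private_exponent_from_factors(e, p, q), n


if __name__ == "__main__":
    print(factor_trial(3337))                 # (47, 71)
    print(recover_private_key((79, 3337)))    # (1019, 3337): Bob's private key
    print(factors_from_phi(3337, 3220))       # (47, 71)
```

This is also why the algorithm notes say to throw p, q and φ(n) away after key generation: any of the three is as good as the private key.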


RSA Factoring Challenge
http://www.rsa.com/rsalabs/node.asp?id=2093

Name: RSA-576
Digits: 174
188198812920607963838697239461650439807163563379417382700763356422988859715234665485319060606504743045317388011303396716199692321205734031879550656996221305168759307650257059

On December 3, 2003, a team of researchers in Germany and several other countries reported a successful factorization of the challenge number RSA-576.
The factors are
398075086424064937397125500550386491199064362342526708406385189575946388957261768583317
472772146107435302536223071973048224632914695302097116459852171130520711256363590397527

RSA Factoring Challenge...
Name: RSA-640
Digits: 193
3107418240490043721350750035888567930037346022842727545720161948823206440518081504556346829671723286782437916272838033415471073108501919548529007337724822783525742386454014691736602477652346609

The factoring research team of F. Bahr, M. Boehm, J. Franke, T. Kleinjung continued its productivity with a successful factorization of the challenge number RSA-640, reported on November 2, 2005.
The factors are:
1634733645809253848443133883865090859841783670033092312181110852389333100104508151212118167511579
1900871281664822113126851573935413975471896789968515493666638539088027103802104498957191261465571
The effort took approximately 30 2.2GHz-Opteron-CPU years according to the submitters, over five months of calendar time.

RSA Factoring Challenge...
Name: RSA-704
Digits: 212
74037563479561712828046796097429573142593188889231289084936232638972765034028266276891996419625117843995894330502127585370118968098286733173273108930900552505116877063299072396380786710086096962537934650563796359

Name: RSA-768
Digits: 232
1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413

Name: RSA-896
Digits: 270
412023436986659543855531365332575948179811699844327982845455626433876445565248426198098870423161841879261420247188869492560931776375033421130982397485150944909106910269861031862704114880866970564902903653658867433731720813104105190864254793282601391257624033946373269391

Name: RSA-1024
Digits: 309
135066410865995223349603216278805969938881475605667027524485143851526510604859533833940287150571909441798207282164471551373680419703964191743046496589274256239341020864383202110372958725762358509643110564073501508187510676594629205563685529475213500852879416377328533906109750544334999811150056977236890927563

RSA Factoring Challenge...
Name: RSA-1536
Digits: 463
1847699703211741474306835620200164403018549338663410171471785774910651696711161249859337684305435744585616061544571794052229717732524660960646946071249623720442022269756756687378427562389508764678440933285157496578843415088475528298186726451339863364931908084671990431874381283363502795470282653297802934916155811881049844908319545009848393775227257052578591944993870073695755688436933812779613089230392569695253261620823676490316036551371447913932347169566988069

Name: RSA-2048
Digits: 617
25195908475657893494027183240048398571429282126204032027777137836043662020707595556264018525880784406918290641249515082189298559149176184502808489120072844992687392807287776735971418347270261896375014971824691165077613379859095700097330459748808428401797429100642458691817195118746121515172654632282216869987549182422433637259085141865462043576798423387184774447920739934236584823824281198163815010674810451660377306056201619676256133844143603833904414952634432190114657544454178424020924616515723350778707749817125772467962926386356373289912154831438167899885040445364023527381951378636564391212010397122822120720357

Of the numbers listed as open above, RSA-768 (232 digits, 768 bits) was factored in December 2009 and RSA-704 in July 2012, after these slides were written; RSA-896 and larger have not been factored. The progression from 576 to 768 bits in six years is the practical reason a 1024-bit modulus is no longer considered adequate and 2048 bits is the floor.
RSA Security: How to use RSA
Two plaintexts M_1 and M_2 are encrypted into ciphertexts C_1 and C_2.
But, RSA is deterministic!
If C_1 = C_2 then we know that M_1 = M_2!
Worse, anyone holding the public key can encrypt guessed plaintexts and compare them with C_1, so a message drawn from a small set (a yes/no answer, a PIN, a name from a directory) is recovered without touching the private key. This is why RSA is never used "textbook" style: the message is first randomised by a padding scheme such as RSA-OAEP (PKCS#1 v2), so that the same M encrypts to a different C every time.
Also, side-channel attacks are possible against RSA, for example by measuring the time taken to decrypt or sign (the operations that use the secret exponent d).
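The determinism problem is easy to see on the lecture's toy key P = (79, 3337). The block below is an added example for this page, not code from the slides: Eve links equal ciphertexts without decrypting anything, then recovers a plaintext from a small candidate set by encrypting each candidate herself. The constructed scenario (votes encoded as 0, 1, 2) is an assumption for the demo. The random-prefix variant at the end only shows why padding must be randomised; it is not a substitute for a real padding scheme such as RSA-OAEP.

```python
"""Textbook RSA is deterministic: one plaintext, one ciphertext. Anyone who
can enumerate the plaintext space needs no private key. Added example for
this page, not code from the slides; uses the lecture's toy key (79, 3337).
"""
import secrets

PUBLIC_KEY = (79, 3337)
PRIVATE_KEY = (1019, 3337)      # from the key-generation example; Eve does not need it


def encrypt(m: int, public_key=PUBLIC_KEY) -> int:
    e, n = public_key
    return pow(m, e, n)


def linked_ciphertexts(cs: list[int]) -> list[tuple[int, int]]:
    """Pairs (i, j), i < j, with C_i == C_j. Equal ciphertexts mean equal plaintexts."""
    return [(i, j) for i in range(len(cs)) for j in range(i + 1, len(cs)) if cs[i] == cs[j]]


def guess_plaintext(c: int, candidates, public_key=PUBLIC_KEY):
    """Eve's attack: encrypt each candidate under the public key and compare
    with the observed ciphertext. Returns the matching plaintext or None."""
    for m in candidates:
        if encrypt(m, public_key) == c:
            return m
    return None


def encrypt_with_random_prefix(m: int, public_key=PUBLIC_KEY, prefix_bits: int = 4) -> int:
    """Toy randomisation (assumption for the demo, NOT a real padding scheme):
    a fresh random nonce is prepended so the same m encrypts differently each
    time. 4 nonce bits + 7 message bits = 11 bits, and 2^11 = 2048 < n = 3337."""
    if not 0 <= m < 128:
        raise ValueError("toy demo handles 7-bit messages only")
    nonce = secrets.randbelow(1 << prefix_bits)
    return encrypt((nonce << 7) | m, public_key)


def decrypt_with_random_prefix(c: int, private_key=PRIVATE_KEY) -> int:
    """Bob decrypts and discards the nonce, keeping the low 7 bits."""
    d, n = private_key
    return pow(c, d, n) & 0x7F


if __name__ == "__main__":
    # Constructed scenario: five encrypted votes, 0 = no, 1 = yes, 2 = abstain.
    votes = [1, 0, 1, 2, 1]
    cs = [encrypt(v) for v in votes]
    print(linked_ciphertexts(cs))             # [(0, 2), (0, 4), (2, 4)]: same vote, visibly
    print(guess_plaintext(cs[3], range(3)))   # 2, recovered with the public key alone
    print(encrypt_with_random_prefix(1), encrypt_with_random_prefix(1))   # differ almost always
    print(decrypt_with_random_prefix(encrypt_with_random_prefix(1)))      # 1
```

Two further giveaways of unpadded RSA are visible in the same code: M = 0 and M = 1 encrypt to themselves for every key, and guess_plaintext costs one public-key operation per candidate, so the work is bounded by the size of the message space, not by the key size.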

Software – GPG
gpg (GnuPG) is a free, GPL-licensed implementation of the OpenPGP standard used by PGP.
Supported algorithms:
  Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
  Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
  Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
  Compression: Uncompressed, ZIP, ZLIB, BZIP2
http://www.gnupg.org

Key generation: Bob
> gpg --gen-key
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
What keysize do you want? (2048)
Key is valid for? (0)
Key does not expire at all
Real name: Bobby
Email address: [email protected]
Comment: recipient
You need a Passphrase to protect your secret key.
Enter passphrase: Bob rocks
Repeat passphrase: Bob rocks


Key generation: Alice
> gpg --gen-key
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
What keysize do you want? (2048)
Key is valid for? (0)
Key does not expire at all
Real name: Alice
Email address: [email protected]
Comment: sender
You need a Passphrase to protect your secret key.
Enter passphrase: Alice is cute
Repeat passphrase: Alice is cute

Exporting the Key
> gpg --armor --export Bobby
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (Darwin)

mQENBE83U28BCADTVOkHpNjWzk7yEzMhiNJcmOtmUYfn4hzgYTDsP2otI0UhfJ4q
EZCuPoxECIZ479k3YpBvZM2JC48Ht9j1kVnDPLCrongyRdSko0AwG7OYAyHWa7/U
SeGwjZ+0MUuM3SwqHdo1/0XS3P8LABTQNXtrQf9kF8UNLIaHr1IvBcae1K44MPL6
................................................................
EBHmAM7iiWgWI6/6qEmN46ZQEmoR86vWhQL3LQ6p/FUaBA==
=FZ78
-----END PGP PUBLIC KEY BLOCK-----

Encryption
We can encrypt a message using Bobby's key:
> cat message
Attack at dawn
> gpg --recipient bobby --armor --encrypt message
> cat message.asc
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.11 (Darwin)

hQEMA97v9lbZUpHvAQf/a9QklXMiMzBWy5yyZBtNrg7FcrIqx+gXVVUXNN86tZtE
RF42elwU6QwamDzfcOHqp+3zeor4Y5xN+/pL91xti6uwFOhgGrCGJq//AfUKgQyk
MH2e4gR8Y1BuPm9b1c7uzXxRMMOUBBt75KquYGOBLybsP29ttD9iL/ZJl1zSPjSj
El7O0Gp7PqEBotStVOtuknYW/fX0zXndU8XNllKnsnZn21Xm0rMQcFMu8Do/tF5I
lRfTEcL4S9tV4vshgXhNSpTg9sZs1UZynvU2cJqyYkCtgT7TdtrK3fTa8UN+CYQv
U2QRnaNtFhYwBMonFqhefNzDqeZb+P0RqOuoDllYuNJRAViJ3CLjT7kwgBgRtNfY
RkGArQQmgrknW2jq/Y2GZTE8CC7pNXY8U3KYMl9hRA6U5fMp08ndFp8vowBbB2sw
zjxjSY7ZeIR2uwxdLYydtW4m
=B+JA
-----END PGP MESSAGE-----

Decryption
Bobby can now decrypt the message using his private key:
> gpg --decrypt message.asc
You need a passphrase to unlock the secret key for
user: "Bobby (recipient) <[email protected]>"
2048-bit RSA key, ID D95291EF, created 2012-02-12 (main key ID 9974031B)
Enter passphrase: Bob rocks
gpg: encrypted with 2048-bit RSA key, ID D95291EF, created 2012-02-12
      "Bobby (recipient) <[email protected]>"
Attack at dawn
The keyring
> gpg --list-keys
/Users/collberg/.gnupg/pubring.gpg
----------------------------------
pub   2048R/9974031B 2012-02-12
uid                  Bobby (recipient) <[email protected]>
sub   2048R/D95291EF 2012-02-12

pub   2048R/4EC8A0CB 2012-02-12
uid                  Alice (sender) <[email protected]>
sub   2048R/B901E082 2012-02-12

The keyring...
> gpg --list-secret-keys
/Users/collberg/.gnupg/secring.gpg
----------------------------------
sec   2048R/9974031B 2012-02-12
uid                  Bobby (recipient) <[email protected]>
ssb   2048R/D95291EF 2012-02-12

sec   2048R/4EC8A0CB 2012-02-12
uid                  Alice (sender) <[email protected]>
ssb   2048R/B901E082 2012-02-12

With the default "RSA and RSA" choice each user has two keys: the primary key (pub/sec) is used for signing and certifying, the subkey (sub/ssb) for encryption. That is why the message above was encrypted to D95291EF rather than to Bob's main key ID 9974031B.

Sign and Encrypt
Bob can sign his message before sending it to Alice:
> gpg -se --recipient alice --armor message
You need a passphrase to unlock the secret key for
user: "Bobby (recipient) <[email protected]>"
2048-bit RSA key, ID 9974031B, created 2012-02-12
Enter passphrase: Bob rocks
> cat message.asc
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.11 (Darwin)

hQEMA7osp1S5AeCCAQgAsSqSs+Urf0f3KHTtP7cqTwugpcJ9oUAGkw/KQ0DHIE0v
................................................................
8XEAaCwZ8aZK1lXhqBSd/9hCm9Mup2NECihO8crVyff7NTWFyaTBeGAm10q3y46o
QpIgPbcdYZqIt8e/8wPU6xlMZUStzxBKLB+Rj/Zg35ZVioYL
=oiv8
-----END PGP MESSAGE-----

Check Signature and Decrypt
Alice can now decrypt the message and check the signature:
> gpg --decrypt message.asc
You need a passphrase to unlock the secret key for
user: "Alice (sender) <[email protected]>"
2048-bit RSA key, ID B901E082, created 2012-02-12 (main key ID 4EC8A0CB)
Enter passphrase: Alice is cute
gpg: encrypted with 2048-bit RSA key, ID B901E082, created 2012-02-12
      "Alice (sender) <[email protected]>"
Attack at dawn
gpg: Signature made Sat Feb 11 23:10:59 2012 MST
gpg:                using RSA key ID 9974031B
gpg: Good signature from "Bobby (recipient) <[email protected]>"

"Good signature" means only that the signature verifies under the key 9974031B held in the local keyring. Whether that key really belongs to Bob is a separate question, settled by how the key was obtained and validated (gpg prints a warning when the signing key is not certified by a trusted signature); here both keys were generated in the same keyring, so no such warning appears.
Symmetric Encryption Only
> gpg --cipher-algo=AES --armor --symmetric message
Enter passphrase: sultana
Repeat passphrase: sultana
> cat message.asc
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.11 (Darwin)

jA0EBwMCgZ3PBfSZxJlg0ksBBooTMLEVQ2q9HkTR5y9FIoX9nbsyohrOXeQLFlcf
wtWcg+dZvlMS6D7OE3wZCeW2LX50kYcU17MUc8wnJLDAzAdRqPAgDma+sP4=
=UtI4
-----END PGP MESSAGE-----
> gpg message.asc
gpg: AES encrypted data
Enter passphrase: sultana
gpg: encrypted with 1 passphrase
> cat message
Attack at dawn
In this mode the AES key is derived from the passphrase, so the security of the file is the entropy of the passphrase, not the 128 bits of the AES key.

Deleting Keys
> gpg --delete-secret-keys bobby
sec  2048R/9974031B 2012-02-12 Bobby (recipient) <[email protected]>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

> gpg --delete-keys bobby
pub  2048R/9974031B 2012-02-12 Bobby (recipient) <[email protected]>
Delete this key from the keyring? (y/N) y
The order matters: gpg refuses to delete a public key while the matching secret key is still on the keyring, so the secret key goes first.

Generating Primes
Generate a prime number of the given number of bits:
> gpg --gen-prime 1 16
C4B7
> gpg --gen-prime 1 1024
D34D4347ED013242EE06811BC561C6587D75ADE33D1BEC954D648E22
9D88B5E0AF1394459FB48B135B99C8BA8C50E5331C6226CBF6D70031
4A8CC84C7B363BE7DD7BBBB29E545D199339263F5FB2E9F1B84BA9D5
05B5B79858FC6149CF09E6C56D9730C3BD1E62B378C8DFAF4233B8DC
BA999A21EC9C4BF8C60AACDCBC607AC5

Generating Random Numbers
Generate 100 (base64 encoded) random bytes:
> gpg --armour --gen-random 0 100
e0zAVl6jbe/Dma9VF20lMgZxE1RA4S8TwNwu6KP8+o1kjdtBm2
AjKFSVsj/d3zG/9KqmNj7j6symEUZ3e0fWZaWqLBxzJuSur5sK
C8omfPus2QtYJJNOgVbpJ7X9L4t1iNJtnw==
The first argument is the quality level: 0 is the weakest and is meant for non-secret values; key material should be drawn at level 1 or 2.


Print Message Digests
> gpg --print-mds message
   MD5 = 36 D1 A5 12 17 CD 34 FC 04 F5 6C C4 91 39 C7 59
  SHA1 = 6DA4 473A 00CE 7AB6 7B6F 884D 1E75 6633 C21A 56DB
RMD160 = D1DE 4194 C0CD 3AED 30F3 38CD 68F3 800F CCF0 3B87
SHA224 = B4E94780 1AA1A9C3 418F72D8 651BA995 83284003 EBEE183A 589702EE
SHA256 = B83EF405 07696578 9D4BBDA7 D7932700 5F2AE6CB A2696FDE 69694D12 AFE70E4A
SHA384 = 7AC39A0C 945844F1 1316BB46 C9FC7EEA E892A178 2D20E4CA E7BE686C 1A091C8C F1BBDFD1 3D42BEA2 88AF5A4F E3705474
SHA512 = 9CA1EB88 F064CB0D 536254B2 5755919F 45564276 96CA27A0 389E4817 53F81DC2 3222488D 7D11F3DD C066B9E8 027F3870 395A2561 157DDC38 BD679D37 C2E361CC

Goal: Read a message encrypted with gpg
1 Decrypt the message itself (OR)
2 Determine symmetric key used to encrypt the message by other means (OR)
3 Get recipient to help decrypt message (OR)
4 Obtain private key of recipient.
http://www.schneier.com/paper-attacktrees-fig7.html

Goal: Read a message encrypted with gpg...
Decrypt the message itself:
1 Break asymmetric encryption (OR)
  1 Brute force break asymmetric encryption (OR)
  2 Mathematically break asymmetric encryption (OR)
    1 Break RSA (OR)
    2 Factor RSA modulus/calculate Elgamal discrete log
  3 Cryptanalyze asymmetric encryption (OR)
    1 General cryptanalysis of RSA/Elgamal (OR)
    2 Exploit weakness in RSA/Elgamal (OR)
    3 Timing attack on RSA/Elgamal
2 Break symmetric-key encryption
  1 Brute force break symmetric-key encryption
  2 Cryptanalysis of symmetric-key encryption

Goal: Read a message encrypted with gpg...
Determine symmetric key by other means:
1 Fool sender into encrypting message using public key whose private key is known (OR)
  1 Convince sender that fake key (with known private key) is the key of the intended recipient
  2 Convince sender to encrypt with more than one key—the real key of the recipient and a key whose private key is known.
  3 Have the message encrypted with a different public key in the background, unbeknownst to the sender.
2 Have the recipient sign the encrypted public key (OR)
3 Monitor the sender's computer memory (OR)
4 Monitor the receiver's computer memory (OR)
5 Determine key from pseudo-random number generator (OR)
  1 Determine state of randseed during encryption (OR)
  2 Implant virus that alters the state of randseed. (OR)
  3 Implant software that affects the choice of symmetric key.
6 Implant virus that exposes public key.

Goal: Read a message encrypted with gpg...
Get recipient to help decrypt message:

Goal: Read a message encrypted with gpg...
Obtain private key of recipient:

Goal: Read a message encrypted with PGP
"What immediately becomes apparent from the attack tree is that breaking the RSA or IDEA encryption algorithms are not the most profitable attacks against PGP. There are many ways to read someone's PGP-encrypted messages without breaking the cryptography. You can capture their screen when they decrypt and read the messages (using a Trojan horse like Back Orifice, a TEMPEST receiver, or a secret camera), grab their private key after they enter a passphrase (Back Orifice again, or a dedicated computer virus), recover their passphrase (a keyboard sniffer, TEMPEST receiver, or Back Orifice), or simply try to brute force their passphrase (I can assure you that it will have much less entropy than the 128-bit IDEA keys that it generates)."

Goal: Read a message encrypted with PGP...
"In the scheme of things, the choice of algorithm and the key length is probably the least important thing that affects PGP's overall security. PGP not only has to be secure, but it has to be used in an environment that leverages that security without creating any new insecurities."
http://www.schneier.com/paper-attacktrees-fig7.html


Elgamal
The Elgamal cryptosystem relies on the inherent difficulty of calculating discrete logarithms.
It is a probabilistic scheme:
  a particular plaintext can be encrypted into multiple different ciphertexts;
  ⇒ ciphertexts become twice the length of the plaintext.

Elgamal: Algorithm
Bob (Key generation):
1 Pick a prime p.
2 Find a generator g for Z_p^* (the nonzero residues modulo p).
3 Pick a random number x between 1 and p − 2.
4 Compute y = g^x mod p.
P_B = (p, g, y) is Bob's Elgamal public key.
S_B = x is Bob's Elgamal private key.
Alice (encrypt and send a message M to Bob):
1 Get Bob's public key P_B = (p, g, y).
2 Pick a random number k between 1 and p − 2.
3 Compute the ciphertext C = (a, b):
  a = g^k mod p
  b = M y^k mod p
Bob (decrypt a message C = (a, b) received from Alice):
1 Compute M = b (a^x)^{-1} mod p.

Elgamal: Algorithm Notes
Alice must choose a different random number k for every message, or she'll leak information: two messages encrypted with the same k share the same a, and b_1 / b_2 = M_1 / M_2 mod p, so anyone who learns one of the plaintexts gets the other.
Bob doesn't need to know the random value k to decrypt.
Each message has p − 1 possible different encryptions.
The division in the decryption can be avoided by use of Fermat's little theorem (a^{p−1} = 1 mod p, a special case of Lagrange's theorem), which gives (a^x)^{-1} = a^{p−1−x}:
  M = b · (a^x)^{-1} mod p
    = b · a^{p−1−x} mod p
Elgamal: Finding the generator
Computing a generator is, in general, hard, because checking one requires the prime factorisation of p − 1.
We can make it easier by choosing a prime number with the property that we can factor p − 1.
Then we can test that, for each prime factor p_i of p − 1:
  g^{(p−1)/p_i} mod p ≠ 1
If g is not a generator, then one of these powers will be = 1.

Elgamal Example: Key generation
1 Pick a prime p = 13.
2 Find a generator g = 2 for Z_13 (see next slide).
3 Pick a random number x = 7.
4 Compute y = g^x mod p = 2^7 mod 13 = 11.
5 P_B = (p, g, y) = (13, 2, 11) is Bob's public key.
6 S_B = x = 7 is Bob's private key.

Powers of Integers, Modulo 13
2 is a primitive root modulo 13 because for each integer i ∈ Z_13^* = {1, 2, 3, ..., 12} there's an integer k such that i = 2^k mod 13:

  a | a^1 a^2 a^3 a^4 a^5 a^6 a^7 a^8 a^9 a^10 a^11 a^12
 ---+----------------------------------------------------
  1 |  1   1   1   1   1   1   1   1   1   1    1    1
  2 |  2   4   8   3   6  12  11   9   5  10    7    1
  3 |  3   9   1   3   9   1   3   9   1   3    9    1
  4 |  4   3  12   9  10   1   4   3  12   9   10    1
  5 |  5  12   8   1   5  12   8   1   5  12    8    1
  6 |  6  10   8   9   2  12   7   3   5   4   11    1
  7 |  7  10   5   9  11  12   6   3   8   4    2    1
  8 |  8  12   5   1   8  12   5   1   8  12    5    1
  9 |  9   3   1   9   3   1   9   3   1   3    9    1
 10 | 10   9  12   3   4   1  10   9  12   3    4    1
 11 | 11   4   5   3   7  12   2   9   8  10    6    1
 12 | 12   1  12   1  12   1  12   1  12   1   12    1

(Only the rows for 2, 6, 7 and 11 run through all twelve values; those are the generators of Z_13^*.)

Elgamal Example: Encryption
Encrypt the plaintext message M = 3.
Alice gets Bob's public key P_B = (p, g, y) = (13, 2, 11).
To encrypt:
1 Pick a random number k = 5.
2 Compute:
  a = g^k mod p = 2^5 mod 13 = 6
  b = M y^k mod p = 3 · 11^5 mod 13 = 8
The ciphertext C = (a, b) = (6, 8).
Elgamal Example: Decryption
Bob's private key is S_B = x = 7.
Bob receives the ciphertext C = (a, b) = (6, 8) from Alice.
Bob computes the plaintext M:
  M = b · (a^x)^{-1} mod p
    = b · a^{p−1−x} mod p
    = 8 · 6^{13−1−7} mod 13
    = 8 · 6^5 mod 13
    = 3

In-Class Exercise
Pick the prime p = 13.
Find the generator g = 2 for Z_13.
Pick a random number x = 9.
Compute
  y = g^x mod p = 2^9 mod 13 = 5
P_B = (p, g, y) = (13, 2, 5) is Bob's public key.
S_B = x = 9 is Bob's private key.
1 Encrypt the message M = 11 using the random number k = 10.
2 Decrypt the ciphertext from 1.
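The generator test, key generation, encryption with the division-free decryption, and the "never reuse k" rule from the algorithm notes all fit in one small program. The block below is an added example for this page, not code from the slides; it is checked against the lecture's numbers (p = 13, g = 2, x = 7, k = 5) and the in-class exercise, and its last function shows what an eavesdropper gets when Alice reuses k. The trial-division factoring of p − 1 is fine for toy primes only.

```python
"""Elgamal over Z_p^*: generator test via the prime factors of p - 1, key
generation, encryption, division-free decryption, and the k-reuse leak.
Added example for this page, not code from the slides; toy sizes only.
"""
from typing import Optional
import secrets


def prime_factors(n: int) -> list[int]:
    """Distinct prime factors of n by trial division (toy sizes only)."""
    out, p = [], 2
    while p * p <= n:
        if n % p == 0:
            out.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        out.append(n)
    return out


def is_generator(g: int, p: int) -> bool:
    """g generates Z_p^* iff g^((p-1)/q) != 1 (mod p) for every prime q dividing p-1."""
    if not 1 < g < p:
        return False
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def keygen(p: int, g: int, x: Optional[int] = None):
    """Return ((p, g, y), x); a random x in 1..p-2 is drawn if none is given."""
    if not is_generator(g, p):
        raise ValueError(f"{g} is not a generator modulo {p}")
    if x is None:
        x = 1 + secrets.randbelow(p - 2)
    return (p, g, pow(g, x, p)), x


def encrypt(m: int, public_key, k: Optional[int] = None) -> tuple[int, int]:
    """C = (a, b) = (g^k, M y^k) mod p, with a fresh random k for every message."""
    p, g, y = public_key
    if not 0 <= m < p:
        raise ValueError("message must lie in 0..p-1")
    if k is None:
        k = 1 + secrets.randbelow(p - 2)
    return pow(g, k, p), (m * pow(y, k, p)) % p


def decrypt(c: tuple[int, int], x: int, p: int) -> int:
    """M = b (a^x)^-1 = b a^(p-1-x) mod p; Fermat's little theorem removes the division."""
    a, b = c
    return (b * pow(a, p - 1 - x, p)) % p


def recover_from_reused_k(c1, m1: int, c2, p: int) -> int:
    """k reuse: a1 == a2 and b1/b2 == m1/m2, so knowing m1 gives m2 = m1 * b2 * b1^-1 mod p."""
    a1, b1 = c1
    a2, b2 = c2
    if a1 != a2:
        raise ValueError("the two ciphertexts do not share k")
    return (m1 * b2 * pow(b1, -1, p)) % p


if __name__ == "__main__":
    print([g for g in range(1, 13) if is_generator(g, 13)])   # [2, 6, 7, 11]
    pub, x = keygen(13, 2, 7)
    print(pub, x)                                  # (13, 2, 11) 7
    c = encrypt(3, pub, k=5)
    print(c, decrypt(c, x, 13))                    # (6, 8) 3
    c2 = encrypt(9, pub, k=5)                      # Alice reuses k = 5 for M = 9
    print(recover_from_reused_k(c, 3, c2, 13))     # 9, recovered without x
```

The leak in recover_from_reused_k needs no private key at all: the shared a value tells Eve that the same k was used, and one known plaintext then unmasks every other message encrypted under that k.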

Elgamal Correctness
Show that M = b · (a^x)^{-1} mod p decrypts.
We have that
  a = g^k mod p
  b = M y^k mod p
  y = g^x mod p
We get
  b · (a^x)^{-1} mod p = (M y^k) · ((g^k)^x)^{-1} mod p
                       = (M y^k) · (g^{kx})^{-1} mod p
                       = (M (g^x)^k) · (g^{kx})^{-1} mod p
                       = M g^{kx} · (g^{kx})^{-1} mod p
                       = M g^{kx} · g^{−kx} mod p
                       = M mod p
                       = M

Elgamal Security
The security of the scheme depends on the hardness of solving the discrete logarithm problem.
Generally believed to be hard.
Key Exchange
A key exchange protocol (or key agreement protocol) is a way for parties to share a secret (such as a symmetric key) over an insecure channel.
With an active adversary (who can modify messages) we can't reliably share a secret unless the parties can already authenticate each other's messages.
With a passive adversary (who can only eavesdrop on messages) we can share a secret.
A passive adversary is said to be honest but curious.

Diffie-Hellman Key Exchange
A classic key exchange protocol.
Based on modular exponentiation.
The secret K_1 = K_2 shared by Alice and Bob at the end of the protocol would typically be a shared symmetric key. (In practice the agreed value is passed through a key-derivation function rather than used directly as the key.)

Diffie-Hellman: Algorithm
1 All parties (set-up):
  1 Pick p, a prime number.
  2 Pick g, a generator for Z_p^*.
2 Alice:
  1 Pick a random x ∈ Z_p, x > 0.
  2 Compute X = g^x mod p.
  3 Send X to Bob.
3 Bob:
  1 Pick a random y ∈ Z_p, y > 0.
  2 Compute Y = g^y mod p.
  3 Send Y to Alice.
4 Alice computes the secret: K_1 = Y^x mod p.
5 Bob computes the secret: K_2 = X^y mod p.
Example
1 Pick p = 13, a prime number.
2 Pick g = 2, a generator for Z_13.
3 Alice:
  1 Pick a random x = 3.
  2 Compute X = g^x mod p = 2^3 mod 13 = 8.
4 Bob:
  1 Pick a random y = 7.
  2 Compute Y = g^y mod p = 2^7 mod 13 = 11.
5 Alice computes: K_1 = Y^x mod p = 11^3 mod 13 = 5.
6 Bob computes: K_2 = X^y mod p = 8^7 mod 13 = 5.
7 ⇒ K_1 = K_2 = 5.

In-Class Exercise
Let p = 19.
Let g = 10.
Let Alice's secret x = 7.
Let Bob's secret y = 15.
1 Compute K_1.
2 Compute K_2.

Diffie-Hellman Correctness
Alice has computed
  X = g^x mod p
  K_1 = Y^x mod p.
Bob has computed
  Y = g^y mod p
  K_2 = X^y mod p.

Diffie-Hellman Correctness...
Alice has
  K_1 = Y^x mod p = (g^y)^x mod p = g^{xy} mod p
Bob has
  K_2 = X^y mod p = (g^x)^y mod p = g^{xy} mod p
⇒ K_1 = K_2.
Diffie-Hellman Security
The security of the scheme depends on the hardness of solving the discrete logarithm problem.
Generally believed to be hard.
Diffie-Hellman Property:
Given
  p, X = g^x mod p, Y = g^y mod p
computing
  K = g^{xy} mod p
is thought to be hard.

Diffie-Hellman: Man-In-The-Middle attack
1 Alice:
  1 Send X = g^x mod p to Bob.
2 Eve:
  1 Intercept X = g^x mod p from Alice.
  2 Pick a number t in Z_p.
  3 Send T = g^t mod p to Bob.
3 Bob:
  1 Send Y = g^y mod p to Alice.
4 Eve:
  1 Intercept Y = g^y mod p from Bob.
  2 Pick a number s in Z_p.
  3 Send S = g^s mod p to Alice.

Diffie-Hellman: Man-In-The-Middle attack...
5 Alice and Eve:
  1 Compute K_1 = S^x mod p = X^s mod p = g^{xs} mod p
6 Bob and Eve:
  1 Compute K_2 = T^y mod p = Y^t mod p = g^{yt} mod p

Diffie-Hellman: Man-In-The-Middle attack...
7 Alice: Send C = E_{K_1}(M) to Bob.
8 Eve:
  1 Intercept C.
  2 Decrypt: M = D_{K_1}(C)
  3 Re-encrypt: C' = E_{K_2}(M)
  4 Send C' to Bob.
9 Bob: Send C = E_{K_2}(M) to Alice.
10 Eve:
  1 Intercept C.
  2 Decrypt: M = D_{K_2}(C)
  3 Re-encrypt: C' = E_{K_1}(M)
  4 Send C' to Alice.
Nothing in the protocol messages tells Alice or Bob that this has happened: each sees a well-formed exchange and a key that decrypts what it receives. The defence is to authenticate X and Y, for example by signing them with long-term keys, or by comparing a fingerprint of the agreed key over a channel Eve cannot alter.
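The exchange in the example and in-class exercise, and the man-in-the-middle attack just described, can be run side by side. The block below is an added example for this page, not code from the slides. Eve's substitution of S and T and her decrypt-and-re-encrypt relay follow the numbered steps above; the stand-in cipher E_K is an XOR with the key (an assumption for the demo, never to be used for real data), and the fingerprint comparison at the end is one standard way to expose the attack.

```python
"""Diffie-Hellman over Z_p^* with the lecture's numbers, then the
man-in-the-middle attack in which Eve runs one exchange with each side and
re-encrypts in between. Added example for this page, not the slides' code.
The cipher E_K is a toy XOR (assumption for the demo only).
"""
import hashlib
from dataclasses import dataclass, field


def dh_public(g: int, secret: int, p: int) -> int:
    """X = g^x mod p (or Y = g^y mod p)."""
    return pow(g, secret, p)


def dh_shared(peer_public: int, secret: int, p: int) -> int:
    """K = (peer's public value)^(own secret) mod p."""
    return pow(peer_public, secret, p)


def toy_encrypt(m: int, key: int) -> int:
    """Stand-in for E_K(M): XOR with the key. Never use this for real data."""
    return m ^ key


toy_decrypt = toy_encrypt   # XOR is its own inverse


def fingerprint(key: int) -> str:
    """Short hash of the agreed key that Alice and Bob can read to each other
    over a channel Eve cannot alter (phone, in person)."""
    return hashlib.sha256(str(key).encode()).hexdigest()[:8]


@dataclass
class Transcript:
    """What each party holds after an exchange."""
    alice_key: int
    bob_key: int
    eve_keys: tuple = ()
    delivered: list = field(default_factory=list)


def honest_exchange(p: int, g: int, x: int, y: int) -> Transcript:
    X = dh_public(g, x, p)                  # Alice -> Bob
    Y = dh_public(g, y, p)                  # Bob -> Alice
    return Transcript(dh_shared(Y, x, p), dh_shared(X, y, p))


def mitm_exchange(p, g, x, y, s, t, messages):
    """Eve replaces X with S = g^s on its way to Alice's peer and Y with
    T = g^t on its way to Bob's peer, shares K1 with Alice and K2 with Bob,
    and re-encrypts each of Alice's messages so Bob notices nothing."""
    X = dh_public(g, x, p)                  # Alice -> (intercepted by Eve)
    T = dh_public(g, t, p)                  # Eve -> Bob, posing as Alice
    Y = dh_public(g, y, p)                  # Bob -> (intercepted by Eve)
    S = dh_public(g, s, p)                  # Eve -> Alice, posing as Bob
    k1_alice = dh_shared(S, x, p)           # Alice: S^x = g^xs
    k1_eve = dh_shared(X, s, p)             # Eve:   X^s = g^xs
    k2_bob = dh_shared(T, y, p)             # Bob:   T^y = g^yt
    k2_eve = dh_shared(Y, t, p)             # Eve:   Y^t = g^yt
    delivered = []
    for m in messages:
        c = toy_encrypt(m, k1_alice)        # Alice -> "Bob" (really Eve)
        m_read = toy_decrypt(c, k1_eve)     # Eve reads the plaintext
        c2 = toy_encrypt(m_read, k2_eve)    # and re-encrypts it for Bob
        delivered.append(toy_decrypt(c2, k2_bob))
    return Transcript(k1_alice, k2_bob, (k1_eve, k2_eve), delivered)


def fingerprints_match(tr: Transcript) -> bool:
    """What Alice and Bob see when they compare key fingerprints out of band."""
    return fingerprint(tr.alice_key) == fingerprint(tr.bob_key)


if __name__ == "__main__":
    h = honest_exchange(13, 2, 3, 7)
    print(h.alice_key, h.bob_key, fingerprints_match(h))      # 5 5 True
    print(honest_exchange(19, 10, 7, 15).alice_key)            # in-class exercise: 8
    a = mitm_exchange(13, 2, 3, 7, 5, 10, [6, 11])
    print(a.delivered, a.alice_key, a.bob_key, a.eve_keys)    # [6, 11] 8 10 (8, 10)
    print(fingerprints_match(a))                               # False: the attack shows
```

Bob receives exactly what Alice sent, so the relay is invisible at the message level; only the out-of-band fingerprint comparison (or signatures on X and Y) reveals that Alice's key and Bob's key are not the same key.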


Summary

Readings and References
Chapter 8.1.1-8.1.5 in Introduction to Computer Security, by Goodrich and Tamassia.

Acknowledgments
Additional material and exercises have also been collected from these sources:
1 Igor Crk and Scott Baker, 620 - Fall 2003 - Basic Cryptography.
2 Bruce Schneier, Applied Cryptography.
3 Pfleeger and Pfleeger, Security in Computing.
4 William Stallings, Cryptography and Network Security.
5 Bruce Schneier, Attack Trees, Dr. Dobb's Journal, December 1999, http://www.schneier.com/paper-attacktrees-ddj-ft.html
6 Barthe, Grégoire, Beguelin, Hedin, Heraud, Olmedo, Verifiable Security of Cryptographic Schemes, http://www.irisa.fr/celtique/blazy/seminar/20110204.pdf
7 http://homes.cerias.purdue.edu/~crisn/courses/cs355_Fall_2008/lect18.pdf