CHAPTER THREE
Public Key Cryptography, Digital
Signature and Certificates
Outline
• Public and Private Keys
• Public Key Cryptography
• RSA Security
• Diffie-Hellman Algorithm
• Message authentication, Security
requirements
• Digital Signature Using Public Key
• Digital Signature Using Message Digest
• Digital certificates
• Distribution of public keys
Asymmetric Encryption
• When data is encrypted with one key, the other key must be used to
decrypt the data
– And vice versa
Public and Private Keys
• With asymmetric encryption each user can be
assigned a key pair: a private and public key
– Private key is known only to the owner
– Public key is given away to the world
Public and Private keys…
• Anything encrypted with the private key can only be decrypted with the
public key
• And vice versa
• Since the private key is known only to the owner, this is very powerful…
• Overcomes the problem of looking for a secured channel.
Public Key Cryptography…
• Either the encryption key or the decryption key is made public,
depending on the use of the key.
• If Abe wants to send a confidential message to Selam:
– He encrypts the message using Selam’s public key
– He sends the message
– Selam then decodes it using her own private key
• On the other hand, if Selam needs to make sure that a message sent by
Abe really comes from him, how can she do that?
Public Key Cryptography…
• Using digital signature
– Abe first has to encrypt a digital signature using his private key.
– He then encrypts the message (signature included) with Selam’s public key.
– He sends the encrypted message to Selam.
– Selam decrypts the message using her private key.
– Selam then decrypts the signature using Abe’s public key.
– If successful, she is assured that it comes from Abe.
Public Key Cryptography…
• The communication link shows how public-key encryption can
be used to provide both confidentiality and authentication at the
same time.
– Confidentiality means that we want to protect a message from
eavesdroppers.
– Authentication means that the recipient needs a guarantee as to the
identity of the sender.
Public Key Cryptography: classification
• We can classify the use of public-key cryptosystems
into three categories:
• Encryption/decryption: The sender encrypts a message
with the recipient's public key.
• Digital signature: The sender "signs" a message with its
private key.
– Signing is achieved by a cryptographic algorithm applied to the
message or to a small block of data that is a function of the
message.
• Key exchange: Two sides cooperate to exchange a
session key.
– Several different approaches are possible, involving the private
key(s) of one or both parties.
Public Key Cryptography and RSA
RSA
• RSA is named after Rivest, Shamir and Adleman
• Principle: No mathematical method is yet known to efficiently
find the prime factors of large numbers.
• In RSA, the private and public keys are constructed from very
large prime numbers (consisting of hundreds of decimal digits).
One of the keys can be made public.
• Breaking RSA is equivalent to finding the prime factors: this is
known to be computationally infeasible. (NP-hard)
• Only the person who has produced the keys from the
prime numbers can easily decrypt the messages.
Asymmetric RSA
• The RSA algorithm
- Used for both public key encryption and digital signatures.
- Security is based on the difficulty of factoring large integers.
• Major Activities
- Key Generation
- Encryption
- Digital signature
- Decryption
- Signature verification
Asymmetric RSA
Key Generation Algorithm
1. Generate two large random primes, p and q
2. Compute n = pq and φ (phi) = (p-1)(q-1)
3. Choose an integer e, 1 < e < φ, such that gcd(e, φ) = 1
4. Compute the secret exponent d, 1 < d < φ, such that
d = e^(-1) mod φ, i.e. φ divides (ed-1)
5. The public key is (n, e) and the private key is (n, d).
Keep all the values d, p, q and φ secret
n is known as the modulus
e is known as the public exponent or encryption exponent
d is known as the secret exponent or decryption exponent.
Asymmetric RSA
Encryption and Decryption
Encryption
• Sender A does the following
- Obtains the recipient B's public key (n, e)
- Represents the plaintext message as a positive integer m
- Computes the ciphertext c = m^e mod n
- Sends the ciphertext c to B
Decryption
• Recipient B does the following
- Uses his private key (n, d) to compute m = c^d mod n
- Extracts the plaintext from the message representative m
Asymmetric RSA
Digital signature and signature verification
Digital signature
• Sender A does the following
- Creates a message digest of the information to be sent
- Represents this digest as an integer m between 0 and n - 1
- Uses his/her private key (n, d) to compute the signature
s = m^d mod n.
- Sends this signature s to the recipient, B.
Signature verification
• Recipient B does the following
- Uses sender A's public key (n, e) to compute integer v = s^e mod n
- Extracts the message digest from this integer
- Independently computes the message digest of the information that has been
signed
- If both message digests are identical, the signature is valid
Asymmetric RSA
Key Generation example
1. Select primes p=11, q=3.
2. n = pq = 11*3 = 33
phi = (p-1)(q-1) = 10*2 = 20
3. Choose e=3
Check gcd(e, p-1) = gcd(3, 10) = 1 (i.e. 3 and 10 are relatively prime -
have no common factors except 1) and check gcd(e, q-1) = gcd(3, 2) = 1,
therefore gcd(e, phi) = gcd(e, (p-1)(q-1)) = gcd(3, 20) = 1
4. Compute d (1<d<phi) such that d = e^(-1) mod phi = 3^(-1) mod 20
i.e. find a value for d such that phi divides ed-1 (20 divides 3d-1)
Simple testing (d = 2, 3 ...) gives d = 7
Check: ed-1 = 3*7 - 1 = 20, which is divisible by phi (20).
5. Public key = (n, e) = (33, 3)
Private key = (n, d) = (33, 7)
Asymmetric RSA
Encryption and Decryption example
• Given
Public key = (n, e) = (33, 3)
Private key = (n, d) = (33, 7)
Encryption
• Now say we want to encrypt the message m = 7
- c = m^e mod n = 7^3 mod 33 = 343 mod 33 = 13
- Hence the ciphertext c = 13
Decryption
• To check decryption we compute
- m = c^d mod n = 13^7 mod 33 = 7
RSA Example - Key Setup
1. Select primes: p=17 & q=11
2. Calculate n = pq =17 x 11=187
3. Calculate ø(n)=(p–1)(q-1)=16x10=160
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160
Value is d=23 since 160 divides 7x23-1
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}
RSA Example 3 - En/Decryption
Sample RSA encryption/decryption:
• given message M = 88 (nb. 88<187)
• encryption:
C = 88^7 mod 187 = 11
• decryption:
M = 11^23 mod 187 = 88
RSA Algorithm Summary
The Security of RSA
• Approaches to attack the RSA algorithm are:
• Brute force: This involves trying all possible private keys.
• Mathematical attacks: There are several approaches, all
equivalent in effort to factoring the product of two primes.
– Factor n into its two prime factors. This enables calculation of
ø(n) = (p-1) x (q-1), which, in turn, enables determination of
d = e^(-1) (mod ø(n)).
– Determine ø(n) directly, without first determining p and q.
Again, this enables determination of d = e^(-1) (mod ø(n)).
– Determine d directly, without first determining ø(n).
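The key generation, encryption and decryption steps from the preceding slides, together with the first mathematical attack listed above, as an added Python example (not part of the original slides). Function names are this example's own; the extended Euclidean algorithm replaces the slides' "simple testing" for d, and the trial-division step succeeds only because the toy moduli 33 and 187 are tiny.

```python
# Added example (not from the slides): textbook RSA on the slides' toy numbers.
# No padding and tiny primes, so this is for study only.
from math import gcd, isqrt

def mod_inverse(a, m):
    """Extended Euclid: return d with (a * d) % m == 1."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        k = old_r // r
        old_r, r = r, old_r - k * r
        old_s, s = s, old_s - k * s
    if old_r != 1:
        raise ValueError("a has no inverse modulo m")
    return old_s % m

def keygen(p, q, e):
    """Key generation steps 2-5: return (public, private) = ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi and gcd(e, phi) = 1")
    return (n, e), (n, mod_inverse(e, phi))

def encrypt(m, public):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message representative must satisfy 0 <= m < n")
    return pow(m, e, n)          # c = m^e mod n

def decrypt(c, private):
    n, d = private
    return pow(c, d, n)          # m = c^d mod n

def private_key_by_factoring(public):
    """Factor n by trial division, rebuild phi, then d = e^(-1) mod phi.
    Instant for n = 187; the search grows with sqrt(n), which is why real
    p and q have hundreds of decimal digits."""
    n, e = public
    p = next(f for f in range(2, isqrt(n) + 1) if n % f == 0)
    return keygen(p, n // p, e)[1]

if __name__ == "__main__":
    public, private = keygen(17, 11, 7)
    print("public", public, "private", private)
    print("C =", encrypt(88, public), " M =", decrypt(11, private))
    print("d recovered from (n, e) alone:", private_key_by_factoring(public))
```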
The Diffie-Hellman Algorithm for generating
a shared secret session key
• The first public key scheme was invented by Diffie and
Hellman.
• Though it could not be used to send messages, it could
establish secret keys for use in secret key
cryptosystems.
• An eavesdropper “tapping the line” would be unable to
determine what the generated key was.
Diffie-Hellman Key Exchange Algorithm
• a public-key distribution scheme
– cannot be used to exchange an arbitrary message
– rather it can establish a common key
– known only to the two participants
• value of key depends on the participants (and their
private and public key information)
• based on exponentiation in a finite field (modulo a
prime or a polynomial) - easy
• security relies on the difficulty of computing discrete
logarithms (similar to factoring) – hard
The Diffie-Hellman Algorithm for generating
a shared secret session key
• The pair of numbers (q, α) is public.
• This pair of numbers may be used for several runs of the
protocol.
• These two numbers may even stay the same for a large
number of users for a long period of time.
• Subsequently, A and B use the algorithm described below
to calculate their public keys that are then made available
by each party to the other:
– We will denote A’s and B’s private keys by XA and XB.
– And their public keys by YA and YB.
– In other words, X stands for private and Y for public.
The Diffie-Hellman Algorithm for generating
a shared secret session key
• A selects a random number XA from the set {1, 2, . . . , q − 2} to
serve as his/her private key.
• A then calculates a public-key integer YA that is guaranteed to exist:
YA = α^XA mod q
• A makes the public key YA available to B.
• Similarly, B selects a random number XB from the set
{1, 2, . . . , q − 2} to serve as his/her private key.
• B then calculates an integer YB that serves as his/her public key:
YB = α^XB mod q
• B makes the public-key YB available to A.
The Diffie-Hellman Algorithm for generating
a shared secret session key
• A now calculates the secret key K from his/her private
key XA and B’s public key YB :
K = (YB)^XA mod q
• B carries out a similar calculation for locally generating
the shared secret key K from his/her private key XB and
A’s public key YA :
K = (YA)^XB mod q
Diffie-Hellman Key Exchange
• shared session key for users A & B is KAB:
KAB = α^(xA·xB) mod q
= yA^xB mod q (which B can compute)
= yB^xA mod q (which A can compute)
• KAB is used as session key in private-key encryption
scheme between Alice and Bob
• if Alice and Bob subsequently communicate, they will
have the same key as before, unless they choose
new public-keys
• attacker needs an x, must solve discrete log
Diffie-Hellman Example
• users Alice & Bob who wish to swap keys:
• agree on prime q=353 and α=3
• select random secret keys:
– A chooses xA=97, B chooses xB=233
• compute public keys:
– yA = 3^97 mod 353 = 40 (Alice)
– yB = 3^233 mod 353 = 248 (Bob)
• compute shared session key as:
– KAB = yB^xA mod 353 = 248^97 mod 353 = 160 (Alice)
– KAB = yA^xB mod 353 = 40^233 mod 353 = 160 (Bob)
The Diffie-Hellman Algorithm with key
exchange
• The seemingly magical thing about the DH protocol is
that:
– an eavesdropper having access to the public keys for both A
and B would still not be able to figure out the secret key K.
– it allows two parties A and B to create a shared secret K
without either party having to send it directly to the other.
The Diffie-Hellman Algorithm Security
• The difficulty of determining the secret shared key K from the
publicly available q, α , YA, and YB is sometimes referred to as
the Computational Diffie-Hellman Assumption.
• Is this enough to compute the K value? No! In order to compute
K, the eavesdropper must do either of two things:
– Raise α^XA to the XB power (mod q), which he cannot do because
he does not know XB, or
– Raise α^XB to the XA power (mod q), which he cannot do because
he does not know XA.
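The exchange from the preceding slides, with both sides' computations and the values an eavesdropper sees, as an added Python example (not part of the original slides). Function names are this example's own; the exhaustive discrete-log search at the end finishes only because q = 353 is a toy prime.

```python
# Added example (not from the slides): Diffie-Hellman with the slides' numbers.
import secrets

def dh_private(q):
    """Random private key X from the set {1, 2, ..., q-2}."""
    return secrets.randbelow(q - 2) + 1

def dh_public(q, alpha, x):
    return pow(alpha, x, q)            # Y = alpha^X mod q

def dh_shared(q, peer_public, x):
    return pow(peer_public, x, q)      # K = (peer's Y)^X mod q

def exchange(q, alpha, xa=None, xb=None):
    """Run one exchange; return (values seen on the wire, A's K, B's K)."""
    xa = dh_private(q) if xa is None else xa
    xb = dh_private(q) if xb is None else xb
    ya, yb = dh_public(q, alpha, xa), dh_public(q, alpha, xb)
    wire = {"q": q, "alpha": alpha, "YA": ya, "YB": yb}   # XA, XB never sent
    return wire, dh_shared(q, yb, xa), dh_shared(q, ya, xb)

def discrete_log(q, alpha, y):
    """Exhaustive search for x with alpha^x = y (mod q).
    Needs up to q-2 multiplications: trivial for q = 353, out of reach when
    q has hundreds of digits, which is what the protocol's security rests on."""
    acc = 1
    for x in range(1, q - 1):
        acc = acc * alpha % q
        if acc == y:
            return x
    raise ValueError("y is not a power of alpha modulo q")

def key_from_wire_by_search(wire):
    """What the eavesdropper must do: solve for XA, then raise YB to it."""
    xa = discrete_log(wire["q"], wire["alpha"], wire["YA"])
    return pow(wire["YB"], xa, wire["q"])

if __name__ == "__main__":
    wire, k_alice, k_bob = exchange(353, 3, xa=97, xb=233)
    print("on the wire:", wire)
    print("Alice K =", k_alice, " Bob K =", k_bob)
    print("K by exhaustive search on toy q:", key_from_wire_by_search(wire))
```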
The Diffie-Hellman Algorithm Security
• Even if you accept the security of DH on the basis of the difficulty
of solving the discrete logarithm problem, the DH protocol
possesses a number of vulnerabilities.
• If interested, see the publication “Security Issues in the
Diffie-Hellman Key Agreement Protocol” by Raymond and Stiglic for a
list of these vulnerabilities.
• One of the most serious vulnerabilities of DH is the
man-in-the-middle attack.
Digital Signatures and Digital
Certificates
Message Authentication
• Up till now, we have been concerned with protecting
message content (i.e. secrecy) by encrypting the message.
• We will now consider:
– how to protect message integrity (i.e. protection from
modification), as well as
– confirming the identity of the sender.
• Generally, this is the problem of message authentication.
• In eCommerce applications it is more important than
secrecy.
Message Authentication…
• Message authentication is concerned with:
– Protecting the integrity of a message
– Validating identity of originator
– Non-repudiation of origin (dispute resolution)
• Electronic equivalent of a signature on a message.
• First, we will consider the security requirements
• Then two alternative functions used:
– message encryption
– hash function
Security Requirements
• In the context of communications across a network, the
following attacks can be identified:
• Disclosure: Release of message contents to any person or
process not possessing the appropriate cryptographic key.
• Traffic analysis: Discovery of the pattern of traffic between
parties.
• Masquerade: Insertion of messages into the network from a
fraudulent source.
– This includes the creation of messages by an opponent that are
supposed to come from an authorized entity.
Security Requirements
• Content modification: Changes to the contents of a
message, including insertion, deletion, transposition, and
modification.
• Sequence modification: Any modification to a sequence of
messages between parties, including insertion, deletion,
and reordering.
• Timing modification: Delay or replay of messages.
• Source repudiation: Denial of transmission of message by
source.
• Destination repudiation: Denial of receipt of message by
destination.
Security Requirements
• disclosure
• traffic analysis
– These belong to message confidentiality, and are handled using the
encryption techniques already discussed.
• masquerade
• content modification
• sequence modification
• timing modification
• source repudiation
• destination repudiation
– The remaining requirements belong in the realm of message
authentication.
– This addresses the issue of ensuring that a message comes from the
assumed source and has not been altered.
– The use of a digital signature can also address issues of repudiation.
– It may also address sequencing and timeliness.
Message Encryption
• Message encryption by itself also provides a
measure of authentication.
• If symmetric encryption is used then:
– receiver knows sender must have created it
– since only sender and receiver know the key used
– Encryption of a message by a sender's private key
also provides a form of authentication.
– E.g. DES, 3DES, ...
Message Encryption…
• If public-key encryption is used:
– encryption provides no confidence of sender
– since anyone potentially knows public-key
– however if
• sender signs message using their private-key
• then encrypts with recipient’s public key
• have both secrecy and authentication
– E.g. RSA
Authentication using session-key
• If a message is being encrypted using a session key known
only to the sender and receiver, then the message may
also be authenticated.
– since only sender or receiver could have created it
– any interference will corrupt the message
– but this does not provide non-repudiation since it is
impossible to prove who created the message
• E.g. DH
Digital Signature
• Digital signatures allow the world
to verify I created a piece of data
– e.g. email, code
• Digital signatures are created by encrypting a hash
of the data with my private key
• The resulting encrypted data is the signature
• This hash can then only be decrypted by my public
key
Why Digital Signatures?
• To provide Authenticity, Integrity and Non-
repudiation to electronic documents
• To use the Internet as the safe and secure
medium for any data exchange between two
users
Digital Signature using public key
cryptography (RSA)
• RSA may be used directly as a digital signature scheme
– given an RSA scheme {(e,n), (d,n)}
• To sign a message, compute:
– s = m^d (mod n)
• To verify a signature, compute:
– m = s^e (mod n) = m^(e·d) (mod n)
• Thus we know the message was signed by the owner of the
public-key.
• More commonly, a hash function is used to create a separate
Message Digest (MD) which is then signed.
Digital Signatures – Authentication
using hash function
• Abe calculates the hash of the message (hash A): a 128 bit value based on
the content of the message
• Abe encrypts the hash using his private key: the encrypted hash is
the digital signature.
• Abe sends the signed message to Kebe.
• Kebe calculates the hash of the message (hash B)
• Kebe decrypts the digital signature with Abe’s public key to recover hash A.
• If hashes equal:
1. hash A is from Abe’s private key;
2. message wasn’t modified;
[Figure: Abe computes Hash A of the message and signs it with his private key; Kebe computes Hash B of the received message and compares it with Hash A recovered from the digital signature using Abe’s public key.]
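The hash-then-sign flow between Abe and Kebe, as an added Python example (not part of the original slides). It assumes SHA-256 in place of the 128 bit hash named above and a demo key built from two publicly known Mersenne primes, which is wide enough to hold the digest but is not a secure key; all function names are this example's own.

```python
# Added example (not from the slides): hash-then-sign with textbook RSA.
# Deployed RSA signatures also pad the digest (e.g. RSASSA-PSS) before signing.
import hashlib

# Constructed demo key: two publicly known Mersenne primes give a modulus wide
# enough for a SHA-256 digest. Real keys use secret, randomly generated primes.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # d = e^(-1) mod phi (Python 3.8+)

def digest_int(message: bytes) -> int:
    """Message digest represented as an integer m with 0 <= m < n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, n: int = N, d: int = D) -> int:
    """Abe: s = m^d mod n, where m is hash A of the message."""
    return pow(digest_int(message), d, n)

def verify(message: bytes, signature: int, n: int = N, e: int = E) -> bool:
    """Kebe: recover hash A = s^e mod n and compare it with her own hash B."""
    if not 0 <= signature < n:
        return False
    hash_a = pow(signature, e, n)
    hash_b = digest_int(message)
    return hash_a == hash_b

def demo():
    """Verify a genuine message, an altered message and an altered signature."""
    message = b"Pay Kebe 100 birr"          # constructed sample message
    signature = sign(message)
    return {
        "genuine": verify(message, signature),
        "message_modified": verify(b"Pay Kebe 900 birr", signature),
        "signature_modified": verify(message, (signature + 1) % N),
    }

if __name__ == "__main__":
    print(demo())
```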
Digital Certificates
• Abe’s digital signature is useful to Kebe if:
1. Abe’s private key is not compromised – keep these safe!!!
2. Kebe has Abe’s public key
• How can Kebe be sure that Abe’s public key is really
Abe’s public key and not someone else’s?
– A third party establishes the correspondence between public
key and owner’s identity.
– Both Kebe and Abe trust this third party
• The “third party” is called a Certification Authority (CA).
Certificate Authorities for authenticating
your public key
• A certificate issued by a certificate authority (CA)
authenticates your public key.
– A certificate is your public key signed by the CA’s private key.
• A certificate assigned to a user consists of:
– The user’s public key,
– the identifier of the key owner,
– a time stamp (in the form of a period of validity), etc.,
• The whole block is encrypted with the CA’s private key.
• Encryption of the block with the CA’s private key is referred
to as the CA having signed the certificate.
Digital Certificates
• Types of Digital Certificates
– site certificates
• used to authenticate web servers
– personal certificates
• used to authenticate individual users
– software publishers certificates
• used to authenticate executables
– CA certificates
• used to authenticate CA’s public keys
– All certificates have the common format standard of
X.509v3