
ch09 Public Key Cryptography and Rsa - Compress

The document discusses public key cryptography and the RSA algorithm, including principles, applications, and security aspects. It highlights misconceptions about public key encryption, the requirements for public key systems, and various cryptanalysis techniques. Additionally, it covers other public key systems like Diffie-Hellman and Elgamal, along with the vulnerabilities and countermeasures associated with RSA.

Uploaded by lolae6828

Cryptography and Network Security
Sixth Edition by William Stallings
Chapter 9
Public Key Cryptography and RSA
Module 2

Public-Key Cryptography and RSA: Principles of public-key cryptosystems. Public-key cryptosystems. Applications for public-key cryptosystems, requirements for public-key cryptosystems. Public-key cryptanalysis. The RSA algorithm, description of the algorithm, computational aspects, the security of RSA.
Other Public-Key Cryptosystems: Diffie-Hellman key exchange, the algorithm, key exchange protocols, man-in-the-middle attack, Elgamal cryptographic systems.
Textbook 1: Chapter 9, 10
Misconceptions Concerning Public-Key Encryption
• Public-key encryption is more secure from cryptanalysis than symmetric encryption
• Public-key encryption is a general-purpose technique that has made symmetric encryption obsolete
• There is a feeling that key distribution is trivial when using public-key encryption, compared to the cumbersome handshaking involved with

Table 9.1 Terminology Related to Asymmetric Encryption
Source: Glossary of Key Information Security Terms, NIST IR 7298

Principles of Public-Key Cryptosystems
• The concept of public-key cryptography evolved from an attempt to attack two of the most difficult problems associated with symmetric encryption:
• Key distribution: How to have secure communications in general without having to trust a KDC with your key
• Digital signatures: How to verify that a message comes intact from the claimed sender
• Whitfield Diffie and Martin Hellman from Stanford University achieved a breakthrough in 1976 by coming up with a method that addressed both problems and was radically

Public-Key Cryptosystems
• A public-key encryption scheme has six ingredients:
• Plaintext: The readable message or data that is fed into the algorithm as input
• Encryption algorithm: Performs various transformations on the plaintext
• Public key: Used for encryption or decryption
• Private key: Used for encryption or decryption
• Ciphertext: The scrambled message produced as output
• Decryption algorithm: Accepts the ciphertext and the matching key and produces the original plaintext

Public-Key Cryptography

Table 9.2 Conventional and Public-Key Encryption

Public-Key Cryptosystem: Secrecy

Public-Key Cryptosystem: Authentication

Public-Key Cryptosystem: Authentication and Secrecy

Applications for Public-Key Cryptosystems
• Public-key cryptosystems can be classified into three categories:
• Encryption/decryption: The sender encrypts a message with the recipient’s public key
• Digital signature: The sender “signs” a message with its private key
• Key exchange: Two sides cooperate to exchange a session key
• Some algorithms are suitable for all three applications, whereas others can be used only for one or

Table 9.3 Applications for Public-Key Cryptosystems

Public-Key Requirements
• Conditions that these algorithms must fulfill:
• It is computationally easy for a party B to generate a pair (public key $PU_b$, private key $PR_b$)
• It is computationally easy for a sender A, knowing the public key and the message to be encrypted, to generate the corresponding ciphertext
• It is computationally easy for the receiver B to decrypt the resulting ciphertext using the private key to recover the original message
• It is computationally infeasible for an adversary, knowing the public key, to determine the private key
• It is computationally infeasible for an adversary, knowing the public key and a ciphertext, to

Public-Key Requirements
• Need a trap-door one-way function
• A one-way function is one that maps a domain into a range such that every function value has a unique inverse, with the condition that the calculation of the function is easy, whereas the calculation of the inverse is infeasible
• $Y = f(X)$ easy
• $X = f^{-1}(Y)$ infeasible
• A trap-door one-way function is a family of invertible functions $f_k$, such that
• $Y = f_k(X)$ easy, if $k$ and $X$ are known
• $X = f_k^{-1}(Y)$ easy, if $k$ and $Y$ are known
• $X = f_k^{-1}(Y)$ infeasible, if $Y$ known but $k$ not known
• A practical public-key scheme depends on a suitable trap-door one-way function

Public-Key Cryptanalysis
• A public-key encryption scheme is vulnerable to a brute-force attack
• Countermeasure: use large keys
• Key size must be small enough for practical encryption and decryption
• Key sizes that have been proposed result in encryption/decryption speeds that are too slow for general-purpose use
• Public-key encryption is currently confined to key management and signature applications
• Another form of attack is to find some way to compute the private key given the public key
• To date it has not been mathematically proven that this form of attack is infeasible for a particular public-key algorithm
• Finally, there is a probable-message attack
• This attack can be thwarted by appending some random bits to simple messages

Rivest-Shamir-Adleman (RSA) Scheme
• Developed in 1977 at MIT by Ron Rivest, Adi Shamir & Len Adleman
• Invented by Clifford Cocks (GCHQ)
• Most widely used general-purpose approach to public-key encryption
• Is a cipher in which the plaintext and ciphertext are integers between and () for some

RSA Algorithm

Algorithm Requirements

Does RSA Really Work?

Simple RSA Example

Example of RSA Algorithm

Exponentiation in Modular Arithmetic

More Efficient RSA
• Modular exponentiation example
• $5^{20} = 95367431640625 = 25 \bmod 35$
• A better way: repeated squaring
• $20 = 10100$ base 2
• $(1, 10, 101, 1010, 10100) = (1, 2, 5, 10, 20)$
• Note that $2 = 1 \times 2$, $5 = 2 \times 2 + 1$, $10 = 2 \times 5$, $20 = 2 \times 10$
• $5^1 = 5 \bmod 35$
• $5^2 = (5^1)^2 = 5^2 = 25 \bmod 35$
• $5^5 = (5^2)^2 \times 5^1 = 25^2 \times 5 = 3125 = 10 \bmod 35$
• $5^{10} = (5^5)^2 = 10^2 = 100 = 30 \bmod 35$
• $5^{20} = (5^{10})^2 = 30^2 = 900 = 25 \bmod 35$
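The repeated-squaring walk above, generalized to any base, exponent and modulus, as an added Python example that is not part of the original slides. The function names `mod_exp` and `slide_example` are hypothetical; the trace reproduces the slide's intermediate values.

```python
def mod_exp(base, exponent, modulus, trace=None):
    """Left-to-right square-and-multiply: base^exponent mod modulus.

    The exponent's bits are scanned from the most significant end, so the
    partial exponents are its binary prefixes (for 20: 1, 10, 101, 1010, 10100).
    If `trace` is a list, (partial_exponent, partial_result) pairs are appended.
    """
    if modulus <= 0 or exponent < 0:
        raise ValueError("modulus must be positive and exponent non-negative")
    result = 1 % modulus
    partial = 0
    for bit in bin(exponent)[2:]:
        # Always square: doubles the partial exponent.
        result = (result * result) % modulus
        partial *= 2
        if bit == "1":
            # Multiply only on 1-bits. This data-dependent branch is what makes
            # a naive implementation's running time depend on the exponent.
            result = (result * base) % modulus
            partial += 1
        if trace is not None:
            trace.append((partial, result))
    return result


def slide_example():
    """Recompute the slide's 5^20 mod 35 and return (result, steps)."""
    steps = []
    value = mod_exp(5, 20, 35, trace=steps)
    return value, steps


if __name__ == "__main__":
    value, steps = slide_example()
    for partial, result in steps:
        print(f"5^{partial} mod 35 = {result}")
    print("final:", value)
```

Five squarings and two multiplications replace the nineteen multiplications of the naive product, and no intermediate value ever exceeds the square of the modulus.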
Table 9.4

Efficient Operation Using the Public Key

RSA vulnerable to an attack with a very small
• Suppose three users who all use the value but have unique values of, namely ().
• If user A sends the same encrypted message to all three users, then the three ciphertexts are , , and
• It is likely that , and are pairwise relatively prime.
• Using the CRT to compute . Accordingly, the attacker need only compute the cube root of . (cube root attack)
• This attack can be countered by adding a unique pseudorandom bit string as padding to each instance of

Efficient Operation Using the Private Key

Key Generation

Procedure for Picking a Prime Number
1. Pick an odd integer at random
2. Pick an integer at random
3. Perform the probabilistic primality test with as a parameter. If fails the test, reject the value and go to step 1
4. If n has passed a sufficient number of tests, accept ; otherwise, go to step 2
• On average, one would have to test on the order of
The Security of RSA
Five possible approaches to attacking RSA are:
• Brute force: Involves trying all possible private keys
• Mathematical attacks: There are several approaches, all equivalent in effort to factoring the product of two primes
• Timing attacks: These depend on the running time of the decryption algorithm
• Chosen ciphertext attacks: This type of attack exploits properties of the RSA algorithm
• Hardware fault-based attack: This involves inducing hardware faults in the processor that is generating digital

Factoring Problem

Table 9.5 Progress in RSA Factorization

Other Constraints
• To speed up RSA decryption use small private key ()
• Wiener’87: if then RSA is insecure.
• Boneh & Durfee’98: if then RSA is insecure
• Insecure: private key can be found from ()
• Suggested constraints on and .
• and should differ in length by only a few digits.
• For -bit key, both and should be to
• Both () and () should contain a large prime factor

Timing Attacks

Countermeasures
• Constant exponentiation time: Ensure that all exponentiations take the same amount of time before returning a result; this is a simple fix but does degrade performance
• Random delay: Better performance could be achieved by adding a random delay to the exponentiation algorithm to confuse the timing attack
• Blinding: Multiply the ciphertext by a random number before performing exponentiation; this process prevents the attacker from knowing what ciphertext bits are being processed inside the computer and therefore prevents the bit-by-bit analysis essential to the timing attack

Fault-Based Attack
• An attack on a processor that is generating RSA digital signatures
• Induces faults in the signature computation by reducing the power to the processor
• The faults cause the software to produce invalid signatures which can then be analyzed by the attacker to recover the private key
• The attack algorithm involves inducing single-bit errors and observing the results
• While worthy of consideration, this attack does not appear to be a serious threat to RSA
• It requires that the attacker have physical access to the target machine and is able to directly control the input power to the processor

Chosen Ciphertext Attack (CCA)
• The adversary chooses a number of ciphertexts and is then given the corresponding plaintexts, decrypted with the target’s private key
• Thus the adversary could select a plaintext, encrypt it with the target’s public key, and then be able to get the plaintext back by having it decrypted with the private key
• The adversary exploits properties of RSA and selects blocks of data that, when processed using the target’s private key, yield information needed for cryptanalysis

A simple example of a CCA against RSA
• $E(PU, M_1) \times E(PU, M_2) = E(PU, [M_1 \times M_2])$
• We can decrypt $C = M^e \bmod n$ using a CCA as follows.
1. Compute $X = (C \times 2^e) \bmod n$.
2. Submit $X$ as a chosen ciphertext and receive back $Y = X^d \bmod n$.
But now note that
$X = (C \bmod n) \times (2^e \bmod n)$
$= (M^e \bmod n) \times (2^e \bmod n)$
$= (2M)^e \bmod n$
• Therefore, $Y = (2M) \bmod n$. From this, we can deduce $M$.
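The multiplicative property behind the CCA steps above, and the same property used defensively in the blinding countermeasure from the Countermeasures slide, as an added Python example that is not part of the original slides. The toy key (p = 61, q = 53, e = 17) and all function names are constructed for illustration; blinding is shown in its usual form, multiplying by r^e rather than r so that r can be divided out of the result.

```python
import secrets
from math import gcd

# Constructed toy key, far too small for real use.
P, Q, E = 61, 53, 17
N = P * Q                                # 3233
D = pow(E, -1, (P - 1) * (Q - 1))        # 2753 (Python 3.8+ modular inverse)


def encrypt(m):
    """Textbook (unpadded) RSA: C = M^e mod n."""
    return pow(m, E, N)


def raw_decrypt(x):
    """Private-key operation with no padding check: Y = X^d mod n."""
    return pow(x, D, N)


def is_multiplicative(m1, m2):
    """E(PU, M1) x E(PU, M2) = E(PU, [M1 x M2]), all mod n."""
    return (encrypt(m1) * encrypt(m2)) % N == encrypt((m1 * m2) % N)


def make_oracle(protected_c):
    """Decryption service that refuses only the one ciphertext it protects."""
    def oracle(x):
        if x == protected_c:
            raise ValueError("refusing to decrypt the protected ciphertext")
        return raw_decrypt(x)
    return oracle


def recover_via_cca(c, oracle):
    """Slide's steps: X = C * 2^e mod n, Y = X^d = 2M mod n, M = Y * 2^-1 mod n."""
    x = (c * pow(2, E, N)) % N
    y = oracle(x)
    return (y * pow(2, -1, N)) % N


def blinded_decrypt(c):
    """Blinding: exponentiate C * r^e for a fresh random r, then divide r out."""
    while True:
        r = secrets.randbelow(N - 2) + 2     # 2 <= r < n
        if gcd(r, N) == 1:                   # r must be invertible mod n
            break
    y = raw_decrypt((c * pow(r, E, N)) % N)  # y = M * r mod n
    return (y * pow(r, -1, N)) % N
```

Refusing to decrypt C itself does not help, because X differs from C yet decrypts to a known multiple of M; with OAEP the value 2M fails the padding check, so the decryptor returns an error instead of Y.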
Optimal Asymmetric Encryption Padding (OAEP)
• To counter such attacks, RSA Security Inc. recommends modifying the plaintext using a procedure known as optimal asymmetric encryption padding (OAEP)

PKCS1 v2.0: OAEP

Summary
• Public-key cryptosystems
• Applications for public-key cryptosystems
• Requirements for public-key cryptography
• Public-key cryptanalysis
• The RSA algorithm
• Description of the algorithm
• Computational aspects
• Security of RSA
