Pkcs public key cryptography standards
1 / 64

PKCS ( Public-key cryptography standards ) - PowerPoint PPT Presentation

  • Uploaded on

PKCS ( Public-key cryptography standards ). Network Access Security Model. Confidentiality Protection from disclosure to unauthorized persons Integrity Maintaining data consistency Authentication Assurance of identity of person or originator of data Non-repudiation

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' PKCS ( Public-key cryptography standards )' - kalli

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Pkcs public key cryptography standards
PKCS (Public-key cryptography standards)

Security levels


Protection from disclosure to unauthorized persons


Maintaining data consistency


Assurance of identity of person or originator of data


Originator of communications can't deny it later


Identity combined with an access policy grants the rights to perform some action

Security Levels

Security building blocks

Encryption provides

confidentiality, can provide authentication and integrity protection

Checksums/hash algorithms provide

integrity protection, can provide authentication

Digital signatures provide

authentication, integrity protection, and non-repudiation

Security Building Blocks

Symetric Keys

Both parties share the same secret key

A major problem is securely distributing the key

DES - 56 bit key considered unsafe for financial purposes since 1998

3 DES uses three DES keys


Public/Private keys

One key is the mathematical inverse of the other

Private keys are known only to the owner

Public key are stored in public servers, usually in a X.509 certificate.

RSA (patent expires Sept 2000), Diffie-Hellman, DSA


Message digest
Message Digest

  • A message digest, also known as a one-way hash function, is a fixed length computionally unique identifier corresponding to a set of data. That is, each unit of data (a file, a buffer, etc.) will map to a particular short block, called a message digest. It is not random: digesting the same unit of data with the same digest algorithm will always produce the same short block.

  • A good message digest algorithm possesses the following qualities

    • The algorithm accepts any input data length.

    • The algorithm produces a fixed length output for any input data.

    • The digest does not reveal anything about the input that was used to generate it.

    • It is computationally infeasible to produce data that has a specific digest.

    • It is computationally infeasible to produce two different unit of data that produce the same digest.

Hash algorithms

Reduce variable-length input to fixed-length (128 or 160bit) output


Can't deduce input from output

Can't generate a given output

Can't find two inputs which produce the same output

Hash Algorithms

Hash algorithms1

Used to output

Produce fixed-length fingerprint of arbitrary-length data

Produce data checksums to enable detection of modifications

Distill passwords down to fixed-length encryption keys

Also called message digests or fingerprints

Hash Algorithms

Message authentication code mac

Hash algorithm + key to make hash value dependant on the key output

Most common form is HMAC (hash MAC)

hash( key, hash( key, data ))

Key affects both start and end of hashing process

Naming: hash + key = HMAC-hash


SHA-11 HMAC-SHA (recommended)

Message Authentication Code MAC

Digital signatures

Combines a hash with a digital signature algorithm output

To sign

hash the data

encrypt the hash with the sender's private key

send data signer’s name and signature

To verify

hash the data

decrypt the signature with the sender's public key

the result of which should match the hash

Digital Signatures

Digital signatures1
Digital Signatures output

  • A data string associating a message with an originating entity

    • Signature generation algorithm

    • Signature verification algorithm

    • Signature scheme

  • Used for authentication, integrity, and nonrepudiation

  • Public key certification is one of the most significant applications

Key exchange diffie hellman protocol

Machine A output


Key exchange: Diffie-Hellman protocol

1. Picks a  GF(p)at random

2. Computes TA = ga mod p

3. Sends TA

4. Receives TB

5. Computes KA = TBamod p

1. Picks b  GF(p) at random

2. Computes TB = gb mod p

3. Receives TA

4. Sends TB

5. Computes KB = TAbmod p

Where K = KA =KB, Because:

TBa= (gb)a= gba= gab= (ga)b= TAb mod p

Mensaje para anita en la jornada

Querida Anita de mi corazón: output

Quisiera pedirte que nuestro número primo sea 128903289023 y nuestra g23489.

Te quiere


Mensaje para Anita en La Jornada

Middle person attack
Middle-person attack. output

  • Consider the following scenario:


    ga = 8389 gx = 5876 gb = 9267

    8389 5876

    5876 9267

    Shared key KAX: Shared key KBX

    5876a = 8389x 9267x = 5876b

  • After this exchange, the middle-person attacker simply decrypts any

  • messages sent out by A or B, and then reads any possibly modifies

  • them before re-encrypting with the appropriate key and transmitting

  • them to the correct party.

  • Middle-person attack is possible due to the fact that DHC does not

  • authenticate the participants. Possible solutions are digital signatures

  • and other protocol variants.

Solution mutual authentication
Solution: Mutual authentication output

I am A, R1



R2, KAB {R1}


Reflection attack
Reflection attack output

I am A, R1



R2, KAB{R1}


  • I am A, R2



R3, KAB{R2}

Encryption across a packet switching network
Encryption across a outputpacket-switching network

Elements of pki

Certificate Authorities (CA) output

OpenSSL, Netscape, Verisign, Entrust, RSA Keon

Public/Private Key Pairs - Key management

x.509 Identity Certificates - Certificate management

LDAP servers

Elements of PKI

Public-key cryptography standards (PKCS) output

Owned by RSA and motivated to promote RSA

Created in early 1990’s

Numbered from PKCS1 to PKCS15

Some along the way have

lost interest

folded into other PKCS

taken over by other standards bodies

Continue to evolve


Rsa cryptosystem by layers
RSA cryptosystem by layers output

Protocols and Applications: SSL, TLS, WTLS, WAP, etc.

PKCS User Functions:PKCS1_OAEP_Encrypt, PKCS1_OAEP_Decrypt, PKCS1_v15_Sign,

PKCS Primitives: PKCS1_OAEP_Encode, PKCS1_OAEP_Decode, etc

RSA primitive Operations: Encryption: C = Me mod n, Decryption M = Cd mod n.

FPfinite field operations : Addition, Squaring, multiplication, inversion and exponentiation

Pkcs 1

RSA Cryptography Standard output

Version 2.0 onwards (1998)

RSA Encryption Standard

Version 1.5 (1993)


Pkcs 11

Specifies how to use the RSA algorithm securely for encryption and signature

Why do we need this?

Padding for encryption

Different schemes for signature


Pkcs 12

Chosen ciphertext attack based on multiplicative property of RSA

Attacker wishes to decrypt c

Choose r, compute c’ = c re mod n

Get victim to decrypt c’ giving cd r mod n

cd r  r-1 mod n = cd mod n

Padding destroys multiplicative property


Rsa encryption is deterministic
RSA encryption is RSA deterministic

We can check whether M is the message of C by C=Me mod n.

Attack example: C = (PIN)e mod n, where PIN is 4-digit number.

We can find M by a brute force attack within several 10 seconds.

=> We need a semantically secure cryptosystem!

Semantically secure: For two messages M0, M1, and C = Mb2 mod n,

attackers can not guess whether C is encryption of Mb (b=0,1).

An easy way is to pad M with random integer R like M||R, but no security proof!

Chosen ciphertext attack cca
Chosen Ciphertext Attack (CCA) RSA

Decryption oracle

ciphertext C


Information based on C,d

  • An attack example:

  • (0) We assume the decryption oracle computes Ad mod n for a request.

  • (1) Attacker computes A = ReC mod n for a random R in Zn, and sends A to the decryption oracle.

  • Decryption oracle computes B = Ad mod n and send B back to the attacker.

  • The attacker computes B/R = M mod n and get the message M.

There are several models, which are secure

against the chosen ciphertext attack

Side channel attacks
Side Channel Attacks RSA

Algorithm Binary exponentiation

Input: a in G, exponent d = (dk,dk-1,…,d0)

(dk is the most significant bit)

Output: c = ad in G

1. c = a;

2. For i = k-1 down to 0;

3. c = c2;

4. If di =1 then c = c*a;

5. Return c;

The time or the power to execute

c2and c*a are different

(side channel information).

Algorithm Coron’s exponentiation

Input: a in G, exponent d = (dk,dk-1,…,dl0)

Output: c = ad in G

1. c[0] = 1;

2. For i = k-1 down to 0;

3. c[0] = c[0]2;

4. c[1] = c[0]*a;

5. c[0] = c[di];

6. Return c[0];

Differential fault attack dfa
Differential Fault Attack RSA (DFA)

An attacker obtains a decryption which is computed in a wrong way.

M = Cd mod n


dq = d mod (q-1)

Mq =Cdq mod q

v = (Mq – Mp) p-1 mod q,

dp = d mod (p-1)

Mp = Cdp mod p



M = Mp + pv mod n.


In the RSA using the CRT, if an attacker can break the computation

of v (as v=0), then he/she can factor n by computing gcd(M-Mp,n)=p.

Klima rosa attack against pgp
Klima-Rosa attack against RSA PGP

PGP dose not encrypt the key file which includes n.

Decryption oracle

integer X

d, n’

Xd mod n’

An attacker can change the public key n to n’

The attacker can obtain Xd mod n’ for changed n’.

He/she can recover d by Silver-Pohlig-Hellman algorithm

Bleichenbacher s cca
Bleichenbacher’s CCA RSA

Decryption oracle

any integer C mod n


Cd∈ PKCS-format or not

PKCS-Format for a message m

most significant byte

least significant byte



random padding


message m

at least 8 bytes

Theorem (Bleichenbacher): Let n be a 1024-bit RSA modus. For a given C,

the value Cd mod n can be computed by about 220 accesses to the decryption

oracle, where d is the secret key.

Pkcs 13

Version 1.5, 1993 RSA

Encryption padding was found defective in 1998 by Bleichenbacher

Possible to generate valid ciphertext without knowing corresponding plaintext with reasonable probability of success (chosen ciphertext)


Pkcs 14

Uses Optimal asymmetric encryption protocol (OAEP) by Bellare-Rogoway 1994

provably secure in the random oracle model.

Informally, if hash functions are truly random, then an adversary who can recover such a message must be able to break RSA

plaintext-awareness: to construct a valid OAEP encoded message, an adversary must know the original plaintext

PKCS 1 version 1.5 padding continues to be allowed for backward compatibility

Accommodation for multi-prime RSA

Speed up private key operations


Pkcs 15

Cryptographic primitives Bellare-Rogoway 1994

Cryptographic scheme

Encryption scheme

Signature scheme

Signature with appendix: supported

Signature with message recovery: not supported

Encoding and decoding

Converting an integer message into an octet string for use in encryption or signature scheme and vice versa


Pkcs 16

Cryptographic primitives Bellare-Rogoway 1994

Encrypt RSAEP((n,e),m)

Decrypt RSADP((n,d),c)

Sign RSASP1((n,d),m)

Verify RSAVP1((n,e),s)

Basically exponentiation with differently named inputs!!


Pkcs 17

Encryption scheme Bellare-Rogoway 1994

Combines encryption primitive with an encryption encoding method

message  encoded message  integer message representative  encrypted message

Decryption scheme

Combines decryption primitive with a decryption decoding method

encrypted message  integer message representative  encoded message  message

Original version 1.5 scheme and new version 2.0 scheme


Pkcs 18

Encryption scheme Bellare-Rogoway 1994

Combines signature primitive with a signature encoding method.

message  encoded message  integer message representative  signature

Decryption scheme

Combines verification primitive with a verification decoding method

signature  integer message representative  encoded

message  message

Original version 1.5 scheme

Signature with appendix


Pkcs 19
PKCS 1 Bellare-Rogoway 1994

Pkcs data formatting

The data is an octet string Bellare-Rogoway 1994 D, where ||D|| ≤ k-11. BT is a single octet whose hex representation is either 00 or 01. PS is an octet string with ||PS|| = k -3-||D||. If BT = 00, then all octets in PS are 00; if BT=01, then all octets in PS are FF.

PKCS Data formatting

Pkcs data formatting1
PKCS Data formatting Bellare-Rogoway 1994

The formatted data block (called the encryption block) is:

EB = 00||BT||PS||00||D.

PKCS-Format for a message m

most significant byte

least significant byte



random padding


message m

at least 8 bytes

Pkcs data formatting2

The leading 00 block ensures that the octet string Bellare-Rogoway 1994 EB, when interpreted as an integer, is less than the modulus n.

If the block type is BT = 00, then either D must begin with a non-zero octet or its legth must be known, in order to permit unambiguous parsing of EB.

PKCS Data formatting

Pkcs data formatting3

If BT = 01, then unambiguous parsing is always possible. Bellare-Rogoway 1994

For the reason given in (iii), and to thwart certain potential attacks on the signature mechanism, BT = 01 is recommended.

PKCS Data formatting

Pkcs data formatting4

Example Bellare-Rogoway 1994 : Suppose that n is a 1024-bit modulus (so k = 128). If ||D|| = 20 octets, then ||PS|| = 105 octets, so that ||EB|| = 128 octets.

PKCS Data formatting

Signature process for pkcs 1

Message Hashing. Bellare-Rogoway 1994 Hash the message M using the selected message-digest algorithm to get the octet string MD.

Message Digest Encoding. MD and the hash algorithm identifier are combined into an ASN.1 (Abstract Syntax Notation) value and then BER-encoded (Basic Encoded Rules) to give an octec data string D.

Signature process for PKCS #1

Signature process for pkcs 11

Data block formatting. Bellare-Rogoway 1994 With data string input D, use the data formatting discussed previously to form octet string EB.

Octet-string2integer conversion. Let the octets ob EB be EB1|| EB1|| EB2||… ||EBk. Define EB’i to be the integer whose binary representation is the octet EBi (LSB bit is on the right).

Signature process for PKCS #1

Signature process for pkcs 12

RSA Computation. Bellare-Rogoway 1994 Compute s = md mod n.

Integer2octet-string conversion. Convert s to an octet string. The signature is S = ED.

Signature process for PKCS #1

Signature process for pkcs 13

1. Message Hashing Bellare-Rogoway 1994

2. Message Digest Encoding

3. Data block formatting

4. OctetString2integer conversion

5. RSA COmputation

6. Integer2octetString conversion

Signature process for PKCS #1



Verification process for pkcs 1

Octet-string2integer conversion Bellare-Rogoway 1994 .Reject S if the bit-length of S is not a multiple of 8. Convert S to an integer s as in step 4 of the signature process. Reject the signature is s > n.

RSA Computation. Compute m = se mod n.

Verification process for PKCS #1

Verification process for pkcs 11

Integer2octet-string conversion Bellare-Rogoway 1994 . Convert m to an octet string as in step 6 of the signature process.

Parsing. Parse EB into a block type BT, a padding string PS, and the data D.

Reject if EB cannot be parsed unambiguously.

Reject if BT is not one of 00 or 01.

Reject if PS consists of < 8 octets or is inconsistent with BT.

Verification process for PKCS #1

Verification process for pkcs 12

Data Decoding. Bellare-Rogoway 1994

BER-decode D to get a message digest MD and a hash algorithm identifier.

Reject if the hashing algorithm does not identify one of MD2 or MD5.

Message Digest and Comparison. Hash the message M using the selected message-digest algorithm to get the octet string MD’ and compare it with MD obtained in (5).

Verification process for PKCS #1

Verification process for pkcs 13

1. OctetString2integer conversion Bellare-Rogoway 1994

2. RSA Computation

3. Integer2octetString conversion

4. Parsing

5. Data Encoding

6. Message digesting and comparison

Verification process for PKCS #1

Signature and message


Pkcs 1 the future

Probabilistic signature scheme (PSS) Bellare-Rogoway 1994

Provably secure in random oracle model

Natural extension to message recovery

PKCS 1: The Future