Explore the history, concepts, and practical applications of public key cryptosystems like Diffie-Hellman and RSA. Learn about key distribution, digital signatures, and the underlying number theory principles.
ISA 562 Information Security Theory & Practice
Public Key Cryptosystem
Chapter 9 of Bishop’s Book

Outline
• Background
• Diffie-Hellman
• RSA
• Cryptographic Checksums

History
• Concept conceived by Diffie and Hellman in 1976
• Rivest, Shamir and Adleman (RSA) were first to describe a public key system in 1978
• Merkle and Hellman published a different solution later in 1978 (broken by Shamir)

The Big Picture
[Diagram: A enciphers plaintext with B's public key using the encryption algorithm; the ciphertext crosses an INSECURE CHANNEL; B deciphers it with B's private key using the decryption algorithm to recover the plaintext. B's public key reaches A over a RELIABLE CHANNEL.]

The Basic Idea
• Confidentiality: encipher using public key, decipher using private key
• Integrity/authentication: encipher using private key, decipher using public key
[Diagram: B enciphers plaintext with B's private key, producing the ‘signature’ ciphertext; A deciphers it with B's public key to recover the plaintext.]

Requirements
• The keys and algorithms must meet these requirements
  • Must be computationally easy to encipher or decipher
  • Must be computationally infeasible to derive the private key from the public key
  • Must be computationally infeasible to determine the private key from a chosen plaintext attack
• Different from those of a secret key cryptosystem except the first requirement
• Why another cryptosystem?

Motivation 1 - Key Distribution Problem
• In a secret key cryptosystem, the secret key must be transmitted via a secure channel
  • Inconvenient: if n parties want to communicate with each other, how many keys need to be transmitted?
  • Insecure: is the secure channel really secure?
• Public key cryptosystem solves the problem
  • Public key known by everyone, like a telephone directory
  • Private key is never transmitted

Motivation 2 - Digital Signature
• In a secret key cryptosystem, authentication and non-repudiation may be difficult
  • Authentication: you must share a secret key with someone in order to verify his signature
  • Non-repudiation: “I didn’t sign it. You did, since you also have the key”
• Public key cryptosystem solves the problem
  • Verification of a signature needs only the public key
  • One is solely responsible for his private key

Required number theory
• If a = b + kn for some integer k, we write b = a mod n (a is congruent to b modulo n, and b is the residue of a modulo n)
• Examples: 2 = 12 mod 5, 2 = 12 mod 10, 0 = 12 mod 6
• Property: (a ∘ b) mod n = ((a mod n) ∘ (b mod n)) mod n, where ∘ is +, - or *
• 3^5 mod 7 = (3*3*3*3*3) mod 7 = ((3*3 mod 7) * (3*3 mod 7) * (3 mod 7)) mod 7
• Needed when enciphering/deciphering: intermediate products can be reduced mod n at every step instead of computing the huge power first

More of the same…
• A prime number is a positive integer having exactly one positive divisor other than 1, e.g. 3, 5, 7, 11, 13…
• a and b are relatively prime if they have no common positive factors other than 1, e.g. 1 and 2, 2 and 3, 3 and 4, but not 2 and 4
• The totient function φ(n) gives the number of integers between 1 and n-1 that are relatively prime to n, e.g. φ(10) = 4 (1, 3, 7, 9 are relatively prime to 10)

Still More Math
• Euler's Totient Theorem: a^φ(n) mod n = 1, where a and n are relatively prime
• Examples: 3^φ(10) mod 10 = 3^4 mod 10 = 81 mod 10 = 1; 10^φ(3) mod 3 = 10^2 mod 3 = 100 mod 3 = 1
• Fermat’s Little Theorem: a^(p-1) mod p = 1, where p is prime and relatively prime to a
• Notice φ(p) = p-1

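The three number-theory slides above, worked in code. This is an added example and not part of the slide deck: it checks the reduction property, the totient function and Euler's and Fermat's theorems on the slides' own small numbers, and implements square-and-multiply, which is how the reduction property is actually used when enciphering and deciphering (every product is reduced mod n, so no intermediate value ever exceeds n*n). The function names are my own.

```python
# Added example (not from the slides): modular-arithmetic facts behind RSA.
from math import gcd


def mod_reduce_property(a: int, b: int, n: int) -> bool:
    """(a ∘ b) mod n == ((a mod n) ∘ (b mod n)) mod n for ∘ in {+, -, *}."""
    return all(
        op(a, b) % n == op(a % n, b % n) % n
        for op in (lambda x, y: x + y, lambda x, y: x - y, lambda x, y: x * y)
    )


def modexp(base: int, exp: int, n: int) -> int:
    """base^exp mod n by square-and-multiply, reducing after every product
    so no intermediate exceeds n*n (contrast: 3**5 % 7 computes 243 first)."""
    result, base = 1, base % n
    while exp > 0:
        if exp & 1:
            result = (result * base) % n
        base = (base * base) % n
        exp >>= 1
    return result


def totient(n: int) -> int:
    """phi(n): how many of 1..n-1 are relatively prime to n (the slides' definition)."""
    return sum(1 for k in range(1, n) if gcd(k, n) == 1)


def euler_holds(a: int, n: int) -> bool:
    """Euler's Totient Theorem: a^phi(n) = 1 (mod n) when gcd(a, n) == 1."""
    if gcd(a, n) != 1:
        raise ValueError("a and n must be relatively prime")
    return modexp(a, totient(n), n) == 1


def fermat_holds(a: int, p: int) -> bool:
    """Fermat's Little Theorem: a^(p-1) = 1 (mod p) for prime p not dividing a."""
    if p < 2 or totient(p) != p - 1:      # phi(p) == p-1 exactly when p is prime
        raise ValueError("p must be prime")
    if a % p == 0:
        raise ValueError("p must not divide a")
    return modexp(a, p - 1, p) == 1


if __name__ == "__main__":
    print(modexp(3, 5, 7))                 # 5, same as 243 mod 7
    print(totient(10), euler_holds(3, 10), euler_holds(10, 3), fermat_holds(2, 7))
```

`modexp` is what Python's built-in `pow(base, exp, mod)` does internally; the hand-written version is here only to make the "reduce at every step" idea from the slide visible.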
Outline
• Background
• Diffie-Hellman
• RSA
• Cryptographic Checksums

Diffie-Hellman Key Exchange Scheme
• Proposed in 1976 as the first public key algorithm (predates RSA)
• Allows users to agree on a secret key over insecure channels with no prior communication
• The secret key can then be used to encrypt or decrypt messages (e.g., SSL 3.0, IPsec)
[Diagram: A and B derive a shared key K over an insecure channel.]

Discrete Logarithm Problem
• D-H is based on the discrete logarithm problem: given integers n and g and prime number p, compute k such that n = g^k mod p
• In general computationally infeasible
• Choices for g and p are critical
  • Both p and (p-1)/2 should be prime
  • p should be large (at least 512 bits, possibly 1028 bits)
  • g should be a primitive root mod p

Diffie-Hellman Key Exchange Scheme
• A and B agree on p and g with 1 < g < p
• A chooses x and sends X = g^x mod p to B
• B chooses y and sends Y = g^y mod p to A
• A computes k = Y^x mod p
• B computes k’ = X^y mod p
• k = k’ = g^(xy) mod p
• An eavesdropper on the channel knows p, g, X and Y, but not x or y or k

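The exchange on the previous slide run end to end, as an added example that is not part of the slide deck: both parties' computations are shown, preceded by the parameter checks the slides call for (p and (p-1)/2 prime, g a primitive root mod p). The values p = 23 and g = 5 are constructed toy parameters; the primality test is trial division and only suits toy sizes; the function names are my own.

```python
# Added example (not from the slides): toy Diffie-Hellman with parameter checks.
import secrets


def is_prime(n: int) -> bool:
    """Trial division; adequate only for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def prime_factors(n: int) -> set:
    """Distinct prime factors of n by trial division."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_safe_prime(p: int) -> bool:
    """Both p and (p-1)/2 prime, as the slides recommend."""
    return is_prime(p) and is_prime((p - 1) // 2)


def is_primitive_root(g: int, p: int) -> bool:
    """g generates all of Z_p^* iff g^((p-1)/q) != 1 (mod p) for every prime q dividing p-1."""
    if not 1 < g < p:
        return False
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def check_params(p: int, g: int) -> None:
    """Reject parameters that violate the slides' requirements before any exponent is chosen."""
    if not is_safe_prime(p):
        raise ValueError(f"p={p} is not a safe prime")
    if not is_primitive_root(g, p):
        raise ValueError(f"g={g} is not a primitive root mod {p}")


def random_exponent(p: int) -> int:
    """A private exponent in 1..p-2 from the OS CSPRNG (never a plain random())."""
    return secrets.randbelow(p - 2) + 1


def exchange(p: int, g: int, x: int, y: int) -> tuple:
    """Runs the exchange; returns (X, Y, k, k_prime):
    what crosses the insecure channel and what each side derives."""
    check_params(p, g)
    X = pow(g, x, p)          # A computes and sends X = g^x mod p
    Y = pow(g, y, p)          # B computes and sends Y = g^y mod p
    k = pow(Y, x, p)          # A: k = Y^x mod p
    k_prime = pow(X, y, p)    # B: k' = X^y mod p
    return X, Y, k, k_prime


if __name__ == "__main__":
    p, g = 23, 5
    x, y = random_exponent(p), random_exponent(p)
    X, Y, k, k_prime = exchange(p, g, x, y)
    assert k == k_prime == pow(g, x * y, p)
    print(f"A sent X={X}, B sent Y={Y}, both derived k={k}")
```

With x = 6 and y = 15 the run sends X = 8 and Y = 19, and both sides derive k = 2, which equals g^(xy) mod p. Note that `is_primitive_root` rejects g = 2 for p = 23 (its order is only 11), which is exactly the kind of parameter slip the check is there to catch.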
Quiz
• p = 7 and g = 5
• Alice chooses x = 2 and sends X = ?
• Bob chooses y = 3 and sends Y = ?
• Shared key: k = ? k’ = ? (g^(xy) mod p = ?)

Man-in-the-middle Attack
[Diagram: an active intruder C sits between A and B; A runs the exchange with C and derives K1, B runs the exchange with C and derives K2, while A and B each believe they share a key with the other.]

Outline
• Background
• Diffie-Hellman
• RSA
• Cryptographic Checksums

RSA In Summary
• Choose public key (n,e)
• Compute private key (n,d)
• Encryption: C = M^e mod n
• Decryption: M = C^d mod n
• Underlying theory: Euler's Totient Theorem

Key Generation
• Choose 2 large (512 bit) prime numbers p and q
• Compute n = p * q
• Choose e relatively prime to (p-1)*(q-1)
• Compute d such that e*d = 1 mod (p-1)*(q-1)
• Publish (n,e) and keep (n,d) (discard p, q)

Key Generation (Cont’d)
• Large primes can be found efficiently using probabilistic algorithms due to Solovay and Strassen
• d can be computed using the Extended Euclidean Algorithm (Textbook 31.2)
• Care must be exercised in choosing p and q, otherwise insecurities may result (p-1, p+1, q-1, q+1 should have large prime factors)

Key Generation - Example
• p = 7, q = 11, so n = 77 and (p-1)(q-1) = 60
• Alice chooses e = 17, computing d = 53 (17*53 = 901 = 15*60 + 1)
• Publish (77,17) and keep (77,53) secret

Encryption/Decryption
• Encryption: C = M^e mod n
• Decryption: M = C^d mod n
• Underlying theory: C^d mod n = (M^e mod n)^d mod n = M^(ed) mod n; since e*d = 1 mod (p-1)*(q-1), e*d = (p-1)*(q-1)*i + 1 for some integer i, so this equals M^((p-1)*(q-1)*i + 1) mod n = (1^i * M) mod n (by Fermat’s Little Theorem) = M mod n = M (requires M < n; M relatively prime to n)

Example: Encryption
• p = 7, q = 11, n = 77
• Alice chooses e = 17, making d = 53
• Bob wants to send Alice secret message HELLO (07 04 11 11 14)
  • 07^17 mod 77 = 28
  • 04^17 mod 77 = 16
  • 11^17 mod 77 = 44
  • 11^17 mod 77 = 44
  • 14^17 mod 77 = 42
• Bob sends 28 16 44 44 42

Example: Decryption
• Alice receives 28 16 44 44 42
• Alice uses private key, d = 53, to decrypt message:
  • 28^53 mod 77 = 07
  • 16^53 mod 77 = 04
  • 44^53 mod 77 = 11
  • 44^53 mod 77 = 11
  • 42^53 mod 77 = 14
• Alice translates 07 04 11 11 14 to HELLO
• No one else could read it, as only Alice knows her private key and that is needed for decryption

Digital Signatures in RSA
• RSA has an important property, not shared by other public key systems: encryption and decryption are symmetric
• Encryption followed by decryption yields the original message: (M^e mod n)^d mod n = M
• Decryption followed by encryption also yields the original message: (M^d mod n)^e mod n = M
• Because e and d play symmetric roles in e*d = 1 mod (p-1)*(q-1)

Digital Signatures in RSA
[Diagram: A computes the signature C = M^d mod n with A's private key d and sends plaintext M together with C; B computes M’ = C^e mod n with A's public key e (obtained over a RELIABLE CHANNEL) and checks whether M’ = M.]

Compared To Encryption in RSA
[Diagram: A computes ciphertext C = M^e mod n with B's public key e (obtained over a RELIABLE CHANNEL); B recovers plaintext M = C^d mod n with B's private key d.]

Signature and Encryption
[Diagram: A signs the plaintext with A's private key (D), then enciphers the signed plaintext with B's public key (E); B deciphers with B's private key (D) to get the signed plaintext, then verifies with A's public key (E) to recover the plaintext.]

Signature and Encryption
• We could do the encryption first followed by the signature.
• Signature first has the advantage that the signature can be verified by parties other than B.

Example: Sign
• Take p = 7, q = 11, n = 77
• Alice chooses e = 17, making d = 53
• Alice wants to send Bob message HELLO (07 04 11 11 14) so Bob knows it is from Alice, and it has not been modified in transit
  • 07^53 mod 77 = 35
  • 04^53 mod 77 = 09
  • 11^53 mod 77 = 44
  • 11^53 mod 77 = 44
  • 14^53 mod 77 = 49
• Alice sends 35 09 44 44 49

Example: Verify
• Bob receives 35 09 44 44 49
• Bob uses Alice’s public key, e = 17, n = 77, to decrypt message:
  • 35^17 mod 77 = 07
  • 09^17 mod 77 = 04
  • 44^17 mod 77 = 11
  • 44^17 mod 77 = 11
  • 49^17 mod 77 = 14
• Bob translates 07 04 11 11 14 to HELLO
• (Assume) only Alice has her private key, so no one else could have been able to create a correct signature
• The (deciphered) signature matches the transmitted plaintext, so the plaintext is not altered

Example: Both
• Alice wants to send Bob message HELLO both enciphered and signed
• Alice’s keys: public (17, 77); private: 53
• Bob’s keys: public: (37, 77); private: 13
• Alice does (does she encipher first or sign first?)
  • (07^53 mod 77)^37 mod 77 = 07
  • (04^53 mod 77)^37 mod 77 = 37
  • (11^53 mod 77)^37 mod 77 = 44
  • (11^53 mod 77)^37 mod 77 = 44
  • (14^53 mod 77)^37 mod 77 = 14
• Alice sends 07 37 44 44 14
• What would Bob do upon receiving the message?

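The RSA procedure from key generation through the "both" example, reproduced in code. This is an added example, not the slides' or the textbook's code: it uses the deck's parameters (p = 7, q = 11, e = 17 giving d = 53; Bob's e = 37 giving d = 13), computes d with the Extended Euclidean Algorithm, and implements encryption, decryption, signing, verification and sign-then-encrypt as separate functions whose results match the numbers on the slides. Textbook RSA on single letters with no padding is used only to match the slides; real systems use OAEP/PSS padding and 2048-bit or larger moduli. Function names are my own.

```python
# Added example (not from the slides): toy RSA with the deck's worked numbers.


def egcd(a: int, b: int) -> tuple:
    """Extended Euclidean Algorithm: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def modinv(a: int, m: int) -> int:
    """d with a*d = 1 (mod m); this is how d is obtained from e and (p-1)(q-1)."""
    g, s, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} is not relatively prime to {m}")
    return s % m


def keygen(p: int, q: int, e: int) -> tuple:
    """Returns (public (n, e), private (n, d)); p and q are then discarded."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, modinv(e, phi))


def encode(text: str) -> list:
    """Letter blocks as on the slides: A=00, B=01, ..., Z=25."""
    return [ord(c) - ord("A") for c in text]


def decode(blocks: list) -> str:
    return "".join(chr(b + ord("A")) for b in blocks)


def apply_key(blocks: list, key: tuple) -> list:
    """x^exp mod n per block; the one primitive behind all four RSA operations."""
    n, exp = key
    if any(not 0 <= b < n for b in blocks):
        raise ValueError("every block must satisfy 0 <= M < n")
    return [pow(b, exp, n) for b in blocks]


def encrypt(text: str, recipient_pub: tuple) -> list:
    return apply_key(encode(text), recipient_pub)          # C = M^e mod n


def decrypt(cipher: list, recipient_priv: tuple) -> str:
    return decode(apply_key(cipher, recipient_priv))       # M = C^d mod n


def sign(text: str, signer_priv: tuple) -> list:
    return apply_key(encode(text), signer_priv)            # S = M^d mod n


def verify(text: str, sig: list, signer_pub: tuple) -> bool:
    return apply_key(sig, signer_pub) == encode(text)      # S^e mod n == M ?


def sign_then_encrypt(text: str, sender_priv: tuple, recipient_pub: tuple) -> list:
    """The slides' 'both' case: sign first, then encipher the signed blocks."""
    return apply_key(sign(text, sender_priv), recipient_pub)


def decrypt_then_verify(cipher: list, recipient_priv: tuple, sender_pub: tuple) -> str:
    """Recipient's side: strip the encryption with their own private key, then
    the signature with the sender's public key, recovering the plaintext."""
    return decode(apply_key(apply_key(cipher, recipient_priv), sender_pub))


if __name__ == "__main__":
    alice_pub, alice_priv = keygen(7, 11, 17)
    bob_pub, bob_priv = keygen(7, 11, 37)
    print(encrypt("HELLO", alice_pub))                       # [28, 16, 44, 44, 42]
    print(sign("HELLO", alice_priv))                         # [35, 9, 44, 44, 49]
    print(sign_then_encrypt("HELLO", alice_priv, bob_pub))   # [7, 37, 44, 44, 14]
```

Because the letter alphabet is only 26 symbols and there is no padding, identical letters always produce identical blocks (both L's become 44), which is one reason textbook RSA is never used as-is; the example keeps that behaviour deliberately to match the slides.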
Security of RSA
• Cryptanalysis is to compute d while knowing (e, n), such that e*d = 1 mod (p-1)(q-1) and n = pq for some p and q (the factorization is unique)
• If the factorization of n into p*q is known, this is easy (Extended Euclidean Algorithm). Otherwise, it is hard.
• Therefore the security of RSA is no better than the complexity of the factoring problem
• Is the factoring problem provably hard (e.g., undecidable)? No
• However, the possibility of an easy factoring method is believed to be remote.

RSA Versus DES
• Fastest implementations of RSA can encrypt kilobits/second
• Fastest implementations of DES can encrypt megabits/second
• It is often proposed that RSA be used for secure exchange of DES keys
• This 1000-fold difference in speed is likely to remain independent of technology advances
• Matters more in wireless/ad hoc/sensor networks

RSA Versus DES
• Key size of RSA is selected by the user
• Many implementations choose n to be 154 digits (512 bits) so the key (n,e) is 1024 bits
• Key size of DES is 64 bits (56 bits plus 8 parity bits)

RSA Key Size
• Key size should be chosen conservatively
• Cryptographers can stay ahead of (factorization) cryptanalysts by increasing the key size
• Until 1989 factorization attacks were based on "high school mathematics." Since then sophisticated attacks have extended factorization to larger numbers (usually of a specific form).
• At present it appears that 130 digit numbers can be factored in several months using lots of idle workstations.

Outline
• Background
• Diffie-Hellman
• RSA
• Cryptographic Checksums

One-way Hash Functions
• Also known as message digests
• A function H(M) = m satisfies
  • (Fixed length): M can be of any length, whereas m is of fixed length
  • (One-way): computing H(M) = m is easy, but computing H^-1(m) = M is computationally infeasible
  • (Collision-free), in two forms:
    • Weak collision-freedom: given any M, difficult to find another M’ such that H(M) = H(M’)
    • Strong collision-freedom: difficult to find any M and M’ such that H(M) = H(M’)

Why Those Requirements?
• Many applications store H(p) instead of a password p
  • Fixed length: cannot guess the length of p from H(p) (and H(p) is easier to store)
  • One-way: the administrator cannot learn the p of others
  • Collision-free: cannot submit an incorrect p matching H(p)
• Most applications sign H(M) instead of M

Example
• ASCII parity bit
  • ASCII has 7 bits; the 8th bit is “parity”
  • Even parity: even number of 1 bits
  • Odd parity: odd number of 1 bits
• Bob receives “10111101”
  • If the sender is using even parity: six ‘1’ bits, so the character was received correctly
  • Note: it could be garbled, but 2 bits would need to have been changed to match the parity bit
  • If the sender is using odd parity: even number of 1 bits, so the character was not received correctly

Hash Functions In Practice
• DES-based hash functions tend to produce 64-bit digests, which cannot be strongly collision-free
• CCITT X.509 (proven insecure)
• Merkle's Snefru: 2-pass version proven insecure; 4-pass version unproven
• Jueneman's methods: broken and refined and broken and refined
• NIST Secure Hash Algorithm
• RSA: MD2, MD4, MD5, SHA-0, SHA-1, SHA-2 (SHA-224, SHA-256, SHA-384, and SHA-512)

“Hash Functions Broken”?
• Crypto 2004 Rump session reported attacks on MD4, MD5 and SHA-0
• MD4’s attacks can be done by hand
• Crypto 2005 reported attacks on full SHA-1
• Should we panic?
Xiaoyun Wang’s webpage: http://www.infosec.sdu.edu.cn/people/wangxiaoyun.htm

“Hash Functions Broken”? (Cont’d)
• Nature of the results: an algorithm that finds collisions faster than the theoretical bound
  • MD5: about one hour; SHA-1: 2^63 operations vs 2^80 (theoretically)
• Yes, the results disprove those functions to be strong collision-free
• No, they do not give you a password from its hash
  • Brute force attacks do (refer to http://passcracking.com/)
• Whether you should panic or not depends on what you use the hash functions for

Hash Functions Vs MAC
• Send a message M together with its hash h = H(M), so the recipient can verify M by comparing H(M) with the received h
• Attack: if anyone in the middle can replace M with M’ and h with h’ = H(M’), the recipient won’t detect this
• Keyed hash functions
  • Also known as message authentication codes (MAC)
  • Example: DES in CBC mode: use a key to encipher the message in CBC mode and use the last n bits as the MAC value

HMAC
• Build a MAC from keyless hash functions
  • Motivation: encryption algorithms cannot be exported
• h: keyless hash function
• k: a cryptographic key k padded with 0
• ipad: 00110110 repeated
• opad: 01011100 repeated
• HMAC_h(k, m) = h((k ⊕ opad) || h((k ⊕ ipad) || m))
• ⊕: exclusive or; ||: concatenation

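The HMAC formula on the slide built by hand from a keyless hash, together with the substitution scenario from the previous slide. This is an added example and not part of the slide deck: `hmac_manual` follows the slide's formula literally (key zero-padded to the hash block size, ipad 0x36 = 00110110, opad 0x5c = 01011100), and is checked against Python's `hmac` module and an RFC 4231 test vector; `substitution_detected` is a constructed scenario showing that a recipient who verifies a plain hash accepts a replaced message, while one who verifies the keyed MAC does not. Function names are my own.

```python
# Added example (not from the slides): HMAC from the slide's formula, and the
# keyed-vs-unkeyed integrity check from the previous slide.
import hashlib
import hmac

IPAD = 0x36  # 00110110
OPAD = 0x5C  # 01011100


def hmac_manual(key: bytes, msg: bytes, h=hashlib.sha256) -> bytes:
    """h((k xor opad) || h((k xor ipad) || m)), with k zero-padded to the hash's block size."""
    block = h().block_size                      # 64 bytes for SHA-256
    if len(key) > block:                        # over-long keys are hashed first (RFC 2104)
        key = h(key).digest()
    key = key.ljust(block, b"\x00")             # pad with 0 bits, as the slide says
    k_ipad = bytes(b ^ IPAD for b in key)
    k_opad = bytes(b ^ OPAD for b in key)
    inner = h(k_ipad + msg).digest()
    return h(k_opad + inner).digest()


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check against the standard library's HMAC-SHA-256."""
    return hmac_manual(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()


# RFC 4231 test case 2 (key "Jefe") for HMAC-SHA-256.
RFC4231_CASE2 = "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"


def rfc4231_case2_ok() -> bool:
    return hmac_manual(b"Jefe", b"what do ya want for nothing?").hex() == RFC4231_CASE2


def verify_unkeyed(msg: bytes, tag: bytes) -> bool:
    """Plain hash as a checksum: anyone who can change M can recompute it."""
    return hmac.compare_digest(hashlib.sha256(msg).digest(), tag)


def verify_keyed(key: bytes, msg: bytes, tag: bytes) -> bool:
    """MAC check; compare_digest avoids a timing side channel on the comparison."""
    return hmac.compare_digest(hmac_manual(key, msg), tag)


def substitution_detected(key: bytes) -> tuple:
    """Constructed scenario from the slide: M is replaced by M' in transit and the
    unkeyed hash recomputed. Returns (unkeyed_accepts, keyed_accepts)."""
    original, substituted = b"pay 10 to alice", b"pay 10 to mallory"
    unkeyed_accepts = verify_unkeyed(substituted, hashlib.sha256(substituted).digest())
    # Without k, the only tags available are the original MAC or an unkeyed hash.
    keyed_accepts = (
        verify_keyed(key, substituted, hmac_manual(key, original))
        or verify_keyed(key, substituted, hashlib.sha256(substituted).digest())
    )
    return unkeyed_accepts, keyed_accepts


if __name__ == "__main__":
    print(matches_stdlib(b"key", b"The quick brown fox"), rfc4231_case2_ok())
    print(substitution_detected(b"shared secret"))   # (True, False)
```

In production use `hmac.new` (or the equivalent in your platform's crypto library) rather than a hand-rolled version; the manual construction is here to show that the slide's formula is the whole algorithm.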
Key Points
• Public key cryptosystems have two keys
• Diffie-Hellman exchanges a secret key via an insecure channel
• RSA can be used for confidentiality and integrity
• Cryptographic Checksums are keyed hash functions