You are on page 1of 21

# Outline

1
2

CSc 466/566
Computer Security
3
4

## 7 : Cryptography Public Key

Version: 2012/02/15 16:15:24

## Department of Computer Science

University of Arizona

5
collberg@gmail.com
c 2012 Christian Collberg

Christian Collberg

6
1/83

## History of Public Key Cryptography

Introduction
RSA
Algorithm
Example
Correctness
Security
GPG
Elgamal
Algorithm
Example
Correctness
Security
Diffie-Hellman Key Exchange
Diffie-Hellman Key Exchange
Example
Correctness
Security
Summary

Introduction

2/83

Public-key Algorithms

## Definition (Public-key Algorithms)

RSA Conference 2011-Opening-Giants Among Us:

## Public-key cryptographic algorithms use different keys for

encryption and decryption.

## Adventures of Alice & Bob - Alice Gets Lost:

EPB (M) = C

DSB (C ) = M
DSB (EPB (M)) = M

Introduction

3/83

Introduction

4/83

## Key-management is the main problem with symmetric

algorithms Bob and Alice have to somehow agree on a key
to use.

Bob

Alice

## In public key cryptosystems there are two keys, a public one

used for encryption and and private one for decryption.
plaintext

## Alice and Bob agree on a public key cryptosystem.

Bob sends Alice his public key, or Alice gets it from a public
database.

Alice encrypts her plaintext using Bobs public key and sends
it to Bob.

Introduction

PB

5/83

Alice
SA , PA

PA , PC

PA , PB

PB , PC PA , PD

Carol
SC , PC

Eve

decrypt

plaintext

SB

Introduction

6/83

## In practice, public key cryptosystems are not used to encrypt

messages they are simply too slow.

Bob
SB , PB

## Instead, public key cryptosystems are used to encrypt

keys for symmetric cryptosystems . These are called
session keys , and are discarded once the communication
session is over.

PB , PD
1

## Alice generates a session key K , encrypts it with Bobs public

key, and sends it to Bob.

Bob decrypts the message using his private key to get the
session key K .

## Both Alice and Bob communicate by encrypting their

messages using K .

SD , PD

## Advantages : n key pairs to communicate between n parties.

Disadvantages : Ciphers (RSA,. . . ) are slow; keys are large
Introduction

ciphertext

A Hybrid Protocol

Dave
PC , PD

encrypt

7/83

Introduction

8/83

## Hybrid Encryption Protocol. . .

Outline
1
2

Bob

Alice

3
4

encrypt

EPB (K )

PB

decrypt

SB
5

encrypt
K

EK (M)

decrypt

K
6

Introduction

9/83

RSA

Introduction
RSA
Algorithm
Example
Correctness
Security
GPG
Elgamal
Algorithm
Example
Correctness
Security
Diffie-Hellman Key Exchange
Diffie-Hellman Key Exchange
Example
Correctness
Security
Summary

RSA

10/83

RSA: Algorithm

## Bob (Key generation):

Generate two large random primes p and q.
Compute n = pq.
Select a small odd integer e relatively prime with (n).
4 Compute (n) = (p 1)(q 1).
5 Compute d = e 1 mod (n).
1
2
3

## RSA is the best know public-key cryptosystem. Its security is

based on the (believed) difficulty of factoring large numbers.
Plaintexts and ciphertexts are large numbers (1000s of bits).

## PB = (e, n) is Bobs RSA public key.

SB = (d, n) is Bob RSA private key.

exponentiation.

1
2

## Get Bobs public key PB = (e, n).

Compute C = M e mod n.

## Bob (decrypt a message C received from Alice):

1

RSA

11/83

RSA

Compute M = C d mod n.
12/83

## How should we choose e?

It doesnt matter for security; everybody could use the same e.
It matters for performance: 3, 17, or 65537 are good choices.

## Select two primes: p = 47 and q = 71.

Compute n = pq = 3337.

Select e = 79.

Compute

## You can only encrypt messages M < n. Thus, to encrypt

larger messages you need to break them into pieces, each < n.

exponentiation.

= 1019

RSA

13/83

1
2

RSA

14/83

## RSA Example: Decryption

Encrypt M = 6882326879666683.
Break up M into 3-digit blocks:
m = h688, 232, 687, 966, 668, 003i

= e 1 mod (n)

## Note the padding at the end.

Encrypt each block:

## Decrypt each block:

m1 = c1d mod n
= 15701019 mod 3337

c1 = m1e mod n

= 688

## = 68879 mod 3337

= 1570
We get:
c = h1570, 2756, 2091, 2276, 2423, 158i

RSA

15/83

RSA

16/83

## Alice is telling Bob that he should use a pair of the form

(3, n)
Show the result of encrypting M = 4 using the public key
(e, n) = (3, 77) in the RSA cryptosystem.

or
(16385, n)
as his RSA public key if he wants people to encrypt messages
for him from their cell phones.
As usual, n = pq, for two large primes, p and q.
What is the justification for Alices advice?

RSA

17/83

RSA

18/83

RSA Correctness
We have
C

= M e mod n

M = C d mod n.
1

Encrypt M = 88.

## To show correctness we have to show that decryption of the

ciphertext actually gets the plaintext back, i.e that, for all
M<n
C d mod n = (M e )d mod n
= M ed mod n
= M

RSA

19/83

RSA

20/83

d

= e 1 mod (n)

## from which we can conclude that

M (n) mod n = 1 follows from Eulers theorem.

ed mod (n) = 1
ed

Theorem (Euler)

= k(n) + 1

n > 0, then
x (n) mod n = 1

## Case 1, M is relatively prime to n:

C d mod n = M ed mod n
= M k(n)+1 mod n
= M (M (n) )k mod n
= M 1k mod n
= M mod n
= M
RSA

21/83

RSA

22/83

## RSA Correctness: Case 2. . .

We have that
(n) = (pq) = (p)(q)
By Eulers theorem we have that

## Assume that M is not relatively prime to n, i.e. M has some

factor in common with n, since M < n.
There are two cases:
1
2

## M k(n) mod q = M k(p)(q) mod q

= (M k(p) )(q) mod q
= 1

## M is relatively prime with q and M = ip, or

M is relatively prime with p and M = iq.

## We consider only the first case, the second is similar.

M k(n) = 1 + hq
Multiply both sides by M
M M k(n) = M(1 + hq)
M k(n)+1 = M + Mhq

RSA

23/83

RSA

24/83

RSA Security

## We can now prove Case 2, for M = ip:

d

C mod n = M
= M

ed

Summary:
Compute n = pq, p and q prime.
Select a small odd integer e relatively prime with (n).
Compute (n) = (p 1)(q 1).
4 Compute d = e 1 mod (n).
5 PB = (e, n) is Bobs RSA public key.
6 SB = (d, n) is Bob RSA private key.

mod n

k(n)+1

1
2
3

mod n

= (M + Mhq) mod n
= (M + (ip)hq) mod n
= (M + (ih)pq) mod n

## Since Alice knows Bobs PB , she knows e and n.

= (M + (ih)n) mod n

If she can compute d from e and n, she has Bobs private key.

## If she knew (n) = (p 1)(q 1) she could compute

d = e 1 mod (n) using Euclids algorithm.

= M mod n
= M

RSA

25/83

## If enough time has passed The scheme is secure!

RSA

26/83

RSA Security. . .

## If we can factor n, we can find p and q and the scheme is

broken.
As far as we know, factoring is hard.

1
2

RSA

## It took 5 years to break the Merkle-Hellman cryptosystem.

It took 10 years to break the Chor-Rivest cryptosystem.

27/83

RSA

28/83

## RSA Factoring Challenge. . .

Name :
RSA576
Digits :
174
188198812 92 0 60 7 96 3 83 8 69 7 23 9 46 1 65 0 43 9 8 07 1 63 5 63 3 79 4 17 3 82 7 00 7 63 3 56 4 22
988859715 23 4 66 5 48 5 31 9 06 0 60 6 50 4 74 3 04 5 3 17 3 88 0 11 3 03 3 96 7 16 1 99 6 92 3 21 2 05
7340318795 50 6 56 9 96 22 1 30 5 16 87 5 93 0 76 5 02 57 0 59

## The factoring research team of F. Bahr, M. Boehm, J. Franke,

T. Kleinjung continued its productivity with a successful
factorization of the challenge number RSA-640, reported on
November 2, 2005.
The factors are:

## On December 3, 2003, a team of researchers in Germany and

several other countries reported a successful factorization of
the challenge number RSA-576.
The factors are

1900871281 66 4 82 2 11 3 12 6 85 15 7 39 3 54 1 39 7 54 7 18 9 67 8 99 68
5154936666 38 5 39 0 88 0 27 10 3 80 2 10 4 49 8 95 7 19 1 26 14 6 55 7 1

47277214610 7 43 5 30 2 53 6 22 30 7 19 7 30 4 82 24 6 32 9 14 6 95
30209711645 9 85 2 17 11 3 05 2 07 11 2 56 3 63 5 90 39 7 52 7

RSA

## RSA Factoring Challenge. . .

RSA

Name :
RSA1536
Digits :
463
184769970 32 1 17 4 14 7 43 0 68 3 56 2 0 20 0 16 4 40 3 01 8 54 9 33 8 66 3 4 1 0 1 71 4 71 7 85 7 74 9 10 6 5 1
696711161 24 9 85 9 33 7 68 4 30 5 43 5 7 44 5 85 6 16 0 61 5 44 5 71 7 94 0 5 2 2 2 97 1 77 3 25 2 46 6 09 6 0 6
469460712 49 6 23 7 20 4 42 0 22 2 69 7 5 67 5 66 8 73 7 84 2 75 6 23 8 95 0 8 7 6 4 67 8 44 0 93 3 28 5 15 7 4 9
657884341 50 8 84 7 55 2 82 9 81 8 67 2 6 45 1 33 9 86 3 36 4 93 1 90 8 08 4 6 7 1 9 90 4 31 8 74 3 81 2 83 3 6 3
502795470 28 2 65 3 29 7 80 2 93 4 91 6 1 55 8 11 8 81 0 49 8 44 9 08 3 19 5 4 5 0 0 98 4 83 9 37 7 52 2 72 5 7 0
525785919 44 9 93 8 70 0 73 6 95 7 55 6 8 84 3 69 3 38 1 27 7 96 1 30 8 92 3 0 3 9 2 56 9 69 5 25 3 26 1 62 0 8 2
3676490316 03 6 55 1 37 14 4 79 1 39 3 23 47 1 69 5 66 9 88 06 9

Name :
RSA768
Digits :
232
123018668 45 3 01 1 77 5 51 3 04 9 49 5 8 38 4 96 2 72 0 77 2 85 3 56 9 59 5 33 4 7 92 1 97 3 22 4 52 1 51 7 2
640050726 36 5 75 1 87 4 52 0 21 9 97 8 6 46 9 38 9 95 6 47 4 94 2 77 4 06 3 84 5 9 25 1 92 5 57 3 26 3 03 4 5
373154826 85 0 79 1 70 2 61 2 21 4 29 1 3 46 1 67 0 42 9 21 4 31 1 60 2 22 1 2 4 0 4 79 2 74 7 37 7 94 0 80 6 6 5
351419597459 85 69 0 21 43 41 3

Name :
RSA2048
Digits :
617
251959084 75 6 57 8 93 4 94 0 27 1 83 2 4 00 4 83 9 85 7 14 2 92 8 21 2 62 0 4 0 3 2 02 7 77 7 13 7 83 6 04 3 6 6
202070759 55 5 62 6 40 1 85 2 58 8 07 8 4 40 6 91 8 29 0 64 1 24 9 51 5 08 2 1 8 9 2 98 5 59 1 49 1 76 1 84 5 0 2
808489120 07 2 84 4 99 2 68 7 39 2 80 7 2 87 7 76 7 35 9 71 4 18 3 47 2 70 2 6 1 8 9 63 7 50 1 49 7 18 2 46 9 1 1
650776133 79 8 59 0 95 7 00 0 97 3 30 4 5 97 4 88 0 84 2 84 0 17 9 74 2 91 0 0 6 4 2 45 8 69 1 81 7 19 5 11 8 7 4
612151517 26 5 46 3 22 8 22 1 68 6 99 8 7 54 9 18 2 42 2 43 3 63 7 25 9 08 5 1 4 1 8 65 4 62 0 43 5 76 7 98 4 2 3
387184774 44 7 92 0 73 9 93 4 23 6 58 4 8 23 8 24 2 81 1 98 1 63 8 15 0 10 6 7 4 8 1 04 5 16 6 03 7 73 0 60 5 6 2
016196762 56 1 33 8 44 1 43 6 03 8 33 9 0 44 1 49 5 26 3 44 3 21 9 01 1 46 5 7 5 4 4 45 4 17 8 42 4 02 0 92 4 6 1
651572335 07 7 87 0 77 4 98 1 71 2 57 7 2 46 7 96 2 92 6 38 6 35 6 37 3 28 9 9 1 2 1 54 8 31 4 38 1 67 8 99 8 8 5
0404453640 2 35 2 73 8 19 5 13 7 86 3 65 6 43 9 12 1 20 1 03 9 71 2 28 2 21 2 0 7 2 03 5 7

Name :
RSA896
Digits :
270
412023436 98 6 65 9 54 3 85 5 53 1 36 5 3 32 5 75 9 48 1 79 8 11 6 99 8 44 3 2 7 9 8 28 4 54 5 56 2 64 3 38 7 6 4
455652484 26 1 98 0 98 8 70 4 23 1 61 8 4 18 7 92 6 14 2 02 4 71 8 88 6 94 9 2 5 6 0 93 1 77 6 37 5 03 3 42 1 1 3
098239748 51 5 09 4 49 0 91 0 69 1 02 6 9 86 1 03 1 86 2 70 4 11 4 88 0 86 6 9 7 0 5 64 9 02 9 03 6 53 6 58 8 6 7
4337317208 1 31 0 41 0 51 9 08 6 4 25 4 79 3 28 2 60 1 39 1 25 7 62 4 03 3 94 6 37 3 26 9 39 1
Name :
RSA1024
Digits :
309
135066410 86 5 99 5 22 3 34 9 60 3 21 6 2 78 8 05 9 69 9 38 8 81 4 75 6 05 6 6 7 0 2 75 2 44 8 51 4 38 5 15 2 6 5
106048595 33 8 33 9 40 2 87 1 50 5 71 9 0 94 4 17 9 82 0 72 8 21 6 44 7 15 5 1 3 7 3 68 0 41 9 70 3 96 4 19 1 7 4
304649658 92 7 42 5 62 3 93 4 10 2 08 6 4 38 3 20 2 11 0 37 2 95 8 72 5 76 2 3 5 8 5 09 6 43 1 10 5 64 0 73 5 0 1
508187510 67 6 59 4 62 9 20 5 56 3 68 5 5 29 4 75 2 13 5 00 8 52 8 79 4 16 3 7 7 3 2 85 3 39 0 61 0 97 5 05 4 4 3
34999811150 05 69 7 72 36 8 90 92 75 6 3

RSA

30/83

## RSA Factoring Challenge. . .

Name :
RSA704
Digits :
212
740375634 79 5 61 7 12 8 28 0 46 7 96 0 97 4 29 5 7 31 4 25 9 31 8 88 8 92 3 12 8 90 8 49 3 62 3 2 63 8 97
276503402 82 6 62 7 68 9 19 9 64 1 96 2 51 1 78 4 3 99 5 89 4 33 0 50 2 12 7 58 5 37 0 11 8 96 8 0 98 2 86
733173273 10 8 93 0 90 0 5 52 5 05 1 16 8 77 0 6 32 9 90 7 23 9 63 8 07 8 6 71 0 08 6 09 6 96 2 5 37 9 34 6 50 5 63 7 96 3 5 9

## The effort took approximately 30 2.2GHz-Opteron-CPU years

according to the submitters, over five months of calendar time.
29/83

1634733645 80 9 25 3 84 8 44 3 13 3 88 3 86 50 9 08 5 98 4 17 8 36 7 00 3 30
9231218111 08 5 23 8 93 3 31 00 1 04 5 08 1 51 2 12 11 8 16 7 51 1 57 9

39807508642 4 06 4 93 7 39 7 12 55 0 05 5 03 8 64 91 1 99 0 64 3 62
34252670840 6 38 5 18 95 7 59 4 63 88 9 57 2 61 7 68 58 3 31 7

Name :
RSA640
Digits :
193
310741824 04 9 00 4 37 2 13 5 07 5 00 3 58 8 85 6 79 3 0 03 7 34 6 02 2 84 2 72 7 54 5 72 0 16 1 94 8 82
320644051 80 8 15 0 45 5 63 4 68 2 96 7 17 2 32 8 67 8 2 43 7 91 6 27 2 83 8 03 3 41 5 47 1 07 3 10 8 50
1919548529 0 07 3 37 7 2 48 2 27 8 35 2 57 4 23 8 64 5 40 1 46 9 17 3 66 0 24 7 76 5 23 4 66 0 9

http://www.rsa.com/rsalabs/node.asp?id=2093

31/83

RSA

32/83

Outline
1
2

and C2 .

## If C1 = C2 then we know that M1 = M2 !

Also, side-channel attacks are possible against RSA, for
example by measuring the time taken to encrypt.
5

6
RSA

33/83

Software GPG

Introduction
RSA
Algorithm
Example
Correctness
Security
GPG
Elgamal
Algorithm
Example
Correctness
Security
Diffie-Hellman Key Exchange
Diffie-Hellman Key Exchange
Example
Correctness
Security
Summary

GPG

34/83

> gpg --gen-key

## Please select what kind of key you want:

(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
What keysize do you want? (2048)
Key is valid for? (0)
Key does not expire at all
Real name: Bobby
Comment: recipient
You need a Passphrase to protect your secret key.
Enter passphrase: Bob rocks
Repeat passphrase: Bob rocks

Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192,
AES256, TWOFISH, CAMELLIA128,
CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384,
SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
http://www.gnupg.org

GPG

35/83

GPG

36/83

## > gpg --gen-key

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
What keysize do you want? (2048)
Key is valid for? (0)
Key does not expire at all
Real name: Alice
Comment: sender
You need a Passphrase to protect your secret key.
Enter passphrase: Alice is cute
Repeat passphrase: Alice is cute
GPG

## > gpg --armor --export Bobby

-----BEGIN GPG PUBLIC KEY BLOCK----Version: GnuPG v1.4.11 (Darwin)
EZCuPoxECIZ479k3YpBvZM2JC48Ht9j1kVnDPLCrongyRdSko0AwG7OYAyHWa7/U
SeGwjZ+0MUuM3SwqHdo1/0XS3P8LABTQNXtrQf9kF8UNLIaHr1IvBcae1K44MPL6
................................................................
EBHmAM7iiWgWI6/6qEmN46ZQEmoR86vWhQL3LQ6p/FUaBA==
=FZ78
-----END GPG PUBLIC KEY BLOCK-----

37/83

Encryption

GPG

38/83

Decryption

## We can encrypt a message using Bobbys key:

> cat message
Attack at dawn
> gpg --recipient bobby --armor --encrypt message
> cat message.asc
-----BEGIN PGP MESSAGE----Version: GnuPG v1.4.11 (Darwin)

Bobby can now decrypt the message using his private key:
> gpg --decrypt message.asc
You need a passphrase to unlock the secret key for
user: "Bobby (recipient) <bobby@gmail.com>"
2048-bit RSA key, ID D95291EF, created 2012-02-12
(main key ID 9974031B)

hQEMA97v9lbZUpHvAQf/a9QklXMiMzBWy5yyZBtNrg7FcrIqx+gXVVUXNN86tZtE
RF42elwU6QwamDzfcOHqp+3zeor4Y5xN+/pL91xti6uwFOhgGrCGJq//AfUKgQyk
MH2e4gR8Y1BuPm9b1c7uzXxRMMOUBBt75KquYGOBLybsP29ttD9iL/ZJl1zSPjSj
El7O0Gp7PqEBotStVOtuknYW/fX0zXndU8XNllKnsnZn21Xm0rMQcFMu8Do/tF5I
lRfTEcL4S9tV4vshgXhNSpTg9sZs1UZynvU2cJqyYkCtgT7TdtrK3fTa8UN+CYQv
U2QRnaNtFhYwBMonFqhefNzDqeZb+P0RqOuoDllYuNJRAViJ3CLjT7kwgBgRtNfY
RkGArQQmgrknW2jq/Y2GZTE8CC7pNXY8U3KYMl9hRA6U5fMp08ndFp8vowBbB2sw
zjxjSY7ZeIR2uwxdLYydtW4m
=B+JA
-----END PGP MESSAGE----GPG

## Enter passphrase: Bob rocks

gpg: encrypted with 2048-bit RSA key, ID D95291EF, created 2012-02-12
"Bobby (recipient) <bobby@gmail.com>"
Attack at dawn

39/83

GPG

40/83

The keyring

The keyring. . .

## > gpg --list-keys

/Users/collberg/.gnupg/pubring.gpg
---------------------------------pub
2048R/9974031B 2012-02-12
uid
Bobby (recipient) <bobby@gmail.com>
sub
2048R/D95291EF 2012-02-12

## > gpg --list-secret-keys

/Users/collberg/.gnupg/secring.gpg
---------------------------------sec
2048R/9974031B 2012-02-12
uid
Bobby (recipient) <bobby@gmail.com>
ssb
2048R/D95291EF 2012-02-12

pub
uid
sub

sec
uid
ssb

2048R/4EC8A0CB 2012-02-12
Alice (sender) <alice@gmail.com>
2048R/B901E082 2012-02-12

GPG

41/83

## Sign and Encrypt

2048R/4EC8A0CB 2012-02-12
Alice (sender) <alice@gmail.com>
2048R/B901E082 2012-02-12

GPG

42/83

## Bob can sign his message before sending it to Alice:

Alice can now decrypt the message and check the signature:

## > gpg -se --recipient alice --armor message

> gpg --decrypt message.asc
You need a passphrase to unlock the secret key for
user: "Bobby (recipient) <bobby@gmail.com>"
2048-bit RSA key, ID 9974031B, created 2012-02-12

## You need a passphrase to unlock the secret key for

user: "Alice (sender) <alice@gmail.com>"
2048-bit RSA key, ID B901E082,
created 2012-02-12 (main key ID 4EC8A0CB)

## > cat message.asc

-----BEGIN PGP MESSAGE----Version: GnuPG v1.4.11 (Darwin)

GPG

hQEMA7osp1S5AeCCAQgAsSqSs+Urf0f3KHTtP7cqTwugpcJ9oUAGkw/KQ0DHIE0v
................................................................
8XEAaCwZ8aZK1lXhqBSd/9hCm9Mup2NECihO8crVyff7NTWFyaTBeGAm10q3y46o
QpIgPbcdYZqIt8e/8wPU6xlMZUStzxBKLB+Rj/Zg35ZVioYL
=oiv8
-----END PGP MESSAGE-----

## gpg: encrypted with 2048-bit RSA key, ID B901E082, created 2012-02-12

"Alice (sender) <alice@gmail.com>"
Attack at dawn
gpg: Signature made Sat Feb 11 23:10:59 2012 MST
using RSA key ID 9974031B
gpg: Good signature from "Bobby (recipient) <bobby@gmail.com>"
43/83

GPG

44/83

Deleting Keys

## > gpg --cipher-algo=AES --armor --symmetric message

Enter passphrase: sultana
Repeat passphrase: sultana
> cat message.asc
-----BEGIN PGP MESSAGE----Version: GnuPG v1.4.11 (Darwin)

## > gpg --delete-secret-keys bobby

sec 2048R/9974031B 2012-02-12 Bobby (recipient) <bobby@gmail.com>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

jA0EBwMCgZ3PBfSZxJlg0ksBBooTMLEVQ2q9HkTR5y9FIoX9nbsyohrOXeQLFlcf
=UtI4
-----END PGP MESSAGE-----

## > gpg --delete-keys bobby

pub 2048R/9974031B 2012-02-12 Bobby (recipient) <bobby@gmail.com>

## > gpg message.asc

gpg: AES encrypted data
Enter passphrase: sultana
gpg: encrypted with 1 passphrase

## > cat message

Attack at dawn
GPG

45/83

Generating Primes

GPG

46/83

## Generate a prime number of the given number of bits:

Generate 100 (base64 encoded) random bytes:

## > gpg --gen-prime 1 16

C4B7
> gpg --gen-prime 1 1024
9D88B5E0AF1394459FB48B135B99C8BA8C50E5331C6226CBF6D70031
4A8CC84C7B363BE7DD7BBBB29E545D199339263F5FB2E9F1B84BA9D5
05B5B79858FC6149CF09E6C56D9730C3BD1E62B378C8DFAF4233B8DC
BA999A21EC9C4BF8C60AACDCBC607AC5

GPG

## > gpg --armour --gen-random 0 100

e0zAVl6jbe/Dma9VF20lMgZxE1RA4S8TwNwu6KP8+o1kjdtBm2
AjKFSVsj/d3zG/9KqmNj7j6symEUZ3e0fWZaWqLBxzJuSur5sK
C8omfPus2QtYJJNOgVbpJ7X9L4t1iNJtnw==

47/83

GPG

48/83

## > gpg --print-mds message

MD5
= 36 D1 A5 12 17 CD 34 FC 04 F5 6C C4 91 39 C7 59
SHA1
= 6DA4 473A 00CE 7AB6 7B6F 884D 1E75 6633 C21A 56DB
RMD160 = D1DE 4194 C0CD 3AED 30F3 38CD 68F3 800F CCF0 3B87
SHA224 = B4E94780 1AA1A9C3 418F72D8 651BA995 83284003
EBEE183A 589702EE
SHA256 = B83EF405 07696578 9D4BBDA7 D7932700 5F2AE6CB
A2696FDE 69694D12 AFE70E4A
SHA384 = 7AC39A0C 945844F1 1316BB46 C9FC7EEA E892A178
2D20E4CA E7BE686C 1A091C8C F1BBDFD1 3D42BEA2
88AF5A4F E3705474
SHA512 = 9CA1EB88 F064CB0D 536254B2 5755919F 45564276
96CA27A0 389E4817 53F81DC2 3222488D 7D11F3DD
C066B9E8 027F3870 395A2561 157DDC38 BD679D37
C2E361CC

GPG

other means (OR)

## Obtain private key of recipient.

http://www.schneier.com/paper-attacktrees-fig7.html

49/83

GPG

50/83

## Goal: Read a message encrypted with gpg. . .

Determine symmetric key by other means:
1 Fool sender into encrypting message using public key whose
private key is known (OR)

## Decrypt the message itself:

1 Break asymmetric encryption (OR)
1
2

Convince sender that fake key (with known private key) is the
key of the intended recipient
2 Convince sender to encrypt with more than one keythe real
key of the recipient and a key whose private key is known.
3 Have the message encrypted with a different public key in the
background, unbeknownst to the sender.
1

## Brute force break asymmetric encryption (OR)

Mathematically break asymmetric encryption (OR)
1 Break RSA (OR)
2 Factor RSA modulus/calculate Elgamal discrete log

## Cryptanalyze asymmetric encryption (OR)

1 General cryptanalysis of RSA/Elgamal (OR)
2 Exploit weakness in RSA/Elgamal (OR)
3 Timing attack on RSA/Elgamal

2
3
4

## Brute force break symmetric-key encryption

2 Cryptanalysis of symmetric-key encryption
1

## Determine state of randseed during encryption (OR)

Implant virus that alters the state of randseed. (OR)
3 Implant software that affects the choice of symmetric key.
1
2
6

GPG

## Have the recipient sign the encrypted publc key (OR)

Monitor the senders computer memory (OR)
Monitor the receivers computer memory (OR)
Determine key from pseudo-random number generator (OR)

51/83

GPG

52/83

GPG

53/83

GPG

## What immediately becomes apparent from the attack

tree is that breaking the RSA or IDEA encryption
algorithms are not the most profitable attacks against
PGP. There are many ways to read someones
PGP-encrypted messages without breaking the
cryptography. You can capture their screen when they
decrypt and read the messages (using a Trojan horse like
Back Orifice, a TEMPEST receiver, or a secret camera),
grab their private key after they enter a passphrase (Back
Orifice again, or a dedicated computer virus), recover
their passphrase (a keyboard sniffer, TEMPEST receiver,
or Back Orifice), or simply try to brute force their
passphrase (I can assure you that it will have much less
entropy than the 128-bit IDEA keys that it generates).
GPG

54/83

## In the scheme of things, the choice of algorithm and the

key length is probably the least important thing that
affects PGPs overall security. PGP not only has to be
secure, but it has to be used in an environment that
leverages that security without creating any new
insecurities.
http://www.schneier.com/paper-attacktrees-fig7.html

55/83

GPG

56/83

Outline
1
2

3
4

Elgamal

Introduction
RSA
Algorithm
Example
Correctness
Security
GPG
Elgamal
Algorithm
Example
Correctness
Security
Diffie-Hellman Key Exchange
Diffie-Hellman Key Exchange
Example
Correctness
Security
Summary

## The Elgamal cryptosystem relies on the inherent difficulty of

calculating discrete logarithms.
It is a probabilistic scheme:
a particular plaintext can be encrypted into multiple different
ciphertexts;
ciphertexts become twice the length of the plaintext.

Elgamal

57/83

Elgamal: Algorithm

Elgamal

58/83

## Bob (Key generation):

Pick a prime p.
Find a generator g for Zp .
3 Pick a random number x between 1 and p 2.
4 Compute y = g x mod p.
PB = (p, g , y ) is Bobs RSA public key.
SB = x is Bob RSA private key.
1
2

## Alice must choose a different random number k for every

message, or shell leak information.
Bob doesnt need to know the random value k to decrypt.
Each message has p 1 possible different encryptions.

## The division in the decryption can be avoided by use of

Lagranges theorem :

## Get Bobs public key PB = (p, g , y ).

2 Pick a random number k between 1 and p 2.
3 Compute the ciphertext C = (a, b):
1

a
b

=
=

M = b (ax )1 mod p

g k mod p
My k mod p

= b ap1x mod p

1
Elgamal

59/83

Elgamal

60/83

## We can make it easier by choosing a prime number with the

property that we can factor p 1.

## Then we can test that, for each prime factor pi of p 1:

Compute
y = g x mod p = 27 mod 13 = 11.

g (p1)/pi mod p 6= 1
If g is not a generator, then one of these powers will 6= 1.

Elgamal

61/83

Elgamal

a2
1
4
9
3
12
10
10
12
3
9
4
1

a3
1
8
1
12
8
8
5
5
1
12
5
12

a4
1
3
3
9
1
9
9
1
9
3
3
1

a5
1
6
9
10
5
2
11
8
3
4
7
12

a6
1
12
1
1
12
12
12
12
1
1
12
1

a7
1
11
3
4
8
7
6
5
9
10
2
12

Elgamal

62/83

## 2 is a primitive root modulo 13 because for each integer

i Z13 = {1, 2, 3, . . . , 12} theres an integer k, such that
i = 2k mod 13:
a1
1
2
3
4
5
6
7
8
9
10
11
12

a8
1
9
9
3
1
3
3
1
3
9
9
1

a9
1
5
1
12
5
5
8
8
1
12
8
12

a10
1
10
3
9
12
4
4
12
9
3
10
1

a11
1
7
9
10
8
11
2
5
3
4
6
12

## Encrypt the plaintext message M = 3.

Alice gets Bobs public key PB = (p, g , y ) = (13, 2, 11).
To encrypt:

a12
1
1
1
1
1
1
1
1
1
1
1
1

1
2

## Pick a random number k = 5:

Compute:
a
b

=
=

g k mod p = 25 mod 13 = 6
My k mod p = 3 115 mod 13 = 8

63/83

Elgamal

64/83

## Elgamal Example: Decryption

In-Class Exercise

## Pick a random number x = 9.

Compute

M = b (ax )1 mod p

y = g x mod p = 29 mod 13 = 5

= b ap1x mod p

= 8 61317 mod 13

## SB = x = 9 is Bob private key.

= 8 65 mod 13
= 3

Elgamal

65/83

Elgamal Correctness

k = 10.

Elgamal

66/83

Elgamal Security

We have that
a = g k mod p
b = My k mod p
y

= g x mod p

## The security of the scheme depends on the hardness of solving

the discrete logarithm problem.

We get

## b (ax )1 mod p = (My k ) ((g k )x )1 mod p

= (My k ) (g kx )1 mod p
= (M((g x )k ) (g kx )1 mod p
= Mg kx (g kx )1 mod p
= Mg kx g kx mod p
= M mod p
Elgamal

= M

67/83

Elgamal

68/83

Outline
1
2

3
4

Key Exchange

Introduction
RSA
Algorithm
Example
Correctness
Security
GPG
Elgamal
Algorithm
Example
Correctness
Security
Diffie-Hellman Key Exchange
Diffie-Hellman Key Exchange
Example
Correctness
Security
Summary

## A key exchange protocol (or key agreement protocol ) is a

way for parties to share a secret (such as a symmetric key)
over an insecure channel.
With an active adversary (who can modify messages) we
cant reliably share a secret.
With a passive adversary (who can only eavesdrop on
messages) we can share a secret.
A passive adversary is said to be honest but curious .

69/83

## Diffie-Hellman Key Exchange

Diffie-Hellman: Algorithm
1

1
2

Compute
X = g x mod p.

Send X to Bob.

## Based on modular exponentiation .

The secret K1 = K2 shared by Alice and Bob at the end of the
protocol would typically be a shared symmetric key.

4
5
71/83

## Pick p, a prime number.

Pick g , a generator for Zp .

Alice :
1

70/83

Bob :
1
2

Compute
Y = g y mod p.

Send Y to Alice

## Alice computes the secret: K1 = Y x mod p.

Bob computes the secret: K2 = X y mod p.

## Diffie-Hellman Key Exchange

72/83

Example

In-Class Exercise

## Pick g = 2, a generator for Z13 .

Alice :

Let p = 19.
Let g = 10.

Pick a random x = 3.
2 Compute X = g x mod p = 23 mod 13 = 8.
1
4

Bob :
1
2

## Let Alices secret x = 7.

Pick a random y = 7.
Compute Y = g y mod p = 27 mod 13 = 11.

Alice computes: K1 =

Bob computes: K2 =

K1 = K2 = 5.

Yx

Xy

mod p =
mod p =

113

87

mod 13 = 5.

Compute K1 .

Compute K2 .

mod 13 = 5.

## Diffie-Hellman Key Exchange

73/83

Diffie-Hellman Correctness

## Diffie-Hellman Key Exchange

74/83

Diffie-Hellman Correctness. . .
Alice has

K1 = Y x mod p
X

= (g y )x mod p

= g x mod p

= (g x )y mod p

K1 = Y x mod p.

= X y mod p

Y

Bob has

= g y mod p

K2 = X y mod p

K2 = X y mod p.

= (g x )y mod p
= X y mod p
K1 = K2 .

75/83

## Diffie-Hellman Key Exchange

76/83

Diffie-Hellman Security

## The security of the scheme depends on the hardness of solving

the discrete logarithm problem.

Alice :
1

Eve :
Intercept X = g x mod p from Alice.
Pick a number t in Zp .
3 Send T = g t mod p to Bob.

## Generally believed to be hard.

Diffie-Hellman Property :

1
2

Given
p, X = g x , Y = g y

Bob :
1

computing

K = g xy mod p

## Send Y = g y mod p to Alice

Eve :
Intercept Y = g y mod p from Bob.
Pick a number s in Zp .
3 Send S = g s mod p to Alice.
1
2

is thought to be hard.

77/83

78/83

7
8

## Alice : Send C = EK1 (M) to Bob

Eve :
Intercept C .
Decrypt:M = DK1 (C )
Re-encrypt:C = EK2 (M)
4 Send C to Bob
1

## Alice and Eve :

1

2
3

Compute K1 = g xS mod p

## Bob and Eve :

1

Compute K2 = g yT mod p

9
10

## Bob : Send C = EK2 (M) to Alice

Eve :
Intercept C .
Decrypt:M = DK2 (C )
3 Re-encrypt:C = EK1 (M)
4 Send C to Alice.
1
2

79/83

## Diffie-Hellman Key Exchange

80/83

Outline
1
2

3
4

Introduction
RSA
Algorithm
Example
Correctness
Security
GPG
Elgamal
Algorithm
Example
Correctness
Security
Diffie-Hellman Key Exchange
Diffie-Hellman Key Exchange
Example
Correctness
Security
Summary

Summary

## Chapter 8.1.1-8.1.5 in Introduction to Computer Security, by

Goodrich and Tamassia.

81/83

Acknowledgments
Additional material and exercises have also been collected from
these sources:

Summary

Cryptography.

## Bruce Schneier, Attack Trees, Dr. Dobbs Journal December

1999, http://www.schneier.com/paper-attacktrees-ddj-ft.html .

## Barthe, Gregoire, Beguelin, Hedin, Heraud, Olmedo, Verifiable

Security of Cryptographic Schemes,
http://www.irisa.fr/celtique/blazy/seminar/20110204.pdf .

http://homes.cerias.purdue.edu/~crisn/courses/cs355_Fall_2008/lect18.pdf
83/83

Summary

82/83