Professional Documents
Culture Documents
Chapter 9 – Public Key Cryptography and
Cryptography and Network RSA
Security
Every Egyptian received two names, which were known
Chapter 9 respectively as the true name and the good name, or
g
the great name and the little name; and while the
good or little name was made public, the true or
Fifth Edition great name appears to have been carefully
by William Stallings concealed.
—The Golden Bough, Sir James George Frazer
Lecture slides by Lawrie Brown
Private‐Key Cryptography Public‐Key Cryptography
traditional private/secret/single key • probably most significant advance in the 3000
cryptography uses one key year history of cryptography
shared by both sender and receiver • uses two keys – a public & a private key
if this key is disclosed communications are
if this key is disclosed communications are • asymmetric i since parties are not
i i equal l
compromised
also is symmetric, parties are equal • uses clever application of number theoretic
concepts to function
hence does not protect sender from receiver
forging a message & claiming is sent by sender • complements rather than replaces private key
crypto
Why Public‐Key Cryptography? Public‐Key Cryptography
• developed to address two key issues: • public‐key/two‐key/asymmetric cryptography involves
the use of two keys:
– key distribution – how to have secure
– a public‐key, which may be known by anybody, and can be
communications in general without having to trust used to encrypt messages, and verify signatures
y
a KDC with your key y – a related private‐key, known only to the recipient, used to
a related private key known only to the recipient used to
– digital signatures – how to verify a message decrypt messages, and sign (create) signatures
comes intact from the claimed sender • infeasible to determine private key from public
• public invention due to Whitfield Diffie & • is asymmetric because
Martin Hellman at Stanford Uni in 1976 – those who encrypt messages or verify signatures cannot
– known earlier in classified community decrypt messages or create signatures
1
4/19/2010
Public‐Key Cryptography Symmetric vs Public‐Key
Public‐Key Cryptosystems Public‐Key Applications
• can classify uses into 3 categories:
– encryption/decryption (provide secrecy)
– digital signatures (provide authentication)
– key exchange
k h ( f
(of session keys)
i k )
• some algorithms are suitable for all uses,
others are specific to one
Public‐Key Requirements Public‐Key Requirements
• Public‐Key algorithms rely on two keys where:
• need a trapdoor one‐way function
– it is computationally infeasible to find decryption key • one‐way function has
knowing only algorithm & encryption key – Y = f(X) easy
– it is computationally easy to en/decrypt messages when – X = f–1(Y) infeasible
th
the relevant (en/decrypt) key is known
l t ( /d t) k i k
– either of the two related keys can be used for encryption,
• a trap‐door one‐way function has
with the other used for decryption (for some algorithms) – Y = fk(X) easy, if k and X are known
– X = fk–1(Y) easy, if k and Y are known
• these are formidable requirements which only
– X = fk–1(Y) infeasible, if Y known but k not known
a few algorithms have satisfied
• a practical public‐key scheme depends on a
suitable trap‐door one‐way function
2
4/19/2010
Security of Public Key Schemes RSA
like private key schemes brute force exhaustive
search attack is always theoretically possible by Rivest, Shamir & Adleman of MIT in 1977
but keys used are too large (>512bits) best known & widely used public‐key scheme
security relies on a large enough difference in based on exponentiation in a finite (Galois) field over
difficulty between easy (en/decrypt) and hard
difficulty between easy (en/decrypt) and hard integers modulo a prime
integers modulo a prime
(cryptanalyse) problems nb. exponentiation takes O((log n)3) operations (easy)
more generally the hard problem is known, but is uses large integers (eg. 1024 bits)
made hard enough to be impractical to break
security due to cost of factoring large numbers
requires the use of very large numbers
nb. factorization takes O(e log n log log n) operations (hard)
hence is slow compared to private key schemes
RSA En/decryption RSA Key Setup
• to encrypt a message M the sender: • each user generates a public/private key pair by:
– obtains public key of recipient PU={e,n} • selecting two large primes at random: p, q
– computes: C = Me mod n, where 0≤M<n • computing their system modulus n=p.q
– note ø(n)=(p-1)(q-1)
• to decrypt the ciphertext C the owner:
t d t th i h t t C th • selecting at random the encryption key e
– uses their private key PR={d,n} – where 1<e<ø(n), gcd(e,ø(n))=1
– computes: M = Cd mod n • solve following equation to find decryption key d
• note that the message M must be smaller – e.d=1 mod ø(n) and 0≤d≤n
than the modulus n (block if needed) • publish their public encryption key: PU={e,n}
• keep secret private decryption key: PR={d,n}
3
4/19/2010
Exponentiation Efficient Encryption
c = 0; f = 1 • encryption uses exponentiation to power e
for i = k downto 0 • hence if e small, this will be faster
do c = 2 x c – often choose e=65537 (216‐1)
f = (f x f) mod n – also see choices of e
also see choices of e=3
3 or e
or e=17
17
if bi == 1 then • but if e too small (eg e=3) can attack
– using Chinese remainder theorem & 3 messages
c = c + 1 with different modulii
f = (f x a) mod n • if e fixed must ensure gcd(e,ø(n))=1
return f – ie reject any p or q not relatively prime to e
Efficient Decryption RSA Key Generation
• decryption uses exponentiation to power d • users of RSA must:
– this is likely large, insecure if not – determine two primes at random ‐ p, q
• can use the Chinese Remainder Theorem – select either e or d and compute the other
(
(CRT) to compute mod p & q separately. then
) p p q p y • primes p,q must not be easily derived from
primes p,q must not be easily derived from
combine to get desired answer modulus n=p.q
– approx 4 times faster than doing directly – means must be sufficiently large
• only owner of private key who knows values – typically guess and use probabilistic test
of p & q can use this technique • exponents e, d are inverses, so use Inverse
algorithm to compute the other
4
4/19/2010
RSA Security Factoring Problem
• possible approaches to attacking RSA are: • mathematical approach takes 3 forms:
– factor n=p.q, hence compute ø(n) and then d
– brute force key search ‐ infeasible given size of
– determine ø(n) directly and compute d
numbers
– find d directly
– mathematical attacks
mathematical attacks ‐ based on difficulty of
based on difficulty of • currently believe all equivalent to factoring
tl b li ll i l tt f t i
computing ø(n), by factoring modulus n – have seen slow improvements over the years
– timing attacks ‐ on running of decryption • as of May‐05 best is 200 decimal digits (663) bit with LS
– biggest improvement comes from improved algorithm
– chosen ciphertext attacks ‐ given properties of RSA • cf QS to GHFS to LS
– currently assume 1024‐2048 bit RSA is secure
• ensure p, q of similar size and matching other constraints
Progress in Factoring
Progress in
Factoring
Timing Attacks Chosen Ciphertext Attacks
• developed by Paul Kocher in mid‐1990’s • RSA is vulnerable to a Chosen Ciphertext
• exploit timing variations in operations Attack (CCA)
– eg. multiplying by small vs large number • attackers chooses ciphertexts & gets
– or IF's varying which instructions executed decrypted plaintext back
yp p
• infer operand size based on time taken • choose ciphertext to exploit properties of RSA
• RSA exploits time taken in exponentiation to provide info to help cryptanalysis
• countermeasures • can counter with random pad of plaintext
– use constant exponentiation time • or use Optimal Asymmetric Encryption
– add random delays Padding (OASP)
– blind values used in calculations
5
4/19/2010
Summary
• have considered:
Optimal – principles of public‐key cryptography
Asymmetric – RSA algorithm, implementation, security
Encryption
Encryption
Padding
(OASP)