UNIT 3
PUBLIC KEY CRYPTOGRAPHY: Public Key Cryptography and RSA Principles: RSA Algorithm, Key
Management and other Public Key Cryptosystems: Key Management, Diffie-Hellman Key Exchange, Elliptic
Curve Arithmetic, Elliptic Curve Cryptography, Pseudorandom Number Generation.
Asymmetric algorithms rely on one key for encryption and a different but related key for decryption. These
algorithms have the following important characteristic.
■ It is computationally infeasible to determine the decryption key given only knowledge of the cryptographic
algorithm and the encryption key.
In addition, some algorithms, such as RSA, also exhibit the following characteristic.
■ Either of the two related keys can be used for encryption, with the other used for decryption.
A public-key encryption scheme has six ingredients.
Plaintext: This is the readable message or data that is fed into the algorithm as input.
Encryption algorithm: The encryption algorithm performs various transformations on the plaintext.
Public and private keys: This is a pair of keys that have been selected so that if one is used for encryption, the
other is used for decryption. The exact transformations performed by the algorithm depend on the public or
private key that is provided as input.
Ciphertext: This is the encrypted message produced as output. It depends on the plaintext and the key. For a
given message, two different keys will produce two different ciphertexts.
Decryption algorithm: This algorithm accepts the ciphertext and the matching key and produces the original
plaintext.
Public-key systems are characterized by the use of a cryptographic algorithm with two keys, one held private and
one available publicly. Depending on the application, the sender uses either the sender’s private key or the
receiver’s public key, or both, to perform some type of cryptographic function. In broad terms, we can classify
the use of public-key cryptosystems into three categories:
■ Encryption/decryption: The sender encrypts a message with the recipient’s public key, and the recipient
decrypts the message with the recipient’s private key.
■ Digital signature: The sender “signs” a message with its private key. Signing is achieved by a cryptographic
algorithm applied to the message or to a small block of data that is a function of the message.
■ Key exchange: Two sides cooperate to exchange a session key, which is a secret key for symmetric encryption
generated for use for a particular transaction (or session) and valid for a short period of time. Several different
approaches are possible, involving the private key(s) of one or both parties.
Some algorithms support all three of these applications, while others support only one or two. The image
below shows which applications each algorithm supports.
To prevent a brute-force attack, the key size must be large enough that it is impractical for an adversary to
try every possible key. At the same time, the key size should not be so large that encryption and decryption
themselves become impractically slow.
A second type of attack on public key cryptography is to attempt to compute the private key from knowledge
of the public key.
A third type is the probable-message attack. Suppose an adversary knows that the encrypted message from a
particular sender is a 56-bit key. The adversary can then simply encrypt all possible 56-bit keys using the
sender’s public key, which is known to everyone, and compare each result with the intercepted ciphertext.
This attack can be prevented by appending some random bits to the original message before encryption.
This algorithm was developed in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at MIT and first
published in 1978.
The RSA scheme is a cipher in which the plaintext and ciphertext are integers between 0 and n - 1 for some n. A
typical size for n is 1024 bits, or 309 decimal digits. That is, n is less than 2^1024.
Explanation:
Step 1: Choose two prime numbers p and q. For this example:
p = 7
q = 11
Step 2: Multiply these numbers to find n = p x q, where n is called the modulus for encryption and decryption.
First, we calculate
n = p x q
n = 7 x 11
n = 77
Step 3: Choose a number e less than n, such that e is relatively prime to (p - 1) x (q - 1). It means that e and
(p - 1) x (q - 1) have no common factor except 1. In other words, choose e such that 1 < e < φ(n) and
gcd(e, φ(n)) = 1, where φ(n) = (p - 1) x (q - 1).
Second, we calculate
φ(n) = (p - 1) x (q - 1)
φ(n) = (7 - 1) x (11 - 1)
φ(n) = 6 x 10
φ(n) = 60
In this example e = 7, which is valid because gcd(7, 60) = 1.
Step 4: A plaintext message m is encrypted using the public key <e, n>. The following formula is used to obtain
the ciphertext C from the plaintext:
C = m^e mod n
For m = 9:
C = 9^7 mod 77
C = 37
Step 5: The private key is <d, n>. To determine the private key, we find the number d such that
e x d mod φ(n) = 1
Here 7 x 43 = 301 = 5 x 60 + 1, so d = 43.
Step 6: A ciphertext message c is decrypted using the private key <d, n>. The following formula is used to
recover the plaintext m from the ciphertext c:
m = c^d mod n
m = 37^43 mod 77
m = 9
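The six steps above, carried through in code with the notes' own numbers (p = 7, q = 11, e = 7, m = 9). This is an added example, not code from the notes; the function names are chosen here, and the primality test is trial division, which is adequate only for toy-sized p and q.

```python
# Added example (not from the lecture notes): textbook RSA with the notes' numbers.
# Real deployments use n of 2048 bits or more and a padding scheme; this shows the arithmetic.

def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with g = gcd(a, b) = s*a + t*b."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t

def modinv(e, phi):
    """Return d with e*d mod phi = 1 (Step 5); fails if gcd(e, phi) != 1."""
    g, s, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e and phi(n) are not relatively prime")
    return s % phi

def is_prime(n):
    """Trial division; only suitable for the small toy numbers used here."""
    if n < 2:
        return False
    return all(n % k for k in range(2, int(n ** 0.5) + 1))

def rsa_keygen(p, q, e):
    """Steps 1-3 and 5: returns ((e, n), (d, n)), raising on invalid parameters."""
    if not (is_prime(p) and is_prime(q) and p != q):
        raise ValueError("p and q must be distinct primes")      # Step 1
    n = p * q                                                    # Step 2
    phi = (p - 1) * (q - 1)                                      # Step 3: phi(n)
    if not 1 < e < phi:
        raise ValueError("need 1 < e < phi(n)")
    d = modinv(e, phi)                                           # Step 5
    return (e, n), (d, n)

def rsa_encrypt(m, public_key):
    """Step 4: C = m^e mod n. The message must be an integer in [0, n-1]."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message out of range")
    return pow(m, e, n)

def rsa_decrypt(c, private_key):
    """Step 6: m = c^d mod n."""
    d, n = private_key
    return pow(c, d, n)

if __name__ == "__main__":
    pub, priv = rsa_keygen(7, 11, 7)
    print("public key", pub, "private key", priv)      # (7, 77) (43, 77)
    c = rsa_encrypt(9, pub)
    print("C =", c, "recovered m =", rsa_decrypt(c, priv))  # C = 37, m = 9
```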
For symmetric encryption to work, the two parties to an exchange must share the same key, and that key must
be protected from access by others. Furthermore, frequent key changes are usually desirable to limit the amount
of data compromised if an attacker learns the key. Therefore, the strength of any cryptographic system rests with
the key distribution technique, a term that refers to the means of delivering a key to two parties who wish to
exchange data without allowing others to see the key. For two parties A and B, key distribution can be achieved
in a number of ways, as follows:
1. A can select a key and physically deliver it to B.
2. A third party can select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party can transmit the new key to the other,
encrypted using the old key.
4. If A and B each has an encrypted connection to a third party C, C can deliver a key on the encrypted links
to A and B.
The key distribution concept can be deployed in a number of ways. A typical scenario is illustrated in the
figure below. The scenario assumes that each user shares a unique master key with the key distribution center (KDC).
Let us assume that user A wishes to establish a logical connection with B and requires a one-time session key to
protect the data transmitted over the connection.
A has a master key, Ka, known only to itself and the KDC; similarly, B shares the master key Kb with the KDC. The
following steps occur.
1. A issues a request to the KDC for a session key to protect a logical connection to B. The message includes the
identity of A and B and a unique identifier, N1, for this transaction, which we refer to as a nonce. The nonce may be a
timestamp, a counter, or a random number; the minimum requirement is that it differs with each request. Also, to
prevent masquerade, it should be difficult for an opponent to guess the nonce. Thus, a random number is a good
choice for a nonce.
2. The KDC responds with a message encrypted using Ka. Thus, A is the only one who can successfully read the
message, and A knows that it originated at the KDC.
It is not necessary to limit the key distribution function to a single KDC. Indeed, for very large networks, it
may not be practical to do so. As an alternative, a hierarchy of KDCs can be established. For example, there can
be local KDCs, each responsible for a small domain of the overall internetwork, such as a single LAN or a single
building. For communication among entities within the same local domain, the local KDC is responsible for key
distribution. If two entities in different domains desire a shared key, then the corresponding local KDCs can
communicate through a global KDC. In this case, any one of the three KDCs involved can actually select the
key. The hierarchical concept can be extended to three or even more layers, depending on the size of the user
population and the geographic scope of the internetwork. A hierarchical scheme minimizes the effort involved in
master key distribution, because most master keys are those shared by a local KDC with its local entities.
Furthermore, such a scheme limits the damage of a faulty or subverted KDC to its local area only.
The use of a key distribution center imposes the requirement that the KDC be trusted and be protected from
subversion. This requirement can be avoided if key distribution is fully decentralized. Although full
decentralization is not practical for larger networks using symmetric encryption only, it may be useful within a
local context.
A decentralized approach requires that each end system be able to communicate in a secure manner with all
potential partner end systems for purposes of session key distribution. Thus, there may need to be as many as
[n(n - 1)]/2 master keys for a configuration with n end systems.
Thus, although each node must maintain at most (n - 1) master keys, as many session keys as required may be
generated and used. Because the messages transferred using the master key are short, cryptanalysis is difficult.
As before, session keys are used for only a limited time to protect them.
In cryptography, distributing public and private keys between sender and receiver is a tedious task. If a key
becomes known to a third party (a forger or eavesdropper), the whole security mechanism becomes worthless.
Hence the need to secure the exchange of keys. Public keys can be distributed in the following ways.
a. Public Announcement: Here the public key is broadcast to everyone. The major weakness of this method is
forgery. Anyone can create a key claiming to be someone else and broadcast it, and until the forgery is
discovered the forger can masquerade as the claimed user.
b. Publicly Available Directory: In this approach the public key is stored in a public directory. The directory
is trusted: it registers participants, allows them to access and modify their entries at any time, and holds
entries of the form {name, public-key}. The directory can be accessed electronically, but it is still vulnerable
to forgery or tampering.
c. Public-Key Authority: Stronger security is achieved by placing tighter control over the distribution of
public keys from the directory. A central authority maintains the directory, every participant reliably knows
the authority’s public key, and a participant obtains another participant’s public key by requesting it from the
authority in real time.
d. Public Certification: Here a certificate authority provides a certificate (which binds an identity to a public
key) so that keys can be exchanged without real-time access to the public authority each time. The certificate is
accompanied by other information such as its period of validity and rights of use. All of this content is signed
with the private key of the certificate authority, and it can be verified by anyone possessing the authority’s
public key.
First sender and receiver both request CA for a certificate which contains a public key and other information
and then they can exchange these certificates and can start communication.
Diffie-Hellman key exchange raises numbers to a selected power to produce decryption keys. The secret
components of the keys are never transmitted directly, making the task of a would-be code breaker
mathematically overwhelming. No secret is shared over the channel during the key exchange: the two parties
have no prior knowledge of each other, yet together they create a key.
Diffie-Hellman key exchange is commonly found in security protocols, such as Transport Layer Security
(TLS), Secure Shell (SSH) and IP Security (IPsec). For example, in IPsec, the encryption method is used for
key generation and key rotation.
Even though Diffie-Hellman key exchange can be used for establishing both public and private keys, the
Rivest-Shamir-Adleman algorithm, or RSA algorithm, can also be used, since it's able to sign public key
certificates.
Once Alice and Bob have agreed on p and q in private, they choose positive whole-number personal
keys a and b. Both are less than the prime number modulus p. Neither user divulges their personal key to
anyone; ideally, they memorize these numbers and don't write them down or store them anywhere. Next,
they compute their public keys a* and b*:
a* = q^a mod p
b* = q^b mod p
The two users can share their public keys a* and b* over a communications medium assumed to be insecure,
such as the internet or a corporate wide area network. From these public keys, a number x can be generated
by either user on the basis of their own personal keys. Alice computes x using the following formula:
x = (b*)^a mod p
Bob computes x using the following formula:
x = (a*)^b mod p
The value of x turns out to be the same according to either of the above two formulas. However, the personal
keys a and b, which are critical in the calculation of x, haven't been transmitted over a public medium.
Because it's a large and apparently random number, a potential hacker has almost no chance of correctly
guessing x, even with the help of a powerful computer to conduct millions of trials. The two users can,
therefore, in theory, communicate privately over a public medium with an encryption method of their choice
using the decryption key x.
Diffie-Hellman key exchange is also vulnerable to logjam attacks, specifically against the TLS protocol.
Logjam attacks downgrade TLS connections to 512-bit cryptography, enabling an attacker to read and
modify data that's passed through the connection. Diffie-Hellman key exchange can still be secure if
implemented correctly. For example, logjam attacks won't work with a 2,048-bit key.
From here, Alice and Bob each run a new function using the results they received from the opposite party,
their own secret number and the original prime value. Alice and Bob then arrive at a common shared secret
key that a third party can't deduce. Alice and Bob are now free to communicate without worrying about third
parties.
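The exchange described above in code, using the notes' symbols (p, generator q, personal keys a and b, public values a* and b*, shared secret x), plus the two checks a careful implementation adds: rejecting degenerate public values and refusing a modulus smaller than the 2048 bits the Logjam paragraph recommends. This is an added example, not code from the notes; the toy parameters p = 23, q = 5, a = 6, b = 15 are constructed to keep the arithmetic checkable by hand.

```python
# Added example (not from the lecture notes): Diffie-Hellman with the notes' notation.
# p (prime modulus) and q (generator, often written g) are public parameters;
# a and b are the personal keys, a* and b* the public values, x the shared secret.
import secrets

def is_acceptable_public_value(value, p):
    """Reject 0, 1 and p-1: those force x into {0, 1, p-1} whatever the personal key is."""
    return 2 <= value <= p - 2

def modulus_is_strong_enough(p, min_bits=2048):
    """Logjam downgraded TLS to 512-bit groups; a 2048-bit minimum is the stated defence."""
    return p.bit_length() >= min_bits

def random_personal_key(p):
    """Personal key in [2, p-2] from the OS CSPRNG (never from random.random)."""
    return 2 + secrets.randbelow(p - 3)

def dh_public(q, personal_key, p):
    """a* = q^a mod p (Alice) or b* = q^b mod p (Bob)."""
    return pow(q, personal_key, p)

def dh_shared(peer_public, personal_key, p):
    """x = (b*)^a mod p on Alice's side, x = (a*)^b mod p on Bob's side."""
    if not is_acceptable_public_value(peer_public, p):
        raise ValueError("peer public value out of range: degenerate shared secret")
    return pow(peer_public, personal_key, p)

def dh_exchange(p, q, a, b):
    """Run both sides and return (a*, b*, Alice's x, Bob's x); the two x values agree."""
    a_star = dh_public(q, a, p)
    b_star = dh_public(q, b, p)
    x_alice = dh_shared(b_star, a, p)   # Alice only ever sees b*, never b
    x_bob = dh_shared(a_star, b, p)     # Bob only ever sees a*, never a
    return a_star, b_star, x_alice, x_bob

if __name__ == "__main__":
    # Constructed toy parameters: p = 23, q = 5, a = 6, b = 15.
    print(dh_exchange(23, 5, 6, 15))       # (8, 19, 2, 2)
    print(modulus_is_strong_enough(23))    # False: fine for a blackboard, useless in practice
    k = random_personal_key(23)
    print(dh_public(5, k, 23))             # a fresh public value for a random personal key
```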
An elliptic curve is defined by an equation in two variables with coefficients. For cryptography, the variables
and coefficients are restricted to elements in a finite field, which results in the definition of a finite abelian group.
First consider elliptic curves in which the variables and coefficients are real numbers; this case is perhaps easier
to visualize. The curve is given by an equation of the form y² = x³ + ax + b. Such equations are said to be cubic,
or of degree 3, because the highest exponent they contain is a 3. Also included in the definition of an elliptic
curve is a single element denoted O and called the point at infinity or the zero point, which we discuss
subsequently. To plot such a curve, we need to compute
y = ±√(x³ + ax + b)
For given values of a and b, the plot consists of positive and negative values of y for each value of x. Thus, each
curve is symmetric about y = 0. The diagram below shows two examples of elliptic curves. As you can see, the
formula sometimes produces weird-looking curves.
Now, consider the set of points E(a, b) consisting of all of the points (x, y) that satisfy the equation
y² = x³ + ax + b together with the element O. Using a different value of the pair (a, b) results in a different set
E(a, b). Using this terminology, the two curves in the diagram below depict the sets E(-1, 0) and E(1, 1),
respectively.
Elliptic curve cryptography is used to implement public key cryptography. It was discovered by Victor Miller
of IBM and Neal Koblitz of the University of Washington in the year 1985. ECC is the popular acronym for
Elliptic Curve Cryptography. It is based on more recent mathematics and delivers a relatively more secure
foundation than first-generation public key cryptosystems such as RSA.
Elliptic Curve Cryptography (ECC) is a key-based technique for encrypting data. ECC focuses on pairs of public
and private keys for decryption and encryption of web traffic.
ECC, an alternative technique to RSA, is a powerful cryptography approach. It generates security between key
pairs for public key encryption by using the mathematics of elliptic curves.
RSA does something similar with prime numbers instead of elliptic curves, but ECC has gradually been
growing in popularity recently due to its smaller key size and ability to maintain security. This trend will
probably continue as the demand on devices to remain secure increases due to the size of keys growing, drawing
on scarce mobile resources. This is why it is so important to understand elliptic curve cryptography in context.
In contrast to RSA, ECC bases its approach to public key cryptographic systems on how elliptic curves are
structured algebraically over finite fields. Therefore, ECC creates keys that are more difficult, mathematically, to
crack. For this reason, ECC is considered to be the next generation implementation of public key cryptography
and more secure than RSA.
It also makes sense to adopt ECC to maintain high levels of both performance and security. That’s because
ECC is increasingly in wider use as websites strive for greater online security in customer data and greater
An elliptic curve for current ECC purposes is a plane curve over a finite field which is made up of the points
satisfying the equation y² = x³ + ax + b.
In this elliptic curve cryptography example, any point on the curve can be mirrored over the x-axis and the curve
will stay the same. Any non-vertical line will intersect the curve in three places or fewer.
Public-key cryptography works using algorithms that are easy to process in one direction and difficult to process
in the reverse direction. For example, RSA relies on the fact that multiplying prime numbers to get a larger
number is easy, while factoring huge numbers back to the original primes is much more difficult.
However, to remain secure, RSA needs keys that are 2048 bits or longer. This makes the process slow, and it also
means that key size is important.
Size is a serious advantage of elliptic curve cryptography, because it translates into more power for smaller,
mobile devices. It’s far simpler and requires less energy to factor than it is to solve for an elliptic curve discrete
logarithm, so for two keys of the same size, RSA’s factoring encryption is more vulnerable.
Using ECC, you can achieve the same security level using smaller keys. In a world where mobile devices must
do more and more cryptography with less computational power, ECC offers high security with faster, shorter
keys compared to RSA.
There are several potential vulnerabilities to elliptic curve cryptography, including side-channel attacks and
twist-security attacks. Both types aim to invalidate the ECC’s security for private keys.
Side-channel attacks, including differential power attacks, fault analysis, simple power attacks, and simple timing
attacks, typically result in information leaks. Simple countermeasures exist for all types of side-channel attacks.
An additional type of elliptic curve attack is the twist-security attack or fault attack. Such attacks may include
invalid-curve attacks and small-subgroup attacks, and they may result in the private key of the victim leaking out.
Twist-security attacks are typically simply mitigated with careful parameter validation and curve choices.
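The set E(a, b) over a finite field, the point at infinity O and the parameter validation mentioned above, worked through in code. This is an added example, not code from the notes: it goes beyond the notes by implementing the chord-and-tangent group law and double-and-add scalar multiplication, and the toy curve y² = x³ + 2x + 2 over F_17 with base point G = (5, 1) is constructed for illustration.

```python
# Added example (not from the lecture notes): E(a, b) over the prime field F_p.
# O (the point at infinity) is represented as None. Constructed toy curve:
# y^2 = x^3 + 2x + 2 over F_17, base point G = (5, 1), which has order 19.

def on_curve(P, a, b, p):
    """Point validation: O belongs to every curve; an affine point must satisfy the equation.
    Refusing points that fail this check is the parameter validation that defeats
    invalid-curve attacks, where a peer sends a point from a weaker curve."""
    if P is None:
        return True
    x, y = P
    return 0 <= x < p and 0 <= y < p and (y * y - (x ** 3 + a * x + b)) % p == 0

def curve_points(a, b, p):
    """E(a, b) without O: every (x, y) in F_p x F_p satisfying the equation."""
    return [(x, y) for x in range(p) for y in range(p) if on_curve((x, y), a, b, p)]

def point_neg(P, p):
    """Mirror over the x-axis: (x, y) -> (x, -y). O stays O."""
    return None if P is None else (P[0], (-P[1]) % p)

def point_add(P, Q, a, p):
    """Chord-and-tangent addition; callers validate P and Q with on_curve first."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                      # P + (-P) = O
    if P == Q:
        s = (3 * x1 * x1 + a) * pow(2 * y1, -1, p)       # tangent slope
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, p)              # chord slope
    s %= p
    x3 = (s * s - x1 - x2) % p
    y3 = (s * (x1 - x3) - y1) % p
    return (x3, y3)

def scalar_mult(k, P, a, p):
    """k*P by double-and-add. Recovering k from P and k*P is the EC discrete log problem."""
    R = None
    while k > 0:
        if k & 1:
            R = point_add(R, P, a, p)
        P = point_add(P, P, a, p)
        k >>= 1
    return R

if __name__ == "__main__":
    a, b, p, G = 2, 2, 17, (5, 1)
    print(len(curve_points(a, b, p)) + 1)    # 19 points counting O
    print(scalar_mult(2, G, a, p))           # (6, 3)
    print(scalar_mult(19, G, a, p))          # None, i.e. O: the order of G is 19
    print(on_curve((5, 2), a, b, p))         # False: this point would be rejected
```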
Although there are certain ways to attack ECC, the advantages of elliptic curve cryptography for wireless
security mean it remains a more secure option.
An Elliptic Curve Digital Signature Algorithm (ECDSA) uses ECC keys to ensure each user is unique and every
transaction is secure. Although this kind of digital signing algorithm (DSA) offers a functionally
indistinguishable outcome as other DSAs, it uses the smaller keys you’d expect from ECC and therefore is more
efficient.
ECC is among the most commonly used implementation techniques for digital signatures in cryptocurrencies.
Both Bitcoin and Ethereum apply the Elliptic Curve Digital Signature Algorithm (ECDSA) specifically in
signing transactions. However, ECC is not used only in cryptocurrencies. It is a standard for encryption that will
be used by most web applications going forward due to its shorter key length and efficiency.
Avi’s software load balancer offers an elegant ECC solution. Avi fully supports termination of SSL– and
TLS-encrypted HTTPS traffic. Avi’s support for SSL/TLS has included support for both RSA and ECC keys
without the need for any proprietary hardware. See documentation for Elliptic Curve versus RSA Certificate
Priority within Avi.