CPIS 312 Chapter Four: PUBLIC KEY CRYPTO By Dr CPIS 312 Chapter Four: PUBLIC KEY CRYPTO By Dr. Daniyal Alghazzawi 2011 Term 2

Index A. Ciphers B. Classic B.1 Substitution e.g., Caesar Cipher B.2 Transposition e.g., Route Cipher B.3 Hybrid C. Modern C.1 Symmetric (Private Key) Stream Cipher e.g., RC4, A5/1 Block Cipher e.g., DES, AES C.2 Asymmetric (Public Key) e.g., RSA C.3 Hybrid

C. Terminology Symmetric uses same key for encryption and decryption process. To encrypt: C = E(K, P) To decrypt: P = D (K, E(K,P)) Asymmetric uses different key for encryption and decryption process. To encrypt: C = E (KE,P) To decrypt: P = D (KD, E (KE,P))

C.2. Public Key Cryptography 1. Public Key Encryption Algorithms Encryption and decryption keys come in pairs. The decryption key, KD, inverts the encryption of key KE, so that P = D(KD, E(KE,P)) A user has a pair of cryptographic keys - a public key and a private key. The private key is kept secret, while the public key may be widely distributed The keys are related mathematically, but the private key cannot be practically derived from the public key. Public key encryption is a much slower alternative to symmetric cryptography. Its based upon mathematical functions upon two pairs of numbers. For the well-known RSA algorithm, the security comes from the difficulty of factoring large numbers in Galois Fields. The two keys are linked in a mathematical way, such that knowing the public key tells you nothing about the private key. But knowing the private key allows you to unlock information encrypted with the public key. This may seem strange, and will require some thought and patience to understand. The previous paragraph is the ‘official’ history of public key cryptography. In the late 1990s, an unofficial history came to light. It turned out that in 1969, over five years before DH invented the idea, a cryptographer in MOD invented the concept of public-key cryptography (or non-secret encryption as he called it), and 1973 Clifford Cocks in MOD invented what is now called RSA. By 1974, Malcolm Williamson at MOD invented Diffie-Hellman key exchange.

Prime The prime is a natural number which has exactly two distinct natural number divisors: 1 and itself The first 15 prime numbers are: 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47.

Coprime The integers a and b are said to be coprime or relatively prime if they have no common factor other than 1 and −1 (if their Greatest Common Divisor is 1) For example: 6 and 35 are coprime 6 and 27 are not coprime because they are both divisible by 3 A fast way to determine whether two numbers are coprime is given by the Euclidean algorithm that determine the greatest common divisor (GCD) of two elements.

C.2. Public Key Cryptography 2. Knapsack Problem Given a set of n weights W0,W1,...,Wn-1 and sum S, find a0, a1, . . . , an−1, where each ai  {0,1} so that S = a0W0+a1W1 +...+ an-1Wn-1

C.2. Public Key Cryptography 2. Knapsack Problem (Example1) Example of general Knapsack Weights (85, 13, 9, 7, 47, 27, 99, 86) Problem: Find subset that sums to S=172 a = (a0, a1, a2, a3, a4, a5, a6, a7)=(11001100) 85+13+47+27=172

C.2. Public Key Cryptography 2. Knapsack Problem (Example2) Example of super increasing Knapsack Weights (3, 6, 11, 25, 46, 95, 200, 411) Problem: Find subset that sums to S=309 a = (a0, a1, a2, a3, a4, a5, a6, a7) S<a7 so, a7=0, S>a6 so, a6=1 S=S-200=109 .......... a=10100110

C.2. Public Key Cryptography 2. Knapsack Problem General knapsack (GK) is hard to solve But superincreasing knapsack (SIK) is easy SIK each weight greater than the sum of all previous weights Example Weights (2,3,7,14,30,57,120,251) Problem: Find subset that sums to S=186 Work from largest to smallest weight Answer: 120+57+7+2=186

C.2. Public Key Cryptography 2. Knapsack Cryptosystem Steps used to construct a knapsack cryptosystem: Generate superincreasing knapsack (SIK) Convert SIK into “general” knapsack (GK) Public Key: GK Private Key: SIK plus conversion factors

C.2. Public Key Cryptography 2. Knapsack Cryptosystem Easy to encrypt with GK (public key) With private key (SIK plus conversion factors), easy to decrypt Without private key, very difficult problem must be solved to decrypt.

C.2. Public Key Cryptography 2. Knapsack Cryptosystem Choose the superincreasing knapsack Let (2, 3, 7, 14, 30, 57, 120, 251) (SIK) Convert the SIK into a GK (m=multiplier, n=modulus) Choose m = 41 and n = 491 with m, n relatively prime and n greater than sum of all elements of SIK General knapsack: 2  41 mod 491 = 82 3  41 mod 491 = 123 7  41 mod 491 = 287 14  41 mod 491 = 83 30  41 mod 491 = 248 57  41 mod 491 = 373 120  41 mod 491 = 10 251  41 mod 491 = 471 General knapsack: (82, 123, 287, 83, 248, 373, 10, 471)

C.2. Public Key Cryptography 2. Knapsack Example Private key: SIK together with the modular inverse of the conversion factor m (2, 3, 7, 14, 30, 57, 120, 251) m1 mod n =mn-2 mod n= 414912 mod 491 = 12 Example: Public key: (82, 123, 287, 83, 248, 373, 10, 471), n=491 Encrypt: M=150 we convert 150 to binary=10010110 82 + 83 + 373 + 10 = 548 Decrypt: c(m-1mod n) mod n=548 · 12 mod 491=193= (replace it on SIK)=10010110

C.2. Public Key Cryptography 2. Knapsack Weakness Trapdoor: Occurs when Convert SIK into GK using modular arithmetic One-way: GK is easy to encrypt, hard to solve; SIK easy to solve This knapsack cryptosystem is insecure: Broken in 1983 with Apple II computer The attack uses lattice reduction

Euclidean Algorithm The Euclidean algorithm is an algorithm to determine the greatest common divisor (GCD) of two elements. Using recursion, the algorithm can be expressed: function gcd(a, b) { if b = 0 return a else return gcd(b, a mod b) } For example: gcd(35,6) = gcd(6,5) = gcd(5,1)=gcd(1,0)=1 (This means that 35 and 6 are coprime) gcd(27,6) = gcd(6,3) = gcd(3,0) = 3 eu·clid·e·an تنطق يوكلديَن

Congruence Relation Two integers a and b are said to be “congruent modulo” n, if their difference a − b is an integer multiple of n. If this is the case, it is expressed as: a ≡ b (mod n) "a is congruent to b modulo n“ For example, 38 ≡ 14 (mod 12) 38 ≡ 2 (mod 12) -3 ≡ 2 (mod 5) con·gru·ence وتنطق كونجورونس

Euler's Totient Function The totient φ(n) of a positive integer n is defined to be the number of positive integers less than or equal to n that are coprime to n. To compute Euler's function for n: if n=p.q and p&q are distinct primes: φ(n) = φ(p.q) = (p-1)(q-1) For example, with the product ranging only over the distinct primes p dividing n وتنطق Oiler Ф(36) = 12 // 1, 5, 7, 11, 13, 17, 19, 23, 25, 29, 31, 35 Euler's Totient Function Values For n = 1 to 500, with Divisor Lists (http://www.geocities.com/primefan/Phi500.html)

C.2. Asymmetric Key Algorithms 3. RSA The algorithm was publicly described in 1977 , however, was not revealed until 1997 due to its top-secret classification. Rivest, Shamir, and Adleman devised RSA independently of Cocks' work. RSA involves a public key and a private key. The public key can be known to everyone and is used for encrypting messages. Messages encrypted with the public key can only be decrypted using the private key. Of all the public-key algorithms proposed over the years, RSA is by far the easiest to understand and implement. It is also the most popular. Named after the three inventors - Ron Rivest, Adi Shamir, and Leonard Adleman - it has withstood years of extensive cryptanalysis. Although the cryptanalysis nether proved nor disproved RSA’s security, it does suggest a confidence level in the algorithm. RSA was the world’s first public key encryption algorithm, and it has stood the text of time remarkably well. The previous paragraph is the ‘official’ history of public key cryptography. In the late 1990s, an unofficial history came to light. It turned out that in 1969, over five years before DH invented the idea, a cryptographer in MOD invented the concept of public-key cryptography (or non-secret encryption as he called it), and 1973 Clifford Cocks in MOD invented what is now called RSA. By 1974, Malcolm Williamson at MOD invented Diffie-Hellman key exchange.

C.2. Asymmetric Key Algorithms 3. RSA Choose two distinct large random prime numbers p and q Compute n=p.q n is used as the modulus for both the public and private keys Compute the totient: φ(n)=(p-1)(q-1) Choose an integer e such that 1<e<φ(n), and e and φ(n) share no factors other than 1; (i.e. e and φ(n) are coprime) e is released as the public key exponent Compute d to satisfy the congruence relation: d.e ≡ 1 (mod φ(n)); d is kept as the private key exponent Convert the message into an integer m <n. The ciphertext is then produced by raising the message to the power of the pubic exponent modulo the modulus. In the example, d is calculated such that: 5 * d - c * 96 =1 5*77 = 385 - 4*96 =1 Emphasise here that the process is very time consuming - key generation (condition = primes), exponentiation operation are all computationally expensive. The message could just as easily have been encrypted with d and decrypted with e. Now suppose Bob wishes to encrypt a message to Alice. He first looks up Alice’s public key and represents the message as a number M which is strictly less than the modulus n (the M number should be more or less the same size as n, but not greater than n - this is because we want to ensure that Me > n. Otherwise mod n does not do anything, and it is easy for an attacker to recover M by taking the integer eth root of C). The ciphertext is then produced by raising the message to the power of the public exponent modulo the public modulus. The standard procedure for how to do this conversion is specified in PKCS #1. -- pp33 in SSL and TLS. Public Key: (n, e) Private Key: (n,d) To encrypt message: c = me mod n To decrypt message: m = cd mod n

C.2. Asymmetric Key Algorithms 3. RSA - Example p = 11 q = 3 n = 11.3 = 33 φ(33) = (11-1)(3-1) = 20 e = 3 // 3 and 20 are coprime d = 7 // 3.7 ≡ 1 (mod 20) Question: Encrypt the message M=15? c = me mod n = 153 mod 33 = 9 m = cd mod n = 97 mod 33 = 15 Convert the message into an integer m <n. The ciphertext is then produced by raising the message to the power of the pubic exponent modulo the modulus. In the example, d is calculated such that: 5 * d - c * 96 =1 5*77 = 385 - 4*96 =1 Emphasise here that the process is very time consuming - key generation (condition = primes), exponentiation operation are all computationally expensive. The message could just as easily have been encrypted with d and decrypted with e. Now suppose Bob wishes to encrypt a message to Alice. He first looks up Alice’s public key and represents the message as a number M which is strictly less than the modulus n (the M number should be more or less the same size as n, but not greater than n - this is because we want to ensure that Me > n. Otherwise mod n does not do anything, and it is easy for an attacker to recover M by taking the integer eth root of C). The ciphertext is then produced by raising the message to the power of the public exponent modulo the public modulus. The standard procedure for how to do this conversion is specified in PKCS #1. -- pp33 in SSL and TLS.

C.2. Asymmetric Key Algorithms 3. RSA - Some Facts Security of RSA relies on difficulty of finding d given n and e. If one can factorise n, then he can find p and q, and hence calculated d. p and q should differ in length by only a few digits, and both should be on the order of 100 - 200 digits or even larger. n with 150 digits could be factored in about 1 year. factoring n with 200 digits could take about 1000 years (assuming about 1012 operations per second). For maximum security, lengths of p and q should be equal. Security of RSA relies on difficulty of finding d given n and e. If one can factorise n, then he can find p and q, and hence calculated d. Currently 400 bit numbers are the largest which can be factorised. p and q should differ in length by only a few digits, and both should be on the order of 1075 to 10100 n with 150 digits could be factored in about 1 year. factoring n with 200 digits could take about 1000 years (assuming about 1012 operations per second).

C.2. Asymmetric Key Algorithms 3. RSA - Some Facts Performance comparison with DES RSA is about 1000 times slower in hardware. RSA is about 100 times slower in software. It is not suited for encrypting long messages. Typically used for Encrypting session keys for conventional ciphers. Non-repudiation - digital signatures (see a future lecture). Smart cards which are RSA-capable have become available.

C.2. Asymmetric Key Algorithms 4. Diffie - Hellman FYI C.2. Asymmetric Key Algorithms 4. Diffie - Hellman Invented by Williamson (GCHQ) and, independently, by D and H (Stanford) A “key exchange” algorithm used to establish a shared symmetric key not for encrypting or signing Security rests on difficulty of discrete log problem: given g, p, and gk mod p find k

C.2. Asymmetric Key Algorithms 4. Diffie - Hellman FYI C.2. Asymmetric Key Algorithms 4. Diffie - Hellman Let p be prime, let g be a generator For any x  {1,2,…,p-1} there is n s.t. x = gn mod p Alice selects secret value a Bob selects secret value b Alice sends ga mod p to Bob Bob sends gb mod p to Alice Both compute shared secret gab mod p Shared secret can be used as symmetric key

C.2. Asymmetric Key Algorithms 4. Diffie - Hellman FYI C.2. Asymmetric Key Algorithms 4. Diffie - Hellman Suppose that Bob and Alice use gab mod p as a symmetric key Trudy can see ga mod p and gb mod p Note ga gb mod p = ga+b mod p  gab mod p If Trudy can find a or b, system is broken If Trudy can solve discrete log problem, then she can find a or b

C.2. Asymmetric Key Algorithms 4. Diffie - Hellman FYI C.2. Asymmetric Key Algorithms 4. Diffie - Hellman Public: g and p Secret: Alice’s exponent a, Bob’s exponent b Alice computes (gb)a = gba = gab mod p Bob computes (ga)b = gab mod p Could use K = gab mod p as symmetric key Alice, a Bob, b ga mod p gb mod p

C.2. Asymmetric Key Algorithms 4. Diffie - Hellman FYI C.2. Asymmetric Key Algorithms 4. Diffie - Hellman Subject to man-in-the-middle (MiM) attack Trudy shares secret gat mod p with Alice Trudy shares secret gbt mod p with Bob Alice and Bob don’t know Trudy exists! Alice, a Bob, b ga mod p gb mod p Trudy, t gt mod p

C.2. Asymmetric Key Algorithms 4. Diffie - Hellman FYI C.2. Asymmetric Key Algorithms 4. Diffie - Hellman How to prevent MiM attack? Encrypt DH exchange with symmetric key Encrypt DH exchange with public key Sign DH values with private key Other? You MUST be aware of MiM attack on Diffie-Hellman

C.2. Asymmetric Key Algorithms 5. Public Key Infrastructure (PKI) PKI is showing everything required to securely use public key crypto: A digital certificate, or public key certificate, that contains a user’s name along with the user’s public key. A digital certificate needs to be signed by one of the Certificate Authorities (CAs) – trusted third party- in order to verify the public key. A digital certificate needs to be added to the Certificate Revocation Lists (CRLs) if the private key is compromised.

C.2. Asymmetric Key Algorithms 6. Ways to use 1 2 3 Using a private key to encrypt (thus signing) a message; anyone can check the signature using the public key. Validity depends on private key security. Anyone can encrypt using the public key, but only the holder of the private key can decrypt. Secrecy depends on the secrecy of the private key. By combining your own private key with the other user's public key, you can calculate a shared secret that only the two of you know. The shared secret can be used as the key for a symmetric cipher.

C.2. Asymmetric Key Algorithms 7. Advantages Hybrid Cryptosystem: The primary advantage of symmetric key cryptography is efficiency (because there is no infrastructure, such as PKI). the primary advantage of public key cryptography is that no need to establish a shared key in advance. To achieve both advantage, use a hybrid cryptosystem, where public key crypto is used to establish a symmetric key. C={M}Alice: encrypt message M with Alice’s public key M=[C]Alice: decrypt ciphertext C with Alice’s private key

C.2. Asymmetric Key Algorithms 7. Advantages Integrity and non repudiation: With symmetric key crypto, a MAC provides for integrity. With public key crypto, a digital signature provides for integrity and non-repudiation. Scenario? Hints: Using a MAC, anyone can repudiate a transaction because the key is shared between the two sides. However, using a digital signature, no one can repudiate a transaction because the private key can be owned by only one.

C.2. Asymmetric Key Algorithms 7. Advantages Confidentiality and non repudiation: For confidentiality only, Alice can encrypt M with Bob’s public key  Alice will {M}Bob For integrity and non-repudiation only, Alice can sign M with her private key  Alice will [M]Alice To achieve all: Alice can sign the message M and encrypt the result:{[M]Alice}Bob Alice can encrypt M first and then sign the result: [{M}Bob]Alice C={M}Alice: encrypt message M with Alice’s public key M=[C]Alice: decrypt ciphertext C with Alice’s private key

Terms and Concepts Symmetric Ciphers Asymmetric Ciphers GK & SIK RSA PKI Shared key Repudiation