Modular Arithmetic RSA Analysis SSL/TLS Computer Security Modular Arithmetic RSA Analysis SSL/TLS
(a mod n) means the remainder of a divided by n. e.g. (15 mod 4) = 3
Definition: Modular equivalence of integers a and b a b [mod n] (a mod n) = (b mod n) a = b + kn for some integer k e.g., 15 7 [mod 4] Also written as a n b, and spoken “a is congruent to b modulo n” or “a and b are equivalent modulo n”
n induces a natural partition of the integers into n classes. a and b are said to be in the same “residue class” or “congruence class” exactly when a n b.
Residue Classes Mod 3: [0] = { …, -6, -3, 0, 3, 6, ..} [1] = { …, -5, -2, 1, 4, 7, ..} [2] = { …, -4, -1, 2, 5, 8, ..}
Fundamental lemma of plus, minus, and times modulo n: If (x n y) and (a n b). Then 1) x + a n y + b 2) x - a n y - b 3) x * a n y * b
A Unique Representation System Modulo n: We pick exactly one representative from each residue class. We do all our calculations using these representatives.
Perhaps the most convenient set of representatives: The reduced system modulo n: Zn = {0, 1, 2, …, n-1} Define operations +n and *n: a +n b = (a+b mod n) a *n b = (a*b mod n)
The reduced system modulo 3 Z3 = {0, 1, 2} Two binary, associative operators on Z3: +3 1 2 *3 1 2
Is there a fundamental lemma of division modulo n? cx n cy x n y ? This statement holds if c has a multiplicative inverse. cx n cy c-1cx n c-1cy x n y
When doesn’t c have an inverse? If GCD(c,n) > 1 (i.e., c shares a factor p>1 with n), then c does not have an inverse. c = k1p, n = k2p Proof by contradiction: Suppose that c has an inverse c-1. Then c*c-1= 1 + kn for some integer k. k1pc-1= 1 + kk2p p(k1c-1-kk2) = 1 But no multiple of p can be equal to 1.
Fundamental lemma of division modulo n. If GCD(c,n)=1, then ca n cb a n b Consider the set Zn* = {x Zn | GCD(x,n) =1} (multiplicative group of integers mod n) Multiplication over this set Zn* will have the cancellation property.
Z6 = {0, 1,2,3,4,5} Z6* = {1,5} + 1 2 3 4 5 * 1 2 3 4 5
Z12* = {0 ≤ x < 12 | gcd(x,12) = 1} = {1,5,7,11} *12 1 5 7 11
Z15* * 1 2 4 7 8 11 13 14
Z5* = {1,2,3,4} = Z5 \ {0} *5 1 2 3 4 For all primes p, Zp* = Zp \ {0}, since all 0 < x < p satisfy gcd(x,p) = 1
Euler Phi Function (n) Define (n) = size of Zn* = number of 1 ≤ k < n that are relatively prime to n. p prime Zp*= {1,2,3,…,p-1} (p) = p-1
Z12* = {0 ≤ x < 12 | gcd(x,12) = 1} = {1,5,7,11} (12) = 4 *12 1 5 7 11
Theorem: if p,q distinct primes then f(pq) = (p-1)(q-1) pq = # of numbers from 1 to pq p = # of multiples of q up to pq q = # of multiples of p up to pq 1 = # of multiple of both p and q up to pq f(pq) = pq – p – q + 1 = (p-1)(q-1)
Fundamental lemma of powers? If (a n b) Then xa n xb ? NO! (2 3 5) , but it is not the case that: 22 3 25 Notice that in xa, a is an integer indicating how many times to apply the multiplication operation, whereas x is an element in a multiplicative group. These are objects of different types.
Fermat’s Little Theorem Euler’s Theorem a Zn*, a(n) n 1 Fermat’s Little Theorem (special case) p prime, a Zp* ap-1 p 1
Fundamental lemma of powers. Suppose x Zn*, and a,b,n are naturals. If a (n) b Then xa n xb
RSA Invented by Rivest, Shamir and Adleman in 1978 Based on difficulty of factoring. Used to hide the size of a group Zn* since: Factoring has not been reduced to RSA an algorithm that generates m from c does not give an efficient algorithm for factoring On the other hand, factoring has been reduced to finding the private-key. there is an efficient algorithm for factoring given one that can find the private key.
RSA Public-key Cryptosystem What we need: p and q, primes of approximately the same size n = pq (n) = (p-1)(q-1) e Z (n) d = inv. of e in Z (n) i.e., d = e-1 mod (n) Public Key: (e,n) Private Key: d Encode: m Zn E(m) = me mod n Can you give an example in which solving the discrete log is simple? All finite groups are isomorphic to (Zn,+) so why isn’t it always easy? Decode: D(c) = cd mod n
RSA continued Why it works: D(c) = cd mod n = med mod n = m1 + k(p-1)(q-1) mod n = m1 + k (n) mod n = m(m (n))k mod n = m mod n = m (by Euler’s Theorem, if m and n are relatively prime, then m(n) mod n = 1 mod n) But wait… Page 25
What if m and n share a factor? Euler’s theorem doesn’t guarantee that mk(n) = 1 mod n Answer 1: It should be difficult to find an m that shares a factor with n, because this allows you to factor n using Euclid’s GCD algorithm! Answer 2: Special case, still works. Chinese Remainder Theorem: Suppose that n=pq, where p and q are relatively prime. Then for any integers a and b, there is a unique x (mod n) such that x = a mod p and x = b mod q. Special Case: If a=b, so that x = a mod p and x = a mod q, then x = a mod pq. Why? x = a mod pq satisfies both x = a mod p and x = a mod q, and there is only one such a! Page 26
What if m and n share a factor? Lemma: med = m mod p. If m = 0 mod p, then med = 0ed = 0 = m mod p. Otherwise, if m ≠ 0 mod p, then where by Fermat’s Little Theorem mp−1 = 1 mod p Similarly, med = m mod q. Therefore med = m mod pq CPS 290 Page 27
RSA computations To generate the keys, we need to Find two primes p and q. Generate candidates and use primality testing to filter them. Pick e such that GCD(e,(p-1)(q-1)) = 1. Find e-1 mod (p-1)(q-1) using Euclid’s algorithm. Takes time log2(n) To encode and decode Take me or cd. Use the power method. Takes time log(e) log2(n) and log(d) log2(n) . In practice e is selected to be small so that encoding is fast. CPS 290
Security of RSA Warning: Do not use this or any other algorithm naively! Possible security holes: Need to use “safe” primes p and q. In particular p-1 and q-1 should have large prime factors. p and q should not have the same number of digits. Can use a middle attack starting at sqrt(n). e cannot be too small Don’t use same n for different e’s. You should always “pad” CPS 290
RSA Performance Performance: (600Mhz PIII) (from: ssh toolkit): Algorithm Bits/key Mbits/sec RSA Keygen 1024 .35sec/key 2048 2.83sec/key RSA Encrypt 1786/sec 3.5 672/sec 1.2 RSA Decrypt 74/sec .074 12/sec .024 ElGamal Enc. 31/sec .031 ElGamal Dec. 61/sec .061 DES-cbc 56 95 twofish-cbc 128 140 Rijndael 180 CPS 290
Factoring in the Real World Quadratic Sieve (QS): Used in 1994 to factor a 129 digit (428-bit) number. 1600 Machines, 8 months. Number field Sieve (NFS): Used in 1999 to factor 155 digit (512-bit) number. 35 CPU years. At least 4x faster than QS Used in 2003-2005 to factor 200 digits (663 bits) 75 CPU years ($20K prize) CPS 290
Example of SSL (3.0) SSL (Secure Socket Layer) is the standard for the web (https). Protocol (somewhat simplified): Bob -> amazon.com B->A: client hello: protocol version, acceptable CipherSuites A->B: server hello: CipherSuite, session ID, |amazon.com|verisign B->A: key exchange, {masterkey}amazon’s public key A->B: server finish: ([amazon,prev-messages,masterkey])key1 B->A: client finish: ([bob,prev-messages,masterkey])key2 A->B: server message: (message1,[message1])key1 B->A: client message: (message2,[message2])key2 |h|issuer = Certificate = Issuer, <h,h’s public key, time stamp>issuer’s private key <…>private key = Digital signature {…}public key = Public-key encryption [..] = Secure Hash (…)key = Private-key encryption key1 and key2 are derived from random masterkey and session ID hand- shake data CPS 290
Server Name Issue The client expects the server to send a certificate matching the domain of the requested Web site. But the client doesn’t tell the server which Web site it is requesting -- not a problem if server hosts only one site. For servers hosting multiple secure Web sites, the “solution” is to assign multiple IP addresses to the network interface, one for each certificate. Akamai uses approximately 13M IPv4 addresses for this purpose. Better solution: “server name” extension in successor to SSL, TLS CPS 290
TLS Client Hello – TLS Version 1.0 (SSL 3.1) CPS 290
TLS Client Hello Message – Cipher Suite CPS 290
TLS Client Hello – Server Name Extension CPS 290
TLS Server Hello -- Cypher CPS 290
TLS Server Hello – Certificate CPS 290