Public key cryptography RSA Algorithm Diffie-Hellman key exchange

Public-Key Cryptography traditional private/secret/single key cryptography uses one key Key is shared by both sender and receiver if the key is disclosed communications are compromised also known as symmetric, both parties are equal hence does not protect sender from receiver forging a message & claiming is sent by sender

Disadvantages of Classical Cryptography Requires secure transmission of key value Requires a separate key for each group of people that wishes to exchange encrypted messages (readable by any group member) For example, to have a separate key for each pair of people, 100 people would need 4950 different keys. Cumbersome Handshaking involved in KDC

Public-Key Cryptography probably most significant advance in the 3000 year history of cryptography uses two keys – a public key and a private key asymmetric since parties are not equal uses clever application of number theory concepts to function

Why Public-Key Cryptography? developed to address two key issues: key distribution – how to have secure communications in general without having to trust a KDC with your key digital signatures – how to verify a message comes intact from the claimed sender public invention due to Whitfield Diffie & Martin Hellman at Stanford U. in 1976

Key Distribution requires that Two communicants already share a key,which somehow has been distributed to them Use of a key distribution center Electronic messages and documents would need the equivalent of signatures used in paper documents.

Public-Key Cryptography public-key/two-key/asymmetric cryptography involves the use of two keys: a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures is asymmetric because those who encrypt messages or verify signatures cannot decrypt messages or create signatures

Public-Key Cryptography Encryption

Alice generates a key value (usually a number or pair of related numbers) which she makes public. Alice uses her public key (and some additional information) to determine a second key (her private key). Alice keeps her private key (and the additional information she used to construct it) secret.

Bob (or Carol, or anyone else) can use Alice’s public key to encrypt a message for Alice. Alice can use her private key to decrypt this message. No-one without access to Alice’s private key (or the information used to construct it) can easily decrypt the message

An Example: Internet Commerce Bob wants to use his credit card to buy some books from Alice over the Internet. Alice sends her public key to Bob. Bob uses this key to encrypt his credit-card number and sends the encrypted number to Alice. Alice uses her private key to decrypt this message (and get Bob’s credit-card number).

Authentication

Public-Key Cryptosystems

Public-Key Applications can classify uses into 3 categories: encryption/decryption (provide secrecy) digital signatures (provide authentication) key exchange (of session keys) some algorithms are suitable for all uses, others are specific to one

RSA Y Elliptic curve Diffie-Hellman N DSS Algorithm Encryption / Decryption Digital Signature Key Exchange RSA Y Elliptic curve Diffie-Hellman N DSS

THE RSA ALGORITHM Public key algorithm invented in 1977 by Ron Rivest, Adi Shamir & Leonard Adleman of MIT Best known & widely used public-key scheme Supports Encryption & Digital signatures Gets its security from integer factorization problem

Key Generation Generate two large random primes, p and q, of approximately equal size such that their product n = pq is of the required bit length, e.g. 1024 bits. Compute n = pq and phi φ(n) = (p-1)(q-1). Choose an integer e, 1 < e < φ(n), such that gcd(e, φ) = 1. Compute the secret exponent d, 1 < d < φ(n), such that ed ≡ 1 mod φ(n). The public key is (n, e) and the private key is (n, d). Keep all the values d, p, q and φ(n) secret. n is known as the modulus. e is known as the public exponent or encryption exponent or just the exponent. d is known as the secret exponent or decryption exponent.

Key Generation -detail Use a random process to select two large prime numbers p and q. Compute the product n = p*q. This number is called the modulus, and is made publicly available. RSA currently recommends a modulus that’s at least 768 bits long. Also compute the Euler totient φ(n) = φ(pq)= (p-1)*(q-1). Keep this number (as well as p and q) secret.

GCD & Relatively prime Two numbers a and b which have no common factors other than one are said to be coprime or relatively prime. For example, 4 and 9 are coprime but 15 and 25 are not. The greatest common divisor of two integers a and b is the largest integer that divides both numbers and is denoted by ‘gcd(a, b)’. For example, gcd(25, 15) = 5 and gcd(4, 9) = 1. a and b are coprime if and only if gcd(a, b) = 1.

Euler Totient i.e. for any prime p, φ(p) = p-1 φ(n) is the no. of positive integers less than n and relatively prime to n. e.g. φ(12)=4 as the four integers {1,5,7,11} are coprime to 12. φ(7)=6 as the 6 integers {1,2,3,4,5,6} are coprime to 7. i.e. for any prime p, φ(p) = p-1

Key Generation -detail Randomly choose a public key e that has no factors in common with φ(n)= (p-1)*(q-1). so that gcd(e, φ(n)) = 1, 1 < e < φ(n);[Euclid’s algorithm: gcd(a,b)=gcd(b,r) where r=a mod b e.g. gcd(18,12)=gcd(12,6)=gcd(6,0)=6 i.e. a = qb + r] Solve following equation to find decryption key d ,e.d ≡ 1 mod φ(n) and d < n; where d is the multiplicative inverse of e in mod φ(n);d ≡ e-1mod φ(n)

‘mod’ as a congruence relation: The notation ‘a ≡ b (mod n)’ means a and b have the same remainder when divided by n, or, equivalently, (a) n|a − b, or (b) a − b = nk for some integer k . We say that a is congruent to b modulo n, where n is the modulus of the congruence. The two ways of using ‘mod’ are related: a ≡ b (mod n) <==> a mod n = b mod n.

Compute a private key d so that e Compute a private key d so that e*d leaves a remainder of 1 when divided by φ(n) . Find a value for d such that φ(n) divides (ed-1). Note that d is easy to compute only if one knows the value of φ(n). This is essentially the same as knowing the values of p and q.

Using RSA publish their public encryption key: KU={e,n} keep secret private decryption key: KR={d,p,q} to encrypt a message M the sender: obtains public key of recipient KU={e,n} computes: C=Me mod n, where 0≤M<n to decrypt the ciphertext C the owner: uses their private key KR={d,p,q} computes: M=Cd mod n

RSA Example Select primes: p =17 & q =11 Compute n = pq =17×11=187 Select e : gcd(e,160)=1; choose e =7 Determine d: de=1 mod 160 and d < 160 Value is d=23 since 23×7=161= 1×160+1 Publish public key KU={7,187} Keep secret private key KR={23,17,11} Here walk through example using “trivial” sized numbers. Selecting primes requires the use of primality tests. Finding d as inverse of e mod ø(n) requires use of Inverse algorithm (see Ch4)

Use a property of modular arithmetic: (a x b) mod n = [ (a mod n) x (b mod n) ] mod n modulo of a product = modulo of the product of its multipliers’ modulos Strategy - reduce xy into xaxbxc where y=a+b+c using powers of 2 for a, b, c . Then apply above property

given message M = 88 (nb. 88<187) Encryption: C = 887 mod 187 = [(884 mod 187)( 882 mod 187)( 881 mod 187)] mod 187 881 mod 187 =88 882 mod 187 = 7744 mod 187 = 77 884 mod 187 = 59,969,536 mod 187=132 = (88 x 77 x 132) mod 187 = 894,432 mod 187 = 11

Decryption: M = 1123 mod(187) = [(111 mod 187)( 112 mod 187)( 114 mod 187)( 118 mod 187)( 118 mod 187)] mod (187) = (11 x 121 x 55 x 33 x 33) mod(187) = 88

Q. p=11,q=3 M=7

Comparison DES RSA Symmetric Key Encryption algorithm Block size – 64 bits Contains complex operations(S-boxes) Bit wise operations used (Shift and XOR) There are some operations on key 16 rounds of same operations Calculations are based on permutation Public Key Encryption algorithm Block size – 1024 bits Only mathematical calculations used No bit wise operations No operations on key. Consists a single round operation Calculations are based on ‘primitive logarithm’.

Security of RSA three approaches to attacking RSA: brute force key search –trying all possible keys; infeasible given size of numbers) mathematical attacks -, by factoring modulus N,the product of two primes; based on difficulty of computing ø(N) timing attacks –depend on running time of decryption algorithm.

Factoring problem Mathematical approach takes 3 forms: factor N = p.q, hence find ø(N) and then d determine ø(N) directly and find d find d directly, without first determining ø(N) Factoring challenge: First challenge which used a public key size (N) of 129 decimal digits (428 bits) was factored in April 1994 after 8 months of work. RSA Labs factoring challenge RSA-155 challenge:- 155 decimal/512bits length was factored in seven months during 1999. A group consisting of, among several others, Arjen K. Lenstra and Herman te Riele performed the necessary computations on 300 workstations and PCs This means that 512-bit keys no longer provide sufficient security for anything more than very short-term security needs.

It is not necessarily true that a large number is more difficult to factor than a smaller number. For example, the number 101000 is easy to factor, while the 155-digit number RSA-155 was factored after seven months of extensive computations. What is true in general is that a number with large prime factors is more difficult to factor than a number with small prime factors (still, the running time of some factoring algorithms depends on the size of the number only and not on the size of its prime factors). This is why the size of the modulus in the RSA algorithm determines how secure an actual use of the RSA cryptosystem is.

Key Size The key size should be greater than 1024 bits for a reasonable level of security for corporate use . Keys of size, say, 2048 bits should allow security for decades for very valuable keys. Less valuable information may well be encrypted using a 768-bit key

the RSA-155 factorization is 10941738641570527421809707322040357612003732945449205990913842131476349984288934784717997257891267332497625752899781833797076537244027146743531593354333897 =102639592829741105772054196573991675900716567808038066803341933521790711307779 * 106603488380168454820927220360012878679207958575989291522270608237193062808643.

How fast is RSA An "RSA operation," whether encrypting, decrypting, signing, or verifying is essentially a modular exponentiation. This computation is performed by a series of modular multiplications. Generally, symmetric encryption algorithms are much faster to execute on a computer than asymmetric ones. By comparison, DES and other block ciphers are much faster than the RSA algorithm. DES is generally at least 100 times as fast in software and between 1,000 and 10,000 times as fast in hardware, depending on the implementation. Implementations of the RSA algorithm will probably narrow the gap a bit in coming years, due to high demand, but block ciphers will get faster as well.

Diffie-Hellman Key Exchange Whittfield Diffie and Martin Hellman are called the inventors of Public Key Cryptography. Diffie-Hellman Key Exchange is the first Public Key Algorithm published in 1976. Depends on its effectiveness on the difficulty of computing discrete logarithms

Discrete Logarithms What is a logarithm? log10100 = 2 because 102 = 100 In general if logmb = a then ma = b Where m is called the base of the logarithm A discrete logarithm can be defined for integers only In fact we can define discrete logarithms mod p also where p is any prime number

b = a i mod p where 0<= i <=(p-1) Primitive Roots If x n = a then a is called the n-th root of x For any prime number p, if we have a number a such that powers of a mod p generate all the numbers between 1 to p-1 (in some permutation) then a is called a Primitive Root of p. Then for any integer b and a primitive root a of prime number p we can find a unique exponent i such that b = a i mod p where 0<= i <=(p-1) The exponent i is referred to as the discrete logarithm or index, of b for the base a, mod p. i = inda,p(b)

2 as primitive root 3 as primitive root m 1 2 3 4 5 6 7 8 9 10 2m mod 11 m 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 2m mod 19 3m mod 19

Discrete logarithm to base 2,modulo 11 2 as primitive root Discrete logarithm to base 2,modulo 11 m 1 2 3 4 5 6 7 8 9 10 2m mod 11 b 1 2 3 4 5 6 7 8 9 10 Ind2,11(b)

Diffie-Hellman Algorithm Five Parts Global Public Elements User A Key Generation User B Key Generation Generation of Secret Key by User A Generation of Secret Key by User B

Global Public Elements p Prime number g g < p and g is a primitive root of p The global public elements are also sometimes called the domain parameters

User A Key Generation Select private XA XA < p Calculate public YA YA = g XA mod p Keep X value private & make Y value public to other side

User B Key Generation Select private XB XB < p Calculate public YB YB = g XB mod p Keep X value private & make Y value public to other side

Generation of Secret Key by User A K = (YB)XA mod p

Generation of Secret Key by User B K = (YA)XB mod p

Diffie-Hellman Key Exchange Alice and Bob agree upon and make public two numbers g and p, where p is a prime and g is a primitive root mod p. Note: Anyone has access to these numbers. The Exchange: 1. Alice chooses a random number a (secret)and computes u =g a (mod p), and sends u to Bob. 2. Bob chooses a random number b (secret) and computes v= g b (mod p), and sends v to Alice. 3. Bob computes the key kb using secret b= u b mod p 4. Alice computes the key ka using secret a=v a mod p Now, both Alice and Bob have the same key, namely ka = kb = gab (mod p).

kb = u b mod p =(g a mod p)b mod p =(g a)b mod p by modular arithmetic = g ab mod p =(g b)a mod p =(g b mod p)a mod p = v a mod p = ka

Example Suppose Alice and Bob agree to use p = 47 and g = 5. Alice chooses a number between 0 and 46, say a = 18. Bob chooses a number between 0 and 46, say b = 22.

Example Alice publishes ga (mod p), i.e. u = 518 (mod 47) = 2. Bob publishes gb (mod p), i.e. v = 522 (mod 47) = 28. If Alice wants to know the secret key k, she takes Bob’s public number,v =28 and raises it to her private number, a = 18 (taking the result mod 47). This gives her: 2818 (mod 47) = 24.

Example If Bob wants to know the secret key, he takes Alice’s public number, u = 2, and raises it to his private number, b = 22 (taking the result mod 47). This gives him: 222 (mod 47) = 24. Thus, Alice and Bob have agreed upon a secret key, k = 24.

Security of DH exchange Opponent Eve has the following ingredients p,g,u,v to work with If Eve wants to compute k, then she would need either a or b. Otherwise, Eve would need to solve a Discrete Logarithm Problem. E.g. for attacking user B’s secret key,the opponent must compute b=indg,p(v) There is no known algorithm to accomplish this in a reasonable amount of time.With large nos. its impractical.

Man in the middle attack Susceptibility: If Eve can intercept u and v, it is possible for her to substitute her own u’ and v’. If she can intercept all communication between Alice and Bob, then she can substitute her own messages. In 1992, the exchange was modified to prevent the man-in-the-middle attack.

Example for m-i-t-m-a Alice wants to talk to Bob, sends her public key to Bob. But Eve intercepts it, and replaces Alice’s public key with hers. She sends this to Bob. Bob thinks Alice wants to talk to him. He sends his public key to her. But Eve intercepts and replaces! Then Eve sets up shared keys with both!

What to do? If the public keys are certified (e.g., VeriSign) then Alice and Bob verifies that they got the right public keys!

User Authentication: Alice encrypts the message, m, with her private key a, call it ma. ma = Ea (m) Alice encrypts ma with Bob’s public key, v, and sends the message to Bob. ma v = Ev (ma) Bob recovers ma using his private key b and recovers m by using Alice’s public key u. m = Du(Db(mav)) Thus, Bob is sure that only Alice could have sent the message.