1. Cryptography

2. Private-Key Cryptography
traditional private/secret/single key cryptography uses one key
shared by both sender and receiver
if this key is disclosed communications are compromised
also is symmetric, parties are equal
hence does not protect sender from receiver forging a message & claiming is sent by sender

3. Private-Key Cryptography
probably most significant advance in the year history of cryptography
uses two keys – a public & a private key
asymmetric since parties are not equal
uses clever application of number theoretic concepts to function
complements rather than replaces private key cryptography

4. Private-Key Cryptography
public-key/two-key/asymmetric cryptography involves the use of two keys:
a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures
a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures
is asymmetric because
those who encrypt messages or verify signatures cannot decrypt messages or create signatures

5. Private-Key Cryptography

6. Why Public-Key Cryptography?
developed to address two key issues:
key distribution – how to have secure communications in general without having to trust a KDC with your key
digital signatures – how to verify a message comes intact from the claimed sender
public invention due to Whitfield Diffie & Martin Hellman at Stanford in 1976
known earlier in classified community

7. Public-Key Characteristics
Public-Key algorithms rely on two keys with the characteristics that it is:
computationally infeasible to find decryption key knowing only algorithm & encryption key
computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known
either of the two related keys can be used for encryption, with the other used for decryption (in some schemes)

8. Public-Key Applications
can classify uses into 3 categories:
encryption/decryption (provide secrecy)
digital signatures (provide authentication)
key exchange (of session keys)
some algorithms are suitable for all uses, others are specific to one

9. Security of Public Key Schemes
like private key schemes brute force exhaustive search attack is always theoretically possible
but keys used are too large (>512bits)
security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problems
more generally the hard problem is known, its just made too hard to do in practise
requires the use of very large numbers
hence is slow compared to private key schemes

10. RSA by Ron Rivest, Adi Shamir and Len Adleman of MIT in 1977
best known & widely used public-key scheme
Much of the underlying theory we will not be able to get to
It’s beyond the scope of this course
Much of why this all works won’t be taught
It’s just an introduction to how it works

11. RSA
based on exponentiation in a finite (Galois) field over integers modulo a prime
nb. exponentiation takes O((log n)3) operations (easy)
uses large integers (eg bits)
security due to cost of factoring large numbers
nb. factorization takes O(e log n log log n) operations (hard)

12. Is that number prime? Use the Fermat primality test Given:
n: the number to test for primality
k: the number of times to test (the certainty)
The algorithm is:
repeat k times:
pick a randomly in the range [1, n−1]
if an−1 mod n ≠ 1 then return composite
return probably prime

13. Is that number prime? The algorithm is: Let n = 105
repeat k times:
pick a randomly in the range [1, n−1]
if an−1 mod n ≠ 1 then return composite
return probably prime
Let n = 105
Iteration 1: a = 92: mod 105 = 1
Iteration 2: a = 84: mod 105 = 21
Therefore, 105 is composite

14. Is that number prime? The algorithm is: Let n = 101
repeat k times:
pick a randomly in the range [1, n−1]
if an−1 mod n ≠ 1 then return composite
return probably prime
Let n = 101
Iteration 1: a = 55: mod 101 = 1
Iteration 2: a = 60: mod 101 = 1
Iteration 3: a = 14: mod 101 = 1
Iteration 4: a = 73: mod 101 = 1
At this point, 101 has a (½)4 = 1/16 chance of still being composite

15. More on the Fermat primality test
Each iteration halves the probability that the number is a composite
Probability = (½)k
If k = 100, probability it’s a composite is (½)100 = 1 in 1.2  1030 that the number is composite
Greater chance of having a hardware error!
Thus, k = 100 is a good value
However, this is not certain!
There are known numbers that are composite but will always report prime by this test
Source:

16. RSA Three parts: Key generation Encrypting a message
Decrypting a message

17. Key generation steps
Choose two random large prime numbers p ≠ q, and set n = p*q
Choose an integer 1 < e < n which is relatively prime to (p-1)(q-1)
Compute d such that d * e ≡ 1 (mod (p-1)(q-1))
Rephrased: d*e mod (p-1)(q-1) = 1
Destroy all records of p and q

18. Key generation, step 1 Choose two random large prime numbers p ≠ q
In reality, 2048 bit numbers are recommended
That’s  617 digits
Note that the chance of a random odd 2048 bit number being prime is about 1/710
We can compute if a number is prime relatively quickly via the Fermat primality test
We choose p = 107 and q = 97
Compute n = p*q
n = 10379

19. Key generation, step 1 Practical considerations
p and q should not be too close together
(p-1) and (q-1) should not have small prime factors
Use a good random number generator

20. Key generation, step 2
Choose an integer 1 < e < n which is relatively prime to (p-1)(q-1)
There are algorithms to do this efficiently
We aren’t going over them
Easy way to do this: make e be a prime number
It only has to be relatively prime to (p-1)(q-1), but can be fully prime

21. Key generation, step 2 Recall that p = 107 and q = 97 We choose e = 85
(p-1)(q-1) = 106*96 = = 26*3*53
We choose e = 85
85 = 5*17
gcd (85, 10176) = 1
Thus, 85 and are relatively prime

22. Key generation, step 3 Compute d such that: d * e ≡ 1 (mod (p-1)(q-1))
Rephrased: d*e mod (p-1)(q-1) = 1
There are algorithms to do this efficiently
We aren’t going over them
We choose d = 4669
4669*85 mod = 1

23. Key generation, step 4 Destroy all records of p and q
If we know p and q, then we can compute the private encryption key from the public decryption key
d * e ≡ 1 (mod (p-1)(q-1))

24. The keys We have n = p*q = 10379, e = 85, and d = 4669
The public key is (n,e) = (10379, 85)
The private key is (n,d) = (10379, 4669)
Thus, n is not private
Only d is private
In reality, d and e are 600 (or so) digit numbers
Thus n is a 1200 (or so) digit number

25. Encrypting messages To encode a message:
Encode the message m into a number
Split the number into smaller numbers m < n
Use the formula c = me mod n
c is the ciphertext, and m is the message

26. Decrypting messages Use the formula m = cd mod n on each number
Split the number into individual ASCII character numbers
Decode the message into a string

27. modPow computation How to compute c = me mod n or m = cd mod n?
Example: mod = 4181
Other means:
Java: use the BigInteger.modPow() method
Perl: use the bmodpow function in the BigInt library
Etc…

28. Why this works m = cd mod n c = me mod n cd ≡ (me)d ≡ med (mod n)
Recall that:
ed ≡ 1 (mod p-1)
ed ≡ 1 (mod q-1)
Thus,
med ≡ m (mod p)
med ≡ m (mod q)
med ≡ m (mod pq)
med ≡ m (mod n)

29. Cracking a message
In order to decrypt a message, we must compute m = cd mod n
n is known (part of the public key)
c is known (the ciphertext)
e is known (the encryption key)
Thus, we must compute d with no other information
Recall: choose an integer 1 < e < n which is relatively prime to (p-1)(q-1)
Recall: Compute d such that: d*e mod (p-1)(q-1) = 1
Thus, we must factor the composite n into it’s component primes
There is no efficient way to do this!
We can, very easily, tell that n is composite, but we can’t tell what its factors are
Once n is factored into p and q, we compute d as above
Then we can decrypt c to obtain m

30. Cracking a message example
In order to decrypt a message, we must compute m = cd mod n
n = 10379
c is the ciphertext being cracked
e = 85
In order to determine d, we need to factor n
d*e mod (p-1)(q-1) = 1
We factor n into p and q: 97 and 107
This would not have been feasible with two large prime factors!!!
d * 85 (mod (96)(106)) = 1
We then compute d as above, and crack the message

31. Signing a message Recall that we computed: d*e mod (p-1)(q-1) = 1
Note that d and e are interchangable!
You can use either for the encryption key
You can encrypt with either key!
Thus, you must use the other key to decrypt

32. Signing a message To “sign” a message:
Write a message, and determine the MD5 hash
Encrypt the hash with your private (encryption) key
Anybody can verify that you created the message because ONLY the public (encryption) key can decrypt the hash
The hash is then verified against the message

33. Some of the Theory Fermat’s Theorem Euler Totient Function ø(n)
Euler’s Theorem

34. Fermat's Theorem ap-1 mod p = 1 also known as Fermat’s Little Theorem
where p is prime and gcd(a,p)=1
also known as Fermat’s Little Theorem
useful in public key and primality testing

35. Euler Totient Function ø(n)
when doing arithmetic modulo n
complete set of residues is: 0..n-1
reduced set of residues is those numbers (residues) which are relatively prime to n
eg for n=10,
complete set of residues is {0,1,2,3,4,5,6,7,8,9}
reduced set of residues is {1,3,7,9}
number of elements in reduced set of residues is called the Euler Totient Function ø(n)

36. Euler Totient Function ø(n)
to compute ø(n) need to count number of elements to be excluded
in general need prime factorization, but
for p (p prime) ø(p) = p-1
for p∙q (p,q prime) ø(p∙q) = (p-1)(q-1)
eg.
ø(37) = 36
ø(21) = (3–1)×(7–1) = 2×6 = 12

37. Euler's Theorem a generalisation of Fermat's Theorem aø(n)mod N = 1
where gcd(a,N)=1
eg.
a=3;n=10; ø(10)=4;
hence 34 = 81 = 1 mod 10
a=2;n=11; ø(11)=10;
hence 210 = 1024 = 1 mod 11

38. Why RSA Works because of Euler's Theorem: aø(n)mod N = 1 in RSA have:
where gcd(a,N)=1
in RSA have:
N=p∙q
ø(N)=(p-1)(q-1)
carefully chosen e & d to be inverses mod ø(N)
hence e∙d=1+k∙ø(N) for some k
hence : Cd = (Me)d = M1+k∙ø(N) = M1∙(Mø(N))q = M1∙(1)q = M1 = M mod N

39. PGP and GnuPG Two applications which implement the RSA algorithm
GnuPG Is open-source (thus it’s free)
PGP was first, and written by Phil Zimmerman
The US gov’t didn’t like PGP…

40. The US gov’t and war munitions

41. How to “crack” PGP Factoring n is not feasible
Thus, “cracking” PGP is done by other means
Intercepting the private key
“Hacking” into the computer, stealing the computer, etc.
Man-in-the-middle attack (next 2 slides)
Etc.

42. Man-in-the-middle attack: “Normal” RSA communication
What is your public key?
My public key is 12345…
What is your public key?
My public key is 67890…
Here’s message encrypted with 12345…
Here’s a response encrypted with 67890…

43. What is your public key?
What is your public key?
My public key is 12345…
My public key is abcde…
What is your public key?
What is your public key?
Black has the
private decryption
key for abcde…
My public key is 67890…
My public key is vwxyz…
Here’s message encrypted w/ abcde…
Black has the
private decryption
key for vwxyz…
Decrypts message with corresponding private key to abcde…;
re-encrypts message with blue’s public key (12345…)
Here’s message encrypted w/ 12345…
Here’s response encrypted w /vwxyz…
Decrypts message with corresponding private key to vwxyz…;
re-encrypts message with yellow’s public key (67890…)
Here’s response encrypted w/ 67890…

44. Other public key encryption methods
Modular logarithms
Developed by the US government, therefore not widely trusted
Elliptic curves

45. Quantum computers
A quantum computer could (in principle) factor n in reasonable time
This would make RSA obsolete!
Shown (in principle) by Peter Shor in 1993
You would need a new (quantum) encryption algorithm to encrypt your messages
This is like saying, “in principle, you could program a computer to correctly predict the weather”
A few years ago, IBM created a quantum computer that successfully factored 15 into 3 and 5
I bet the NSA is working on such a computer, also

46. Sources
Wikipedia article has a lot of info on RSA and the related algorithms
Those articles use different variable names
Link at