 # Public Key Algorithms 4/17/2017 M. Chatterjee.

## Presentation on theme: "Public Key Algorithms 4/17/2017 M. Chatterjee."— Presentation transcript:

Public Key Algorithms 4/17/2017 M. Chatterjee

Modular Arithmetic Public key algorithms are based on modular arithmetic. Modular addition. Modular multiplication. Modular exponentiation. 4/17/2017 M. Chatterjee

Poor cipher with (dk+dm) mod K, e.g., if K=10 and dk is the key. Additive inverse: addition mod K yields 0. “Decrypt” by adding inverse. 4/17/2017 M. Chatterjee

Modular Multiplication
Multiplication modulo K Multiplicative inverse: multiplication mod K yields 1 Only some numbers have inverse Use Euclid’s algorithm to find inverse Given x, n, it finds y such that xy mod n = 1 All number relatively prime to n will have mod n multiplicative inverse 4/17/2017 M. Chatterjee

Totient Function x, m relative prime: no other common factor than 1
Totient function ø(n): number of integers less than n relatively prime to n if n is prime, ø(n)=n-1 if n=pq, and p, q are primes, ø(n)=(p-1)(q-1) 4/17/2017 M. Chatterjee

Modular Exponentiation
xy mod n = xy mod ø(n) mod n if y = 1 mod ø(n) then xy mod n = x mod n 4/17/2017 M. Chatterjee

The most popular one. Support both public key encryption and digital signature. Assumption/theoretical basis: Factoring a big number is hard. Variable key length (usually 512 bits). Variable plaintext block size. Plaintext must be “smaller” than the key. Ciphertext block size is the same as the key length. 4/17/2017 M. Chatterjee

What Is RSA? To generate key pair:
Pick large primes (>= 256 bits each) p and q Let n = p*q, keep your p and q to yourself! For public key, choose e that is relatively prime to ø(n) =(p-1)(q-1), let pub = <e,n> For private key, find d that is the multiplicative inverse of e mod ø(n), i.e., e*d = 1 mod ø(n), let priv = <d,n> 4/17/2017 M. Chatterjee

How Does RSA Work? Given pub = <e, n> and priv = <d, n>
encryption: c = me mod n, m < n decryption: m = cd mod n signature: s = md mod n, m < n verification: m = se mod n 4/17/2017 M. Chatterjee

Why Does RSA Work? Given pub = <e, n> and priv = <d, n>
n =p*q, ø(n) =(p-1)(q-1) e*d = 1 mod ø(n) xed = x mod n encryption: c = me mod n decryption: m = cd mod n = med mod n = m mod n = m Why???????? 4/17/2017 M. Chatterjee

What is Fermat’s theorem???
e*d = 1 mod ø(n) So e*d = 1 + kø(n) …med mod n = m 1 + kø(n) m (m kø(n) mod n) = m ???? What is Fermat’s theorem??? 4/17/2017 M. Chatterjee

Why Is RSA Secure? Factoring 512-bit number is very hard!
But if you can factor big number n then given public key <e,n>, you can find d, hence the private key by: Knowing factors p, q, such that, n = p*q Then ø(n) =(p-1)(q-1) Then d such that e*d = 1 mod ø(n) 4/17/2017 M. Chatterjee

Attacks on RSA • Brute force key search • Mathematical attacks
• Timing attacks 4/17/2017 M. Chatterjee

Math-Based Attacks Three possible approaches: – Factor n = pq
– Determine F(n) – Find the private key d directly • All the above are equivalent to factoring n 4/17/2017 M. Chatterjee

Brute Force An adversary just tries all possible
keys and keeps his fingers crossed that the right key is not the last key he will try ! 4/17/2017 M. Chatterjee

Timing Attacks By measuring the time required to perform
decryption (exponentiation with the private key as exponent), an attacker can figure out the private key Possible countermeasures: – use constant exponentiation time – add random delays – blind values used in calculations 4/17/2017 M. Chatterjee

Other Attacks on RSA Small encryption exponent e
E=3, Alice sends the message m to three people (public keys (e, n1), (e, n2), (e,n3)) An attacker can compute a solution to the following system x = c1 mod n1 x = c2 mod n2 x = c3 mod n3 Then, compute m from x = m3 Countermeasure: padding required 4/17/2017 M. Chatterjee

Forward Search Attack If message space is small, the attacker can
create a dictionary of encrypted messages (public key known, encrypt all possible messages and store them) When the attacker ‘sees’ a message on the network, compares the encryptedmessages, so he finds out what particular message was encrypted 4/17/2017 M. Chatterjee

Small decryption exponent d
Choosing a small exponent helps efficiency BUT If size of d is 1/4 size of n (in bits) and gcd(p-1,q-1) is small, there is a way to compute d only from e and n. Countermeasure: d should be about the same size as n. 4/17/2017 M. Chatterjee

Common modulus attack Each entity must choose its own modulus
Assume Alice and Bob generated keys using the same modulus n, ((e1, n ), d1)) and ((e2, n), d2)) C1 = Me1 mod n, C2 = Me2 mod n (e1)a + (e2) b = 1 if gcd(e1,e2)=1 M = C1a C2 b mod n 4/17/2017 M. Chatterjee

Cycling attack Intercepted ciphertext: C C1 = Ce mod n C2 = C1e mod n
Ck = Ck-1e mod n If Ck = C then stop P = Ck-1 4/17/2017 M. Chatterjee

Attacker Goals Total break: the attacker finds the key (the
symmetric key for ciphers or the private key for public key cryptosystems); after that all ciphertexts can be decrypted. Partial break: with some probability , the adversary is able to decrypt previously unseen ciphertexts, without knowing the key. Or the adversary can find out info about the plaintext, just by looking at the ciphertext. Distinguishability: with probability > 0.5, the adversary can distinguish between encryption of two different plaintexts, or between an encryption and a random string. 4/17/2017 M. Chatterjee

Diffie-Hellman Key Exchange
Shared key, public communication No authentication of partners What’s involved? P is a prime (about 512 bits), and g < p P and g are publicly known 4/17/2017 M. Chatterjee

4/17/2017 M. Chatterjee

Diffie-Hellman Key Exchange
Procedure Alice Bob pick secret Sa randomly pick secret Sb randomly compute TA=gSa mod p compute TB=gSb mod p send TA to Bob send TB to Alice compute TBSa mod p compute TASb mod p Alice and Bob reached the same secret gSaSb mod p, which is then used as the shared key. 4/17/2017 M. Chatterjee

DH Security - Discrete Logarithm Is Hard
T = gs mod p Conjecture: given T, g, p, it is extremely hard to compute the value of s (discrete logarithm) 4/17/2017 M. Chatterjee

Diffie-Hellman Scheme
Security factors Discrete logarithm very difficult. Shared key (the secret) itself never transmitted. 4/17/2017 M. Chatterjee

DoS possible. The scheme itself cannot be used to encrypt anything – it is for secret key establishment. No authentication, so you can not sign anything … 4/17/2017 M. Chatterjee

Bucket Brigade Attack...Man In The Middle
Alice Trudy Bob gSa=123 gSx =654 gSb =255 123 --> > < <--255 654Sa=123Sx Sx=654Sb Trudy plays Bob to Alice and Alice to Bob 4/17/2017 M. Chatterjee

Diffie-Hellman in Phone Book Mode
DH was subject to active man-in-the-middle attack because their public key-component was intercepted and substituted Phone book mode allows everyone to generate the public key-component in advance and publish them through other reliable means, e.g. <TB> for bob All communicating parties agree on their common <g, p> 4/17/2017 M. Chatterjee

Encryption With Diffie-Hellman
Everyone computes and publishes <p, g, T> T=gS mod p Alice communicates with Bob: Alice Picks a random secret Sa Computes gbSa mod pb Use Kab = TbSa mod pb to encrypt message Send encrypted message along with gbSa mod pb 4/17/2017 M. Chatterjee

Bob (gbSa)Sb mod pb = (gbSb)Sa mod pb = TbSa mod pb = Kab
Use Kab to decrypt 4/17/2017 M. Chatterjee