Requirements:
1. need $K_B^+(\cdot)$ and $K_B^-(\cdot)$ such that $K_B^-(K_B^+(m)) = m$
2. given public key $K_B^+$, it should be impossible to compute private key $K_B^-$
RSA: Rivest, Shamir, Adleman algorithm
$x \bmod n$ = remainder of x when divided by n
Facts:
$[(a \bmod n) + (b \bmod n)] \bmod n = (a+b) \bmod n$
$[(a \bmod n) - (b \bmod n)] \bmod n = (a-b) \bmod n$
$[(a \bmod n) \cdot (b \bmod n)] \bmod n = (a \cdot b) \bmod n$
Thus $(a \bmod n)^d \bmod n = a^d \bmod n$
Example: x=14, n=10, d=2:
$(x \bmod n)^d \bmod n = 4^2 \bmod 10 = 6$
$x^d = 14^2 = 196$, $x^d \bmod 10 = 6$
A message is a bit pattern. A bit pattern can be uniquely represented by an integer number. Thus encrypting a message is equivalent to encrypting a number. Example m= 10010001. This message is uniquely represented by the decimal number 145. To encrypt m, we encrypt the corresponding number, which gives a new number (the cyphertext).
1. Choose two large prime numbers p, q (e.g., 1024 bits each).
2. Compute $n = pq$, $z = (p-1)(q-1)$.
3. Choose e (with e < n) that has no common factors with z (e, z are "relatively prime").
4. Choose d such that $ed - 1$ is exactly divisible by z (in other words: $ed \bmod z = 1$).
5. Public key $K_B^+$ is (n, e). Private key $K_B^-$ is (n, d).
0. Given (n, e) and (n, d) as computed above
1. To encrypt message m (< n), compute $c = m^e \bmod n$
2. To decrypt received bit pattern, c, compute $m = c^d \bmod n$
Magic happens! $m = (m^e \bmod n)^d \bmod n$, where the inner term $m^e \bmod n$ is c.
Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z).
Encrypting 8-bit messages.
encrypt: bit pattern 0000l000, m = 12, $m^e$ = 24832, $c = m^e \bmod n$ = 17
decrypt: c = 17, $c^d$ = 481968572106750915091411825223071697, $m = c^d \bmod n$ = 12
Must show that $c^d \bmod n = m$ where $c = m^e \bmod n$
Fact: for any x and y: $x^y \bmod n = x^{(y \bmod z)} \bmod n$
- where $n = pq$ and $z = (p-1)(q-1)$
Thus,
$c^d \bmod n = (m^e \bmod n)^d \bmod n = m^{ed} \bmod n = m^{(ed \bmod z)} \bmod n = m^1 \bmod n = m$
The following property will be very useful later:
$K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))$
Left side: use public key first, followed by private key. Right side: use private key first, followed by public key. Result is the same!
Why $K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))$?
Follows directly from modular arithmetic:
$(m^e \bmod n)^d \bmod n = m^{ed} \bmod n = m^{de} \bmod n = (m^d \bmod n)^e \bmod n$
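
The key creation, encryption and decryption steps above, run on Bob's numbers (p=5, q=7, e=5), together with the order-independence property. This is an added example, not code from the original slides; the function names are illustrative.

```python
from math import gcd

def make_keys(p, q, e):
    """Steps 2-5 of key creation: return public (n, e) and private (n, d)."""
    n, z = p * q, (p - 1) * (q - 1)
    if not (1 < e < n and gcd(e, z) == 1):
        raise ValueError("e must be < n and relatively prime to z")
    d = pow(e, -1, z)          # smallest d with e*d mod z == 1 (Python 3.8+)
    return (n, e), (n, d)

def apply_key(key, x):
    """K(x) = x^exp mod n; the same operation serves both keys."""
    n, exp = key
    if not 0 <= x < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(x, exp, n)      # modular exponentiation, never builds x**exp

def demo():
    public, private = make_keys(5, 7, 5)
    n, d = private
    # The smallest valid d is returned; the slides' d = 29 differs from it
    # by exactly z = 24, so it satisfies ed mod z = 1 as well.
    slide_private = (n, 29)
    c = apply_key(public, 12)                      # encrypt m = 12
    results = {"d": d, "c": c,
               "m_smallest_d": apply_key(private, c),
               "m_slide_d": apply_key(slide_private, c)}
    # Round trip in both orders for every message m < n
    results["both_orders_ok"] = all(
        apply_key(slide_private, apply_key(public, m)) == m ==
        apply_key(public, apply_key(slide_private, m)) for m in range(n))
    return results

if __name__ == "__main__":
    print(demo())
```

With numbers this small the smallest valid d equals e, so the toy key pair offers no secrecy at all; it only illustrates the arithmetic.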
Suppose you know Bob's public key (n, e). How hard is it to determine d? Essentially need to find factors of n without knowing the two factors p and q. Fact: factoring a big number is hard.
Generating RSA keys
- Have to find big primes p and q
- Approach: make good guess then apply testing rules (see Kaufman)
Most common hash functions are MD5 and SHA-1. A hash function maps a message of arbitrary length to an m-bit output, known as the fingerprint or the message digest.
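Bob sends digitally signed message: the large message m goes through the hash function H to give H(m); the digital signature step (encrypt) with Bob's private key $K_B^-$ gives the encrypted msg digest $K_B^-(H(m))$, which is sent together with m.
Alice verifies signature and integrity of digitally signed message: she applies the hash function H to the large message m to get H(m), applies the digital signature step (decrypt) with Bob's public key $K_B^+$ to the encrypted msg digest $K_B^-(H(m))$ to get H(m), and checks whether the two values are equal.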
Suppose Alice receives msg m, digital signature $K_B^-(m)$.
Alice verifies m signed by Bob by applying Bob's public key $K_B^+$ to $K_B^-(m)$, then checks $K_B^+(K_B^-(m)) = m$.
If $K_B^+(K_B^-(m)) = m$, whoever signed m must have used Bob's private key.
Alice thus verifies that:
✓ Bob signed m.
✓ No one else signed m.
✓ Bob signed m and not m'.
Non-repudiation: Alice can take m, and signature $K_B^-(m)$ to court and prove that Bob signed m.
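
The signed-message-digest flow from the two slides above (Bob signs H(m), Alice recomputes H(m) and compares), as an added example that is not from the original slides. Assumptions: SHA-256 as H, a constructed key built from two publicly known Mersenne primes, and textbook RSA with no padding exactly as the slides present it; deployed signatures add a padding scheme such as RSASSA-PSS.

```python
import hashlib

# Constructed toy key: two known Mersenne primes so the example runs offline.
# Real keys use secret, randomly generated primes.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, ed mod z = 1

def digest_as_int(message: bytes) -> int:
    """H(m) as an integer; SHA-256 gives 256 bits, far smaller than N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> int:
    """Bob: K_B^-(H(m)) = H(m)^d mod n."""
    return pow(digest_as_int(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Alice: recompute H(m) and compare it with K_B^+(signature)."""
    if not 0 <= signature < N:
        return False                   # not a valid RSA input, reject early
    return pow(signature, E, N) == digest_as_int(message)

if __name__ == "__main__":
    msg = b"Pay Alice 10 dollars"      # constructed sample message
    sig = sign(msg)
    print("genuine :", verify(msg, sig))
    print("tampered:", verify(b"Pay Alice 1000 dollars", sig))
```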
Hash Functions
Data $X = (X_0, X_1, X_2, \ldots, X_{n-1})$, each $X_i$ is a byte
Suppose hash is
- $h(X) = X_0 + X_1 + X_2 + \ldots + X_{n-1}$
Is this secure?
Example: X = (10101010, 00001111)
Hash is 10111001
But so is hash of Y = (00001111, 10101010)
Easy to find collisions, so not secure…
Hash Functions
Data $X = (X_0, X_1, X_2, \ldots, X_{n-1})$
Suppose hash is
- $h(X) = nX_0 + (n-1)X_1 + (n-2)X_2 + \ldots + 1 \cdot X_{n-1}$
Is this hash secure?
At least h(10101010, 00001111) ≠ h(00001111, 10101010)
But hash of (00000001, 00001111) is same as hash of (00000000, 00010001)
Not too secure, need security requirements
CS526 Fall 2011/Topic 5
Given a function $h: X \to Y$, then we say that h is:
- preimage resistant (one-way): if given $y \in Y$ it is computationally infeasible to find a value $x \in X$ such that $h(x) = y$
- 2nd preimage resistant (weak collision resistant): if given $x \in X$ it is computationally infeasible to find a value $x' \in X$ such that $x' \neq x$ and $h(x') = h(x)$
- collision resistant (strong collision resistant): if it is computationally infeasible to find two distinct values $x', x \in X$ such that $h(x') = h(x)$
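
The two toy hashes from the slides above, checked against the 2nd preimage definition by exhaustive search. This is an added example, not code from the original slides; it assumes the sums are plain integers with no reduction, which matches the slides' examples, and the function names are illustrative.

```python
from itertools import product

def h_sum(data: bytes) -> int:
    """First toy hash: h(X) = X_0 + X_1 + ... + X_{n-1}."""
    return sum(data)

def h_weighted(data: bytes) -> int:
    """Second toy hash: h(X) = n*X_0 + (n-1)*X_1 + ... + 1*X_{n-1}."""
    n = len(data)
    return sum((n - i) * byte for i, byte in enumerate(data))

def second_preimage(h, x: bytes):
    """Given x, search same-length inputs for x' != x with h(x') == h(x).
    Exhaustive, so only practical for the short inputs used here."""
    target = h(x)
    for candidate in product(range(256), repeat=len(x)):
        candidate = bytes(candidate)
        if candidate != x and h(candidate) == target:
            return candidate
    return None

# The byte pairs used on the slides
X = bytes([0b10101010, 0b00001111])
Y = bytes([0b00001111, 0b10101010])

if __name__ == "__main__":
    print("sum hash collides on X, Y:", h_sum(X) == h_sum(Y))
    print("weighted hash separates X, Y:", h_weighted(X) != h_weighted(Y))
    found = second_preimage(h_weighted, X)
    print("second preimage of X under weighted hash:",
          [format(b, "08b") for b in found])
```

The search succeeds after a few thousand candidates for either hash, so neither meets the weakest of the three requirements that matter for signatures.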
MD5
- output 128 bits
- collision resistance completely broken by researchers in China in 2004
SHA1
- output 160 bits
- no collision found yet, but methods exist to find collisions in less than 2^80
- considered insecure for collision resistance
SHA2 (SHA-224, SHA-256, SHA-384, SHA-512)
- outputs 224, 256, 384, and 512 bits, respectively
- No real security concerns yet
- Message is divided into fixed-size blocks and padded
- Uses a compression function f, which takes a chaining variable (of size of hash output) and a message block, and outputs the next chaining variable
- Final chaining variable is the hash value
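
The iteration described above, as an added example that is not from the original slides. Everything concrete is an assumption made to keep it runnable: the 16-byte block, the 8-byte chaining variable, the all-zero initial value, a stand-in compression function built from truncated SHA-256, and padding with a 0x80 byte, zeros and the message length in bits.

```python
import hashlib

BLOCK = 16           # message block size in bytes (assumed for this toy)
STATE = 8            # chaining variable = hash output size in bytes (assumed)
IV = bytes(STATE)    # initial chaining variable (assumed all zeros)

def compress(chain: bytes, block: bytes) -> bytes:
    """Stand-in compression function f(chaining variable, block): truncated
    SHA-256, used only to make the iteration structure runnable."""
    return hashlib.sha256(chain + block).digest()[:STATE]

def pad(message: bytes) -> bytes:
    """Append 0x80, zeros, then the 8-byte message length in bits, so the
    result is a whole number of blocks."""
    zeros = (-(len(message) + 1 + 8)) % BLOCK
    length = (8 * len(message)).to_bytes(8, "big")
    return message + b"\x80" + bytes(zeros) + length

def chaining_values(message: bytes):
    """Every chaining variable, from the initial value to the final one."""
    chain, values = IV, [IV]
    padded = pad(message)
    for i in range(0, len(padded), BLOCK):
        chain = compress(chain, padded[i:i + BLOCK])   # next chaining variable
        values.append(chain)
    return values

def md_hash(message: bytes) -> bytes:
    """The final chaining variable is the hash value."""
    return chaining_values(message)[-1]

if __name__ == "__main__":
    for step, value in enumerate(chaining_values(b"attack at dawn, attack at dusk")):
        print(step, value.hex())
```

Because the length is part of the padding, a message and the same message followed by its own padding bytes are hashed as different block sequences.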