RSA Public Key Encryption 1. Ivor Page 2

Transcription

1 RSA Public Key Encryption 1 RSA Public Key Encryption 1 Ivor Page 2 One of the most important methods of providing secrecy and authentication is encryption. Secrecy means the secure transmission of data to a specified recipient (without others being able to read the data) while authentication means that the recipient can be certain of who sent the data. In practice, it is usually possible for unintended others to receive encrypted messages, but it should be extremely time consuming (thousands of years in some cases) for unintended recipients to decrypt them. There is no perfect cipher - one that can never be broken - but it is possible to make the task of decrypting messages too costly in time for all practical purposes. There have been many famous ciphers that have frustrated attempts to crack them, but the digital computer has brought extremely powerful methods to the aid of cryptanalysts. The computer s ability to enumerate many possible cracking strategies in a very short time makes the problem of selecting tough ciphers much more difficult. We will study the Public Key Encryption System known as RSA after its inventors, Rivest, Shamir and Adleman. The most popular encryption system based on RSA and used by the public is Pretty Good Privacy (PGP). There is a free downloadable version of the software and there are companies that provide key pairs to users of these systems 3. A personal note of caution: You might choose to encrypt all your personal and data but, if you are sued, the court may ask you to decrypt it. Failure to do so is regarded as withholding evidence. It is better not to create messages that might embarrass you later. 1 A Method for Obtaining Digital Signatures and Public Key Cryptosystems R. L. Rivest, A. Shamir, and L. Adleman. Communications of the ACM, Vol. 21, No. 2, February 1978 University of Texas at Dallas 3

2 RSA Public Key Encryption 2 DES DES was introduced for use in U.S. unclassified government applications in Since then it has come under criticism for ease of cracking. It uses a single well publicized algorithm for encryption and decryption. Secrecy is guarded by a single 56 bit key, known only to the sender and recipient. The algorithm partitions each message into 64 bit blocks and makes use of transpositions of groups of bits within each block and an Excusive OR function between the transposed bit sequence and the key. Many argue that the key length is too short and some hackers have published strategies for cracking DES on WEB sites. For more information on DES, RSA, and many other encryption techniques and security matters, consult the text by Dorothy and Robling Denning 4. RSA Each agent A that wishes to communicate has two keys, a public key A p, knowntoeveryonewithwhoma communicates, and a secret key A s,known only to A. A user of an RSA encryption system will generally not memorize these keys. They will be stored in the agents computers. This means that physical security, usually implemented via passwords, is at least as important as the encryption system. Someone could maliciously login to A s computer and send messages in A s name or receive messages that should only be readable by A. Great care must be given to the selection and regular updating of passwords. Many password cracking systems try dictionary words and common names. People often use their dogs names or something equally easy to guess, or they leave their passwords written on notes in their desks. Agents also must not leave their computers logged in while they are not present. It takes only a few seconds for an experienced spy to compromise security. 4 Cryptography and Data Security by Dorothy and Robling Denning, Addison Wesley, 1982, Reprinted with corrections, 1983.

3 RSA Public Key Encryption 3 Secret communication with RSA When A wishes to send a secret message M to B, A uses B s public key to encrypt the message, C = E Bp (M), where C is the ciphertext. Agent B uses B s secret key to decrypt the message, M = D Bs (M). Only B can read the message, but anyone possessing A s public key could have sent it. Agent A Agent B B p B s Message M E ciphertext C D M Figure 1: Secret Communication with RSA Here E and D are the encryption and decryption algorithms. For RSA, the encryption and decryption algorithms are identical and are known to everyone, E = D. Wecallsuchsystemssymmetrical. Authenticated Communication with RSA When A wants to send a message to B signed by a digital signature, A encrypts the message using A s secret key, C = E As (M) andb uses A s public key to decrypt the message, M = E Ap (C). Here, only A could have sent the message, but anyone possessing A s public key can read the message. Agent A Agent B A s A p Message M E ciphertext C D M Figure 2: Authenticated Communication with RSA The use of RSA for authentication of the sender is often referred to as applying a Digital Signature. A digitally signs the message by encrypting it with A s secret key.

4 RSA Public Key Encryption 4 Secret and Authenticated Communication with RSA To incorporate both secrecy and authentication, A encrypts the message twice, once using A s secret key, and once using B s public key, C = E Bp (E As (M)). B does the symmetrically opposite operations on the ciphertext: M = E Ap (E Bs (C)). Agent A A s B p Message M E ciphertext C E Figure 3: Secret and Authenticated Communication with RSA RSA Encryption Algorithm A pair of integers (e, n) is used in the encryption process, and another pair (d, n) is used to decrypt the message. The value of n is publicly known. We represent message M as an integer between 0 and n 1. If M is too large, it is broken up into blocks of the above size and each block is encrypted separately. If, for example, n has 128 bits, then any text message could be partitioned into blocks of 16 8 bit characters, and each block represented as an 128 bit binary number in base Then C = M e mod n To decrypt C, M = C d mod n ThenumbersofbitsinM and C are the same, C = M. Since e and d are large, more than 100 bits, the computations of M e and C d might appear to be problematic. Since the blocks of the message M will have the same number of bits as n, raisingm to a large power would appear to require a huge integer with tens of thousands of bits.

5 RSA Public Key Encryption 5 A result from number theory helps reduce the computational burden considerably: (a b) mod n =[(amodn) (bmodn)] mod n Where is one of {+,,. Therefore all the calculations and intermediate results need only be computed mod n, i.e. no more bits than in n. The (public) encryption key is the pair (e, n) and the (private) decryption key is the pair (d, n). Each agent has its own pair of keys. The value of n is the product of two large randomly chosen primes of size at least 100 decimal digits, n = pq Then d is chosen to be a large random integer that is coprime to (p 1)(q 1) and preferably larger than both p and q. Two integers a, b are coprime if their greatest common divisor is 1, GCD(a, b) =1. GCD(d, (p 1)(q 1)) = 1 Then e is computed from p, q, and d to be the multiplicative inverse of d, mod (p 1)(q 1): ed mod (p 1)(q 1) = 1 For the process to work, E (e,n) and E (d,n) must be inverse functions. Proof Euler s generalization of a theorem by Fermat states that for any integer M coprime to n, M φ(n) mod n =1 where φ(n) is the Euler totient function giving the number of positive integers less than n which are coprime to n. Forprimep, φ(p) =p 1; φ(n) =φ(pq) = φ(p)φ(q) =(p 1)(q 1).

6 RSA Public Key Encryption 6 The theorem implies that if e and d can be chosen such that, ed mod φ(n) =1 then M e mod n and M d mod n must be inverse functions. If M [0,n 1] we require that: (M e mod n) d mod n = M We start with: (M e mod n) d mod n = M ed mod n Now, ed mod φ(n) = 1 implies ed = kφ(n) + 1 for some integer k. Therefore M ed mod n = M kφ(n)+1 mod n = MM kφ(n) mod n = M(M kφ(n) mod n) mod n = M(1) mod n = M since M kφ(n) mod n =1 We have shown that, if ed mod φ(n) = 1 the encryption and decryption algorithms are inverses, as required. Now we show how to choose e and d. Yet another result from number theory states that, if e is coprime to φ(n), then d exists such that ed mod φ(n) =1. Any value coprime to φ(n) will do for d. T hen e is found by a modified Euclid s algorithm. See the code below. We would have to use much bigger integers than long ints in a practical version. See the use of the modinverse function from JAVA s BigInteger package on page??.

7 RSA Public Key Encryption 7 long int modinverse(long int d, longintφ(n)) { long int g 0 = φ(n), g 1 = d, u 0 =1,v 0 =0,u 1 =0,v 1 =1,i=1; while(g i 0){ // g i = u i φ(n)+v i d long int y = g i 1 /g i ; g i+1 = g i 1 y g i ; u i+1 = u i 1 y u i ; v i+1 = v i 1 y v i ; i ++; long int x = v i 1 ; if(x 0) return x; return x + φ(n); Simple Example: Set p =17,q= 23, therefore n = pq = 391, and (p 1)(q 1) = 352. Pick d to be coprime to 352. Any prime will work, but it is preferable that d>pand d>q. We will choose d = 37. Then solve 37emod352 = 1 to obtain e = 333. (Other pairs are d =29,e= 85, and d =13,e= 27). The RSA paper suggests: p and q should differ in length by a few digits, Both p 1andq 1 should have large prime factors, and GCD(p 1,q 1) should be small. Our example only satisfies the first of these. Larger Example: In a slightly larger example, p =47q = 59, n = 2773, and φ(n) =(p 1)(q 1) = If d = 157 then e = 17. We can encode two letters per block if we use the numeric conversion, blank = 00, A=01, B=02,...,Z=26. Then the message ITS ALL GREEK TO ME becomes

8 RSA Public Key Encryption 8 Now since the Binary representation of e is 10001, we can raise each block M to the power e by just 5 multiplications: M 17 = (((M 2 ) 2 ) 2 ) 2 M. In general, computing M e takes at most 2 log 2 (e) multiplications and 2log 2 (e) divisions. For the first block, mod 2773 = 948. The ciphertext is: To break the code, since n is known, it is necessary to factor n into p and q, but n is expected to be of the order of 200 decimal digits. The fastest known factoring algorithm at the time of publication of the RSA paper would require in excess of operations. With a computer operating at the rate of 10 9 operations per second, the factorization would take seconds, or years. Note that there are fast probabilistic algorithms to test if a given number is prime. See the algorithm by Solovay and Strassen on page??. Itis,however, much more difficult to find factors of a huge number, even when it is certain that the number has exactly two factors. Efficient Encryption Algorithm Computing M e modn requires at most 2log 2 (e) multiplies and 2log 2 (e) divides using the following method: Let e k e k 1 e 0 be the binary representation of e; C =1; for(i = k; i>=0;i ) { C =(C C) mod n; if(e i == 1) C =(C M) mod n; Repeated squaring is used. Consider computing M 11 mod n. The binary representation of 11 is C = 1 initially and after each of the 4 iterations its value is Mmodn, M 2 mod n, M 5 mod n, andm 11 mod n.

9 RSA Public Key Encryption 9 Here is the algorithm in JAVA using the BigInteger package: BigInteger encryptblock(biginteger m, BigInteger e) { BigInteger c = new BigInteger("1"); // c = 1 int k = e.bitlength(); // nmbr of bits in e for(int i=k;i>=0;i--) { c = c.multiply(c); // c *= c c = c.mod(n); // c %= n if(e.testbit(i)) { // bit 0 is lsb c = c.multiply(m); // c *= m c = c.mod(n); // c %= n return c; The BigInteger package provides integers of arbitrary length. They grow in size as determined by the calculations. Choosing the Primes Each user must choose two large primes, p, andq. Their product, n = pq will be public. If n is to be of the order of 200 decimal digits, then p and q must each have about 100 digits. The Prime Number Theorem states that about one number in every (ln10 s )/2 numbers will be prime for numbers of s decimal digits. For 100 digit numbers, approximately one number in every 115 will be prime. This result is rather surprising. There are a lot of prime numbers! The density of primes does reduce with the number of digits, but rather slowly. To test a number b for primality, Rivest et. al. recommend the following probabilistic algorithm due to Solovay and Strassen. Pick a random value a in the range {1 b 1 Test if GCD(a, b) = 1 AND J(a, b)=a (b 1)/2 mod b The first clause tests whether a is a factor of b. Ifitisnot,thenGCD(a,b) will be 1. The second clause uses the Jacobi function shown on page??. If b is prime, the test is always true. If b is not prime then the test will yield false with probability of 1/2.

10 RSA Public Key Encryption 10 If the test holds true for 100 randomly chosen values of a, thenb is prime with probability 1 1/ The Jacobi function returns a value in {-1,1. If it returns -1, then the test fails since a (b 1)/2 cannot be negative. If the Jacobi function returns 1, we compute a (b 1)/2 modb using the repeated squaring algorithm that is used for encryption on page??. Computation of J(a, b) using long ints: long int Jacobi(long int a, long int b) { if(a==1) return 1; if(a%2==0) { // if(a is even) if(((b*b-1)/8)%2==0) return Jacobi(a/2,b); return -Jacobi(a/2,b); if(((a-1)*(b-1)/4)%2==0) return Jacobi(b%a,a); return -Jacobi(b%a,a); The Jacobi function returns a value in {-1,1. We could not use long ints in a real implementation since b is likely to be of size 100 decimal digits. The Solovay and Strassen algorithm is, however, built into the JAVA BigInteger package. See page??.

11 RSA Public Key Encryption 11 Here we choose the keys in JAVA using the BigInteger package: Random r = new Random(); BigInteger p,q,n,d,e,phi; p = new BigInteger(size,certainty,r); // uses Solovay and q = new BigInteger(size,certainty,r); // Strassen, see below n = new BigInteger(p.multiply(q)); int blocklength = n.bitlength(); boolean notdone = true; while(notdone) { d = new BigInteger(blocklength/2+2,certainty,r); if(d.compareto(p)>0 && d.compareto(q)>0) notdone = false; phi = new BigInteger (p.subtract(one).multiply(q.subtract(one))); e = new BigInteger(d.modInverse(phi)); Random r = new Random(); is not part of the BigInteger package, but is essential to our needs. It creates a random number generator r. p = new BigInteger(size,certainty,r); creates a new BigInteger (p is a reference to it) with random value of up to size bits that is prime with probability at least 1 1/2 certainty. int blocklength = n.bitlength(); gives the number of bits in n. d = new BigInteger(blocklength/2+2,certainty,r); computes a random integer of up to blocklength/2+2 bits in length. The while loop ensures that d is larger than p and q. phi = new BigInteger(p.subtract(one).multiply(q.subtract(one))); computes phi =(p 1)(q 1). And in: e = new BigInteger(d.modInverse(phi)); the modinverse function calculates e such that e*d mod(phi) = 1