Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Transcription

1 Introduction to Cryptography and Security Mechanisms: Unit 5 Public-Key Encryption

2 Learning Outcomes Explain the basic principles behind public-key cryptography Recognise the fundamental problems that need to be solved before public-key cryptography can be used effectively Describe a simple version of the RSA cryptosystem Describe a simple version of the the ElGamal cryptosystem Compare the basic properties of RSA, ElGamal and elliptic-curve-based approaches Identify the main uses of public-key cryptography 2

3 Sections 1. Public-key cryptography 2. RSA 3. ElGamal and elliptic-curve variants 4. Public-key cryptography in practice 3

4 1. Public-key cryptography

5 Symmetric assumptions Consider two entities who are communicating using a symmetric cryptosystem. 1. What do we assume they have done before communicating? 2. What assumption is being made about the relationship between them? 5

6 Public-key cryptosystem blueprint The keys used to encrypt and decrypt are different. Anyone who wants to be a receiver needs to publish an encryption key, which is known as the public key. Anyone who wants to be a receiver needs a unique decryption key, which is known as the private key. It should not be possible to deduce the private key from the public key It should not be possible to deduce the plaintext from knowledge of the ciphertext and the public key (encryption needs to be a one-way function ). 6

7 One-way functions A function is called a one-way function if it is: Easy to compute Hard to reverse Given input it is easy to compute the output Given output it is hard to determine the input 7

8 OWF: Multiplying two primes It is easy to take two prime numbers and multiply them together. If they are fairly small we can do this in our heads, on a piece of paper, or on a calculator......as they get bigger and bigger it is fairly easy to write a computer program to compute the product. Multiplication runs in polynomial time (it is easy ). 8

9 OWF: Multiplying two primes To factor: Comments 600 digit number 600 digit even number 9

10 OWF: Multiplying two primes Multiplication of two prime numbers is believed to be a one-way function. We say believed because nobody has been able to prove that it is hard to factorise (maybe one day someone will find a way of factorising efficiently.) 10

11 OWF: Modular exponentiation The process of exponentiation just means raising numbers to a power. Raising a to the power b, normally denoted a b just means multiplying a by itself b times. In other words: a b = a x a x a x x a Modular exponentiation means computing a b modulo some other number n. We tend to write this as a b mod n. Modular exponentiation is easy. 11

12 OWF: Modular exponentiation However, given a, n and a b mod n (when n is prime), calculating b is regarded by mathematicians as a hard problem. This difficult problem is often referred to as the discrete logarithm problem. In other words, given a number a and a prime number n, the function f(b) = a b mod n is believed to be a one-way function. 12

13 OWF: Modular square roots What is the square root of 1369? Propose a technique for finding the square root of 1369 that will generalise to any integer. 13

14 OWF: Modular square roots What is the square root of 14 module 43? Let s try 12 Let s try 11 14

15 OWFs and public-key encryption We have seen that the encryption process of a public-key cryptosystem requires a one way function. Why is a one way function not exactly what we want for a public-key cryptosystem? 15

16 2. RSA

17 RSA The RSA public-key cryptosystem was the first practical implementation of public key encryption discovered. It remains the most used public-key cryptosystem today. It is named after the three researchers Ron Rivest, Adi Shamir and Len Adleman who first published it. Make sure you are familiar with the concepts of modular arithmetic, and prime numbers. 17

18 Setting up RSA Let n be the product of two large primes p and q By large we typically mean at least 512 bits. Select a special number e greater than 1 and less than (p-1)(q-1) Precisely: there must be no numbers that divide neatly into e and into (p-1)(q-1), except for 1. Publish the pair of numbers (n,e) Compute the private key d from p, q and e 18

19 Computing the private key The private key d is computed to be the unique inverse of e modulo (p-1)(q-1). In other words, d is the unique number less than (p-1)(q-1) that when multiplied by e gives you 1 modulo (p-1)(q-1). Written mathematically: ed = 1 mod (p-1)(q-1) The Extended Euclidean Algorithm is the process that we need to follow in order to compute d. 19

20 Computing the private key Who is capable of running the Euclidean Algorithm to find the private key? 20

21 Choosing e Let s consider p=3 and q=7. What choices of e are acceptable? In this case (p-1)(q-1) = 2 x 6 = 12. Any suitable choice of e must have the property that there are no numbers that neatly divide into e and 12 except for 1 e=2: no good, since 2 divides both e and 12. This will be true for all multiples of 2, so e=4, e=6, e=8 and e=10 are not possible. e=3: no good, since 3 divides both e and 12. This will be true for all multiples of 3, so e=6 and e=9 are also not possible. The remaining choices are e=5, e=7 and e=11. Since no number divides into them and 12 other than 1, all these are possible. 21

22 Setting up RSA: example Step 1: Let p = 47 and q = 59. Thus n = 47 x 59 = 2773 Step 2: Select e = 17 Step 3: Publish (n,e) = (2773, 17) Step 4: (p-1) x (q-1) = 46 x 58 = 2668 Use the Euclidean Algorithm to compute the modular inverse of 17 modulo The result is d = 157 << Check: 17 x 157 = 2669 = 1(mod 2668) >> Public key is (2773,17) Private key is

23 Encryption and decryption The first job is to represent the plaintext as a series of numbers modulo n. The encryption process to obtain the ciphertext C from plaintext M is very simple: C = M e mod n The decryption process is also simple: M = C d mod n 23

24 Encryption and decryption: example Public key is (2773,17) Private key is 157 Plaintext block represented as a number: M = 31 Encryption using Public Key: C = (mod 2773) = 587 Decryption using Private Key: M = (mod 2773) = 31 24

25 Security of RSA There are two different strategies for trying to break RSA: 1. Trying to decrypt a ciphertext without knowledge of the private key 2. Trying to determine the private key 25

26 Decrypting ciphertext without the key The encryption process in RSA involves computing the function C = M e mod n, which is regarded as being easy. An attacker who observes this ciphertext, and has knowledge of e and n, needs to try to work out what M is. Computing M from C, e and n is regarded as a hard problem. Have we seen this one way function before? 26

27 Determining the private key Assuming that you know the public key of a user, what would you need to do in order to obtain the corresponding private key? 27

28 RSA security summary There are two one-way functions involved in the security of RSA. One-way function Description Encryption function determining a plaintext from an RSA ciphertext is believed to be as difficult as factoring Multiplication of two primes determining an RSA private key from an RSA public key is known to be as difficult as factoring 28

29 Length of an RSA modulus It is hard to compare the equivalent security parameters for symmetric key cryptosystems and RSA, however it is roughly believed that equivalent security strengths are: RSA modulus length Symmetric key length

30 RSA block size RSA operates on numbers modulo n. The process for encryption is thus: 1. Convert plaintext into numbers modulo n 2. Encrypt plaintext In this sense, RSA is a block cipher rather than a stream cipher. 1 - What is the block size of RSA? 2 - Can you use RSA with different modes of operation? 30

31 Implementing real RSA There are several attacks on specific instances of RSA, such as: Attacks when d is very small Attacks when e is very small Attacks if the same message is sent to many receivers with the same low e Side-channel attacks It is important to implement RSA according to standards PKCS#1v2 / RSA-OAEP 31

32 Probabilistic encryption In practice we want probabilistic encryption: if the same plaintext is encrypted with the same public key then the resulting ciphertext will be different each time This protects against an informed exhaustive plaintext search : make an informed guess of the plaintext encrypt the guess using the public key to see if it matches the observed ciphertext 32

33 RSA-OAEP h 1 and h 2 are two hash functions r is a random number s = (M 0..0 ) h 1 (r) t = r h 2 (s) C = (s t) e mod n How does Bob decrypt the message? 33

34 3. ElGamal and elliptic-curve variants

35 ElGamal We will also take a look at the ElGamal public-key cryptosystem for a number of reasons: To show that RSA is not the only public-key cryptosystem To exhibit a public-key cryptosystem based on a different one way function ElGamal is the basis for several well-known cryptographic primitives 35

36 Setting up ElGamal Let p be a large prime By large we mean here a prime rather typical in length to that of an RSA modulus Select a special number g The number g must be a primitive element modulo p. Choose a private key x This can be any number bigger than 1 and smaller than p-1 Compute public key y from x, p and g The public key y is g raised to the power of the private key x modulo p. In other words: y = g x mod p 36

37 Setting up ElGamal: example Step 1: Let p = 23 Step 2: Select a primitive element g = 11 Step 3: Choose a private key x = 6 Step 4: Compute y = 11 6 (mod 23) = 9 Public key is 9 Private key is 6 37

38 ElGamal encryption The first job is to represent the plaintext as a series of numbers modulo p. Then: 1. Generate a random number k 2. Compute two values C 1 and C 2, where C 1 = g k mod p and C 2 = My k mod p 3. Send the ciphertext C, which consists of the two separate values C 1 and C 2. 38

39 ElGamal encryption: example To encrypt M = 10 using Public key Generate a random number k = Compute C 1 = 11 3 mod 23 = 20 C 2 = 10 x 9 3 mod 23 = 10 x 16 = 160 mod 23 = Ciphertext C = (20, 22 ) 39

40 ElGamal decryption C 1 = g k mod p C 2 = My k mod p 1 - Use private key x to change C 1 into something useful: C 1x = (g k ) x mod p = (g x ) k = y k mod p 2 - Divide C 2 by C x 1 : C 2 / y k = (My k ) / y k = M mod p 40

41 ElGamal decryption: example To decrypt C = (20, 22 ) 1 - Compute 20 6 = 16 mod Compute 22 / 16 = 10 mod Plaintext = 10 41

42 Security of ElGamal Recall the two different strategies for trying to break RSA: 1. Trying to decrypt a ciphertext without knowledge of the private key 2. Trying to determine the private key What hard problems do you come across if you try to follow these two different strategies to break ElGamal? 42

43 ElGamal v RSA PROS of ElGamal CONS of ElGamal Does not rely on factorisation being hard Built in probabilistic encryption Message expansion 43

44 4. Public-key cryptography in practice

45 Restrictions on use Two issues restrict the use of public key encryption: Computational cost: Public-key encryption and decryption are relatively expensive operations Long-plaintext integrity issues: There are no modes of operation proposed for plaintexts longer than one block 45

46 Hybrid encryption Alice Bob Encrypt K using Bob s public key PKE PKBob (K) Decrypt using Bob s private key to recover K Encrypt the plaintext using K SE K (plaintext) Decrypt using K to recover the plaintext

47 Applications using RSA RSA is the default public-key encryption algorithm Supported by almost every major application of public-key cryptography: SSL/TLS SSH IPSec EMV etc 47

48 Applications using ElGamal ElGamal is not implemented widely However it forms the basis for a number of elliptic-curve variants of ElGamal: shorter keys than RSA attractive for applications where secure storage space is at a premium (smartcards, smart tokens, portable devices, ubiquitous computing) widely supported in cryptographic APIs 48

49 Key lengths RSA modulus n ElGamal group size p Elliptic curve equivalent

50 Summary Public-key cryptosystems provide the potential for two entities who do not have a direct trust relationship to employ cryptography Public-key encryption algorithms need to be trapdoor one-way functions RSA is a public-key cryptosystem whose security is believed to be based on the problem of factoring large numbers ElGamal is a public-key cryptosystem whose security is believed to be based on the discrete logarithm problem RSA and ElGamal elliptic curve variants are widely implemented Public-key cryptosystems are less efficient than most symmetric cryptosystems and, as a result, are usually used as part of a hybrid encryption process 50