Public Key Algorithms 1
Public Key Algorithms It is necessary to know some number theory to really understand how and why public key algorithms work Most of the public key algorithms are based on modular arithmetic 2
Use of Public Key Cryptosystems Encryption/decryption Sender encrypts a message with the receiver s public key Only the receiver can decrypt the message Digital signature The sender signs a message with its private key Authentication and non-repudiation Key exchange Two sides cooperate to exchange a session key Secret key cryptosystems are often used with the session key 3
Modular Arithmetic Modular Addition Addition modulo (mod) n x mod n: the remainder of x when divided by n mod 10 addition 5+5 = 0 2+2 = 4 An additive inverse of x is the number that adds to x to get 0 4 s inverse (mod 10) is 6 Decrypt by adding inverse 4
Addition Modulo 10 5
Modular Multiplication Mod 10 multiplication table Multiplication by 1, 3, 7, 9 works as cipher Multiplicative inverse x -1 : y * x = 1 Use Euclid s Algorithm to find inverse 6
Totient Function x, m relative prime (rp) = no other common factor than 1 relatively prime prime (9 rp 10) totient function Φ(n): number of numbers less than n rp to n if n prime: {1, 2,, n-1}. Φ(n) = n-1 if n=p * q, p, q distinct prime => Φ(n) = (p-1)(q-1) 7
Modular Exponentiation (Exponentiation Modulo 10) 8
Modular Exponentiation Encryption: x 3 works, x 2 does not Exponential inverse y of x: (a x ) y = a Columns: 1=5, 2=6, 3=7 x y mod n = x( y mod Φ(n) ) mod n: the i th column is the same as the i+4 th column rp to 10 are {1, 3, 7, 9} Totient function Φ(n): number of numbers less than n relatively prime to n 9
RSA (Rivest, Shamir, Adleman) A very popular public key cryptographic algorithm Support public key encryption and digital signature Variable key length 512 bits, 1024 bits Variable plaintext block size Plaintext block must be smaller than the key length Ciphertext block size is the length of the key Ciphertext length = key length Much slower to compute than DES/IDEA Assumption/theoretical basis: Factoring a large number is practically impossible 10
RSA Algorithm To generate a public key and a corresponding private key Pick large primes p and q (around 256 bits) Let n=p*q (512 bits), factors p and q remain secret Public key: choose e that is relatively prime to ø(n) =(p- 1)(q-1), let pub = <e,n> Private key: find the number d that is the multiplicative inverse of e mod ø(n), i.e., e*d = 1 mod ø(n), let priv = <d,n> Encryption: of m < n, c = m e mod n Decryption: m = c d mod n Verification Sign: s = m d mod n Verify: m = s e mod n 11
RSA Example Bob chooses p=7, q=11. Then n=77, z= ø(n) =60. e=7 (so e, z relatively prime). d=43 (so ed-1 exactly divisible by z). encrypt: decrypt: m m e c = m e mod n 9 9 7 37 c c d m = c d mod n 37 37 43 9 12
Why Does RSA Work? Will decrypting an encrypted message get the original message back? Useful number theory result: If p,q prime and n = pq, then: y ymod (p-1)(q-1) x mod n = x mod n e (m mod n) d mod n = m ed mod n ed mod (p-1)(q-1) = m mod n (using number theory result above) 1 = m mod n (since we chose ed to be divisible by (p-1)(q-1) with remainder 1 ) = m 13
Why Does RSA Work? That is: will decrypting an encrypted message get the original message back? Given pub = <e, n> and priv = <d, n> n =p*q, ø(n) =(p-1)(q-1) de = 1 mod ø(n) For any x, x de = x mod n encryption: c = m e mod n decryption: m = c d mod n = m e d mod n = m mod n = m (since m < n) digital signature (similar) 14
Why is RSA Secure? Based on the Fundamental Tenet of Cryptography Factoring 512-bit number is very hard! If you can factor quickly, you can break RSA! But if you can factor big number n then given public key <e,n>, you can find d, hence the private key by: Knowing factors p, q, such that, n = p*q Then ø(n) =(p-1)(q-1) Then d such that e*d = 1 mod ø(n) 15
Diffie-Hellman Allows two individuals to agree on a shared key, public communication No authentication of partners Alice might be establishing a secret key with a bad guy What is involved? A large prime p, and g < p p and g are publicly known Alice and Bob choose random S A and S B, kept secret next slide.. 16
Diffie-Hellman Key Exchange Procedure Alice pick secret SA randomly compute TA=g S A mod p send TA to Bob compute TB S A mod p Bob pick secret SB randomly compute TB=g S B mod p send TB to Alice compute TA S B mod p Alice and Bob reached the same secret g S AS B mod p, which is then used as the shared key. not secure against bucket-brigade/man-in-the-middle attacks. 17
DH Security Discrete Logarithm is Hard T = g s mod p Given T, g, and p, it is computationally infeasible to compute the value of s (discrete logarithm) 18
The Bucket Brigade/Man-in-the-Middle Attack Mr. X plays Alice to Bob and Bob to Alice 19
Defense against Man-in-the-Middle Attack Diffie-Hellman in Phone Book Mode Have a somewhat permanent public and secret number Everyone has to agree on a common p and g Everyone generates the public key components and publish them through other reliable means, e.g., <Tb> for Bob Essential Requirement: authenticity of public key Authenticated Diffie-Hellman Alice and Bob know some sort of secret Use this secret to prove they generate their DH value Following DH exchange, transmit a hash of the agreed-upon shared DH value, name, and the pre-shared secret Following DH exchange, transmit a hash of the pre-shared secret and the DH value 20
Encryption with Diffie-Hellman To avoid the active exchange Everyone computes and publishes a public key <p, g, T> for the private key s T=g S mod p Alice communicates with Bob: Bob has published <p b, g b, T b > Alice Picks a random secret S a Computes g b Sa mod p b Use K ab = T b Sa mod p b (the encryption key) to encrypt message Send encrypted message along with g b Sa mod p b Bob (g b Sa ) Sb mod p b = (g b Sb ) Sa mod p b = T b Sa mod p b = K ab Use K ab to decrypt Essentially key distribution + encryption 21
Digital Signature Standard (DSS) By NIST Based on ElGamal Speeded up for signer rather than verifier: smart cards Use SHA-1 to generate the hash value and Digital Signature Algorithm (DSA) to generate the digital signature 22
DSS Algorithm 23
DSS Algorithm Calculate X -1 and d m 24
Why is DSA Secure? No revealing of the private key S Nobody should be able to generate a signature for a given message without knowing S Nobody should be able to generate a message that matches a given signature Nobody should be able to modify a signed message in a way that keeps the same signature valid Need a per-message secret number S m If S m is known, the private key S can be computed (X m S m d m )T m -1 mod q = S mod q (refer to step 6): the attacker can forge DSS signature If two messages share the same S m, the private key S can be revealed (X m X m ) -1 (d m -d m ) mod q = S m mod q (refer to step 6 ) => S m 25