S. Erfani, ECE Dept., University of Windsor 0688-590-18 Network Security Public Key Cryptography 5.1 Introduction Public-key encryption finds use in message authentication and key distribution. In this chapter, we look at motivation for public-key encryption and then examine the most important public-key algorithms, namely, RSA and Diffie–Hellman. We introduce applications such as digital signatures. Note that if three users, Alice, Bob, and Casey want to exchange information securely, three keys required; call these keys kAB, kAC, kBC. If we add a fourth user, Dana, and establish channels with the other three users, another key is required, one to connect Dana to each of the existing three users. Each time we add a new user to a system of n users , n additional keys are needed. In general, an n-user system requires n x (n-1) / 2 keys. Therefore: a) As the number of users grows, the number of keys increases very rapidly. b) Determining and distributing these keys is a problem. c) Maintaining security for the keys already distributed and inventory them is a serious problem. Definition 1: Asymmetric Encryption System In this cryptosystem each user has two keys; a public key and a private key. The user publish the public key freely. The keys operate as inverse. Let kub be user’s public key, and let KRb be the corresponding private key. Then, P = dkRb (ekUb (P)) That is, a user can decrypt with a private key what someone else has encrypted with the corresponding public key. Futhermore, P = dkUb (ekRb (P)) The public-key cryptosystem is shown in Figure1 (below). There is a source Alice, which produces a message in plaintext, X = [X1, X2, ---, Xn]. Cryptanalyst Oct. 7, 2003 ^X 1 S. Erfani, ECE Dept., University of Windsor 0688-590-18 Network Security Source A Message Source X Destination B Encryption Algorithm Y Destination Decryption^KRb X Algorithm KRb KUb Key Pair Source Figure1: Public Key Cryptosystem The M elements of X are letters of alphabet. The message is intended for destination Bob. Bob generates a related pair of keys: a public key and a private key, KRb. KRb is known only to Bob, whereas KUb is publicly available and therefore accessible by Alice. With the message X and the encryption key KUb as input, Alice forms the ciphertext Y = [ Y1, Y2, -----, YM] Y= eKUb (X) The intended receiver, i.e., Bob, in procession of the matching private key, is able to invert the transformation: X = dKRb ( Y ) An opponent, Oscar, observing Y and having access to KU b but not having access to KRb or X, tries to recover X and/or KRb. It is also assumed that Oscar does have knowledge of the encryption and decryption algorithms. Thus, Oscar attempts to recover X and KR b by generating estimates X and KRb. 5.2 Authentication Using Public-Key CryptoSystem We mentioned earlier that either of the two related keys can be used for encryption, with the other being used for decryption. This enables an Oct. 7, 2003 2 S. Erfani, ECE Dept., University of Windsor 0688-590-18 Network Security effective authentication scheme to be implemented as shown in Fig 2 ( on the next page ). In this case Alice prepares a message to Bob and encrypt it using Alice’s private key before transmitting it : Y= eKRa (X) Cryptanalyst ^KRa Source A Message Source Destination B Encryption Algorithm X Y Decryption Algorithm Destination X KUa KRa Key Pair Source Figure2: Authentication using Public-Key Cryptosystem Bob can decrypt the message using Alice’s public key. Because the message was encrypted using Alice’s private key, only Alice could have prepared the message. Therefore, the entire encrypted message serves as a digital signature. In addition, it is impossible to alter the message without access to Alice’s private key, so the message is authenticated both in terms of source and in terms of data integrity. Oct. 7, 2003 3 S. Erfani, ECE Dept., University of Windsor 0688-590-18 Network Security Note 1: A more efficient way of achieving the same results is to encrypt a small block of hits that is a function of the plaintext. Such a block, called an authentication, must have the property that it is infeasible to change the plaintext document without changing the authentication. If the authentication is encrypted with the render’s private key, it serves as a signature that verifies origin, content and sequencing. Definition2 – Digital Signature The render signs a message with its private key. Signing is achieved by a cryptographic algorithm applied to the message or to a small block of data that is a function of the message. Note 2: As noticed, the authentication process just described does not provide confidentiality. That is, the message being sent is safe from alteration but not from eavesdropping. It is, however, possible to provide both the authentication and confidentiality by a double use of the publickey scheme, as described below. 5.3 Secrecy and Authentication Using Public Key Cryptosystem As shown in figure 3, in this case, we begin as before by encrypting a message, using the sender’s private key, KRa: Source A X Message source Destination B Y Encryption Algorithm Z Encryption Algorithm Y Decryption Algorithm X Decryption Algorithm Message Destination KRb KUb KRa Key Pair Source Key Pair Source KUa Figure 3. Secrecy and Authentication Oct. 7, 2003 4 S. Erfani, ECE Dept., University of Windsor Y= 0688-590-18 Network Security eKRa (X) This provides the digital signature. Next, we encrypt again, using the receiver’s public key, KUb: Z = eKUb (Y) = eKUb (eKRa (X)) The final ciphertext, Z, can be decrypted only by the intended receiver, who has alone the matching private key KRb and public key of the receiver, KUa: X = dKUa (Y) = dKUa (dKRb (Z)) Thus, confidentiality is provided. The disadvantage of this approach is that the public-key algorithm, which is complex, must be exercised four times than two in each communication. 5.4 Requirements for Public-Key cryptosystem The cryptosystem shown in figs. 1-3 depends on a cryptographic algorithm based on two related key, Driffine and Hellman postulated system without demonstrating that such algorithms exist. However, they did lay out the conditions that such algorithms must fulfill in their paper published in 1976 as: (1) It should be computationally easy for a party, Bob, to generate a pair (Public Key KUb, Private Key KRb). (2) It should be computationally easy for a sender Alice, knowing the public key and the message to be encrypted, M, to generate the corresponding ciphertext: C= e KUb (M) (3) It is computationally easy for the receiver Bob to decrypt the resulting ciphertext using the private key to recover the original message: M= dKRb (c) = dKRb (eKUb(M)) (4) it should be computationally infeasible for an opponent, Oscar, knowing the public key, KUb, to determine the private key, KRb. Oct. 7, 2003 5 S. Erfani, ECE Dept., University of Windsor 0688-590-18 Network Security (5) It should be computationally infeasible for an opponent, Oscar, knowing the public key, KUb and a ciphertext, C, to recover the original message, M. We added a 6th requirement that, although useful, is not necessary for all public-key applications: (6) The encryption and decryption function can be applied in either order: M= eKUb(dKRb (M)) Note 1: The requirements boils down to the need for a trap-door one-way function. A one-way function (not to be confused with one-way hash function!) is one that maps a domain into a range such that every function value has a unique inverse, such that the calculation of the function is infeasible: Y = f (x) easy X = f-1(Y) infeasible Note 2: Generally, easy is defined to mean a problem that can be solved in polynomial time as a function of input length. Such algorithms belong to the class P. Note 3: In general, we can say a problem is infeasible if the effort to solve it grows faster than polynomial time as s function of input size. Note 4: A trap-door one-way function is a family of invertible function f k(.), such that: Y = fk(X) easy, if k and X are known. X = fk-1(X) easy, if k and Y are known. X = fk-1(X) infeasible, if Y is known but k is not known. Note 5: The development of a practical public-key scheme depends on discovery of a suitable trap-door one-way function. Oct. 7, 2003 6