Public-Key Encryption and Cryptography Stanton Vincent CSC 540: Social, Ethical, and Professional Issues in the Information Age Dr. Lyle April 2, 2015 Overview With the Information Age well amongst the population in this day and age, technology is the rave of the twenty-first century. Facebook, Twitter, and Pinterest are just a few examples of the importance society places on technology and social media. The amount of personal data and information is exuding from each individual on planet Earth because of the advancements of technology and the accessibility of it between people. However, with this much technological communication and private information flying across the internet, precautions must be made in order to secure this information and that each individuals’ right to privacy is fortified. Data encryption is one such way of fortifying an individuals’ amendments and privacy. Without encryption, hackers and other users of the internet could easily obtain an individuals’ data, some of which could be private and confidential like credit card numbers and social security identification numbers. If these were to ever find a place in the wrong hands, the consequences could be dire. Thus, data encryption exists to make sure that these scenarios never happen and to ensure high amounts of security on a persons’ data and communication over a technological channel. A Brief History Prior to the 1970s, symmetric-key cryptography had been the only cryptographic mode: parties involved in covert communications would agree on a shared secret key to encrypt and authenticate their exchanges. (Certicom) In 1974, Dr. Ralph Merkle created the basic idea of public-key encryption from his “quarter project”. From this project, the Public-Key Encryption and Cryptography seeds of public-key cryptography were sown, where the idea of keys could be publicly known while the contents of the information exchanges they relate to would remain essentially secure. (Certicom) Examples of Public-Key Encryption Asymmetric cryptography is also known as public-key cryptography. Symmetric cryptography works like a simple lockbox. The owner locks away something valuable in the box with a key so that none other may take it, but whomever has the key that unlocks the box has access to the valuable locked inside. Thus, only the owner of the key or someone who has a copy of the key can open the box. (Vryonis) Public-Key cryptography, or asymmetric cryptography, works a bit differently. Assume Anna has a lockbox with a very special key. The lock on her box has three states: A (locked), B (unlocked), and C (locked). Also, the box has two separate keys. The first can only turn clockwise, that is from A to B to C. The second key can only move counter-clockwise, that is from C to B to A. Anna picks the first key and keeps it for herself. This key is called the private key because only Anna has it. The second key is called the public key, which Anna makes a hundred copies of, but she can make however many she desires. Some of these public keys are given to her friends and family, while some are left on her desk at work, and she also hangs two of them by the door at her house. When someone asks for her business card, she also provides them with a public key. (Vryonis) 2 Public-Key Encryption and Cryptography Thus, Anna has her private key that turns from A to B to C, and everyone else has public keys that she provided which turn from C to B to A. With these keys, many interesting things are possible to execute. (Vryonis) Firstly, imagine Bill, who has a public key, wants to send Anna a very personal message. He puts the message in the lockbox and locks it with a copy of Anna’s public key. Since public keys turn counter-clockwise and Bill is locking the lockbox, the public key transitions the state from B to A. Now, only a private key can access the message inside the lockbox, since it is the only type of key that turns clockwise. Thus, only Anna can access the message from Bill. (Vryonis) The above example is the basic definition of public-key encryption. Everyone who has a public key can put documents or messages in the lockbox, lock it, i.e. encrypt it, and know that the only person who can unlock the box is the person who has the private key. (Vryonis) Secondly, suppose Anna puts a document in the lockbox and uses her private key to lock it. In other words, she changes the state from B to C. Now, anyone with Anna’s public key can access this document from Anna, since public keys turn counterclockwise. Everyone who owns Anna’s public key knows that this document came specifically from Anna, since they cannot open the lockbox by turning it clockwise. This is an example of a digital signature. (Vryonis) Realization of Public-Key Encryption Utilizing the above scenarios and examples, a realistic, modern definition and view of public-key encryption is given. Keys are just very large numbers with many 3 Public-Key Encryption and Cryptography digits. Users can keep their private key in a text file or in a special app. Public keys can be placed in an email signature or even a website. Instead of lockboxes, files are locked and unlocked by using apps and these keys. (Vryonis) If anyone encrypts a file with a public key, only the individual with a private key can decrypt it. Alternatively, if the owner of the private key encrypts a file, anyone with a public key can decrypt it. This use serves as a proof that the owner of the private key encrypted the file and, thus, digitally signed by the owner. This can be viewed as a memo created by a boss in which he/she passes it out to the employees with his/her personal signature on the memo. (Vryonis) Of course, there are scenarios where public-key encryption can get quite complicated. An owner of the private key can sign a file and then have someone use their public key in order to encrypt the file so that only the owner of the private key can read it. Also, one user, or even an organization, can digitally sign other users’ keys to verify their authenticity. Thus, as can be seen, public-key encryption can offer many encryption methods and schemas for many situations. Certainly, public-key encryption offers more complexity than symmetric encryption. (Vryonis) Algorithms Within the field of public-key encryption, there are many types of algorithms used. Some may be used for the encryption itself, while other algorithms can be used by hackers to decipher any encrypted message. Additionally, authentication algorithms exist to verify if a message has not been altered while on route to its intended recipient. Within the branch of encryption, the RSA (Rivest-Shamir-Adleman) algorithm is the most common public algorithm in use today with relation to public-key encryption. 4 Public-Key Encryption and Cryptography In fact, it has been used in Netscape’s Secure Sockets Layer Protocol (SSL) and even Microsoft’s Private Communications Technology (PCT). (ABCSEO) The great advantage of the RSA algorithm is it solves the key management problem. However, the RSA algorithm is not as efficient as the DES algorithm, which is the most widely used encryption algorithm in the world, with respects to time management. (Grabbe) Additionally, the RSA algorithm needs larger key sizes, around 1,024 bits instead of the weak 512, and it is more vulnerable to plaintext and timing attacks than other such algorithms. (ABCSEO) A Java program implementing the RSA algorithm is provided in the Appendix. As can be seen, this program uses BigIntegers as a means to a private key and public key. First, it outputs the original message before encryption. Then, it uses the private key to encrypt the message and gives the encrypted message as output. Then, it deciphers the encrypted message using a public key, or BigInteger, and then outputs the decrypted message. The output of the RSA program in Java is as follows: Plaintext: Yellow and Black Border Collies Ciphertext:983661698216665348264500637219746413051268559862444668803820 92592298117156395858773587836365994162585812681593121788553570784737987 90637852219720576465697138560292629947891863632967992128391246425929118 79604894764833996719794441027243301322294456488382598574520319705748029 2429589977355320433224626523346630 Plaintext: Yellow and Black Border Collies The entire purpose of encrypting messages is to ensure security and privacy towards individuals with private communications and data. However, with the successful 5 Public-Key Encryption and Cryptography fruition of data encryption also comes the successful fruition of the dark-side of encryption. Hackers have devised some algorithms to decrypt messages even though they may not have a public key. Examples of these attacks are Known-Plaintext attack, Man-in-the-Middle attack, and an Implementation attack, just to name a few. If the hacker has no information as to knowledge of the keys or portions of the data they are wishing to decrypt, they must revert to a Brute Force attack, using the Brute Force algorithm to find the exact number for a key. (ABCSEO) In a Known-Plaintext attack, the attacker knows some of the plaintext contained within the data and/or message. Thus, they use this information to work backwards in order to obtain they key used. A Man-in-the-Middle attack is when an attacker is between two communicators impersonating each party to the other, substituting their keys with their own. This type of attack is great at obtaining information flowing between two parties, but the attacker must obtain a key in some way, hacked or not. Finally, an Implementation attack occurs when the encryption algorithm used for the original message is badly implemented. Thus, the attacker uses this knowledge of implementation in order to obtain a key. Usually, encryption algorithms that utilize random number generators are extremely difficult to use an Implementation attack on. This type of attack was responsible for breaking Netscape’s Secure Sockets Layer Protocol. (ABCSEO) Finally, since attackers have many tools at their disposal to send, create, and alter encrypted messages and data, there are algorithms to determine if a message is indeed from the original, intended sender and/or has been manipulated with as it crossed the data channel. Signing a message with a private key may seem like the optimal choice, but 6 Public-Key Encryption and Cryptography signing long messages takes a considerable amount of time and is also slower than using a public key. Additionally, signing with a private key does not ensure that an encrypted message is not altered in some way. (ABCSEO) The solution to the above problems lies within a concept known as message digest. Message digest is a short, fixed-length string that is computed from the original message using some form of hashing algorithm. If a hashing algorithm can be devised with properties such that it is impossible to find another message that hashes to the same value, then it can be used to validate that the received message to which the hash is attached is the same as the sent one. There are many commonly used algorithms for generating message digests, such as MD2, MD4, and MD5, where MD stands for message digest. However, the most commonly used hash algorithm is known as the SHA, which stands for Secure Hash Algorithm. (ABCSEO) The SHA is a cryptographic hash algorithm published by the United States government. However, the algorithm is still quite new, so it is constantly being updated and fortified so that no faults occur within it. In the appendix, a Java program implementing the SHA-256 is provided. As can be seen, this program uses the SHA-256 hashing algorithm to generate a hash value for password “123456”. It provides two methods in order to hash the password into a hexadecimal value. The output of the program is as follows: (Kyong) Hex format : 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92 Hex format : 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92 7 Public-Key Encryption and Cryptography All-in-all, there exists many types of algorithms that are useful for encryption. Some are used for encryption itself, attacking encrypted messages, or even determining if a message has been tampered with. The field of encryption algorithms is still relatively new, so advancements are being made on a constant basis. There is still much to learn and implement within the field of encryption and its manipulative methods. PGP Of course, one does not have to manually create a code in order to enact a publickey encryption. There are several programs that exist just for the purpose of public-key encryption and security. For instance, PGP, which stands for Pretty Good Privacy, is a downloadable program that offers public-key encryption services at a price. PGP was free in the past, but now costs $85.00 for one license for one year. (Norton) However, the public is allowed to download the source code for peer review. (Zimmermann) Links are provided in the appendix for the source code address and the address to purchase PGP. PGP is a product aimed at consumers interested in keeping data and files from being read by the wrong people or out of the hands of those it doesn’t belong to. It offers services in file encryption, digital signatures, and even email. This amazing software encrypts and decrypts data just as the concept of public-key encryption does. However, PGP does offer the user to provide a digital signature, rather than encrypting an entire file or email, which is beneficial when they are lengthy. (Hoel) 8 Public-Key Encryption and Cryptography Conclusion As can be seen, the fields of encryption and cryptography, just like computer science, are expanding at an exponential rate. Discoveries are being made left and right, at a nearly constant basis. Public-key encryption offers every American their right to privacy and the fortification of the First Amendment of the Bill of Rights. Thus, it is vital and important to further advance the field so security and privacy attain an absolute maximum value to provide to every individual across the United States. So much so, that the right to privacy is never abused and taken advantage of ever again across the cyber channel and internet for any American. 9 Appendix RSA Algorithm Code in Java (Brodrick) (Johnston) //package atnf.atoms.mon.util; import java.math.BigInteger; import java.security.SecureRandom; /** * Simple RSA public key encryption algorithm implementation. * <P> * Taken from "Paj's" website: * <TT>http://pajhome.org.uk/crypt/rsa/implementation.html</TT> * <P> * Adapted by David Brodrick */ public class RSA { private BigInteger n, d, e; private int bitlen = 1024; /** Create an instance that can encrypt using someone elses public key. */ public RSA(BigInteger newn, BigInteger newe) { n = newn; e = newe; } /** Create an instance that can both encrypt and decrypt. */ public RSA(int bits) { bitlen = bits; SecureRandom r = new SecureRandom(); BigInteger p = new BigInteger(bitlen / 2, 100, r); i Appendix BigInteger q = new BigInteger(bitlen / 2, 100, r); n = p.multiply(q); BigInteger m = (p.subtract(BigInteger.ONE)).multiply(q .subtract(BigInteger.ONE)); e = new BigInteger("3"); while (m.gcd(e).intValue() > 1) { e = e.add(new BigInteger("2")); } d = e.modInverse(m); } /** Encrypt the given plaintext message. */ public synchronized String encrypt(String message) { return (new BigInteger(message.getBytes())).modPow(e, n).toString(); } /** Encrypt the given plaintext message. */ public synchronized BigInteger encrypt(BigInteger message) { return message.modPow(e, n); } /** Decrypt the given ciphertext message. */ public synchronized String decrypt(String message) { return new String((new BigInteger(message)).modPow(d, n).toByteArray()); } /** Decrypt the given ciphertext message. */ public synchronized BigInteger decrypt(BigInteger message) { return message.modPow(d, n); } /** Generate a new public and private key set. */ public synchronized void generateKeys() { ii Appendix SecureRandom r = new SecureRandom(); BigInteger p = new BigInteger(bitlen / 2, 100, r); BigInteger q = new BigInteger(bitlen / 2, 100, r); n = p.multiply(q); BigInteger m = (p.subtract(BigInteger.ONE)).multiply(q .subtract(BigInteger.ONE)); e = new BigInteger("3"); while (m.gcd(e).intValue() > 1) { e = e.add(new BigInteger("2")); } d = e.modInverse(m); } /** Return the modulus. */ public synchronized BigInteger getN() { return n; } /** Return the public key. */ public synchronized BigInteger getE() { return e; } /** Trivial test program. */ public static void main(String[] args) { RSA rsa = new RSA(1024); String text1 = "Yellow and Black Border Collies"; System.out.println("Plaintext: " + text1); BigInteger plaintext = new BigInteger(text1.getBytes()); BigInteger ciphertext = rsa.encrypt(plaintext); System.out.println("Ciphertext: " + ciphertext); iii Appendix plaintext = rsa.decrypt(ciphertext); String text2 = new String(plaintext.toByteArray()); System.out.println("Plaintext: " + text2); } } SHA-256 Algorithm Code in Java (Kyong) package com.mkyong.test; import java.security.MessageDigest; public class SHAHashingExample { public static void main(String[] args)throws Exception { String password = "123456"; MessageDigest md = MessageDigest.getInstance("SHA-256"); md.update(password.getBytes()); byte byteData[] = md.digest(); //convert the byte to hex format method 1 iv Appendix StringBuffer sb = new StringBuffer(); for (int i = 0; i < byteData.length; i++) { sb.append(Integer.toString((byteData[i] & 0xff) + 0x100, 16).substring(1)); } System.out.println("Hex format : " + sb.toString()); //convert the byte to hex format method 2 StringBuffer hexString = new StringBuffer(); for (int i=0;i<byteData.length;i++) { String hex=Integer.toHexString(0xff & byteData[i]); if(hex.length()==1) hexString.append('0'); hexString.append(hex); } System.out.println("Hex format : " + hexString.toString()); } } Link for PGP Purchase http://buy.symantec.com/estore/clp/productdetails/pk/endpoint-encryption Link for PGP Source Code http://www.symantec.com/connect/downloads/symantec-pgp-desktop-peer-review-source-code v Bibliography ABCSEO. Public-Key Algorithms. ABCSEO.com, 2006. Web. 2 Apr. 2015. Brodrick, David. Simple RSA public key encryption algorithm implementation. : RSA << Security << Java. Java2S, N.D. Web. 2 Apr. 2015. Certicom. The origins of public-key cryptography and ECC. Blackberry, N.D. Web. 1 Apr. 2015. Grabbe, J. Orlin. The DES Algorithm Illustrated. University of Berlin, N.D. Web. 2 Apr. 2015. Hoel, Jeremy. PGP for Everyday Use. SANS Institute, 3 Apr. 2015. Web. 3 Apr. 2015. Johnston, Paul. Java RSA Code. BSD, 13 Jul. 2009. Web. 2 Apr. 2015. Kyong, M. Java SHA Hashing Example. 24 Feb. 2010. Web. 2 Apr. 2015. Norton. Symantec Endpoint Encryption (powered by PGP Technology). Symantec, 2015. Web. 3 Apr. 2015. Vryonis, Panayotis. Explaining public-key cryptography to non-geeks. Longaccess, 27 Aug. 2013. Web. 1 Apr. 2015. Zimmermann, Philip. Where to get PGP. Philip Zimmermann & Associates LLC, N.D. Web. 3 Apr. 2015.