Public Key Algorithms
EE5723/EE4723 Spring 2012

Outline
- Public Algorithm Introduction
- RSA
- Diffie-Hellman Public Algorithm

Public Key Cryptography
symmetric key crypto
- requires sender, receiver know shared secret key
- Q: how to agree on key in first place (particularly if never "met")?
public key cryptography
- radically different approach
- sender, receiver do not share secret key
- public encryption key known to all
- private decryption key known only to receiver

Public key cryptography
[Figure: plaintext message, m -> encryption algorithm (Bob's public key KB+) -> ciphertext KB+(m) -> decryption algorithm (Bob's private key KB-) -> plaintext message m = KB-(KB+(m))]

Public key encryption algorithms
Requirements:
1. need KB+( ) and KB-( ) such that KB-(KB+(m)) = m
2. given public key KB+, it should be impossible to compute private key KB-
RSA: Rivest, Shamir, Adleman algorithm

Modular Arithmetic
- Public key algorithms are based on modular arithmetic.
- Modular addition.
- Modular multiplication.
- Modular exponentiation.

Modular Addition
- Addition modulo (mod) K
- Poor cipher with (dk+dm) mod K, e.g., if K=10 and dk is the key (fig 6-1)
- Additive inverse: addition mod K yields 0
  - 3's modular 10 additive inverse?
- "Decrypt" by adding inverse

Modular Multiplication
- Multiplication modulo K
- Multiplicative inverse: multiplication mod K yields 1
- Only some numbers have inverse (fig. 6-2)
- Use Euclid's algorithm to find inverse
  - Given x, n, it finds y such that xy mod n = 1
  - Ref: Chapter 7 (p187-p190)
- All numbers relatively prime to n will have mod n multiplicative inverse (one-to-one)

Totient Function
- x, m relatively prime: no other common factor than 1
- (Euler's) totient function ø(n): number of integers less than n relatively prime to n
  - if n is prime, ø(n) = n-1
  - if n = pq, and p, q are primes, ø(n) = (p-1)(q-1)

Modular Exponentiation
- Number theory result (refer to figure 6-3): x^y mod n = x^(y mod ø(n)) mod n

RSA (Rivest, Shamir, Adleman)
- The most popular public key cryptography algorithm.
- Supports both public key encryption and digital signature.
- Assumption/theoretical basis: factoring a big number is hard.
- Variable key length (usually 512 bits).
- Variable plaintext block size.
  - Plaintext must be "smaller" than the key.
  - Ciphertext block size is the same as the key length.

RSA: Choosing key pairs
1. Choose two large prime numbers p, q (e.g., 1024 bits each).
2. Compute n = pq, ø(n) = (p-1)(q-1).
3. Choose e (with e < n) that has no common factors with ø(n) (e, ø(n) are "relatively prime").
4. Choose d such that d is the multiplicative inverse of e mod ø(n), i.e., e*d = 1 mod ø(n).
5. Public key KB+ is (n,e). Private key KB- is (n,d).

How Does RSA Work? - Encryption, decryption
0. Given (n,e) and (n,d) as computed above
1. To encrypt bit pattern, m, compute c = m^e mod n (i.e., remainder when m^e is divided by n)
2. To decrypt received bit pattern, c, compute m = c^d mod n (i.e., remainder when c^d is divided by n)
Magic happens! m = (m^e mod n)^d mod n, where c = m^e mod n

RSA: Why is that m = (m^e mod n)^d mod n
Useful number theory result: if p, q prime and n = pq, then:
  x^y mod n = x^(y mod (p-1)(q-1)) mod n
(m^e mod n)^d mod n
  = m^(ed) mod n
  = m^(ed mod (p-1)(q-1)) mod n   (using number theory result above)
  = m^1 mod n                     (since we chose ed to be divisible by (p-1)(q-1) with remainder 1)
  = m

RSA example:
Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z).

encrypt:  letter   m     m^e       c = m^e mod n
          l        12    248832    17

decrypt:  c     c^d                                     m = c^d mod n   letter
          17    481968572106750915091411825223071697    12              l

RSA: another important property
The following property will be very useful for digital signature:
  KB-(KB+(m)) = m = KB+(KB-(m))
- left side: use public key first, followed by private key
- right side: use private key first, followed by public key
Result is the same!

Digital Signatures
- sender (Bob) digitally signs document, establishing he is document owner/creator.
- verifiable, non-forgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed document

Digital Signatures
Simple digital signature for message m:
- Bob signs m by encrypting with his private key KB-, creating "signed" message, KB-(m)
[Figure: Bob's message, m ("Dear Alice, Oh, how I have missed you. I think of you all the time! ...(blah blah blah) Bob") -> public key encryption algorithm (Bob's private key KB-) -> KB-(m): Bob's message, m, signed (encrypted) with his private key]

Digital Signatures (more)
- Suppose Alice receives msg m, digital signature KB-(m)
- Alice verifies m signed by Bob by applying Bob's public key KB+ to KB-(m), then checks KB+(KB-(m)) = m.
- If KB+(KB-(m)) = m, whoever signed m must have used Bob's private key.
Alice thus verifies that:
- Bob signed m.
- No one else signed m.
- Bob signed m and not m'.
Non-repudiation:
- Alice can take m, and signature KB-(m) to court and prove that Bob signed m.

Why Is RSA Secure?
- Factoring 512-bit number is very hard! (the most commonly used key length for RSA)
- But if you can factor big number n then, given public key <e,n>, you can find d, hence the private key, by:
  - Knowing factors p, q, such that n = p*q
  - Then ø(n) = (p-1)(q-1)
  - Then d such that e*d = 1 mod ø(n)

Diffie-Hellman Key Exchange
- Diffie-Hellman Public Key Algorithm/Cryptosystem
  - Does neither encryption nor signature
  - Actually used for secret key establishment
  - No authentication of partners though
  - Subject to man-in-the-middle attack
- What's involved?
  - p is a large prime (about 512 bits), g < p, w/ some restrictions
  - p and g are publicly known, and agreed on by Alice & Bob

Diffie-Hellman Scheme
Procedure (g, p is known)
Alice
1). pick secret Sa randomly
2). compute TA = g^Sa mod p, send TA to Bob
3). compute TB^Sa mod p
Bob
1). pick secret Sb randomly
2). compute TB = g^Sb mod p, send TB to Alice
3). compute TA^Sb mod p
- As a public key scheme, <p, g> are the basis of the public key-component for all parties; Sa and Sb are private keys for Alice & Bob
- Alice and Bob reached the same secret g^(SaSb) mod p, which is then used as the shared key for the subsequent comm.

DH Security - Discrete Logarithm Is Hard
- The discrete logarithm problem: given an element g in a finite group G and another element h in G, find an integer x such that g^x mod p = h.
  - e.g., the solution to the problem 3^x = 13 (mod 17) is 4, because 3^4 = 81 = 13 (mod 17).
- Conjecture: for T = g^s mod p, given T, g, p, it is extremely hard to compute the value of s (discrete logarithm)

Security factors
Advantages:
- Discrete logarithm very difficult.
- Shared key (the secret) itself never transmitted.
Disadvantages:
- Expensive exponential operation
- DoS possible.
- The scheme itself cannot be used to encrypt anything – it is for secret key establishment.
- No authentication, so you cannot sign anything …

Bucket Brigade Attack: Man-in-the-Middle

Alice               Trudy               Bob
g^Sa = 123          g^Sx = 654          g^Sb = 255
123 -------------->
                    654 -------------->
<-------------- 654
                    <-------------- 255

Shared key Kax: (g^Sx)^Sa = 654^Sa = (g^Sa)^Sx = 123^Sx
Shared key Kbx: (g^Sb)^Sx = 255^Sx = (g^Sx)^Sb = 654^Sb
Trudy plays Bob to Alice and Alice to Bob

Diffie-Hellman in Phone Book Mode: Defense Against Man-in-the-Middle Attack
- DH was subject to active man-in-the-middle attack because their public key-component was intercepted and substituted
- Phone book mode allows everyone to generate the public key-component (e.g. TA = g^Sa mod p, TB = g^Sb mod p) in advance and publish them through other reliable means, e.g. PKI
- All communicating parties agree on their common <g, p>
- This does not solve authentication problem
- Reading assignment: section 6.4.2.2 on P169-170

Encryption With Diffie-Hellman
- To avoid active exchange prior to encryption
- Everyone computes & publishes their own <p, g, T>
  - T = g^S mod p; note: S is the private key
- Alice communicates w/ Bob:
  - Alice (she agreed on gb, pb)
    - Picks a random secret Sa
    - Computes gb^Sa mod pb
    - Uses Kab = Tb^Sa mod pb to encrypt message (e.g., w/ DES)
    - Sends encrypted message along w/ gb^Sa mod pb
  - Bob
    - (gb^Sa)^Sb mod pb = (gb^Sb)^Sa mod pb = Tb^Sa mod pb = Kab
    - Uses Kab to decrypt
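
The RSA slides (Euclid's algorithm for the inverse, choosing key pairs, the p=5, q=7 example, signatures, and "Why Is RSA Secure?") carried through in one added Python example; it is not code from the course, and all function names are hypothetical. Euclid's algorithm returns the smallest inverse d=5 for e=5, z=24; the slide's d=29 is the same residue mod 24 and decrypts identically.

```python
from math import gcd

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def mod_inverse(x, n):
    """Return y with x*y mod n == 1; exists only when gcd(x, n) == 1."""
    g, y, _ = egcd(x % n, n)
    if g != 1:
        raise ValueError(f"{x} has no multiplicative inverse mod {n}")
    return y % n

def make_keypair(p, q, e):
    """Steps 2-5 of key selection: returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return (n, e), (n, mod_inverse(e, phi))

def apply_key(key, value):
    """value^exponent mod n: used to encrypt, decrypt, sign and verify."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than n")
    return pow(value, exponent, n)

def recover_private_key(public):
    """Factor n by trial division (toy n only), then derive d as the owner did."""
    n, e = public
    p = next(f for f in range(2, n) if n % f == 0)
    return n, mod_inverse(e, (p - 1) * (n // p - 1))

if __name__ == "__main__":
    public, private = make_keypair(5, 7, 5)        # slide values: n=35, z=24, e=5
    c = apply_key(public, 12)                      # 'l' = 12
    print("d =", private[1], "(slide's d=29 is the same residue mod 24)")
    print("c =", c, "m =", apply_key(private, c), "=", apply_key((35, 29), c))
    sig = apply_key(private, 12)                   # sign with the private key
    print("signature verifies:", apply_key(public, sig) == 12)
    print("d recovered from (n, e) alone:", recover_private_key(public)[1])
```

With these toy values d is congruent to e mod 24, so the ciphertext and the signature of m=12 are the same number.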
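
The Diffie-Hellman Scheme, Bucket Brigade and Discrete Logarithm slides as an added Python example (not code from the course; function names are hypothetical). It uses p=17, g=3 from the slide's discrete-log example with constructed secrets, and shows that after substitution Alice and Bob hold different keys without either step reporting an error.

```python
P, G = 17, 3   # from the slide's example 3^x = 13 (mod 17); toy size only

def public_value(secret):
    """T = g^S mod p, the public key-component sent in step 2."""
    return pow(G, secret, P)

def shared_key(received_t, my_secret):
    """Step 3: raise the received T to my own secret, mod p."""
    return pow(received_t, my_secret, P)

def exchange(sa, sb, sx=None):
    """Run the three steps. If sx is given, Trudy replaces both T values in
    transit with g^Sx. Returns the keys held by (Alice, Bob, Trudy)."""
    ta, tb = public_value(sa), public_value(sb)
    if sx is None:
        return shared_key(tb, sa), shared_key(ta, sb), None
    tx = public_value(sx)
    k_alice = shared_key(tx, sa)          # Alice believes tx came from Bob
    k_bob = shared_key(tx, sb)            # Bob believes tx came from Alice
    k_trudy = (shared_key(ta, sx), shared_key(tb, sx))   # (Kax, Kbx)
    return k_alice, k_bob, k_trudy

def discrete_log(h):
    """Exhaustive search for x with g^x mod p == h; feasible only for toy p."""
    return next(x for x in range(1, P) if pow(G, x, P) == h)

if __name__ == "__main__":
    # Constructed secrets: Sa=4, Sb=7, Sx=5.
    print("honest (Alice, Bob, Trudy):", exchange(4, 7))
    print("substituted (Alice, Bob, Trudy):", exchange(4, 7, sx=5))
    print("x with 3^x = 13 (mod 17):", discrete_log(13))
```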
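
The Phone Book Mode and Encryption With Diffie-Hellman slides as an added Python example (not code from the course; all names are hypothetical). Assumptions: the prime 2^127 - 1 with g=3 is a constructed toy group, the SHA-256 XOR stream is only a stand-in for the slide's DES step, and the trusted book is taken to have been obtained in advance by reliable means.

```python
import hashlib
import secrets

P, G = 2**127 - 1, 3     # constructed toy parameters, not a vetted group

def publish(secret, p=P, g=G):
    """Phone-book entry <p, g, T> with T = g^S mod p; S stays private."""
    return {"p": p, "g": g, "T": pow(g, secret, p)}

def accept_entry(trusted_book, name, offered):
    """Use an entry only if it equals the one obtained in advance."""
    return trusted_book.get(name) == offered

def xor_stream(key_int, data):
    """Stand-in for the slide's DES step (assumption): XOR with a SHA-256 stream."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(f"{key_int}:{block}".encode()).digest()
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))

def encrypt_to(entry, message, sa=None):
    """Alice: pick Sa, send gb^Sa mod pb with the message encrypted under Kab."""
    p, g = entry["p"], entry["g"]
    if sa is None:
        sa = secrets.randbelow(p - 3) + 2        # fresh secret per message
    kab = pow(entry["T"], sa, p)                 # Kab = Tb^Sa mod pb
    return pow(g, sa, p), xor_stream(kab, message)

def decrypt(entry, sb, ta, ciphertext):
    """Bob: Kab = (gb^Sa)^Sb mod pb, then undo the symmetric step."""
    return xor_stream(pow(ta, sb, entry["p"]), ciphertext)

if __name__ == "__main__":
    sb = secrets.randbelow(P - 3) + 2
    book = {"bob": publish(sb)}                  # published ahead of time
    ta, ct = encrypt_to(book["bob"], b"meet at noon")
    print(decrypt(book["bob"], sb, ta, ct))
    print("substituted entry accepted:", accept_entry(book, "bob", publish(42)))
```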