Information Security -- Part II Public-Key Encryption and Hash Functions - PowerPoint PPT Presentation

Slides: 67
Provided by: oplabIm

1
Information Security -- Part II Public-Key Encryption and Hash Functions
  • Frank Yeong-Sung Lin
  • Information Management Department
  • National Taiwan University

2
Principles of Public-Key Cryptosystems
3
Principles of Public-Key Cryptosystems (contd)
  • Requirements for PKC
  • easy for B (receiver) to generate $KU_b$ and $KR_b$
  • easy for A (sender) to calculate $C = E_{KU_b}(M)$
  • easy for B to calculate $M = D_{KR_b}(C) = D_{KR_b}(E_{KU_b}(M))$
  • infeasible for an opponent to calculate $KR_b$ from $KU_b$
  • infeasible for an opponent to calculate $M$ from $C$ and $KU_b$
  • (useful but not necessary) $M = D_{KR_b}(E_{KU_b}(M)) = E_{KU_b}(D_{KR_b}(M))$
    (true for RSA and good for authentication)

4
Principles of Public-Key Cryptosystems (contd)
5
Principles of Public-Key Cryptosystems (contd)
  • The idea of PKC was first proposed by Diffie and
    Hellman in 1976.
  • Two keys (public and private) are needed.
  • The difficulty of calculating $f^{-1}$ is typically
    facilitated by
  • factorization of large numbers
  • resolution of NP-completeness
  • calculation of discrete logarithms
  • High complexity confines PKC to key management
    and signature applications

6
Principles of Public-Key Cryptosystems (contd)
7
Principles of Public-Key Cryptosystems (contd)
8
Principles of Public-Key Cryptosystems (contd)
  • Comparison between conventional and public-key
    encryption

9
Principles of Public-Key Cryptosystems (contd)
  • Applications for PKC
  • encryption/decryption
  • digital signature
  • key exchange

10
Principles of Public-Key Cryptosystems (contd)
11
Principles of Public-Key Cryptosystems (contd)
12
Principles of Public-Key Cryptosystems (contd)
13
The RSA Algorithm
  • Developed by Rivest, Shamir, and Adleman at MIT
    in 1978
  • First well accepted and widely adopted PKC
    algorithm
  • Security based on the difficulty of factoring
    large numbers
  • Patent expired in 2001

14
The RSA Algorithm (contd)
15
The RSA Algorithm (contd)
16
The RSA Algorithm (contd)
17
The RSA Algorithm (contd)
18
The RSA Algorithm (contd)
Primes under 2000
19
The RSA Algorithm (contd)
  • The above statement is referred to as the prime
    number theorem, which was proven in 1896 by
    Hadamard and Poussin.

20
The RSA Algorithm (contd)
  • Is there a simple formula to generate prime numbers?
  • An ancient Chinese mathematician conjectured that
    if $n$ divides $2^n - 2$ then $n$ is prime. For $n = 3$, 3
    divides 6 and $n$ is prime. However, for $n = 341 = 11 \times 31$,
    $n$ divides $2^{341} - 2$.
  • Mersenne suggested that if $p$ is prime then $M_p = 2^p - 1$
    is prime. Primes of this type are referred to as
    Mersenne primes. Unfortunately, for $p = 11$,
    $M_{11} = 2^{11} - 1 = 2047 = 23 \times 89$.

21
The RSA Algorithm (contd)
  • Fermat conjectured that if $F_n = 2^{2^n} + 1$, where $n$
    is a non-negative integer, then $F_n$ is prime. When
    $n$ is less than or equal to 4, $F_0 = 3$, $F_1 = 5$, $F_2 = 17$,
    $F_3 = 257$ and $F_4 = 65537$ are all primes.
    However, $F_5 = 4294967297 = 641 \times 6700417$ is not a
    prime number.
  • $n^2 - 79n + 1601$ is valid only for $n < 80$.
  • There are an infinite number of primes of the
    form $4n + 1$ or $4n + 3$.
  • There is no simple way so far to generate prime
    numbers.

22
The RSA Algorithm (contd)
23
The RSA Algorithm (contd)
  • Prime gap: displacement between two consecutive
    prime numbers
  • unbounded
  • $n! + 2, n! + 3, n! + 4, \ldots, n! + n$ are not prime

24
The RSA Algorithm (contd)
  • Fermat's Little Theorem (to be proven later): If
    p is prime and a is a positive integer not
    divisible by p, then
  • $a^{p-1} \equiv 1 \bmod p$.
  • Example: $a = 7$, $p = 19$
  • $7^2 = 49 \equiv 11 \bmod 19$
  • $7^4 \equiv 121 \equiv 7 \bmod 19$
  • $7^8 \equiv 49 \equiv 11 \bmod 19$
  • $7^{16} \equiv 121 \equiv 7 \bmod 19$
  • $a^{p-1} = 7^{18} = 7^{16+2} \equiv 7 \times 11 \equiv 1 \bmod 19$

25
The RSA Algorithm (contd)
26
The RSA Algorithm (contd)
  • $A = M + ip$ for a non-negative integer $i$.
  • $A = M + jq$ for a non-negative integer $j$.
  • From the above two equations, $ip = jq$.
  • Then, $i = kq$.
  • Consequently, $A = M + ip = M + kpq$. Q.E.D. (quod erat
    demonstrandum)

27
The RSA Algorithm (contd)
28
The RSA Algorithm (contd)
  • Example 1
  • Select two prime numbers, $p = 7$ and $q = 17$.
  • Calculate $n = p \times q = 7 \times 17 = 119$.
  • Calculate $\phi(n) = (p-1)(q-1) = 96$.
  • Select $e$ such that $e$ is relatively prime to $\phi(n) = 96$
    and less than $\phi(n)$; in this case, $e = 5$.
  • Determine $d$ such that $d \times e \equiv 1 \bmod 96$ and $d < 96$.
    The correct value is $d = 77$, because
    $77 \times 5 = 385 = 4 \times 96 + 1$.
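
Example 1 carried through in Python, as an added example that is not part of the original slides: it derives d from e with the extended Euclidean algorithm and checks that either key undoes the other (the "useful but not necessary" requirement listed earlier). The function names and the sample message M = 19 are assumptions made for this example.

```python
from math import gcd

def egcd(a, b):
    """Return (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def make_keypair(p, q, e):
    """Textbook RSA key generation as on the slide: returns (KU, KR)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must be less than phi(n) and relatively prime to it")
    _, x, _ = egcd(e, phi)       # e*x + phi*y == 1, so x is e^-1 mod phi
    d = x % phi                  # normalise into the range 0 < d < phi
    return (e, n), (d, n)

def apply_key(key, value):
    """E and D are the same operation: value ** exponent mod n."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must lie in [0, n)")
    return pow(value, exponent, n)

def keys_are_inverses(ku, kr):
    """Check M = D(E(M)) = E(D(M)) for every M in [0, n)."""
    n = ku[1]
    return all(apply_key(kr, apply_key(ku, m)) == m and
               apply_key(ku, apply_key(kr, m)) == m for m in range(n))

if __name__ == "__main__":
    KU, KR = make_keypair(7, 17, 5)          # slide values: p = 7, q = 17, e = 5
    C = apply_key(KU, 19)                    # M = 19 is a constructed sample message
    print("KU =", KU, "KR =", KR)
    print("C =", C, "M =", apply_key(KR, C))
    print("inverse in both orders:", keys_are_inverses(KU, KR))
```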

29
The RSA Algorithm (contd)

30
The RSA Algorithm (contd)
31
The RSA Algorithm (contd)
32
The RSA Algorithm (contd)
  • Key generation
  • determining two large prime numbers, p and q
  • selecting either e or d and calculating the other
  • Probabilistic algorithm to generate primes
  • 1. Pick an odd integer n at random.
  • 2. Pick an integer a < n at random.
  • 3. Perform the probabilistic primality test,
    such as Miller-Rabin. If n fails the test, reject
    the value n and go to 1.
  • 4. If n has passed a sufficient number of tests,
    accept n; otherwise, go to 2.

33
The RSA Algorithm (contd)
  • How many trials on the average are required to
    find a prime?
  • from the prime number theorem, primes near n are
    spaced on the average one every (ln n) integers
  • even numbers can be immediately rejected
  • for a prime on the order of $2^{200}$, about
    $(\ln 2^{200})/2 = 70$ trials are required
  • To calculate e, what is the probability that a
    random number is relatively prime to $\phi(n)$? About
    0.6.
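
The four-step generation procedure and the trial estimate above, as an added Python example that is not part of the original slides. It also runs the n = 341 counterexample from the earlier slide: 341 passes the Fermat check for a = 2 but is rejected by Miller-Rabin with the same base. The function names, the seed and the 20-round default are assumptions.

```python
import math
import random

def miller_rabin_round(n, a):
    """One Miller-Rabin round for odd n > 2 and base a; False proves n composite."""
    d, s = n - 1, 0
    while d % 2 == 0:                 # write n - 1 as d * 2**s with d odd
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False

def is_probable_prime(n, rounds=20, rng=random):
    """Steps 2-4: a fresh random base a < n per round; any failure rejects n."""
    if n < 5:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return all(miller_rabin_round(n, rng.randrange(2, n - 1)) for _ in range(rounds))

def generate_prime(bits, rng, rounds=20):
    """Steps 1-4: returns (prime, number of odd candidates drawn)."""
    drawn = 0
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1    # odd, exactly `bits` bits
        drawn += 1
        if is_probable_prime(n, rounds, rng):
            return n, drawn

def expected_trials(bits):
    """Slide estimate: primes near n are ln(n) apart and evens are skipped."""
    return bits * math.log(2) / 2

if __name__ == "__main__":
    # A seeded generator keeps the demo repeatable; real key generation must
    # draw from a CSPRNG such as random.SystemRandom().
    rng = random.Random(2024)
    print("2^340 mod 341 =", pow(2, 340, 341), "(341 passes the Fermat check for a = 2)")
    print("Miller-Rabin, n = 341, a = 2:", miller_rabin_round(341, 2))
    p, drawn = generate_prime(200, rng)
    print(f"200-bit prime after {drawn} candidates (estimate {expected_trials(200):.0f})")
```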

34
The RSA Algorithm (contd)
  • For fixed length keys, how many primes can be
    chosen?
  • for 64-bit keys, $2^{64}/\ln 2^{64} - 2^{63}/\ln 2^{63} \approx 2.05 \times 10^{17}$
  • for 128- and 256-bit keys, $1.9 \times 10^{36}$ and
    $3.25 \times 10^{74}$, respectively, are available
  • For fixed length keys, what is the probability
    that a randomly selected odd number a is prime?
  • for 64-bit keys, $2.05 \times 10^{17}/(0.5 \times (2^{64} - 2^{63})) \approx 0.044$
  • (expectation value $1/0.044 \approx 23$)
  • for 128- and 256-bit keys, 0.022 and 0.011,
    respectively

35
The RSA Algorithm (contd)
  • The security of RSA
  • brute force: This involves trying all possible
    private keys.
  • mathematical attacks: There are several
    approaches, all equivalent in effect to factoring
    the product of two primes.
  • timing attacks: These depend on the running time
    of the decryption algorithm.

36
The RSA Algorithm (contd)
  • To avoid brute force attacks, a large key space
    is required.
  • To make n difficult to factor:
  • p and q should differ in length by only a few
    digits (both in the range of $10^{75}$ to $10^{100}$)
  • both (p-1) and (q-1) should contain a large prime
    factor
  • gcd(p-1,q-1) should be small
  • should avoid $e \ll n$ and $d < n^{1/4}$

37
The RSA Algorithm (contd)
  • To make n difficult to factor (contd)
  • p and q should best be strong primes, where p is
    a strong prime if
  • there exist two large primes $p_1$ and $p_2$ such that
    $p_1 \mid p - 1$ and $p_2 \mid p + 1$
  • there exist four large primes $r_1$, $s_1$, $r_2$ and $s_2$
    such that $r_1 \mid p_1 - 1$, $s_1 \mid p_1 + 1$, $r_2 \mid p_2 - 1$ and $s_2 \mid p_2 + 1$
  • e should not be too small, e.g. for $e = 3$ and
    $C = M^3 \bmod n$, if $M^3 < n$ then M can be easily
    calculated
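
The last bullet as a runnable check, added here and not taken from the slides: with e = 3 and no padding, a short message never wraps modulo n, so the ciphertext is an ordinary cube and M falls out of an integer cube root without any key. The primes 1000000007 and 998244353, the sample messages and the function names are constructed for this example.

```python
def integer_cube_root(c):
    """Largest r with r**3 <= c, by binary search (exact for big integers)."""
    lo, hi = 0, 1 << (c.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= c:
            lo = mid
        else:
            hi = mid - 1
    return lo

def wraps_modulus(m, e, n):
    """True when M**e >= n, i.e. the modular reduction actually does something."""
    return m ** e >= n

def recover_without_key(c):
    """Return M if C is a perfect cube (the M**3 < n case), otherwise None."""
    r = integer_cube_root(c)
    return r if r ** 3 == c else None

# Constructed toy key: both primes are 2 mod 3, so e = 3 is a valid exponent.
P, Q, E = 1000000007, 998244353, 3
N = P * Q

def encrypt(m):
    """Unpadded (textbook) RSA encryption with the toy key above."""
    return pow(m, E, N)

if __name__ == "__main__":
    for m in (424242, 2 ** 40 + 12345):      # constructed sample messages
        c = encrypt(m)
        print(m, "wraps:", wraps_modulus(m, E, N), "recovered:", recover_without_key(c))
```

`wraps_modulus` is the condition a sender-side check would enforce before encrypting; randomized padding such as OAEP satisfies it by construction.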

38
The RSA Algorithm (contd)
39
The RSA Algorithm (contd)
  • Major threats
  • the continuing increase in computing power (100
    or even 1000 MIPS machines are easily available)
  • continuing refinement of factoring algorithms
    (from QS to GNFS and to SNFS)

40
The RSA Algorithm (contd)
41
The RSA Algorithm (contd)
42
The RSA Algorithm (contd)
43
Key Management
  • The distribution of public keys
  • public announcement
  • publicly available directory
  • public-key authority
  • public-key certificates
  • The use of public-key encryption to distribute
    secret keys
  • simple secret key distribution
  • secret key distribution with confidentiality and
    authentication

44
Key Management (contd)
  • Public announcement

45
Key Management (contd)
  • Public announcement (contd)
  • advantages: convenience
  • disadvantages: forgery of such a public
    announcement by anyone

46
Key Management (contd)
  • Publicly available directory

47
Key Management (contd)
  • Publicly available directory (contd)
  • elements of the scheme
  • name, public key entry for each participant in
    the directory
  • in-person or secure registration
  • on-demand entry update
  • periodic publication of the directory
  • availability of secure electronic access from the
    directory to participants
  • advantages: greater degree of security

48
Key Management (contd)
  • Publicly available directory (contd)
  • disadvantages
  • need of a trusted entity or organization
  • need of additional security mechanism from the
    directory authority to participants
  • vulnerability of the private key of the directory
    authority (global-scaled disaster if the private
    key of the directory authority is compromised)
  • vulnerability of the directory records

49
Key Management (contd)
  • Public-key authority

50
Key Management (contd)
  • Public-key authority (contd)
  • stronger security for public-key distribution can
    be achieved by providing tighter control over the
    distribution of public keys from the directory
  • each participant can verify the identity of the
    authority
  • participants can verify identities of each other
  • disadvantages
  • bottleneck effect of the public-key authority
  • vulnerability of the directory records

51
Key Management (contd)
  • Public-key certificates

52
Key Management (contd)
  • Public-key certificates (contd)
  • to use certificates that can be used by
    participants to exchange keys without contacting
    a public-key authority
  • requirements on the scheme
  • any participant can read a certificate to
    determine the name and public key of the
    certificate's owner
  • any participant can verify that the certificate
    originated from the certificate authority and is
    not counterfeit
  • only the certificate authority can create and
    update certificates
  • any participant can verify the currency of the
    certificate

53
Key Management (contd)
  • Public-key certificates (contd)
  • advantages
  • to use certificates that can be used by
    participants to exchange keys without contacting
    a public-key authority
  • in a way that is as reliable as if the key were
    obtained directly from a public-key authority
  • no on-line bottleneck effect
  • disadvantages: need of a certificate authority

54
Key Management (contd)
  • Simple secret key distribution

55
Key Management (contd)
  • Simple secret key distribution (contd)
  • advantages
  • simplicity
  • no keys stored before and after the communication
  • security against eavesdropping
  • disadvantages
  • lack of authentication mechanism between
    participants
  • vulnerability to an active attack (opponent
    active only in the process of obtaining Ks)
  • leak of the secret key upon such active attacks

56
Key Management (contd)
  • Secret key distribution with confidentiality and
    authentication

57
Key Management (contd)
  • Secret key distribution with confidentiality and
    authentication (contd)
  • provides protection against both active and
    passive attacks
  • ensures both confidentiality and authentication
    in the exchange of a secret key
  • public keys should be obtained a priori
  • more complicated

58
Diffie-Hellman Key Exchange
  • First public-key algorithm published
  • Limited to key exchange
  • Dependent for its effectiveness on the difficulty
    of computing discrete logarithm

59
Diffie-Hellman Key Exchange (contd)
  • Define a primitive root of a prime number p as
    one whose powers generate all the integers from 1
    to p-1.
  • If a is a primitive root of the prime number p,
    then the numbers
  • $a \bmod p, a^2 \bmod p, \ldots, a^{p-1} \bmod p$
  • are distinct and consist of the integers from
    1 to p-1 in some permutation.
  • Not every number has a primitive root.

60
Diffie-Hellman Key Exchange (contd)
  • For any integer b and a primitive root a of prime
    number p, one can find a unique exponent i such
    that
  • $b = a^i \bmod p$, where $0 \le i \le (p-1)$.
  • The exponent i is referred to as the discrete
    logarithm, or index, of b for the base a, mod p.
  • This value is denoted as $\mathrm{ind}_{a,p}(b)$ ($\mathrm{dlog}_{a,p}(b)$).

61
Diffie-Hellman Key Exchange (contd)
62
Diffie-Hellman Key Exchange (contd)
  • Example
  • $q = 97$ and a primitive root $a = 5$ is
    selected.
  • $X_A = 36$ and $X_B = 58$ (both < 97).
  • $Y_A = 5^{36} = 50 \bmod 97$ and
  • $Y_B = 5^{58} = 44 \bmod 97$.
  • $K = (Y_B)^{X_A} \bmod 97 = 44^{36} \bmod 97 = 75 \bmod 97$.
  • $K = (Y_A)^{X_B} \bmod 97 = 50^{58} \bmod 97 = 75 \bmod 97$.
  • 75 cannot easily be computed by the opponent.

63
Diffie-Hellman Key Exchange (contd)
  • How the algorithm works

64
Diffie-Hellman Key Exchange (contd)
65
Diffie-Hellman Key Exchange (contd)
  • $q$, $a$, $Y_A$ and $Y_B$ are public.
  • To attack the secret key of user B, the opponent
    must compute
  • $X_B = \mathrm{ind}_{a,q}(Y_B)$, where $Y_B = a^{X_B} \bmod q$.
  • The effectiveness of this algorithm therefore
    depends on the difficulty of solving discrete
    logarithm.

66
Diffie-Hellman Key Exchange (contd)
  • Bucket brigade (Man-in-the-middle) attack

  • Alice picks $x$, Trudy picks $z$, Bob picks $y$
  • 1. Alice → Trudy: $q$, $a$, $a^x \bmod q$
  • 2. Trudy → Bob: $q$, $a$, $a^z \bmod q$
  • 3. Trudy → Alice: $a^z \bmod q$
  • 4. Bob → Trudy: $a^y \bmod q$
  • ($a^{xz} \bmod q$) becomes the secret key between Alice
    and Trudy, while ($a^{yz} \bmod q$) becomes the secret
    key between Trudy and Bob.
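
The Diffie-Hellman example with q = 97, a = 5 and the bucket-brigade exchange above, worked in Python as an added example that is not part of the original slides. It shows that an unauthenticated exchange leaves Alice and Bob holding different keys, each shared with Trudy, and that the discrete logarithm is found by plain search when q is this small. Trudy's value z = 7 and all function names are constructed for this example.

```python
Q, A = 97, 5                     # public prime q and primitive root a from the slide example

def is_primitive_root(a, p):
    """a is a primitive root of p iff a^1 .. a^(p-1) mod p cover 1 .. p-1."""
    return {pow(a, i, p) for i in range(1, p)} == set(range(1, p))

def public_value(private, a=A, q=Q):
    return pow(a, private, q)                    # Y = a^X mod q

def shared_key(their_public, my_private, q=Q):
    return pow(their_public, my_private, q)      # K = Y^X mod q

def discrete_log(y, a=A, q=Q):
    """ind_{a,q}(y) by exhaustive search; feasible only because q is tiny."""
    for i in range(1, q):
        if pow(a, i, q) == y:
            return i
    raise ValueError("y is not a power of a")

def bucket_brigade(x, y, z):
    """Unauthenticated exchange in which Trudy replaces both public values with a^z."""
    ya, yb, yt = public_value(x), public_value(y), public_value(z)
    return {
        "alice": shared_key(yt, x),              # Alice thinks yt came from Bob
        "bob": shared_key(yt, y),                # Bob thinks yt came from Alice
        "trudy_alice": shared_key(ya, z),
        "trudy_bob": shared_key(yb, z),
    }

if __name__ == "__main__":
    XA, XB = 36, 58                              # private values from the slide
    YA, YB = public_value(XA), public_value(XB)
    print("YA, YB =", YA, YB, " K =", shared_key(YB, XA), shared_key(YA, XB))
    print("ind(YB) by search =", discrete_log(YB))
    keys = bucket_brigade(XA, XB, z=7)           # z = 7 is a constructed value
    print(keys, "Alice and Bob agree:", keys["alice"] == keys["bob"])
```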