session_03_number_theory_&_public_key_090708


Cryptography and Network Security
TECH 6350
Session 3
Number Theory, and Public Key Ciphers
Manuel Mogollon
m_mogollon@verizon.net
Graduate School of Management
Information Assurance
University of Dallas
M. Mogollon – 08/02

Session 3 Contents
• Number Theory and Finite Arithmetic
— Counting in modulo p Arithmetic
— Congruence Arithmetic
— Fermat’s Theorem
— Euler’s Theorem
• Confidentiality using Public-Key Ciphers
— Pohlig-Hellman Algorithm
— The RSA Algorithm
— ElGamal Algorithm
• Key Management Using Exponentiation Ciphers
— The Diffie-Hellman Key Agreement
— RSA Key Transport

Number Theory Exponentiation Ciphers Public-Key Ciphers Key Management DH / RSA M. Mogollon – 01/08

• When we read a book about the history of cryptography, we find out that all the advances in cryptography were made by individuals who, among other things, were great mathematicians.
• Number theory is an ancient and fascinating branch of mathematics that plays an important role in public-key crypto systems. Knowing certain basic concepts of number theory, such as modular arithmetic and congruence, is necessary for an understanding of Public-Key cryptosystems.
• The mathematics of Public-Key is based on raising large numbers to a very large power. Microsoft Excel cannot perform the operation of raising 1000 to the power of 1000 because the result is too large. So how is it possible in the RSA Public-Key encryption algorithm to raise a large number, 200 digits or even larger, to the power of another 200-digit number? The only way is by using modular arithmetic.
• In this session, the basic concepts of number theory and congruence arithmetic are described to be able to understand Public-Key theory. Then, the most used Public-Key Ciphers, Pohlig-Hellman Algorithm, RSA Algorithm, ElGamal algorithm and Diffie-Hellman, will be presented.
The Set of Real Numbers

Symbol | Number System | Description | Examples
N | Natural Numbers | Counting numbers (also called positive integers). | 1, 2, 3, 4, 5, …
Z | Integers | Set of natural numbers, their negatives, and zero. | …, -2, -1, 0, 1, 2, …
Q | Rational | Any number that can be represented as a/b, where a and b are integers and b ≠ 0. | -7, -2/5, 0, ¾, 5.42
R | Real | Set of all rational and irrational numbers. | -7, -2/5, 0, 1, ¾, 5.42, √2, √5, π

• The set of real numbers shown in the table is not generally applicable to cryptography because in arithmetic, information is lost through round-off errors, or truncation in integer division, and, also, because real numbers are infinite fields.
• In cryptography, only the set of natural numbers is used. Besides, it is necessary to have cyclic groups, numbers that are finite

Finite Fields
• Finite fields are fields that are finite.
• A field is a set of numbers in which the usual mathematical operations (addition, subtraction, multiplication, and division by nonzero quantities) are possible; these operations follow the usual commutative, associative, and distributive laws.
• Real numbers, rational numbers (fractions), and complex numbers are elements of infinite fields.
• Discrete logarithm (DL) and elliptic curve (EC) cryptography schemes are always based on computations in a finite field in which there are only a finite number of quantities.
• For cryptography applications, the finite fields that are usually used are the field of characteristic (congruences).
• The finite fields used in DL and EC are the field of prime characteristic F_p and the field of characteristic two F_(2^m). The finite field is also denoted as GF(q).

• When we talk about the time during the day, we use civilian or military time. Civilian time goes from 0 to 12 and military time from 0 to 24. Those are finite fields, from 0 to 12 and from 0 to 24. There is no 14:00 in civilian time, or 27:00 in military time. In civilian time, after 12 you return to 1, and in military time, after 24 you return to 1.
• In cryptography it is necessary to have cyclic groups and this can be achieved using congruences.
• An integer field modulo q, denoted Z_q, has a finite number q of elements in it.

Finite Fields
• Characteristic Prime Finite Fields
— The finite field F_p is the prime finite field containing p elements. If p is an odd prime number, then there is a unique field F_p that consists of the set of integers {0, 1, 2, ..., p – 1}.
• Characteristic Two Finite Fields
— A characteristic two finite field (also known as a binary finite field) is a finite field whose number of elements is 2^m. If m is a positive integer greater than 1, the binary finite field F_(2^m) consists of the 2^m possible bit strings of length m.
— For example, F_(2^3) = {000, 001, 010, 011, 100, 101, 110, 111}

Principle of Counting
• The number of possible outcomes when several procedures are performed together is the product n1 . n2 . n3 . ... nn, where n1 is the number of possible ways procedure 1 can be performed, and so on.
• Suppose a password contains two distinct lower case letters and three numbers, but the first number can’t be zero.
— Letter variations are 26 and 25 (distinct letters).
— Number variations are 9, 10, 10.
— The total number of possible passwords is 26 x 25 x 9 x 10 x 10
• At another company, the guidelines might be to use eight upper-case letters, lower case letters, or numbers, in any order. Now for each entry there are 26 + 26 + 10 possibilities and the total password space is 62 . 62 . 62 . 62 . 62 . 62 . 62 . 62 = 62^8.
• When talking about bits there are two possibilities, 0 and 1.
— For four bits there are 2 x 2 x 2 x 2 possibilities
— For 128 bits there are 2^128 possibilities.
Exponentiation examples
— 2 x 2 x 2 x 2 = 2^4
— (2 x 2 x 2 x 2) x (2 x 2 x 2) = 2^4 x 2^3 = 2^(4+3) = 2^7
— (2 x 2 x 2 x 2 x 2) / (2 x 2 x 2) = 2^5 / 2^3 = 2^(5-3) = 2^2

• A procedure can be performed in n1 different ways, a second procedure in n2, a third procedure in n3 different ways, and so forth. The number of ways the three procedures can be performed together is the product of n1 . n2 . n3. This counting principle is used in passwords to determine the number of possible ways a password can be selected.
• Suppose that a company’s security policy states that a password should have four lower-case letters followed by four numbers, in that order. There are 26 lower-case letters and 10 possible numbers, 0 to 9. The password space is 26 . 26 . 26 . 26 . 10 . 10 . 10 . 10 = 4,569,760,000. At another company, the guidelines might be to use eight upper-case letters, lower case letters, or numbers, in any order. Now for each entry there are 26 + 26 + 10 possibilities and the total password space is 62 . 62 . 62 . 62 . 62 . 62 . 62 . 62 = 62^8, for a total of 8.39 x 10^17.
• When talking about keys in cryptography, they are normally defined in numbers of bits. For example, a block encryption algorithm has a key of 128 bits; in this case, there are only two choices, either a 1 or a 0. Using the counting principle, the total number of possibilities is 2 . 2 . 2 . 2 . 2 . … = 2^128 = 3.40282 x 10^38.
• Exponentiation is used in encryption to describe the key size, and in public key to raise a number to a power. It is necessary to understand the following basic concepts about exponentiation:
• 2 x 2 x 2 x 2 = 2^4
• (2 x 2 x 2 x 2) x (2 x 2 x 2) = 2^4 x 2^3 = 2^(4+3) = 2^7
• (2 x 2 x 2 x 2 x 2) / (2 x 2 x 2) = 2^5 / 2^3 = 2^(5-3) = 2^2

Number Theory and Finite Arithmetic
• Number Theory plays an important role in Public-Key crypto systems.
• It is necessary to understand only certain basic concepts of Number Theory, such as modular arithmetic and congruence as they are related to a Public-Key crypto system.

Counting in Modular Arithmetic
• Add 9h, 43m, 25s and 4h, 26m, 50s

      Hours           Minutes         Seconds
        9               43              25
        4               26              50
      ----            -----           -----
       13               69              75
  (13 + 1 - 12)    (69 + 1 - 60)     (75 - 60)
        2               10              15

• When we added the seconds and minutes in the example above, we used 60 as a modulo, so we can say that (25 + 50) = 15 (mod 60); 15 is the remainder left after 75 is divided by 60.
• Calculation of modulo returns the remainder after a number is divided by a divisor.

• If I leave at 9:00 am and the trip takes six hours, at what time will I arrive at my destination? Anyone will answer at 3:00 pm. If I ask them to prove it mathematically, some people will not know, but others will say 9 + 6 – 12 = 3, without knowing that they are adding the numbers using modulo 12.

Congruence Arithmetic
The notion of congruence arithmetic (modulo arithmetic) was introduced by Gauss; it is a form of arithmetic in which only the remainders after division by a specific integer are used. If a is divided by p and has a remainder b, it can be said that a is congruent to b, modulo p. For example, let’s say that:
a = (k . p) + b
32 = (6 . 5) + 2
and if a = 32 is divided by p = 5, the result will be k = 6 with a remainder of b = 2. This congruence is expressed as follows:
a ≡ b mod p
32 ≡ 2 mod 5
and it is read,
a is congruent to b, modulo p
32 is congruent to 2 modulo 5
Another way to read the expression is to say that
a is equivalent to b, modulo p
32 is equivalent to 2, modulo 5
Congruences with the same modulo can be added, subtracted, or multiplied.

Congruence – Addition and Subtraction
Addition
If a ≡ b mod p and c ≡ d mod p, then (a + c) ≡ (b + d) mod p.
For example, 32 ≡ 2 mod 5 and 49 ≡ 4 mod 5, then, (32 + 49) ≡ (2 + 4) mod 5 or 81 ≡ 6 mod 5 ≡ 1 mod 5.
Subtraction
If a ≡ b mod p and c ≡ d mod p, then (a - c) ≡ (b - d) mod p.
For example, a = 49 ≡ 4 mod 5 and c = 32 ≡ 2 mod 5, then, (49 - 32) ≡ (4 - 2) mod 5 or 17 ≡ 2 mod 5.
Or for a = 32 ≡ 2 mod 5 and c = 49 ≡ 4 mod 5, then 32 – 49 ≡ (2 - 4) mod 5, or -17 ≡ -2 mod 5 = 3 mod 5

• When a congruence is negative, add the modulo to get a positive number.
• If I arrived at my destination at 3:00 and the trip took six hours, at what time did I leave? 3 mod 12 – 6 mod 12 = -3 mod 12 = (12 – 3) mod 12 = 9 mod 12.

Addition in Modulo p
(a + b + c) mod p = a (mod p) + b (mod p) + c (mod p).
Example: Add the following three large numbers, and then find the modulo 8191 of the result. We can add them first and find the modulo:

  58,736,593,765
  15,345,786,365
   1,763,785,786
  ---------------
  75,846,165,916 (mod 8191) = 4,171 (mod 8191)

Otherwise, we can find the modulo of each number and then add the results of each modulo-added number:

  58,736,593,765 (mod 8191) =  5,786 (mod 8191)
  15,345,786,365 (mod 8191) =  5,202 (mod 8191)
   1,763,785,786 (mod 8191) =  1,374 (mod 8191)
                              ------
                              12,362 (mod 8191)
                               4,171 (mod 8191)

Congruence – Multiplication
Both sides of a congruence can be multiplied by the same number, just as both sides of an algebraic equation can be multiplied by the same number.
If a ≡ b mod p then, for any value of c,
(a . c) ≡ (b . c) mod p
Example: For 32 ≡ 2 (mod 5) and c = 11:
(32 . 11) ≡ (2 . 11) (mod 5)
352 ≡ 22 (mod 5) ≡ 2 (mod 5)
Also, if a ≡ b mod p and c ≡ d mod p, then,
(a . c) ≡ (b . d) mod p.
Example: For 32 ≡ 2 (mod 5) and 49 ≡ 4 (mod 5), then,
(32 . 49) ≡ (2 . 4) (mod 5),
1568 ≡ 8 (mod 5) ≡ 3 (mod 5).

Congruence – Exponentiation
Both sides of a congruence can be raised to the same exponent just as both sides of an equation can be raised to the same exponent. For any value of r,
a^r ≡ b^r mod p
Example: For 32 ≡ 2 mod 5 and r = 3:
32^3 ≡ 2^3 mod 5
32,768 ≡ 8 mod 5 ≡ 3 mod 5

Exponentiation in Modulo p
(a^n) mod p = a^m1 (mod p) x a^m2 (mod p) x a^m3 (mod p) x . . .
Where, n = m1 + m2 + m3 + ….
Problem: Find 56^118 mod 8191
Convert 118 decimal to 118 binary.
118 (decimal) = 1 1 1 0 1 1 0 (binary)
56^118 = 56^64 x 56^32 x 56^16 x 56^4 x 56^2
56^118 mod 8191 = 56^64 mod 8191 x 56^32 mod 8191 x 56^16 mod 8191 x 56^4 mod 8191 x 56^2 mod 8191
56^118 mod 8191 = 7388 mod 8191

Congruence – Canceling
The rule for canceling a congruence by an integer is a little more complicated than multiplication.
If (a . c) ≡ (b . c) mod p then
a ≡ b mod [ p / (c, p) ]
where (c, p) is the greatest common divisor of c and p. If c and p are relatively prime, then the gcd (c, p) = 1.
Example: 58 . 100 ≡ 100 mod 380
gcd (100, 380) = 20
Then, 58 ≡ 1 mod 380 / 20 ≡ 1 mod 19

Fermat’s Theorem
• Fermat’s Theorem indicates that if p is prime and a is not divisible by p (a and p are relatively prime) then,
a^(p-1) = (k * p) + 1
a^(p-1) ≡ 1 mod p
a^(p-1) mod p ≡ 1
(a^(p-1))^k ≡ 1 mod p
6^(7-1) ≡ 1 mod 7
6^6 ≡ 1 mod 7
• These properties can be used to exponentiate a to a large number. Having the restriction on a and p, it is possible to write,
6^69 (mod 17) ≡ (6^(17-1))^4 mod 17 . 6^5 (mod 17)
6^69 (mod 17) ≡ 1 . 6^5 (mod 17) ≡ 7 (mod 17)
• A faster way to do the exponentiation is to apply modulo (p - 1) to the exponent and say that if n ≡ m mod (p - 1), then a^n ≡ a^m mod p. In the example before: a = 6, m = 69, p = 17, n = 69 mod (17-1) = 5; then,
6^5 = 6^(69 mod (17 - 1)) = 6^5 (mod 17) = 7 (mod 17)

Euler’s Theorem
Euler's Theorem states that:
a^ϕ(p) = 1 mod p
a^ϕ(p) = (k * p) + 1
where
1. a and p are relatively prime, gcd (a, p) = 1.
2. ϕ (p) is the Euler totient function, which is equal to the number of integers relatively prime to p in the range 1 ..... (p - 1). For example, for p = 15, the relative prime numbers are 1, 2, 4, 7, 8, 11, 13, 14; so ϕ (15) = 8. In general,
a. If p is a prime, then ϕ (p) = (p - 1)
b. If p is a prime, then ϕ (p^k) = (p^k - p^(k-1))
c. If p and q are primes, then ϕ (p . q) = (p - 1)(q - 1)
d. If p is a prime, for p^2, then ϕ (p^2) = p(p - 1)
3. If g.c.d (p, q) = 1, the Euler totient function is multiplicative, denoting ϕ (pq) = ϕ (p) * ϕ (q)

• If two numbers have only the factors 1 and -1 in common, they are said to be relatively prime.
• In the range {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14}, which of these numbers are relatively prime to 15? 15 = 3 x 5, so 3, 6, 9, 5, and 10 are not relatively prime to 15. Therefore, 1, 2, 4, 7, 8, 11, 13, and 14 are relatively prime to 15.
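The binary decomposition of the exponent and the exponent reduction by Fermat's and Euler's theorems described above, as an added Python example that is not part of the original slides. All function names are hypothetical; the non-coprime rule is applied only when the modulus is a product of distinct primes (as 15 = 3 x 5 is), which is an assumption of this example.

```python
# Added example (not from the slides): square-and-multiply plus exponent
# reduction, checked against the slides' worked numbers.
from math import gcd, isqrt


def binary_powers(n):
    """Powers of two that add up to n, largest first: 118 -> [64, 32, 16, 4, 2]."""
    return [1 << i for i in range(n.bit_length() - 1, -1, -1) if (n >> i) & 1]


def modexp(a, n, p):
    """a**n mod p: square repeatedly, multiply the squares picked by n's bits."""
    squares = {}                      # 2**i -> a**(2**i) mod p
    value, power = a % p, 1
    while power <= n:
        squares[power] = value
        value = value * value % p     # reduce after every squaring
        power <<= 1
    result = 1 % p
    for m in binary_powers(n):
        result = result * squares[m] % p
    return result


def coprime_residues(m):
    """Integers in 1..m-1 that are relatively prime to m."""
    return [k for k in range(1, m) if gcd(k, m) == 1]


def phi(m):
    """Euler totient by direct counting (only sensible for small m)."""
    return len(coprime_residues(m))


def is_squarefree(m):
    """True when no prime divides m twice (m is a product of distinct primes)."""
    return all(m % (d * d) for d in range(2, isqrt(m) + 1))


def reduced_exponent(a, n, m):
    """Return r with a**r = a**n (mod m), obtained from n mod phi(m).

    gcd(a, m) == 1: Euler's theorem (Fermat's when m is prime).
    gcd(a, m) != 1: valid only for squarefree m, and an exponent that
    reduces to 0 must be replaced by phi(m), the exception the slide notes.
    """
    f = phi(m)
    r = n % f
    if gcd(a, m) == 1:
        return r
    if not is_squarefree(m):
        raise ValueError("a shares a factor with m and m is not squarefree")
    return f if (r == 0 and n > 0) else r


def modexp_reduced(a, n, m):
    """Exponentiate after shrinking the exponent."""
    return modexp(a, reduced_exponent(a, n, m), m)


if __name__ == "__main__":
    print(binary_powers(118), modexp(56, 118, 8191))
    print(reduced_exponent(6, 69, 17), modexp_reduced(6, 69, 17))
    print(modexp_reduced(2, 22, 15), modexp_reduced(3, 22, 15))
    # Exponent 16 reduces to 0 mod phi(15) = 8, yet 3**16 mod 15 is not 3**0:
    print(modexp(3, 16, 15), modexp(3, 0, 15), modexp_reduced(3, 16, 15))
```
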
Euler’s Theorem
Using the equation a^ϕ(p) = 1 mod p it is possible to exponentiate a to a large number by reducing the exponent.
Example: For a = 2, p = 15, and ϕ (15) = 8:
2^22 (mod 15) ≡ [2^8 (mod 15)] . [2^8 (mod 15)] . [2^6 (mod 15)]
2^22 (mod 15) ≡ 1 . 1 . [2^6 (mod 15)]
2^22 (mod 15) ≡ 4 (mod 15)
Even if a is not relatively prime with p, it is possible to reduce the exponent to modulo ϕ (p), except in the case of exponents reduced to 0. For example, for a = 3, p = 15, and ϕ (15) = 8:
3^22 (mod 15) ≡ [3^8 (mod 15)] . [3^8 (mod 15)] . [3^6 (mod 15)]
3^22 (mod 15) ≡ 1 . 1 . [3^6 (mod 15)]
3^22 (mod 15) ≡ 9 (mod 15)

Exponentiation Ciphers
a = (k * p) + b
a ≡ b mod p
a^r ≡ b^r mod p
If b = 1, then
a = (k * p) + 1
a ≡ 1 mod p
a^r ≡ 1 mod p
Fermat’s Theorem indicates that if p is prime and a is not divisible by p (a and p are relatively prime) then,
a^(p-1) = (k * p) + 1
a^(p-1) ≡ 1 mod p
a^(p-1) mod p ≡ 1
(a^(p-1))^k ≡ 1 mod p

• Two numbers are relatively prime if they have no common factor other than 1 and −1.

Exponentiation Cipher
According to a^r ≡ b^r mod p, equation
a^ϕ(p) = 1 mod p
can be written as
a^(k ϕ(p)) = 1^k mod p = 1 mod p
and from equation (a * c) ≡ (b * c) mod p it follows that
a . a^(k ϕ(p)) = a . 1 mod p
or,
a^(k ϕ(p) + 1) = a mod p
which can be written as
a^(E * D) = a mod p
where,
E * D = k ϕ(p) + 1
which can be written as
E * D = 1 [ mod ϕ(p) ]
or,
E * D [ mod ϕ(p) ] = 1

Exponentiation Cipher – Cont.
In
E * D [ mod ϕ(p) ] = 1
the reciprocal of the number E is the inverse or multiplicative inverse of D. Normally, E is selected first and then the corresponding D must be found. By symmetry, the exponents E and D are commutative and mutual inverses, so it is possible to say that
a^(E * D) = a mod p
can be written as
a^(E * D) mod p = a
a^(E * D) mod p = [ a^E mod p ]^D mod p = a
Replacing “a” for “M” message, the equation can be written as
M^(E * D) mod p = M
[ M^E mod p ]^D mod p = M

Exponentiation Cipher – Cont.
In
[ M^E mod p ]^D mod p = M
the equation illustrates that if M, the plaintext, is enciphered with the algorithm {(plaintext)^E (mod p)} to produce a ciphertext, and if at the receiver’s end the ciphertext is deciphered using the algorithm [(Ciphertext)^D] (mod p), the same plaintext M will be obtained. In other words, by raising the ciphertext to the Dth power and reducing it modulo p, the plaintext will be recovered. This can be written as follows:
C = M^E mod p
M = C^D mod p
where M is the plaintext, C is the ciphertext, and E and D are the enciphering and deciphering keys.
Exponentiation ciphers encipher a message block by computing the exponential according to the above equations.

What is Public-Key Cryptography?
public-key cryptography /
(1) An encryption method that uses a pair of keys, one public and one private. Messages encoded with either one can be decoded by the other. Also called asymmetric encryption.
(2) Algorithms used to prove the authenticity of the message originator and to exchange keys.

Types of Public-key Cryptography
• Exponentiation ciphers
— RSA.
• Discrete logarithm systems
— ElGamal public-key encryption, Digital Signature Algorithm (DSA), Diffie-Hellman key Agreement.
• Elliptic curve cryptography.

Exponentiation Algorithms
[Figure: a Key Generator, fed with an Initial Crypto Variable, produces the key pair Pub Key E and Priv Key D, with E * D [ mod ϕ(p) ] = 1. The Sender enciphers Message M as C = M^Pub (mod p); the Receiver deciphers it as M = C^Priv (mod p).]
Exponential crypto algorithms encipher messages according to the following formula:
C = M^Pub mod p
M = C^Priv mod p
M being the plaintext and C being the ciphertext.
The exponents Pub and Priv are mathematically related by:
Pub * Priv [ mod ϕ (p) ] = 1

• An exponentiation cipher is a technique in which the encryption and decryption processes involve raising plaintext and ciphertext messages to specific powers. Diffie-Hellman, Pohlig-Hellman, RSA, ElGamal, and many others are all exponentiation ciphers, each one implemented in a slightly different way.
• By definition, a public-key cipher is a one-way crypto system, so, from this point of view, all exponentiation ciphers are public-key cryptosystems. However, from the standpoint that the enciphering key can be made public, not all exponentiation ciphers are public. For the sake of discussion, this distinction will be kept, the term exponentiation cipher used for all, and public key reserved for use with those cryptosystems in which the enciphering key can be made public.
• Exponentiation ciphers encipher a message block by computing the exponential according to equation C = M^Pub mod p, M = C^Priv mod p
• Note that the sender needs to have the receiver’s public key to be able to encipher the message. Because the receiver is the only one with the private key, he will be the only one able to decipher the message.
• The two keys in Public Key systems, called Private Key and Public Key, are mathematically related. One is the multiplicative inverse of the other, like when we say (7) * (1/7) = 1.
• Note that in a symmetric encryption algorithm the key is called the secret key, so when talking about exponentiation ciphers, don’t call the private key the secret key. Vice versa, use the term secret key only to refer to symmetric encryption.

Pohlig-Hellman Exponentiation Algorithm
C = M^E mod p
M = C^D mod p
E * D = 1 [ mod ϕ (p) ] = 1 mod (p - 1)
Pub * Priv = 1 [ mod ϕ (p) ] = 1 mod (p − 1)
M is the clear message, C is the crypto message; E and D are the crypto variables used to encipher and to decipher the message.
Example: p = 73, E = 29, D = 5 and M = 2;
C = M^E (mod p) = 2^29 (mod 73) = 4 (mod 73)
M = C^D (mod p) = 4^5 (mod 73) = 2
Mathematical Requirements
E * D [ mod ϕ (p) ] = 1
ϕ (p) = p − 1
29 * 5 mod 72 = 1
Recommendation: p should be a large prime. Keep E and D secret; Pohlig-Hellman is not a Public Key system.

• The Pohlig-Hellman algorithm is not a public-key system, but it is based on exponentiation. In the Pohlig-Hellman algorithm, the modulo is chosen to be a large prime number p and the arithmetic is performed in the Galois field GF(n). The enciphering and deciphering are carried out according to the shown equations.
• Note: In exponentiation ciphers and public-key ciphers, large prime numbers should be used, but in the examples given in class, small integers are used for clarity.

RSA Algorithm
C = M^Pub mod n
M = C^Priv mod n
Where,
M = Plaintext
C = Ciphertext
Priv = Private Key (Decipher)
Pub = Public-Key (Encipher)
n = p . q
The public key, Pub, and the modulo n are made public and the private key, Priv, is kept secret.
Example: p = 11, q = 31, n = 11 * 31 = 341, Pub = 53, Priv = 17 and M = 2.
C = 2^53 (mod 341) = 8
M = 8^17 (mod 341) = 2
Mathematical requirements:
Pub * Priv [ mod ϕ (n) ] = 1
ϕ (n) = (p − 1) * (q − 1)
53 * 17 mod 300 = 1

The following procedure describes how to select the public key (Pub) and the private key (Priv) in the RSA algorithm:
• Select at random two large prime numbers, p, q.
• Make n, the modulo, equal to n = p . q
• Calculate Euler's function, ϕ (n) = ϕ (p . q) = (p - 1)(q - 1).
• Select a number Pub, and test it to verify that it is relatively prime to ϕ (n) by using Euclid's algorithm.
• Find Priv so that it satisfies the equation Pub . Priv = 1 mod ϕ (n), by calculating the multiplicative inverse of Pub using Euclid's algorithm. The properties of ϕ (n) guarantee that if Pub is relatively prime to ϕ (n), then there is always a multiplicative inverse, which, in our case, is Priv.
• Make n and Pub public; keep ϕ (n) and Priv secret.

ElGamal Algorithm
• A modification of the ElGamal digital signature can be used to encipher messages. The public and private keys, or key pair, are generated as follows:
1. Choose a prime p to be the modulo and choose two random numbers g and PrivA = a that are less than p.
2. Calculate yA = g^PrivA (mod p)
3. The public key consists of yA, g, and p.
• Suppose Alice wishes to send a message m to Bob. Alice first generates a random number k less than p, then she computes
y1 = g^k (mod p)
y2 = m . yA^k (mod p)
• Alice sends y1 and y2 to Bob. Upon receiving the ciphertext, Bob deciphers the message by computing
y3 = y1^(p − 1 − PrivA) (mod p)
and then m, the message, by calculating
m = y3 . y2 (mod p)

• ElGamal encryption is a simple variant on non-interactive Diffie-Hellman. The recipient publishes g, p, and yA = g^x mod p. The sender picks a random number k, computes y1 = g^k mod p, and the shared secret z = yA^k mod p = y1^x mod p = g^(x*k) mod p, then sends y1 and z*m mod p to the recipient, where m is the message.
• There are two computations to encipher the message and two to decipher the message. Also, note that the two formulas to decipher the message are different than the two formulas to encipher the message. In RSA public key, there is only one formula to encipher and one formula to decipher; both formulas are the same.

ElGamal Algorithm
• Example*
1. Alice selects the prime p = 2357 to be the modulo, and two random numbers g = 2, and PrivA = a = 1751.
2. Alice calculates yA = g^PrivA (mod p) = 2^1751 (mod 2357) = 1185
3. Alice’s message m = 2035 and random number k = 1520.
4. Alice computes
y1 = 2^1520 (mod 2357) = 1430
y2 = 2035 . 1185^1520 (mod 2357) = 697
5. Alice sends (y1 and y2) to Bob.
6. Upon receiving the ciphertext, Bob deciphers the message by computing
y3 = y1^(p − 1 − PrivA) (mod p) = 1430^(2357 − 1 − 1751) (mod 2357) = 872
7. And then m, the message, by calculating
m = y3 . y2 (mod p) = 872 . 697 (mod 2357) = 2035
Note: Values from (Menezes, Oorschot, Vanstone 1996). Applied Cryptography Handbook

Public Key Encryption
Sender (Alice) enciphers; Receiver (Bob) deciphers.
• Encipher: Alice’s Private Key. Decipher: Alice’s Public Key. Non-Repudiation of Origin (Authenticity): Anyone who has Alice’s public key will be able to decipher the message. Alice cannot deny that she sent the message.
• Encipher: Alice’s Public Key. Decipher: Alice’s Private Key. Bob will not be able to decipher the message because he doesn’t have Alice’s private key.
• Encipher: Bob’s Public Key. Decipher: Bob’s Private Key. Confidentiality ─ Bob will be the only one able to decipher the message because only he has his private key.
• Encipher: Bob’s Private Key. Decipher: Bob’s Public Key. Enciphering is not possible because Alice doesn’t have Bob’s private key.

• When using public key, a message can be enciphered either with the public key or with the private key. The figure above shows the different ways in which a message that Alice is sending to Bob can be enciphered.

Key Management
• Conventional crypto networks using symmetric cryptosystems typically have a Key Distribution Center (KDC) to distribute or load the keys into each of the crypto units.
• There are three ways to send information about the secret key needed to decipher a message:
— Pre-Shared Secret Keys – The secret keys are loaded into both parties’ crypto systems beforehand, and it is only necessary to define which of the secret keys was used to encipher the message.
— Transport and Wrapping Keys – A secret key can be sent by transporting the key using public key algorithms or by wrapping the key using symmetric key algorithms.
— Key Agreement – A key agreement algorithm allows a sender and a receiver to share a secret key computed from public-key algorithms.

• Conventional crypto networks using symmetric cryptosystems typically have a Key Distribution Center (KDC) to distribute or load the keys into each of the crypto units. Secret keys are then sent using a secure channel such as a courier, but there is no way to know if the courier has compromised the keys to an unauthorized person who wants to read the messages in the network. Security may increase if the keys are loaded into the equipment before it is deployed; however, it is very difficult and inconvenient to bring the equipment to the Key Distribution Center (KDC) in order to change the keys. The problem is compounded if a new key for each day, or for each session, is desired.
• There are three ways to send information about the secret key needed to decipher a message:
1. Pre-Shared Secret Keys
2. Transport and Wrapping Keys
3. Key Agreement

Pre-Shared Secret Keys
The secret keys have been loaded in both servers, so only the name associated with the key needs to be sent.
[Figure: the Web Service Requester and the Web Service Provider each hold a Secret Key Table listing Key Name, Secret Key, and Type of Encryption Algorithm; the Key Name passes between them.]

• The secret keys are pre-loaded into both parties’ crypto systems, and it is only necessary to define which of the secret keys was used to encipher the message. In general, every loaded secret key is associated with a name; therefore, only the name associated with the key needs to be sent to the recipient.
• In the drawing above, only the key name is sent.

Encrypted Key – Transporting the Key
Use a public key algorithm to transport the session key
[Figure: the Web Service Requester enciphers the Session Key with the RSAES-v1.5 or RSAES-OAEP algorithm under the Service Provider’s Public Key; the Web Service Provider deciphers it with the same algorithm under the Service Provider’s Private Key to recover the Session Key.]

• A secret key can be sent by transporting the key using public-key algorithms or by wrapping the key using symmetric key algorithms.
• Key transport algorithms are public-key encryption algorithms particularly specified for encrypting and decrypting keys.
• RFC 2437 recommends RSA-OAEP for all new applications because it includes plain-text awareness. Optimal Asymmetric Encryption Padding (OAEP) is a method for encoding messages developed by Mihir Bellare and Phil Rogaway.
• The session key is transported as a message.
• Alice encrypts the session key using Bob's public key and she sends it to Bob as an encrypted message.
• Bob uses his private key to decipher the message and gets the session key.
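The RSA key-selection procedure given earlier (form n and ϕ(n), test Pub with Euclid's algorithm, invert it to get Priv), as an added Python example that is not part of the original slides; it also shows why Pohlig-Hellman must keep E secret, since ϕ(p) = p − 1 needs no factoring. Function names are hypothetical, the numbers are the slides' toy values, and the encipher/decipher functions are the bare exponentiation formulas without the RSAES padding named above.

```python
# Added example (not from the slides): deriving the deciphering exponent
# with the extended Euclidean algorithm.


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def inverse_mod(e, phi_value):
    """Multiplicative inverse of e modulo phi_value; fails if gcd != 1."""
    g, x, _ = egcd(e, phi_value)
    if g != 1:
        raise ValueError(f"{e} is not relatively prime to {phi_value}")
    return x % phi_value


def rsa_keypair(p, q, pub):
    """Follow the slide's procedure and return (n, Pub, Priv)."""
    n = p * q
    phi_n = (p - 1) * (q - 1)          # secret: needs the factors of n
    priv = inverse_mod(pub, phi_n)     # Pub * Priv = 1 mod phi(n)
    return n, pub, priv


def encipher(m, exponent, modulus):
    """C = M^exponent mod modulus (textbook form, no padding)."""
    if not 0 <= m < modulus:
        raise ValueError("message block must be smaller than the modulus")
    return pow(m, exponent, modulus)


def decipher(c, exponent, modulus):
    """M = C^exponent mod modulus."""
    return pow(c, exponent, modulus)


def pohlig_hellman_d_from_e(p, e):
    """Anyone who learns p and E can do this: phi(p) = p - 1 is not secret.

    In RSA the same step requires phi(n) = (p - 1)(q - 1), i.e. the factors
    of n, which is what lets Pub be published there but not here.
    """
    return inverse_mod(e, p - 1)


if __name__ == "__main__":
    n, pub, priv = rsa_keypair(11, 31, 53)
    c = encipher(2, pub, n)
    print(n, pub, priv, c, decipher(c, priv, n))      # slide values
    d = pohlig_hellman_d_from_e(73, 29)
    print(d, decipher(encipher(2, 29, 73), d, 73))
    try:
        rsa_keypair(11, 31, 15)        # 15 shares the factor 15 with 300
    except ValueError as err:
        print("rejected Pub:", err)
```
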
Wrapping the Key

Use a shared key-encrypting key to wrap (encipher) a session key. Use 3DES or AES to encipher and decipher a session key.

[Figure: the Web Service Requester enciphers session key blocks 1 to n with 3DES or AES under the shared key-encrypting key and an IV; the Web Service Provider deciphers the enciphered session key blocks with the same shared key-encrypting key and IV.]

• Symmetric key-wrap algorithms are algorithms specified especially for wrapping (enciphering and deciphering) symmetric keys. Both parties need to share a key-encrypting key (KEK) that is used to wrap (encipher) the key that is going to be used to encipher the information. In cryptanalysis, the more a key is used, the higher the probability that it could be broken. By using a key-encrypting key to wrap keys, the KEK is used fewer times than if it were used to encipher messages.
• Keys are encrypted using 3DES or AES.

Key Agreement

Use Diffie-Hellman to calculate ZZ and the RFC 2631 Key Agreement Method to generate key material, as required.

[Figure: the Web Service Requester and the Web Service Provider each run the Diffie-Hellman key exchange to obtain the pre-master key (ZZ), then run key material generation to obtain the session key.]

• A key agreement algorithm allows a sender and a receiver to share a secret key computed from public key algorithms. Normally, the shared secret key is not used as a key, but instead, is used to arrive at key material.
• Diffie-Hellman is used for key agreement.

Diffie-Hellman Key Agreement System

1. Sender and receiver, Alice and Bob, agree on fixed constants, p and g, which do not need to be kept secret; p is a large prime number, and g is any integer between 0 and p - 1. (p - 1) / 2 should be a prime.
2. When communication between Alice and Bob is established, they each randomly generate a secret number: PrivA and PrivB.
3. Alice and Bob generate their corresponding public numbers:
   $\mathrm{Pub}_A = g^{\mathrm{Priv}_A} \pmod{p}$
   $\mathrm{Pub}_B = g^{\mathrm{Priv}_B} \pmod{p}$
4. Alice and Bob exchange PubA and PubB over the non-secure channel.
5. Alice and Bob compute ZZ, the session key, by
   $ZZ = \mathrm{Pub}_A^{\mathrm{Priv}_B} \pmod{p}$
   $ZZ = \mathrm{Pub}_B^{\mathrm{Priv}_A} \pmod{p}$
6. Alice and Bob use ZZ as their secret key, and load it into their key generators to secure their communications.

• Another process in number theory that has a one-way property is raising a number to a power in a large finite field. When working with real numbers, finding $y = g^x$ is as easy as finding $x = \log_g y$. But when a finite group such as GF(p) is used, exponentiation becomes a one-way process for a large prime p. Given g and x, it is easy to compute $y = g^x \bmod p$, but how can $x = \log_g y \bmod p$ be computed when log has a different but analogous meaning than before? This type of logarithm is called a discrete logarithm, and it is computationally difficult to compute discrete logarithms in GF(p) if p is chosen such that p - 1 has at least one large prime factor. If p - 1 has only small prime factors, then computing discrete logarithms is easy.
• The Diffie-Hellman algorithm, which is based on the discrete logarithm problem, can be used to agree on keys between two units that want to establish secure communications.
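Steps 1 to 5 with the parameter checks the slide implies, as an added example that is not the author's code: `validate_group` enforces that p and (p - 1) / 2 are both prime, and `check_public` rejects the peer values 0, 1 and p - 1, a standard check the deck does not mention. The toy values g = 12, p = 47, PrivA = 3 and PrivB = 5 are the ones used in the deck's worked slide; the function names are assumptions.

```python
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)   # random base in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                # composite witness found
    return True

def validate_group(p, g):
    """Step 1: p prime, (p - 1) / 2 prime, g in range. Returns q = (p - 1) / 2."""
    q = (p - 1) // 2
    if not (is_probable_prime(p) and is_probable_prime(q)):
        raise ValueError("p and (p - 1) / 2 must both be prime")
    if not 1 < g < p - 1:               # stricter than the slide: excludes 0, 1, p-1
        raise ValueError("g out of range")
    return q

def check_public(pub, p):
    """Reject 0, 1, p - 1 and out-of-range values, which force a predictable ZZ."""
    if not 1 < pub < p - 1:
        raise ValueError("invalid public value")
    return pub

def keypair(p, g, priv=None):
    """Steps 2-3: random private number in [2, p-2] and g^Priv mod p."""
    priv = secrets.randbelow(p - 3) + 2 if priv is None else priv
    return priv, pow(g, priv, p)

def agree(own_priv, peer_pub, p):
    """Step 5: ZZ = peer_pub^own_priv mod p, after validating the peer value."""
    return pow(check_public(peer_pub, p), own_priv, p)

P, G = 47, 12                           # toy values from the deck's worked slide
Q = validate_group(P, G)                # 23
priv_a, pub_a = keypair(P, G, 3)        # PrivA = 3
priv_b, pub_b = keypair(P, G, 5)        # PrivB = 5
zz_a, zz_b = agree(priv_a, pub_b, P), agree(priv_b, pub_a, P)
```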
Diffie-Hellman Key Agreement System

g and p are large integers; g and p do not need to be secret.

Alice: PrivA = random large integer; $\mathrm{Pub}_A = g^{\mathrm{Priv}_A} \pmod{p}$; $ZZ = \mathrm{Pub}_B^{\mathrm{Priv}_A} \pmod{p}$
Bob: PrivB = random large integer; $\mathrm{Pub}_B = g^{\mathrm{Priv}_B} \pmod{p}$; $ZZ = \mathrm{Pub}_A^{\mathrm{Priv}_B} \pmod{p}$

PubA and PubB are exchanged. Alice’s ZZ = Bob’s ZZ. Both units use ZZ as the Session Key to encipher the message.

The math is simply:
• Alice and Bob agree on two large numbers, p (prime modulus) and g (base), such that g is less than p, but greater than 1. These integers don’t have to be secret, and they can even be common among a group of users.
• Both units randomly generate a secret integer: PrivA and PrivB.
• Both units generate their corresponding public key numbers, PubA and PubB, according to:
  $\mathrm{Pub}_A = g^{\mathrm{Priv}_A} \pmod{p}$
  $\mathrm{Pub}_B = g^{\mathrm{Priv}_B} \pmod{p}$
• Both units exchange the public keys, PubA and PubB.
• Both units calculate ZZ, the session key, according to the following formulas:
  $ZZ = \mathrm{Pub}_B^{\mathrm{Priv}_A} \pmod{p}$
  $ZZ = \mathrm{Pub}_A^{\mathrm{Priv}_B} \pmod{p}$
• Both units use ZZ as the session key to encipher the message.

Diffie-Hellman Key Agreement System

Sender and receiver agree on the same group or pair of g and p; g and p do not need to be secret.

Alice: g = 12, p = 47, PrivA = 3; $\mathrm{Pub}_A = 12^3 \pmod{47} = 36$
Bob: g = 12, p = 47, PrivB = 5; $\mathrm{Pub}_B = 12^5 \pmod{47} = 14$

Alice sends 36 and Bob sends 14.

Alice: $Z = 14^3 \pmod{47} = 18$
Bob: $Z' = 36^5 \pmod{47} = 18$

Both units use 18 as the Session Key to encipher the message.

• Alice and Bob end up with the same crypto key, 18, but they do not have control of the key that was generated.
• This procedure is good for a link encryption, server to client, in which one unit establishes communications with another, but it cannot be used when a secure message is broadcast to several units.
• If the user wants to compartmentalize his crypto network, several p's and g's should be used, with one set designated for each of his crypto organizations. These sets should then be stored in the crypto units and kept secret.
• Whenever a key exchange is established, the sender and receiver agree on the corresponding p and g numbers.
• In IPSec IKE (Internet Key Exchange), for example, the Group representation “2” is used for a 1024-bit modulus.
• If the Group field is “2”, then the receiving unit knows that g = 2 and p = 1797693134862315907708391567937874531978602960487560117064444236841971802161 5851936894783379586492554150218056548598050364644054819923910005079287700335 5816639229553136239076508735759914822574862575007425302077447712589550957937 7784244424266173347276292993876687092056060502708108429076929320191281944676 27007. It has been rigorously verified that p is a prime.

Diffie-Hellman Key Agreement System

• No control over the generated session key.
• Subject to the Man-in-the-Middle attack.
• No information about the parties’ identities.
• Subject to a clogging attack. It is computationally intensive.

Solution to the Man-in-the-Middle attack
- Establish authenticity between parties with a certificate.
- Add a hash function (message digest).
- Authenticate the identity of a message with a digital signature.
- Add a random component to the agreed key.

[Figure: Man-in-the-Middle Attack. Alice (SA) and Bob (SB), each spoofed by the Man-in-the-Middle.]

• A problem with the Diffie-Hellman technique is that it can be spoofed. A spoofer can intercept communications between Alice and Bob and make Alice believe that she is talking to Bob and, at the same time, make Bob believe that he is talking to Alice when, in reality, both are talking to the spoofer. The spoofer generates a secret number PrivS and computes
  $\mathrm{Pub}_S = g^{\mathrm{Priv}_S} \pmod{p}$
• The spoofer intercepts PubA and transmits PubS to Bob. He also intercepts PubB and transmits PubS to Alice. Bob computes a key based on PubS and PrivB; Alice computes a key based on PubS and PrivA; the spoofer computes both keys. When Alice transmits enciphered data to Bob, this data is decrypted by the spoofer and re-encrypted for transmission to Bob. Alice and Bob establish crypto communications with a key (or keys) supplied by the spoofer, who is able to intercept the messages and to read or to modify them at will.
• A way to avoid this problem is to combine the Diffie-Hellman algorithm with an unforgeable digital signature or a certificate that provides user authentication. Another way is to apply a hash function to the negotiated key and to present the result in the unit display. If the hash value that appears in both units is the same, then there is no man-in-the-middle. With the digital signature, or with the hash function, Alice is sure that she is talking to Bob and not to the spoofer.

RSA Key Transport

$C = K^{\mathrm{Pub}_B} \bmod n$
$K = C^{\mathrm{Priv}_B} \bmod n$

[Figure: the sender (Alice) enciphers the secret key K with the receiver’s public key PubB, where n = p · q, and the receiver (Bob) deciphers C to recover K.]

• The secret key is transported as a message.
• Alice encrypts the secret key using Bob's public key and sends it to Bob as an encrypted message.
• Bob uses his private key to decipher the message and gets the secret key.

• The RSA public key cryptosystem can be used to transport an encrypting key. First, the sender’s unit (Alice) randomly selects a session key and enciphers it using the public key of the receiver’s unit (Bob). Alice then sends the enciphered session key to Bob over a non-secure channel. Bob deciphers the session key with his own secret key. Because the deciphering private key is known only to Bob, only Bob can decipher the session key. After exchanging the session key, both Alice and Bob use the session key in a symmetric cryptosystem to securely communicate with each other.

RSA Problem

• The strength of the RSA algorithm is based on the fact that multiplying two large primes to get n is far easier than finding the two primes given n; this is called a one-way property.
• One approach a cryptanalyst might use to break an RSA algorithm is to find p and q, the factors of n, calculate φ(n), and then calculate Priv from φ(n) and Pub, using Euclid's algorithm.
• The difficulty of computing Priv from the public information, φ(n) and Pub, depends on the difficulty of factoring n or of deriving p and q from n: because φ(n) = (p - 1) * (q - 1), φ(n) can only be found if p and q are known.
• Since factoring large numbers is a very difficult problem, the difficulty of breaking the RSA algorithm increases when n is a very large number. When p and q are chosen so that n is a 200-digit number, it seems to be computationally infeasible for anyone, even using the fastest computer available today, to break the RSA algorithm.
• Today, RSA Data Security recommends using a 768-bit RSA modulus for personal use, 1024 bits for corporate use, and 2048 bits for protecting extremely valuable data (RSA Bulletin 10, 1999).

RSA Challenges

Number     Month
RSA-100    April 1991
RSA-110    April 1992
RSA-120    June 1993
RSA-129    April 1994
RSA-130    April 1996
RSA-140    February 1999
RSA-155    August 1999
RSA-160    April 2003
RSA-576    December 2003
RSA-640    November 2005
RSA-704    Open
RSA-768    Open

Discrete Logarithmic Problem

• In the multiplicative group Zp* (Diffie-Hellman, ElGamal, DSS), the following is the discrete logarithm problem:
- Given elements y and g of the group, and a prime p, find a number k such that $y = g^k \bmod p$.
- For example, if y = 2, g = 8, and p = 341, then find k such that $2 \equiv 8^k \bmod 341$.
- In Diffie-Hellman, y is the public key, g is a random number, p is the modulus, and k is the private key that the cryptanalyst is trying to find out.

Which one is the correct Private Key?

• In the example above, the values 7, 17, 27, 37, 47, 57, 67, 77, ... 207, 217, 227, 237, 247 are mathematically correct private keys, but which one was the one used? This is what is called the discrete logarithm problem.

Combining Symmetric and Asymmetric Ciphers

Client and Web Server: exchange (wrap / transport) or agree (Diffie-Hellman) on a pre-master key.
[Figure: on both the Client and the Web Server, the pre-master key feeds master key generation, which supplies integrity (HMAC) and the secret key and IV for symmetric encryption; the Client enciphers cleartext blocks into ciphertext blocks and the Web Server deciphers them.]

Use a symmetric algorithm to encipher and decipher a secure transaction.

• In many instances, asymmetric cryptosystems, either public-key or exponentiation, are relatively slow compared to classic symmetric cryptosystems. However, asymmetric cryptosystems can be used for the secure and authenticated process of transporting or agreeing on a session key that will be used to encipher the message. Therefore, it is not necessary to send the session key beforehand; it can be exchanged in a secure way over non-secure public networks like the Internet.
• In most applications, asymmetric encryption algorithms (public key) are used to exchange, agree upon, or transport a key, and symmetric algorithms are used to encipher the data. Normally, the shared or transported key is not used as a secret key or crypto variable key; instead, it is used as an entropy source to generate random values for MACs, secret keys, and initialization values (IV) required to encipher the data using symmetric algorithms like AES. The steps required to generate a key used to encrypt the message depend on the protocol.
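The display-hash check from the man-in-the-middle notes and the key-material step from the Combining Symmetric and Asymmetric Ciphers slide, as an added example that is not part of the original deck: ZZ is expanded with HKDF-SHA256 (RFC 5869, used here in place of the RFC 2631 method the deck names) into a short display code, a cipher key, an HMAC key and an IV. It reuses the deck's toy group g = 12, p = 47; `priv_s` models the spoofer's PrivS, and all function names, labels and the value PrivS = 7 are assumptions.

```python
import hashlib, hmac

P, G = 47, 12                      # toy group from the deck's worked slide

def hkdf(zz, info, length):
    """HKDF-SHA256 (RFC 5869) with the default all-zero salt."""
    ikm = zz.to_bytes((P.bit_length() + 7) // 8, "big")
    prk = hmac.new(bytes(32), ikm, hashlib.sha256).digest()        # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                        # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def key_material(zz):
    """Derive independent values from ZZ; ZZ itself is never used as a key."""
    return {
        "display_code": hkdf(zz, b"display code", 4).hex(),  # shown on the unit display
        "enc_key": hkdf(zz, b"encryption key", 16),
        "mac_key": hkdf(zz, b"hmac key", 32),
        "iv": hkdf(zz, b"iv", 16),
    }

def exchange(priv_a, priv_b, priv_s=None):
    """Return (Alice's, Bob's) key material; priv_s models the spoofer's PrivS."""
    seen_by_alice = pow(G, priv_b, P)       # PubB as it arrives at Alice
    seen_by_bob = pow(G, priv_a, P)         # PubA as it arrives at Bob
    if priv_s is not None:                  # PubS substituted in both directions
        seen_by_alice = seen_by_bob = pow(G, priv_s, P)
    alice = key_material(pow(seen_by_alice, priv_a, P))
    bob = key_material(pow(seen_by_bob, priv_b, P))
    return alice, bob

def codes_match(alice, bob):
    """The comparison both users make between their unit displays."""
    return hmac.compare_digest(alice["display_code"], bob["display_code"])

honest = exchange(3, 5)                     # PrivA = 3, PrivB = 5 from the slide
spoofed = exchange(3, 5, priv_s=7)          # constructed PrivS
```

In the honest run both sides derive identical material from ZZ = 18; in the spoofed run Alice and Bob hold different ZZ values, so the codes on their displays differ.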

This note was uploaded on 05/26/2010 for the course TECH 6350 taught by Professor Mogollon during the Spring '10 term at University of Arkansas for Medical Sciences.
