Cryptography and Network Security
TECH 6350 Session 3
Number Theory and Public Key Ciphers
Manuel Mogollon
m_mogollon@verizon.net
Graduate School of Management
Information Assurance
University of Dallas
M. Mogollon – 08/02

Session 3 Contents
• Number Theory and Finite Arithmetic
— Counting in modulo p Arithmetic
— Congruence Arithmetic
— Fermat’s Theorem
— Euler’s Theorem
• Confidentiality using Public-Key Ciphers
— Pohlig-Hellman Algorithm
— The RSA Algorithm
— ElGamal Algorithm
• Key Management Using Exponentiation Ciphers
— The Diffie-Hellman Key Agreement
— RSA Key Transport

Number Theory Exponentiation Ciphers PublicKey Ciphers Key Management DH / RSA
M. Mogollon – 01/08

• When we read a book about the history of cryptography, we find that all the advances in cryptography were made by individuals who, among other things, were great mathematicians.
• Number theory is an ancient and fascinating branch of mathematics that plays an important role in public-key cryptosystems. Knowing certain basic concepts of number theory, such as modular arithmetic and congruence, is necessary for an understanding of public-key cryptosystems.
• The mathematics of public-key cryptography is based on raising large numbers to a very large power. Microsoft Excel cannot perform the operation of raising 1000 to the power of 1000 because the result is too large. So how is it possible in the RSA public-key encryption algorithm to raise a large number, 200 digits or even larger, to the power of another 200-digit number? The only way is by using modular arithmetic.
• In this session, the basic concepts of number theory and congruence arithmetic are described as the background needed to understand public-key theory. Then the most used public-key ciphers, the Pohlig-Hellman algorithm, the RSA algorithm, the ElGamal algorithm and Diffie-Hellman, will be presented.

The Set of Real Numbers
Symbol | Number System | Description | Examples
N | Natural Numbers | Counting numbers (also called positive integers). | 1, 2, 3, 4, 5, …
Z | Integers | Set of natural numbers, their negatives, and zero. | …, -2, -1, 0, 1, 2, …
Q | Rational | Any number that can be represented as a/b, where a and b are integers and b ≠ 0. | 7, 2/5, 0, ¾, 5.42
R | Real | Set of all rational and irrational numbers. | 7, 2/5, 0, 1, ¾, 5.42, √2, √5, π
• The set of real numbers shown in the table is not generally applicable to cryptography because in arithmetic, information is lost through round-off errors or truncation in integer division, and also because real numbers are infinite fields.
• In cryptography, only the set of natural numbers is used. Besides, it is necessary to have cyclic groups, numbers that are finite.

Finite Fields
• Finite fields are fields that are finite.
• A field is a set of numbers in which the usual mathematical operations (addition, subtraction, multiplication, and division by nonzero quantities) are possible; these operations follow the usual commutative, associative, and distributive laws.
• Real numbers, rational numbers (fractions), and complex numbers are elements of infinite fields.
• Discrete logarithm (DL) and elliptic curve (EC) cryptography schemes are always based on computations in a finite field in which there are only a finite number of quantities.
• For cryptography applications, the finite fields that are usually used are the field of characteristic (congruences).
• The finite fields used in DL and EC are the field of prime characteristic F_p and the field of characteristic two F_(2^m). The finite field is also denoted as GF(q).
• When we talk about the time during the day, we use civilian or military time. Civilian time goes from 0 to 12 and military time from 0 to 24. Those are finite fields, from 0 to 12 and from 0 to 24. There is no 14:00 in civilian time, or 27:00 in military time. In civilian time, after 12 you return to 1, and in military time, after 24 you return to 1.
• In cryptography it is necessary to have cyclic groups, and this can be achieved using congruences.
• An integer field modulo q, denoted Z_q, has a finite number q of elements in it.

Finite Fields
• Characteristic Prime Finite Fields
— The finite field F_p is the prime finite field containing p elements. If p is an odd prime number, then there is a unique field F_p that consists of the set of integers {0, 1, 2, ..., p – 1}.
• Characteristic Two Finite Fields
— A characteristic two finite field (also known as a binary finite field) is a finite field whose number of elements is 2^m. If m is a positive integer greater than 1, the binary finite field F_(2^m) consists of the 2^m possible bit strings of length m.
— For example, F_(2^3) = {000, 001, 010, 011, 100, 101, 110, 111}

Principle of Counting
• The number of possible outcomes when several procedures are performed together is the product n1 . n2 . n3 . ... . nn, where n1 is the number of possible ways procedure 1 can be performed, and so on.
• Suppose a password contains two distinct lowercase letters and three numbers, but the first number can’t be zero.
— Letter variations are 26 and 25 (distinct letters).
— Number variations are 9, 10, 10.
— The total number of possible passwords is 26 x 25 x 9 x 10 x 10.
• At another company, the guidelines might be to use eight uppercase letters, lowercase letters, or numbers, in any order. Now for each entry there are 26 + 26 + 10 possibilities and the total password space is 62 . 62 . 62 . 62 . 62 . 62 . 62 . 62 = 62^8.
• When talking about bits there are two possibilities, 0 and 1.
— For four bits there are 2 x 2 x 2 x 2 possibilities.
— For 128 bits there are 2^128 possibilities.
Exponentiation examples
— 2 x 2 x 2 x 2 = 2^4
— (2 x 2 x 2 x 2) x (2 x 2 x 2) = 2^4 x 2^3 = 2^(4+3) = 2^7
— (2 x 2 x 2 x 2 x 2) / (2 x 2 x 2) = 2^5 / 2^3 = 2^(5-3) = 2^2
• A procedure can be performed in n1 different ways, a second procedure in n2, a third procedure in n3 different ways, and so forth. The number of ways the three procedures can be performed together is the product n1 . n2 . n3. This counting principle is used with passwords to determine the number of possible ways a password can be selected.
• Suppose that a company’s security policy states that a password should have four lowercase letters followed by four numbers, in that order. There are 26 lowercase letters and 10 possible numbers, 0 to 9. The password space is 26 . 26 . 26 . 26 . 10 . 10 . 10 . 10 = 4,569,760,000. At another company, the guidelines might be to use eight uppercase letters, lowercase letters, or numbers, in any order. Now for each entry there are 26 + 26 + 10 possibilities and the total password space is 62 . 62 . 62 . 62 . 62 . 62 . 62 . 62 = 62^8, for a total of 8.39 x 10^17.
• When talking about keys in cryptography, they are normally defined in numbers of bits. For example, a block encryption algorithm has a key of 128 bits; in this case, there are only two choices for each bit, either a 1 or a 0. Using the counting principle, the total number of possibilities is 2 . 2 . 2 . 2 . 2 . … = 2^128 = 3.40282 x 10^38.
• Exponentiation is used in encryption to describe the key size, and in public key to raise a number to a power. It is necessary to understand the following basic concepts about exponentiation:
• 2 x 2 x 2 x 2 = 2^4
• (2 x 2 x 2 x 2) x (2 x 2 x 2) = 2^4 x 2^3 = 2^(4+3) = 2^7
• (2 x 2 x 2 x 2 x 2) / (2 x 2 x 2) = 2^5 / 2^3 = 2^(5-3) = 2^2

Number Theory and Finite Arithmetic
• Number Theory plays an important role in public-key cryptosystems.
• It is necessary to understand only certain basic concepts of Number Theory, such as modular arithmetic and congruence, as they are related to a public-key cryptosystem.

Counting in Modular Arithmetic
• Add 9h, 43m, 25s and 4h, 26m, 50s

Hours           Minutes         Seconds
9               43              25
4               26              50
--              --              --
13              69              75
(13 + 1 - 12)   (69 + 1 - 60)   (75 - 60)
2               10              15

• When we added the seconds and minutes in the example above, we used 60 as a modulo, so we can say that (25 + 50) = 15 (mod 60); 15 is the remainder left after 75 is divided by 60.
• Calculation of modulo returns the remainder after a number is divided by a divisor.
• If I leave at 9:00 am and the trip takes six hours, at what time will I arrive at my destination? Anyone will answer at 3:00 pm. If I ask them to prove it mathematically, some people will not know how, but others will say 9 + 6 – 12 = 3, without knowing that they are adding the numbers using modulo 12.

Congruence Arithmetic
The notion of congruence arithmetic (modulo arithmetic) was introduced by Gauss; it is a form of arithmetic in which only the remainders after division by a specific integer are used. If a is divided by p and has a remainder b, it can be said that a is congruent to b, modulo p. For example, let’s say that:
a = (k . p) + b
32 = (6 . 5) + 2
and if a = 32 is divided by p = 5, the result will be k = 6 with a remainder of b = 2.
This congruence is expressed as follows:
a ≡ b mod p          32 ≡ 2 mod 5
and it is read,
a is congruent to b, modulo p          32 is congruent to 2, modulo 5
Another way to read the expression is to say that
a is equivalent to b, modulo p          32 is equivalent to 2, modulo 5
Congruences with the same modulo can be added, subtracted, or multiplied.

Congruence – Addition and Subtraction
Addition
If a ≡ b mod p and c ≡ d mod p, then (a + c) ≡ (b + d) mod p.
For example, 32 ≡ 2 mod 5 and 49 ≡ 4 mod 5,
then,
(32 + 49) ≡ (2 + 4) mod 5 or 81 ≡ 6 mod 5 ≡ 1 mod 5.
Subtraction
If a ≡ b mod p and c ≡ d mod p, then (a - c) ≡ (b - d) mod p.
For example, a = 49 ≡ 4 mod 5 and c = 32 ≡ 2 mod 5,
then, (49 - 32) ≡ (4 - 2) mod 5 or 17 ≡ 2 mod 5.
Or for a = 32 ≡ 2 mod 5 and c = 49 ≡ 4 mod 5,
then 32 – 49 ≡ (2 - 4) mod 5, or -17 ≡ -2 mod 5 ≡ 3 mod 5
• When a congruence is negative, add the modulo to get a positive number.
• If I arrived at my destination at 3:00 and the trip took six hours, at what time did I leave?
3 mod 12 – 6 mod 12 = -3 mod 12 = (12 – 3) mod 12 = 9 mod 12.

Addition in Modulo p
(a + b + c) mod p = a (mod p) + b (mod p) + c (mod p).
Example: Add the following three large numbers, and then find the modulo 8191 of the result.
We can add them first and find the modulo:
58,736,593,765
15,345,786,365
 1,763,785,786
--------------
75,846,165,916 (mod 8191) = 4,171 (mod 8191)
Otherwise, we can find the modulo of each number and then add the results:
58,736,593,765 (mod 8191) = 5,786 (mod 8191)
15,345,786,365 (mod 8191) = 5,202 (mod 8191)
 1,763,785,786 (mod 8191) = 1,374 (mod 8191)
                           ------
                           12,362 (mod 8191)
                            4,171 (mod 8191)

Congruence – Multiplication
Both sides of a congruence can be multiplied by the same number, just as both sides of an algebraic equation can be multiplied by the same number.
If
a ≡ b mod p
then, for any value of c
(a . c) ≡ (b . c) mod p
Example: For 32 ≡ 2 (mod 5) and c = 11:
(32 . 11) ≡ (2 . 11) (mod 5)
352 ≡ 22 (mod 5) ≡ 2 (mod 5)
Also, if
a ≡ b mod p and c ≡ d mod p,
then,
(a . c) ≡ (b . d) mod p.
Example: For 32 ≡ 2 (mod 5) and 49 ≡ 4 (mod 5),
then, (32 . 49) ≡ (2 . 4) (mod 5),
1568 ≡ 8 (mod 5) ≡ 3 (mod 5).

Congruence – Exponentiation
Both sides of a congruence can be raised to the same exponent just as both sides of an equation can be raised to the same exponent.
For any value of r,
a^r ≡ b^r mod p
Example: For 32 ≡ 2 mod 5 and r = 3:
32^3 ≡ 2^3 mod 5
32,768 ≡ 8 mod 5 ≡ 3 mod 5

Exponentiation in Modulo p
(a^n) mod p = a^m1 (mod p) x a^m2 (mod p) x a^m3 (mod p) x . . .
Where n = m1 + m2 + m3 + …
Problem: Find 56^118 mod 8191
Convert 118 decimal to 118 binary.
118 (decimal) = 1      1      1      0   1     1     0 (binary)
56^118        = 56^64  56^32  56^16      56^4  56^2
56^118 mod 8191 = 56^64 mod 8191 x 56^32 mod 8191 x 56^16 mod 8191 x 56^4 mod 8191 x 56^2 mod 8191
56^118 mod 8191 = 7388 mod 8191
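The binary method above, written out as a routine (an added example, not part of the original slides; the function names are illustrative). It reduces modulo p after every multiplication, so no intermediate value ever exceeds (p - 1)^2.

```python
def exponent_powers(n):
    """Return the powers of two that sum to n, largest first (118 -> 64, 32, 16, 4, 2)."""
    return [1 << i for i in range(n.bit_length() - 1, -1, -1) if (n >> i) & 1]


def squaring_table(a, n, p):
    """Return [(2^i, a^(2^i) mod p)] for every bit position of the exponent n."""
    table, square = [], a % p
    for i in range(n.bit_length()):
        table.append((1 << i, square))
        square = (square * square) % p   # a^(2^(i+1)) = (a^(2^i))^2
    return table


def mod_exp(a, n, p):
    """Compute a^n mod p by repeated squaring, right-to-left over the bits of n."""
    if p <= 0 or n < 0:
        raise ValueError("modulus must be positive and exponent non-negative")
    result = 1 % p        # 1 % p also covers the degenerate modulus p == 1
    square = a % p        # holds a^(2^i) mod p for the bit currently examined
    while n:
        if n & 1:         # this power of two is one of the m1, m2, ... terms
            result = (result * square) % p
        square = (square * square) % p
        n >>= 1
    return result


if __name__ == "__main__":
    print("118 in binary:", bin(118)[2:], "=", exponent_powers(118))
    for power, value in squaring_table(56, 118, 8191):
        print(f"56^{power} mod 8191 = {value}")
    print("56^118 mod 8191 =", mod_exp(56, 118, 8191))
    # The Excel case from the session notes: 1000^1000 has 3001 digits,
    # but its residue is found with ten squarings of 4-digit numbers.
    print("1000^1000 mod 8191 =", mod_exp(1000, 1000, 8191))
```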

Congruence – Canceling
The rule for canceling a congruence by an integer is a little more complicated than multiplication.
If
(a . c) ≡ (b . c) mod p
then
a ≡ b mod [p / (c, p)]
where (c, p) is the greatest common divisor of c and p.
If c and p are relatively prime, then the gcd (c, p) = 1.
Example:
58 . 100 ≡ 100 mod 380
gcd (100, 380) = 20
Then,
58 ≡ 1 mod (380 / 20) ≡ 1 mod 19

Fermat’s Theorem
• Fermat’s Theorem indicates that if p is prime and a is not divisible by p (a and p are relatively prime) then,
a^(p-1) = (k * p) + 1
a^(p-1) ≡ 1 mod p
(a^(p-1))^k ≡ 1 mod p
a^(p-1) mod p ≡ 1
For example, 6^(7-1) ≡ 1 mod 7, that is, 6^6 ≡ 1 mod 7.
• These properties can be used to exponentiate a to a large number. Having the restriction on a and p, it is possible to write,
6^69 (mod 17) ≡ (6^(17-1))^4 mod 17 . 6^5 (mod 17)
6^69 (mod 17) ≡ 1 . 6^5 (mod 17) ≡ 7 (mod 17)
• A faster way to do the exponentiation is to apply modulo (p - 1) to the exponent and say that if n ≡ m mod (p - 1), then a^n ≡ a^m mod p. In the example before:
a = 6, m = 69, p = 17, n = 69 mod (17 - 1) = 5; then, 6^5 = 6^(69 mod (17 - 1)) = 6^5 (mod 17) = 7 (mod 17)

Euler’s Theorem
Euler's Theorem states that:
a^ϕ(p) = (k * p) + 1
a^ϕ(p) = 1 mod p
where
1. a and p are relatively prime, gcd (a, p) = 1.
2. ϕ(p) is the Euler totient function, which is equal to the number of integers relatively prime to p in the range 1 ..... (p - 1). For example, for p = 15, the relatively prime numbers are 1, 2, 4, 7, 8, 11, 13, 14; so ϕ(15) = 8. In general,
a. If p is a prime, then ϕ(p) = (p - 1)
b. If p is a prime, then ϕ(p^k) = (p^k - p^(k-1))
c. If p and q are primes, then ϕ(p . q) = (p - 1)(q - 1)
d. If p is a prime, for p^2, then ϕ(p^2) = p(p - 1)
3. If g.c.d (p, q) = 1, the Euler totient function is multiplicative, denoting ϕ(pq) = ϕ(p) * ϕ(q)
• If two numbers have only the factors 1 and -1 in common, they are said to be relatively prime.
• In the range {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14}, which of these numbers are relatively prime to 15? 15 = 3 x 5, so 3, 6, 9, 5, and 10 are not relatively prime to 15. Therefore, 1, 2, 4, 7, 8, 11, 13, and 14 are relatively prime to 15.

Euler’s Theorem
Using the equation a^ϕ(p) = 1 mod p it is possible to exponentiate a to a large number by reducing the exponent.
Example: For a = 2, p = 15, and ϕ(15) = 8:
2^22 (mod 15) ≡ [2^8 (mod 15)] . [2^8 (mod 15)] . [2^6 (mod 15)]
2^22 (mod 15) ≡ 1 . 1 . [2^6 (mod 15)]
2^22 (mod 15) ≡ 4 (mod 15)
Even if a is not relatively prime with p, it is possible to reduce the exponent to modulo ϕ(p), except in the case of exponents reduced to 0.
For example, for a = 3, p = 15, and ϕ(15) = 8:
3^22 (mod 15) ≡ [3^8 (mod 15)] . [3^8 (mod 15)] . [3^6 (mod 15)]
3^22 (mod 15) ≡ 1 . 1 . [3^6 (mod 15)]
3^22 (mod 15) ≡ 9 (mod 15)

Exponentiation Ciphers
a = (k * p) + b          a ≡ b mod p          a^r ≡ b^r mod p
If b = 1, then
a = (k * p) + 1          a ≡ 1 mod p          a^r ≡ 1 mod p
Fermat’s Theorem indicates that if p is prime and a is not divisible by p (a and p are relatively prime) then,
a^(p-1) = (k * p) + 1
a^(p-1) ≡ 1 mod p
(a^(p-1))^k ≡ 1 mod p
a^(p-1) mod p ≡ 1
• Two numbers are relatively prime if they have no common factor other than 1 and −1.

Exponentiation Cipher
According to a^r ≡ b^r mod p, equation
a^ϕ(p) = 1 mod p
can be written as
a^(k ϕ(p)) = 1^k mod p = 1 mod p
and from equation (a * c) ≡ (b * c) mod p it follows that
a . a^(k ϕ(p)) = a . 1 mod p
or,
a^(k ϕ(p) + 1) = a mod p
which can be written as
a^(E * D) = a mod p
where,
E * D = k ϕ(p) + 1
which can be written as
E * D = 1 [mod ϕ(p)]
or,
E * D [mod ϕ(p)] = 1

Exponentiation Cipher – Cont.
In
E * D [mod ϕ(p)] = 1
the reciprocal of the number E is the inverse or multiplicative inverse of D. Normally, E is selected first and then the corresponding D must be found.
By symmetry, the exponents E and D are commutative and mutual inverses, so it is possible to say that
a^(E * D) = a mod p
can be written as
a^(E * D) mod p = a
a^(E * D) mod p = [a^E mod p]^D mod p
Replacing “a” for “M” message, the equation can be written as
M^(E * D) mod p = M
[M^E mod p]^D mod p = M

Exponentiation Cipher – Cont.
In
[M^E mod p]^D mod p = M
the equation illustrates that if M, the plaintext, is enciphered with the following algorithm {(plaintext)^E (mod p)} to produce a ciphertext, and that if at the receiver’s end, the ciphertext is deciphered using the algorithm [(Ciphertext)^D] (mod p), the same plaintext M will be obtained.
In other words, by raising the ciphertext to the Dth power and reducing it modulo p, the plaintext will be recovered. This can be written as follows:
C = M^E mod p
M = C^D mod p
where M is the plaintext, C is the ciphertext, and E and D are the enciphering and deciphering keys.
Exponentiation ciphers encipher a message block by computing the exponential according to the above equations.

What is Public-Key Cryptography?
public-key cryptography: (1) An encryption method that uses a pair of keys, one public and one private. Messages encoded with either one can be decoded by the other. Also called asymmetric encryption. (2) Algorithms used to prove the authenticity of the message originator and to exchange keys.

Types of Public-Key Cryptography
• Exponentiation ciphers
— RSA.
• Discrete logarithm systems
— ElGamal public-key encryption, Digital Signature Algorithm (DSA), Diffie-Hellman Key Agreement.
• Elliptic curve cryptography.

Exponentiation Algorithms
[Figure: an Initial Crypto Variable feeds the Pair Key Generator, which outputs Pub Key E and Priv Key D. The Sender enciphers Message M as C = M^(Pub E) (mod p); the Receiver deciphers it as M = C^(Priv D) (mod p) to recover Message M.]
Exponential crypto algorithms encipher messages according to the following formula:
C = M^(Pub E) mod p          M = C^(Priv D) mod p
M being the plaintext and C being the ciphertext.
The exponents Pub and Priv are mathematically related by:
E * D [mod ϕ(p)] = 1
Pub * Priv [mod ϕ(p)] = 1
• An exponentiation cipher is a technique in which the encryption and decryption processes involve raising plaintext and ciphertext messages to specific powers. Diffie-Hellman, Pohlig-Hellman, RSA, ElGamal, and many others are all exponentiation ciphers, each one implemented in a slightly different way.
• By definition, a public-key cipher is a one-way cryptosystem, so, from this point of view, all exponentiation ciphers are public-key cryptosystems. However, from the standpoint that the enciphering key can be made public, not all exponentiation ciphers are public. For the sake of discussion, this distinction will be kept, the term exponentiation cipher used for all, and public key reserved for use with those cryptosystems in which the enciphering key can be made public.
• Exponentiation ciphers encipher a message block by computing the exponential according to the equations C = M^(Pub E) mod p, M = C^(Priv D) mod p.
• Note that the sender needs to have the receiver’s public key to be able to encipher the message. Because the receiver is the only one with the private key, he will be the only one able to decipher the message.
• The two keys in public-key systems, called Private Key and Public Key, are mathematically related. One is the multiplicative inverse of the other, like when we say (7) * (1/7) = 1.
• Note that in symmetric encryption algorithms the key is called the secret key, so when talking about exponentiation ciphers, don’t call the private key a secret key. Vice versa, use the term secret key only to refer to symmetric encryption.

Pohlig-Hellman Exponentiation Algorithm
C = M^(Pub E) mod p          M = C^(Priv D) mod p
E * D = 1 [mod ϕ(p)] = 1 mod (p - 1)
Pub * Priv = 1 [mod ϕ(p)] = 1 mod (p − 1)
M is the clear message, C is the crypto message; E and D are the crypto variables used to encipher and to decipher the message.
Example: p = 73, E = 29, D = 5 and M = 2;
C = M^E (mod p) = 2^29 (mod 73) = 4 (mod 73)
M = C^D (mod p) = 4^5 (mod 73) = 2
Mathematical Requirements
E * D [mod ϕ(p)] = 1
ϕ(p) = p − 1
29 * 5 mod 72 = 1
Recommendation:
p should be a large prime.
Keep E and D secret; Pohlig-Hellman is not a Public Key system.
• The Pohlig-Hellman algorithm is not a public-key system, but it is based on exponentiation. In the Pohlig-Hellman algorithm, the modulo is chosen to be a large prime number p and the arithmetic is performed in the Galois field GF(n). The enciphering and deciphering are carried out according to the shown equations.
• Note: In exponentiation ciphers and public-key ciphers, large prime numbers should be used, but in the examples given in class, small integers are used for clarity.

RSA Algorithm
C = M^(Pub D) mod n          M = C^(Priv D) mod n
Where,
M = Plaintext
C = Ciphertext
Priv = Private Key (Decipher)
Pub = Public Key (Encipher)
n = p . q
The public key, Pub, and the modulo n are made public and the private key, Priv, is kept secret.
Example: p = 11, q = 31, n = 11 * 31 = 341
Pub = 53, Priv = 17 and M = 2.
C = 2^53 (mod 341) = 8
M = 8^17 (mod 341) = 2
Mathematical requirements:
Pub * Priv [mod ϕ(n)] = 1
ϕ(n) = (p − 1) * (q − 1)
53 * 17 mod 300 = 1
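How a key pair meeting the requirement Pub * Priv [mod ϕ] = 1 is found with Euclid's algorithm, for both the Pohlig-Hellman and the RSA examples above. This is an added example, not part of the original slides; the function names are illustrative and the toy numbers are the slides' own.

```python
def extended_gcd(a, b):
    """Euclid's algorithm, extended: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def private_exponent(pub, phi):
    """Return Priv with Pub * Priv [mod phi] = 1; raise if Pub shares a factor with phi."""
    g, x, _ = extended_gcd(pub, phi)
    if g != 1:
        raise ValueError(f"Pub={pub} is not relatively prime to phi={phi} (gcd {g})")
    return x % phi          # fold a negative coefficient into the range 1 .. phi-1


def rsa_keys(p, q, pub):
    """RSA: modulus n = p . q and phi(n) = (p - 1)(q - 1). Returns (n, Pub, Priv)."""
    return p * q, pub, private_exponent(pub, (p - 1) * (q - 1))


def pohlig_hellman_keys(p, e):
    """Pohlig-Hellman: prime modulus p and phi(p) = p - 1. Returns (E, D), both kept secret."""
    return e, private_exponent(e, p - 1)


def crypt(block, exponent, modulus):
    """Encipher or decipher one block: block^exponent mod modulus."""
    if not 0 <= block < modulus:
        raise ValueError("block must be in the range 0 .. modulus-1")
    return pow(block, exponent, modulus)


def round_trips(modulus, enc, dec):
    """True if every block 0 .. modulus-1 deciphers back to itself."""
    return all(crypt(crypt(m, enc, modulus), dec, modulus) == m for m in range(modulus))


if __name__ == "__main__":
    n, pub, priv = rsa_keys(11, 31, 53)
    c = crypt(2, pub, n)
    print(f"RSA: n={n} Pub={pub} Priv={priv}  C={c}  M={crypt(c, priv, n)}")

    e, d = pohlig_hellman_keys(73, 29)
    c = crypt(2, e, 73)
    print(f"Pohlig-Hellman: E={e} D={d}  C={c}  M={crypt(c, d, 73)}")

    print("all blocks round-trip:", round_trips(n, pub, priv), round_trips(73, e, d))

    try:
        rsa_keys(11, 31, 15)          # 15 shares the factor 15 with phi(n) = 300
    except ValueError as err:
        print("rejected:", err)
```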
The following procedure describes how to select the public key (Pub) and the private key (Priv) in the RSA algorithm:
• Select at random two large prime numbers, p and q.
• Make n, the modulo, equal to n = p . q
• Calculate Euler's function, ϕ(n) = ϕ(p . q) = (p - 1)(q - 1).
• Select a number Pub, and test it to verify that it is relatively prime to ϕ(n) by using Euclid's algorithm.
• Find Priv so that it satisfies the equation Pub . Priv = 1 mod ϕ(n), by calculating the multiplicative inverse of Pub using Euclid's algorithm. The properties of ϕ(n) guarantee that if Pub is relatively prime to ϕ(n), then there is always a multiplicative inverse, which, in our case, is Priv.
• Make n and Pub public; keep ϕ(n) and Priv secret.

ElGamal Algorithm
• A modification of the ElGamal digital signature can be used to encipher messages. The public and private keys, or key pair, are generated as follows:
1. Choose a prime p to be the modulo and choose two random numbers g and PrivA = a that are less than p.
2. Calculate yA = g^PrivA (mod p)
3. The public key consists of yA, g, and p.
• Suppose Alice wishes to send a message m to Bob. Alice first generates a random number k less than p, then she computes
y1 = g^k (mod p)
y2 = m . yA^k (mod p)
• Alice sends y1 and y2 to Bob. Upon receiving the ciphertext, Bob deciphers the message by computing
y3 = y1^(p − 1 − PrivA) (mod p)
and then m, the message, by calculating
m = y3 . y2 (mod p)
• ElGamal encryption is a simple variant on noninteractive Diffie-Hellman. The recipient publishes g, p, and yA = g^x mod p. The sender picks a random number k, computes y1 = g^k mod p and the shared secret z = yA^k mod p = y1^x mod p = g^(x*k) mod p, then sends y1 and z*m mod p to the recipient, where m is the message.
• There are two computations to encipher the message and two to decipher the message. Also, note that the two formulas to decipher the message are different from the two formulas to encipher the message. In RSA public key, there is only one formula to encipher and one formula to decipher; both formulas are the same.

ElGamal Algorithm
• Example*
1. Alice selects the prime p = 2357 to be the modulo, and two random numbers g = 2 and PrivA = a = 1751.
2. Alice calculates yA = g^PrivA (mod p) = 2^1751 (mod 2357) = 1185
3. Alice’s message m = 2035 and random number k = 1520.
4. Alice computes
y1 = 2^1520 (mod 2357) = 1430
y2 = 2035 . 1185^1520 (mod 2357) = 697
5. Alice sends (y1 and y2) to Bob.
6. Upon receiving the ciphertext, Bob deciphers the message by computing
y3 = y1^(p − 1 − PrivA) (mod p) = 1430^(2357 − 1 − 1751) (mod 2357) = 872
7. And then m, the message, by calculating
m = y3 . y2 (mod p) = 872 . 697 (mod 2357) = 2035
* Note: Values from (Menezes, Oorschot, Vanstone 1996). Applied Cryptography Handbook
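The ElGamal exchange above, run end to end with the example's values (an added example, not part of the original slides; the function names are illustrative). It also deciphers by dividing out the shared secret z = y1^Priv, the Diffie-Hellman view of ElGamal, and confirms that y3 is the inverse of z.

```python
def public_value(p, g, priv):
    """Key generation, step 2: y = g^Priv (mod p)."""
    return pow(g, priv, p)


def encipher(m, k, p, g, y):
    """Sender side: return (y1, y2) for message m and per-message random number k."""
    if not 0 < m < p:
        raise ValueError("message must be in the range 1 .. p-1")
    y1 = pow(g, k, p)                 # y1 = g^k (mod p)
    y2 = (m * pow(y, k, p)) % p       # y2 = m . y^k (mod p)
    return y1, y2


def y3_value(y1, p, priv):
    """Recipient side, first formula: y3 = y1^(p - 1 - Priv) (mod p)."""
    return pow(y1, p - 1 - priv, p)


def decipher(y1, y2, p, priv):
    """Recipient side as on the slide: m = y3 . y2 (mod p)."""
    return (y3_value(y1, p, priv) * y2) % p


def shared_secret(y1, p, priv):
    """z = y1^Priv = g^(Priv * k) (mod p), the value the sender computed as y^k."""
    return pow(y1, priv, p)


def decipher_via_shared_secret(y1, y2, p, priv):
    """Same plaintext, obtained by multiplying y2 by the inverse of z (Python 3.8+)."""
    return (y2 * pow(shared_secret(y1, p, priv), -1, p)) % p


# The slide's values
P, G, PRIV, M, K = 2357, 2, 1751, 2035, 1520

if __name__ == "__main__":
    y = public_value(P, G, PRIV)
    y1, y2 = encipher(M, K, P, G, y)
    y3 = y3_value(y1, P, PRIV)
    z = shared_secret(y1, P, PRIV)
    print("public value y =", y)
    print("ciphertext (y1, y2) =", (y1, y2))
    print("y3 =", y3, " z =", z, " y3 . z mod p =", (y3 * z) % P)
    print("m =", decipher(y1, y2, P, PRIV),
          "=", decipher_via_shared_secret(y1, y2, P, PRIV))

    # A different random number k gives a different ciphertext for the same
    # message; both decipher to m. k = 99 is a constructed value.
    other = encipher(M, 99, P, G, y)
    print("k = 99 ->", other, "-> m =", decipher(*other, P, PRIV))
```

By Fermat's theorem y1^(p − 1 − Priv) . y1^Priv = y1^(p − 1) ≡ 1 mod p, which is why the slide's y3 works as the inverse of the shared secret without a separate inversion step.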

Public Key Encryption
Sender (Alice) / Receiver (Bob)
• Encipher with Alice’s Private Key, decipher with Alice’s Public Key: Non-Repudiation of Origin (Authenticity). Anyone who has Alice’s public key will be able to decipher the message. Alice cannot deny that she sent the message.
• Encipher with Alice’s Public Key, decipher with Alice’s Private Key: Bob will not be able to decipher the message because he doesn’t have Alice’s private key.
• Encipher with Bob’s Public Key, decipher with Bob’s Private Key: Confidentiality ─ Bob will be the only one able to decipher the message because only he has his private key.
• Encipher with Bob’s Private Key, decipher with Bob’s Public Key: Enciphering is not possible because Alice doesn’t have Bob’s private key.
• When using public key, a message can be enciphered either with the public key or with the private key. The figure above shows the different ways in which a message that Alice is sending to Bob can be enciphered.

Key Management
• Conventional crypto networks using symmetric cryptosystems typically have a Key Distribution Center (KDC) to distribute or load the keys into each of the crypto units.
• There are three ways to send information about the secret key needed to decipher a message:
— Pre-Shared Secret Keys – The secret keys are loaded into both parties’ crypto systems beforehand, and it is only necessary to define which of the secret keys was used to encipher the message.
— Transport and Wrapping Keys – A secret key can be sent by transporting the key using public key algorithms or by wrapping the key using symmetric key algorithms.
— Key Agreement – A key agreement algorithm allows a sender and a receiver to share a secret key computed from public-key algorithms.
• Conventional crypto networks using symmetric cryptosystems typically have a Key Distribution Center (KDC) to distribute or load the keys into each of the crypto units. Secret keys are then sent using a secure channel such as a courier, but there is no way to know if the courier has compromised the keys to an unauthorized person who wants to read the messages in the network. Security may increase if the keys are loaded into the equipment before it is deployed; however, it is very difficult and inconvenient to bring the equipment to the Key Distribution Center (KDC) in order to change the keys. The problem is compounded if a new key for each day — or for each session — is desired.
• There are three ways to send information about the secret key needed to decipher a message:
1. Pre-Shared Secret Keys
2. Transport and Wrapping Keys
3. Key Agreement

Pre-Shared Secret Keys
The secret keys have been loaded in both servers, so only the name associated with the key needs to be sent.
[Figure: the Web Service Requester and the Web Service Provider each hold a Secret Key Table (Key Name, Secret Key) and a Type of Encryption Algorithm; the Key Name passes between them.]
• The secret keys are preloaded into both parties’ crypto systems, and it is only necessary to define which of the secret keys was used to encipher the message. In general, every loaded secret key is associated with a name; therefore, only the name associated with the key needs to be sent to the recipient.
• In the drawing above, only the key name is sent.

Encrypted Key – Transporting the Key
Use a public key algorithm to transport the session key.
[Figure: the Web Service Requester enciphers the Session Key with the Service Provider’s Public Key using the RSAES-v1.5 or RSAES-OAEP algorithm; the Web Service Provider deciphers it with the Service Provider’s Private Key using the same algorithm to recover the Session Key.]
• A secret key can be sent by transporting the key using public-key algorithms or by wrapping the key using symmetric key algorithms.
• Key transport algorithms are public-key encryption algorithms particularly specified for encrypting and decrypting keys.
• RFC 2437 recommends RSA-OAEP for all new applications because it includes plaintext awareness. Optimal Asymmetric Encryption Padding (OAEP) is a method for encoding messages developed by Mihir Bellare and Phil Rogaway.
• The session key is transported as a message.
• Alice encrypts the session key using Bob's public key and she sends it to Bob as an encrypted message.
• Bob uses his private key to decipher the message and gets the session key.

Wrapping the Key
Use a shared key-encrypting key to wrap (encipher) a session key.
Use 3DES or AES to encipher and decipher a session key.
[Figure: the Web Service Requester splits the session key into blocks 1 to n and enciphers them with 3DES or AES under the shared key-encrypting key, starting from an IV, to produce enciphered session key blocks 1 to n; the Web Service Provider deciphers the enciphered blocks with 3DES or AES under the same shared key-encrypting key and IV to recover the session key.]
• Symmetric key-wrap algorithms are algorithms especially specified for wrapping (enciphering and deciphering) symmetric keys. Both parties need to share a key-encrypting key that is used to wrap (encipher) the key that is going to be used to encipher the information. In cryptanalysis, the more a key is used, the higher the probability that it could be broken. By using a key-encrypting key (KEK) to wrap keys, the KEK will be used fewer times than if it were used to encipher messages.
• Keys are encrypted using 3DES or AES.

Key Agreement
Use Diffie-Hellman to calculate ZZ and the RFC 2631 Key Agreement Method to generate key material, as required.
[Figure: the Web Service Requester and the Web Service Provider each run the Diffie-Hellman Key Exchange to obtain the Pre Master Key (ZZ), pass it through Key Material Generation, and arrive at the Session Key.]
• A key agreement algorithm allows a sender and a receiver to share a secret key computed from public-key algorithms. Normally, the shared secret key is not used as a key, but instead is used to arrive at key material.
• Diffie-Hellman is used for key agreement.

Diffie-Hellman Key Agreement System
1. Sender and receiver, Alice and Bob, agree on fixed constants, p and g, which do not need to be kept secret; p is a large prime number, and g is any integer between 0 and p - 1. (p - 1) / 2 should be a prime.
2. When communication between Alice and Bob is established, they randomly generate a secret number: PrivA and PrivB.
3. Alice and Bob generate their corresponding public numbers:
   $Pub_A = g^{Priv_A} \pmod{p}$    $Pub_B = g^{Priv_B} \pmod{p}$
4. Alice and Bob exchange PubA and PubB over the nonsecure channel.
5. Alice and Bob compute ZZ, the session key, by
   $ZZ = Pub_A^{Priv_B} \pmod{p}$    $ZZ = Pub_B^{Priv_A} \pmod{p}$
6. Alice and Bob use ZZ as their secret key, and load it into their key generators to secure their communications.
• Another process in number theory that has a one-way property is raising a number to a power in a large finite field. When working with real numbers, finding $y = g^x$ is as easy as finding $x = \log_g y$. But when a finite group such as GF(p) is used, exponentiation becomes a one-way process for a large prime p. Given g and x, it is easy to compute $y = g^x \bmod p$, but how can $x = \log_g y \bmod p$ be computed when log has a different but analogous meaning than before? This type of logarithm is called a discrete logarithm, and it is computationally difficult to compute discrete logarithms in GF(p) if p is chosen such that p - 1 has at least one large prime factor. If p - 1 has only small prime factors, then computing discrete logarithms is easy.
• The Diffie-Hellman algorithm, which is based on the discrete logarithm problem, can be used to agree on keys between two units that want to establish secure communications.

Diffie-Hellman Key Agreement System
Alice: g and p are large integers; PrivA = random large integer; $Pub_A = g^{Priv_A} \pmod{p}$; $ZZ = Pub_B^{Priv_A} \pmod{p}$
Bob: g and p are large integers; PrivB = random large integer; $Pub_B = g^{Priv_B} \pmod{p}$; $ZZ = Pub_A^{Priv_B} \pmod{p}$
g and p do not need to be secret. Alice sends PubA to Bob, and Bob sends PubB to Alice.
Alice's ZZ = Bob's ZZ. Both units use ZZ as the Session Key to encipher the message.
The math is simply:
• Alice and Bob agree on two large numbers, p (prime modulus) and g (base), such that g is less than p, but greater than 1. These integers don't have to be secret, and they can even be common among a group of users.
• Both units randomly generate a secret integer: PrivA and PrivB.
• Both units generate their corresponding public key numbers, PubA and PubB, according to:
  $Pub_A = g^{Priv_A} \pmod{p}$    $Pub_B = g^{Priv_B} \pmod{p}$
• Both units exchange the public keys, PubA and PubB.
• Both units calculate ZZ, the session key, according to the following formula:
  $ZZ = Pub_B^{Priv_A} \pmod{p}$    $ZZ = Pub_A^{Priv_B} \pmod{p}$
• Both units use ZZ as the session key to encipher the message.

Diffie-Hellman Key Agreement System
Sender and receiver agree on the same group or pair of g and p; g and p do not need to be secret.
Alice: g = 12, p = 47, PrivA = 3; $Pub_A = 12^3 \pmod{47} = 36$
Bob: g = 12, p = 47, PrivB = 5; $Pub_B = 12^5 \pmod{47} = 14$
Alice sends 36 to Bob; Bob sends 14 to Alice.
Alice: $Z = 14^3 \pmod{47} = 18$    Bob: $Z' = 36^5 \pmod{47} = 18$
Both units use 18 as the Session Key to encipher the message.
• Alice and Bob end up with the same crypto key, 18, but they do not have control of the key that was generated.
• This procedure is good for link encryption, server to client, in which one unit establishes communications with another, but it cannot be used when a secure message is broadcast to several units.
• If the user wants to compartmentalize his crypto network, several p's and g's should be used, with one set designated for each of his crypto organizations. These sets should then be stored in the crypto units and kept secret.
• Whenever a key exchange is established, the sender and receiver agree on the corresponding p and g numbers.
• In IPSec IKE (Internet Key Exchange), for example, the Group representation “2” is used for a 1024-bit modulus.
• If the Group field is “2”, then the receiving unit knows that
g=2
p=
1797693134862315907708391567937874531978602960487560117064444236841971802161
5851936894783379586492554150218056548598050364644054819923910005079287700335
5816639229553136239076508735759914822574862575007425302077447712589550957937
7784244424266173347276292993876687092056060502708108429076929320191281944676
27007
It has been rigorously verified that p is a prime.

Diffie-Hellman Key Agreement System
• No control over the generated session key.
• Subject to the Man-in-the-Middle attack.
• No information about the parties' identities.
• Subject to a clogging attack. It is computationally intensive.
Solution to the Man-in-the-Middle attack
  • Establish authenticity between parties with a certificate.
  • Add a hash function (message digest).
  • Authenticate the identity of a message with a digital signature.
  • Add a random component to the agreed key.
[Figure: Man-in-the-Middle Attack. Labels: Alice, Bob, SA, SB, "Spoofed by the Man-in-the-Middle".]
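The exchange with the slide's toy numbers (g = 12, p = 47, PrivA = 3, PrivB = 5), run once cleanly and once with a spoofer substituting its own public value, followed by the hash comparison listed among the solutions. This is an added example, not part of the original slides; the spoofer's PrivS = 7, the use of SHA-256 for the displayed hash, and the range check on the peer's public value are assumptions.

```python
import hashlib

# Toy parameters from the slide's worked example (far too small for real use).
P, G = 47, 12

def public_value(priv, p=P, g=G):
    """Pub = g^Priv (mod p)."""
    return pow(g, priv, p)

def shared_secret(peer_pub, priv, p=P):
    """ZZ = Pub_peer^Priv (mod p).

    The range check is added hardening (not on the slide): it rejects the
    values 0, 1 and p-1, which would force ZZ into a trivially small set.
    """
    if not 1 < peer_pub < p - 1:
        raise ValueError("peer public value outside 2..p-2")
    return pow(peer_pub, priv, p)

def fingerprint(zz, p=P):
    """Short hash of ZZ that each unit shows on its display (SHA-256 assumed)."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(zz.to_bytes(width, "big")).hexdigest()[:8]

def exchange(priv_a, priv_b, priv_s=None):
    """Run one exchange; if priv_s is given, a spoofer replaces both public values.

    Returns (Alice's ZZ, Bob's ZZ, tuple of ZZ values the spoofer can compute).
    """
    pub_a, pub_b = public_value(priv_a), public_value(priv_b)
    if priv_s is None:
        return shared_secret(pub_b, priv_a), shared_secret(pub_a, priv_b), ()
    pub_s = public_value(priv_s)
    zz_alice = shared_secret(pub_s, priv_a)   # Alice received PubS, not PubB
    zz_bob = shared_secret(pub_s, priv_b)     # Bob received PubS, not PubA
    spoofer = (shared_secret(pub_a, priv_s), shared_secret(pub_b, priv_s))
    return zz_alice, zz_bob, spoofer

def displays_match(zz_alice, zz_bob):
    """The hash check: compare what the two units display."""
    return fingerprint(zz_alice) == fingerprint(zz_bob)

if __name__ == "__main__":
    clean = exchange(3, 5)
    spoofed = exchange(3, 5, priv_s=7)        # PrivS = 7 is a constructed value
    print("clean  :", clean, "displays match:", displays_match(*clean[:2]))
    print("spoofed:", spoofed, "displays match:", displays_match(*spoofed[:2]))
```

In the spoofed run Alice and Bob hold different keys, each of which the spoofer also holds, so the two displays disagree; the comparison only helps if it is made over a channel the spoofer cannot alter.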
• A problem with the Diffie-Hellman technique is that it can be spoofed. A spoofer can intercept communications between Alice and Bob and make Alice believe that she is talking to Bob and, at the same time, make Bob believe that he is talking to Alice when, in reality, both are talking to the spoofer. The spoofer generates a secret number PrivS and computes
  $Pub_S = g^{Priv_S} \pmod{p}$
• The spoofer intercepts PubA and transmits PubS to Bob. He also intercepts PubB and transmits PubS to Alice. Bob computes a key based on PubS and PrivB; Alice computes a key based on PubS and PrivA; the spoofer computes both keys. When Alice transmits enciphered data to Bob, this data is decrypted by the spoofer and re-encrypted for transmission to Bob. Alice and Bob establish crypto communications with a key (or keys) supplied by the spoofer, who is able to intercept the messages and to read or to modify them at will.
• A way to avoid this problem is to combine the Diffie-Hellman algorithm with an unforgeable digital electronic signature or a certificate that provides user authentication. Another way is to apply a hash function to the negotiated key and to present the result in the unit display. If the hash result that appears in both units is the same, then there is no man-in-the-middle. With the digital signature, or with the hash function, Alice is sure that she is talking to Bob and not to the spoofer.

RSA Key Transport
$C = K^{Pub_B} \bmod n$    $K = C^{Priv_B} \bmod n$    $n = p \cdot q$
[Figure: the Sender (Alice) enciphers the Secret Key K with the receiver's public key PubB, $C = K^{Pub_B} \bmod n$; the Receiver (Bob) deciphers with PrivB, $K = C^{Priv_B} \bmod n$, and obtains the Secret Key K.]
• The secret key is transported as a message.
• Alice encrypts the secret key using Bob's public key and she sends it to Bob as an encrypted message.
• Bob uses his private key to decipher the message and gets the secret key.
• The RSA public-key cryptosystem can be used to transport an encrypting key. First, the sender's unit (Alice) randomly selects a session key and enciphers it using the public key of the receiver's unit (Bob). Alice then sends the enciphered session key to Bob over a nonsecure channel. Bob deciphers the session key with his own secret key. Because the deciphering private key is known only to Bob, only Bob can decipher the session key. After exchanging the session key, both Alice and Bob use the session key in a symmetric cryptosystem to securely communicate with each other.

RSA Problem
• The strength of the RSA algorithm is based on the fact that multiplying two large primes to get n is far easier than, given n, finding the two primes; this is called a one-way property.
• One approach a cryptanalyst might use to break an RSA algorithm is to find p and q, the factors of n, calculate φ(n), and then calculate Priv from φ(n) and Pub, using Euclid's algorithm.
• The difficulty of computing Priv from the public information, φ(n) and Pub, depends on the difficulty of factoring n or of deriving p and q from n; because φ(n) = (p - 1) * (q - 1), φ(n) can only be found if p and q are known.
• When p and q are chosen so that n is a 200-digit number, it seems to be computationally infeasible for anyone, even using the fastest computer available today, to break the RSA algorithm.
• Today, RSA Data Security recommends using a 768-bit RSA modulus for personal use, 1024 bits for corporate use, and 2048 bits for protecting extremely valuable data (RSA Bulletin 10, 1999).
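The key-transport formulas C = K^PubB mod n and K = C^PrivB mod n, with PrivB obtained from φ(n) and Pub by Euclid's algorithm as the RSA Problem slide describes. This is an added example, not part of the original slides; the primes 61 and 53, the exponent 17 and the session key 65 are constructed toy values, and the function names are hypothetical.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def private_exponent(pub, p, q):
    """Priv with Pub * Priv == 1 (mod phi(n)), where phi(n) = (p - 1) * (q - 1)."""
    phi = (p - 1) * (q - 1)
    g, x, _ = egcd(pub, phi)
    if g != 1:
        raise ValueError("Pub must be coprime to phi(n)")
    return x % phi

def transport(k, pub, n):
    """Alice: C = K^PubB mod n."""
    if not 1 < k < n - 1:
        raise ValueError("K must satisfy 1 < K < n - 1")
    return pow(k, pub, n)

def recover(c, priv, n):
    """Bob: K = C^PrivB mod n."""
    return pow(c, priv, n)

# Constructed toy key pair; real moduli are the sizes quoted on the slide.
P_, Q_, PUB_B = 61, 53, 17
N = P_ * Q_                                  # 3233, published with PUB_B
PRIV_B = private_exponent(PUB_B, P_, Q_)     # computing it requires p and q

if __name__ == "__main__":
    k = 65                                   # constructed session key
    c = transport(k, PUB_B, N)
    print("PrivB =", PRIV_B, " C =", c, " recovered K =", recover(c, PRIV_B, N))
    # Unpadded RSA is deterministic: the same K always yields the same C,
    # which is one reason a randomized encoding such as OAEP is used in practice.
    print("repeatable ciphertext:", transport(k, PUB_B, N) == c)
```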
• The strength of the RSA algorithm is based on the fact that multiplying two large primes to get n is far easier than, given n, finding the two primes; this is called a one-way property. One approach a cryptanalyst might use to break an RSA algorithm is to find p and q, the factors of n, calculate φ(n), and then calculate Priv from φ(n) and Pub, using Euclid's algorithm. The difficulty of computing Priv from the public information, φ(n) and Pub, depends on the difficulty of factoring n or of deriving p and q from n; because φ(n) = (p - 1) * (q - 1), φ(n) can only be found if p and q are known. Since factoring large numbers is a very difficult problem, the difficulty of breaking the RSA algorithm increases when n is a very large number. When p and q are chosen so that n is a 200-digit number, it seems to be computationally infeasible for anyone, even using the fastest computer available today, to break the RSA algorithm.
• Today, RSA Data Security recommends using a 768-bit RSA modulus for personal use, 1024 bits for corporate use, and 2048 bits for protecting extremely valuable data (RSA Bulletin 10, 1999).

RSA Challenges
Number     Month
RSA-100    April 1991
RSA-110    April 1992
RSA-120    June 1993
RSA-129    April 1994
RSA-130    April 1996
RSA-140    February 1999
RSA-155    August 1999
RSA-160    April 2003
RSA-576    December 2003
RSA-640    November 2005
RSA-704    Open
RSA-768    Open
Discrete Logarithmic Problem
• In the multiplicative group Zp* (Diffie-Hellman, ElGamal, DSS), the following is the discrete logarithm problem:
— Given elements y and g of the group, and a prime p, find a number k such that $y = g^k \bmod p$.
— For example, if y = 2, g = 8, and p = 341, then find k such that $2 \equiv 8^k \pmod{341}$.
— In Diffie-Hellman, y is the public key, g is a random number, p is the modulus, and k is the private key that the cryptanalyst is trying to find out.
Which one is the correct Private Key?
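The slide's instance (y = 2, g = 8, modulus 341) worked by exhaustive search, together with the group checks a defender applies before accepting p and g, including the earlier requirement that (p - 1) / 2 be prime. This is an added example, not part of the original slides, and the function names are hypothetical; note that 341 = 11 × 31 is not prime, so the code treats it simply as a modulus.

```python
from math import gcd

def multiplicative_order(g, m):
    """Smallest t > 0 with g^t == 1 (mod m); g must be coprime to m."""
    if gcd(g, m) != 1:
        raise ValueError("g is not a unit modulo m")
    t, acc = 1, g % m
    while acc != 1:
        acc = acc * g % m
        t += 1
    return t

def discrete_logs(y, g, m):
    """All k in 1..m-1 with g^k == y (mod m), by exhaustive search (toy sizes only)."""
    out, acc = [], 1
    for k in range(1, m):
        acc = acc * g % m
        if acc == y:
            out.append(k)
    return out

def is_prime(n):
    """Trial division, adequate for the toy moduli used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def check_group(g, m):
    """What a defender validates: prime modulus, prime (m - 1) / 2, order of g."""
    return {
        "modulus_prime": is_prime(m),
        "safe_prime": is_prime(m) and is_prime((m - 1) // 2),
        "order_of_g": multiplicative_order(g, m),
    }

if __name__ == "__main__":
    print("solutions k:", discrete_logs(2, 8, 341))
    print("slide 42 group:", check_group(8, 341))
    print("worked DH example group:", check_group(12, 47))
```

Every solution differs from the next by the order of g, so the private key is only determined modulo that order: the effective key space here is 10 values, against 23 for g = 12, p = 47.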
• In the example above, the values 7, 17, 27, 37, 47, 57, 67, 77, ..., 207, 217, 227, 237, 247 are mathematically correct private keys, but which one was the one used? This is what is called the discrete logarithm problem.

Combining Symmetric and Asymmetric Ciphers
[Figure: the Client and the Web Server exchange (wrap / transport) or agree (Diffie-Hellman) on a pre-master key. On each side the Pre-Master Key feeds Master Key Generation, with Integrity (HMAC); on the Encipher side cleartext blocks pass through Symmetric Encryption with the Secret Key and an IV to give ciphertext blocks, and on the Decipher side the ciphertext blocks pass through Symmetric Encryption with the Secret Key and IV to give back cleartext blocks.]
Use a symmetric algorithm to encipher and decipher a secure transaction.
• In many instances, asymmetric cryptosystems, either public-key or exponentiation, are relatively slow compared to classic symmetric cryptosystems. However, asymmetric cryptosystems can be used for the secure and authenticated process of transporting or agreeing on a session key that will be used to encipher the message. Therefore, it is not necessary to send the session key beforehand; it can be exchanged in a secure way over nonsecure public networks like the Internet.
• In most applications, asymmetric encryption algorithms (public key) are used to exchange, agree upon, or transport a key, and symmetric algorithms are used to encipher the data. Normally, the shared or transported key is not used as a secret key or crypto variable key; instead, it is used as an entropy source to generate random values for MACs, secret keys, and initialization values (IV) required to encipher the data using symmetric algorithms like AES. The steps required to generate a key used to encrypt the message depend on the protocol.

To Probe Further
• Koblitz, N. (1987). A Course in Number Theory and Cryptography. New York: Springer-Verlag.
• Ogilvy, C., Anderson, J. (1988). Excursions in Number Theory. New York: Dover Publications, Inc.
• Schneier, B. (1994). Applied Cryptography. New York: John Wiley & Sons.
• Diffie, W., Hellman, M. E. (November 1976). New Directions in Cryptography. IEEE Transactions on Information Theory, Vol. IT-22, No. 6.
• ElGamal, T. A. (July 1985). Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Transactions on Information Theory, Vol. IT-31.
• Newman, D. B., Omura, J. K., Pickholtz, R. L. (April 1987). Public Key Management for Network Security. IEEE Network Magazine, Vol. 1, No. 2.
• Pohlig, S. C., Hellman, M. E. (January 1978). An improved algorithm for computing logarithms in GF(p) and its cryptographic significance (pp. 106-110). IEEE Transactions on Information Theory, Vol. IT-24.
• Pomerance, C. (Jan 23, 1987). Toward a New Factoring Record. Science News.
• Diffie, W. (May 1988). The First Ten Years of Public-Key Cryptography (p. 560). Proceedings of the IEEE, Vol. 76, No. 5.
• Rivest, R., Shamir, A., Adleman, L. (1978). A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, Vol. 21.
This note was uploaded on 05/26/2010 for the course TECH 6350 taught by Professor Mogollon during the Spring '10 term at University of Arkansas for Medical Sciences.