@Yuan Xue CS 285 Network Security Public-Key Cryptography Yuan Xue Fall 2012
Motivation
Two difficult problems associated with the secret-key cryptosystem:
- Key distribution
- Non-repudiation
Public-Key Cryptography
- Diffie and Hellman achieved an important breakthrough in
- The proposed scheme was radically different from all previous approaches to cryptography
  - It uses a pair of different keys, in contrast to one shared key in symmetric encryption.
  - It is based on mathematical functions instead of substitution and permutation.
- The proposed scheme is called public-key (asymmetric) cryptography
History
- The scheme proposed by Diffie and Hellman is not a general-purpose encryption algorithm. It can only provide secure secret key exchange.
- Thus it presented a challenge for cryptologists: to design a general-purpose encryption algorithm that satisfies the public-key encryption requirements.
- One of the first responses to the challenge was developed in 1977 by Rivest, Shamir and Adleman at MIT, and is known as RSA.
Public-Key Cryptosystem Model
- A public-key cryptosystem uses a pair of different but related keys: one is placed in a public register (public key), the other is kept secret (private key).
- It is computationally infeasible for an opponent, knowing the public key KU and the encryption and decryption algorithms E, D, to determine the companion private key KR.
- It is computationally infeasible for an opponent, knowing the public key KU and the ciphertext C which is encrypted via this key, C = E(KU, P), to determine the plaintext P.
Essential Steps
- Generate a pair of keys: A generates the public key KU_A and the private key KR_A.
- Publish the public key, while keeping the private key secret. Users have access to a collection of public keys from their communication parties.
- Use one of the above models to encrypt the message to achieve different security goals, and deliver the message.
For practical use, the following features are also preferred in a public-key encryption algorithm.
- It is computationally easy to generate a pair of keys (public key and private key).
- It is computationally easy to encrypt a message using either the public or the private key, and decrypt it via the companion key.
Confidentiality
Source Authentication
Confidentiality + Authentication
Outline
- Mathematical Preliminary
- RSA algorithm description
- Why RSA works
- Why RSA is secure
Mathematical Preliminary -- Modular Addition
Mathematical Preliminary -- Modular Multiplication
Mathematical Preliminary -- Modular Exponentiation
- What is an exponentiative inverse?
- Given K, can K’’ be efficiently found?
- Euler’s Theorem and the totient function
RSA Algorithm
Implementing RSA Algorithm
Generating RSA keys -- Finding big primes p and q
- There is no known practical way of determining with absolute certainty that a large number is prime.
- There is a test for determining that a number is probably prime (using Miller and Rabin).
Procedure for picking a prime number p
1. Pick an odd random integer p
2. Perform the probabilistic primality test; if p fails the test, reject p and go to step 1
3. If p has passed a sufficient number of tests, accept p
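The three-step procedure above, written out as an added example (not code from the original slides). The function names, the trial-division pre-filter and the default of 40 rounds are assumptions made for illustration.

```python
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def miller_rabin_round(p, a):
    """One round with base a; False means p is certainly composite."""
    d, s = p - 1, 0
    while d % 2 == 0:          # write p - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    x = pow(a, d, p)
    if x in (1, p - 1):
        return True
    for _ in range(s - 1):     # look for -1 among the successive squarings
        x = pow(x, 2, p)
        if x == p - 1:
            return True
    return False

def is_probable_prime(p, rounds=40):
    """A composite survives all rounds with probability at most 4**-rounds."""
    if p < 2:
        return False
    for q in SMALL_PRIMES:     # cheap trial division filters most candidates
        if p % q == 0:
            return p == q
    return all(miller_rabin_round(p, 2 + secrets.randbelow(p - 3))
               for _ in range(rounds))

def pick_prime(bits, rounds=40):
    """Steps 1-3 of the slide; returns (prime, rejected_candidates)."""
    rejected = 0
    while True:
        # Step 1: random odd integer, top bit forced so it has exactly `bits` bits.
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        # Steps 2-3: reject on the first failed test, accept after `rounds` passes.
        if is_probable_prime(p, rounds):
            return p, rejected
        rejected += 1

if __name__ == "__main__":
    prime, rejected = pick_prime(512)
    print(f"{prime.bit_length()}-bit probable prime after {rejected} rejections")
```

The candidate is drawn from `secrets` rather than `random` because the primes are key material.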
Implementing RSA Algorithm
Generating RSA keys -- Finding d and e
Having a small constant e
- RSA is no less secure if e is always chosen to be the same number
- If e is chosen to be small, then the operations of encryption and signature verification are much more efficient.
- Popular values of e are 3 and
Issues with value of 3
- If message P is too small (smaller than n^(1/3)), then decrypting the message simply takes a cube root
- P needs to be large
- And more
is a good choice = 2^(16) + 1
Using RSA Algorithm
- RSA is a block cipher
  - The plaintext and ciphertext are represented as integers between 0 and n-1 for some n.
  - i.e., the block size must be less than or equal to log2(n)
- When you create an RSA key pair, you specify a key length in bits.
  - The key length of an RSA key specifies the number of bits in n.
- Typical choice of RSA key length
  - 1024 bits, sufficient for many medium-security purposes such as web site logins;
  - 2048 bits, high security applications
Attacks on RSA (I)
- If the message encrypted by the public key in RSA is guessable, then the attacker can encrypt all the possible messages with the public key and match the results with the ciphertext to derive the correct plaintext
- Solution: the plaintext messages in RSA need to be padded with random bits
Public Key Cryptography Standard
- PKCS defines a set of standards for the information encoding in the usage of RSA so that various pitfalls with RSA can be avoided
- For example, PKCS #1 defines a standard for formatting messages encrypted with RSA:
  0 | 2 | At least 8 random nonzero octets | 0 | data
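The slides on small e, guessable messages and the PKCS #1 message format fit together, as this added example shows (it is not code from the original slides). The demo key is constructed from two well-known primes and is an assumption for illustration, as are all function names.

```python
import secrets

# Constructed demo key, not for real use: two well-known primes (the Curve448
# field prime and the Poly1305 prime), both 2 mod 3 so that e = 3 is valid.
P, Q = 2**448 - 2**224 - 1, 2**130 - 5
N, E = P * Q, 3
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8            # modulus length in octets

def icbrt(x):
    """Largest integer r with r**3 <= x (binary search, no floats)."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo

def textbook_encrypt(m: bytes) -> int:
    """Unpadded RSA: deterministic, and m**3 may never wrap around n."""
    return pow(int.from_bytes(m, "big"), E, N)

def pad_type2(m: bytes) -> bytes:
    """0 | 2 | at least 8 random nonzero octets | 0 | data"""
    ps_len = K - 3 - len(m)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(1 + secrets.randbelow(255) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + m

def padded_encrypt(m: bytes) -> int:
    return pow(int.from_bytes(pad_type2(m), "big"), E, N)

def padded_decrypt(c: int) -> bytes:
    em = pow(c, D, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)            # first zero octet after the 0 | 2 header
    if em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("decryption error")
    return em[sep + 1:]

def matching_guesses(c: int, candidates) -> list:
    """The re-encrypt-and-compare check that random padding is meant to defeat."""
    return [g for g in candidates if textbook_encrypt(g) == c]
```

Without padding, an 8-octet message cubed is still smaller than n, so `icbrt` of the ciphertext is the message; with the padded block the value fills the modulus and two encryptions of the same message differ.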
Attacks on RSA (II)
Chosen-ciphertext attack
To decrypt a ciphertext c = p^e (mod n):
1) ask the holder of the private key to decrypt a ciphertext c' = c r^e (mod n) for some value r chosen by the attacker.
2) c' is the encryption of pr (mod n). If the attacker is successful with the attack, he will learn pr (mod n)
3) derive the message p by multiplying pr with the modular inverse of r modulo n.
More attacks
Timing attacks
- 1995: if the attacker Eve knows Alice's hardware in sufficient detail and is able to measure the decryption times for several known ciphertexts, she can deduce the decryption key d quickly.
- One way to thwart these attacks is to ensure that the decryption operation takes a constant amount of time for every ciphertext. However, this approach can significantly reduce performance.
- Instead, most RSA implementations use an alternate technique known as cryptographic blinding.
Adaptive chosen ciphertext attacks
- 1998: against RSA-encrypted messages using the PKCS #1 v1 padding scheme
- able to mount a practical attack against RSA implementations of the Secure Socket Layer protocol, and to recover session keys.
- recommend the use of provably secure padding schemes such as Optimal Asymmetric Encryption Padding, and RSA Laboratories has released new versions of PKCS #1 that are not vulnerable to these attacks.
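The identity c' = c r^e (mod n) from the chosen-ciphertext slide is the same one cryptographic blinding relies on, with the key holder choosing a fresh secret r so that the private exponentiation never runs on the submitted ciphertext itself. This is an added example, not code from the original slides; the constructed demo key and all function names are assumptions.

```python
import secrets
from math import gcd

# Constructed demo key, not for real use: two well-known primes
# (Curve448 field prime and Poly1305 prime) with e = 2^16 + 1.
P, Q = 2**448 - 2**224 - 1, 2**130 - 5
N, E = P * Q, 2**16 + 1
D = pow(E, -1, (P - 1) * (Q - 1))    # raises ValueError if e were not invertible

def encrypt(p: int) -> int:
    return pow(p, E, N)

def raw_decrypt(c: int) -> int:
    """Unblinded private-key operation: the exponentiation input is c itself."""
    return pow(c, D, N)

def mask(c: int, r: int) -> int:
    """c' = c * r^e (mod n), which is the encryption of p*r (mod n)."""
    return c * pow(r, E, N) % N

def unmask(pr: int, r: int) -> int:
    """Multiply p*r by the modular inverse of r modulo n to get p back."""
    return pr * pow(r, -1, N) % N

def blinded_decrypt(c: int) -> int:
    """Private-key operation on c' instead of c, with a fresh secret r per call."""
    while True:
        r = 2 + secrets.randbelow(N - 3)
        if gcd(r, N) == 1:           # r must be invertible modulo n
            break
    return unmask(pow(mask(c, r), D, N), r)
```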
Put RSA into practice - how to use RSA
- Using security tools (GnuPG; OpenSSL)
- Programming in Java
  - Sample code
Put RSA into practice - when to use RSA
- RSA is seldom used for encrypting data
  - Much slower than symmetric key encryption
- Typical use
  - RSA: encrypt secret keys (key distribution)
  - AES: encrypt data
Other Public-Key Algorithms

Algorithm                                              | Encryption/Decryption | Digital Signature | Key Exchange
RSA, ECC (Elliptic Curve Cryptography)                 | Y                     | Y                 | Y
Diffie-Hellman (will be discussed in key management)   | N                     | N                 | Y
DSA (will be discussed in digital signature)           | N                     | Y                 | N
Readings
- Required Reading: [WS]
- Recommended Reading: [KPS]
- Further Reading
  - RSA:
  - Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1:
  - PKCS:
  - ECC:
[WS] ; [KPS] 6.7