Public-Key Cryptography RSA Rivest-Shamir-Adelmann Public-Key System Network Security Design Fundamentals ET-IDA-082 Lecture-10 Public-Key Cryptography RSA Rivest-Shamir-Adelmann Public-Key System 11.05.2016, v24 Prof. W. Adi
Lecture Outlines Historical Overview ! RSA Public-Key Encryption System RSA Public-Key Signature System RSA Security considerations
Conventional Cryptography till 1976 Secret Key systems Ciphering Sender De-Ciphering Receiver Y = E (Z,X) X E ( Z,X ) D ( Z,Y ) X Message Channel Message Secret Key Channel Z Secret Key = Z Z Public-Key system drops that part completely
Public-Key Secrecy System RSA 1978 (Rivest Shamir Adelmann) MIT, USA !! K-close K-open Trap-door One Way Function ! RSA secrecy system: Was published 1978 based mainly on Euler theorem and on the claim that Euler function for any integer m is only computable if the factorization of m is known and that factorization is considered as computationally unsolved problem For m = p1 p2 p3 .... pt e1 e2 e3 et (m) = m ( 1 - ) ( 1 - ) …… P2 1 P1
Basic Public Key Secrecy System (RSA system1978) RSA: Rivest-Shamir-Adleman, MIT, USA (Mechanical simulation: user A sends a message to B) All operations in Zm User A User B Public register Close Kc open Ko= Kc-1 ( )Kc (mod m) Kc M MKc.Ko = M (MKc)Ko Ko MKc
Conventional Public-Key Crypto-system (using asymmetric keys) Sender Receiver Y = E (Zp,X) X X E ( Zp,X ) D ( Zs,Y ) Message Channel Message Secret-Key Zs Public-Key Zp Public Directory Z.. Zp Z... Zs
( ) RSA-Lock (Hiding Function) Uses Exponentiation in the Ring Zm Where m = p.q , p and q are two large secret primes E M E (mod m) ENCRYPTION ( ) D M E (mod m) DECRYPTION ( M E )D mod (m) = M E. D mod (m) = M To get M, the following should hold: E . D = 1 or D = E-1 in the exponent That is E and D should be invertible modulo (m) ! Or gcd (E, (m) ) =1 Security Considerations: m is a large composite (m=p q), p and q are two large secret primes. To break the system (m) is required to compute D =E-1 modulo (m). However (m) can only be computed if p and q are known. Therefore, the system can only be broken if and only if m can be factored or (m) can be found somehow!
RSA Public Key Secrecy System 1978 Design Scheme of RSA Public Key Secrecy System 1978 Open directory USER A: Na = pa . qa open modulus of A pa . qa tow secret large primes (Na) = (pa-1).(qa -1) Ea = open Encryption key of A Da = Ea-1 [mod (Na) ] USER B: Nb = pb . qb open modulus of B pb . qb tow secret large primes (Nb) = (pb-1).(qb -1) Eb = open Encryption key of B Db = Eb-1 [mod (Nb) ] User A Na Ea User B Nb Eb Y= M mod Nb (Encrypt) Eb Condition: gcd [Ea , (Na) ] = 1 Condition: gcd [ Eb , (Nb) ] = 1 Number of possible keys = [(Na)] Number of possible keys = [(Nb)] A sends Message M to B: Db Eb Db = M mod Nb =M (Decrypt) Y
Public-Key Signature Scheme Signing Process Message M to be signed Verification Process Message M Signature Sa of user A Signed Message Public Directory Ea Verification Key for A Message Public-Key Signature Generator Signature Sa Encrypted Message by Da Secret Signature Key Da Check If decryption gives Message Reject Accept
Practical Public-Key Signature Scheme Signing Process Verification Process Message M to be signed Data Digest Compressor (Hash Function) Public Directory Ea Verification Key for A Message M Signature Sa of user A Signed Message Public-Key Signature Generator Signature Sa Secret Signature Key Da Check Reject Accept
RSA Public Key Signature System 1978 A signs Document M for B: Design Scheme of RSA Public Key Signature System 1978 User B Nb Eb User A Na Ea USER A: Na = pa . qa open modulus of A pa . qa two secret large primes (Na) = (pa-1).(qa -1) Ea = open Encryption key of A Da = Ea-1 [mod (Na) ] USER B: Nb = pb . qb open modulus of B pb . qb twosecret large primes (Nb) = (pb-1).(qb -1) Eb = open Encryption key of B Db = Eb-1 [mod (Nb) ] Open directory gcd [ Eb , (Nb) ] = 1 gcd [Ea , (Na) ] = 1 Ea Da A signs Document M for B: (M,S) Signed Message Da Ea = M mod Na=M´ (Verify M´=M)? M = S mod Na S If M´= M then the signature is true
Security design considerations of RSA Public-Key Encryption and Signature System Security considerations and RSA system facts: Based on the assumption that Integer Factoring is not efficiently computable Every user should find two large primes p and q and multiply them to get N which the user publishes as his open modulus. Both primes p and q are kept secret by the user. As the user knows p and q, he can compute Euler function (N)= (p.q)= (p-1)(q-1). The then seeks a random integer E, which should be invertible modulo (N) and publishes E as his open encryption key. The inverse of E modulo (N) is D and this is to be kept secret. 4. Caution: There is no evidence that no efficient algorithms can be found to break the system. 5. p-1 and q-1 should have large prime factor to make attacks more infeasible (p and q are “strong primes”).
Security of RSA Public Key System Is Exponentiation y = a x in Zm a One-Way Function ? Theoretically not (no proof that (m) is not computable if we do not know p and q !!) Practically and still yes if : m is a product of two strong primes! RSA system can be broken by: 1. Factoring m = p . q 2. Computing (m) somehow without factoring. (m) = (p -1)(q -1) = m - p - q + 1 s = (p + q) = m - (m) + 1 m = p . q p or q = ( s s2 - 4 m ) / 2 But factoring is computationally equivalent to computing Euler function (m) Proof:
Example: Construct RSA secrecy system using the two prime pairs 11, 5 and 3,11. Encrypt the message M=2 sent to user B. Let B signs M and send his signature back to A. Solution: Open directory USER A: Na = 11 x 5 open modulus of A pa . qa two secret large primes (Na) = (pa-1).(qa -1)=40 7= open Encryption key of A Da = 7-1 [mod 40) ] =23 USER B: Nb = 3. 11 open modulus of B pb . qb two secret large primes (Nb) = (pb-1).(qb -1) =20 3 = open Encryption key of B Db = Eb-1 [mod (Nb) ] =7 User A 55 7 User B 33 3 gcd [Ea , (Na) ] = 1 gcd [ Eb , (Nb) ] = 1 A sends Message M=5 to B: 3 Y = 26 Y = 5 mod 33= 26 (A Encrypts M) 7 26 mod 33 = 5 = M (Decrypt) Security Gap: Notice that anybody can decrypt S to disclose M! Any other solution? M’=143 mod 33 = 5 = M (Verify) S = 14 S= 57 mod 33 = 14 (B signes M)