Cryptography
Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications are compromised also is symmetric, parties are equal hence does not protect sender from receiver forging a message & claiming is sent by sender
Private-Key Cryptography probably most significant advance in the 3000 year history of cryptography uses two keys – a public & a private key asymmetric since parties are not equal uses clever application of number theoretic concepts to function complements rather than replaces private key cryptography
Private-Key Cryptography public-key/two-key/asymmetric cryptography involves the use of two keys: a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures is asymmetric because those who encrypt messages or verify signatures cannot decrypt messages or create signatures
Private-Key Cryptography
Why Public-Key Cryptography? developed to address two key issues: key distribution – how to have secure communications in general without having to trust a KDC with your key digital signatures – how to verify a message comes intact from the claimed sender public invention due to Whitfield Diffie & Martin Hellman at Stanford in 1976 known earlier in classified community
Public-Key Characteristics Public-Key algorithms rely on two keys with the characteristics that it is: computationally infeasible to find decryption key knowing only algorithm & encryption key computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known either of the two related keys can be used for encryption, with the other used for decryption (in some schemes)
Public-Key Applications can classify uses into 3 categories: encryption/decryption (provide secrecy) digital signatures (provide authentication) key exchange (of session keys) some algorithms are suitable for all uses, others are specific to one
Security of Public Key Schemes like private key schemes brute force exhaustive search attack is always theoretically possible but keys used are too large (>512bits) security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problems more generally the hard problem is known, its just made too hard to do in practise requires the use of very large numbers hence is slow compared to private key schemes
RSA by Ron Rivest, Adi Shamir and Len Adleman of MIT in 1977 best known & widely used public-key scheme Much of the underlying theory we will not be able to get to It’s beyond the scope of this course Much of why this all works won’t be taught It’s just an introduction to how it works
RSA based on exponentiation in a finite (Galois) field over integers modulo a prime nb. exponentiation takes O((log n)3) operations (easy) uses large integers (eg. 1024 bits) security due to cost of factoring large numbers nb. factorization takes O(e log n log log n) operations (hard)
Is that number prime? Use the Fermat primality test Given: n: the number to test for primality k: the number of times to test (the certainty) The algorithm is: repeat k times: pick a randomly in the range [1, n−1] if an−1 mod n ≠ 1 then return composite return probably prime
Is that number prime? The algorithm is: Let n = 105 repeat k times: pick a randomly in the range [1, n−1] if an−1 mod n ≠ 1 then return composite return probably prime Let n = 105 Iteration 1: a = 92: 92104 mod 105 = 1 Iteration 2: a = 84: 84104 mod 105 = 21 Therefore, 105 is composite
Is that number prime? The algorithm is: Let n = 101 repeat k times: pick a randomly in the range [1, n−1] if an−1 mod n ≠ 1 then return composite return probably prime Let n = 101 Iteration 1: a = 55: 55100 mod 101 = 1 Iteration 2: a = 60: 60100 mod 101 = 1 Iteration 3: a = 14: 14100 mod 101 = 1 Iteration 4: a = 73: 73100 mod 101 = 1 At this point, 101 has a (½)4 = 1/16 chance of still being composite
More on the Fermat primality test Each iteration halves the probability that the number is a composite Probability = (½)k If k = 100, probability it’s a composite is (½)100 = 1 in 1.2 1030 that the number is composite Greater chance of having a hardware error! Thus, k = 100 is a good value However, this is not certain! There are known numbers that are composite but will always report prime by this test Source: http://en.wikipedia.org/wiki/Fermat_primality_test
RSA Three parts: Key generation Encrypting a message Decrypting a message
Key generation steps Choose two random large prime numbers p ≠ q, and set n = p*q Choose an integer 1 < e < n which is relatively prime to (p-1)(q-1) Compute d such that d * e ≡ 1 (mod (p-1)(q-1)) Rephrased: d*e mod (p-1)(q-1) = 1 Destroy all records of p and q
Key generation, step 1 Choose two random large prime numbers p ≠ q In reality, 2048 bit numbers are recommended That’s 617 digits Note that the chance of a random odd 2048 bit number being prime is about 1/710 We can compute if a number is prime relatively quickly via the Fermat primality test We choose p = 107 and q = 97 Compute n = p*q n = 10379
Key generation, step 1 Practical considerations p and q should not be too close together (p-1) and (q-1) should not have small prime factors Use a good random number generator
Key generation, step 2 Choose an integer 1 < e < n which is relatively prime to (p-1)(q-1) There are algorithms to do this efficiently We aren’t going over them Easy way to do this: make e be a prime number It only has to be relatively prime to (p-1)(q-1), but can be fully prime
Key generation, step 2 Recall that p = 107 and q = 97 We choose e = 85 (p-1)(q-1) = 106*96 = 10176 = 26*3*53 We choose e = 85 85 = 5*17 gcd (85, 10176) = 1 Thus, 85 and 10176 are relatively prime
Key generation, step 3 Compute d such that: d * e ≡ 1 (mod (p-1)(q-1)) Rephrased: d*e mod (p-1)(q-1) = 1 There are algorithms to do this efficiently We aren’t going over them We choose d = 4669 4669*85 mod 10176 = 1
Key generation, step 4 Destroy all records of p and q If we know p and q, then we can compute the private encryption key from the public decryption key d * e ≡ 1 (mod (p-1)(q-1))
The keys We have n = p*q = 10379, e = 85, and d = 4669 The public key is (n,e) = (10379, 85) The private key is (n,d) = (10379, 4669) Thus, n is not private Only d is private In reality, d and e are 600 (or so) digit numbers Thus n is a 1200 (or so) digit number
Encrypting messages To encode a message: Encode the message m into a number Split the number into smaller numbers m < n Use the formula c = me mod n c is the ciphertext, and m is the message
Decrypting messages Use the formula m = cd mod n on each number Split the number into individual ASCII character numbers Decode the message into a string
modPow computation How to compute c = me mod n or m = cd mod n? Example: 45014669 mod 10379 = 4181 Other means: Java: use the BigInteger.modPow() method Perl: use the bmodpow function in the BigInt library Etc…
Why this works m = cd mod n c = me mod n cd ≡ (me)d ≡ med (mod n) Recall that: ed ≡ 1 (mod p-1) ed ≡ 1 (mod q-1) Thus, med ≡ m (mod p) med ≡ m (mod q) med ≡ m (mod pq) med ≡ m (mod n)
Cracking a message In order to decrypt a message, we must compute m = cd mod n n is known (part of the public key) c is known (the ciphertext) e is known (the encryption key) Thus, we must compute d with no other information Recall: choose an integer 1 < e < n which is relatively prime to (p-1)(q-1) Recall: Compute d such that: d*e mod (p-1)(q-1) = 1 Thus, we must factor the composite n into it’s component primes There is no efficient way to do this! We can, very easily, tell that n is composite, but we can’t tell what its factors are Once n is factored into p and q, we compute d as above Then we can decrypt c to obtain m
Cracking a message example In order to decrypt a message, we must compute m = cd mod n n = 10379 c is the ciphertext being cracked e = 85 In order to determine d, we need to factor n d*e mod (p-1)(q-1) = 1 We factor n into p and q: 97 and 107 This would not have been feasible with two large prime factors!!! d * 85 (mod (96)(106)) = 1 We then compute d as above, and crack the message
Signing a message Recall that we computed: d*e mod (p-1)(q-1) = 1 Note that d and e are interchangable! You can use either for the encryption key You can encrypt with either key! Thus, you must use the other key to decrypt
Signing a message To “sign” a message: Write a message, and determine the MD5 hash Encrypt the hash with your private (encryption) key Anybody can verify that you created the message because ONLY the public (encryption) key can decrypt the hash The hash is then verified against the message
Some of the Theory Fermat’s Theorem Euler Totient Function ø(n) Euler’s Theorem
Fermat's Theorem ap-1 mod p = 1 also known as Fermat’s Little Theorem where p is prime and gcd(a,p)=1 also known as Fermat’s Little Theorem useful in public key and primality testing
Euler Totient Function ø(n) when doing arithmetic modulo n complete set of residues is: 0..n-1 reduced set of residues is those numbers (residues) which are relatively prime to n eg for n=10, complete set of residues is {0,1,2,3,4,5,6,7,8,9} reduced set of residues is {1,3,7,9} number of elements in reduced set of residues is called the Euler Totient Function ø(n)
Euler Totient Function ø(n) to compute ø(n) need to count number of elements to be excluded in general need prime factorization, but for p (p prime) ø(p) = p-1 for p∙q (p,q prime) ø(p∙q) = (p-1)(q-1) eg. ø(37) = 36 ø(21) = (3–1)×(7–1) = 2×6 = 12
Euler's Theorem a generalisation of Fermat's Theorem aø(n)mod N = 1 where gcd(a,N)=1 eg. a=3;n=10; ø(10)=4; hence 34 = 81 = 1 mod 10 a=2;n=11; ø(11)=10; hence 210 = 1024 = 1 mod 11
Why RSA Works because of Euler's Theorem: aø(n)mod N = 1 in RSA have: where gcd(a,N)=1 in RSA have: N=p∙q ø(N)=(p-1)(q-1) carefully chosen e & d to be inverses mod ø(N) hence e∙d=1+k∙ø(N) for some k hence : Cd = (Me)d = M1+k∙ø(N) = M1∙(Mø(N))q = M1∙(1)q = M1 = M mod N
PGP and GnuPG Two applications which implement the RSA algorithm GnuPG Is open-source (thus it’s free) PGP was first, and written by Phil Zimmerman The US gov’t didn’t like PGP…
The US gov’t and war munitions
How to “crack” PGP Factoring n is not feasible Thus, “cracking” PGP is done by other means Intercepting the private key “Hacking” into the computer, stealing the computer, etc. Man-in-the-middle attack (next 2 slides) Etc.
Man-in-the-middle attack: “Normal” RSA communication What is your public key? My public key is 12345… What is your public key? My public key is 67890… Here’s message encrypted with 12345… Here’s a response encrypted with 67890…
What is your public key? What is your public key? My public key is 12345… My public key is abcde… What is your public key? What is your public key? Black has the private decryption key for abcde… My public key is 67890… My public key is vwxyz… Here’s message encrypted w/ abcde… Black has the private decryption key for vwxyz… Decrypts message with corresponding private key to abcde…; re-encrypts message with blue’s public key (12345…) Here’s message encrypted w/ 12345… Here’s response encrypted w /vwxyz… Decrypts message with corresponding private key to vwxyz…; re-encrypts message with yellow’s public key (67890…) Here’s response encrypted w/ 67890…
Other public key encryption methods Modular logarithms Developed by the US government, therefore not widely trusted Elliptic curves
Quantum computers A quantum computer could (in principle) factor n in reasonable time This would make RSA obsolete! Shown (in principle) by Peter Shor in 1993 You would need a new (quantum) encryption algorithm to encrypt your messages This is like saying, “in principle, you could program a computer to correctly predict the weather” A few years ago, IBM created a quantum computer that successfully factored 15 into 3 and 5 I bet the NSA is working on such a computer, also
Sources Wikipedia article has a lot of info on RSA and the related algorithms Those articles use different variable names Link at http://en.wikipedia.org/wiki/RSA