Network Security Tutorial-16 Design Fundamentals PGP ET-IDA-082 03.07.2019, v6 Prof. W. Adi

P1: PGP Authentication and Confidentiality: A PGP-based security system as shown in fig.1 is setup such that an appropriate prime number p = 4 q + 1 = 4 · 43 + 1 = 173 is generated for GF(P), where q=41 is a prime. Prove that p is a prime according to Pocklington’s theorem. Prove that the element α=2 is primitive in GF(173) and compute the probability that a randomly selected element is primitive in GF(173). Setup ElGamal public key crypto-system for public key encryption and ElGamal signature in DSA constellation over GF(173) for sender A and receiver B as shown in Fig. 1. Use Xa=12 and Xb=18 . Use the primitive element “α” and compute the corresponding public keys for A and B. Use the random R=k=9 for encryption and signature and use a session key KS =7. Select any necessary parameters to let the system work. The message M= 345792 is sent. Use the hash function H (M) = (M mod 100) mod 32 and state all necessary computations for all framed symbols in Fig. 1. MH: Unterscheidet sich der Font auf dieser Folie absichtlich von den anderen? Exam 2012

PGP Message with Confidentiality & Authentication Ks: Session Key PRa: A’s Private key for PK scheme PUa: A’s Public key for PK scheme EP : Public Key Encryption DP : Public Key Decryption EC: Symmetric Encryption DC: Symmetric Decryption H : Hash Function || : Concatenation Z : Compression (not applied) MD: Message Digest A: Sender H(M)=MD Signed Message Z=1 PE(PUb, Ks) PE(PRa, MD) B: Emfänger PE(PUb, Ks) PE(PRa, MD) Message MD is ciphered using key PRa Ks MD Z-1=1 Fig. 1 MD

Solution: 1. Prove that p is a prime according to Pocklington’s theorem. N = R . F + 1 = 4 . 43 + 1 = 173, F = 43 and R =4. Is 173 a prime? Proof: 1. gcd ( a (N-1)/ pj –1 , N ) = gcd ( 2172/43 –1 , 173 ) = gcd (15 , 173 ) = 1 is true 2. a N-1 = 1 ( mod N )  2172= 1 (mod 173) is true 3. F > 173 => 43 > 13,15 is true As all conditions 1, 2 and 3 are all true  173 is prime 2. Prove that the element α=2 is primitive in GF(173) and compute the probability that a randomly selected element is primitive in GF(173). Possible multiplicative orders are the divisors of of φ (173) =172 that is => 1, 2, 4, 43, 86, 172 Checking if the element 2 is a primitive one: 2 1 ≠ 1 , 2 2 ≠ 1 , 24 = 16≠ 1, 243 =80 ≠1, 286 =-1 ≠1 Ord (2) = 172  2 is a primitive element # of all non-zero elements 173 – 1 =172 # of primitive elements: φ ( 172 ) = φ ( 22 . 43 ) = 22 . 43 (1-1/2) (1 -1/43) = 84 P( element=primitive ) = ( 84 / 172 ) . 100 = 48.8% 4

ElGamal Digital Signature Algorithm in DSA, Standard form (1994) 3. Setup ElGamal public key crypto-system for public key encryption and ElGamal signature in DSA constellation over GF(173) for sender A and receiver B as shown in Fig. 1. Use Xa=12 and Xb=18 . Use the primitive element “α” and compute the corresponding public keys for A and B. Use the random R=k=9 for encryption and signature and use a session key KS =7. Select any necessary parameters to let the system work. ElGamal Digital Signature Algorithm in DSA, Standard form (1994) public directory User A signs M Verifier β=24 =16 is element in GF(173) with order q, where q = 43 Xa = 12 Secret Key of A  Xa = ya p, q, , ya ya =  Xb = 117 public key of A M or H(M) If M S r k -1 ( M + r . Xa ) in GF(q) = S Rq(M . S -1 ) Rq(r . S -1) Rp[β . ya ] = U k Rq[ Rp(βk) ] = r r = Rq( U ) M= H(M) = 28 q= 43, k=9 k-1= -19 mod q = 24 Then M is authentic S= k -1 ( M + r . Xa ) in GF(43) Signed Message Rq[ Rp(βk) ] = r FIG (2)

3. User A encrypts M = Ks = 7 to B =2 primitive element in GF(173) User B receives =2 primitive element in GF(173) Xa = 12 secret key of A  Xa=212 = 117 Xb =18 secret key of B  Xb=218 = 49 Ya =  Xa = 117 public key of A Yb =  Xb = 49 public key of B C 86 x 159 mod 173 = 7= Ks X X M= Ks = 7 C = M . Z = 7 x 37 = 86 / m Z = 2 18.9 mod 172 = 2 162 = 37 yb (49)9 r = 2 9= 166 r Z-1 =r -Xb = (166) 154 = 159 2 9 -Xb =- 18 R=9 Random Generator : R = 0 ... p-1 a new R is needed for every message Xb = (173-1) – 18 = 154 FIG (3)

4. The message M= 345792 is sent. Use the hash function H (M) = (M mod 100) mod 32 and state all necessary computations for all framed symbols in Fig. 1. H(M) = M mod 100 mod 32 H(M) = 345792 mod 100 mod 32 = 28 Referring to Fig (2) PRa =Xa = 12 q= 43, K=9, K-1= -19= 24 M= 28 Rq[ Rp(βk) ] = r S= k -1 ( M + r . Xa ) in GF(q) r = R43[ R173(169) ] = 23 S= 24 ( 28 + 23 . 12 ) mod 43 = 29 Referring to Fig (3) Message M = Ks=7 Ks = M = 7 in Fig. (3) R = 9 PUb = Yb= 49 = 218 r=2 9 mod 173 = 166 PE(PUb, KS) = KS (yb )R mod 173 = (7) (49)9 mod 173 = 86 PRb = Xb= 18 PUa =Ya= 117

P2: PGP Authentication and Confidentiality: Design a RSA public-key solution for P1. Use the hash-mapping as MD=H(M) = [ ∑ mi2 mod 100 ] mod 83, where mi are the message parts each having two digits, M = 21 35 86 2. Let a trusted authority TA create its RSA signature scheme and sign the public keys of A and B. Generate the certificates for both public keys and show how to verify them. 1. PGP messages: Setup RSA Parameters for A and B All selected public keys should be at least larger than the hash value 83, and also larger than the value of any two digits, that is 99. USER A: Na = pa . qa = 17x 11= 187 open modulus of A pa . qa = 17 ,11 two secret primes (Na) = (pa-1).(qa -1) = (17-1)(11-1) = 160 Ea = open Encryption key of A =7 Da = Ea-1 [mod (Na) ] = 7-1 mod 160 = 23 Open Directory Na = 187 Ea= 7 MH: Unterscheidet sich der Font auf dieser Folie absichtlich von den anderen? USER B: Nb = pb . qb = 19 x 7 = 133 open modulus of B pb . qb = 19 ,7 two secret primes (Nb) = (pb-1).(qb -1) = (19-1)(7-1) = 108 Eb = open Encryption key of B =11 Db = Eb-1 [mod (Nb) ] = 11-1 mod 108 = -49 Db = -49+108 = 59 Open Directory Nb = 133 Eb= 11

PGP Message with Confidentiality & Authentication Ks: Session Key PRa: A’s Private key for PK scheme PUa: A’s Public key for PK scheme EP : Public Key Encryption DP : Public Key Decryption EC: Symmetric Encryption DC: Symmetric Decryption H : Hash Function || : Concatenation Z : Compression (not applied) MD: Message Digest A: Sender H(M)=MD Signed Message Z=1 PE(PUb, Ks) PE(PRa, MD) B: Emfänger PE(PUb, Ks) PE(PRa, MD) Message MD is ciphered using key PRa Ks MD’ Fig. 4 Z-1=1 MD Mr

Referring to Fig (4) Sender A Encrypting Ks 4. The message M= 345792 is sent. Use the hash function [ ∑ mi2 mod 100 ] mod 83, where mi are the message parts each having two digits and M = 21 35 86 and state all necessary computations for all framed symbols in Fig. 4. Referring to Fig (4) m1=21  m12 mod 100=41 m2=35  m22 mod 100=25  m3=86  m32 mod 100=96 Computing MD=H(M) MD= H(M) = [ ∑ mi2 mod 100 ] mod 83 MD = [41+25+96] mod 83 = 79 Sender A PRa = Da = 23 PUa = Ea =7 - EP[PRa, H(M) ] = [23, 79] = 7923 mod 187= 173 M || EP[PRa, H(M) ] =213586 ||173 Encrypting Ks Message M = Ks=7 PUb = Yb= 11 Nb = 133 - PE(PUb, KS) = (KS )Pub mod 133 = (7)11 mod 133 = 49

Receiver B Computing Ks PRb = 59 Nb = 133 Computing MD‘ PUa = 7 Ks= DP [ PRb, PE(PUb, Ks) ] = [59, 49] = 4959 mod 133 = 7 Computing MD‘ PUa = 7 Na = 187 MD’ = DP{ PUa, EP[PRa, H(M) ] } = [7, 173] = 1737 mod 187 = 79 Decrypted hash digest from the signature of A Compare : MD = H (Mr) <?=> MD‘ B computes the hash value of the received message Mr, MD = H (Mr) = 79 m1=21  m12 mod 100=41 m2=35  m22 mod 100=25  m3=86  m32 mod 100=96 MD = H(Mr) = [ ∑ mi2 mod 100 ] mod 83 MD = [41+25+96] mod 83 = 79

TA creates ist own RSA setup 2. Certificates for the public keys of A and B TA creates ist own RSA setup RSA setup for TA: Na = pa . qa = 17x 19= 323 open modulus of TA pa . qa = 17 ,19 two secret primes (Na) = (pa-1).(qa -1) = (17-1)(19-1) = 288 Eta = open Encryption key of TA =55 Dta = Eta-1 [mod (Na) ] = 55-1 mod 288 = -89= 199 TA’s signing secret key is: Dta = 199 TA Open Directory Na = 323 Ea= 55 Certificate for user A public key Assume the name of A = 12 35 Ea= PUa = 7 Na = 187 Info of A‘s certificate: Inf-A = A || Ea || Na Info of A‘s certificate: Inf-A = 12 35 7 187 Cert A = Inf-A , { H(Inf-A) }TA = 12 35 7 187, 13 mod 323 = 12 35 7 187 , 13199 mod 323 =12 35 7 187 , 89 Dta That is Cert A = 12 35 7 187 , 89 H(Inf-A) = [ ∑ mi2 mod 100 ] mod 83 H(Inf-A) = [122 +352+712 + 872] mod 100 mod 83 = (44 + 25 + 41 + 69) mod 83 = 13 Verify certificate of user A Check if : H(Inf-A) = 8955 mod 323 H(12 35 7 187 ) = 13 this true, that is the public key of A is authentic