Cryptosystems, Hash Functions and Digital Signatures --- Lecture 4 ---

Information and Network Security

Slide 2: Outline
- Why public key cryptography?
- General principles of public key cryptography
- The RSA public key cryptosystem
- One-way hash functions
- Digital signature

Slide 3: Private key cipher
[Figure: Alice and Bob each hold the secret key; plain text -> E -> cipher text -> network or storage -> D -> plain text.]

Slide 4: Problems with private key ciphers
- In order for Alice & Bob to be able to communicate securely using a private key cipher, such as DES, they have to have a shared key in the first place.
  - Question: What if they have never met before?
- Alice needs to keep 100 different keys if she wishes to communicate with 100 different people.

Slide 5: Motivation of Public Key Cryptography
- Is it possible for Alice & Bob, who have no shared secret key, to communicate securely?
- This led to the SINGLE MOST IMPORTANT discovery of public key communications:
  - Diffie & Hellman’s ideas of public key cryptography

Slide 6: Main ideas
- Bob:
  - publishes, say in Yellow/White pages, his
    - public (for encryption) key, and
    - encryption algorithm.
  - keeps to himself
    - the matching secret (for decryption) key.

Slide 7: Main ideas (2)
- Alice:
  - looks up the phone book, and finds out Bob’s
    - public key, and
    - encryption algorithm.
  - encrypts a message using Bob’s public key and encryption algorithm.
  - sends the ciphertext to Bob.

Slide 8: Main ideas (3)
- Bob:
  - receives the ciphertext from Alice
  - decrypts the ciphertext using his secret key, together with the decryption algorithm

Slide 9: Public Key Cryptosystem
[Figure: the public key directory (Yellow/White Pages) lists "Bob: Public Key"; Alice's plain text -> E -> cipher text -> network -> D -> plain text, with Bob holding the secret key.]

Slide 10: Main differences with DES
- The public key is different from the secret key.
- Infeasible for an attacker to find out the secret key from the public key.
- No need for Alice & Bob to distribute a shared secret key beforehand!
- Only one pair of public and secret keys is required for each user!

Slide 11: Realising public key ciphers
- The most famous system that implements Diffie & Hellman’s ideas on public key ciphers is due to
  - Ronald Rivest
  - Adi Shamir
  - Leonard Adleman
- This public key cryptosystem is called RSA.

Slide 12: Mathematical background
Assume that we are working with non-negative integers:
- Prime and composite numbers
  - a prime number is an integer that can be divided only by 1 and itself
    - E.g. 2, 3, 5, 7, 11, 13, 101
  - all other integers are composite
    - E.g. 4, 6, 8, 9, 10, 12

Slide 13: Mathematical background
Modular operations
- “remainder”
  - 13 mod 5 = 3, 1 mod 7 = 1
  - 20 mod 5 = 0, 32 mod 7 = 4
- modular exponentiation
  - 2^2 mod 3 = 1, 3^2 mod 3 = 0
  - 2^2 mod 5 = 4, 10^2 mod 92 = 8
  - 4^6 mod 10 = 6, 3^11 mod 10 = 7

Slide 14: Mathematical background
- a is relatively prime to b if the largest integer that divides both a & b is 1
  - E.g.:
    - any m (<> 0) is relatively prime to a prime number
    - is 9 relatively prime to 10?

Slide 15: Mathematical background
- Let ø(n) denote the total numbers that are less than n and relatively prime to n
  - If n is a prime number then ø(n) = n – 1
  - If p, q are prime numbers and n = p*q, then
    - ø(n) = ø(p*q) = p*q – (p + q – 1) = (p-1)*(q-1)
      - p & q are prime numbers => only multiples of p and q are not relatively prime to p*q
      - That is: there are (p + q – 1) multiples [0 is counted once] of p and q
    - E.g.: p = 3; q = 7; {0, 3, 7, 6, 9, 12, 14, 15, 18} are not relatively prime to p*q
    - ø(n) = ø(p*q) = 12; {1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20}

Slide 16: Mathematical background
- y & n are integers and y (mod ø(n)) = 1, for any x < n, x^y mod n = x   (1)
  - E.g.:
    - y = 13; n = 7; x = 4;
    - ø(n) = 6; y mod ø(n) = 13 mod 6 = 1;
    - x^y = 4^13; x^y mod n = 4^13 mod 7 = 4 = x mod n;

Slide 17: Mathematical background
- The multiplicative inverse of x with modulo n is y such that: (x*y) mod n = 1   (2)
- The above multiplicative inverse can be used to create a simple public key cipher: either x or y can be thought of as a secret key and the other is the public key.
- E.g.: x = 3; n = 10; y = 7; we have: (3*7) mod 10 = 1;
  - M = 5; 3*5 (mod 10) = 5; 5*7 (mod 10) = 5 = M (message)
  - M = 6; 3*6 (mod 10) = 8; 8*7 (mod 10) = 6 = M (message)

Slide 18: RSA Public Key Cryptosystem
[Figure: the public key directory (Yellow/White Pages) lists Bob: (e, n). Public key: e & n; secret key: d. Alice's plain text is encrypted as c = m^e mod n, the cipher text crosses the network, and Bob recovers the plain text as m = c^d mod n.]

Slide 19: RSA (1)
- Bob:
  - chooses 2 large prime numbers: p, q
  - multiplies p and q: n = p*q
  - finds out two numbers e & d such that (e * d) mod ø(n) = 1 [similar to (2)], or (e * d) mod [(p-1)*(q-1)] = 1
  - public key (published in the phone book)
    - 2 numbers: (e, n)
    - encryption alg: modular exponentiation
  - secret key: (d, n)

Slide 20: RSA (2)
- Alice has a message m to be sent to Bob:
  - finds out Bob’s public encryption key (e, n)
  - calculates m^e (mod n) -> c
  - sends the ciphertext c to Bob

Slide 21: RSA (3)
- Bob:
  - receives the ciphertext c from Alice
  - uses his matching secret decryption key d to calculate c^d (mod n) -> m

Slide 22: RSA --- 1st small example (1)
- Bob:
  - chooses 2 primes: p = 5, q = 11
  - multiplies p and q: n = p*q = 55
  - finds out two numbers e = 3 & d = 27 which satisfy (3 * 27) mod 40 = 1
  - Bob’s public key
    - 2 numbers: (3, 55)
    - encryption alg: modular exponentiation
  - secret key: (27, 55)

Slide 23: RSA --- 1st small example (2)
- Alice has a message m = 13 to be sent to Bob:
  - finds out Bob’s public encryption key (3, 55)
  - calculates c: c = m^e (mod n) = 13^3 (mod 55) = 2197 (mod 55) = 52
  - sends the ciphertext c = 52 to Bob

Slide 24: RSA --- 1st small example (3)
- Bob:
  - receives the ciphertext c = 52 from Alice
  - uses his matching secret decryption key 27 to calculate m: m = 52^27 (mod 55) = 13 (Alice’s message)

Slide 25: How does RSA work?
- n = p*q => ø(n) = ø(p*q) = (p-1)*(q-1)
- We choose d & e such that
  - (e * d) mod ø(n) = 1; similar to (2)
  - for any m < n: m^(de) mod n = m mod n; from (1)
  - an RSA encryption consists of taking m and raising it to e, and decrypting the ciphertext by raising the result of the encryption to d:
    - We have
      - (a*b) mod n = [(a mod n) * (b mod n)] mod n;
      - a^x mod n = [(a mod n) * (a mod n) * … * (a mod n)] mod n (x times of a mod n) = (a mod n)^x mod n
    - hence: (m^e mod n)^d mod n = (m^e)^d mod n = (m^(ed)) mod n = m mod n = m [from (1)]

Slide 26: Remarks on RSA
- The message m has to be an integer in the range [1, n).
- To encrypt long messages we can use modes of operation as for block private key ciphers, or a hybrid cryptosystem.

Slide 27: Why RSA is Secure
- Attack Scenario:
  - Marvin wants to read Alice’s private message (m) intended to be read only by Bob.
  - However, Alice used RSA to encrypt m using Bob’s public key (e, n), into the ciphertext c = m^e (mod n).
  - Marvin is a determined attacker and managed to intercept the ciphertext c on its way from Alice’s to Bob’s computer.
  - Marvin also looked up Bob’s public key (e, n) to help him in his attack.

Slide 28: Why RSA is Secure
- Marvin now has (c, e, n) and wants to find out m.
- How can Marvin proceed to find m?
  - Approach 1: If Marvin could also find out Bob’s secret key d, he could decrypt c into m in the same way as Bob does.
    - Suppose Bob guards his secret key d very well, what can Marvin do then?
  - Approach 2: Marvin knows that c = m^e (mod n). He knows that m is a number between 1 and n-1. So he could use exhaustive search through all n possible messages m.
    - But if n is large this takes a long time!

Slide 29: Why RSA is Secure
- Marvin’s Attack options (cont):
  - Approach 3: Marvin can try to compute Bob’s secret key d from (e, n) and then use Approach 1.
    - Remember that (e * d) mod ((p-1)*(q-1)) = 1
    - Marvin found in a ‘Number Theory’ book a very fast algorithm called EUCLID to solve the following problem: Given two numbers (r, s), the algorithm outputs a number x such that (r * x) mod s = 1.

Slide 30: Why RSA is Secure
- Approach 3 is the most efficient known method Marvin can use to attack RSA!
- The time taken for Marvin to execute the attack in Approach 3 is essentially the time to factorize n (n = p*q) into the prime factors p and q.
- Therefore, we say that RSA is based on the factorization problem: While it is easy to multiply large primes together, it is computationally infeasible to factorize or split a large composite into its prime factors!

Slide 31: Why RSA is Secure
- Therefore, when both p and q in RSA are of at least 155 digits, the product n = p*q is 310 digits.
- Then no one can factorize n in less time than a few thousand years, not even Marvin!!
- Thus the only person who can extract the plaintext m from the ciphertext c is Bob, as only he knows the secret decryption key d!
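
The key set-up of slides 19 to 24 and Marvin's Approach 3 from slides 29 to 31, as an added Python example that is not part of the original lecture. `mod_inverse` plays the role of the EUCLID algorithm; all function names are assumptions of this example, and the trial-division factoring only works because n = 55 is tiny.

```python
# Added example: textbook RSA with the lecture's toy parameters (p=5, q=11, e=3).

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def mod_inverse(r, s):
    """Return x in [0, s) with (r * x) mod s == 1 (the slides' EUCLID)."""
    g, x, _ = egcd(r, s)
    if g != 1:
        raise ValueError("no inverse: r and s are not relatively prime")
    return x % s


def make_keys(p, q, e):
    """Bob's set-up: public key (e, n) and secret key (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return (e, n), (mod_inverse(e, phi), n)


def encrypt(m, public):
    e, n = public
    if not 1 <= m < n:
        raise ValueError("message must be an integer in [1, n)")
    return pow(m, e, n)  # c = m^e mod n


def decrypt(c, secret):
    d, n = secret
    return pow(c, d, n)  # m = c^d mod n


def factor(n):
    """Split n = p*q by trial division; feasible only for very small n."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("n has no non-trivial factor")


def recover_secret_exponent(public):
    """Approach 3: factor n, rebuild phi(n), then run Euclid on (e, phi(n))."""
    e, n = public
    p, q = factor(n)
    return mod_inverse(e, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, secret = make_keys(5, 11, 3)
    c = encrypt(13, public)
    print("public", public, "secret", secret)
    print("c =", c, "decrypted m =", decrypt(c, secret))
    print("d recovered from (e, n) alone:", recover_secret_exponent(public))
```

With a 310-digit n the `factor` step is the part that becomes infeasible; the Euclid step stays fast at any size.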

Slide 32: Marvin’s New Attack Idea
- Instead of just eavesdropping, Marvin can try a more active attack!
- Outline of the New Attack:
  - Marvin generates an RSA key pair
    - Public key = Kpub_* = (N_*, e_*)
    - Secret key = Ksec_* = (N_*, d_*)
  - Marvin sends the following to Alice, pretending to be Bob:
    - Hi Alice,
      Please use my new public key from now on to encrypt messages to me. My new public key is Kpub_*.
      Yours sincerely, Bob.
  - Marvin decrypts any messages Alice sends to Bob (encrypted with Kpub_*), using Ksec_*.

Slide 33: Preventing Marvin’s Active Attack
- The active attack works because:
  - Alice was tricked by Marvin into encrypting a message intended for Bob using a “fake” public key which is NOT Bob’s public key (in fact it was Marvin’s).
- To prevent the attack:
  - Before Alice encrypts a message for Bob, she must make sure she has Bob’s CORRECT public key (and not a fake one).
  - Alice needs a way of testing the truth of any “Bob’s key message” informing Alice of Bob’s Public Key.
  - No one besides Bob should be able to produce such a message so that it will pass Alice’s Test.

Slide 34: Preventing Marvin’s Active Attack (2)
- This is a setting where Alice and Bob have a message integrity security requirement!
  - I.e. Alice and Bob want to prevent fabrication and/or modification of a “Bob’s key message” (a message informing Alice of Bob’s public key) by unauthorised parties (like Marvin).
- The main cryptographic tool used to achieve message integrity is “Authority Certificates”.
- Later we will see how Digital Signatures can be used to prevent Marvin’s Attack!

Slide 35: Private key ciphers
- Good points
  - inexpensive to use
  - fast
  - low cost VLSI chips available
- Bad points
  - key distribution is a problem

Slide 36: Public key ciphers
- Good points
  - key distribution is NOT a problem
- Bad points
  - relatively expensive to use
  - relatively slow
  - VLSI chips not available or relatively high cost

Slide 37: Combining 2 Types of Ciphers
- In practice, we can
  - use a public key cipher (such as RSA) to distribute keys
  - use a private key cipher (such as DES) to encrypt and decrypt messages

Slide 38: The Need of Digital Signature
- Social & business activities and their associated documents are becoming digital
  - digital conferences
  - digital contract signing
  - digital cash payments
- Hand-written signatures are not applicable to digital data

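Slide 39: Digital Signature (based on RSA)
[Figure: Bob produces a signature on the plain text with his secret key and sends plain text + signature over the network; Cathy processes the signature with Bob’s public key from the public key directory (Yellow/White Pages) and accepts if the result equals the plain text. Boxes labelled E and D.]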

Slide 40: Digital Signature (for short doc)
[Figure: the public key directory (Yellow/White Pages) lists Bob: (e, n). Bob signs the plain text m with his secret key d, s = m^d mod n, and sends plain text + signature over the network; Cathy uses the public key (e, n) to compute t = s^e mod n and accepts if equal.]

Slide 41: RSA Signature --- an eg (1)
- Bob:
  - chooses 2 primes: p = 5, q = 11
  - multiplies p and q: n = p*q = 55
  - finds out two numbers e = 3 & d = 27 which satisfy (3 * 27) mod 40 = 1
  - Bob’s public key
    - 2 numbers: (3, 55)
    - encryption alg: modular exponentiation
  - secret key: (27, 55)

Slide 42: RSA Signature --- an eg (2)
- Bob has a document m = 19 to sign:
  - uses his secret key d = 27 to calculate the digital signature of m = 19: s = m^d (mod n) = 19^27 (mod 55) = 24
  - appends 24 to 19. Now (m, s) = (19, 24) indicates that the doc is 19, and Bob’s signature on the doc is 24.

Slide 43: RSA Signature --- an eg. (3)
- Cathy, a verifier:
  - receives a pair (m, s) = (19, 24)
  - looks up the phone book and finds out Bob’s public key (e, n) = (3, 55)
  - calculates t = s^e (mod n) = 24^3 (mod 55) = 19
  - checks whether t = m
  - confirms that (19, 24) is a genuinely signed document of Bob if t = m.

Slide 44: How about Long Documents?
- In the previous example, a document has to be an integer in [1, ..., n)
- To sign a very long document, we need a so-called one-way hash algorithm
- Instead of signing directly on a doc, we hash the doc first, and sign the hashed data which is normally short.

Slide 45: One-Way Hash Algorithm
- A one-way hash algorithm hashes an input document into a condensed short output (say of 100 bits)
  - Denoting a one-way hash algorithm by H(.), we have:
    - Input: m - a binary string of any length
    - Output: H(m) - a binary string of L bits, called the “hash of m under H”.
    - The output length parameter L is fixed for a given one-way hash function H,
    - e.g.
      - The one-way hash function “MD5” has L = 128 bits
      - The one-way hash function “SHA-1” has L = 160 bits

Slide 46: One-Way Hash Algorithm
[Figure: a document (of any length) is reduced to a condensed short output, say of 100 bits.]

Slide 47: Properties of One-Way Hash Algorithm
- A good one-way hash algorithm H needs to have these properties:
  - 1. Easy to Evaluate:
    - The hashing algorithm should be fast
    - I.e. given any document m, the hashed value h = H(m) can be computed quickly.
  - 2. Hard to Reverse:
    - There is no feasible algorithm to “reverse” a hashed value,
    - I.e. given any hashed value h, it is computationally infeasible to find any document m such that H(m) = h.
  - NOTE: An algorithm is called ‘One-Way’ if it has BOTH properties 1 and 2.
  - 3. Hard to find Collisions:
    - There is no feasible algorithm to find two or more input documents which are hashed into the same condensed output,
    - I.e. it is computationally infeasible to find any two documents m1, m2 such that H(m1) = H(m2).

Slide 48: The One-way Property
[Figure: document m (any length) -> H -> hash value h (length = L bits): this direction is easy to compute! Hash value h (length = L bits) -> document m (any length): but this direction is infeasible to compute!]

Slide 49: Finding Collision is Infeasible
[Figure: document m1 “I, Bob, will pay $1,000 to Alice.” and document m2 “I, Bob, will pay $10,000 to Alice.” each pass through H to the same condensed output.]

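Slide 50: Digital Signature (for long doc)
[Figure: Bob hashes the plain text with H (1-way hash) to 100 bits, signs the hash with his secret key and sends plain text + signature over the network; Cathy hashes the received plain text with H to 100 bits, processes the signature with Bob’s public key from the public key directory (Yellow/White Pages) to get 100 bits, and accepts if equal.]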

Slide 51: Why Digital Signature?
- Unforgeable
  - takes 1 billion years to forge!
- Un-deniable by the signatory
- Universally verifiable
- Differs from doc to doc
- Easily implementable by
  - software or
  - hardware or
  - software + hardware

Slide 52: Unforgeable Digital Signature
[Figure: “I, Bob, will pay $1,000 to Alice.” labelled “a valid signature”; “I, Bob, will pay $10,000 to Alice” labelled “also a valid signature”.]

Slide 53: Digital Signature -- summary
- Three (3) steps are involved in digital signature
  - Setting up public and secret keys
  - Signing a document
  - Verifying a signature

Slide 54: Setting up Public & Secret Keys
- Bob does the following
  - prepares a pair of public and secret keys
  - publishes his public key in the public key file (such as an on-line phone book)
  - keeps the secret key to himself
- Note:
  - Setting up needs only to be done once!

Slide 55: Signing a Document
- Once setting up is completed, Bob can sign a document (such as a contract, a cheque, a certificate, ...) using the secret key
- The pair of document & signature is a proof that Bob has signed the document.

Slide 56: Verifying a Signature
- Any party, say Cathy, can verify the pair of document and signature, by using Bob’s public key in the public key file.
- Important!
  - Cathy does NOT have to have public or secret key!
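
The three steps of slides 53 to 56 (set up keys, sign, verify) combined with the hash-then-sign scheme of slides 44 to 50, as an added Python example that is not part of the original lecture. It assumes SHA-256 as H in place of the MD5 and SHA-1 named on slide 45, and a constructed demonstration key built from two Mersenne primes; the function names are this example's own.

```python
# Added example: hash-then-sign with textbook RSA, as in "Digital Signature
# (for long doc)". Deployed schemes also pad the hash (e.g. RSASSA-PSS).
import hashlib

# Constructed demo key. Both values are known Mersenne primes; their special
# form makes n easy to factor, so this key is for illustration only.
P = 2**521 - 1
Q = 2**607 - 1
E = 65537


def setup(p=P, q=Q, e=E):
    """Step 1 (done once): Bob prepares public (e, n) and secret (d, n)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # inverse of e mod phi(n), Python 3.8+
    return (e, n), (d, n)


def digest_as_int(document: bytes) -> int:
    """H(m): the SHA-256 digest read as an integer (L = 256 bits, below n)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, secret) -> int:
    """Step 2: Bob signs the short hash instead of the long document."""
    d, n = secret
    return pow(digest_as_int(document), d, n)  # s = H(m)^d mod n


def verify(document: bytes, signature: int, public) -> bool:
    """Step 3: Cathy needs only Bob's public key, no key of her own."""
    e, n = public
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest_as_int(document)  # t == H(m)?


if __name__ == "__main__":
    public, secret = setup()
    contract = b"I, Bob, will pay $1,000 to Alice."
    altered = b"I, Bob, will pay $10,000 to Alice."
    s = sign(contract, secret)
    print("genuine document accepted:", verify(contract, s, public))
    print("altered document accepted:", verify(altered, s, public))
```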