Public Key Algorithms 4/17/2017 M. Chatterjee
Modular Arithmetic Public key algorithms are based on modular arithmetic. Modular addition. Modular multiplication. Modular exponentiation. 4/17/2017 M. Chatterjee
Modular Addition Addition modulo (mod) K Poor cipher with (dk+dm) mod K, e.g., if K=10 and dk is the key. Additive inverse: addition mod K yields 0. “Decrypt” by adding inverse. 4/17/2017 M. Chatterjee
Modular Multiplication Multiplication modulo K Multiplicative inverse: multiplication mod K yields 1 Only some numbers have inverse Use Euclid’s algorithm to find inverse Given x, n, it finds y such that xy mod n = 1 All number relatively prime to n will have mod n multiplicative inverse 4/17/2017 M. Chatterjee
Totient Function x, m relative prime: no other common factor than 1 Totient function ø(n): number of integers less than n relatively prime to n if n is prime, ø(n)=n-1 if n=pq, and p, q are primes, ø(n)=(p-1)(q-1) 4/17/2017 M. Chatterjee
Modular Exponentiation xy mod n = xy mod ø(n) mod n if y = 1 mod ø(n) then xy mod n = x mod n 4/17/2017 M. Chatterjee
RSA (Rivest, Shamir, Adleman) The most popular one. Support both public key encryption and digital signature. Assumption/theoretical basis: Factoring a big number is hard. Variable key length (usually 512 bits). Variable plaintext block size. Plaintext must be “smaller” than the key. Ciphertext block size is the same as the key length. 4/17/2017 M. Chatterjee
What Is RSA? To generate key pair: Pick large primes (>= 256 bits each) p and q Let n = p*q, keep your p and q to yourself! For public key, choose e that is relatively prime to ø(n) =(p-1)(q-1), let pub = <e,n> For private key, find d that is the multiplicative inverse of e mod ø(n), i.e., e*d = 1 mod ø(n), let priv = <d,n> 4/17/2017 M. Chatterjee
How Does RSA Work? Given pub = <e, n> and priv = <d, n> encryption: c = me mod n, m < n decryption: m = cd mod n signature: s = md mod n, m < n verification: m = se mod n 4/17/2017 M. Chatterjee
Why Does RSA Work? Given pub = <e, n> and priv = <d, n> n =p*q, ø(n) =(p-1)(q-1) e*d = 1 mod ø(n) xed = x mod n encryption: c = me mod n decryption: m = cd mod n = med mod n = m mod n = m Why???????? 4/17/2017 M. Chatterjee
What is Fermat’s theorem??? e*d = 1 mod ø(n) So e*d = 1 + kø(n) …med mod n = m 1 + kø(n) m (m kø(n) mod n) = m ???? What is Fermat’s theorem??? 4/17/2017 M. Chatterjee
Why Is RSA Secure? Factoring 512-bit number is very hard! But if you can factor big number n then given public key <e,n>, you can find d, hence the private key by: Knowing factors p, q, such that, n = p*q Then ø(n) =(p-1)(q-1) Then d such that e*d = 1 mod ø(n) 4/17/2017 M. Chatterjee
Attacks on RSA • Brute force key search • Mathematical attacks • Timing attacks 4/17/2017 M. Chatterjee
Math-Based Attacks Three possible approaches: – Factor n = pq – Determine F(n) – Find the private key d directly • All the above are equivalent to factoring n 4/17/2017 M. Chatterjee
Brute Force An adversary just tries all possible keys and keeps his fingers crossed that the right key is not the last key he will try ! 4/17/2017 M. Chatterjee
Timing Attacks By measuring the time required to perform decryption (exponentiation with the private key as exponent), an attacker can figure out the private key Possible countermeasures: – use constant exponentiation time – add random delays – blind values used in calculations 4/17/2017 M. Chatterjee
Other Attacks on RSA Small encryption exponent e E=3, Alice sends the message m to three people (public keys (e, n1), (e, n2), (e,n3)) An attacker can compute a solution to the following system x = c1 mod n1 x = c2 mod n2 x = c3 mod n3 Then, compute m from x = m3 Countermeasure: padding required 4/17/2017 M. Chatterjee
Forward Search Attack If message space is small, the attacker can create a dictionary of encrypted messages (public key known, encrypt all possible messages and store them) When the attacker ‘sees’ a message on the network, compares the encryptedmessages, so he finds out what particular message was encrypted 4/17/2017 M. Chatterjee
Small decryption exponent d Choosing a small exponent helps efficiency BUT If size of d is 1/4 size of n (in bits) and gcd(p-1,q-1) is small, there is a way to compute d only from e and n. Countermeasure: d should be about the same size as n. 4/17/2017 M. Chatterjee
Common modulus attack Each entity must choose its own modulus Assume Alice and Bob generated keys using the same modulus n, ((e1, n ), d1)) and ((e2, n), d2)) C1 = Me1 mod n, C2 = Me2 mod n (e1)a + (e2) b = 1 if gcd(e1,e2)=1 M = C1a C2 b mod n 4/17/2017 M. Chatterjee
Cycling attack Intercepted ciphertext: C C1 = Ce mod n C2 = C1e mod n Ck = Ck-1e mod n If Ck = C then stop P = Ck-1 4/17/2017 M. Chatterjee
Attacker Goals Total break: the attacker finds the key (the symmetric key for ciphers or the private key for public key cryptosystems); after that all ciphertexts can be decrypted. Partial break: with some probability , the adversary is able to decrypt previously unseen ciphertexts, without knowing the key. Or the adversary can find out info about the plaintext, just by looking at the ciphertext. Distinguishability: with probability > 0.5, the adversary can distinguish between encryption of two different plaintexts, or between an encryption and a random string. 4/17/2017 M. Chatterjee
Diffie-Hellman Key Exchange Shared key, public communication No authentication of partners What’s involved? P is a prime (about 512 bits), and g < p P and g are publicly known 4/17/2017 M. Chatterjee
4/17/2017 M. Chatterjee
Diffie-Hellman Key Exchange Procedure Alice Bob pick secret Sa randomly pick secret Sb randomly compute TA=gSa mod p compute TB=gSb mod p send TA to Bob send TB to Alice compute TBSa mod p compute TASb mod p Alice and Bob reached the same secret gSaSb mod p, which is then used as the shared key. 4/17/2017 M. Chatterjee
DH Security - Discrete Logarithm Is Hard T = gs mod p Conjecture: given T, g, p, it is extremely hard to compute the value of s (discrete logarithm) 4/17/2017 M. Chatterjee
Diffie-Hellman Scheme Security factors Discrete logarithm very difficult. Shared key (the secret) itself never transmitted. 4/17/2017 M. Chatterjee
Disadvantages: Expensive exponential operation DoS possible. The scheme itself cannot be used to encrypt anything – it is for secret key establishment. No authentication, so you can not sign anything … 4/17/2017 M. Chatterjee
Bucket Brigade Attack...Man In The Middle Alice Trudy Bob gSa=123 gSx =654 gSb =255 123 --> 654 --> <--654 <--255 654Sa=123Sx 255Sx=654Sb Trudy plays Bob to Alice and Alice to Bob 4/17/2017 M. Chatterjee
Diffie-Hellman in Phone Book Mode DH was subject to active man-in-the-middle attack because their public key-component was intercepted and substituted Phone book mode allows everyone to generate the public key-component in advance and publish them through other reliable means, e.g. <TB> for bob All communicating parties agree on their common <g, p> 4/17/2017 M. Chatterjee
Encryption With Diffie-Hellman Everyone computes and publishes <p, g, T> T=gS mod p Alice communicates with Bob: Alice Picks a random secret Sa Computes gbSa mod pb Use Kab = TbSa mod pb to encrypt message Send encrypted message along with gbSa mod pb 4/17/2017 M. Chatterjee
Bob (gbSa)Sb mod pb = (gbSb)Sa mod pb = TbSa mod pb = Kab Use Kab to decrypt 4/17/2017 M. Chatterjee