
Lecture 5 Overview

Does DES Work?
Differential Cryptanalysis Idea
– Use two plaintexts that barely differ
– Study the difference in the corresponding ciphertext
– Collect the keys that could accomplish the change
– Repeat
CS 450/650 – Lecture 5: DES

Cracking DES
Diffie and Hellman then outlined a "brute force" attack on DES
– "Brute force" means that you try as many of the 2^56 possible keys as you have to before decrypting the ciphertext into a sensible plaintext message
– They proposed a special purpose "parallel computer using one million chips to try one million keys each" per second

Cracking DES (cont.)
In 1998, the Electronic Frontier Foundation spent $220K and built a machine that could go through the entire 56-bit DES key space in an average of 4.5 days
– On July 17, 1998, they announced they had cracked a 56-bit key in 56 hours
– The computer, called Deep Crack, used 27 boards each containing 64 chips and was capable of testing 90 billion keys a second

Cracking DES (cont.)
In early 1999, Distributed.Net used the DES Cracker and a worldwide network of nearly 100K PCs to break DES in 22 hours
– Combined, they were testing 245 billion keys per second
This illustrates that any organization with moderate resources can break DES with very little effort these days

Double DES
E(k1, E(k2, M))
– As strong as a 57-bit key!
– Given message M and ciphertext c
– Encrypt M with all possible keys: 2^56 steps
– Decrypt c with all possible keys and match M s: 2^56 steps
CS 450/650 Fundamentals of Integrated Computer Security
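The two-sided search described on the Double DES slide, as an added Python example that is not part of the original lecture. The cipher `toy_enc`/`toy_dec` (16-bit block, 8-bit key) is constructed here purely for illustration and is not DES; it shows why two keys cost about 2 · 2^8 cipher operations to recover instead of 2^16, the same one-extra-bit effect the slide states for 2^56.

```python
# Added example: meet-in-the-middle against double encryption with a toy cipher.
# toy_enc/toy_dec are constructed for this demo (16-bit block, 8-bit key); not DES.
KEY_BITS, MASK, MUL = 8, 0xFFFF, 0x9E37
MUL_INV = pow(MUL, -1, 1 << 16)      # MUL is odd, so it is invertible mod 2^16

def toy_enc(k, m):
    for r in range(4):
        m = (m + k * 0x0101 + r) & MASK          # add round key
        m = (m * MUL) & MASK                     # multiply by an odd constant
        m = ((m << 5) | (m >> 11)) & MASK        # rotate left by 5
    return m

def toy_dec(k, c):
    for r in reversed(range(4)):
        c = ((c >> 5) | (c << 11)) & MASK        # rotate right by 5
        c = (c * MUL_INV) & MASK
        c = (c - k * 0x0101 - r) & MASK
    return c

def double_enc(k1, k2, m):
    return toy_enc(k1, toy_enc(k2, m))           # E(k1, E(k2, M)) as on the slide

def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (M, c) pairs; returns (candidates, cipher_ops)."""
    (m0, c0), rest = pairs[0], pairs[1:]
    ops = 0
    middle = {}                                  # E(k2, M) -> list of k2
    for k2 in range(1 << KEY_BITS):              # encrypt M under every key
        middle.setdefault(toy_enc(k2, m0), []).append(k2)
        ops += 1
    candidates = []
    for k1 in range(1 << KEY_BITS):              # decrypt c under every key
        ops += 1
        for k2 in middle.get(toy_dec(k1, c0), []):
            # a second known pair filters out chance matches in the middle
            if all(double_enc(k1, k2, m) == c for m, c in rest):
                candidates.append((k1, k2))
    return candidates, ops

if __name__ == "__main__":
    known = [(m, double_enc(0xA7, 0x3C, m)) for m in (0x1234, 0xBEEF)]
    print(meet_in_the_middle(known))
```

The design consequence is the one the following slides draw: a third encryption layer is needed before the effective key length grows meaningfully.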

Triple DES – Two keys
E(k1, D(k2, E(k1, M)))
The first key is used to DES-encrypt the message
The second key is used to DES-decrypt the encrypted message
– Since the second key is not the right key, this decryption just scrambles the data further
The twice-scrambled message is then encrypted again with the first key to yield the final ciphertext
As strong as an 80-bit key!

Triple DES – Three keys
E(k3, D(k2, E(k1, M)))
The first key is used to DES-encrypt the message
The second key is used to DES-decrypt the encrypted message
– Since the second key is not the right key, this decryption just scrambles the data further
The twice-scrambled message is then encrypted with the third key to yield the final ciphertext
As strong as a 112-bit key!

Analysis of Algorithms
Algorithms
– Time Complexity
– Space Complexity
An algorithm whose time complexity is bounded by a polynomial is called a polynomial-time algorithm
– An algorithm is considered to be efficient if it runs in polynomial time.
CS 450/650 Lecture 5: Algorithm Background

Growth Rate
T(n) = O(f(n)): T is bounded above by f
The growth rate of T(n) <= growth rate of f(n)
T(n) = Ω(g(n)): T is bounded below by g
The growth rate of T(n) >= growth rate of g(n)
T(n) = Θ(h(n)): T is bounded both above and below by h
The growth rate of T(n) = growth rate of h(n)
T(n) = o(p(n)): T is dominated by p
The growth rate of T(n) < growth rate of p(n)

Time Complexity
Polynomial: C, O(n), O(log n), O(n log n), O(n^2), …, O(n^k)
Exponential: O(2^n), O(k^n), O(n^n)

P, NP, NP-hard, NP-complete
A problem belongs to the class P if the problem can be solved by a polynomial-time algorithm
A problem belongs to the class NP if the correctness of the problem’s solution can be verified by a polynomial-time algorithm
A problem is NP-hard if it is as hard as any problem in NP
– Existence of a polynomial-time algorithm for an NP-hard problem implies the existence of polynomial solutions for every problem in NP
NP-complete problems are the NP-hard problems that are also in NP

Relationships between different classes
[Figure: diagram of the classes P, NP, NP-complete and NP-hard]

Partitioning Problem
Given a set of n integers, partition the integers into two subsets such that the difference between the sum of the elements in the two subsets is minimum
– NP-complete
13, 37, 42, 59, 86, (figure label: Sum)

Bin Packing Problem
Suppose you are given n items of sizes s1, s2, ..., sn
All sizes satisfy 0 ≤ si ≤ 1
The problem is to pack these items in the fewest number of bins,
– given that each bin has unit capacity
– NP-hard

Lecture 6
RSA
CS 450/650 Fundamentals of Integrated Computer Security
Slides are modified from Hesham El-Rewini

RSA
Invented by Cocks (GCHQ) and, independently, by Rivest, Shamir and Adleman (MIT)
Two keys e and d used for Encryption and Decryption
– The keys are interchangeable
M = D(d, E(e, M)) = D(e, E(d, M))
– Public key encryption
Based on problem of factoring large numbers
– Not in NP-complete
– Best known algorithm is exponential
CS 450/650 Lecture 6: RSA

RSA
To encrypt message M compute
– c = M^e mod N
To decrypt ciphertext c compute
– M = c^d mod N

Key Choice
Let p and q be two large prime numbers
Let N = pq
Choose e relatively prime to (p − 1)(q − 1)
– a prime number larger than p-1 and q-1
Find d such that ed mod (p − 1)(q − 1) = 1

RSA
Recall that e and N are public
If attacker can factor N, he can use e to easily find d
– since ed mod (p − 1)(q − 1) = 1
Factoring the modulus breaks RSA
It is not known whether factoring is the only way to break RSA

Does RSA Really Work?
Given c = M^e mod N we must show
– M = c^d mod N = M^(ed) mod N
We’ll use Euler’s Theorem
– If x is relatively prime to N then x^φ(N) mod N = 1
φ(n): number of positive integers less than n that are relatively prime to n.
If p is prime then φ(p) = p-1

Does RSA Really Work?
Facts:
– ed mod (p − 1)(q − 1) = 1
– ed = k(p − 1)(q − 1) + 1, by definition of mod
– φ(N) = (p − 1)(q − 1)
– Then ed − 1 = k(p − 1)(q − 1) = kφ(N)
M^(ed) = M^((ed-1)+1)
= M · M^(ed-1)
= M · M^(kφ(N))
= M · (M^φ(N))^k mod N
= M · 1^k mod N
= M mod N

Example
Select primes p = 11, q = 3
N = p * q = 11 * 3 = 33
Choose e = 3
– check gcd(e, p-1) = gcd(3, 10) = 1, i.e. 3 and 10 have no common factors except 1
– check gcd(e, q-1) = gcd(3, 2) = 1
– therefore gcd(e, (p-1)(q-1)) = gcd(3, 20) = 1

Example (cont.)
(p-1) * (q-1) = 10 * 2 = 20
Compute d such that e * d mod (p-1)*(q-1) = 1
– 3 * d mod 20 = 1
– d = 7
Public key = (N, e) = (33, 3)
Private key = (N, d) = (33, 7)

Example (cont.)
Now say we want to encrypt message M = 7
c = M^e mod N = 7^3 mod 33 = 343 mod 33 = 13
– Hence the ciphertext c = 13
To check decryption, we compute
M' = c^d mod N = 13^7 mod 33 = 7

More Efficient RSA
Modular exponentiation example
– 5^20 = = 25 mod 35
A better way: repeated squaring
– Note that 20 = 2 · 10, 10 = 2 · 5, 5 = 2 · 2 + 1, 2 = 1 · 2
– 5^1 = 5 mod 35
– 5^2 = (5^1)^2 = 5^2 = 25 mod 35
– 5^5 = (5^2)^2 · 5^1 = 25^2 · 5 = 3125 = 10 mod 35
– 5^10 = (5^5)^2 = 10^2 = 100 = 30 mod 35
– 5^20 = (5^10)^2 = 30^2 = 900 = 25 mod 35
No huge numbers and it’s efficient!
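The key choice, encryption and repeated-squaring slides above, worked through as an added Python example (not part of the original lecture). All function names are chosen for this illustration; it uses the slides' toy primes and no padding, so it shows the arithmetic only, and `private_from_factoring` illustrates the slide's point that factoring N yields d.

```python
# Added example: textbook RSA with the slides' toy parameters (tiny primes, no padding).

def modexp(base, exp, mod, trace=None):
    """Left-to-right repeated squaring; intermediates stay below mod**2."""
    result, done = 1 % mod, 0            # done = exponent reached so far
    for bit in bin(exp)[2:]:
        result, done = result * result % mod, done * 2
        if bit == "1":
            result, done = result * base % mod, done + 1
        if trace is not None and done:
            trace.append((done, result))
    return result

def modinv(e, phi):
    """Extended Euclid: the d with e*d mod phi == 1."""
    old_r, r, old_s, s = e, phi, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    return old_s % phi

def make_keys(p, q, e):
    """Return (public, private) = ((N, e), (N, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, modinv(e, phi))

def apply_key(key, value):
    """Encryption and decryption are the same operation: value^exp mod N."""
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("message must be in [0, N)")
    return modexp(value, exp, n)

def private_from_factoring(pub):
    """Why N must be hard to factor: trial division recovers d for a toy N."""
    n, e = pub
    p = next(f for f in range(2, n) if n % f == 0)
    return make_keys(p, n // p, e)[1]

if __name__ == "__main__":
    pub, priv = make_keys(11, 3, 3)
    c = apply_key(pub, 7)
    steps = []
    modexp(5, 20, 35, steps)             # records the slide's 5^1 ... 5^20 chain
    print(pub, priv, c, apply_key(priv, c), steps)
    print(private_from_factoring(pub))
```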

RSA key-length strength
RSA has challenges for different key-lengths
– RSA-140: factored in 1 month using 200 machines in 1999
– RSA-155 (512-bit): factored in 3.7 months using 300 machines in 1999
– RSA-160: factored in 20 days in 2003
– RSA-200: factored in 18 months in 2005
– RSA-210, RSA-220, RSA-232, … RSA

Group Work
Find keys d and e for the RSA cryptosystem with p = 7 and q = 11
Solution
– p*q = 77
– (p-1) * (q-1) = 60
– e = 37
– d = 13
– n = 13 * 37 = 481 = 1 mod