Andreas Steffen, , 4-PublicKey.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 4 Public Key Cryptography

Andreas Steffen, , 4-PublicKey.pptx 2 Cryptographical Building Blocks Block Ciphers Stream Ciphers Symmetric Key Cryptography AuthenticationConfidentiality Encryption Hash Functions Challenge Response IVs MACs MICs Message Digests Nonces Pseudo Random Random Sources Secret Keys Smart Cards DH RSA Public Key Cryptography Elliptic Curves Digital Signatures Data Integrity Secure Network Protocols Non- Repudiation

Andreas Steffen, , 4-PublicKey.pptx 3 The Secure Key Distribution Problem Alice Bob Carol Dave Edna Fred K AB, K AC, K AD, K AE, K AF K AC, K BC, K CD, K CE, K CF K AB, K BC, K BD, K BE, K BF K AF, K BF, K CF, K DF, K EF K AE, K BE, K CE, K DE, K EF K AD, K BD, K CD, K DE, K DF secure distribution of n 2 /2 keys

Andreas Steffen, , 4-PublicKey.pptx 4 Public Key Distribution System Alice Bob Carol Dave Edna Fred KAKA KBKB KCKC KDKD KEKE KEKE public distribution of n keys Public Directory Alice : K A Bob : K B Carol : K C Dave : K D Edna : K E Fred : K F

Andreas Steffen, , 4-PublicKey.pptx 5 Public Key Cryptography The Inventors Whitfield Diffie and Martin Hellman 1976 Ralph Merkle 1978 C = f K B (P) Encryption with one-way function P = f -1 K B (C,T B ) Joe P = f -1 K B (C) AliceBob KBKB Computation of inverse function is extremely expensive Trap Door One-way functions are often based on well- known hard problems

Andreas Steffen, , 4-PublicKey.pptx 6 Internet Security 1 (IntSi1) 4.1 RSA Public Key Cryptosystem

Andreas Steffen, , 4-PublicKey.pptx 7 RSA Public Key Cryptosystem The Inventors R - Ron Rivest S - Adi Shamir A - Leonard Adleman The One-Way Function The exponentiation function y = f(x) = x e mod n can be computed with reasonable effort. Its inverse x = f -1 (y) is extremely difficult to compute. The Hard Problem Securing the Trap Door The RSA public key algorithm is based on the well-known hard problem of factoring a large number into its prime factors that has been studied over many centuries.

Andreas Steffen, , 4-PublicKey.pptx 8 RSA Public Key Cryptosystem Key Generation Algorithm Step 1: Choose two random large prime numbers p and q For maximum security, choose p and q of about equal length, e.g … 1536 bits each. Step 2: Compute the product n = p·q Step 3: Choose a random integer e < (p-1)(q-1) The numbers e and (p-1)(q-1) must be relatively prime, i.e. they should not share common prime factors. Step 4: Compute the unique inverse d = e -1 mod (p-1)(q-1) The equation d·e mod (p-1)(q-1) = 1 can be solved using the Euclidian algorithm.

Andreas Steffen, , 4-PublicKey.pptx 9 RSA Public Key Cryptosystem How to find large random prime numbers There are primes 1024 bits in length or less. There are only atoms in the universe. The chance that two people choose the same prime factors for key generation is therefore near to nil ! To prove that a randomly chosen number is really prime you would have to factor it. Try small factors (3, 5, 7, 11,...) Probabilistic Primality Tests (e.g. Miller–Rabin) After passing 5 tests, assume a random number to be prime is prime composite number 0 % 100 % 0.1 % not prime prime number99.9 % random number is a Result of Primality Test

Andreas Steffen, , 4-PublicKey.pptx 10 (p-1)·(q-1) = 2 · 10 = 2 · 2 · 5 = 20 RSA Public Key Cryptosystem Key Generation Example p = 3, q = 11: n = p·q = 33 the public exponent e must be relatively prime to (p-1)·(q-1), i.e. it cannot contain any factors of 2 and 5 e d e·d e·d mod all possible choices for the exponents e and d

Andreas Steffen, , 4-PublicKey.pptx 11 RSA Public Key Cryptosystem Public and Private Keys Public Key: modulus n and public exponent e Publish n and e in a public directory, so that anybody wanting to send you a confidential message can retrieve it. Private Key: modulus n and private exponent d The private exponent d is your secret. It should be protected either by storing it in a tamper-proof smart card or when stored on a disk by encrypting it with a symmetric cipher secured by a secret passphrase of your choice. The primes p and q that were used for key generation are often kept as part of the private key, because their smaller size (i.e. half the length of the modulus n) allow an efficient implementation of the private key operations (Montgomery multiplication).

Andreas Steffen, , 4-PublicKey.pptx 12 RSA Public Key Cryptosystem Encryption and Decryption Encryption of a plaintext block x: y = x e mod n The sender uses the public key of the recipient to encrypt x < n. Decryption of a ciphertext block y: x = y d mod n The recipient uses her private key to recover the plaintext block x y d = (x e ) d = x e·d = x m·(p-1)·(q-1) + 1 = x 1 = x (mod n) Without proof: Encryption and Decryption are symmetric operations The order of the exponentiation with the public exponent e and the private exponent d can be exchanged.

Andreas Steffen, , 4-PublicKey.pptx 13 e = 1· · · ·2 0 e = 1·8 + 1·4 + 0·2 + 1·1 y = x e =(x 8 ) 1 ·(x 4 ) 1 ·(x 2 ) 0 ·(x) 1 mod n y = x 8 ·x 4 ·x mod n x 2 = x·x mod n, x 4 = x 2 ·x 2 mod n, x 8 = x 4 ·x 4 mod n d = 1· · · · ·2 0 d = 1·16 + 0·8 + 0·4 + 0·2 + 1·1 x = y d =(y 16 ) 1 ·(y 8 ) 0 ·(y 4 ) 0 ·(y 2 ) 0 ·(y) 1 mod n x = y 16 ·y mod n y 2 = y·y mod n, y 4 = y 2 ·y 2 mod n, y 8 = y 4 ·y 4 mod n, y 16 = y 8 ·y 8 mod n RSA Public Key Cryptosystem Fast Exponentiation Example Encryption with Public Key n = 33, e = 13 Decryption with Private Key n = 33, d = 17

Andreas Steffen, , 4-PublicKey.pptx 14 RSA Public Key Cryptosystem Plaintext to Ciphertext Mapping n = 33, e = 13, d = 17 y = x e mod n x y x y x y x y x y

Andreas Steffen, , 4-PublicKey.pptx 15 The RSA–768 Challenge The Effort 768 bit number (232 digits) factored in December 2009 Sieving step took 2 years on a cluster of several hundred computers. Sieving on a single core 2.2 GHz Opteron processor with 2 GB of RAM would have taken 1500 years modulus is about 1000 times harder to factor = ? = *

Andreas Steffen, , 4-PublicKey.pptx 16 Assumed effort: 40 million dollardays = 40M x 1 day = 100k x 400 days 56 bits in 1982 RSA: 366 … 527 bits 64 bits in 1994 RSA: 639 … 746 bits 72 bits in 2006 RSA: 1007 … 1012 bits 76 bits in 2012 RSA: 1164 … 1229 bits 80 bits in 2018 RSA: 1329 … 1478 bits 88 bits in 2030 RSA: 1698 … 2063 bits 96 bits in 2042 RSA: 2124 … 2770 bits 104 bits in 2054 RSA: 2608 … 3607 bits 112 bits in 2066 RSA: 3154 … 4582 bits 120 bits in 2078 RSA: 3764 … 5701 bits 128 bits in 2090 RSA: 4440 … 6974 bits Cryptographics Strength of RSA Keys

Andreas Steffen, , 4-PublicKey.pptx 17 Internet Security 1 (IntSi1) 4.2 Diffie Hellman Key Exchange Algorithm

Andreas Steffen, , 4-PublicKey.pptx 18 The Diffie–Hellman Key-Exchange Algorithm Generating a Common Secret Key Alice and Bob agree on a large prime modulus n, a primitive element g and the one-way function y = f(x) = g x mod n. The integers n and g are not secret and can be published. Alice chooses a large random integer a and sends Bob A = g a mod n Bob chooses a large random integer b and sends Alice B = g b mod n Alice computes s = B a mod n = g ba mod n Bob computes s = A b mod n = g ab mod n Alice and Bob share now the secret key s = g ab mod n Since computing the inverse x = f -1 (y) is extremely difficult, no one listening to the key-exchange can compute the secret key s from the values A, B, n and g.

Andreas Steffen, , 4-PublicKey.pptx 19 The Diffie–Hellman Key-Exchange Algorithm Practical Example y = g x mod n Prime modulus: n = 31 Primitive element: g = 3 y x y x A: a = 8  A = 3 8 mod 31 = 20 B: b = 6  B = 3 6 mod 31 = 16 s = 20 6 mod 31 = 4 s = 16 8 mod 31 = 4