1 Introduction to Computer Security Topic 2. Basic Cryptography (Part II)

2 AES (Advanced Encryption Standard) January 1997: NIST called for AES contest –Requirements Unclassified Publicly disclosed Available royalty-free for use worldwide Symmetric block cipher, for blocks of 128 bits Usable with key sizes of 128, 192, and 256 bits August 1998: 15 candidates submitted August 1999: 5 finalists Winning algorithm: Rijndael –Inventors: Vincent Rijmen and Joan Daemen (Dutch cryptographers) –The other four candidates are all security –Selection based on efficiency and implementation characteristics December 2001: AES adopted for use in the US government

3 Overview of AES Has a strong mathematical foundation Primarily use –Substitution, transposition, shift, XOR, and addition operations Use repeat rounds –9 rounds for keys of 128 bits –11 rounds for keys of 192 bits –13 rounds for keys of 256 bits Rijndael can use any key length that is the multiple of 64 –AES only recognizes 128, 192, and 256 Rijndael is defined for blocks of 128, 192, and 256 bits

4 AES Each round consists of –Byte substitution –Shift row –Mix column –Add subkey

5 AES (Cont’d) Representation –128 bits  16 bytes  matrix s[0,0]..s[3,3] Byte substitution –Input b –Take the multiplicative inverse of b in GF(2 8 ) defined by P=x 8 +x 4 +x 3 +x+1 Ensure each value appears exactly once –XOR the result with 0x63 ( )

6 AES (Cont’d) Shift row –Row i is rotated left (i  1) bytes Rijndael 256 bit blocks –Rows 3 and 4 are shifted an extra byte

7 AES (Cont’d) Mix column –Each column is multiplied by a matrix –Arithmetic operations performed in GF(2 8 ) Add subkey –XOR a variation of the key with the result so far

8 AES (Cont’d) Subkey generation –128 bit key represented as four 32-bit words w 1 w 2 w 3 w 4 –Transformation of w1 into w 1 ’ w 1 rotate one byte left Byte substitution XOR with a constant –The rest of the words are produced by XOR of the original word with w 1 ’ First key is the original key Each later variation is generated from the previous one

9 Strength of AES Backed up by sound mathematical foundation Undergone extensive cryptanalysis by independent cryptographers –No flaw found

Public-Key Cryptography public-key/two-key/asymmetric cryptography involves the use of two keys: –a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures –a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures is asymmetric because –those who encrypt messages or verify signatures cannot decrypt messages or create signatures 10

Public-Key Cryptography 11

12 Public Key Cryptography (PKC) Requirements for Public-Key Algorithms –It is computationally easy to generate a pair of public key and private key –It is computationally easy to generate a ciphertext using the public key –It is computationally easy to decrypt the ciphertext using the private key –It is computationally infeasible to determine the private key from the public key –It is computationally infeasible to recover the message from the ciphertext and the public key

Public-Key Characteristics Public-Key algorithms rely on two keys with the characteristics that it is: –computationally infeasible to find decryption key knowing only algorithm & encryption key –computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known –either of the two related keys can be used for encryption, with the other used for decryption (in some schemes) 13

Public-Key Applications can classify uses into 3 categories: –encryption/decryption (provide secrecy) –digital signatures (provide authentication) –key exchange (of session keys) some algorithms are suitable for all uses, others are specific to one 14

15 Public-Key Cryptanalysis Brute-force attack –Try all possible keys Derivation of private key from public key –Try to find the relationship between the public key and the private key and compute the private key from the public one Probable-message attack –The public key is known –Encrypt all possible messages –Try to find a match between the ciphertext and one of the above encrypted messages

16 RSA (Rivest, Shamir, Adleman) The most popular one Support both public key encryption and digital signature Assumption/theoretical basis: –Factorization of large integers is hard Variable key length (usually 1024 bits) Variable plaintext block size –Plaintext must be “smaller” than the key –Ciphertext block size is the same as the key length

RSA Key Setup each user generates a public/private key pair by: selecting two large primes at random - p, q computing their system modulus N=p.q –note ø(N)=(p-1)(q-1) selecting at random the encryption key e where 1< e<ø(N), gcd(e,ø(N))=1 solve following equation to find decryption key d –e.d=1 mod ø(N) and 0≤d≤N publish their public encryption key: KU={e,N} keep secret private decryption key: KR={d,p,q} 17

RSA Use to encrypt a message M the sender: –obtains public key of recipient KU={e,N} –computes: C=M e mod N, where 0≤M<N to decrypt the ciphertext C the owner: – uses their private key KR={d,p,q} –computes: M=C d mod N note that the message M must be smaller than the modulus N (block if needed) 18

Prime Numbers prime numbers only have divisors of 1 and self –they cannot be written as a product of other numbers –note: 1 is prime, but is generally not of interest eg. 2,3,5,7 are prime, 4,6,8,9,10 are not prime numbers are central to number theory list of prime number less than 200 is:

Prime Factorisation to factor a number n is to write it as a product of other numbers: n=a × b × c note that factoring a number is relatively hard compared to multiplying the factors together to generate the number the prime factorisation of a number n is when its written as a product of primes –eg. 91=7×13 ; 3600=2 4 ×3 2 ×5 2 20

Relatively Prime Numbers & GCD two numbers a, b are relatively prime if have no common divisors apart from 1 –eg. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8 and of 15 are 1,3,5,15 and 1 is the only common factor conversely can determine the greatest common divisor by comparing their prime factorizations and using least powers –eg. 300=2 1 ×3 1 ×5 2 18=2 1 ×3 2 hence GCD(18,300)=2 1 ×3 1 ×5 0 =6 21

Euler Totient Function ø(n) when doing arithmetic modulo n complete set of residues is: 0..n-1 reduced set of residues is those numbers (residues) which are relatively prime to n –eg for n=10, –complete set of residues is {0,1,2,3,4,5,6,7,8,9} –reduced set of residues is {1,3,7,9} number of elements in reduced set of residues is called the Euler Totient Function ø(n) 22

RSA Example 1.Select primes: p=17 & q=11 2.Compute n = pq =17×11=187 3.Compute ø(n)=(p–1)(q-1)=16×10=160 4.Select e : gcd(e,160)=1; choose e=7 5.Determine d : de=1 mod 160 and d < 160 Value is d=23 since 23×7=161= 10× Publish public key KU={7,187} 7.Keep secret private key KR={23,17,11} 23

RSA Example cont sample RSA encryption/decryption is: given message M = 88 (nb. 88<187 ) encryption: C = 88 7 mod 187 = 11 decryption: M = mod 187 = 88 24

RSA Key Generation users of RSA must: –determine two primes at random - p, q –select either e or d and compute the other primes p,q must not be easily derived from modulus N=p.q –means must be sufficiently large –typically guess and use probabilistic test exponents e, d are inverses, so use Inverse algorithm to compute the other 25

RSA Security three approaches to attacking RSA: –brute force key search (infeasible given size of numbers) –mathematical attacks (based on difficulty of computing ø(N), by factoring modulus N) –timing attacks (on running of decryption) 26

Factoring Problem mathematical approach takes 3 forms: –factor N=p.q, hence find ø(N) and then d –determine ø(N) directly and find d –find d directly currently believe all equivalent to factoring –have seen slow improvements over the years as of Aug-99 best is 130 decimal digits (512) bit with GNFS –biggest improvement comes from improved algorithm cf “Quadratic Sieve” to “Generalized Number Field Sieve” –barring dramatic breakthrough bit RSA secure ensure p, q of similar size and matching other constraints 27

Timing Attacks developed in mid-1990’s exploit timing variations in operations –eg. multiplying by small vs large number –or IF's varying which instructions executed infer operand size based on time taken RSA exploits time taken in exponentiation countermeasures –use constant exponentiation time –add random delays –blind values used in calculations 28

Digital Signature 29

COMPARISON Let us begin by looking at the differences between conventional signatures and digital signatures. Inclusion Verification Method Relationship Duplicity Topics discussed in this section: 30

A conventional signature is included in the document; it is part of the document. But when we sign a document digitally, we send the signature as a separate document. Inclusion 31

For a conventional signature, when the recipient receives a document, she compares the signature on the document with the signature on file. For a digital signature, the recipient receives the message and the signature. The recipient needs to apply a verification technique to the combination of the message and the signature to verify the authenticity. Verification Method 32

For a conventional signature, there is normally a one-to- many relationship between a signature and documents. For a digital signature, there is a one-to-one relationship between a signature and a message. Relationship 33

In conventional signature, a copy of the signed document can be distinguished from the original one on file. In digital signature, there is no such distinction unless there is a factor of time on the document. Duplicity 34

PROCESS Figure 13.1 shows the digital signature process. The sender uses a signing algorithm to sign the message. The message and the signature are sent to the receiver. The receiver receives the message and the signature and applies the verifying algorithm to the combination. If the result is true, the message is accepted; otherwise, it is rejected. 35

The integrity of the message is preserved even if we sign the whole message because we cannot get the same signature if the message is changed. Message Integrity A digital signature provides message integrity. Note 36

13.37 Nonrepudiation Figure 2.1 Using a trusted center for nonrepudiation Nonrepudiation can be provided using a trusted party. Note

Confidentiality A digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption must be applied. Figure 2.2 Adding confidentiality to a digital signature scheme Note

RSA Digital Signature Scheme Figure 2.3 General idea behind the RSA digital signature scheme 39

Key Generation Key generation in the RSA digital signature scheme is exactly the same as key generation in the RSA Continued In the RSA digital signature scheme, d is private; e and n are public. Note 40

Signing and Verifying Continued Figure 2.3 RSA digital signature scheme 41

Continued As a trivial example, suppose that Alice chooses p = 823 and q = 953, and calculates n = The value of  (n) is Now she chooses e = 313 and calculates d = At this point key generation is complete. Now imagine that Alice wants to send a message with the value of M = to Bob. She uses her private exponent, , to sign the message: Example 13.1 Alice sends the message and the signature to Bob. Bob receives the message and the signature. He calculates Bob accepts the message because he has verified Alice’s signature. 42