7/25/2019 ch09 (1) (1)

1/26

Cryptography and NetworkSecurity

Chapter 9

Fourth Edition

by William Stallings

Lecture slides by Lawrie

Brown

7/25/2019 ch09 (1) (1)

2/26

Priate!"ey Cryptography

traditional private/secret/singlekeycryptography uses onekey

shared by both sender and receier

i# this key is disclosedcommunications are compromised

also is symmetric$ parties are e%ual

hence does not protect sender #romreceier #orging a message &claiming is sent by sender

7/25/2019 ch09 (1) (1)

3/26

Public!"ey Cryptography

probably most signi'cant adance in the())) year history o# cryptography

uses twokeys * a public & a priate key

asymmetricsince parties are note%ual

uses cleer application o# numbertheoretic concepts to #unction

complements rather thanreplacespriate key crypto

7/25/2019 ch09 (1) (1)

4/26

Why Public!"eyCryptography+

deeloped to address two key issues, key distribution* how to hae secure

communications in general without

haing to trust a "-C with your key digital signatures* how to eri#y a

message comes intact #rom the claimedsender

public inention due to Whit'eld-i.e & /artin 0ellman at Stan#ord1ni in 2934

known earlier in classi'ed community

7/25/2019 ch09 (1) (1)

5/26

Public!"ey Cryptography

public-key/two-key/asymmetriccryptography inoles the use o# twokeys, a public-key$ which may be known by anybody$

and can be used to encrypt messages$ and

verify signatures a private-key$ known only to the recipient$ used

to decrypt messages$ and sign5create6signatures

is asymmetricbecause those who encrypt messages or eri#y signatures

cannotdecrypt messages or create signatures

7/25/2019 ch09 (1) (1)

6/26

Public!"ey Cryptography

7/25/2019 ch09 (1) (1)

7/26

Public!"ey Characteristics

Public!"ey algorithms rely on two keyswhere,

it is computationally in#easible to 'nd

decryption key knowing only algorithm &encryption key

it is computationally easy to en7decryptmessages when the releant 5en7decrypt6 key

is known either o# the two related keys can be used #or

encryption$ with the other used #or decryption5#or some algorithms6

7/25/2019 ch09 (1) (1)

8/26

Public!"ey Cryptosystems

7/25/2019 ch09 (1) (1)

9/26

Public!"ey 8pplications

can classi#y uses into ( categories,

encryption/decryption5proidesecrecy6

digital signatures5proideauthentication6

key exchange5o# session keys6

some algorithms are suitable #or alluses$ others are speci'c to one

7/25/2019 ch09 (1) (1)

10/26

Security o# Public "eySchemes

like priate key schemes brute #orceexhaustive searchattack is alwaystheoretically possible

but keys used are too large 5:2;bits6

security relies on a large enoughdi

7/25/2019 ch09 (1) (1)

11/26

=S8

by =iest$ Shamir & 8dleman o# />? in 2933

best known & widely used public!key scheme

based on e@ponentiation in a 'nite 5Aalois6 'eld

oer integers modulo a prime nb e@ponentiation takes 55log n6(6 operations 5easy6

uses large integers 5eg 2);D bits6

security due to cost o# #actoring large numbers

nb #actoriation takes 5e log n log log n6 operations 5hard6

7/25/2019 ch09 (1) (1)

12/26

=S8 "ey Setup

each user generates a public7priate key pairby,

selecting two large primes at random ! p, q

computing their system modulus n=p.q note (n)=(p-1)(q-1)

selecting at random the encryption key e where 2e

7/25/2019 ch09 (1) (1)

13/26

=S8 1se

to encrypt a message / the sender,

obtains public keyo# recipient PU={e,n}

computes, C = Memod n$ where 0M

7/25/2019 ch09 (1) (1)

14/26

Why =S8 Works

because o# EulerJs ?heorem, a(n)mod n = 1 where gcd(a,n)=1

in =S8 hae,

n=p.q (n)=(p-1)(q-1) care#ully chose e& dto be inerses mod (n) hence e.d=1+k.(n)#or some k

hence ,Cd= Me.d = M1+k.(n)= M1.(M(n))k

= M1.(1)k= M1= M mod n

7/25/2019 ch09 (1) (1)

15/26

=S8 E@ample ! "ey Setup

2 Select primes,p=1 ! q=11

; Computen =pq =1 " 11=1#

( Compute(n)=(p1)(q-1)=1$ "

10=1$0D Select e,gcd(e,1$0)=1% choose e=

: -etermine d,de=1 mod 1$0and d < 1$0Kalue is d=&'since &'"=1$1= 10"1$0+1

4 Publish public key PU={,1#}

3 "eep secret priate key PR={&',1#}

7/25/2019 ch09 (1) (1)

16/26

=S8 E@ample !En7-ecryption

sample =S8 encryption7decryption is,

gien message M = ##5nb ##

7/25/2019 ch09 (1) (1)

17/26

E@ponentiation

can use the S%uare and /ultiply 8lgorithm

a #ast$ e.cient algorithm #or e@ponentiation

concept is based on repeatedly s%uaring base

and multiplying in the ones that are neededto compute the result

look at binary representation o# e@ponent

only takes 5log;n6 multiples #or number n

eg = .1= '. = 10 mod 11

eg '1&*= '1.'1= .' = mod 11

7/25/2019 ch09 (1) (1)

18/26

E@ponentiation

c = 0; f = 1

for i = k downto 0

do c = 2 x c

f = (f x f) mod n

if bi== 1then

c = c + 1

f = (f x a) mod n

return f

7/25/2019 ch09 (1) (1)

19/26

E.cient Encryption

encryption uses e@ponentiation to powere

hence i# e small$ this will be #aster

o#ten choose eG4::(3 5;24!26 also see choices o# eG( or eG23

but i# e too small 5eg eG(6 can attack using Chinese remainder theorem & (

messages with di

7/25/2019 ch09 (1) (1)

20/26

E.cient -ecryption

decryption uses e@ponentiation topower d this is likely large$ insecure i# not

can use the Chinese =emainder?heorem 5C=?6 to compute mod p & %separately then combine to get desiredanswer appro@ D times #aster than doing directly

only owner o# priate key who knowsalues o# p & % can use this techni%ue

7/25/2019 ch09 (1) (1)

21/26

=S8 "ey Aeneration

users o# =S8 must, determine two primes at random ! p, q

select either eor dand compute the other

primes p,qmust not be easily deried#rom modulus n=p.q means must be su.ciently large

typically guess and use probabilistic test

e@ponents e$ d are inerses$ so use>nerse algorithm to compute the other

7/25/2019 ch09 (1) (1)

22/26

=S8 Security

possible approaches to attacking =S8are,

brute #orce key search 5in#easible gien

sie o# numbers6 mathematical attacks 5based on di.culty

o# computing M5n6$ by #actoring modulus n6

timing attacks 5on running o# decryption6 chosen cipherte@t attacks 5gien

properties o# =S86

7/25/2019 ch09 (1) (1)

23/26

Factoring Problem

mathematical approach takes ( #orms, #actor n=p.q$ hence compute (n)and then d

determine (n)directly and compute d

'nd d directly

currently beliee all e%uialent to #actoring hae seen slow improements oer the years

as o# /ay!): best is ;)) decimal digits 544(6 bit with LS

biggest improement comes #rom improed

algorithm c# S to A0FS to LS

currently assume 2);D!;)DO bit =S8 is secure ensure p$ % o# similar sie and matching other constraints

7/25/2019 ch09 (1) (1)

24/26

?iming 8ttacks

deeloped by Paul "ocher in mid!299)s

e@ploit timing ariations in operations eg multiplying by small s large number

or >FJs arying which instructions e@ecuted in#er operand sie based on time taken

=S8 e@ploits time taken in e@ponentiation

countermeasures use constant e@ponentiation time

add random delays

blind alues used in calculations

7/25/2019 ch09 (1) (1)

25/26

Chosen Cipherte@t 8ttacks

Q =S8 is ulnerable to a ChosenCipherte@t 8ttack 5CC86

Q attackers chooses cipherte@ts & gets

decrypted plainte@t backQ choose cipherte@t to e@ploit properties

o# =S8 to proide in#o to helpcryptanalysis

Q can counter with random pad o#plainte@t

Q or use ptimal 8symmetric EncryptionPadding 58SP6

7/25/2019 ch09 (1) (1)

26/26

Summary

hae considered,

principles o# public!key cryptography

=S8 algorithm$ implementation$ security