M = C^d mod n.
Cryptography & Network Security

RSA Algorithm

• Ron Rivest, Adi Shamir and Len Adleman invented it in 1977.
• Used for both public key encryption and digital signatures.
• Plain text is encrypted in blocks, each block having a binary value less than some number n.
• Block size <= log2(n); the block size is i bits, where 2^i < n <= 2^(i+1).

C = M^e mod n
M = C^d mod n = (M^e)^d mod n = M^(ed) mod n

Public key KU = {e, n}
Private key KR = {d, n}

Requirements

• It is possible to find values of e, d, n such that M^(ed) = M mod n for all M < n.
• It is relatively easy to calculate M^e mod n and C^d mod n for all values of M < n.
• It is infeasible to determine d given e and n.

M^(ed) = M mod n

According to Euler's theorem: given two prime numbers p and q, and two integers n and m such that n = pq and 0 < m < n, and an arbitrary integer k:

m^(kΦ(n)+1) = m^(k(p-1)(q-1)+1) = m mod n

For p, q prime: Φ(pq) = (p-1)(q-1)

The preceding relationship holds if e and d are multiplicative inverses modulo Φ(n), where Φ(n) is the Euler totient function.

ed = kΦ(n) + 1

This is equivalent to saying:

ed = 1 mod Φ(n)
d = e^(-1) mod Φ(n)

That is, e and d are multiplicative inverses mod Φ(n). Equivalently, gcd(Φ(n), d) = 1.

Ingredients of RSA

p, q, two prime numbers                    (private, chosen)
n = pq                                     (public, calculated)
e, with gcd(Φ(n), e) = 1; 1 < e < Φ(n)     (public, chosen)
d = e^(-1) (mod Φ(n))                      (private, calculated)

The private key consists of {d, n} and the public key consists of {e, n}. Suppose that user A has published its public key and that user B wishes to send the message M to A. Then B calculates C = M^e mod n and transmits C. On receipt of this ciphertext, user A decrypts by calculating M = C^d mod n.

• Select two prime numbers, p = 17 and q = 11.
• Calculate n = pq = 17 x 11 = 187.
• Calculate Φ(n) = (p - 1)(q - 1) = 16 x 10 = 160.
• Select e such that e is relatively prime to Φ(n) = 160 and less than Φ(n); we choose e = 7.
• Determine d such that de = 1 (mod 160) and d < 160.
The correct value is d = 23, because 23 x 7 = 161 = 160 + 1; d can be calculated using the extended Euclid's algorithm.

RSA is much slower than DES and other symmetric cryptosystems.

The Security of RSA

Four possible approaches to attacking the RSA algorithm:

• Brute force: This involves trying all possible private keys.
• Mathematical attacks: There are several approaches, all equivalent in effort to factoring the product of two primes.
• Timing attacks: These depend on the running time of the decryption algorithm.
• Chosen ciphertext attacks: This type of attack exploits properties of the RSA algorithm.

The defense against the brute-force approach is the same for RSA as for other cryptosystems: use a large key space. Thus, the larger the number of bits in d, the better.

The Factoring Problem

Three approaches to attacking RSA mathematically:

• Factor n into its two prime factors. This enables calculation of Φ(n) = (p - 1) x (q - 1), which, in turn, enables determination of d = e^(-1) (mod Φ(n)).
• Determine Φ(n) directly, which enables determination of d = e^(-1) (mod Φ(n)).
• Determine d directly, without first determining Φ(n).

Example Illustration

The resulting keys are public key PU = {7, 187} and private key PR = {23, 187}. Plain text input of M = 88.

For encryption, calculate C = 88^7 mod 187:

88^7 mod 187 = [(88^4 mod 187) x (88^2 mod 187) x (88^1 mod 187)] mod 187
88^1 mod 187 = 88
88^2 mod 187 = 7744 mod 187 = 77
88^4 mod 187 = 59,969,536 mod 187 = 132
88^7 mod 187 = (88 x 77 x 132) mod 187 = 894,432 mod 187 = 11

For decryption, we calculate M = 11^23 mod 187:

11^23 mod 187 = [(11^1 mod 187) x (11^2 mod 187) x (11^4 mod 187) x (11^8 mod 187) x (11^8 mod 187)] mod 187
11^1 mod 187 = 11
11^2 mod 187 = 121
11^4 mod 187 = 14,641 mod 187 = 55
11^8 mod 187 = 214,358,881 mod 187 = 33
11^23 mod 187 = (11 x 121 x 55 x 33 x 33) mod 187 = 79,720,245 mod 187 = 88

Key Management

Distribution of Public Keys

1. Public announcement
2. Publicly available directory
3. Public key authority
4. Public certificate

Digital Signatures

Message authentication protects two parties who exchange messages from any third party.

Scenario: An electronic funds transfer takes place, and the receiver increases the amount of funds transferred and claims that the larger amount had arrived from the sender. There is not complete trust between sender and receiver.

Digital signatures (DS) have the following properties:

• It must verify the author and the date and time of the signature.
• It must authenticate the contents at the time of the signature.
• It must be verifiable by third parties, to resolve disputes.

On the basis of these properties, we can formulate the following requirements for a digital signature:

• The signature must be a bit pattern that depends on the message being signed.
• The signature must use some information unique to the sender, to prevent both forgery and denial.
• It must be relatively easy to produce the digital signature.
• It must be relatively easy to recognize and verify the digital signature.
• It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message.
• It must be practical to retain a copy of the digital signature in storage.

A secure hash function, embedded in a scheme, satisfies these requirements.

Direct Digital Signature

The direct digital signature involves only the communicating parties (source, destination). A digital signature may be formed by encrypting the entire message with the sender's private key or by encrypting a hash code of the message with the sender's private key.

Arbitrated Digital Signature

Every signed message from a sender X to a receiver Y goes first to an arbiter A, who subjects the message and its signature to a number of tests to check its origin and content. The message is then dated and sent to Y with an indication that it has been verified to the satisfaction of the arbiter.
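The RSA worked example (p = 17, q = 11, e = 7, M = 88) and the direct digital signature formed from a hash code, shown together in Python. This is an added example, not part of the original slides; the function names, the SHA-256 choice and the reduction of the hash mod n are assumptions made so the hash fits the toy modulus.

```python
import hashlib

# Added example: toy parameters from the page's worked example (not secure sizes).
P, Q, E = 17, 11, 7
N = P * Q                    # 187
PHI = (P - 1) * (Q - 1)      # 160
D = pow(E, -1, PHI)          # multiplicative inverse of e mod PHI (Python 3.8+)


def modexp(base, exponent, modulus):
    """Square-and-multiply, reducing mod n after every multiplication."""
    result, base = 1, base % modulus
    while exponent:
        if exponent & 1:                    # current exponent bit is set
            result = (result * base) % modulus
        base = (base * base) % modulus      # next power: base^(2^i) mod n
        exponent >>= 1
    return result


def encrypt(m):
    if not 0 <= m < N:
        raise ValueError("message block must be less than n")
    return modexp(m, E, N)                  # C = M^e mod n


def decrypt(c):
    return modexp(c, D, N)                  # M = C^d mod n


def digest_block(message):
    # Assumption made for the toy modulus: SHA-256 reduced mod n to fit one block.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message):
    return modexp(digest_block(message), D, N)     # hash code, private key {d, n}


def verify(message, signature):
    return modexp(signature, E, N) == digest_block(message)   # public key {e, n}


if __name__ == "__main__":
    c = encrypt(88)
    print("d =", D, "C =", c, "M =", decrypt(c))
    sig = sign(b"pay 100")
    print("signature", sig, "verifies:", verify(b"pay 100", sig))
```

With n = 187 there are only 187 possible hash blocks, so two different messages can easily share a signature; the forgery-resistance requirement listed above depends on a realistic modulus size.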
Key Generation in RSA

• Determining two prime numbers, p and q
• Selecting either e or d and calculating the other

One of the more efficient and popular algorithms is the Miller-Rabin algorithm.

Procedure for testing whether a given integer n is prime: perform some calculation that involves n and a randomly chosen integer a. If n "fails" the test, then n is not prime. If n "passes" the test, then n may be prime or nonprime. If n passes many such tests with many different randomly chosen values for a, then we can have high confidence that n is, in fact, prime.

In summary, the procedure for picking a prime number is as follows.

1. Pick an odd integer n at random (e.g., using a pseudorandom number generator).
2. Pick an integer a < n at random.
3. Perform the probabilistic primality test, such as Miller-Rabin, with a as a parameter. If n fails the test, reject the value n and go to step 1.
4. If n has passed a sufficient number of tests, accept n; otherwise, go to step 2.

Issues in RSA

RSA Factoring Challenge - practical difficulty of factoring large integers and cracking RSA keys used in cryptography.

The smallest, a 100 decimal digit number called RSA-100, was factored by April 1, 1991.

A primary application is for choosing the key length of the RSA public-key encryption scheme.

The RSA numbers were generated on a computer with no network connection of any kind. The computer's hard drive was subsequently destroyed so that no record would exist, anywhere, of the solution to the factoring challenge.

The first RSA numbers generated, from RSA-100 to RSA-500, were labeled according to their number of decimal digits.

DH Computation Issues

Diffie–Hellman key exchange (D–H) is a cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher.
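The four-step prime-picking procedure from the Key Generation in RSA section above, written out in Python with Miller-Rabin as the probabilistic test. This is an added example, not part of the original slides; the function names and the default of 40 rounds are assumptions.

```python
import secrets

# Added example: function names and the round count are illustrative assumptions.


def miller_rabin_round(n, a):
    """One Miller-Rabin test of odd n > 3 with base a; False means n is composite."""
    d, r = n - 1, 0
    while d % 2 == 0:              # write n - 1 = 2^r * d with d odd
        d //= 2
        r += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True                # n "passes": it may be prime or nonprime
    for _ in range(r - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False                   # n "fails": a proves that n is not prime


def is_probable_prime(n, rounds=40):
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)       # step 2: random a, 2 <= a <= n - 2
        if not miller_rabin_round(n, a):       # step 3: n fails, reject it
            return False
    return True                                # step 4: passed enough tests


def pick_prime(bits, rounds=40):
    while True:
        # Step 1: random odd integer; top bit set so it has exactly `bits` bits.
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n, rounds):
            return n


if __name__ == "__main__":
    # 2047 = 23 x 89 passes the single test with a = 2 but fails random bases.
    print(miller_rabin_round(2047, 2), is_probable_prime(2047))
    print(pick_prime(64))
```

The 2047 case shows why step 4 repeats the test: one passing base says little, while many independent random bases make a composite slipping through very unlikely.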
Alice and Bob agree to use a prime number p = 23 and base g = 5.

Alice chooses a secret integer a = 6, then sends Bob A = g^a mod p:
A = 5^6 mod 23 = 8.

Bob chooses a secret integer b = 15, then sends Alice B = g^b mod p:
B = 5^15 mod 23 = 19.

Alice computes s = B^a mod p:
19^6 mod 23 = 2.

Bob computes s = A^b mod p:
8^15 mod 23 = 2.

Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. Elliptic curves are also used in several integer factorization algorithms that have applications in cryptography.

An elliptic curve is a plane curve which consists of the points satisfying the equation

y^2 = x^3 + ax + b

Several RSA-based protocols have been adapted to elliptic curves, replacing the group Z_pq with an elliptic curve:

* The Elliptic Curve Diffie-Hellman key agreement scheme is based on the Diffie-Hellman scheme,
* The Elliptic Curve Digital Signature Algorithm is based on the Digital Signature Algorithm,
* The ECMQV key agreement scheme is based on the MQV key agreement scheme.

HASH Function in Cryptography

A hash function H is a transformation that takes a variable-size input m and returns a fixed-size string, which is called the hash value h (that is, h = H(m)). Hash functions with just this property have a variety of general computational uses, but when employed in cryptography the hash functions are usually chosen to have some additional properties.

The basic requirements for a cryptographic hash function are:

* the input can be of any length,
* the output has a fixed length,
* H(x) is relatively easy to compute for any given x,
* H(x) is one-way,
* H(x) is collision-free.

Hash functions are used in digital signatures and message authentication codes (MACs). They can also be used as ordinary hash functions, to index data in hash tables, and as fingerprints, to detect duplicate data or uniquely identify files. A related application is password verification.
Passwords are usually not stored in cleartext, but in digest form. To authenticate a user, the password presented by the user is hashed and compared with the stored hash. This is sometimes referred to as one-way encryption.

MD5 algorithm

In cryptography, MD5 (Message-Digest algorithm 5) is a widely used cryptographic hash function with a 128-bit hash value. It is commonly used to check the integrity of files. MD5 processes a variable-length message into a fixed-length output of 128 bits. The input message is broken up into chunks of 512-bit blocks (sixteen 32-bit little endian integers).

Chinese Remainder Theorem

There are certain things whose number is unknown. Repeatedly divided by 3, the remainder is 2; by 5 the remainder is 3; and by 7 the remainder is 2. What will be the number?

Suppose n_1, n_2, …, n_k are positive integers which are pairwise coprime. Then, for any given integers a_1, a_2, …, a_k, there exists an integer x solving the system of simultaneous congruences

Stated mathematically, the problem is to find n, given its remainders on division by several numbers m_1, m_2, ..., m_k:

n = n_1 (mod m_1)
n = n_2 (mod m_2)
...
n = n_k (mod m_k)

Extended Euclidean algorithm is an extension to the Euclidean algorithm for finding the greatest common divisor (GCD) of integers a and b
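The remainder puzzle above (2 mod 3, 3 mod 5, 2 mod 7) and the RSA step d = e^(-1) mod Φ(n) both reduce to the extended Euclidean algorithm. The Python below is an added example, not part of the original slides; the function names are chosen here for illustration.

```python
# Added example: function names are illustrative, not from the slides.


def extended_gcd(a, b):
    """Return (g, x, y) with g = gcd(a, b) and a*x + b*y = g."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r        # ordinary Euclid on the remainders
        old_x, x = x, old_x - q * x        # carry the coefficient of a along
        old_y, y = y, old_y - q * y        # carry the coefficient of b along
    return old_r, old_x, old_y


def mod_inverse(a, m):
    """Return a^(-1) mod m, or raise if gcd(a, m) != 1."""
    g, x, _ = extended_gcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return x % m


def crt(remainders, moduli):
    """Solve n = r_i (mod m_i) for pairwise coprime m_i.

    Returns (n, M) where M is the product of the moduli and 0 <= n < M.
    """
    n, M = 0, 1
    for r, m in zip(remainders, moduli):
        try:
            inv = mod_inverse(M, m)        # exists only if m is coprime to M
        except ValueError:
            raise ValueError("moduli must be pairwise coprime") from None
        t = ((r - n) * inv) % m            # shift n by t*M to hit r mod m
        n, M = n + M * t, M * m
    return n, M


if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]))       # the puzzle from the text
    print(mod_inverse(7, 160))             # RSA example: e = 7, phi(n) = 160
```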