CSCI3381-Cryptography

Similar documents
Advanced Cryptography

The application of prime numbers to RSA encryption

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Encryption. Tom Davis October 10, 2003

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Basic Algorithms In Computer Algebra

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

The Mathematics of the RSA Public-Key Cryptosystem

Public Key Cryptography: RSA and Lots of Number Theory

CIS 5371 Cryptography. 8. Encryption --

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Cryptography and Network Security Chapter 9

Elements of Applied Cryptography Public key encryption

1. The RSA algorithm In this chapter, we ll learn how the RSA algorithm works.

Overview of Public-Key Cryptography

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

Cryptography: Authentication, Blind Signatures, and Digital Cash

Software Tool for Implementing RSA Algorithm

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

Notes on Network Security Prof. Hemant K. Soni

SECURITY IN NETWORKS

RSA and Primality Testing

Digital Signatures. Prof. Zeph Grunschlag

Public Key Cryptography and RSA. Review: Number Theory Basics

Computer Security: Principles and Practice

Digital signatures. Informal properties

Network Security. HIT Shimrit Tzur-David

Lecture 13 - Basic Number Theory.

Lecture 3: One-Way Encryption, RSA Example

An Introduction to the RSA Encryption Method

Elliptic Curve Cryptography Methods Debbie Roser Math\CS 4890

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Computing exponents modulo a number: Repeated squaring

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

CSCE 465 Computer & Network Security

Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Cryptography and Network Security

Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

1 Message Authentication

An Efficient Data Security in Cloud Computing Using the RSA Encryption Process Algorithm

Solutions to Problem Set 1

CHAPTER 5. Number Theory. 1. Integers and Division. Discussion

Some practice problems for midterm 2

Message Authentication Codes

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Security in Distributed Systems. Network Security

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

CRYPTOGRAPHY IN NETWORK SECURITY

8 Primes and Modular Arithmetic

Principles of Network Security

Chapter 7: Network security

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Chapter 2 Homework 2-5, 7, 9-11, 13-18, 24. (9x + 2)(mod 26) y 1 1 (x 2)(mod 26) 3(x 2)(mod 26) U : y 1 = 3(20 2)(mod 26) 54(mod 26) 2(mod 26) c

Elliptic Curve Cryptography

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ MEng. Nguyễn CaoĐạt

CS 758: Cryptography / Network Security

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction

Symmetric Key cryptosystem

CS 348: Computer Networks. - Security; 30 th - 31 st Oct Instructor: Sridhar Iyer IIT Bombay

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

A short primer on cryptography

Lecture 6 - Cryptography

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Symmetric Mechanisms for Authentication in IDRP

Number Theory and the RSA Public Key Cryptosystem

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Lukasz Pater CMMS Administrator and Developer

Network Security. Security. Security Services. Crytographic algorithms. privacy authenticity Message integrity. Public key (RSA) Message digest (MD5)

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

ANALYSIS OF RSA ALGORITHM USING GPU PROGRAMMING

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

Number Theory and Cryptography using PARI/GP

Lecture 17: Re-encryption

Chapter 10. Network Security

Introduction to Encryption

Homework until Test #2

Public Key Cryptography in Practice. c Eli Biham - May 3, Public Key Cryptography in Practice (13)

A Proposal for Authenticated Key Recovery System 1

Public Key Cryptography Overview

Massachusetts Institute of Technology Handout : Network and Computer Security October 9, 2003 Professor Ronald L. Rivest.

1 Domain Extension for MACs

How To Know If A Message Is From A Person Or A Machine

CPSC 467b: Cryptography and Computer Security

Lecture 13: Factoring Integers

An Introduction to Cryptography and Digital Signatures

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

A Factoring and Discrete Logarithm based Cryptosystem

The Euclidean Algorithm

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

1 Construction of CCA-secure encryption

Transcription:

CSCI3381-Cryptography Lecture 7: RSA October 9, 2014 Much of this is in Chapter 6 of the textbook. 1 General Issues in Public-key Cryptography In symmetric cryptography, Alice and Bob share a single key K known only to them. In a public-key cryptosystem, one participant (let s say Bob) has a pair of keys K pub and K priv, the public and private keys. K pub is known to everyone, and K priv only to Bob. If Alice wants to send a message M to Bob, she encrypts it using Bob s public key and sends him Bob decrypts it using his private key: C = E Kpub (M). M = D Kpriv (C). Of course, D Kpriv is required to invert E Kpub, and as usual, we assume that the algorithms E and D are known to everyone. However, no one should be able to determine K priv given the public key K pub. The public key is like a combination lock, distributed openly, and the private key is its combination, known only to one party. 1.1 Performance In principle, Bob and Alice could hold a two-way conversation, but Bob would need Alice s public key to encrypt and Alice would use her own private key to decrypt. In practice, this is not really done. While all the algorithms underlying 1

RSA and other public key systems are easy, they are still much more timeconsuming than symmetric block ciphers like AES and DES. The more common practice is this: Alice generates a key K for a symmetric cipher and encrypts it with Bob s public key; that is, she sends him E Kpub (K). Bob decrypts, and all subsequent communication in the session is done using the symmetric cipher and the shared key K. Note that you get a new key K with each session, but the public and private keys are long-term. 1.2 Randomization of plaintext Since the encryption key is public, an eavesdropper can tell whether intercepted ciphertext C is the encryption of a plaintext message M she just has to encrypt M with the public key and compare! For this reason, data to be encrypted with a public key is usually padded with a large number of random bits before encryption. So instead of sending E Kpub (M) to Bob, Alice sends E Kpub (M random stuff). Doing so thwarts this kind of chosen-plaintext attack, because every time M is encrypted, the ciphertext is different. It also is effective against many of the attacks on RSA described below. 1.3 Active attack Public-key cryptosystems are vulnerable to a man-in-the-middle attack. (This is not the same thing as the meet-in-the-middle attack we saw earlier.) Here the attacker let s call her Cruella is not a passive eavesdropper, but someone capable of sending and altering messages on the communciation link. Cruella establishes her own public-private key pair (K pub, K priv) and masquerades as Alice. Let s say Bob and Alice want to use the public-key algorithm to set up an encrypted session with a symmetric key K. Since Bob has Cruella s public key, he sends E K pub (K). This is intercepted by Cruella, who now shares the key K with Bob, who believes Cruella is Alice. Cruella generates a second symmetric key K, and uses Alice s 2

genuine public key K pub to send E Kpub (K ) to Alice, who believes the message came from Bob. Cruella now has secure links with both Alice and Bob. She receives messages from one party, decrypts them, alters them, and re-encrypts the altered message to the other party. Alice and Bob think they are talking to each other. Man-in-the-middle attacks are a real problem. To thwart them, it is necessary to establish some means of authenticating users to one another. (To be concrete about it, how do you know that website really belongs to Amazon?) We will discuss authentication and signature methods, as well as public-key infrastructure, a bit later in this course. In a sense, this forces us to bring back the Trusted Authority. 2 Security of RSA The RSA algorithm itself is described in the last set of notes, and at the beginning of Chapter 6 of the text. We saw that it works (because decryption really does undo encryption), and that it is easy (because all the steps can be carried out efficiently), but is it secure? Can an eavesdropper recover the plaintext message M from M e mod N? 2.1 Relation to hardness of factoring If Eve can factor the modulus N, then she can repeat the key-generation phase of RSA and recover the private key d. For this reason, breaking RSA is easier than brute-forcing the key. Even the most naïve algorithm for factoring requires searching through no more than N values, and the current best algorithms are far faster than this, having successfully factored (with massive effort) numbers of more than 700 bits. For this reason, RSA moduli are much longer than keys used with symmetric block ciphers: 1024 bits and 2048 bits are commonly-used values. Still, we believe that factoring is hard. Does this imply that breaking RSA is hard? In one sense, yes: We will prove that someone who possesses the private key d can factor N with an efficient probabilistic algorithm. So if factoring really is hard, then it is also hard to recover RSA private keys. This next piece, which describes the factoring algorithm, is a bit involved, and you can skip it on first reading. We will use the standard notations p, q, e, d, N for the values in the RSA algorithm. 3

Since ed 1 is a multiple of both p 1 and q 1, we have a ed 1 1 (mod N) for all a such that gcd(a, N) = 1. Now if a k mod N = 1 for all a relatively prime to N, then we have in particular ( 1) k mod N = 1, so k must be even. Secondly (we won t prove this), if a k mod N 1 for some a relatively prime to N, then this must be the case for at least half the a relatively prime to N. We can then proceed as follows: We initially set k = ed 1. For each k, sample a bunch of values a < N at random and check whether gcd(a, N) = 1. In the (very unlikely) event that you find gcd(a, N) 1, then the common factor will be a prime divisior of N and you re done. Otherwise, calculate a k mod N. If a k mod N = 1 for all the sampled a, then probably this holds for all a relatively prime to N, in light of our claim about the number of a for which this does not hold. Thus k is even, so replace it by k/2 and repeat. Eventually, we will arrive at values k and a such that a 2k mod N = 1, and a k mod N 1. This means that r = a k is a square root of 1 modulo N. There are four different square roots of 1, and they are the solutions to the congruences x ±1 (mod p) x ±1 (mod q). The Chinese Remainder Theorem tells us that all four solutions are different. If we find that r is 1 or -1, then we resample, trying out new values of a. Eventually we will find an r that is a square root of 1 modulo N different from ±1. We have N r 2 1 = (r 1)(r + 1). Since N divides neither r 1 nor r + 1, we must have p r 1 and q r 1, or vice-versa. Take the gcd of r 1 with N and you recover a prime factor. Here is an example to illustrate the algorithm. We take N = 8611 and e = 5, and somehow recover the private key d = 1685. We will use this to factor N. >>> N=8611 >>> e=5 >>> d=1685 >>> k=e*d-1 >>> As=[random.randint(2,N-1) for j in range(10)] >>> pows=[pow(a,k,n) for a in As] >>> pows [1, 1, 1, 1, 1, 1, 1, 1, 1, 1] 4

>>> k=k/2 >>> As=[random.randint(2,N-1) for j in range(10)] >>> pows=[pow(a,k,n) for a in As] >>> pows [1, 1, 1, 1, 1, 1, 1, 1, 5451, 1] We have found a square root of 1 modulo N, namely 5451, and it is not equal to either 1 or -1. For the next step, we can use either 5450 or 5452. Computing the gcd with N gives one prime factor of N, and simple division gives the other. >>> mrpt.extended_euclid(5450,n) (109, (-30, 19)) >>> N/109 79 >>> 109*79 8611 This result is to be taken as theoretical evidence for the security of RSA: We cannot recover the secret key d unless factoring is easy. (But see below and the next homework assignment for an attack based on this algorithm.) It does not address is the more fundamental question of whether recovering the plaintext from ciphertext is as hard as factoring. To my knowledge, this is an open question: we really don t know whether breaking RSA is as hard as factoring. Security of RSA is based on a stronger conjecture about computational complexity: RSA Conjecture. There is no easy algorithm which, given N, e, M e mod N where N is the product of two unknown primes p, q, and gcd(e, (p 1)(q 1)), computes M mod N. 2.2 Assorted attacks on RSA Here is a brief description of a number of attacks on RSA. Some of these can be prevented by random padding, others by following correct procedure in the generation of keys. You will get to try them all out on the next homework assignment. 2.2.1 Small message, small encryption exponent A common choice for the encryption exponent is e = 3. If we are encrypting a small message, say using a 1024-bit RSA modulus to encrypt a 56-bit DES key 5

M, then the ciphertext C satisfies C = M 3 mod N = M 3, because in this case M 3 < N. We recover M by taking the cube root, which can be done quickly. (Observe the important distinction between taking the cube root mod N, which is believed to be hard in general, and taking the exact cube root, which is easy.) 2.2.2 Small encryption exponent Again suppose that e = 3, and let us imagine that the same message M is sent to three different recipients, holding different public keys. We assume that the moduli N 1, N 2, N 3 of the keys are pairwise relatively prime (if not, we can factor two of the moduli and the game is up). So we have M 3 C i (mod N) i for i = 1, 2, 3. By the Chinese Remainder Theorem, there is a unique solution less than N 1, N 2, N 3, so this unique solution must be M 3. Once again, we take the cube root. 2.2.3 Two public keys with the same modulus Your employer is lazy about generating primes, so he gives everyone in the company a public-private key pair N, e, d with different e and d for each employee, but a single N. Using your own private key d you can factor N, as outlined above, and thus recover all your colleagues private keys. 2.2.4 Two public keys with the same modulus, again You notice that the public keys of two users have the same modulus but different encryption exponents e 1, e 2. If e 1, e 2 are relatively prime and the two users encrypt the same message M, then you can recover M from the intercepted ciphertexts C 1 = M e 1 mod N and C 2 = M e 2 mod N by writing 1 = ae 1 + be 2 and thus obtaining M = M ae 1+be 2 C1 a C2 b (mod N). 6

2.2.5 Two public keys with a common factor If N 1 N 2 are RSA moduli with a factor in common, taking the gcd reveals the factor. We thus factor N 1 and N 2 and can decrypt all the traffic encrypted with these public keys. (If you think this scenario, and the preceding ones, are far-fetched, see Mining Your P s and Q s: Detection of Widespread Weak Keys in Network Devices, by N. Heninger et. al., at https://factorable.net/weakkeys12.extended.pdf The authors observed many instances of common moduli and common factors in public keys obtained from the Internet). 2.2.6 Prime Factors too Close If p and q are too close together ( p q < N 1/4,) then there is an efficient algorithm for recovering p and q from N. This will be outlined in the next assignment. 2.2.7 Short Plaintext This is described in Section 6.2.2 of the textbook. If we encrypt a 56-bit DES key K using RSA, there is a good chance that K is the product of two integers x, y each less than 10 9. In this case the ciphertext C satisfies Cy e x e (mod N), and we can recover x, y with a meet-in-the-middle attack. 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information