15CS434E NETWORK SECURITY

UNIT-I / RAJESH BABU 1

UNIT II PUBLIC KEY CRYPTOGRAPHY

• Mathematical Background for Cryptography

• Fermat’s and Euler’s Theorems, Testing for Primality
• Public Key Cryptography and RSA
• Discrete Logarithm and its application
• Elliptic Curve Cryptography

2
Mathematical Background for
Cryptography
Fermat’s and Euler’s Theorems,
Testing for Primality
 Prime Numbers
 prime numbers only have divisors of 1 and self
 they cannot be written as a product of other numbers
 note: 1 is prime, but is generally not of interest
 eg. 2,3,5,7 are prime, 4,6,8,9,10 are not
 prime numbers are central to number theory
 list of prime number less than 200 is:
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59
61 67 71 73 79 83 89 97 101 103 107 109 113 127
131 137 139 149 151 157 163 167 173 179 181 191
193 197 199
 Prime Factorisation
to factor a number n is to write it as a product
of other numbers: n=a x b x c
note that factoring a number is relatively hard
compared to multiplying the factors together
to generate the number
the prime factorisation of a number n is when
its written as a product of primes
eg. 91=7x13 ; 3600=24x32x52
 Relatively Prime Numbers & GCD
• two numbers a, b are relatively prime if have no
common divisors apart from 1
– eg. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8
and of 15 are 1,3,5,15 and 1 is the only common factor
• conversely can determine the greatest common
divisor by comparing their prime factorizations and
using least powers
– eg. 300=21x31x52 18=21x32 hence
GCD(18,300)=21x31x50=6
 Fermat's Theorem
• ap-1 = 1 (mod p)
– where p is prime and gcd(a,p)=1
• also known as Fermat’s Little Theorem
• also have: ap = a (mod p)
• useful in public key and primality testing
 Euler Totient Function ø(n)
• when doing arithmetic modulo n
• complete set of residues is: 0..n-1
• reduced set of residues is those numbers (residues)
which are relatively prime to n
– eg for n=10,
– complete set of residues is {0,1,2,3,4,5,6,7,8,9}
– reduced set of residues is {1,3,7,9}
• number of elements in reduced set of residues is
called the Euler Totient Function ø(n)
 Euler Totient Function ø(n)
• to compute ø(n) need to count number of
residues to be excluded
• in general need prime factorization, but
– for p (p prime) ø(p)=p-1
– for p.q (p,q prime) ø(p.q)=(p-1)x(q-1)
• eg.
ø(37) = 36
ø(21) = (3–1)x(7–1) = 2x6 = 12
 Euler's Theorem
• a generalisation of Fermat's Theorem
• aø(n) = 1 (mod n)
– for any a,n where gcd(a,n)=1
• eg.
a=3;n=10; ø(10)=4;
hence 34 = 81 = 1 mod 10
a=2;n=11; ø(11)=10;
hence 210 = 1024 = 1 mod 11
• also have: aø(n)+1 = a (mod n)
 Primality Testing
 often need to find large prime numbers
 traditionally sieve using trial division
 ie. divide by all numbers (primes) in turn less than the
square root of the number
 only works for small numbers
 alternatively can use statistical primality tests based
on properties of primes
 for which all primes numbers satisfy property
 but some composite numbers, called pseudo-primes, also
satisfy the property
 can use a slower deterministic primality test
PUBLIC KEY CRYPTOGRAPHY
AND RSA

UNIT-I / RAJESH BABU 12

 Private-Key Cryptography
traditional private/secret/single key
cryptography uses one key
shared by both sender and receiver
if this key is disclosed communications are
compromised
also is symmetric, parties are equal
hence does not protect sender from receiver
forging a message & claiming is sent by sender
 Public-Key Cryptography
• probably most significant advance in the 3000
year history of cryptography
• uses two keys – a public & a private key
• asymmetric since parties are not equal
• uses clever application of number theoretic
concepts to function
• complements rather than replaces private key
crypto
 Why Public-Key Cryptography?
• developed to address two key issues:
– key distribution – how to have secure
communications in general without having to trust
a KDC with your key
– digital signatures – how to verify a message
comes intact from the claimed sender
• public invention due to Whitfield Diffie &
Martin Hellman at Stanford Uni in 1976
– known earlier in classified community
 Public-Key Cryptography
• public-key/two-key/asymmetric cryptography involves
the use of two keys:
– a public-key, which may be known by anybody, and can be
used to encrypt messages, and verify signatures
– a related private-key, known only to the recipient, used to
decrypt messages, and sign (create) signatures
• infeasible to determine private key from public
• is asymmetric because
– those who encrypt messages or verify signatures cannot
decrypt messages or create signatures
Public-Key Cryptography
Symmetric vs Public-Key
Public-Key Cryptosystems
 Public-Key Applications
• can classify uses into 3 categories:
– encryption/decryption (provide secrecy)
– digital signatures (provide authentication)
– key exchange (of session keys)
• some algorithms are suitable for all uses,
others are specific to one
 Public-Key Requirements
• Public-Key algorithms rely on two keys where:
– it is computationally infeasible to find decryption key
knowing only algorithm & encryption key
– it is computationally easy to en/decrypt messages when
the relevant (en/decrypt) key is known
– either of the two related keys can be used for encryption,
with the other used for decryption (for some algorithms)
• these are formidable requirements which only
a few algorithms have satisfied
 Public-Key Requirements
• need a trapdoor one-way function
• one-way function has
– Y = f(X) easy
– X = f–1(Y) infeasible
• a trap-door one-way function has
– Y = fk(X) easy, if k and X are known
– X = fk–1(Y) easy, if k and Y are known
– X = fk–1(Y) infeasible, if Y known but k not known
• a practical public-key scheme depends on a
suitable trap-door one-way function
 Security of Public Key Schemes
 like private key schemes brute force exhaustive
search attack is always theoretically possible
 but keys used are too large (>512bits)
 security relies on a large enough difference in
difficulty between easy (en/decrypt) and hard
(cryptanalyse) problems
 more generally the hard problem is known, but is
made hard enough to be impractical to break
 requires the use of very large numbers
 hence is slow compared to private key schemes
 RSA
 by Rivest, Shamir & Adleman of MIT in 1977
 best known & widely used public-key scheme
 based on exponentiation in a finite (Galois) field over
integers modulo a prime
 nb. exponentiation takes O((log n)3) operations (easy)
 uses large integers (eg. 1024 bits)
 security due to cost of factoring large numbers
 nb. factorization takes O(e log n log log n) operations (hard)
 RSA En/decryption
• to encrypt a message M the sender:
– obtains public key of recipient PU={e,n}
– computes: C = Me mod n, where 0≤M<n
• to decrypt the ciphertext C the owner:
– uses their private key PR={d,n}
– computes: M = Cd mod n
• note that the message M must be smaller
than the modulus n (block if needed)
 RSA Key Setup
• each user generates a public/private key pair by:
• selecting two large primes at random: p, q
• computing their system modulus n=p.q
– note ø(n)=(p-1)(q-1)
• selecting at random the encryption key e
– where 1<e<ø(n), gcd(e,ø(n))=1
• solve following equation to find decryption key d
– e.d=1 mod ø(n) and 0≤d≤n
• publish their public encryption key: PU={e,n}
• keep secret private decryption key: PR={d,n}
 Why RSA Works
• because of Euler's Theorem:
– aø(n)mod n = 1 where gcd(a,n)=1
• in RSA have:
– n=p.q
– ø(n)=(p-1)(q-1)
– carefully chose e & d to be inverses mod ø(n)
– hence e.d=1+k.ø(n) for some k
• hence :
Cd = Me.d = M1+k.ø(n) = M1.(Mø(n))k
= M1.(1)k = M1 = M mod n
 RSA Example - Key Setup
1. Select primes: p=17 & q=11
2. Calculate n = pq =17 x 11=187
3. Calculate ø(n)=(p–1)(q-1)=16x10=160
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160
Value is d=23 since 23x7=161= 10x160+1
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}
 RSA Example - En/Decryption
sample RSA encryption/decryption is:
given message M = 88 (nb. 88<187)
encryption:
C = 887 mod 187 = 11
decryption:
M = 1123 mod 187 = 88
 Exponentiation
• can use the Square and Multiply Algorithm
• a fast, efficient algorithm for exponentiation
• concept is based on repeatedly squaring base
• and multiplying in the ones that are needed to
compute the result
• look at binary representation of exponent
• only takes O(log2 n) multiples for number n
– eg. 75 = 74.71 = 3.7 = 10 mod 11
– eg. 3129 = 3128.31 = 5.3 = 4 mod 11
 Exponentiation
c = 0; f = 1
for i = k downto 0
do c = 2 x c
f = (f x f) mod n
if bi == 1 then
c = c + 1
f = (f x a) mod n
return f
 Efficient Encryption
• encryption uses exponentiation to power e
• hence if e small, this will be faster
– often choose e=65537 (216-1)
– also see choices of e=3 or e=17
• but if e too small (eg e=3) can attack
– using Chinese remainder theorem & 3 messages
with different modulii
• if e fixed must ensure gcd(e,ø(n))=1
– ie reject any p or q not relatively prime to e
 Efficient Decryption
• decryption uses exponentiation to power d
– this is likely large, insecure if not
• can use the Chinese Remainder Theorem
(CRT) to compute mod p & q separately. then
combine to get desired answer
– approx 4 times faster than doing directly
• only owner of private key who knows values
of p & q can use this technique
 RSA Key Generation
• users of RSA must:
– determine two primes at random - p, q
– select either e or d and compute the other
• primes p,q must not be easily derived from
modulus n=p.q
– means must be sufficiently large
– typically guess and use probabilistic test
• exponents e, d are inverses, so use Inverse
algorithm to compute the other
 RSA Security
• possible approaches to attacking RSA are:
– brute force key search - infeasible given size of
numbers
– mathematical attacks - based on difficulty of
computing ø(n), by factoring modulus n
– timing attacks - on running of decryption
– chosen ciphertext attacks - given properties of RSA
 Factoring Problem
• mathematical approach takes 3 forms:
– factor n=p.q, hence compute ø(n) and then d
– determine ø(n) directly and compute d
– find d directly
• currently believe all equivalent to factoring
– have seen slow improvements over the years
• as of May-05 best is 200 decimal digits (663) bit with LS
– biggest improvement comes from improved algorithm
• cf QS to GHFS to LS
– currently assume 1024-2048 bit RSA is secure
• ensure p, q of similar size and matching other constraints
Progress in Factoring
Progress in
Factoring
 Timing Attacks
• developed by Paul Kocher in mid-1990’s
• exploit timing variations in operations
– eg. multiplying by small vs large number
– or IF's varying which instructions executed
• infer operand size based on time taken
• RSA exploits time taken in exponentiation
• countermeasures
– use constant exponentiation time
– add random delays
– blind values used in calculations
 Chosen Ciphertext Attacks
• RSA is vulnerable to a Chosen Ciphertext
Attack (CCA)
• attackers chooses ciphertexts & gets
decrypted plaintext back
• choose ciphertext to exploit properties of RSA
to provide info to help cryptanalysis
• can counter with random pad of plaintext
• or use Optimal Asymmetric Encryption
Padding (OASP)
 Optimal
Asymmetric
Encryption
Padding
(OASP)
DISCRETE LOGARITHMS AND
PRIMITIVE ROOTS

UNIT-I / RAJESH BABU 42

 Primitive Roots
• from Euler’s theorem have aø(n)mod n=1
• consider am=1 (mod n), GCD(a,n)=1
– must exist for m = ø(n) but may be smaller
– once powers reach m, cycle will repeat
• if smallest is m = ø(n) then a is called a primitive
root
• if p is prime, then successive powers of a "generate"
the group mod p
• these are useful but relatively hard to find
Powers mod 19
 Discrete Logarithms
• the inverse problem to exponentiation is to find the
discrete logarithm of a number modulo p
• that is to find i such that b = ai (mod p)
• this is written as i = dloga b (mod p)
• if a is a primitive root then it always exists, otherwise
it may not, eg.
x = log3 4 mod 13 has no answer
x = log2 3 mod 13 = 4 by trying successive powers
• whilst exponentiation is relatively easy, finding
discrete logarithms is generally a hard problem
Discrete Logarithms mod 19
KEY MANAGEMENT AND ECC

UNIT-I / RAJESH BABU 47

 Key Management
• public-key encryption helps address key
distribution problems
• distribution of public keys
• use of public-key encryption to distribute
secret keys
 Distribution of Public Keys
• can be considered as using one of:
– Public announcement
– Publicly available directory
– Public-key authority
– Public-key certificates
 Public Announcement
• users distribute public keys to recipients or
broadcast to community at large
– eg. append PGP keys to email messages or post to
news groups or email list
• major weakness is forgery
– anyone can create a key claiming to be someone
else and broadcast it
– until forgery is discovered can masquerade as
claimed user for authentication
 Publicly Available Directory
• can obtain greater security by registering keys
with a public directory
• directory must be trusted with properties:
– contains {name, public-key} entries
– participants register securely with directory
– participants can replace key at any time
– directory is periodically published
– directory can be accessed electronically
• still vulnerable to tampering or forgery
Public-Key Authority
 Public-Key Authority
• improve security by tightening control over
distribution of keys from directory
• requires users to know public key for the
directory
• then users interact with directory to obtain
any desired public key securely
– does require real-time access to directory when
keys are needed
 Public-Key Certificates
• The public-key authority could be a bottleneck in the
system.
– must appeal to the authority for the key of every other
user
• certificates allow key exchange without real-time
access to public-key authority
• a certificate binds identity to public key
• with all contents signed by a trusted Public-Key or
Certificate Authority (CA)
– Certifies the identity
– Only the CA can make the certificates
Public-Key Certificates
 Public-Key Distribution of Secret Keys
• public-key algorithms are slow
• so usually want to use private-key encryption
to protect message contents
• hence need a session key
• have several alternatives for negotiating a
suitable session using public-key
 Simple Secret Key Distribution
• proposed by Merkle in 1979
– A generates a new temporary public key pair
– A sends B the public key and their identity
– B generates a session key K sends it to A
encrypted using the supplied public key
– A decrypts the session key and both use
• problem is that an opponent can intercept and
impersonate both halves of protocol
– The scenario
 Public-Key Distribution of Secret Keys
• First securely exchanged public-keys using a
previous method
 Diffie-Hellman Key Exchange
• first public-key type scheme proposed
– For key distribution only
• by Diffie & Hellman in 1976 along with the
exposition of public key concepts
– note: now know that James Ellis (UK CESG)
secretly proposed the concept in 1970
• is a practical method for public exchange of a
secret key
• used in a number of commercial products
 Diffie-Hellman Key Exchange
• a public-key distribution scheme
– cannot be used to exchange an arbitrary message
– rather it can establish a common key
– known only to the two participants
• value of key depends on the participants (and their
private and public key information)
• based on exponentiation in a finite (Galois) field
(modulo a prime or a polynomial) - easy
• security relies on the difficulty of computing discrete
logarithms (similar to factoring) – hard
 Diffie-Hellman Setup
• all users agree on global parameters:
– large prime integer or polynomial q
– α a primitive root mod q
• each user (eg. A) generates their key
– chooses a secret key (number): xA < q
xA
– compute their public key: yA = α mod q
• each user makes public that key yA
 Diffie-Hellman Key Exchange
• shared session key for users A & B is K:
xB
K = yA mod q (which B can compute)
xA
K = yB mod q (which A can compute)
(example)
• K is used as session key in private-key encryption
scheme between Alice and Bob
• if Alice and Bob subsequently communicate, they will
have the same key as before, unless they choose
new public-keys
• attacker needs an x, must solve discrete log
 Diffie-Hellman Example
• users Alice & Bob who wish to swap keys:
• agree on prime q=353 and α=3
• select random secret keys:
– A chooses xA=97, B chooses xB=233
• compute public keys:
97
– yA=3 mod 353 = 40 (Alice)
233
– yB=3 mod 353 = 248 (Bob)
• compute shared session key as:
x 97
KAB= yB A mod 353 = 248 = 160 (Alice)
x 233
KAB= yA B mod 353 = 40 = 160 (Bob)
 Elliptic Curve Cryptography
• majority of public-key crypto (RSA, D-H) use
either integer or polynomial arithmetic with
very large numbers/polynomials
• imposes a significant load in storing and
processing keys and messages
• an alternative is to use elliptic curves
• offers same security with smaller bit sizes
 Real Elliptic Curves
• an elliptic curve is defined by an equation in two
variables x & y, with coefficients
• consider a cubic elliptic curve of form
– y2 = x3 + ax + b
– where x,y,a,b are all real numbers
– also define zero point O
• have addition operation for elliptic curve
– Q+R is reflection of intersection R
– Closed form for additions
• (10.3) and (10.4) P.300-301
Real Elliptic Addition
Rule 1-5 in P.300
 Finite Elliptic Curves
• Elliptic curve cryptography uses curves whose
variables & coefficients are finite integers
• have two families commonly used:
– prime curves Ep(a,b) defined over Zp
• y2 mod p = (x3+ax+b) mod p
• use integers modulo a prime for both variables and coeff
• best in software
– Closed form of additions: P.303
– Example: P=(3,10), Q=(9,7), in E23(1,1)
• P+Q = (17,20)
• 2P = (7,12)
All points on E23(1,1)
 Finite Elliptic Curves
• have two families commonly used:
– binary curves E2m(a,b) defined over GF(2m)
• use polynomials with binary coefficients
• best in hardware
– Take a slightly different form of the equation
– Different close forms for addition (P.304)
 Elliptic Curve Cryptography
• ECC addition is analog of multiply
• ECC repeated addition is analog of exponentiation
• need “hard” problem equiv to discrete log
– Q=kP, where Q,P are points in an elliptic curve
– is “easy” to compute Q given k,P
– but “hard” to find k given Q,P
– known as the elliptic curve logarithm problem
• Certicom example: E23(9,17) (P.305)
– k could be so large as to make brute-force fail
 ECC Key Exchange
• can do key exchange similar to D-H
• users select a suitable curve Ep(a,b)
– Either a prime curve, or a binary curve
• select base point G=(x1,y1) with large order n s.t.
nG=O
• A & B select private keys nA<n, nB<n
• compute public keys: PA=nA×G, PB=nB×G
• compute shared key: K=nA×PB, K=nB×PA
– same since K=nA×nB×G
• Example: P.305
 ECC Encryption/Decryption
• select suitable curve & point G as in D-H
• encode any message M as a point on the elliptic
curve Pm=(x,y)
• each user chooses private key nA<n
• and computes public key PA=nA×G
• to encrypt pick random k: Cm={kG, Pm+k Pb},
• decrypt Cm compute:
Pm+kPb–nB(kG) = Pm+k(nBG)–nB(kG) = Pm
• Example: P.307
 ECC Security
• relies on elliptic curve logarithm problem
• fastest method is “Pollard rho method”
• compared to factoring, can use much smaller
key sizes than with RSA etc
• for equivalent key lengths computations are
roughly equivalent
• hence for similar security ECC offers significant
computational advantages