Pages: 100 · Posted on: 8/27/2011 · Public Domain
NWS – Cryptography Prof. Dr. S. Heiss / 1

IT-Security: Threats
− Eavesdropping, sniffing
− Spoofing, replay attacks
− Unauthorized access, impersonation
− Denial of service (DoS)
− Misuse of resources
[Figure: Alice (A) sends a message m to Bob (B); the attacker Charly (C) sits on the channel between them.]

IT-Security: Aims
− Confidentiality (C)
− Integrity (I)
− Availability (A)
− Authentication
− Access control
− Non-repudiation

IT-Security: Techniques
− Confidentiality: encryption
− Integrity: MAC, MIC, digital signature
− Availability: filters, firewalls, robust implementations
− Authentication: MAC, key (physical token), biometric identification
− Access control: secure configurations, best security practices, security awareness of users, policies
− Non-repudiation: digital signature

Cryptographic Algorithms
− Symmetric ciphers
− MACs (message authentication codes)
− Message digests (hash functions)
− Cryptographically secure pseudo-random number generators (PRNGs)
− Asymmetric ciphers
− Digital signatures
− Key derivation algorithms / schemes

Kerckhoffs' Principle
Auguste Kerckhoffs von Nieuwenhof (1835-1903):
− The security of a cryptographic algorithm must not depend on the algorithm being kept secret; only the key is secret.
− Today's best practice: only use and implement well-known algorithms that have been thoroughly investigated by the international community of cryptographers (e.g. the public contest that selected AES).
− Do not rely on "security by obscurity"!

Symmetric Ciphers
[Figure: one key k is used by both the encryption function E_k and the decryption function D_k.]

Symmetric Ciphers
[Figure: Alice (A) computes c = E_k(m) and sends c to Bob (B), who computes m = D_k(c); both hold the same secret key k.]

Symmetric Ciphers
Key exchange:
− Alice and Bob must share a secret key, which has to be exchanged over a secure channel before it can be used to encrypt messages.
Key storage:
− Keys have to be securely managed and stored.
Symmetric Ciphers
Aim of the construction of cipher algorithms:
− No attack performs better than a brute-force search of the key space.
This means: the size of the key space |K| (the number of possible keys) determines the security of the algorithm. An exhaustive search costs |K| trials, so the security level in bits is log_2 |K|, the key length.

Types of Symmetric Ciphers
− Stream ciphers
− Block ciphers
Modes of operation (for block ciphers):
− ECB (Electronic Codebook mode)
− CBC (Cipher Block Chaining mode)
− CFB (Cipher Feedback mode)
− OFB (Output Feedback mode)

Symmetric Ciphers – Stream Ciphers

One Time Pad (OTP)
[Figure: plaintext bit stream m = 1 1 1 0 0 1 0 1 0 0 0 0 ..., one-time pad k (generated by a true random process), ciphertext c = E_k(m) = m XOR k bit by bit.]

One Time Pad (OTP) – Pros
− A truly randomly generated one-time pad is the only cipher that guarantees absolute (provable, information-theoretic) security.
− The only information that can be deduced from eavesdropping is the length of the plaintext.

One Time Pad (OTP) – Cons
Key establishment:
− The one-time pad has to be exchanged over some other secure channel prior to its use.
Key length:
− The one-time pad (key) has to be as long as the plaintext.
Reusability:
− Reusing a one-time pad is strictly prohibited: the XOR of two ciphertexts under the same pad is the XOR of the two plaintexts, which is open to statistical analysis.
Key generation:
− Costly, as a physically true random process has to be used.

Synchronous Stream Ciphers
[Figure: plaintext bit stream m; key k ∈ K = (F_2)^s (key space K of s-bit keys); E_k produces the ciphertext bit stream.]

Additive Synchronous Stream Ciphers
[Figure: the key k ∈ (F_2)^s drives a keystream generator; the ciphertext is c = E_k(m) = m XOR keystream, bit by bit.]
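An added, runnable illustration of an additive synchronous stream cipher (not code from the lecture): the keystream generator is RC4, implemented from the KSA/PRGA given on the RC4 slides further down, and the keys, plaintexts and the bank-transfer message are constructed for the demonstration (the "Key"/"Plaintext" pair is the commonly published RC4 test vector). Besides encryption and decryption it shows the two weaknesses of the "Cons" slide: reusing a keystream leaks m1 XOR m2, and an attacker who knows some plaintext can rewrite it without the key.

```python
"""Additive synchronous stream cipher with RC4 as keystream generator,
plus the two classic failure modes: keystream reuse and bit flipping
(no integrity protection).

Added example for this page, not code from the lecture. RC4 follows the
KSA/PRGA on the RC4 slides; all keys and messages are constructed
("Key"/"Plaintext" is the widely published RC4 test vector)."""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: the key scheduling algorithm (KSA) builds the permutation S,
    then the pseudo-random generation algorithm (PRGA) emits bytes."""
    s = list(range(256))                        # identity permutation
    j = 0
    for i in range(256):                        # KSA: scramble S with the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                    # PRGA: f swaps, g outputs
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two byte strings (truncated to the shorter one)."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Additive stream cipher: c = m XOR keystream. The keystream does not
    depend on m, so decryption is the same operation."""
    return xor(plaintext, rc4_keystream(key, len(plaintext)))


decrypt = encrypt


def two_time_pad_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Keystream reuse: XORing the two ciphertexts cancels the keystream and
    leaves m1 XOR m2, obtained without any knowledge of the key."""
    return xor(encrypt(key, m1), encrypt(key, m2))


def bit_flip_attack(key: bytes, plaintext: bytes, offset: int, new: bytes) -> bytes:
    """No integrity: an attacker who knows plaintext[offset:offset+len(new)]
    XORs (old XOR new) into the ciphertext; the receiver decrypts `new`.
    Returns what the legitimate receiver obtains after decryption."""
    c = bytearray(encrypt(key, plaintext))      # the attacker only sees c
    old = plaintext[offset:offset + len(new)]
    for k, d in enumerate(xor(old, new)):
        c[offset + k] ^= d
    return decrypt(key, bytes(c))


if __name__ == "__main__":
    print(encrypt(b"Key", b"Plaintext").hex())   # bbf316e8d940af0ad3
    leak = two_time_pad_leak(b"reused key", b"attack at dawn", b"retreat at 9pm")
    print(leak == xor(b"attack at dawn", b"retreat at 9pm"))   # True
    print(bit_flip_attack(b"bank key", b"PAY 0100 EUR TO BOB", 4, b"9900"))
```

The two attack functions take the key only to produce the ciphertexts an eavesdropper would capture; neither of them uses it for the attack itself, which is the point. A MAC over the ciphertext (see the MAC slides) is the standard fix for the bit-flipping problem.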
Additive Synchronous Stream Ciphers – Pros
− The keystream is independent of the plaintext (it can be precalculated).
− Encryption is a simple (fast) XOR operation.
− Decryption = encryption.

Additive Synchronous Stream Ciphers – Cons
Key establishment:
− The key has to be exchanged over some other secure channel prior to its use.
Reusability:
− Reusing the same key (and thus the same keystream) is strictly prohibited, as it compromises the encryption scheme.
Integrity of data is not protected:
− Single bits of the plaintext can be flipped by an attacker who flips the corresponding ciphertext bits.

Construction of Key Stream Generators
[Figure: the key k (key bits) and a seed (a small, truly random sequence) enter the key scheduling algorithm h, which produces the state s (state bits); the state update function f and the output function g then produce the keystream, a pseudorandom bit sequence.]

Example: RC4 Stream Cipher
− Developed 1987 by Ron Rivest for RSA Data Security Inc.
− Anonymously disclosed in 1994.
− Specified in IEEE 802.11 to be used for WEP.

Example: RC4 Stream Cipher
Usually used in an 8-bit version:
− The state consists of 2^8 · 8 bits (256 bytes S[0], ..., S[255]).
− The key consists of up to 256 bytes K[0], K[1], ..., K[l-1].
− The key scheduling algorithm h = KSA(K) defines a permutation S ∈ S_256.
− The state update function f swaps two entries of S.
− The pseudorandom output generating functions f and g are denoted as PRGA. They do not take k as input.

Example: RC4 Stream Cipher – Key Scheduling Algorithm (KSA)
[Figure: the key k = (K[0], K[1], ..., K[l-1]) enters the key scheduling algorithm h; the state s is the byte array (S[0], S[1], ..., S[255]), first the identity permutation, then scrambled.]

    // Initialization: S starts as the identity permutation.
    for (int i = 0; i < 256; ++i)
        S[i] = (byte) i;

    // Scrambling: l is the key length in bytes; j is kept modulo 256.
    int j = 0;
    for (int i = 0; i < 256; ++i) {
        j = (j + S[i] + K[i % l]) & 0xff;
        byte t = S[i];          // swap S[i] and S[j]
        S[i] = S[j];
        S[j] = t;
    }

Example: RC4 Stream Cipher – Pseudo-Random Generation Algorithm (PRGA)
[Figure: the state s = (S[0], S[1], ..., S[255]) with the two pointers i and j; f swaps S[i] and S[j], g outputs S[(S[i] + S[j]) mod 256] as the next keystream byte.]

    // State after the KSA; i and j are the two pointers into S.
    int i = 0;
    int j = 0;

    // f and g: one step of the state update, returning one keystream byte.
    byte prga() {
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        byte t = S[i];          // f: swap S[i] and S[j]
        S[i] = S[j];
        S[j] = t;
        return S[(S[i] + S[j]) & 0xff];   // g: output byte
    }

Symmetric Ciphers – Stream Ciphers based on LFSRs

Shift Registers
[Figure: a shift register of length L with cells numbered L-1, L-2, ..., 2, 1, 0; at each clock the contents move one cell towards cell 0, whose bit is the output.]

Feedback Shift Registers
[Figure: as above, but the new bit entering cell L-1 is a boolean function of the current cell contents.]

Linear Feedback Shift Registers
LFSR = linear feedback shift register of length L.
[Figure: the feedback bit is the sum in F_2 (XOR) of the tapped cells; which cells are tapped is described by the connection polynomial. In the figure: c(x) = 1 + 1·x + 0·x^2 + ... + 1·x^(L-2) + 0·x^(L-1) + 1·x^L.]
Connection polynomial:
  c(x) = 1 + c_1·x + c_2·x^2 + ... + c_(L-1)·x^(L-1) + c_L·x^L ∈ F_2[x],
where c_i = 1 if and only if the i-th most recent bit is fed back (for the figure: c(x) = 1 + x + ... + x^(L-2) + x^L).

Properties of LFSRs
Some facts about LFSRs:
(1) If (s_(L-1), s_(L-2), ..., s_1, s_0) is the initial state of an LFSR with connection polynomial
      c(x) = 1 + c_1·x + ... + c_(L-1)·x^(L-1) + c_L·x^L,
    then the output sequence (s_0, s_1, s_2, ...) is determined by the following recursion for j ≥ L:
      s_j = c_1·s_(j-1) + ... + c_(L-1)·s_(j-L+1) + c_L·s_(j-L)   (addition in F_2, i.e. XOR).
(2) Every output sequence (s_0, s_1, s_2, ...) of an LFSR with connection polynomial
      c(x) = 1 + c_1·x + ... + c_(L-1)·x^(L-1) + c_L·x^L
    is periodic if and only if c_L ≠ 0.
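An added example (not code from the lecture) that implements the recursion of fact (1), measures the period of fact (2), and carries the linearity of the recursion through to the attack it invites: 2L consecutive keystream bits give L linear equations over F_2 whose solution is the connection polynomial, after which every later keystream bit can be predicted without the key. The polynomials and initial states are constructed test cases, and the Gaussian elimination is written here, not taken from the slides.

```python
"""LFSR output by the recursion s_j = c_1 s_{j-1} + ... + c_L s_{j-L} (in F_2),
its period, and the linear known-plaintext attack: 2L consecutive output
bits determine the connection polynomial and hence the whole keystream.

Added example for this page, not code from the lecture. The polynomials
below are constructed test cases: 1 + x + x^4 and 1 + x^2 + x^5 are
primitive, 1 + x + x^2 + x^3 + x^4 is irreducible but not primitive."""

from typing import List, Optional


def lfsr_sequence(c: List[int], state: List[int], n: int) -> List[int]:
    """c = [c_1, ..., c_L] for c(x) = 1 + c_1 x + ... + c_L x^L;
    state = [s_0, ..., s_{L-1}] (oldest bit first). Returns s_0 .. s_{n-1}."""
    L = len(c)
    s = list(state[:L])
    while len(s) < n:
        j = len(s)
        s.append(sum(c[i - 1] & s[j - i] for i in range(1, L + 1)) & 1)
    return s[:n]


def period(c: List[int], state: List[int]) -> Optional[int]:
    """Smallest N > 0 with s_{j+N} = s_j for all j (needs c_L = 1 to exist)."""
    L = len(c)
    s = lfsr_sequence(c, state, 2 ** L + L)
    for N in range(1, 2 ** L + 1):
        if s[N:N + L] == s[:L]:
            return N
    return None


def solve_gf2(rows: List[int], rhs: List[int], ncols: int) -> Optional[List[int]]:
    """Gauss-Jordan elimination over F_2. rows[k] is a bitmask whose bit i is
    the coefficient of unknown i in equation k; rhs[k] is its right-hand side.
    Returns the unique solution, or None if the system is singular."""
    rows, rhs = list(rows), list(rhs)
    for col in range(ncols):
        piv = next((k for k in range(col, len(rows)) if rows[k] >> col & 1), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        rhs[col], rhs[piv] = rhs[piv], rhs[col]
        for k in range(len(rows)):
            if k != col and rows[k] >> col & 1:
                rows[k] ^= rows[col]
                rhs[k] ^= rhs[col]
    return rhs[:ncols]


def recover_feedback(bits: List[int], L: int) -> Optional[List[int]]:
    """Known-plaintext attack: from 2L consecutive keystream bits solve the
    L linear equations s_j = sum_i c_i s_{j-i}, j = L .. 2L-1, for c_1..c_L."""
    rows = [sum(bits[j - i] << (i - 1) for i in range(1, L + 1)) for j in range(L, 2 * L)]
    rhs = [bits[j] for j in range(L, 2 * L)]
    return solve_gf2(rows, rhs, L)


def predict(bits: List[int], L: int, n_more: int) -> List[int]:
    """Continue a keystream of which 2L consecutive bits are known, no key needed."""
    c = recover_feedback(bits, L)
    if c is None:
        raise ValueError("the known bits do not determine a register of length L")
    return lfsr_sequence(c, bits[:L], len(bits) + n_more)[len(bits):]


if __name__ == "__main__":
    print(period([1, 0, 0, 1], [1, 0, 0, 0]))        # 15 = 2^4 - 1 (primitive)
    print(period([1, 1, 1, 1], [1, 0, 0, 0]))        # 5 (c(x) divides x^5 + 1)
    ks = lfsr_sequence([0, 1, 0, 0, 1], [1, 0, 0, 0, 0], 40)
    print(recover_feedback(ks[:10], 5))              # [0, 1, 0, 0, 1]
    print(predict(ks[:10], 5, 30) == ks[10:])        # True
```

The periods 15 and 5 are exactly facts (3) and (4): the primitive polynomial reaches 2^4 - 1, the merely irreducible one stops at the smallest N with c(x) | x^N + 1. The attack in `recover_feedback` is the reason the next slide breaks linearity with nonlinear combiners, filters or clock control.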
Properties of LFSRs
(3) If c(x) has degree L and is irreducible over F_2, then the period of every non-trivial output sequence is the smallest positive integer N such that c(x) divides x^N + 1. (Remark: N is always a divisor of 2^L - 1.)
(4) If c(x) has degree L and is primitive over F_2, then every non-trivial output sequence has the maximal possible period 2^L - 1.

Properties of LFSRs
(5) Output sequences (s_0, s_1, s_2, ...) of maximum-length LFSRs (m-sequences) have good statistical properties.
But:
(6) Knowledge of L consecutive output bits (and of c(x)) allows the calculation of all following bits; 2L consecutive bits even determine c(x) itself, because the recursion is linear over F_2. This makes a keystream taken directly from the output of an LFSR vulnerable to known-plaintext attacks.

LFSRs in Key Stream Generators
Breaking linearity:
− Use nonlinear combinations of the output sequences of several LFSRs.
− Use nonlinear filtering functions on the output of a single LFSR.
− Use the output of LFSRs to control the clock of other LFSRs.

Stream Cipher defined in Bluetooth (Bluetooth 1.2, Part H, Section 4.4)
[Figure, two slides: the Bluetooth E0 keystream generator, four LFSRs whose outputs are combined by a nonlinear combiner with memory.]

Symmetric Ciphers – Block Ciphers

Block Ciphers
[Figure: n-bit plaintext block m (block length n), key k ∈ K (key space K), encryption E_k, n-bit ciphertext block c = E_k(m).]

Block Ciphers
− m ∈ (F_2)^n: n-bit plaintext block (block length n)
− k ∈ K = (F_2)^s: s-bit key
− E: K × (F_2)^n → (F_2)^n; for each fixed key, E_k: (F_2)^n → (F_2)^n is a bijection
− c = E_k(m) ∈ (F_2)^n: n-bit ciphertext block

Block Ciphers
How many different block ciphers can be defined for the encryption of blocks of length n? (Each key selects a permutation of the 2^n blocks, and there are (2^n)! of them; an s-bit key can address at most 2^s.)
Why not use random permutations of the set of all 2^n blocks of length n for the construction of block ciphers? (Storing or transmitting an arbitrary permutation of 2^n blocks as the key needs about n·2^n bits, which is hopeless already for n = 64.)

Design of Block Ciphers
− A block cipher shall exhibit the same statistical features as a random permutation of all 2^n blocks of length n.
− Encryption and decryption shall be efficiently implementable in software and hardware (runtime performance, memory requirements).
− Block ciphers are usually organized in rounds, in which the following types of basic operations are repeatedly executed:
  − permutations of the bits of a block,
  − substitutions (S-boxes) of values in sub-blocks.

Block Ciphers
− The length of the plaintext data must be a multiple of n: padding operations are needed.
− Simply encrypting data block by block (ECB mode) reveals which plaintext blocks are equal and may allow dictionary attacks. To prevent such attacks, use:
  − CBC mode,
  − random IV values.
ECB: Electronic Code Book. CBC: Cipher Block Chaining. IV: Initialization Vector.

ECB mode (Electronic Code Book)
[Figure: C_i = E_k(B_i) for each block B_1, ..., B_n independently.]

CBC mode (Cipher Block Chaining) – Encryption
[Figure: C_1 = E_k(B_1 XOR IV), C_i = E_k(B_i XOR C_(i-1)) for i = 2, ..., n.]

CBC mode (Cipher Block Chaining) – Decryption
[Figure: B_1 = D_k(C_1) XOR IV, B_i = D_k(C_i) XOR C_(i-1).]

CFB mode (Cipher Feedback) – Encryption
[Figure: C_1 = B_1 XOR E_k(IV), C_i = B_i XOR E_k(C_(i-1)).]

CFB mode (Cipher Feedback) – Decryption
[Figure: B_1 = C_1 XOR E_k(IV), B_i = C_i XOR E_k(C_(i-1)); only E_k is needed, never D_k.]

OFB mode (Output Feedback) – Encryption
[Figure: keystream blocks O_1 = E_k(IV), O_i = E_k(O_(i-1)); C_i = B_i XOR O_i. The keystream does not depend on the data, so OFB is an additive stream cipher.]

OFB mode (Output Feedback) – Decryption
[Figure: B_i = C_i XOR O_i with the same keystream O_i = E_k(O_(i-1)); only E_k is needed.]
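An added example (not code from the lecture) of the modes that matter most in practice, ECB, CBC and the CTR mode of the following slides, on top of a constructed stand-in block cipher: a 4-round Feistel network keyed through SHA-256, which is neither DES nor AES and not secure, and is used only so that the example runs with the standard library. It shows the ECB leak described on the "Block Ciphers" slide, why CBC needs a fresh IV per message, the padding step, and that CTR needs neither padding nor D_k. Keys, IVs and messages are constructed values.

```python
"""ECB, CBC and CTR modes on top of a block cipher: why ECB leaks structure,
why CBC needs a fresh random IV, and how CTR turns a block cipher into an
additive stream cipher.

Added example for this page, not code from the lecture. The block cipher is
a constructed 64-bit, 4-round Feistel permutation keyed through SHA-256 so
the example runs without a crypto library; it is NOT a secure cipher and
only stands in for DES/AES. Keys, IVs and messages are constructed values."""

import hashlib
from typing import List

BLOCK = 8  # block length n = 64 bit

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """E_k on one 64-bit block (toy Feistel network; a bijection for any round function)."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, rnd, r))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    """D_k: the Feistel rounds run backwards."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _round(key, rnd, l)), l
    return l + r

def pad(data: bytes) -> bytes:
    """PKCS#7: append 1..BLOCK bytes, each equal to the number of bytes appended."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def blocks(data: bytes) -> List[bytes]:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, m: bytes) -> bytes:
    """C_i = E_k(B_i): equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(block_encrypt(key, b) for b in blocks(pad(m)))

def ecb_decrypt(key: bytes, c: bytes) -> bytes:
    return unpad(b"".join(block_decrypt(key, b) for b in blocks(c)))

def cbc_encrypt(key: bytes, iv: bytes, m: bytes) -> bytes:
    """C_1 = E_k(B_1 XOR IV), C_i = E_k(B_i XOR C_{i-1})."""
    out, prev = [], iv
    for b in blocks(pad(m)):
        prev = block_encrypt(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, c: bytes) -> bytes:
    """B_1 = D_k(C_1) XOR IV, B_i = D_k(C_i) XOR C_{i-1}."""
    out, prev = [], iv
    for b in blocks(c):
        out.append(xor(block_decrypt(key, b), prev))
        prev = b
    return unpad(b"".join(out))

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """C_i = B_i XOR E_k(CTR + i - 1): no padding, and decryption is the same call."""
    ctr = int.from_bytes(nonce, "big")
    nblocks = -(-len(data) // BLOCK)            # ceil(len / BLOCK)
    ks = b"".join(block_encrypt(key, ((ctr + i) % 2 ** 64).to_bytes(BLOCK, "big"))
                  for i in range(nblocks))
    return xor(data, ks)                        # xor truncates to len(data)

def distinct_blocks(c: bytes) -> int:
    """Number of different ciphertext blocks: repeated blocks betray ECB."""
    return len(set(blocks(c)))

def fixed_iv_leak(key: bytes, iv: bytes, m1: bytes, m2: bytes) -> bool:
    """With a reused IV, CBC reveals whether two messages start alike:
    equal first plaintext blocks give equal first ciphertext blocks."""
    return cbc_encrypt(key, iv, m1)[:BLOCK] == cbc_encrypt(key, iv, m2)[:BLOCK]

if __name__ == "__main__":
    key, iv = b"constructed key!", bytes(range(BLOCK))
    m = b"SAMEBLCK" * 4                                # four identical blocks
    print(distinct_blocks(ecb_encrypt(key, m)))        # 2 (data block + padding block)
    print(distinct_blocks(cbc_encrypt(key, iv, m)))    # 5: chaining hides the repeat
    print(fixed_iv_leak(key, iv, b"SAMEBLCK-one", b"SAMEBLCK-two"))   # True
    print(cbc_decrypt(key, iv, cbc_encrypt(key, iv, m)) == m,
          ctr_crypt(key, iv, ctr_crypt(key, iv, m)) == m)           # True True
```

The mode code would be unchanged with AES in place of the toy cipher (only `BLOCK` would become 16). `fixed_iv_leak` is the reason the slide demands random IV values: CBC only hides equal prefixes when the IV differs per message, and CTR has the same requirement for the counter start, since reusing it reuses the keystream.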
CTR mode (Counter) – Encryption
[Figure: the counter blocks CTR, CTR+1, CTR+2, ..., CTR+n-1 are encrypted with E_k; C_i = B_i XOR E_k(CTR+i-1).]

CTR mode (Counter) – Decryption
[Figure: B_i = C_i XOR E_k(CTR+i-1); only E_k is needed, the blocks are independent and can be processed in parallel, and a counter value must never be reused under the same key.]

Frequently used Block Ciphers
DES (Data Encryption Standard)
− Effective key length: 56 bit
− Block length: 64 bit
− Developed by IBM (predecessor: Lucifer algorithm)
− US Federal Standard FIPS 46, published 1977
− DES was/is specified in many standards for cryptographic use (ANSI standards, HBCI, ...)
− Main weakness: short key length (exhaustive key search has been practical since 1998)

Frequently used Block Ciphers
Triple-DES (3DES, DES-EDE)
− Key length: 168 bit with three independent keys; 112 bit in the two-key EDE variant (K_1, K_2, K_1)
− Effective security: 112 bit (meet-in-the-middle attacks)
− Block length: 64 bit (as DES)
− Main weakness: poor performance (three DES operations per block)

Frequently used Block Ciphers
AES (Advanced Encryption Standard)
− Specified key lengths: 128, 192, 256 bit
− Block length: 128 bit
− Winning algorithm (Rijndael) of an international contest organised by NIST
− US Federal Standard FIPS PUB 197, published 2001

Hash Functions (Message Digest, Digital Fingerprint)
[Figure: H maps a message of arbitrary length to a digest of fixed length.]

Hash Functions
A hash (digital fingerprint, message digest) H is a mapping of the set of all binary sequences of finite length (m_1, m_2, m_3, ...) to the set of binary sequences of some fixed length n:
  h = H(m) = (h_1, h_2, ..., h_n) ∈ (F_2)^n.

Hash Functions
Preimage resistance: given a sequence (h_1, h_2, ..., h_n) ∈ (F_2)^n, it is practically impossible to find a sequence (s_1, s_2, s_3, ...) with H(s_1, s_2, s_3, ...) = (h_1, h_2, ..., h_n).
Collision resistance: it is practically impossible to find two different sequences (s_1, s_2, s_3, ...) and (t_1, t_2, t_3, ...) with H(s_1, s_2, s_3, ...) = H(t_1, t_2, t_3, ...).
(Because of the birthday paradox, a collision of an n-bit hash can be found with about 2^(n/2) evaluations, so the collision resistance of an n-bit hash is at most n/2 bits.)
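An added example (not code from the lecture) for the hash-function properties above and for the HMAC construction given on the HMAC slide further down: a digest as download check, a birthday search that finds a collision in a digest truncated to 32 bits after roughly 2^16 hashes, and HMAC written out from the RFC 2104 formula and cross-checked against Python's hmac module. Messages and keys are constructed; the HMAC-SHA1 vector (key 0x0b repeated 20 times, data "Hi There") is RFC 2202 test case 1.

```python
"""Hash-function properties in practice: a digest as integrity check, a
birthday search showing why short digests are not collision resistant,
and the RFC 2104 HMAC construction checked against the standard library.

Added example for this page, not code from the lecture. Messages and keys
are constructed; the HMAC-SHA1 vector (key 0x0b*20, "Hi There") is
RFC 2202 test case 1."""

import hashlib
import hmac
from typing import Callable, Tuple


def fingerprint(data: bytes) -> str:
    """h = H(m): digital fingerprint of arbitrary-length data (SHA-256)."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_hex: str) -> bool:
    """Download check: recompute H(m') and compare with the published digest.
    This detects accidental corruption only; whoever can alter m can also
    publish a matching digest, so the digest needs a trusted channel."""
    return hmac.compare_digest(fingerprint(data), expected_hex)


def truncated_digest(data: bytes, nbits: int) -> int:
    """The first nbits of SHA-256, small enough to make collisions reachable."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - nbits)


def birthday_collision(nbits: int) -> Tuple[bytes, bytes, int]:
    """Two distinct messages with equal nbits-bit digest, and the number of
    hashes used: about 2^(nbits/2), not 2^nbits (birthday paradox)."""
    seen = {}
    tries = 0
    while True:
        msg = b"constructed message #%d" % tries
        tries += 1
        h = truncated_digest(msg, nbits)
        if h in seen:
            return seen[h], msg, tries
        seen[h] = msg


def hmac_rfc2104(key: bytes, data: bytes,
                 hashfunc: Callable = hashlib.sha1) -> bytes:
    """HMAC(data) = H( (k XOR opad) | H( (k XOR ipad) | data ) ),
    b = block size of H in bytes (64 for SHA-1 and SHA-256)."""
    b = hashfunc().block_size
    if len(key) > b:                      # RFC 2104: hash keys longer than b
        key = hashfunc(key).digest()
    key = key.ljust(b, b"\x00")           # pad the key with zero bytes to b bytes
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    inner = hashfunc(ipad + data).digest()
    return hashfunc(opad + inner).digest()


def matches_stdlib(key: bytes, data: bytes) -> bool:
    """Cross-check of the formula against hmac.new (HMAC-SHA256)."""
    return hmac_rfc2104(key, data, hashlib.sha256) == hmac.new(key, data, hashlib.sha256).digest()


def mac_valid(key: bytes, data: bytes, tag: bytes) -> bool:
    """Constant-time comparison, so tag checking does not leak via timing."""
    return hmac.compare_digest(hmac_rfc2104(key, data), tag)


if __name__ == "__main__":
    m1, m2, n = birthday_collision(32)
    print(n, m1, m2)                      # roughly 2^16 tries for 32 bits
    print(hmac_rfc2104(b"\x0b" * 20, b"Hi There").hex())
    # b617318655057264e28bc0b6fb378c8ef146be00 (RFC 2202 test case 1)
```

`birthday_collision(32)` finishes in a fraction of a second; the same search on the full 256-bit digest would need about 2^128 hashes, which is the whole point of choosing the output length n. The `mac_valid` check is what a receiver runs on a tag s = MAC_k(m); comparing tags with `==` instead would leak the position of the first mismatching byte through timing.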
Message Digest – Integrity Check
[Figure: A sends m together with h = H(m) (digital fingerprint); B receives m' and checks H(m') = h, i.e. whether m' = m.]
A plain digest only detects accidental modification: an attacker who can change m on the way can also recompute H(m). Protection against deliberate modification needs a MAC or a digital signature.

Hash Functions – Applications
− Integrity checks (example: check of an MD5 message digest after a file download)
− Protection of secrets (example: password files)
− Construction of PRNGs and stream ciphers
− Construction of MACs (keyed hash)

Hash Functions – Important Examples
− MD5: n = 128 (RFC 1321, 1992)
− RIPEMD-160: n = 160 (1996)
− SHA-1: n = 160 (FIPS 180-1, 1995)
− SHA-256: n = 256 (FIPS 180-2, 2002)
− SHA-384: n = 384 (FIPS 180-2, 2002)
− SHA-512: n = 512 (FIPS 180-2, 2002)
− SHA-224: n = 224 (FIPS 180-2 change notice, 2004)
MD5 and SHA-1 are no longer collision resistant (see the weaknesses slide below; a practical SHA-1 collision was published in 2017) and must not be used for signatures or certificates.

Iterated Hash Functions – General Model
[Figure: the message is padded, split into blocks and fed through a compression function chained from an initial value (Merkle-Damgård construction). See: Handbook of Applied Cryptography, Chapter 9.]

Hash Functions – Weaknesses
Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD, Xiaoyun Wang, Dengguo Feng, Xuejia Lai, Hongbo Yu, August 2004 (http://eprint.iacr.org/2004/199.pdf)

MAC Algorithms (Message Authentication Codes)
[Figure: MAC_k, parameterised by a secret key k.]

Message Authentication Codes
[Figure: message m and key k enter MAC_k; the output is the tag s = MAC_k(m).]

Message Authentication Codes
− A hash algorithm that depends on a key.
− Protection of message authenticity (and integrity) within a (closed) group of users sharing a common secret key.
Basic MAC methods:
− CBC-MAC, based on a symmetric block cipher
− HMAC (hash MAC), based on a hash function
− MACs based on other symmetric algorithms

CBC-MAC
[Figure: CBC encryption of B_1 | B_2 | ... | B_n under k with a fixed IV (conventionally 0); the last ciphertext block is the tag MAC_k(B_1 | B_2 | ... | B_n).]
Plain CBC-MAC is only secure for messages of one fixed length; variable-length messages need a length prefix or a variant such as CMAC.

HMAC
RFC 2104 – Keyed-Hashing for Message Authentication
− Hash function H, using a compression function which processes b bytes of input per round (example: b = 64 for SHA-1).
− Hash output length h (example: h = 20 for SHA-1).
− HMAC_k(data) = H( (k XOR opad) | H( (k XOR ipad) | data ) )
− ipad = 0x36 | 0x36 | ... | 0x36 (b bytes)
− opad = 0x5c | 0x5c | ... | 0x5c (b bytes)
− k is padded with zero bytes to b bytes; a key longer than b bytes is first hashed.

Asymmetric Cryptography (Public Key Cryptography)
[Figure: a key pair k_pub, k_priv.]

Asymmetric Cryptography
Problem: the use of symmetric ciphers requires the exchange of secret keys over some secure channel.
Basic idea: use a mathematical operation whose inversion is not computationally feasible (→ complexity theory) without knowledge of a secret value (trapdoor function):
− factorization of integers,
− calculation of discrete logarithms in Z_p,
− calculation of discrete logarithms in groups defined by elliptic curves over finite fields.

Asymmetric Cryptography
First published solutions:
− W. Diffie, M. E. Hellman, New Directions in Cryptography, 1976
− R. C. Merkle, Secure Communications over Insecure Channels, 1978
− R. L. Rivest, A. Shamir, L. M. Adleman, A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, 1978

Asymmetric Cryptography
Applications of public key cryptography:
− Key derivation algorithms / schemes (key agreement)
− Asymmetric ciphers (encryption without a shared secret key)
− Digital signatures

Key Derivation
[Figure: A holds (k_A,pub, k_A,priv), B holds (k_B,pub, k_B,priv); A computes k = F(k_A,priv, k_B,pub), B computes k = F(k_B,priv, k_A,pub), and both obtain the same key k.]

Asymmetric Ciphers
[Figure: A encrypts c = E_kpub(m) with B's public key and sends c; B decrypts m = D_kpriv(c) with the private key.]

Digital Signature (Signing)
[Figure: B signs m with its private key k_priv.]

Digital Signature (Verifying)
[Figure: A verifies the signature on m with B's public key k_pub; result: Ok / False.]

Key Derivations
[Figure: as on the Key Derivation slide above: A computes k = F(k_A,priv, k_B,pub), B computes k = F(k_B,priv, k_A,pub).]

Diffie-Hellman (DH) Key Derivation
− Key derivation scheme proposed by W. Diffie and M. E. Hellman in New Directions in Cryptography (1976).
− Based on the mathematical (computational) problem of finding discrete logarithms.
− Applications: IPsec IKE (Internet Key Exchange), RFC 4306; ...

Discrete Logarithms
Let b, n ∈ N.
DL problem: given a power c = b^e mod n, determine the exponent e = log_b c.

Diffie-Hellman (DH) Key Derivation
− n ∈ N a prime number, b ∈ {2, 3, ..., n-2}.
− A chooses a secret exponent e_A (k_A,priv) and publishes k_A,pub = b^(e_A) mod n.
− B chooses a secret exponent e_B (k_B,priv) and publishes k_B,pub = b^(e_B) mod n.
− A computes k = F(k_A,priv, k_B,pub) = (b^(e_B))^(e_A) mod n.
− B computes k = F(k_B,priv, k_A,pub) = (b^(e_A))^(e_B) mod n.
− Both obtain the same k = b^(e_A·e_B) mod n; an eavesdropper sees only n, b, b^(e_A) and b^(e_B).

Diffie-Hellman (DH) Key Derivation
− n ∈ N a prime number, b ∈ {2, 3, ..., n-2}.
− n - 1 should have a big prime factor q such that q divides the order of b. The order of b should be large.
(Otherwise the shared key lies in a small subgroup and can be found by exhaustive search.)

Asymmetric Ciphers (Public Key Encryption Schemes)
[Figure: a key pair k_pub, k_priv.]

RSA Public Key Encryption Scheme
− Public key encryption scheme proposed by R. L. Rivest, A. Shamir, L. M. Adleman in A Method for Obtaining Digital Signatures and Public-Key Cryptosystems (1978).
− Depends on the mathematical (computational) problem of factorizing integers.
− Applications: SSL (Secure Socket Layer) / TLS (Transport Layer Security); ...

Fermat's Lemma
If p is a prime number and z any number coprime to p, i.e. gcd(p, z) = 1, then
  z^(p-1) ≡ 1 (mod p).
Sketch of proof:
➔ Put t = (1·2·3·...·(p-1)) mod p.
➔ The mapping x ↦ (x·z) mod p on Z_p is bijective (z is invertible mod p), so it permutes the nonzero residues 1, 2, ..., p-1.
➔ It follows that t ≡ 1·2·3·...·(p-1) ≡ (1·z)·(2·z)·(3·z)·...·((p-1)·z) ≡ t·z^(p-1) (mod p).
➔ Since gcd(t, p) = 1, t can be cancelled: z^(p-1) ≡ 1 (mod p).
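An added worked example (not code from the lecture) of the Diffie-Hellman slides above, including the parameter checks of the last DH slide: n prime, q a prime factor of n-1 that is the order of b, and b ∈ {2, ..., n-2}. The group n = 23, q = 11, b = 4 and the exponents are constructed toy values, deliberately so small that the brute-force discrete logarithm succeeds, which is exactly what real parameter sizes (2048-bit groups and more) have to prevent.

```python
"""Diffie-Hellman key derivation k = (b^e_B)^e_A = (b^e_A)^e_B mod n, the
parameter checks from the slide (n prime, q a large prime factor of n-1
dividing the order of b), and why a small-order b is fatal.

Added example for this page, not code from the lecture. The group
(n = 23, q = 11, b = 4) and the exponents are constructed toy values;
the primality test is trial division and only fit for such sizes."""

from math import isqrt
from typing import Optional, Set


def is_prime_trial(n: int) -> bool:
    """Trial division; only meant for the toy sizes used here."""
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))


def element_order(b: int, n: int) -> int:
    """Smallest t > 0 with b^t = 1 (mod n), by brute force (toy sizes)."""
    t, x = 1, b % n
    while x != 1:
        x = x * b % n
        t += 1
    return t


def dh_params_ok(n: int, q: int, b: int) -> bool:
    """Slide checks: n prime, q prime with q | n-1, 2 <= b <= n-2, b of order q."""
    if not (is_prime_trial(n) and is_prime_trial(q) and (n - 1) % q == 0):
        return False
    if not 2 <= b <= n - 2:
        return False
    return pow(b, q, n) == 1   # order divides q; q prime and b != 1 => order is q


def dh_public(n: int, b: int, e: int) -> int:
    """k_pub = b^e mod n for the private exponent e."""
    return pow(b, e, n)


def dh_shared(n: int, peer_public: int, e: int) -> int:
    """k = F(e, peer_public) = peer_public^e mod n."""
    return pow(peer_public, e, n)


def discrete_log(b: int, c: int, n: int) -> Optional[int]:
    """Exhaustive search for e with b^e = c (mod n). Feasible only because n
    is tiny; for real sizes this is the DL problem the scheme relies on."""
    x = 1
    for e in range(n):
        if x == c:
            return e
        x = x * b % n
    return None


def shared_key_candidates(n: int, b: int) -> Set[int]:
    """All values the shared key can take: the subgroup generated by b.
    Its size is the order of b, hence the demand that the order be large."""
    return {pow(b, i, n) for i in range(element_order(b, n))}


if __name__ == "__main__":
    n, q, b = 23, 11, 4
    e_a, e_b = 6, 5                               # private exponents (constructed)
    pub_a, pub_b = dh_public(n, b, e_a), dh_public(n, b, e_b)
    print(dh_params_ok(n, q, b), pub_a, pub_b)    # True 2 12
    print(dh_shared(n, pub_b, e_a), dh_shared(n, pub_a, e_b))          # 9 9
    print(discrete_log(b, pub_a, n))              # 6: the eavesdropper recovers e_a
    print(dh_params_ok(n, q, n - 1), shared_key_candidates(n, n - 1))  # False {1, 22}
```

With b = n - 1 the shared key can only be 1 or 22, so an eavesdropper guesses it with probability 1/2 without any discrete logarithm; `dh_params_ok` rejects such a b. For real deployments `is_prime_trial`, `element_order` and `discrete_log` are infeasible by design and a probabilistic primality test is used instead (see the Miller-Rabin slide further down).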
A Consequence of Fermat's Lemma
Let p, q be prime numbers (p ≠ q) and r ∈ Z with r ≡ 1 (mod lcm(p-1, q-1)). Then
  z^r ≡ z (mod p·q) for all z ∈ Z.
Proof:
➔ If z ≡ 0 (mod p), then z^r ≡ 0 ≡ z (mod p).
➔ If p does not divide z and r = 1 + n·(p-1), then z^r = z·(z^(p-1))^n ≡ z (mod p) by Fermat's lemma.
➔ Similarly z^r ≡ z (mod q); since p ≠ q are primes, z^r ≡ z (mod p·q).

Generation of an RSA Key Pair
− Choose two random primes p and q (> 2^500).
− Put n = p·q, v = lcm(p-1, q-1).
− Define a public exponent e with gcd(e, v) = 1.
− Determine the private exponent d with e·d ≡ 1 (mod v).
− Key pair (k_pub, k_priv): k_pub = (n, e), k_priv = (n, d).

RSA Encryption and Decryption
Encryption of a message m (< n) with k_pub = (n, e):
  c = E(m) = m^e mod n.
Decryption of c with k_priv = (n, d):
  D(c) = c^d mod n.
Since e·d ≡ 1 (mod v), the consequence of Fermat's lemma gives
  D(c) = c^d mod n = (m^e)^d mod n = m^(e·d) mod n = m.

RSA Encryption and Decryption
[Figure: A computes c = E_kpub(m) and sends c; B computes D_kpriv(E_kpub(m)) = m.]

RSA Signature Algorithm
[Figure: B signs m (< n) with s = D_kpriv(m) = m^d mod n; A verifies by checking E_kpub(s) = s^e mod n = m, i.e. E_kpub(D_kpriv(m)) = m.]
In practice the signature is computed over a padded hash of m, never over m itself: without that, anyone can forge a "signature" s on the message m = s^e mod n.

Generation of an RSA Key Pair with a Given e
− Choose a public exponent e (commonly e = 65537).
− Choose two random primes p and q (> 2^500) with gcd(e, p-1) = gcd(e, q-1) = 1.
− Put n = p·q, v = lcm(p-1, q-1).
− Determine the private exponent d with e·d ≡ 1 (mod v).
− Key pair (k_pub, k_priv): k_pub = (n, e), k_priv = (n, d).
Math for RSA Key Pair Generation
The steps of the previous slide need: large random primes p, q (prime number theorem, prime number tests), the extended Euclidean algorithm for gcd(e, p-1), gcd(e, q-1) and for d = e^(-1) mod v, and fast modular exponentiation with exponents of several hundred bits.

Prime Number Theorem
− Euclid: there are infinitely many primes.
− Prime number theorem: lim_(x→∞) π(x) / (x / ln x) = 1, where π(x) is the number of primes ≤ x.
  − Conjectured by Gauss (1792) and Legendre (1798)
  − Chebyshev (1851): if the limit exists, it equals 1
  − Riemann (1859): connection with the zeta function
  − 1896: proofs of Hadamard and de la Vallée Poussin
  − 1949: elementary proof of Selberg and Erdős
(Consequence for key generation: a random odd k-bit number is prime with probability about 2/(k·ln 2), so on average a few hundred candidates have to be tested to find a 512-bit prime.)

Prime Number Tests
Deterministic tests:
− Sieve of Eratosthenes
− Miller (1975, assuming the generalized Riemann hypothesis)
− Adleman, Pomerance, Rumely (1983)
− Agrawal, Kayal, Saxena (2004)
Probabilistic tests:
− Miller-Rabin
− Solovay-Strassen
− Goldwasser-Kilian
Miller-Rabin Prime Number Test
Fermat's lemma, used in the contrapositive: if z is a natural number with 0 < z < p and z^(p-1) ≢ 1 (mod p), then p is not a prime number.
Miller-Rabin: write p - 1 = 2^r · a with a odd. If p is not a prime number and z is chosen at random from {2, ..., p-2}, then with probability ≥ 3/4 neither
  z^a ≡ 1 (mod p)   nor   z^(2^i·a) ≡ -1 (mod p) for some 0 ≤ i < r,
and such a z proves that p is composite (it is a witness). A prime p satisfies one of the two conditions for every z, so a p that survives t independent rounds is composite with probability at most 4^(-t).

Math for RSA Decryption
Decryption of c with k_priv = (n, d): D(c) = c^d mod n.
c and d are of a size similar to n (about 1000 bits each), so this single full-size modular exponentiation is the costly step; the Chinese remainder theorem lets it be replaced by two exponentiations modulo p and modulo q with half-size exponents.

Chinese Remainder Theorem (CRT)
Assume p and q are coprime numbers. Then for every pair of numbers (a, b) there exists a unique non-negative integer x < p·q with
  x ≡ a (mod p) and x ≡ b (mod q).
The extended Euclidean algorithm gives v, w with 1 = v·p + w·q, and
  x = ((v·p)·b + (w·q)·a) mod (p·q)
satisfies the claim, since v·p ≡ 1 (mod q) and ≡ 0 (mod p), while w·q ≡ 1 (mod p) and ≡ 0 (mod q).
Example: find x with x ≡ 2 (mod 5) and x ≡ 4 (mod 7).
  3·5 + (-2)·7 = 1, so x = 15·4 - 14·2 = 60 - 28 = 32; check: 32 ≡ 2 (mod 5), 32 ≡ 4 (mod 7).

RSA CRT Private Key
Replace the parameter d with e·d ≡ 1 (mod v) by:
− d_1 with e·d_1 ≡ 1 (mod p-1)  (d_1 = d mod (p-1))
− d_2 with e·d_2 ≡ 1 (mod q-1)  (d_2 = d mod (q-1))
− q* with q·q* ≡ 1 (mod p)
RSA decryption of c = m^e mod (p·q):
− m_1 = c^(d_1) mod p
− m_2 = c^(d_2) mod q
− m = m_2 + q · [ q*·(m_1 - m_2) mod p ]
(m ≡ m_1 (mod p), m ≡ m_2 (mod q) and 0 ≤ m < p·q, so m is the CRT solution. Caveat: if m_1 or m_2 is computed wrongly, e.g. by an induced fault, the wrong result m' satisfies m'^e ≡ c modulo only one of the primes and gcd(m'^e - c, n) factors n; implementations therefore verify m^e ≡ c (mod n) before releasing m.)
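An added example (not code from the lecture) that carries the RSA slides through in one piece: Miller-Rabin as described above, key generation with a given e and v = lcm(p-1, q-1), encryption, decryption, textbook signing and verification, the CRT example x ≡ 2 (mod 5), x ≡ 4 (mod 7), and CRT decryption with d_1, d_2 and q*. The 512-bit modulus, the seed, the messages and the result check in `decrypt_crt` are constructed choices; the check is the usual defence against a faulty CRT computation, not something from the slides. `pow(x, -1, m)` needs Python 3.8 or later.

```python
"""RSA as on the slides, end to end: Miller-Rabin prime generation, key pair
generation with a given e and v = lcm(p-1, q-1), encryption/decryption,
textbook signing/verification, the Chinese remainder theorem, and CRT
decryption with d_1, d_2 and q* from the 'RSA CRT private key' slide.

Added example for this page, not code from the lecture. Moduli are small
(512 bit) so it runs quickly; seed, messages and the fault check in
decrypt_crt are constructed. pow(x, -1, m) needs Python 3.8+."""

import random
from math import gcd
from typing import Tuple

PublicKey = Tuple[int, int]                  # (n, e)
PrivateKey = Tuple[int, int, int, int, int]  # (n, e, d, p, q); e kept for the CRT check


def is_probable_prime(n: int, rounds: int = 40, rng=random) -> bool:
    """Miller-Rabin. Write n-1 = 2^r * a with a odd. A composite n passes one
    random base z (z^a = 1 or z^(2^i a) = -1 for some i < r) with probability
    <= 1/4, so the error after `rounds` bases is at most 4^-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    a, r = n - 1, 0
    while a % 2 == 0:
        a, r = a // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), a, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False        # z is a witness: n is composite
    return True


def generate_keypair(bits: int = 512, e: int = 65537, seed=None) -> Tuple[PublicKey, PrivateKey]:
    """Slide 'Generation of an RSA key pair with a given e'."""
    rng = random.Random(seed)

    def random_prime() -> int:
        while True:   # random odd candidate with the top bit set, gcd(e, p-1) = 1
            cand = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if gcd(e, cand - 1) == 1 and is_probable_prime(cand, rng=rng):
                return cand

    p, q = random_prime(), random_prime()
    while q == p:
        q = random_prime()
    n = p * q
    v = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # v = lcm(p-1, q-1)
    d = pow(e, -1, v)                           # e*d = 1 (mod v)
    return (n, e), (n, e, d, p, q)


def keypair_consistent(pub: PublicKey, priv: PrivateKey) -> bool:
    n, e = pub
    _, _, d, p, q = priv
    v = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return n == p * q and p != q and (e * d) % v == 1


def encrypt(pub: PublicKey, m: int) -> int:
    """c = m^e mod n for 0 <= m < n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than n")
    return pow(m, e, n)


def decrypt(priv: PrivateKey, c: int) -> int:
    """m = c^d mod n (one full-size exponentiation)."""
    n, _, d, _, _ = priv
    return pow(c, d, n)


def sign(priv: PrivateKey, m: int) -> int:
    """Textbook signature s = m^d mod n; real schemes sign a padded hash of m."""
    return decrypt(priv, m)


def verify(pub: PublicKey, m: int, s: int) -> bool:
    n, e = pub
    return pow(s, e, n) == m


def crt(a: int, p: int, b: int, q: int) -> int:
    """Unique 0 <= x < p*q with x = a (mod p), x = b (mod q), via 1 = v*p + w*q."""
    v, w = pow(p, -1, q), pow(q, -1, p)       # v*p = 1 (mod q), w*q = 1 (mod p)
    return (v * p * b + w * q * a) % (p * q)


def decrypt_crt(priv: PrivateKey, c: int) -> int:
    """Two half-size exponentiations mod p and mod q instead of one mod n."""
    n, e, d, p, q = priv
    d1, d2, q_star = d % (p - 1), d % (q - 1), pow(q, -1, p)
    m1, m2 = pow(c, d1, p), pow(c, d2, q)
    m = m2 + q * ((q_star * (m1 - m2)) % p)
    if pow(m, e, n) != c:   # a faulty m1 or m2 would let gcd(m^e - c, n) factor n
        raise ArithmeticError("CRT result failed verification, not released")
    return m


if __name__ == "__main__":
    pub, priv = generate_keypair(512, seed=2011)
    m = int.from_bytes(b"constructed message", "big")
    c = encrypt(pub, m)
    print(decrypt(priv, c) == m, decrypt_crt(priv, c) == m)   # True True
    print(verify(pub, m, sign(priv, m)), crt(2, 5, 4, 7))     # True 32
```

`decrypt` and `decrypt_crt` must agree on every ciphertext; the CRT path does the same work with exponents and moduli of half the size, which is why RSA private keys in practice carry d_1, d_2 and q* (the "CRT parameters") next to d. Textbook RSA as written here, without padding, is malleable and leaks equality of messages, so `encrypt` and `sign` are for following the slides, not for use.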