Iss lecture 3

286 views

Published on

Published in: Technology, Health & Medicine
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
286
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
9
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Pp. 287 for why the choice of these number in this way
  • Iss lecture 3

    1. 1. Information System SecurityInformation System SecurityLecture 3Lecture 3Asymmetric cryptographyAsymmetric cryptography
    2. 2. 22referencesreferences[1] K. Martin’s Lecture (www.rhul.ac.uk).[2] Cryptography and Network Security, By W. Stallings.Prentice Hall, 2003.[3] Handbook of applied Cryptography by A. Menezes, P.Van Oorschot and S. Vanstone. 5thprinting, 2001http://www.cacr.math.uwaterloo.ca/hac[4] Cryptography: A Very Short Introduction (Very ShortIntroduction S.), by Fred Piper and Sean Murphy, OxfordUniversity Press, 2002.
    3. 3. 33OutlineOutline Basic mathematical conceptsBasic mathematical concepts Public key cryptographyPublic key cryptography OWFOWF RSARSA ElGamalElGamal
    4. 4. 441. The modulo operation1. The modulo operation DefinitionDefinition– LetLet aa,, rr,, nn be integers and letbe integers and let mm > 0> 0– We writeWe write aa ≡≡ rr modmod nn ifif nn dividesdivides aa –– rr (or(or rr –– aa) and 0) and 0 ≤≤ rr << nn– nn is called theis called the modulusmodulus– rr is called theis called the remainderremainder Note thatNote that rr is positive or zerois positive or zero– Note thatNote that aa == nn..qq ++ rr wherewhere qq is another integer (is another integer (quotientquotient)) Example: 42Example: 42 ≡≡ 6 mod 96 mod 9– 9 divides 42 - 6 = 369 divides 42 - 6 = 36– 9 also divides 6 - 42 = -369 also divides 6 - 42 = -36– Note that 42= 9x4 + 6Note that 42= 9x4 + 6 ((qq = 4)= 4)
    5. 5. 55Number TheoryNumber Theory Natural numbersNatural numbers N = {1,2,3,…}N = {1,2,3,…} Whole numbersWhole numbers W = {0,1,2,3, …}W = {0,1,2,3, …} IntegersIntegers Z = {…,-2,-1,0,1,2,3, …}Z = {…,-2,-1,0,1,2,3, …} DivisorsDivisors– A numberA number bb is said to divideis said to divide aa ifif aa == mbmb for somefor some mm wherewhere aa,,bb,,mm ∈∈ ZZ– We write this asWe write this as bb||aa Read as “Read as “bb dividesdivides a”a”
    6. 6. 66DivisorsDivisors Some common propertiesSome common properties– IfIf aa|1|1,, aa = +1 or –1= +1 or –1– IfIf aa||bb andand bb||aa thenthen aa = += +bb or –or –bb– AnyAny bb ∈∈ ZZ divides 0 ifdivides 0 if bb ≠≠ 00– IfIf bb||gg andand bb||hh thenthen bb|(|(mg + nhmg + nh) where) where bb,,m,n,g,hm,n,g,h ∈∈ ZZ Examples:Examples:– The positive divisors of 42 are 1,2,3,6,7,14,21,42The positive divisors of 42 are 1,2,3,6,7,14,21,42– 3|6 and 3|21 => 3|213|6 and 3|21 => 3|21mm+6+6nn forfor m,nm,n ∈∈ ZZ
    7. 7. 77Prime NumbersPrime Numbers An integerAn integer pp is said to be a prime number if its only positiveis said to be a prime number if its only positivedivisors are 1 and itselfdivisors are 1 and itself– Examples 1, 3, 7, 11, ..Examples 1, 3, 7, 11, .. Any integer can be expressed as aAny integer can be expressed as a uniqueunique product of primeproduct of primenumbers raised to positive integral powersnumbers raised to positive integral powers– n=pn=p11ee11 pp22ee2…2…ppkkeekk //// n: ingterger, pn: ingterger, pii:prime, e:prime, e,,: positive integer: positive integer ExamplesExamples– 7569 = 3 x 3 x 29 x 29 = 37569 = 3 x 3 x 29 x 29 = 322x 29x 2922– 5886 = 2 x 27 x 109 = 2 x 35886 = 2 x 27 x 109 = 2 x 333x 109x 109 This process is calledThis process is called Prime FactorizationPrime Factorization
    8. 8. 88Greatest common divisorGreatest common divisor(GCD)(GCD) Definition: Greatest Common DivisorDefinition: Greatest Common Divisor– This is the largest divisor ofThis is the largest divisor of bothboth aa andand bb Given two integersGiven two integers aa andand bb, the positive integer, the positive integer cc is called theiris called theirGCD or greatest common divisor if and only ifGCD or greatest common divisor if and only if– cc || aa andand cc || bb– Any divisor of bothAny divisor of both aa andand bb also dividesalso divides cc Notation:Notation: gcd(a, b) = cgcd(a, b) = c Example:Example: gcd(49,63)gcd(49,63) = ?= ? gcd(a,b)=gcd(b, a mod b)gcd(a,b)=gcd(b, a mod b) Exception:Exception: gcd(0,0)=0gcd(0,0)=0
    9. 9. 99Relatively Prime NumbersRelatively Prime Numbers Two numbers are said to be relatively prime if theirTwo numbers are said to be relatively prime if their gcdgcd is 1is 1– Example: 63 and 22 are relatively primeExample: 63 and 22 are relatively prime How do you determine if two numbers are relatively prime?How do you determine if two numbers are relatively prime?– Find theirFind their gcdgcd oror– Find their prime factorsFind their prime factors If they do not have a common prime factor other than 1, they are relatively primeIf they do not have a common prime factor other than 1, they are relatively prime– Example: 63 = 9 x 7 = 3Example: 63 = 9 x 7 = 322x 7 and 22 = 11 x 2x 7 and 22 = 11 x 2
    10. 10. 1010Modular Arithmetic AgainModular Arithmetic Again We say thatWe say that aa ≡≡ bb modmod mm ifif mm || aa –– bb– Read as:Read as: aa isis congruentcongruent toto bb modulomodulo mm– mm is called theis called the modulusmodulus– Example: 27Example: 27 ≡≡ 2 mod 52 mod 5 Note thatNote that bb is theis the remainderremainder after dividingafter dividing aa byby mm– Example: 27Example: 27 ≡≡ 7 mod 5 and 77 mod 5 and 7 ≡≡ 2 mod 52 mod 5 aa ≡≡ bb modmod m => bm => b ≡≡ aa modmod mm– Example: 2Example: 2 ≡≡ 27 mod 527 mod 5 We usually consider theWe usually consider the smallest positive remaindersmallest positive remainder which iswhich issometimes called thesometimes called the residueresidue
    11. 11. 1111Modulo OperationModulo Operation The modulo operation “reduces” the infinite set of integers to aThe modulo operation “reduces” the infinite set of integers to afinite setfinite set Example: modulo 5 operationExample: modulo 5 operation– We have five setsWe have five sets {…,-10, -5, 0, 5, 10, …} =>{…,-10, -5, 0, 5, 10, …} => aa ≡≡ 0 mod 50 mod 5 {…,-9, -4, 1, 6, 11,…} =>{…,-9, -4, 1, 6, 11,…} => aa ≡≡ 1 mod 51 mod 5 {…,-8, -3, 2, 7, 12,…} =>{…,-8, -3, 2, 7, 12,…} => aa ≡≡ 2 mod 52 mod 5 {…,-7, -2, 3, 8, 13,…} =>{…,-7, -2, 3, 8, 13,…} => aa ≡≡ 3 mod 53 mod 5 {…,-6, -1, 4, 9, 14…} =>{…,-6, -1, 4, 9, 14…} => aa ≡≡ 4 mod 54 mod 5– The set of residues of integers modulo 5 has five elements {0,1,2,3,4} andThe set of residues of integers modulo 5 has five elements {0,1,2,3,4} andis denoted Zis denoted Z55..
    12. 12. 1212Euler phi (or totient) functionEuler phi (or totient) function ForFor nn ≥≥ 1,1, φφ(n)(n) : is the number of integers in [: is the number of integers in [1,n1,n] which are] which arerelatively prime torelatively prime to n //n // φφ(n)(n) is theis the Euler phiEuler phi oror totient functiontotient function IfIf pp is prime, thenis prime, then φφ(p)=p-1(p)=p-1 IfIf gcd(m,n)=1gcd(m,n)=1, then, then φφ(mn)=(mn)= φφ(m).(m).φφ(n)(n) Examples:Examples:φφ(21)=(21)= φφ(3).(3).φφ(7) = (3-1) * (7-1) =12(7) = (3-1) * (7-1) =12
    13. 13. 1313multiplicative groupmultiplicative group ZZnn** Definition: theDefinition: the multiplicative groupmultiplicative group ZZnn**of Zof Znn– ZZnn**={a={a∈∈ZZnn || gcd(a,n)=1}gcd(a,n)=1}– IfIf nn is prime thenis prime then ZZnn**={a={a∈∈ZZnn || 11 ≤≤ aa ≤≤ n-1}n-1}φφ(n)=(n)= ||ZZnn**|| LetLet nn ≥≥ 2 be an integer2 be an integer– Euler’s theoremEuler’s theorem:: IfIf gg ∈∈ ZZnn**thenthen ggφφ(n)(n)≡≡ 1 (mod n)1 (mod n)– IfIf nn is a product of distinct primes, and ifis a product of distinct primes, and if rr ≡≡ s mod (s mod (φφ(n))(n)),,thenthen ggrr≡≡ ggss(mod n)(mod n) for all integersfor all integers gg– i.e.,i.e., when working modulo anwhen working modulo an n,n, exponents can be reduced moduloexponents can be reduced modulo φφ(n)(n) LetLet pp be a prime nubmerbe a prime nubmer– Fermat’s theoremFermat’s theorem:: IfIf gcd(a,p)=1gcd(a,p)=1, then, then ggp-1p-1≡≡ 1 (mod p)1 (mod p)– IfIf rr ≡≡ s mod (p-1)s mod (p-1) , then, then ggrr≡≡ ggss(mod p)(mod p) for all integersfor all integers gg i.e.,i.e., when working modulo a primewhen working modulo a prime pp, exponents can be reduced modulo, exponents can be reduced modulo p-1p-1pp
    14. 14. 1414Generator ofGenerator of ZZnn** LetLet gg ∈∈ ZZnn**, the, the orderorder ofof gg is the least positive integeris the least positive integer tt such thatsuch thatggtt≡≡1 mod n1 mod n If the order ofIf the order of gg ∈∈ ZZnn**isis t,t, andand ggss≡≡1 (mod n),1 (mod n), thenthen tt dividesdivides ss– A particular case:A particular case: tt||φφ(n)(n) LetLet gg ∈∈ ZZnn**, if the order of, if the order of gg isis φφ(n),(n), thenthen gg is said to be ais said to be ageneratorgenerator or aor a primitive elementprimitive element ofof ZZnn**..– IfIf gg is a generator ofis a generator of ZZnn**, then, then ZZnn**={={ggiimod nmod n || 00 ≤≤ ii ≤≤ φφ(n) -1}(n) -1}
    15. 15. 15152. Public-key cryptography2. Public-key cryptography Called alsoCalled also asymmetric cryptographyasymmetric cryptography The keys used to encrypt and decrypt are different.The keys used to encrypt and decrypt are different. Anyone who wants to be a receiver needs to “publish” anAnyone who wants to be a receiver needs to “publish” anencryption key, which is known as theencryption key, which is known as the public key,public key, KUKU.. Anyone who wants to be a receiver needs a unique decryptionAnyone who wants to be a receiver needs a unique decryptionkey, which is known as thekey, which is known as the private key,private key, KRKR.. If B wants to send an enciphered text to A, B should knowsIf B wants to send an enciphered text to A, B should knows thetheencryption algorithmencryption algorithm and A’s public key.and A’s public key.
    16. 16. 1616Confidentiality via Public keyConfidentiality via Public keycryptographycryptography Alice wants to send a secret messageAlice wants to send a secret message mm to Bobto Bob Bob should have 2 keys: publicBob should have 2 keys: public KUKUbb and privateand private KRKRbb Prior to message encryption, Alice gets by some means anPrior to message encryption, Alice gets by some means anauthentic copy of Bob’s public key (authentic copy of Bob’s public key (i.e.,i.e., the encryption key)the encryption key)MessageSourceEncryption MessageSourceDecryptionm Ciphertext mAliceKey SourceKUKUbbKRKRbbBob
    17. 17. 1717Public-key cryptographyPublic-key cryptography It should not be possible to deduce the plaintext from knowledgeIt should not be possible to deduce the plaintext from knowledgeof the ciphertext and the public key.of the ciphertext and the public key. It should not be possible to deduce the private key fromIt should not be possible to deduce the private key fromknowledge of the public key.knowledge of the public key. Public-key cryptography is based onPublic-key cryptography is based on One-Way FunctionsOne-Way Functions
    18. 18. 18183. One-Way Functions (OWF)3. One-Way Functions (OWF) A one-way function is a function that is “easy” to compute and“difficult” to reverse Examples of OWF that we’ll use in this lecture to explainpublic-key systems:– Multiplication of two primes– Modular exponentiation
    19. 19. 1919OWF: Multiplying two primesOWF: Multiplying two primes Multiplication of two prime numbers is believed to be a one-wayfunction. Given two prime numbers p and q– It’s easy to find n=p.q– However, starting from n, it’s difficult to find p and q Is it prime factorization?
    20. 20. 2020OWF: Modular exponentaitionOWF: Modular exponentaition The process of exponentiation just means raising numbers to apower. Raising a to the power b, normally denoted abjust meansmultiplying a by itself b times. In other words:ab= a x a x a x … x a Modular exponentiation means computing abmodulo someother number n. We tend to write this asabmod n. Modular exponentiation is “easy”.
    21. 21. 2121OWF: Modular exponentaitionOWF: Modular exponentaition However, given a, and abmod n (when n is prime), calculating bis regarded by mathematicians as a hard problem. This difficult problem is often referred to as the discretelogarithm problem. In other words, given a number a and a prime number n, thefunctionf(b) = abmod nis believed to be a one-way function.
    22. 22. 22224. RSA4. RSA It is named after it inventors Ron Rivest, Adi Shamir and LenAdleman. Published in 1978 It is the most widely used public-key encryption algorithmtoday. It provides confidentiality and digital signatures. Its security is based on the difficulty of integer factorization
    23. 23. 2323RSA algorithmRSA algorithm (key generation for(key generation forRSA public-key encryption)RSA public-key encryption) Each entity A creates a public key and a corresponding privateEach entity A creates a public key and a corresponding privatekey by doing the followingkey by doing the following– Generate two large (at least 512 bits) primesGenerate two large (at least 512 bits) primes pp andand qq– ComputeCompute n=pqn=pq andand φφ(n)=(p-1)(q-1)(n)=(p-1)(q-1) ..– ChooseChoose ee << φφ relatively prime torelatively prime to φφ (i.e., gcd (e,(i.e., gcd (e, φφ)=1))=1)– ComputeCompute dd such thatsuch that ed moded mod φφ(n)(n) ≡≡ 11 A’s Public key: (A’s Public key: (ee,, nn) // to be published.) // to be published. A’s private key:A’s private key: dd ((oror ((dd,, nn)) // to be kept secretly by A)) // to be kept secretly by A Who is capable of computingWho is capable of computing dd??
    24. 24. 2424RSA Encryption/decryptionRSA Encryption/decryption Summary: B encrypts a messageSummary: B encrypts a message mm for A. Upon reception, Afor A. Upon reception, Adecrypts it using its private key.decrypts it using its private key. Encryption: B should do the followingEncryption: B should do the following– Obtain A’s authentic public keyObtain A’s authentic public key (n,e).(n,e).– Represent the message as an integer in the interval [Represent the message as an integer in the interval [0,n-10,n-1]]– ComputeCompute cc == mmeemodmod nn //// EncryptionEncryption– Send the ciphertext c to ASend the ciphertext c to A Decryption:Decryption: to recover plaintextto recover plaintext mm fromfrom cc, A does the following, A does the following– Use the private keyUse the private key dd to recoverto recover mm == ccddmodmod nn //// DecryptionDecryption How does B obtain A’s authentic key?How does B obtain A’s authentic key?
    25. 25. 2525Example: confidentialityExample: confidentiality TakeTake pp = 7,= 7, qq = 11, so= 11, so nn = 77 and= 77 and φφ(n)(n) = 60= 60 Say Bob chooses (Say Bob chooses (KUKUbb)) ee = 17= 17, making (, making (KRKRbb)) dd = 53= 53– 17 x 53 mod 60 = ?17 x 53 mod 60 = ? Alice wants to secretly send Bob the message HELLO [07 04 11Alice wants to secretly send Bob the message HELLO [07 04 1111 14]11 14]– 07071717mod 77 = 28mod 77 = 28– 04041717mod 77 = 16mod 77 = 16– 11111717mod 77 = 44mod 77 = 44– 11111717mod 77 = 44mod 77 = 44– 14141717mod 77 = 42mod 77 = 42 Alice sends ciphertext [28 16 44 44 42]Alice sends ciphertext [28 16 44 44 42]
    26. 26. 2626Example: confidentialityExample: confidentiality Bob receives [28 16 44 44 42]Bob receives [28 16 44 44 42] Bob uses private key (Bob uses private key (KRKRbb),), dd = 53= 53, to decrypt the message:, to decrypt the message:– 28285353mod 77 = 07mod 77 = 07 HH– 16165353mod 77 = 04mod 77 = 04 EE– 44445353mod 77 = 11mod 77 = 11 LL– 44445353mod 77 = 11mod 77 = 11 LL– 42425353mod 77 = 14mod 77 = 14 OO No one else could read it, as only Bob knows his private key andNo one else could read it, as only Bob knows his private key andthat is needed for decryptionthat is needed for decryption
    27. 27. 2727Attacking RSAAttacking RSA1.1. Trying to decrypt a ciphertext without knowledge of the privateTrying to decrypt a ciphertext without knowledge of the privatekeykey– The encryption process in RSA involves computing the function c =memod n, which is regarded as being easy– An attacker who observes this ciphertext c, and has knowledge of e andn, needs to try to work out what m is.– i.e., find m such that mmee= c mod n– In other words, find the ethroot of c mod n Computing m from c, e and n is regarded as a hard problem andknown as RSA problem.
    28. 28. 2828Attacking RSAAttacking RSA2. If the attacker knows the public key of a user (e,n), what wouldshe/he need to do in order to obtain the corresponding privatekey? He/she needs to find d such that ed moded mod φφ(n) = 1(n) = 1 i.e., needs to know p and q In other words, he/she must factor n (problem of prime factorization) Recommended size of n:– 768-bit is recommended– 1024-bit or larger is required for long term security– it is believed that factoring a 512 bit number is about as hard assearching for a 56 bit symmetric key.
    29. 29. 29295. El Gamal5. El Gamal ElGamal is another public-key encryption We will also take a look at the ElGamal public key ciphersystem for a number of reasons:– To show that RSA is not the only public key systemTo show that RSA is not the only public key system– To exhibit a public key system based on a different one way functionTo exhibit a public key system based on a different one way function– ElGamal is the basis for several well-known cryptosystemsElGamal is the basis for several well-known cryptosystems
    30. 30. 3030ElGamal algorithmElGamal algorithm (key generation)(key generation) Key generation for ElGamal public-key encryptionKey generation for ElGamal public-key encryption Each entityEach entity AA creates a public key and a corresponding privatecreates a public key and a corresponding privatekey.key.– Generate a large prime numberGenerate a large prime number pp (1024 bits)(1024 bits)– Generate a generatorGenerate a generator gg of the multiplicative groupof the multiplicative group ZZpp**of the integersof the integersmodulomodulo pp– Select a random integerSelect a random integer x, 1x, 1 ≤≤ xx ≤≤ p-2p-2– ComputeCompute y = gy = gxxmod pmod p– A’s public key isA’s public key is (p, g, y)(p, g, y) To be publishedTo be published– A’s private key isA’s private key is xx To be kept secret by ATo be kept secret by A
    31. 31. 3131ElGamal algorithmElGamal algorithm (key generation)(key generation) ExampleExample Step 1: Let p = 2357 Step 2: Select a generator g = 2 of Z2357* Step 3: Choose a private key x = 1751 Step 4: Compute y = 21751(mod 2357)= 1185 Public key is (2357,2,1185) Private key is 1751
    32. 32. 3232ElGamal algorithmElGamal algorithm (Encryption/decryption)(Encryption/decryption) Summary: B encrypts a messageSummary: B encrypts a message mm for A, which A decryptsfor A, which A decrypts Encryption: B should de the followingEncryption: B should de the following– Obtain A’s authentic public keyObtain A’s authentic public key (p, g, y).(p, g, y).– Represent the message as an integer in the interval [Represent the message as an integer in the interval [0,p-10,p-1]]– Select an integerSelect an integer k, 1k, 1 ≤≤ kk ≤≤ p-2p-2– ComputeCompute γγ=g=gkkmod pmod p andand δδ=m.(y)=m.(y)kkmod pmod p– Send the ciphertext c = (Send the ciphertext c = (γγ,, δδ) to) to AA DecryptionDecryption– A uses the private keyA uses the private key xx to computeto compute z=z= γγp-1-xp-1-xmod pmod p– A computesA computes z.z.δδ modmodp (=m)p (=m)
    33. 33. 3333ElGamal algorithmElGamal algorithm (Encryption/decryption)(Encryption/decryption) Encryption– To encrypt m = 2035 using Public key (2357,2,1185)– Generate a random number k = 1520– Compute γγ = 21520mod 2357 = 1430δδ = 2035 x 11851520mod 2357 =697– Ciphertext c = (1430 , 697) DecryptionDecryption– zz== γγp-1-xp-1-xmodmod pp = 1430= 1430605605mod 2357 =872mod 2357 =872– 872x697 mod 2357 = 2035872x697 mod 2357 = 2035
    34. 34. 3434ElGamal PropertiesElGamal Properties There is aThere is a message expansionmessage expansion by a factor of 2by a factor of 2– i.e.,i.e., the ciphertext is twice as long as the corresponding plaintextthe ciphertext is twice as long as the corresponding plaintext Requires a random number generator (k)Requires a random number generator (k) Relies on discrete algorithm problem,Relies on discrete algorithm problem, i.e.i.e., having, having y= gy= gxxmod pmod p it’s hard to findit’s hard to find xx (the private key)(the private key) ElGamal encryption is randomized (coming from the randomElGamal encryption is randomized (coming from the randomnumbernumber kk), RSA encryption is deterministic.), RSA encryption is deterministic. ElGamal is the basis of many other algorithms (ElGamal is the basis of many other algorithms (e.g.e.g., DSA), DSA)
    35. 35. 3535SummarySummary RSA is a public key encryption algorithm whose security isRSA is a public key encryption algorithm whose security isbelieved to be based on the problem of factoring large numbers.believed to be based on the problem of factoring large numbers. ElGamal is a public key encryption algorithm whose security isElGamal is a public key encryption algorithm whose security isbelieved to be based on the discrete logarithm problem.believed to be based on the discrete logarithm problem. RSA is generally favoured over ElGamal for practical ratherRSA is generally favoured over ElGamal for practical ratherthan security reasons.than security reasons. RSA and ElGamal areRSA and ElGamal are less efficient and fastless efficient and fast to operate than mostto operate than mostsymmetric encryption algorithms because they involve modularsymmetric encryption algorithms because they involve modularexponentiation.exponentiation.– Public key cryptography confined to key management and signaturePublic key cryptography confined to key management and signatureapplications.applications.

    ×