Public Key Cryptography

1
Public Key Cryptography

• Tom Horton
• Alfred C. Weaver
• CS453 Electronic Commerce

2
References

• Chap. 12 of Treese and Stewart textbook
• Web articles on PGP, GPG, Phil Zimmerman
• Bruce Schneier, Applied Cryptography, John
  Wiley Sons
• Andrew Tanenbaum, Computer Networks,
  Prentice-Hall
• Jim Kurose and Keith Ross, Computer Networking,
  Addison-Wesley

3
Overview of PKC

• Also known as using asymmetric keys
• A pair of keys
• (Can think of this as one long key in two parts)
• One used for encryption, the other for decryption
• One publicly accessible, the other private to one
  person
• Algorithms / Systems
• RSA (Rivest, Shamir, Adelman)
• DSA (Digital Signature Algorithm)
• PGP, OpenPGP, GPG (Gnus PGP)
• ssh, sftp
• SSL

4
Public Key Cryptography
5
Mailbox Analogy

• Part of the system is public yet secure
• Mailbox with slot
• Public everyone can access it and leave info
• Secure info not accessible to anyone except
• Usefully accessing the info requires a private
  key
• The recipient has something personal to get to
  the data and read it
• Matches common use (shown in slide) Sending
  encrypted information to someone
• Other ways to use this

6
(No Transcript)
7
Public Key Cryptography

• Key is some large number (string of bits)
• Key has two parts, one public, one private
• Public key is well-known
• Trusted agents verify the public key
• Private key is a secret forever
• Key is arbitrarily large
• Encrypt with receivers public key
• Decrypt with receivers private key

8
Public Key Cryptography

• 1. Choose two large primes, p and q
• 2. Compute n (p)(q)
• 3. Compute z (p-1)(q-1)
• 4. Choose d such that it is relatively
  prime to z (no common divisor)
• 5. Find e such that (e)(d) modulo z 1
• 6. Public key is (e,n)
• 7. Private key is (d,n)

9
Public Key Cryptography

• 8. To encrypt plaintext message m, compute c me
  mod n
• 9. To decrypt ciphertext message c, compute m
  cd mod n.

10
PKC Example

• 1. Choose two (large) primes, p and q
• p 3 and q 11
• 2. Compute n (p)(q)
• n (3)(11) 33
• 3. Compute z (p-1)(q-1)
• z (2)(10) 20
• 4. Choose d such that it is relatively prime to z
  (no common divisor)
• choose d 7
• 7 and 20 have no common divisor

11
PKC Example

• 5. Find e such that (e)(d) modulo z 1
• find e such that 7e mod 20 1
• one solution is e 3
• 6. Public key is (e,n)
• public key (3, 33)
• 7. Private key is (d,n)
• private key is (7, 33)

12
PKC Example

• 8. To encrypt plaintext message m, compute c me
  mod n
• c m3 mod 33
• note require m lt n
• 9. To decrypt ciphertext message c, compute m
  cd mod n
• m c7 mod 33

13
PKC Example

• Encode letter S as 19 just because it is the
  19th letter of the alphabet, so plaintext message
  m S 19
• Of course we could use any other encoding, say
  ASCII
• Encryption (e3)
• c me mod n 193 mod 33
• c 6,859 mod 33 28
• Decryption (d7)
• m cd mod n 287 mod 33
• m 13,492,928,512 mod 33 19

14
Work an Example
1. Choose two (not so large) primes, p and q
p 47 and q 71
3337 n
2. n (p)(q) (47)(71)
3220 z
3. z (p-1)(q-1) (46)(70)
4. Choose e (or d) such that it is relatively
prime to z (i.e., e and z share no common
divisors)
e5? 3220/5644 no
e23? 3220/23140 no
e35? 3220/3592 no
e79? 3220 and 79 share no divisors ... yes
15
Work an Example
5. Choose d such that (e)(d) modulo z 1
So 79d mod z 1 now what?
Compute candidate values of d
d 1019 or 4239 or 7459 or ...
6. Public key (e, n) (79, 3337)
7. Private key (d, n) (1019, 3337)
16
Work an Example
8. Encrypt c me mod n
Let the message m 3
c 379 mod 3337 4926960980478197443869440340212
776567 mod 3337 158
17
(No Transcript)
18
Work an Example
9. Decrypt m cd mod n
m 1581019 mod 3337 m 3
19
(No Transcript)
20
Now Do This One
m 12871283761287623450982346231237462836428 e
98982347326723847658728742384782347823477 d
87385671910957210238457823842398472397471 n
91239128371982491824912873918237918239183 What is
me mod n? What is cd mod n?
123981203981297532739456374587469898274502399 1298
37129837923593045734658264927341204389245 98723947
2934729375923457935793457938573947593 981239123912
371982749128379357935793579872391 8934598734958732
94573298572986798256984569873 98734737347760982349
7243958713057312409857753 134957831294709246798570
398422362456698987987 2390482038509234860958603968
40958609832492398 20389579386793867938759385739272
0020204230...
21
Public Key Cryptography

• Now imagine that p and q are hundreds of digits
  long!
• Power of PKC based upon the difficulty of
  factoring large numbers
• Commercial firms provide
• choice of p and q
• suitable e and d
• software for large integer arithmetic
• registration of keys to a particular entity

22
(No Transcript)
23
RSA Implementation

• Java implementation of the RSA version of public
  key cryptography
• http//intercom.virginia.edu/crypto/crypto.html

24
Public Key Symmetric Key

• Public key algorithms are slow when used with
  large numbers
• Commercial practice
• generate random symmetric key for each message or
  session
• use symmetric key techniques to encrypt
  message(s)
• encrypt the random symmetric key using PKC
• provide recipient with encrypted symmetric key,
  signed with a digital signature, and a signature
  certificate

25
Digital Signatures

• Digital signatures use PKC techniques to sign a
  message, proving the authenticity of the sender
• Sender encrypts some message with his private key
• Receiver consults a certification authority to
  verify senders public key
• Receiver uses senders verified public key to
  decrypt senders message

26
Digital Signatures
Original Plaintext
Ciphertext
Plaintext
Encryption
Decryption
Encryption with Senders Private Key
Decryption with Senders Public Key
27
Digital Signatures

• ciphertext (message)private-key mod n
• message (ciphertext)public-key mod n
• In other words, reverse the use of e and d
  from PKC
• But, PKC is slow when the keys are large
• So instead, take a hash of the message and sign
  that

28
Digital Signatures

• Message m ABCDE
• Let hash be mod 10 sum of bytes
• hash(m) (6566676869) mod 10
• 335 mod 10 5
• If any byte of message changes, there is a 1 in
  10 change that we will catch it
• Poor choice of h, but illustrative
• Later we learn how to make a good hash function

29
Digital Signatures

• Sender computes hash H of plaintext
• Sender encrypts hash with his private key
• digsig (H)private mod n
• Receiver decrypts the digsig with senders public
  key
• Hdecrypted (digsig)public mod n
• Receiver recovers the plaintext of the message
  from its ciphertext (however thats done)
• Receiver uses same hash function on recovered
  plaintext to get computed hash value, Hcomputed
• If Hcomputed Hdecrypted, then with probability
  p the plaintext was not altered enroute, and with
  probability 1 the hash was signed by the owner of
  the public key
• How do we make p vanishingly small? (soon)

30
Still Not Done

• PKC is very, very powerful
• So is symmetric key if key is long
• But there are still ways to attack the process,
  if not the algorithm

31
Bob Talks to Alice
3. Bob encrypts with Alices public key
5. Alice decrypts with Alices private key
6. Alice encrypts with Bobs public key
8. Bob decrypts with Bobs private key
Bob and Alice are now communicating securely ---
or are they?
32
Risks
Bob
Alice
Mallory replaces Alice's and Bob's public key
with her own records data and re-encrypts
it with the other person's purported public key
Mallory
33
How Secure is Symmetric Key Cryptography?

• DES is toast
• Known that DES can be broken in a few hours, and
  probably in just minutes or seconds
• If DES can be broken in one second, then 128-bit
  AES takes 119 trillion years
• 3DES (168 bits) takes longer
• 256-bit AES takes far longer
• This assumes there are no trap doors (and no
  reason to suspect there are any)

34
How Secure is Public Key Cryptography?

• As secure as you wish it to be
• Moores Law says that computing power doubles at
  no increase in cost every 18 months
• Approximately true since 1976
• As computing power progresses, increase key
  length
• But beware distributed computing!
• Make sure key is much, much longer than any one
  machine can solve, because many computers might
  be working on it

35
How Secure is Modern Crypto?

• For now, crypto provides very serious protection
  for electronic commerce transactions when using
• symmetric keys of length gt 128 bits
• public keys of length gt 1024 bits
• If cryptography is so strong, why is this not a
  completely solved problem?

36
Key Management

• Crypto is strong so criminals, hackers, and the
  government go after key management
• If the keys are not secure, the communication is
  not secure
• The threat to modern cryptography is key
  management
• key distribution
• key revocation
• key storage
• key theft

37
Digital Signature
Senders data
Hash algorithm (SHA-1, MD5)
Hash code (message digest)
Timestamp
PKC encryption
Senders private key
Validate with senders public key
Digital signature
Timestamp
38
Hash Code

• What makes a good hash code?
• Recall why we use it
• the hash code is digitally signed (rather than
  the message itself) for computational economy
• the hash code is used to prove message integrity
• hash(P) hash ( D ( E ( P) ) )

39
Characteristics

• One-way hash function H operates on arbitrary
  length message M and returns a fixed length hash
  value, hH(M)
• Many functions can do that
• Our goals are
• given M, easy to compute h
• given h, difficult to compute M s.t. H(M)h
• given M, hard to find M such that H(M) H(M)

40
Hash Codes (Message Digests)
One example scheme 01011111 . 11 01001110 .
10 00100001 . 01 01001001 . 11 11010100 .
10 11110000 . 11 10001011 . 00
File for which you wish to prove integrity (M)
H exclusive-OR
h 11010110 ... 10 H(M)
41
Discussion

• Let the hash function H() be the n-bit wide
  exclusive-or of the message M.
• Is that a good hash function?
• Advantages?
• Disadvantages?

42
Discuss
What if H(M) is a 16-bit wide exclusive OR? M
I will buy your house for 1,000,000 M base 2
01100101 01101100 00101010
01101010 ..... H(M)
10010100 01010110 Premise If I use EX-OR as
hash, and digitally sign the hash value, then
neither you nor I can change the contract because
doing so would change the hash, and thus
H(D(E(P))) ! H(P). Is that true?
43
Cheating with Digital Signatures

• 1. Change 1,000,000 to 1
• 2. Hash is only 16 bits wide.
• 3. There are only 216 hash values.
• 4. Start generating other variations on the
• message that are merely cosmetic,
• e.g., replace space with space-backspace-space,
  or
• replace .ltCRgt with .ltspacegtltCRgt
• 5. If this were a contract with gt16 lines, making
  or not
• making one change on each of 16 lines would
  produce
• gt216 variations of the document.
• 6. Not all 216 hash values are necessarily
  present---this
• just shows that it is relatively easy to produce
  a
• large number of variants quickly and easily
• and automatically!

44
Cheating with Digital Signatures

• So take the original document and digitally sign
  it.
• Take a version of the altered document where
  H(M)H(M) and sign that one also.
• Present your check for 1.
• Go to court to enforce the digitally signed
  contract M where the price is 1.

45
Lessons

• Lesson 1 H(M) needs to produce a lot more than
  16 bits. Target 128 or 256.
• Lesson 2 And while were at it, lets stir the
  bits when computing H(M) so that hash bits are a
  function of more than just a single column of
  bits. Want each hash bit hi to be a function of
  many input bits (as with DES).

46
Real-world crypto hash functions

• MD5 and SHA-1 commonly used
• Supported in libraries (e.g. PHP)
• Wikipedia
• http//en.wikipedia.org/wiki/Cryptographic_hash_fu
  nction
• http//en.wikipedia.org/wiki/MD5
• http//en.wikipedia.org/wiki/SHA_hash_functions
• Bruce Schneier, Applied Cryptography, pages
  436-441.

47
Tools

• Gnu PGP
• OpenSSL
• More info on this later
• Language libraries
• E.g. PGP
• Commercial vendors or groups
• E.g. www.bouncycastle.org

48
Another Bit of History

• The Clipper Chip
• Promoted by the US Government from 1993-96
• http//en.wikipedia.org/wiki/Clipper_chip
• A encryption chip
• To be installed in devices doing voice
  transmission
• Skipjack algorithm developed by NSA
• Government agency holds private keys in escrow
• If an agency established its authority, it
  could be given the key

49
Threats on encryption

• Distributed computing (grid computing) on the
  scale of the Internet
• Quantum computing

50
(No Transcript)
51
Pretty Good Privacy

• PGP designed by Phillip Zimmerman for electronic
  mail
• Uses three known techniques
• IDEA for encrypting email message
• International Data Exchange Algorithm
• block cipher with 64-bit blocks
• similar in concept but different in details from
  DES
• uses 128-bit keys
• patented, but free for non-commercial use

52
Controversies

• Was released overseas
• Zimmerman says not by him
• US Government investigated him for 3 years under
  the Arms Export Control Act
• Dropped in 1996
• Use of RSA patents
• PGP eventually became a company
• Open PGP
• Use by non-government groups
• Dissidents, terrorists, etc.

53
PGP

• RSA public key encryption
• permits keys up to 2,047 bits in length
• Digital signatures use MD5 as the one-way hash
  function
• PGP generates a random 128-bit symmetric key,
  used by IDEA for each email message
• PGP generates its own public/private key pairs
• Keys are stored locally using a hashed pass phrase

54
Hashed Pass Phrase

• Access to the private key is granted by providing
  the pass phrase (not password)
• Should be on the order of 100 characters
• Issues with a pass phrase
• whats the chance of guessing a 100 character
  phrase?
• Is it 2(1008)?

55
Hashed Pass Phrase

• People dont want to type 100 characters, so they
  are typically shorter
• Can you remember ndjehrkanf48ahdmmdh3jnqlkfyebnek
  fjnanrb9roakfn63nfgaprektnvcgesiwm?
• Dictionary attacks (common words)
• Personal knowledge attacks (spouse, children,
  pets, birthdays, anniversaries)
• Cultural bias (English)
• Subject bias (computing, accounting)

56
PGP

• PGP does not use conventional certificates (too
  expensive)
• Instead,
• users generate and distribute their own public
  keys
• sign each others public keys
• save trusted public keys on public-key ring
• users build a web of trust
• users determine how much to trust

57
PGP Comments

• PGP is very powerful for email
• runs on many platforms
• available free from www.pgpi.org
• But
• no key revocation authority
• no foolproof way to withdraw a compromised key
• maybe there are some residual concerns over a
  prior government lawsuit (now resolved) against
  Phil Zimmerman

58
(No Transcript)