CHAPTER 5: PUBLIC KEY SYSTEMS

1
CHAPTER 5 PUBLIC KEY SYSTEMS Secret
(symmetric) key systems have been used for
centuries. Have worked well in many cases and
failed in others. Two problems have been
persistent Key distribution doesnt scale
well. Authentication (ensuring the message is
authentic). These two problems led to the
development by Diffie and Hellman of the first
idea for a public key system. A public key
system does not require secret key distribution
and it can also be used for authentication.
2

• Public Key Systems - In the Beginning
• Authenticating a message needs to provide a
  function similar to a
• written signature that authenticates a letter,
  contract, or legal paper.
• This problem has been around for some time.
• Two independent efforts led to the solution to
  this problem and, by
• serendipity, solved the key exchange problem.
• Challenge/response systems for aircraft
  identification.
• 2. One-way functions for storing computer
  passwords.

3
Challenge-Response Systems Problem
1 Requirement Distinguish between friendly and
hostile aircraft for radar fire control
systems. Radar issues an electronic challenge to
each aircraft. Return of correct information
identified the aircraft as friendly or
hostile. If challenge stayed constant, the
hostile force could record the interchange and
play it back (masquerade response). Solution
Use an encrypted random challenge. The aircraft
receives the challenge, encrypts it with a
secret key and sends it back. OK as long as the
key is kept secret or the adversary has not
broken the encryption algorithm. Re-play was
foiled by a per challenge random number in the
response. Key were changed often (daily) to
prevent brute force key breakage.
4
Challenge - Response
Decrypt Random Number
Secret Key
Add ID to Random Number
Random Number
Encrypted Random Number
Secret Key
Encrypted ID Random Number
5
Stored Passwords Problem 2 Requirement
Protect files containing passwords stored on a
multi-user computer system. The file contains
multiple passwords and, if compromised, allow
any user to masquerade as any other
user. Solution Dont store passwords in the
file. Instead, the file contains the results of
a computation that used passwords as input and
performed a translation using a one-way function.
One-way functions are easy to compute, but hard
to invert. Only the output of the one way
function was stored. Access to the table did not
reveal the password, only the output of the
one-way function. As long as it is very hard to
determine the password given the one-way
function access is secure.
6
A One-Way Function Example - Parity Given a
block of characters compute the bit-by-bit
EXOR 01101011 10000000 10110001 10101110 0010
0110 00000000 01111000 11111111 10101010 1111111
1 00101110 00101110 (parity block) In this
case two different strings (think password) have
created the same parity block. Many different
strings would create the same parity block and
there is no way to recover the original string.
At best we could compute all possible strings
that produce the result and try them one at a
time until one works (brute force in some form
will always work if it is computationally
tractable) .
7
Synergy at Work Challenge-response systems
protect against eavesdropping and re-play, while
one-way functions dont reveal secret
information. Diffie and Hellman saw that these
two capabilities could be combined in a modified
one-way function - called a trap-door function
allows someone possessing secret information to
invert the one-way function. In a conventional
one-way function (known as a hash
algorithm) F(P) Q is easily computed F is
the one-way function, P is the password, Q is
the result. The advantage is It is
computationally infeasible to find P, given F
and Q (like recovering the characters in the
parity example).
8
Diffies Modifications Construct a new one-way
function FT, meaning a one-way function with a
trap door such that FT(P) Q is easy (as
before) P cannot be recovered knowing FT and Q,
as before, but P can be recovered by knowing a
secret part of FT and Q. This is the core of the
Diffie/Hellman public key exchange
algorithm. Diffie/Hellman generated the theory
for this in 1976, but did not provide an
implementation. Rivest, Shamir, and Adleman of
MIT published the first implementation that has
become widely used (RSA algorithm).
9
Public Key Systems Concept FT is an algorithm
that uses a two-part key (2 keys). One key is
public, the other is private. Either key can
encrypt and its trap-door counterpart will
decrypt. Two modes are 1. Encrypt with the
public key, decrypt with the private key. 2.
Encrypt with the private key and decrypt with the
public key. Public keys can be made widely know
(published openly) Private keys must be kept
secret. This also means users can exchange
public keys over insecure channels solving the
key exchange problem.
10
Secret/Public Key Systems Compared

• Same algorithm key used to encrypt/decrypt by
  sender receiver.
• Both sides keep key secret.
• Knowing the algorithm, key length, and access to
  ciphertext is not sufficient to determine the
  key.
• The system must resist ciphertext, key, and
  algorithmic attacks.

• Same algorithm is used to encrypt and decrypt,
  but one key encrypts and a 2nd, different key,
  decrypts.
• One key must be kept secret (private key).
• Knowing the algorithm, key length, one of the
  keys, and access to ciphertext is not sufficient
  to determine the other key.
• Must resist ciphertext, key, algorithmic
  attacks.

11

• Public Key Applications
• Expanded capability compared to secret key
  systems. Uses are
• 1. Encryption/decryption of short messages (but,
  speed is an issue).
• 2. Authentication (user/user, user/system,
  system/system).
• 3. Key exchanges (e.g., use public keys to
  exchange a secret key).
• 4. Non-repudiation (assurance of origin and/or
  receipt).
• 5. Integrity assurance (information
  stored/transmitted has not
• changed) .
• Assume 2 participants, Alice Bob. In all cases,
  Alice Bob
• Independently generate two keys to be used for
  messages they
• want to send and receive.
• 2. Publish their public keys so they are easily
  accessible.
• 3. Keep their private keys secret.

12
Public Key Applications - Confidentiality
Alice Transmission Channel
Bob Encrypt mA using eB
cA(message from Alice) Decrypt cA using
dB Decrypt mB using dA cB(message from Bob)
Encrypt mB using eA Not Used for long messages -
Much slower that secret key systems. Ok for short
messages Like symmetric key exchanges.
13
Public Key Applications - Unilateral
Authentication
Alice encrypts a message using her private key
(Hello, this is Alice). Bob decrypts the message
with Alice's public key. If Alice has kept her
private key secret, Bob is assured that Alice is
the author of the message - (see next slide for
exceptions).
14
Unilateral Authentication Exception 1 Evil
Eavesdropper Eve can pose as Alice how is Bob
to know?
Secret Message
Secret Message
Decryption Algorithm
Encryption Algorithm
Bobs Private Key
Bobs Public Key
Receiver (Bob)
Sender (Eve posing As Alice)
Electronic Channel
15
Unilateral Authentication Exception
2 Man-in-the-middle attacks on Bob. If Eve is in
the message path she could intercept Alices
message encrypted with Alices private key. Then
Eve could Send a message to Bob containing
Eves public key, but saying it was Alices
public key (how is Bob to know which public
key is really Alices)? Open the message Alice
sent to Bob with Alices public key. Encrypt the
message with her private key and send to Bob. If
Bob opens it with the bogus Alice public key, he
has established communications with someone he
believes is Alice, but who isnt. This may sound
tortured, but man-in-the-middle attacks are real
in the world of cryptography and need to be
neutralized. How?
16
Public Key Applications - Mutual Authentication
How? Use a challenge/response
interchange. Assume Alices key pair is (ea, da)
and Bobs is (eb, db). ra rb are random
numbers generated by Alice Bob, respectively.
The es are the public keys, ds are the private
keys. The random numbers ra and rb are called
nonces. Nonce defined Occurring, used, or made
only once. This implies a one-time exchange of
random numbers. Since these numbers are
encrypted with a public key, only the holder of
the corresponding private key can open and view
the nonce. This needs to be done in a three-way
exchange, challenge - response
counterchallenge - response.
17
Mutual Authentication - Challenge/Response The
following shows a 4-way exchange, but the middle
2 exchanges can be combined. Bob can respond with
Alices nonce and include his own
challenge. Alice Transmission
Channel Bob Encrypt ra using eb eb(ra)? Decrypt
eb(ra) using db (save ra as ra) Decrypt using
da ? ea(ra) Encrypt ra using ea Test
ra ra Decrypt rb using da ?
ea(rb) Encrypt rb using ea

(save rb as rb) Encrypt rb using eb
eb(rb)? Decrypt rb using db

Test rb rb
18
Three-Way Challenge/Response
19
Public Key Applications - Key Exchange We can
exchange public keys since they do not have to be
kept secret. We may want to use a secret key
system for encrypting messages because the public
key system is slow when encrypting long
messages. Thus, the need for a secure key
exchange mechanism. Could also use a
Diffie/Hellman key exchange. In a public key
system, authenticate as before. Ideally, this is
mutual authentication. Then Alice or Bob can
initiate a key exchange. Alices proposes a key
and encrypts with Bobs public key (not Alices
private key, since anyone with access to Alices
public key could open the message), Bob decrypts
with his private key and affirms the choice with
Alice by return message.
20
Key Exchange
One additional element is needed. The original
message should include not only the key, but
must specify the encryption algorithm to be used
(e.g., DES, IDEA, etc.).
21

• Public Key Applications - Non-Repudiation of
  Origin
• A message encrypted with a private key must have
  originated from
• the owner of the private key unless the key has
  been compromised.
• During the original distribution, an adversaries
  key was submitted
• as representing Alices key - requirementfor a
  trusted key distributor.
• 2. After initial distribution, an adversary has
  broken or appropriated
• Alices private key.
• 1 establishes the requirement for an
  infrastructure for the trusted
• distribution of public keys - a public key
  infrastructure (PKI).
• 2 establishes the requirement for careful
  behavior and for a
• mechanism to validate that a particular key
  has/has not been
• compromised (another function of a PKI to be
  discussed later).

22
Public Key Applications - Non-Repudiation of
Receipt Tougher problem that requires a third
party. Assume Alice sends a message to Bob
encrypted with her private key. While this
ensures non-repudiation of source, it does
nothing for receipt. Can be handled by having
Bob acknowledge receipt to a third party. On
receipt, Bob encrypts a receipt message with his
private key and sends to a third party
acknowledging receipt. Since Bob is the sole
holder of his private key, the message must have
come from Bob. Bob could have acknowledged back
to Alice, but Alice would have had to retain the
encrypted message to show proof. A trusted third
party can validate and simply log the event,
even notify Alice.
23
Public Key Applications - Integrity
24
Public Key Applications - Integrity Digest is a
fingerprint of the document created by a hash
function. A hash function is a one-way function
that accepts as input a message of arbitrary
length and produces a much shorter digest of the
original document (typically 128 bits in
length). A hash function is also a keyless
transformation. The digest is computationally
hard (infeasible) to invert. Can be used to
ensure the integrity of stored or transmitted
information.
25
Public Key Algorithms Most widely used is
Rivest, Shamir, Aldelman (RSA) algorithm.
Variable key and block length, with key length
selected based on the strength required. A
common length is 512 bits blocks must be lt key
length. Strength is based on the difficulty of
factoring large prime numbers. It is easy to
multiple two large prime numbers p q together,
but given the product n (p x q) it is very
hard to find p or q. Keys are generated from
large primes (order 256 bits or larger) we call
p q, such that n (p x q) p q are kept
secret, n can be public.
26
Public Key Algorithms - RSA To create a public
key 1. Choose a number e, with e lt n and such
that e is relatively prime to (p-1)(q-1). That
is, (p-1)(q-1), e have no common factors
except 1 and themselves. p q are prime (e.g.,
13 23 are primes). n 13 x 23 299 (p - 1)
12 (q - 1) 22 (p - 1)(q - 1) 12 x 22 264 e
must be a number relatively prime to
264 Common factors of 264 are 1, 2, 3, 4, 6, 8,
11, 12, 22, 24, 33, 44, etc. from observation, 5
has no common factors with 264. Choose e 5
27
Public Key Algorithms - RSA The public key is
(e, n) (5, 299) . To create the private
key 2. Choose a 2nd number d, (private key)
e's multiplicative inverse (assumes a
multiplicative inverse exists - covered in next
chapter) Where de 1 mod ?(n) so the private
key is (d, n) and ?(n) (the totient of n) (p -
1)(q - 1) 264 5 x d 1 mod 264 or d 1
mod264/5 Numbers that satisfy this are n x 264
1 Try n 1 265/5 53 is an integer, the
private key is 53. Try n 2 528/5 105.6 is
not an integer, cant be used. The public key
is (5, 299) the private key is (53, 299)
28
Public Key Algorithms - RSA Encryption To
encrypt c me mod n Where c ciphertext m
message with m lt n (block message lt n) m
6 e public key 5 n (p x q) 299 c
65 mod 299 7776 mod 299 7776/299 Q is
26, R is 2 c 2 The private key (d, n) will
decrypt the message m cd mod n 253 mod 299
220 x 220 x 213 mod 299 m (1,048,576)(1,048,57
6)(8192) mod 299 R (282)(282)(119) m
9,463,356 mod 299 Q of 31,650, R of 6 So..m 6
29
Public Key Algorithms - RSA Digital
Signature Signing a message with m lt n s md
mod n Where m message to be signed d
private key n (p x q) Verified by m se mod
n e is the public key Note that encryption
decryption can be done in any order. Encrypt
with e, decrypt with d, provides confidentiality
Encrypt with d, decrypt with e, provides
signature
30
Public Key Algorithms - Requirements 1. It must
be possible to find n, e, and d such that med m
mod n n (p x q) requires finding two large
prime integers, p q, and multiplying them
together. Intensive, but not done often (only
when keys change). Finding e lt n means finding
a number that is relatively prime to Euler's
totient function which is exactly (p-1)(q-1).
This requires an algorithm to test for relative
primality (e.g., Euclid's algorithm). Finding d
means finding the multiplicative inverse of e.
This can be done using an extended version of
Euclid's algorithm.
31
Public Key Algorithms - Requirements 2. It must
be easy to compute me mod n and cd mod n. These
are powers of integers and is straightforward,
but is computationally intense because of the
size of the integers. 3. It must be infeasible
(hard) to find d given e n This is the basic
strength of RSA. It depends on the difficulty of
factoring n into p q to produce the ?(n) to
solve d e mod ?(n). The difficulty of
factoring n is based on the historical
work function which has been improving (getting
smaller) over time. Consequently, key are
getting longer to compensate.
32
Public Key Algorithms - Example 2 1. Select
two prime number, p 7, q 17 2. Compute n (p
x q) 7 x 17 119 3. Compute ?(n) (p - 1)(q -
1) (7 - 1)(17 - 1) 6 x 16 96 4. Select e
relatively prime to ?(n) 96, and lt n (meaning
the only common factors are 1 and the number
itself). Factors of 96 are 1, 2, 3, 4, 6, 8,
12, 16, 24, and 32 Try 5 which has factors, 1,
and 5 5. Find d such that de 1 mod n, and d lt
96 So, d x 5 1 mod 96
33
Public Key Algorithms - Example So, d (1 mod
96)/5, and numbers that produce 1 mod 96 are n
x 96 1 n 1 97, but 97/5 is not an
integer n 2 193, but 193/5 is not an
integer n 3 289, but 289/5 is not an
integer n 4 385, and 385/5 77 is an
integer Thus, the two keys are Public key e
(5, 119) Private key d (77, 119)
34
Public Key Algorithms - Example
Encrypt/Decrypt Encrypt - plaintext 19 with
key (5, 119) c me mod n c 195 mod 119 c
2,476,099/119 Q 20,807, R66 c 66 Decrypt
- ciphertext 66 with key (77, 119) m cd mod
n m 6677 mod 119 m 1.27x 10140/119 Q
1.06x 10138, R 19 QED
35
Public Key Algorithms - Strength of RSA Three
main attack scenarios 1. Brute force key search
attacks. 2. Algorithmic attacks that factor n
into p q 3. Timing attacks that measure
decryption time to infer information. Brute
force is the same problem discussed earlier for
secret key systems and depend of the power of
contemporary machines. Algorithmic attacks
require factoring n into large prime numbers, a
very difficult problem. In 1995, it took about
30,000 MIPS-Years to factor a 512 bit
number. But, the capability is getting better as
follows
36
Factoring Large Prime Numbers Year Decimal
Digits Bits MIPS-Years 1984 71 236
0.1 1988 106 352 140 1993 120 399
825 1994 129 429 5000 1995 119 395
250 1996 130 432 750 19991 140 462 200
0 19991 155 515 8000 Source (thru 1996)
http//www.certicom.com/ecc/wecc3.htm 1.
http//www.loria.fr/zimmerma/records/RSA155 Resu
lt n 515 bits is marginal, n should be at
least1024 bits.
37
Timing Attacks Relatively recent development.
1. Install a sniffer on the computer performing
the decryption. 2. Measure the bit-by-bit
decryption times. 3. Times will vary depending on
the values of the bits in the key and/or the
message being decrypted. 4. Requires extensive
measurements time, but will break a
key. Countermeasures include padding arithmetic
calculations to produce equal time (software),
inserting random delays in the arithmetic
calculations, or inserting random numbers in the
ciphertext before decrypting.
38
Public Key Algorithms - Summary Widely Used
for Authentication Integrity Non-repudiatio
n Digital signatures Key exchange Not
widely used for confidentiality service. Instead,
use public key to exchange a secret key for a
specific session. This is Secure Sockets Layer
(SSL) used in all web browsers. Next turn our
attention to the mathematics underlying public
key cryptography!