
wireless comm systems 4

lecture about wireless comm systems

Block 4: Public Key Cryptography

Objectives

You should:

1. Be able to describe how public key systems simplify key distribution.

2. Understand how public key systems use trapdoor functions to realize cryptographic transformations with separate encrypting and decrypting keys.

3. Know how the Diffie-Hellman key exchange algorithm enables the secure exchange of secret keys over a network.

4. Know how to generate keys for the RSA system and how to encipher and decipher messages with this system.

5. Be able to describe how certificate authorities assure the validity of public keys.

6. Be able to describe how public key systems are used for digital signatures and identification.

7. Understand how hash functions are used for digital signatures and be aware of current concerns about the security of SHA-1.


Public Key Cryptosystems

Introduced by Diffie and Hellman in 1976, they get around the problem of distributing keys.

In a secret key system: either the encryption and decryption keys are the same or it is very easy to obtain the decryption key from the encryption key.

In a public key system: it is very difficult to obtain the decryption key from the encryption key, so the encryption keys can be made public avoiding the key distribution problem.

The user has a pair of related keys: a public (encrypting) key, which is available to anyone, and its corresponding private (decrypting) key which is kept secret.

The security of the system depends on the computational infeasibility of inverting the encrypting transformation without knowledge of the secret key since the cryptanalyst has all the information needed to attack the system.

The encrypting transformation should be a trapdoor one-way function.

Note: unicity distance is irrelevant to public key systems since the cryptanalyst knows the encryption key. Using the encryption key the cryptanalyst may perform any chosen plaintext attack.


A public key system has separate encrypting (public) and decrypting (secret) keys p and s and possibly different encrypting and decrypting transformations E and D, where

D(s, E(p, m)) = m

E(p, D(s, m)) = m

but

A public key cryptosystem must therefore have the following properties:

Generation of "random" pairs of keys p and s must be feasible.

The computation of and must be feasible.

Without knowledge of s it must be infeasible to compute m from and p, also computing s from p must be infeasible.

This means that we must discover an efficient way to construct a trapdoor one-way function.

Secret key systems provide a degree of message authentication automatically: only someone with knowledge of the secret key may create a message decipherable using that secret key.


In public key systems anyone with knowledge of Bob's public key may create a message decipherable using Bob’s secret key.

If message authentication is required then it must be done in addition to encrypting the message.


Diffie-Hellman Key Exchange algorithm

In their seminal paper Diffie and Hellman proposed a method for the secure exchange of secret keys over a network.

This method was later shown to provide the basis for public key cryptography.

The algorithm works as follows:

Alice and Bob agree on a large prime number n and a generator g of the multiplicative group mod n, with 1 < g < n.

The numbers n and g can be publicly known.

Alice picks an integer x with 0 < x < n randomly. Alice computes A = g^x mod n.

Alice sends Bob g, n, A.

Bob picks an integer y with 0 < y < n randomly. Bob computes B = g^y mod n.

Bob sends Alice B.

Alice takes Bob's number and calculates B^x mod n.

Bob takes Alice's number and calculates A^y mod n.

Both calculations yield g^(xy) mod n. This is the secret key.


A cryptanalyst who observes g, n, A and B would have to compute a discrete logarithm (x from A, or y from B) to obtain the key. For large n this is considered infeasible. Note that the exchange as described does not authenticate Alice or Bob to each other: an attacker who can replace A and B in transit can agree a separate key with each of them, so in practice the exchanged values must be authenticated, for example with the certificates described later in this block.

A pictorial representation of this algorithm is:

For an excellent demonstration of this key exchange protocol from the CrypTool pull down menu choose:

Indiv.Procedures/Protocols/Diffie-Hellman Demonstration

Diffie-Hellman key exchange is used by WAP Class 1


The Discrete Logarithm Problem

The multiplicative group of the integers mod a prime n contains elements known as generators: raising a generator to the powers 1, 2, ..., n-1 produces every non-zero element of the group.

Example: mod 7 has elements 1 to 6 (plus 0).

If we consider the elements raised to powers 1 to 6 (all values mod 7):

x    x^1  x^2  x^3  x^4  x^5  x^6
1     1    1    1    1    1    1
2     2    4    1    2    4    1
3     3    2    6    4    5    1   G (generator)
4     4    2    1    4    2    1
5     5    4    6    2    3    1   G (generator)
6     6    1    6    1    6    1

For a generator g and any y with 0 < y < n there is a unique x with 0 < x < n such that y = g^x (mod n).

Given a number n, its discrete logarithm to the base b, mod m, is a number x such that b^x (mod m) = n.

Finding x is a difficult problem, and a discrete logarithm exists for every n only when b is a generator mod m.

Examples


In mod 7 arithmetic:

as ,

does not exist, and

as 4 is not a generator

The difficulty of computing discrete logarithms is similar to factoring. For a large modulus this problem is hard.
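The mod-7 table above and the Diffie-Hellman exchange on page 5, worked through as an added example (this is not code from the lecture): it builds the power table and picks out the generators, computes discrete logarithms by brute force, and then runs a complete exchange including the eavesdropper's side, which succeeds only because the modulus is tiny. The parameters n = 23 and g = 5 are my own choice (23 is prime and 5 generates the group mod 23); the range check on the peer's public value is a caveat the lecture's description omits.

```python
import secrets


def power_table(n):
    """Row x holds x^1 .. x^(n-1) mod n, as in the lecture's mod-7 table."""
    return {x: [pow(x, k, n) for k in range(1, n)] for x in range(1, n)}


def is_generator(g, n):
    """g generates the multiplicative group mod n (n prime) when its powers
    g^1 .. g^(n-1) hit every value 1 .. n-1."""
    return len(set(power_table(n)[g])) == n - 1


def discrete_log(y, b, m):
    """Brute force: smallest x >= 1 with b^x = y (mod m), or None if none exists.
    A solution exists for every y only when b is a generator.  Feasible here
    only because m is tiny; for a 2048-bit m this is the attacker's problem."""
    for x in range(1, m):
        if pow(b, x, m) == y:
            return x
    return None


def dh_keypair(g, n):
    """Pick a random exponent 0 < x < n and publish g^x mod n.  Public values
    1 and n-1 (produced by x = n-1 and x = (n-1)/2) are rejected because they
    would pin the shared secret to {1, n-1}."""
    while True:
        x = secrets.randbelow(n - 1) + 1
        public = pow(g, x, n)
        if 1 < public < n - 1:
            return x, public


def dh_shared_secret(my_exponent, their_public, n):
    """Validate the peer's value before exponentiating (a check real
    implementations must make), then compute their_public^my_exponent mod n."""
    if not 1 < their_public < n - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(their_public, my_exponent, n)


def run_exchange(g, n):
    """Both parties in one process.  Returns (Alice's key, Bob's key, Eve's key):
    Eve sees only g, n, A, B and recovers x by discrete logarithm, which is the
    step that becomes infeasible for a realistic n.  Nothing here authenticates
    either party to the other."""
    x, A = dh_keypair(g, n)               # Alice sends g, n, A
    y, B = dh_keypair(g, n)               # Bob replies with B
    k_alice = dh_shared_secret(x, B, n)   # B^x = g^(xy) mod n
    k_bob = dh_shared_secret(y, A, n)     # A^y = g^(xy) mod n
    k_eve = pow(B, discrete_log(A, g, n), n)
    return k_alice, k_bob, k_eve


if __name__ == "__main__":
    for x, row in power_table(7).items():
        print(x, row, "G" if is_generator(x, 7) else "")
    # assumption: n = 23 (prime), g = 5 (a generator mod 23)
    print(run_exchange(5, 23))
```

Running the block prints the lecture's table with the two generators (3 and 5) marked, then three equal keys; replacing 23 by a 2048-bit prime would leave the first two keys computable in milliseconds and make the third the attacker's discrete-logarithm problem.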


Digital Signatures

Since any user of a public key system can use Bob's public key to encrypt a message for Bob, he has no way of checking the identity of the sender of a message.

Suppose Alice wants to send a message to Bob and arrange that Bob can verify that it indeed came from her.

She takes the message she wishes to sign and decrypts it using her secret key to obtain a digital signature, which can be attached to the original message. She then sends both to Bob.

Bob (or anyone else) can reconstitute the original message from the digital signature by encrypting it with Alice's public key.

He may then check that the original message is equal to the encrypted signature.

Only Alice could have generated the signature, since knowledge of her secret key is necessary to generate it.

Thus Bob can be sure the message came from Alice. He can also prove this to a third party.


So Alice obtains

Alice sends

Bob obtains

and checks that

This process is very costly in communication bandwidth so another option is to compute a one-way hash of the original message to produce a message digest, encrypt the message digest and send that instead.

The digest should be sufficiently long to prevent an exhaustive attack (at least 160 bits, possibly more) and should depend on the entire message.


The Birthday Paradox

When you put 20 people in a room and each of the 20 people asks each of the other 19 people about their birthdays:

Each individual person only has a small (about 5%) chance of success, but each person is trying it 19 times. That increases the probability dramatically.

If you want to calculate the exact probability, let's say you have a big wall calendar with all 365 days on it.

o You walk in and put a big X on your birthday.

o The next person who walks in has only 364 possible open days available, so the probability of the two dates not colliding is 364/365.

o The next person has only 363 open days, so the probability of not colliding is 363/365.

If you multiply the probabilities for all 20 people not colliding, then you get:

364/365 * 363/365 * ... * (365 - 20 + 1)/365 = chance of no collision

The probability of a collision is 1 minus that number: approximately 0.41 for 20 people, and it passes 0.5 once 23 people are in the room.


The Birthday Attack

Use at least a 160-bit digest to prevent a birthday attack. Suppose we are using digital signatures to enforce a contract I do not wish to honour.

I write two versions of the contract, say "I will pay you £1000" and "I will pay you £1".

Suppose the digest size is 128 bits.

I generate 2^64 variations of each contract (e.g. by inserting or removing spaces, punctuation, etc.), and compute a digest for each; giving a total of 2^128 pairs of digest values for a total of 2^65 digest computations.

Amongst these 2^128 pairs, there is almost certainly one pair for which the digest values are equal (if not, I generate a few more).

I then have two different contracts each with the same digest value.

I give one to you ("I will pay you £1000") and keep the other ("I will pay you £1").

When you try to prove that I have promised you £1000 I produce the other contract and claim that you must have stolen my key.

Thus a digest of length n bits can be circumvented with about 2^(n/2) digest computations and 2^(n/2) blocks of memory (to hold the digests of one set of variants while the other set is searched), without exploiting any weakness in the hash function itself.
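The birthday calculation of page 11 and the contract attack above, as an added example (not code from the lecture or from CrypTool): the first functions compute the exact no-collision probability and the crowd size at which a collision becomes more likely than not; the attack then generates spacing variants of two contracts and searches for a pair whose digests match. A 20-bit truncation of SHA-256 stands in for a short digest so that 2^12 variants of each contract (four times the 2^10 the square-root rule needs) find a match in well under a second; the contract wording and the truncation are my own choices.

```python
import hashlib


def no_collision_probability(k, days=365):
    """Exact probability that k people all have different birthdays:
    364/365 * 363/365 * ... * (days - k + 1)/days."""
    p = 1.0
    for i in range(k):
        p *= (days - i) / days
    return p


def collision_probability(k, days=365):
    return 1 - no_collision_probability(k, days)


def people_needed(threshold=0.5, days=365):
    """Smallest k whose collision probability reaches the threshold."""
    k = 1
    while collision_probability(k, days) < threshold:
        k += 1
    return k


def variants(text, count):
    """`count` distinct renderings of `text` that read the same: word gap j is
    one or two spaces according to bit j of a counter, so the text needs at
    least log2(count) gaps."""
    words = text.split(" ")
    if count > 1 << (len(words) - 1):
        raise ValueError("not enough word gaps for that many variants")
    for i in range(count):
        body = "".join(w + ("  " if (i >> j) & 1 else " ")
                       for j, w in enumerate(words[:-1]))
        yield body + words[-1]


def truncated_digest(message, bits):
    """SHA-256 keeping only the top `bits` bits, standing in for a short digest."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)


# Constructed sample contracts; the fraudulent one differs only in the amount.
HONEST = "I, the undersigned, agree to pay the bearer of this document the sum of £1000 on demand"
FRAUD = "I, the undersigned, agree to pay the bearer of this document the sum of £1 on demand"


def birthday_attack(honest_text=HONEST, fraud_text=FRAUD, bits=20, count=1 << 12):
    """Find an honest variant and a fraudulent variant with equal digests.
    The table of honest digests is the 2^(n/2) blocks of memory; the loop
    over fraudulent variants is the other half of the 2^(n/2)+1 computations.
    Returns (honest_variant, fraud_variant) or None if no pair matched."""
    table = {truncated_digest(v.encode(), bits): v for v in variants(honest_text, count)}
    for v in variants(fraud_text, count):
        d = truncated_digest(v.encode(), bits)
        if d in table:
            return table[d], v
    return None


if __name__ == "__main__":
    print("23 people:", round(collision_probability(23), 4), "needed:", people_needed())
    pair = birthday_attack()
    print("collision found:", pair is not None)
```

The same code with `bits=128` would need 2^64 variants per side, which is the scale the lecture describes; the point of the 160-bit recommendation is that 2^80 is out of reach even though each individual digest computation is cheap.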


This attack is demonstrated to some extent in CrypTool.

From the pull down menu choose:

Analysis/Hash/Attack on the Hash Value of the Digital Signature

Figure: two contracts, "I will pay £1000" and "I will pay £1"; generate many punctuation variations of each until one variant of each has the same hash output.

Brief history of the most popular hashing functions

In 1990, Ron Rivest invented the hash function MD4.

In 1992, he improved on MD4 and developed another hash function: MD5.

In 1993, the National Security Agency published a hash function very similar to MD5, called SHA (Secure Hash Algorithm).

Then, in 1995, citing a newly discovered weakness that it refused to elaborate on, the NSA made a change to SHA.

The new algorithm was called SHA-1.

Today, the most popular hash function is SHA-1, with MD5 still being used in older applications.


Typical hash functions are:

Message Digest 5 (MD5): It takes as input a message of arbitrary length and pads the message until it is a multiple of 512 bits long.

The padded input is processed in 512-bit blocks to produce a 128-bit value (the hash code).

As the computer power available to potential attackers has increased, concerns have arisen over the vulnerability of 128-bit hash codes to birthday attack.

Concerns have also arisen about the vulnerability of MD5 to cryptanalysis.

Secure Hash Algorithm (SHA-1): a hash function developed by the US National Institute of Standards and Technology (NIST) and published as a federal standard in 1993.

A revised version was published in 1995 that is generally referred to as SHA-1.

It takes as input a message of less than 2^64 bits and processes it in 512-bit blocks to produce a 160-bit hash code.

SHA-1 has the desired property that every bit of the hash code is a function of every bit of the input.


RIPEMD-160: A hash function developed under the European Union’s RACE Integrity Primitives Evaluation project.

Similar in structure to SHA-1 it processes a message of arbitrary length in 512-bit blocks to produce a 160-bit hash code.

Federal Information Processing Standards (FIPS) 180-2, 1 August 2002, included SHA-1 and three new hash functions known as SHA-256, SHA-384 and SHA-512.

The suffixes refer to the sizes of the message digests produced by the hash functions in bits.

The new hash functions have a more complicated description than SHA-1.

On 29 February 2004 the standard was amended to include SHA-224.


An attack on SHA-1

In February 2005, three Chinese cryptographers showed that SHA-1 is not collision-free (Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu, mostly from Shandong University in China).

That is, they developed an algorithm for finding collisions faster than brute force (the birthday attack).

The researchers' analysis shows that collisions of SHA-1 can be found with complexity less than 2^69 hash operations.

This is the first attack on the full 80-step SHA-1 with complexity less than the 2^80 theoretical (birthday) bound.

The researchers expect that real collisions of SHA-1 reduced to 70 steps can be found using today's supercomputers.

For the average Internet user, this news was not a cause for panic.

No one is going to be breaking digital signatures but it's time to migrate away from SHA-1.

Luckily, there are alternatives.

The National Institute of Standards and Technology already has standards for longer -- and harder to break -- hash functions: SHA-224, SHA-256, SHA-384, and SHA-512.


These are collectively known as SHA-2.

Current developments in attacking SHA-1

At Crypto 2005 (The 25th Annual International Cryptology Conference August 14-18, 2005, Santa Barbara, California, USA) Adi Shamir announced new results of Xiaoyun Wang, one of the original team of Chinese researchers who announced an attack on SHA-1, together with Andrew Yao and Frances Yao.

Shamir presented few details but revealed that the time complexity of the new attack is 2^63 and stated that he expected Wang and her students to improve on this result over the next few months.

There is no reason to believe that 2^63 is anything like a lower limit.

An attack that's faster than 2^64 is a significant milestone.

Massive computations have already been done with complexity 2^64. Now that the SHA-1 collision search is clearly feasible, some research group will try to implement it.

Writing working software will both uncover hidden problems with the attack, and illuminate hidden improvements.


While a paper describing an attack against SHA-1 is damaging, software that produces actual collisions is even more so.

NIST plans

Although no attacks have been reported on the SHA-2 variants, they are algorithmically similar to SHA-1, so efforts are under way to develop improved alternative hash algorithms.

An open competition for a new SHA-3 function was announced in the Federal Register on November 2, 2007. "NIST is initiating an effort to develop one or more additional hash algorithms through a public competition, similar to the development process for the Advanced Encryption Standard (AES)."

Submissions are due October 31, 2008 and the announcement of a winner and publication of the new standard are scheduled to take place in 2012.


Identification

Cryptographic algorithms have a third basic application in addition to encryption and digital signatures, identification.

The primary use of identification is for access control.

Cryptographic algorithms used for identification are used within identification protocols which enable the prover, Bob, to prove to the verifier, Alice, their identity.

In a challenge response identification system if the prover, Bob, wants to identify himself to the verifier, Alice, then Bob must respond correctly to a question, or challenge, from Alice.

o Bob responds to the challenge by computing a response using a secret key and sending it to Alice.

o If the challenge response system is based on symmetric key cryptography, Alice verifies the response using the same secret key.

o If the system is based on public key cryptography, Alice verifies the response using the public key that corresponds to the secret key Bob used.


Suppose Alice and Bob agree a secret key by which they may identify themselves to each other:

o If Bob wants to identify himself to Alice he asks Alice for a random number, he then encrypts this random number with the secret key and sends the cipher text to Alice who decrypts the cipher text with the secret key and compares the result with the number she sent.

o If there is a match then she accepts this as proof of identity.

Public-key cryptography may be used for identification as follows:

o If Bob wants to identify himself to Alice he asks Alice for a random number, he then encrypts this random number with his private key and sends the cipher text to Alice who decrypts the cipher text using Bob’s public key and compares the result with the number she sent.

o If there is a match then she accepts this as proof of identity. For this challenge response system to work Alice must be sure that she has the authentic public key of Bob.
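The symmetric challenge-response protocol of page 21, as an added example (not code from the lecture): Bob proves knowledge of the shared key by transforming Alice's random number, and Alice checks it with the same key. HMAC-SHA256 stands in for "encrypt the random number with the secret key" (my assumption; any keyed transform Alice can recompute works the same way). The two details the protocol depends on, and which the prose leaves implicit, are that the challenge must be fresh and unpredictable and that Alice must accept each challenge only once, otherwise a response recorded on the wire can be replayed.

```python
import hashlib
import hmac
import secrets


def compute_response(shared_key, challenge):
    """Prover (Bob): transform the verifier's random number with the secret key."""
    return hmac.new(shared_key, challenge, hashlib.sha256).digest()


class Verifier:
    """Alice: hands out fresh random challenges and accepts each at most once."""

    def __init__(self, shared_key, challenge_bytes=16):
        self._key = shared_key
        self._challenge_bytes = challenge_bytes
        self._outstanding = set()

    def new_challenge(self):
        challenge = secrets.token_bytes(self._challenge_bytes)  # unpredictable
        self._outstanding.add(challenge)
        return challenge

    def check(self, challenge, response):
        """True only for a correct response to a challenge this verifier issued
        and has not yet consumed."""
        if challenge not in self._outstanding:
            return False                      # never issued, or already used
        self._outstanding.discard(challenge)  # single use, even if the answer is wrong
        expected = compute_response(self._key, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


def run_identification(shared_key, prover_key):
    """One round of the protocol.  Returns (accepted, replay_accepted): the
    second value is what an eavesdropper gets by resending the captured
    (challenge, response) pair after the genuine round."""
    alice = Verifier(shared_key)
    challenge = alice.new_challenge()          # Bob asks for a random number
    response = compute_response(prover_key, challenge)
    accepted = alice.check(challenge, response)
    replay_accepted = alice.check(challenge, response)
    return accepted, replay_accepted


if __name__ == "__main__":
    key = b"constructed-shared-key"   # constructed sample key, not a real secret
    print("genuine Bob:", run_identification(key, key))          # (True, False)
    print("wrong key:  ", run_identification(key, b"guess"))     # (False, False)
```

The public-key variant on the same page has the identical shape with a signature in place of the HMAC; the extra requirement there, that Alice holds Bob's authentic public key, is what the certification authority section addresses.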


Public Key Infrastructures

It must not be possible for public keys to be falsified or abused, and the secrecy of private keys must be assured.

This is achieved through public key infrastructures (PKIs).

Personal Security Environments

If Bob wants to use a public key system he needs a separate key pair for each purpose for which he wants to use the system (encryption, digital signature and identification); otherwise the system is insecure.

If one key pair is used for both digital signature and identification, an attacker can pretend they want a check on identity.

The attacker sends Bob, as the "random number" to be transformed with his private key, a value that is in fact the hash of a document. When Bob applies his private key to it he is, without knowing it, signing the document.

Bob must securely store his private keys in a personal security environment (PSE) that the keys must never leave.

Because of this the PSE must do all digital signing, identification and decryption with the private keys.

The PSE may generate the key pairs to be used. However, this requires resources such as, in the case of RSA keys, the facility to generate large prime numbers.


Therefore, it may be more sensible to use a trusted third party to generate the key pairs.

However, the third party will then automatically know the private keys used which can be considered a drawback.

A software PSE is only as secure as the underlying operating system and all operating systems are to some extent vulnerable to attack.

Furthermore, a simple software PSE may only be an encrypted file that can be accessed by entering a password that is used to decrypt the file.

In this case, the PSE is only as secure as the password that is used.

Therefore, a hardware PSE should be used for all applications where a high level of security is essential.

A hardware PSE is more formally referred to as a Hardware Security Module (HSM); for an introduction to HSMs, including a list of some of the products on the market, see chapter 8 of Austin, T., PKI, Wiley, 2001.

A PSE can be implemented on a smart card, which is just a form of HSM.

It is very difficult to manipulate the software or hardware of a smart card.

However, the processing capabilities of smart cards are very limited so they cannot be used to encrypt or decrypt documents.


Instead they are used to encrypt or decrypt session keys that are passed to and from a PC via a smart card reader.

These session keys are the secret keys of symmetric key algorithms, encryption or decryption using these keys is done on the PC.

Even when a PSE is implemented on a smart card a severe security problem remains.

When the user wants to sign a document the PC computes the hash of the document and then passes the hash to smart card for signing.

An attacker can manipulate the software on the PC so that this hash value is replaced with the hash of another document that is then passed to the smart card for signing.

This is the representation problem for signatures.

This problem must be solved if handwritten signatures are ever to be replaced by digital signatures.

One solution is for the user to see the hash they are signing but this requires the smart card to have a display, one possibility is to incorporate the smart card into a mobile phone.

Certification Authorities


The users of a public key system must be sure of the validity of the public keys they use.

If an attacker can substitute their public key for that of some other person they can decrypt documents addressed to that person.

This problem is usually solved by associating each user of the system with a trusted third party called a certificate authority (CA).

This requires that each user trust their CA and knows the public key of their CA.

Each new user of the system must register with a CA.

o On registration the new user provides the CA with their name and other relevant data.

The CA verifies the new user’s information before generating a certificate that connects the new user to their public keys and signing the certificate with the private key of the CA.


A certificate will contain the following information:

1. The user name

2. The public keys of the user

3. The algorithms in which the public keys are used

4. The serial number of the certificate

5. The dates of the beginning and end of the validity of the certificate

6. The name of the certificate authority

7. Restrictions that apply to the use of the certificate

The X.509 standard is a scheme for formatting public key certificates that is used in most network security applications including IPSec, SSL, SET and S/MIME.

The CA stores the generated certificate and the corresponding user name in a directory into which only it is allowed to write.

All the registered users of the CA have read only access to the directory.

Once a user has been registered and their public keys certified, if the CA generated the key pairs of the user, the CA will transmit the private keys to the PSE of the user.

The public key of the CA and the certificate of the user may also be stored in the PSE of the user.


Some public and private keys have to be stored in archives after they have expired.

As long as a signature generated by a private signature key may have to be verified, the CA must store the corresponding public key.

As long as documents encrypted by a public encryption key may have to be read the corresponding private key must be stored in the PSE of its user.

If the CA generated the key pairs of the user the user must be provided with new private keys by the CA before the old ones expire, this may be done using variants of the Diffie-Hellman key exchange protocol.

CrypTool provides a demonstration of digital signature generation that requires you to generate a public key certificate that contains the public signature key to be used to check the signature.

From the pull down menu choose:

Digital Signatures/PKI/Signature Demonstration


Certificates sometimes have to be invalidated before they have expired.

If someone loses a smart card which contains their private signature key, the corresponding public verification key must be invalidated so that if the smart card is found by a dishonest person that person cannot use the private signature key.

A CA stores all its invalidated certificates in its certificate revocation list (CRL), which is part of its directory.

o The CRL contains the serial number of the invalidated certificate and the date it was invalidated.

o It may also contain other information such as the reason the certificate was invalidated.

o The CA signs each entry in its CRL with its private signature key.

If the user of a CA wants to know a public key of an individual or organisation registered with the same CA they simply obtain the certificate containing the public key from the directory of the CA and verify the certificate using the public key of the CA.

A user may keep certificates they use regularly in their PSE, keeping a ‘key-ring’.

However, if they do this they must regularly check the validity of those certificates.


If the user of a CA wants to know the public key of an individual or organisation that is registered with a different CA, they can obtain it provided they can get, from their own CA, a certificate for the public signature key of the other CA and validate it.

The certificate for the public key of the individual or organisation concerned can then be obtained directly from them or from the CA they are registered with.

This certificate can then be validated using the validated public signature key of the CA that issued it.

If the CA of the user does not have the certificate for the public key of the other CA it may be obtained using a certificate chain, that is, indirectly through a succession of certificate authorities.


RSA (Rivest, Shamir, and Adleman)

The RSA public key cryptosystem is named after its discoverers.

A user's public and secret keys in RSA are constructed from three positive integers n, p and s where p < n and s < n.

The pair (p, n) is the public key and the pair (s, n) is the secret key.

Messages to be encrypted must be split into blocks, so that no block, when interpreted as a non-negative integer m, could possibly be larger than n.

Each block may be interpreted as a non-negative integer by treating it as the binary expansion of a natural number. To encrypt plaintext m to obtain ciphertext c, we compute c = m^p mod n.

To recover the plaintext m we compute m = c^s mod n.

Of course we cannot use just any values for n, p and s and we shall see next how to choose them so that RSA is hard to attack and encryption and decryption are mutual inverses.

Generating RSA Keys


1. Randomly select two large primes q and r.

2. Let n = qr.

3. Randomly choose an integer p coprime to (q - 1)(r - 1), i.e. p has no common factors with (q - 1)(r - 1).

4. Compute s such that ps ≡ 1 (mod (q - 1)(r - 1)).

5. Publish (p, n) as your public key.

6. Record (s, n) as your secret key.

Explanation of Step 3

In step 4 we need to compute the multiplicative inverse of p modulo (q - 1)(r - 1); this only exists if p is coprime to (q - 1)(r - 1).

In the case of RSA, we know that n is the product of two primes q and r, so the number of positive integers less than n that are coprime to n is (q - 1)(r - 1), and it is modulo this quantity that p and s must be inverses.

Example: RSA Encryption and Decryption

Let , , and . We encrypt and decrypt two ASCII characters: 19 and 91.
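The key generation steps above, the encryption of the two sample values 19 and 91, the hash-then-sign scheme of page 10 and the key-reuse attack of page 22, worked as one added example (not code from the lecture; the lecture's own example parameters are not reproduced on the page, so the primes 61, 53 and 59, 67 and the exponent 17 are my own choices, chosen small so that every intermediate value is readable). Because n is tiny the digest is reduced mod n before signing; with real key sizes the digest is padded instead, so that step is a simplification.

```python
import hashlib
from math import gcd

# Toy parameters (assumption): real RSA moduli are 2048 bits or more.
SIGNING_PRIMES = (61, 53)
IDENTIFICATION_PRIMES = (59, 67)
PUBLIC_EXPONENT = 17


def generate_keys(q, r, p=PUBLIC_EXPONENT):
    """Steps 1-6: n = qr, p coprime to (q-1)(r-1), s = p^-1 mod (q-1)(r-1).
    Returns ((p, n), (s, n))."""
    n = q * r
    phi = (q - 1) * (r - 1)
    if gcd(p, phi) != 1:
        raise ValueError("p must be coprime to (q-1)(r-1) for s to exist")
    s = pow(p, -1, phi)              # multiplicative inverse (Python 3.8+)
    return (p, n), (s, n)


def encrypt(m, public_key):
    p, n = public_key
    if not 0 <= m < n:
        raise ValueError("block must be a non-negative integer smaller than n")
    return pow(m, p, n)              # c = m^p mod n


def decrypt(c, secret_key):
    s, n = secret_key
    return pow(c, s, n)              # m = c^s mod n


def hash_to_int(message, n):
    """Message digest as an integer below n.  Reducing mod n is a
    simplification for the toy modulus; real signatures pad the digest."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") % n


def sign(message, secret_key):
    """Hash-then-sign: 'decrypt' the digest with the secret key."""
    s, n = secret_key
    return pow(hash_to_int(message, n), s, n)


def verify(message, signature, public_key):
    """'Encrypt' the signature with the public key and compare with the digest."""
    p, n = public_key
    return pow(signature, p, n) == hash_to_int(message, n)


def respond_to_challenge(challenge, secret_key):
    """Public-key identification: the prover transforms the verifier's random
    number with the secret key.  Arithmetically this is exactly signing."""
    s, n = secret_key
    return pow(challenge, s, n)


def key_reuse_forgery(contract, victim_secret_key):
    """The attacker poses as a verifier and sends, as the 'random' challenge,
    the digest of a contract.  If the victim answers with the same key pair
    it uses for signatures, the response is a valid signature on the contract."""
    _, n = victim_secret_key
    challenge = hash_to_int(contract, n)     # indistinguishable from a nonce
    return respond_to_challenge(challenge, victim_secret_key)


if __name__ == "__main__":
    pub, sec = generate_keys(*SIGNING_PRIMES)
    for m in (19, 91):
        c = encrypt(m, pub)
        print(f"m={m} -> c={c} -> {decrypt(c, sec)}")
    contract = "I will pay you £1000".encode()
    forged = key_reuse_forgery(contract, sec)
    print("forged signature verifies:", verify(contract, forged, pub))
    # With a separate identification key pair the response is useless as a signature.
    _, id_sec = generate_keys(*IDENTIFICATION_PRIMES)
    print("response under a separate key verifies:",
          verify(contract, key_reuse_forgery(contract, id_sec), pub))
```

With the signing primes above the keys come out as (17, 3233) and (2753, 3233), and both sample blocks round-trip; the last two lines show the forgery succeeding when one key pair serves both purposes and failing once identification uses its own pair, which is the separation the PSE section calls for.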


A pictorial representation of RSA encryption and decryption is provided below. In the figure a single letter M = 19 is encrypted then decrypted.

How Secure is RSA?

RSA is known to be no harder than factoring.

An efficient algorithm for factoring would make RSA insecure since it would then be easy to obtain q and r and to compute s from p.

While factoring is not known to be intractable there is currently little prospect of an efficient algorithm for factoring and the problem has been the subject of intensive study for many years.


However, RSA is not known to be as hard as factoring and it is possible there is an attack that does not involve factoring.

This appears unlikely as time passes as RSA has survived intense investigation for 20 years.

In 1994 a 129-digit key RSA-129 was factorised and groups throughout the World are constantly seeking to extend their success to larger numbers. RSA-140 and RSA-155 were factorised in 1999.

RSA-155 is 512 bits. Standard RSA keys are 1024 bits.

RSA-200 was factorised by the group of Prof. Jens Franke at the University of Bonn in 2005.

The calculations took 17 months

It has been suggested that 1024-bit RSA keys will be factored by 2022.

The GISA (German Information Security Agency) recommended the usage of 2048-bit keys from 2006 onwards.

How RSA is used

In the late 1970s most common general-purpose computers were too weak to generate good RSA encryption and putting RSA on a chip was too complicated.


The first significant users of RSA cryptography were a small software company called Iris Associates funded by the spreadsheet company Lotus Development Corp.

Iris’s product, Notes, was the first example of groupware, a program meant to be used by many people over a network.

Notes assumed users would exchange all their messages, including the confidential ones, over a network.

This posed the problems of how to prevent someone sending an email pretending to be someone else and how to prevent someone reading the email as it passed through an intermediate machine.

Iris solved these problems through a sophisticated use of RSA: a hybrid system, using the public key method to encrypt the symmetric keys of a conventional cryptosystem.

That is, RSA was used as a key-exchange algorithm and DES was used to encrypt the message content.

In practice, RSA encryption and decryption are too slow to be used to encrypt bulk message content; currently the standard RSA key is 1024 bits long.


Other Public Key Systems

Prior to the mid-1980s it was believed that the Diffie-Hellman key exchange algorithm could only provide a way for two parties to agree upon secret keys.

However, in the mid-1980s a company called Cylink established that clever use of the Diffie-Hellman key exchange algorithm provided for privacy and authentication.

Recently elliptic curve cryptography (ECC) has begun to challenge RSA.

Its prime advantage is that it appears to offer the same level of security for a far smaller key length reducing the processing overhead.

This is particularly beneficial for applications on devices with comparatively limited processing power such as wireless devices and smartcards.

Currently, most chips on smart cards cannot process keys exceeding 1024 bits

A digital signature can be processed 10-times faster with ECC than with RSA.

However, verification of a given signature is still more efficient with RSA than with ECC.

Thin clients like smart cards usually have to store the (long) secret key and have to generate a digital signature rather than verify one.

There is a clear advantage in using ECC in terms of efficiency.

RSA public key cryptography is too computationally expensive for mobile phones so WAP uses Elliptic Curve Cryptography (ECC) by default.

Nowadays, the major problem with ECC-implementations is the lack of standardization.

This causes problems in interoperability

Furthermore, ECC products have only begun to appear recently and therefore only recently has there been sustained interest in trying to find cryptographic weaknesses in ECC.

Consequently, there is less confidence in the security of ECC than RSA.

ECC is fundamentally more difficult to understand than RSA and beyond the scope of this course.
