Upload
deepak-john
View
62
Download
8
Tags:
Embed Size (px)
Citation preview
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 28
2.1 ADVANCED ENCRYPTION STANDARD
Symmetric block cipher, designed by Rijmen-Daemen in Belgium and published by National
Institute of Standards and Technology (NIST) in December 2001.
Intended to replace DES and 3DES
DES is vulnerable to differential attacks
3DES has slow performances
NIST Evaluation Criteria
Security: The effort to crypt analyze an algorithm.
Cost: The algorithm should be practical in a wide range of applications.
Algorithm and Implementation Characteristics: Flexibility, simplicity etc.
SECURITY
Actual security: compared to other submitted algorithms (at the same key and block size).
Randomness: the extent to which the algorithm output is indistinguishable from a random
permutation on the input block.
Soundness: of the mathematical basis for the algorithm's security.
Other security factors: raised by the public during the evaluation process, including any attacks
which demonstrate that the actual security of the algorithm is less than the strength claimed by the
submitter.
COST
Licensing requirements: NIST intends that when the AES is issued, the algorithm(s) specified in
the AES shall be available on a worldwide, non-exclusive, royalty-free basis.
Computational efficiency: The evaluation of computational efficiency will be applicable to both
hardware and software implementations
Memory requirements: The memory required to implement a candidate algorithm for both
hardware and software implementations of the algorithm will also be considered during the
evaluation process.
ALGORITHM AND IMPLEMENTATION CHARACTERISTICS
Flexibility: Candidate algorithms with greater flexibility will meet the needs of more users than
less flexible ones,
Hardware and software suitability: A candidate algorithm shall not be restrictive in the sense that
It can only be implemented in hardware.
Simplicity: A candidate algorithm shall be judged according to relative simplicity of design.
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 29
Final evaluation criteria
General Security: To assess general security, NIST relied on the public security analysis conducted
by the cryptographic Community:
Software Implementations: The principal concerns in this category are execution speed,
performance across a variety of platforms, and variation of speed with key size.
Hardware Implementations: In some applications, such as smart cards, relatively small amounts of
random-access memory (RAM) and/or read-only memory (ROM) are available for such purposes as
code storage (generally in ROM);
Restricted-Space Environments: Like software, hardware implementations can be optimized for
speed or for size. However, in the case of hardware, size translates much more directly into cost
than is usually the case for software implementations.
Attacks on Implementations: The criterion of general security, discussed in the first bullet, is
concerned with cryptanalytic attacks that exploit mathematical properties of the algorithms. There is
another class of attacks that use physical measurements conducted during algorithm execution to
gather information about quantities such as keys.
Encryption vs. Decryption: This criterion deals with several issues related to considerations of both
encryption and decryption. If the encryption and decryption algorithms differ, then extra space is
needed for the decryption.
Key Agility: Key agility refers to the ability to change keys quickly and with a minimum of
resources.
Potential for Instruction-Level Parallelism: This criterion refers to the ability to exploit ILP features
in current and future processors.
Other versatility and Flexibility: indicates two areas that fall into this category. Parameter flexibility
includes ease of support for other key and block sizes and ease of increasing the number of rounds
in order to cope with newly discovered attacks. Implementation flexibility refers to the possibility
of optimizing cipher elements for particular environments.
AES Cipher
an iterative rather than Feistel cipher
processes data as block of 4 columns of 4 bytes
operates on entire data block in every round
designed to have:
resistance against known attacks
speed and code compactness on many CPUs
design simplicity
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 30
AES Structure
processes data as state array
Encryption/Decryption consists of 10 rounds of processing for 128-bit keys, 12 rounds for 192-bit
keys, and 14 rounds for 256-bit keys.
Except for the last round, all other rounds are identical.
Each round of processing includes
1. Byte substitution (1 S-box; byte to byte substitution)
2. Shift rows (permutation of bytes)
3. Mix columns (substitution using matrix multiply of groups)
4. Add Round Key (XOR state with a portion of expended K)
The order in which these four steps are executed is different for encryption and decryption
The input is a single 128 bit block both for decryption and encryption and is known as the in matrix
This block is copied into a state array which is modified at each stage of the algorithm and then
copied to an output matrix.
The key is expanded into an array of key schedule words (the w matrix).
Ordering of bytes within the in and w matrix is by column.
Fig 2.1 AES Encryption and Decryption
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 31
Fig 2.2 AES Data structures
Byte Substitution
a simple substitution of each byte
uses S-box to perform a byte-by-byte substitution of State
uses one table of 16x16 bytes containing a permutation of all 256 8-bit values
each byte of state is replaced by byte indexed by row (left 4-bits) & column (right 4-bits)
eg. byte {95} is replaced by byte in row 9 column 5
which has value {2A}
designed to be resistant to all known attacks
Fig 2.3 Byte substitution
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 32
Shift Rows
a circular byte shift in each row
1st row is unchanged
2nd
row does 1 byte circular shift to left
3rd row does 2 byte circular shift to left
4th row does 3 byte circular shift to left
decrypt inverts using shifts to right
since state is processed by columns, this step permutes bytes between the columns
Fig 2.4 Shift Rows
Mix Columns
The MixColumns transformation operates at the column level; it transforms each column of the
state to a new column.
Fig 2.5 Mix Columns
AddRoundKey
Adds a round key word with each state column matrix.
Each column in the state matrix is XORed with a different word.
Proceeds one column at a time.
The operation in AddRoundKey is matrix addition.
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 33
Fig 2.6 AddRoundkey
AES Key Expansion
create round keys for each round,
If the number of rounds is Nr, the key-expansion routine creates Nr + 1 128-bit round keys.
takes 128-bit (16-byte) key and expands into array of 44/52/60 32-bit words
start by copying key into first 4 words
Fig 2.7 words for each round
AES Decryption
AES decryption is not identical to encryption since steps done in reverse.
Decryption algorithm uses the expanded key in reverse order.
All functions are easily reversible and their inverse form is used in decryption
Analysis of AES
The AES is secure against all known attacks.
Various aspects of its design incorporate specific features that help provide security against specific
attacks.
There are apparently no known attacks on AES.
Implementation Aspects
• can efficiently implement on 8-bit CPU
– byte substitution works on bytes using a table of 256 entries
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 34
– shift rows is simple byte shifting
– add round key works on byte XORs
– mix columns requires matrix multiply in GF(28) which works on byte values, can be
simplified to use a table lookup
• can efficiently implement on 32-bit CPU
– redefine steps to use 32-bit words
– can pre-compute 4 tables of 256-words
– then each column in each round can be computed using 4 table lookups + 4 XORs
– at a cost of 16Kb to store tables
designers believe this very efficient implementation was a key factor in its selection as the AES
cipher
2.2 MULTIPLE ENCRYPTION AND TRIPLE DES
Double DES
The simplest form of multiple encryption has two encryption stages and two keys.
Encryption sequence: E-E
Decryption sequence: D-D
Given a plaintext P and two encryption keys K1 and K2, cipher text C is generated as
C = E (K2, E (K1, P))
For DES, this scheme apparently involves a key length of bits, resulting in a dramatic increase in
cryptographic strength. But we need to examine the algorithm more closely.
P = D(K1, D(K2, C))
and have “meet-in-the-middle” attack
since M = EK1(P) = DK2(C)
The attacker tries to break the two-part encryption method from both sides simultaneously, a
successful effort enables him to meet in the middle of the block cipher.
Fig 2.8 Double encryption
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 35
Triple DES with Two Keys
hence must use 3 encryptions
would seem to need 3 distinct keys
Encryption sequence: E-D-E
Decryption sequence: D-E-D
Fig 2.9 triple DES with two keys
but can use 2 keys with E-D-E sequence
C = EK1(DK2(EK1(P)))
P = D(K1, E(K2, D(K1, C)))
if K1=K2 then can work with single DES
standardized in ANSI X9.17 & ISO8732
no current known practical attacks
Triple DES with Three Keys
although are no practical attacks on two-key Triple-DES have some indications
can use Triple-DES with Three-Keys to avoid even these
Fig 2.10 Triple DES with three keys
C = EK3(DK2(EK1(P)))
P=DK1 (EK2 (EK3 (C)))
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 36
BLOCK CIPHER MODES OF OPERATION
NIST defines 5 possible modes to cover a wide variety of applications
1. Electronic CodeBook Mode (ECB)
2. Cipher Block Chaining Mode (CBC)
3. Cipher FeedBack Mode (CFB)
4. Output FeedBack Mode (OFB)
5. CounTeR Mode(CTR)
can be used with any block cipher
have block and stream modes
Fig 2.11 Block Cipher modes of operation
Electronic Code Book (ECB)
message is broken into independent blocks which are encrypted
each block is a value which is substituted, like a codebook,
each block is encoded independently of the other blocks
Ci = EK1 (Pi)
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 37
uses: secure transmission of single values
Fig 2.12 Electronic Codebook (ECB) Mode
Advantages and Limitations of ECB
message repetitions may show in cipher text
main use is sending a few blocks of data
Cipher Block Chaining (CBC)
message is broken into blocks
linked together in encryption operation
each previous cipher blocks is chained with current plaintext block,
use Initial Vector (IV) to start process
Ci = EK1 (Pi XOR Ci-1)
Ci-1 = IV
uses: bulk data encryption, authentication
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 38
Fig 2.13 Cipher Block Chaining (CFB) Mode
Advantages and Limitations of CBC
a cipher text block depends on all blocks before it
any change to a block affects all following cipher text blocks
need Initialization Vector (IV)
which must be known to sender & receiver
hence IV must either be a fixed value
or must be sent encrypted in ECB mode before rest of message
Stream Modes of Operation
block modes encrypt entire block
may need to operate on smaller units
real time data
convert block cipher into stream cipher
cipher feedback (CFB) mode
output feedback (OFB) mode
counter (CTR) mode
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 39
use block cipher as some form of pseudo-random number generator
Cipher Feed Back (CFB)
message is treated as a stream of bits
added to the output of the block cipher
result is feedback for next stage
standard allows any number of bit (1,8, 64 or 128 etc) to be feed back
denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
Fig 2.14 CFB Mode
Ci = Pi XOR EK1 (Ci-1)
C-1 = IV
Advantages and Limitations of CFB
appropriate when data arrives in bits/bytes
most common stream mode
encryption mode used at both ends
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 40
Output Feed Back (OFB)
output of cipher is added to message
output is then feed back
feedback is independent of message
So feedback can be computed in advance
Fig 2.15 OFB mode
Ci = Pi XOR Oi
Oi = EK1(Oi-1)
Oi-1 = IV
Counter (CTR)
must have a different key & counter value for every plaintext block (never reused)
uses: high-speed network encryptions
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 41
Fig 2.16 CTR mode
Advantages and Limitations of CTR
efficiency
can do parallel encryptions in h/w or s/w
can preprocess in advance of need
random access to encrypted data blocks
provable security (good as other modes)
But must ensure never reuse key/counter values, otherwise could break.
STREAM CIPHERS AND RC4
Stream Cipher
Start with a secret key
process message bit by bit (as a stream)
have a pseudo random key stream
Combine the stream with the plaintext to produce the cipher text (typically by XOR)
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 42
Ci = Mi. XOR StreamKeyi
but must never reuse stream key
otherwise can recover messages
Fig 2.17 Stream cipher design
Stream Cipher Properties
some design considerations are:
long period with no repetitions
statistically random
depends on large enough key
properly designed, can be as secure as a block cipher
simpler & faster
RC4
A symmetric key encryption algorithm invented by Ron Rivest
Variable key size, byte-oriented stream cipher
Normally uses 64 bit and 128 bit key sizes.
Used in
SSL/TLS (Secure socket, transport layer security) between web browsers and servers,
IEEE 802.11 wirelss LAN std: WEP (Wired Equivalent Privacy), WPA (WiFi Protocol
Access) protocol
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 43
Fig 2.18 RC-4 block diagram
Consists of 2 parts:
Key Scheduling Algorithm (KSA):Generate State array
Pseudo-Random Generation Algorithm (PRGA):Generate keystream, XOR keystream with
the data to generate encrypted stream
The KSA
Use the secret key to initialize and permutation of state vector S, done in two steps
A variable-length key of from 1 to 256 bytes (8 to 2048 bits) is used to initialize a 256-byte state
vector S, with elements S[0],S[1], Á ,S[255].
At all times, S contains a permutation of all 8-bit numbers from 0 through 255.
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 44
The PRGA
Generate key stream k , one by one
XOR S[k] with next byte of message to encrypt/decrypt
Decryption using RC4
Use the same secret key as during the encryption phase.
Generate keystream by running the KSA and PRGA.
XOR keystream with the encrypted text to generate the plain text.
Logic is simple :
(A xor B) xor B = A
A = Plain Text or Data
B = KeyStream
RC4 Security
claimed secure against known attacks
since RC4 is a stream cipher, must never reuse a key
Confidentiality using Symmetric Encryption
Traditionally symmetric encryption is used to provide message confidentiality.
Placement of Encryption
have two major placement alternatives
link encryption
encryption occurs independently on every link
implies must decrypt traffic between links
requires many devices, but paired keys
end-to-end encryption
encryption occurs between original source and final destination
need devices at each end with shared keys
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 45
Fig 2.19 placement of encryption
Encryption function of the front-end processor (FEP)
Fig 2.20 FEP processing
On the host side, the FEP accepts packets. The user data portion of the packet is encrypted, while
the packet header bypasses the encryption process. The resulting packet is delivered to the network.
In the opposite direction, for packets arriving from the network, the user data portion is decrypted
and the entire packet is delivered to the host.
Red data are sensitive or classified data. Black data are encrypted data.
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 46
when using end-to-end encryption must leave headers in clear
so network can correctly route information
hence although contents protected, traffic pattern flows are not
ideally want both at once
end-to-end encryption protects data contents over entire path and provides authentication
link encryption protects traffic flows from monitoring
can place encryption function at various layers in OSI Reference Model
link encryption occurs at layers 1 or 2
end-to-end can occur at layers 3, 4, 6, 7
Traffic Confidentiality
Is related to the monitoring of communications flows between parties
link encryption approach
Network-layer headers (e.g., frame or cell header) are encrypted, reducing the opportunity for
traffic analysis.
It is still possible for an attacker to assess the amount of traffic on a network and to observe the
amount of traffic entering and leaving each end system.
traffic padding
An effective countermeasure to traffic analysis
Traffic padding produces cipher text output continuously, even in the absence of plaintext.
A continuous random data stream is generated. When plaintext is available, it is encrypted and
transmitted. When input plaintext is not present, random data are encrypted and transmitted
Fig 2.21 traffic padding
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 47
Key Distribution
symmetric schemes require both parties to share a common secret key issue is how to securely
distribute this key
system failure due to a break in the key distribution scheme
given parties A and B have various key distribution alternatives:
1. A can select key and physically deliver to B
2. third party can select & deliver key to A & B
3. if A & B have communicated previously can use previous key to encrypt a new key
4. if A & B have secure communications with a third party C, C can deliver key between A & B
Key Hierarchy
typically have a hierarchy of keys
session key
temporary key
used for encryption of data between users
for one logical session then discarded
master key
used to encrypt session keys
shared by user & key distribution center
Fig 2.22 key hierarchy
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 48
Key Distribution Scenario
Fig 2.23 key distribution scenario
1. A issues a request to the KDC for a session key to protect a logical connection to B. The message
includes the identity of A and B and a unique identifier, N1, for this transaction.
2. The KDC responds with a message encrypted using Ka Thus, A is the only one who can
successfully read the message. The message includes two items intended for A,
A one-time session key(Ks) to be used for the session
The original request message.
The message includes two items intended for B;
The one-time session key, Ks to be used for the session
An identifier of A (e.g., its network address), IDA
These two items are encrypted with Kb (the master key that the KDC shares with B). They are to be
sent to B to establish the connection and prove A's identity.
3. A stores the session key for use in the upcoming session and forwards to B the information that
originated at the KDC for B, namely, E(Kb, [Ks || IDA]).
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 49
4. Using the newly minted session key for encryption, B sends a identifier N2, to A.
5. Also using Ks, A responds with f(N2), where f is a function that performs some transformation on
N2 (e.g., adding one).
Key Distribution Issues
hierarchies of KDC’s required for large networks, but must trust each other
session key lifetimes should be limited for greater security
use of automatic key distribution on behalf of users,
use of decentralized key distribution
controlling key usage
Fig 2.24 automatic key distribution
Fig 2.25 decentralized key control
1. A issues a request to B for a session key and includes a identifier N1
2. B responds with a message that is encrypted using the shared master key (MKm). The response includes
the session key selected by B, an identifier of B, the value f(N1), and another identifier, N2.
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 50
3. Using the new session key, A returns f(N2) to B.
Random Numbers
many uses of random numbers in cryptography
used in authentication protocols
session keys
public key generation
in all cases its critical that these values be
statistically random, uniform distribution, independent
unpredictability of future values from previous values
Pseudo Random Number Generators (PRNGs)
use algorithmic techniques to create “random numbers”
although are not truly random
can pass many tests of “randomness”
Linear Congruential Generator
common iterative technique using:
Xn+1 = (a Xn + c) mod m
If m, a, c, and X0 are integers,
Using Block Ciphers as PRNGs
for cryptographic applications, can use a block cipher to generate random numbers
INTRODUCTION TO NUMBER THEORY
Prime Numbers
prime numbers only have divisors of 1 and self
Prime Factorisation
To factor a number n is to write it as a product of other numbers: n=a x b x c.
the prime factorisation of a number n is when its written as a product of primes
e.g. 91=71x13
1, 300=2
2x3
1x5
2
Relatively Prime Numbers & GCD
two numbers a, b are relatively prime if have no common divisors apart from 1
e.g. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8 and of 15 are 1,3,5,15 and 1 is
the only common factor
can determine the greatest common divisor by comparing their prime factorizations and using least
powers
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 51
eg. 300=22x3
1x5
2 18=2
1x3
2 hence
GCD (18,300) =21x3
1x5
0=6
Fermat's Theorem
If p is prime and a is a positive integer not divisible by p, then
ap-1
≡ 1 (mod p) also ap ≡ p (mod p)
useful in public key and primality testing
Proof : Consider the set of positive integers less than p
: {1, 2, ...., p - 1} and multiply each element by a mod p, to get the set X
X= {a mod p, 2a mod p, ...(p - 1)a mod p}
i.e ap-1
(p - 1)! ≡ (p - 1)! (mod p)
We can cancel the ( P-1) ! term because it is relatively prime to P . This yields ap-1
≡ 1 (mod p)
Example:
ap-1
≡ 1 (mod p)
Example:
ap
≡ p (mod p)
Euler Totient Function ø(n)
Defined as the number of positive integers less than n and relatively prime to n.
for example n=10, when doing arithmetic modulo n
complete set of residues is(0….n-1)= {0,1,2,3,4,5,6,7,8,9}
reduced set of residues is numbers which are relatively prime to n= {1,3,7,9}
number of elements in reduced set of residues is called the Euler Totient Function ø(n)
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 52
Example:
Euler's Theorem
states that for every a and n that are relatively prime:
aø(n)
≡ 1 (mod n)
eg.
a=3;n=10; ø(10)=4;
Hence 34
= 81 = 1 mod 10
a=2;n=11; ø(11)=10;
Hence 210
= 1024 = 1 mod 11
Primality Testing
any positive odd integer n ≥ 3 can be expressed as
n - 1 = 2kq with k > 0, q odd
Miller-Rabin Algorithm
a test based on Fermat’s Theorem
The procedure TEST takes a candidate integer as input and returns the result composite if is
definitely not a prime, and the result inconclusive if may or may not be a prime.
Example 1: Prime number n=29
Then (n - 1) = 28 = 22(7) = 2
kq.
First, let us try a=10 .compute 107 mod 29 = 17, which is neither 1 nor 28, so we continue the test.
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 53
The next calculation finds that (107)2 mod 29 = 28, and the test returns inconclusive (i.e., 29 may be
prime).
Let’s try again with a=2 .We have the following calculations: 27 mod 29 = 12; 2
14 mod 29 = 28; and
the test again returns inconclusive.
If we perform the test for all integers in the range 1 through 28, we get the same inconclusive
result.
Example 2: composite number n = 13 * 17 = 221.
Then n-1 =220 = = 22(55) = 2
kq.
Let us try a=5. Then we have 555
mod 221 = 112, which is neither 1 nor 220
(555
)2 mod 221 = 168 .the test returns composite, indicating that 221 is definitely a composite
number.
Suppose we had selected a=21. Then we have 2155
mod 221 = 200;
(2155
)2 mod 221 = 220; and the test returns inconclusive, indicating that 221 may be prime.
In fact, of the 218 integers from 2 through 219, four of these will return an inconclusive result,
namely 21, 47, 174, and 200.
Chinese Remainder Theorem
used to speed up modulo computations
Theorem: Let m1,…,mn > 0 be relative prime. Then the system of equations x ≡ ai (mod mi) (for i=1
to n) has a unique solution modulo M = m1·…·mn.
Example: What’s x such that: x ≡ 2 (mod 3) ,x ≡ 3 (mod 5) and x ≡ 2 (mod 7)
So, a1 = 2, a2=3, a3=2 and m1 = 3 , m2=5, m3=7
Using the Chinese Remainder theorem:
M = 357 = 105
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 54
M1 = M/3 = 105/3 = 35 and M1 -1
= 2 (35 (mod 3))
M2 = M/5 = 105/5 = 21 and M2 -1
= 1 (21 (mod 5))
M3 = M/7 = 105/7=15 and M3 -1
= 1 (15 (mod 7))
So x ≡ a1 M1 M1 -1
+ a2 M2 M2 -1
+…………+ ak Mk Mk -1
(mod M)
≡ 2 × 2 × 35 + 3 × 1 × 21 + 2 × 1 × 15 = 233 ≡ 23 (mod 105)
So answer: x ≡ 23 (mod 105)
Public Key Cryptography and RSA
Public Key Cryptography
uses two keys – a public & a private key
asymmetric
developed to address two key issues:
key distribution – how to have secure communications in general without having to trust a
KDC with your key
digital signatures – how to verify a message comes intact from the claimed sender
public-key/two-key/asymmetric cryptography involves the use of two keys:
a public-key, which may be known by anybody, and can be used to encrypt messages, and
verify signatures
a private-key, known only to the recipient, used to decrypt messages, and sign (create)
signatures
is asymmetric because
those who encrypt messages or verify signatures cannot decrypt messages or create
signatures
Fig 2.26 public key encryption and decryption
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 55
1. Each user generates a pair of keys to be used for the encryption and decryption of messages.
2. Each user places one of the two keys in a public register or other accessible file. This is the public key.
The companion key is kept private. Each user maintains a collection of public keys obtained from others.
3. If Bob wishes to send a confidential message to Alice, Bob encrypts the message using Alice’s public
key.
4. When Alice receives the message, she decrypts it using her private key. No other recipient can decrypt
the message because only Alice knows Alice’s private key.
Fig 2.27 public key cryptosystem
Encrypting a message, using the sender’s private key. This provides the digital signature.
Encrypt again, using the receiver’s public key.
Final cipher text can be decrypted only by the intended receiver, who alone has the matching
private key.
Public-Key Characteristics
Public-Key algorithms rely on two keys where:
it is computationally infeasible to find decryption key knowing only algorithm & encryption
key
it is computationally easy to en/decrypt messages when the relevant (en/decrypt) key is
known
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 56
either of the two related keys can be used for encryption, with the other used for decryption
(for some algorithms)
Public-Key Applications
can classify uses into 3 categories:
encryption/decryption (provide secrecy)
digital signatures (provide authentication)
key exchange (of session keys)
some algorithms are suitable for all uses, others are specific to one
Security of Public Key Schemes
brute force exhaustive search attack is always theoretically possible
but keys used are too large (>512bits)
requires the use of very large numbers
hence is slow compared to private key schemes
RSA
by Rivest, Shamir & Adleman of MIT in 1977
best known & widely used public-key scheme
Is a block cipher in which the plaintext and cipher text are integers between 0 and n - 1 for some n.
Uses large integers (e.g. 1024 bits).
RSA makes use of an expression with exponentials.
Encryption and decryption are of the following form, for some plaintext block M and ciphertext
block C.
C = Me mod n
M = Cd mod n = (M
e )
d mod n = M
ed mod n
RSA Key Setup
Each user generates a public/private key pair by:
selecting two large primes at random p, q
Computing their system modulus n= p. q
selecting at random the encryption key e
where 1<e<ø(n), gcd (e, ø(n))=1
note ø(n)=(p-1)(q-1)
solve following equation to find decryption key d
e.d=1 mod ø(n) and 0≤d≤n
publish their public encryption key: PU={e,n}
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 57
keep secret private decryption key: PR={d,n}
RSA Use
to encrypt a message M the sender:
obtains public key of recipient PU={e,n}
computes: C = Me mod n, where 0≤M<n
to decrypt the ciphertext C the owner:
uses their private key PR={d,n}
computes: M = Cd mod n
RSA Example - Key Setup
1. Select primes: p=17 & q=11
2. Compute n = pq =17 x 11=187
3. Compute ø(n)=(p–1)(q-1)=16 x 10=160
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160 Value is d=23 since 23x7=161= 10x160+1
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}
RSA Example - En/Decryption
sample RSA encryption/decryption is:
given message M = 88
encryption:
C = 887 mod 187 = 11
decryption:
M = 1123
mod 187 = 88
Fig 2.28 example of RSA encryption and decryption
Exponentiation
can use the Square and Multiply Algorithm
a fast, efficient algorithm for exponentiation
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 58
concept is based on repeatedly squaring base and multiplying in the ones that are needed to
compute the result
x11
mod n=[(x mod n) × (x2 mod n) × (x
4 mod n) × (x
8 mod n)] mod n
e.g. 75 = 7
1 mod 11 × 7
4 mod 11 = 21 mod 11 = 10 mod 11
Efficient Encryption and Decryption
encryption and decryption uses exponentiation to power e and power d
hence if e and d are small, the system will be faster
but if e and d are too small ,its not safe
RSA Security
possible approaches to attacking RSA are:
brute force key search (infeasible given size of numbers)
Mathematical attacks.
timing attacks (on running of decryption)
chosen ciphertext attacks (given properties of RSA)
Factoring Problem
mathematical approach takes 3 forms:
MODULE 2 MCA-501 Computer Security ADMN 2012-‘15
Dept. of Computer Science And Applications, SJCET, Palai Page 59
factor n=p.q, hence compute ø(n) and then d
determine ø(n) directly and compute d
find d directly
Timing Attacks
exploit timing variations in operations
eg. multiplying by small vs large number
countermeasures
use constant exponentiation time
add random delays
blind values used in calculations
Chosen Ciphertext Attacks
RSA is vulnerable to a Chosen Ciphertext Attack (CCA)
attackers chooses ciphertexts & gets decrypted plaintext back