Data Security and Cryptology, IX

Asymmetric Cryptoalgorithms. RSA

October 29th, 2014

Valdo Praust

Lecture Course in Estonian IT College, Autumn 2014

Main Types of Cryptoalgorithms

1. Symmetric cryptoalgorithms or secret-key cryptoalgorithms are the traditional (historical) cryptoalgorithms

2. Asymmetric cryptoalgorithms or public-key cryptoalgorithms have become widespread within the last 30 years

3. Cryptographic message digests and similar constructions

4. Special-purpose algorithms for proving, authentication etc.

Secret-Key Cryptoalgorithm: Fields of Use

• transmitting confidential information over (interceptable) networks

• secure storage of confidential information (with an appropriate key management system)

• secure erasure of confidential data

• generating good white noise

Secret-Key Cryptoalgorithm

A secret-key cryptoalgorithm (salajase võtmega krüptoalgoritm) or symmetric cryptoalgorithm (sümmeetriline krüptoalgoritm) is a cryptoalgorithm where the same secret key is used for both enciphering and deciphering

It is considered to be practically secure if the following two conditions are satisfied:

• The key is at least 80 bits long (for long-term or enhanced security, at least 128 bits long)

• No effective cryptanalytic methods are known

Secret-Key Cryptoalgorithm – Possibility to Break

A secret-key cryptoalgorithm is considered to be practically secure enough when the key length is at least 80 bits (for enhanced security cases, 128 bits)

DES is already considered insecure because its key length is only 56 bits (until 2005 it was allowed to use DES in triple mode as 3DES)

In addition to a sufficient key length, no effective cryptanalytic attacks may be known

Most Widespread Algorithms, I

1. AES (key length 128, 192 or 256 bits). The international de facto commercial standard since 2001; accounts for an estimated 70-80% of all symmetric cryptoalgorithm usage

2. IDEA (key length 128 bits). Switzerland, late 1980s

3. CAST5 or CAST-128 (key length from 40 to 128 bits). 1996, Carlisle Adams and Stafford Tavares

Most Widespread Algorithms, II

4. Blowfish (variable key length up to 448 bits). Bruce Schneier, 1990s

5. RC4. Stream cipher, key length between 40 and 256 bits, from 1987

6. DES (key length 56 bits). Was the U.S. commercial standard from 1977 and was widely used all around the world. NB! Today it isn't considered secure because of its short key length!

Block and Stream Ciphers

Symmetric cryptoalgorithms can be divided into block ciphers and stream ciphers. Block ciphers are much more widespread than stream ciphers

• A block cipher (plokkšiffer) is an enciphering method where the plaintext is divided into blocks of a certain length and these blocks are encrypted separately. Whether and how the encryption result of one block depends on the previous blocks is determined by the block cipher mode currently in use

• A stream cipher (jadašiffer) is a method where a key sequence (võtmejada) is generated from a given secret key. The encryption process is an ordinary XOR operation between the plaintext and the key sequence

AES: Main Facts

• Is the main commercial secret-key cryptoalgorithm (70-80% of all use cases)

• Won the AES Competition; before that it was known as Rijndael

• Has three different versions of different strength (with different key lengths)

• Is a block cipher with a block length of 128, 192 or 256 bits respectively

• Uses a key whose length is equal to the block length, respectively 128, 192 or 256 bits

• The authors are Joan Daemen and Vincent Rijmen, Belgium

Retrospective View — DES

DES is a typical iterative block cipher, consisting of the following parts:

• key schedule calculation (võtmejaotusarvutus), which derives 16 48-bit subkeys (alamvõtmed) from the 56-bit initial key

• initial permutation (algpermutatsioon)

• 16 rounds (raund), each of them using one subkey

• final permutation (lõpp-permutatsioon)

DES – Exhaustive Search

• Can be performed with $2^{56}$ operations – this is already feasible for contemporary computers (mainframe computers)

• It is possible to construct a special parallel “breaking machine” consisting of many chips, whose cost (AD 2013) is less than 100 000 and which is able to break DES within about one second

• The cost and the breaking time are related (a more expensive machine is able to break it faster)

DES - Recommendations for Practice

• Alternative 1 (highly recommended): use another symmetric algorithm, especially AES

• Alternative 2 (not recommended, use only as an emergency option): use triple DES or 3DES (kolmekordne DES), which has a key length of 168 bits and is not yet broken in practice

The last version of the DES standard, FIPS PUB 46-3 (October 1999), specifies only the use of triple DES, but the standard was valid only until 2005

Other Symmetric Algorithms?

There are also other symmetric algorithms which are not considered here (both older and newer algorithms)

If it is necessary to use them, the following must be taken into account:

• whether the effective key length is not less than 80 (128) bits

• whether no effective cryptanalytic means are known

• whether the algorithm was published at least 3-4 years ago

Public-Key Cryptoalgorithm

A public-key cryptoalgorithm (avaliku võtmega krüptoalgoritm) or asymmetric cryptoalgorithm (asümmeetriline krüptoalgoritm) uses two keys – if we encrypt with one key, we can later decrypt with the other key

These keys are generated by a mathematical algorithm and are mathematically related to each other, but in practice it is impossible to find one key from the other

Public-Key Cryptoalgorithm: Keys

The keys of a public-key cryptoalgorithm are usually called the public key and the private key (avalik võti ja privaatvõti)

• The public key is usually known to all parties (is public)

• The private key is usually known only to the subject or keypair owner (person, software, server, company, chipcard etc.)

Public-Key Cryptoalgorithm: Usage

• For key exchange purposes. We can transmit a symmetric cryptoalgorithm's key in encrypted form without any tamper-proof channel. We only need the public key to be really public

• For ensuring integrity. This is the main usage of public-key cryptoalgorithms (and even the main field of contemporary cryptography)

• The public-key cryptoalgorithm gives the basic idea of a digital signature (digisignatuur, digiallkiri)

Public-Key Cryptoalgorithm: Key Exchange

Public-Key Cryptoalgorithm: an Idea of Digital Signing

Public Key Algorithms: A Story

• Appeared in the late 1970s; earlier they were not known

• Were invented mainly by: Diffie, Hellman, Shamir, Adleman, Rivest

• Wide usage began in the 1980s

• Are the main mechanism for ensuring digital data integrity, serving also as the basis of the digital signature as a legal tool

Most Widespread Public-Key Cryptoalgorithm: RSA

The most widespread public-key cryptoalgorithm is RSA

RSA is considered to be practically secure with a key length of no less than 1024 bits; for long-term security a 2048-bit key length is preferred

For RSA it is easy to calculate the public key from the private key, but it is practically impossible (infeasible) to calculate the private key from the public key

The public and private key are mathematically related to each other, but finding the private key from the public key needs millions of years or even more

Specifics of RSA

• Was invented by Rivest, Shamir and Adleman in 1978

• The security of RSA is based on the fact that factorization of a number with big factors is an infeasible (practically unsolvable) task

• Ensures practical security, doesn't ensure theoretical security

• Breaking usually needs millions of years (depends on the key length)

• Is very widely used all around the world (the most widespread public-key algorithm)

Keys of RSA

Unlike with symmetric cryptoalgorithms, an arbitrary bitstream can't be used as a key. Keys must be generated by a special key generating algorithm

Such “information redundancy” is the reason why the keys are so long in comparison with symmetric cryptoalgorithm keys (considered to be practically secure from a 1024/2048-bit key length)

RSA supports an arbitrary key length

The most widespread key lengths are powers of 2: (512), 1024, 2048, 4096 etc. bits

Mathematical background of RSA, I

An algorithm is called polynomial (with polynomial complexity) if, for a task of length $N$, the solution time is proportional to $N^k$ for some fixed integer $k$

A polynomial algorithm is usually considered a good algorithm: as $N$ grows, the solution time doesn't grow very fast

Exponential (exponential complexity) algorithms are much worse: for a task of length $N$ the solution time is proportional to $2^N$

Exponential complexity algorithms are considered to be infeasible (practically unsolvable)

Mathematical background of RSA, II

Most practically used algorithms are polynomial, or good: the problems they solve have a known polynomial (time complexity) solving algorithm

For some problems no polynomial algorithm is known – these problems are infeasible (practically unsolvable)

Example 1: factorization of a composite number with big factors (the length of the task is $\log N$; it is necessary to examine $N^{1/2}$ variants)

Example 2: finding a discrete logarithm:

$a = g^n \pmod{p}$, find a g by a given a, n and p (prime)

The security properties of RSA are based on these two facts (examples)

What is a “Good” Algorithm and a “Good” Problem?

Edmonds' postulate (1965): an algorithm is considered to be good if its time complexity can be represented by a polynomial $O(n^k)$ in the input (task length) $n$, where $k$ is some integer

Such algorithms are called polynomial complexity algorithms (polünomiaalse keerukusega algoritmid)

The problems for which such algorithms are known are called polynomial complexity problems (polünomiaalse keerukusega ülesanded)

Why Is the Limit of “Goodness” Just a Polynomial?

• Polynomials are closed under addition and multiplication: the sum and/or product of polynomials is always again a polynomial:

$O(n^k) + O(n^l) = O(n^{\max\{k,l\}})$

$O(n^k) \times O(n^l) = O(n^{k+l})$

• All digital computers are polynomially related to each other

• Non-polynomials (factorial, exponential) grow drastically faster than polynomials

Exponential functions reach extremely big numbers from a certain value of the argument

If this happens already for a small input, then these tasks must be considered practically infeasible

RSA Keypair Generation

• Two big primes p and q (512 bits long for a 1024-bit key) are generated

• Their product (called the RSA modulus) is calculated: $n = p \cdot q$

• A number e is chosen such that it is relatively prime to $(p-1)(q-1)$

• A number d is chosen such that $d \cdot e = 1 \pmod{(p-1)(q-1)}$

• The pair (n, e) is the public key

• The triple (p, q, d) is the private key

RSA Enciphering/Deciphering

• It is possible to encipher numbers (texts) which are smaller than pq (for 512-bit p and q, 1023 bits or 309 decimal digits)

• The enciphering process is a discrete exponentiation

$Y = \mathrm{Cip}(X) = X^d \pmod{n}$

• Deciphering is also a discrete exponentiation

$X = \mathrm{Decip}(Y) = Y^e \pmod{n}$

because

$(X^d)^e = X \pmod{n}$

owing to the fact that d and e have the property

$d \cdot e = 1 \pmod{(p-1)(q-1)}$

Why RSA Is Practically Secure?

Statement 1: whoever knows the public key (n, e) and the plaintext X, but doesn't know d, p and q, cannot calculate Y

$Y = \mathrm{Cip}(X) = X^d \pmod{n}$

without p, q and d, i.e. can't encipher

• In order to know d, he/she must know both p and q (by the definition)

• It is infeasible to calculate p and q from n: no polynomial algorithm is known for factorization

Why RSA Is Practically Secure?

Statement 2: whoever knows the public key (n, e) and the ciphertext

$Y = \mathrm{Cip}(X) = X^e \pmod{n}$

but doesn't know d, p, q and X, can't find the plaintext X

• Because $X = Y^d \pmod{n}$, it is necessary to find d

• Finding d assumes that p and q are known or that the discrete logarithm can be calculated in practice

Practical Security of RSA

• The security of RSA is practical – theoretically everything is computable (by an exponential amount of calculations) but in practice it's infeasible

• From the private key it's very simple to find the public key

• It's infeasible to find the private key from the public key

• Without having the private key it's infeasible to encrypt so that the result is decryptable by the public key

• If the message is encrypted by the public key, it's infeasible to decrypt it by the public key

RSA: Main Concepts

• e is the public exponent (avalik eksponent)

• d is the secret exponent or private exponent (salajane eksponent, privaatne eksponent)

• A function whose inverse function is infeasible to compute is called a one-way function (ühesuunaline funktsioon). Examples: multiplying two primes versus factorization; discrete exponentiation versus discrete logarithm

• A one-way function whose inverse becomes feasible when some additional information is known is called a trapdoor one-way function (salauksega ühesuunaline funktsioon). RSA is exactly such a trapdoor one-way function

RSA: Finding Primes

There exist practically usable prime number generators. Usually a random number is generated and its primality is tested

Most of these tests are based on the famous Euler-Fermat theorem: if a and n are relatively prime, then

$a^{\Phi(n)} = 1 \pmod{n}$

where $\Phi(n)$ is the number of distinct numbers which are less than n and relatively prime to n. If n is a prime, then

$\Phi(n) = n-1$

Based on this fact a series of primality tests can be constructed

RSA: Practical Details of Algorithm

• For finding an appropriate e there are also some tests which ensure that it is relatively prime to (p-1)(q-1)

• The greatest common divisor can be checked with the Euclidean algorithm

• The other calculations (enciphering and deciphering) are a matter of implementing modular arithmetic (can be done fast both in hardware and software)

RSA: Practical Properties

• Enciphering and deciphering, which use modular arithmetic, are quite fast

• Despite this, RSA is some thousand times slower than symmetric algorithms (AES, IDEA, Blowfish etc.)

• Keypair generation is much slower than enciphering/deciphering. However, it can be done even in software within a couple of seconds

An Example (With Small Numbers)

• p = 61, q = 53 (primes)

• n = pq = 3233

• (p-1)(q-1) = 60 x 52 = 3120

• Choose e = 17 (relatively prime to 3120)

• Find $d = e^{-1} \pmod{(p-1)(q-1)} = 17^{-1} \pmod{3120} = 2753$

• Public key is (3233, 17)

• Private key is (61, 53, 2753)

• Enciphering of plaintext X = 123

$Y = X^e \pmod{n} = 123^{17} \pmod{3233} = 855$

• Deciphering:

$X = Y^d \pmod{n} = 855^{2753} \pmod{3233} = 123$
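The small-number example above, carried through in Python as an added illustration (not code from the lecture). It derives d with the extended Euclidean algorithm, rejects an e that shares a factor with (p-1)(q-1), and exercises both directions the slides describe: enciphering with e and deciphering with d, and the signing direction with d and e swapped. Function names are chosen here.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def make_keypair(p, q, e):
    """Return ((n, e), (p, q, d)) as on the keypair generation slide."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = x % phi                         # d * e = 1 (mod (p-1)(q-1))
    return (n, e), (p, q, d)

def rsa_apply(x, exponent, n):
    """Discrete exponentiation x^exponent mod n; x must be smaller than n."""
    if not 0 <= x < n:
        raise ValueError("the number to encipher must be smaller than n = pq")
    return pow(x, exponent, n)

if __name__ == "__main__":
    (n, e), (p, q, d) = make_keypair(61, 53, 17)
    print("public key:", (n, e), "private key:", (p, q, d))

    y = rsa_apply(123, e, n)            # encipher with the public exponent
    print("123 ->", y, "->", rsa_apply(y, d, n))

    s = rsa_apply(123, d, n)            # signing direction: private exponent first
    print("signature", s, "verifies:", rsa_apply(s, e, n) == 123)

    try:
        make_keypair(61, 53, 15)        # gcd(15, 3120) = 15, so no inverse exists
    except ValueError as err:
        print("e = 15 rejected:", err)
```

This is textbook RSA: the same plaintext always yields the same ciphertext, which is why deployed systems apply a padding scheme before the exponentiation.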

Secure Usage of RSA

• RSA supports any key length (length of pq)

• RSA is considered to be practically secure from a 1024-bit key length, for long-term security from a 2048-bit key length

• The most used key lengths are (512, 768), 1024, 2048 and 4096 bits (the first two of them are already practically insecure)

• 1024-bit key: a composite number of 310 decimal digits which has two 155-digit prime factors

Cryptanalysis of RSA, I

• Factorization of a 70-digit number takes a typical personal computer some minutes

• Factorization of a 100-digit number – less than a day

• A 140-digit number was factorized in 1996 within 5 years by the common efforts of many computers

• The biggest factorized number (AD 2009) is a 232-digit number (768-bit number)
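Why the key length is the whole defence, as an added Python example (not code from the lecture): trial division, the "examine $N^{1/2}$ variants" method from the mathematical background slides, factors the lecture's toy modulus 3233 at once, and the private exponent then follows from the public key alone. The second modulus, 10007 · 10009, is a constructed sample; function names are chosen here.

```python
def trial_factor(n):
    """Factor an odd composite n by trying 3, 5, 7, ... up to sqrt(n).
    Returns (p, q, divisions) where divisions counts the candidates tried."""
    divisions = 0
    f = 3
    while f * f <= n:
        divisions += 1
        if n % f == 0:
            return f, n // f, divisions
        f += 2
    raise ValueError("no odd factor found: n is prime or even")

def private_exponent_from_public(n, e):
    """Recover d from the public key alone; only feasible because n is tiny."""
    p, q, _ = trial_factor(n)
    return pow(e, -1, (p - 1) * (q - 1))    # modular inverse, Python 3.8+

if __name__ == "__main__":
    # The lecture's toy key: factored after 26 candidate divisors.
    print("3233 ->", trial_factor(3233))
    d = private_exponent_from_public(3233, 17)
    print("recovered d:", d, "| ciphertext 855 decrypts to", pow(855, d, 3233))

    # Constructed sample: roughly doubling the number of digits of n
    # multiplies the work by about 200 (26 -> 5003 divisions).
    print("100160063 ->", trial_factor(10007 * 10009))
```
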

Cryptanalysis of RSA, II

• Factorization of a 300-digit number (1024-bit RSA) needs some millions of years (even if we involve cloud computing possibilities)

• It is suspected that after 5-10 years 1024-bit RSA might be practically insecure. But 2048/4096-bit RSA will probably still remain secure

• A powerful quantum computer can also factorize RSA with a small key length, but not yet RSA with a 1024-bit key length

Practical Aspects of RSA

• Was patented in the U.S. for a long time. Patent #4,405,829 was issued on September 20th, 1983

• The patent expired after 17 years, i.e. in 2000

• The description of the algorithm is public, as are a number of different software implementations (some of them with source code)

• Hardware implementations are usually hundreds of times faster than software implementations

Collaboration of RSA with Symmetric Cryptoalgorithms

RSA is unsuitable for the encryption of long plaintexts

• If we use RSA for key exchange purposes, we need to encrypt only the symmetric algorithm key

• If we use RSA for digital signature (integrity) purposes, it is always used together with cryptographic hash algorithms. Therefore, only the hash value is actually encrypted (signed) by RSA

Other Public-Key Cryptoalgorithms

• ElGamal

• DSS

• Diffie-Hellman

• LUC

• XTR

RSA is clearly more popular than these (accounting for about 80-90% of all usage)