Lecture 9 Overview. RSA Invented by Cocks (GCHQ), independently, by Rivest, Shamir and Adleman...


RSA
• Invented by Cocks (GCHQ) and, independently, by Rivest, Shamir and Adleman (MIT)
• Two keys e and d used for Encryption and Decryption
– The keys are interchangeable
• M = D(d, E(e, M)) = D(e, E(d, M))
– Public key encryption
• Based on problem of factoring large numbers
– Not in NP-complete
– Best known algorithm is exponential

CS 450/650 Lecture 9: RSA


RSA
• To encrypt message M compute
– $c = M^e \bmod N$
• To decrypt ciphertext c compute
– $M = c^d \bmod N$


Key Choice
• Let p and q be two large prime numbers
• Let N = pq
• Choose e relatively prime to $(p-1)(q-1)$
– a prime number larger than p-1 and q-1
• Find d such that $ed \bmod (p-1)(q-1) = 1$


RSA
• Recall that e and N are public
• If attacker can factor N, he can use e to easily find d
– since $ed \bmod (p-1)(q-1) = 1$
• Factoring the modulus breaks RSA
• It is not known whether factoring is the only way to break RSA


Does RSA Really Work?

• Given $c = M^e \bmod N$ we must show
– $M = c^d \bmod N = M^{ed} \bmod N$
• We’ll use Euler’s Theorem
– If x is relatively prime to N then $x^{\varphi(N)} \bmod N = 1$
• $\varphi(n)$: number of positive integers less than n that are relatively prime to n.
• If p is prime then $\varphi(p) = p-1$


Does RSA Really Work?
• Facts:
– $ed \bmod (p-1)(q-1) = 1$
– $ed = k(p-1)(q-1) + 1$ by definition of mod
– $\varphi(N) = (p-1)(q-1)$
– Then $ed - 1 = k(p-1)(q-1) = k\varphi(N)$
• $M^{ed} = M^{(ed-1)+1} = M \cdot M^{ed-1} = M \cdot M^{k\varphi(N)} = M \cdot (M^{\varphi(N)})^k \bmod N = M \cdot 1^k \bmod N = M \bmod N$


More Efficient RSA
• Modular exponentiation example
– $5^{20} = 95367431640625 = 25 \bmod 35$
• A better way: repeated squaring
– Note that 20 = 2 · 10, 10 = 2 · 5, 5 = 2 · 2 + 1, 2 = 1 · 2
– $5^1 = 5 \bmod 35$
– $5^2 = (5^1)^2 = 5^2 = 25 \bmod 35$
– $5^5 = (5^2)^2 \cdot 5^1 = 25^2 \cdot 5 = 3125 = 10 \bmod 35$
– $5^{10} = (5^5)^2 = 10^2 = 100 = 30 \bmod 35$
– $5^{20} = (5^{10})^2 = 30^2 = 900 = 25 \bmod 35$

• No huge numbers and it’s efficient!
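The key choice, encryption, factoring and repeated-squaring slides above, tied together as an added example (not part of the original slides). The primes 61 and 53, the exponent 67 and the message 65 are constructed toy values, and this is unpadded textbook RSA for study only; all function names are chosen here for illustration.

```python
def mod_exp(base, exp, mod):
    """Repeated squaring: walk the exponent bit by bit, reducing mod `mod`
    after every multiply so no intermediate value reaches mod**2."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:                      # odd step, e.g. 5 = 2*2 + 1
            result = result * base % mod
        base = base * base % mod         # squaring step
        exp >>= 1
    return result

def mod_inverse(e, phi):
    """Extended Euclid: the d with e*d mod phi == 1."""
    old_r, r, old_s, s = e, phi, 1, 0
    while r:
        quot = old_r // r
        old_r, r = r, old_r - quot * r
        old_s, s = s, old_s - quot * s
    if old_r != 1:
        raise ValueError("e is not relatively prime to (p-1)(q-1)")
    return old_s % phi

def make_keys(p, q, e):
    """Key choice from the slides: N = pq, d = e^-1 mod (p-1)(q-1)."""
    return p * q, mod_inverse(e, (p - 1) * (q - 1))

def encrypt(m, e, n):
    return mod_exp(m, e, n)

def decrypt(c, d, n):
    return mod_exp(c, d, n)

def private_exponent_from_factoring(e, n):
    """Trial division succeeds instantly on a toy N; once p and q are known,
    d follows from the public e exactly as in key generation."""
    p = next(f for f in range(2, n) if n % f == 0)
    return mod_inverse(e, (p - 1) * (n // p - 1))

# Constructed toy parameters (far too small for real use).
P, Q, E = 61, 53, 67          # E is prime and larger than p-1 and q-1
N, D = make_keys(P, Q, E)

if __name__ == "__main__":
    c = encrypt(65, E, N)
    print("N =", N, "d =", D, "c =", c, "M =", decrypt(c, D, N))
    print("5^20 mod 35 =", mod_exp(5, 20, 35))
    print("d from factoring N:", private_exponent_from_factoring(E, N))
```

Because the private exponent falls out as soon as N is factored, the only thing protecting d is the size of p and q.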


Symmetric vs Asymmetric

| | Secret Key (Symmetric) | Public Key (Asymmetric) |
|---|---|---|
| Number of keys | 1 | 2 |
| Protection of key | Must be kept secret | One key must be kept secret; the other can be freely exposed |
| Best uses | Cryptographic workhorse; secrecy and integrity of data: single characters to blocks of data, messages, files | Key exchange, authentication |
| Key distribution | Must be out-of-band | Public key can be used to distribute other keys |
| Speed | Fast | Slow; typically, 10,000 times slower than secret key |


Lecture 10

Cryptographic Hash Functions

CS 450/650

Fundamentals of Integrated Computer Security

Slides are modified from Hesham El-Rewini


Cryptographic Hash Functions
• Message Digest Functions
– Protect integrity
– Create a message digest or fingerprint of a digital document
– MD4, MD5, SHA
• Message Authentication Codes (MACs)
– Protect both integrity and authenticity
– Produce fingerprints based on both a given document and a secret key

CS 450/650 Lecture 10: Hash Functions


Message Digest Functions
• Checksums: fingerprint of a message
– If message changes, checksum will not match
• Most checksums are good at detecting accidental changes made to a message
– They are not designed to prevent an adversary from intentionally changing a message, resulting in a message with the same checksum
• Message digests are designed to protect against this possibility


One-Way Hash Functions

Example
• M = “Elvis”
• H(M) = (“E” + “L” + “V” + “I” + “S”) mod 26
• H(M) = (5 + 12 + 22 + 9 + 19) mod 26
• H(M) = 67 mod 26
• H(M) = 15

[Figure: M → H → H(M) = h]


Collision

Example
• x = “Viva”
• y = “Vegas”
• H(x) = H(y) = 2

[Figure: x → H → H(x) and y → H → H(y), with H(x) = H(y)]


Collision-resistant, One-way hash fnc.

• Given M,
– it is easy to compute h
• Given any h,
– it is hard to find any M such that H(M) = h
• Given M1, it is difficult to find M2
– such that H(M1) = H(M2)
• Functions that satisfy these criteria are called message digests
– They produce a fixed-length digest (fingerprint)


Message Authentication Codes
• A message authentication code (MAC) is a key-dependent message digest function
– MAC(M,k) = h


A MAC Based on a Block Cipher

[Figure: message blocks, each passed through Encrypt under key k and chained with XOR; the final output is the MAC]
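The hash and MAC slides above, as an added example that is not part of the original slides: the toy mod-26 hash H with its Elvis/Viva/Vegas values, how quickly it yields a second message with the same hash, and why a keyed MAC detects an altered message when an unkeyed digest does not. HMAC-SHA-256 stands in for the block-cipher MAC in the figure; the key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac
from itertools import product
from string import ascii_uppercase

def toy_hash(msg):
    """The slides' H: letter positions (A=1 ... Z=26) summed mod 26."""
    return sum(ord(ch) - ord("A") + 1 for ch in msg.upper() if ch.isalpha()) % 26

def second_preimage(msg, length=3):
    """Find a different string with the same toy hash; at most 26**length tries."""
    want = toy_hash(msg)
    for letters in product(ascii_uppercase, repeat=length):
        cand = "".join(letters)
        if cand != msg.upper() and toy_hash(cand) == want:
            return cand
    return None

def digest(msg):
    return hashlib.sha256(msg).hexdigest()

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def accept_with_digest(msg, tag):
    return hmac.compare_digest(digest(msg), tag)

def accept_with_mac(key, msg, tag):
    return hmac.compare_digest(mac(key, msg), tag)   # constant-time compare

# Constructed sample data.
KEY = b"shared-secret-known-only-to-sender-and-receiver"
ORIGINAL = b"pay 10 to alice"
ALTERED = b"pay 99 to alice"

def tamper_results():
    """Someone altering the message in transit can recompute an unkeyed digest,
    but without KEY can only resend the old MAC tag, which no longer verifies."""
    return {
        "digest_accepts_altered": accept_with_digest(ALTERED, digest(ALTERED)),
        "mac_accepts_altered": accept_with_mac(KEY, ALTERED, mac(KEY, ORIGINAL)),
        "mac_accepts_original": accept_with_mac(KEY, ORIGINAL, mac(KEY, ORIGINAL)),
    }
```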


Secure Hash Algorithm (SHA)


• SHA-0 1993
• SHA-1 1995
• SHA-2 2002
– SHA-224, SHA-256, SHA-384, SHA-512

[Figure: a message composed of b bits → SHA-1 → 160-bit message digest]

CS 450/650 Lecture 8: Secure Hash Algorithm


Step 1 -- Padding
• Padding: the total length of a padded message is a multiple of 512
– Every message is padded even if its length is already a multiple of 512
• Padding is done by appending to the input
– A single bit, 1
– Enough additional bits, all 0, to make the final 512-bit block exactly 448 bits long
– A 64-bit integer representing the length of the original message in bits


Padding (cont.)

[Figure: padded message layout: Message | 1 (1 bit) | 0…0 | Message length (64 bits); total length is a multiple of 512]


Example
• M = 01100010 11001010 1001 (20 bits)
• Padding is done by appending to the input
– A single bit, 1
– 427 0s
– A 64-bit integer representing 20
• Pad(M) = 01100010 11001010 10011000 … 00010100


Example
• Length of M = 500 bits
• Padding is done by appending to the input:
– A single bit, 1
– 459 0s
– A 64-bit integer representing 500
• Length of Pad(M) = 1024 bits


Step 2 -- Dividing Pad(M)
• Pad(M) = B1, B2, B3, …, Bn
• Each Bi denotes a 512-bit block
• Each Bi is divided into 16 32-bit words
– W0, W1, …, W15


Step 3 – Compute W16 – W79

• To compute word $W_j$ (16 <= j <= 79)
– $W_{j-3}$, $W_{j-8}$, $W_{j-14}$, $W_{j-16}$ are XORed
– The result is circularly left shifted one bit


Initialize 32-bit words

• A = H0 = 67452301

• B = H1 = EFCDAB89

• C = H2 = 98BADCFE

• D = H3 = 10325476

• E = H4 = C3D2E1F0

• K0 – K19 = 5A827999

• K20 – K39 = 6ED9EBA1

• K40 – K59 = 8F1BBCDC

• K60 – K79 = CA62C1D6


Step 5 – Loop

For j = 0 … 79
    TEMP = CircLeftShift_5(A) + fj(B,C,D) + E + Wj + Kj
    E = D; D = C; C = CircLeftShift_30(B); B = A; A = TEMP
Done

+ denotes addition (ignore overflow)


Four functions
• For j = 0 … 19
– fj(B,C,D) = (B AND C) OR ((NOT B) AND D)
• For j = 20 … 39
– fj(B,C,D) = (B XOR C XOR D)
• For j = 40 … 59
– fj(B,C,D) = (B AND C) OR (B AND D) OR (C AND D)
• For j = 60 … 79
– fj(B,C,D) = (B XOR C XOR D)


Step 6 – Final

• H0 = H0 + A

• H1 = H1 + B

• H2 = H2 + C

• H3 = H3 + D

• H4 = H4 + E


Done
• Once these steps have been performed on each 512-bit block (B1, B2, …, Bn) of the padded message,
– the 160-bit message digest is given by H0 H1 H2 H3 H4


| SHA | Output size (bits) | Internal state size (bits) | Block size (bits) | Max message size (bits) | Word size (bits) | Rounds | Operations | Collisions found |
|---|---|---|---|---|---|---|---|---|
| SHA-0 | 160 | 160 | 512 | $2^{64} - 1$ | 32 | 80 | +, and, or, xor, rot | Yes |
| SHA-1 | 160 | 160 | 512 | $2^{64} - 1$ | 32 | 80 | +, and, or, xor, rot | None ($2^{51}$ attack) |
| SHA-2 | 256/224 | 256 | 512 | $2^{64} - 1$ | 32 | 64 | +, and, or, xor, shr, rot | None |
| SHA-2 | 512/384 | 512 | 1024 | $2^{128} - 1$ | 64 | 80 | +, and, or, xor, shr, rot | None |
