1Chapter 4
Key Topics
• Asymmetric Key Cryptography– RSA
– ElGamal• Schnorr
• DSS
• Message Digest– MD5
– SHA-1
• Message Authentication Code (MAC)
2Chapter 4
Asymmetric Key Cryptography
Plain text
Encrypt with B’s public key
Plain text
Decrypt with B’s private key
Sender(A)
Netw
ork
Receiver(B)
Cipher text
Cipher text
3Chapter 4
Asymmetric Key Encryption
• Each user has a key pair (public and private), each user’s public key is accessible, but his private key is kept in secrecy.
• Two mainly usage :(Digital signature and confidential communication)– In confidential communication (CC):
• Sender (Alice) encrypts M with recipient’s (Bob) public key
• Recipient (Bob) decrypts C with its private key
4Chapter 4
– In digital signature (DS):• Provider: (Alice) signs M with his own private key
to produce the signature S.
• Prove: by each one, given text M and signature S , verify the signature S is indeed signed by Alice by using Alice’s public Key.
5Chapter 4
Asymmetric Key Example (CC)
• Consider a bank and its customers
• Customers encrypt their messages with bank’s public key
• Bank decrypts messages with its private key
6Chapter 4
Asymmetric Key Cryptography Example
Fig 4.3
Customer A
Customer B
Customer C
Bank’s public key
Bank’s public key
Bank’s public key
Bank’s private key
Bank
7Chapter 4
RSA (Rivest, Shamir, Adleman)
• World’s most popular Asymmetric Key Encryption algorithm
• Use formula like: ME mod n (n = p * q)• Key length ( belongs to Zn ) (n must more than
512 bits)• Block size (M) must smaller than the key length.• The cipher block size (C) is the same length as key
length.• RSA is much slower than DES, IDEA, and AES.
(but fast in two keys system)
8Chapter 4
RSA Algorithm
Fig 4.4
Alice send message to Bob (each one has a pair of key, call public and private key)
1. For user Bob, choose two large prime numbers PB and QB.
2. Calculate NB = PB x QB.
3. Select the public key (i.e. the encryption key) EB such that gcd (EB, (NB) )=1 , (NB)=
(PB – 1) x (QB – 1). public key is < EB , NB >4. Select the private key (i.e. the decryption key) DB such that the following equation is true: private key is < DB , NB >
EB x DB = 1 mod (NB)
5. For encryption, calculate the cipher text C from the plain text P as follows:C = PEB mod NB
6. Send C as the cipher text to the receiver.
7. For decryption, calculate the plain text P from the cipher text C as follows:P = CDB mod NB
9Chapter 4
Example of RSA
Bob (each one has a pair of key, call public and private key)
1. For user Bob, choose two large prime numbers PB =7 and QB =17.
2. Calculate NB = PB x QB. NB = 7 x 17 =119
3. Select the public key (i.e. the encryption key) EB =5 such that gcd (EB, (NB) )=1 , (NB)= (PB – 1) x (QB – 1), (NB)=96 . public key is < 5 , 119 >
4. Select the private key (i.e. the decryption key) DB =77 such that the following equation is true: private key is < 77 ,119 >
EB x DB = 1 mod (NB)
10Chapter 4
Alice send message to Bob. For simply, assume A = 1, B = 2 , and plain text is only character F.
AF F 6
65
Result modulo 119= 41
1 Alice find the Bob public key <5,119>
2. Compute 65 mod 119 , and send the result to Bob.
Encryption algorithm using the public key
B41 4177
Result modulo 1196 F
1. When got message from Alice that is cipher text, now 41.
2. Find one’s private key <77,119>, and compute 4177 mod
3. When get 6 means F.
Decryption algorithm using the private key
F
11Chapter 4
Why RSA is security
• One can find each one's public key < EB , NB > . Can we find the private key < DB, NB > through < EB , NB >
– To find DB , we need to know (NB )
Since DB x EB =1 mod (NB )
– Is (NB ) easy to find?
12Chapter 4
Symmetric v/s AsymmetricCharacteristic Symmetric Key Cryptography Asymmetric Key Cryptography
Key used for encryption / decryption
Same key is used for encryption and decryption
One key used for encryption and another, different key is used for decryption
Speed of encryption / decryption Very fast Slower
Size of resulting encrypted text Usually same as or less than the original clear text size
More than the original clear text size
Key agreement / exchange A big problem No problem at all
Number of keys required as compared to the number of participants in the message exchange
Equals about the square of the number of participants, so scalability is an issue
Same as the number of participants, so scales up quite well
Usage Mainly for encryption and decryption (confidentiality), cannot be used for digital signatures (integrity and non-repudiation checks)
Can be used for encryption and decryption (confidentiality) as well as for digital signatures (integrity and non-repudiation checks)
13Chapter 4
Digital Signature Concept
• Sender signs (encrypts )message M or its fingerprint with its private key to get the signature S.
• Verify:. Given M, and S, and signer’s public key, Guarantees that only the sender could have created this message
• Basis for Non-repudiation
14Chapter 4
Basis for Digital Signatures
Plain text
Sign (Encrypt ) with A’s private key
Proved S = S’ ?
Verify (Decrypt) with A’s public key
Sender(A)
Netw
ork
Receiver(B)
Signature on
Plain text
S S
M M S’
15Chapter 4
RSA for Digital SignatureAlice want to sign message M to everyone
(Assume user Alice has a key public key is < EA , NA > private key is < DA , NA >)
Sign: calculate the signature S from the plain text M as follows: S = MDA mod NA
Verify: when get signature S, message M , and Alice’s public key is < EA , NA > ,
calculate the plain text M from signature S as follows: (if plain text M is what they mean, correct)
M’ = SEA mod NA ( Check to see if M’=M)
16Chapter 4
ElGamal Signatures
• Parameters:– System parameters: p, g (Big prime p, p2512
and primitive root g order of g is (p).• g (p)=g0 =1 mod p
– User private key: x, 1<x<p-1– User public key: y=gx mod p
• Sign:for m, 1<m<p-1, random number k and gcd(k,p-1)=1. generate (r,s) as the signature:
17Chapter 4
r=gk mod p,
s=k-1(m-xr) mod p-1
(r,s) as the signature
• Verifying: (receive m,and its (r,s)) gm = yr rs mod p
18Chapter 4
Schnorr Signatures
• Parameters:– System parameters:
1. Big prime p, p2512
2. generating number g (g’s order q, q is prime and q 2160,i.e.,gq=1 mod
– User private key: x, 1<x<q– User public key: y=gx mod p
• Signing:1. random number k and find r=gk mod p
19Chapter 4
2. Find e=h(r,m)
3. Find s=(k-xe) mod q
(e,s) is the signature
• Verifying
1. Find r through gsye mod p
2. Verify h(r,m)=e?
20Chapter 4
Digital Signature Standard (DSS)
• 1991 NIST (National Institute of Standard and Technology) proposed a DSA for signature.
• Parameters:– System parameters: (p ,q, g)
1. Big prime p, p2512
2. generating prime q (q 2160,i.e.,gq=1 mod 3. find g such as g=hp-1/q mod p, h[1,p-1]4. h one way hashing function (SHA-1)
– User private-public key pair: (x,y) • Find x, as a private key 1<x<q• y=gx mod p, as public key
21Chapter 4
Sign: (r,s) plaintext m, 0<m<p, generate random number k, 0<k<q, find 1. r=(gk mod p) mod q2. s = k-1(h(m)+xr) mod q
Verify:t= s-1 mod q, r’=(gh(m)tyrt mod p) mod qVerify r’=r?
22Chapter 4
Message Digest Concept
• Summarize the message M into fixed bit size called digest or hashed value.– In Mathematic notation, f(M), h(M)
• Also called as Hash
• The digest of a message can uniquely represent the message but use much less bit. The bit size of the hashed value is fixed usually of 128~256 bit.
• Similar to finger print of a human
23Chapter 4
Message Digest Usage
• Mainly for Integrity– Others: MAC, Authentication
• For example: (The reason)– M: give me 100– C: hjwf nf 211 ( use m+1 mod 256)– Change cipher C to (modified): hjwf nf 21111– we decrypt changed C to M: give me 10000
24Chapter 4
A simple Case of Digest use ADD
Original number is 7391743Two numbers as a block73 91 74 30Operation (mod 100) ResultGiven a initial value I 0add with the block 1 73add with the block 2 64Given a initial value 3 38add with the block 4 68
Message digest is 68
25Chapter 4
Discuss ADD method
• Good sides:– Fixed length– Easy– One way (message digest, digest
message)
• Bad sides:– Easy to find the same digest with different
message.
26Chapter 4
More good hashing
Original number is 7391743
Operation ResultMultiply 7 by 3 21Discard first digit 1Multiply 1 by 9 9Multiply 9 by 1 9Multiply 9 by 7 63Discard first digit 3Multiply 3 by 4 12Discard first digit 2Multiply 2 by 3 6
Message digest is 6
Taiwan I.D. is p121282112
Final digital is the hashed value of all the preceding character.
Operation ResultHomework to find?
Message digest is 2
27Chapter 4
Message Digest Concept
Original data
101010101010101010
….
011101011011
Message Digest
Message digest algorithm
28Chapter 4
Message Digest Demands - 1
Original data
Message digest
algorithm
Message digest
Message digest for the same original data should be the same
29Chapter 4
Message Digest Demands - 2
Original data
Reverse Message digest
algorithm
Message digest
Must not be possible
30Chapter 4
Message Digest Demands - 3
Fig 4.22
Original data 1
Message digest
algorithm
Message digest 1
Original data 2
Message digest
algorithm
Message digest 2
These two message digests must be different
31Chapter 4
Message Digest Differences
• Even if the original messages differ minutely, message digests differ dramatically
• Basis for the guarantee of uniqueness
32Chapter 4
Message Digest Example
Please pay the newspaper bill today
Please pay the newspaper bill tomorrow
306706092A864886F70D010705A05A3058020100300906052B0E03021A0500303206092A864886F70D010701A0250423506C656173652070617920746865206E65777370617065722062696C6C20746F646179041479630AC8041BA
A1C40747F2FC29D881AEF92299B
Message
Message digest
Message
Message digest 306A06092A864886F70D010705A05D305B020100300906052B0E03021A0500303506092A864886F70D010701A0280426506C656173652070617920746865206E65777370617065722062696C6C20746F6D6F72726F7704146EE
C2E0DB9570A5AF6CEB631CE057AE830A87C5B
33Chapter 4
Message Digest Algorithms
• Basic principle: Take the original message, and reduce it to a smaller fingerprint
• Examples: MD5, SHA-1
• SHA-1 is considered stronger
34Chapter 4
MD5
• MD serial developed by Ron Rivest.MD, MD2, MD3, MD4, MD5, MD6,…
• Processed in 512-bit blocks (divided into 16 32-bit sub-blocks
• Output is a set of four 32-bit blocks, amount is 128-bit message digest.
35Chapter 4
How MD5 works?
• Padding– Filling message m into multiple of 512-bit
blocks
• Append length (in padding)
• Divide the input into 512-bit blocks
• Initialize chaining variables
• Process blocks
36Chapter 4
• Padding the original message into multiple of 512-bit
• Append Length in the final 64-bit of the padding block.
original message 1000…000 original length in bits
1~512 bits 64 bits
Multiple of 512 bits
37Chapter 4
• Divide the input into 512-bit blocks
Original message + padding block
block1 blocknblock2
512 bits 512 bits 512 bits
38Chapter 4
• Initial A, B, C,D value– A 0123456716 B 89ABCDEF16
– C FEDCBA8916 D 7654321016
block1 blocknblock2
512 bits 512 bits 512 bits
MD5 MD5 MD5MD5
A
B
C
D
A
B
C
D
39Chapter 4
Process inside MD5
• Operated at 32-bit based.
• Four rounds, And each round take up 16 steps. All 4*16 steps.
• There are another 64 constants called t[1],…t[64]
40Chapter 4
Conceptual view within one round
Constants t[1~64]
Register a b c d
Block into sub blocks
MD5 round 1 to round 4
• Round 1 to round 4 only differ in – 1)function, on process P– 2) input sequences of subblocks, M[0],..M[15]– 3) shift number of bits
41Chapter 4
• Input data: – 512-bit block M is divided into 16 sub block called M[0], M[1],…M[15],
another constants t[1],..t[64], and register a,b,c,d• Operation: (Perform round 1~4 step 1~16)
– Mainly operated on register a, b, c, d; after each step, registers are rotate-one-position-right exchanged (a, b,c, d) (d, a,b,c)
– Main processes: (for each step)• p1: process p on register b,c,d• p2: register a is added into p1’s result.• p3: sub block M[i] is added into p2’s result• p4: constant t[k] is added into p3’s result.• p5: the p4’s result is circular-left shifted by s bits• p6: register b is added into p5’s result• p7: p6’s result write into register a.
42Chapter 4
a = b+(( a + process p (b,c,d) + M[i] + t[k] )<<<s)
Fig 4.33
a b c d
Process P
Add
Addt[k]
Shift
Add
a b c d
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
AddM[i]
Step 7
43Chapter 4
44Chapter 4
Secure Hash Algorithm (SHA)
• NIST and NSA, developed in 1993. also called SHA-1
• Modified from MD serial hash function.– Five register a, b, c, d,e (four register in MD5)– 5 constants (64 constants 64 in MD5 )– Function changed
• Output is: 160 bits
45Chapter 4
Single SHA-1 Iteration
Fig 4.39
a b c d e
Process P
Add
s5 Add
Add W[t]
Add K[t]
a b c d e
46Chapter 4
Comparison of MD5 and SHA-1
Fig 4.42
Point of discussion MD5 SHA
Message digest length in bits
128 160
Attack to try and find the original message given a message digest
Requires 2128 operations to break in
Requires 2160 operations to break in, therefore more secure
Attack to try and find two messages producing the same message digest
Requires 264 operations to break in
Requires 280 operations to break in
Successful attacks so far There have been reported attempts to some extent (as we discussed earlier)
No such claims so far
Speed Faster (64 iterations, and 128-bit buffer)
Slower (80 iterations, and 160-bit buffer)
Software implementation Simple, does not need any large programs or complex tables
Simple, does not need any large programs or complex tables
47Chapter 4
Message Authentication Code (MAC)
• Make sure the message digest is sent by the sender (need to include the Secret between sender and receiver )
• MAC can ensure the message integrity and authentication, lack of confidentiality and non-repudiation
48Chapter 4
Message Authentication Code (MAC)
Fig 4.43
SENDER
(A)
M
H1
MAC
M
H1
Send
M
H2
MAC
R E C E I V E R
(B)
Compare
Step 1 Step 2 Step 3
Step 4
K K
49Chapter 4
Hash-based Message Authentication Code (HMAC)
• Basically use Hash function (MD5, SHA-1)
• Shared Secret key join with message M to form the a package to be hashed.
50Chapter 4
HMAC Concept
Key K
message digest algorithms such as MD5 or SHA-1
Original message
Message Digest
Hash fun-ction (MD5,
SHA-1)MAC
Final output
Key K
+
+
Key K
51Chapter 4
Complete HMAC OperationTransformed key (K)Key (K) ipad
XOR
S1 M
Message Digest algorithm
H
Transformed key (K) opad
XOR
S2 H
HMAC
Message Digest algorithm
120 bits512 bits
512 bits 00110110…
512 bits 01011010…
52Chapter 4
Appendix 1. Prime testing
• Miller-Rabin probability testing– Input n, and assume n=2st+1, t is odd number,
and s 1≧– Choose positive integer a:
• at ≠ 1mod n, and a2jt ≠ -1 mod n 0 j s-1≦ ≦• If a satisfy condition above n is not a prime
– Choose different a for k round.(if n pass k round than the probability of n is not a
prime is below 1-(1/4)k )
53Chapter 4
• prime determinate testing– Input n, – If n satisfy bn-1 =1 mod n and b(n-1/pi) ≠ 1 mod n
• b is positive integer, and pi is the prime factor of n
– then, n is prime
54Chapter 4
Determinate Prime number generation
• Demytko (prime number determinate generation)– Assume, pi+1=hipi+1 and satisfy the following:
• pi is an odd prime
• hi<4(pi+1), hi is even
• 2hipi =1 mod pi+1
• 2hi ≠ 1 mod pi+1
– Then, pi+1 is a prime