Outline

ISA 662
Internet Security Protocols

Some Math Essentials & History

Asymmetric signatures and key exchange
Asymmetric encryption
Symmetric MACs

Lecture 2

ISA 662

Beauty of Mathematics

Prime Numbers (I)

Percentage

Demonstration
Pick a number from 10 to 99
At the 2 digits, for example:
If you chose 51, you would add 5+1=6
Then subtract the result from the original number
So 51-6=45
(Demonstration shown in class)

x/(ln x - 1)

Percentage

168

16.8%

169

16.9%

10,000

1,229

12.3%

1,218

12.2%

100,000

9,592

9.6%

9,512

9.5%

1,000,000

78,498

7.8%

78,030

7.8%

10,000,000

664,579

6.6%

661,459

6.6%
5.7%

100,000,000

5,761,455

5.8%

5,740,304

1,000,000,000

50,847,534

5.1%

50,701,542

5.1%

10,000,000,000

455,052,511

4.6%

454,011,971

4.5%

Prime numbers thin out as the numbers get larger

There are 25 primes <100, so density is 1 in 4.
Ten digit number, density is 1 in 23.
Hundred digit number, density is 1 in 230.

Division (I)

Percentage

1,000

Division (II)

(also called counting numbers)

Division (III)

Common Divisors (I)

Common Divisors (II)

Eulers Totient Function (I)

Leonhard Euler
Swiss mathematician and physicist
First to use the term function.
Lived in the 1700s

in Z

Totient function (n): |Zn*|

number of integers less than n and relatively prime to n

If n is prime, (n)=n-1
If n=pq, and p, q are primes, (n)=(p-1)(q-1)
If p is prime and k>0, (pk) =(p-1) pk-1

Eulers Totient Function (II)

10

Motivation 1- Key Distribution Problem

Examples:

In a secret key cryptosystem, the secret key must be

transmitted via a secure channel
Inconvenient

(7)= 7*(1-(1/7))=6 {1,2,3,4,5,6}

Or (7) =7-1=6, because 7 is prime

n parties want to communicate with each other, how many keys

total keys are needed and how many other keys must each n
store?

(10)= 10*(1-(1/2)*(1-(1/5))=4 {1,3,7,9}

(18)= 18*(1-(1/2)*(1-(1/3))=6 {1,5,7,11,13,17}

n entities There will be n(n-1) / 2 keys total

Each entity has to store n-1 keys

Insecure
(21)= 21*(1-(1/3)*(1-(1/7))=12
{1,2,4,5,8,10,11,13,16,17,19,20}
Or (21)= (3.7)= (3). (7)= 2.6 = 12

Is the secure channel really secure?

Public key cryptosystem solves the problem

Public key known by everyone telephone directory
Privacy key is never transmitted
11

12

How many Symmetric Keys needed?

Administration Problems:
Adding new entities
Removing existing entities
Changing keys

Total
Keys

Keys
Stored

10

15

21

28

36

10

45

11

55

10

12

66

11

13

78

12

14

91

13

15

105

14

Motivation 2- Digital Signature

In a secret key cryptosystem, authentication and
non-repudiation may be difficult
Authentication
You must share a secret key with someone in order to
verify his signature

Non-repudiation
I didnt sign it. You did since you also have the key

Public key cryptosystem solves the problem

Verification of signature needs only the public key
One is solely responsible for his private key
13

14

Public Key Algorithms

Requirements for Public-Key Algorithms

Public key algorithms covered in this class

It is computationally easy to

RSA: encryption and digital signature

Diffie-Hellman: key exchange
DSA: digital signature

Number theory underlies most of public key

algorithms.

generate a (public, private) key pair.

to generate a ciphertext using the public key.
to decrypt the ciphertext using the private key.
to sign with the private key.
to verify the signature with the public key.

It is computationally infeasible to
determine the private key from the public key.
recover the message from the ciphertext and the public key.
forge a signature.

15

The Basic Idea

The Big Picture

Plaintext

Encryption
Algorithm

16

Ciphertext
INSECURE CHANNEL

Decryption
Algorithm

A
A

Plaintext

B
B
B's Public Key

Confidentiality: encipher using public key,

decipher using private key
Integrity/authentication: encipher using private
key, decipher using public key
Plaintext

B's Private Key

RE
L

IAB
LE
C

Encryption
Algorithm

Ciphertext

Decryption
Algorithm

Plaintext

Signature
HA
NN
EL

B's Public Key

17

A
A

B's Public Key

B's Private Key

B
B
18

Public Key Model

Public Key Encryption

19

Public Key Signatures

20

Use of Public-Key Cryptosystems

Encryption/decryption
The sender encrypts a message with the receivers public key
Only the receiver can decrypt the message.

Digital signature
The sender signs a message with its private key.
Authentication and non-repudiation

Key exchange
Two sides cooperate to exchange a session key.
Secret key cryptosystems are often used with the session key.

21

22

Goals of Public-Key Cryptanalysis

Public-Key Cryptanalysis

Given the public key, cipher text, signature, to

Brute-force attack
Try all possible keys

find out the private key

find out the message encrypted
forge the signature

Derivation of private key from public key

Try to find the relationship between the public key and the
private key and compute the private key from the public one.

Probable-message attack
The public key is known.
Encrypt all possible messages
Try to find a match between the ciphertext and one of the above
encrypted messages.
Example: Prof. sends encrypted messages of letter grades to his
students based on their public key.

23

24

History of Public-Key Schemes

Revolution in Cryptography

1976 Diffie & Hellman suggested the public-key model

for encryption and signatures
1976 Diffie & Hellman developed public-key protocol
for key-exchange based on Discrete Log Problem
1977- Rivest, Shamir, Adelman developed RSA publickey scheme for encryption and signatures based on the
Number Factoring Problem
1980s- El-Gamal developed public-key protocols for
encryption and signatures based on Discrete Log Problem

Diffie & Hellman sought to solve 2 problems

Find a secure way to distribute keys in the public
Provide digital signature for document

Public key cryptography is based on rigorous

mathematical theory, rather than substitutions and
permutations.
It is asymmetric requires two different keys:
private key & public key

25

Diffie-Hellman Key Exchange (I)

26

Diffie-Hellman Key Exchange (II)

Published in
W. Diffie and ME Hellman, "New Directions in Cryptography",
in IEEE Transactions on Information Theory, IT-22 no 6
(November 1976) p. 644-654

The first public key algorithm

Allows two users to agree on a secret key over public
channel
No encryption, decryption, nor authentication
Whats involved?
p is a large prime number (about 512 bits), g < p and g is a
primitive root of p.
p and g are publicly known

27

Diffie-Hellman Key Exchange (III)

28

Diffie-Hellman Man-in-the-middle

29

30

Diffie-Hellman Example

Hard Number Theory Problems

Alice and Bob want to establish a shared secret key

Have agree on the value n=353 (prime) and g=3
Select the random secret values:
Alice chooses Xa=97, Bob chooses Xb=233
Derive the public keys:

T = gs mod p

Ta= gXa mod n = 397 mod 353 = 40 (Alices)

Tb= gXb mod n = 3233 mod 353 = 248 (Bobs)
Derive the shared secret key
K = TbXa mod n = 24897 mod 353 = 160 (Alices)
K = TaXb mod n = 40233 mod 353 = 160 (Bobs)

Another difficult number theory problem, it is to compute

the product of two primes p and q to obtain n=pq. But it is
difficult to factor the composite number n into its two
prime factors p and q.

Given T, g, p, it is computationally infeasible to compute the

value of s (discrete logarithm)
This is the basis of the Diffie-Hellman, El-Gamal, and DSS
Public-Key Schemes.

This is the basis of the RSA Public-Key scheme

31

32

Diffie-Hellman Scheme

Diffie-Hellman in Phone Book Mode

Security factors

DH is subject to active man-in-the-middle attack

because their public key-component may be intercepted
and substituted
Phone book mode allows everyone to generate the
public key-component in advance and publish them
through other reliable means
All communicating parties agree on their common <g,
p>
Essential requirement: authenticity of the public key.

Discrete logarithm very difficult.

Shared key (the secret) itself never transmitted.

Disadvantages:
Expensive exponential operation
Cannot be used to encrypt anything.
No authentication, so you can not sign anything.

33

RSA (Rivest, Shamir, Adleman)

34

Number Factoring

Published in
R. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining
Digital Signatures and Public-Key Cryptosystems", CACM 21,
pp. 120--126, Feb. 1978
The first public key encryption and signature system

Support both public key encryption and digital signature.

Assumption/theoretical basis:
Factorization of large primes is hard.

Variable key length (usually 1024 bits).

Variable plaintext block size.
Plaintext must be smaller than the key.
Ciphertext block size is the same as the key length.

How about Tomorrows computers?

35

36

Quantum Computing

The RSA Algorithm

A classical computer has a memory made up of bits, where each bit holds either
a one or a zero. The device computes by manipulating those bits, i.e. by
transporting these bits from memory to (possibly a suite of) logic gates and
back. A quantum computer maintains a set of qubits.

To generate key pair:

A qubit can hold a one, or a zero, or a superposition of these. A quantum

computer operates by manipulating those qubits, i.e. by transporting these bits
from memory to (possibly a suite of) quantum logic gates and back.

Qubits for a quantum computer can be implemented using particles with two
spin states: "up" and "down"; in fact any system, possessing an observable
quantity A which is conserved under time evolution and such that A has at least
two discrete and sufficiently spaced consecutive eigenvalues, is a suitable
candidate for implementing a qubit.

Pick large primes p and q

Let n = p*q, keep p and q to yourself!
For public key, choose e that is relatively prime to (n)
=(p-1)(q-1).
public key = <e,n>
For private key, find d that is the multiplicative inverse
of e mod (n), i.e., e*d = 1 mod (n)
Private key = <d,n>.

Information Source: Wikipedia

37

38

How Does RSA Work?

An Example

Given pubKey = <e, n> and privKey = <d, n>

Message = m

encryption: c = me mod n, m < n

decryption: m = cd mod n
signature: s = md mod n, m < n
verification: m = se mod n

Choose p = 7 and q = 17.

Compute n = p*q= 119.
Compute (n)=(p-1)(q-1)=96.
Select e = 5, which is relatively prime to (n).
Compute d = _77_such that e*d=1 mod (n).
Public key: <5,119>
Private key: <77,119>
Message = 19
Encryption: 195 mod 119 = 66
Decryption: 6677 mod 119 = 19.

39

40

Example: Encryption

Example: Decryption

p = 7, q = 11, n = 77
Alice chooses e = 17, making d = 53
Bob wants to send Alice secret message HELLO
(07 04 11 11 14)

Alice receives 28 16 44 44 42
Alice uses private key, d = 53, to decrypt
message:

0717

mod 77 = 28
0417 mod 77 = 16
1117 mod 77 = 44
1117 mod 77 = 44
1417 mod 77 = 42

2853 mod 77 = 07
1653 mod 77 = 04
4453 mod 77 = 11
4453 mod 77 = 11
4253 mod 77 = 14

Alice translates 07 04 11 11 14 to HELLO

Bob sends 28 16 44 44 42
41

No one else could read it, as only Alice knows her

private key and that is needed for decryption

42

Digital Signatures in RSA

Digital Signatures in RSA

RSA has an important property, not shared by

other public key systems
Encryption and decryption are symmetric

Plaintext
M

Plaintext
M
e

C mod n

M mod n

Encryption followed by decryption yields the original

message
(Me mod n)d mod n = M
Decryption followed by encryption also yields the
original message
(Md mod n)e mod n = M
Because e and d are symmetric in
e*d = 1 mod (p-1)*(q-1)

Ciphertext C
(signature)

A's Public Key e

A's Private Key d

A
A

Plaintext
M

B
B

RELIABLE CHANNEL

43

Compared To Encryption in RSA

Plaintext
M

Signature and Encryption

Plaintext
M

M e mod n

Ciphertext C

44

C d mod n

A
A

A
A
Plaintext
D

B
B
B's Public Key e

B
B

Encrypted
Signed
Plaintext

Signed
Plaintext

Signed
Plaintext

Plaintext

B's Public
Key

B's Private
Key

A's Public
Key

B's Private Key d

A's Private
Key

RELIABLE CHANNEL
45

46

Example: Sign

Example: Verify

Take p = 7, q = 11, n = 77
Alice chooses e = 17, making d = 53
Alice wants to send Bob message HELLO (07 04
11 11 14) so Bob knows it is from Alice, and it
has not been modified in transit

Bob receives 35 09 44 44 49
Bob uses Alices public key, e = 17, n = 77, to decrypt
message:

0753 mod 77 = 35
0453 mod 77 = 09
1153 mod 77 = 44
1153 mod 77 = 44
1453 mod 77 = 49

3517 mod 77 = 07
0917 mod 77 = 04
4417 mod 77 = 11
4417 mod 77 = 11
4917 mod 77 = 14

Bob translates 07 04 11 11 14 to HELLO

Alice sends 35 09 44 44 49
47

(Assume) only Alice has her private key, so no one else could
have been able to create a correct signature
The (deciphered) signature matches the transmitted plaintext, so
the plaintext is not altered
48

Example: Both

Class Exercise

Alice wants to send Bob message HELLO both

enciphered and signed

1. Find primes p and q so that 12-bit plaintext

blocks could be encrypted with RSA.
2. Decrypt the ciphertext C=4 using RSA with the
private key {d=7, p=3, q=7}

Alices keys: public (17, 77); private: 53

Bobs keys: public: (37, 77); private: 13

Alice does (does she encipher first or sign first?)

(0753 mod 77)37 mod 77 = 07

(0453 mod 77)37 mod 77 = 37
(1153 mod 77)37 mod 77 = 44
(1153 mod 77)37 mod 77 = 44
(1453 mod 77)37 mod 77 = 14

Alice sends 07 37 44 44 14
What would Bob do upon receiving the message?
49

50

Class Exercise

RSA KEY SIZE

1. Find primes p and q so that 12-bit plaintext

blocks could be encrypted with RSA.

In August 1999 a group using 300 workstations and PCs

was able to factor 512-bit number in 7 months.
RSA Laboratories currently recommends key sizes of
1024 bits for corporate use and 2048 bits for extremely
valuable keys like the root key pair used by a certifying
authority (rsasecurity.com)
What does an RSA-155 number look like?

The primes P*Q must be > or = to 212=4096.

So let P=67 and Q=71 so P x Q = 4,757

2. Decrypt the ciphertext C=4 using RSA with the

private key {d=7, p=3, q=7}

N=p*q
N=7*3=21
M=C^d mod n
M=4^7 mod 21
M=4
51

52

RSA-155 Number

Finding Large Prime Numbers

10263959282974110577205419657399759007165678080380668
334193352190711307779
*
1066034883801684548209272203600187867920795857598929
22270608237193062808643.
=
10941738641570527421809707322040357612003732945449
20599091384213147634998428893478471799725789126733
24976257528997818337970765372440271467435315933543
33897

Good news
Infinite number of prime numbers
Bad news
The prime number ratio decreases as the prime number gets
big 
Brute-force
Try to divide n by 2,,n1/2
Impractical for large number!!!
No known practical method to determine if a given large
number is prime 
However fast probabilistic primality test exists.
That is, determine if a larger number is likely to be a prime.

53

54

Finding Large Prime Numbers (Contd)

The Security of RSA

Primality test

Attacks against RSA

Randomly pick 0<a<n, see if an-1 mod n=1?

If an-1 mod n1, n is not prime for sure
If an-1 mod n=1, n is very likely to be prime.
The false positive rate is 10-13 for 100 digit number

Brute force: Try all possible private keys

Can be defeated by using a large key space

Mathematical attacks
Factor n into n=p*q.
Determine (n) directly: equivalent to factoring n.
Determine d directly: at least as difficult as factoring n.

Exist n>0 such that an-1 mod n=1 for all 0<a<n

Implication
We may (with small probability) choose some nonprime numbers for p & q, which would fail RSA
operations (encryption/decryption,
signature/verification)
55

56

The Security of RSA (Contd)

RSA Versus DES

Factoring large integer is very hard!

But if you can factor big number n then given public key
<e,n>, you can find d, and hence the private key by:

Fastest implementations of RSA can encrypt

kilobits/second
Fastest implementations of DES can encrypt
megabits/second
It is often proposed that RSA be used for secure
exchange of DES keys
This 1000-fold difference in speed is likely to
remain independent of technology advances

Knowing factors p, q, such that, n = p*q

Then (n) =(p-1)(q-1)
Then d such that e*d = 1 mod (n)

Ways to make n difficult to factor

p and q should differ in length by only a few digits

Both (p-1) and (q-1) should contain a large prime factor
gcd(p-1, q-1) should be small.
d > n1/4.

57

Digital Signature Standard (DSS)

58

Efficiency of signature schemes

By NIST
Related to El Gamal
Use SHA (SHA-1) to generate the hash value and
Digital Signature Algorithm (DSA) to generate
the digital signature.
Faster for the signer, but not for the verifier:
Potential application: smart cards

59

60

10

Summary-Key required lengths

One-way Hash Functions

Also known as message digest
A function H(M) = m satisfies
(Fixed length): M can be of any length, whereas m is of
fixed length
(One-way): computing H(M)=m is easy, but
computing H-1(m)=M is computationally infeasible
(Collision-free): in two forms
Weak collision-freedom: given any M, difficult to find
another M such that H(M)=H(M)
Strong collision-freedom: difficult to find any M and M
such that H(M)=H(M)
61

62

Why Those Requirements?

Hash Functions Broken ?

Many applications store H(p) instead of a password

p

Crypto 2004 Rump session reported attacks on

MD4, MD5 and SHA-0

Fixed length: cannot guess the length of p from H(p) (and

H(p) is easier to store)
One-way: the administrator cannot learn p of others
Collision-free: cannot submit incorrect p matching H(p)

MD4s attacks are done by hands

Crypto 2005 reported attacks on full SHA-1

Should we panic?

Most applications sign H(M) instead of M

63

Hash Functions Broken ? (Contd)

Xiaoyun Wangs webpage: http://www.infosec.sdu.edu.cn/people/wangxiaoyun.htm

64

MESSAGE AUTHENTICATION CODES

Nature of the results

INSECURE CHANNEL

Algorithm that finds collision faster than theoretic bound

MD5 about one hour; SHA-1

263

vs

Plaintext + MAC

280 (theoretically)

Plaintext

Yes, the results disprove those functions to be strong

collision-free
No, they do not give you a password from its hash
Brute force attacks do (refer to http://passcracking.com/)

Whether you should panic or not depends on what

you use the hash functions for

Yes/No
MAC
Algorithm M

Verification
Algorithm V

A
A

B
B
K

MAC = MD of plaintext + K
Xiaoyun Wangs webpage: http://www.infosec.sdu.edu.cn/people/wangxiaoyun.htm

65

66

11

Hash Functions Vs MAC

HMAC

Send a message M together with its hash h=H(M),

so the recipient can verify M by comparing H(M)
with the received h

HMAC is a keyed-hash message authentication code, which

is a type of message authentication code (MAC)
As with any MAC, it may be used to simultaneously verify
both the data integrity and the authenticity of a message.

Attack: If anyone in the middle can replace M with M

and h with h=H(M), the recipient wont detect this

Keyed hash functions

Also known as message authentication codes (MAC)
Example: DES in CBC mode: use a key to encipher
message in CBC mode and use last n bits as the MAC
value.
67

h : hash function
K : a secret key k padded with extra 0s to the block size of
the hash function
opad=0x5c5c..5c5c (outer padding )and
ipad=0x3636..3636 (inner padding) are two one-block
long hexadecimal constants.
exclusive or, || concatenation
68

Example of HMAC use

Key Points

A pizza restaurant that suffers from attackers that

place bogus Internet orders may insist that all its
customers deposit a secret key with the restaurant.
Along with an order, a customer must supply the
order's HMAC digest, computed using the
customer's secret key. The restaurant, knowing the
customer's secret key, can then verify that the order
originated from the stated customer and has not
been tampered with. (wiki example)

Public key cryptosystems has two keys

Diffie-Hellman exchanges secret key via insecure
channel
RSA can be used for confidentiality and integrity
Cryptographic Checksums are keyed hash functions

69

70

12