Public Key Cryptosystems &

Digital Signatures
--- New era of secure
communications ---
 Outline

 Why public key cryptography ?

 General principles of public key
cryptography
 The RSA public key cryptosystem
 Digital signature
 Slides 12 to 25 for mathematically
inclined students (and will not be
covered in this subject)

CSE2500- System Security and Privacy 2

 Private key cipher

Plain Text Cipher Text Cipher Text Plain Text

Network D
E
or Storage

Secret Key Secret Key

Alice Bob

CSE2500- System Security and Privacy 3

 Problems with private key ciphers

 In order for Alice & Bob to be able to

communicate securely using a private
key cipher, such as DES, they have to
have a shared key in the first place.
 Question:
What if they have never met before ?
 Alice needs to keep 100 different keys
if she wishes to communicate with 100
different people
CSE2500- System Security and Privacy 4
 Motivation of Public Key Cryptography

 Is it possible for Alice & Bob, who

have no shared secret key, to
communicate securely ?
 This led to the SINGLE MOST
IMPORTANT discovery of public key
communications:
 Diffie & Hellman’s ideas of public key
cryptography: <private-key, public-key>

CSE2500- System Security and Privacy 5

 Main ideas

 Bob:
 publishes, say in Yellow/White pages, his
public (for encryption) key, and
encryption algorithm.
 keeps to himself
the matching secret (for decryption) key.

CSE2500- System Security and Privacy 6

 Main ideas (2)

 Alice:
 Looks up the phone book, and finds out
Bob’s
public key, and
encryption algorithm.
 Encrypts a message using Bob’s public
key and encryption algorithm.
 sends the ciphertext to Bob.

CSE2500- System Security and Privacy 7

 Main ideas (3)

 Bob:
 Receives the ciphertext from Alice
 Decrypts the ciphertext using his secret
key, together with the decryption
algorithm

CSE2500- System Security and Privacy 8

 Public Key Cryptosystem

Public Key Directory (Yellow/White Pages)

Bob:

Plain Text Cipher Text Cipher Text

Plain Text

E Network D

Secret Key
Alice
CSE2500- System Security and Privacy
Bob 9
 Main differences with DES

 The public key is different from the

secret key.
 Infeasible for an attacker to find out
the secret key from the public key.
 No need for Alice & Bob to distribute a
shared secret key beforehand !
 Only one pair of public and secret
keys is required for each user !

CSE2500- System Security and Privacy 10

 Realising public key ciphers

 The most famous system that

implements Diffie & Hellman’s ideas
on public key ciphers is due to
 Ronald Rivest
 Adi Shamir
 Leonard Adleman
 This public key cryptosystem is called
RSA.

CSE2500- System Security and Privacy 11

 Mathematical background

Assume that we are working with non-negative

integers:

 Prime and composite numbers

 a prime number is an integer that can be divided
only by 1 and itself
 E.g. 2, 3, 5, 7, 11, 13,
101, ......
 all other integers are composite
 E.g. 4, 6, 8, 9, 10, 12,
523743960876432, 800164386535

CSE2500- System Security and Privacy 12

 Mathematical background

Modular operations
 “remainder”
 13 mod 5 = 3, 1 mod 7 = 1
 20 mod 5 = 0, 32 mod 7 = 4
 modular exponentiation
 22 mod 3 = 1, 32 mod 3 = 0
 22 mod 5 = 4, 102 mod 92 = 8
 46 mod 10 = 6, 311 mod 10 = 7

CSE2500- System Security and Privacy 13

 Mathematical background

 a is relative prime to b if the largest

integer that divides both a & b is 1
 E.g:
 any m (<>0) is relatively prime to a prime
number
 is 9 relatively prime to 10?

CSE2500- System Security and Privacy 14

 Mathematical background

 Let ø(n) denote the total numbers that are

less than n and relatively prime to n
 If n is a prime number then ø(n) = n – 1
 If p, q are prime numbers and n=p*q, then
 Ø(n) = Ø(p*q) = p*q – (p + q -1) = (p-1)*(q-1)
- p & q are prime numbers => only multiples of p and q
are not relatively prime to p*q
- That is: there are (p + q – 1) multiples [0 is counted
once] of p and q
 E.g: p = 3; q=7; {0, 3, 7, 6, 9, 12, 14, 15, 18} are not
relatively prime to p*q
 Ø(n) = ø(p*q) = 12 ; {1,2,4,5,8,10,11,13,16,17,19,20}

CSE2500- System Security and Privacy 15

 Mathematical background

 y & n are integers and y (mod ø(n)) = 1,

for any x < n, xy mod n = x (1)

 E.g:
y=13 ; n=7; x = 4;
ø(n) = 6; y mod ø(n) = 13 mod 6 = 1;
xy = 413; xy mod n = 413 mod 7 = 4 = x mod n;

CSE2500- System Security and Privacy 16

 Mathematical background
 The multiplicative inverse of x with modulo n is y
such that: (x*y) mod n = 1 (2).

 The above multiplicative inverse can be used to

create a simple public key cipher: either x or y can
be thought of as a secret key and the other is the
public key.

E.g: x=3; n=10; y=7; we have: (3*7) mod 10 = 1;

 M =5 ;
 3*5 (mod 10) = 5 ; 5*7 (mod 10) = 5 = M (message)
 M =6 ;
 3*6 (mod 10) = 8; 8*7 (mod 10) = 6 = M (message)

CSE2500- System Security and Privacy 17

 RSA Public Key Cryptosystem
Public Key Directory (Yellow/White Pages)

Bob: (e, n)

public key:
e &n
Plain Text Cipher Text Cipher Text Plain Text

c= m=
Network
m e mod n c d mod n

Alice secret key: d

CSE2500- System Security and Privacy

Bob 18
 RSA (1)

 Bob:
 chooses 2 large prime numbers: p, q
multiplies p and q: n = p*q
 finds out two numbers e & d such that
 (e * d) mod ø(n) = 1 [ similar to (2) ]
Or (e * d) mod [(p-1)*(q-1)] = 1
 public key (published in the phone book)
2 numbers: (e, n)
encryption alg: modular exponentiation
 secret key: (d,n)

CSE2500- System Security and Privacy 19

 RSA (2)

 Alice has a message m to be sent to

Bob:
 finds out Bob’s public encryption key
(e, n)
 calculates
me (mod n) -> c
 sends the ciphertext c to Bob

CSE2500- System Security and Privacy 20

 RSA (3)

 Bob:
 receives the ciphertext c from Alice
 uses his matching secret decryption key
d to calculate
cd (mod n) -> m

CSE2500- System Security and Privacy 21

 RSA --- 1st small example (1)

 Bob:
 chooses 2 primes: p=5, q=11
multiplies p and q: n = p*q = 55
 finds out two numbers e=3 & d=27 which
satisfy
(3 * 27) mod 40 = 1
 Bob’s public key
2 numbers: (3, 55)
encryption alg: modular exponentiation
 secret key: (27,55)

CSE2500- System Security and Privacy 22

 RSA --- 1st small example (2)

 Alice has a message m=13 to be sent to

Bob:
 finds out Bob’s public encryption key
(3, 55)
 calculates c:
c = me (mod n)
= 133 (mod 55)
= 2197 (mod 55)
= 52
 sends the ciphertext c=52 to Bob

CSE2500- System Security and Privacy 23

 RSA --- 1st small example (3)

 Bob:
 receives the ciphertext c=52 from Alice
 uses his matching secret decryption key
27 to calculate m:
m = 5227 (mod 55)
= 13 (Alice’s message)

CSE2500- System Security and Privacy 24

 How does RSA work?

 n = p*q => Ø(n) = Ø(p*q) = (p-1)*(q-1)

 We choose d & e such that
 (e * d) mod ø(n) = = 1 ; similar to (2)
 for any m < n: mde = m mod n ; from (1)
 an RSA encryption consists of taking m and raising it
to e; and decrypting the ciphertext by raising the
result of the encrytion to d:
 We have (a*b) mod n = ((a mod n) * (b mod n)) mod n
 hence : (me mod n) d mod n = (me)d mod n = (med)
mod n = m mod n = m [from (1)]

CSE2500- System Security and Privacy 25

 Remarks on RSA

 The message m has to be an integer

between the range [1, n).
 To encrypt long messages we can use
modes of operation as for block
private key ciphers, or a hybrid
cryptosystem.

CSE2500- System Security and Privacy 26

 Why RSA is Secure

 Attack Scenario:
 Marvin wants to read Alice’s private message (m)
intended to be read only by Bob.
 However, Alice used RSA to encrypt m using
Bob’s public key (e, n), into the ciphertext c = me
(mod n).
 Marvin is a determined attacker and managed to
intercept the ciphertext c on its way from Alice’s
to Bob’s computer.
 Marvin also looked up Bob’s public key (e,n) to
help him in his attack.

CSE2500- System Security and Privacy 27

 Why RSA is Secure
 Marvin now has (c,e,n) and wants to find out m.
 How can Marvin proceed to find m?
 Approach 1: If Marvin could also find out Bob’s
secret key d, he could decrypt c into m in the
same way as Bob does.
 Suppose Bob guards his secret key d very well, what
can Marvin do then?
 Approach 2: Marvin knows that c = me (mod n).
He knows that m is a number between 0 and n-1.
So he could use exhaustive search through all n
possible messages m.
 But if n is large this takes a long time!

CSE2500- System Security and Privacy 28

 Why RSA is Secure

 Marvin’s Attack options (cont):

 Approach 3: Marvin can try to compute
Bob’s secret key d from (e,n) and then use
Approach 1.
 Remember that (e * d) mod ((p-1)*(q-1) ) = 1
 Marvin found in a ‘Number Theory’ book a very
fast algorithm called EUCLID to solve the
following problem: Given two numbers (r,s),
the algorithm outputs a number x such that
(r * x) mod s = 1.

CSE2500- System Security and Privacy 29

 Why RSA is Secure
 Approach 3 is the most efficient known method
Marvin can use to attack RSA!

 The time taken for Marvin to execute the attack in

Approach 3 is essentially the time to factorize
n=p*q into the prime factors p and q.

 Therefore, we say that RSA is based on

the factorization problem:
While it is easy to multiply large primes
together, it is computationally infeasible to factorize
or split a large composite into its prime factors !

CSE2500- System Security and Privacy 30

 Why RSA is Secure
 Therefore, when both p and q in RSA are of at
least 155 digits, the product n=p*q is 310
digits.

 Then no one can factorize n in less time than

a few thousand years, not even Marvin!!

 Thus the only person who can extract the

plaintext m from the ciphertext c is Bob, as
only he knows the secret decryption key d !

CSE2500- System Security and Privacy 31

 Marvin’s New Attack Idea
 Instead of just eavesdropping, Marvin can
try a more active attack!
 Outline of the New Attack:
 Marvin generates an RSA key pair
 Public key = Kpub_* = (N_*, e_*)
 Secret key = Ksec_* = d_*
 Marvin sends the following email to Alice,
pretending to be Bob:
 Hi Alice,
 Please use my new public key from now on to encrypt
messages to me. My new public key is Kpub_*.
 Yours sincerely, Bob.
 Marvin decrypts any messages Alice sends to
Bob
CSE2500- System Security and Privacy (encrypted with Kpub_*), using Ksec_*. 32
 Preventing Marvin’s Active Attack

 The active attack works because:

 Alice was tricked by Marvin into encrypting a
message intended for Bob using a “fake” public key
which is NOT Bob’s public key (in fact it was
Marvin’s).
 To prevent the attack:
 Before Alice encrypts a message for Bob, she must make sure
she has Bob’s CORRECT public key (and not a fake one).
 Alice needs a way of testing the truth of any “Bob’s key
message” informing Alice of Bob’s Public Key.
 No one besides Bob should be able to produce such a
message so that it will pass Alice’s Test.

CSE2500- System Security and Privacy 33

 Preventing Marvin’s Active Attack (2)

 This is a setting where Alice and Bob have a

message integrity security requirement!
 Ie. Alice and Bob want to prevent fabrication
and/or modification of a “Bob’s key message” (a
message informing Alice of Bob’s public key) by
unautorised parties (like Marvin).
 The main cryptographic tool used to achieve
message integrity is “Authority Certificates”.
 Later we will see how Digital Signatures can be
used to prevent Marvin’s Attack!

CSE2500- System Security and Privacy 34

 Private key ciphers

 Good points
 in-expensive to use
 fast
 low cost VLSI chips available
 Bad points
 key distribution is a problem

CSE2500- System Security and Privacy 35

 Public key ciphers

 Good points
 key distribution is NOT a problem
 Bad points
 relatively expensive to use
 relatively slow
 VLSI chips not available or relatively high
cost

CSE2500- System Security and Privacy 36

 Combining 2 Type of Ciphers

 In practice, we can
 use a public key cipher (such as RSA) to
distribute keys
 use a private key cipher (such as DES) to
encrypt and decrypt messages

CSE2500- System Security and Privacy 37

 The Need of Digital Signature

 Social & business activities and their

associated documents are becoming
digital
 digital conferences
 digital contract signing
 digital cash payments, ......
 Hand-written signatures are not
applicable to digital data

CSE2500- System Security and Privacy 38

 Digital Signature (based on RSA)

Public Key Directory (Yellow/White Pages)

Bob:

Plain Text

Plain Text

Network ? Accept if equal

+
E
D
Signature

Signature
Secret Key

Bob Cathy Public Key

CSE2500- System Security and Privacy 39
 Digital Signature (for short doc)

Public Key Directory (Yellow/White Pages)

Bob: (e, n)

Plain Text
Plain Text

+
? Accept if equal
s= Network

md mod n Signature t =se mod n

Signature
Secret Key d

Bob Cathy Public Key (e, n)

CSE2500- System Security and Privacy 40
 RSA Signature --- an eg (1)
 Bob:
 chooses 2 primes: p=5, q=11
multiplies p and q: n = p*q = 55
 finds out two numbers e=3 & d=27 which
satisfy
(3 * 27) mod 40 = 1
 Bob’s public key
2 numbers: (3, 55)
encryption alg: modular exponentiation
 secret key: (27,55)

CSE2500- System Security and Privacy 41

 RSA Signature --- an eg (2)

 Bob has a document m=19 to sign:

 uses his secret key d=27 to calculate the
digital signature of m=19:
s = md (mod n)
= 1927 (mod 55)
= 24
 appends 24 to 19. Now (m, s) = (19, 24)
indicates that the doc is 19, and Bob’s
signature on the doc is 24.

CSE2500- System Security and Privacy 42

 RSA Signature --- an eg. (3)
 Cathy, a verifier:
 receives a pair (m,s)=(19, 24)
 looks up the phone book and finds out
Bob’s public key (e, n)=(3, 55)
 calculates t = se (mod n)
= 243 (mod 55)
= 19
 checks whether t=m
 confirms that (19,24) is a genuinely
signed document of Bob if t=m.

CSE2500- System Security and Privacy 43

 How about Long Documents ?

 In the previous example, a document

has to be an integer in [0,...,n)
 To sign a very long document, we
need a so called one-way hash
algorithm
 Instead of signing directly on a doc,
we hash the doc first, and sign the
hashed data which is normally short.

CSE2500- System Security and Privacy 44

 One-Way Hash Algorithm
 A one-way hash algorithm hashes an input
document into a condensed short output
(say of 100 bits)
 Denoting a one-way hash algorithm by H(.), we have:
 Input: m - a binary string of any length
 Output: H(m) - a binary string of L bits, called the “hash
of m under H”.
 The output length parameter L is fixed for a given one-
way hash function H,
 eg
 The one-way hash function “MD5” has L = 128 bits
 The one-way hash function “SHA-1” has L = 160
bits

CSE2500- System Security and Privacy 45

 One-Way Hash Algorithm
Message (of any length)
ag
Mess
e

Hash of the message

CSE2500- System Security and Privacy
A condensed short output, say of 100 bits 46
 ag
Mess
e

Hash of Message

CSE2500- System Security and Privacy 47

 Properties of One-Way Hash Algorithm

 A good one-way hash algorithm H needs to

have these properties:
 1. Easy to Evaluate:
 The hashing algorithm should be fast
 I.e. given any document m, the hashed value h = H(m) can be computed
quickly.
 2. Hard to Reverse:
 There is no feasible algorithm to “reverse” a hashed value,
 I.e. given any hashed value h, it is computationally infeasible to find any
document m such that H(m) = h.
 NOTE: An algorithm is called ‘One-Way’ if it has BOTH properties 1 and 2.
 3. Hard to find Collisions:
 There is no feasible algorithm to find two or more input documents
which are hashed into the same condensed output,
 I.e it is computationally infeasible to find any two documents m1, m2
such that H(m1)= H(m2).

CSE2500- System Security and Privacy 48

 The One-way Property

Document m This Document m But this

direction is
(any length) direction is (any length) infeasible to
easy to
compute! compute!

H H

Hash value h Hash value h

(length= L bits) (length= L bits)
CSE2500- System Security and Privacy 49
 Finding Collision is Infeasible

Document I, Bob, I, Bob, Document

m1 will pay will pay m2
$1,000 $10,000
to Alice. to Alice.

H H

(same condensed output)

CSE2500- System Security and Privacy 50
 Digital Signature (for long doc)

Public Key Directory (Yellow/White Pages)

Bob:

Plain Text

Plain Text
H 100 bits
H 1-way hash
Accept if equal
100 bits
Network
+
?
Signature 100 bits

Secret Key Signature

Bob Cathy Public Key

CSE2500- System Security and Privacy 51
 Why Digital Signature ?
 Unforgeable
 takes 1 billion years to forge !
 Un-deniable by the signatory
 Universally verifiable
 Differs from doc to doc
 Easily implementable by
 software or
 hardware or
 software + hardware

CSE2500- System Security and Privacy 52

 Unforgeable Digital Signature

I, Bob, I, Bob,
will pay will pay
$1,000 $10,000
to Alice. to Alice.
101001010 001001101

a valid signature also a valid signature

CSE2500- System Security and Privacy 53
 Digital Signature -- summary

 Three (3) steps are involved in digital

signature
 Setting up public and secret keys
 Signing a document
 Verifying a signature

CSE2500- System Security and Privacy 54

 Setting up Public & Secret Keys

 Bob does the following

 prepares a pair of public and secret keys
 publishes his public key in the public key
file (such as an on-line phone book)
 keeps the secret key to himself
 Note:
 Setting up needs only to be done once !

CSE2500- System Security and Privacy 55

 Signing a Document

 Once setting up is completed, Bob

can sign a document (such as a
contract, a cheque, a certificate, ...)
using the secret key
 The pair of document & signature is a
proof that Bob has signed the
document.

CSE2500- System Security and Privacy 56

 Verifying a Signature

 Any party, say Cathy, can verify the

pair of document and signature, by
using Bob’s public key in the public
key file.
 Important !
 Cathy does NOT have to have public or
secret key !

CSE2500- System Security and Privacy 57