Cryptography and Network Security:
Principles and PracticeEighth Edition
Chapter 9
Public Key Cryptography and R S A
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Table 9.1 Terminology Related to Asymmetric
Encryption
Asymmetric Keys
Two related keys, a public key and a private key, that are used to perform
complementary operations, such as encryption and decryption or signature generation
and signature verification.
Public Key Certificate
A digital document issued and digitally signed by the private key of a Certification
Authority that binds the name of a subscriber to a public key. The certificate indicates
that the subscriber identified in the certificate has sole control and access to the
corresponding private key.
Public Key (Asymmetric) Cryptographic Algorithm
A cryptographic algorithm that uses two related keys, a public key and a private key.
The two keys have the property that deriving the private key from the public key is
computationally infeasible.
Public Key Infrastructure (PKI)
A set of policies, processes, server platforms, software and workstations used for the
purpose of administering certificates and public-private key pairs, including the ability to
issue, maintain, and revoke public key certificates.
Source: Glossary of Key Information Security Terms, NISTIR 7298.
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Misconceptions Concerning Public-
Key Encryption
• Public-key encryption is more secure from cryptanalysis
than symmetric encryption
• Public-key encryption is a general-purpose technique that
has made symmetric encryption obsolete
• There is a feeling that key distribution is trivial when using
public-key encryption, compared to the cumbersome
handshaking involved with key distribution centers for
symmetric encryption
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Principles of Public-Key Cryptosystems
• The concept of public-key cryptography evolved from an attempt
to attack two of the most difficult problems associated with
symmetric encryption:
• Key distribution
– How to have secure communications in general without
having to trust a K D C with your key
• Digital signatures
– How to verify that a message comes intact from the claimed
sender
• W hitfield Diffie and Martin Hellman from Stanford University
achieved a breakthrough in 1976 by coming up with a method
that addressed both problems and was radically different from
all previous approaches to cryptography
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Public-Key Cryptosystems
• A public-key encryption scheme has six ingredients:
• Plaintext
– The readable message or data that is fed into the algorithm as input
• Encryption algorithm
– Performs various transforma-tions on the plaintext
• Public key
– Used for encryption or decryption
• Private key
– Used for encryption or decryption
• Ciphertext
– The scrambled message produced as output
• Decryption algorithm
– Accepts the ciphertext and the matching key and produces the original plaintext
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Figure 9.1 Public-Key Cryptography (1 of 2)
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Figure 9.1 Public-Key Cryptography (2 of 2)
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Table 9.2 Conventional and Public-
key Encryption
Conventional Encryption Public-Key Encryption
Needed to Work:
1. The same algorithm with the same key is used for encryption and decryption.
2. The sender and receiver must share the
algorithm and the key.
Needed to Work:
1. One algorithm is used for encryption and a related algorithm for decryption with a pair of keys, one for encryption and one for
decryption.2. The sender and receiver must each have one
of the matched pair of keys (not the same one).
Needed for Security:
1. The key must be kept secret.2. It must be impossible or at least impractical
to decipher a message if the key is kept
secret.3. Knowledge of the algorithm plus samples of
ciphertext must be insufficient to determinethe key.
Needed for Security:
1. One of the two keys must be kept secret.2. It must be impossible or at least impractical
to decipher a message if one of the keys is
kept secret.3. Knowledge of the algorithm plus one of the
keys plus samples of ciphertext must be insufficient to determine the other key.
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Public-Key Cryptosystem: Confidentiality
Figure 9.2 Public-Key Cryptosystem: Confidentiality
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Public-Key Cryptosystem: Authentication
Figure 9.3 Public-Key Cryptosystem: Authentication
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Public-Key Cryptosystem:
Authentication and Secrecy
Figure 9.4 Public-Key Cryptosystem: Authentication and
Secrecy
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Applications for Public-Key
Cryptosystems
• Public-key cryptosystems can be classified into three
categories:
• Encryption/decryption
– The sender encrypts a message with the recipient’s public
key
• Digital signature
– The sender “signs” a message with its private key
• Key exchange
– Two sides cooperate to exchange a session key
• Some algorithms are suitable for all three applications, whereas
others can be used only for one or two
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Table 9.3 Applications for Public-Key
Cryptosystems
Algorithm Encryption/Decryption Digital
Signature
Key Exchange
RSA Yes Yes Yes
Elliptic Curve Yes Yes Yes
Diffie–Hellman No No Yes
DSS No Yes No
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Public-Key Requirements (1 of 2)
• Conditions that these algorithms must fulfill:
– It is computationally easy for a party B to generate a pair
(public-key P Ub, private key P Rb)
– It is computationally easy for a sender A, knowing the public
key and the message to be encrypted, to generate the
corresponding ciphertext
– It is computationally easy for the receiver B to decrypt the
resulting ciphertext using the private key to recover the
original message
– It is computationally infeasible for an adversary, knowing the
public key, to determine the private key
– It is computationally infeasible for an adversary, knowing the
public key and a ciphertext, to recover the original message
– The two keys can be applied in either order
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Public-Key Requirements (2 of 2)
• Need a trap-door one-way function
– A one-way function is one that maps a domain into a range such
that every function value has a unique inverse, with the condition
that the calculation of the function is easy, whereas the calculation
of the inverse is infeasible
▪ Y = f(X) easy
▪ X = f–1(Y) infeasible
• A trap-door one-way function is a family of invertible functions fk, such
that
– Y = fk(X) easy, if k and X are known
– X = fk–1(Y) easy, if k and Y are known
– X = fk–1(Y) infeasible, if Y known but k not known
• A practical public-key scheme depends on a suitable trap-door one-
way function
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Public-Key Cryptanalysis
• A public-key encryption scheme is vulnerable to a brute-force attack
– Countermeasure: use large keys
– Key size must be small enough for practical encryption and decryption
– Key sizes that have been proposed result in encryption/decryption speeds that are too slow for general-purpose use
– Public-key encryption is currently confined to key management and signature applications
• Another form of attack is to find some way to compute the private key given the public key
– To date it has not been mathematically proven that this form of attack is infeasible for a particular public-key algorithm
• Finally, there is a probable-message attack
– This attack can be thwarted by appending some random bits to simple messages
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Rivest-Shamir-Adleman (R S A)
Algorithm
• Developed in 1977 at M I T by Ron Rivest, Adi Shamir &
Len Adleman
• Most widely used general-purpose approach to public-key
encryption
• Is a cipher in which the plaintext and ciphertext are
integers between 0 and n – 1 for some n
– A typical size for n is 1024 bits, or 309 decimal digits
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
R S A Algorithm
• RSA makes use of an expression with exponentials
• Plaintext is encrypted in blocks with each block having a binary
value less than some number n
• Encryption and decryption are of the following form, for some
plaintext block M and ciphertext block C
C = Me mod n
M = Cd mod n = (Me)d mod n = Med mod n
• Both sender and receiver must know the value of n
• The sender knows the value of e, and only the receiver knows
the value of d
• This is a public-key encryption algorithm with a public key of
PU={e,n} and a private key of PR={d,n}
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Algorithm Requirements
• For this algorithm to be satisfactory for public-key
encryption, the following requirements must be met:
1. It is possible to find values of e, d, n such that Med mod
n = M for all M < n
2. It is relatively easy to calculate Me mod n and Cd mod n
for all values of M < n
3. It is infeasible to determine d given e and n
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Figure 9.5 The R S A Algorithm
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Example of R S A Algorithm
Figure 9.6 Example of R S A Algorithm
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Figure 9.7 R S A Processing of
Multiple Blocks (1 of 2)
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Figure 9.7 R S A Processing of
Multiple Blocks (2 of 2)
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Exponentiation in Modular Arithmetic
• Both encryption and decryption in RSA involve raising an
integer to an integer power, mod n
• Can make use of a property of modular arithmetic:
[(a mod n) x (b mod n)] mod n =(a x b) mod n
• With RSA you are dealing with potentially large exponents
so efficiency of exponentiation is a consideration
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Figure 9.8 Algorithm for Computing
ab mod n
Note: The integer b is expressed as a binary number bkbk − 1…b0
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Table 9.4 Result of the Fast Modular
Exponentiation Algorithm for ab mod n, where a
= 7, b = 560 = 1000110000, and n = 561
I 9 8 7 6 5 4 3 2 1 0
Bi 1 0 0 0 1 1 0 0 0 0
C 1 2 4 8 17 35 70 140 280 560
F 7 49 157 526 160 241 298 166 67 1
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Efficient Operation Using the Public
Key
• To speed up the operation of the R S A algorithm using the
public key, a specific choice of e is usually made
• The most common choice is 65537 (216 + 1)
– Two other popular choices are e=3 and e=17
– Each of these choices has only two 1 bits, so the
number of multiplications required to perform
exponentiation is minimized
– With a very small public key, such as e = 3, R S A
becomes vulnerable to a simple attack
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Efficient Operation Using the Private
Key
• Decryption uses exponentiation to power d
– A small value of d is vulnerable to a brute-force attack
and to other forms of cryptanalysis
• Can use the Chinese Remainder Theorem (C R T) to speed
up computation
– The quantities d mod (p – 1) and d mod (q – 1) can be
precalculated
– End result is that the calculation is approximately four
times as fast as evaluating M = Cd mod n directly
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Key Generation
• Before the application of the public-key cryptosystem each
participant must generate a pair of keys:
– Determine two prime numbers p and q
– Select either e or d and calculate the other
• Because the value of n = pq will be known to any potential
adversary, primes must be chosen from a sufficiently large
set
– The method used for finding large primes must be
reasonably efficient
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Procedure for Picking a Prime
Number
• Pick an odd integer n at random
• Pick an integer a < n at random
• Perform the probabilistic primality test with a as a
parameter. If n fails the test, reject the value n and go to
step 1
• If n has passed a sufficient number of tests, accept n;
otherwise, go to step 2
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
The Security of R S A
• Five possible approaches to attacking RSA are:
– Brute force
▪ Involves trying all possible private keys
– Mathematical attacks
▪ There are several approaches, all equivalent in effort to factoring the product of two primes
– Timing attacks
▪ These depend on the running time of the decryption algorithm
– Hardware fault-based attack
▪ This involves inducing hardware faults in the processor that is generating digital signatures
– Chosen ciphertext attacks
▪ This type of attack exploits properties of the RSA algorithm
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Factoring Problem
• We can identify three approaches to attacking RSA
mathematically:
– Factor n into its two prime factors. This enables
calculation of ø(n) = (p – 1) x (q – 1), which in turn
enables determination of d = e-1 (mod ø(n))
– Determine ø(n) directly without first determining p and
q. Again this enables determination of d = e-1 (mod
ø(n))
– Determine d directly without first determining ø(n)
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Timing Attacks
• Paul Kocher, a cryptographic consultant, demonstrated
that a snooper can determine a private key by keeping
track of how long a computer takes to decipher messages
• Are applicable not just to RSA but to other public-key
cryptography systems
• Are alarming for two reasons:
– It comes from a completely unexpected direction
– It is a ciphertext-only attack
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Countermeasures
• Constant exponentiation time
– Ensure that all exponentiations take the same amount of time before returning a result; this is a simple fix but does degrade performance
• Random delay
– Better performance could be achieved by adding a random delay to the exponentiation algorithm to confuse the timing attack
• Blinding
– Multiply the ciphertext by a random number before performing exponentiation; this process prevents the attacker from knowing what ciphertext bits are being processed inside the computer and therefore prevents the bit-by-bit analysis essential to the timing attack
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Fault-Based Attack
• An attack on a processor that is generating R S A digital
signatures
– Induces faults in the signature computation by reducing the
power to the processor
– The faults cause the software to produce invalid signatures
which can then be analyzed by the attacker to recover the
private key
• The attack algorithm involves inducing single-bit errors and
observing the results
• W hile worthy of consideration, this attack does not appear to be
a serious threat to R S A
– It requires that the attacker have physical access to the
target machine and is able to directly control the input power
to the processor
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Chosen Ciphertext Attack (C CA)
• The adversary chooses a number of ciphertexts and is
then given the corresponding plaintexts, decrypted with the
target’s private key
– Thus the adversary could select a plaintext, encrypt it
with the target’s public key, and then be able to get the
plaintext back by having it decrypted with the private
key
– The adversary exploits properties of R S A and selects
blocks of data that, when processed using the target’s
private key, yield information needed for cryptanalysis
• To counter such attacks, R S A Security Inc. recommends
modifying the plaintext using a procedure known as
optimal asymmetric encryption padding (O A E P)
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Figure 9.9 Encryption Using Optimal
Asymmetric Encryption Padding
(O A E P)
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Summary
• Present an overview of the basic principles of public-key
cryptosystems
• Explain the two distinct uses of public-key cryptosystems
• List and explain the requirements for a public-key cryptosystem
• Present an overview of the R S A algorithm
• Understand the timing attack
• Summarize the relevant issues related to the complexity of
algorithms
Copyright © 2020 Pearson Education, Inc. All Rights Reserved.
Copyright
This work is protected by United States copyright laws and is
provided solely for the use of instructors in teaching their
courses and assessing student learning. Dissemination or sale of
any part of this work (including on the World Wide Web) will
destroy the integrity of the work and is not permitted. The work
and materials from it should never be made available to students
except by instructors using the accompanying text in their
classes. All recipients of this work are expected to abide by these
restrictions and to honor the intended pedagogical purposes and
the needs of other instructors who rely on these materials.