smucse 5349/7349 network and system security introduction
Post on 19-Dec-2015
SMU CSE 5349/7349
Network and System Security
Introduction
Information Security
• Computer security
– Protect system resources
– Protect data, both dynamic (in transit) and stored (at rest)
• Network security
– Protect network resources
– Protect exchanged data
• Security = confidentiality + integrity + availability + authenticity
Attacks
• Passive attacks (eavesdropping, traffic analysis)
– Affect data confidentiality
– More difficult to detect, so the emphasis is on prevention; less directly harmful
• Active attacks
– Affect data confidentiality, integrity and/or availability
– Easier to detect, more harmful
Attacks (cont'd)
• Interruption
• Interception
• Modification
• Fabrication
Interruption
– An asset of the system is destroyed or becomes unavailable or unusable
– Attack on availability
– Examples: destruction of hardware, cutting of a communication line, disabling the file management system
Interception
– An unauthorized party gains access to an asset
– Attack on confidentiality
– Examples: wiretapping to capture data in a network, illicit copying of files or programs
Modification
– An unauthorized party not only gains access but tampers with an asset
– Attack on integrity
– Examples: changing values in a data file, altering a program so that it performs differently, modifying the content of messages transmitted on a network
Fabrication
– An unauthorized party inserts counterfeit objects into the system
– Attack on authenticity
– Examples: insertion of spurious messages in a network, addition of records to a file
Network Security Services
• Authentication – validate authenticity claims (of an identity or of data)
• Authorization – enforce selective access to information and resources
• Confidentiality – prevent disclosure of data (the entire message, selected fields, or traffic characteristics such as who talks to whom and how much)
• Integrity – prevent tampering with data (the entire message or selected fields)
• Non-repudiation – proof of origin, proof of delivery
• Confidentiality, integrity and availability together are the classic "CIA" triad
Security Mechanisms
• Specific mechanisms
– Access control list – resource protection
– Encryption – data confidentiality
– Digital signature – origin verification, non-repudiation
– Notarization – trusted third-party assurance
– Traffic padding – confidentiality of traffic characteristics
– Routing control – flow protection
Mechanisms (cont'd)
• Pervasive mechanisms (not tied to any one service)
– Event detection
– Security audit trail
– Security recovery
Password Security
System Security
• Two issues
– Attack by unauthorized users
– Attack by authorized users
• Solution
– Unauthorized – authenticate
– Authorized – access control
Authentication
• Usual method: user ID + password
– ID is public, password is private
• When to authenticate
– Beginning of a session
– Periodically within a session
– After a pause
– Beginning of a sensitive operation
Selection of Passwords
• Psychological issues
– Disclosing the password – social engineering
– Difficulty in entering
– Difficulty in remembering
• System issues
– Targeted and general attacks
– Multi-lateral security
– User training
Attacks on Passwords
• Attack on password entry
– Interface design
– Eavesdropping
– Trusted path (e.g. Ctrl-Alt-Del, so that a fake login screen cannot capture the password)
– Password retry counters
• Timing attacks
• Attacks on smart cards
• Attack on password storage
– Audit trail
– Need for one-way hashing: the system stores a hash, never the password itself
Password Cracking
• Brute-force attack – try all combinations of characters
• Knowledge of the victim – names, license plate numbers, ...
• Dictionary attack – try words from a list of likely passwords
Defense
• Use different passwords for different users/systems
• No default passwords
• Against brute force
– Longer passwords
– More than letters and numbers
– Case sensitive
• Against dictionary attacks
– No dictionary words
– No "obvious" passwords
System Defenses
• Run password filters to weed out weak ones
• Generate random passwords for users
• Enforce a password lifetime
• Limit failed logins
• Show users their login history
Salting the Password
• What happens if two users choose the same password?
– Both hash to the same value, so one cracked hash reveals both, and a table of hashes precomputed once works against every user
• Add some random information (salt) to the password before hashing, and store the salt alongside the hash
• Makes it harder to crack: each guess must be re-hashed for every user's salt, and precomputed tables are useless
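A worked example of the cracking and salting slides, added here and not part of the lecture: an unsalted SHA-256 password file and a salted PBKDF2 file are attacked with the same dictionary, and the work count shows why the salt matters. The user names, passwords, word list and iteration count are constructed for the demo.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# Constructed sample accounts: alice and bob happened to choose the same password.
USERS = {"alice": "Summer2015!", "bob": "Summer2015!", "carol": "correct horse"}

# Constructed toy word list; real cracking lists hold hundreds of millions of entries.
WORDLIST = ["password", "letmein", "Summer2015!", "qwerty", "correct horse"]

# Work factor for the demo only; production deployments use a far larger count.
ITERATIONS = 10_000


def unsalted_hash(password: str) -> str:
    """One-way hash with no salt: equal passwords always give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: the salt makes the digest unique per user and the
    iteration count makes every guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(password: str) -> tuple[bytes, bytes]:
    """What the password file keeps: a fresh random salt and the salted digest."""
    salt = secrets.token_bytes(16)
    return salt, salted_hash(password, salt)


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check; the constant-time compare avoids leaking where digests differ."""
    return hmac.compare_digest(salted_hash(password, salt), digest)


def attack_unsalted(db: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Dictionary attack on an unsalted file: hash every word ONCE (this table could
    even be precomputed before the breach) and match it against all users at once.
    Returns (cracked accounts, number of hashes computed)."""
    table = {unsalted_hash(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in db.items() if h in table}
    return cracked, len(wordlist)


def attack_salted(db: dict[str, tuple[bytes, bytes]], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Same attack on a salted file: each word must be re-hashed under every user's
    salt, so the work grows with the number of users and nothing can be precomputed."""
    cracked, work = {}, 0
    for user, (salt, digest) in db.items():
        for w in wordlist:
            work += 1
            if hmac.compare_digest(salted_hash(w, salt), digest):
                cracked[user] = w
                break
    return cracked, work


if __name__ == "__main__":
    plain_db = {u: unsalted_hash(p) for u, p in USERS.items()}
    print("unsalted: alice and bob share a hash:", plain_db["alice"] == plain_db["bob"])
    print("unsalted attack:", attack_unsalted(plain_db, WORDLIST))
    salted_db = {u: store_salted(p) for u, p in USERS.items()}
    print("salted: alice and bob share a hash:", salted_db["alice"][1] == salted_db["bob"][1])
    print("salted attack:", attack_salted(salted_db, WORDLIST))
```

Both attacks crack the same accounts because the passwords are in the list; the difference is that the unsalted table cost one hash per word regardless of how many users there are, while the salted file costs one slow hash per word per user.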
Access Control
Authentication vs. Access Control
• Authentication is about who you are
• Access control is about who may do what to what
• A major portion of security breaches are carried out by authorized users
Control Structures
• Formalism
– Subjects, objects, access permissions
– Access control matrix: one row per subject, one column per object, each cell holding the subject's permissions on that object
Capabilities and Access Control Lists (ACL)
• For large systems
– Large number of subjects and objects
– Control matrix very large and sparse
• Store the matrix rows and columns as lists instead
– Rows – capabilities (kept with the subject)
– Columns – ACLs (kept with the object)
Capabilities
• What subject A is allowed to do
• Whenever a new object is created, other subjects may be given capabilities to access it
Intermediate Solutions
• Group permissions
• Negative permissions
• Protection rings
• Permission trees
Group Permissions
• Place a number of users in a named group
• Write ACL entries for the group rather than for each member
Negative Permissions
• Used to exclude a specific permission (or a specific user) from a group grant; the deny entry is checked first, so it overrides the grant
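An added example (not from the lecture) that puts the access-control-matrix, ACL/capability, group and negative-permission ideas of the preceding slides into code. The subjects, objects and rights are constructed; the deny-overrides-grant rule is the usual convention and is an assumption of this example.

```python
from __future__ import annotations

# Constructed example system: three subjects, three objects. The access control
# matrix is stored sparsely as {(subject, object): set of rights}.
SUBJECTS = ["alice", "bob", "carol"]
OBJECTS = ["payroll.db", "/etc/passwd", "report.doc"]
MATRIX: dict[tuple[str, str], set[str]] = {
    ("alice", "payroll.db"): {"read", "write"},
    ("alice", "report.doc"): {"read"},
    ("bob", "/etc/passwd"): {"read"},
    ("bob", "report.doc"): {"read", "write"},
    ("carol", "/etc/passwd"): {"read", "write"},
}


def acl(matrix: dict, obj: str) -> dict[str, set[str]]:
    """A column of the matrix: the ACL kept with OBJ, listing who may do what to it."""
    return {s: set(rights) for (s, o), rights in matrix.items() if o == obj}


def capabilities(matrix: dict, subject: str) -> dict[str, set[str]]:
    """A row of the matrix: the capability list kept with SUBJECT."""
    return {o: set(rights) for (s, o), rights in matrix.items() if s == subject}


class AclPolicy:
    """ACL-style policy with the two 'intermediate solutions' from the slides:
    named groups (one entry covers many users) and negative permissions (an
    explicit deny that overrides any grant)."""

    def __init__(self) -> None:
        self.groups: dict[str, set[str]] = {}
        self.grants: dict[str, dict[str, set[str]]] = {}   # obj -> principal -> rights
        self.denies: dict[str, dict[str, set[str]]] = {}

    def add_group(self, name: str, *members: str) -> None:
        self.groups[name] = set(members)

    def grant(self, obj: str, principal: str, *rights: str) -> None:
        self.grants.setdefault(obj, {}).setdefault(principal, set()).update(rights)

    def deny(self, obj: str, principal: str, *rights: str) -> None:
        self.denies.setdefault(obj, {}).setdefault(principal, set()).update(rights)

    def principals(self, subject: str) -> set[str]:
        """The subject itself plus every group it belongs to."""
        return {subject} | {g for g, members in self.groups.items() if subject in members}

    def check(self, subject: str, obj: str, right: str) -> bool:
        """Reference-monitor decision: deny entries are evaluated first and win."""
        ps = self.principals(subject)
        if any(right in self.denies.get(obj, {}).get(p, set()) for p in ps):
            return False
        return any(right in self.grants.get(obj, {}).get(p, set()) for p in ps)

    def to_matrix(self, subjects, objects, rights=("read", "write")) -> dict[tuple[str, str], set[str]]:
        """Expand groups and denies back into the explicit (sparse) access matrix."""
        m = {}
        for s in subjects:
            for o in objects:
                granted = {r for r in rights if self.check(s, o, r)}
                if granted:
                    m[(s, o)] = granted
        return m


def example_policy() -> AclPolicy:
    """Constructed policy equivalent to MATRIX, written with a group and a deny."""
    p = AclPolicy()
    p.add_group("staff", "alice", "bob", "carol")
    p.grant("report.doc", "staff", "read")       # everyone in staff may read the report
    p.deny("report.doc", "carol", "read")        # ... except carol (negative permission)
    p.grant("report.doc", "bob", "write")
    p.grant("payroll.db", "alice", "read", "write")
    p.grant("/etc/passwd", "bob", "read")
    p.grant("/etc/passwd", "carol", "read", "write")
    return p
```

Expanding the policy back with `to_matrix` is a useful audit step: it shows the effective rights after group membership and denies are resolved, which is what a reviewer actually needs to see.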
Protection Rings
• Assign privilege levels to subjects and objects
– 0 kernel
– 1 OS
– 2 system utilities
– 3 other programs
• Access decisions are based on comparing the levels of subjects and objects
Hardware Protection
• Protection problem
– Preventing one process from interfering with another
• Confinement problem
– Preventing programs from communicating outside the authorized channels
• Memory management – reference monitor
Security Processors
• Pentium 3 processor serial number
• ARM (Acorn RISC Machine)
• Smart cards
• Protection of the protection hardware
– Tamper resistance
Attack (cont'd)
• Smashing the stack
– The finger bug in UNIX (the fingerd overflow exploited by the 1988 Morris worm)
– The daemon did not check the length of the input string
– The overflow past the end of the buffer overwrites the saved return address on the system stack
– Want to be a root user?
Cryptography
Terminology
• Cryptography – designing ciphers
• Cryptanalysis – breaking them
• Cryptology – the two together
• Plain text
• Cipher text
Historical Background
• Mono-alphabetic substitution – Caesar cipher
• Stream ciphers – C = (P + K) mod 26, with a different key letter for each position
• One-time pad
– Perfect secrecy (Shannon's theorem)
– No integrity
• Block ciphers – Playfair (substitutes pairs of letters)
• One-way functions
Formal Classifications
• Type of operation
– Substitution
– Transposition
• Number of keys used
– Symmetric (one key, private)
– Asymmetric (two keys, public and private)
• Mode of plain-text processing
– Block vs. stream
Cryptanalysis
• Attacks (classified by what the attacker has)
– Known plain text
– Chosen plain text
– Chosen cipher text
• Security
– Unconditionally secure (cannot be broken even with unlimited computation)
– Computationally secure (breaking it exceeds the attacker's resources or the value of the data)
Block Ciphers
• A block of plain text is converted into a block of cipher text of equal length
• Based on the Feistel block structure
– Unique transformation
– Reversible
• Small blocks are vulnerable to attacks (codebook-style analysis); very large blocks are impractical to implement
Feistel Cipher (FC)
• Based on product ciphers – alternate substitutions and permutations
• Shannon's proposal
– Diffusion: dissipate the plain-text statistics into long-range cipher-text statistics
• Example: an averaging operation on characters, or a permutation of the binary bits followed by some operations
– Confusion: make the relationship between the key and the cipher text as complex as possible, so that deducing the key is difficult
FC Structure
• Multiple rounds
– Round function (based on the round key)
– Substitution (XOR of the round function output into one half)
– Permutation (exchange of halves)
• Parameters
– Block size (e.g. 64 bits)
– Key size (e.g. 128 bits)
– Number of rounds (e.g. 16)
– Sub-key generation algorithm
– Round function
DES
[figure, recovered as text: plain text is encrypted with the secret key to give cipher text; the cipher text is decrypted with the same secret key to recover the plain text]
DES
• Historically the most widely used block cipher in the world
• IBM's LUCIFER was the precursor
• One of the largest users of DES is the banking industry, particularly for EFT
• Although the standard is public, the design criteria used were classified
DES Security
• Later analysis has shown that DES is well designed (diffusion and confusion)
• Rapid advances in computing speed, though, have rendered the 56-bit key susceptible to exhaustive key search
– 1997: on a large network of computers, in a few months
– 1998: on dedicated hardware, in a few days
– 1999: the two combined, in 22 hours
• DES is also theoretically broken using differential or linear cryptanalysis
• In practice those analytic attacks are unlikely to be a problem; the short key is the real weakness
Overview of DES Encryption
• The basic process consists of:
– An initial permutation (IP)
– 16 rounds of a complex key-dependent calculation F
– A final permutation, the inverse of IP
DES Structure
• 64-bit key (56 key bits + 8 parity bits), 16 rounds
[figure, recovered as text: initial permutation, then rounds 1..16, each fed a subkey K_i derived from the 56-bit key, then the final permutation]
• Each round splits the 64-bit block into halves L_{i-1}, R_{i-1} and computes
  L_i = R_{i-1}
  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
Initial Permutation
• No improvement in security; it only makes the cipher more complex
• IP (read row by row; entry k names the input bit that becomes output bit k):
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7
DES Key Generation
• The sub-keys used in each round are formed by
– An initial permutation of the key (PC1), which drops the 8 parity bits and selects 56 bits in two 28-bit halves
– 16 stages, each consisting of:
• rotating each half separately by 1 or 2 places, depending on the key rotation schedule KS
• selecting 24 bits from each half and permuting them by PC2, for use in function f
• Can be described functionally as: SK_i = PC2(KS(PC1(Key), i))
Expansion Function E
• Expands the right-hand 32-bit data input to 48 bits by duplicating some bits
• Specifically, split the input into 8 groups of 4 bits
• Duplicate the neighbouring bit from either side to form groups of 6 bits
Substitution (S) Boxes
• 8 S-boxes, each of which maps 6 bits to 4 bits
• Each S-box is actually 4 little 4-bit boxes
• Outer bits 1 and 6 (row bits) select one of the 4 rows
• Inner bits 2-5 (column bits) are substituted for 4 others
DES Decryption
• To decrypt a block of data, all steps of the data computation must be unwound
• With the Feistel design, this is the same as doing the encryption steps again
• Except that the subkeys must be used in reverse order (SK16 first, then SK15, ...)
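An added example, not part of the lecture or of DES itself: a toy 64-bit Feistel network that implements the round equations of the FC Structure slide and shows why decryption is the same network with the subkeys reversed. The round function and key schedule are placeholders (a truncated SHA-256; an assumption of this example), not DES's E/S-box/P or PC1/PC2; the key and block are constructed.

```python
from __future__ import annotations
import hashlib

BLOCK_BYTES = 8     # 64-bit block, as in DES
HALF = BLOCK_BYTES // 2
ROUNDS = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(right: bytes, subkey: bytes) -> bytes:
    """Toy F (assumption; DES uses E, the S-boxes and P instead): a keyed hash
    truncated to half a block. F is NOT invertible and need not be, because the
    Feistel structure is reversible regardless of F."""
    return hashlib.sha256(subkey + right).digest()[:HALF]


def expand_key(key: bytes, rounds: int = ROUNDS) -> list[bytes]:
    """Toy key schedule (assumption; not DES's PC1/PC2 rotations): one 48-bit subkey per round."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(rounds)]


def feistel(block: bytes, subkeys: list[bytes]) -> bytes:
    """Run the network: L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i) for each subkey,
    then undo the last exchange of halves (the 'final swap' of DES)."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("block must be exactly 64 bits")
    left, right = block[:HALF], block[HALF:]
    for k in subkeys:
        left, right = right, xor(left, round_function(right, k))
    return right + left


def encrypt(block: bytes, key: bytes) -> bytes:
    return feistel(block, expand_key(key))


def decrypt(block: bytes, key: bytes) -> bytes:
    """Same network, subkeys in reverse order (K_16 first)."""
    return feistel(block, list(reversed(expand_key(key))))


def hamming_distance(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(key: bytes, block: bytes, bit: int = 0) -> int:
    """How many of the 64 cipher-text bits change when one plain-text bit is flipped."""
    flipped = bytearray(block)
    flipped[bit // 8] ^= 1 << (bit % 8)
    return hamming_distance(encrypt(block, key), encrypt(bytes(flipped), key))


if __name__ == "__main__":
    key = b"constructed-key"          # constructed sample key
    pt = b"8bytes!!"                  # constructed 64-bit plain-text block
    ct = encrypt(pt, key)
    print(ct.hex(), decrypt(ct, key), avalanche(key, pt))
```

The trace of `decrypt` makes the slide's claim concrete: feeding (R_16, L_16) into the same loop with K_16 first reproduces (R_15, L_15), and after all rounds the final swap restores (L_0, R_0).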
Avalanche Effect
• It is desirable that a small change either in the plain text or in the key produces a large change in the cipher text
• DES shows strong avalanche: flipping one input bit changes about half of the output bits after a few rounds
Advanced Encryption Standard (AES)
Origins of AES
• In 1999, NIST issued a revised standard (FIPS 46-3) that said 3DES should be used
– 168-bit key length
– The algorithm is the same as DES, applied three times
• 3DES had drawbacks
– The algorithm is sluggish in software
– It only uses a 64-bit block size
Origins of AES (cont'd)
• In 1997, NIST issued a call for proposals for AES
– Security strength >= 3DES
– Improved efficiency
– Must be a symmetric block cipher with a 128-bit block
– Key lengths of 128, 192, and 256 bits
Origins of AES (cont'd)
• First round of evaluation – 15 proposed algorithms accepted
• Second round – 5 finalists: Rijndael, Serpent, Twofish, RC6, and MARS
• Final standard (FIPS 197) – November 2001, Rijndael selected as the AES algorithm
The AES Cipher
• Block length is 128 bits
• Key length is 128, 192, or 256 bits
• NOT a Feistel structure
• Processes the entire block in parallel during each round using substitutions and permutations
• The key provided as input is expanded into an array of 32-bit words w[i] (forty-four words for a 128-bit key)
• Four distinct words serve as the round key (128 bits)
Key/Block Size
                                    AES-128     AES-192     AES-256
Key size (words/bytes/bits)         4/16/128    6/24/192    8/32/256
Plaintext block size (words/bytes/bits)  4/16/128    4/16/128    4/16/128
Number of rounds                    10          12          14
Round key size (words/bytes/bits)   4/16/128    4/16/128    4/16/128
Expanded key size (words/bytes)     44/176      52/208      60/240
AES-128 Encryption and Decryption
[figure, recovered as text]
• Expand Key: the 16-byte key is expanded into words w[0..43]; each round key is four consecutive words
• Encryption
– Add Round Key (w[0,3])
– Rounds 1-9: Substitute Bytes, Shift Rows, Mix Columns, Add Round Key (w[4i, 4i+3])
– Round 10: Substitute Bytes, Shift Rows, Add Round Key (w[40,43])
• Decryption (the same round keys, used in reverse order)
– Add Round Key (w[40,43])
– Rounds 1-9: Inverse Shift Rows, Inverse Sub Bytes, Add Round Key, Inverse Mix Cols
– Round 10: Inverse Shift Rows, Inverse Sub Bytes, Add Round Key (w[0,3])
Encryption Rounds
– Four different stages (1 permutation, 3 substitutions)
• Substitute bytes – uses an S-box to perform byte-by-byte substitution of the block
• Shift rows – a simple permutation
• Mix columns – a substitution using arithmetic over GF(2^8)
• Add round key – bitwise XOR of the current block and a portion of the expanded key
– For both encryption and decryption: start with add round key, followed by nine rounds of four stages, plus a tenth round of three stages (no mix columns)
Round Features
– Only add round key makes use of the key
• All other stages are reversible without knowledge of the key
– Add round key alone is not formidable (it is just a one-time-pad-style XOR)
• The other three stages add diffusion, confusion, and nonlinearity
– Each stage is reversible
• SB, SR and MC use an inverse function
• ARK uses XOR, which is its own inverse
– Decryption uses the expanded keys in reverse order
Substitute Bytes
• Forward substitute byte transformation
• Uses a table lookup (S-box), which is a permutation of all 256 8-bit values
• Each byte of the state is mapped to a new byte:
– Leftmost 4 bits = row
– Rightmost 4 bits = column
SB Transformation
[figure, recovered as text: each byte s_{r,c} of the 4x4 state is replaced by S-box[s_{r,c}], the byte's high nibble x selecting the S-box row and its low nibble y the column]
SB (cont'd)
• Inverse
– The inverse substitute byte transformation makes use of an inverse S-box
• Rationale
– The S-box is designed to be resistant to cryptanalytic attacks
– Its output cannot be described as a simple mathematical function of its input (low correlation between input and output bits)
Shift Row Transformation
• First row – not altered
• Second row – 1-byte circular left shift
• Third row – 2-byte circular left shift
• Fourth row – 3-byte circular left shift
SR Transformation
[figure, recovered as text: state before and after Shift Rows]
s0,0 s0,1 s0,2 s0,3   ->   s0,0 s0,1 s0,2 s0,3
s1,0 s1,1 s1,2 s1,3   ->   s1,1 s1,2 s1,3 s1,0
s2,0 s2,1 s2,2 s2,3   ->   s2,2 s2,3 s2,0 s2,1
s3,0 s3,1 s3,2 s3,3   ->   s3,3 s3,0 s3,1 s3,2
SR (cont'd)
• Inverse – performs the circular shifts in the opposite direction
• Rationale – the transformation ensures that the 4 bytes of one column are spread out to four different columns
Mix Column Transformation
• Operates on each column individually
– Each byte of a column is mapped to a new value that is a function of all four bytes in that column
– Each element in the product matrix is the sum of the products of the elements of one row and one column
– Additions and multiplications are performed in GF(2^8)
Mix Column Transformation
[figure, recovered as text: each column of the state is multiplied by a fixed matrix over GF(2^8)]
| 2 3 1 1 |   | s0,c |   | s'0,c |
| 1 2 3 1 | x | s1,c | = | s'1,c |
| 1 1 2 3 |   | s2,c |   | s'2,c |
| 3 1 1 2 |   | s3,c |   | s'3,c |
Mix Columns (cont'd)
• Inverse – uses the inverse transform matrix to reverse the mix column transformation
• Rationale
– Ensures good mixing among the bytes of each column
– Combined with shift rows, ensures that all output bits depend on all input bits
Add Round Key
• The 128 bits of state are bitwise XORed with the 128 bits of the round key
• Column-wise operation between the 4 bytes of a state column and one word of the round key
– Byte-level operation
Add Round Key Transformation
[figure, recovered as text: the round key words w_i, w_{i+1}, w_{i+2}, w_{i+3} are XORed column-wise into the state]
s'_{r,c} = s_{r,c} XOR (byte r of w_{i+c}),  r, c = 0..3
Add Round Key
• Inverse – identical to the forward add round key transformation
• Rationale – the complexity of the round key expansion, together with the other stages, ensures security
AES Key Expansion
• Key expansion algorithm
– Takes as input a 4-word (16-byte) key
– Produces a linear array of 44 words (176 bytes)
– Provides a 4-word round key for each of the 10 rounds of the cipher, plus 1 additional add round key
AES Key Expansion
[figure, recovered as text: key bytes k0..k15 form the words w0..w3 (w0 = k0 k1 k2 k3, w1 = k4 k5 k6 k7, ...); then w4 = w0 XOR g(w3), w5 = w1 XOR w4, w6 = w2 XOR w5, w7 = w3 XOR w6, and likewise for each following group of four words]
Function g (applied to the previous word whenever a new group of four words starts):
1. One-byte circular left shift on the word, so [b0, b1, b2, b3] becomes [b1, b2, b3, b0]
2. Byte substitution of each byte using the S-box
3. XOR the result of 1 and 2 with a round constant (x^{i-1} in GF(2^8) in the first byte, zero elsewhere)
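An added example (not the lecture's code and not any library's) covering the Mix Column, Shift Row, Add Round Key and Key Expansion slides above: GF(2^8) arithmetic, the S-box computed from its definition (inverse plus affine transform) instead of being typed in, MixColumns with its inverse matrix, and the AES-128 key schedule with the function g. The checks use the worked values in FIPS 197 ({57}•{83} = {c1}, the column d4 bf 5d 30, and the key 2b 7e 15 16 ...).

```python
from __future__ import annotations
from functools import reduce
from operator import xor


def xtime(b: int) -> int:
    """Multiply a byte by x (i.e. by 2) in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def gmul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse a^254 (since a^255 = 1 for a != 0); the inverse of 0 is taken as 0."""
    r, p = 1, a
    for _ in range(7):            # accumulate a^2 * a^4 * ... * a^128 = a^254
        p = gmul(p, p)
        r = gmul(r, p)
    return r


def sbox_byte(a: int) -> int:
    """S-box entry: GF(2^8) inverse followed by the affine transform over GF(2)."""
    b = gf_inv(a)
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63


SBOX = [sbox_byte(i) for i in range(256)]
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i

# The state is a 4x4 list of rows: state[r][c] = s_{r,c}
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def mix_column(col: list[int], matrix=MIX) -> list[int]:
    """One column times the fixed matrix; products in GF(2^8), sums are XOR."""
    return [reduce(xor, (gmul(m, c) for m, c in zip(row, col))) for row in matrix]


def mix_columns(state, matrix=MIX):
    cols = [mix_column([state[r][c] for r in range(4)], matrix) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def shift_rows(state):
    """Row r is rotated left by r bytes."""
    return [state[r][r:] + state[r][:r] for r in range(4)]


def inv_shift_rows(state):
    """Rotate right by r, i.e. left by 4 - r."""
    return [state[r][4 - r:] + state[r][:4 - r] for r in range(4)]


def rcon(i: int) -> int:
    """Round constant x^(i-1) in GF(2^8): 01, 02, 04, ..., 80, 1b, 36."""
    r = 1
    for _ in range(i - 1):
        r = xtime(r)
    return r


def g(word: list[int], i: int) -> list[int]:
    """Key-schedule function g: RotWord, SubWord, XOR the round constant into the first byte."""
    w = [SBOX[b] for b in word[1:] + word[:1]]
    w[0] ^= rcon(i)
    return w


def expand_key(key: bytes) -> list[list[int]]:
    """AES-128 key expansion: 16 key bytes -> 44 words w[0..43] (11 round keys)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = g(t, i // 4)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return w


def round_key(w: list[list[int]], rnd: int) -> list[list[int]]:
    """Round key rnd as a 4x4 state: word w[4*rnd + c] is column c."""
    return [[w[4 * rnd + c][r] for c in range(4)] for r in range(4)]


def add_round_key(state, rk):
    return [[state[r][c] ^ rk[r][c] for c in range(4)] for r in range(4)]
```

Computing the S-box from its definition is also how an implementation can self-check a hard-coded table against tampering; and `mix_column` with `INV_MIX` shows concretely why decryption needs a different matrix while `add_round_key` is its own inverse.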
Decryption
• Not identical to encryption
• An equivalent structure exists (the inverse cipher)
• May need different implementations if both encryption and decryption are needed
• Quite often only encryption is needed, e.g. when the block cipher is used inside a digest or MAC construction
Modern Stream Ciphers
Block vs. Stream
• Block ciphers
– Process plain text in relatively large blocks (e.g. 64 bits or more)
– The same function is used to encrypt successive blocks: memoryless
• Stream ciphers
– Process plain text in small blocks, and the encryption function may vary as the plain text is processed: they have memory
– Sometimes called state ciphers, since encryption depends not only on the key and the plain text but also on the current state
One-Time Pad
• Provably secure, provided that
– The key is generated independently and randomly
– The key is as long as the plain text
– A key stream is never, ever reused
• No integrity checks: flipping a cipher-text bit flips the corresponding plain-text bit
• If two messages are encrypted by XOR with the same key, combining the cipher texts removes the effect of the key and leaves the XOR of the two plain texts, which can be attacked like a running-key (book) cipher:
  C1_i = M1_i ⊕ K_i
  C2_i = M2_i ⊕ K_i
  C1_i ⊕ C2_i = M1_i ⊕ K_i ⊕ M2_i ⊕ K_i = M1_i ⊕ M2_i
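An added example (not from the lecture) of the key-reuse derivation above: two messages under one pad, the key cancelled out, and a crib-dragging loop that recovers plain text from M1 ⊕ M2 without ever seeing the key. The messages and the crib are constructed.

```python
from __future__ import annotations
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    """One-time pad: C_i = M_i XOR K_i. Secure only if the key is random, at least as
    long as the message, and used exactly once. Decryption is the same call."""
    if len(key) < len(message):
        raise ValueError("pad must be at least as long as the message")
    return xor_bytes(message, key[:len(message)])


def xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """Key reuse: C1 XOR C2 = M1 XOR M2, with no knowledge of the key at all."""
    return xor_bytes(c1, c2)


def crib_drag(m1_xor_m2: bytes, crib: bytes) -> list[tuple[int, str]]:
    """Slide a guessed fragment of one message (a 'crib') along M1 XOR M2. Wherever
    the crib really occurs in either message, XORing it in exposes the other
    message's bytes at that offset; readable ASCII marks the plausible hits."""
    hits = []
    for off in range(len(m1_xor_m2) - len(crib) + 1):
        guess = xor_bytes(m1_xor_m2[off:off + len(crib)], crib)
        if all(32 <= b < 127 for b in guess):
            hits.append((off, guess.decode("ascii")))
    return hits


# Constructed sample traffic: two equal-length messages sent under the same pad.
M1 = b"attack at dawn on monday"
M2 = b"retreat to base at night"
KEY = os.urandom(len(M1))
C1, C2 = otp_encrypt(M1, KEY), otp_encrypt(M2, KEY)


def recover_xor() -> bytes:
    return xor_of_plaintexts(C1, C2)


if __name__ == "__main__":
    for off, text in crib_drag(recover_xor(), b" at "):
        print(f"offset {off:2d}: {text!r}")
```

The crib " at " lands at offset 6 in M1 and exposes "t to" from M2, and at offset 15 in M2 exposes "on m" from M1; an analyst extends each hit with the next likely word and repeats. Other offsets produce printable junk, which is why the loop reports candidates rather than a single answer.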
Pseudo-Random Generators
• Compromise: computationally secure instead of unconditionally secure
– Instead of a truly random key, use a pseudo-random sequence generated from a short key (seed)
– The generated stream must be statistically random, and knowing part of the sequence must not be enough to predict the rest
• The PRG may be controlled just by the key, which influences:
– the next-state function (output feedback mode)
– the output function (counter mode)
• The PRG may be controlled by both data and key:
– the output function (cipher feedback mode)
Synchronous Stream Ciphers
• Keystream generated independently of plaintext and of ciphertext
[figure, recovered as text]
  next-state:  s_{i+1} = f(k, s_i)
  keystream:   z_i = g(k, s_i)
  encryption:  c_i = h(z_i, m_i)        (for a binary additive cipher, c_i = m_i XOR z_i)
  decryption:  m_i = h^{-1}(z_i, c_i)   (the receiver runs the same f and g)
Synchronous Ciphers (cont'd)
– Both sender and receiver must be synchronized: using the same key and operating at the same position in the key stream
• If synchronization is lost due to inserted or deleted cipher text, decryption fails from that point on
• No error propagation: a cipher-text digit modified during transmission does not affect the decryption of other cipher-text digits
– Active attacks: the insertion, deletion, or replay of cipher-text digits by an active adversary causes immediate loss of synchronization (which may be detectable); a flipped digit, however, only flips the corresponding plain-text digit, so integrity needs a separate mechanism
Self-synchronizing Ciphers
• Keystream generated as a function of the key and a fixed number t of previous ciphertext digits
[figure, recovered as text]
  z_i = g(k, c_{i-t}, ..., c_{i-1}),  c_i = h(z_i, m_i)
Linear Feedback Shift Registers
• LFSRs
– Well suited to hardware implementation
– Can produce sequences of large period (up to 2^L - 1 for an L-bit register with a primitive feedback polynomial)
– Can produce sequences with good statistical properties
[figure, recovered as text: an L-stage register with feedback coefficients c_1, c_2, ..., c_L; the next bit is s_j = c_1 s_{j-1} ⊕ c_2 s_{j-2} ⊕ ... ⊕ c_L s_{j-L}]
LFSRs (cont'd)
• A single LFSR is linear and therefore weak: its feedback polynomial can be recovered from 2L consecutive output bits, so several registers are combined
[figure, recovered as text: LFSR-L1, LFSR-L2, ..., LFSR-Ln feed a nonlinear combiner function F, whose output is the keystream]
• F should be balanced, non-linear and correlation immune
General Stream Cipher Criteria
• Long period with no repetitions
• Statistically random
• Large linear complexity (the length of the shortest equivalent LFSR)
• Correlation immunity (there is a trade-off with linear complexity)
• Confusion (output bits depend on all key bits)
• Diffusion
• Use of highly non-linear Boolean functions
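An added example (not from the lecture) for the LFSR, nonlinear-combiner and linear-complexity slides: a Fibonacci LFSR, a period check, the Berlekamp-Massey algorithm to measure linear complexity from output bits alone, and the effect of combining two registers with XOR versus AND. The two feedback polynomials (x^3 + x + 1 and x^4 + x^3 + 1) are constructed choices.

```python
from __future__ import annotations


def lfsr_bits(taps: list[int], state: list[int], n: int) -> list[int]:
    """Fibonacci LFSR. state = [s_0, ..., s_{L-1}]; taps lists the j with
    s_t = XOR_j s_{t-j}, i.e. the nonzero c_j of the feedback polynomial. Returns n bits."""
    L, s, out = len(state), list(state), []
    for _ in range(n):
        out.append(s[0])
        new = 0
        for j in taps:
            new ^= s[L - j]
        s = s[1:] + [new]
    return out


def lfsr_period(taps: list[int], state: list[int]) -> int:
    """Steps until the register returns to its initial state (at most 2^L - 1)."""
    L, s = len(state), list(state)
    for t in range(1, 2 ** L):
        new = 0
        for j in taps:
            new ^= s[L - j]
        s = s[1:] + [new]
        if s == list(state):
            return t
    raise ValueError("no cycle found (all-zero state?)")


def berlekamp_massey(bits: list[int]) -> tuple[int, list[int]]:
    """Linear complexity L of a bit sequence and the connection polynomial
    c = [1, c_1, ..., c_L] of the shortest LFSR that generates it. Needs 2L bits."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = bits[i]                          # discrepancy between prediction and bit i
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t, shift = c[:], i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


# Constructed registers: x^3 + x + 1 (taps [2, 3]) and x^4 + x^3 + 1 (taps [1, 4]),
# both primitive, so each produces an m-sequence of period 2^L - 1.
R1 = ([2, 3], [1, 0, 0])
R2 = ([1, 4], [1, 0, 0, 0])


def combined(n: int, op) -> list[int]:
    """Combiner F applied bit-wise to the two register outputs."""
    a, b = lfsr_bits(*R1, n), lfsr_bits(*R2, n)
    return [op(x, y) for x, y in zip(a, b)]


def linear_complexity(bits: list[int]) -> int:
    return berlekamp_massey(bits)[0]


if __name__ == "__main__":
    print("period of R2:", lfsr_period(*R2))
    print("recovered LFSR from 40 bits:", berlekamp_massey(lfsr_bits(*R2, 40)))
    print("LC of XOR combiner:", linear_complexity(combined(200, lambda x, y: x ^ y)))
    print("LC of AND combiner:", linear_complexity(combined(200, lambda x, y: x & y)))
```

Berlekamp-Massey recovers the 4-bit register exactly from 40 output bits, which is the attack a bare LFSR keystream invites. XORing the two registers only adds their complexities (3 + 4 = 7), while the nonlinear AND multiplies them (3 x 4 = 12), which is the point of the nonlinear combiner; the AND output is unbalanced, however, which is the correlation-immunity trade-off the slide mentions.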
RC4
• Proprietary cipher owned by RSA Security (the design leaked in 1994)
• Variable key size, byte-oriented stream cipher
• Widely used (web SSL/TLS, wireless WEP), though now deprecated for both
• The key forms a random-looking permutation of all 8-bit values
• Uses that permutation to scramble input processed one byte at a time
RC4 Key Schedule
• Starts with an array S of the numbers 0..255
• S forms the internal state of the cipher
• Given a key k of length l bytes:
  for i = 0 to 255 do
      S[i] = i
  j = 0
  for i = 0 to 255 do
      j = (j + S[i] + k[i mod l]) mod 256
      swap(S[i], S[j])
Stream Generation
• Encryption continues shuffling the array values:
  i = j = 0
  for each message byte M_i
      i = (i + 1) mod 256
      j = (j + S[i]) mod 256
      swap(S[i], S[j])
      t = (S[i] + S[j]) mod 256
      C_i = M_i XOR S[t]
RC4 Security Issues
• The first group of outputs correlates with the key
• Should discard at least the first 256 outputs
• Should never reuse a key (or, as in WEP, a key/IV combination)
• After a few GB of output, some values occur slightly too often (statistical biases)
WEP Encryption
• The mobile station shares a key with the access point
• Transmitting a message M
– Compute a checksum C(M) (a CRC-32) of M and append it to M
– Generate the keystream as RC4(IV, Key), i.e. RC4 keyed with IV || Key
– XOR <M, C(M)> with the keystream
– Transmit the IV (in clear) and the cipher text
• Upon receiving, reverse the steps and check the checksum
WEP (cont'd)
• Key length = 40 bits, IV length = 24 bits (RC4 seed = IV || key, 64 bits)
[figure, recovered as text]
  Keystream = RC4(IV, k)
  Cipher text = (Message || CRC) XOR Keystream
  Frame on the air = IV || Cipher text
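An added example (not from the lecture): RC4 as on the key-schedule and stream-generation slides, checked against the well-known test vectors "Key"/"Plaintext" and "Wiki"/"pedia", plus the WEP encapsulation just described. The last function shows the caveat a practitioner should take from the word "checksum": CRC-32 is linear, so a frame can be altered in transit and its encrypted CRC repaired without the key. The WEP key, IV and messages are constructed.

```python
from __future__ import annotations
import zlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm: turn the key into a permutation S of 0..255."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """Pseudo-random generation: keep shuffling S and emit S[(S[i] + S[j]) mod 256].
    drop > 0 discards the first bytes, whose values correlate with the key."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(drop + n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out[drop:])


def rc4(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return xor(data, rc4_keystream(key, len(data), drop))


def wep_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """WEP encapsulation: append CRC-32 of M, XOR <M, CRC> with RC4(IV || key), prepend the IV in clear."""
    icv = zlib.crc32(msg).to_bytes(4, "little")
    return iv + rc4(iv + key, msg + icv)


def wep_decrypt(key: bytes, frame: bytes) -> tuple[bytes, bool]:
    """Reverse the steps; the boolean says whether the CRC checked out."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key, body)
    msg, icv = plain[:-4], plain[-4:]
    return msg, zlib.crc32(msg).to_bytes(4, "little") == icv


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attacker without the key changes M to M XOR delta and repairs the encrypted CRC.
    Works because CRC-32 is affine: crc(m ^ d) = crc(m) ^ crc(d) ^ crc(zeros), and XOR
    commutes with the stream cipher, so a linear checksum gives no integrity at all."""
    crc_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    patch = delta + crc_delta.to_bytes(4, "little")
    return frame[:3] + xor(frame[3:], patch)


# Constructed 40-bit WEP key, IV and sample frame.
WEP_KEY = bytes.fromhex("0123456789")
SAMPLE_IV = bytes.fromhex("a1b2c3")
SAMPLE_MSG = b"PAY 0010 TO BOB"


def tamper_demo() -> tuple[bytes, bool]:
    """Change '0010' to '9910' in transit without knowing WEP_KEY."""
    frame = wep_encrypt(WEP_KEY, SAMPLE_IV, SAMPLE_MSG)
    delta = bytearray(len(SAMPLE_MSG))
    delta[4] = delta[5] = ord("0") ^ ord("9")
    return wep_decrypt(WEP_KEY, flip_bits(frame, bytes(delta)))


if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())
    print(tamper_demo())
```

Because the keystream is fixed by (IV, key), two frames that reuse an IV XOR to the XOR of their plain texts, exactly the one-time-pad reuse shown earlier; with only 2^24 IVs that happens quickly on a busy network.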
A5 Algorithm
• Stream cipher used to encrypt GSM phone traffic
• Has several variants (A5, A5/1, A5/2)
• A5/1 uses 3 LFSRs of 19, 22 and 23 bits with sparse feedback polynomials
– All have been broken (A5/2 in Aug 1999, A5/1 in Apr 2000)
– The basic attack has complexity 2^40: guess the state of LFSRs 1 and 2, then try to determine LFSR 3 from the keystream
– The real problem is that the registers are too small and the feedback polynomials are sparse
Public-Key Cryptography
Asymmetric Encryption
Private-Key Encryption
• Traditional private/secret/single-key cryptography uses one key shared by both sender and receiver
• If this key is disclosed, communications are compromised
• Symmetric: the parties are equal
• Does not protect the sender from the receiver forging a message and claiming it was sent by the sender
Public-Key Cryptography
• Involves the use of two keys:
– A public key, which may be known by anybody, and can be used to encrypt messages and verify signatures
– A private key, known only to the owner, used to decrypt messages and sign (create) signatures
• Asymmetric: the parties are not equal
• Clever application of number theory
• Single most significant advance in the 3000-year history of cryptography
Basic Principle
• The public key is easily computed from the private key and other information about the cipher (a polynomial-time problem)
• However, knowing the public key and the public description of the cipher, it is still computationally infeasible to compute the private key (no polynomial-time algorithm is known; this is an assumption, not a proof)
• The public key may be distributed to anyone wishing to communicate securely with its owner
– Secure (authentic) distribution of the public key is a non-trivial problem
Classes of Public-Key Algorithms
• Public-key distribution schemes (PKDS)
• Public-key encryption (PKE)
– Used to encrypt any arbitrary message
– Anyone can use the public key to encrypt a message
– The owner uses the private key to decrypt the messages
– Any public-key encryption scheme can be used as a PKDS by using the session key as the message
• Signature schemes
– Sign with the private key (in RSA, the private-key operation applied to the message or its hash) and verify with the public key
Diffie-Hellman Key Exchange
• One of the first public-key systems
– Mainly used for key exchange
– Does not do any encryption as such
– Modified versions are used in IPsec
(More on this when we discuss key distribution)
RSA Scheme
• Best known and widely regarded as the most practical public-key scheme
• Proposed by Rivest, Shamir and Adleman (RSA) in 1977
• Based on modular exponentiation over the integers modulo N, where N is the product of two large primes
• Security relies on the difficulty of factoring large numbers
RSA Setup
• First, each user generates their public/private key pair by:
– Selecting two large primes at random (~100 digits each), p and q
– Computing their system modulus N = p.q
– Selecting at random the encryption exponent e, where e < N and gcd(e, ø(N)) = 1, with ø(N) = (p-1)(q-1)
– Solving the congruence e.d = 1 mod ø(N), 0 < d < ø(N), to find the decryption exponent d
• Public encryption key = {e, N}
• Private decryption key = {d, p, q}
RSA Parameter Selection
• Choose large p, q
• Choose the encryption exponent e to be a small number
– Typically e may be the same for all users
– Originally a value of 3 was suggested; now regarded as too small (see the low-exponent attacks below)
– 65537 (2^16 + 1) is the usual choice today
– Note that the decryption exponent d will then be large
Sample RSA
• Choose modulus N = 11 * 47 = 517
• Compute ø(N) = (p-1)(q-1) = 10 * 46 = 460
• Choose encryption exponent e = 3
• Check gcd(3, ø(N)) = gcd(3, 460) = 1
• Compute the decryption exponent d by solving e.d = 1 mod ø(N), 0 < d < ø(N): d = Inverse(3, 460) = 307 (check: 3 * 307 = 921 = 2 * 460 + 1)
• Public key: K = (3, 517)
• Private key: K^-1 = (307, 11, 47)
Example (cont'd)
• Given message M = 26
• Encryption: C = 26^3 mod 517 = 17576 mod 517 = 515
• Decryption: M = 515^307 mod 517 = 26
How Does It Work?
• Euler's theorem
• The multiplicative group of Z_n, denoted Z*_n, is the subset of elements of Z_n relatively prime to n
• The totient function of n, denoted Φ(n), is the size of Z*_n
• For each element x of Z*_n, we have x^Φ(n) mod n = 1
Totient for the RSA "n"
For primes p and q, n = pq and Φ(n) = Φ(pq):
– Numbers in 1..n that are not relatively prime to n:
  p, 2p, 3p, ..., (q - 1)p : q - 1 of them
  q, 2q, 3q, ..., (p - 1)q : p - 1 of them
  and n itself
Φ(n) = pq - 1 - (q - 1) - (p - 1)
     = pq - (p + q) + 1
     = (p - 1)(q - 1) = Φ(p) Φ(q)
Encryption/Decryption
• C = M^e mod n (encryption)
• Decryption: C^d mod n = M^(ed) mod n = M^(kΦ(n)+1) mod n = M, because e.d = 1 mod Φ(n) means e.d = kΦ(n) + 1 for some integer k
– Immediate from Euler's theorem when gcd(M, n) = 1; it also holds for the remaining M (multiples of p or q), by checking the identity modulo p and modulo q separately and applying the Chinese remainder theorem
Security of RSA
• Brute force – trying all possible private keys
• Mathematical attacks – equivalent to factoring the product of two primes
• Timing attacks – based on the running time of the decryption algorithm, which depends on the bits of the private exponent unless the implementation is blinded
Attacks on the Protocol
• Chosen cipher-text attack (exploits the multiplicative property E(M1).E(M2) = E(M1.M2))
• Common modulus attack (two users sharing N with different exponents e1, e2)
• Low encryption exponent attack (e.g. e = 3 with a small message) and low decryption exponent attack (Wiener's attack)
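An added example (not from the lecture): the RSA setup and the sample key (3, 517) / (307, 11, 47) from the slides above, the Euler's-theorem check, and two of the protocol attacks just listed, the common-modulus attack and the low-encryption-exponent attack. The primes 65537 and 104729 used for the low-exponent demo are constructed choices (real keys use primes of hundreds of digits).

```python
from __future__ import annotations
from math import gcd


def egcd(a: int, b: int) -> tuple[int, int, int]:
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a: int, m: int) -> int:
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}")
    return x % m


def rsa_keygen(p: int, q: int, e: int = 65537) -> tuple[tuple[int, int], tuple[int, int, int]]:
    """Public key (e, N) and private key (d, p, q) from two primes, as in 'RSA Setup'."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(N)")
    return (e, n), (modinv(e, phi), p, q)


def rsa_encrypt(pub: tuple[int, int], m: int) -> int:
    e, n = pub
    return pow(m, e, n)


def rsa_decrypt(priv: tuple[int, int, int], c: int) -> int:
    d, p, q = priv
    return pow(c, d, p * q)


def iroot(x: int, k: int) -> int | None:
    """Exact integer k-th root of x, or None if x is not a perfect k-th power."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** k < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** k == x else None


def low_exponent_attack(pub: tuple[int, int], c: int) -> int | None:
    """Small e (here 3) and a short message: if m^e < N no modular reduction happened,
    so the cipher text is literally m^e and an integer root recovers m without d."""
    e, n = pub
    return iroot(c, e)


def common_modulus_attack(pub1, pub2, c1: int, c2: int) -> int:
    """Two users share N with coprime exponents e1, e2 and receive the same m:
    from a*e1 + b*e2 = 1 we get c1^a * c2^b = m^(a*e1 + b*e2) = m (mod N)."""
    (e1, n), (e2, n2) = pub1, pub2
    if n != n2:
        raise ValueError("attack needs a common modulus")
    g, a, b = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents must be coprime")
    if a < 0:                       # negative exponent: use the modular inverse of c1
        c1, a = modinv(c1, n), -a
    if b < 0:
        c2, b = modinv(c2, n), -b
    return pow(c1, a, n) * pow(c2, b, n) % n


if __name__ == "__main__":
    pub, priv = rsa_keygen(11, 47, e=3)          # the slides' sample key
    print(pub, priv, rsa_encrypt(pub, 26), rsa_decrypt(priv, 515))
    big_pub, _ = rsa_keygen(65537, 104729, e=3)
    print("cube-root attack recovers:", low_exponent_attack(big_pub, rsa_encrypt(big_pub, 1000)))
```

Both attacks are defeated by randomized padding (OAEP) rather than by a bigger key: padding makes m^e exceed N and makes two encryptions of the same message different, which is why raw "textbook" RSA as on the slides is never used directly.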