
Module 2 network and computer security

MODULE 2 MCA-501 Computer Security ADMN 2012-‘15

Dept. of Computer Science And Applications, SJCET, Palai Page 28

2.1 ADVANCED ENCRYPTION STANDARD

Symmetric block cipher, designed by Vincent Rijmen and Joan Daemen in Belgium and published by the National Institute of Standards and Technology (NIST) in December 2001.

Intended to replace DES and 3DES

DES is vulnerable to differential attacks

3DES has slow performance

NIST Evaluation Criteria

Security: The effort required to cryptanalyze the algorithm.

Cost: The algorithm should be practical in a wide range of applications.

Algorithm and Implementation Characteristics: Flexibility, simplicity etc.

SECURITY

Actual security: compared to other submitted algorithms (at the same key and block size).

Randomness: the extent to which the algorithm output is indistinguishable from a random permutation on the input block.

Soundness of the mathematical basis for the algorithm's security.

Other security factors: raised by the public during the evaluation process, including any attacks which demonstrate that the actual security of the algorithm is less than the strength claimed by the submitter.

COST

Licensing requirements: NIST intends that when the AES is issued, the algorithm(s) specified in the AES shall be available on a worldwide, non-exclusive, royalty-free basis.

Computational efficiency: The evaluation of computational efficiency will be applicable to both hardware and software implementations.

Memory requirements: The memory required to implement a candidate algorithm for both hardware and software implementations of the algorithm will also be considered during the evaluation process.

ALGORITHM AND IMPLEMENTATION CHARACTERISTICS

Flexibility: Candidate algorithms with greater flexibility will meet the needs of more users than less flexible ones.

Hardware and software suitability: A candidate algorithm shall not be restrictive in the sense that it can only be implemented in hardware.

Simplicity: A candidate algorithm shall be judged according to relative simplicity of design.


Final evaluation criteria

General Security: To assess general security, NIST relied on the public security analysis conducted by the cryptographic community.

Software Implementations: The principal concerns in this category are execution speed, performance across a variety of platforms, and variation of speed with key size.

Hardware Implementations: In some applications, such as smart cards, relatively small amounts of random-access memory (RAM) and/or read-only memory (ROM) are available for such purposes as code storage (generally in ROM).

Restricted-Space Environments: Like software, hardware implementations can be optimized for speed or for size. However, in the case of hardware, size translates much more directly into cost than is usually the case for software implementations.

Attacks on Implementations: The criterion of general security, discussed in the first bullet, is concerned with cryptanalytic attacks that exploit mathematical properties of the algorithms. There is another class of attacks that use physical measurements conducted during algorithm execution to gather information about quantities such as keys.

Encryption vs. Decryption: This criterion deals with several issues related to considerations of both encryption and decryption. If the encryption and decryption algorithms differ, then extra space is needed for the decryption.

Key Agility: Key agility refers to the ability to change keys quickly and with a minimum of resources.

Potential for Instruction-Level Parallelism: This criterion refers to the ability to exploit ILP features in current and future processors.

Other Versatility and Flexibility: Two areas fall into this category. Parameter flexibility includes ease of support for other key and block sizes and ease of increasing the number of rounds in order to cope with newly discovered attacks. Implementation flexibility refers to the possibility of optimizing cipher elements for particular environments.

AES Cipher

an iterative cipher rather than a Feistel cipher

processes data as a block of 4 columns of 4 bytes

operates on entire data block in every round

designed to have:

resistance against known attacks

speed and code compactness on many CPUs

design simplicity


AES Structure

processes data as state array

Encryption/Decryption consists of 10 rounds of processing for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys.

Except for the last round, all other rounds are identical.

Each round of processing includes

1. Byte substitution (1 S-box; byte to byte substitution)

2. Shift rows (permutation of bytes)

3. Mix columns (substitution using matrix multiply of groups)

4. Add Round Key (XOR state with a portion of the expanded key K)

The order in which these four steps are executed is different for encryption and decryption.

The input is a single 128-bit block for both encryption and decryption and is known as the in matrix.

This block is copied into a state array, which is modified at each stage of the algorithm and then copied to an output matrix.

The key is expanded into an array of key-schedule words (the w matrix).

Bytes within the in and w matrices are ordered by column.

Fig 2.1 AES Encryption and Decryption


Fig 2.2 AES Data structures

Byte Substitution

a simple substitution of each byte

uses S-box to perform a byte-by-byte substitution of State

uses one table of 16x16 bytes containing a permutation of all 256 8-bit values

each byte of state is replaced by byte indexed by row (left 4-bits) & column (right 4-bits)

e.g. byte {95} is replaced by the byte in row 9, column 5, which has value {2A}

designed to be resistant to all known attacks

Fig 2.3 Byte substitution


Shift Rows

a circular byte shift in each row

1st row is unchanged

2nd row does 1 byte circular shift to left

3rd row does 2 byte circular shift to left

4th row does 3 byte circular shift to left

decryption inverts this using circular shifts to the right

since state is processed by columns, this step permutes bytes between the columns

Fig 2.4 Shift Rows

Mix Columns

The MixColumns transformation operates at the column level; it transforms each column of the state to a new column.

Fig 2.5 Mix Columns

AddRoundKey

XORs a round-key word with each column of the state matrix.

Each column in the state matrix is XORed with a different word.

Proceeds one column at a time.

The operation in AddRoundKey is matrix addition, which in GF(2^8) is a bytewise XOR.


Fig 2.6 AddRoundkey

AES Key Expansion

creates round keys for each round.

If the number of rounds is Nr, the key-expansion routine creates Nr + 1 128-bit round keys.

takes the 128-bit (16-byte) key and expands it into an array of 44 32-bit words (52 or 60 words for 192- and 256-bit keys)

starts by copying the key into the first 4 words

Fig 2.7 words for each round

AES Decryption

AES decryption is not identical to encryption, since the steps are done in reverse.

The decryption algorithm uses the expanded key in reverse order.

All functions are easily reversible, and their inverse forms are used in decryption.

Analysis of AES

The AES is secure against all known attacks.

Various aspects of its design incorporate specific features that help provide security against specific

attacks.

There are apparently no known attacks on AES.

Implementation Aspects

• can efficiently implement on 8-bit CPU

– byte substitution works on bytes using a table of 256 entries


– shift rows is simple byte shifting

– add round key works on byte XORs

– mix columns requires matrix multiplication in GF(2^8), which works on byte values and can be simplified to use a table lookup

• can efficiently implement on 32-bit CPU

– redefine steps to use 32-bit words

– can pre-compute 4 tables of 256-words

– then each column in each round can be computed using 4 table lookups + 4 XORs

– at a cost of 16Kb to store tables

designers believe this very efficient implementation was a key factor in its selection as the AES cipher
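The following Python is an added example, not code from the lecture notes: it builds the four AES round transformations from the GF(2^8) arithmetic described above. The S-box is generated as the multiplicative inverse followed by the affine map (so the {95} to {2A} lookup from the notes can be checked), ShiftRows and MixColumns work on the column-major 16-byte state, and the four T-tables show how the 32-bit implementation gets one output column from 4 table lookups and XORs. All function names and the sample states are constructed here.

```python
# Added example (not from the lecture notes): AES round transformations built from
# GF(2^8) arithmetic. Function names and the sample states are constructed here.
from typing import List

State = List[int]  # 16 bytes in column-major order: state[row + 4*col]

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B  # reduce: x^8 = x^4 + x^3 + x + 1
        b >>= 1
    return product

def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (square-and-multiply); 0 maps to 0."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result if a else 0

def _affine(b: int) -> int:
    """S-box affine map: b xor its four left rotations xor 0x63."""
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63

SBOX = [_affine(gf_inv(x)) for x in range(256)]  # the 16x16 table of the notes
INV_SBOX = [0] * 256
for _x, _s in enumerate(SBOX):
    INV_SBOX[_s] = _x

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def sub_bytes(state: State, box: List[int] = SBOX) -> State:
    """Byte substitution; pass INV_SBOX for decryption."""
    return [box[b] for b in state]

def shift_rows(state: State) -> State:
    """Row r rotates left by r bytes, moving bytes between columns."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def inv_shift_rows(state: State) -> State:
    """Decryption undoes ShiftRows with rotations to the right."""
    return [state[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]

def mix_column(col: List[int], matrix: List[List[int]] = MIX) -> List[int]:
    """One column times the MixColumns matrix over GF(2^8); pass INV_MIX to invert."""
    out = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, col):
            acc ^= gf_mul(coeff, byte)
        out.append(acc)
    return out

def mix_columns(state: State, matrix: List[List[int]] = MIX) -> State:
    return [b for c in range(4) for b in mix_column(state[4 * c:4 * c + 4], matrix)]

def add_round_key(state: State, round_key: State) -> State:
    """Matrix addition in GF(2^8) is a bytewise XOR."""
    return [s ^ k for s, k in zip(state, round_key)]

def _pack(col: List[int]) -> int:
    return (col[0] << 24) | (col[1] << 16) | (col[2] << 8) | col[3]

def _t_table(i: int) -> List[int]:
    """T_i[x] = MixColumns of a column holding S[x] in row i and zeros elsewhere."""
    table = []
    for x in range(256):
        col = [0, 0, 0, 0]
        col[i] = SBOX[x]
        table.append(_pack(mix_column(col)))
    return table

T = [_t_table(i) for i in range(4)]  # 4 tables of 256 32-bit words (1 KB each)

def round_column_ttable(state: State, c: int) -> int:
    """Output column c of SubBytes->ShiftRows->MixColumns with 4 lookups and 3 XORs."""
    return (T[0][state[0 + 4 * c]]
            ^ T[1][state[1 + 4 * ((c + 1) % 4)]]
            ^ T[2][state[2 + 4 * ((c + 2) % 4)]]
            ^ T[3][state[3 + 4 * ((c + 3) % 4)]])

def round_column_reference(state: State, c: int) -> int:
    """The same column computed step by step, to check the T-table shortcut."""
    return _pack(mix_columns(shift_rows(sub_bytes(state)))[4 * c:4 * c + 4])
```

The T-table path gives exactly the same bytes as running the three steps separately, which is why the 32-bit implementation can trade the per-byte S-box and GF(2^8) multiplications for table memory; add_round_key is applied to the packed result in the same way in either path.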

2.2 MULTIPLE ENCRYPTION AND TRIPLE DES

Double DES

The simplest form of multiple encryption has two encryption stages and two keys.

Encryption sequence: E-E

Decryption sequence: D-D

Given a plaintext P and two encryption keys K1 and K2, cipher text C is generated as

C = E (K2, E (K1, P))

For DES, this scheme apparently involves a key length of bits, resulting in a dramatic increase in cryptographic strength. But we need to examine the algorithm more closely.

P = D(K1, D(K2, C))

This scheme is subject to a "meet-in-the-middle" attack, since the intermediate value M = EK1(P) = DK2(C).

The attacker tries to break the two-part encryption from both sides simultaneously; a successful effort enables him to meet in the middle of the block cipher.

Fig 2.8 Double encryption
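To make the meet-in-the-middle argument concrete, here is an added Python example (my own construction, not from the notes) using a toy 32-bit block cipher with 16-bit keys: the forward side encrypts P under every K1 into a table, the backward side decrypts C under every K2 and looks each result up, so two-key double encryption costs about 2 x 2^16 trials instead of the 2^32 an exhaustive search over both keys would need. A second and third known plaintext/ciphertext pair weed out coincidental matches. The cipher, key values and plaintexts are constructed here.

```python
# Added example (not from the lecture notes): meet-in-the-middle against double
# encryption, using a toy 32-bit block cipher with 16-bit keys. The cipher, the
# key values and the plaintexts below are constructed for illustration only.
from typing import Dict, List, Optional, Tuple

MASK32 = 0xFFFFFFFF
MULT = 0x9E3779B1                 # odd, hence invertible modulo 2^32
MULT_INV = pow(MULT, -1, 1 << 32)
KEY_SPACE = 1 << 16               # 2^16 keys per stage

def toy_encrypt(key: int, block: int) -> int:
    """Toy 32-bit block cipher with a 16-bit key (NOT a real cipher)."""
    k = (key & 0xFFFF) * 0x10001  # spread the 16-bit key over 32 bits
    return ((block ^ k) * MULT + k) & MASK32

def toy_decrypt(key: int, block: int) -> int:
    k = (key & 0xFFFF) * 0x10001
    return ((((block - k) & MASK32) * MULT_INV) & MASK32) ^ k

def double_encrypt(k1: int, k2: int, p: int) -> int:
    """C = E(K2, E(K1, P)): the E-E sequence from the notes."""
    return toy_encrypt(k2, toy_encrypt(k1, p))

def meet_in_the_middle(pairs: List[Tuple[int, int]]) -> Optional[Tuple[int, int]]:
    """Recover (K1, K2) from known (P, C) pairs with about 2 * 2^16 cipher calls.

    The middle value M = E(K1, P) must equal D(K2, C), so tabulate every K1 on
    the forward side and probe the table with every K2 on the backward side.
    """
    (p0, c0), rest = pairs[0], pairs[1:]
    middle: Dict[int, List[int]] = {}
    for k1 in range(KEY_SPACE):                       # forward half
        middle.setdefault(toy_encrypt(k1, p0), []).append(k1)
    for k2 in range(KEY_SPACE):                       # backward half
        for k1 in middle.get(toy_decrypt(k2, c0), ()):
            # one matching pair can be a coincidence; confirm on the others
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                return k1, k2
    return None

def effort_ratio() -> int:
    """Exhaustive search over both keys (2^32) versus meet-in-the-middle (2 * 2^16)."""
    return (KEY_SPACE * KEY_SPACE) // (2 * KEY_SPACE)
```

The table costs memory proportional to the key space of one stage, which is the trade the attack makes: roughly one stage's worth of work and storage instead of the product of the two key spaces. This is why the notes move on to three encryptions rather than two.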


Triple DES with Two Keys

hence must use 3 encryptions

would seem to need 3 distinct keys

Encryption sequence: E-D-E

Decryption sequence: D-E-D

Fig 2.9 triple DES with two keys

but can use 2 keys with E-D-E sequence

C = EK1(DK2(EK1(P)))

P = D(K1, E(K2, D(K1, C)))

if K1=K2 then can work with single DES

standardized in ANSI X9.17 & ISO 8732

no current known practical attacks

Triple DES with Three Keys

although there are no practical attacks on two-key Triple DES, there are some indications of weakness

can use Triple DES with three keys to avoid even these

Fig 2.10 Triple DES with three keys

C = EK3(DK2(EK1(P)))

P = DK1(EK2(DK3(C)))


BLOCK CIPHER MODES OF OPERATION

NIST defines 5 possible modes to cover a wide variety of applications

1. Electronic CodeBook Mode (ECB)

2. Cipher Block Chaining Mode (CBC)

3. Cipher FeedBack Mode (CFB)

4. Output FeedBack Mode (OFB)

5. Counter Mode (CTR)

can be used with any block cipher

have block and stream modes

Fig 2.11 Block Cipher modes of operation

Electronic Code Book (ECB)

message is broken into independent blocks which are encrypted

each block is a value which is substituted, like a codebook

each block is encoded independently of the other blocks

Ci = EK1 (Pi)


uses: secure transmission of single values

Fig 2.12 Electronic Codebook (ECB) Mode

Advantages and Limitations of ECB

message repetitions may show in cipher text

main use is sending a few blocks of data

Cipher Block Chaining (CBC)

message is broken into blocks

linked together in encryption operation

each previous ciphertext block is chained with the current plaintext block

use an Initialization Vector (IV) to start the process

Ci = EK1(Pi XOR Ci-1)

C0 = IV

uses: bulk data encryption, authentication


Fig 2.13 Cipher Block Chaining (CBC) Mode

Advantages and Limitations of CBC

a cipher text block depends on all blocks before it

any change to a block affects all following cipher text blocks

need Initialization Vector (IV)

which must be known to sender & receiver

hence the IV must either be a fixed value or must be sent encrypted in ECB mode before the rest of the message

Stream Modes of Operation

block modes encrypt entire block

may need to operate on smaller units

real time data

convert block cipher into stream cipher

cipher feedback (CFB) mode

output feedback (OFB) mode

counter (CTR) mode


use block cipher as some form of pseudo-random number generator

Cipher Feed Back (CFB)

message is treated as a stream of bits

added to the output of the block cipher

result is feedback for next stage

the standard allows any number of bits (1, 8, 64 or 128, etc.) to be fed back

denoted CFB-1, CFB-8, CFB-64, CFB-128, etc.

Fig 2.14 CFB Mode

Ci = Pi XOR EK1(Ci-1)

C0 = IV

Advantages and Limitations of CFB

appropriate when data arrives in bits/bytes

most common stream mode

encryption mode used at both ends


Output Feed Back (OFB)

output of the cipher is added to the message

output is then fed back

feedback is independent of the message

so feedback can be computed in advance

Fig 2.15 OFB mode

Ci = Pi XOR Oi

Oi = EK1(Oi-1)

O0 = IV

Counter (CTR)

must have a different key & counter value for every plaintext block (never reused)

uses: high-speed network encryptions


Fig 2.16 CTR mode

Advantages and Limitations of CTR

efficiency

can do parallel encryptions in h/w or s/w

can preprocess in advance of need

random access to encrypted data blocks

provable security (as good as other modes)

but must ensure key/counter values are never reused; otherwise the cipher can be broken
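The five modes above, as an added Python example that is not part of the notes: each mode is written directly from its formula (Ci = EK(Pi), Ci = EK(Pi XOR Ci-1), Ci = Pi XOR EK(Ci-1), Oi = EK(Oi-1), and a nonce||counter block for CTR) over a small 64-bit toy Feistel cipher so that the code runs stand-alone; the same mode functions would work unchanged over a real block function. The toy cipher, key, IV, nonce and messages are constructed here. The last two functions check the two properties the notes warn about: ECB exposes repeated plaintext blocks, and reusing a CTR nonce/counter under one key leaks the XOR of the two plaintexts.

```python
# Added example (not from the lecture notes): the five NIST modes implemented over a
# toy 64-bit Feistel block cipher so the code runs stand-alone. The toy cipher, the
# keys, IVs and the messages are constructed here; the mode logic follows the formulas.
import hashlib
from typing import Iterator

BLOCK = 8  # bytes

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel network (toy): invertible, so ECB/CBC decryption works."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return right + left

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    right, left = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right

def _blocks(data: bytes) -> Iterator[bytes]:
    if len(data) % BLOCK:
        raise ValueError("inputs here must be whole blocks; pad in practice")
    for i in range(0, len(data), BLOCK):
        yield data[i:i + BLOCK]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    return b"".join(toy_encrypt_block(key, p) for p in _blocks(pt))  # Ci = E(Pi)

def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(toy_decrypt_block(key, c) for c in _blocks(ct))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv                                   # C0 = IV
    for p in _blocks(pt):
        prev = toy_encrypt_block(key, _xor(p, prev))    # Ci = E(Pi xor Ci-1)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(toy_decrypt_block(key, c), prev))  # Pi = D(Ci) xor Ci-1
        prev = c
    return b"".join(out)

def cfb_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv                                   # CFB-64: whole-block feedback
    for p in _blocks(pt):
        prev = _xor(p, toy_encrypt_block(key, prev))    # Ci = Pi xor E(Ci-1)
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(c, toy_encrypt_block(key, prev)))  # E at both ends, never D
        prev = c
    return b"".join(out)

def ofb_xcrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB: Oi = E(Oi-1) does not depend on the message, so one function does both ways."""
    out, o = [], iv
    for d in _blocks(data):
        o = toy_encrypt_block(key, o)
        out.append(_xor(d, o))
    return b"".join(out)

def ctr_xcrypt(key: bytes, nonce4: bytes, data: bytes) -> bytes:
    """CTR: keystream block i = E(nonce || i); blocks are independent (parallel, random access)."""
    out = []
    for i, d in enumerate(_blocks(data)):
        out.append(_xor(d, toy_encrypt_block(key, nonce4 + i.to_bytes(4, "big"))))
    return b"".join(out)

def ecb_reveals_repeats(key: bytes, pt: bytes) -> bool:
    """True when equal plaintext blocks gave equal ciphertext blocks (the ECB weakness)."""
    cts = list(_blocks(ecb_encrypt(key, pt)))
    return len(set(cts)) < len(cts)

def ctr_nonce_reuse_leak(key: bytes, nonce4: bytes, p1: bytes, p2: bytes) -> bytes:
    """Same key and nonce twice: C1 xor C2 == P1 xor P2, the keystream cancels out."""
    return _xor(ctr_xcrypt(key, nonce4, p1), ctr_xcrypt(key, nonce4, p2))
```

With a real cipher the CBC and CFB IV should be fresh and unpredictable for every message, and the CTR nonce must never repeat under the same key; the last two functions show what a repeat leaks even when the block cipher itself is sound.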

STREAM CIPHERS AND RC4

Stream Cipher

Start with a secret key

process message bit by bit (as a stream)

have a pseudo random key stream

Combine the stream with the plaintext to produce the cipher text (typically by XOR)


Ci = Mi XOR StreamKeyi

but must never reuse stream key

otherwise can recover messages

Fig 2.17 Stream cipher design

Stream Cipher Properties

some design considerations are:

long period with no repetitions

statistically random

depends on large enough key

properly designed, can be as secure as a block cipher

simpler & faster

RC4

A symmetric key encryption algorithm invented by Ron Rivest

Variable key size, byte-oriented stream cipher

Normally uses 64 bit and 128 bit key sizes.

Used in

SSL/TLS (Secure Sockets Layer / Transport Layer Security) between web browsers and servers

IEEE 802.11 wireless LAN standard: WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) protocols


Fig 2.18 RC-4 block diagram

Consists of 2 parts:

Key Scheduling Algorithm (KSA): generates the state array

Pseudo-Random Generation Algorithm (PRGA): generates the keystream and XORs it with the data to produce the encrypted stream

The KSA

Use the secret key to initialize and permute the state vector S; this is done in two steps.

A variable-length key of from 1 to 256 bytes (8 to 2048 bits) is used to initialize a 256-byte state vector S, with elements S[0], S[1], ..., S[255].

At all times, S contains a permutation of all 8-bit numbers from 0 through 255.


The PRGA

Generate the keystream one byte at a time; each keystream byte is an element S[k] of the state.

XOR S[k] with the next byte of the message to encrypt/decrypt.

Decryption using RC4

Use the same secret key as during the encryption phase.

Generate keystream by running the KSA and PRGA.

XOR keystream with the encrypted text to generate the plain text.

The logic is simple:

(A xor B) xor B = A

A = Plain Text or Data

B = KeyStream

RC4 Security

claimed secure against known attacks

since RC4 is a stream cipher, must never reuse a key
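The KSA and PRGA described above, as an added Python example that is not the notes' own code: rc4_ksa builds the permuted state S from a 1 to 256 byte key, rc4_prga yields keystream bytes S[k] while keeping S a permutation, and rc4_crypt shows that one function encrypts and decrypts because (A xor B) xor B = A. The function names are mine; the check values come from the widely published RC4 test vector for the key "Key".

```python
# Added example (not from the lecture notes): RC4 key scheduling (KSA) and
# pseudo-random generation (PRGA). Function names are constructed here.
from typing import Iterator, List

def rc4_ksa(key: bytes) -> List[int]:
    """Use the 1..256-byte key to permute the state vector S = [0, 1, ..., 255]."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1 to 256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]           # S stays a permutation of 0..255
    return S

def rc4_prga(S: List[int]) -> Iterator[int]:
    """Yield keystream bytes S[k], one at a time, swapping as it goes."""
    S = S[:]                              # private copy: the caller's state is untouched
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        k = (S[i] + S[j]) & 0xFF
        yield S[k]

def rc4_keystream(key: bytes, n: int) -> bytes:
    """The first n keystream bytes for a key (what gets XORed with the data)."""
    ks = rc4_prga(rc4_ksa(key))
    return bytes(next(ks) for _ in range(n))

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: (A xor B) xor B == A, so the same call does both."""
    ks = rc4_prga(rc4_ksa(key))
    return bytes(b ^ next(ks) for b in data)
```

Because the keystream depends only on the key, encrypting two messages under the same key XORs both with the same bytes, which is the key-reuse problem the notes flag for every stream cipher; a per-message key (or a nonce mixed into the key) is the usual remedy.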

Confidentiality using Symmetric Encryption

Traditionally symmetric encryption is used to provide message confidentiality.

Placement of Encryption

have two major placement alternatives

link encryption

encryption occurs independently on every link

implies must decrypt traffic between links

requires many devices, but paired keys

end-to-end encryption

encryption occurs between original source and final destination

need devices at each end with shared keys


Fig 2.19 placement of encryption

Encryption function of the front-end processor (FEP)

Fig 2.20 FEP processing

On the host side, the FEP accepts packets. The user data portion of the packet is encrypted, while the packet header bypasses the encryption process. The resulting packet is delivered to the network. In the opposite direction, for packets arriving from the network, the user data portion is decrypted and the entire packet is delivered to the host.

Red data are sensitive or classified data. Black data are encrypted data.


when using end-to-end encryption must leave headers in clear

so network can correctly route information

hence although contents protected, traffic pattern flows are not

ideally want both at once

end-to-end encryption protects data contents over entire path and provides authentication

link encryption protects traffic flows from monitoring

can place encryption function at various layers in OSI Reference Model

link encryption occurs at layers 1 or 2

end-to-end can occur at layers 3, 4, 6, 7

Traffic Confidentiality

Is related to the monitoring of communications flows between parties

link encryption approach

Network-layer headers (e.g., frame or cell header) are encrypted, reducing the opportunity for traffic analysis.

It is still possible for an attacker to assess the amount of traffic on a network and to observe the amount of traffic entering and leaving each end system.

traffic padding

An effective countermeasure to traffic analysis.

Traffic padding produces ciphertext output continuously, even in the absence of plaintext.

A continuous random data stream is generated. When plaintext is available, it is encrypted and transmitted. When input plaintext is not present, random data are encrypted and transmitted.

Fig 2.21 traffic padding


Key Distribution

symmetric schemes require both parties to share a common secret key; the issue is how to securely distribute this key

the system fails if the key distribution scheme is broken

given parties A and B have various key distribution alternatives:

1. A can select key and physically deliver to B

2. third party can select & deliver key to A & B

3. if A & B have communicated previously can use previous key to encrypt a new key

4. if A & B have secure communications with a third party C, C can deliver key between A & B

Key Hierarchy

typically have a hierarchy of keys

session key

temporary key

used for encryption of data between users

for one logical session then discarded

master key

used to encrypt session keys

shared by user & key distribution center

Fig 2.22 key hierarchy


Key Distribution Scenario

Fig 2.23 key distribution scenario

1. A issues a request to the KDC for a session key to protect a logical connection to B. The message includes the identity of A and B and a unique identifier, N1, for this transaction.

2. The KDC responds with a message encrypted using Ka. Thus, A is the only one who can successfully read the message. The message includes two items intended for A:

a one-time session key (Ks) to be used for the session

the original request message.

The message also includes two items intended for B:

the one-time session key, Ks, to be used for the session

an identifier of A (e.g., its network address), IDA

These two items are encrypted with Kb (the master key that the KDC shares with B). They are to be sent to B to establish the connection and prove A's identity.

3. A stores the session key for use in the upcoming session and forwards to B the information that originated at the KDC for B, namely, E(Kb, [Ks || IDA]).


4. Using the newly minted session key for encryption, B sends an identifier, N2, to A.

5. Also using Ks, A responds with f(N2), where f is a function that performs some transformation on N2 (e.g., adding one).
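The five steps above, simulated end to end in one process as an added Python example (not from the notes): a KDC object holds the master keys Ka and Kb, and two Party objects play A and B. Step 3 compares the echoed request (including N1) with the one A actually sent, which is what stops an old KDC reply from being replayed, and step 5 uses f(N2) = N2 + 1 as the notes suggest. The toy cipher, identities, master keys and nonces are all constructed here.

```python
# Added example (not from the lecture notes): the five-step KDC scenario simulated
# in one process. The toy cipher, the identities, master keys and nonces are all
# constructed here; E(K, X) below means "X encrypted under K" as in the notes.
import hashlib
import json
import secrets
from typing import Any, Dict, Tuple

def _keystream(key: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def toy_encrypt(key: bytes, obj: Any) -> bytes:
    """Toy E(K, X): fresh nonce || (JSON(X) xor keystream). Confidentiality only."""
    nonce = secrets.token_bytes(8)
    plain = json.dumps(obj).encode()
    return nonce + bytes(p ^ k for p, k in zip(plain, _keystream(key + nonce, len(plain))))

def toy_decrypt(key: bytes, blob: bytes) -> Any:
    nonce, body = blob[:8], blob[8:]
    return json.loads(bytes(c ^ k for c, k in zip(body, _keystream(key + nonce, len(body)))))

def f(nonce_hex: str) -> str:
    """The step-5 transformation: add one to the nonce."""
    return format(int(nonce_hex, 16) + 1, "x")

class KDC:
    def __init__(self, master_keys: Dict[str, bytes]):
        self.master_keys = master_keys  # Ka, Kb, ...: one master key per user

    def handle_request(self, request: Dict[str, Any]) -> bytes:
        """Step 2: E(Ka, [Ks || request || E(Kb, [Ks || IDA])])."""
        ka, kb = self.master_keys[request["IDA"]], self.master_keys[request["IDB"]]
        ks = secrets.token_hex(16)  # one-time session key Ks
        ticket = toy_encrypt(kb, {"Ks": ks, "IDA": request["IDA"]})
        return toy_encrypt(ka, {"Ks": ks, "request": request, "ticket": ticket.hex()})

class Party:
    def __init__(self, ident: str, master_key: bytes):
        self.id, self.master_key = ident, master_key
        self.session_key = b""

    def request_session(self, peer: str) -> Dict[str, Any]:
        """Step 1: A -> KDC: IDA || IDB || N1."""
        self.n1 = secrets.token_hex(8)
        return {"IDA": self.id, "IDB": peer, "N1": self.n1}

    def accept_kdc_reply(self, blob: bytes, sent_request: Dict[str, Any]) -> bytes:
        """Step 3: check the echoed request (N1 defeats replays), keep Ks, return B's ticket."""
        reply = toy_decrypt(self.master_key, blob)
        if reply["request"] != sent_request:
            raise ValueError("KDC reply does not match our request (replay or mix-up)")
        self.session_key = bytes.fromhex(reply["Ks"])
        return bytes.fromhex(reply["ticket"])

    def accept_ticket(self, ticket: bytes) -> bytes:
        """Step 4: B opens E(Kb, [Ks || IDA]), stores Ks and challenges A with E(Ks, N2)."""
        info = toy_decrypt(self.master_key, ticket)
        self.session_key, self.peer = bytes.fromhex(info["Ks"]), info["IDA"]
        self.n2 = secrets.token_hex(8)
        return toy_encrypt(self.session_key, {"N2": self.n2})

    def answer_challenge(self, blob: bytes) -> bytes:
        """Step 5: A returns E(Ks, f(N2)), proving it holds Ks."""
        n2 = toy_decrypt(self.session_key, blob)["N2"]
        return toy_encrypt(self.session_key, {"fN2": f(n2)})

    def verify_answer(self, blob: bytes) -> bool:
        return toy_decrypt(self.session_key, blob)["fN2"] == f(self.n2)

def run_exchange() -> Tuple[bool, bool]:
    """Run steps 1-5; returns (B accepted A's answer, both sides hold the same Ks)."""
    ka, kb = b"master-key-of-A!", b"master-key-of-B!"  # constructed master keys
    kdc, alice, bob = KDC({"A": ka, "B": kb}), Party("A", ka), Party("B", kb)
    request = alice.request_session("B")              # 1
    reply = kdc.handle_request(request)               # 2
    ticket = alice.accept_kdc_reply(reply, request)   # 3
    challenge = bob.accept_ticket(ticket)             # 4
    answer = alice.answer_challenge(challenge)        # 5
    return bob.verify_answer(answer), alice.session_key == bob.session_key
```

The toy cipher provides confidentiality only; a deployed KDC protocol such as Kerberos uses integrity-protected encryption so that a tampered ticket is rejected rather than decrypted into garbage, and steps 4 and 5 are what give B confidence that the party on the other end actually holds Ks rather than a captured ticket.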

Key Distribution Issues

hierarchies of KDCs required for large networks, but they must trust each other

session key lifetimes should be limited for greater security

use of automatic key distribution on behalf of users,

use of decentralized key distribution

controlling key usage

Fig 2.24 automatic key distribution

Fig 2.25 decentralized key control

1. A issues a request to B for a session key and includes an identifier N1.

2. B responds with a message that is encrypted using the shared master key (MKm). The response includes the session key selected by B, an identifier of B, the value f(N1), and another identifier, N2.


3. Using the new session key, A returns f(N2) to B.

Random Numbers

many uses of random numbers in cryptography

used in authentication protocols

session keys

public key generation

in all cases it is critical that these values be

statistically random, uniform distribution, independent

unpredictability of future values from previous values

Pseudo Random Number Generators (PRNGs)

use algorithmic techniques to create “random numbers”

although are not truly random

can pass many tests of “randomness”

Linear Congruential Generator

common iterative technique using:

Xn+1 = (a Xn + c) mod m

If m, a, c, and X0 are integers,

Using Block Ciphers as PRNGs

for cryptographic applications, can use a block cipher to generate random numbers

INTRODUCTION TO NUMBER THEORY

Prime Numbers

prime numbers only have divisors of 1 and self

Prime Factorisation

To factor a number n is to write it as a product of other numbers: n=a x b x c.

the prime factorisation of a number n is when it is written as a product of primes

e.g. $91 = 7^1 \times 13^1$, $300 = 2^2 \times 3^1 \times 5^2$

Relatively Prime Numbers & GCD

two numbers a, b are relatively prime if have no common divisors apart from 1

e.g. 8 & 15 are relatively prime since the factors of 8 are 1, 2, 4, 8 and of 15 are 1, 3, 5, 15, and 1 is the only common factor

can determine the greatest common divisor by comparing their prime factorizations and using the least powers


e.g. $300 = 2^2 \times 3^1 \times 5^2$ and $18 = 2^1 \times 3^2$, hence $\gcd(18, 300) = 2^1 \times 3^1 \times 5^0 = 6$

Fermat's Theorem

If p is prime and a is a positive integer not divisible by p, then $a^{p-1} \equiv 1 \pmod p$; also $a^p \equiv a \pmod p$.

useful in public key and primality testing

Proof: Consider the set of positive integers less than p, {1, 2, ..., p - 1}, and multiply each element by a mod p, to get the set X = {a mod p, 2a mod p, ..., (p - 1)a mod p}.

No element of X is zero and no two elements are equal (if ja ≡ ka (mod p) then j ≡ k, since p does not divide a), so X is just a rearrangement of {1, 2, ..., p - 1}. Multiplying all the elements of X together therefore gives

$a^{p-1} (p-1)! \equiv (p-1)! \pmod p$

We can cancel the (p - 1)! term because it is relatively prime to p. This yields $a^{p-1} \equiv 1 \pmod p$.

Example: $a^{p-1} \equiv 1 \pmod p$

Example: $a^p \equiv a \pmod p$

Euler Totient Function ø(n)

Defined as the number of positive integers less than n and relatively prime to n.

for example, n = 10: when doing arithmetic modulo n,

the complete set of residues is (0 ... n-1) = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}

the reduced set of residues is the numbers which are relatively prime to n = {1, 3, 7, 9}

the number of elements in the reduced set of residues is the Euler Totient Function ø(n)


Example:

Euler's Theorem

states that for every a and n that are relatively prime:

$a^{\phi(n)} \equiv 1 \pmod n$

e.g.

a = 3; n = 10; ø(10) = 4; hence $3^4 = 81 \equiv 1 \pmod{10}$

a = 2; n = 11; ø(11) = 10; hence $2^{10} = 1024 \equiv 1 \pmod{11}$

Primality Testing

any positive odd integer n ≥ 3 can be expressed as $n - 1 = 2^k q$ with k > 0, q odd

Miller-Rabin Algorithm

a test based on Fermat’s Theorem

The procedure TEST takes a candidate integer n as input and returns the result composite if n is definitely not a prime, and the result inconclusive if n may or may not be a prime.

Example 1: Prime number n = 29

Then $n - 1 = 28 = 2^2 \cdot 7 = 2^k q$.

First, let us try a = 10. Compute $10^7 \bmod 29 = 17$, which is neither 1 nor 28, so we continue the test.


The next calculation finds that $(10^7)^2 \bmod 29 = 28$, and the test returns inconclusive (i.e., 29 may be prime).

Let's try again with a = 2. We have the following calculations: $2^7 \bmod 29 = 12$; $2^{14} \bmod 29 = 28$; and the test again returns inconclusive.

If we perform the test for all integers in the range 1 through 28, we get the same inconclusive result.

Example 2: Composite number n = 13 × 17 = 221.

Then $n - 1 = 220 = 2^2 \cdot 55 = 2^k q$.

Let us try a = 5. Then we have $5^{55} \bmod 221 = 112$, which is neither 1 nor 220; $(5^{55})^2 \bmod 221 = 168$. The test returns composite, indicating that 221 is definitely a composite number.

Suppose we had selected a = 21. Then we have $21^{55} \bmod 221 = 200$; $(21^{55})^2 \bmod 221 = 220$; and the test returns inconclusive, indicating that 221 may be prime.

In fact, of the 218 integers from 2 through 219, four of these will return an inconclusive result, namely 21, 47, 174, and 200.
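The TEST procedure and both worked examples, as an added Python example that is not the notes' own code: decompose writes n - 1 = 2^k q, miller_rabin_test returns the verdict for one base together with the sequence of powers it computed (so the 17, 28 and 112, 168 values above can be checked), strong_liars finds every base for which a composite still returns inconclusive, and is_probable_prime repeats the test with random bases. Function names are mine; the inputs 29, 221 and the bases come from the notes.

```python
# Added example (not from the lecture notes): the Miller-Rabin TEST procedure.
# Function names are constructed here; the inputs are the notes' worked cases.
import random
from typing import List, Tuple

def decompose(n: int) -> Tuple[int, int]:
    """Write n - 1 = 2^k * q with q odd (n odd, n >= 3)."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer >= 3")
    k, q = 0, n - 1
    while q % 2 == 0:
        k, q = k + 1, q // 2
    return k, q

def miller_rabin_test(n: int, a: int) -> Tuple[str, List[int]]:
    """TEST(n) for one base a: ('composite' | 'inconclusive', trace of a^(2^j q) mod n)."""
    k, q = decompose(n)
    x = pow(a, q, n)
    trace = [x]
    if x in (1, n - 1):              # a^q is +-1: nothing more to learn from this base
        return "inconclusive", trace
    for _ in range(k - 1):
        x = x * x % n
        trace.append(x)
        if x == n - 1:               # hit -1 on the way to a^(n-1)
            return "inconclusive", trace
    return "composite", trace        # a^(n-1) reached without passing through -1

def strong_liars(n: int) -> List[int]:
    """All bases in 2..n-2 for which a composite n still returns 'inconclusive'."""
    return [a for a in range(2, n - 1) if miller_rabin_test(n, a)[0] == "inconclusive"]

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Repeat TEST with random bases; each pass cuts the chance of error by at least 4x."""
    if n in (2, 3):
        return True
    if n < 2 or n % 2 == 0:
        return False
    rng = random.SystemRandom()
    return all(miller_rabin_test(n, rng.randrange(2, n - 1))[0] == "inconclusive"
               for _ in range(rounds))
```

For a prime every base returns inconclusive, so the test can only ever prove compositeness; the strong_liars count for 221 (4 out of 218 bases) is what makes repeating the test with fresh random bases worthwhile.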

Chinese Remainder Theorem

used to speed up modulo computations

Theorem: Let m1, ..., mn > 0 be pairwise relatively prime. Then the system of equations x ≡ ai (mod mi) (for i = 1 to n) has a unique solution modulo M = m1 · ... · mn.

Example: What is x such that x ≡ 2 (mod 3), x ≡ 3 (mod 5) and x ≡ 2 (mod 7)?

So a1 = 2, a2 = 3, a3 = 2 and m1 = 3, m2 = 5, m3 = 7.

Using the Chinese Remainder Theorem:

M = 3 · 5 · 7 = 105


$M_1 = M/3 = 105/3 = 35$ and $M_1^{-1} \equiv 2 \pmod 3$, since $35 \equiv 2 \pmod 3$ and $2 \cdot 2 \equiv 1 \pmod 3$

$M_2 = M/5 = 105/5 = 21$ and $M_2^{-1} \equiv 1 \pmod 5$, since $21 \equiv 1 \pmod 5$

$M_3 = M/7 = 105/7 = 15$ and $M_3^{-1} \equiv 1 \pmod 7$, since $15 \equiv 1 \pmod 7$

So $x \equiv a_1 M_1 M_1^{-1} + a_2 M_2 M_2^{-1} + \cdots + a_k M_k M_k^{-1} \pmod M$

$\equiv 2 \times 2 \times 35 + 3 \times 1 \times 21 + 2 \times 1 \times 15 = 233 \equiv 23 \pmod{105}$

So the answer is x ≡ 23 (mod 105)

Public Key Cryptography and RSA

Public Key Cryptography

uses two keys – a public & a private key

asymmetric

developed to address two key issues:

key distribution – how to have secure communications in general without having to trust a KDC with your key

digital signatures – how to verify a message comes intact from the claimed sender

public-key/two-key/asymmetric cryptography involves the use of two keys:

a public key, which may be known by anybody, and can be used to encrypt messages and verify signatures

a private key, known only to the recipient, used to decrypt messages and sign (create) signatures

is asymmetric because

those who encrypt messages or verify signatures cannot decrypt messages or create signatures

Fig 2.26 public key encryption and decryption


1. Each user generates a pair of keys to be used for the encryption and decryption of messages.

2. Each user places one of the two keys in a public register or other accessible file. This is the public key. The companion key is kept private. Each user maintains a collection of public keys obtained from others.

3. If Bob wishes to send a confidential message to Alice, Bob encrypts the message using Alice's public key.

4. When Alice receives the message, she decrypts it using her private key. No other recipient can decrypt the message because only Alice knows Alice's private key.

Fig 2.27 public key cryptosystem

Encrypt the message using the sender's private key. This provides the digital signature.

Encrypt again, using the receiver's public key.

The final ciphertext can be decrypted only by the intended receiver, who alone has the matching private key.

Public-Key Characteristics

Public-Key algorithms rely on two keys where:

it is computationally infeasible to find the decryption key knowing only the algorithm and the encryption key

it is computationally easy to encrypt/decrypt messages when the relevant (encryption/decryption) key is known


either of the two related keys can be used for encryption, with the other used for decryption (for some algorithms)

Public-Key Applications

can classify uses into 3 categories:

encryption/decryption (provide secrecy)

digital signatures (provide authentication)

key exchange (of session keys)

some algorithms are suitable for all uses, others are specific to one

Security of Public Key Schemes

brute force exhaustive search attack is always theoretically possible, but the keys used are too large (> 512 bits)

requires the use of very large numbers, hence is slow compared to private key schemes

RSA

by Rivest, Shamir & Adleman of MIT in 1977

best known & widely used public-key scheme

is a block cipher in which the plaintext and ciphertext are integers between 0 and n - 1 for some n

uses large integers (e.g. 1024 bits)

RSA makes use of an expression with exponentials.

Encryption and decryption are of the following form, for some plaintext block M and ciphertext block C:

C = M^e mod n

M = C^d mod n = (M^e)^d mod n = M^(ed) mod n

RSA Key Setup

Each user generates a public/private key pair by:

selecting two large primes at random: p, q

computing their system modulus n = p·q

selecting at random the encryption key e, where 1 < e < ø(n) and gcd(e, ø(n)) = 1; note ø(n) = (p-1)(q-1)

solving the following equation to find the decryption key d: e·d ≡ 1 mod ø(n), with 0 ≤ d ≤ n

publishing their public encryption key: PU = {e, n}


keeping secret the private decryption key: PR = {d, n}

RSA Use

to encrypt a message M the sender:

obtains the public key of the recipient, PU = {e, n}

computes: C = M^e mod n, where 0 ≤ M < n

to decrypt the ciphertext C the owner:

uses their private key PR = {d, n}

computes: M = C^d mod n

RSA Example - Key Setup

1. Select primes: p = 17 and q = 11

2. Compute n = pq = 17 × 11 = 187

3. Compute ø(n) = (p–1)(q–1) = 16 × 10 = 160

4. Select e: gcd(e, 160) = 1; choose e = 7

5. Determine d: d·e ≡ 1 mod 160 and d < 160. The value is d = 23, since 23 × 7 = 161 = 1 × 160 + 1

6. Publish public key PU = {7, 187}

7. Keep secret private key PR = {23, 187}

RSA Example - En/Decryption

sample RSA encryption/decryption is:

given message M = 88

encryption:

C = 88^7 mod 187 = 11

decryption:

M = 11^23 mod 187 = 88

Fig 2.28 example of RSA encryption and decryption
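The key setup, encryption and decryption steps above, together with the sign-then-encrypt flow described earlier (sender’s private key first, receiver’s public key second), as an added Python example that is not part of the lecture notes. It reproduces the notes’ numbers (p = 17, q = 11, e = 7, M = 88) exactly; the second key pair for Bob (p = 13, q = 23, e = 5) is constructed here so that two parties exist, and is not from the notes. Textbook RSA as shown here has no padding; real deployments use OAEP for encryption and PSS for signatures, and moduli of thousands of bits.

```python
"""Textbook RSA over the lecture notes' small numbers (added example, not the notes' code).

Implements key setup, encryption, decryption, and the sign-then-encrypt /
decrypt-then-verify flow between two users. Requires Python 3.8+ for pow(e, -1, phi).
"""
from math import gcd


def rsa_keygen(p, q, e):
    """Return (PU, PR) = ((e, n), (d, n)) from primes p, q and a chosen e."""
    n = p * q
    phi = (p - 1) * (q - 1)                 # ø(n) = (p-1)(q-1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy 1 < e < ø(n) and gcd(e, ø(n)) = 1")
    d = pow(e, -1, phi)                     # e*d ≡ 1 (mod ø(n)), via the extended Euclidean inverse
    return (e, n), (d, n)


def rsa_encrypt(pub, m):
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("plaintext block must lie in [0, n)")
    return pow(m, e, n)                     # C = M^e mod n


def rsa_decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)                     # M = C^d mod n


def sign_then_encrypt(sender_priv, receiver_pub, m):
    """Sender signs M with their own private key, then encrypts the signature
    block under the receiver's public key (signature must be < receiver's n)."""
    d_s, n_s = sender_priv
    sig = pow(m, d_s, n_s)                  # S = M^d mod n  (sender's key)
    return rsa_encrypt(receiver_pub, sig)   # C = S^e mod n  (receiver's key)


def decrypt_then_verify(receiver_priv, sender_pub, c):
    """Receiver removes the outer layer with their private key, then recovers
    M with the sender's public key; only the sender could have produced S."""
    sig = rsa_decrypt(receiver_priv, c)
    e_s, n_s = sender_pub
    return pow(sig, e_s, n_s)               # M = S^e mod n  (sender's key)


if __name__ == "__main__":
    alice_pub, alice_priv = rsa_keygen(17, 11, 7)      # PU={7,187}, PR={23,187}
    c = rsa_encrypt(alice_pub, 88)
    print("C =", c, " M =", rsa_decrypt(alice_priv, c)) # C = 11, M = 88
    # Constructed key pair for Bob (not from the notes): p=13, q=23, e=5 -> n=299.
    bob_pub, bob_priv = rsa_keygen(13, 23, 5)
    ct = sign_then_encrypt(alice_priv, bob_pub, 88)
    print("Bob recovers M =", decrypt_then_verify(bob_priv, alice_pub, ct))  # 88
```

The range check in rsa_encrypt enforces the 0 ≤ M < n condition from the notes; without it a block larger than n would be silently reduced and could never be recovered.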

Exponentiation

can use the Square and Multiply Algorithm

a fast, efficient algorithm for exponentiation


concept is based on repeatedly squaring the base and multiplying in the ones that are needed to compute the result (the powers of two in the binary expansion of the exponent)

x^11 mod n = [(x mod n) × (x^2 mod n) × (x^8 mod n)] mod n, since 11 = 8 + 2 + 1

e.g. 7^5 mod 11 = (7^1 mod 11) × (7^4 mod 11) = 7 × 3 = 21 mod 11 = 10
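The square-and-multiply method above, as an added Python example (not code from the notes). It scans the exponent’s binary representation from the least significant bit, squares the running power each step, and multiplies in only the powers whose bit is set; it also returns which powers of two were used, so the 7^5 = 7^1 × 7^4 decomposition above can be seen directly, and counts the operations to show why the method is O(log e) rather than O(e).

```python
"""Square-and-multiply modular exponentiation (added example, not from the notes)."""


def square_and_multiply(x, e, n):
    """Return (x^e mod n, used) where `used` lists the exponents 2^i whose
    power of x was multiplied into the result, for displaying the working."""
    if n <= 0:
        raise ValueError("modulus must be positive")
    if e < 0:
        raise ValueError("negative exponents need a modular inverse first")
    result = 1 % n              # 1 % n also handles the degenerate n == 1 case
    power = x % n               # holds x^(2^i) mod n for the current bit i
    two_i = 1                   # the exponent 2^i that `power` represents
    used = []
    while e > 0:
        if e & 1:               # bit set: multiply x^(2^i) into the result
            result = (result * power) % n
            used.append(two_i)
        power = (power * power) % n   # square for the next bit position
        two_i *= 2
        e >>= 1
    return result, used


def operation_count(e):
    """(squarings, multiplications) performed by square_and_multiply for
    exponent e: one squaring per bit and one multiply per set bit."""
    return e.bit_length(), bin(e).count("1")


if __name__ == "__main__":
    print(square_and_multiply(7, 5, 11))        # (10, [1, 4]):  7^5 = 7^1 * 7^4
    print(square_and_multiply(3, 11, 13))       # uses powers [1, 2, 8] for 11 = 1011b
    print(square_and_multiply(88, 7, 187))      # (11, [1, 2, 4]): the RSA example above
    print(operation_count(2**1023 + 1))         # (1024, 2): ~1024 steps, not 2^1023
```

For a 1024-bit exponent this costs about a thousand squarings and a multiply per set bit, which is exactly why RSA with large e and d remains practical.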

Efficient Encryption and Decryption

encryption and decryption use exponentiation to the power e and to the power d

hence if e and d are small, the system will be faster

but if e and d are too small, it is not safe

RSA Security

possible approaches to attacking RSA are:

brute force key search (infeasible given the size of the numbers)

mathematical attacks

timing attacks (on the running of decryption)

chosen ciphertext attacks (given properties of RSA)

Factoring Problem

mathematical approach takes 3 forms:


factor n = p·q, hence compute ø(n) and then d

determine ø(n) directly and compute d

find d directly

Timing Attacks

exploit timing variations in operations

e.g. multiplying by a small vs a large number

countermeasures

use constant exponentiation time

add random delays

blind values used in calculations
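Two of the countermeasures listed above, shown on the notes’ key pair PU = {7, 187}, PR = {23, 187}, as an added Python example that is not from the notes: a square-and-multiply-always exponentiation whose operation count does not depend on the exponent bits, and RSA blinding, which exponentiates c·r^e for a random r and then divides r back out, so the private-key operation never runs on a value the attacker chose. Python offers no constant-time guarantees, so the example demonstrates the structure of each countermeasure and checks correctness, not wall-clock behaviour; the blinding factor r = 5 used in the demonstration is a constructed value.

```python
"""RSA timing-attack countermeasures: uniform exponentiation and blinding
(added example, not from the notes). Requires Python 3.8+ for pow(r, -1, n)."""
import secrets
from math import gcd


def modexp_always_multiply(base, exp, n):
    """Left-to-right square-and-multiply-ALWAYS: every exponent bit costs one
    squaring and one multiplication; on a 0 bit the product is computed and
    then discarded, so the amount of work no longer reveals the bit pattern."""
    result = 1 % n
    base %= n
    for bit in bin(exp)[2:]:
        result = (result * result) % n
        candidate = (result * base) % n              # always computed
        result = candidate if bit == "1" else result # selected, never skipped
    return result


def rsa_decrypt_blinded(priv, e, c, r=None):
    """Decrypt c with PR=(d, n) while exponentiating the blinded value c*r^e.

    (c * r^e)^d = m * r^(ed) = m * r (mod n), so multiplying by r^-1 recovers m.
    The attacker-supplied c is never the base of the private exponentiation."""
    d, n = priv
    if r is None:                                   # fresh unpredictable r, coprime to n
        while True:
            r = secrets.randbelow(n - 2) + 2
            if gcd(r, n) == 1:
                break
    elif gcd(r, n) != 1:
        raise ValueError("blinding factor must be coprime to n")
    c_blind = (c * pow(r, e, n)) % n                # c' = c * r^e (mod n), public key only
    m_blind = modexp_always_multiply(c_blind, d, n) # m' = c'^d = m * r (mod n)
    return (m_blind * pow(r, -1, n)) % n            # m = m' * r^-1 (mod n)


if __name__ == "__main__":
    pub, priv = (7, 187), (23, 187)     # the notes' example key pair
    c = 11                              # ciphertext of M = 88 from the example above
    print(rsa_decrypt_blinded(priv, pub[0], c, r=5))   # 88, with a constructed fixed r
    print(rsa_decrypt_blinded(priv, pub[0], c))        # 88, with a random r each call
```

Blinding is cheap (one public-key exponentiation and one inverse per decryption) and is what production RSA libraries do; the always-multiply loop is shown for the idea only, since a real constant-time implementation also has to control memory access patterns and the behaviour of the underlying big-integer arithmetic.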

Chosen Ciphertext Attacks

RSA is vulnerable to a Chosen Ciphertext Attack (CCA)

the attacker chooses ciphertexts and gets the decrypted plaintext back