Cryptograph

y and
Network
Security
Seventh Edition, Global Edition
by William Stallings

© 2017 Pearson Education, Ltd., All rights reserved.

 Chapter 9
Public Key Cryptography and RSA

© 2017 Pearson Education, Ltd., All rights reserved.

 Table 9.1
Terminology Related to Asymmetric
Encryption

Source: Glossary of Key Information Security Terms, NIST IR 7298 [KISS06]

© 2017 Pearson Education, Ltd., All rights reserved.

 Misconceptions Concerning
Public-Key Encryption
• Public-key encryption is more secure from
cryptanalysis than symmetric encryption
• Public-key encryption is a general-purpose
technique that has made symmetric
encryption obsolete
• There is a feeling that key distribution is
trivial when using public-key encryption,
compared to the cumbersome handshaking
involved with key distribution centers for
symmetric encryption
© 2017 Pearson Education, Ltd., All rights reserved.
 Principles of Public-Key
Cryptosystems
• The concept of public-key cryptography evolved
from an attempt to attack two of the most difficult
problems
Key
associated with symmetric encryption:
distribution
• How to have secure communications in general
without having to trust a KDC with your key
Digital
signatures
• How to verify that a message comes intact from the
claimed sender
• Whitfield Diffie and Martin Hellman from Stanford
University achieved a breakthrough in 1976 by
coming up with a method that addressed both
problems and was radically different from all
previous approaches to cryptography
© 2017 Pearson Education, Ltd., All rights reserved.
Public-Key Cryptosystems
• A public-key encryption scheme has six ingredients:

Decrypti
Encryption Public Private Cipherte on
Plaintext
algorithm key key xt algorith
m
Accepts
The
the
readabl
ciphert
e The ext and
messag Performs scrambl
Used for Used for the
e or various ed
encrypti encrypti matchi
data transfor messag
on or on or ng key
that is ma-tions e
decrypti decrypti produce and
fed into on the
on on d as produc
the plaintext
output es the
algorit
original
hm as
plainte
input
xt

© 2017 Pearson Education, Ltd., All rights reserved.

© 2017 Pearson Education, Ltd., All rights reserved.
 Table 9.2
Conventional and Public-Key
Encryption

© 2017 Pearson Education, Ltd., All rights reserved.

 Public-Key Cryptosystem:
Secrecy

© 2017 Pearson Education, Ltd., All rights reserved.

 Public-Key Cryptosystem:
Authentication

© 2017 Pearson Education, Ltd., All rights reserved.

 Public-Key Cryptosystem:
Authentication and Secrecy

© 2017 Pearson Education, Ltd., All rights reserved.

 Applications for Public-Key
Cryptosystems
• Public-key cryptosystems can be classified
into three categories:

Encryption/ • The sender encrypts a

decryption message with the
recipient’s public key
• The sender “signs” a
Digital signature message with its private
key
• Two sides cooperate to
Key exchange exchange a session key

• Some algorithms are suitable for all three

applications, whereas others can be used
only for one or two
© 2017 Pearson Education, Ltd., All rights reserved.
 Table 9.3
Applications for Public-Key
Cryptosystems

Table 9.3 Applications for Public-Key Cryptosystems

© 2017 Pearson Education, Ltd., All rights reserved.

 Public-Key
Requirements
• Conditions that these algorithms must fulfill:
• It is computationally easy for a party B to generate a
pair (public-key PUb, private key PRb)
• It is computationally easy for a sender A, knowing the
public key and the message to be encrypted, to
generate the corresponding ciphertext
• It is computationally easy for the receiver B to decrypt
the resulting ciphertext using the private key to
recover the original message
• It is computationally infeasible for an adversary,
knowing the public key, to determine the private key
• It is computationally infeasible for an adversary,
knowing the public key and a ciphertext, to recover the
original message
• The two keys can be applied in either order
© 2017 Pearson Education, Ltd., All rights reserved.
 Public-Key
Requirements
• Need a trap-door one-way function
• A one-way function is one that maps a domain into a range
such that every function value has a unique inverse, with
the condition that the calculation of the function is easy,
whereas the calculation of the inverse is infeasible
• Y = f(X) easy
• X = f–1(Y) infeasible

• A trap-door one-way function is a family of invertible

functions fk, such that
• Y = fk(X) easy, if k and X are known
• X = fk–1(Y) easy, if k and Y are known
• X = fk–1(Y) infeasible, if Y known but k not known

• A practical public-key scheme depends on a suitable trap-

door one-way function
© 2017 Pearson Education, Ltd., All rights reserved.
 Public-Key
Cryptanalysis
• A public-key encryption scheme is vulnerable to a brute-force
attack
• Countermeasure: use large keys
• Key size must be small enough for practical encryption and
decryption
• Key sizes that have been proposed result in
encryption/decryption speeds that are too slow for general-
purpose use
• Public-key encryption is currently confined to key management
and signature applications

• Another form of attack is to find some way to compute the

private key given the public key
• To date it has not been mathematically proven that this form of
attack is infeasible for a particular public-key algorithm

• Finally, there is a probable-message attack

• This attack can be thwarted by appending some random
bitsAllto
© 2017 Pearson Education, Ltd., simple
rights messages
reserved.
 Rivest-Shamir-
Adleman (RSA)
Algorithm
• Developed in 1977 at MIT by Ron
Rivest, Adi Shamir & Len Adleman

• Most widely used general-purpose

approach to public-key encryption

• Is a cipher in which the plaintext and

ciphertext are integers between 0 and
n – 1 for some n
• A typical size for n is 1024 bits, or 309
decimal digits
© 2017 Pearson Education, Ltd., All rights reserved.
 RSA Algorithm
• RSA makes use of an expression with exponentials

• Plaintext is encrypted in blocks with each block having a

binary value less than some number n
• Encryption and decryption are of the following form, for
some plaintext block M and ciphertext block C
C = Me mod n
M = Cd mod n = (Me)d mod n = Med mod n

• Both sender and receiver must know the value of n

• The sender knows the value of e, and only the receiver

knows the value of d

• This is a public-key encryption algorithm with a public

key of PU={e,n} and a private key of PR={d,n}
© 2017 Pearson Education, Ltd., All rights reserved.
 Algorithm
Requirements
• For this algorithm to be satisfactory
for public-key encryption, the following
requirements must be met:
1. It is possible to find values of e, d, n
such that Med mod n = M
for all M < n

2. It is relatively easy to calculate Me

mod n and Cd mod n for all
values of M < n

3. It is infeasible to determine d given

eEducation, Ltd., All rights reserved.
© 2017 Pearson and n
© 2017 Pearson Education, Ltd., All rights reserved.
© 2017 Pearson Education, Ltd., All
rights reserved.
 Example of RSA
Algorithm

© 2017 Pearson Education, Ltd., All rights reserved.

© 2017 Pearson Education, Ltd., All rights reserved.
 Exponentiation in
Modular Arithmetic
• Both encryption and decryption in RSA
involve raising an integer to an integer
power, mod n

• Can make use of a property of modular

arithmetic:

[(a mod n) x (b mod n)] mod n =(a x b)

mod n

• With RSA you are dealing with

potentially large exponents so
© 2017 Pearson Education, Ltd., All rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
 Table 9.4

© 2017 Pearson Education, Ltd., All rights reserved.

© 2017 Pearson Education, Ltd., All
rights reserved.
 Efficient Operation
Using the Public Key
• To speed up the operation of the RSA
algorithm using the public key, a specific
choice of e is usually made

• The most common choice is 65537 (216 +

1)
• Two other popular choices are e=3 and
e=17
• Each of these choices has only two 1 bits,
so the number of multiplications required
to perform exponentiation is minimized
•Education,
© 2017 Pearson With Ltd., a very
All rights small public key, such as e =
reserved.
 Efficient Operation
Using the Private Key
• Decryption uses exponentiation to power d
• A small value of d is vulnerable to a brute-
force attack and to other forms of
cryptanalysis

• Can use the Chinese Remainder Theorem

(CRT) to speed up computation
• The quantities d mod (p – 1) and d mod (q –
1) can be precalculated
• End result is that the calculation is
approximately four times as fast as
evaluating M = Cd mod n directly
© 2017 Pearson Education, Ltd., All rights reserved.
 Key Generation
• Before the application • Because the value of n
of the public-key = pq will be known to
cryptosystem each any potential
participant must adversary, primes must
generate a pair of be chosen from a
keys: sufficiently large set
• Determine two prime • The method used for
numbers p and q finding large primes
• Select either e or d must be reasonably
and calculate the efficient
other

© 2017 Pearson Education, Ltd., All rights reserved.

 Procedure for Picking
a Prime Number
• Pick an odd integer n at random

• Pick an integer a < n at random

• Perform the probabilistic primality test

with a as a parameter. If n fails the
test, reject the value n and go to step
1

• If n has passed a sufficient number of

tests, accept n; otherwise, go to step 2
© 2017 Pearson Education, Ltd., All rights reserved.
 The Security of RSA
Brute
force Mathematical
Chosen • Involves attacks
ciphertext trying all • There are
attacks possible several
• This type of private approaches, all
attack exploits keys equivalent in
properties of effort to
the RSA factoring the
algorithm
Five product of two
possible primes
approac
Hardware fault- hes to
based attack attackin
• This involves g RSA Timing attacks
inducing are: • These depend
hardware faults on the running
in the processor time of the
that is decryption
generating algorithm
digital
signatures
© 2017 Pearson Education, Ltd., All rights reserved.
 Factoring Problem
• We can identify three approaches to
attacking RSA mathematically:
• Factor n into its two prime factors. This
enables calculation of ø(n) = (p – 1) x (q
– 1), which in turn enables
determination of d = e-1 (mod ø(n))
• Determine ø(n) directly without first
determining p and q. Again this enables
determination of d = e-1 (mod ø(n))
• Determine d directly without first
determining ø(n)
© 2017 Pearson Education, Ltd., All rights reserved.
 Table 9.5 Progress in RSA Factorization
© 2017 Pearson Education, Ltd., All rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
 Timing Attacks
• Paul Kocher, a cryptographic consultant,
demonstrated that a snooper can
determine a private key by keeping track of
how long a computer takes to decipher
messages
• Are applicable not just to RSA but to other
public-key cryptography systems
• Are alarming for two reasons:
• It comes from a completely unexpected
direction
• It is a ciphertext-only attack
© 2017 Pearson Education, Ltd., All rights reserved.
 Countermeasures

Constant Random delay Blinding

exponentiation • Better performance • Multiply the ciphertext
time could be achieved by by a random number
• Ensure that all adding a random before performing
delay to the exponentiation; this
exponentiations take exponentiation process prevents the
the same amount of algorithm to confuse attacker from knowing
time before returning the timing attack what ciphertext bits
a result; this is a are being processed
simple fix but does inside the computer
degrade performance and therefore prevents
the bit-by-bit analysis
essential to the timing
attack

© 2017 Pearson Education, Ltd., All rights reserved.

 Fault-Based Attack
• An attack on a processor that is generating RSA
digital signatures
• Induces faults in the signature computation by
reducing the power to the processor
• The faults cause the software to produce invalid
signatures which can then be analyzed by the attacker
to recover the private key

• The attack algorithm involves inducing single-bit

errors and observing the results

• While worthy of consideration, this attack does not

appear to be a serious threat to RSA
• It requires that the attacker have physical access to
the target machine and is able to directly control the
input power to the processor
© 2017 Pearson Education, Ltd., All rights reserved.
Chosen Ciphertext Attack
(CCA)
• The adversary chooses a number of ciphertexts and
is then given the corresponding plaintexts,
decrypted with the target’s private key
• Thus the adversary could select a plaintext, encrypt
it with the target’s public key, and then be able to
get the plaintext back by having it decrypted with
the private key
• The adversary exploits properties of RSA and selects
blocks of data that, when processed using the
target’s private key, yield information needed for
cryptanalysis

• To counter such attacks, RSA Security Inc.

recommends modifying the plaintext using a
procedure known as optimal asymmetric
encryption
© 2017 Pearson Education, padding
Ltd., All rights reserved. (OAEP)
 Optimal
Asymmetric
Encryption
Padding
(OAEP)

© 2017 Pearson Education, Ltd., All rights reserved.

 • Public-key • The RSA algorithm
cryptosystems
• Description of the
• Applications for algorithm
public-key • Computational
cryptosystems aspects
• Security of RSA
• Requirements for
public-key
cryptography

• Public-key
cryptanalysis
© 2017 Pearson Education, Ltd., All rights reserved.