
Public Key Cryptography: Concepts, Applications, and Attacks, Thesis of Introduction to Software Engineering

cryptography security issues PGP RSA MAC

Typology: Thesis

2015/2016

Uploaded on 11/29/2016

pinky_naran
160702 Information Security (IS) UNIT-3 Public Key Cryptography
Darshan Institute of Engineering & Technology Page 1
Q 1.
Define the following:
a) Public key cryptography: Public-key cryptography is a cryptographic system that uses two separate keys,
one of which is secret and the other one is public. The algorithms used for public key cryptography are
based on mathematical functions.
b) Abelian Group: A group G, with an operation that associates with each ordered pair (a, b) of elements in G an
element (a.b), is an abelian group if it obeys the following axioms:
(A1) Closure: If a and b belong to G, then a.b is also in G.
(A2) Associative: a.(b.c) = (a.b).c for all a, b, c in G.
(A3) Identity element: There is an element e in G such that a.e = e.a = a for all a in G.
(A4) Inverse element: For each a in G there is an element a’ in G such that a.a’ = a’.a = e.
(A5) Commutative: a.b = b.a for all a, b in G.
c) Elliptic curve: An elliptic curve is a smooth projective curve given by the following equation:
y^2 = x^3 + ax + b
An elliptic curve contains the set of all the points that satisfy the above equation and a point at infinity O.
O is also called the identity element.
d) Elliptic curve cryptography: Elliptic curve cryptography is the field of cryptography that makes use of
elliptic curves in which the variables and coefficients are all restricted to elements of a finite field. Two
families of elliptic curves are used in cryptographic applications: prime curves over Zp and binary curves
over GF(2^m).
Q 2.
Draw and explain public key cryptosystem (encryption and authentication).
A public-key encryption scheme has six ingredients.
o Plaintext: This is the readable message or data that is fed into the algorithm as input.
o Encryption algorithm: The encryption algorithm performs various transformations on the
plaintext.
o Public and private keys: This is a pair of keys that have been selected so that if one is used for
encryption, the other is used for decryption.
o Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and
the key.
o Decryption algorithm: This algorithm accepts the ciphertext and the matching key and produces
the original plaintext.
Encryption
The essential steps are the following.
o Each user generates a pair of keys to be used for the encryption and decryption of messages.
o Each user places one of the two keys in a public register or other accessible file. This is the public
key. The other key is kept private.
o If A wishes to send a confidential message to B, A encrypts the message using B’s public key.
o When B receives the message, it decrypts it using the private key. No other recipient can decrypt
the message because only B knows B’s private key.
o As long as a user’s private key remains protected and secret, incoming communication is secure.
o At any time, a system can change its private key and publish the companion public key to replace
its old public key.
Suppose there is some source A that produces a message in plaintext, X = [X1, X2, . . . ,XM] and sends it
to B.
B generates a related pair of keys: a public key, PUb, and a private key, PRb. PUb is publicly available
and therefore accessible by A.
With the message X and the encryption key PUb as input, A forms the ciphertext Y = [Y1, Y2, . . . , YN]:
Y = E(PUb, X)

Encryption using public key cryptography
The intended receiver, having the matching private key, is able to decrypt the message: X = D(PRb, Y)
An adversary, observing Y and having access to PUb only, may attempt to recover X and/or PRb.
If the adversary is interested only in this particular message, then the focus of effort is to recover X by generating a plaintext estimate.
Whereas if the adversary is interested in being able to read future messages as well, then he attempts to recover PRb by generating an estimate.
Authentication
However, the above scheme does not provide authentication of the sender, as anyone having access to the public key can encrypt the message.
Public-key encryption can be used to provide authentication in the following manner:
o When A wishes to send a message to B where confidentiality is not needed but authentication is required, A encrypts the message using PRa.
o Anyone having access to PUa can decrypt the message. However, it is certain that the message originated from A, since no one except A could have encrypted the message using PRa.
A prepares a message to B and encrypts it using A’s private key before transmitting it: Y = E(PRa, X)
B can decrypt the message using A’s public key: X = D(PUa, Y)
Because the message was encrypted using A’s private key, only A could have prepared the message. Therefore, the entire encrypted message serves as a digital signature.
In addition, it is impossible to alter the message without access to A’s private key, so the message is authenticated both in terms of source and in terms of data integrity.
However, the entire message needs to be stored to bring up in case of dispute.
A more efficient way of achieving the same results is to encrypt a small block of bits that is a function of the document. Such a block is called an authenticator. It must have the property that it is infeasible to change the document without changing the authenticator.
If the authenticator is encrypted with the sender’s private key, it serves as a signature.

However, public-key systems depend on the use of some sort of invertible mathematical function which is really time-consuming and increases overhead.
Thus, there is a tradeoff. The key size must be large enough to make brute-force attack impractical but small enough for practical encryption and decryption.
Secure keys are long enough to make encryption and decryption really slow.
Hence, public-key encryption is currently confined to key management and signature applications.
Computation of private key from public key
In this attack, some characteristics of the algorithm are exploited to calculate the private key from the public key.
This attack needs many known or chosen plaintext-ciphertext pairs.
Probable message attack
In this attack, the opponent has some idea about the plaintext and he uses this information to find the private key.
Suppose that a message consists only of a 56-bit DES key.
An adversary could encrypt all possible 56-bit DES keys using the public key and could discover the encrypted key by matching the transmitted ciphertext.
Thus, no matter how large the key size of the public-key scheme, the attack is reduced to a brute-force attack on a 56-bit key.
This attack can be prevented by appending some random bits to such simple messages.
Q 5.
Give the steps of RSA algorithm and explain it with example.
RSA algorithm processes plaintext blocks, with each block having a binary value less than some number n.
The block size must be less than or equal to log2(n) + 1.
Steps for RSA:
o Select two large prime numbers p and q.
o Calculate n = pq.
o Calculate ϕ(n) = (p - 1)(q - 1).
o Select e such that e is relatively prime to ϕ(n).
o Compute d such that de ≡ 1 (mod ϕ(n)).
RSA is a public key algorithm with public key PU = {e, n} and private key PR = {d, n}.
Encryption and decryption are of the following form, for some plaintext block M and ciphertext block C:

C = M^e mod n
M = C^d mod n = (M^e)^d mod n

For the above equation to be true, d must be an inverse of e.
d can be calculated from e using extended Euclid’s algorithm.
Both sender and receiver must know the value of n.
The sender knows the value of e, and only the receiver knows the value of d.
Certain computational aspects need to be taken into account for RSA.
o Use of modular arithmetic makes calculation practical: Both encryption and decryption in RSA involve calculating huge exponents, mod n. If the exponentiation is done over the integers and then reduced modulo n, the intermediate values would be extremely large. However, the following property of modular arithmetic makes the calculation practical: [(a mod n) * (b mod n)] mod n = (a * b) mod n
o Efficiency of exponentiation: RSA deals with very large exponents, but this operation can be implemented efficiently. Consider x^16. A straightforward approach requires multiplying x 16 times. But the same can be achieved by only four multiplications: x^2, (x^2)^2 = x^4, (x^4)^2 = x^8, (x^8)^2 = x^16.
o Efficient operation using the public key: To speed up the operation of the RSA algorithm using the public key, a specific choice of e is usually made. The most common choice is 65537 (2^16 + 1).
RSA can also be subjected to various attacks like brute-force attack, various mathematical attacks, timing attacks and chosen ciphertext attacks.
Some of these attacks exploit the mathematical characteristics of RSA.
Example
Let p = 17 and q = 11.
n = pq = 17 X 11 = 187
ϕ(n) = (p - 1)(q - 1) = 16 X 10 = 160
Let e be 7.
d = e^-1 mod 160 = 23 (can be calculated by extended Euclid’s algorithm)
Now, PU = {7, 187} and PR = {23, 187}
If M = 88, then by RSA C = 88^7 mod 187 = [88 X 88^2 X 88^4] mod 187 = 11
Decryption
Here, C = 11.
By RSA, M = 11^23 mod 187 = [11 X 11^2 X 11^4 X 11^8 X 11^8] mod 187 = 88
Q 6.
Write four possible approaches to attacking the RSA algorithm.
Four possible approaches to attacking the RSA algorithm are:
Brute force
This involves trying all possible private keys.
The defense against this attack is to use a large key.
However, the key should not be so large that it makes calculation too time consuming and hence impractical.
Thus, there is a tradeoff between key size and security of RSA.
Mathematical attacks
There are three approaches to attacking RSA mathematically, all of which are equivalent in effort to factoring the product of two primes.
o Factor n into its two prime factors. This enables calculation of ϕ(n) = (p - 1)(q - 1), which in turn enables determination of d = e^-1 (mod ϕ(n)).
o Determine ϕ(n) directly, without first determining p and q. Again, this enables determination of d = e^-1 (mod ϕ(n)). This is equivalent to factoring n.
o Determine d directly, without first determining ϕ(n), which is at least as time-consuming as the factoring problem.
Size of n should be considerably large.
To avoid values of n that may be factored more easily:
o p and q should differ in length by only a few digits.
o Both (p - 1) and (q - 1) should contain a large prime factor.
o gcd(p - 1, q - 1) should be small.
Timing attacks
These depend on the running time of the decryption algorithm.
It is a ciphertext only attack.
In RSA, modular exponentiation is done bit by bit. Suppose the system uses a modular multiplication function that is very fast in almost all cases but in a few cases takes much more time than an entire average modular exponentiation.
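The RSA steps and worked example from Q 5 (p = 17, q = 11, e = 7, M = 88), together with the random-bit countermeasure to the probable message attack, as an added Python example that is not part of the original notes. The function names and the 3-bit pad width are assumptions chosen for illustration; this is textbook RSA on toy numbers.

```python
# Added example: textbook RSA with the notes' toy numbers. Not for real use.
import secrets

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def mod_exp(base, exp, n):
    """Square-and-multiply: every intermediate value is reduced mod n."""
    result, base = 1, base % n
    while exp:
        if exp & 1:                      # current exponent bit is 1: multiply
            result = (result * base) % n
        base = (base * base) % n         # square for the next bit
        exp >>= 1
    return result

def make_keys(p, q, e):
    """Return (PU, PR) = ((e, n), (d, n)) following the steps for RSA."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return (e, n), (x % phi, n)          # d = e^-1 mod phi(n)

def encrypt(m, pub):
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("plaintext block must be less than n")
    return mod_exp(m, e, n)

def decrypt(c, priv):
    d, n = priv
    return mod_exp(c, d, n)

PAD_BITS = 3  # assumption: number of random bits appended to a short message

def encrypt_padded(m, pub):
    """Append random bits so that equal messages do not always give the same
    ciphertext, which is what the probable message attack relies on."""
    return encrypt((m << PAD_BITS) | secrets.randbits(PAD_BITS), pub)

def decrypt_padded(c, priv):
    return decrypt(c, priv) >> PAD_BITS  # drop the random bits again

if __name__ == "__main__":
    pub, priv = make_keys(17, 11, 7)
    c = encrypt(88, pub)
    print("PU =", pub, "PR =", priv)
    print("C =", c, "M =", decrypt(c, priv))
    # Without padding the ciphertext of a given message never changes.
    print("unpadded:", {encrypt(9, pub) for _ in range(8)})
    print("padded:  ", {encrypt_padded(9, pub) for _ in range(8)})
```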

Suppose the users A and B wish to exchange a key.
User A selects a random private integer XA < q and computes public integer YA = α^XA mod q.
Similarly, user B independently selects a random private integer XB < q and computes public integer YB = α^XB mod q.
Each side keeps the X value private and makes the Y value available publicly to the other side.
User A computes the key as K = (YB)^XA mod q and user B computes the key as K = (YA)^XB mod q.
These two calculations produce identical results:

K = (YA)^XB mod q
= (α^XA mod q)^XB mod q
= (α^XA)^XB mod q
= α^(XB XA) mod q
= (α^XB)^XA mod q (by the rules of modular arithmetic)
= (α^XB mod q)^XA mod q
= (YB)^XA mod q

The result is that the two sides have exchanged a secret value.
Furthermore, because XA and XB are private, an adversary only has the following information: q, α, YA and YB.
Thus, the adversary is forced to take a discrete logarithm to determine the key.
For example, to determine the private key of user B, an adversary must compute

XB = dlog_{α,q}(YB)

The adversary can then calculate the key K.
The security of the Diffie-Hellman key exchange lies in the fact that, while it is relatively easy to calculate exponentials modulo a prime, it is very difficult to calculate discrete logarithms.
For large primes, calculating discrete logarithms is considered infeasible.
Because only A and B can determine the key, no other user can read the message (confidentiality).
Recipient B knows that only user A could have created a message using this key (authentication).
However, the technique does not protect against replay attacks. One such example is Man-in-the-Middle Attack.
Man-in-the-Middle Attack
Suppose A and B wish to exchange keys, and E is the attacker.
The attack proceeds as follows.
o E generates two random private keys XE1 and XE2 and then computes the corresponding public keys YE1 and YE2.
o A transmits YA to B.
o E intercepts YA and transmits YE1 to B.

o B receives YE1 and calculates K1 = (YE1)^XB mod q.
o B transmits YB to A.
o E intercepts YB and transmits YE2 to A.
o A receives YE2 and calculates K2 = (YE2)^XA mod q.
o E also calculates K1 = (YB)^XE1 mod q and K2 = (YA)^XE2 mod q.
At this point, B and A think that they share a secret key, but instead B and E share secret key K1 and A and E share secret key K2.
All future communication between B and A is compromised in the following way.
o A sends an encrypted message M as E(K2, M).
o E intercepts the encrypted message and decrypts it to recover M.
o E sends E(K1, M) or E(K1, M’) to B, where M’ is any message.
The key exchange protocol is vulnerable to such an attack because it does not authenticate the participants.
This vulnerability can be overcome with the use of digital signatures and public-key certificates.
Q 8.
List and explain four general categories of schemes for the distribution of public keys.
Various techniques for the distribution of public keys are:
Public announcement of Public Keys
If there is some broadly accepted public-key algorithm, such as RSA, any participant can send his or her public key to any other participant.
Keys can also be broadcast to the community at some public forum.
Although this approach is convenient, it has a major weakness.
o Anyone can forge such a public announcement. That is, some user could pretend to be user A and send a public key to another participant or broadcast such a public key.
o Also, there is no limit on the number of keys generated and hence an illegitimate user may try generating many keys.
Publicly Available Directory
A greater degree of security can be achieved by maintaining a publicly available dynamic directory of public keys.
Maintenance and distribution of the public directory would have to be the responsibility of some trusted organization.
This scheme would include the following elements:
o The authority maintains a directory with a {name, public key} entry for each participant.
o Each participant registers a public key with the directory authority. Registration would have to be in person or by some form of secure authenticated communication.
o A participant may replace the existing key with a new one at any time.
o Participants could also access the directory electronically.
This scheme is more secure than individual public announcements but still has vulnerabilities.
If an adversary succeeds in obtaining or computing the private key of the directory authority, the adversary could pass counterfeit public keys and impersonate any participant and eavesdrop on

key.
o Step 6: B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2).
o Because only B could have decrypted message step 3, the presence of N1 in message from B assures A that the correspondent is B.
o A returns N2, encrypted using B's public key, to assure B that its correspondent is A.
The initial four messages need be used only infrequently because both A and B can cache the other's public key for future use.
Periodically, a user should request fresh copies of the public keys of its correspondents to ensure currency.
The scenario has some drawbacks.
o The public-key authority could be a bottleneck in the system.
o Also the directory of names and public keys maintained by the authority is vulnerable to tampering.
Public-Key Certificates
This scheme uses certificates that can be used by participants to exchange keys without contacting a public-key authority.
A certificate consists of a public key plus an identifier of the key owner, with the whole block signed by a trusted third party.
The third party is a certificate authority, such as a government agency or a financial institution that is trusted by the user community.
A user can present his or her public key to the authority in a secure manner, and obtain a certificate.
The user can then publish the certificate.
Anyone who needs this user's public key can obtain the certificate and verify that it is valid by way of the attached trusted signature.
A participant can also convey its key information to another by transmitting its certificate.
For participant A, the authority provides a certificate of the form

CA = E(PRauth, [T||IDA||PUa])

where T is a timestamp.
Any other participant can read and verify the certificate using the public key of the authority (PUauth).
Since the certificate is readable only using the authority's public key, this verifies that the certificate came from the certificate authority.

However, certain requirements need to be placed on this scheme:
o Any participant can read a certificate to determine the name and public key of the certificate's owner.
o Any participant can verify that the certificate originated from the certificate authority and is not counterfeit.
o Only the certificate authority can create and update certificates.
o Any participant can verify the currency of the certificate.
The timestamp T validates the currency of the certificate.
If at any time the private key of a user A is compromised by attacker E, then A can apply for a new certificate for a new public-private key pair.
A can send this new certificate to other correspondents. The presence of the timestamp will help in determining the latest certificate.
The X.509 standard has become universally accepted for formatting public-key certificates.
X.509 certificates are used in most network security applications like IP security, secure sockets layer (SSL), secure electronic transactions (SET), and S/MIME.
Q 9.
Explain the methods of distribution of secret keys using public key cryptography.
Various schemes for distributing secret keys using public key cryptography are:
Simple Secret Key Distribution
If A wishes to communicate with B, then:
o A generates a public/private key pair {PUa, PRa} and transmits a message to B consisting of PUa and an identifier of A, IDA.
o B generates a secret key, Ks, and transmits it to A, encrypted with A's public key.
o A decrypts the message with its private key to recover the secret key.
o Because only A can decrypt the message, only A and B will know the identity of Ks.
A discards PUa and PRa and B discards PUa.
A and B can now securely communicate using conventional encryption and the session key Ks. At the completion of the exchange, both A and B discard Ks.
This scheme is secure from eavesdropping but not against modification attacks.
Man-in-the-middle attack is possible in this scheme.
o A generates a public/private key pair {PUa, PRa} and transmits a message intended for B consisting of PUa and an identifier of A, IDA.
o E intercepts the message, creates its own public/private key pair {PUe, PRe} and transmits PUe||IDA to B.
o B generates a secret key, Ks, and transmits E(PUe, Ks).
o E intercepts the message, and learns Ks by decrypting the message using PRe.
o E transmits E(PUa, Ks) to A.
Both A and B know Ks and are unaware that Ks has also been revealed to E.
All the messages encrypted using Ks can be read by E also.
Secret Key Distribution with Confidentiality and Authentication
In this scheme the following steps occur:
o A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1).
o B encrypts a message with PUa containing A's nonce (N1) as well as a new nonce generated by B (N2) and sends it to A. The presence of N1 gives authentication of B.
o A encrypts the nonce N2 with PUb and sends it to B. This step assures B that the correspondent is A.

o The two calculations in step 3 produce the same result because

nA x PB = nA x (nB x G) = nB x (nA x G) = nB x PA

To break this scheme, an attacker would need to be able to compute k, given G and kG, which is assumed hard.
Computing private value n when public value P and G are known is the discrete logarithm problem for elliptic curves.
Q 12.
Explain the process of encryption-decryption using elliptic curves?
Encode the plaintext message m to be sent as an x-y point Pm.
Pm will be encrypted as a cipher text.
All the encryption/decryption parameters, a point G and an elliptic group Eq(a, b), are selected.
User A selects a private key nA and generates a public key PA = nA x G.
To encrypt and send a message Pm to B, A chooses a random positive integer k and produces the cipher text Cm consisting of the pair of points:

Cm = {kG, Pm + kPB}

For decryption,
o Multiply the first point or x-coordinate in the pair by receiver’s secret key and subtract the result from the second point or y-coordinate.

Pm + kPB - nB(kG) = Pm + k(nBG) - nB(kG) = Pm

A has masked the message Pm by adding kPB to it.
Nobody but A knows the value of k, so even though PB is a public key, nobody can remove the mask kPB.
However, message can be decrypted if the private key nB is known.
For an attacker to recover the message, the attacker would have to compute k given G and kG or the elliptic curve logarithm problem, which is assumed hard.
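The elliptic curve encryption and decryption from Q 12, and the key-agreement identity nA x PB = nB x PA, as an added Python example that is not part of the original notes. The curve y^2 = x^3 + 2x + 2 over Z_17 with G = (5, 1), the private keys and the function names are constructed for illustration and are far too small for real use.

```python
# Added example: Cm = {kG, Pm + kPB} on a constructed toy curve. Needs Python 3.8+.
import secrets

P_MOD, A, B = 17, 2, 2   # constructed curve y^2 = x^3 + 2x + 2 over Z_17
G = (5, 1)               # base point; None stands for the point at infinity O
ORDER = 19               # G has order 19 on this curve

def on_curve(P):
    """True if P is O or satisfies the curve equation."""
    if P is None:
        return True
    x, y = P
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0

def neg(P):
    return None if P is None else (P[0], -P[1] % P_MOD)

def add(P, Q):
    """Group law; O is the identity element."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # P + (-P) = O
    if P == Q:                                        # tangent slope
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:                                             # chord slope
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, P):
    """k x P by double-and-add."""
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def encrypt(Pm, PB, k=None):
    """Return Cm = (kG, Pm + k*PB); k is random unless given."""
    if not (on_curve(Pm) and on_curve(PB)):
        raise ValueError("point is not on the curve")
    if k is None:
        k = secrets.randbelow(ORDER - 1) + 1          # 1 .. ORDER-1
    return mul(k, G), add(Pm, mul(k, PB))

def decrypt(Cm, nB):
    """Pm = (Pm + k*PB) - nB*(kG)."""
    C1, C2 = Cm
    if not (on_curve(C1) and on_curve(C2)):
        raise ValueError("point is not on the curve")
    return add(C2, neg(mul(nB, C1)))

if __name__ == "__main__":
    nA, nB = 3, 7                                     # constructed private keys
    PA, PB = mul(nA, G), mul(nB, G)
    print("shared:", mul(nA, PB), mul(nB, PA))        # nA x PB = nB x PA
    Pm = mul(2, G)                                    # message already encoded as a point
    Cm = encrypt(Pm, PB)
    print("Pm =", Pm, "Cm =", Cm, "decrypted =", decrypt(Cm, nB))
```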