Introduction to applied cryptography and network security
Kanglin Chen
23.09.2009
Fachbereich 03 Mathematik/Informatik
Outline
1 Symmetric cryptosystems
2 Asymmetric cryptosystems
3 Digital signatures
Motivation
Modern cryptographic techniques are used in
E-business
digitally sign documents
copyright protection
Goals of Cryptography
Only authorized people should be able to read the data (not open for everyone)
Is a user really the one he pretends to be? (digital signature)
Anonymity of sender and receiver for third parties (digital signature not readable)
Cryptosystems
Definition
A cryptosystem is a tuple $(P, C, K, E, D)$ with the following properties:
1 $P$ is called the plaintext space. Its elements are called plaintexts.
2 $C$ is called the ciphertext space. Its elements are called ciphertexts.
3 $K$ is called the key space. Its elements are called keys.
4 $E = \{E_k : k \in K\}$ is a family of functions $E_k : P \to C$. Its elements are called encryption functions.
5 $D = \{D_k : k \in K\}$ is a family of functions $D_k : C \to P$. Its elements are called decryption functions.
6 For each $e \in K$, there is $d \in K$ such that $D_d(E_e(p)) = p$ for all $p \in P$.
Symmetric cryptosystems
Definition
If in a cryptosystem the encryption key $e$ is always equal to the
decryption key $d$, or if $d$ can be easily computed from $e$, then the
cryptosystem is called symmetric.
For example: We map the letters A, ..., Z to the numbers
$\Sigma = \{0, \ldots, 25\}$. For $e \in \mathbb{Z}_{26}$, the encryption function $E_e$ is
$E_e : \Sigma \to \Sigma,\ x \mapsto (x + e) \bmod 26.$
Analogously, for $d \in \mathbb{Z}_{26}$ the decryption function $D_d$ is
$D_d : \Sigma \to \Sigma,\ x \mapsto (x - d) \bmod 26.$
The decryption key for the encryption key $e$ is $d = e$.
Symmetric cryptosystems
Story
Alice wants to send an encrypted message to Bob. She uses an
encryption key, and Bob uses the corresponding decryption key to
recover the plaintext. Oscar is an attacker who can listen to the
messages between Alice and Bob.
If Alice and Bob use a symmetric cryptosystem, they must
exchange the secret key e before they start their communication.
Secure key exchange is a major problem.
Solution: Asymmetric cryptosystems
Asymmetric cryptosystems
Definition
In asymmetric cryptosystems, the keys $d$ and $e$ are distinct, and
computation of $d$ from $e$ is infeasible. If Bob wants to receive
encrypted messages, he publishes an encryption key $e$ and keeps the
decryption key $d$ secret. Anybody can use $e$ to encrypt messages
for Bob. Therefore, $e$ is called the public key. But only Bob can
decrypt the messages, so $d$ is called the private key. Asymmetric
cryptosystems are also called public-private-key cryptosystems.
Problem: How to generate such a key pair $(d, e)$?
RSA algorithm
The RSA algorithm was publicly described in 1978 by Ron Rivest,
Adi Shamir, and Leonard Adleman at the Massachusetts Institute of
Technology.
RSA algorithm
Bob randomly and independently generates two large prime
numbers $p$ and $q$ (more than 1024 bits) and computes the product
$n = pq$.
public key $(n, e)$: $e$ (freely chosen) is prime to $(p-1)(q-1)$.
private key $(n, d)$: $d$ satisfies $[d \times e = 1] \bmod (p-1)(q-1)$.
encryption: $C = M^e \bmod n$.
decryption: $M = C^d \bmod n$.
where $M$ is a plaintext and $C$ is a ciphertext.
Example
Assume $p = 3$, $q = 11$, $n = 33$. $f(p, q) = (p-1)(q-1) = 20$.
Set $e = 3$; then $[e \times d = 1] \bmod f(p, q)$ implies $d = 7$.
public key $(e, n) = (3, 33)$ and private key $(d, n) = (7, 33)$.
Alphabet: k e y
ASCII: 11 05 25
Encryption
$C(1) = M(1)^e \bmod n = 11^3 \bmod 33 = 11$
$C(2) = M(2)^e \bmod n = 05^3 \bmod 33 = 26$
$C(3) = M(3)^e \bmod n = 25^3 \bmod 33 = 16$
Decryption
$M(1) = C(1)^d \bmod n = 11^7 \bmod 33 = 11$
$M(2) = C(2)^d \bmod n = 26^7 \bmod 33 = 05$
$M(3) = C(3)^d \bmod n = 16^7 \bmod 33 = 25$
RSA and factoring
It is proven that computing $d$ from $(n, e)$ is as difficult as finding
the prime factors $p$ and $q$ of $n$. But it is still an open problem whether
decrypting RSA ciphertexts is as difficult as factoring integers.
The main problem of the RSA algorithm is how to generate
sufficiently large prime numbers (normally more than 1024 bits)
quickly.
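The worked example with p = 3, q = 11 and the remark on factoring, as an added Python example (not part of the original slides): it rebuilds the key pair, reproduces the three ciphertext blocks, and shows that whoever can factor a toy n obtains d. The function names are assumptions of this example.

```python
from math import gcd, isqrt

def keygen(p, q, e):
    """Return public key (n, e) and private key (n, d) as on the RSA slide."""
    n, f = p * q, (p - 1) * (q - 1)
    if gcd(e, f) != 1:
        raise ValueError("e must be prime to (p-1)(q-1)")
    return (n, e), (n, pow(e, -1, f))        # d is the inverse of e mod f

def crypt(blocks, key):
    """Apply x -> x^exp mod n to each block; used for both directions."""
    n, exp = key
    if any(not 0 <= m < n for m in blocks):
        raise ValueError("each block must lie in [0, n)")
    return [pow(m, exp, n) for m in blocks]

def private_key_from_factoring(public):
    """Rebuild d from (n, e) by trial division of n.

    This succeeds only because n is tiny; it is the reason p and q must be
    large primes in practice.
    """
    n, e = public
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return n, pow(e, -1, (p - 1) * (q - 1))
    raise ValueError("n has no nontrivial factor")

if __name__ == "__main__":
    public, private = keygen(3, 11, 3)
    message = [11, 5, 25]                    # the slide's codes for k, e, y
    cipher = crypt(message, public)
    print("public", public, "private", private)
    print("cipher", cipher, "decrypted", crypt(cipher, private))
    print("d recovered from (n, e):", private_key_from_factoring(public))
```

Block 11 encrypts to itself, and equal plaintext blocks always give equal ciphertext blocks, because the scheme on the slide is deterministic.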
Prime numbers generator
Fermat's little theorem
If $n$ is a prime number, then for all $a \in \mathbb{Z}$ with $1 \le a \le n-1$ we have
$a^{n-1} \bmod n = 1$.
Carmichael number
A positive composite integer $n$ is a Carmichael number if and only
if $n$ is square-free and, for each prime divisor $p$ of $n$,
the integer $p - 1$ divides $n - 1$.
For example: The smallest Carmichael number is $561 = 3 \cdot 11 \cdot 17$.
Miller-Rabin Test
There is no analog of Carmichael numbers for the Miller-Rabin test.
Let $n$ be an odd, positive integer and let
$s = \max\{r \in \mathbb{N} : 2^r \text{ divides } n - 1\}$,
so $2^s$ is the largest power of 2 that divides $n - 1$. Set $d = (n-1)/2^s$.
Theorem
If $n$ is a prime and if $a$ is an integer that is prime to $n$, then we have either
$[a^d = 1] \bmod n$ (1)
or there exists $r$ in the set $\{0, 1, \ldots, s-1\}$ with
$[a^{2^r d} = -1] \bmod n$ (2)
Miller-Rabin Test
If $n$ is a prime, then at least one of the conditions of the theorem
holds. Therefore, if we find an integer $a$ that is prime to $n$ and that
satisfies neither (1) nor (2) for any $r \in \{0, \ldots, s-1\}$, then $n$ is
proven composite. Such an integer is called a witness for the
compositeness of $n$.
Theorem
If $n \ge 3$ is an odd composite number, then the set $\{1, \ldots, n-1\}$ contains at most $(n-1)/4$ numbers that are prime to $n$ and not
witnesses for the compositeness of $n$.
Miller-Rabin Test
From the previous theorem we know that the probability that $n$ is
composite and we do not find a witness is at most $1/4$.
To apply the Miller-Rabin test to an odd, positive integer $n$, we
choose a random number $a \in \{2, 3, \ldots, n-1\}$. If $\gcd(a, n) > 1$,
then $n$ is composite. Otherwise, we compute $a^d, a^{2d}, \ldots, a^{2^{s-1}d}$.
If we find a witness for the compositeness of $n$, then we have proven
that $n$ is composite.
If $n$ passes the Miller-Rabin test $t$ times, then the probability that
$n$ is composite is at most $(1/4)^t$. For $t = 10$, the probability is at
most $1/2^{20}$. This is very unlikely.
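The Fermat condition, the Carmichael number 561 and the Miller-Rabin test from the preceding slides, as an added Python example (not part of the original slides): it counts how many bases fail to expose 561 under each test and uses the t-round test to draw a random probable prime. Function names and the 512-bit size in the demo are assumptions of this example.

```python
import math
import secrets

def fermat_passes(n, a):
    """Fermat condition from the slide: a^(n-1) mod n = 1."""
    return pow(a, n - 1, n) == 1

def is_witness(n, a):
    """True if a (prime to odd n >= 3) satisfies neither (1) nor (2)."""
    s, d = 0, n - 1
    while d % 2 == 0:                 # write n - 1 = 2^s * d with d odd
        s, d = s + 1, d // 2
    x = pow(a, d, n)
    if x == 1 or x == n - 1:          # (1) holds, or (2) holds with r = 0
        return False
    for _ in range(s - 1):            # (2) for r = 1, ..., s - 1
        x = pow(x, 2, n)
        if x == n - 1:
            return False
    return True

def miller_rabin(n, t=10):
    """False: n is proven composite. True: n passed t rounds, so the
    error probability is at most (1/4)^t."""
    if n < 3 or n % 2 == 0:
        return n == 2
    for _ in range(t):
        a = 2 + secrets.randbelow(n - 2)          # random a in {2, ..., n-1}
        if math.gcd(a, n) > 1 or is_witness(n, a):
            return False
    return True

def count_non_witnesses(n, passes):
    """Number of a in {1, ..., n-1} prime to n that do not expose n."""
    return sum(1 for a in range(1, n)
               if math.gcd(a, n) == 1 and passes(n, a))

def random_prime(bits, t=10):
    """Draw odd candidates with the top bit set until one passes t rounds."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if miller_rabin(cand, t):
            return cand

N = 561  # smallest Carmichael number, 3 * 11 * 17
fermat_liars = count_non_witnesses(N, fermat_passes)
strong_liars = count_non_witnesses(N, lambda n, a: not is_witness(n, a))

if __name__ == "__main__":
    print("bases prime to 561 that pass the Fermat condition:", fermat_liars)
    print("bases prime to 561 that are not Miller-Rabin witnesses:", strong_liars)
    print("bound (n - 1)/4:", (N - 1) // 4)
    print("512-bit probable prime:", random_prime(512))
```

Every base prime to 561 passes the Fermat condition, while only a handful escape the Miller-Rabin conditions, well below the (n - 1)/4 bound.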
Digital signatures
Problem: How can Bob know that the ciphertext really comes from
Alice?
In many situations, electronic documents also must be signed. For
example, electronic contracts, electronic bank transactions.
Solution: signature with one-way hash functions.
Signature with one-way hash functions
Definition
By a one-way hash function, we mean a map
$H : \Sigma^m \to \Sigma^n,\ M \mapsto H(M) = h,\quad m > n,\ m, n \in \mathbb{N}$,
with the following properties:
1 For a given $M$ it is easy to compute $h$.
2 For a given $h$ it is difficult to compute an $M$ with $H(M) = h$.
3 For a given $M$ it is difficult to compute an $\bar{M}$ with $H(M) = H(\bar{M})$.
In principle, the one-way hash function gives a unique "fingerprint" of $M$.
Example of one-way hash functions
If $p$ is a randomly chosen 1024-bit prime and $g$ a primitive root
mod $p$, then the function
$f : \{0, \ldots, p-1\} \to \{1, \ldots, p-1\},\ x \mapsto g^x \bmod p$
is easy to compute by fast exponentiation, but an efficient inversion function
is not known because it is difficult to compute discrete logarithms.
Combine (a)symmetric cryptosystems and digital signatures
Alice has a symmetric cryptosystem (SC), the corresponding key
(K), a public key (AUK) and a private key (ARK).
Bob has a public key (BUK) and a private key (BRK).
Procedure:
Alice:
plaintext $D \xrightarrow{SC}$ ciphertext $DC$;
key $K \xrightarrow{BUK}$ key $KB$;
$DC, KB \xrightarrow{\text{hash}} H \xrightarrow{ARK} HA$;
$DC, KB, HA \longrightarrow$ Bob.
Bob:
$DC, KB \xrightarrow{\text{hash}} H$;
$HA \xrightarrow{AUK} \bar{H}$;
If $\bar{H} = H$, then it's from Alice, otherwise, not.
$KB \xrightarrow{BRK} K$;
$DC \xrightarrow{K} D$.
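The procedure above as an added Python example, not part of the original slides. Assumptions of this example: SHA-256 as the hash, a SHA-256 counter keystream standing in for SC, textbook RSA without padding, and constructed demo keys built from Mersenne primes; all function names are hypothetical.

```python
import hashlib
import secrets

E = 65537  # public exponent (assumption of this example)

def toy_keypair(p, q):
    """Textbook RSA key pair from two primes: ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

# Constructed demo keys from Mersenne primes: fine for showing the data
# flow, never for real use (special-form primes, no padding).
AUK, ARK = toy_keypair(2**127 - 1, 2**521 - 1)   # Alice
BUK, BRK = toy_keypair(2**107 - 1, 2**607 - 1)   # Bob

def sc(key, data):
    """Stand-in for SC: XOR with a SHA-256 counter keystream.
    Encryption and decryption are the same operation."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def digest(dc, kb):
    """H = hash(DC, KB) as an integer; DC is length-prefixed so the
    boundary between DC and KB is unambiguous."""
    kb_bytes = kb.to_bytes((kb.bit_length() + 7) // 8, "big")
    h = hashlib.sha256(len(dc).to_bytes(8, "big") + dc + kb_bytes).digest()
    return int.from_bytes(h, "big")

def alice_send(d_plain):
    k = secrets.token_bytes(16)                          # fresh key K
    dc = sc(k, d_plain)                                  # D  --SC-->  DC
    kb = pow(int.from_bytes(k, "big"), BUK[1], BUK[0])   # K  --BUK--> KB
    ha = pow(digest(dc, kb), ARK[1], ARK[0])             # H  --ARK--> HA
    return dc, kb, ha                                    # sent to Bob

def bob_receive(dc, kb, ha):
    h_bar = pow(ha, AUK[1], AUK[0])                      # HA --AUK--> H-bar
    if h_bar != digest(dc, kb):                          # compare with H
        raise ValueError("signature mismatch: not from Alice, or modified")
    k = pow(kb, BRK[1], BRK[0]).to_bytes(16, "big")      # KB --BRK--> K
    return sc(k, dc)                                     # DC --K-->   D

if __name__ == "__main__":
    dc, kb, ha = alice_send(b"constructed sample message")
    print(bob_receive(dc, kb, ha))
    try:
        bob_receive(bytes([dc[0] ^ 1]) + dc[1:], kb, ha)  # one flipped bit
    except ValueError as err:
        print("rejected:", err)
```

Bob checks the signature before touching KB or DC, so a modified ciphertext or a swapped key block is rejected without any decryption taking place.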
Thank you for your attention!