Introduction to applied cryptography and network security · Introduction to applied cryptography...

Introduction to applied cryptography andnetwork security

Kanglin Chen

23.09.2009

Fachbereich 03Mathematik/Informatik

Outline

1 Symmetric cryptosystems

2 Asymmetric cryptosystems

3 Digital signatures

2 / 20Symmetric cryptosystems Asymmetric cryptosystems Digital signatures

http://www.uni-bremen.de


Motivation

Modern cryptograpic techni-ques are used in

E-buisness

digitally sign documents

copyright protection

Goals of Crytography

Only authorized people should be able to read the data (not openfor everyone)

Is a user really the one he pretends to be? (digital signature)

Anonymity of sender and receiver for third parties (digital signaturenot readable)




Motivation

Modern cryptograpic techni-ques are used in

E-buisness

digitally sign documents

copyright protectionGoals of Crytography

Only authorized people should be able to read the data (not openfor everyone)

Is a user really the one he pretends to be? (digital signature)

Anonymity of sender and receiver for third parties (digital signaturenot readable)




Cryptosystems

De�nition

An cryptosystem is a tuple (P, C,K, E ,D) with following properties:

1 P is called the plaintext space. Its elements are called plaintexts.

2 C is called the ciphertext space. Its elements are called ciphertexts.

3 K is called the key space. Its elements are called keys.

4 E = Ek : k ∈ K is a family of functions Ek : P → C. Its elements arecalled encryption functions.

5 D = Dk : k ∈ K is a family of functions Dk : C → P. Its elementsare called decryption functions.

6 For each e ∈ K, there is d ∈ K such that Dd(Ee(p)) = p for allp ∈ P.




Symmetric cryptosystems

De�nition

If in a cryptosystem the encryption key e is always equal to the

decryption key d , or if d can be easily computed from e, then the

cryptosystem is called symmetric.

For example: We correspond letters A,· · · ,Z to numbers

Σ = {0, · · · , 25}. For e ∈ Z26, the encryption function Ee is

Ee : Σ→ Σ, x 7→ (x + e) mod 26.

Analogously, for d ∈ Z26 the decryption function Dd is

Dd : Σ→ Σ, x 7→ (x − d) mod 26.

The decryption key for the encryption key e is d = e.





De�nition

If in a cryptosystem the encryption key e is always equal to the

decryption key d , or if d can be easily computed from e, then the

cryptosystem is called symmetric.

For example: We correspond letters A,· · · ,Z to numbers

Σ = {0, · · · , 25}. For e ∈ Z26, the encryption function Ee is

Ee : Σ→ Σ, x 7→ (x + e) mod 26.

Analogously, for d ∈ Z26 the decryption function Dd is

Dd : Σ→ Σ, x 7→ (x − d) mod 26.

The decryption key for the encryption key e is d = e.





Story

Alice wants to send an encrypted message to Bob, then she uses an

encryption key and Bob uses the corresponding decryption key to

recover the plaintext. And Oscar is a attacker, he can listen on

messages between Alice and Bob.

If Alice and Bob use a symmetric cryptosystem, they must

exchange the secret key e before they start their communication.

Secure key exchange is a major problem.

Solution: Asymmetric cryptosystems





Story













Story












Asymmetric cryptosystems

De�nition

In asymmetric cryptosystems, the keys d and e are distinct, and

computation of d from e is infeasible. If Bob wants to receive

encrypted messages, he publishes an encryption key e and keeps the

descryption key d secret. Anybody can use e to encrypt messages

for Bob. Therefore, e is called the public key. But only Bob can

decrypt the messages, so d is called the private key. Asymmetric

cryptosystems are also called public-private-key cryptosystems.

Problem: How to generate such key pairing (d , e)?




Asymmetric cryptosystems

De�nition

In asymmetric cryptosystems, the keys d and e are distinct, and

computation of d from e is infeasible. If Bob wants to receive

encrypted messages, he publishes an encryption key e and keeps the

descryption key d secret. Anybody can use e to encrypt messages

for Bob. Therefore, e is called the public key. But only Bob can

decrypt the messages, so d is called the private key. Asymmetric

cryptosystems are also called public-private-key cryptosystems.

Problem: How to generate such key pairing (d , e)?




RSA algorithm

The RSA algorithm was publicly described in 1978 by Ron Rivest,

Adi Shamir, and Leonard Adleman at Massachusetts Institute of

Technology.




RSA algorithm

Bob generates randomly and independently two large prime

numbers (more than 1024 bits) p and q and computes the product

n = pq.

public key (n, e): e (free choose) is prime to (p − 1)(q − 1).

private key (n, d): d satis�es [d × e = 1] mod (p − 1)(q − 1).

encryption: C = Me mod n.

decryption: M = Cd mod n.

where M is a plaintext and C is a ciphertext.




RSA algorithm

Bob generates randomly and independently two large prime

numbers (more than 1024 bits) p and q and computes the product

n = pq.

public key (n, e): e (free choose) is prime to (p − 1)(q − 1).

private key (n, d): d satis�es [d × e = 1] mod (p − 1)(q − 1).

encryption: C = Me mod n.

decryption: M = Cd mod n.

where M is a plaintext and C is a ciphertext.




ExampleAssume p = 3, q = 11, n = 33. f (p, q) = (p − 1)(q − 1) = 20.Set e = 3, then from [e × d = 1] mod f (p, q) implies d = 7.public key (e, n) = (3, 33) and private key (d , n) = (7, 33).

Alphabet k e yASCII 11 05 25

Encryption

C (1) = M(1)e mod n = 113 mod 33 = 11

C (2) = M(2)e mod n = 053 mod 33 = 26

C (3) = M(3)e mod n = 253 mod 33 = 16

Decryption

M(1) = C (1)d mod n = 117 mod 33 = 11

M(2) = C (2)d mod n = 267 mod 33 = 05

M(3) = C (3)d mod n = 167 mod 33 = 25




RSA and factoring

It is proven that computing d from (n, e) is as di�cult as �nding

the prime factors p and q of n. But it is still an open problem if

decrypting the RSA ciphertexts is as di�cult as factoring integers.

The main problem of RSA algorithms is how to generate the

su�ciently large (normally more than 1024 bits) prime number

quickly.




RSA and factoring

It is proven that computing d from (n, e) is as di�cult as �nding

the prime factors p and q of n. But it is still an open problem if

decrypting the RSA ciphertexts is as di�cult as factoring integers.

The main problem of RSA algorithms is how to generate the

su�ciently large (normally more than 1024 bits) prime number

quickly.




Prime numbers generator

Fermat's little theorem

If n is a prime number, then for all a ∈ Z with 1 ≤ a ≤ n − 1 yields

an−1 mod n = 1.

Carmichael number

A positive composite integer n is a Carmichael number if and only

if n is square-free, and for each prime divisors p of n, it is true that

the integer p − 1 divides n − 1.

For example: The smallest Carmichael number is 561 = 3 · 11 · 17.







an−1 mod n = 1.

Carmichael number











an−1 mod n = 1.

Carmichael number








Miller-Radin TestThere is no analog of Carmichael numbers for the Miller-Radin test.Let n be an odd, positive integer and let

s = max {r ∈ N : 2r divides n − 1} ,

so 2s is the largest power of 2 that divides n − 1. Set d = (n − 1)/2s .

Theorem

If n is a prime and if a is an integer that is prime to n, then we have either

[ad = 1] mod n (1)

or there exists r in the set {0, 1, · · · , s − 1} with

[a2r

d = −1] mod n (2)




Miller-Radin Test

If n is a prime, then at least one of the conditions of the theorem

holds. Therefore, if we �nd an integer a that is prime to n and that

satis�es neither (1) nor (2) for some r ∈ {0, · · · , s − 1}, then n is

proven composite. Such an integer is called a witness for the

compositeness of n.

Theorem

If n ≥ 3 is an odd composite number, then the set{1, · · · , n − 1}contains at most (n − 1)/4 numbers that are prime to n and not

witnesses for the compositeness of n.




Miller-Radin Test

If n is a prime, then at least one of the conditions of the theorem

holds. Therefore, if we �nd an integer a that is prime to n and that

satis�es neither (1) nor (2) for some r ∈ {0, · · · , s − 1}, then n is

proven composite. Such an integer is called a witness for the

compositeness of n.

Theorem

If n ≥ 3 is an odd composite number, then the set{1, · · · , n − 1}contains at most (n − 1)/4 numbers that are prime to n and not

witnesses for the compositeness of n.




Miller-Radin Test

From previous theorem we know the probability that n is

compositve and we do not �nd a witeness is at most 1/4.To apply the Miller-Radin test to an odd, positive integer n, we

choose a random number a ∈ {2, 3, · · · , n − 1}. If gcd(a, n) > 1,

then n is composite. Otherwise, we compute ad , a2d , · · · , a2s−1d .Ifwe �nd a witness for the compositeness of n, then we have proven

that n is composite.

If n pass the Miller-Radin test for t times, then the probability that

n is a composite, is at most (1/4)t . For t = 10, the probability is at

most 1/220. This is very unlikely.




Digital signatures

Problem: How can Bob know that the ciphertext really come from

Alice?

In many situations, electronic documents also must be signed. For

example, electronic contracts, electronic bank transactions.

Solution: signature with one-way hash functions.




Digital signatures

Problem: How can Bob know that the ciphertext really come from

Alice?

In many situations, electronic documents also must be signed. For

example, electronic contracts, electronic bank transactions.

Solution: signature with one-way hash functions.




Signature with one-way hash functions

De�nition

By a one-way hash function, we mean a map

H : Σm → Σn, M 7→ H(M) = h,m > n m, n ∈ N,

with the following properties:

1 For a given M it is easy to compute h.

2 For a given h it is di�cult to compute a M with H(M) = h.

3 For a given M it is di�cult to compute a M̄ with H(M) = H(M̄).

In principle, the one-way hash function gives a unique ��ngerprint�of M.




Signature with one-way hash functions

De�nition

By a one-way hash function, we mean a map

H : Σm → Σn, M 7→ H(M) = h,m > n m, n ∈ N,

with the following properties:

1 For a given M it is easy to compute h.

2 For a given h it is di�cult to compute a M with H(M) = h.

3 For a given M it is di�cult to compute a M̄ with H(M) = H(M̄).

In principle, the one-way hash function gives a unique ��ngerprint�of M.




Example of one-way hash functions

If p is a randomly chosen 1024−bit prime and g a primitive root

mod p, then the function

f : {0, · · · , p − 1} → {1, · · · , p − 1} , x 7→ g x mod p is easy to

compute by fast exponentiation, but an e�cient inversion function

is not known because it is di�cult to compute discrete logarithms.




Combine (a)symmetric cryptosystems and digitalsignatures

Alice has a symmetric crytosystem (SC), the corresponding key

(K), a public key (AUK) and a private key (ARK).

Bob has a public key (BUK) and a private key (BRK).

Procedure:

Alice: plaintext DSC−→ciphertext DC;key K

BUK−→key KB;

DC,KBhash−→ H

ARK−→HA;

DC, KB, HA−→Bob.

Bob: DC,KBhash−→H;HA

AUK−→ H̄;

If H̄ =H, then it's from Alice, otherwise, not.

KBBRK−→K;DC

K−→D.








Procedure:

Alice: plaintext DSC−→ciphertext DC;

key KBUK−→key KB;

DC,KBhash−→ H

ARK−→HA;



AUK−→ H̄;


KBBRK−→K;DC

K−→D.








Procedure:


BUK−→key KB;

DC,KBhash−→ H

ARK−→HA;



AUK−→ H̄;


KBBRK−→K;DC

K−→D.








Procedure:


BUK−→key KB;

DC,KBhash−→ H

ARK−→HA;



AUK−→ H̄;


KBBRK−→K;DC

K−→D.








Procedure:


BUK−→key KB;

DC,KBhash−→ H

ARK−→HA;



AUK−→ H̄;


KBBRK−→K;DC

K−→D.








Procedure:


BUK−→key KB;

DC,KBhash−→ H

ARK−→HA;


Bob: DC,KBhash−→H;

HAAUK−→ H̄;


KBBRK−→K;DC

K−→D.








Procedure:


BUK−→key KB;

DC,KBhash−→ H

ARK−→HA;



AUK−→ H̄;


KBBRK−→K;DC

K−→D.








Procedure:


BUK−→key KB;

DC,KBhash−→ H

ARK−→HA;



AUK−→ H̄;


KBBRK−→K;DC

K−→D.








Procedure:


BUK−→key KB;

DC,KBhash−→ H

ARK−→HA;



AUK−→ H̄;


KBBRK−→K;

DCK−→D.








Procedure:


BUK−→key KB;

DC,KBhash−→ H

ARK−→HA;



AUK−→ H̄;


KBBRK−→K;DC

K−→D.




Thank you for your attention!



Date post:	17-Oct-2020
Category:	Documents
Upload:	others
View:	6 times
Download:	1 times

Introduction to applied cryptography and network security · Introduction to applied cryptography...

Documents