Asymmetric Key Cryptography - FTP Directory Listing

April 14, 2018 | Author: Anonymous | Category: Engineering & Technology, Computer Science

Mathematische Verfahren Prof. Dr. Eckhard Letsch

Asymmetric Key Cryptography Assignment

Hochschule Reutlingen MKI/Master -1

Submitted by:Khushdeep Noheria 16.01.2006 Matriculation No: 052455

Asymmetric Key Cryptography

WS-2005/06

Contents

1 Abstract ..... 2
2 Introduction to Public-key cryptography ..... 2
  2.1 Public-Key Encryption ..... 3
    2.1.1 Ciphers ..... 4
  2.2 Digital Signatures ..... 6
    2.2.1 Authenticity ..... 6
    2.2.2 Integrity ..... 7
    2.2.3 Non-repudiation ..... 7
    2.2.4 Implementation ..... 7
  2.3 Key Agreement Protocol ..... 8
    2.3.1 Exponential key exchange ..... 8
    2.3.2 Authentication ..... 8
  2.4 One-Way Functions ..... 9
  2.5 Comparison between Symmetric - Asymmetric Key Algorithms ..... 10
3 History ..... 11
4 Security ..... 13
5 Applications ..... 13
  5.1 Confidentiality ..... 13
  5.2 Authentication ..... 14
6 Techniques in Asymmetric Key Cryptography ..... 16
  6.1 RSA Cryptosystem ..... 16
  6.2 DSA Cryptosystem ..... 23
    6.2.1 Elliptic Curve DSA ..... 25
  6.3 Elliptic curve cryptosystems ..... 26
  6.4 Diffie-Hellman ..... 28
    6.4.1 Elliptic Curve Diffie-Hellman ..... 32
  6.5 ElGamal ..... 33
  6.6 Merkle-Hellman ..... 35
7 Protocols Using Asymmetric Key Algorithm ..... 37
  7.1 GPG ..... 37
  7.2 PGP ..... 39
  7.3 Others ..... 43
Appendix A ..... 44
  A.1 Functions ..... 44
  A.2 Modular arithmetic ..... 45
  A.3 Groups ..... 46
  A.4 Fields and rings ..... 47
Appendix B Glossary ..... 49
Appendix C References ..... 57

Khushdeep Noheria

Page 1


1 Abstract

This report focuses on the topic Asymmetric Key Cryptography (Public-Key Cryptography). The subject is very wide, but an attempt is made to cover many of the topics related to it. Firstly, a brief introduction to Public-Key Cryptography is given and its related terms are discussed. Thereafter a brief history of public-key cryptography is described. After the history comes the security issue related to public-key cryptography, which is discussed in Chapter 4. Next, the applications and techniques of Asymmetric Key Cryptography such as RSA and DSA, and an unsuccessful algorithm such as the Merkle-Hellman algorithm, are detailed in Chapters 5 and 6. In the last chapter, protocols such as PGP (Pretty Good Privacy) and GPG (Gnu Privacy Guard) that use asymmetric key techniques are mentioned. In the Appendix the basic mathematical concepts are discussed so that the different algorithms in the report are better understandable. Words marked in blue colour are explained in the glossary.

2 Introduction to Public-key cryptography

Public key cryptography is a form of cryptography which generally allows users to communicate securely without having prior access to a shared secret key, by using a pair of cryptographic keys, designated as public key and private key, which are related mathematically. The term asymmetric key cryptography is a synonym for public key cryptography. In public key cryptography, the private key is generally kept secret, while the public key may be widely distributed. In a sense, one key "locks" a lock, while the other is required to unlock it. It should not be possible to deduce the private key of a pair given the public key. In traditional cryptography, the sender and receiver of a message know and use the same secret key: the sender uses the secret key to encrypt the message, and the receiver uses the same secret key to decrypt the message. This method is known as secret key or symmetric cryptography. The main challenge is getting the sender and receiver to agree on the secret key without anyone else finding out. If they are in separate physical locations, they must trust a courier, a phone system, or some other transmission medium to prevent the disclosure of the secret key. Anyone who overhears or intercepts the key in transit can later read, modify, and forge all messages encrypted or authenticated using that key. The generation, transmission and storage of keys is called key management. All cryptosystems must deal with key management issues. Because all keys in a secret-key cryptosystem must remain secret, secret-key cryptography often has difficulty providing secure key management, especially in open systems with a large number of users.


In order to solve the key management problem, Whitfield Diffie and Martin Hellman introduced the concept of public-key cryptography in 1976. Public-key cryptosystems have two primary uses, encryption and digital signatures. In their system, each person gets a pair of keys, one called the public key and the other called the private key. The public key is published, while the private key is kept secret. The need for the sender and receiver to share secret information is eliminated; all communications involve only public keys, and no private key is ever transmitted or shared. In this system, it is no longer necessary to trust the security of some means of communications. The only requirement is that public keys be associated with their users in a trusted (authenticated) manner (for instance, in a trusted directory). Anyone can send a confidential message by just using public information, but the message can only be decrypted with a private key, which is in the sole possession of the intended recipient. Furthermore, public-key cryptography can be used not only for privacy (encryption), but also for authentication (digital signatures) and various other techniques. In a public-key cryptosystem, the private key is always linked mathematically to the public key. Therefore, it is always possible to attack a public-key system by deriving the private key from the public key. Typically, the defense against this is to make the problem of deriving the private key from the public key as difficult as possible. For instance, some public-key cryptosystems are designed such that deriving the private key from the public key requires the attacker to factor a large number; in this case it is computationally infeasible to perform the derivation. This is the idea behind the RSA public-key cryptosystem. There are many forms of public key cryptography, including:

- public key encryption — keeping a message secret from anyone that does not possess a specific private key.
- public key digital signature — allowing anyone to verify that a message was created with a specific private key.
- key agreement — generally, allowing two parties that may not initially share a secret key to agree on one.

Typically, public key techniques are much more computationally intensive than purely symmetric algorithms, but the judicious use of these techniques enables a wide variety of applications.

2.1 Public-Key Encryption

When Alice wishes to send a secret message to Bob, she looks up Bob's public key in a directory, uses it to encrypt the message and sends it off. Bob then uses his private key to decrypt the message and read it. No one listening in can decrypt the message. Anyone can send an encrypted message to Bob, but only Bob can read it (because only Bob knows Bob's private key).


In a secure asymmetric key encryption scheme, the decryption key should not be deducible from the encryption key. This is known as public-key encryption, since the encryption key can be published without compromising the security of encrypted messages. In the analogy above, Bob might publish instructions on how to make a lock ("public key"), but the lock is such that it is impossible (so far as is known) to deduce from these instructions how to make a key which will open that lock ("private key"). Those wishing to send messages to Bob use the public key to encrypt the message; Bob uses his private key to decrypt it. In cryptography, encryption is the process of obscuring information to make it unreadable without special knowledge. While encryption has been used to protect communications for centuries, only organizations and individuals with an extraordinary need for secrecy have made use of it. In the mid-1970s, strong encryption emerged from the sole preserve of secretive government agencies into the public domain, and is now employed in protecting widely-used systems, such as Internet e-commerce, mobile telephone networks and bank automatic teller machines. Encryption can be used to ensure secrecy, but other techniques are still needed to make communications secure, particularly to verify the integrity and authenticity of a message; for example, a message authentication code (MAC) or digital signatures. Another consideration is protection against traffic analysis.

2.1.1 Ciphers

A cipher is an algorithm for performing encryption (and the reverse, decryption) — a series of well-defined steps that can be followed as a procedure. An alternative term is encipherment. The original information is known as plaintext, and the encrypted form as ciphertext. The ciphertext message contains all the information of the plaintext message, but is not in a format readable by a human or computer without the proper mechanism to decrypt it; it should resemble random gibberish to those not intended to read it. The operation of a cipher usually depends on a piece of auxiliary information, called a key or, in traditional NSA parlance, a cryptovariable. The encrypting procedure is varied depending on the key, which changes the detailed operation of the algorithm. A key must be selected before using a cipher to encrypt a message. Without the same key, it should be difficult, if not impossible, to decrypt the resulting ciphertext into readable plaintext. "Cipher" is alternatively spelled "cypher"; similarly "ciphertext" and "cyphertext", and so forth. The word descends from the Arabic word for zero, ṣifr (صفر), like the Italian zero (which remained in use for 0, the crucial innovation in positional Arabic versus Roman numerals) but soon was used for any decimal digit, even any number. While it may have come to mean encoding because that often involved numbers, a theory says conservative Catholic opponents of the Arabic (heathen) numerals equated it with any 'dark secret'.


Ciphers versus codes

In non-technical usage, a "(secret) code" is the same thing as a cipher. Within technical discussions, however, they are distinguished into two concepts. Codes work at the level of meaning — that is, words or phrases are converted into something else. Ciphers, on the other hand, work at a lower level: the level of individual letters, small groups of letters, or, in modern schemes, individual bits. Some systems used both codes and ciphers in one system, using super-encipherment to increase the security. Historically, cryptography was split into a dichotomy of codes and ciphers, and coding had its own terminology, analogous to that for ciphers: "encoding, codetext, decoding" and so on. However, codes have a variety of drawbacks, including susceptibility to cryptanalysis and the difficulty of managing a cumbersome codebook. Because of this, codes have fallen into disuse in modern cryptography, and ciphers are the dominant technique.

Types of cipher

There are a variety of different types of encryption. Algorithms used earlier in the history of cryptography are substantially different from modern methods, and modern ciphers can be classified according to how they operate and whether they use one or two keys.

Historical pen and paper ciphers used in the past are sometimes known as classical ciphers. They include substitution ciphers and transposition ciphers. During the early 20th century, more sophisticated machines for encryption were used, rotor machines, which were more complex than previous schemes.


Encryption methods can be divided into symmetric key algorithms and asymmetric key algorithms. In a symmetric key algorithm (e.g., DES and AES), the sender and receiver must have a shared key set up in advance and kept secret from all other parties; the sender uses this key for encryption, and the receiver uses the same key for decryption. In an asymmetric key algorithm (e.g., RSA), there are two separate keys: a public key is published and enables any sender to perform encryption, while a private key is kept secret by the receiver and enables him to perform decryption. Symmetric key ciphers can be distinguished into two types, depending on whether they work on blocks of symbols usually of a fixed size (block ciphers), or on a continuous stream of symbols (stream ciphers).

2.2 Digital Signatures

Digital signature (or public-key digital signature) is a type of method for authenticating digital information analogous to ordinary physical signatures on paper, but implemented using techniques from the field of public-key cryptography. A digital signature method generally defines two complementary algorithms, one for signing and the other for verification, and the output of the signing process is also called a digital signature. Digital signature has also been used as a broader term encompassing both public-key digital signature techniques and message authentication codes. Digital signatures differ in some respects from their physical counterparts. The term electronic signature, although sometimes used for the same thing, has a distinct meaning in common law: it refers to any of several, not necessarily cryptographic, mechanisms for identifying the originator of an electronic message. Electronic signatures have included cable and Telex addresses, as well as FAX transmission of handwritten signatures on a paper document. There are three common reasons for applying a digital signature to communications:

2.2.1 Authenticity

Public-key cryptosystems allow anybody to send a message using the public key. A signature allows the recipient of a message to be confident that the sender is indeed who s/he claims to be. Of course the recipient cannot be 100% sure that the sender is indeed who s/he claims to be - the recipient can only be confident - since the cryptosystem may have been broken. The importance of authenticity is especially obvious in a financial context. For example, suppose a bank sends instructions from its branch offices to the central office in the form (a,b) where a is the account number and b is the amount to be credited to the account. A devious customer may deposit £100, observe the resulting transmission and repeatedly retransmit (a,b). This is known as a replay attack.


2.2.2 Integrity

Both parties will always wish to be confident that a message has not been altered during transmission. The encryption makes it difficult for a third party to read a message, but that third party may still be able to alter it in a useful way. A popular example to illustrate this is the homomorphism attack: consider the same bank as above which sends instructions from its branch offices to the central office in the form (a,b) where a is the account number and b is the amount to be credited to the account. A devious customer may deposit £100, intercept the resulting transmission and then transmit (a,b³) to become an instant millionaire.

2.2.3 Non-repudiation

In a cryptographic context, the word repudiation refers to the act of denying association with a message (i.e. claiming it was sent by a third party). The recipient of a message may insist that the sender attach a signature in order to prevent any later repudiation, since the recipient may show the message to a third party to prove its origin.

2.2.4 Implementation

Digital signature schemes rely on public-key cryptography. In public-key cryptography, each user has a pair of keys: one public and one private. The public key is distributed freely, but the private key is kept secret and confidential; another requirement is that it should be infeasible to derive the private key from the public key. A general digital signature scheme consists of three algorithms:

- A key generation algorithm
- A signing algorithm
- A verification algorithm

For example, consider the situation in which Bob sends a message to Alice and wants to be able to prove it came from him. Bob sends his message to Alice and attaches a digital signature. The digital signature is generated using Bob's private key, and takes the form of a simple numerical value (normally represented as a string of binary digits). On receipt, Alice can then check whether the message really came from Bob by running the verification algorithm on the message together with the signature and Bob's public key. If they match, then Alice can be confident that the message really was from Bob, because the signing algorithm is designed so that it is very difficult to forge a signature to match a given message (unless one has knowledge of the private key, which Bob has kept secret). More usually, for efficiency reasons, Bob first applies a cryptographic hash function to the message before signing. This makes the signature much shorter and thus saves time since hashing is generally much faster than signing in implementations. However, if the message digest algorithm is insecure (for example, if it is possible to generate hash collisions), then it might be feasible to forge digital signatures.
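The three algorithms above, carried through as a textbook RSA signature with hash-then-sign. This is an added example, not code from the report; the primes, the public exponent and the bank instruction are constructed for readability (real keys use primes of 1024 bits or more and a padding scheme such as RSASSA-PSS). It also shows the trapdoor one-way function of section 2.4 in action: verification is the cheap forward direction, signing needs the trapdoor d, and the tampered amount from section 2.2.2 no longer verifies.

```python
import hashlib
from math import gcd

# Constructed toy parameters: two six-digit primes and the usual public exponent.
# Far too small for real use; chosen so that every value stays readable.
P, Q = 1000003, 1000033
E = 65537


def keygen(p=P, q=Q, e=E):
    """Key generation algorithm: returns (public_key, private_key)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(n)")
    d = pow(e, -1, phi)  # the trapdoor: e's inverse mod phi(n), known only to the key holder
    return (n, e), (n, d)


def message_digest(message: bytes, n: int) -> int:
    """Hash-then-sign: SHA-256 of the message, reduced into Z_n.
    Reducing mod n is a toy stand-in for a real padding/encoding scheme."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Signing algorithm: the inverse direction of the trapdoor function, needs d."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Verification algorithm: the forward direction, anyone holding (n, e) can run it."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == message_digest(message, n)


def demo():
    """Bank instruction (a, b) from section 2.2.1, signed and then tampered with."""
    pub, priv = keygen()
    # A sequence number is part of the signed text so that a replayed copy can be
    # rejected; the signature alone does not stop replay.
    instruction = b"seq=41;account=12345;amount=100"
    sig = sign(instruction, priv)
    tampered = b"seq=41;account=12345;amount=1000000"  # b^3 from the homomorphism attack
    return verify(instruction, sig, pub), verify(tampered, sig, pub)
```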


2.3 Key Agreement Protocol

In cryptography, a key-agreement protocol is a protocol whereby two or more parties can agree on a key in such a way that both influence the outcome. If properly done, this precludes undesired third-parties from forcing a key choice on the agreeing parties. Protocols which are useful in practice also do not reveal to any eavesdropping party what key has been agreed upon.

2.3.1 Exponential key exchange

The first publicly known (*) public-key agreement protocol that meets the above criteria was the Diffie-Hellman exponential key exchange, in which two people jointly exponentiate a generator with random numbers, in such a way that an eavesdropper has no way of guessing what the key is. However, exponential key exchange in and of itself does not specify any prior agreement or subsequent authentication between the participants. It has thus been described as an anonymous key agreement protocol.

2.3.2 Authentication

Anonymous key exchange, like Diffie-Hellman, does not provide authentication of the parties, and is thus vulnerable to man in the middle (MITM) attack. A wide variety of cryptographic authentication schemes and protocols have been developed to provide authenticated key agreement to prevent man-in-the-middle and related attacks. These methods generally mathematically bind the agreed key to other agreed-upon data, such as:

- Public/private key pairs
- Shared secret keys
- Passwords
- Other tricks

Public keys

A widely used mechanism for defeating such attacks is the use of digitally signed keys that must be integrity-assured: if Bob's key is signed by a trusted third party vouching for his identity, Alice can have considerable confidence that a signed key she receives is not an attempt to intercept by Mallory. When Alice and Bob have a public key infrastructure they may digitally sign an agreed Diffie-Hellman key, or the exchanged Diffie-Hellman public values. Such signed keys, sometimes signed by a certificate authority, are one of the primary mechanisms used for secure web traffic (including HTTPS, SSL or Transport Layer Security protocols). Other specific examples are MQV and the ISAKMP component of the IPsec protocol suite for securing Internet Protocol communications. However, these systems require care in endorsing the match between identity information and public keys by certificate authorities in order to work properly. For example, hybrid systems use public key cryptography to exchange secret keys which are then used in symmetric key cryptography systems.

Shared secret keys

Secret key (symmetric) cryptography requires the initial exchange of a shared key in a manner that is private and integrity-assured. When done right, a MITM attack is prevented. However, without the use of public key cryptography, one may be left with undesirable key management problems.

Passwords

Password-authenticated key agreement protocols require the separate establishment of a password (which may be smaller than a key) in a manner that is both private and integrity-assured. These are designed to resist MITM and other active attacks on the password and the established keys. For example, DH-EKE, SPEKE, and SRP are password-authenticated variations of Diffie-Hellman.

Other tricks

If one has an integrity-assured way to verify a shared key over a public channel, one may engage in a Diffie-Hellman key exchange to derive a one-time shared key, and then subsequently authenticate that the keys match. One way is to use a voice-authenticated read-out of the key, as in PGPfone. Voice authentication, however, presumes that it is infeasible for a MITM to spoof one participant's voice to the other in real-time, which may be an undesirable assumption. Such protocols may be designed to work with even a small public value, such as a password. Variations on this theme have been proposed for Bluetooth pairing protocols. In an attempt to avoid using any additional out-of-band authentication factors, Davies and Price proposed the use of the Interlock Protocol of Ron Rivest and Adi Shamir, which has been subject to both attack and subsequent refinement.
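The exponential key exchange of section 2.3.1 with both sides' computations, followed by the "read the key out loud" check just described: each party hashes what it saw on the wire together with the secret it derived and compares a short string over a channel the attacker cannot forge. This is an added example, not the report's or PGPfone's code; the group (p = 23, g = 5) and the 6-hex-digit string length are constructed for readability, and a real deployment would use a standardised 2048-bit group or an elliptic curve.

```python
import hashlib
import secrets

# Constructed toy group, small enough to follow by hand. Never use in practice.
P = 23  # prime modulus
G = 5   # generator of the multiplicative group modulo 23


def dh_private(p=P):
    """Random secret exponent in [1, p-2]."""
    return secrets.randbelow(p - 2) + 1


def dh_public(x, g=G, p=P):
    """Forward direction of the one-way function: g^x mod p is cheap to compute."""
    return pow(g, x, p)


def dh_shared(x, peer_public, p=P):
    """Each side raises the other's public value to its own secret exponent."""
    return pow(peer_public, x, p)


def _transcript(alice_pub, bob_pub, shared, p=P):
    """Everything a party saw on the wire plus the secret it derived, as bytes."""
    width = (p.bit_length() + 7) // 8
    return b"".join(v.to_bytes(width, "big") for v in (alice_pub, bob_pub, shared))


def transcript_hash(alice_pub, bob_pub, shared):
    return hashlib.sha256(b"dh-transcript|" + _transcript(alice_pub, bob_pub, shared)).hexdigest()


def short_auth_string(alice_pub, bob_pub, shared):
    """Short string both parties read to each other (voice, in PGPfone's case).
    An attacker who substituted a public value in transit gives the two sides
    different transcripts, so the strings differ and the mismatch is detected."""
    return transcript_hash(alice_pub, bob_pub, shared)[:6]


def derive_key(alice_pub, bob_pub, shared):
    """Session key bound to the transcript; the raw shared value is never used directly."""
    return hashlib.sha256(b"dh-key|" + _transcript(alice_pub, bob_pub, shared)).digest()


def run_exchange(a=None, b=None):
    """Complete exchange; fixed exponents may be passed in for a reproducible run."""
    a = dh_private() if a is None else a
    b = dh_private() if b is None else b
    A = dh_public(a)  # Alice -> Bob, sent in the clear
    B = dh_public(b)  # Bob -> Alice, sent in the clear
    s_alice = dh_shared(a, B)  # Alice's view of the secret
    s_bob = dh_shared(b, A)    # Bob's view of the secret
    return {
        "alice_key": derive_key(A, B, s_alice),
        "bob_key": derive_key(A, B, s_bob),
        "alice_sas": short_auth_string(A, B, s_alice),
        "bob_sas": short_auth_string(A, B, s_bob),
    }
```

With a = 6 and b = 15 the public values are 8 and 19 and both sides derive the shared value 2; signing the exchanged values instead of reading a string aloud is the public-key variant described under "Public keys" above.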

2.4 One-Way Functions

A one-way function is a mathematical function that is significantly easier to compute in one direction (the forward direction) than in the opposite direction (the inverse direction). It might be possible, for example, to compute the function in the forward direction in seconds but to compute its inverse could take months or years, if at all possible. A trapdoor one-way function is a one-way function for which the inverse direction is easy given a certain piece of information (the trapdoor), but difficult otherwise. Public-key cryptosystems are based on (presumed) trapdoor one-way functions. The public key gives information about the particular instance of the function; the private key gives information about the trapdoor. Whoever knows the trapdoor can compute the function easily in both directions, but anyone lacking the trapdoor can only perform the function easily in the forward direction. The forward direction is used for encryption and signature verification; the inverse direction is used for decryption and signature generation. In almost all public-key systems, the size of the key corresponds to the size of the inputs to the one-way function; the larger the key, the greater the difference between the efforts necessary to compute the function in the forward and inverse directions (for someone lacking the trapdoor). For a digital signature to be secure for years, for example, it is necessary to use a trapdoor one-way function with inputs large enough that someone without the trapdoor would need many years to compute the inverse function (that is, to generate a legitimate signature). All practical public-key cryptosystems are based on functions that are believed to be one-way, but no function has been proven to be so. This means it is theoretically possible to discover algorithms that can compute the inverse direction easily without a trapdoor for some of the one-way functions; this development would render any cryptosystem based on these one-way functions insecure and useless. On the other hand, further research in theoretical computer science may result in concrete lower bounds on the difficulty of inverting certain functions; this would be a landmark event with significant positive ramifications for cryptography.

2.5 Comparison between Symmetric - Asymmetric Key Algorithms

Advantages and disadvantages of public-key cryptography compared with secret-key cryptography

The primary advantage of public-key cryptography is increased security and convenience: private keys never need to be transmitted or revealed to anyone. In a secret-key system, by contrast, the secret keys must be transmitted (either manually or through a communication channel) since the same key is used for encryption and decryption. A serious concern is that there may be a chance that an enemy can discover the secret key during transmission. Another major advantage of public-key systems is that they can provide digital signatures that cannot be repudiated. Authentication via secret-key systems requires the sharing of some secret and sometimes requires trust of a third party as well. As a result, a sender can repudiate a previously authenticated message by claiming the shared secret was somehow compromised by one of the parties sharing the secret. For example, the Kerberos secret-key authentication system involves a central database that keeps copies of the secret keys of all users; an attack on the database would allow widespread forgery. Public-key authentication, on the other hand, prevents this type of repudiation; each user has sole responsibility for protecting his or her private key. This property of public-key authentication is often called non-repudiation.


A disadvantage of using public-key cryptography for encryption is speed. There are many secret-key encryption methods that are significantly faster than any currently available public-key encryption method. Nevertheless, public-key cryptography can be used with secret-key cryptography to get the best of both worlds. For encryption, the best solution is to combine public- and secret-key systems in order to get both the security advantages of public-key systems and the speed advantages of secret-key systems. Such a protocol is called a digital envelope. Public-key cryptography may be vulnerable to impersonation, even if users' private keys are not available. A successful attack on a certification authority will allow an adversary to impersonate whomever he or she chooses by using a public-key certificate from the compromised authority to bind a key of the adversary's choice to the name of another user. In some situations, public-key cryptography is not necessary and secret-key cryptography alone is sufficient. These include environments where secure secret key distribution can take place, for example, by users meeting in private. It also includes environments where a single authority knows and manages all the keys, for example, a closed banking system. Since the authority knows everyone's keys already, there is not much advantage for some to be "public" and others to be "private." Note, however, that such a system may become impractical if the number of users becomes large; there are not necessarily any such limitations in a public-key system. Public-key cryptography is usually not necessary in a single-user environment. For example, if you want to keep your personal files encrypted, you can do so with any secret key encryption algorithm using, say, your personal password as the secret key. In general, public-key cryptography is best suited for an open multi-user environment. 
Public-key cryptography is not meant to replace secret-key cryptography, but rather to supplement it, to make it more secure. The first use of public-key techniques was for secure key establishment in a secret-key system; this is still one of its primary functions. Secret-key cryptography remains extremely important and is the subject of much ongoing study and research.

3 History

The history of cryptography dates back thousands of years. Until recent decades, it has been a history of classic cryptography — of methods of encryption that use pen and paper, or perhaps simple mechanical aids. In the early 20th century, the invention of complex mechanical and electromechanical machines, such as the Enigma rotor machine, provided more sophisticated and efficient means of encryption; and the subsequent introduction of electronics and computing has allowed elaborate schemes of still greater complexity.


The evolution of cryptography has been paralleled by the evolution of cryptanalysis — of the "breaking" of codes and ciphers. The discovery and application, early on, of frequency analysis to the reading of encrypted communications has on occasion altered the course of history. Thus the Zimmermann Telegram triggered the United States' entry into World War I; and Allied reading of Nazi Germany's ciphers may have shortened World War II by as much as two years. Until the 1970s, secure cryptography was largely the preserve of governments. Two events have since brought it squarely into the public domain: the creation of a public encryption standard (DES); and the invention of public-key cryptography. For most of the history of cryptography, a key had to be kept absolutely secret and would be agreed upon beforehand using a secure, but non-cryptographic, method; for example, a face-to-face meeting or a trusted courier. There are a number of significant practical difficulties in this approach to distributing keys. Public key cryptography was invented to address these drawbacks — with public key cryptography, users can communicate securely over an insecure channel without having to agree upon a shared key beforehand. The first invention of an asymmetric key algorithm was by Clifford Cocks, then a recent mathematics graduate and a new staff member at GCHQ in the UK, early in the 1970s. This fact was kept secret until 1997. An asymmetric key cryptosystem was published in 1976 by Whitfield Diffie and Martin Hellman, who, influenced by Ralph Merkle's work on public key distribution, disclosed a method of public key agreement. This method of exponential key exchange, which came to be known as Diffie-Hellman key exchange, was the first published practical method for establishing a shared secret key over an unprotected communications channel without using a prior shared secret. Merkle's public key agreement technique known as Merkle's Puzzles was published in 1978. 
The Cocks method was reinvented in 1977 by Rivest, Shamir and Adleman, all then at MIT. They published their work in 1978, and the algorithm appropriately came to be known as RSA. RSA uses exponentiation modulo a product of two large primes to encrypt and decrypt, performing both public key encryption and public key digital signature, and its security is based on the presumed difficulty of factoring large integers. Since the 1970s, a large number and variety of encryption, digital signature, key agreement, and other techniques have been developed in the field of public key cryptography. The ElGamal cryptosystem (invented by Taher ElGamal, then of Netscape) relies on the (similar, and related) difficulty of the discrete logarithm problem, as does the closely related DSA developed by the NSA and NIST. The introduction of elliptic curve cryptography by Neal Koblitz in the mid '80s has yielded a new family of analogous public key algorithms. Although mathematically more complex, elliptic curves appear to provide a more efficient way to leverage the discrete logarithm problem, particularly with respect to key size.


4 Security

There is nothing especially more secure about asymmetric key algorithms than symmetric key algorithms. There are popular ones and unpopular ones. There are broken ones and ones that are, for now, not broken. Unfortunately, popularity is not a reliable indicator of security. Some algorithms have security proofs with various properties, and of varying quality. Many proofs claim that breaking an algorithm, with respect to some well-defined security goals, is equivalent to solving one of the more popular mathematical problems that are presumed to be intractable, like factoring large integers or finding discrete logarithms. Some of these proofs have themselves been shown to be flawed. In general, none of these algorithms has been proved secure in as absolute a sense as the one-time pad has. As with all cryptographic algorithms, these algorithms must be chosen and used with care. In cryptography, the one-time pad (OTP) is the only theoretically unbreakable method of encryption: the plaintext is combined with a random "pad" the same length as the plaintext. The "pad" part of the name comes from early implementations of the key material as a pad of gummed paper (for easy concealment, the pad was often physically very small).

5 Applications

The best-known application of a public key encryption system is confidentiality: a message which a sender encrypts using the recipient's public key can only be decrypted by the recipient's paired private key. Public-key digital signature algorithms can be used for sender authentication. For instance, a user can encrypt a message with his own private key and send it. If another user can successfully decrypt it using the corresponding public key, this provides assurance that the first user (and no other) sent it. These characteristics are useful for many other, sometimes surprising, applications, such as digital cash (electronic money, also known as digital money, electronic currency, digital currency or internet money, refers to money which is exchanged only electronically), password-authenticated key agreement, multi-party key agreement, etc.

5.1 Confidentiality

Confidentiality has been defined by the International Organization for Standardization (ISO) as "ensuring that information is accessible only to those authorized to have access" and is one of the cornerstones of information security. Confidentiality is one of the design goals for many cryptosystems, made possible in practice by the techniques of modern cryptography.


Confidentiality also refers to an ethical principle associated with several professions (e.g., medicine, law, religion, journalism). In ethics, and (in some places) in law, some types of communication between a person and one of these professionals are "privileged" and may not be discussed or divulged to third parties. In those jurisdictions in which the law makes provision for such confidentiality, there are usually penalties for its violation. Confidentiality of information, enforced through an adaptation of the military's classic "need-to-know" principle, forms the cornerstone of information security in today's corporations.

5.2 Authentication

In computer security, authentication (Greek: αυθεντικός, from 'authentes' = 'author') is the process by which a computer, computer program, or another user attempts to confirm that the computer, computer program, or user from whom the second party has received some communication is, or is not, the claimed first party. A blind credential, in contrast, does not establish identity at all, but only a narrow right or status of the user or program. In a Web of trust, "authentication" is a way to ensure users are who they say they are -- that the user who attempts to perform functions in a system is in fact the user who is authorized to do so. To distinguish authentication from the closely related term authorization, the short-hand notations A1 (authentication) and A2 (authorization) are occasionally used. The problem of authorization is often thought to be identical to that of authentication; many widely adopted standard security protocols, obligatory regulations, and even statutes are based on this assumption. However, there are many cases in which these two problems are distinct. One familiar example is access control. A computer system supposed to be used only by those authorized must attempt to detect and exclude the unauthorized. Access to it is therefore usually controlled by insisting on an authentication procedure to establish with some established degree of confidence the identity of the user, and then granting those privileges that may be authorized to that identity. Common examples of access control involving authentication include:
Withdrawing cash from an ATM.
Controlling a remote computer over the Internet.
Using an Internet banking system.
However, note that much of the discussion on these topics is misleading because terms are used without precision. Part of this confusion may be due to the 'law enforcement' tone of much of the discussion. No computer, computer program, or computer user can 'confirm the identity' of another party. It is not possible to 'establish' or 'prove' an identity, either. There are tricky issues lurking under what appears to be a straightforward surface.


It is only possible to apply one or more tests which, if passed, have been previously declared to be sufficient to proceed. The problem is to determine which tests are sufficient, and many such are inadequate. There have been many instances of such tests having been spoofed successfully; they have by their failure shown themselves, inescapably, to be inadequate. Many people continue to regard the test(s) -- and the decision to regard success in passing them -- as acceptable, and blame their failure on 'sloppiness' or 'incompetence' on the part of someone. The problem is that the test was supposed to work in practice -- not under ideal conditions of no sloppiness or incompetence -- and did not. It is the test which has failed in such cases. Consider the very common case of a confirmation email which must be replied to in order to activate an online account of some kind. Since email can easily be arranged to go to or come from bogus and untraceable addresses, this is just about the least authentication possible. Success in passing this test means little, without regard to sloppiness or incompetence.

Multifactor authentication

The methods by which a human can authenticate themselves are generally classified into three cases:
Something the user is (e.g., fingerprint or retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), voice pattern (again several definitions), signature recognition or other biometric identifier)
Something the user has (e.g., ID card, security token, software token or cell phone)
Something the user knows (e.g., a password, a pass phrase or a personal identification number (PIN))
Sometimes a combination of methods is used, e.g., a bank card and a PIN, in which case the term 'two-factor authentication' is used. Historically, fingerprints have been used as the most authoritative method of authentication, but recent court cases in the US and elsewhere have raised fundamental doubts about fingerprint reliability. Other biometric methods are promising (retinal and fingerprint scans are an example), but have shown themselves to be easily spoofable in practice. In a computer data context, cryptographic methods have been developed (digital signature and challenge-response authentication) which are currently not spoofable if (and only if) the originator's key has not been compromised. Whether the originator (or anyone other than an attacker) knows about a compromise is irrelevant. It is not known whether these cryptographically based authentication methods are provably secure, since unanticipated mathematical developments may make them vulnerable to attack in future. If that were to occur, it may call into question much of the authentication in the past. In particular, a digitally signed contract may be questioned when a new attack on the cryptography underlying the signature is discovered.


6 Techniques in Asymmetric Key Cryptography

Cryptographic algorithms are the basic building blocks of cryptographic applications and protocols. This chapter presents most of the important encryption algorithms and one unsuccessful algorithm.

6.1 RSA Cryptosystem

In cryptography, RSA is an algorithm for public-key encryption. It was the first algorithm known to be suitable for signing as well as encryption, and one of the first great advances in public key cryptography. RSA is still widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys.

History of RSA

The algorithm was described in 1977 by Ron Rivest, Adi Shamir and Len Adleman at MIT; the letters RSA are the initials of their surnames. Clifford Cocks, a British mathematician working for GCHQ, described an equivalent system in an internal document in 1973. Given the relatively expensive computers needed to implement it at the time, it was mostly considered a curiosity and, as far as is publicly known, was never deployed. His discovery, however, was not revealed until 1997 due to its top-secret classification. The algorithm was patented by MIT in 1983 in the United States of America as U.S. Patent 4,405,829. It expired on 21 September 2000. Since the algorithm had been published prior to the patent application, regulations in much of the rest of the world precluded patents elsewhere. Had Cocks' work been publicly known, a patent in the US would not have been possible either.

RSA Algorithm

The RSA algorithm works as follows:
Take two large primes, p and q, and compute their product n = pq; n is called the modulus.
Choose a number, e, less than n and relatively prime to (p-1)(q-1), which means e and (p-1)(q-1) have no common factors except 1.
Find another number d such that (ed - 1) is divisible by (p-1)(q-1).
The values e and d are called the public and private exponents, respectively. The public key is the pair (n, e); the private key is (n, d). The factors p and q may be destroyed or kept with the private key.

It is currently difficult to obtain the private key d from the public key (n, e). However, if one could factor n into p and q, then one could obtain the private key d. Thus the security of the RSA system is based on the assumption that factoring is difficult. The discovery of an easy method of factoring would "break" RSA. Here is how the RSA system can be used for encryption and digital signatures (in practice, the actual use is slightly different):

Encryption

Suppose Alice wants to send a message m to Bob. Alice creates the ciphertext c by exponentiating: c = m^e mod n, where e and n are Bob's public key. She sends c to Bob. To decrypt, Bob also exponentiates: m = c^d mod n; the relationship between e and d ensures that Bob correctly recovers m. Since only Bob knows d, only Bob can decrypt this message.

Digital Signature

Suppose Alice wants to send a message m to Bob in such a way that Bob is assured that the message is authentic, has not been tampered with, and comes from Alice. Alice creates a digital signature s by exponentiating: s = m^d mod n, where d and n are Alice's private key. She sends m and s to Bob. To verify the signature, Bob exponentiates and checks that the message m is recovered: m = s^e mod n, where e and n are Alice's public key. Thus encryption and authentication take place without any sharing of private keys: each person uses only another's public key or their own private key. Anyone can send an encrypted message or verify a signed message, but only someone in possession of the correct private key can decrypt or sign a message.

A working example of RSA

Here is an example of RSA encryption and decryption. The parameters used here are artificially small, but you can also use OpenSSL to generate and examine a keypair. We let
p = 61 — first prime number (to be kept secret or deleted securely)
q = 53 — second prime number (to be kept secret or deleted securely)
n = pq = 3233 — modulus (to be made public)
e = 17 — public exponent (to be made public)
d = 2753 — private exponent (to be kept secret)
The public key is (e, n). The private key is d. The encryption function is: encrypt(m) = m^e mod n = m^17 mod 3233, where m is the plaintext.
The decryption function is: decrypt(c) = c^d mod n = c^2753 mod 3233, where c is the ciphertext.


To encrypt the plaintext value 123, we calculate encrypt(123) = 123^17 mod 3233 = 855. To decrypt the ciphertext value 855, we calculate decrypt(855) = 855^2753 mod 3233 = 123. Both of these computations can be done efficiently using the square-and-multiply algorithm for modular exponentiation.
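As an added example (not code from the paper), the following Python carries out the procedure above with the paper's toy parameters p = 61, q = 53, e = 17: derivation of d by the extended Euclidean algorithm, square-and-multiply modular exponentiation, and textbook encryption, decryption, signing and verification. It is deliberately unpadded, like the worked example; the padding section explains why real use must not be.

```python
"""Textbook RSA with the toy parameters above (p = 61, q = 53, e = 17).

Added example following the key-generation, encryption and signature steps
described in the text. 'Textbook' means unpadded, which is unsafe for real
messages (see the padding discussion).
"""
from math import gcd


def modpow(base: int, exp: int, mod: int) -> int:
    """Square-and-multiply modular exponentiation: one squaring per bit of exp."""
    result = 1
    base %= mod
    while exp > 0:
        if exp & 1:                      # low bit set: multiply in the current power
            result = (result * base) % mod
        base = (base * base) % mod       # square for the next bit
        exp >>= 1
    return result


def modinv(a: int, m: int) -> int:
    """Extended Euclid: d with a*d ≡ 1 (mod m), i.e. (a*d - 1) divisible by m."""
    old_r, r = a % m, m
    old_s, s = 1, 0
    while r != 0:
        quot = old_r // r
        old_r, r = r, old_r - quot * r
        old_s, s = s, old_s - quot * s
    if old_r != 1:
        raise ValueError("no inverse: arguments are not coprime")
    return old_s % m


def make_keypair(p: int, q: int, e: int):
    """Steps of the text: n = pq, e coprime to (p-1)(q-1), d = e^-1 mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < n and gcd(e, phi) == 1):
        raise ValueError("e must lie in (1, n) and be coprime to (p-1)(q-1)")
    d = modinv(e, phi)
    return (n, e), (n, d)        # public key, private key


def encrypt(m: int, pub) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer below the modulus")
    return modpow(m, e, n)       # c = m^e mod n


def decrypt(c: int, priv) -> int:
    n, d = priv
    return modpow(c, d, n)       # m = c^d mod n


def sign(m: int, priv) -> int:
    n, d = priv
    return modpow(m, d, n)       # s = m^d mod n (textbook: no hash, no PSS)


def verify(m: int, s: int, pub) -> bool:
    n, e = pub
    return modpow(s, e, n) == m  # m recovered from s  <=>  signature valid


if __name__ == "__main__":
    pub, priv = make_keypair(61, 53, 17)
    print("public", pub, "private", priv)                  # (3233, 17) (3233, 2753)
    c = encrypt(123, pub)
    print("encrypt(123) =", c, "decrypt ->", decrypt(c, priv))   # 855 -> 123
    s = sign(123, priv)
    print("valid:", verify(123, s, pub), "tampered:", verify(124, s, pub))
```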

Padding schemes

When used in practice, RSA must be combined with some form of padding scheme, so that no values of m result in insecure ciphertexts. RSA used without padding may suffer from a number of potential problems:
The values m = 0 or m = 1 always produce ciphertexts equal to 0 or 1 respectively, due to the properties of exponentiation.
When encrypting with low encryption exponents (e.g., e = 3) and small values of m, the (non-modular) result of m^e may be strictly less than the modulus n. In this case, ciphertexts may be easily decrypted by taking the e-th root of the ciphertext with no regard to the modulus.
Because RSA encryption is a deterministic encryption algorithm (i.e., it has no random component), an attacker can successfully launch a chosen plaintext attack against the cryptosystem, building a dictionary by encrypting likely plaintexts under the public key and storing the resulting ciphertexts. When matching ciphertexts are observed on a communication channel, the attacker can use this dictionary in order to learn the content of the message.
In practice, the first two problems might arise when sending short ASCII messages, where m is the concatenation of one or more ASCII-encoded characters. A message consisting of a single ASCII NUL character (whose numeric value is 0) would be encoded as m = 0, which produces a ciphertext of 0 regardless of what e and n are used. Likewise, a single ASCII SOH (whose numeric value is 1) would always produce a ciphertext of 1. For systems which conventionally use small values of e, such as 3, all single-character ASCII messages encoded using this scheme would be insecure, since the largest m would have a value of 255, and 255^3 is less than any reasonable modulus. Such plaintexts could be recovered by simply taking the cube root of the ciphertext. To avoid these problems, practical RSA implementations typically embed some form of structured, randomized padding into the value m before encrypting it. This padding ensures that m does not fall into the range of insecure plaintexts, and that a given message, once padded, will encrypt to one of a large number of different possible ciphertexts. The latter property can increase the cost of a dictionary attack beyond the capabilities of a reasonable attacker. Standards such as PKCS have been carefully designed to securely pad messages prior to RSA encryption. Because these schemes pad the plaintext m with some number of additional bits, the size of the un-padded message M must be somewhat smaller. RSA padding schemes must be carefully designed so as to prevent sophisticated attacks which may be facilitated by a predictable message structure. Early versions of the PKCS standard used ad-hoc constructions, which were later found vulnerable to a practical adaptive chosen ciphertext attack. Modern constructions use secure techniques such as Optimal Asymmetric Encryption Padding (OAEP) to protect messages while preventing these attacks. The PKCS standard also incorporates processing schemes designed to provide additional security for RSA signatures, e.g., the Probabilistic Signature Scheme for RSA (RSA-PSS).
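Added example (not the paper's code) that checks the two unpadded-plaintext conditions described above against the toy modulus n = 3233: the fixed points m in {0, 1}, and m^e < n for a small exponent, where the ciphertext is an ordinary integer power that never wrapped around the modulus. The same checks run against a constructed 1024-bit bound to show that with a realistic modulus every single-byte message is affected for e = 3.

```python
"""Checks for the unpadded-RSA plaintext ranges described above.

Added example, not the paper's code. Uses the toy modulus n = 3233 from the
worked example with e = 3 and e = 17; Python's pow() does the modular
exponentiation.
"""
from typing import List, Optional


def iroot(x: int, k: int) -> int:
    """Floor of the integer k-th root of x, by binary search (no floating point)."""
    lo, hi = 0, 1 << ((x.bit_length() + k - 1) // k + 1)   # hi is above the root
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def unpadded_weakness(m: int, e: int, n: int) -> Optional[str]:
    """Reason an unpadded plaintext m is unsafe under (e, n), or None if no rule fires."""
    if m in (0, 1):
        return "fixed point: m^e = m for every exponent"
    if m ** e < n:
        return "m^e < n: no modular reduction occurs, so c is a plain e-th power"
    return None


def weak_single_bytes(e: int, n: int) -> List[int]:
    """All single ASCII byte values 0..255 that the checks above flag for this key."""
    return [m for m in range(256) if unpadded_weakness(m, e, n) is not None]


def looks_unreduced(c: int, e: int, n: int) -> bool:
    """True if ciphertext c < n is an exact e-th power, the shape an unpadded small
    plaintext produces; padding is meant to make this never happen."""
    if not 0 <= c < n:
        raise ValueError("ciphertext out of range")
    return iroot(c, e) ** e == c


if __name__ == "__main__":
    n = 3233
    print("e=3, n=3233 weak bytes:", weak_single_bytes(3, n))      # 0..14
    print("e=17, n=3233 weak bytes:", weak_single_bytes(17, n))    # [0, 1]
    # constructed 1024-bit bound standing in for a realistic modulus (not a real key)
    print("e=3, 1024-bit n weak bytes:", len(weak_single_bytes(3, 1 << 1024)))  # 256
    print("7 with e=3 looks unreduced:", looks_unreduced(pow(7, 3, n), 3, n))    # True
    print("70 with e=3 looks unreduced:", looks_unreduced(pow(70, 3, n), 3, n))  # False
```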

Signing messages RSA can also be used to sign a message. Suppose Alice wishes to send a signed message to Bob. She produces a hash value of the message, raises it to the power of d mod n (as she does when decrypting a message), and attaches it as a "signature" to the message. When Bob receives the signed message, he raises the signature to the power of e mod n (as he does when encrypting a message), and compares the resulting hash value with the message's actual hash value. If the two agree, he knows that the author of the message was in possession of Alice's secret key, and that the message has not been tampered with since. Note that secure padding schemes such as RSA-PSS are as essential for the security of message signing as they are for message encryption, and that the same key should never be used for both encryption and signing purposes.

Security

The security of the RSA cryptosystem is based on two mathematical problems: the problem of factoring very large numbers, and the RSA problem. Full decryption of an RSA ciphertext is thought to be infeasible on the assumption that both of these problems are hard, i.e., no efficient algorithm exists for solving them. Providing security against partial decryption may require the addition of a secure padding scheme. The RSA problem is defined as the task of taking e-th roots modulo a composite n: recovering a value m such that m^e = c mod n, where (e, n) is an RSA public key and c is an RSA ciphertext. Currently the most promising approach to solving the RSA problem is to factor the modulus n. With the ability to recover prime factors, an attacker can compute the secret exponent d from a public key (e, n), then decrypt c using the standard procedure. To accomplish this, an attacker factors n into p and q, and computes (p-1)(q-1), which allows the determination of d from e. No polynomial-time method for factoring large integers on a classical computer has yet been found, but it has not been proven that none exists. See integer factorization for a discussion of this problem. As of 2005, the largest number factored by general-purpose methods was 663 bits long, using state-of-the-art distributed methods. RSA keys are typically 1024–2048 bits long. Some experts believe that 1024-bit keys may become breakable in the near term (though this is disputed); few see any way that 4096-bit keys could be broken in the foreseeable future. Therefore, it is generally presumed that RSA is secure if n is sufficiently large. If n is 256 bits or shorter, it can be factored in a few hours on a personal computer, using software already freely available. If n is 512 bits or shorter, it can be factored by several hundred computers as of 1999. A theoretical hardware device named TWIRL and described by Shamir and Tromer in 2003 called into question the security of 1024-bit keys. It is currently recommended that n be at least 2048 bits long. In 1993, Peter Shor published Shor's algorithm, showing that a quantum computer could in principle perform the factorization in polynomial time, rendering RSA and related algorithms obsolete. However, quantum computation is not expected to be developed to such a level until at least 2015 or beyond.

Practical considerations of RSA

How to generate the key: Finding the large primes p and q is usually done by testing random numbers of the right size with probabilistic primality tests which quickly eliminate virtually all non-primes. p and q should not be 'too close', lest the Fermat factorization for n be successful. Furthermore, if either p-1 or q-1 has only small prime factors, n can be factored quickly, and these values of p or q should therefore be discarded as well. One should not employ a prime search method which gives any information whatsoever about the primes to the attacker. In particular, a good random number generator for the start value needs to be employed. Note that the requirement here is both 'random' and 'unpredictable'. These are not the same criteria; a number may have been chosen by a random process (i.e., no pattern in the results), but if it is predictable in any manner (or even partially predictable), the method used will result in loss of security. For example, the random number table published by the Rand Corp in the 1950s might very well be truly random, but it has been published and thus can serve an attacker as well. If the attacker can guess half of the digits of p or q, they can quickly compute the other half (shown by Coppersmith in 1997). It is important that the secret key d be large enough. Wiener showed in 1990 that if p is between q and 2q (which is quite typical) and d < n^(1/4)/3, then d can be computed efficiently from n and e. Although values of e as low as 3 have been used in the past, low-exponent RSA is also presently deprecated, for reasons including the unpadded plaintext vulnerability listed above. 65537 is a commonly used value for e, as it is considered large enough to avoid small-exponent attacks, yet has a low enough Hamming weight to facilitate efficient exponentiation.

Speed comparison with symmetric cryptosystems: RSA is much slower than DES (the Data Encryption Standard) and other symmetric cryptosystems. In practice, Bob typically encrypts a secret message with a symmetric algorithm, encrypts the (comparatively short) symmetric key with RSA, and transmits both the RSA-encrypted symmetric key and the symmetrically-encrypted message to Alice. This procedure raises additional security issues. For instance, it is of utmost importance to use a strong random number generator for the symmetric key, because otherwise Eve could bypass RSA by guessing the symmetric key.

How to distribute keys: As with all ciphers, how RSA public keys are distributed is important to security. Key distribution must be secured against a man-in-the-middle attack. Suppose Eve has some way to give Bob arbitrary keys and make him believe they belong to Alice. Suppose further that Eve can intercept transmissions between Alice and Bob. Eve sends Bob her own public key, which Bob believes to be Alice's. Eve can then intercept any ciphertext sent by Bob, decrypt it with her own secret key, keep a copy of the message, encrypt the message with Alice's public key, and send the new ciphertext to Alice. In principle, neither Alice nor Bob would be able to detect Eve's presence. Defenses against such attacks are often based on digital certificates or other components of a public key infrastructure.

Timing attacks: Kocher described an ingenious new attack on RSA in 1995: if the attacker Eve knows Alice's hardware in sufficient detail and is able to measure the decryption times for several known ciphertexts, she can deduce the decryption key d quickly. This attack can also be applied against the RSA signature scheme. In 2003, Boneh and Brumley demonstrated a more practical attack capable of recovering RSA factorizations over a network connection (e.g., from a Secure Socket Layer (SSL)-enabled webserver). This attack takes advantage of information leaked by the Chinese Remainder Theorem optimization used by many RSA implementations. One way to thwart these attacks is to ensure that the decryption operation takes a constant amount of time for every ciphertext. However, this approach can significantly reduce performance. Instead, most RSA implementations use an alternate technique known as cryptographic blinding. RSA blinding makes use of the multiplicative property of RSA. Instead of computing c^d mod n, Alice first chooses a secret random value r and computes (r^e c)^d mod n. The result of this computation is r·m mod n, and so the effect of r can be removed by multiplying by its inverse. A new value of r is chosen for each ciphertext. With blinding applied, the decryption time is no longer correlated to the value of the input ciphertext, and so the timing attack fails.
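Added example (not the paper's code) of the blinding countermeasure just described, using the toy key from the worked example (n = 3233, e = 17, d = 2753, c = 855): the exponentiation only ever runs on r^e·c mod n with a fresh r per call, and the result is unblinded by r^-1. Python's pow() stands in for the implementation's modular exponentiation.

```python
"""RSA blinding as described above: exponentiate (r^e * c) mod n instead of c,
then multiply the result by r^-1.

Added example, not the paper's code. Toy key from the worked example:
n = 3233, e = 17, d = 2753, ciphertext 855 decrypts to 123.
"""
import secrets
from math import gcd
from typing import Optional


def fresh_blinding_factor(n: int) -> int:
    """Secret r in [2, n-1] with gcd(r, n) = 1, so r^-1 mod n exists; new for every ciphertext."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def blind(c: int, e: int, n: int, r: int) -> int:
    """The value the private-key exponentiation actually runs on: (r^e * c) mod n."""
    return (pow(r, e, n) * c) % n


def unblind(m_blinded: int, n: int, r: int) -> int:
    """(r^e c)^d = r * c^d = r * m (mod n); multiply by r^-1 to recover m."""
    return (m_blinded * pow(r, -1, n)) % n      # pow(r, -1, n): Python 3.8+


def blinded_decrypt(c: int, d: int, e: int, n: int, r: Optional[int] = None) -> int:
    """c^d mod n computed without exponentiating the caller-supplied c directly."""
    if not 0 <= c < n:
        raise ValueError("ciphertext out of range")
    if r is None:
        r = fresh_blinding_factor(n)
    elif gcd(r, n) != 1:
        raise ValueError("blinding factor must be coprime to n")
    return unblind(pow(blind(c, e, n, r), d, n), n, r)


if __name__ == "__main__":
    n, e, d, c = 3233, 17, 2753, 855
    r1, r2 = fresh_blinding_factor(n), fresh_blinding_factor(n)
    # the exponentiation sees a different input each time; the plaintext is the same
    print("exponentiated values:", blind(c, e, n, r1), blind(c, e, n, r2))
    print("recovered plaintext:", blinded_decrypt(c, d, e, n))          # 123
```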

Adaptive chosen ciphertext attacks: In 1998, Daniel Bleichenbacher described the first practical adaptive chosen ciphertext attack, against RSA-encrypted messages using the PKCS #1 v1 padding scheme (a padding scheme randomizes and adds structure to an RSA-encrypted message, so it is possible to determine whether a decrypted message is valid). Due to flaws with the PKCS #1 scheme, Bleichenbacher was able to mount a practical attack against RSA implementations of the Secure Socket Layer protocol, and to recover session keys. As a result of this work, cryptographers now recommend the use of provably secure padding schemes such as Optimal Asymmetric Encryption Padding, and RSA Laboratories has released new versions of PKCS #1 that are not vulnerable to these attacks.

To conclude the theory of RSA, the following questions arise:

Is the RSA cryptosystem currently in use? The RSA system is currently used in a wide variety of products, platforms, and industries around the world. It is found in many commercial software products and is planned to be in many more. The RSA algorithm is built into current operating systems by Microsoft, Apple, Sun, and Novell. In hardware, the RSA algorithm can be found in secure telephones, on Ethernet network cards, and on smart cards. In addition, the algorithm is incorporated into all of the major protocols for secure Internet communications, including S/MIME, SSL, and S/WAN. It is also used internally in many institutions, including branches of the U.S. government, major corporations, national laboratories, and universities. At the time of this publication, technology using the RSA algorithm is licensed by over 700 companies. The estimated installed base of RSA BSAFE encryption technologies is around 500 million. The majority of these implementations include use of the RSA algorithm, making it by far the most widely used public-key cryptosystem in the world.

Is the RSA system an official standard today? The RSA cryptosystem is part of many official standards worldwide. The ISO (International Standards Organization) 9796 standard lists RSA as a compatible cryptographic algorithm, as does the ITU-T X.509 security standard. The RSA system is part of the Society for Worldwide Interbank Financial Telecommunications (SWIFT) standard, the French financial industry's ETEBAC 5 standard, the ANSI X9.31 rDSA standard and the X9.44 draft standard for the U.S. banking industry. The Australian key management standard, AS2805.6.5.3, also specifies the RSA system. The RSA algorithm is found in Internet standards and proposed protocols including S/MIME, IPSec, and TLS (the Internet standards-track successor to SSL), as well as in the PKCS standard for the software industry. The OSI Implementers' Workshop (OIW) has issued implementers' agreements referring to PKCS, which includes RSA. A number of other standards are currently being developed and will be announced over the next few years; many are expected to include the RSA algorithm as either an endorsed or a recommended system for privacy and/or authentication. For example, IEEE P1363 and WAP WTLS include the RSA system.


Is the RSA system a de facto standard? The RSA system is the most widely used public-key cryptosystem today and has often been called a de facto standard. Regardless of the official standards, the existence of a de facto standard is extremely important for the development of a digital economy. If one public-key system is used everywhere for authentication, then signed digital documents can be exchanged between users in different nations using different software on different platforms; this interoperability is necessary for a true digital economy to develop. Adoption of the RSA system has grown to the extent that standards are being written to accommodate it. When the leading vendors of the U.S. financial industry were developing standards for digital signatures, they first developed ANSI X9.30 in 1997 to support the federal requirement of using the Digital Signature Standard. One year later they added ANSI X9.31, whose emphasis is on RSA digital signatures to support the de facto standard of financial institutions. The lack of secure authentication has been a major obstacle in achieving the promise that computers would replace paper; paper is still necessary almost everywhere for contracts, checks, official letters, legal documents, and identification. With this core of necessary paper transactions, it has not been feasible to evolve completely into a society based on electronic transactions. A digital signature is the exact tool necessary to convert the most essential paper-based documents to digital electronic media. Digital signatures make it possible for passports, college transcripts, wills, leases, checks and voter registration forms to exist in electronic form; any paper version would just be a "copy" of the electronic original. The accepted standard for digital signatures has enabled all of this to happen.

6.2 DSA Cryptosystem
The National Institute of Standards and Technology (NIST) published the Digital Signature Algorithm (DSA) in the Digital Signature Standard (DSS), which is a part of the U.S. government's Capstone project. DSS was selected by NIST, in cooperation with the NSA, to be the digital authentication standard of the U.S. government. The standard was issued in May 1994. DSA is based on the discrete logarithm problem and is related to the signature schemes proposed by Schnorr and ElGamal. While the RSA system can be used for both encryption and digital signatures, DSA can only be used to provide digital signatures. In DSA, signature generation is faster than signature verification, whereas with the RSA algorithm signature verification is very much faster than signature generation (if the public and private exponents, respectively, are chosen for this property, which is the usual case). It might be claimed that it is advantageous for signing to be the faster operation, but since in many applications a piece of digital information is signed once but verified often, it may well be more advantageous to have faster verification. The tradeoffs and issues involved have been explored by Wiener. There has been work by many authors, including Naccache et al., on developing techniques to improve the efficiency of DSA, both for signing and verification. Although several aspects of DSA have been criticized since its announcement, it is being incorporated into a number of systems and specifications. Initial criticism focused on a few main issues: it lacked the flexibility of the RSA cryptosystem; verification of signatures with DSA was too slow; the existence of a second authentication mechanism was likely to cause hardship to computer hardware and software vendors, who had already standardized on the RSA algorithm; and the process by which NIST chose DSA was too secretive and arbitrary, with too much influence wielded by the NSA. Other criticisms, more related to the security of the scheme, were addressed by NIST by modifying the original proposal.

Key generation
1. Choose a 160-bit prime q.
2. Choose an L-bit prime p such that p = qz + 1 for some integer z, where 512 ≤ L ≤ 1024 and L is divisible by 64. Note: FIPS-182-2, change notice 1, specifies that L should only assume the value 1024, and the forthcoming FIPS 186-3 (described, e.g., in SP 800-57) uses SHA-224, SHA-256, SHA-384 and SHA-512 as hash functions, q of size 224, 256, 384 and 512 bits, and L equal to 2048, 3072, 7680 and 15360, respectively.
3. Choose h, where 1 < h < p − 1, such that g = h^z mod p > 1.
4. Choose x by some random method, where 0 < x < q.
5. Calculate y = g^x mod p.
The public key is (p, q, g, y); the private key is x. Note that (p, q, g) can be shared between different users of the system, if desired.

Signing
1. Generate a random per-message value k, where 1 < k < q (this is known as a nonce).
2. Calculate r = (g^k mod p) mod q.
3. Calculate s = (k^(−1) (SHA-1(m) + x·r)) mod q, where SHA-1(m) is the SHA-1 hash function applied to the message m.
4. The signature is (r, s).

Verifying
1. Calculate w = s^(−1) mod q.
2. Calculate u1 = (SHA-1(m)·w) mod q.
3. Calculate u2 = (r·w) mod q.
4. Calculate v = ((g^u1 · y^u2) mod p) mod q.
5. The signature is valid if v = r.
DSA is similar to the ElGamal signature scheme.

Correctness of the algorithm
The signature scheme is correct in the sense that the verifier will always accept genuine signatures. This can be shown as follows: from g = h^z mod p it follows that g^q ≡ h^(qz) ≡ h^(p−1) ≡ 1 (mod p) by Fermat's little theorem. Since g > 1 and q is prime, it follows that g has order q. The signer computes

Thus

Since g has order q we have

Finally, the correctness of DSA follows from
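The key generation, signing and verification steps of 6.2 carried through in Python as an added example (not code from the paper): it generates toy-sized domain parameters (a 64-bit q and a p = qz + 1 of roughly 128 bits) with a Miller-Rabin test, checks that g has order q as in the correctness argument, and range-checks the signature and validates the public key before verifying. The tiny parameter sizes and the reduction of SHA-1(m) modulo q are simplifications assumed here.

```python
"""Toy DSA following the paper's key generation, signing and verification steps.
Added example, not the paper's code; parameter sizes are deliberately tiny."""
import hashlib
import secrets

Q_BITS, L_BITS = 64, 128   # toy sizes; the text calls for 160/1024-bit or larger


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with random bases (sufficient for a toy)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime with its top bit set."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_domain_params():
    """Primes q and p = q*z + 1, and g = h^z mod p with g > 1 (so g has order q)."""
    q = random_prime(Q_BITS)
    while True:
        z = secrets.randbits(L_BITS - Q_BITS) | 2      # even z keeps p odd
        p = q * z + 1
        if is_probable_prime(p):
            break
    while True:
        h = secrets.randbelow(p - 3) + 2                 # 1 < h < p - 1
        g = pow(h, z, p)
        if g > 1:
            break
    assert pow(g, q, p) == 1   # g^q = h^(qz) = h^(p-1) = 1 (mod p), as in the correctness proof
    return p, q, g


def hash_to_int(msg, q):
    """SHA-1(m) as an integer mod q (the standard takes the leftmost bits instead)."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % q


def generate_keypair(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1     # private key, 0 < x < q
    return x, pow(g, x, p)               # public key y = g^x mod p


def sign(params, x, msg):
    p, q, g = params
    e = hash_to_int(msg, q)
    while True:
        k = secrets.randbelow(q - 2) + 2            # fresh per-message nonce, 1 < k < q
        r = pow(g, k, p) % q
        if r == 0:
            continue
        s = pow(k, -1, q) * (e + x * r) % q
        if s == 0:
            continue
        return r, s


def verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    # Range-check the signature and validate the public key before exponentiating.
    if not (0 < r < q and 0 < s < q):
        return False
    if not (1 < y < p - 1) or pow(y, q, p) != 1:   # y must lie in the order-q subgroup
        return False
    w = pow(s, -1, q)
    u1 = hash_to_int(msg, q) * w % q
    u2 = r * w % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r
```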

6.2.1 Elliptic Curve DSA
Elliptic Curve DSA (ECDSA) is a variant of the Digital Signature Algorithm (DSA) which operates on elliptic curve groups. The EC variant provides smaller key sizes for the same security level. On the other hand, the execution time is roughly the same and the signature size is exactly the same: 4t, where t is the security parameter. For example, DSA with 1024-bit p and 160-bit q and ECDSA over a 160-bit prime field both produce 320-bit signatures and need only a few milliseconds for execution on a 2 GHz Pentium.


Signature generation algorithm
Suppose Alice wants to send a signed message to Bob. Initially, the curve parameters (q, FR, a, b, G, n, h) must be agreed upon. Also, Alice must have a key pair suitable for elliptic curve cryptography, consisting of a private key d_A (a randomly selected integer in the interval [1, n − 1]) and a public key Q_A (where Q_A = d_A G). For Alice to sign a message m, she follows these steps:
1. Calculate e = HASH(m), where HASH is a cryptographic hash function, such as SHA-1.
2. Select a random integer k from [1, n − 1].
3. Calculate r = x1 (mod n), where (x1, y1) = kG. If r = 0, go back to step 2.
4. Calculate s = k^(−1)(e + d_A r) (mod n). If s = 0, go back to step 2.
5. The signature is the pair (r, s).

Signature verification algorithm
For Bob to authenticate Alice's signature, he must have a copy of her public key Q_A. He follows these steps:
1. Verify that r and s are integers in [1, n − 1]. If not, the signature is invalid.
2. Calculate e = HASH(m), where HASH is the same function used in the signature generation.
3. Calculate w = s^(−1) (mod n).
4. Calculate u1 = ew (mod n) and u2 = rw (mod n).
5. Calculate (x1, y1) = u1 G + u2 Q_A.
6. The signature is valid if x1 = r (mod n), invalid otherwise.
Note that using Straus's algorithm (aka Shamir's trick) the sum of two scalar multiplications u1 G + u2 Q_A can be calculated faster than with two separate scalar multiplications.

6.3 Elliptic curve cryptosystems
Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the mathematics of elliptic curves. The use of elliptic curves in cryptography was suggested independently by Neal Koblitz and Victor Miller in 1985. The main benefit of ECC is that under certain situations it uses smaller keys than other methods — such as RSA — while providing an equivalent or higher level of security. Another benefit of ECC is that a bilinear map between groups can be defined, based on the Weil pairing or the Tate pairing; bilinear maps have recently found numerous applications in cryptography, for example identity-based encryption. One drawback, however, is that the implementation of encryption and decryption operations may take longer than in other schemes.


Key exchange
There are several slightly different versions of elliptic curve cryptography, all of which rely on the widely believed difficulty of solving the discrete logarithm problem for the group of an elliptic curve over some finite field.

Finite field
The most popular finite fields for this are the integers modulo a prime number (see modular arithmetic), GF(p), or a Galois field of characteristic two, GF(2^m). The latter is more computationally efficient on dedicated hardware implementations, whereas the former is usually more efficient on general-purpose processors. Patent issues are also relevant. Galois fields whose size is a power of some other prime have also been proposed, but are considered a bit dubious among cryptanalysts.

Given an elliptic curve E and a field GF(q), we consider the abelian group of rational points E(q) of the form (x, y), where both x and y are in GF(q), and where the group operation "+" is defined on this curve by the elliptic curve group law. We then define a second operation "*": Z × E(q) → E(q): if P is some point in E(q), then we define 2*P = P + P, 3*P = 2*P + P = P + P + P, and so on. Note that given integers j and k, j*(k*P) = (j*k)*P = k*(j*P). The elliptic curve discrete logarithm problem (ECDLP) is then to determine the integer k, given points P and Q, and given that k*P = Q. It is believed that the usual discrete logarithm problem over the multiplicative group of a finite field (DLP) and ECDLP are not equivalent problems, and that ECDLP is significantly more difficult than DLP.

In cryptographic use, a specific base point G is selected and published for use with the curve E(q). A private key k is selected as a random integer, and then the value P = k*G is published as the public key (note that the purported difficulty of ECDLP implies that k is hard to determine from P). If Alice and Bob have private keys k_A and k_B, and public keys P_A and P_B, then Alice can calculate k_A*P_B = (k_A*k_B)*G, and Bob can compute the same value as k_B*P_A = (k_B*k_A)*G. This allows the establishment of a "secret" value that both Alice and Bob can easily compute, but which is difficult for any third party to derive. In addition, Bob does not gain any new knowledge about k_A during this transaction, so Alice's private key remains private.

Encryption
The actual methods used to then encrypt messages between Alice and Bob based on this secret value are adaptations of older discrete logarithm cryptosystems originally described for use on other groups. These include:
Diffie-Hellman — ECDH
MQV — ECMQV
ElGamal discrete log cryptosystem — ECElGamal
DSA — ECDSA
Doing the group operations needed to run the system is slower for an ECC system than for a factorization system or a modulo-integer discrete log system of the same size. However, proponents of ECC systems believe that the ECDLP problem is significantly harder than the DLP or factorisation problems, and so equal security can be provided by much smaller key lengths using ECC, to the extent that it can actually be faster than, for instance, RSA. Published results to date tend to support this belief, but some experts are skeptical. ECC is widely regarded as the strongest asymmetric algorithm at a given key length, so it may become useful over links that have very tight bandwidth requirements.

6.4 Diffie-Hellman
Diffie-Hellman key exchange is a cryptographic protocol which allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher. Synonyms of Diffie-Hellman key exchange include: Diffie-Hellman key agreement, Diffie-Hellman key establishment, Diffie-Hellman key negotiation and exponential key exchange. The scheme was first published publicly by Whitfield Diffie and Martin Hellman in 1976, although it later emerged that it had been discovered a few years earlier within GCHQ, the British signals intelligence agency, by Malcolm J. Williamson but was kept classified. In 2002, Hellman suggested the algorithm be called Diffie-Hellman-Merkle key exchange in recognition of Ralph Merkle's contribution to the invention of public-key cryptography (Hellman, 2002). Although Diffie-Hellman key agreement itself is an anonymous (non-authenticated) key agreement protocol, it provides the basis for a variety of authenticated protocols, and is used to provide perfect forward secrecy in TLS's ephemeral modes.

History
Diffie-Hellman key agreement was invented in 1976 during a collaboration between Whitfield Diffie and Martin Hellman and was the first practical method for establishing a shared secret over an unprotected communications channel. Ralph Merkle's work on public key distribution was an influence. John Gill suggested application of the discrete logarithm problem. It had been discovered by Malcolm Williamson of GCHQ in the UK some years previously, but GCHQ chose not to make it public until 1997, by which time it had no influence on research in academia. The method was followed shortly afterwards by RSA, another implementation of public key cryptography using asymmetric algorithms. In 2002, Martin Hellman wrote: "The system...has since become known as Diffie-Hellman key exchange. While that system was first described in a paper by Diffie and me, it is a public key distribution system, a concept developed by Merkle, and hence should be called 'Diffie-Hellman-Merkle key exchange' if names are to be associated with it. I hope this small pulpit might help in that endeavor to recognize Merkle's equal contribution to the invention of public key cryptography." U.S. Patent 4,200,770, now expired, describes the algorithm and credits Hellman, Diffie, and Merkle as inventors.

Diffie-Hellman Algorithm
The simplest, and original, implementation of the protocol uses the multiplicative group of integers modulo p, where p is prime and g is primitive mod p. Modulo (or mod) simply means that the integers between 1 and p − 1 are used with normal multiplication, exponentiation and division, except that after each operation the result keeps only the remainder after dividing by p. Here is an example of the protocol:
1. Alice and Bob agree to use a prime number p = 23 and base g = 5.
2. Alice chooses a secret integer a = 6, then sends Bob g^a mod p = 5^6 mod 23 = 8.
3. Bob chooses a secret integer b = 15, then sends Alice g^b mod p = 5^15 mod 23 = 19.
4. Alice computes (g^b mod p)^a mod p = 19^6 mod 23 = 2.
5. Bob computes (g^a mod p)^b mod p = 8^15 mod 23 = 2.
Both Alice and Bob have arrived at the same value, because g^(ab) and g^(ba) are equal. Note that only a, b, g^(ab) and g^(ba) are kept secret. All the other values are sent in the clear. Once Alice and Bob compute the shared secret they can use it as an encryption key, known only to them, for sending messages across the same open communications channel.
Of course, much larger values of a, b and p would be needed to make this example secure, since it is easy to try all the possible values of g^(ab) mod 23 (there will be, at most, 22 such values, even if a and b are large). If p were a prime of more than 300 digits, and a and b were at least 100 digits long, then even the best known algorithms for finding a given only g, p and g^a mod p (known as the discrete logarithm problem) would take longer than the lifetime of the universe to run. g need not be large at all, and in practice is usually either 2 or 5.


Here's a more general description of the protocol:
1. Alice and Bob agree on a finite cyclic group G and a generating element g in G. (This is usually done long before the rest of the protocol; g is assumed to be known by all attackers.) We will write the group G multiplicatively.
2. Alice picks a random natural number a and sends g^a to Bob.
3. Bob picks a random natural number b and sends g^b to Alice.
4. Alice computes (g^b)^a.
5. Bob computes (g^a)^b.
Both Alice and Bob are now in possession of the group element g^(ab), which can serve as the shared secret key. The values of (g^b)^a and (g^a)^b are the same because groups are power associative.

Chart
Here is a chart to help simplify who knows what.
Let s = shared secret key: s = 2
Let a = Alice's private key: a = 6
Let b = Bob's private key: b = 15
Let g = public base: g = 5
Let p = public (prime) number: p = 23

Alice knows: p = 23, base g = 5, a = 6, 5^6 mod 23 = 8, 5^b mod 23 = 19, 19^6 mod 23 = 2, 8^b mod 23 = 2, 19^6 mod 23 = 8^b mod 23, s = 2
Alice doesn't know: b = 15

Bob knows: p = 23, base g = 5, b = 15, 5^15 mod 23 = 19, 5^a mod 23 = 8, 8^15 mod 23 = 2, 19^a mod 23 = 2, 8^15 mod 23 = 19^a mod 23, s = 2
Bob doesn't know: a = 6

Eve knows: p = 23, base g = 5, 5^a mod 23 = 8, 5^b mod 23 = 19, 19^a mod 23 = s, 8^b mod 23 = s, 19^a mod 23 = 8^b mod 23
Eve doesn't know: a = 6, b = 15, s = 2

Note: It should be difficult for Alice to solve for Bob's private key or for Bob to solve for Alice's private key. If it isn't difficult for Alice to solve for Bob's private key (or vice versa), Eve may simply substitute her own private / public key pair, plug Bob's public key into her private key, produce a fake shared secret key, and solve for Bob's private key (and use that to solve for the shared secret key); Eve may attempt to choose a public / private key pair that will make it easy for her to solve for Bob's private key.

Security
The protocol is considered secure against eavesdroppers if G and g are chosen properly. The eavesdropper ("Eve") must solve the Diffie-Hellman problem to obtain g^(ab). This is currently considered difficult. An efficient algorithm to solve the discrete logarithm problem would make it easy to compute a or b and solve the Diffie-Hellman problem, making this protocol insecure. The order of G should be prime or have a large prime factor to prevent use of the Pohlig-Hellman algorithm to obtain a or b. For this reason, a Sophie Germain prime q is sometimes used to calculate p = 2q + 1, called a safe prime, since the order of G is then only divisible by 2 and q. g is then sometimes chosen to generate the order-q subgroup of G, rather than G itself, so that the Legendre symbol of g^a never reveals the low-order bit of a. If Alice and Bob use random number generators whose outputs are not completely random but can be predicted to some extent, then Eve's task is much easier. The secret integers a and b are discarded at the end of the session. Therefore, Diffie-Hellman key exchange by itself trivially achieves perfect forward secrecy because no long-term private keying material exists to be disclosed.
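The worked exchange of 6.4 (p = 23, g = 5, a = 6, b = 15) together with the safe-prime, subgroup and Legendre-symbol checks described in the Security paragraph, as an added Python example (not code from the paper). It also shows that the paper's g = 5 generates all of Z_23*, so the Legendre symbol of g^a reveals whether a is even, and that a squared generator of the order-11 subgroup avoids that leak; the function names are the example's own.

```python
"""Diffie-Hellman with the paper's toy values plus the parameter checks from the
Security paragraph. Added example, not the paper's code."""
import secrets


def is_prime(n):
    """Trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def is_safe_prime(p):
    """p = 2q + 1 with q prime (q is then a Sophie Germain prime)."""
    return p % 2 == 1 and is_prime(p) and is_prime((p - 1) // 2)


def element_order(g, p):
    """Multiplicative order of g in Z_p* (small groups only)."""
    k, v = 1, g % p
    while v != 1:
        v = v * g % p
        k += 1
    return k


def legendre(a, p):
    """Euler's criterion: 1 when a is a quadratic residue mod p, p - 1 when it is not."""
    return pow(a, (p - 1) // 2, p)


def dh_exchange(p, g, a, b):
    """Return (g^a, g^b, Alice's secret, Bob's secret); both secrets equal g^(ab) mod p."""
    A = pow(g, a, p)
    B = pow(g, b, p)
    return A, B, pow(B, a, p), pow(A, b, p)


def is_valid_public_value(value, p, q):
    """Accept a received g^a only if 1 < value < p - 1 and value lies in the order-q subgroup."""
    return 1 < value < p - 1 and pow(value, q, p) == 1


def subgroup_generator(p):
    """For a safe prime p = 2q + 1, any square other than 1 generates the order-q subgroup."""
    while True:
        g = pow(secrets.randbelow(p - 3) + 2, 2, p)
        if g != 1:
            return g
```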

Authentication
In the original description, the Diffie-Hellman exchange by itself does not provide authentication of the parties, and is thus vulnerable to a man-in-the-middle attack. The man-in-the-middle may establish two distinct Diffie-Hellman keys, one with Alice and the other with Bob, and then try to masquerade as Alice to Bob and/or vice versa, perhaps by decrypting and re-encrypting messages passed between them. Some method to authenticate these parties to each other is generally needed. A variety of cryptographic authentication solutions incorporate a Diffie-Hellman exchange. When Alice and Bob have a public key infrastructure they may digitally sign the agreed key, or g^a and g^b, as in MQV, STS and the IKE component of the IPsec protocol suite for securing Internet Protocol communications. When Alice and Bob share a password, they may use a password-authenticated key agreement form of Diffie-Hellman.

6.4.1 Elliptic Curve Diffie-Hellman
Elliptic Curve Diffie-Hellman (ECDH) is a key agreement protocol that allows two parties to establish a shared secret key over an insecure channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher. It is a variant of the Diffie-Hellman protocol using elliptic curve cryptography.

Key establishment protocol
Suppose Alice wants to establish a shared key with Bob, but the only channel available to them might be eavesdropped. Initially, the curve parameters (q, FR, a, b, G, n, h) must be agreed upon. Also, each party must have a key pair suitable for elliptic curve cryptography, consisting of a private key d (a randomly selected integer in the interval [1, n − 1]) and a public key Q (where Q = dG). Let Alice's key pair be (d_A, Q_A) and Bob's key pair be (d_B, Q_B). Each party must have the other party's public key. Alice computes (x_k, y_k) = d_A Q_B. Bob computes (x_k, y_k) = d_B Q_A. The shared key is x_k (the x coordinate of the point). The number calculated by both parties is equal, because d_A Q_B = d_A d_B G = d_B d_A G = d_B Q_A. The protocol is secure because nothing is disclosed (except for the public keys, which are not secret), and no party can derive the private key of the other unless it can solve the Elliptic Curve Discrete Logarithm Problem. The public keys are either static (and trusted, say via a certificate) or ephemeral. Ephemeral keys are not necessarily authenticated, so if authentication is wanted, it has to be obtained by other means. Static public keys provide neither forward secrecy nor key-compromise impersonation resilience, among other advanced security properties. Holders of static private keys should validate the other party's public key, and should apply a secure key derivation function to the raw Diffie-Hellman shared secret to avoid leaking information about the static private key.
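The ECDSA steps of 6.2.1, the scalar multiplication k*P of 6.3 and the ECDH derivation above, as one added Python example (not code from the paper) on a constructed toy curve y^2 = x^3 + 2x + 2 over GF(17) with base point (5, 1) of prime order 19; the curve, the use of SHA-256 reduced mod n, and the public-key validation before use are assumptions of the example.

```python
"""Toy ECDSA and ECDH built on the scalar multiplication k*P of 6.3.
Added example, not the paper's code."""
import hashlib
import secrets

# Constructed toy domain parameters: y^2 = x^3 + 2x + 2 over GF(17),
# base point G = (5, 1) of prime order n = 19, cofactor h = 1.
P = 17
A, B = 2, 2
G = (5, 1)
N = 19
INF = None   # the point at infinity, identity of the group


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def ec_add(p1, p2):
    """The group operation "+" on E(GF(P)), covering doubling and the identity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                       # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """k*P = P + P + ... + P, computed by double-and-add."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(msg):
    """e = HASH(m) reduced mod n (toy stand-in for taking the leftmost bits)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def keygen():
    d = secrets.randbelow(N - 1) + 1     # private key d in [1, n-1]
    return d, ec_mul(d, G)               # public key Q = d*G


def ecdsa_sign(d, msg):
    e = hash_to_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1 # fresh random k in [1, n-1] per signature
        r = ec_mul(k, G)[0] % N
        if r == 0:
            continue                     # step 3: restart with a new k
        s = pow(k, -1, N) * (e + d * r) % N
        if s == 0:
            continue                     # step 4: restart with a new k
        return r, s


def ecdsa_verify(Q, msg, sig):
    r, s = sig
    # Step 1 of verification plus a public-key sanity check before any arithmetic.
    if not (1 <= r < N and 1 <= s < N) or Q is INF or not on_curve(Q):
        return False
    w = pow(s, -1, N)
    u1, u2 = hash_to_int(msg) * w % N, r * w % N
    pt = ec_add(ec_mul(u1, G), ec_mul(u2, Q))   # u1*G + u2*Q
    return pt is not INF and pt[0] % N == r


def ecdh_shared(d_own, Q_peer):
    """ECDH: the shared key is the x-coordinate of d_own * Q_peer."""
    if Q_peer is INF or not on_curve(Q_peer):
        raise ValueError("peer public key is not a valid curve point")
    return ec_mul(d_own, Q_peer)[0]
```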

6.5 ElGamal
The ElGamal algorithm is an asymmetric key encryption algorithm for public key cryptography which is based on Diffie-Hellman key agreement. It was described by Taher Elgamal in 1984. The ElGamal algorithm is used in the free GNU Privacy Guard software, recent versions of PGP, and other cryptosystems. The Digital Signature Algorithm is a variant of the ElGamal signature scheme, which should not be confused with the ElGamal encryption algorithm. ElGamal can be defined over any cyclic group G. Its security depends upon the difficulty of a certain problem in G related to computing discrete logarithms. The ElGamal algorithm consists of three components: the key generator, the encryption algorithm, and the decryption algorithm. The key generator works as follows:
1. Alice generates an efficient description of a cyclic group G of order q with generator g. See below for specific examples of how this can be done.
2. Alice chooses a random x from .
3. Alice computes h = g^x.
4. Alice publishes h, along with the description of G, q, g, as her public key. Alice retains x as her secret key.


The encryption algorithm works as follows: to encrypt a message m to Alice under her public key (G, q, g, h), Bob converts m into an element of G. Bob chooses a random y from , then calculates c1 = g^y and . Bob sends the ciphertext (c1, c2) to Alice.

The decryption algorithm works as follows: to decrypt a ciphertext (c1,c2) with her secret key x, Alice computes

as the plaintext message.

The decryption algorithm produces the intended message, since

If the space of possible messages is larger than the size of G, then the message can be split into several pieces and each piece can be encrypted independently. Typically, however, a short key to a symmetric-key cipher is first encrypted under ElGamal, and the (much longer) intended message is encrypted more efficiently using the symmetric-key cipher — this is termed hybrid encryption.

Security
ElGamal is a simple example of a semantically secure asymmetric key encryption algorithm (under reasonable assumptions). It is probabilistic, meaning that a single plaintext can be encrypted to many possible ciphertexts, with the consequence that a general ElGamal encryption produces a 2:1 expansion in size from plaintext to ciphertext. ElGamal's security rests, in part, on the difficulty of solving the discrete logarithm problem in G. Specifically, if the discrete logarithm problem could be solved efficiently, then ElGamal would be broken. However, the security of ElGamal actually relies on the so-called Decisional Diffie-Hellman (DDH) assumption. This assumption is often stronger than the discrete log assumption, but is still believed to be true for many classes of groups.

Generating the group G
As described above, ElGamal can be defined over any cyclic group G, and is secure if a certain computational assumption (the "DDH Assumption") about that group is true. Unfortunately, the straightforward use of G = Z_p for a prime p is insecure, because the DDH Assumption is false in this group. In contrast, computing discrete logs is believed to be hard in Z_p, but this is not enough for the security of ElGamal. The two most popular types of groups used in ElGamal are subgroups of Z_p and groups defined over certain elliptic curves. Here is one popular way of choosing an appropriate subgroup of Z_p which is believed to be secure:
1. Choose a random large prime p such that p − 1 = kq for some small integer k and large prime q. This can be done, for example with k = 2, by first choosing a random large prime q and checking whether p = 2q + 1 is prime.
2. Choose a random element such that and g^q = 1 mod p, i.e. such that g is of order q.
3. The group G is the subgroup of Z_p generated by g, i.e. the set of k-th residues mod p.
When encrypting, care must be taken to properly encode the message m as an element of G, and not, say, as just an arbitrary element of Z_p.

Efficiency
Encryption under ElGamal requires two exponentiations; however, these exponentiations are independent of the message and can be computed ahead of time if need be. Decryption only requires one exponentiation (plus one division, which is typically much faster). Unlike in the RSA and Rabin systems, ElGamal decryption cannot be sped up via the Chinese remainder theorem.

Miscellaneous
ElGamal is malleable in an extreme way: for example, given an encryption (c1, c2) of some (possibly unknown) message m, one can easily construct an encryption of the message 2m. Therefore ElGamal is not secure under chosen ciphertext attack. On the other hand, the Cramer-Shoup system (which is based on ElGamal) is secure under chosen ciphertext attack.
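ElGamal in the order-q subgroup of Z_p for the safe-prime construction p = 2q + 1 described above, as an added Python example (not the paper's code), including the encoding of m as an element of G that the text warns about, subgroup checks on the public key and ciphertext, and the malleability from the Miscellaneous paragraph. The toy values p = 1019, q = 509 and the quadratic-residue encoding are assumptions of the example.

```python
"""Toy ElGamal in the order-q subgroup of Z_p* for a safe prime p = 2q + 1.
Added example, not the paper's code."""
import secrets

# Constructed toy parameters: p = 2*q + 1 with p = 1019 and q = 509 both prime.
P = 1019
Q = 509
assert P == 2 * Q + 1


def is_in_group(v):
    """An element of Z_p* lies in the order-q subgroup G iff v^q = 1 (mod p)."""
    return 1 <= v < P and pow(v, Q, P) == 1


def encode(m):
    """Map an integer 1 <= m <= q into G (the quadratic residues).
    For p = 3 (mod 4) exactly one of m and p - m is a residue, so this is a bijection."""
    if not 1 <= m <= Q:
        raise ValueError("message must lie in [1, q]")
    return m if is_in_group(m) else P - m


def decode(v):
    """Inverse of encode: residues above q came from p - m."""
    return v if v <= Q else P - v


def keygen():
    # g = h^2 mod p has order q for any h with h^2 != 1 (the k = 2 construction above)
    while True:
        g = pow(secrets.randbelow(P - 3) + 2, 2, P)
        if g != 1:
            break
    x = secrets.randbelow(Q - 1) + 1     # secret key x in [1, q-1]
    h = pow(g, x, P)                     # public h = g^x
    return (g, h), x


def encrypt(pub, m):
    g, h = pub
    if not is_in_group(h):
        raise ValueError("public key is not in the subgroup")
    y = secrets.randbelow(Q - 1) + 1     # fresh ephemeral y for every message
    c1 = pow(g, y, P)
    c2 = encode(m) * pow(h, y, P) % P    # c2 = m * h^y with m encoded into G
    return c1, c2


def decrypt(x, ct):
    """Return the recovered group element; apply decode() to get the integer message."""
    c1, c2 = ct
    if not (is_in_group(c1) and is_in_group(c2)):
        raise ValueError("ciphertext components are not in the subgroup")
    s = pow(c1, x, P)                    # s = c1^x = g^(xy), the shared value
    return c2 * pow(s, -1, P) % P


def multiply_plaintext(ct, factor):
    """Malleability: scaling c2 by an element of G scales the hidden plaintext
    element by the same factor, without any knowledge of the key."""
    c1, c2 = ct
    return c1, c2 * factor % P
```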

6.6 Merkle-Hellman
Merkle-Hellman (MH) was one of the earliest public key cryptosystems, invented by Ralph Merkle and Martin Hellman in 1978. Although its ideas are elegant, and far simpler than RSA, it has been broken. The Merkle-Hellman system is based on the subset sum problem (a special case of the knapsack problem): given a list of numbers and a third number, which is the sum of a subset of these numbers, determine the subset. In general, this problem is known to be NP-complete; however, there are some 'easy' instances which can be solved efficiently. The Merkle-Hellman scheme is based on transforming an easy instance into a difficult instance, and back again. However, the scheme was broken by Adi Shamir, not by attacking the knapsack problem, but rather by breaking the conversion from an easy knapsack to a hard one.

Merkle-Hellman Algorithm
Key generation
To encrypt n-bit messages, choose a superincreasing sequence w = (w1, w2, ..., wn) of n natural numbers (excluding zero). (A superincreasing sequence is a sequence in which every element is greater than the sum of all previous elements, e.g. {1, 2, 4, 8, 16}.) Pick a random integer q such that q ≥ , and a random integer r such that gcd(r, q) = 1. q must be chosen as such to ensure the uniqueness of the encrypted message after modular arithmetic. If it is any smaller, more than one message (in plaintext) will encrypt to the same cryptotext, making decoding functionally impossible. r must be coprime to q or else it will not have an inverse mod q. The existence of the inverse of r is necessary so that decryption is possible. Now calculate the sequence β = (β1, β2, ..., βn) where βi = r·wi (mod q). The public key is β, while the private key is (w, q, r).

Encryption
To encrypt an n-bit message α = (α1, α2, ..., αn), where αi is the i-th bit of the message and αi ∈ {0, 1}, calculate . The cryptogram then is c.


Decryption
The key to decryption lies in somehow determining s = r^(−1) (mod q); s is the private key in this cryptosystem. You can now convert the NP-hard problem, extrapolating α from c (using an essentially randomly-filled knapsack), into the easy problem of extrapolating α using a superincreasing knapsack, which is solvable in linear time. The steps of decryption require that you calculate c' = c·s (mod q) and w = β·s (mod q). c' is still an encrypted form of α, but the knapsack which encrypts it is simply the superincreasing sequence w. The superincreasing knapsack problem is easy to solve because of the structure of a superincreasing sequence. Take the largest element in w, say w_k. If w_k > c', then α_k = 0; if w_k ≤ c', then α_k = 1. Then subtract w_k · α_k from c', and repeat these steps until you have figured out α. When q is very large, it is very difficult to calculate s (it can take a long time, but the algorithm merely makes use of simple modular multiplication). The difficulty of determining s is why this was thought to be such an impossible cryptosystem to break.
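Key generation, encryption and the greedy decryption of 6.6 as an added Python example (not the paper's code); the sequence w = (2, 7, 11, 21, 42, 89, 180, 354) with q = 881 and r = 588 is a constructed sample key, and the code requires q to exceed the sum of w so that every subset sum is recovered uniquely.

```python
"""Merkle-Hellman knapsack cryptosystem as laid out in 6.6: key generation from a
superincreasing sequence, encryption, and greedy decryption.
Added example, not the paper's code; the sample key values are constructed."""
from math import gcd
import secrets


def is_superincreasing(w):
    """Every element must exceed the sum of all elements before it."""
    total = 0
    for wi in w:
        if wi <= total:
            return False
        total += wi
    return True


def keygen(w, q=None, r=None):
    """Public key beta_i = r*w_i mod q; private key (w, q, r).
    q and r are drawn at random when not supplied."""
    if not w or not is_superincreasing(w):
        raise ValueError("w must be a superincreasing sequence of positive integers")
    total = sum(w)
    if q is None:
        q = total + 1 + secrets.randbelow(total)
    if q <= total:
        # Every subset sum of w must stay below q, otherwise two plaintexts collide.
        raise ValueError("q must be larger than the sum of w")
    if r is None:
        while True:
            r = secrets.randbelow(q - 2) + 2
            if gcd(r, q) == 1:
                break
    if gcd(r, q) != 1:
        raise ValueError("r must be coprime to q so that r^-1 mod q exists")
    beta = [r * wi % q for wi in w]
    return beta, (w, q, r)


def encrypt(beta, bits):
    """c = sum of beta_i over the message bits alpha_i that equal 1."""
    if len(bits) != len(beta) or any(b not in (0, 1) for b in bits):
        raise ValueError("message must be a list of n bits")
    return sum(bi for b, bi in zip(bits, beta) if b)


def decrypt(private, c):
    """Undo the hard knapsack with s = r^-1 mod q, then solve the easy one greedily."""
    w, q, r = private
    s = pow(r, -1, q)
    c_prime = c * s % q                  # c' is the subset sum of the same bits over w
    bits = [0] * len(w)
    for i in range(len(w) - 1, -1, -1):  # largest element of w first
        if w[i] <= c_prime:
            bits[i] = 1
            c_prime -= w[i]
    if c_prime != 0:
        raise ValueError("ciphertext is not the encryption of any n-bit message")
    return bits


def byte_to_bits(value):
    """Most-significant bit first, so alpha_1 is the high bit of the byte."""
    return [(value >> (7 - i)) & 1 for i in range(8)]
```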

7 Protocols Using Asymmetric Key Algorithms
7.1 GPG
The GNU Privacy Guard (GnuPG or GPG) is a free software replacement for the PGP suite of cryptographic software, released under the GNU General Public License. It is a part of the Free Software Foundation's GNU software project, and has received major funding from the German Government. GPG is completely compliant with the IETF standard for OpenPGP. Current versions of PGP (and Veridis' Filecrypt) are interoperable with GPG and other OpenPGP-compliant systems. Although some older versions of PGP are also interoperable, not all features of newer software are supported by the older software. It is necessary for users to understand those incompatibilities and work around them.

History
GPG was initially developed by Werner Koch. Version 1.0.0 was released on September 7th, 1999. The German Federal Ministry of Economics and Technology funded the documentation and the port to Microsoft Windows in 2000. Because GPG is an OpenPGP standard compliant system, the history of OpenPGP is of importance. Version 1.4.2 of the stable branch was announced on 27 July 2005, and version 1.9.19 of the development branch (with S/MIME support) was released on 12 September 2005.


Uses of GnuPG
GPG is stable, production-quality software. It is frequently included in free operating systems, such as FreeBSD, OpenBSD, and NetBSD and nearly all distributions of GNU/Linux. Although the basic GPG program has a command line interface, there exist various frontends that provide it with a graphical user interface; for example, it has been integrated into KMail and Evolution, the graphical email clients found in the most popular Linux desktops KDE and GNOME. For GNOME, there is a graphical GPG front-end called Seahorse. A plugin known as Enigmail allows GPG to be integrated with Mozilla and Thunderbird, which works on Microsoft Windows as well as Linux and other operating systems. Web-based software such as Horde also makes use of it. Note that, because the plugin mechanism is not part of GPG itself and not specified by the OpenPGP standard, and because neither the GPG nor OpenPGP developers were involved in their development, it is possible that GPG's security benefits could be compromised or even lost as a result of using such auxiliaries. GPG can also be compiled for other platforms like Mac OS X and Windows. For Mac OS X, there is a free port called MacGPG which has been adapted to use the OS X user interface and its native class definitions. Cross compilation is not a trivial exercise, at least in part because security provisions vary with operating system and adapting to them is often tricky, but high quality compilers should routinely produce executables which will interoperate correctly with other GPG implementations.

How GPG works
GPG encrypts messages using asymmetric keypairs individually generated by GPG users. The resulting public keys can be exchanged with other users in a variety of ways, such as Internet key servers. They must always be exchanged carefully to prevent identity spoofing by corrupting public key ↔ 'owner' identity correspondences. It is also possible to add a cryptographic digital signature to a message, so the message integrity and sender can be verified, if a particular correspondence relied upon has not been corrupted. GPG does not use patented or otherwise restricted software or algorithms, including the IDEA encryption algorithm which has been present in PGP almost from the beginning. Instead, it uses a variety of other, non-patented algorithms such as ElGamal, CAST5, Triple DES, AES, Blowfish and Twofish. It is still possible to use IDEA in GPG by downloading a plugin for it; however, this may require getting a license for some uses in some countries in which IDEA is patented. GPG is a hybrid encryption software program in that it uses a combination of conventional symmetric-key cryptography for speed, and public-key cryptography for ease of secure key exchange, typically by using the recipient's public key to encrypt a session key which is only used once. This mode of operation is part of the OpenPGP standard and has been part of PGP from its first version.

Khushdeep Noheria

Page 38

Asymmetric Key Cryptography

WS-2005/06

Problems

The OpenPGP standard specifies several methods of digitally signing messages. Due to an error in a change to GPG intended to make one of those methods more efficient, a security vulnerability was introduced (Nguyen, 2004). It affects only one method of digitally signing messages (ElGamal signing keys), only in some releases of GPG (1.0.2 through 1.2.3), and fewer than 1000 such keys were listed on the key servers. Most people did not use this method and were in any case discouraged from doing so, so the damage caused (if any; none has been publicly reported) appears to have been minimal. Support for this method was removed from the GPG versions released after the discovery (1.2.4 and later).

GPG is a command-line program and is not written as an API that can be incorporated into other software. GPGME is an API wrapper around GPG that parses GPG's output, and various graphical front-ends have been built on GPGME. Each GPGME API call requires an out-of-process call to the GPG executable. The approach is less than satisfactory because GPGME ends up parsing textual output rather than calling library functions directly. In general, GUI systems based on GPGME do not offer the robustness of software that calls true APIs (contrast WinPT with GnuPG against the PGP GUI: the latter uses API calls into its own encryption routines). Other software wraps the command line in a Perl script (e.g. gpg-dialog) that is menu based and more user friendly.

7.2 PGP

When it comes to asymmetric cryptography, the most popular and widely used application that comes to anyone's mind is PGP. PGP stands for "Pretty Good Privacy" and is the standard public key cryptography application in use today. PGP is a computer program which provides cryptographic privacy and authentication. The first released version of PGP, by designer and developer Phil Zimmermann, became available in 1991. Subsequent versions have been developed by both Zimmermann and others. PGP has been sufficiently influential that its operating protocols and data formats have been standardised for interoperability among different versions of PGP and related software. Eventually the PGP design was adopted as an Internet standards-track specification known as OpenPGP. OpenPGP is now an open standard followed by PGP, GNU Privacy Guard (GnuPG), Hushmail, Veridis, Authora, EasyByte Cryptocx and others.


PGP and email

While PGP can encrypt the content of any data (any computer file or message text), it is most commonly used for e-mail, which as originally implemented has no built-in security. PGP and S/MIME are the two (incompatible) official email security systems that are currently IETF standards. PGP was originally used for email by converting an encrypted message into a special text formatting (ASCII armor) to prevent changes during transmission. A more comprehensive integration of PGP with the MIME email standard is specified by RFC 3156. Plugins implementing PGP functionality are available for many popular e-mail applications (such as Outlook, Outlook Express, Eudora, Evolution, Mutt, Mozilla Thunderbird, Apple Mail and many others); several are included with many PGP distributions. From a security viewpoint every such plugin is independent of PGP itself. Each might have implementation errors or interact insecurely with PGP or with other software, so using a plugin does not necessarily provide the same level of security as standalone (and correct) use of PGP itself. Such add-ons can at best be equivalent to PGP in security; at worst a plugin may reduce actual security to nothing, and distinguishing between these cases is non-trivial even for the most cryptographically skilled and informed. The best advice for the ordinary user is to be careful and to regularly test the whole system by sending test messages to oneself or, better, to a partner who uses an independently installed and configured copy of PGP or compatible software. This assures at least end-to-end functionality, though more subtle bugs or damage may still be present. Such a check is especially important after any software change or upgrade.
The safest use pattern is to encrypt and sign messages manually and then email them manually; this avoids problems such as the automatic, hidden transmission of copies of the message text to unintended places over a network connection. As with all security considerations, however, the best possible security must be balanced against other system constraints and user needs. For instance, those who must use Microsoft Windows, Outlook or Internet Explorer are in a different security situation from those who use OpenBSD or FreeBSD and Firefox, and each must take different measures to maximize security. Whatever risks there may be in a quality security system such as PGP or its relatives, not using it is always riskier.

How PGP works

PGP uses both public-key cryptography and symmetric key cryptography, and includes a system which binds public keys to user identities. The first version of this system is generally known as a web of trust and continues in use. Later versions of PGP have included something more akin to a public key infrastructure (PKI).


PGP uses asymmetric key encryption algorithms. In these, the recipient must have previously generated a linked key pair: a public key and a private key. The sender uses the recipient's public key to encrypt a shared key (a secret key or conventional key) for a symmetric cipher; that session key is then used to encrypt the plaintext of the message. Many PGP users' public keys are available to all from the many PGP key servers around the world, which act as mirror sites for each other. The recipient of a PGP-protected message decrypts it using the session key of the symmetric algorithm. That session key was, of course, included in the message in encrypted form and is itself decrypted using the recipient's private key. Using two ciphers in this way is sensible because of the very considerable difference in operating speed between asymmetric key and symmetric key ciphers (often a factor of 1000 or more), and because asymmetric key algorithms have cryptographic weaknesses when used to encrypt messages directly.

A similar strategy is used (by default) to detect whether a message has been altered since it was completed, and (also by default) whether it was actually sent by the person or entity claimed as the sender. To do both at once, the sender uses PGP to 'sign' the message with either the RSA or the DSA signature algorithm. PGP computes a hash (also called a message digest) of the plaintext and then creates the digital signature from that hash using the sender's private key. The recipient computes a message digest over the recovered plaintext, then applies the verification step of the signature algorithm to the received signature using the sender's public key. If the signature matches the received plaintext's message digest, it can be concluded (with very high confidence) that the message has not been tampered with, deliberately or accidentally, since it was signed.
Both when encrypting messages and when verifying signatures, it is critical that the public key one uses for some person or entity actually does 'belong' to the intended party. Simply downloading a public key from somewhere gives little assurance of that association; deliberate (or accidental) spoofing is possible. PGP has always included provisions for distributing users' public keys in 'identity certificates', which are constructed cryptographically so that any tampering (or accidental garbling) is readily detectable. But making a certificate effectively impossible to modify undetectably is not sufficient: it prevents corruption only after the certificate has been created, not before. Users must also verify by some means that the public key in a certificate actually belongs to the person or entity claiming it. From its first release PGP has included an internal certificate 'vetting scheme' to assist with this, called the web of trust. A given public key (more specifically, the information binding a person to a key) may be digitally signed by a third party to attest the association between the person and the key. Several levels of confidence can be expressed in such a signature; although many programs read and write this information, few (if any) incorporate the level of certification when calculating whether to trust a key.


In the (more recent) OpenPGP specification, trust signatures can be used to support the creation of certificate authorities. A trust signature indicates both that the key belongs to its claimed owner and that the owner is trusted to sign other keys at one level below their own. A level 0 signature is comparable to an ordinary web of trust signature, since only the validity of the key is certified. A level 1 signature is similar to the trust one places in a certificate authority, because a key signed at level 1 may issue an unlimited number of level 0 signatures. A level 2 signature is analogous to the trust assumption users rely on whenever they use the default certificate authority list in Internet Explorer; it allows the owner of the key to make other keys certificate authorities. PGP has also always included a way to cancel ('revoke') identity certificates that may have become invalid; this is more or less equivalent to the certificate revocation lists of more centralized PKI schemes. More recent PGP versions also support certificate expiration dates. The problem of correctly identifying a public key as belonging to some other user is not unique to PGP: all public key cryptosystems have the same problem, if in slightly different guise, and no fully satisfactory solution is known. PGP's original scheme at least leaves the decision whether or not to use its endorsement/vetting system to the user, while most other PKI schemes do not, requiring instead that every certificate attested to by a central certificate authority be accepted as correct.
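A toy evaluation of the trust-signature levels just described, as an added example rather than PGP or GnuPG code. The rules are a simplification of the OpenPGP trust-signature semantics: a level-n signature from a signer trusted above level n makes the subject valid at level n, and revoked keys neither certify nor become valid. The key names, the certifications and the trust level assigned by hand to the user's own key are constructed for the example; real implementations add owner trust, marginal certification and expiry, none of which is modelled here.

```python
"""Toy evaluation of OpenPGP-style trust signatures (added example, not PGP's own code).

Model (a simplification of the trust-signature rules): a key K holds a trust level L(K).
A certification (signer -> subject, level n) is accepted when the signer is valid, not
revoked, and L(signer) > n, i.e. the signer is trusted to issue level-n signatures. An
accepted certification makes the subject valid with L(subject) >= n. Level 0 means
"valid, but not trusted to certify anyone"; level 1 means "may issue level-0 signatures"
(a CA); level 2 means "may make other keys CAs".
"""

# Constructed sample data: (signer, subject, level of the trust signature).
CERTS = [
    ("me", "root-ca", 2),       # I trust root-ca to create other CAs
    ("root-ca", "dept-ca", 1),  # dept-ca may certify end-user keys
    ("dept-ca", "alice", 0),    # ordinary certification of alice's key
    ("alice", "bob", 0),        # alice holds level 0: not trusted to certify, rejected
    ("root-ca", "carol", 0),    # carol is valid, but not a CA
    ("carol", "dave", 0),       # carol is not trusted to certify: rejected
    ("dept-ca", "eve-ca", 1),   # dept-ca may only issue level 0: rejected
]

def evaluate_trust(own_key, own_level, certs, revoked=frozenset()):
    """Return {key: trust level} for every key made valid by accepted certifications.

    own_key is the user's own key; its level is assigned by hand (3 here means it may
    issue level-2 signatures). Iterates to a fixpoint, so certification order is irrelevant.
    """
    levels = {own_key: own_level}
    changed = True
    while changed:
        changed = False
        for signer, subject, level in certs:
            if signer in revoked or subject in revoked:
                continue                        # revoked keys neither certify nor become valid
            if signer not in levels or levels[signer] <= level:
                continue                        # signer unknown, or not trusted at this level
            if levels.get(subject, -1) < level:
                levels[subject] = level
                changed = True
    return levels

def is_valid(key, own_key, own_level, certs, revoked=frozenset()):
    """A key is valid when some accepted chain of certifications reaches it."""
    return key in evaluate_trust(own_key, own_level, certs, revoked)

if __name__ == "__main__":
    for revoked in (frozenset(), frozenset({"dept-ca"})):
        print("revoked:", set(revoked) or "none", "->", evaluate_trust("me", 3, CERTS, revoked))
```

Revoking dept-ca illustrates the revocation point of the paragraph above: alice, whose only certification came from dept-ca, stops being valid, while carol, certified directly by root-ca, is unaffected.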

Security

When used properly, PGP is believed to be capable of very high security. It is widely believed within the cryptographic community that, if anyone, only government agencies such as the NSA might be capable of directly breaking properly produced, PGP-protected messages. However, to the best of publicly available information there is no known method for any entity to break PGP by cryptographic, computational means, regardless of the version employed. In 1996 the cryptographer Bruce Schneier characterized an early version as being "the closest you're likely to get to military-grade encryption" (Applied Cryptography, 2nd ed., p. 587). In contrast to security systems and protocols like SSL, which only protect data in transit over a network, PGP can also be used to protect data in long-term storage such as disk files. Some products derived from PGP have streamlined such uses of the PGP security design, largely developed by Network Associates while it controlled PGP. Like all cryptographic systems and software, the security of PGP can be lost through misuse or through indirect attacks which avoid hard cryptanalysis. In one case the FBI obtained a court order permitting the secret installation of keystroke logging software on a suspect's computer; when they harvested the information they recovered his PGP passphrase and thereby gained access, by way of his PGP private key, to all his protected files and emails. He was subsequently tried and convicted.


Leaving aside such attacks, the cryptographic security of PGP depends on the assumption that the algorithms it uses are unbreakable by direct cryptanalysis with current equipment and techniques. For instance, in the original version of PGP the RSA algorithm was used to encrypt session keys; RSA's security depends on the (generally presumed) one-way nature of integer multiplication, that is, on the difficulty of integer factoring. Currently unknown factorization techniques therefore have the potential to make breaking RSA easier than it is now, or perhaps even trivially easy. Likewise the secret key algorithm originally used in PGP was IDEA, which might at some future time be found to have a previously unsuspected cryptanalytic flaw. Specific instances of PGP or IDEA insecurities, if they exist, are not publicly known. As current versions of PGP have added further encryption algorithms, the degree of their cryptographic vulnerability varies. Clearly, since the NSA, GCHQ and similar organizations do not discuss the state of their cryptanalytic knowledge, there is a publicly unknown chance that one or more of them has discovered something which allows them to decrypt some PGP messages without access to the relevant private key. But this is true of every cryptographic system of any design and from any source, not just PGP. Since PGP now permits the use of several algorithms, current PGP messages are not equally susceptible to any potential breakthrough against the original algorithms. However, there has been some speculation that the first released PGP version (using the RSA and IDEA algorithms) might have been broken. PGP's author, Phil Zimmermann, was criminally investigated for three years by the U.S. Government for having violated munitions control regulations in connection with the availability of PGP outside the US and Canada. The investigation was abruptly dropped. Zimmermann has publicly stated that the investigation might have been dropped because the U.S. government had found a way to break PGP messages of that period.

On balance, it should be understood from the above discussion that the only currently credible entities with any credible chance of breaking PGP messages have access to government-level resources. The security of PGP encryption against direct cryptanalytic attack by anyone else is almost certainly quite strong. For more details please visit www.pgp.com

7.3 Others

Examples of other protocols using asymmetric key algorithms include:

IKE
SSH
Secure Socket Layer, now implemented as an IETF standard, TLS
SILC


Appendix A Mathematical concepts

The purpose of this Appendix is to give a brief description of some of the mathematical concepts mentioned in this document. For a more thorough treatment of modular arithmetic and basic number theory, consult any undergraduate textbook on elementary number theory or abstract algebra. For more details on analysis and the theory of limits, consult any undergraduate textbook on analysis.

A.1 Functions

A function $f$ from a set $A$ to a set $B$ assigns to each element $a$ in $A$ a unique element $b$ in $B$. For each element $a \in A$, the element of $B$ assigned to $a$ by $f$ is denoted $f(a)$; we say that $a$ is mapped to $f(a)$. The notation $f : A \to B$ means that $f$ is a function from $A$ to $B$.

Example. Consider the set $\mathbb{Z}$ of integers. We may define a function $f : \mathbb{Z} \to \mathbb{Z}$ such that $f(x) = x^2$ for each $x \in \mathbb{Z}$. For example, $f(5) = 25$.

Let $f : A \to B$ and $g : B \to C$ be functions. The composition $g \circ f$ of $g$ and $f$ is the function $h : A \to C$ defined as $h(a) = g(f(a))$ for each $a \in A$. Note, however, that $f \circ g$ does not make sense unless $A = C$.

Example. Let $\mathbb{N}$ be the set of nonnegative integers. With $f : \mathbb{Z} \to \mathbb{N}$ defined as $f(x) = x^2$ and $g : \mathbb{N} \to \mathbb{Z}$ defined as $g(y) = y - y^2$, we obtain that $g \circ f : \mathbb{Z} \to \mathbb{Z}$ is the function $h$ defined as

$$h(x) = g(x^2) = x^2 - x^4.$$

A function $f : A \to B$ is one-to-one or injective if $f(a) = f(a')$ implies that $a = a'$, that is, no two elements in $A$ are mapped to the same element in $B$. The function $f$ is onto or surjective if, for each $b \in B$, there exists an element $a \in A$ such that $f(a) = b$. Finally, $f$ is bijective if $f$ is both one-to-one and onto. Given a bijective function $f : A \to B$, the inverse $f^{-1}$ of $f$ is the unique function $g : B \to A$ with the property that $g \circ f(a) = a$ for all $a \in A$. A bijective function $f : A \to A$ is a permutation of the set $A$. For any subset $S$ of $A$, $f(S)$ is the set of elements $b$ such that $f(a) = b$ for some $a \in S$. Note that $f$ being surjective means that $f(A) = B$. The restriction of $f$ to a subset $S$ of $A$ is the function $f_S : S \to B$ defined as $f_S(s) = f(s)$ for all $s \in S$.


Examples. The function $f : \mathbb{Z} \to \mathbb{Z}$ defined as $f(x) = x^3$ is injective, because $x^3 = y^3$ implies that $x = y$. However, $f$ is not surjective; for example, there is no $x$ such that $f(x) = 2$. Let $|x|$ be the absolute value of $x \in \mathbb{Z}$ (for example, $|-5| = |5| = 5$). The function $g : \mathbb{Z} \to \mathbb{N}$ defined as $g(x) = |x|$ is surjective but not injective: for every $x$, the elements $x$ and $-x$ are mapped to the same element $|x|$. However, the restriction of $g$ to $\mathbb{N}$ is injective and surjective, hence bijective. If $A$ and $B$ are finite sets of the same size, then a function $f : A \to B$ is injective if and only if $f$ is surjective.

A.2 Modular arithmetic

Given integers $a$, $b$ and $n$ with $n > 0$, we say that $a$ and $b$ are congruent modulo $n$ if $a - b$ is divisible by $n$, that is, if $(a - b)/n$ is an integer. We write $a \equiv b \pmod n$ if $a$ and $b$ are congruent modulo $n$. Let $a$, $b$, $c$ and $d$ be integers such that $a \equiv c \pmod n$ and $b \equiv d \pmod n$. It is not difficult to prove that

$$a + b \equiv c + d \pmod n \qquad (1)$$

and

$$ab \equiv cd \pmod n. \qquad (2)$$

Given a fixed integer $n > 0$, called the modulus, we may form congruence classes of integers modulo $n$. Each congruence class is formally a set of the form $[a] := a + n\mathbb{Z} = \{\ldots, a-2n, a-n, a, a+n, a+2n, \ldots\}$. By (1) and (2), addition and multiplication of congruence classes are well defined. More precisely, we define $[a] + [b] = [a+b]$ and $[a] \cdot [b] = [ab]$. It is convenient to identify the element $[a]$ with the smallest nonnegative integer $a'$ such that $a \equiv a' \pmod n$. This number $a'$ will be denoted $a \bmod n$. For example, $13 \bmod 5 = 3$. Let $\mathbb{Z}_n$ denote the set of congruence classes modulo $n$. For example, $\mathbb{Z}_5 = \{0, 1, 2, 3, 4\}$.

The greatest common divisor (gcd) of two integers $m$ and $n$ is the greatest positive integer $d$ such that $d$ divides both $m$ and $n$. For example, $\gcd(91, 52) = 13$. Bézout's identity (whose coefficients are produced by the extended Euclidean algorithm) states that if $\gcd(m, n) = d$, then there are integers $r$ and $s$ such that $mr + ns = d$. In particular, the equation

$$mx \equiv b \pmod n \quad\Leftrightarrow\quad mx = b \text{ (in } \mathbb{Z}_n) \qquad (3)$$

has a solution $x$ if and only if $b$ is divisible by $d$. Let $\mathbb{Z}_n^*$ be the set of integers (congruence classes modulo $n$) $k \in \{1, \ldots, n-1\}$ with the property that $\gcd(k, n) = 1$. For example, $\mathbb{Z}_{12}^* = \{1, 5, 7, 11\}$.
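The extended Euclidean algorithm, Bézout's identity and the solvability criterion (3), worked in Python as an added example; the function names are mine and nothing in the block comes from the original report. solve_congruence goes slightly beyond the text: when $\gcd(m, n) = d$ divides $b$ it returns all $d$ solutions in $\mathbb{Z}_n$, not just one.

```python
"""Modular arithmetic of Section A.2 (added example; the function names are mine).

egcd implements the extended Euclidean algorithm, whose output is Bezout's identity
m*r + n*s = gcd(m, n). solve_congruence applies criterion (3): m*x = b (mod n) is
solvable iff gcd(m, n) divides b, and then has exactly gcd(m, n) solutions in Z_n.
"""

def egcd(m, n):
    """Return (d, r, s) with d = gcd(m, n) and m*r + n*s = d, for m, n >= 0."""
    r0, r1 = m, n
    s0, s1 = 1, 0   # running coefficients of m
    t0, t1 = 0, 1   # running coefficients of n
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return r0, s0, t0

def mod_inverse(a, n):
    """Inverse of a in Z_n^*; raises ValueError when gcd(a, n) != 1, since no inverse exists then."""
    d, r, _ = egcd(a % n, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd is {d}")
    return r % n

def solve_congruence(m, b, n):
    """All x in Z_n with m*x = b (mod n), per (3); empty list if gcd(m, n) does not divide b."""
    d, r, _ = egcd(m % n, n)
    if b % d:
        return []
    x0 = (r * (b // d)) % (n // d)                  # m*r = d (mod n), so m*(r*b/d) = b (mod n)
    return [x0 + k * (n // d) for k in range(d)]    # the d solutions, spaced n/d apart

def units(n):
    """Z_n^*: the classes k in {1, ..., n-1} with gcd(k, n) = 1."""
    return [k for k in range(1, n) if egcd(k, n)[0] == 1]

if __name__ == "__main__":
    d, r, s = egcd(91, 52)
    print(f"gcd(91, 52) = {d} = 91*({r}) + 52*({s})")
    print("6x = 4 (mod 8):", solve_congruence(6, 4, 8), " 6x = 3 (mod 8):", solve_congruence(6, 3, 8))
    print("Z_12^* =", units(12), " 7^-1 mod 12 =", mod_inverse(7, 12))
```

For $6x \equiv 4 \pmod 8$ the gcd is $2$, which divides $4$, so there are two solutions ($2$ and $6$); for $6x \equiv 3 \pmod 8$ there are none, exactly as (3) predicts.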

A.3 Groups

Consider a prime number $p$. The procedures of adding elements in $\mathbb{Z}_p$ and multiplying elements in $\mathbb{Z}_p^*$ share certain properties. Both operations are associative, that is, $a + (b + c) = (a + b) + c$ and $a(bc) = (ab)c$. There is an additive identity $0$ with the property that $0 + a = a + 0 = a$ for all $a$; the corresponding multiplicative identity is the element $1$, with $1 \cdot a = a \cdot 1 = a$. For each $a \in \mathbb{Z}_p$ there is a $b$ such that $a + b = 0$; namely, $b = -a$ has this property. By (3) in Section A.2, the equation $ax = 1$ has a solution $x := a^{-1}$ for each $a \in \mathbb{Z}_p^*$, since $p$ is prime and therefore $\gcd(a, p) = 1$. The elements $-a$ and $a^{-1}$ are the additive and multiplicative inverses of $a$, respectively.

Structures with these three properties have turned out to be of such great importance that they have a name: they are called groups. Formally, a group consists of a set $G$ (finite or infinite) together with a binary operation $* : G \times G \to G$ called (group) multiplication. Note that "$* : G \times G \to G$" means that $G$ is closed under multiplication, that is, the product $a * b$ is in $G$ for any two elements $a, b$ in $G$. A group must satisfy the following axioms:

The operation $*$ is associative, that is, $a * (b * c) = (a * b) * c$ for any $a, b, c \in G$.
There exists an identity element $e \in G$ such that $a * e = e * a = a$ for each element $a \in G$.
Each element $a \in G$ has an inverse $b \in G$ satisfying $a * b = b * a = e$.

If, in addition, multiplication in $G$ is commutative, that is, $a * b = b * a$ for any two elements $a, b \in G$, then the group is abelian. A group is usually identified with its underlying set, unless the group operation is not clear from context. From now on we suppress the group operation $*$ and simply write $ab$ instead of $a * b$. For $n \ge 1$, $g^n$ means multiplication of $g$ with itself $n$ times (for example, $g^3 = ggg$), $g^{-n}$ is the inverse of $g^n$, and $g^0$ is the identity element. Note that $g^a g^b = g^{a+b}$ for all integers $a, b$. A subgroup $H$ of a group $G$ is a subset $H$ of $G$ that is itself a group under the operation of $G$. Any subset $S$ of $G$ generates a subgroup $\langle S \rangle$ of $G$ consisting of all elements of the form $s_1^{a_1} \cdots s_n^{a_n}$, where $s_1, \ldots, s_n$ are (not necessarily distinct) elements of $S$ and $a_1, \ldots, a_n$ are (not necessarily positive) integers. If $G = \langle g \rangle$ for some $g \in G$, then $G$ is cyclic with generator $g$. This means that every element of $G$ is of the form $g^k$ for some integer $k$. All cyclic groups are abelian.

Examples. The set $\mathbb{Z}$ of integers is a cyclic group under addition with generator $1$. However, the set of nonzero integers is not a group under multiplication: for $a \ne \pm 1$ there is no integer $b$ such that $ab = 1$. The sets $\mathbb{Q}$, $\mathbb{R}$ and $\mathbb{C}$ of rational, real and complex numbers are all abelian groups under addition. Moreover, $\mathbb{Q}^*$, $\mathbb{R}^*$ and $\mathbb{C}^*$ (the above sets with $0$ removed) are all abelian groups under multiplication; the inverse of a number $x$ is $1/x$. The set $\mathbb{Z}_n$ is a cyclic group under addition. If $n = ab$ is a composite number with $a, b > 1$, then the set $\{1, \ldots, n-1\}$ is not a group under multiplication modulo $n$: the product of $a$ and $b$ is equal to $0$ modulo $n$, so the set is not even closed under multiplication. However, the subset $\mathbb{Z}_n^*$ is a group under multiplication. If $p$ is a prime, then $\mathbb{Z}_p^*$ is a cyclic group of order $p - 1$. The set $\mathbb{Z}$ under subtraction is not a group, because subtraction is not associative: $a - (b - c) \ne (a - b) - c$ unless $c = 0$. For a given set $A$, the set $S_A$ of permutations (bijective functions) $\pi : A \to A$ is a group under composition $\circ$. For example, composition is associative, because $\pi \circ (\rho \circ \sigma)(a) = \pi(\rho(\sigma(a))) = (\pi \circ \rho) \circ \sigma(a)$. However, unless $A$ consists of at most two elements, $S_A$ is not abelian. For example, with $A = \mathbb{Z}_3$, $\pi(a) = a + 1$ and $\sigma(a) = 2a$, we have $\pi \circ \sigma(0) = \pi(\sigma(0)) = \pi(0) = 1 \ne 2 = \sigma(1) = \sigma(\pi(0)) = \sigma \circ \pi(0)$.
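The group facts of this section ($\mathbb{Z}_p^*$ cyclic of order $p - 1$, non-closure of $\{1, \ldots, n-1\}$ under multiplication for composite $n$, and non-commutativity of $S_A$ for $|A| > 2$), checked in Python as an added example; the function names are mine, the permutations $\pi$ and $\sigma$ are the ones from the text, encoded as tuples of images.

```python
"""Finite groups of Section A.3 (added example; the function names are mine).

Works in Z_p^* under multiplication modulo p and in the permutation group S_A of the
text, and checks the claims made there: Z_p^* is cyclic of order p-1, {1, ..., n-1}
is not closed under multiplication when n is composite, and S_A is not abelian once
A has more than two elements.
"""
from math import gcd

def element_order(g, n):
    """Smallest k >= 1 with g^k = 1 in Z_n^*, i.e. the size of the subgroup <g>."""
    if gcd(g, n) != 1:
        raise ValueError(f"{g} is not in Z_{n}^*")
    k, x = 1, g % n
    while x != 1:
        x = (x * g) % n
        k += 1
    return k

def cyclic_subgroup(g, n):
    """<g> = {g^k : k integer} inside Z_n^*, as a sorted list."""
    elems, x = [], 1
    for _ in range(element_order(g, n)):
        elems.append(x)
        x = (x * g) % n
    return sorted(elems)

def generators(p):
    """Generators of Z_p^* for prime p: the elements whose order is p-1."""
    return [g for g in range(1, p) if element_order(g, p) == p - 1]

def is_closed_under_mult(n):
    """Is {1, ..., n-1} closed under multiplication mod n? False exactly when n is composite."""
    return all((a * b) % n != 0 for a in range(1, n) for b in range(1, n))

# A permutation of A = Z_m is encoded as the tuple (f(0), ..., f(m-1)).
def compose(p, s):
    """(p o s)(a) = p(s(a))."""
    return tuple(p[s[a]] for a in range(len(s)))

def commute(p, s):
    return compose(p, s) == compose(s, p)

PI = tuple((a + 1) % 3 for a in range(3))     # pi(a) = a + 1 on Z_3, i.e. (1, 2, 0)
SIGMA = tuple((2 * a) % 3 for a in range(3))  # sigma(a) = 2a on Z_3, i.e. (0, 2, 1)

if __name__ == "__main__":
    print("generators of Z_7^*:", generators(7), " <2> =", cyclic_subgroup(2, 7))
    print("{1..5} closed under multiplication mod 6?", is_closed_under_mult(6))
    print("pi o sigma =", compose(PI, SIGMA), " sigma o pi =", compose(SIGMA, PI))
```

In $\mathbb{Z}_7^*$ only $3$ and $5$ generate the whole group; $2$ generates the proper subgroup $\{1, 2, 4\}$ of order $3$, and every element order divides $6 = p - 1$, as Lagrange's theorem requires.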

A.4 Fields and rings

One interesting observation from the examples in the previous section is that each of the sets $\mathbb{Z}_p$, $\mathbb{R}$, $\mathbb{Q}$ and $\mathbb{C}$ carries two different abelian group structures: the set itself under addition, and the set of nonzero elements under multiplication. Structures with this property, together with an axiom about multiplication "distributing" over addition, are called fields. Formally, a field consists of a set $F$ together with two operations $+ : F \times F \to F$ and $\cdot : F \times F \to F$, called addition and multiplication respectively, such that the following axioms are satisfied:

(F1) $F$ forms an abelian group under addition.
(F2) $F \setminus \{0\}$ forms an abelian group under multiplication, where $0$ is the identity of the additive group $\langle F, + \rangle$.
(F3) Multiplication distributes over addition, that is, $a \cdot (b + c) = a \cdot b + a \cdot c$.

For an integer $n$ and a field element $x$, $n \cdot x$ denotes the element obtained by adding $x$ to itself $n$ times; for example, $3 \cdot x = x + x + x$. The characteristic of a field is the smallest positive integer $p$ such that $p \cdot 1 = 0$. If no such $p$ exists, the characteristic of the field is defined to be $0$. The characteristic of a field is either a prime number or $0$. If the characteristic of a field is $0$, then the field is infinite; a field with nonzero characteristic, however, may be either finite or infinite.

Examples. The fields $\mathbb{Q}$, $\mathbb{R}$ and $\mathbb{C}$ of rational, real and complex numbers are fields of characteristic $0$. The finite field $\mathbb{Z}_p$ is a field of characteristic $p$. The number of elements in a finite field must be a power of a prime. A classification theorem for finite fields states that there is exactly one finite field (up to isomorphism) of size $q$ for each prime power $q$. Thus it makes sense to talk about the field with $q$ elements, traditionally denoted $GF(q)$ (GF = Galois field) or $\mathbb{F}_q$.

A ring $R$ satisfies axioms (F1) and (F3), but instead of (F2) multiplication in $R$ is only required to be associative. If multiplication is commutative, the ring is commutative. A nonzero element $a$ in a ring is a zero divisor if there is a nonzero element $b$ such that $ab = 0$. There are two main classes of commutative rings: rings with no zero divisors, such as all fields and the ring $\mathbb{Z}$ of integers, and rings with zero divisors; the ring $\mathbb{Z}_n$ contains zero divisors if and only if $n$ is composite. A polynomial over a ring $R$ is a function $f : R \to R$ of the form $f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_n x^n$, where $a_0, \ldots, a_n$ are elements of the ring. A root of a polynomial is an element $r$ such that $f(r) = 0$.


Appendix B Glossary

Sr.No. Keyword: Description

1. ATM: automatic teller machine.
2. abelian group: an abstract group with a commutative binary operation.
3. adaptive chosen ciphertext attack: a version of the chosen-ciphertext attack where the cryptanalyst can choose ciphertexts dynamically. A cryptanalyst can mount an attack of this type in a scenario in which he or she has free use of a piece of decryption hardware, but is unable to extract the decryption key from it.
4. AES: the Advanced Encryption Standard, which replaced DES (the Data Encryption Standard) as the US federal standard in 2001.
5. API: Application Programming Interface.
6. Apple Mail: an email program made by Apple Computer and included in Mac OS X.
7. ASCII: American Standard Code for Information Interchange.
8. ASCII armor: a term used to describe an encoding process in which data in binary format is transformed into a textual format.
9. asymmetric key algorithms: public key cryptography algorithms such as RSA and DSA.
10. attacker: a malicious entity whose aim is to prevent the users of the cryptosystem from achieving their goal.
11. authentication: the action of verifying information such as identity, ownership or authorization.
12. bilinear map: a mathematical function of several vector variables that is linear in each variable.
13. biometric: the science of using biological properties to identify individuals; for example, fingerprints, a retina scan and voice recognition.
14. blind credential: a token asserting that someone qualifies under some criteria or has some status or right, without revealing who that person is (without including their name or address, for instance). It is used in maintaining medical privacy and increasingly for consumer privacy.
15. blind signature scheme: allows one party to have a second party sign a message without revealing any (or very little) information about the message to the second party.
16. block cipher: a symmetric cipher which encrypts a message by breaking it down into blocks and encrypting each block.
17. Blowfish: a keyed, symmetric block cipher.
18. Bluetooth: an industrial specification for wireless personal area networks (PANs).
19. bogus: something that is useless, bad or fake.
20. CAST5: a block cipher used in a number of products.
21. certificate authority: a person or organization that creates certificates.
22. challenge-response authentication: a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated.
23. Chinese Remainder Theorem: a theorem of abstract algebra and number theory. For details, see any textbook on number theory.
24. chosen plaintext attack: a form of cryptanalysis where the cryptanalyst may choose the plaintext to be encrypted.
25. cipher: an encryption-decryption algorithm.
26. ciphertext: encrypted data.
27. classic cryptography: the cryptography in which classical ciphers were used.
28. classical ciphers: a type of cipher used historically which has now fallen, for the most part, into disuse.
29. Clifford Cocks: a British mathematician and cryptographer at GCHQ who, in 1973, independently invented the encryption algorithm now commonly known as RSA.
30. code: a method used to transform a message into an obscured form.
31. codebook: a document used for implementing a code.
32. computer security: a field of computer science concerned with the control of risks related to computer use.
33. coprime: the integers a and b are said to be coprime or relatively prime if they have no common factor other than 1 and -1, or equivalently, if their greatest common divisor is 1.
34. Cramer-Shoup system: an asymmetric key encryption algorithm for public key cryptography.
35. cryptanalysis: the art and science of breaking encryption or any form of cryptography. See attack.
36. cryptographic hash function: a hash function with certain additional security properties that make it suitable for use as a primitive in various information security applications.
37. cryptographic key: a piece of information that controls the operation of a cryptographic algorithm.
38. cryptographic privacy: privacy can be seen as an aspect of security.
39. cryptographic protocol: an abstract or concrete protocol that performs a security-related function and applies cryptographic methods.
40. cryptography: the art and science of using mathematics to secure information and create a high degree of trust in the electronic realm.
41. cyclic group: a group that can be generated by a single element, in the sense that the group has an element a (called a "generator" of the group) such that, when written multiplicatively, every element of the group is a power of a (or a multiple na when the notation is additive).
42. Decisional Diffie-Hellman (DDH) assumption: the assumption that a certain computational problem within a cyclic group is hard.
43. DES: Data Encryption Standard, a block cipher developed by IBM and the U.S. government in the 1970s as an official standard.
44. deterministic encryption: an encryption scheme that always produces the same ciphertext for a given plaintext and key.
45. DH-EKE: Diffie-Hellman Encrypted Key Exchange.
46. Diffie-Hellman key exchange: a key exchange protocol allowing the participants to agree on a key over an insecure channel.
47. Diffie-Hellman problem: an open problem in number theory introduced by Whitfield Diffie and Martin Hellman, with implications for modern cryptography.
48. digital cash: electronic money.
49. digital certificate: a certificate which uses a digital signature.
50. digital envelope: a key exchange protocol that uses a public-key cryptosystem to encrypt a secret key for a secret-key cryptosystem.
51. digital signature: a value computed from a message digest with the signer's private key (in RSA, by "encrypting" the digest) and checkable with the corresponding public key.
52. digitally signed: see digital signature.
53. digitally signed contract: a contract that is digitally signed.
54. discrete logarithm: given two elements d, g in a group such that there is an integer r satisfying g^r = d, r is called the discrete logarithm of d in the "base" g.
55. discrete logarithm problem: the problem of finding r such that g^r = d, where d and g are elements in a given group. For some groups the discrete logarithm problem is a hard problem used in public-key cryptography.
56. distributing keys: a key that is split up into many parts and shared (distributed) among different participants. See also secret sharing.
57. DNA: deoxyribonucleic acid, a nucleic acid that contains the genetic instructions specifying the biological development of all cellular forms of life.
58. EasyByte Cryptocx: Cryptocx v6 is a fully OpenPGP-compatible encryption component.
59. ECDSA: elliptic curve digital signature algorithm.
60. ECElGamal: elliptic curve ElGamal.
61. ECMQV: elliptic curve MQV.
62. e-commerce: business transactions conducted over the Internet.
63. electronic signature: often used to mean either a signature imputed to a text via one or more of several electronic means, or cryptographic means to add non-repudiation and message integrity features to a document.
64. ElGamal cryptosystem: an asymmetric key encryption algorithm based on the Diffie-Hellman key agreement.
66. ElGamal signature scheme: a digital signature scheme based on the difficulty of computing discrete logarithms.
67. elliptic curve cryptography (ECC): an approach to public-key cryptography based on the mathematics of elliptic curves.
68. elliptic curve discrete logarithm problem: the problem of finding m such that m·P = Q, where P and Q are two points on an elliptic curve.
69. group: a set together with a binary operation, such as multiplication or addition, satisfying the group axioms (see Appendix A.3).
70. elliptic curve: a plane curve defined by an equation of the form y^2 = x^3 + ax + b.
71. email client: a computer program used to read and send e-mail.
72. encryption: the transformation of plaintext into an apparently less readable form (called ciphertext) through a mathematical process. The ciphertext may be read by anyone who has the key that decrypts (undoes the encryption) the ciphertext.
73. Enigma: a portable cipher machine used to encrypt and decrypt secret messages.
74. Enigmail: a public key encryption extension for versions of the Mozilla Application Suite and Mozilla Thunderbird running on Microsoft Windows or Unix-like operating systems.
75. Eudora: an email client that was once widely used on the Microsoft Windows and Macintosh operating systems.
76 77

Evolution exponentiate

Its user interface and functionality are similar to Microsoft Outlook. is a process generalized from repeated (or iterated) multiplication, in much the same way that multiplication is a process generalized from repeated addition.

Khushdeep Noheria

discrete

is an asymmetric key encryption algorithm for public key cryptography which is based on Diffie-Hellman key agreement. log is an asymmetric key encryption algorithm for public key cryptography.

Page 51

Asymmetric Key Cryptography

WS-2005/06

78. FBI: Federal Bureau of Investigation, a U.S. government law enforcement agency.
79. Fermat factorization: Based on ...
80. Fermat's little theorem: states that if p is a prime number, then for any integer a, a^p ≡ a (mod p).
81. finite field: A mathematical structure consisting of a finite or infinite set F together with two binary operations called addition and multiplication. Typical examples include the set of real numbers, the set of rational numbers, and the set of integers modulo p.
82. FIPS-182-2, change notice 1: Federal Information Processing Standard.
83. Firefox: is a free, cross-platform, graphical web browser developed by the Mozilla Corporation.
84. free software: as defined by the Free Software Foundation, is software which can be used, copied, studied, modified and redistributed without restriction.
85. FreeBSD: is a Unix-like free software operating system.
86. frequency analysis: is the study of the frequency of letters or groups of letters in a ciphertext.
87. Galois field: A field with a finite number of elements. The size of a finite field must be a power of a prime number.
88. GCHQ: The Government Communications Headquarters (GCHQ) is a British intelligence agency.
89. generating element: In abstract algebra, a generating set of a group G is a subset S such that every element of G can be expressed as the product of finitely many elements of S and their inverses.
90. GNOME: GNOME is the official desktop of the GNU Project.
91. GNU General Public License: is a free software license.
92. GNU Privacy Guard: is a free software replacement for the PGP suite of cryptographic software.
93. Hamming weight: of a string is its Hamming distance from the zero string (string consisting of all zeros) of the same length.
94. hash collisions: is a situation that occurs when two distinct inputs into a hash function produce identical outputs.
95. hash function: A function that takes a variable sized input and has a fixed size output.
96. hash value: A hash value (or simply hash), also called a message digest, is a number generated from a string of text.
97. Horde: is a PHP-based Web application framework.
98. HTTPS: HyperText Transfer Protocol (HTTP) is the primary method used to convey information on the World Wide Web.
99. Hushmail: is a free webmail service which offers PGP-encrypted email.
100. IDEA: International Data Encryption Algorithm (IDEA) is a block cipher.
101. identity-based encryption: is a key authentication system in which the public key of a user is some unique information about the identity of the user (e.g. a user's email address).
102. IETF standard: Internet Engineering Task Force (IETF) is charged with developing and promoting Internet standards, in particular, those of the TCP/IP protocol suite.

103. integer factorization: integer factorization problem is the problem of finding a non-trivial divisor of a composite number.
104. Interlock Protocol: is a method to expose a middle-man who might try to compromise two parties that use anonymous key agreement to secure their conversation.
105. Internet Protocol: is a data-oriented protocol used by source and destination hosts for communicating data across a packet-switched internetwork.
106. Internet standards-track: Internet standards evolve through a series of three maturation stages: proposed standard, draft standard, and standard. Collectively, these stages of evolution are known as the standards track.
107. IPsec: (IP security) is a standard for securing Internet Protocol (IP) communications by encrypting and/or authenticating all IP packets.
108. ISAKMP: Internet Security Association and Key Management Protocol.
109. KDE: K Desktop Environment.
110. Key: A string of bits used widely in cryptography, allowing people to encrypt and decrypt data; a key can be used to perform other mathematical operations as well. Given a cipher, a key determines the mapping of the plaintext to the ciphertext.
111. key lengths: Also known as key size.
112. key management: The various processes that deal with the creation, distribution, authentication, and storage of keys.
113. key server: is a computer, typically running special software, which provides cryptographic keys to users or other programs.
114. key size: the key size (alternatively key length) is a measure of the number of possible keys which can be used in a cipher.
115. Key pair: The full key information in a public-key cryptosystem, consisting of the public key and private key.
116. keystroke logger: is a diagnostic used in software development that captures the user's keystrokes.
117. Kmail: is the email client of the KDE Desktop Environment.
118. knapsack problem: A problem that involves selecting a number of objects with given weights from a set, such that the sum of the weights is maximal but less than a pre-specified weight.
119. Legendre symbol: is used in connection with factorization and quadratic residues.
120. Malleable: is a term used in the analyses of cryptographic algorithms.
121. man in the middle (MITM) attack: is an attack in which an attacker is able to read, insert and modify at will messages between two parties without either party knowing that the link between them has been compromised.
122. Merkle's Puzzles: Merkle's Puzzles is an early construction for a public-key cryptosystem.
123. message authentication code: A MAC is a function that takes a variable length input and a key to produce a fixed-length output. See also hash-based MAC, stream-cipher based MAC, and block-cipher based MAC.
124. message digest: A hash function takes a long string (or message) of any length as input and produces a fixed length string as output, sometimes termed a message digest or a digital fingerprint.
125. MIME: Multipurpose Internet Mail Extensions.
126. MIT: Massachusetts Institute of Technology.

127. mobile telephone networks: The mobile phone communicates via a network of base stations which are in turn linked to the conventional telephone network.
128. modular exponentiation: is a type of exponentiation performed over a modulus.
129. Mozilla: is a trademark of the Mozilla Foundation and historically had been used internally as a codename for the Netscape Navigator web browser from its beginning.
130. MQV: (Menezes-Qu-Vanstone) is an authenticated protocol for key agreement based on the Diffie-Hellman scheme.
131. multiplicative group: a group is a set, together with a binary operation, such as multiplication or addition.
132. Mutt: is a text-based email client for Unix-like systems.
133. "need-to-know" principle: Classified information, access to which is restricted by law or regulation to particular classes of people.
134. NetBSD: NetBSD was the second freely redistributable, open source version of the BSD.
135. NIST: National Institute of Standards and Technology, a United States agency that produces security and cryptography related standards (as well as others); these standards are published as FIPS documents.
136. Nonce: means 'for the present time' or 'for a single occasion or purpose'.
137. non-repudiation: A property of a cryptosystem. Non-repudiation cryptosystems are those in which the users cannot deny actions they performed.
138. NP-complete: An NP problem is NP-complete if any other NP problem can be reduced to it in polynomial time.
139. NSA: National Security Agency. A security-conscious U.S. government agency whose mission is to decipher and monitor foreign communications.
140. one-time pad: A secret-key cipher in which the key is a truly random sequence of bits that is as long as the message itself, and encryption is performed by XORing the message with the key. This is theoretically unbreakable.
141. open standard: are publicly available specifications for achieving a specific task.
142. OpenBSD: OpenBSD is a freely available, BSD-based Unix-like operating system.
143. OpenPGP: the PGP design was adopted as an Internet standards-track specification known as OpenPGP.
144. OpenSSL: open source implementation of the SSL and TLS protocols.
145. Optimal Asymmetric Encryption Padding: is a padding scheme often used together with RSA encryption.
146. padding: Extra bits concatenated with a key, password, or plaintext.
147. Parses: parsing is the process of analyzing an input sequence (read from a file or a keyboard, for example) in order to determine its grammatical structure with respect to a given formal grammar.
148. pass phrase: is a sequence of words or other text used to control access to a computer system, program or data.
149. Password-authenticated key agreement: is an interactive method for two or more parties to establish cryptographic keys based on one or more party's knowledge of a password.
150. PGP: is a computer program which provides cryptographic privacy and authentication.

151. PGPfone: is a secure voice system based on the popular PGP encryption package.
152. PKCS: Public Key Cryptography Standards.
153. plaintext: The data to be encrypted.
154. Plugin: is a computer program that can, or must, interact with another program to provide a certain, usually very specific, function.
155. Pohlig-Hellman algorithm: is an algorithm for the computation of discrete logarithms in a multiplicative group whose order is a smooth integer.
156. power associative: is a weak form of associativity.
157. primality tests: is a probabilistic test to determine if a number is composite or probably prime.
158. prime number: Any integer greater than 1 that is divisible only by 1 and itself. The first twelve primes are 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, and 37.
159. primitive: primitive root modulo n is a concept from modular arithmetic in number theory.
160. private key: In public-key cryptography, this key is the secret key. It is primarily used for decryption but is also used for encryption with digital signatures.
161. probabilistic: is an algorithm which is allowed to flip a truly random coin.
162. Probabilistic Signature Scheme: A provably secure way of creating signatures using the RSA algorithm.
163. protocol: A series of steps that two or more parties agree upon to complete a task.
164. public key: In public-key cryptography this key is made public to all; it is primarily used for encryption but can be used for verifying signatures.
165. public key infrastructure: is an arrangement which provides for third-party vetting of, and vouching for, user identities.
166. public-key (asymmetric key) cryptography: Cryptography based on methods involving a public key and a private key.
167. quantum computer: A theoretical computer based on ideas from quantum theory; theoretically it is capable of operating nondeterministically.
168. Rabin systems: is a primality test: an algorithm which determines whether a given number is prime.
169. random number generator: is a computational or physical device designed to generate a sequence of numbers that does not have any easily discernible pattern, so that the sequence can be treated as being random.
170. Repudiation: is the inverse of non-repudiation.
171. Retinal: is a thin layer of cells at the back of the eyeball of vertebrates and some cephalopods.
172. RFC 3156: Request for Comments (RFC), a series of notes about the Internet, started in 1969; each RFC is designated by an RFC number.
173. rotor machines: is an electro-mechanical device used for encrypting and decrypting secret messages.
174. RSA algorithm: A public-key cryptosystem based on the factoring problem. RSA stands for Rivest, Shamir and Adleman, the developers of the RSA public-key cryptosystem and the founders of RSA Data Security (now RSA Security).
175. RSA-PSS: is a signature scheme based on the RSA cryptosystem and provides increased security assurance.

176. S/MIME: Secure Multipurpose Internet Mail Extensions.
177. S/WAN: Secure Wide Area Network.
178. safe prime: A safe prime is a prime number of the form 2p + 1, where p is also a prime.
179. Seahorse: is a GNOME front-end application for managing PGP keys, written by Jacob Perkins.
180. secret key: In secret-key cryptography, this is the key used both for encryption and decryption.
181. security token: a hardware token or cryptographic token is a physical device that an authorized user of computer services is given to aid in authentication.
182. semantically secure: is a widely-used definition for security in an asymmetric key encryption algorithm.
183. session key: A key for symmetric-key cryptosystems which is used for the duration of one message or communication session.
184. SHA-1 hash functions: is a set of related cryptographic hash functions.
185. Shor's algorithm: is a quantum algorithm for factoring a number N in O((log N)^3) time and O(log N) space.
186. SILC: SILC is a protocol which provides secure conferencing services over the Internet.
187. software token: Unlike hardware tokens, software tokens run on your PC or on a separate multi-purpose device.
188. Sophie Germain prime: A prime number p is called a Sophie Germain prime if 2p + 1 is also prime.
189. SPEKE: Simple Password Exponential Key Exchange.
190. spoofing: is also sometimes used to refer to header forgery, the insertion of false or misleading information in email or netnews headers.
191. square-and-multiply algorithm: is an algorithm used for the fast computation of large integer powers of a number x.
192. SRP: Secure Remote Password Protocol.
193. SSL: Secure Socket Layer. A protocol used for secure Internet communications.
194. standard security protocols: is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods.
195. stream ciphers: A secret-key encryption algorithm that operates on a bit at a time.
196. STS: Station-to-Station (STS) protocol is a cryptographic key agreement.
197. Subgroups: A subset H of a group (G,*) which remains a group when the operation * is restricted to H is called a subgroup of G.
198. subset sum problem: A problem where one is given a set of numbers and needs to find a subset that sums to a particular value.
199. substitution ciphers: is a method of encryption by which units of plaintext are substituted with ciphertext.
200. super-encipherment: refers to a situation where an encrypted message is then encrypted again using the same encryption system or a different system. This is also called cascading encryption.
201. symmetric key algorithms: are a class of algorithms for cryptography that use trivially related cryptographic keys for both decryption and encryption.
202. symmetric key cipher: An encryption algorithm in which the same key is used for encryption and decryption.

203. symmetric (secret-key) cryptography: Other names for symmetric-key encryption are single-key and private-key encryption.
204. Telex: A global teleprinter network, called the Telex network.
205. Thunderbird: Thunderbird is a free, cross-platform email and news client developed by the Mozilla Foundation.
206. TLS: Transport Layer Security Protocol.
207. traffic analysis: Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication.
208. transposition ciphers: changes one character from the plaintext to another (to decrypt, the reverse is done).
209. Trapdoor: A one-way function that has an easy-to-compute inverse if you know certain secret information. This secret information is called the trapdoor.
210. Triple DES: is a block cipher formed from the Data Encryption Standard (DES) cipher by using it three times.
211. trusted third party: is an entity which facilitates interactions between two parties who both trust the third party.
212. TWIRL: is a hypothetical hardware device designed to speed up the sieving step of the general number field sieve integer factorization algorithm.
213. two-factor authentication: is any authentication protocol that requires two independent ways to establish identity and privileges.
214. Twofish: is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits.
215. Web of trust: is a concept used in PGP, GnuPG, and other OpenPGP-compatible systems to establish the authenticity of the binding between a public key and a user.
216. web traffic: is the amount of data sent and received by visitors to a web site.
217. Weil pairing: is a construction of roots of unity by means of functions on an elliptic curve.
218. Zimmermann Telegram: was a telegram dispatched by the Foreign Secretary of the German Empire, Arthur Zimmermann.
