RSA Public Key Encryption 1 RSA Public Key Encryption 1 Ivor Page 2 One of the most important methods of providing secrecy and authenti- cation is encryption. Secrecy means the secure transmission of data to a specified recipient (without others being able to read the data) while authentication means that the recipient can be certain of who sent the data. In practice, it is usually possible for unintended others to receive encrypted messages, but it should be extremely time consuming (thou- sands of years in some cases) for unintended recipients to decrypt them. There is no perfect cipher - one that can never be broken - but it is possible to make the task of decrypting messages too costly in time for all practical purposes. 1 A Method for Obtaining Digital Signatures and Public Key Cryptosystems R. L. Rivest, A. Shamir, and L. Adleman. Communications of the ACM, Vol. 21, No. 2, February 1978 2University of Texas at Dallas RSA Public Key Encryption 2 There have been many famous ciphers that have frustrated attempts to crack them, but the digital computer has brought extremely powerful methods to the aid of cryptanalysts. The computer’s ability to enu- merate many possible cracking strategies in a very short time makes the problem of selecting tough ciphers much more difficult. We will study the Public Key Encryption System known as RSA after its in- ventors, Rivest, Shamir and Adleman. The most popular encryption system based on RSA and used by the public is Pretty Good Privacy (PGP). There is a free downloadable version of the software and there are companies that provide key pairs to users of these systems 3. A personal note of caution: You might choose to encrypt all your per- sonal email and data but, if you are sued, the court may ask you to decrypt it. Failure to do so is regarded as withholding evidence. It is better not to create messages that might embarrass you later. 3http://members.aol.com/netnavig/pgp.htm RSA Public Key Encryption 3 DES DES was introduced for use in U.S. unclassified government applica- tions in 1977. Since then it has come under criticism for ease of crack- ing. It uses a single well publicized algorithm for encryption and de- cryption. Secrecy is guarded by a single 56 bit key, known only to the sender and recipient. The algorithm partitions each message into 64 bit blocks and makes use of transpositions of groups of bits within each block and an Excusive OR function between the transposed bit sequence and the key. Many argue that the key length is too short and some hackers have published strategies for cracking DES on WEB sites. For more information on DES, RSA, and many other encryption tech- niques and security matters, consult the text by Dorothy and Robling Denning4. 4Cryptography and Data Security by Dorothy and Robling Denning, Addison Wesley, 1982, Reprinted with corrections, 1983. RSA Public Key Encryption 4 RSA Each agent A that wishes to communicate has two keys, a public key Ap, known to everyone with whom A communicates, and a secret key As,knownonlytoA. A user of an RSA encryption system will generally not memorize these keys. They will be stored in the agents’ computers. This means that physical security, usually implemented via passwords, is at least as important as the encryption system. Someone could maliciously login to As computer and send messages in As name or receive messages that should only be readable by A.Great care must be given to the selection and regular updating of passwords. Many password cracking systems try dictionary words and common names. People often use their dogs’ names or something equally easy to guess, or they leave their passwords written on notes in their desks. Agents also must not leave their computers logged in while they are not present. It takes only a few seconds for an experienced spy to compromise security. RSA Public Key Encryption 5 Secret communication with RSA When A wishes to send a secret message M to B, A uses B’s public key to encrypt the message, C = EBp (M), where C is the ciphertext. Agent B uses B s secret key to decrypt the message, M = DBs (M). Only B can read the message, but anyone possessing A’s public key could have sent it. Agent A Agent B Bp Bs Message M E D M ciphertext C Figure 1: Secret Communication with RSA Here E and D are the encryption and decryption algorithms. For RSA, the encryption and decryption algorithms are identical and are known to everyone, E = D.Wecallsuchsystemssymmetrical. RSA Public Key Encryption 6 Authenticated Communication with RSA When A wants to send a message to B signed by a digital signature, A encrypts the message using A s secret key, C = EAs (M)andB uses A’s public key to decrypt the message, M = EAp (C). Here, only A could have sent the message, but anyone possessing As public key can read the message. Agent A Agent B As Ap Message M E D M ciphertext C Figure 2: Authenticated Communication with RSA The use of RSA for authentication of the sender is often referred to as applying a Digital Signature. A digitally signs the message by encrypting it with As secret key. RSA Public Key Encryption 7 Secret and Authenticated Communication with RSA To incorporate both secrecy and authentication, A encrypts the mes- sage twice, once using As secret key, and once using B’s public key, C = EBp (EAs (M)). B does the symmetrically opposite operations on the ciphertext: M = EAp (EBs (C)). Agent A As Bp Message M E E ciphertext C Figure 3: Secret and Authenticated Communication with RSA RSA Public Key Encryption 8 RSA Encryption Algorithm A pair of integers (e, n) is used in the encryption process, and another pair (d, n) is used to decrypt the message. The value of n is publicly known. We represent message M as an integer between 0 and n − 1. If M is too large, it is broken up into blocks of the above size and each block is encrypted separately. If, for example, n has 128 bits, then any text message could be partitioned into blocks of 16 8 bit characters, and each block represented as an 128 bit binary number in base 2128. Then C = M e mod n To decrypt C, M = Cd mod n RSA Public Key Encryption 9 The numbers of bits in M and C are the same, |C| = |M|. Since e and d are large, more than 100 bits, the computations of M e and Cd might appear to be problematic. Since the blocks of the message M will have the same number of bits as n,raisingM to a large power would appear to require a huge integer with tens of thousands of bits. A result from number theory helps reduce the computational burden considerably: (a b) mod n =[(amodn) (bmodn)] mod n Where is one of {+, −, ∗}. Therefore all the calculations and intermediate results need only be computed mod n, i.e. no more bits than in n. RSA Public Key Encryption 10 The (public) encryption key is the pair (e, n) and the (private) decryp- tion key is the pair (d, n). Each agent has its own pair of keys. The value of n is the product of two large randomly chosen primes of size at least 100 decimal digits, n = pq Then d is chosen to be a large random integer that is coprime to (p − 1)(q − 1) and preferably larger than both p and q. Two integers a, b are coprime if their greatest common divisor is 1, GCD(a, b)=1. GCD(d, (p − 1)(q − 1)) = 1 Then e is computed from p, q,andd to be the multiplicative inverse of d, mod (p − 1)(q − 1): ed mod (p − 1)(q − 1) = 1 RSA Public Key Encryption 11 For the process to work, E(e,n) and E(d,n) must be inverse functions. Proof Euler’s generalization of a theorem by Fermat states that for any integer M coprime to n, M φ(n) mod n =1 where φ(n) is the Euler totient function giving the number of positive integers less than n which are coprime to n.Forprimep, φ(p)=p − 1; φ(n)=φ(pq)=φ(p)φ(q)=(p − 1)(q − 1). The theorem implies that if e and d can be chosen such that, ed mod φ(n)=1 then M e mod n and M d mod n must be inverse functions. If M ∈ [0,n−1] and edmodφ(n) such that GCD(M, n)=1,werequire that: (M e mod n)d mod n = M RSA Public Key Encryption 12 We start with: (M e mod n)d mod n = M ed mod n Now, ed mod φ(n) = 1 implies ed = kφ(n) + 1 for some integer k. Therefore M ed mod n = M kφ(n)+1 mod n = MMkφ(n) mod n = M(M kφ(n) mod n) mod n = M(1) mod n = M since M kφ(n) mod n =1 We have shown that, if ed mod φ(n) = 1 the encryption and decryption algorithms are inverses, as required. Now we show how to choose e and d. Yet another result from number theory states that, if e is coprime to φ(n), then e exists such that ed mod φ(n)=1. RSA Public Key Encryption 13 Any value coprime to φ(n) will do for d.Thene is found by a modified Euclid’s algorithm.