S. Erfani, ECE Dept.

, University of Windsor

0688-558-01 Network Security

Public Key Cryptography

5.1 Introduction Public-key encryption finds use in message authentication and key distribution. In this chapter, we look at motivation for public-key encryption and then examine the most important public-key algorithms, namely, RSA and DiffieHellman. We introduce applications such as digital signatures. Note that if three users, Alice, Bob, and Casey want to exchange information securely, three keys required; call these keys kAB, kAC, kBC. If we add a fourth user, Dana, and establish channels with the other three users, another key is required, one to connect Dana to each of the existing three users. Each time we add a new user to a system of n users , n additional keys are needed. In general, an n-user system requires n x (n-1) / 2 keys. Therefore: a) As the number of users grows, the number of keys increases very rapidly. b) Determining and distributing these keys is a problem. c) Maintaining security for the keys already distributed and inventory them is a serious problem.

Definition 1: Asymmetric Encryption System In this cryptosystem each user has two keys; a public key and a private key. The user publish the public key freely. The keys operate as inverse. Let kub be users public key, and let KRb be the corresponding private key. Then,

P = dkRb (ekUb (P))

That is, a user can decrypt with a private key what someone else has encrypted with the corresponding public key. Futhermore, P = dkUb (ekRb (P)) The public-key cryptosystem is shown in Figure1 (below). There is a source Alice, which produces a message in plaintext, X = [X1, X2, ---, Xn].

September, 2008

S. Erfani, ECE Dept., University of Windsor

0688-558-01 Network Security

Cryptanalyst

^X ^KRb

Source A
Message Source X Encryption Algorithm Y

Destination B
Decryption Algorithm X
Destination

KRb

KUb

Key Pair Source

Figure1: Public Key Cryptosystem

The M elements of X are letters of alphabet. The message is intended for destination Bob. Bob generates a related pair of keys: a public key and a private key, KRb. KRb is known only to Bob, whereas KUb is publicly available and therefore accessible by Alice. With the message X and the encryption key KUb as input, Alice forms the ciphertext Y = [ Y1, Y2, -----, YM] Y=

eKUb (X)

The intended receiver, i.e., Bob, in procession of the matching private key, is able to invert the transformation: X = dKRb ( Y ) An opponent, Oscar, observing Y and having access to KUb but not having access to KRb or X, tries to recover X and/or KRb. It is also assumed that Oscar does have knowledge of the encryption and

September, 2008

S. Erfani, ECE Dept., University of Windsor

0688-558-01 Network Security

decryption algorithms. Thus, Oscar attempts to recover X and KRb by generating estimates X and KRb. 5.2 Authentication Using Public-Key CryptoSystem

We mentioned earlier that either of the two related keys can be used for encryption, with the other being used for decryption. This enables an effective authentication scheme to be implemented as shown in Fig 2 ( on the next page ). In this case Alice prepares a message to Bob and encrypt it using Alices private key before transmitting it : Y=

eKRa (X)

Cryptanalyst ^KRa

Source A
Message Source X Encryption Algorithm Y

Destination B
Decryption Algorithm X
Destination

KUa KRa Key Pair Source

Figure2: Authentication using Public-Key Cryptosystem

September, 2008

S. Erfani, ECE Dept., University of Windsor

0688-558-01 Network Security

Bob can decrypt the message using Alices public key. Because the message was encrypted using Alices private key, only Alice could have prepared the message. Therefore, the entire encrypted message serves as a digital signature. In addition, it is impossible to alter the message without access to Alices private key, so the message is authenticated both in terms of source and in terms of data integrity.

Note 1: A more efficient way of achieving the same results is to encrypt a small block of hits that is a function of the plaintext. Such a block, called an authentication, must have the property that it is infeasible to change the plaintext document without changing the authentication. If the authentication is encrypted with the renders private key, it serves as a signature that verifies origin, content and sequencing. Definition2 Digital Signature The render signs a message with its private key. Signing is achieved by a cryptographic algorithm applied to the message or to a small block of data that is a function of the message. Note 2: As noticed, the authentication process just described does not provide confidentiality. That is, the message being sent is safe from alteration but not from eavesdropping. It is, however, possible to provide both the authentication and confidentiality by a double use of the publickey scheme, as described below. 5.3 Secrecy and Authentication Using Public Key Cryptosystem

As shown in figure 3, in this case, we begin as before by encrypting a message, using the senders private key, KRa: Source A Destination B

X
Message source Encryption Algorithm

Y
Encryption Algorithm

Z
Decryption Algorithm

Y
Decryption Algorithm

X
Message Destination

KRa

KUb

KRb Key Pair Source

September, 2008

S. Erfani, ECE Dept., University of Windsor

0688-558-01 Network Security

Figure 3. Secrecy and Authentication

Key Pair Source

KUa

Y=

eKRa (X)

This provides the digital signature. Next, we encrypt again, using the receivers public key, KUb: Z = eKUb (Y) = eKUb (eKRa (X)) The final ciphertext, Z, can be decrypted only by the intended receiver, who has alone the matching private key KRb and public key of the receiver, KUa: X = dKUa (Y) = dKUa (dKRb (Z)) Thus, confidentiality is provided. The disadvantage of this approach is that the public-key algorithm, which is complex, must be exercised four times than two in each communication. 5.4 Requirements for Public-Key cryptosystem

The cryptosystem shown in figs. 1-3 depends on a cryptographic algorithm based on two related key, Driffine and Hellman postulated system without demonstrating that such algorithms exist. However, they did lay out the conditions that such algorithms must fulfill in their paper published in 1976 as: (1) It should be computationally easy for a party, Bob, to generate a pair (Public Key KUb, Private Key KRb).

September, 2008

S. Erfani, ECE Dept., University of Windsor

0688-558-01 Network Security

(2) It should be computationally easy for a sender Alice, knowing the public key and the message to be encrypted, M, to generate the corresponding ciphertext:
C=

KUb (M)

(3) It is computationally easy for the receiver Bob to decrypt the resulting ciphertext using the private key to recover the original message: M=

dKRb (c) = dKRb (eKUb(M))

(4) it should be computationally infeasible for an opponent, Oscar, knowing the public key, KUb, to determine the private key, KRb. (5) It should be computationally infeasible for an opponent, Oscar, knowing the public key, KUb and a ciphertext, C, to recover the original message, M. We added a 6th requirement that, although useful, is not necessary for all public-key applications: (6) The encryption and decryption function can be applied in either order: M=

eKUb(dKRb (M))

Note 1: The requirements boils down to the need for a trap-door one-way function. A one-way function (not to be confused with one-way hash function!) is one that maps a domain into a range such that every function value has a unique inverse, such that the calculation of the function is infeasible: Y = f (x) X = f-1(Y) easy infeasible

Note 2: Generally, easy is defined to mean a problem that can be solved in polynomial time as a function of input length. Such algorithms belong to the class P. Note 3: In general, we can say a problem is infeasible if the effort to solve it grows faster than polynomial time as s function of input size. Note 4: A trap-door one-way function is a family of invertible function fk(.), such that:

September, 2008

S. Erfani, ECE Dept., University of Windsor

0688-558-01 Network Security

Y = fk(X) X = fk-1(X) X = fk-1(X)

easy, if k and X are known. easy, if k and Y are known. infeasible, if Y is known but k is not known.

Note 5: The development of a practical public-key scheme depends on discovery of a suitable trap-door one-way function.

September, 2008