Engineering College, Ajmer

CHAPTER- 1

INTRODUCTION
RSA is an algorithm for public-key cryptography that is based on the presumed difficulty of factoring large integers, the factoring problem. RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described the algorithm in 1977. Clifford Cocks, an English mathematician, had developed an equivalent system in 1973, but it was classified until 1997. A user of RSA creates and then publishes the product of two large prime numbers, along with an auxiliary value, as their public key. The prime factors must be kept secret. Anyone can use the public key to encrypt a message, but with currently published methods, if the public key is large enough, only someone with knowledge of the prime factors can feasibly decode the message.Whether breaking RSA encryption is as hard as factoring is an open question known as the RSA problem. Cryptography has been in practical use for a very long time. While it may well have been used previously, extant records indicate that the Spartans established the first system of military cryptography. As early as the fifth century B.C., they employed a device called the 'skytale' [which] consists of a staff of wood around which a strip of papyrus or leather or parchment is wrapped close-packed. The secret message is written on the parchment down the length of the staff; the parchment is then unwound and sent on its way. The existence of cryptography from this early a time, proves that there was a need for data security from a very long time. Cryptographic algorithms have been in existence from the time of Shakespeare (as mentioned in Julius Caesar). This is from where the Caesar algorithm gets its name from, wherein, a letter is encrypted by replacing it with a letter relative to its position in the alphabet. With an increase in the need for securing the data, the level of complexity involved to get through to encrypted data also increased. Algorithms with keys to encode and decode the data were developed.

Engineering College, Ajmer

CHAPTER- 2

HISTORY
The RSA algorithm was publicly described in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT; the letters RSA are the initials of their surnames, listed in the same order as on the paper. MIT was granted U.S. Patent 4,405,829 for a "Cryptographic communications system and method" that used the algorithm in 1983. The patent would have expired on September 21, 2000 (the term of patent was 17 years at the time), but the algorithm was released to the public domain by RSA Security on 6 September 2000, two weeks earlier. Since a paper describing the algorithm had been published in August 1977, prior to the December 1977 filing date of the patent application, regulations in much of the rest of the world precluded patents elsewhere and only the US patent was granted. Had Cocks' work been publicly known, a patent in the US might not have been possible, either. From the DWPI's abstract of the patent, The system includes a communications channel coupled to at least one terminal having an encoding device and to at least one terminal having a decoding device. A message-to-be-transferred is enciphered to ciphertext at the encoding terminal by encoding the message as a number M in a predetermined set. That number is then raised to a first predetermined power (associated with the intended receiver) and finally computed. The remainder or residue, C, is... computed when the exponentiated number is divided by the product of two predetermined prime numbers (associated with the intended receiver). Clifford Cocks, an English mathematician working for the UK intelligence agency GCHQ, described an equivalent system in an internal document in 1973, but given the relatively expensive computers needed to implement it at the time, it was mostly considered a curiosity and, as far as is publicly known, was never deployed. His discovery, however, was not revealed until 1998 due to its top-secret classification, and Rivest, Shamir, and Adleman devised RSA independently of Cocks' work.

Engineering College, Ajmer

CHAPTER- 3

OPERATIONS
3.1 Key generation: RSA involves a public key and a private key. The public key can be known to everyone and is used for encrypting messages. Messages encrypted with the public key can only be decrypted in a reasonable amount of time using the private key. The keys for the RSA algorithm are generated the following way: 1. Choose two distinct prime numbers p and q. For security purposes, the integers p and q should be chosen at random, and should be of similar bit-length. Prime integers can be efficiently found using a primality test. 2. Compute n = pq. n is used as the modulus for both the public and private keys. Its length, usually expressed in bits, is the key length. 3.Compute (n) = (p1)(q1), where is Euler's totient function. 4.Choose an integer e such that 1 < e < (n) and greatest common divisor gcd(e, (n)) = 1; i.e., e and (n) are coprime. e is released as the public key exponent. e having a short bit-length and small Hamming weight results in more efficient encryption most commonly 216 + 1 = 65,537. However, much smaller values of e (such as 3) have been shown to be less secure in some settings. 5.Determine d as d e1 (mod (n)), i.e., d is the multiplicative inverse of e (modulo (n)). This is more clearly stated as solve for d given de 1 (mod (n)) This is often computed using the extended Euclidean algorithm. d is kept as the private key exponent.

Engineering College, Ajmer

By construction, de 1 (mod (n)). The public key consists of the modulus n and the public (or encryption) exponent e. The private key consists of the modulus n and the private (or decryption) exponent d, which must be kept secret. p, q, and (n) must also be kept secret because they can be used to calculate d. An alternative, used by PKCS#1, is to choose d matching de 1 (mod ) with = lcm(p1, q1), where lcm is the least common multiple. Using instead of (n) allows more choices for d. can also be defined using the Carmichael function, (n). The ANSI X9.31 standard prescribes, IEEE 1363 describes, and PKCS#1 allows, that p and q match additional requirements: being strong primes, and being different enough that Fermat factorization fails.

3.2 Encryption: Alice transmits her public key (n, e) to Bob and keeps the private key secret. Bob then wishes to send message M to Alice. He first turns M into an integer m, such that 0 m < n by using an agreed-upon reversible protocol known as a padding scheme. He then computes the ciphertext c corresponding to C=M^e mod n. This can be done quickly using the method of exponentiation by squaring. Bob then transmits c to Alice. 3.3 Decryption: Alice can recover m from c by using her private key exponent d via computing M=C^d mod n. Given m, she can recover the original message M by reversing the padding scheme. In encryption and decryption algorithms, we have to compute M^e and C^d respectively. This can be accomplished by an algorithm that can compute

Engineering College, Ajmer

a^b (mod n) and is given belowc0; d1 for i k downto 0 do c 2*c d (d*d) mod n if bi =1 then c c+1 d (d*a) mod n return d The above algorithm computes a^ b mod n. Where k- the no of bits in binary representation of the number b . It means that first we convert the decimal number bInto binary number say b k bk1..............b0

, and apply the above algorithm.

3.4 Attacks against plain RSA: There are a number of attacks against plain RSA as described below.

When encrypting with low encryption exponents (e.g., e = 3) and small values of the m, (i.e., m < n1/e) the result of me is strictly less than the modulus n. In this case, ciphertexts can be easily decrypted by taking the eth root of the ciphertext over the integers.

If the same clear text message is sent to e or more recipients in an encrypted way, and the receivers share the same exponent e, but different p, q, and therefore n, then it is easy to decrypt the original clear text message via the Chinese remainder theorem. Johan Hstad noticed that this attack is possible even if the cleartexts are not equal, but the attacker knows a linear relation between them.This attack was later improved by Don Coppersmith.

Engineering College, Ajmer

Because RSA encryption is a deterministic encryption algorithm (i.e., has no random component) an attacker can successfully launch a chosen plaintext attack against the cryptosystem, by encrypting likely plaintexts under the public key and test if they are equal to the ciphertext. A cryptosystem is called semantically secure if an attacker cannot distinguish two encryptions from each other even if the attacker knows (or has chosen) the corresponding plaintexts. As described above, RSA without padding is not semantically secure.

RSA has the property that the product of two ciphertexts is equal to the encryption of the product of the respective plaintexts. That is m1em2e (m1m2)e (mod n). Because of this multiplicative property a chosen-ciphertext attack is possible. E.g., an attacker, who wants to know the decryption of a ciphertext c me (mod n) may ask the holder of the private key to decrypt an unsuspiciouslooking ciphertext c cre (mod n) for some value r chosen by the attacker. Because of the multiplicative property c is the encryption of mr (mod n). Hence, if the attacker is successful with the attack, he will learn mr (mod n) from which he can derive the message m by multiplying mr with the modular inverse of r modulo n.

3.5 Padding schemes: To avoid these problems, practical RSA implementations typically embed some form of structured, randomized padding into the value m before encrypting it. This padding ensures that m does not fall into the range of insecure plaintexts, and that a given message, once padded, will encrypt to one of a large number of different possible ciphertexts. Standards such as PKCS#1 have been carefully designed to securely pad messages prior to RSA encryption. Because these schemes pad the plaintext m with some number of additional bits, the size of the un-padded message M must be somewhat smaller. RSA padding schemes must be carefully designed so as to prevent sophisticated attacks which may be facilitated by a predictable message structure. Early versions of the PKCS#1 standard (up to version 1.5) used a construction that appears to make RSA semantically secure. However, at Eurocrypt 2000, Coron et al. showed that for some types of messages, this padding does not provide a high enough

Engineering College, Ajmer

level of security. Furthermore, at Crypto 1998, Bleichenbacher show that this version is vulnerable to a practical adaptive chosen ciphertext attack. Later versions of the standard include Optimal Asymmetric Encryption Padding (OAEP), which prevents these attacks. As such, OAEP should be used in any new application, and PKCS#1 v1.5 padding should be replaced wherever possible. The PKCS#1 standard also incorporates processing schemes designed to provide additional security for RSA signatures (e.g., the Probabilistic Signature Scheme for RSA/RSA-PSS). 3.6 Signing messages: Suppose Alice uses Bob's public key to send him an encrypted message. In the message, she can claim to be Alice but Bob has no way of verifying that the message was actually from Alice since anyone can use Bob's public key to send him encrypted messages. In order to verify the origin of a message, RSA can also be used to sign a message. Suppose Alice wishes to send a signed message to Bob. She can use her own private key to do so. She produces a hash value of the message, raises it to the power of d (modulo n) (as she does when decrypting a message), and attaches it as a "signature" to the message. When Bob receives the signed message, he uses the same hash algorithm in conjunction with Alice's public key. He raises the signature to the power of e (modulo n) (as he does when encrypting a message), and compares the resulting hash value with the message's actual hash value. If the two agree, he knows that the author of the message was in possession of Alice's private key, and that the message has not been tampered with since. Secure padding schemes such as RSA-PSS are as essential for the security of message signing as they are for message encryption. Two US patents on PSS were granted (USPTO 6266771 and USPTO 70360140); however, these patents expired on 24 July 2009 and 25 April 2010, respectively. Use of PSS no longer seems to be encumbered by patents. Note that the same RSA key-pair should never be used for both encryption and signing.

Engineering College, Ajmer

CHAPTER- 4

SECURITY AND PRACTICAL CONSIDERATIONS

4.1 Integer factorization and RSA problem: The security of the RSA cryptosystem is based on two mathematical problems: the problem of factoring large numbers and the RSA problem. Full decryption of an RSA ciphertext is thought to be infeasible on the assumption that both of these problems are hard, i.e., no efficient algorithm exists for solving them. Providing security against partial decryption may require the addition of a secure padding scheme. The RSA problem is defined as the task of taking eth roots modulo a composite n: recovering a value m such that c me (mod n), where (n, e) is an RSA public key and c is an RSA ciphertext. Currently the most promising approach to solving the RSA problem is to factor the modulus n. With the ability to recover prime factors, an attacker can compute the secret exponent d from a public key (n, e), then decrypt c using the standard procedure. To accomplish this, an attacker factors n into p and q, and computes (p1)(q1) which allows the determination of d from e. No polynomial-time method for factoring large integers on a classical computer has yet been found, but it has not been proven that none exists. See integer factorization for a discussion of this problem. Rivest, Shamir and Adleman note that Miller has shown that assuming the Extended Riemann Hypothesis (though others call it the Generalized Riemann Hypothesis) finding d from n and e is as hard as factoring n into p and q (up to a polynomial time difference).However, Rivest, Shamir and Adleman note that they have not found a proof that inverting RSA is equally hard as factoring. As of 2010, the largest (known) number factored by a general-purpose factoring algorithm was 768 bits long, using a state-of-the-art distributed implementation. RSA keys are typically 1024 to 2048 bits long. Some experts believe that 1024-bit keys may become breakable in the near future (though this is disputed); few see any way that 4096-bit keys could be broken in the foreseeable future. Therefore, it is generally presumed that RSA is secure if n is sufficiently large. If n is 300 bits or shorter, it can be factored in a few hours on a personal computer, using software already freely available. Keys of 512 bits have been shown to be practically breakable in 1999 when

Engineering College, Ajmer

RSA-155 was factored by using several hundred computers and are now factored in a few weeks using common hardware. Exploits using 512-bit code-signing certificates that may have been factored were reported in 2011. A theoretical hardware device named TWIRL and described by Shamir and Tromer in 2003 called into question the security of 1024 bit keys. It is currently recommended that n be at least 2048 bits long. 4.2 Faulty Key Generation: Finding the large primes p and q is usually done by testing random numbers of the right size with probabilistic primality tests which quickly eliminate virtually all nonprimes. Numbers p and q should not be 'too close', lest the Fermat factorization for n be successful, if pq, for instance is less than 2n1/4 (which for even small 1024-bit values of n is 31077) solving for p and q is trivial. Furthermore, if either p1 or q1 has only small prime factors, n can be factored quickly by Pollard's p1 algorithm, and these values of p or q should therefore be discarded as well. It is important that the private key d be large enough. Michael J. Wiener showed that if p is between q and 2q (which is quite typical) and d < n1/4/3, then d can be computed efficiently from n and e. There is no known attack against small public exponents such as e = 3, provided that proper padding is used. However, when no padding is used, or when the padding is improperly implemented, small public exponents have a greater risk of leading to an attack, such as the unpadded plaintext vulnerability listed above. 65537 is a commonly used value for e. This value can be regarded as a compromise between avoiding potential small exponent attacks and still allowing efficient encryptions (or signature verification). The NIST Special Publication on Computer Security (SP 80078 Rev 1 of August 2007) does not allow public exponents e smaller than 65537, but does not state a reason for this restriction. 4.3 Importance of strong random number generation:

Engineering College, Ajmer

A cryptographically strong random number generator, which has been properly seeded with adequate entropy, must be used to generate the primes p and q. An analysis comparing millions of public keys gathered from the Internet was recently carried out by Lenstra, Hughes, Augier, Bos, Kleinjung, and Wachter. They were able to factor 0.2% of the keys using only Euclid's algorithm.They exploited a weakness unique to cryptosystems based on integer factorization. If n = pq is one public key and n = pq is another, then if by chance p = p, then a simple computation of gcd(n,n) = p factors both n and n, totally compromising both keys. Lenstra et al. note that this problem can be minimized by using a strong random seed of bit-length twice the intended security level, or by employing a deterministic function to choose q given p, instead of choosing p and q independently. Nadia Heninger was part of a group that did a similar experiment. They used an idea of Daniel J. Bernstein to compute the GCD of each RSA key n against the product of all the other keys n they had found (a 729 million digit number), instead of computing each gcd(n,n) separately, thereby achieving a very significant speedup. (After one large division the gcd problem is of normal size.) Heninger says in her blog that the bad keys occurred almost entirely in embedded applications, including "firewalls, routers, VPN devices, remote server administration devices, printers, projectors, and VOIP phones" from over 30 manufactures. Heninger explains that the one-shared-prime problem uncovered by the two groups results from situations where the pseudorandom number generator is poorly seeded initially and then reseeded between the generation of the first and second primes. Using seeds of sufficiently high entropy obtained from key stroke timings or electronic diode noise or atmospheric noise from a radio receiver tuned between stations should solve the problem. Strong random number generation is important throughout every phase of public key cryptography. For instance, if a weak generator is used for the symmetric keys that are being distributed by RSA, then an eavesdropper could bypass the RSA and guess the symmetric keys directly. 4.4 Timing attacks: Kocher described a new attack on RSA in 1995: if the attacker Eve knows Alice's hardware in sufficient detail and is able to measure the decryption times for several known ciphertexts, she can deduce the decryption key d quickly. This attack can also

Engineering College, Ajmer

be applied against the RSA signature scheme. In 2003, Boneh and Brumley demonstrated a more practical attack capable of recovering RSA factorizations over a network connection (e.g., from a Secure Socket Layer (SSL)-enabled webserver) This attack takes advantage of information leaked by the Chinese remainder theorem optimization used by many RSA implementations. One way to thwart these attacks is to ensure that the decryption operation takes a constant amount of time for every ciphertext. However, this approach can significantly reduce performance. Instead, most RSA implementations use an alternate technique known as cryptographic blinding. RSA blinding makes use of the multiplicative property of RSA. Instead of computing cd (mod n), Alice first chooses a secret random value r and computes (rec)d (mod n). The result of this computation after applying Euler's Theorem is rcd (mod n) and so the effect of r can be removed by multiplying by its inverse. A new value of r is chosen for each ciphertext. With blinding applied, the decryption time is no longer correlated to the value of the input ciphertext and so the timing attack fails. 4.5 Adaptive chosen ciphertext attacks: In 1998, Daniel Bleichenbacher described the first practical adaptive chosen ciphertext attack, against RSA-encrypted messages using the PKCS #1 v1 padding scheme (a padding scheme randomizes and adds structure to an RSA-encrypted message, so it is possible to determine whether a decrypted message is valid). Due to flaws with the PKCS #1 scheme, Bleichenbacher was able to mount a practical attack against RSA implementations of the Secure Socket Layer protocol, and to recover session keys. As a result of this work, cryptographers now recommend the use of provably secure padding schemes such as Optimal Asymmetric Encryption Padding, and RSA Laboratories has released new versions of PKCS #1 that are not vulnerable to these attacks. 4.6 Side-channel analysis attacks: A side-channel attack using branch prediction analysis (BPA) has been described. Many processors use a branch predictor to determine whether a conditional branch in the instruction flow of a program is likely to be taken or not. Often these processors also implement simultaneous multithreading (SMT). Branch prediction analysis

Engineering College, Ajmer

attacks use a spy process to discover (statistically) the private key when processed with these processors. Simple Branch Prediction Analysis (SBPA) claims to improve BPA in a nonstatistical way. In their paper, "On the Power of Simple Branch Prediction Analysis",the authors of SBPA (Onur Aciicmez and Cetin Kaya Koc) claim to have discovered 508 out of 512 bits of an RSA key in 10 iterations. A power fault attack on RSA implementations has been described in 2010. The authors recovered the key by varying the CPU power voltage outside limits; this caused multiple power faults on the server.

Engineering College, Ajmer

CHAPTER- 5

PROOFS OF CORRECTNESS
5.1 Proof using Fermat's Little Theorem: The proof of the correctness of RSA is based on Fermat's little theorem. This theorem states that if p is prime and p does not divide an integer a then

We want to show that (me)d m (mod pq) for every integer m when p and q are distinct prime numbers and e and d are positive integers satisfying

We can write

for some nonnegative integer h. To check two numbers, like med and m, are congruent mod pq it suffices (and in fact is equivalent) to check they are congruent mod p and mod q separately. (This is part of the Chinese remainder theorem, although it is not the significant part of that theorem.) To show med m (mod p), we consider two cases: m 0 (mod p) and m 0 (mod p).

In the first case med is a multiple of p, so med 0 m (mod p). In the second case

where we used Fermat's little theorem to replace mp1 mod p with 1. The verification that med m (mod q) proceeds in a similar way, treating separately the cases m 0 (mod q) and m q in the second case. This completes the proof that, for any integer m, 0 (mod q), using Fermat's little theorem for modulus

Engineering College, Ajmer

5.2 Proof using Euler's Theorem: Although the original paper of Rivest, Shamir, and Adleman used Fermat's little theorem to explain why RSA works, it is common to find proofs that rely instead on Euler's theorem. We want to show that med m (mod n), where n = pq is a product of two different prime numbers and e and d are positive integers satisfying ed 1 (mod (n)). Since e and d are positive, we can write ed = 1 + h(n) for some nonnegative integer h. Assuming that m is relatively prime to n, we have

where the last congruence directly follows from Euler's theorem. When m is not relatively prime to n, the argument just given is invalid. This is highly improbable (only a proportion of 1/p + 1/q 1/(pq) numbers have this property), but even in this case the desired congruence is still true. Either m 0 (mod p) or m 0 (mod q), and these cases can be treated using the previous proof.

Engineering College, Ajmer

CHAPTER- 5

RSA ALGORITHM IMPLEMENTATION

#include<stdio.h> #include<string.h> #include<math.h> void main() { char a[]={"0ABCDEFGHIJKLMNOPQRSTUVWXYZ"}; int n,i,j,s,n2,k1,p,q,d,m1,e1,l5,z,p2[30],s1,c[30]; unsigned long int l3,m,l4,k2; double l2,l1,l6; float e,l; char p1[30]; clrscr(); printf("enter two prime numbers p and q\n"); scanf("%d %d",&p,&q); do{ n=p*q; if(n<26) { printf("\n n value is not large enough.\nplease select p, q value such that p*q is greater than 26");

Engineering College, Ajmer

scanf("%d %d",&p,&q);} } while(n<26); z=((p-1)*(q-1)); printf("enter the value of d:\n"); scanf("%d",&d); for(j=1;j<z;j++) { if((j*d)%z==1) break; } e=j; printf("%d %d %f\n",n,z,e); printf("ENCRYPTION-CIPHERTEXT"); printf("enter the plain text\n"); scanf("%s",p1); for(i=0;i<strlen(p1);i++) { for(j=1;j<strlen(a);j++) { if(a[j]==p1[i]) { s=j;

Engineering College, Ajmer

break; } else continue; } printf("%d",s); e1=(int)e; l1=pow(((double)s),((double)e1)); k2=fmod(l1,(double)n); printf("\n%lu\n",k2); c[i]=(int)k2; printf("cipher:%d\n",c[i]); } printf("\n"); for(i=0;i<strlen(p1);i++) { l2=(pow(((double)c[i]),((double)d))); m=fmod(l2,(double)n); m1=(int)m; printf(" %c\n",a[m1]);} getch(); }

Engineering College, Ajmer

RSA Output: Enter two prime numbers p and q 3 11 enter the value of d: 7 33 20 3.000000 ENCRYPTION-CIPHER TEXT enter the plain text SUZANNE 19 28 cipher:28 21 21 cipher:21 26 20 cipher:20 1 1 cipher:1 14 5 cipher:5 14 5 cipher:5 5 26 cipher:26 SUZANNE s

Engineering College, Ajmer

CHAPTER- 5

RSA ENCRYPTION
5.1 Public Key Cryptography: One of the biggest problems in cryptography is the distribution of keys. Suppose you live in the United States and want to pass information secretly to your friend in Europe.If you truly want to keep the information secret, you need to agree on some sort of key that you and he can use to encode/decode messages. But you dont want to keep using the same key, or you will make it easier and easier for others to crack your cipher.But its also a pain to get keys to your friend. If you mail them, they might be stolen. Ifyou send them cryptographically, and someone has broken your code, that person willalso have the next key. If you have to go to Europe regularly to handdeliver the nextkey, that is also expensive. If you hire some courier to deliver the new key, you have totrust the courier, et cetera.

5.1.1 How it works: The distinguishing technique used in public-key cryptography is the use of asymmetric key algorithms, where the key used to encrypt a message is not the same as the key used to decrypt it. Each user has a pair of cryptographic keys a public encryption key and a private decryption key. The publicly available encrypting-key is widely distributed, while the private decrypting-key is known only to the recipient. Messages are encrypted with the recipient's public key, and can be decrypted only with the corresponding private key. The keys are related mathematically, but the parameters are chosen so that determining the private key from the public key is either impossible or prohibitively expensive. The discovery of algorithms that could produce public/private key pairs revolutionized the practice of cryptography, beginning in the mid-1970s. In contrast, symmetric-key algorithms variations of which have been used for thousands of years use a single secret key, which must be shared and kept private by both the sender and the receiver, for both encryption and decryption. To use a symmetric encryption scheme, the sender and receiver must securely share a key in advance.

Engineering College, Ajmer

Because symmetric key algorithms are nearly always much less computationally intensive than asymmetric ones, it is common to exchange a key using a keyexchange algorithm, then transmit data using that key and a symmetric key algorithm. PGP and the SSL/TLS family of schemes use this procedures, and are thus called hybrid cryptosystems. 5.1.2 Description: The two main uses for public-key cryptography are:

Public-key encryption: a message encrypted with a recipient's public key cannot be decrypted by anyone except a possessor of the matching private key it is presumed that this will be the owner of that key and the person associated with the public key used. This is used to attempt to ensure confidentiality.

Digital signatures: a message signed with a sender's private key can be verified by anyone who has access to the sender's public key, thereby proving that the sender had access to the private key and, therefore, is likely to be the person associated with the public key used. This also ensures that the message has not been tampered with (on the question of authenticity, see also message digest).

An analogy to public-key encryption is that of a locked mail box with a mail slot. The mail slot is exposed and accessible to the public its location (the street address) is, in essence, the public key. Anyone knowing the street address can go to the door and drop a written message through the slot. However, only the person who possesses the key can open the mailbox and read the message. An analogy for digital signatures is the sealing of an envelope with a personal wax seal. The message can be opened by anyone, but the presence of the unique seal authenticates the sender. A central problem with the use of public-key cryptography is confidence (ideally, proof) that a particular public key is correct, and belongs to the person or entity claimed (i.e. is "authentic"), and has not been tampered with, or replaced by, a

Engineering College, Ajmer

malicious third party (a "man-in-the-middle"). The usual approach to this problem is to use a public-key infrastructure (PKI), in which one or more third parties known as certificate authorities certify ownership of key pairs. PGP, in addition to being a certificate authority structure, has used a scheme generally called the "web of trust", which decentralizes such authentication of public keys by a central mechanism, and substitutes individual endorsements of the link between user and public key. To date, no fully satisfactory solution to this "public key authentication problem" has been found.

5.1.3 Trap-Door Ciphers: But imagine the following situation. Suppose you have a special method of encoding and decoding that is one way in a sense. Imagine that the encoding is easy to do, but decoding is very difficult. Then anyone in the world can encode a message, but only one person can decode it. Such methods exist, and they are called one way ciphers or trap door ciphers. Heres how they work. For each cipher, there is a key for encoding and a different key for decoding. If you know the key for decoding, it is very easy to make the key for encoding, but it is almost impossible to do the oppositeto start with the encoding key and work out the decoding key. So to communicate with your friend in Europe, each of you has a trap door cipher. You make up a decoding key Da and generate the corresponding encoding key Ea. Your friend does exactly the same thing, but he makes up a decoding key Db and generates the corresponding encoding key Eb. You tell him Ea (but not Da) and he tells you Eb (but not Db). Then you can send him messages by encoding using Eb (which only he can decode) and vice-versahe encodes messages to you using Ea (which only you can decode, since youre the only person with access to Da). Now if you want to change to a new key, it is no big problem. Just make up new pairs and exchange the encoding keys. If the encoding keys are stolen, its not a big deal. The person who steals them can only encode messagesthey cant decode them. In fact, the encoding keys (sometimes called public keys) could just be published in 1 a well-known location. Its like saying, If you want to send me a private message, encode it using this key, and I will be the only person in the world who can read it.

Engineering College, Ajmer

But be sure to keep the decoding key (the private key) secret.

5.1.4 Certification: There is, of couse, a problem with the scheme above. Since the public keys are really public, anyone can forge a message to you. So your enemy can pretend to be your friend and send you a message just like your friend canthey both have access to the public key. Your enemys information can completely mislead you. So how can you be certain that a message that says it is from your friend is really from your friend? Here is one way to do it, assuming that you both have the public and private keys Ea, Eb, Da, and Db as discussed in the previous section. Suppose I wish to send my friend a message that only he can read, but in such a way that he is certain that the message is from me. Heres how to do it. I will take my name, and pretend that it is an encoded message, and decode it using Da. I am the only person who can do this, since I am the only person who knows Da. Then I include that text in the real message I wish to send, and I encode the whole messusing Eb, which only my friend knows how to decode. When he receives it, he will decode it using Db, and he will have a message with an additional piece of what looks to him like junk characters. The junk characters are what I got by decoding my name. So he simply encodes the junk using my public key Ea and makes certain that it is my name. Since I am the only one who knows how to make text that will encode to my name, he knows the message is from me. You can encode any text for certification, and in fact, you should probably change it with each message, but its easy to do. Your message to your friend would look like this:Attack at dawn. Here is my decoding of ABCDEFG: JDLEODK. To assure privacy, for each message, change the ABCDEFG and the corresponding JDLEODK.

5.1.5 Security: Some encryption schemes can be proven secure on the basis of the presumed difficulty of a mathematical problem, such as factoring the product of two large primes or computing discrete logarithms. Note that "secure" here has a precise mathematical meaning, and there are multiple different (meaningful) definitions of

Engineering College, Ajmer

what it means for an encryption scheme to be "secure". The "right" definition depends on the context in which the scheme will be deployed. The most obvious application of a public key encryption system is confidentiality a message that a sender encrypts using the recipient's public key can be decrypted only by the recipient's paired private key. This assumes, of course, that no flaw is discovered in the basic algorithm used. Another type of application in public-key cryptography is that of digital signature schemes. Digital signature schemes can be used for sender authentication and nonrepudiation. In such a scheme, a user who wants to send a message computes a digital signature for this message, and then sends this digital signature (together with the message) to the intended receiver. Digital signature schemes have the property that signatures can be computed only with the knowledge of the correct private key. To verify that a message has been signed by a user and has not been modified, the receiver needs to know only the corresponding public key. In some cases (e.g. RSA), there exist digital signature schemes with many similarities to encryption schemes. In other cases (e.g. DSA), the algorithm does not resemble any encryption scheme. To achieve both authentication and confidentiality, the sender can first sign the message using his private key and then encrypt both the message and the signature using the recipient's public key. These characteristics can be used to construct many other (sometimes surprising) cryptographic protocols and applications, such as digital cash, password-authenticated key agreement, multi-party key agreement, time-stamping services, non-repudiation protocols, etc.

Engineering College, Ajmer

Fig.5.1. Encryption Algorithm

5.2 RSA Encryption: OK, in the previous section we described what is meant by a trap-door cipher, but how do youmake one? One commonly used cipher of this formis called RSA Encryption,where RSA are the initials of the three creators: Rivest, Shamir, and Adleman. It is based on the following idea:It is very simply to multiply numbers together, especially with computers. But it can be very difficult to factor numbers. For example, if I ask you to multiply together 34537 and 99991, it is a simple matter to punch those numbers into a calculator and 3453389167. But the reverse problem is much harder. Suppose I give you the number 1459160519. Ill even tell you that I got it by multiplying together two integers. Can you tell me what they are? This is a very difficult problem. A computer can factor that number fairly quickly, but (although there are some tricks) it basically does it by trying most of the possible combinations. For any size number, the computer has to check something that is of the order of the size of the square-root of the number to be factored. In this case, that square-root is roughly 38000. Now it doesnt take a computer long to try out 38000 possibilities, but what if the number to be factored is not ten digits, but rather 400 digits? The square-root of a number with 400 digits is a number with 200 digits. The lifetime of the universe is

Engineering College, Ajmer

approximately 1018 seconds an 18 digit number. Assuming a computer could test one million factorizations per second, in the lifetime of the universe it could check 1024 possibilities. But for a 400 digit product, there are 10200 possibilties. This means the computer would have to run for 10176 times the life of the universe to factor the large number. It is, however, not too hard to check to see if a number is primein other words to check to see that it cannot be factored. If it is not prime, it is difficult to factor, but if it is prime, it is not hard to show it is prime. So RSA encryption works like this. I will find two huge prime numbers, p and q that have 100 or maybe 200 digits each. I will keep those two numbers secret (they are my private key), and I will multiply them together to make a number N = pq. That number N is basically my public key. It is relatively easy for me to get N; I just need to multiply my two numbers. But if you know N, it is basically impossible for you to find p and q. To get them, you need to factor N, which seems to be an incredibly difficult problem. But exactly how is N used to encode a message, and how are p and q used to decode it? Below is presented a complete example, but I will use tiny prime numbers so it is easy to follow the arithmetic. In a real RSA encryption system, keep in mind that the prime numbers are huge. In the following example, suppose that person A wants to make a public key, and that person B wants to use that key to send A a message. In this example, we will suppose that the message A sends to B is just a number. We assume that A and B have agreed on a method to encode text as numbers. Here are the steps: 1. Person A selects two prime numbers. We will use p = 23 and q = 41 for this example, but keep in mind that the real numbers person A should use should be much larger. 2. Person A multiplies p and q together to get pq = (23)(41) = 943. 943 is the public key, which he tells to person B (and to the rest of the world, if he wishes). 3. Person A also chooses another number e which must be relatively prime to (p 1)(q 1). In this case, (p 1)(q 1) = (22)(40) = 880, so e = 7 is fine. e is also part of the public key, so B also is told the value of e. 4. Now B knows enough to encode a message to A. Suppose, for this example, that the message is the numberM = 35.

Engineering College, Ajmer

5. B calculates the value of C = Me(mod N) = 357(mod 943). 6. 357 = 64339296875 and 64339296875(mod 943) = 545. The number 545 is the encoding that B sends to A. 7. Now A wants to decode 545. To do so, he needs to find a number d such that ed = 1(mod (p 1)(q 1)), or in this case, such that 7d = 1(mod 880). A solution is d = 503, since 7 _ 503 = 3521 = 4(880) + 1 = 1(mod 880). 8. To find the decoding, A must calculate Cd(mod N) = 545503(mod 943). This looks like it will be a horrible calculation, and at first it seems like it is, but notice that 503 = 256+128+64+32+16+4+2+1 (this is just the binary expansion of 503). So this means that 545503 = 545256+128+64+32+16+4+2+1 = 545256545128 5451. But since we only care about the result (mod 943), we can calculate all the partial results in that modulus, and by repeated squaring of 545, we can get all the exponents that are powers of 2. For example, 5452(mod 943) = 545 545 = 297025(mod 943) = 923. Then square again: 5454(mod 943) = (5452)2(mod 943) = 923 923 = 851929(mod 943) = 400, and so on. We obtain the following table: 5451(mod 943) = 545 5452(mod 943) = 923 5454(mod 943) = 400 5458(mod 943) = 633 54516(mod 943) = 857 54532(mod 943) = 795 54564(mod 943) = 215 545128(mod 943) = 18 545256(mod 943) = 324 So the result we want is: 545503(mod 943) = 324 18 215 795 857 400 923 545(mod 943) = 35. Using this tedious (but simple for a computer) calculation, A can decode Bs message and obtain the original message N = 35.

Engineering College, Ajmer

CONCLUSION
After the study, I find that RSA is a powerful and most widely used scheme for encryption / decryption and digital signature. It is more secure than that of DES and others. But as we know that the key length for secure RSA use has increased over recent years, and this has put a heavier processing load on applications using RSA. This burden has ramifications, especially for electronic commerce sites that conduct large numbers of transactions. Recently, a competing system has begun to challenge RSA: elliptic curve cryptography (ECC). The principal attraction of ECC, compared to RSA, is that it appears to offer equal security for a far smaller key size; thereby reducing processing overhead but the confidence level in ECC is not yet as high as that is in RSA. Also RSA is fundamentally easier to explain than that of ECC.

Engineering College, Ajmer