Créer une présentation
Télécharger la présentation

Télécharger la présentation
## Pretty Good Privacy

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**PGP**• Based on “public key” cryptography • Binds public key to user name or email address • Authentication: “digital signature” used to verify identity of sender • integrity checking: used to detect whether a message has been altered since it was completed • Encryption: based on RSA/DSA • Decryption based on public key • Web of trust: third party vetting**Zimmerman, 1992**• As time goes on… • you accumulate keys from other “trusted” parties. • Others each choose their own trusted parties. • everyone gradually accumulates and distributes with their key certifying signatures from others • Expectation: anyone receiving it will trust at least one or two of the signatures. • emergence of a decentralized fault-tolerant web of confidence for all public keys.**Any agency wanting to read PGP messages would probably use**easier means than standard cryptanalysis, • e.g. rubber-hose cryptanalysis or black-bag cryptanalysis i.e. installing some form of trojan horse or keystroke logging software/hardware on the target computer to capture encrypted keyrings and their passwords. • The FBI has used this attack against PGP. • such vulnerabilities apply to any encryption software.**Criminal investigation of Zimmerman**• PGP encryption found its way outside the US. • Cryptosystems using keys > 40 bits were considered munitions by US export regulations; • PGP keys >= 128 bits. • Feb 1993: Zimmermann targeted by US Govt for "munitions export without a license". • Penalties … were substantial. • Zimmermann challenged these regulations in a curious way. • Published PGP source code as hardback book (MIT Press) • To build: buy the $60 book, scan pages using an OCR program, GNU C Compiler. PGP would thus be available anywhere in the world. • Export of munitions restricted; export of books is protected ( First Amendment). • US export regulations regarding cryptography remain in force, but were liberalized substantially …. PGP … can be exported internationally except to 7 specific countries and a named list of groups and individuals.**Mathematical Cryptography**• William S. Jevons,” The Principles of Science: A Treatise on Logic and Scientific Method,” (1890s) • observed many situations where 'direct' operation is “easy,” but ‘inverse' operation ‘hard’. • Example: encryption is easy; decryption is hard. • Jevons Ch 7: multiplication of integers is easy, finding (prime) factors of product is hard. • Jevons anticipated RSA Algorithm for public key cryptography**Primality test**• A primality test is an algorithm for determining whether an input number is prime. • As of 2008, factorization is a computationally hard problem, whereas primality testing is comparatively easy. • elliptic curve primality test O((log n)^6), • Based on believed, but unproven properties • 2002: Agrawal, Saxena and Kayal : • AKS primality test, Õ((log n)^6) • slower than probabilistic methods.**Greatest common divisor**• GCD(N,M) is the largest number that divides evenly into both N and M • P is prime if GCD(N,P)=1 for all N<P**Euclidean algorithm Eudoxus of Cnidus (about 375 BC),**• function gcd(a, b) • if a = 0 return b • while b ≠ 0 • if a > b a := a − b • else b := b − a • return a**[GCD(6251,1473)=]**• [1] • [3] • [7] • [11]**RSA 200**• RSA-200 = 2799783391122132787082946763872260162107044678695542853756000992932612840010 7609345671052955360856061822351910951365788637105954482006576775098580557613 579098734950144178863178946295187237869221823983 • RSA-200 = 3532461934402770121272604978198464368671197400197625023649303468776121253679 423200058547956528088349 × 7925869954478333033347085841480059687737975857364219960734330341455767872818 152135381409304740185467**How long to factor RSA 200?**• If a k-digit number is the product of two primes • No known algorithm can factor in polynomial time, i.e., that can factor it in time O(k^p) for some constant p. • There are algorithms faster than O((1+ε)^k) i.e., sub-exponential. • For a quantum computer, Peter Shor discovered an algorithm in 1994 that solves it in polynomial time O(N^3) and O(N) memory. • In 2001, the first 7-qubit quantum computer became the first to run Shor's algorithm. It factored the number 15 • GNFS: O(2^(N^(1/3))**Racing Mathematicians**• German Federal Agency for Information Technology Security (BSI) team • record for factorization of semiprimes ( RSA Factoring Challenge ) • On May 9, 2005, factored RSA-200, a 663-bit number (200 decimal digits), using the general number field sieve. • …later: RSA-640, a smaller number containing 193 decimal digits (640 bits), on November 4, 2005. • Both factorizations required several months of computer time using the combined power of 80 AMDOpteron CPUs.**Prime factorization theorem**• fundamental theorem of arithmetic : • every natural number > 1 can be written as a unique product of prime numbers. • Example: 6936=2^3 x 3 x 17^2 • No other way of writing 6936 as a product of prime powers • practically proved by Euclid, • first “ correct” proof in Disquisitiones Arithmeticae by Gauss.**Infinitude of primes**• 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97 … • list of prime numbers**Euclid’s proof**• Consider any finite set of primes. Multiply all of them together and add 1 (see Euclid number). The resulting number is not divisible by any of the primes in the finite set we considered, because dividing by any of these would give a remainder of 1. Because all non-prime numbers can be decomposed into a product of underlying primes, then either this resultant number is prime itself, or there is a prime number or prime numbers which the resultant number could be decomposed into but are not in the original finite set of primes. Either way, there is at least one more prime that was not in the finite set we started with. This argument applies no matter what finite set we began with. So there are more primes than any given finite number.**[The number 2*3*5*7*11+1=2311 is prime]**• True • False**There are lots of primes**• Prime number theorem: the number of primes less than or equal to N is on the order of N divided by log N. • http://en.wikipedia.org/wiki/Prime_number_theorem**An example**• gcd(1071,1029) • =gcd(1029,42) (42= 1071 mod 1029 • =gcd(42,21) (21= 1029 mod 42) • =gcd(21,0) (0= 42 mod 21) • =21: since b=0, we return a**Simple; multiply numbers**• Difficult: factor numbers. • example 34537 x 99991=3453389167 (easy) • M=1459160519 = A xB • Find A and B (difficult) • Computer: check primes up to square-root (roughly 38000). • what if the number to be factored is not ten digits, but rather 400 digits? • square-root : 200 digits. • lifetime of universe: approx. 10^{18} seconds. • If computer could test one trillion factorizations per second, in the lifetime of the universe it could check 10^{30} possibilities. • But there are 10^{200} possibilities.**RSA outline**• find two huge prime numbers, p and q (about 200 digits) (private key), • N=pq public key. • Baby prime example • p=23 and q=41 • pq = (23)(41) = 943, the ``public key’’. • E: encryption key • E is relatively prime to (p-1)(q-1) = (22)(40) = 880, • E=7 is ok as public key • To encode the message number M=35. : • C = M^e (mod N) = 35^7 (mod 943) =64339296875 (mod 943) = 545 • The number C=545 is the encoding of M that is sent. • D: decryption key • ed = 1 { mod} (p-1)(q-1): • D=503 works, since 7*503 = 3521 = 4(880) + 1**Why decoding is “easy”**• Must calculate C^D (mod N) = 545^{503} (mod 943). • 503 = 256 + 128 + 64 + 32 + 16 + 4 + 2 + 1 so • 545^{503} = 545^{256+128+64+32+16+4+2+1} • = 545^{256}545^{128}… 545^1. • (mod 943) all the exponents that are powers of 2. • For example, 545^2 ( mod 943) = 545*545 = 297025 (mod 943) = 923 • Square again: 545^4 (mod 943) = (545^2)^2 ( mod} 943) • = 923*923 = 851929 (mod 943) = 400, and so on. • We obtain the following table: • 545^1 (mod 943) = 545 • 545^2 (mod} 943) =…= 18 • 545^{256} (mod 943) = 324 • So …545^{503} (mod 943) = 324*18*215*795*857*400*923*545 (mod 943) = 35=M !**Modular exponentiation**• Straightforward method c=b^e, given b = 4, e = 13, and m = 497: • c = 4^{13} mod{497} • calculator :4^13= 67,108,864. • modulo 497, get 445. • Calculators only have about 12 digits! • In cryptography, b at least 256 binary digits (77 decimal digits). • Example: b = 5 ^1076 and e = 17, • b is 77 digits in length and e is 2 digits in length, but the value be is 1309 decimal digits in length. • The method described above requires O(e) multiplications to complete.**Memory efficient modular exponentiation: Montgomery**reduction • Memory-efficient method • A second method to compute modular exponentiation requires more operations than the first method. Because the required memory footprint is substantially less, however, operations take less time than before. The end result is that the algorithm is faster. • This algorithm makes use of the fact that, given two integers a and b, the following two equations are equivalent: • c \equiv (a \cdotb) \pmod{m} • c \equiv ((a\ (\mbox{mod}\ m)) \cdot (b\ (\mbox{mod}\ m))) \pmod{m} • The algorithm is as follows: • 1. Set c = 1, e' = 0. • 2. Increase e' by 1. • 3. Set c \equiv (b \cdotc) \pmod{m}. • 4. If e' <e, goto step 2. Else, c contains the correct solution to c \equiv b^e \pmod{m}. • Note that in every pass through step 3, the equation c \equiv b^{e'} \pmod{m} holds true. When step 3 has been executed e times, then, c contains the answer that was sought. In summary, this algorithm basically counts up e' by ones until e' reaches e, doing a multiply by b and the modulo operation each time it adds one (to ensure the results stay small). • The example b = 4, e = 13, and m = 497 is presented again. The algorithm passes through step 3 thirteen times: • * e' = 1. c = (1 * 4) mod 497 = 4 mod 497 = 4. • * e' = 2. c = (4 * 4) mod 497 = 16 mod 497 = 16. • * e' = 3. c = (16 * 4) mod 497 = 64 mod 497 = 64. • * e' = 4. c = (64 * 4) mod 497 = 256 mod 497 = 256. • * e' = 5. c = (256 * 4) mod 497 = 1024 mod 497 = 30. • * e' = 6. c = (30 * 4) mod 497 = 120 mod 497 = 120. • * e' = 7. c = (120 * 4) mod 497 = 480 mod 497 = 480. • * e' = 8. c = (480 * 4) mod 497 = 1920 mod 497 = 429. • * e' = 9. c = (429 * 4) mod 497 = 1716 mod 497 = 225. • * e' = 10. c = (225 * 4) mod 497 = 900 mod 497 = 403. • * e' = 11. c = (403 * 4) mod 497 = 1612 mod 497 = 121. • * e' = 12. c = (121 * 4) mod 497 = 484 mod 497 = 484. • * e' = 13. c = (484 * 4) mod 497 = 1936 mod 497 = 445. • The final answer for c is therefore 445, as in the first method. • Like the first method, this requires O(e) multiplications to complete. However, since the numbers used in these calculations are much smaller than the numbers used in the first algorithm's calculations, the computation time decreases by a factor of at least O(e) in this method.**An efficient method: the right-to-left binary algorithm**• A third method drastically reduces both the number of operations and the memory footprint required to perform modular exponentiation. It is a combination of the previous method and a more general principle called exponentiation by squaring (also known as binary exponentiation). • First, it is required that the exponent e be converted to binary notation. That is, e can be written as: • e = \sum_{i=0}^{n-1} a_i 2^i • In such notation, the length of e is n bits. ai can take the value 0 or 1 for any i such that 0 ≤ i<n - 1. By definition, an - 1 = 1. • The value be can then be written as: • b^e = b^{\left( \sum_{i=0}^{n-1} a_i 2^i \right)} = \prod_{i=0}^{n-1} \left( b^{2^i} \right) ^ {a_i} • The solution c is therefore: • c \equiv \prod_{i=0}^{n-1} \left( b^{2^i} \right) ^ {a_i}\ (\mbox{mod}\ m) • The following example is in C# or C++ languages. Let the class Bignum represent an arbitrarily large positive integer. The inputs base, exponent, and modulus correspond to b, e, and m in the equations given above.**RSA history**• The algorithm was publicly described in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT; the letters RSA are the initials of their surnames, listed in the same order as on the paper.[1] • Clifford Cocks, a British mathematician working for the UK intelligence agency GCHQ, described an equivalent system in an internal document in 1973, but given the relatively expensive computers needed to implement it at the time, it was mostly considered a curiosity and, as far as is publicly known, was never deployed. His discovery, however, was not revealed until 1997 due to its top-secret classification, and Rivest, Shamir, and Adleman devised RSA independently of Cocks' work. • MIT was granted U.S. Patent 4,405,829 for a "Cryptographic communications system and method" that used the algorithm in 1983. The patent would have expired in 2003, but was released to the public domain by RSA on 21 September 2000. Since a paper describing the algorithm had been published in August 1977,[1] prior to the December 1977 filing date of the patent application, regulations in much of the rest of the world precluded patents elsewhere and only the US patent was granted. Had Cocks' work been publicly known, a patent in the US might not have been possible either.**Operation**• RSA involves a public key and a private key. The public key can be known to everyone and is used for encrypting messages. Messages encrypted with the public key can only be decrypted using the private key. The keys for the RSA algorithm are generated the following way: • 1. Choose two distinct large random prime numbers p and q • 2. Compute n = pq\, • * n\, is used as the modulus for both the public and private keys • 3. Compute the totient: \varphi(n) = (p-1)(q-1) \,. • 4. Choose an integer e such that 1 <e< \varphi(n), and e and \varphi (n) share no factors other than 1 (i.e. e and \varphi (n) are coprime) • * e is released as the public key exponent • 5. Compute d to satisfy the congruence relation de \equiv 1\pmod{\varphi(n)}; i.e. de = 1 + k\varphi(n) for some integer k. • * d is kept as the private key exponent • Notes on the above steps: • * Step 1: Numbers can be probabilistically tested for primality. • * Step 3: changed in PKCS#1 v2.0 to \lambda(n) = {\rm lcm}(p-1, q-1) \,, where lcm is the least common multiple, instead of \varphi(n) = (p-1)(q-1) \,. • * Step 4: A popular choice for the public exponents is e\, = 216 + 1 = 65537. Some applications choose smaller values such as e\, = 3, 5, 17 or 257 instead. This is done to make encryption and signature verification faster on small devices like smart cards but small public exponents can lead to greater security risks.[2] • * Steps 4 and 5 can be performed with the extended Euclidean algorithm; see modular arithmetic. • The public key consists of the modulus n\, and the public (or encryption) exponent e\,. The private key consists of the modulus n\, and the private (or decryption) exponent d\, which must be kept secret. • * For efficiency a different form of the private key can be stored: • op\, and q\,: the primes from the key generation, • od\mod (p - 1)\, and d\mod(q - 1)\,, • o q^{-1} \mod(p)\,. • * All parts of the private key must be kept secret in this form. p\, and q\, are sensitive since they are the factors of n\,, and allow computation of d\, given e\,. If p\, and q\, are not stored in this form of the private key then they are securely deleted along with other intermediate values from key generation. • * Although this form allows faster decryption and signing by using the Chinese Remainder Theorem, it is considerably less secure since it enables side channel attacks. This is a particular problem if implemented on smart cards, which benefit most from the improved efficiency. (Start with y = xemodn and let the card decrypt that. So it computes yd(modp) or yd(modq) whose results give some value z. Now, induce an error in one of the computations. Then gcd(z − x,n) will reveal p or q.) • [edit] Messages • [edit] Encryption: • Alice transmits her public key (n,e)\, to Bob and keeps the private key secret. Bob then wishes to send message M to Alice. • He first turns M into a number m\, <n\, by using an agreed-upon reversible protocol known as a padding scheme. He then computes the ciphertextc\, corresponding to: • c = m^e \mod{n} • This can be done quickly using the method of exponentiation by squaring. Bob then transmits c\, to Alice. • [edit] Decryption: • Alice can recover m\, from c\, by using her private key exponent d\, by the following computation: • m = c^d \mod{n}. • Given m\,, she can recover the original message M. • The above decryption procedure works because first • c^d \equiv (m^e)^d \equiv m^{ed}\pmod{n}. • Now, ed \equiv 1\pmod{(p - 1)(q - 1)}, and hence • ed \equiv 1\pmod{p - 1}\, and • ed \equiv 1\pmod{q - 1}\, • which can also be written as • ed = k (p - 1) + 1\, and • ed = h (q - 1) + 1\, • for proper values of k\, and h\,. If m\, is not a multiple of p\, then m\, and p\, are coprime because p\, is prime; so by Fermat's little theorem • m^{(p-1)} \equiv 1 \pmod{p} • and therefore, using the first expression for ed\,, • m^{ed} = m^{k (p-1) + 1} = (m^{p-1})^k m \equiv {1}^k m = m \pmod{p}\,. • If instead m\, is a multiple of p\,, then • m^{ed} \equiv 0^{ed} = 0 \equiv m \pmod{p}. • Using the second expression for ed\,, we similarly conclude that • m^{ed} \equiv m \pmod{q}\,. • Since p\, and q\, are distinct prime numbers, they are relatively prime to each other, so the fact that both primes divide med − m implies their product pq\, divides med − m, which means • m^{ed} \equiv m \pmod{pq}. • Thus, • c^d \equiv m \pmod{n}. • [edit] A worked example • Here is an example of RSA encryption and decryption. The parameters used here are artificially small, but one can also use OpenSSL to generate and examine a real keypair. • 1. Choose two prime numbers • p = 61 and q = 53 • 2. Compute n = pq \, • n = 61 * 53 = 3233 • 3. Compute the totient \varphi(n) = (p-1)(q-1) \, • \varphi(n) = (61 - 1)(53 - 1) = 3120\, • 4. Choose e> 1 coprime to 3120 • e = 17 • 5. Compute d\, such that de \equiv 1\pmod{\varphi(n)}\, e.g., by computing the modular multiplicative inverse of e modulo \varphi(n)\,: • d = 2753 • 17 * 2753 = 46801 = 1 + 15 * 3120. • The public key is (n = 3233, e = 17). For a padded message m\, the encryption function is: • c = m^e\mod {n} = m^{17} \mod {3233}. • The private key is (n = 3233, d = 2753). The decryption function is: • m = c^d\mod {n} = c^{2753} \mod {3233}. • For example, to encrypt m = 123, we calculate • c = 123^{17}\mod {3233} = 855. • To decrypt c = 855, we calculate • m = 855^{2753}\mod {3233} = 123. • Both of these calculations can be computed efficiently using the square-and-multiply algorithm for modular exponentiation.**As of 2005, the largest number factored by a general-purpose**factoring algorithm was 663 bits long (see RSA-200), using a state-of-the-art distributed implementation. RSA keys are typically 1024–2048 bits long. Some experts believe that 1024-bit keys may become breakable in the near term (though this is disputed); few see any way that 4096-bit keys could be broken in the foreseeable future. Therefore, it is generally presumed that RSA is secure if n is sufficiently large. If n is 256 bits or shorter, it can be factored in a few hours on a personal computer, using software already freely available. Keys of 512 bits (or less) have been shown to be practically breakable in 1999 when RSA-155 was factored by using several hundred computers. A theoretical hardware device named TWIRL and described by Shamir and Tromer in 2003 called into question the security of 1024 bit keys. It is currently recommended that n be at least 2048 bits long. • In 1994, Peter Shor published Shor's algorithm, showing that a quantum computer could in principle perform the factorization in polynomial time. However, quantum computation is still in the early stages of development and may never prove to be practical.**Is RSA safe?**• In 1994, Peter Shor published Shor's algorithm, showing that a quantum computer could in principle perform the factorization in polynomial time. However, quantum computation is still in the early stages of development and may never prove to be practical.