Joshua Thijssen
September 18, 2013

# Alice & Bob: Public key cryptography 101


## Transcript

1. Alice & Bob: Public key cryptography 101
Web & PHP Conference, 16-18 Sep, San Jose, USA

2. Joshua Thijssen
Freelance consultant, developer and trainer @ NoxLogic
Founder of the Dutch Web Alliance
Development in PHP, Python, C, Java.
Email: [email protected]

3.

4. An introduction to public key cryptography

5. Without this there would be no internet as we know it today (really)

6. But there are cracks. (And they are bigger on the inside.)

7.

8. An introduction to public key cryptography

9. Meet Alice, and Bob.
Hi Bob!
Hello Alice!

10. Early encryption algorithms
http://www.flickr.com/photos/dpwk/1714014449/in/pool-1621478@N23/

11. Substitution scheme
ciphertext: 12, 1, 13, 5
“algorithm”: A = 1, B = 2, C = 3, ..., Z = 26
= L A M E

12. Substitution scheme
ciphertext: (Wingdings glyphs on the slide; they did not survive in the transcript)
= W I N G D I N G S

13. Caesarian shift
“algorithm”: c = (m + k) mod 26
Message: C O D E
Ciphertext (key=1): D P E F
Ciphertext (key=2): E Q F G
Ciphertext (key=-1): B M C D
Ciphertext (key=0): C O D E
Ciphertext (key=26): C O D E
Ciphertext (key=52): C O D E

14. ➡ Key is too easy to guess.
➡ Key has to be sent to Bob.
➡ Deterministic.
➡ Prone to frequency analysis.
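The shift cipher of slide 13 and the first objection of slide 14 ("key is too easy to guess") in working code. This is an added example, not code from the talk; the function names (`caesar`, `effective_key`, `all_candidates`, `recover_key`) are my own. Note that the formula gives `B N C D` for key=-1 (O shifted back by one is N), so the `B M C D` row on the slide is a typo on the slide.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar(text, key):
    """Caesarian shift from slide 13: c = (m + k) mod 26, letter by letter.

    Letters are numbered A=0 ... Z=25; anything that is not a letter passes
    through unchanged. A negative key shifts backwards, which is decryption."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            m = ALPHABET.index(ch)
            out.append(ALPHABET[(m + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def effective_key(key):
    """Reduce a key modulo 26: keys 0, 26 and 52 all give the same ciphertext."""
    return key % 26


def all_candidates(ciphertext):
    """Every possible decryption. The key space has only 26 members, which is
    exactly why slide 14 says the key is too easy to guess."""
    return [(k, caesar(ciphertext, -k)) for k in range(26)]


def recover_key(ciphertext, known_plaintext):
    """Return the key under which ciphertext decrypts to known_plaintext,
    or None when no key fits (the ciphertext is not a shift of the plaintext)."""
    for k, candidate in all_candidates(ciphertext):
        if candidate == known_plaintext.upper():
            return k
    return None


if __name__ == "__main__":
    for key in (1, 2, -1, 0, 26, 52):          # the rows of the table on slide 13
        print("key=%3d (effective %2d) -> %s" % (key, effective_key(key), caesar("CODE", key)))
    print("recovered key for DPEF:", recover_key("DPEF", "CODE"))
```

Run it and the table of slide 13 is reproduced; the `recover_key` call shows that with 26 candidates a known (or merely readable) plaintext identifies the key immediately, and the `effective_key` column shows why key 52 is the same key as 0.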

15. ➡ The usage of every letter in English (or any other language) can be represented by a percentage.
➡ ‘E’ is used 12.7% of the time in English texts, ‘Z’ only 0.074%.
➡ ‘E’ is used 17.4% of the time in German texts, ‘Q’ only 0.022%.

16. Intercepted message:
gl 7291 i owioa okddilnk ylgm hiu uflm mk cwgukl bs i dgegmiws okywm jkw i owgdf mvfs ngnl'm okddgm. mvfuf dfl cwkdcmes fuoicfn jwkd i dixgdyd-ufoywgms umkoainf mk mvf eku ilqfefu ylnfwqwkyln. mknis, umgee hilmfn bs mvf qkrfwldflm, mvfs uywrgrf iu ukengfwu kj jkwmylf. gj sky virf i cwkbefd, gj lk klf feuf oil vfec iln gj sky oil jgln mvfd., disbf sky oil vgwf, mvf i- mfid.

17. Let’s analyze:

18.

19.
20. Decrypted message:
In 1972 a crack commando unit was sent to prison by a military court for a crime they didn't commit. These men promptly escaped from a maximum-security stockade to the Los Angeles underground. Today, still wanted by the government, they survive as soldiers of fortune. If you have a problem, if no one else can help and if you can find them, maybe you can hire, The A- Team.
http://gutenberg.spiegel.de/buch/3664/4

21. Determinism and the ability to apply

22. ➡ Previous examples were symmetric encryption.
➡ The same key is used for both encryption and decryption.
➡ Good symmetric ciphers: AES, Blowfish, (3)DES.
➡ They are fast and secure.

23. Q: How does Alice send over the key securely to Bob? Everybody’s listening!

24. Another encryption system: asymmetric encryption, or public key encryption.

25. Two keys instead of one:
public key - available for everybody. Can be published on your blog.
private key - for your eyes only!

26.

27. It is NOT possible to decrypt the message with the same key that was used to encrypt it.

28. Encrypt with public key:
- only the private key (thus Alice) can decrypt.
- message is only for Alice = encryption
Encrypt with private key:
- only the public key can decrypt.
- message is guaranteed to come from Alice = signing

29. Symmetric:
✓ quick.
✓ not resource intensive.
✓ useful for small and large messages.
✗ need to send over the key to the other side.
Asymmetric:
✓ no need to send over the (whole) key.
✓ can be used for encryption and validation (signing).
✗ very resource intensive.
✗ only useful for small messages.

30. Q: How does Alice send over the key securely to Bob? Everybody’s listening!
A: Use symmetric encryption for the (large) message and encrypt the key used with an asymmetric encryption method.

31. Hybrid
✓ quick
✓ not resource intensive
✓ useful for small and large messages
✓ safely exchange key data

32. But how does it work?

33. RSA (1978)
Pierre de Fermat, Leonhard Euler (17th - 18th century)

34. Public key encryption works on the premise that it is practically impossible to factor a large number back into its 2 separate prime numbers.
A prime number is only divisible by 1 and itself: 2, 3, 5, 7, 11, 13, 17, 19 etc...

35. “large” number: p * q = 221 (13 and 17), but we cannot calculate its prime factors without brute force. There is no “formula” (like e=mc²).

36. ➡ There is no proof that it’s impossible to factor quickly. But nowadays we have to assume it’s possible by some, but not (yet) many.
➡ Brute-force decrypting is always lurking around (quicker/more machines, better algorithms).
➡ Better (pubkey) algorithms already exist!

37. This is mathness!
No, this is RSAAAA!

38. ➡ p = (large) prime number
➡ q = (large) prime number (but not too close to p)
➡ n = p . q (the bit length of n is the RSA key length)
➡ φ = (p-1) . (q-1) (the φ thingie is called phi)
➡ e: chosen so that gcd(e, φ) = 1
➡ d: chosen so that (d . e) mod φ = 1

39. Step 1: select primes P and Q
‣ P = 11
‣ Q = 3
P = ? | Q = ? | N = ? | Phi = ? | e = ? | d = ?

40. Step 2: calculate N and Phi
➡ N = P . Q = 11 . 3 = 33
➡ φ = (11-1) . (3-1) = 10 . 2 = 20
33 decimal equals 100001 in binary == 6 bit key
P = 11 | Q = 3 | N = ? | Phi = ? | e = ? | d = ?

41. Step 3: find e
‣ e = 3
‣ gcd(e, φ) = 1 ==> gcd(3, 20) = 1
Fermat number: 2^(2^n) + 1
Fermat prime: Fermat number that is also prime: 3, 5, 17, 257, 65537
Study shows that 98.5% of the time 65537 is used
P = 11 | Q = 3 | N = 33 | Phi = 20 | e = ? | d = ?

42. Step 4: find d
‣ brute force: (e . d mod φ = 1)
‣ Extended Euclidean Algorithm gives 7
3 . 1 = 3 mod 20 = 3
3 . 2 = 6 mod 20 = 6
3 . 3 = 9 mod 20 = 9
3 . 4 = 12 mod 20 = 12
3 . 5 = 15 mod 20 = 15
3 . 6 = 18 mod 20 = 18
3 . 7 = 21 mod 20 = 1
3 . 8 = 24 mod 20 = 4
3 . 9 = 27 mod 20 = 7
3 . 10 = 30 mod 20 = 10
P = 11 | Q = 3 | N = 33 | Phi = 20 | e = 3 | d = ?

43. That’s it:
➡ public key = (n, e) = (33, 3)
➡ private key = (n, d) = (33, 7)

44. The actual math is much more complex since we use very large numbers, but it all comes down to these (relatively simple) calculations.

45. (The slide annotates modulus as n, publicExponent as e and privateExponent as d.)

```
jthijssen@debian-jth:~$ openssl rsa -text -noout -in server.key
Private-Key: (256 bit)
modulus:
00:c2:d0:c4:1f:6f:78:16:82:d1:0c:dd:5a:af:de:f2:ff:31:c6:
9b:3b:9f:e8:24:2a:5c:06:56:ea:d7:7c:c6:19
publicExponent: 65537 (0x10001)
privateExponent:
22:8f:fd:2b:82:90:30:96:36:d6:6c:73:09:5e:a9:87:73:6e:
2d:d4:d5:78:fc:3b:20:ea:0d:02:e5:2b:cb:3d
prime1:
00:f0:49:fd:91:18:01:53:92:8f:87:d7:2b:c8:19:7d:17
prime2:
00:cf:8d:a1:3b:93:af:61:77:8f:c9:8f:1d:aa:8d:b4:4f
exponent1:
00:e1:d8:c9:89:bc:84:52:a6:a8:5d:47:32:91:6a:d3:95
exponent2:
5a:88:b1:fa:d5:d9:db:8f:16:a6:5a:0a:1b:ba:42:1b
coefficient:
```

46. Encrypting a message: c = m^e mod n
Decrypting a message: m = c^d mod n

47. Encrypting a message with the private key (n,d) = (33, 7):
m = 13, 20, 15, 5
13^7 mod 33 = 7
20^7 mod 33 = 26
15^7 mod 33 = 27
5^7 mod 33 = 14
c = 7, 26, 27, 14
Decrypting the message with the public key (n,e) = (33, 3):
c = 7, 26, 27, 14
7^3 mod 33 = 13
26^3 mod 33 = 20
27^3 mod 33 = 15
14^3 mod 33 = 5
m = 13, 20, 15, 5
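The key generation of slides 38 to 43 and the encrypt/decrypt arithmetic of slides 46 and 47, reproduced with the talk's toy numbers (p=11, q=3, e=3). This is an added example, not code from the talk; the function names (`egcd`, `modinv`, `brute_force_d`, `keygen`, `trial_division`, `rsa_apply`) are my own. It also includes the trial-division factoring of slide 35 (221 = 13 × 17) and the range check of slide 48, and it runs the message through both directions: private exponent first (the signing direction of slide 28, which is what slide 47 shows) and public exponent first (the encryption direction).

```python
def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(e, phi):
    """d with (d * e) mod phi == 1: the 'Extended Euclidean Algorithm gives 7' step of slide 42."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("gcd(e, phi) must be 1 (slide 41)")
    return x % phi


def brute_force_d(e, phi):
    """The table on slide 42: try d = 1, 2, 3, ... until e*d mod phi == 1."""
    for d in range(1, phi):
        if (e * d) % phi == 1:
            return d
    return None


def keygen(p, q, e):
    """Slides 38-43: n = p*q, phi = (p-1)*(q-1), public key (n, e), private key (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    return (n, e), (n, d)


def trial_division(n):
    """Slide 35: the only way to get p and q back is to try divisors. For 221 that is
    instant; for a 2048-bit n it is the whole point that this never finishes."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    return None


def rsa_apply(blocks, key):
    """c = m^e mod n, or m = c^d mod n: the same operation with the other exponent
    (slide 46). Each block must be an integer between 2 and n-1 (slide 48)."""
    n, exp = key
    for m in blocks:
        if not 2 <= m <= n - 1:
            raise ValueError("block %d is not in the range 2..n-1" % m)
    return [pow(m, exp, n) for m in blocks]


if __name__ == "__main__":
    public, private = keygen(11, 3, 3)
    print("public", public, "private", private, "key length", public[0].bit_length(), "bits")
    message = [13, 20, 15, 5]
    signed = rsa_apply(message, private)        # slide 47: private exponent first = signing direction
    print("private ->", signed, "public ->", rsa_apply(signed, public))
    enc = rsa_apply(message, public)            # slide 28: public exponent first = encryption direction
    print("public ->", enc, "private ->", rsa_apply(enc, private))
    print("221 =", trial_division(221), "| 65537 is 2^16 + 1:", 65537 == 2 ** 16 + 1)
```

`brute_force_d` and `modinv` agree on d = 7 for (e, φ) = (3, 20); `pow(m, exp, n)` is Python's built-in modular exponentiation and is the only operation the real-sized keys of slide 45 need more of, not a different kind of arithmetic.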

48. ➡ A message is an “integer”
➡ A message must be between 2 and n-1.
➡ Deterministic, so we must use a padding scheme to make it non-deterministic.

49. ➡ Public Key Cryptography Standard #1
➡ Pads data with (random) bytes up to n bits in length (v1.5 or OAEP/v2.x).
➡ Got its flaws and weaknesses too. Always use the latest available version (v2.2).

50. The encoded message block, EMB, after encoding but before encryption, with random
E3FC9B2B475CD6944EF191E3F59545E671E474B555799FE3756099F044964038
After RSA encryption, the output is:
3D2AB25B1EB667A40F504CC4D778EC399A899C8790EDECEF062CD739492C9CE5
8B92B9ECF32AF4AAC7A61EAEC346449891F49A722378E008EFF0B0A8DBC6E621
EDC90CEC64CF34C640F5B36C48EE9322808AF8F4A0212B28715C76F3CB99AC7E
http://www.di-mgt.com.au/rsa_alg.html#pkcs1schemes
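The hybrid scheme of slides 30 and 31 (and the session-key step of slide 62) together with the PKCS#1 v1.5 padding of slides 48 to 50, as one runnable example. This is an added example, not code from the talk or from any library: key generation uses a Miller-Rabin prime search so that the modulus is large enough to wrap a 256-bit session key, the padding is the EME-PKCS1-v1_5 layout (`00 02 PS 00 M`) from the standard the slides cite, and the "symmetric cipher" is a constructed stand-in (HMAC-SHA256 in counter mode plus an HMAC tag) because the Python standard library ships no AES; in production you would use AES-GCM and, per slide 49, OAEP rather than v1.5. All function names are my own.

```python
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin (probabilistic); good enough to pick the 'large primes' of slide 38."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=1024, e=65537):
    """Public key (n, e), private key (n, d); e = 65537 is the Fermat prime of slide 41."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:            # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def pkcs1_v15_pad(message, k):
    """EME-PKCS1-v1_5 (slide 49): 00 || 02 || >= 8 random non-zero bytes || 00 || message,
    with k the modulus length in bytes. The random bytes make each encryption differ (slide 48)."""
    if len(message) > k - 11:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - len(message) - 3))
    return b"\x00\x02" + ps + b"\x00" + message


def pkcs1_v15_unpad(em):
    if len(em) < 11 or em[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    sep = em.find(b"\x00", 2)
    if sep < 10:                               # no separator, or fewer than 8 padding bytes
        raise ValueError("bad padding")
    return em[sep + 1:]


def rsa_encrypt_block(message, public):
    n, e = public
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(pkcs1_v15_pad(message, k), "big")   # leading 0x00 keeps m < n
    return pow(m, e, n).to_bytes(k, "big")


def rsa_decrypt_block(ciphertext, private):
    n, d = private
    k = (n.bit_length() + 7) // 8
    return pkcs1_v15_unpad(pow(int.from_bytes(ciphertext, "big"), d, n).to_bytes(k, "big"))


def keystream_xor(key, data):
    """Stand-in for the symmetric cipher (AES in practice): HMAC-SHA256 in counter mode.
    Only safe because the key is fresh for every message, so the counter never repeats."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ kb for b, kb in zip(data[i:i + 32], block))
    return bytes(out)


def hybrid_encrypt(message, public):
    """Slides 30/62: fresh session key for the bulk data, session key wrapped with RSA."""
    session_key = secrets.token_bytes(32)
    enc_key = hashlib.sha256(b"enc" + session_key).digest()
    mac_key = hashlib.sha256(b"mac" + session_key).digest()
    body = keystream_xor(enc_key, message)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()   # detects tampering (slide 54)
    return rsa_encrypt_block(session_key, public), body, tag


def hybrid_decrypt(wrapped_key, body, tag, private):
    session_key = rsa_decrypt_block(wrapped_key, private)
    enc_key = hashlib.sha256(b"enc" + session_key).digest()
    mac_key = hashlib.sha256(b"mac" + session_key).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("message was tampered with")
    return keystream_xor(enc_key, body)


if __name__ == "__main__":
    public, private = rsa_keygen(1024)
    wrapped, body, tag = hybrid_encrypt(b"Hi Bob! " * 100, public)
    print(len(wrapped), "byte wrapped key,", len(body), "byte body")
    print(hybrid_decrypt(wrapped, body, tag, private)[:16])
```

Two things to look at when running it: wrapping the same session key twice gives two different RSA ciphertexts (the non-determinism slide 48 asks for), and `pkcs1_v15_pad` refuses anything longer than k-11 bytes, which is the "only useful for small messages" row of slide 29 and the reason the bulk data goes through the symmetric cipher instead.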

51. Practical applications of PKE

52. http://torontoemerg.files.wordpress.com/2010/09/spam.gif

53.

54. Questions:
➡ Did Bill really send this email?
➡ Do we know for sure that nobody has read this email (before it came to us)?
➡ Do we know for sure that the contents of the message haven’t been tampered with?
➡ We use signing!

55. Signing a message
➡ Signing a message means adding a signature that authenticates the validity of a message.
➡ Like md5 or sha1: when the message changes, so will the signature.
➡ This works on the premise that Alice and only Alice has the private key that can create the signature.

56. http://en.wikipedia.org/wiki/File:Digital_Signature_diagram.svg

57. ➡ Signing is important!
➡ apt-get / yum install verify/prove authenticity
➡ Does your git clone do that? Does “composer install” do that? Does PEAR do that?

58. HTTPS
➡ HTTP encapsulated by TLS (previously SSL).
➡ More or less: an encryption layer on top of HTTP.

59. ➡ Actual encryption methodology is decided by the browser and the server (highest possible encryption used).
➡ Symmetric encryption (AES-256, others)
➡ But both sides need the same key, so we have the same problem as before: how do we send over the key?

60. ➡ Key is exchanged in a public/private encrypted communication.
➡ Which public key?
➡ It is stored inside the server’s SSL certificate.

61.

```
jthijssen@debian-jth:~$ openssl x509 -text -noout -in github.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:7f:be:2e:4b:de:00:84:d2:ca:f8:e3:ec:fe:70:58
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV CA-1
Validity
Not Before: Jun 10 00:00:00 2013 GMT
Not After : Sep 2 12:00:00 2015 GMT
1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107, C=US, ST=California,
L=San Francisco, O=GitHub, Inc., CN=github.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ed:d3:89:c3:5d:70:72:09:f3:33:4f:1a:72:74:
d9:b6:5a:95:50:bb:68:61:9f:f7:fb:1f:19:e1:da:
04:31:af:15:7c:1a:7f:f9:73:af:1d:e5:43:2b:56:
09:00:45:69:4a:e8:c4:5b:df:c2:77:52:51:19:5b:
d1:2b:d9:39:65:36:a0:32:19:1c:41:73:fb:32:b2:
3d:9f:98:ec:82:5b:0b:37:64:39:2c:b7:10:83:72:
cd:f0:ea:24:4b:fa:d9:94:2e:c3:85:15:39:a9:3a:
f6:88:da:f4:27:89:a6:95:4f:84:a2:37:4e:7c:25:
78:3a:c9:83:6d:02:17:95:78:7d:47:a8:55:83:ee:
13:c8:19:1a:b3:3c:f1:5f:fe:3b:02:e1:85:fb:11:
66:ab:09:5d:9f:4c:43:f0:c7:24:5e:29:72:28:ce:
d4:75:68:4f:24:72:29:ae:39:28:fc:df:8d:4f:4d:
83:73:74:0c:6f:11:9b:a7:dd:62:de:ff:e2:eb:17:
e6:ff:0c:bf:c0:2d:31:3b:d6:59:a2:f2:dd:87:4a:
48:7b:6d:33:11:14:4d:34:9f:32:38:f6:c8:19:9d:
f1:b6:3d:c5:46:ef:51:0b:8a:c6:33:ed:48:61:c4:
1d:17:1b:bd:7c:b6:67:e9:39:cf:a5:52:80:0a:f4:
ea:cd
Exponent: 65537 (0x10001)
```

62. ➡ Browser sends over its encryption methods.
➡ Server decides which one to use.
➡ Server sends certificate(s).
➡ Client sends a “session key” encrypted with the public key found in the server certificate.
➡ Server and client use the “session key” for symmetric encryption.

63. ➡ Thus: public/private encryption is only used in establishing a secondary (better!?) encryption.
➡ SSL/TLS is a separate talk (it’s way more complex than this)
➡ http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html

64. SSH
➡ Public key authentication
➡ Because you suck at creating and/or

65. ➡ Easy for tools / scripts to connect
➡ Easy for you (no remembering passwords)
➡ More fine-grained security model.

66. Some words of wisdom: (free of charge)

67. ➡ Don’t “invent” your own encryption. It will NOT be secure, and it WILL fail.
➡ Encryption is as strong as the weakest link, which 9 out of 10 times will be you.
➡ Encryptions evolve. Do not use today what you used 10 years ago.
➡ Every encryption will become obsolete!
➡ Always follow the best practices.

68. http://farm1.static.flickr.com/73/163450213_18478d3aa6_d.jpg

69.