Joshua Thijssen
April 25, 2012

# Alice & Bob: Public key cryptography 101 - Mail.ru techforum 2012

## Transcript

1. Alice & Bob
Mail.ru techforum - 24 April 2012
Moscow - Russia
Public key cryptography 101
Wednesday 25 April 12

2. Joshua Thijssen / Netherlands
Freelance consultant, developer and
Development in PHP, Python, Perl,
C, Java....

3. An introduction into public key cryptography

4. Without this there would be
no internet as we know today
(really)

7. Meet Alice,
and Bob.
Hi Bob!
Hello Alice!

8. http://www.flickr.com/photos/dpwk/1714014449/in/pool-1621478@N23/

11. ‣ SUBSTITUTION SCHEME
“algorithm”:
A = 1, B = 2, C = 3, ...., Z = 26
ciphertext:
19, 5, 3, 18, 5, 20
=
S E C R E T

14. ‣ SUBSTITUTION SCHEME
ciphertext:

=
W I N G D I N G S

22. ‣ CAESARIAN CIPHER or CAESARIAN SHIFT
“algorithm”:
c = m + k mod 26
Message: C O D E
Ciphertext (key=1): D P E F
Ciphertext (key=2): E Q F G
Ciphertext (key=-1): B M C D
Ciphertext (key=0): C O D E
Ciphertext (key=26): C O D E
Ciphertext (key=52): C O D E

27. ‣ FLAWS IN THESE CIPHERS
➡ Key is too easy to guess.
➡ Key has to be sent to Bob.
➡ Deterministic.
➡ Prone to frequency analysis.

31. ➡ The usage of every letter in English (or
any other language) can be represented by
a percentage.
➡ ‘E’ is used 12.7% of the time in English
texts, ‘Z’ only 0.074%.
➡ ‘O’ is used 11.07% of the time in Russian
texts, ‘Ъ’ only 0.02%.

32. http://www.gutenberg.org/cache/epub/14082/pg14082.txt
Once upon a midnight dreary, while I pondered, weak and weary,
Over many a quaint and curious volume of forgotten lore—
While I nodded, nearly napping, suddenly there came a tapping,
As of some one gently rapping—rapping at my chamber door.
"'Tis some visitor," I muttered, "tapping at my chamber door—
Only this and nothing more."

33. ‣ “THE RAVEN”, FIRST PARAGRAPH
A small bit of text can result in differences, but still there are
some letters we can deduce..

34. ‣ “THE RAVEN”, ALL PARAGRAPHS
We can deduce almost all letters without even CARING

36. ‣ FLAWS IN THESE CIPHERS
➡ Determinism and the ability to use

40. ‣ SYMMETRICAL ALGORITHMS
➡ Previous examples were symmetrical encryptions.
➡ Same key is used for both encryption and decryption.
➡ Good symmetrical encryptions: AES, Blowfish, (3)DES

42. ‣ THE PROBLEM WITH SYMMETRICAL ALGORITHMS
How does Alice send over the key securely
to Bob? Everybody’s listening!

43. Another encryption system:
Asymmetrical encryption or public key encryption.

44. Two keys instead of one:
public key - available for everybody.
Can be published on your blog.
private key - For your eyes only!

45. ‣ USES 2 KEYS INSTEAD OF ONE: A KEYPAIR

46. It is NOT possible to decrypt the message
with the same key that is used to encrypt.

48. Encrypt with public key:
- only private key (thus Alice) can decrypt.
- message is only for Alice = encryption
Encrypt with private key:
- only public key can decrypt.
- message is guaranteed to come from Alice = signing

49. Symmetrical
✓ quick.
✓ not resource intensive.
✓ useful for small and large messages.
✗ need to send over the key to the other side.
Asymmetrical
✓ no need to send over the (whole) key.
✓ can be used for encryption and validation (signing).
✗ very resource intensive.
✗ only useful for small messages.

50. Use symmetrical encryption for the (large) message
and encrypt the key used with an asymmetrical
encryption method.

51. Hybrid
✓ quick
✓ not resource intensive
✓ useful for small and large messages
✓ safely exchange key data

53. But how does it work?

57. RSA
1978
Pierre de Fermat, Leonhard Euler
17th - 18th century

59. Public key encryption works on the premise that it
is practically impossible to factor a large number
back into 2 separate prime numbers
A prime number is only divisible by 1 and
itself: 2, 3, 5, 7, 11, 13, 17, 19 etc...

63. “large” number: 221
but we cannot calculate its
prime factors without brute force.
There is no “formula” (like e=mc^2)
(13 and 17)

66. ➡ There is no proof that it’s impossible to factor
quickly (although it doesn’t look plausible)
➡ Brute-force decrypting is always lurking around
(quicker machines, better algorithms).

67. The math
behind the curtain

74. ➡ p = (large) prime number
➡ q = (large) prime number (but not too close to p)
➡ n = p . q (the bit length of n is the size of the RSA key)
➡ φ = (p-1) . (q-1) (the φ thingie is called phi)
➡ e = a number for which gcd(e, φ) = 1
➡ d = a number for which (d . e) mod φ = 1

77. Step 1: select primes P and Q
‣ P = 11
‣ Q = 3
‣ P = ? | Q = ? | N = ? | Phi = ? | e = ? | d = ?

82. Step 2: calculate N and Phi
➡ N = P . Q = 11 . 3 = 33
➡ φ = (11-1) . (3-1) = 10 . 2 = 20
There are 20 coprimes for 33 : φ(33) = 20
33 decimal is 100001 in binary == 6 bit key
‣ P = 11 | Q = 3 | N = ? | Phi = ? | e = ? | d = ?

87. Step 3: find e
‣ e = 3
‣ gcd(e, φ) = 1 ==> gcd(3, 20) = 1
Fermat number: 2^(2^n) + 1
Fermat prime: Fermat number that is prime: 3, 5, 17, 257, 65537
Study shows that 98.5% of the time 65537 is used
‣ P = 11 | Q = 3 | N = 33 | Phi = 20 | e = ? | d = ?

91. Step 4: find d
‣ Extended Euclidean Algorithm gives 7
‣ brute force: (e.d mod φ = 1)
3 . 1 = 3 mod 20 = 3
3 . 2 = 6 mod 20 = 6
3 . 3 = 9 mod 20 = 9
3 . 4 = 12 mod 20 = 12
3 . 5 = 15 mod 20 = 15
3 . 6 = 18 mod 20 = 18
3 . 7 = 21 mod 20 = 1
3 . 8 = 24 mod 20 = 4
3 . 9 = 27 mod 20 = 7
3 . 10 = 30 mod 20 = 10
‣ P = 11 | Q = 3 | N = 33 | Phi = 20 | e = 3 | d = ?

93. That’s it:
➡ public key = (n, e) = (33, 3)
➡ private key = (n, d) = (33, 7)
‣ P = 11 | Q = 3 | N = 33 | Phi = 20 | e = 3 | d = 7

94. The actual math is much more complex since
we use very large numbers, but it all comes
down to these (relatively simple) calculations..

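97. Labels on the slide, matching the output fields in order:
modulus = n
publicExponent = e
privateExponent = d
prime1 = p
prime2 = q
exponent1 = d mod (p-1)
exponent2 = e mod (q-1)
coefficient = (inverse q) mod p
jthijssen@debian-jth:~$ openssl rsa -text -noout -in server.key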
Private-Key: (256 bit)
modulus:
00:c2:d0:c4:1f:6f:78:16:82:d1:0c:dd:5a:af:de:f2:ff:31:c6:
9b:3b:9f:e8:24:2a:5c:06:56:ea:d7:7c:c6:19
publicExponent: 65537 (0x10001)
privateExponent:
22:8f:fd:2b:82:90:30:96:36:d6:6c:73:09:5e:a9:87:73:6e:
2d:d4:d5:78:fc:3b:20:ea:0d:02:e5:2b:cb:3d
prime1:
00:f0:49:fd:91:18:01:53:92:8f:87:d7:2b:c8:19:7d:17
prime2:
00:cf:8d:a1:3b:93:af:61:77:8f:c9:8f:1d:aa:8d:b4:4f
exponent1:
00:e1:d8:c9:89:bc:84:52:a6:a8:5d:47:32:91:6a:d3:95
exponent2:
5a:88:b1:fa:d5:d9:db:8f:16:a6:5a:0a:1b:ba:42:1b
coefficient:

98. Encrypting a message:
c = m^e mod n
Decrypting a message:
m = c^d mod n

100. Encrypting a message: private key = (n,d) = (33, 7):
m = 13, 20, 15, 5
13^7 mod 33 = 7
20^7 mod 33 = 26
15^7 mod 33 = 27
5^7 mod 33 = 14
c = 7, 26, 27, 14
Decrypting a message: public key = (n,e) = (33, 3):
c = 7, 26, 27, 14
7^3 mod 33 = 13
26^3 mod 33 = 20
27^3 mod 33 = 15
14^3 mod 33 = 5
m = 13, 20, 15, 5

104. ➡ A message is an “integer”
➡ A message must be between 2 and n-1.
➡ Deterministic, so we must use a padding
scheme to make it non-deterministic.

108. ➡ Public Key Cryptography Standard #1
➡ Pads data with (random) bytes up to n bits
in length (v1.5 or OAEP/v2.x).
➡ It has its flaws and weaknesses too. Always
use the latest available version (v2.1)

109. The encoded message block, EMB, after encoding but before encryption, with random
E3FC9B2B475CD6944EF191E3F59545E671E474B555799FE3756099F044964038
After RSA encryption, the output is:
3D2AB25B1EB667A40F504CC4D778EC399A899C8790EDECEF062CD739492C9CE5
8B92B9ECF32AF4AAC7A61EAEC346449891F49A722378E008EFF0B0A8DBC6E621
EDC90CEC64CF34C640F5B36C48EE9322808AF8F4A0212B28715C76F3CB99AC7E
http://www.di-mgt.com.au/rsa_alg.html#pkcs1schemes

110. Some words of wisdom:
(free of charge)

116. ➡ Don’t “invent” your own encryption. It will
NOT be secure, and it WILL fail.
➡ Encryption is as strong as the weakest link,
which 9 out of 10 times will be you.
➡ Encryptions evolve. Do not use today what
you used 10 years ago.
➡ Every encryption will become obsolete!
➡ Always follow the best practices.

117. http://farm1.static.flickr.com/73/163450213_18478d3aa6_d.jpg
Questions?

118. Thank you