CSE 127: Lecture 22

The topics covered in this lecture are: using crypto for security, RSA for encryption and message authentication, cracking keys, and modular exponentiation.

Using crypto for security

We have been discussing how we can use cryptographic tools to make insecure connections less susceptible to eavesdropping and tampering. Again, the three major parts of this are:

Confidentiality: Ensuring that others cannot eavesdrop on your data by obscuring it with encryption
Integrity: Ensuring that others have not changed the message by computing Message Authentication Codes (MACs) which are like a checksum of the data, but use encryption keys.
Accountability: Ensuring that people can be connected to their actions. Crypto can be used to verify identification publicly.

RSA for encryption and message authentication

For RSA encryption, we need four things: p, q, e, and d.

The p and q are large prime numbers, and n = p*q.
The public key is (e,n), where e is a number chosen randomly.
The private key is d, where e*d=1 mod phi(n), and phi(n)=(p-1)(q-1).
From Euler's theorem, we know that x^phi(n)=1 mod n.

If we are given a message m, we can encrypt and decrypt the message using the public and private keys of a user.
Encryption: Cipher text is computed by:

c = m^e mod n

Decryption: The original message is computed by:

p = c^d mod n

How do we know that the decrypted message p is the same as the original message m? We can use Euler's theorem:

(m^e)^d mod n
= m^de mod n
= m^1+k*phi(n) mod n
= m*(m^phi(n))^k mod n
= m*1^k mod n

We can also use RSA to cryptographically sign messages. We do this by computing a cryptographic hash (like MD5 or SHA1) on a message m to obtain a digest, which we'll call s. Then the signed digest is computed as r = s^d mod n. Then the public can verify that the message is properly signed if r^e mod n==s.

Normally you want to keep information about your keys private. However, if you know the factorization of n, then you have an advantage. You can use the Extended GCD. The EGCD is like the GCD, but it gives three outputs, w, z, and g. The value g = GCD(x,y), while EGCD also finds

w*x + z*y = g

So that if we ask for EGCD(e, phi(n)), we know that g=1 with high probability. (g=1 means that e and phi(n) are coprime. In the unlikely circumstance that g > 1, just choose another random e and try again.) and we get

w*e + z*phi(n) = g = 1

where w is the multiplicative inverse mod phi(n). We use w as the secret decryption exponent (usually called d).

Getting encryption keys

There are many systems with encryption keys that are embedded in hardware or hidden in software, away from users access. However, having physical access to the system makes it easier to find out what the encryption keys are. For example, Microsoft has a crypto API that allows applications to do crypto operations, but the applications cannot access the keys directly; instead they have something akin to file descriptors which point to the keys which the API hides. Additionally, the implementation of the library is modular, so that it may be filled by a third-party vendor's software or hardware.

If you wanted to get access to the crypto keys in the library, how could you do that? Having access to the system helps. It turns out that you can compute statistics on the time and/or power required for the processor to compute crypto routines by running the routines many times. Those statistics can give insight into finding the values of the keys. Next time we will see more on how this is done. Until then, here is the code to compute exponentiation mod n.

Modular exponentiation

The following code computes y = x^e mod n. Note that in this code, integers are larger than the typical "int"; they may be arbitrarily big (using special math libraries).

Int modexp(x, e, n) {
    Int y = 1, z = x;
    while (e != 0) {
        if (e is odd) {
            y = y * z mod n;
        }
        z = z * z mod n;
        e = e div 2;
    }
    return y;
}

bsy+cse127w02@cs.ucsd.edu, last updated Mon Mar 25 15:22:09 PST 2002. Copyright 2002 Bennet Yee.
email bsy.