Sie sind auf Seite 1von 13

Submitted by:Name:-Sachin Kumar Sharma Rollo:- RD1E30A13 Reg no:- 11009126

Submitted by:MR. Puneet Kumar Kaushal


Key generation algorithm Encryption Decryption Digital signing Signature verification Key length Theory and proof of the RSA algorithm Weaknesses in RSA Simple example of RSA encryption Possible Attacks on RSA:o Searching the Message Space o Guessing d o Cycle Attack o Common Modulus o Faulty Encryption o Low Exponent Conclusion Reference

RSA Algorithm
The RSA algorithm is named after Ron Rivest, Adi Shamir and Len Adleman, who invented it in 1977 [RIVE78]. The basic technique was first discovered in 1973 by Clifford Cocks [COCK73] of CESG (part of the British GCHQ) but this was a secret until 1997. The patent taken out by RSA Labs has expired. The RSA algorithm can be used for both public key encryption and digital signatures. Its security is based on the difficulty of factoring large integers. RSA is an algorithm for public-key cryptography that is based on the presumed difficulty of factoring large integers, the factoring problem. RSA stands for o Ron Rivest, o Adi Shamir o Leonard Adleman, who first publicly described the algorithm in 1977. Clifford Cocks, an English mathematician, had developed an equivalent system in 1973, but it was classified until 1997.

RSA-based Cryptographic Schemes

The RSA algorithm was invented by Ronald L. Rivest, Adi Shamir, and Leonard Adleman in 1977. This page has a collection of links to RSA-related documents on this web site. There are a variety of different cryptographic schemes and protocols based on the RSA algorithm in products all over the world; RSA Laboratories recommends the RSAES-OAEP encryption scheme and the RSASSA-PSS signature scheme with appendix for new applications. RSAES-OAEP (RSA Encryption Scheme - Optimal Asymmetric EncryptionPadding) is a public-key encryption scheme combining the RSA algorithm with the OAEP method. The inventors of OAEP are Mihir Bellare and Phillip Rogaway, with enhancements by Don B. Johnson and Stephen M. Matyas. RSASSA-PSS (RSA Signature Scheme with Appendix - Probabilistic SignatureScheme) is an asymmetric signature scheme with appendix combining the RSA algorithm with the PSS encoding method. The inventors of the PSS encoding method are Mihir Bellare and Phillip Rogaway. During efforts to adopt RSASSA-PSS into the P1363a standards effort, certain adaptations to the original version of RSA-PSS were made by Bellare and Rogaway and also by Burt Kaliski (the editor of IEEE P1363a) to facilitate implementation and integration into existing protocols.

Key Generation Algorithm

1. Generate two large random primes, p and q, of approximately equal size such that their product n = pq is of the required bit length, e.g. 1024 bits. 2. Compute n = pq and () phi = (p-1)(q-1). 3. Choose an integer e, 1 < e < phi, such that gcd(e, phi) = 1. 4. Compute the secret exponent d, 1 < d < phi, such that ed 1 (mod phi). 5. The public key is (n, e) and the private key is (n, d). Keep all the values d, p, q and phi secret.

n is known as the modulus. e is known as the public exponent or encryption exponent or just the exponent. d is known as the secret exponent or decryption exponent.

Sender A does the following:1. 2. 3. 4. Obtains the recipient B's public key (n, e). Represents the plaintext message as a positive integer m Computes the cipher text c = me mod n. Sends the cipher text c to B.

Recipient B does the following:1. Uses his private key (n, d) to compute m = cd mod n. 2. Extracts the plaintext from the message representative m.

An Example of the RSA Algorithm

P = 61 <- first prime number (destroy this after computing E and D) Q = 53 <- second prime number (destroy this after computing E and D) PQ = 3233 <- modulus (give this to others) E = 17 <- public exponent (give this to others) D = 2753 <- private exponent (keep this secret!)

Your public key is (E,PQ). Your private key is D. The encryption function is: Encrypt (T) = (T^E) mod PQ = (T^17) mod 3233 The decryption function is: Decrypt(C) = (C^D) mod PQ

= (C^2753) mod 3233 To encrypt the plaintext value 123, do this: Encrypt (123) = (123^17) mod 3233 = 337587917446653715596592958817679803 mod 3233 = 855 To decrypt the ciphertext value 855, do this: Decrypt (855) = (855^2753) mod 3233 = 123

Digital signing
1. 2. 3. 4. Sender A does the following:Creates a message digest of the information to be sent. Represents this digest as an integer m between 0 and n-1. [See note 5]. Uses her private key (n, d) to compute the signature s = md mod n. Sends this signature s to the recipient, B.

Signature verification
Recipient B does the following:1. Uses sender A's public key (n, e) to compute integer v = se mod n. 2. Extracts the message digest from this integer. 3. Independently computes the message digest of the information that has been signed. 4. If both message digests are identical, the signature is valid.

Key length
When we talk about the key length of an RSA key, we are referring to the length of the modulus, n, in bits. The minimum recommended key length for a secure RSA transmission is currently 1024 bits. A key length of 512 bits is now no longer considered secure, although cracking it is still not a trivial task for the likes of you and me. The longer your information is needed to be kept secure, the longer the key you should use. Keep up to date with the latest recommendations in the security journals. There is small one area of confusion in defining the key length. One convention is that the key length is the position of the most significant bit in n that has value '1', where the least significant bit is at position 1. Equivalently, key length = ceiling(log2(n+1)). The other convention, sometimes used, is that the key length is the number of bytes needed to store n multiplied by eight, i.e. ceiling(log256(n+1)). The key used in the RSA Example paper is an example. In hex form the modulus is
0A C0 D0 01 66 01 53 14 79 C6 B3 A1 1D 27 E3 DF C6 10 78 E6 98 27 2A 7C 81 00 1D DC 68 75 E5 9A DE 14 DC 9A 7A 29 5A F5 B7 42 F4 5D 74 E1 EB 65 19 9A E9 56 BB 8D 94 20 7F 8C 68 BB B0 51 17 AB

The most significant byte 0x0A in binary is 00001010'B. The most significant bit is at position 508, so its key length is 508 bits. On the other hand, this value needs 64 bytes to store it, so the key length could also be referred to by some as 64 x 8 = 512 bits. We prefer the former method. You can get into difficulties with the X9.31 method for signatures if you use the latter convention.

Minimum key lengths

The following table is taken from NIST's Recommendation for Key Management. It shows the recommended comparable key sizes for symmetrical block ciphers (AES and Triple DES) and the RSA algorithm. That is, the key length you would need to use to have comparable security. Symmetric key Comparable RSA key Comparable hash algorithm length function 2TDEA* 1024 SHA-1 3TDEA 2048 SHA-224 AES-128 3072 SHA-256 AES-192 7680 SHA-384 AES-256 15360 SHA-512 * 2TDEA is 2-key triple DES - see What's two-key triple DES encryption. Bits of security 80 112 128 192 256

Note just how huge (and impractical) an RSA key needs to be for comparable security with AES-192 or AES-256 (although these two algorithms have had some weaknesses exposed recently; AES-128 is unaffected). The above table is a few years old now and may be out of date. Existing cryptographic algorithms only get weaker as attacks get better.

Theory and proof of the RSA algorithm

Every man and his dog seems to have a proof of the RSA algorithm out there, all requiring varying degrees of understanding of number theory. This is our version of a proof of the RSA algorithm, re-written October 2006 and some hints on understanding it.

A very simple example of RSA encryption

This is an extremely simple example using numbers you can work out on a pocket calculator (those of you over the age of 35 45 can probably even do it by hand). 1. Select primes p=11, q=3.

2. n = pq = 11.3 = 33 phi = (p-1)(q-1) = 10.2 = 20 3. Choose e=3 Check gcd(e, p-1) = gcd(3, 10) = 1 (i.e. 3 and 10 have no common factors except 1), and check gcd(e, q-1) = gcd(3, 2) = 1 therefore gcd(e, phi) = gcd(e, (p-1)(q-1)) = gcd(3, 20) = 1 4. Compute d such that ed 1 (mod phi) i.e. compute d = e-1 mod phi = 3-1 mod 20 i.e. find a value for d such that phi divides (ed-1) i.e. find d such that 20 divides 3d-1. Simple testing (d = 1, 2, ...) gives d = 7 Check: ed-1 = 3.7 - 1 = 20, which is divisible by phi. 5. Public key = (n, e) = (33, 3) Private key = (n, d) = (33, 7). This is actually the smallest possible value for the modulus n for which the RSA algorithm works. Now say we want to encrypt the message m = 7, c = me mod n = 73 mod 33 = 343 mod 33 = 13. Hence the ciphertext c = 13. To check decryption we compute m' = cd mod n = 137 mod 33 = 7. Note that we don't have to calculate the full value of 13 to the power 7 here. We can make use of the fact that a = bc mod n = (b mod n).(c mod n) mod n so we can break down a potentially large number into its components and combine the results of easier, smaller calculations to calculate the final value. One way of calculating m' is as follows:m' = 137 mod 33 = 13(3+3+1) mod 33 = 133.133.13 mod 33 = (133 mod 33).(133 mod 33).(13 mod 33) mod 33 = (2197 mod 33).(2197 mod 33).(13 mod 33) mod 33 = 19.19.13 mod 33 = 4693 mod 33 = 7. Now if we calculate the ciphertext c for all the possible values of m (0 to 32), we get
m c 0 0 1 1 2 3 4 5 6 7 8 8 27 31 26 18 13 17 9 10 11 12 13 14 15 16 3 10 11 12 19 5 9 4

m 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 c 29 24 28 14 21 22 23 30 16 20 15 7 2 6 25 32

Note that all 33 values of m (0 to 32) map to a unique code c in the same range in a sort of random manner. In this case we have nine values of m that map to the same value of c - these are known as unconcealed messages. m = 0, 1 and n-1 will always do this for any n, no matter how large. But in practice, higher values shouldn't be a problem when we use large values for n in the order of several hundred bits.

If we wanted to use this system to keep secrets, we could let A=2, B=3, ..., Z=27. (We specifically avoid 0 and 1 here for the reason given above). Thus the plaintext message "HELLOWORLD" would be represented by the set of integers m1, m2, ...

Using our table above, we obtain ciphertext integers c1, c2, ...

Note that this example is no more secure than using a simple Caesar substitution cipher, but it serves to illustrate a simple example of the mechanics of RSA encryption. Remember that calculating me mod n is easy, but calculating the inverse c-e mod n is very difficult, well, for large n's anyway. However, if we can factor n into its prime factors p and q, the solution becomes easy again, even for large n's. Obviously, if we can get hold of the secret exponent d, the solution is easy, too.

Weaknesses in RSA o Small encryption exponent

If you use a small exponent like e=3 and send the same message to different recipients and just use the RSA algorithm without adding random padding to the message, then an eavesdropper could recover the plaintext.

o Using the same key for encryption and signing

Given that the underlying mathematics is the same for encryption and signing, only in reverse, if an attacker can convince a key holder to sign an unformatted encrypted message using the same key then she gets the original.

o Acting as an oracle
There are techniques to recover the plaintext if a user just blindly returns the RSA transformation of the input. So don't do that.

o Using a common modulus for different users

Do not use the same modulus n with different (ei, di) pairs for different users in a group. Given his own pair (e1, d1), user 1 can factorize the common n into p and q and hence compute the private exponents di of all the other users.

o Small encryption exponent and small message

If you use e=3 and just encrypt a small message m without padding where m3 < n then your ciphertext c can easily be broken by simply computing its real cube root. For example, if we have the public key (n, e) = (25777, 3) and just encrypt the small message m = 10 then the ciphertext is c = 1000. The secure properties of RSA encryption only work if me > n.

1. Don't use the same RSA key for encryption and signing. 2. If using PKCS#v1.5 encoding, use e=0x10001 for your public exponent. 3. Always format your input before encrypting or signing. 4. Always add fresh random padding - at least 8 bytes - to your message before encrypting. 5. When decrypting, check the format of the decrypted block. If it is not as expected, return an error, not the decrypted string. 6. Similarly, when verifying a signature, if there is any error whatsoever, just respond with "Invalid Signature".

RSA is used in security protocols such as;

IPSEC/IKE - IP data security TLS/SSL - transport data security (web) PGP - email security SSH - terminal connection security SILC - conferencing service security Many many more...

A very simple example of RSA encryption

This is an extremely simple example using numbers you can work out on a pocket calculator (those of you over the age of 35 can probably even do it by hand on paper). 1. Select primes p=11, q=3. 2. n = p *q = 11.3 = 33 phi = (p-1) (q-1) = 10.2 = 20 3. Choose e=3 Check gcd(e, p-1) = gcd(3, 10) = 1 (i.e. 3 and 10 have no common factors except 1), and check gcd(e, q-1) = gcd(3, 2) = 1 therefore gcd(e, phi) = gcd(e, (p-1)(q-1)) = gcd(3, 20) = 1 4. Compute d such that ed 1 (mod phi) i.e. compute d = e^-1 mod phi = 3^-1 mod 20 i.e. find a value for d such that phi divides (ed-1) i.e. find d such that 20 divides 3d-1. Simple testing (d = 1, 2, ...) gives d = 7 Check: ed-1 = 3.7 - 1 = 20, which is divisible by phi. 5. Public key = (n, e) = (33, 3) Private key = (n, d) = (33, 7).

This is actually the smallest possible value for the modulus n for which the RSA algorithm works. Now say we want to encrypt the message m = 7, c = m^e mod n = 7^3 mod 33 = 343 mod 33 = 13. Hence the cipher text c = 13. To check decryption we compute m' = c^d mod n = 13^7 mod 33 = 7. Note that we don't have to calculate the full value of 13 to the power 7 here. We can make use of the fact that a = bc mod n = (b mod n).(c mod n) mod n so we can break down a potentially large number into its components and combine the results of easier, smaller calculations to calculate the final value.

Possible Attacks on RSA

The saying "A chain is no stronger than its weakest link" is a very suitable for describing attacks on cryptosystems. The attackers' instinct is to go for the weakest point of defense, and to exploit it. Sometimes the weakness may have appeared insignificant to the designer of the system, or maybe the cryptanalyst will discover something that was not seen by anyone before. The important thing to remember (and this has been proven time and time again in the history of cryptography) is that no matter how secure you think your system is, there may be something you have not considered. At the moment RSA seems to be extremely secure. It has survived over 20 years of scrutiny and is in widespread use throughout the world. The attack that is most often considered for RSA is the factoring of the public key. If this can be achieved, all messages written with the public key can be decrypted. The point is that with very large numbers, factoring takes an unreasonable amount of time . It has not been proven that breaking the RSA algorithm is equivalent to factoring large numbers (there may be another, easier method), but neither has it been proven that factoring is not equivalent. I mentioned before that a chain is only as strong as its weakest link. In cryptlogy terms, the links in the chain include key generation, key management, the cryptographic algorithm and the cryptographic protocol. If there is a weakness in any one of these areas, it undermines the entire system. Imagine an eavesdropper was able to generate session keys in the same order that an e-commerce site web server used to get credit card details securely from customers over the Internet; this would allow the eavesdropper to read all the transactions. The section on random number generators discusses this topic.

It's now time to get into the details of attacks on RSA.

Searching the Message Space

One of the seeming weaknesses of public key cryptography is that one has to give away to everybody the algorithm that encrypts the data. If the message space is small, then one could simply try to encrypt every possible message block, until a match is found with one of the ciphertext blocks. In practice this would be an insurmountable task because the block sizes are quite large.
Guessing d

Another possible attack is a known ciphertext attack. This time the attacker knows both the plaintext and ciphertext (they simply has to encrypt something). They then try to crack the key to discover the private exponent, d. Then the system has been broken completely and all further cipher texts can be decrypted. The problem with this attack is that it is slow. There are an enormous number of possible ds to try. This method is a factorizing algorithm as it allows us to factor n. Since factorizing is an intractable problem we know this is very difficult. This method is not the fastest way to factorize n. Therefore one is suggested to focus effort into using a more efficient algorithm specifically designed to factor n. This advice was given in the original paper.
Cycle Attack

This attack is very similar to the last. The idea is that we encrypt the ciphertext repeatedly, counting the iterations, until the original text appears. This number of re-cycles will decrypt any ciphertext. Again this method is very slow and for a large key it is not a practical attack. A generalization of the attack allows the modulus to be factored and it works faster the majority of the time. But even this will still have difficulty when a large key is used. Also the use of p -- strong primes aids the security. The bottom line is that the generalized form of the cipher attack is another factoring algorithm. It is not efficient, and therefore the attack is not good enough compared with modern factoring algorithms (e.g. Number Field Sieve). I noticed an improvement on this algorithm. The suggested way is to use the public exponent of the public key to re-encrypt the text. However any exponent should work so long as it is coprime to (p-1).(q-1)(where p, q are factors of the modulus). So I suggest using an exponent such as

216 + 1. This number has only two 1s in its binary representation. Using binary fast exponentiation, we use only 16 modular squarings and 1 modular multiplication. This is likely to be faster than the actual public exponent. The trouble is that we cannot be sure that it is coprime to (p-1). (q-1). In practice, many RSA systems use 2 16 + 1 as the encrypting exponent for its speed.

Common Modulus
One of the early weaknesses found was in a system of RSA where the users within an organization would share the public modulus. That is to say, the administration would choose the public modulus securely and generate pairs of encryption and decryption exponents (public and private keys) and distribute them all the employees/users. The reason for doing this is to make it convenient to manage and to write software for. However, Simmons shows how this would allow any eavesdropper to view any messages encrypted with two keys; for example when a memo is sent to several employees. DeLaurentis went further to demonstrate how the system was at even more risk from insiders, who could break the system completely, allowing them to view all messages and sign with anybody's key.
Faulty Encryption

Joye and Quisquater showed how to capitalise on the common modulus weakness due to a transient error when transmitting the public key. Consider the situation where an attacker, Malory, has access to the communication channel used by Alice and Bob. In other words, Malory can listen to anything that is transmitted, and can also change what is transmitted. Alice wishes to talk privately to Bob, but does not know his public key. She requests by sending an email, to which Bob replies. But during transmission, Malory is able to see the public key and decides to flip a single bit in the public exponent of Bob, changing (e,n) to (e',n). When Alice receives the faulty key, she encrypts the prepared message and sends it to Bob (Malory also gets it). But of course, Bob cannot decrypt it because the wrong key was used. So he lets Alice know and they agree to try again, starting with Bob re-sending his public key. This time Malory does not interfere. Alice sends the message again, this time encrypted with the correct public key. Malory now has two ciphertext, one encrypted with the faulty exponent and one with the correct one. She also knows both these exponents and the public modulus. Therefore she can now apply the common modulus attack to retrieve Alice's message, assuming that Alice was foolish enough to encrypt exactly the same message the second time.

A demonstration of the Common Modulus attack and the Faulty Encryption attack can be found in this Mathematical notebook.
Low Exponent

In the cycle attack section above, I suggested that the encrypting exponent could be chosen to make the system more efficient. Many RSA systems use e=3 to make encrypting faster. However, there is a vulnerability with this attack. If the same message is encrypted 3 times with different keys (that is same exponent, different moduli) then we can retrieve the message. The attack is based on the Chinese Remainder Theorem. See The Handbook of Applied Cryptography for an explanation and algorithm.

Conclusion To find the RSA:

n = pq, where p and q are distinct primes. phi, = (p-1)(q-1) e < n such that gcd(e, phi)=1 d = e-1 mod phi. c = me mod n, 1<m<n. m = cd mod n.

1. 2. 3. 4. 5. 6. [Wikipedia] [] sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CDEQFjAA & %2Fetudiants%2FMIGS2%2FFichiers%2FAnglais %2FExposeCeline.pdf&ei=oFNiUbnvLYn4rQfSr4HgAg&usg=AFQjCNE1 AoFgq82j2K45TsjugLfPVewAvg&sig2=aKnc5806Nhhziq4n1A0T3g&bvm= bv.44770516,d.bmk [A pdf file ] %20Documents/Security/RSA%20Algorithm_and_ClassParticipation.doc sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CDEQFjAA &

7. 8. 9.

%2520Algorithm_and_ClassParticipation.doc&ei=8VNiUc7oKYjrrQeBkY DQCg&usg=AFQjCNE1He9BrZ1HDqNn_IDanIxouR2ioQ&sig2=F1aNxlh EWzf0apkM5lt0Zw&bvm=bv.44770516,d.bmk [A doc file]