Practical assessment week 9 and 10
1. RSA cryptosystem “scholar” approach.
Let us take nN, and compute it as n=pq, where p and q are distinct large primes selected
randomly.
Than compute (n) = (p-1)(q-1) and choose randomly (here will have a problem) a natural
odd number e with the property that e  1 such that gcd(e, (n))=1.
Now determine dN with the property that ed ≡ 1 (mod (n)).
The property can be rewritten as (me)d ≡ m (mod n) for all integers m.
RSA key Generation
Input: – an integer k > 0;
Output:–(N, e, d) with N a k bits number and, if needed,(p,q);
Begin:
Compute randomly a prime p of k/2 bits;
Compute randomly a prime q of k/2 bits;
Compute N = p q and ϕ(N) = (p − 1)(q − 1);
Compute (or choose) an integer e with GCD(e, ϕ(n)) = 1;
Compute d = e−1 mod ϕ(N) ;
Return (N, e, d) and, if needed, (p, q);
End
Key generation. To participate in the RSA cryptosystem, Bob must first generate a public and
private key. He only needs to do this once, even if he plans to use the system many times.
 Select two large prime numbers p and q at random.
 Compute n = p × q.
e d
 Select two integers e and d such that (m ) ≡ m (mod n) for all integers m.
As an example, we might choose the following parameters, although in practice we would
need to use much larger integers to guarantee security.
p
n
e
d
=
=
=
=
11, q = 29
11 * 29 = 319
3
187
Encryption. Alice wants to send an N-bit secret message m to Bob. She obtains Bob's public
key (e, n) from the Internet. Then she encrypts the message m using the encryption function
E(m) = me (mod n), and sends E(m) to Bob.
m
= 100
E(m) = 1003 (mod 319)
= 254
Decryption. Bob receives the encrypted message c from Alice. Bob recalls his private key (d,
n). Then he decrypts the ciphertext by applying the decryption function D(c) = cd (mod n).
Since Bob knows d, he can compute this function.
c
= 254
D(c) = 254187 (mod 319) = 100
2. Implementing the RSA cryptosystem some hints
(1) Browse the available Recommendations from national agencies (NSA, NIST, FIPS, BSI,
aso);
(2) Compare Recommendations and Implementations in open source software (OpenSSL,
PolarSSL, GnuPG, libgcrypt, aso)
(3) Use Big integers (Java, .Net), or Lint: Large Integer Object Library (C++) or Long
integer programming by Ajren K. Lenstra (C)
(4) Use Sophie Germaine prime (a prime number p is a Sophie Germain prime if 2p + 1 is
also prime)
(5) Doing modular exponentiation: ab (mod c). For large numbers is better to use repeated
squaring that uses the following recurrence to compute ab mod n:
1. if b is zero: 1
2. if b is even: (ab/2 * ab/2) mod n
3. if b is odd: (a * ab/2 * ab/2) mod n
This is analogous to the following recurrence for multiplication.
4. if b is zero: 1
5. if b is even: (a * b/2) + (a * b/2)
6. if b is odd: (a * b/2) + (a * b/2) + a
(6) Computing a random prime. To generate the key, we must have a method for generating a
random N-bit prime, say N = 1024. One idea is to choose an N-bit integer at random and
check if it is prime. If it is, then stop; otherwise repeat until you stumble upon one that is
prime.
(7) Generating random numbers. The Java library SecureRandom is a pseudo-random
number generator that generates cryptographically secure random numbers or use the
real-time atmospheric noise or a hardware random number generator
(8) Computing the private exponent. One final challenge is choosing the public and private
keys. In practice it is common use e = 65,537 as the public key. Unfortunately FIPS in
2009 suggest to select e prior to generating the primes p and q, and that the exponent e
shall be an odd positive integer such that: 216< e < 2256. A unique d always exists when
gcd(e, (p-1)(q-1)) = 1. We can use an extension of Euclid's algorithm to verify that. Here
is an example about how GnuPG v1.2.3 compute e after the computation of p and q
(where (n) = (p-1)(q-1)).
do
…
if
ϕ(N) ≠ 0 mod (41)
then e = 41;
else If ϕ(N) ≠ 0 mod (257)
then e = 257;
Else
e = 65537;
while GCD(e, ϕ(N)) ≠ 1 : e = e + 2;
Another approach used by RSA in libgcrypt 1.4.4 where e ≥ 65537 and complies with
ANS X9.31 (lcm stands from least common multiple):
Input: — an integer k = 1024 + 256s > 0;
Output: — (N, e, d) with N a k bit number
Begin:
e = 65537;
Compute randomly a prime p of k/2 bits;
Compute randomly a prime q of k/2 bits;
Compute N = p*q and ϕ(N) = (p − 1)*(q − 1);
Compute λ(N) = lcm(p − 1, q − 1) = ϕ(N)/gcd(p − 1, q − 1)
While GCD(e, λ(N)) ≠ 1 e = e + 2;
Compute d = e−1mod f ;
End.
(9) Beginning with 2006 NSA recommend that RSA can be used with a 2048-bit modulus to
protect classified information up to the SECRET level but just until transition to the use
of elliptic curve cryptography.
(10) Regarding d we also have some constraints. The private exponent d is computed
generally after e (duality). We must avoid small values for d. It is recommended to use
private exponents of k bits (see RSA key generation algorithm).
(11) NIST in 2009 requires that the auxiliary of p − 1, p + 1, q − 1, and q + 1 and also p and q
have to be provable primes (and greater than 2100)
(12) Also NIST in 2008: recommend that RSA authentication keys length must be 1024 or
2048 bits and 2048 bits after. Also a certificate authority – CA must use 2048, 3072, or
4096 bits for RSA
3. RSA Attacks
Here we have a few common attacks to the RSA cryptosystem:
 Factoring. If you use key with the length over 1024 bits this will not be a problem
 Improper usage. The RSA system can also be broken if it is used improperly. For
example, if Bob decides to use a small private exponent to lessen his computational
burden for decryption, then he is sacrificing security. Another mistake is to allow two
participants to share the same modulus n (even if neither party knows how to factor n).
For example, suppose Bob and Ben have (d1, e1) and (d2, e2) for their private and public
exponents, respectively, but they are both using n as their modulus. Then it is possible for
either party to discover the other's private exponent (Simmon's attack).
 Side channel attack. Exploit physical information leaked from machine, including
electromagnetic emanations, power consumption, diffuse visible light from CRT displays,
and acoustic emanations. For example, in a timing attack Eve gleans information about
Bob's private key by measuring the amount of time it takes for Bob to exponentiate. If
Bob is using a highly optimized exponentiation routine, then Eve can discover enough
information to reveal Bob's private key. Recently, Dan Boneh showed how to use this
technique to break SSL on a LAN.
4. Jobs
1. Write a program to generate a key pair for use with the RSA cryptosystem, determine two
N/2 bit primes p and q. Set e = 65537, compute n = (p-1)(q-1), and find a number d such
that (e * d) % n == 0. Assuming gcd(e, n) = 1, the inverse d will exist.
2. Write a program to Generate public and private RSA keys using Sophie Germain primes
3. Write a program to Generate public and private RSA keys using Sophie Germain primes
and an good random generator
4. Write a program to Generate public and private RSA keys using Sophie Germain primes
and libgcrypt approach a good random generator.
5. Write a program to Generate public and private RSA keys using Sophie Germain primes
and libgcrypt approach a good random generator make time measurements for each part
of the program.
5. Homework
Using the random functions for large numbers available on at least three compilers make
some measurements regarding the number distribution on some chosen intervals between the
random function available in crypto-library and the others. The measurements may be
computed separately but on the same intervals and the results gathered and processed into an
excel file
References
http://pajhome.org.uk/crypt/rsa/implementation.html
http://introcs.cs.princeton.edu/java/78crypto/
http://www.win.tue.nl/~klenstra/
http://primes.utm.edu/primes/
http://en.wikipedia.org/wiki/Sophie_Germain_prime
http://www.random.org/randomness/
http://en.wikipedia.org/wiki/Hardware_random_number_generator
Matt Bishop, Computer Security: Art and Science, Addison-Wesley Professional, 2003
http://csrc.nist.gov/publications/drafts/800-57-part3
http://csrc.nist.gov/publications/nistpubs/800-89/SP-800-89
http://www.ietf.org/rfc/rfc3280.txt
http://en.wikipedia.org/wiki/X.509#Structure_of_a_certificate
http://www.algorithmist.com/index.php/Repeated_Squaring
http://www.di-mgt.com.au/rsa_alg.html
http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml