Which key should Alice use for encrypting messages to Bob with an asymmetric cipher?

RSA algorithm is a type of asymmetric encryption algorithm. It is an asymmetric algorithm because it requires two keys, that is, a private key and a public key for the encryption process. The public key is known to everyone as the name suggests while the private key is known to the sender and receiver only.

(a)

Calculate n which is the product of p and q, that is, n = p * q.

n = 11 * 23

= 253

The public key is the combination of the values of n and e and thus the required public key is (147, 253).

(b)

Calculate the value of (p - 1)*(q - 1) by substituting 11 for p and 23 for q into the expression

(p - 1)(q - 10) = (11 - 1)(23 - 1)

= 10 * 22

= 220

Calculate the value of d by substituting 220 for (p - 1)*(q - 1) into the formula e.d mod { (p-1) * (q-1) } = 1.

147 * d mod 220 = 1

The value of 147 * d mod 220 is 1 for d = 3 as 147*3 = 441 and 441 mod 220 is 1.

In RSA, the private key is of the form (d, n), and thus the required private key is (3, 253)

(b)

Encrypt the plain text message m which is equal to 4 using the formula c = m^e mod n. C represents the corresponding encrypted message for the plain text m.

c = 4^147 mod 253

= 49

So the encrypted message is 49

(c)

The encrypted message is c = 49, decrypt the message to obatine the actual plain message using the formula m = c^d mod n.

m = 49^3 mod 253

= 1,17,649 mod 253

= 4

The message obtained after decryption is 4 is is equal to the actual message sent.

The message can only be deciphered by Alice because the message is deciphered using the private key d which is not known to everyone and is only known to Alice. RSA algorithm is a kind of asymmetric encryption algorithm that uses both private and public keys for encryption and description for plain text. In this encryption algorithm, the public key is a public component that is known to everyone but the private key is a private component that is only known to the sender and receiver. In the provided scenario, the private key is known to Alice only and that’s why only Alice can decipher the messages sent by Bob.

Asymmetric cryptography also uses mathematical permutations to encrypt a plain text message, but it uses two different permutations, still known as keys, to encrypt and decrypt messages. With asymmetric cryptography, a public key that can be shared with anyone gets used to encrypt messages while a private key that’s known only by the recipient gets used to decrypt messages.  

Nội dung chính Show

• 11. Public-Key (Asymmetric) Encryption
• 11.1. Overview
• 11.2. Trapdoor One-way Functions
• 11.3. RSA Encryption
• 11.4. El Gamal encryption
• 11.5. Public Key Distribution
• 11.6. Session Keys
• Which of the following would Alice use to encrypt a message to Bob if she is using asymmetric encryption?
• When Alice sends a message to Bob what key will she use to encrypt the message?
• How can Alice send Bob a message in a way that assures Bob that the message came from Alice?
• When Alice wants to send confidential email to bob How do they share a symmetric private key?

Critically, it should be relatively easy to compute the public key from the private key but nearly impossible to do the reverse and generate the private key from the public key. Three popular mathematical permutations, known as RSA, ECC and Diffie-Hellman, accomplish this today. Each uses different algorithms but they all rely on the same basic principles. For instance, the RSA 2048 bit algorithm randomly generates two prime numbers that are each 1024 bits long and then multiplies them together. The answer to that equation is the public key, while the two prime numbers that created the answer are the private key. 

How exactly does this all work? Let’s say Alice wants to send a private message to Bob. Bob can share his public key with Alice, which she then uses to encrypt her message. Once the message gets encrypted, only Bob’s private key can decrypt it. This means that as long as Bob ensures no one else has his private key, then no one can read the encrypted message 

The above example offers a more secure way to encrypt messages compared to symmetric cryptography; however, asymmetric cryptography also powers additional, more advanced use cases.  

Consider digital signatures. In this case, Bob might want to send a message to Alice and add a digital signature so she can verify it was in fact Bob who sent it. He can do so by encrypting a signature using his private key. When Alice receives the message, she can use Bob’s public key to verify that Bob (or someone with Bob’s private key) sent the message and that the message was not modified in transit (because if it does get modified, the verification will fail). 

It’s important to note that all of these examples are one-way. To reverse any of them (e.g. so Bob can send private messages to Alice and Alice can send messages to Bob that contain her digital signature), Alice needs her own private key and must share the corresponding public key with Bob. 

11. Public-Key (Asymmetric) Encryption

11.1. Overview

Previously we saw symmetric-key encryption, where Alice and Bob share a secret key \(K\) and use the same key to encrypt and decrypt messages. However, symmetric-key cryptography can be inconvenient to use, because it requires Alice and Bob to coordinate somehow and establish the shared secret key. Asymmetric cryptography, also known as public-key cryptography, is designed to address this problem.

In a public-key cryptosystem, the recipient Bob has a publicly available key, his public key, that everyone can access. When Alice wishes to send him a message, she uses his public key to encrypt her message. Bob also has a secret key, his private key, that lets him decrypt these messages. Bob publishes his public key but does not tell anyone his private key (not even Alice).

Public-key cryptography provides a nice way to help with the key management problem. Alice can pick a secret key \(K\) for some symmetric-key cryptosystem, then encrypt \(K\) under Bob’s public key and send Bob the resulting ciphertext. Bob can decrypt using his private key and recover \(K\). Then Alice and Bob can communicate using a symmetric-key cryptosystem, with \(K\) as their shared key, from there on.

11.2. Trapdoor One-way Functions

Public-key cryptography relies on a close variant of the one-way function. Recall from the previous section that a one-way function is a function \(f\) such that given \(x\), it is easy to compute \(f(x)\), but given \(y\), it is hard to find a value \(x\) such that \(f(x)=y\).

A trapdoor one-way function is a function \(f\) that is one-way, but also has a special backdoor that enables someone who knows the backdoor to invert the function. As before, given \(x\), it is easy to compute \(f(x)\), but given only \(y\), it is hard to find a value \(x\) such that \(f(x) = y\). However, given both \(y\) and the special backdoor \(K\), it is now easy to compute \(x\) such that \(f(x) = y\).

A trapdoor one-way function can be used to construct a public encryption scheme as follows. Bob has a public key \(PK\) and a secret key \(SK\). He distributes \(PK\) to everyone, but does not share \(SK\) with anyone. We will use the trapdoor one-way function \(f(x)\) as the encryption function.

Given the public key \(PK\) and a plaintext message \(x\), it is computationally easy to compute the encryption of the message: \(y = f(x)\).

Given a ciphertext \(y\) and only the public key \(PK\), it is hard to find the plaintext message \(x\) where \(f(x) = y\). However, given ciphertext \(y\) and the secret key \(SK\), it becomes computationally easy to find the plaintext message \(x\) such that \(y=f(x)\), i.e., it is easy to compute \(f^{-1}(y)\).

We can view the private key as “unlocking” the trapdoor. Given the private key \(SK\), it becomes easy to compute the decryption \(f^{-1}\), and it remains easy to compute the encryption \(f\).

Here are two examples of trapdoor functions that will help us build public encryption schemes:

• RSA Hardness: Suppose \(n=pq\), i.e. \(n\) is the product of two large primes \(p\) and \(q\). Given \(c = m^e \pmod{n}\) and \(e\), it is computationally hard to find \(m\). However, with the factorization of \(n\) (i.e. \(p\) or \(q\)), it becomes easy to find \(m\).

• Discrete log problem: Suppose \(p\) is a large prime and \(g\) is a generator. Given \(g\), \(p\), \(A = g^a \pmod{p}\), and \(B = g^b \pmod{p}\), it is computationally hard to find \(g^{ab} \pmod{p}\). However, with \(a\) or \(b\), it becomes easy to find \(g^{ab} \pmod{p}\).

11.3. RSA Encryption

Under construction

For now, you can refer to these notes from CS 70 for a detailed proof of RSA encryption. For this class, you won’t need to remember the proof of why RSA works. All you need to remember is that we use the public key to encrypt messages, we use the corresponding private key to decrypt messages, and an attacker cannot break RSA encryption unless they can factor large primes, which is believed to be hard.

There is a tricky flaw in the RSA scheme described in the CS 70 notes. The scheme is deterministic, so it is not IND-CPA secure. Sending the same message multiple times causes information leakage, because an adversary can see when the same message is sent. This basic variant of RSA might work for encrypting “random” messages, but it is not IND-CPA secure. As a result, we have to add some randomness to make the RSA scheme resistant to information leakage.

RSA introduces randomness into the scheme through a padding mode. Despite the name, RSA padding modes are more similar to the IVs in block cipher modes than the padding in block cipher modes. Unlike block cipher padding, public-key padding is not a deterministic algorithm for extending a message. Instead, public-key padding is a tool for mixing in some randomness so that the ciphertext output “looks random,” but can still be decrypted to retrieve the original plaintext.

One common padding scheme is OAEP (Optimal Asymmetric Encryption Padding). This scheme effectively generates a random symmetric key, uses the random key to scramble the message, and encrypts both the scrambled message and the random key. To recover the original message, the attacker has to recover both the scrambled message and the random key in order to reverse the scrambling process.

11.4. El Gamal encryption

The Diffie-Hellman protocol doesn’t quite deliver public-key encryption directly. It allows Alice and Bob to agree on a shared secret that they could use as a symmetric key, but it doesn’t let Alice and Bob control what the shared secret is. For example, in the Diffie-Hellman protocol we saw, where Alice and Bob each choose random secrets, the shared secret is also a random value. Diffie-Hellman on its own does not let Alice and Bob send encrypted messages to each other. However, there is a slight variation on Diffie-Hellman that would allow Alice and Bob to exchange encrypted messages.

In 1985, a cryptographer by the name of Taher Elgamal invented a public-key encryption algorithm based on Diffie-Hellman. We will present a simplified form of El Gamal encryption scheme. El Gamal encryption works as follows.

The public system parameters are a large prime \(p\) and a value \(g\) satisfying \(1

Now, suppose Alice has a message \(m\) (in the range \(1\ldots p-1\)) she wants to send to Bob, and suppose Alice knows that Bob’s public key is \(B\). To encrypt the message \(m\) to Bob, Alice picks a random value \(r\) (in the range \(0\ldots p-2\)), and forms the ciphertext

\[(g^r \bmod p, m \times B^r \bmod p).\]

Note that the ciphertext is a pair of numbers, each number in the range \(0\ldots p-1\).

How does Bob decrypt? Well, let’s say that Bob receives a ciphertext of the form \((R,S)\). To decrypt it, Bob computes

\[R^{-b} \times S \bmod p,\]

and the result is the message \(m\) Alice sent him.

Why does this decryption procedure work? If \(R=g^r \bmod p\) and \(S = m \times B^r \bmod p\) (as should be the case if Alice encrypted the message \(m\) properly), then

\[R^{-b} \times S = (g^r)^{-b} \times (m \times B^r) = g^{-rb} \times m \times g^{br} = m \pmod p.\]

If you squint your eyes just right, you might notice that El Gamal encryption is basically Diffie-Hellman, tweaked slightly. It’s a Diffie-Hellman key exchange, where Bob uses his long-term public key \(B\) and where Alice uses a fresh new public key \(R=g^r \bmod p\) chosen anew just for this exchange. They derive a shared key \(K=g^{rb}=B^r=R^b \pmod p\). Then, Alice encrypts her message \(m\) by multiplying it by the shared key \(K\) modulo \(p\).

That last step is in effect a funny kind of one-time pad, where we use multiplication modulo \(p\) instead of xor: here \(K\) is the key material for the one-time pad, and \(m\) is the message, and the ciphertext is \(S=m \times K = m \times B^r \pmod p\). Since Alice chooses a new value \(r\) independently for each message she encrypts, we can see that the key material is indeed used only once. And a one-time pad using modular multiplication is just as secure as xor, for essentially the same reason that a one-time pad with xor is secure: given any ciphertext \(S\) and a hypothesized message \(m\), there is exactly one key \(K\) that is consistent with this hypothesis (i.e., exactly one value of \(K\) satisfying \(S = m \times K \bmod p\)).

Another way you can view El Gamal is using the discrete log trapdoor one-way function defined above: Alice encrypts the message with \(B^r = g^{br} \pmod{p}\). Given only \(g\), \(p\), \(R = g^r \pmod{p}\), and \(B = g^b \pmod{p}\), it is hard for an attacker to learn \(g^{-br} \pmod{p}\) and decrypt the message. However, with Bob’s secret key \(b\), Bob can easily calculate \(g^{-br} \pmod{p}\) and decrypt the message.

Note that for technical reasons that we won’t go into, this simplified El Gamal scheme is actually not semantically secure. With some tweaks, the scheme can be made semantically secure. Interested readers can read more at this link.

Here is a summary of El Gamal encryption:

• System parameters: a 2048-bit prime \(p\), and a value \(g\) in the range \(2\ldots p-2\). Both are arbitrary, fixed, and public.

• Key generation: Bob picks \(b\) in the range \(0\ldots p-2\) randomly, and computes \(B=g^b \bmod p\). His public key is \(B\) and his private key is \(b\).

• Encryption: \(E_B(m) = (g^r \bmod p, m \times B^r \bmod p)\) where \(r\) is chosen randomly from \(0\ldots p-2\).

• Decryption: \(D_b(R,S) = R^{-b} \times S \bmod p\).

11.5. Public Key Distribution

This all sounds great—almost too good to be true. We have a way for a pair of strangers who have never met each other in person to communicate securely with each other. Unfortunately, it is indeed too good to be true. There is a slight catch. The catch is that if Alice and Bob want to communicate securely using these public-key methods, they need some way to securely learn each others’ public key. The algorithms presented here don’t help Alice figure out what is Bob’s public key; she’s on her own for that.

You might think all Bob needs to do is broadcast his public key, for Alice’s benefit. However, that’s not secure against active attacks. Attila the attacker could broadcast his own public key, pretending to be Bob: he could send a spoofed broadcast message that appears to be from Bob, but that contains a public key that Attila generated. If Alice trustingly uses that public key to encrypt messages to Bob, then Attila will be able to intercept Alice’s encrypted messages and decrypt them using the private key Attila chose.

What this illustrates is that Alice needs a way to obtain Bob’s public key through some channel that she is confident cannot be tampered with. That channel does not need to protect the confidentiality of Bob’s public key, but it does need to ensure the integrity of Bob’s public key. It’s a bit tricky to achieve this.

One possibility is for Alice and Bob to meet in person, in advance, and exchange public keys. Some computer security conferences have “key-signing parties” where like-minded security folks do just that. In a similar vein, some cryptographers print their public key on their business cards. However, this still requires Alice and Bob to meet in person in advance. Can we do any better? We’ll soon see some methods that help somewhat with that problem.

11.6. Session Keys

There is a problem with public key: it is slow. It is very, very slow. When encrypting a single message with a 2048b RSA key, the RSA algorithm requires exponentiation of a 2048b number to a 2048b power, modulo a 2048b number. Additionally, some public key schemes only really work to encrypt “random” messages. For example, RSA without OAEP leaks when the same message is sent twice, so it is only secure if every message sent consists of random bits. In the simplified El Gamal scheme shown in these notes, it is easy for an attacker to substitute the message \(M' = 2M\). If the messages have meaning, this can be a problem.

Because public key schemes are expensive and difficult to make IND-CPA secure, we tend to only use public key cryptography to distribute one or more session keys. Session keys are the keys used to actually encrypt and authenticate the message. To send a message, Alice first generates a random set of session keys. Often, we generate several different session keys for different purposes. For example, we may generate one key for encryption algorithms and another key for MAC algorithms. We may also generate one key to encrypt messages from Alice to Bob, and another key to encrypt messages from Bob to Alice. (If we need different keys for each message direction and different keys for encryption and MAC, we would need a total of four symmetric keys.) Alice then encrypts the message using a symmetric algorithm with the session keys (such as AES-128-CBC-HMAC-SHA-256 1) and encrypts the random session keys with Bob’s public key. When he receives the ciphertext, Bob first decrypts the session keys and then uses the session keys to decrypt the original message.

Which of the following would Alice use to encrypt a message to Bob if she is using asymmetric encryption?

Alice can use her own Private Key to encrypt the message. Which makes it so the only key in the world that can decrypt her message is her Public key — which she knows Bob (and anyone else) has access to. The message is sent to Bob, who then uses Alice's Public Key to decrypt the message.

When Alice sends a message to Bob what key will she use to encrypt the message?

If Alice sends Bob a message and that message is encrypted with two keys simultaneously: a symmetric key (Ks) and Bob's public key. The symmetric key (Ks) is also sent to Bob, encrypted with the private key of Alice.

How can Alice send Bob a message in a way that assures Bob that the message came from Alice?

Alice wants to send Bob a message. She wants to assure data confidentiality, so she'll use asymmetric encryption to send it. She used Bob's public key to encrypt the message.

Symmetric-Key Encryption Instead, Alice arranges to meet Bob at a nearby bar to give him one of the keys. It's inconvenient, but she only has to do it once. After Alice gets home she uses her key to lock her message into the lockbox. Then she sends the lockbox to Bob.

What key does Alice use to encrypt to Bob?

Which key is used for asymmetric encryption?

Which type of crypto key can be used to encrypt a message from Alice to Bob where only Bob can be expected to decrypt it?

How many key are used for asymmetric key cipher?

What is Alice's public key?