OF RSA CRYPTOSYSTEM AND APPLICATION
Speciality: Mathematical foundation for computer
and computing systems
SUMMARY OF MATHEMATICAL DOCTORAL THESIS
HA NOI-2011
MILITARY INSTITUTE OF SCIENCE AND TECHNOLOGY
Supervisors:
1 Dr Leu Duc Tan
Reviewer 1: Assoc. Prof. Dr Hoang Van Tao
Government Information Security Commission
Reviewer 2: Dr Tran Van Truong
Government Information Security Commission
Reviewer 3: Assoc. Prof. Dr Đinh The Cuong
Le Quy Don Technical University
This thesis will be defended at the board of doctoral examination - Military Institute of Science and Technology at
…./…./…./2011
This thesis can be found at:
- Library of Military Institute of Science and Technology
- National Library of Vietnam
INTRODUCTION
As with all other cryptographic primitives, the model and algorithm structure of the RSA cryptosystem are public. However, a difficult problem is how to select and use the system parameters of this cryptosystem so that it ensures security and effectiveness.
Thus, the construction of security criteria for RSA parameters is still of interest to many scientists. Many documents related to this area have been published, for example ANSI X9.31, NIST 800-57 and FIPS 186-3.
However, along with the development of cryptography, cryptanalysis has developed many new attacks on the RSA cryptosystem. Studying the existing security criteria, as well as studying and proposing new security criteria for RSA parameters, is therefore very necessary.
From the above practical requirements, choosing the topic “A standard system for security parameters of RSA cryptosystem and application” for study is reasonable.
Objective of the research
An overview study to master the knowledge of the RSA cryptosystem and of the security criteria for RSA parameters that have been published in international standards; proposing new security criteria for RSA parameters (studying and supplementing the existing criteria as well as proposing new criteria); applying secure RSA parameters to the Web security protocols.
Object of the research
The thesis chooses the RSA cryptosystem and the web security protocol for study.
Contents of research
Study an overview of the RSA public key cryptosystem.
Study and build the security criteria for RSA parameters.
Build and implement algorithms to generate secure RSA parameters that satisfy the above criteria.
Study how to apply the secure RSA parameters to the web security protocols.
Thesis organization
The thesis consists of three chapters and the following sections: introduction, conclusion, publication list and appendixes.
New research contents of thesis
Propose and supplement quantification for the existing criteria.
Propose new criteria to resist the cycling attack on the RSA cryptosystem.
Construct and code the algorithm to generate secure RSA parameters and integrate it into certificate generation software that follows the X509 standard.
Modify Web browser software to ensure security for web transactions using secure RSA parameters.
CHAPTER 1 OVERVIEW OF RSA PARAMETER CRITERIA AND WEB SECURITY PROTOCOLS
To explain the necessity of the work and to build a foundation for implementing the thesis contents, this chapter presents some results of the related publications.
1.1 DEFINITIONS AND SYMBOLS
Trivial Divisor: The divisors 1, -1, N and -N are called trivial divisors of the integer N.
Prime Number: An integer N>1 is a prime number if it has only trivial divisors.
Composite number: An integer N>1 is a composite number if it is not a prime number.
Primality Certificate: A mathematical proof that a given number is really a prime number.
Trial Division: Trial division of N checks all prime numbers that are smaller than or equal to $N^{1/2}$ to see whether they divide N.
Secure strength (secure_strength): A value related to the amount of work (the number of operations) that is required to crack a cryptographic algorithm or a cryptosystem. Namely, a cryptographic algorithm with given parameters is said to have the security level secure_strength if cracking this algorithm requires at least $2^{\text{secure\_strength}}$ operations.
$p_1$, $p_2$, $q_1$, $q_2$ are called auxiliary primes.
1.2 RSA PUBLIC KEY ENCRYPTION
1.2.1 Key generation algorithm for RSA public key encryption
Step 1: Generate two large random (and distinct) primes p and q;
Step 2: Compute $N = pq$ and $\mathrm{lcm}(p-1, q-1)$;
Step 3: Select integer e, $1 < e < \mathrm{lcm}(p-1, q-1)$, such that
1.2.2 RSA public key encryption primitive
B encrypts a message $m \in \mathbb{Z}_N^*$ and A decrypts
Encryption: B uses public key (N, e) of A and encrypt
1.2.3 RSA signature primitive scheme
Entity A signs a message $m \in \mathbb{Z}_N^*$; entity B checks A’s signature for m.
Signature generation: A uses the secret key (N, d) to generate the signature $s = m^d \pmod N$ for m.
Signature verification: B uses A’s public key (N, e) to verify A’s signature for m; B computes $m' = s^e \pmod N$; if m = m', return “valid signature”, otherwise return “invalid signature”.
1.2.4 RSA-based cryptosystems
Nowadays, information security applications always use formative RSA public key encryption and RSA signature schemes.
In those schemes, a set of message preparation functions is used: $G = \{ g : \mathbb{Z}_N^* \to \mathbb{Z}_N^* \}$. Instead of calculating directly on the message m (as the primitive schemes do), they calculate on $x = g(m)$ with $g \in G$.
1.2.5 Security of RSA cryptosystem
The security of the RSA cryptosystem is based on the intractability of the problem of factoring the modulus N.
1.3 PRIME NUMBER GENERATION ALGORITHMS
1.3.1 Probabilistic primality tests
The thesis presents two probabilistic primality tests: the Miller-Rabin primality test and the Frobenius-Grantham primality test.
1.3.2 Prime number generation methods
1.3.2.1 Using probabilistic tests
The thesis presents two prime number generation methods using the probabilistic primality tests T: random choice of candidate and the incremental search method.
1.3.2.2 Deterministic prime number generation algorithms
The thesis presents two deterministic prime number generation algorithms: Shawe-Taylor’s algorithm and Maurer’s algorithm.
1.4 CRITERIA FOR RSA PARAMETERS
1.4.1 Criteria for RSA parameters are presented in ANSI X9.31
Criteria for the length of modulus
X9.31 recommends the length of the modulus in bits: 1024+256s, where s is an integer and $s \ge 0$.
Criteria for primes: p, q
X9.31 presents 07 criteria for the primes p and q used to create the RSA modulus.
Criteria for public exponent e
e is a positive integer such that $2 \le e \le 2^{nlen-160}$.
Criteria for private exponent d
$d = e^{-1} \pmod{\mathrm{lcm}(p-1, q-1)}$ and such that $d > 2^{512+128s}$.
1.4.2 Criteria for RSA parameters are presented in FIPS 186-3 and NIST 800-57
Minimum length of RSA modulus
NIST 800-57 recommends the minimum length of the RSA modulus in bits for which the RSA cryptosystem is secure until the years 2010, 2030 and after 2030.
Criteria for primes: p, q
FIPS 186-3 presents 06 criteria for the primes p and q used to create the RSA modulus.
Criteria for public exponent e
FIPS 186-3 recommends that the public exponent e shall be selected prior to generating the primes p, q, and that e satisfy: $2^{16} < e < 2^{256}$.
Criteria for private exponent d
FIPS 186-3 recommends that the private exponent d shall be selected satisfying $d > 2^{nlen/2}$ and $d = e^{-1} \bmod \mathrm{lcm}(p-1, q-1)$.
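The following Python sketch is an added example, not code from the thesis or from FIPS 186-3: it fixes e first, finds p and q by random candidate search with the Miller-Rabin test, and checks the exponent criteria quoted above. The function names, the default e = 65537, the 40 test rounds and the forced top two bits of each prime are assumptions made for illustration.

```python
import secrets
from math import gcd

SMALL = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic test; 40 rounds is an assumed setting."""
    if n < 41 or any(n % sp == 0 for sp in SMALL):
        return n in SMALL
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # witness found: n is composite
    return True

def random_prime(bits, e):
    """Random candidate search; top two bits set (assumption) so p*q has 2*bits bits."""
    while True:
        c = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if gcd(c - 1, e) == 1 and is_probable_prime(c):
            return c

def exponent_violations(nlen, e, d, p, q):
    """Return the names of the exponent criteria quoted above that (e, d) fails."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    checks = {"e range": 2**16 < e < 2**256,
              "d size": d > 2**(nlen // 2),
              "d inverse": (e * d) % lam == 1}
    return [name for name, ok in checks.items() if not ok]

def generate_key(nlen, e=65537):
    """Fix e first, then search for p and q; retry if any criterion fails."""
    while True:
        p, q = random_prime(nlen // 2, e), random_prime(nlen // 2, e)
        d = pow(e, -1, (p - 1) * (q - 1) // gcd(p - 1, q - 1))
        if p != q and not exponent_violations(nlen, e, d, p, q):
            return p * q, e, d, p, q
```

`exponent_violations` can also be run on its own over an existing key to report which of the three conditions it fails.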
1.4.3 Remarks
Of the three standards introduced above, only ANSI X9.31 gives the mathematical foundation for its proposed criteria. However, over time, technology has developed. Therefore, it is necessary to study the theoretical basis in order to propose the correct quantification for each standard.
1.5 RSA CRYPTOSYSTEM AND WEB SECURE PROTOCOLS
The RSA cryptosystem is used in secure web transactions through the SSL/TLS protocol.
1.5.1 Introduction about the SSL/TLS protocols
The SSL protocol provides secure communication between client/server applications.
1.5.2 SSL protocol version 3.0
SSL protocol version 3.0 has four main elements: the handshake protocol, the SSL record protocol, the SSL alert protocol and the SSL Change Cipher Spec Protocol.
1.5.3 Session key computation in SSL protocol
The session key for communication is calculated from the elements ClientHello.random, ServerHello.random and pre_master_secret, where pre_master_secret is encrypted under the RSA public key cryptosystem.
1.5.4 RSA cryptology system and secure web service
The RSA public key cryptosystem is used in the SSL secure protocol for authentication and session key establishment. However, to apply RSA parameters that give the web security protocol a high level of security, we need to modify some cryptographic properties of these applications.
it better than those results, namely:
Based on studying the existing security criteria for the parameters of the RSA cryptosystem, identify the need to improve the quantification of the existing criteria and to build new criteria that improve the security of the RSA cryptosystem.
(The building and proposing of security criteria for the RSA parameters will be presented in chapter 2.)
Introduce some prime number generation algorithms and their properties, and choose a reasonable algorithm to build the RSA parameter generation algorithm.
Study the SSL/TLS protocol and the role of the RSA cryptosystem in the above secure protocols, evaluate the applicability of RSA parameters in web applications, and then propose solutions to build web applications that apply the secure RSA parameters.
(The construction and implementation of algorithms to generate secure RSA parameters, as well as their application to the web security protocol, will be presented in chapter 3.)
CHAPTER 2 BUILDING STANDARD SYSTEM FOR SECURE PARAMETERS OF RSA CRYPTOSYSTEM
2.1 STUDYING THE EXISTING CRITERIA AND PROPOSING THE SUPPLEMENTATIONS
2.1.1 The security of RSA cryptosystem with the length of modulus
Definition 2.1 "The RSA cryptosystem with a given modulus length of nlen bits is said to have the security level secure_strength(nlen) if, using the NFS method to factorize the modulus, the complexity is $2^{\text{secure\_strength}(nlen)}$."
Table 2.1: The security of RSA cryptosystem with the given length of modulus
Definition 2.2 The RSA cryptosystem with an nlen-bit modulus is secure against a given attack if the complexity of this attack is bigger than $2^{\text{secure\_strength}(nlen)}$.
2.1.2 A criterion for the length of RSA modulus
This thesis recommends the minimum length of the RSA modulus that ensures security until the years 2015, 2020 and 2025, as shown in Table 2.3.
Table 2.3: Criteria for the minimum length of RSA modulus
To ensure that the RSA cryptosystem can resist a generic attack that uses the NFS algorithm to factorize N.
2.1.3 Criteria for primes p, q
2.1.3.1 Criteria for the prime number generation methods
The primes p, q and the auxiliary primes $p_1$, $p_2$, $q_1$, $q_2$ are provable primes.
Basis of proposal:
To ensure the correctness and security of RSA public key encryption and RSA signature schemes.
2.1.3.2 Criteria for the length of auxiliary primes
The minimum length of the auxiliary primes $p_1$, $p_2$, $q_1$, $q_2$ (related to the length of the modulus) is as shown in Table 2.4:
Table 2.4: The minimum length of the auxiliary primes
p-1 factoring attack, Williams’ p+1 factoring attack and the modified Williams’ p+1 factoring attack
2.1.3.3 Criteria for the length of the primes p, q
p and q shall be selected randomly and satisfy:
2.1.3.4 Criteria for the length of |p-q|
Table 2.5: Criteria for the minimum length of |p-q|
2.1.3.5 Criteria for the length of prime factor of |p-q|
Prime factor of |p-q| with the minimum length in bits as shown in Table 2.6
Table 2.6: Criteria for the length of prime factor of |p-q|
2.1.4 Criteria for public exponent e and secret exponent d
2.1.4.1 Current attacks related to the length of e
To minimize computation in encryption and signature verification, we can select a small public exponent, for example e = 3, 65537. However, the RSA cryptosystem is then easy to break, in the ways that Dan Boneh, Glenn Durfee pointed out.
2.1.4.2 Attacks related to the length of d
Similar to the public exponent, to minimize the computation in decryption and signature generation, we can select a small private exponent. However, the RSA cryptosystem is then easy to break through attacks such as Wiener’s attack and Boneh and Durfee’s attack. Boneh and Durfee’s attack is successful if the following inequality is satisfied:
2.1.4.3 Criteria for e and d
The length of the public exponent e is at least 32 bits
The private exponent satisfies d N0.82
Basis of proposal:
To prevent the attacks mentioned in 2.1.4.1 and 2.1.4.2.
2.2 NEW CRITERIA AGAINST CYCLING ATTACKS
2.2.1 RSA period and its properties
Definition 2.3 The least integer t>0 such that $m^{e^t} \pmod N = m$ is called the RSA period of m and is denoted by per(m).
Property 2.1 Let t=per(m); if $m^{e^{t'}} \pmod N = m$, then t divides t'.
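The following Python sketch is an added example, not code from the thesis: it computes per(m) from Definition 2.3 by direct iteration and tabulates the periods over all of Z_N^* for two constructed toy parameter sets, so the effect of the structure of p-1 and q-1 on short periods can be seen. The function names and the parameters (31, 41, e = 7) and (47, 59, e = 3) are assumptions chosen for illustration and are far too small for real use.

```python
from collections import Counter
from math import gcd

def reencrypt(m, e, n, t):
    """Return m^(e^t) mod n by applying x -> x^e mod n exactly t times."""
    for _ in range(t):
        m = pow(m, e, n)
    return m

def rsa_period(m, e, n, limit):
    """per(m) of Definition 2.3: least t > 0 with m^(e^t) mod n == m.
    Returns None when no such t <= limit exists."""
    c = m
    for t in range(1, limit + 1):
        c = pow(c, e, n)
        if c == m:
            return t
    return None

def period_histogram(p, q, e, limit):
    """Count how many m in Z_N^* (N = p*q) have each RSA period."""
    n = p * q
    return Counter(rsa_period(m, e, n, limit)
                   for m in range(1, n) if gcd(m, n) == 1)

def short_period_fraction(p, q, e, bound):
    """Fraction of Z_N^* whose RSA period is at most `bound`."""
    hist = period_histogram(p, q, e, bound)
    total = sum(hist.values())
    return (total - hist.get(None, 0)) / total

# Constructed toy parameters (assumptions), far too small for real use.
# Weak: p-1 = 30 and q-1 = 40 are smooth; e = 7 has order 4 mod lcm(30, 40) = 120.
WEAK = (31, 41, 7)
# Structured: p-1 = 2*23 with 23-1 = 2*11, and q-1 = 2*29 with 29-1 = 4*7.
STRUCTURED = (47, 59, 3)

if __name__ == "__main__":
    print(short_period_fraction(*WEAK, bound=4))
    print(short_period_fraction(*STRUCTURED, bound=4))
    print(sorted(period_histogram(*STRUCTURED, limit=400).items()))
```

With the weak parameters every message returns to itself within four applications of the RSA map, while with the structured parameters only four of the 2668 units do.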
Lemma 2.2 Let $m \in \mathbb{Z}_N^*$ and $a = \mathrm{ord}_N(m)$; then we have:
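To be able to prevent the above attack, the RSA parameters need to be such that the set $M$ of messages $m \in \mathbb{Z}_N^*$ whose period $per(m)$ is bounded above by $B$, with $B$ small enough, is sparse. To achieve this we can rely on the result of Lemma 2.3.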
Lemma 2.3 Let p and 1 q are prime factors of 1 p and 1 q ; 1
1
q ord e multiple
of q then we have: 11
1 1
1Prob m N :per m( ) B
Criteria for the minimum length of $p_{11}$, $q_{11}$
The minimum length of the prime factors $p_{11}$, $q_{11}$ of $p_1 - 1$ and $q_1 - 1$
2.3 SECURE CRITERIA FOR PROPOSED RSA PARAMETERS
The following is the collection of security criteria for the RSA parameters proposed in this chapter.
Criterion N1 (criteria for the length of modulus):
The minimum length of the RSA modulus for which the RSA cryptosystem remains secure until the years 2015, 2020 and 2025 is as shown in Table 2.3.
Criterion PQ1 (the first criterion for the primes p, q):
The primes p, q and the auxiliary primes $p_1$, $p_2$, $q_1$, $q_2$ are provable primes.
Criterion PQ2 (the second criterion for the primes p, q):
The minimum length of the auxiliary primes $p_1$, $p_2$, $q_1$, $q_2$ is as shown in Table 2.4.
Criterion PQ3 (the third criterion for the primes p, q):
p and q are selected randomly and satisfy:
( 2)(2nlen ) p q, (2nlen 1)
Criterion PQ4 (the fourth criterion for the primes p, q):
The minimum length of |p-q| as shown in table 2.5
Criterion PQ5 (the fifth criterion for the primes p, q):
Prime factor of |p-q| with the minimum length in bit as shown in Table 2.6
Criterion PQ6 (the sixth criterion for the primes p, q):
The minimum length of the prime factors $p_{11}$, $q_{11}$ of $p_1 - 1$ and $q_1 - 1$ is as shown in Table 2.7.
Criterion D1 (criteria for the private exponent d)
The minimum length of the private exponent d as shown in table 2.13