 Last week we looked at RSA and we introduced the algorithm and we went through the example of how do we come up or why do we need these steps for generating the key that is if we say the algorithm is to encrypt is we take our plain text message and raise to the power of E mod n then we need to make sure that when we decrypt we get the correct plain text back and therefore we went through the steps for how do we generate the keys where the the values are the values of E the public exponent D the private exponent and N and we went through an example of using RSA we may see a few more examples of RSA today we've missed or skipped over some slides which we're going to return to and save a few more things about RSA what we went through last week I wrote a fair bit on the board but in this handout which you have in front of you as well at the end of the this set of lecture notes it describes or writes down some of that discussion from last week so if you didn't follow everything of how do we derive the keys in RSA then it's in these handouts here and there's some examples as well in the lecture notes so RSA can encrypt our data and different from symmetric key cryptography we have two different keys and importantly the two users do not need to exchange a secret beforehand because with RSA I have a public key and a private key as do other users I to encrypt it to encrypt a message to send to someone else I encrypt with their public key so there's no need for some secret exchange of keys before I send the message I just ask them for their public key and they publish it on a website and an email or give it to me somehow and I can encrypt and send confidential information to them so that's a very good feature of RSA and in general public key cryptography this independence of us as shared secret key and effective if we use long enough keys we'll talk about the length a bit later but if we use large enough values it's considered secure that is if our modulus n is large enough for example a 2048 bit number maybe recommended even a thousand bit number is considered secure in some cases if the numbers are large enough RSA is considered as secure and there are no no techniques that make it any less secure than our block ciphers like AES and triple deaths so what's the problem with RSA if we've got RSA why would we still need something like AES or triple deaths anyone have an idea what what may be wrong or problem with RSA if we say it's about as secure as the block ciphers why do we still need the block ciphers slow RSA is slow okay performance not really from security but it performs much worse than the block ciphers and that's a significant problem you have used in one of your homeworks you used open SSL which is in fact two things it's a program a command line program to encrypt using different ciphers and in fact do different security operations like it can generate RSA keys it's also a library in that if you write your own software you can call the open SSL function so you don't have to implement RSA you don't have to implement triple deaths your own software calls the the functions of open SSL and they implement it for you and one nice thing is that because it implements many different ciphers we can compare the performance it has a built-in speed test open SSL speed and we can either run it and it will test all possible ciphers but I don't want to wait for too long I'll just select some ciphers deaths AES RC4 remember we covered RC4 the first two deaths and AES are block ciphers RC4 is a stream cipher which should be faster than the block ciphers and we'll also add RSA there and what that does is open SL does some tests and you can see for three seconds it it encrypts using RC4 some some data in this case 16 16 byte 16 bytes of data and it just times how long counts how many encryptions it can do and at the end it's going to report some statistics of how fast each of those ciphers can be applied and it does for different combinations which one do you think is going to be the fastest of those four ciphers deaths AES RC4 RSA which one hand we'll have a vote you've got four options deaths AES RC4 RSA which one do you think is going to be the the fastest hands up for deaths okay AES no one RC4 anyone two or three people what about RSA or hopefully no because we just said RSA the problem with it is it's too slow let's have a look at the results and it takes some time it takes a lot of time in fact because it in fact it tries different key lengths with AES you can have different key lengths 128 bit key 192 bit key 256 bit key so it's done AES above it it's done deaths and RC4 it's doing RSA now RSA is a bit different because it's slow it's not normally used to encrypt large chunks of data it's only used to encrypt small pieces of data and that limits its application to not so much for encrypting messages but for authenticating messages to making sure that the message we receive is correct has not been modified and comes from the right person so with RSA the tests are slightly different they run for 10 seconds again RSA can have different length keys in fact it's normally the modulus and which is specified so a 512 bit modulus and a thousand and 24 bit and a 2048 and even tries 4096 the recommended values nowadays are a thousand and 24 and preferably even 2048 but the larger the value will see the much slower they are this gives some the summary statistics let's see if we can get it a bit nicer it's wrapped around but let's see and I'll just make notes of some of them on the board because there are many different values with the stream and block ciphers so RC4 des it also does triple des EDE 3 AES with the different key sizes the the open SL speed test tried different size of messages so encrypts a 16 byte message and then does it again and then again and again and it counts and then it did it for 64 byte messages let's just focus on the first column the 16 byte messages with let's try our first cipher that we covered des with 16 byte messages des using CBC the motor of operation this is 51,501 kilobytes per second that's the speed at which encrypt 51,000 kilobytes which is 51.5 megabytes per second so it's just encrypting a lot of data and the measurement here is saying using these small messages you can encrypt it about 51 megabytes of data per second okay let's look at the others des triple des EDE 3 means encrypt with des decrypt with des encrypt with des with different keys so the triple des here all right three des the speed is here 18,862 kilobytes 18 megabytes per second 18.9 megabytes per second approximately one third of single des because all triple des is really is applying single des three times therefore it's going to be three times as slow as single des okay we want to be able to encrypt more megabytes per second so des is of course approximately three times faster than triple des but triple des is more secure because it uses multiple keys that increases the key length the problem with single des is that uses a or it has effectively a 56 bit key to triple des increases the key length but at the expense of performance let's focus on AES with 128 bit key AES 128 bit key 80 megabytes per second 80.3 80.4 megabytes per second so AES which is about the same strength as triple des is about four times faster than triple des so there's the advantage of AES compared to des and triple des it's secure and fast compared to the others so AES was designed with their performance in mind so they designed the algorithmic considering that or trying to optimize so that also considers performance now there's some other things that are happening here although it's not shown some so my I ran this on my laptop which is a mobile Intel i7 processor some processors support AES instructions in hardware okay normally our encryption is done in in software so it's just encrypted in software on my computer but Intel have something called AES-NI I can't remember what NI means new instruction or I'll see if I can find during the break but it's a set of instructions that the processor executes that implements some parts of the AES algorithm in hardware which makes it much faster so if your CPU supports this feature and it's common in most recent Intel processors then instead of encrypting everything in in software it offloads some parts of the AES encryption some parts of the rounds to the the chip the processor and that does some encryption and speed things up so some ciphers are supported in hardware as well what else do we see so there are the three block ciphers we have different key lengths slows things down a bit you see with AES from 128 192 so increasing the key length decreases the speed that's a general trade-off the longer the key the more secure but the slower the encryption RC4 the stream cipher up the top 340 megabytes per second more than four times faster than AES in this case so that's the benefit of the stream ciphers in this case the speed you can even see if you use larger blocks that they increase in speed up to 600 650 megabytes per second so the stream cipher a bit stream ciphers are built for speed but as you saw in your exam there are some problems if you use the keys inappropriately in a stream cipher you shouldn't repeat the the key and the same plain text because you may be to this well from the cipher text you may be to discover the the plain text so you use initialization vectors in the right way to make sure the stream ciphers are secure last one and it's reported differently because RSA is not used to encrypt large blocks of data at once because it is slow what it's used and we haven't covered it yet but it's used to provide signatures to authenticate where this data came from so we have mentioned the fact that we can encrypt using the public key and then decrypt using the private key but we can also use the keys in the opposite direction encrypt something with the private key and send that message to our destination and then the destination can decrypt with their with with the sender's public key to verify where it came from so what I do is I encrypt the message with my private key send it to you you decrypt with my public key if it successfully decrypts it confirms that I encrypted it because only I could have encrypted it with the private key so that's an authentication feature it's the concept of me signing a message putting my signature to the message so that when someone receives it they assure it came from me not someone pretending to be me so open SL reports the time to sign a message that's at the sender I would sign the message I would send the message to someone else and the other person would verify the signature so the signature the signing part is performed using a private key and the verification part is performed using the public key so it reports both of them number of signatures per second let's focus say on a typical 1024 bit RSA 4000 signatures per second okay and it's only signing a small amount of data most likely I think in the order of 128 bit 16 bytes so if we compare to this column signing 435 times per second and if here we've got with the others we've got in the order of at least 20 or close to 20 megabytes per second 20 million bytes per second let's say each signature was just 16 bytes which I think is the typical size if we multiply about this by 16 what do we get 16 about 64 64 thousand bytes per second so roughly in the order of 64 kilobytes per second versus 20 megabytes per second so it's at least a thousand times slower than the block ciphers don't worry too much about the numbers the point is that okay here we're doing thousands per second here we're doing millions per second there are some slight differences in the size of the blocks that they operate on this 1024 is not the size of the data it's the length of the modulus and RSA is much slower when we have to sign data and verification is faster than signing so what is it about 10 at least 10 times faster in this case what's the difference between encrypt and decrypt operations in RSA if you look at them encrypt or the first one operation m to the power v mod n and the decrypt is the same operation the only thing that's different are the values and in practice the values of E and D normally E which is the public value is small and therefore taking some number and raising it to a small power to a small number is much faster than taking some number and raising it to a large exponent so normally is much smaller than D we'll talk about why later therefore when we encrypt or we are when we use E the public exponent using RSA it's much faster than we use D the private exponent because it's slower to raise a number to a large power than a small part and that's what's happening in the signature and verification in the signature part the sign what's happening is we're taking some value and raising to the power of D mod n and the verification is taking the receive value and raise to the power of E mod n and because E is usually much smaller than D the verification is usually much faster than the signing and that's what we see here that it's about ten times at least ten times faster with verifying and signing but in both cases much slower than the others all right so we need to be careful in terminology of signage decryption in RSA we can use in RSA we can use we can use the algorithm for confidentiality or authentication and when we use it for confidentiality it means we've got a message and we want to send it to someone such that no one else can read the message that's our normal form of secure communications that's the same as when we use des triple des and so on we take a message encrypt with a some key and send it when we're using RSA what we do we take our message to encrypt for confidentiality take our message and we raise it to the power and mod by n what do we raise it to the power of E more specific E of who we raise it to the power of the public E of the recipient okay that is if I want to encrypt something and send to you I need your value of the public key your value of E so what I do is I take the message I want to send raise it to the power of E mod n I get my ciphertext send the ciphertext and the receiver takes the ciphertext and uses the opposite value instead of E D the private value mod n and gets m back that's for confidentiality making sure the message is secret but we can use E and D in the opposite direction remember is the public value and D is private what I can do is I take a message I don't care if someone else sees the message what I want to make sure and especially the recipient wants to make sure that the message came from the person who they say they are so what I do is I create a message and I use I use the RSA algorithm and I use as the exponent D my private value only I have D and when I send that value of C to you what you do is you take my public key in particular my value of E and you take C raise it the power of E mod n and you get the original message back this is the authentication operation it's the receiver making sure that the message came from me because if someone else sent it if you try to decrypt using my public value my public E then it will only be successful if I encrypted it with my private D and the only person in the world that has my private value of D is me which confirms it must come from me if it's successful so yes this is the well this are these four operations are all the same it's the same equation we just change the variables or change that the the variables here so it's all take some value raise it to the some exponent mod n it's just in what order do we use them for confidentiality we use the public E and then the private D for authentication we use the private D of the source and then the public E of the source at the recipient authenticate and this is what's being done in this open SSL speed test we'll come back to this authentication we've got a few more topics on it in fact but try and understand the difference here between confidentiality and confirming that the message came from the right person in fact let's let's return and discuss that a bit more now the point here was that the speed stream ciphers are fastest RC4 in our case then block ciphers AES is is quite common in use today it's got fast software implementations and also some hardware support desk triple desk getting old in that they're much slower to use and public key cryptography is much much slower than symmetric key cryptography and that's the main limitation and hence in practice it's it's not very often used to encrypt files for example or to encrypt data as you're sending it across a network it's you mainly use for signing and verifying let's go back and talk about some general aspects of public key cryptography and to finish this topic and just make this concept of authentication and confidentiality clear so we're going backwards just repeat some things we've already said these two slides show this concept of encrypting with a public key and encrypting with a private key encrypting with the public key we use for confidentiality keeping the message secret so Bob has a message he wants to send to Alice he doesn't want anyone else to see that message so Bob encrypts that message using a public key encryption algorithm for example RSA it doesn't have to be using Alice's public key everyone knows Alice's public key ciphertext is sent if Darth intercepts then what can Darth the malicious user do then to decrypt successfully Darth needs needs to know Alice's private key and of course by definition Alice's private key is not known by anyone else except Alice so so long as you cannot determine the one key from another and that the algorithm is strong then someone who intercepts this ciphertext cannot get the original plain text unless they have the corresponding private key encrypted with Alice's public key it can only decrypt with Alice's private key and only Alice has that so only Alice can see the message that's confidentiality that's what we normally use our block ciphers for but it's slow when we use RSA if we want to encrypt last large messages what we commonly use RSA and public key cryptography for is this approach encrypting with the private key Bob has a message to send to Alice Bob doesn't care if someone else sees that message that's not the idea here the idea here is that when Alice receives a message she wants to be certain that came from Bob it didn't come from Darth pretending to be Bob so in this case Bob encrypts using his own private key and sends the ciphertext and something that's encrypted once one private key will only successfully decrypt with the corresponding public key so Alice thinking it came from Bob decrypts and it will decrypt successfully because if it was encrypted with Bob's private key Alice decrypts with Bob's public key which everyone knows and because it successfully decrypts Alice is certain that this message came from Bob what if some other user Darth our malicious user sent a message to Alice saying this is a message from Bob with the intention to fool Alice to thinking it came from Bob what can Darth do Darth cannot encrypt this message with Bob's private key okay because they don't have Bob's private key so the only thing that Darth could do would be to try and maybe encrypt some message with someone else's private key his own private private key so if Darth creates a message encrypts with his own private key sends to Alice saying this is from Bob then what Alice does to verify is Alice decrypts using Bob's public key and that will be unsuccessful because if it's encrypted with Darth's private key and Alice decrypts with Bob's public key that to the mismatching keys they're not from the same pair and therefore it will not successfully decrypt when you decrypt with the wrong key you'll get some indicator of that and then Alice will know this did not come from Bob it came from Bob if it successfully decrypts with Bob's public key if it doesn't it must have come from someone else or something went wrong and that way Alice will know that they have to somehow other and some other means confirm with Bob what's happening so this is for authenticating where the message came from confirming that the message came from Bob not from someone else you can combine the two this encrypting with a public key provides confidentiality encrypting with a private key provides authentication maybe you want both you want your message to be secret and you want to confirm where it came from then in fact you can combine the two take your message and encrypt with Alice's public key then encrypt with Bob's private key and send the result and then you do the two operations so you can combine that the operations together of course it makes it twice as slow because we need to do encrypt both side at the center twice and decrypt at the receiver twice so that's what the opener sells speed tested the signing and verifying this is just a different representation of those diagrams a more formal representation which shows the notation but the same idea for secrecy or confidentiality encrypt with a public key decrypt with a private key from the same key pair and the attacker krypton analyst here has the goal of trying to determine what X is what the message was if they can find the message that been successful and or find the private key if somehow they can find the private key of B then they defeat the system because it's no longer private and with authentication we encrypt with a private key and decrypt with the public key here there's no intention to find the message the message is sent in the clear we can find the message from the attackers point of view but if the attacker that analysts can find the private key then they defeat the security of the system and we can combine the two here encrypt with a private key of the source encrypt with a public key of the destination send the result Z and then decrypt with a private key of the destination and decrypt with a public key of the source for authentication so this provides both what do we say secrecy or confidentiality and authentication provides both of those services so public key cryptography can be used for different security services there are different algorithms here is a list of four common algorithms we've looked just the RSA it's maybe the most popular one maybe the most famous one but there are others it's something based on elliptic elliptic curve cryptography RSA uses modular arithmetic there's different types of arithmetic an elliptic curve some uses some different mathematics to form encryption Diffie-Hellman key exchange we will cover that one the way to exchange keys and the digital signature standard another way to sign things so just different algorithms RSA and elliptic curve can be used for encrypting data for confidentiality they're not commonly used for it but they can be they can be used for assigning information performing authentication and for key exchange which is a way to exchange a secret key from A to B via some network Diffie-Hellman is built for key exchange and we'll talk more about key exchange when we talk about Diffie-Hellman and how it works the digital signature standard was built not for encrypting or confidentiality but for signing things so they have different purposes these algorithms so what we need for public key cryptography to work we need to be able to generate keys so every user needs a pair of keys so the algorithm for generating the keys must be easy to perform by easy we mean can perform can operate in a matter of milliseconds okay so if I want to generate my key pair I need an algorithm and software to do that for me and it should be reasonably fast it shouldn't take forever note that the keys are related as we saw with RSA the keys the values of E and D are related some way it should be easy for some some user A if they know a public key and some message M to create the ciphertext okay they need to be able to encrypt apply the operation to encrypt and it should be easy for the other entity to decrypt so it should be easy to apply our algorithm using one key and apply the algorithm using the opposite key to get the same message back that that's normal requirements we must be able to encrypt and decrypt now for security so they are mainly for performance reasons for security what we need is that it's practically impossible or computationally infeasible for an attacker if they know the public key and they know the ciphertext C to determine the private key the ciphertext will be known C will be known it's sent across the network the public key PUB will be known because by definition it's public so if the attacker knows those two values we need an algorithm such that it's takes too long for them to determine what the private key is because we need the private key to remain private similar it should be computationally infeasible for the attacker to know to determine the message M okay if they know C and the public key then they shouldn't be able to find out what the original message was if I encrypt using my public key a message and I get a ciphertext I send that ciphertext if you can determine the message without knowing my private key then that's not secure and that's what this one's saying if you don't know if you know the public key and C you still should not be able to be able to determine M message now some of the algorithms RSA in particular has this property not all of them that we can use the keys in either order that is shown here if we encrypt if we take some message and encrypt with a private key and we decrypt with the public corresponding public key we get the original message back so we use the private key and then the public key or the other order if we have some message and encrypt with a public key and then decrypt with a corresponding private key we get the message back then that's a feature that's supported by some algorithms we can use the keys in either order not all algorithms support that RSA does because RSA that's what we have here encrypt with the private value decrypt with a public value or encrypt with the public value e decrypt with a private value d RSA we can do in either order so importantly for security an attacker cannot determine the private key nor find the message given the ciphertext assuming they know the public key in the algorithm now what's what algorithm what are the features of the algorithm to provide those security services all those requirements lead to some a need for some algorithm or a function that is considered or called a trapdoor one-way function so let's look at the the definition or the informal definition of such a function we need a function that performs our encryption and decryption we need to be able to find an inverse a unique inverse because we know when we encrypt and decrypt if we encrypt some value and get ciphertext and then decrypt that ciphertext we must get the same plain text back that's our normal requirement for security if we encrypt m and get c and then decrypt c we must get the same m back if we get a different m it doesn't work okay so we need a function such that there is a inverse and it's unique should be easy to calculate so that we can encrypt in reasonable time that the function must be simple to calculate but the inverse of the function so some function which we apply which is easy when we apply that function but when we do the inverse it should be hard to calculate unless some information is known so we need some function that takes some input x and return some output y this function is our is going to be our public key cryptography algorithm what are the requirements on that function that we can easily calculate this that we and defined here it's easy to calculate that function if what have we got I think there's a mistake here as well this should be x easy to calculate if k and x are known so if we have the the key k and the input x we can easily find why we need such a function but the inverse of that function f to the minus one if we know the input y and the same the key k we can apply the inverse and easy to get x which is equivalent to we will see our decrypt operation if we know the key it should be easy to encrypt that's what this one saying and the second one saying if we know the key it should be easy to decrypt that's all and decrypt is the inverse of the encrypt operation but it should be infeasible practically impossible to given why so why is known but the key is not to find x so decrypt if you don't know the key that should be impossible so these are similar requirements that we've said for all of our sites so what do we mean by easy what's in in feasible well there are different ways to measure that one of them you look at the computational complexity of the algorithm so choose a function that meets these requirements a common way to measure is to say that some function is easy if it can be solved in polynomial time as a function input so if it can only be solved in say exponential time then it's not considered easy so there is and I think you've seen in several in at least one other course computational complexity we can analyze algorithms and see how complex they are and give some big order or big o notation to indicate the complexity of different algorithms let's see what have we got RSA is one such algorithm that meets those requirements and we've gone through RSA what can an attacker do to try and beat public key cryptography they can try brute force attacks so if we have a key and the attacker doesn't know the key try and guess every possible value of the key try all possible values and we know the ways to prevent or at least make brute force attacks hard make the key large so make it such that the attacker must guess many times such it will take too long the problem so if we make the key large we can avoid brute force attacks but the problem and we started to see with all ciphers we make the key larger they become slower and it's especially for public key ciphers the larger the key the less efficiently algorithm we have still the results here with RSA here's were effectively it's n but indicator of the length of the of the key 512 bits up to 4,000 bits we see the speed significantly reduces increase the security of it make a brute force attack harder increasing this value makes the algorithm much slower just go back to that look at the numbers here we double the p-length or in fact it's the modulus here but double the length of the input and what have we got a factor of 4 8 times slower in that case so we need to manage and consider the trade-off between security preventing brute force attacks and performance efficiency and the result is that most cases public key cryptography is used only when encrypting a small amount of data because it's slow and therefore with a large amount of data it takes too long what other attack can a analysis do they try and determine the private key from the public key and we saw that last week when we looked at RSA with RSA we have a steps for determining e actually we we calculate n select e then determine d d is the private value if the attacker given e and n can find d then they'll break RSA with the algorithms available there are no known practical techniques to break those algorithms for RSA for Diffie-Hulman and so on so they rely on mathematics such that there are functions that it's takes too long to solve the equations for example discrete logarithms take long a long time factoring large numbers into their prime factors takes a long time calculating the totem cake takes a long time there are some other types of attacks the probable message attack is possible we'll see maybe later have an example but we try all possible values of the message m using a public key the public key is known so the attacker takes many different values of m using the public key and see if the value of c that they get matches the value that the other user has sent and if it does match that they know what m is so they can find the message it's an attack we try all possible plain text message it works if m is small okay then we can try all possible and the way to prevent that from work being successful is make m large and if you have a short message most algorithms can add some extra random data to that to make it much larger so there are simple ways to avoid such attacks so except on the special cases the algorithms of RSA DSS elliptic curve cryptography Diffie-Hulman are all considered secure and that there are no known general attacks there may be very specific attacks if you use the wrong values of the parameters but they can be easily avoided so they considered secure so long as the key lengths or the the parameter lengths are large enough we've covered how RSA works we've gone through the steps last week key generation after the break we'll have another example will give you some tasks on generating a key and in the quiz next week we'll have a quiz in the lecture next week you can generate a key and encrypt so we've seen examples last week we can apply of course RSA works on a single number m if we have a large amount of data we can just break it into blocks and this gives an example that okay if we have a large number we break it into n blocks and encrypt one at a time so that's a more more detailed example of applying RSA the numbers are a bit too big to go through in class what about the performance and some of the security aspects of RSA to finish with RSA we take some number m and raise to some exponent e or d and then mod by n how fast is it to perform such operations exponentiation generally is it is a slow procedure it takes a lot of time to take some large number and by large numbers we're talking about hundreds of bits in length and raised to some other large number if that other large number the exponent is also one hundreds of bits in length then we get a very very large number as an output and computers take a long time to perform that calculation but in fact when we're using modular arithmetic there are some properties of the arithmetic that make it relatively simple to calculate so one such property is that we can remember exponentiation really is multiplication multiple times 2 to the power of 3 is 2 times 2 times 2 so we can simplify the steps of exponentiation using some of the properties such as this property that if we have some some large number a thousand multiplied by 500 mod 200 is the same as a thousand mod 200 multiplied by 500 mod 200 or mod 200 and that makes things simpler because we're just doing a mod of a smaller number and we can break that down to to make it easier for your computer to calculate so even though we're using very large numbers it's possible for doing RSA encryption in reasonable time when we generate keys we need to choose a value of e remember the process is you have two random or two prime numbers p and q calculate n calculate the totion of n as p minus 1 times q minus 1 and then select e which is rent relatively prime with the totion of n how do you choose a value of e and remember is public is the value that we can tell everyone or you can choose different values but because it's public in fact you can use the same value multiple times different people can use the same value and some common values are equal to three so it doesn't have to be large 17 655 37 why these values using small values is good because when you take some message raise power of e mod n if e is small then this will be fast to implement because we're just taking some number raising it to a small power raising some large number to the power of three is much faster than raising this large number to the power of a very very large exponent okay so a small value makes it perform faster these other values help in some of the operations if you look at them in binary they contain only several values of binary one and many values of zero and you can start to use left shifts and perform the multiplication and exponentiation much fast much faster so there are some optimal values in terms of performance for e some values there are potential attacks but if you add some random padding that is increase the length of the message those attacks can be avoided so generally the value of e can be the same for multiple users so I have a public key my value of e is three you have a public key you can you also use the value of e would of three but we should have different values of our modulus and once we have a value of e then we there are algorithms for calculating d and d should be large although e can be small and fix d is our private value no one should be able to guess it so if you have a small value of d there's potential for attacks so generally d should be large and normally it's in the order of almost the same number of bits as n so if n is a thousand bits in length and d is close to a thousand bits in length with e is small there are algorithms for even if d is large how do we use d we take c raised with the power of d mod n if c is a large number say a thousand bit number and d is also another large number a thousand bit number we get a very large result here but again we can take advantage of some properties of modular arithmetic to make this manageable to calculate it's still manageable in reasonable time in the results we saw with open SSL using e we saw was the verify operation and using d was the sign operation I'm just going back signing is about 10 times slower than verifying because in this case I don't know what value of e was used but most likely it was a small value of e and a large value of d and it meant that this is faster than the signing of the other signing operation so there are some rules or some guidelines that the values of e you can use d can be calculated there are algorithms for calculating it and the other parameters that we choose a p and q they are the two prime numbers we start with they must be private so when I generate my own pair of keys I choose a two large prime numbers p and q they must be very large the reason they need to be large is because the attacker one of their objectives is to take n and factor it into its primes p and q if n is very large then that's considered impossible to do in reasonable time so if you make p and q very large you multiply them together then n will be very large and therefore an attacker cannot determine p and q from n very large again we'll see some examples but what was a number one of the more recent numbers the length of n of 768 bits so a value of 768 bits long of n took something like two years to factor into its primes p and q so make p and q large enough such that n is in the order of a thousand bits two thousand bits and it's considered secure it's not easy to find large prime numbers though and what normally happens is they algorithms choose large random odd numbers it may be prime it may not be maybe composite and then there are ways to test to to increase the chance that is a prime number so there are ways to get a very high probability that p and q are prime numbers how secure is it if you choose large enough d that it makes brute force attacks too slow except a large d makes the operation here slower sorry the signing operation the mathematical attacks which we mentioned last week were you either need to factor n into p and q it's two prime factors that's considered impossible if n is large enough you determine the totion event directly that problem is considered impossible if again n is large enough or you determine d for example by performing a discrete logarithm and discrete logarithms are considered impossible again if our numbers are larger there are no known ways if we use large enough numbers to perform those mathematical attacks most of the measures of security of rsa are based upon the size of n because the easiest of those attacks is factoring n into its prime numbers so that's how people measure how secure there are some very specific attacks timing attacks taking advantage of how long the implementation takes but there are usually countermeasures very easy countermeasures that will prevent those attacks so it's very easy to stop them let's just finish with some examples of how long it takes and the size of n this is a bit old this one's from the textbook but what have we got these are how long it takes to factor a large number n and here's the size of n in bits so 600 bit number a 2000 bit number and different algorithms have been used to try and factor we're not going to cover how they work I can't even I don't even remember the different sieves and this is the time measured in some number of operations to perform and so MIPS years in this case and we're talking about 10 to the power of 9 10 to the power of 10 MIPS years where MIPS is a measure of the the processor speed but more maybe more meaningful rsa the algorithm rsa the company who developed the algorithm had some competition where you win money if you factor large numbers and so there was some competition and you see over the years so the number of decimal digits and the approximate number of bits and for example in 1999 512 bit numbers so this is the length of n were managed to be factored into p and q how long to take the factor 8000 MIPS years so a measure of the amount of time and computation time to factor that and more recently 2005 663 bits and the most recent one which was part of the competition they've now stopped the competition 768 bits that is n 768 bits long it took approximately two years in real-time running multiple computers hundreds of computers at the same time trying to factor one number n into p and q it took about two years of real-time to factor the 768 bit and so if you've got it a thousand and 24 bit and it should take much much longer to be able to factor that given the known algorithms and if you have a 2048 bit and it's considered secure so it's just a matter of making making n long enough by choosing large enough p and q that brings us to the end of rsa what we'll do after the break is I'll give some examples and you'll have some some examples of a simple encryption and key generation with rsa and then if we have time after showing a few examples we'll look at another algorithm Diffie-Hellman key exchange we'll see how far we go let's have a break and at 240 we will continue with some examples