Post on 06-Jan-2018
description
1
ISA 562 Information Security Theory &
Practice
Public Key CryptosystemPublic Key CryptosystemChapter 9 of Bishop’s Book
2
Outline
Background Diffie-Hellman RSA Cryptographic Checksums
3
History
Concept conceived by Diffie and Hellman in 1976
Rivest, Shamir and Adleman (RSA) were first to describe a public key system in 1978
Merkle and Hellman published a different solution later in 1978 (broken by Shamir)
4
The Big Picture
B's Public Key B's Private KeyRELIABLE CHANNEL
EncryptionAlgorithm
DecryptionAlgorithm
Plain-text
Plain-textCiphertext
INSECURE CHANNEL
A B
B's Public Key
5
The Basic Idea
Confidentiality: encipher using public key, decipher using private key
Integrity/authentication: encipher using private key, decipher using public key
B's Public Key B's Private Key
EncryptionAlgorithm
DecryptionAlgorithm
Plain-text
Plain-textCiphertext
A B
‘Signature’
6
Requirements
The keys and algorithms must meet these requirements Must be computationally easy to encipher or
decipher Must be computationally infeasible to derive the
private key from the public key Must be computationally infeasible to determine
the private key from a chosen plaintext attack
Different from those of secret key cryptosystem except the first requirement
Why another cryptosystem?
7
Motivation 1- Key Distribution Problem
In a secret key cryptosystem, the secret key must be transmitted via a secure channel
Inconvenient n parties want to communicate with each other,
how many keys need to be transmitted? Insecure
Is the secure channel really secure?
Public key cryptosystem solves the problem Public key known by everyone – telephone
directory Privacy key is never transmitted
8
Motivation 2- Digital Signature
In a secret key cryptosystem, authentication and non-repudiation may be difficult
Authentication You must share a secret key with someone in order
to verify his signature Non-repudiation
“I didn’t sign it. You did since you also have the key”
Public key cryptosystem solves the problem Verification of signature needs only the public key One is solely responsible for his private key
9
Required number theory
If a = b + kn for some integer k We write b = a mod n (namely, a is congruent to b
modulo n, and b is the residue of a modulo n) Examples: 2 = 12 mod 5, 2 = 12 mod 10, 0 = 12 mod
6 Properties
(a O b) mod n = ((a mod n) O (b mod n)) mod n where O is +, -, *
35 mod 7 = (3*3*3*3*3 mod 7)
= ((3*3 mod 7)*(3*3 mod 7)*(3 mod 7))mod 7
Needed when enciphering/deciphering
10
More of the same…
A prime number is a positive integer having exactly one positive divisor other than 1. E.g. 3, 5, 7, 11, 13…
a and b are relatively prime if they have no common positive factors other than 1. E.g. 1 and 2, 2 and 3, 3 and 4, but not 2 and 4
The totient function (n) gives the number of integers between 1 and n-1 that are relatively prime to n. E.g. (10) = 4 (1,3,7,9 are relatively prime to 10)
11
Still More Math
Euler's Totient Theorem 1 = a (n) mod n, where a and n are relatively
prime Example: 3 (10) mod 10= 3 4 mod 10 = 81
mod 10 10 (3) mod 3= 10 2 mod 3 = 100
mod 3 Fermat’s Little Theorem
a p-1=1 mod p, where p is prime and relatively prime to a
Notice (p) = p-1
12
Outline
Background Diffie-Hellman RSA Cryptographic Checksums
13
Diffie-Hellman Key Exchange Scheme
Proposed in 1976 as the first public key algorithm (predates RSA)
Allows users to agree on a secret key over insecure channels with no prior communication
The secret key can thus be used to encrypt or decrypt message (e.g., SSL 3.0, IPsec)
KA BInsecure Channel
14
Discrete Logarithm Problem
D-H is based on the discrete logarithm problem Given integers n and g and prime number p,
compute k such that n = g k mod p In general computationally infeasible Choices for g and p are critical
Both p and (p–1)/2 should be prime p should be large (at least 512 bits, possibly 1028 bits) g should be a primitive root mod p
15
Diffie-Hellman Key Exchange Scheme
A Bagree on p and g with 1 < g < p
A BX = gx mod p
Y = gy mod p
Choose x
Choose y
A Bcomputes k = Yx mod p
computes k’ = Xy mod p
k=k’=gxy mod p
knows p, g, X, and Y, but not x or y or k
16
Quiz
p = 7 and g = 5 Alice
chooses x = 2 and send X = ?
Bob chooses y = 3 and send Y = ?
Shared key: k= ? k’ = ? (gxy mod p = ? )
17
Man-in-the-middle Attack
A BCactive intruder
K1 K2
A BK1
A BK2
18
Outline
Background Diffie-Hellman RSA Cryptographic Checksums
19
RSA In Summary
Choose public key (n,e) Compute private key (n,d)
Encryption C = Me mod n Decryption M = Cd mod n
Underlying theory – Euler's Totient Theorem
Key Generation
20
Key Generation
Choose 2 large (512 bit) prime numbers p and q
Compute n = p * q
Choose e relatively prime to (p-1)*(q-1)
Compute d such that 1 = e*d mod (p-1)*(q-1)
Publish (n,e) and keep (n,d) (discard p, q)
21
Key Generation (Cont’d)
Large primes can be found efficiently using probabilistic algorithms due to Solvay and Strassen
d can be computed using the Extended Euclidean Algorithm (Textbook 31.2)
Care must be exercised in choosing p and q, otherwise insecurities may result (p-1, p+1, q-1, q+1 should have large prime factors)
22
Key Generation - Example
p = 7, q = 11, so n = 77 and (p-1)(q-1) = 60
Alice chooses e = 17, computing d = 53 (17*53=901)
publish (77,17) and keep (77,53) secret
23
Encryption/Decription
Encryption C = Me mod n Decryption M = Cd mod n Underlying theory
Cd mod n = (Me mod n)d mod n = Med mod n
= M1 mod (p-1)*(q-1) mod n = M (p-1)*(q-1)*i + 1 mod n = (1i *M) mod n (by Fermat’s Little Theorem) = M mod n = M (require M<n; M relatively
prime to n)
24
Example: Encryption
p = 7, q = 11, n = 77 Alice chooses e = 17, making d = 53 Bob wants to send Alice secret message
HELLO (07 04 11 11 14) 0717 mod 77 = 28 0417 mod 77 = 16 1117 mod 77 = 44 1117 mod 77 = 44 1417 mod 77 = 42
Bob sends 28 16 44 44 42
25
Example: Decryption
Alice receives 28 16 44 44 42 Alice uses private key, d = 53, to decrypt
message: 2853 mod 77 = 07 1653 mod 77 = 04 4453 mod 77 = 11 4453 mod 77 = 11 4253 mod 77 = 14
Alice translates 07 04 11 11 14 to HELLO No one else could read it, as only Alice knows
her private key and that is needed for decryption
26
Digital Signatures in RSA
RSA has an important property, not shared by other public key systems
Encryption and decryption are symmetric Encryption followed by decryption yields the
original message (Me mod n)d mod n = M Decryption followed by encryption also yields
the original message (Md mod n)e mod n = M Because e and d are symmetric in
e*d = 1 mod (p-1)*(q-1)
27
Digital Signatures in RSA
M d mod n C e mod n
PlaintextM
Ciphertext C (signature)
A's Private Key d A's Public Key e
RELIABLE CHANNELA B
PlaintextM
PlaintextM’ ?
28
Compared To Encryption in RSA
M e mod n C d mod nCiphertext C
B's Public Key e B's Private Key d
RELIABLE CHANNEL
A B
PlaintextM
PlaintextM
29
Signature and Encryption
D
Plain-text
A's PrivateKey
A B
B's PublicKey
A's PublicKey
B's PrivateKey
E D E
Plain-text
SignedPlaintext
EncryptedSigned
PlaintextSigned
Plaintext
30
Signature and Encryption
We could do the encryption first followed by the signature.
Signature first has the advantage that the signature can be verified by parties other than B.
31
Example: Sign
Take p = 7, q = 11, n = 77 Alice chooses e = 17, making d = 53 Alice wants to send Bob message HELLO (07
04 11 11 14) so Bob knows it is from Alice, and it has not been modified in transit 0753 mod 77 = 35 0453 mod 77 = 09 1153 mod 77 = 44 1153 mod 77 = 44 1453 mod 77 = 49
Alice sends 35 09 44 44 49
32
Example: Verify
Bob receives 35 09 44 44 49 Bob uses Alice’s public key, e = 17, n = 77, to
decrypt message: 3517 mod 77 = 07 0917 mod 77 = 04 4417 mod 77 = 11 4417 mod 77 = 11 4917 mod 77 = 14
Bob translates 07 04 11 11 14 to HELLO (Assume) only Alice has her private key, so no one else
could have been able to create a correct signature The (deciphered) signature matches the transmitted
plaintext, so the plaintext is not altered
33
Example: Both
Alice wants to send Bob message HELLO both enciphered and signed
Alice’s keys: public (17, 77); private: 53 Bob’s keys: public: (37, 77); private: 13
Alice does (does she encipher first or sign first?) (0753 mod 77)37 mod 77 = 07 (0453 mod 77)37 mod 77 = 37 (1153 mod 77)37 mod 77 = 44 (1153 mod 77)37 mod 77 = 44 (1453 mod 77)37 mod 77 = 14
Alice sends 07 37 44 44 14 What would Bob do upon receiving the message?
34
Security of RSA
Cryptanalysis is to compute d while knowing (e, n) such that e*d = 1 mod (p-1)(q-1), and n=pq, for
some p and q (the factorization is unique) If factorization of n into p*q is known, this is
easy (Extended Euclidean Algorithm). Otherwise, it is hard.
Therefore security of RSA is no better than complexity of the factoring problem
Is the factoring problem provably hard (e.g., undecidable)? No However, the possibility of an easy factoring method
is believed to be remote.
35
Fastest implementations of RSA can encrypt kilobits/second
Fastest implementations of DES can encrypt megabits/second
It is often proposed that RSA be used for secure exchange of DES keys
This 1000-fold difference in speed is likely to remain independent of technology advances
Matters more in wireless/ad hoc/sensor network
RSA Versus DES
36
RSA Versus DES
Key size of RSA is selected by the user Many implementations choose n to be 154
digits (512 bits) so the key (n,e) is 1024 bits
Key size of DES is 64 bits (56 bits plus 8 parity bits)
37
RSA Key Size
key size should be chosen conservatively cryptographers can stay ahead of
(factorization) cryptanalysts by increasing the key size
Until 1989 factorization attacks were based on "high school mathematics." Since then sophisticated attacks have extended factorization to larger numbers (usually of a specific form).
At present it appears that 130 digit numbers can be factored in several months using lots of idle workstations.
38
Outline
Background Diffie-Hellman RSA Cryptographic Checksums
39
One-way Hash Functions
Also known as message digest A function H(M) = m satisfies
(Fixed length): M can be of any length, whereas m is of fixed length
(One-way): computing H(M)=m is easy, but computing H-1(m)=M is computationally infeasible
(Collision-free): in two forms Weak collision-freedom: given any M, difficult to find
another M’ such that H(M)=H(M’) Strong collision-freedom: difficult to find any M and M’
such that H(M)=H(M’)
40
Why Those Requirements?
Many applications store H(p) instead of a password p Fixed length: cannot guess the length of p from
H(p) (and H(p) is easier to store) One-way: the administrator cannot learn p of
others Collision-free: cannot submit incorrect p
matching H(p) Most applications sign H(M) instead of M
41
Example
ASCII parity bit ASCII has 7 bits; 8th bit is “parity” Even parity: even number of 1 bits Odd parity: odd number of 1 bits
Bob receives “10111101” If sender is using even parity; six ‘1’ bits, so
character was received correctly Note: could be garbled, but 2 bits would need to
have been changed to match parity bit If sender is using odd parity; even number of 1
bits, so character was not received correctly
42
Hash Functions In Practice
DES based hash functions tend to produce 64 bit digest which cannot be strong
CCITT X.509 (proven insecure) Merkle's Snefru: 2-pass version proven
insecure; 4-pass version unproven Jueneman's methods: broken and refined
and broken and refined NIST Secure Hash Algorithm RSA: MD2, MD4, MD5, SHA-0, SHA-1, SHA-2
(SHA-224, SHA-256, SHA-384, and SHA-512 )
43
“Hash Functions Broken” ?
Crypto 2004 Rump session reported attacks on MD4, MD5 and SHA-0 MD4’s attacks are done by hands
Crypto 2005 reported attacks on full SHA-1 Should we panic?
Xiaoyun Wang’s webpage: http://www.infosec.sdu.edu.cn/people/wangxiaoyun.htm
44
“Hash Functions Broken” ? (Cont’d)
Nature of the results Algorithm that finds collision faster than theoretic
bound MD5 about one hour; SHA-1 263 vs 280 (theoretically)
Yes, the results disprove those functions to be strong collision-free
No, they do not give you a password from its hash
Brute force attacks do (refer to http://passcracking.com/)
Whether you should panic or not depends on what you use the hash functions for
Xiaoyun Wang’s webpage: http://www.infosec.sdu.edu.cn/people/wangxiaoyun.htm
45
Hash Functions Vs MAC
Send a message M together with its hash h=H(M), so the recipient can verify M by comparing H(M) with the received h Attack: If anyone in the middle can replace M
with M’ and h with h’=H(M’), the recipient won’t detect this
Keyed hash functions Also known as message authentication codes
(MAC) Example: DES in CBC mode: use a key to
encipher message in CBC mode and use last n bits as the MAC value.
46
HMAC
Build MAC from keyless hash functions Encryption algorithms cannot be exported
h : keyless hash function k : a cryptographic key k padded with 0 Ipad: 00110110 repeated Opad: 01011100 repeated
HMAC h(k, m) = h(k opad || h(k ipad || m)) exclusive or, || concatenation
47
Key Points
Public key cryptosystems has two keys Diffie-Hellman exchanges secret key via
insecure channel RSA can be used for confidentiality and
integrity Cryptographic Checksums are keyed hash
functions