Post on 06-May-2019
1
Public Key InfrastructuresPublic Key Infrastructures
Chapter 3Public Key Cryptography
Cryptography and Computeralgebra
Johannes Buchmann
2
Encryption
plaintextplaintext plaintextplaintext
secret secret=
symmetric
decryptencrypt
3
Symmetric encryption schemes
170 msIDEA
80 msMARS
100 msTWOFISH
78 msRC6
Performance*Scheme
95 msSERPENT
65 msRIJNDEAL (AES)
250 msDES-ede
*) Encryption of 1 MByte on a Pentium 2.8 GHz, using the FlexiProvider (Java)
4
BUT: key exchange problem
n*(n-1)/2 keys
Internet: ∼ 1,093,529,692 users => 1,195,807,187,285,614,864 keys
5
One solution
Key-Server
The key-server knows all secret keys!
6
Example
The authentication center (AC) in mobile communications knows all the keys. It stores them in a database.
From “IT-Sicherheit”, page 785, 800
7
Encryption
plaintextplaintext plaintextplaintextdecryptencrypt
public private
≠asymmetric
8
Key exchange problem solved!
Public-Key-Server
The server does not know any private information!
9
Public-Key-Server
......
8422834964509823610263135768Karatsiolis
13121311235912753192375134123Buchmann
Public Directory
mapping: names ↔ public keys
10
Asymmetric encryption schemes
6,6 sRSA (1024 bits)
Performance*Scheme
11.8 sRSA (2048 bits)
Disadvantage: Complex operations with big numbers
⇒ schemes are slow
*) Encryption of 1 MByte on a Pentium 2.8 GHz, using the FlexiProvider (Java)
11
Solution
plaintextplaintextdecryptencryptplaintextplaintext
decryptencrypt
symmetric session key
public secrethybrid
encryption
12
…using 200 digits provides a margin of safety against future developments…
RSA
published in 1978
13
RSA-200 factored in 2005
After 27 years
14
Security
Impossibility to factor the RSA module
21335625291600027351142759355194209132914767425698066864818245285802697571587504827160038792867188144217660057955934845800814958268691260056037643469790871613988653520618544234805258949423413033375605873213651488760386443075342912012970548900016706067393246389837569751517347745772076420507479301672647916792373351492517320962556245120580406546060184803670311182370599074873628794261731191112555208060025609009047888480639771734426254325175122847998160609602132860929278043535478577169570898641110787987645625919308715088016517131066837168489289581361754587749922998809128927098697538006934652117684098976045960758751
15
n = 2799783391122132787082946763872260162107044678695542853756000992932612840010760934567105295536085606 1822351910951365788637105954482006576775098580557613579098734950144178863178946295187237869221823983
was factored in May 2005:
p = 3532461934402770121272604978198464368671197400197625023649303468776121253679423200058547956528088349
q = 7925869954478333033347085841480059687737975857364219960734330341455767872818152135381409304740185467
Secret
16
Factors
Factors of 6?
Factors of 143?11, because 143 = 11*13
3, because 6 = 3*2
Factors of213356252916000273511427593551942091329147674256980668648182452858026975715875048271600387928671881442176600579559348458008149582686912600560376434697908716139886535206185442348052589494234130333756058732136514887603864430753429120129705489000167060673932463898375697515173477457720764205074793016726479167923733514925173209625562451205804065460601848036703111823705990748736287942617311911125552080600256090090478884806397717344262543251751228479981606096021328609292780435354785771695708986411107879876456259193087150880165171310668371684892895813617 54587749922998809128927098697538006934652117684098976045960758751
?
17
Fermat – Numbers (Pierre de Fermat, 1601-1665)
122 +=m
mF
F0 = 3
F1 = 5
F2 = 17
F3 = 257
F4 = 65537
F5 = 4294967297= 641*6700417
Difficult computational problem: factoring
18
Difficulty of factoring
Completely factored Fermat numbers
617
309
155
78
39
20
10
Cunningham, Brent, Morain198811
Selfridge, Brillhart, Brent199510
Western, Lenstra, Manasse, u.a.19909
Brent, Pollard19808
Morrison, Brillhart19707
Landry, Le Lasseur18806
Euler17325
Decimal digits
discovereryearm
19
L u v env n nu u
[ , ] (log ) (log log ) ( )
=−1
L vn [ , ]0
polynomial exponential
L vn[ , ]1
complexity
Number Field Sieve NFS 1990
1/3
Quadratic Sieve 1980
1/2
Computational complexity
20
open$200,000617RSA-2048
open$150,000463RSA-1536
open$100,000309RSA-1024
open$75,000270RSA-896
open$50,000232RSA-768
open$30,000212RSA-704
Nov. 4, 2005$20,000193RSA-640
Dec. 3, 2003$10,000174RSA-576
May 9, 2005200RSA-200
Apr. 1, 2003160RSA-160
Aug. 22, 1999155RSA-155
Apr. 16, 2004150RSA-150
Feb. 2, 1999140RSA-140
Apr. 10, 1996130RSA-130
Apr. 1994$100129RSA-129
Jun. 1993120RSA-120
Apr. 1992110RSA-110
Apr. 1991100RSA-100
factoredprizedigitsnumber
21
G group of points on an elliptic curve:
Exponential complexity
Small keys are possible
Discrete-Logarithm-Problem (DLP):
Solve gx = a
G Group
ax glog=
Difficult computational problem: DLP
22
ECC challenges
20029x10^7109ECCp-10919987198297ECCp-971998436089ECCp-89199714679ECCp-7920042.1x10^7109ECC2-10920001.3x10^6109ECC2K-108199918044897ECC2-971998863797ECC2K-9519981127889ECC2-89199735279ECC2-79DateDaysField SizeECC
From www.certicon.com
23
factoring easy
ECDLP easy
all popular cryptosystems insecure
make
Quantum computers
24
Alternative: Short lattice vectors
25
Alternative: Short lattice vectors
26
2 d
27.7 h
9 h
2 h
8 min
4*108450
1*108400
4*106300
2*105200
3*103100
Running Time LLL Length SV Dimension
Architekture: SunBlade 100 (C++)
Short vectors
27
Find difficult computational problems
Find correct security models
Find provable secure cryptosystems
Research challenges
28
Cryptographic hash functions
datadata hashfunction
hashvaluehashvalue
nh }1,0{}1,0{: * →
29
Easy
easy and fast to calculate
85 msSHA-256
Performance*Scheme
48 msRIPEMD-16050 msSHA-1
*) Hashing of 1 MByte on a Pentium 2.8 GHz, using the FlexiProvider (Java)
30
One way
datadatahashvaluehashvalue
31
Collision resistant
datadata
hashfunction
hashvaluehashvalue
datadata
32
Message Authentication Code
valid /invalid
plaintextplaintext
secret
MACfunction
secret
MACfunction
plaintextplaintext
MACvalueMACvalue
33
MAC schemes
HMAC
CBC-MAC (3-DES, IDEA, other)
Two-Track-Mac
34
MAC applications
For securing the transport of a private key in software based solutionse.g. PKCS12, to protect the private key from tampering. The key is derived from a password.
In many protocols:
SSL/TLS, mobile communications
35
Message Authentication Code
symmetric scheme
⇒ fast
⇒ key exchange problem
36
Digital signature
valid /invalid
plaintextplaintext
sign verify
plaintextplaintext
SignatureSignature
private public
37
Digital signature
asymmetric scheme
⇒ slow
⇒ key exchange problem solved
38
Asymmetric signature schemes
38 msecECDSA (160)
32 msecDSA (1024)
Performance*Scheme
35 msecRSA (1024)
*) Creation of a signature on a Pentium 2,8 GHz,using the FlexiProvider (Java)
39
Reaching the security goals
Confidentiality
Integrity
Authenticity of data
Entity Authentication
Non-repudiation
→ sym. and asym. encryption
→ hash, MAC, digital signature
→ digital signature, MAC
→ digital signature, MAC
→ digital signature
40
Problem Exposition
41
Why PKI?
1) Keep the private key secret
2) How to know that the public key is correct
=> PKI is needed
42
How do software vendors protect theirsignature key?
How does the PC know the correctverification key?
43
Digitally signed updates:
44
How to authenticate public keys?