Public-Key Protocols

Post on 11-May-2015


Session 3 of 3-day course in Engineering Cryptographic Applications held at ACM Theater Tyson's Corner for Microstrategy, Inc. Key Agreement Asymmetric Cryptography RSA Public Key Protocols TLS

Transcript of Public-Key Protocols

Microstrategy Course, 18 October 2013

David Evans, University of Virginia, www.cs.virginia.edu/evans

Day 3: Public Key Protocols

Engineering Cryptographic Applications

Engineering Crypto Applications 2

Recap: Symmetric Encryption

evans@virginia.edu

[Diagram: Alice runs the plaintext through AES under a key; the ciphertext crosses an insecure channel; Bob runs it through AES under the same key to recover the plaintext]

Assuming we generate strong keys, use an appropriate cipher mode, and correctly implement a secure symmetric encryption primitive, we can securely encrypt long messages so even an adversary with $Quadrillions cannot learn anything interesting.

Assumes a secret already shared between Alice and Bob. Amplifies that secret to send more data later.


Plan for Today

1. Key Agreement Protocols
2. Solving the remote authentication problem

Asymmetric Encryption, Public-Key Protocols

[Diagram: a user connects to petitions.gov over an insecure channel; the goal is a secure channel]

Key Agreement

Asymmetric Key Agreement

Ralph Merkle (born 1952)

Merkle’s Puzzles (1974)

Merkle’s Puzzles: Key Agreement

Alice:
1. Generate N random keys: k0, …, kN-1
2. For each i, send Eki(“key #” + i) in random order:
   Ek37(“key #” + 37)  Ek82(“key #” + 82)  Ek22(“key #” + 22)  …

Bob:
3. Randomly select one of the received messages.
4. Try all possible keys until finding kx that decrypts the message to “key #x”.
5. Send x (in the clear) to Alice.

Shared secret: kx

Security

Suppose each key is 56 bits:
• Alice has to generate N keys and do N encryptions
• Bob has to do at most 2^56 work to brute force one puzzle
• Eve has to do ½N × 2^55 expected work
So, if 2^96 is infeasible, N = 2^42 could work.
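The full exchange above and the work accounting on this slide, as an added example that is not the course's own code: E is a constructed toy cipher standing in for the slides' E_k, and the key length is cut to 16 bits so Bob's brute force runs instantly.

```python
"""Merkle's Puzzles as the slides describe them, with a toy cipher and work
counters.  Added example, not from the course slides: E is a constructed
hash-based cipher standing in for the slides' E_k, and KEY_BITS is shrunk
from the slides' 56 so Bob's brute force finishes instantly."""
import hashlib
import secrets

KEY_BITS = 16

def E(key: int, data: bytes) -> bytes:
    """Toy cipher: XOR data with a SHA-256 keystream derived from the key.
    E is its own inverse, so it also serves as D."""
    stream = hashlib.sha256(key.to_bytes(8, "big")).digest()
    return bytes(p ^ s for p, s in zip(data, stream))

def alice_make_puzzles(n: int):
    """Steps 1-2: generate N random keys, send E_ki("key #" + i) in random order."""
    keys = [secrets.randbits(KEY_BITS) for _ in range(n)]
    puzzles = [E(keys[i], f"key #{i}".encode()) for i in range(n)]
    secrets.SystemRandom().shuffle(puzzles)      # hide which puzzle carries which i
    return keys, puzzles

def bob_solve_one(puzzles):
    """Steps 3-5: pick one puzzle, try every key until it opens.
    Returns (x, k_x, number of trial decryptions)."""
    chosen = secrets.choice(puzzles)
    for trial in range(2 ** KEY_BITS):
        text = E(trial, chosen)
        if text.startswith(b"key #") and text[5:].isdigit():
            return int(text[5:]), trial, trial + 1
    raise ValueError("puzzle did not open: not produced by E")

def eve_expected_work(n: int, key_bits: int = KEY_BITS) -> int:
    """Eve does not know x, so she must open puzzles until she hits it:
    about N/2 puzzles times 2^(bits-1) trials each (the slide's ½N × 2^55)."""
    return (n // 2) * 2 ** (key_bits - 1)

def run_protocol(n: int = 64) -> dict:
    """Full exchange: Alice's N puzzles, Bob's brute force, x sent in the clear,
    Alice looks up k_x from x.  Returns the shared key and each party's work."""
    keys, puzzles = alice_make_puzzles(n)
    x, k_x, bob_work = bob_solve_one(puzzles)
    if keys[x] != k_x:
        raise ValueError("Alice's lookup disagrees with Bob's key")
    return {"x": x, "shared_key": k_x, "alice_work": n,
            "bob_work": bob_work, "eve_work": eve_expected_work(n)}
```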


Can we do better?

CRYPTO 2009: Actually, it is impossible to do better!

Any scheme like this, even with perfect primitives, can be broken by an adversary who can do N^2 encryptions (where Alice and Bob do N encryptions).

To do better, we need some magic math!


Time for a Revolution!


“We stand today on the brink of a revolution in cryptography. The development of cheap digital hardware has freed it from the design limitations of mechanical computing and brought the cost of high grade cryptographic devices down to where they can be used in such commercial applications as remote cash dispensers and computer terminals. In turn, such applications create a need for new types of cryptographic systems which minimize the necessity of secure key distribution channels and supply the equivalent of a written signature. At the same time, theoretical developments in information theory and computer science show promise of providing provably secure cryptosystems, changing this ancient art into a science.”

Whit Diffie and Martin Hellman, November 1976.

Padlocked Boxes

[Diagram sequence: Alice puts the message M (the MSTR box) in a box locked with her padlock, EA(M), and ships it via Shady Sammy’s Slimy Shipping Service. Bob adds his own padlock on top: EB(EA(M)). The box goes back to Alice, who removes her padlock with her key: DA(EB(EA(M))) = EB(M). The box returns to Bob, who removes his padlock with his key and recovers M. Each padlock key never leaves its owner.]


“Padlocks” Key Agreement

• We relied on: DA(EB(EA(M))) = EB(M)
• Is this true for AES?
• What operations is it true for?

No way! AES (and any strong symmetric primitive) must involve non-linear transformations that are not commutative.

Multiplication


Diffie-Hellman(-Merkle) Key Agreement

Martin Hellman, Whit Diffie

Diffie-Hellman Key Agreement

Alice and Bob:
1. Choose and publish: q (large prime number), α (primitive root of q)
Alice:
2. Generate random XA
3. Send YA = α^XA mod q
Bob:
4. Generate random XB
5. Send YB = α^XB mod q

Alice: K = (YB)^XA mod q        Bob: K = (YA)^XB mod q


Key Agreement Requirements

Correctness: Both participants get the same key

Security: An eavesdropper cannot find K from all intercepted values


Key Agreement Correctness

Correctness: Both participants get the same key

YA = α^XA mod q                          YB = α^XB mod q

Alice: K = (YB)^XA mod q                 Bob: K = (YA)^XB mod q
         = (α^XB mod q)^XA mod q                = (α^XA mod q)^XB mod q
         = (α^(XB·XA) mod q) mod q              = (α^(XA·XB) mod q) mod q
         = α^(XB·XA) mod q                      = α^(XA·XB) mod q

Multiplication commutes (just like the padlocks)!

Security

An eavesdropper cannot find K from all intercepted values: q, α, YA, YB

Primitive Roots

α is a primitive root of q if for all 1 ≤ n < q, there is some m, 1 ≤ m < q, such that α^m = n mod q

All prime numbers have primitive roots.

Discrete logarithm problem: given α, n, and q, find the one 0 ≤ m < q such that α^m = n mod q. For good choices of q, this is believed to be hard.

Security of Diffie-Hellman

An eavesdropper cannot find K from the intercepted values q, α, YA, YB. If they could, they could solve the discrete log problem, which is hard: given YA = α^XA mod q, find XA.
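The primitive-root definition, the agreement itself and the eavesdropper's discrete-log task from the last three slides, worked in Python as an added example that is not the course's own code; q and α are constructed small values so the exhaustive checks finish.

```python
"""Diffie-Hellman as the slides define it: the primitive-root check, the
key agreement, and the eavesdropper's discrete-log task.  Added example,
not from the course slides; q and alpha are constructed small values so the
exhaustive checks finish (real q is 2048+ bits, where they do not)."""
import secrets

def is_primitive_root(alpha: int, q: int) -> bool:
    """alpha is a primitive root of prime q if alpha^m mod q, for m = 1..q-1,
    hits every n in 1..q-1 (the slide's definition, checked literally)."""
    return {pow(alpha, m, q) for m in range(1, q)} == set(range(1, q))

def dh_public(alpha: int, x: int, q: int) -> int:
    return pow(alpha, x, q)                      # Y = alpha^X mod q

def dh_shared(y_other: int, x: int, q: int) -> int:
    return pow(y_other, x, q)                    # K = (Y_other)^X mod q

def key_agreement(q: int, alpha: int):
    """Steps 1-5 of the slide.  Returns (Y_A, Y_B, K_Alice, K_Bob);
    the X values never leave their owner."""
    x_a = secrets.randbelow(q - 2) + 1           # Alice's secret exponent
    x_b = secrets.randbelow(q - 2) + 1           # Bob's secret exponent
    y_a = dh_public(alpha, x_a, q)               # sent in the clear
    y_b = dh_public(alpha, x_b, q)
    return y_a, y_b, dh_shared(y_b, x_a, q), dh_shared(y_a, x_b, q)

def discrete_log(alpha: int, n: int, q: int) -> int:
    """Eve's problem: the unique m in 0..q-2 with alpha^m = n mod q, found by
    exhaustive search.  The loop grows with q; 'believed hard' means no known
    method is fast enough for well-chosen 2048-bit q."""
    for m in range(q - 1):
        if pow(alpha, m, q) == n:
            return m
    raise ValueError("n is not generated by alpha")
```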

What about Mallory?

[Diagram: Alice encrypts plaintext to ciphertext, which crosses an insecure channel (e.g., the Internet) to Bob, who decrypts it; Mallory, an active attacker, sits on the channel]

Secure from Active Eavesdropper?

Public: q, α
Alice: XA, sends YA = α^XA mod q
Bob: XB, sends YB = α^XB mod q
Mallory (active attacker): XM, YM = α^XM mod q; delivers YM to Alice in place of YB and to Bob in place of YA

Alice computes KAM = (YM)^XA mod q        Bob computes KBM = (YM)^XB mod q
Mallory computes KAM = (YA)^XM mod q and KBM = (YB)^XM mod q
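The scenario in the diagram above, run end to end with Mallory standing in for the channel, as an added example that is not the course's own code; q and α are constructed toy values.

```python
"""The active-attacker picture from the slides, run end to end on
unauthenticated Diffie-Hellman so the keys each party ends up with can be
compared.  Added example, not from the course slides; q and alpha are
constructed toy values, and Mallory is modelled as the channel itself."""
import secrets

def dh_public(alpha: int, x: int, q: int) -> int:
    return pow(alpha, x, q)                       # Y = alpha^X mod q

def dh_shared(y_received: int, x: int, q: int) -> int:
    return pow(y_received, x, q)                  # K = (Y_received)^X mod q

def mitm_exchange(q: int, alpha: int, x_a: int, x_b: int, x_m: int) -> dict:
    """Alice and Bob run the slide's protocol; Mallory, controlling the channel,
    delivers Y_M to both of them instead of Y_A / Y_B."""
    y_a, y_b, y_m = (dh_public(alpha, x, q) for x in (x_a, x_b, x_m))
    return {
        "honest_key": dh_shared(y_b, x_a, q),     # what they would share without Mallory
        "alice": dh_shared(y_m, x_a, q),          # K_AM = (Y_M)^X_A mod q
        "bob": dh_shared(y_m, x_b, q),            # K_BM = (Y_M)^X_B mod q
        "mallory_alice": dh_shared(y_a, x_m, q),  # K_AM = (Y_A)^X_M mod q
        "mallory_bob": dh_shared(y_b, x_m, q),    # K_BM = (Y_B)^X_M mod q
    }

def undetected_by_protocol(result: dict) -> bool:
    """Nothing in the exchange itself tells Alice or Bob anything is wrong: each
    holds a well-formed key that matches the one Mallory holds for that side.
    Only authenticating Y_A and Y_B (the certificates later in the course) fixes this."""
    return (result["alice"] == result["mallory_alice"]
            and result["bob"] == result["mallory_bob"])

def random_run(q: int = 2 ** 31 - 1, alpha: int = 7) -> dict:
    """Same scenario with fresh random exponents (7 is a primitive root of 2^31 - 1)."""
    x_a, x_b, x_m = (secrets.randbelow(q - 2) + 1 for _ in range(3))
    return mitm_exchange(q, alpha, x_a, x_b, x_m)
```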

Does D-H Solve This?

[Diagram: TJ connects to petitions.gov over an insecure channel]

How does TJ know he’s really talking to petitions.gov? How can he establish a secure channel to transmit his password?

Asymmetric Cryptography

Asymmetry Required

Messages: everyone should be able to send Alice a message that only Alice can read
Signatures: Bob should be able to verify Alice signed a message, but not impersonate Alice

Asymmetric Cryptosystem

[Diagram: Alice applies E to the plaintext; the ciphertext crosses an insecure channel; Bob applies D to recover the plaintext]

Correctness: D(E(m)) = m
Security: given E(m) and E, cannot learn anything interesting about m or D

Asymmetric Cryptosystem (with Kerckhoffs’ Principle)

[Diagram: as above, with Alice holding KRA and Bob holding KUA]

Correctness: DKUA(EKRA(m)) = m
Security: given EKRA(m), E, KUA, and D, cannot learn anything interesting about m or KRA.

Providing Asymmetry

Need a function f that is:
• Easy to compute: given x, easy to compute f(x)
• Hard to invert: given f(x), hard to compute x
• Has a trap-door: given f(x) and t, easy to compute x

No function (publicly) known with these properties until 1977…

Ron Rivest, Len Adleman, Adi Shamir

RSA Cryptosystem

Ee(M) = M^e mod n
Dd(C) = C^d mod n
n = pq, where p, q are prime
d is relatively prime to (p – 1)(q – 1)
ed ≡ 1 mod (p – 1)(q – 1)

Correctness of RSA

Ee(M) = M^e mod n
Dd(C) = C^d mod n

Dd(Ee(M)) = (M^e mod n)^d mod n = M^(ed) mod n = M

The last step depends on choosing e and d to have this property: it uses Fermat’s little theorem and Euler’s totient theorem.

Bonus: Works in Both Orders

Ee(Dd(M)) = (M^d mod n)^e mod n = M^(de) mod n = M

Providing Asymmetry

Need a function f that is:
• Easy to compute: given x, easy to compute f(x)
• Hard to invert: given f(x), hard to compute x
• Has a trap-door: given f(x) and t, easy to compute x

Does RSA satisfy these?

Easy (Enough) to Compute

Easy to compute: given x, easy to compute f(x)

Ee(M) = M^e mod n
a^(m+n) = a^m × a^n
a^(2b) = a^b × a^b
Compute M^e in about log2(e) multiplications

Be careful not to have a timing side channel though!

Hard to Invert

Given Ee(M), e, and n, it is hard to compute M. If the attacker can factor n = pq, it is easy to find d: d = e^-1 mod (p – 1)(q – 1). All other attacks are equivalent to factoring n.

No one seems to know a fast way to factor, except with a quantum computer (and no one seems to yet know how to build a large one).

For reasonable security, n should be 2048 bits (comparable to a 112-bit symmetric key), believed sufficient until 2030.

Easy to Invert with Trapdoor

Ee(M) = M^e mod n
Dd(C) = C^d mod n
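The RSA arithmetic from the last several slides (key set-up, correctness in both orders, square-and-multiply with its cost, and the factoring trapdoor), worked as an added example that is not the course's own code; p = 61, q = 53, e = 17 are constructed toy parameters and there is no padding.

```python
"""Textbook RSA exactly as the slides define it: key set-up with ed = 1 mod
(p-1)(q-1), correctness in both orders, square-and-multiply with its cost
count, and the trapdoor (d from a factor of n).  Added example, not from the
course slides; p, q, e are constructed toy values, and there is no padding,
so this shows the arithmetic only and must not be used for real data."""
from math import gcd

def rsa_keygen(p: int, q: int, e: int):
    """Returns public key (n, e) and private exponent d with ed = 1 mod (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p - 1)(q - 1)")
    return (p * q, e), pow(e, -1, phi)            # pow(e, -1, m) is e^-1 mod m

def rsa_encrypt(m: int, pub) -> int:
    n, e = pub
    return pow(m, e, n)                           # E_e(M) = M^e mod n

def rsa_decrypt(c: int, d: int, n: int) -> int:
    return pow(c, d, n)                           # D_d(C) = C^d mod n

def square_and_multiply(base: int, exp: int, n: int):
    """base^exp mod n using a^(2b) = a^b * a^b and a^(m+1) = a^m * a.
    Returns (result, modular multiplications): one squaring per bit of exp
    plus one multiply per set bit, i.e. about log2(exp) as the slide says."""
    result, mults = 1, 0
    for bit in bin(exp)[2:]:                      # most significant bit first
        result, mults = result * result % n, mults + 1    # square
        if bit == "1":                            # data-dependent branch: this is the
            result, mults = result * base % n, mults + 1  # timing side channel the slide warns about
    return result, mults

def trapdoor_d(n: int, e: int, p: int) -> int:
    """Knowing one factor p of n (the trapdoor t), d = e^-1 mod (p-1)(q-1) is easy."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

def demo() -> dict:
    """Runs the slides' identities on the constructed toy parameters p=61, q=53, e=17."""
    pub, d = rsa_keygen(61, 53, 17)
    n, m = pub[0], 65
    c = rsa_encrypt(m, pub)
    return {"n": n, "d": d, "c": c,
            "recovered": rsa_decrypt(c, d, n),                     # D_d(E_e(M)) = M
            "both_orders": rsa_encrypt(rsa_decrypt(m, d, n), pub), # E_e(D_d(M)) = M
            "trapdoor_d": trapdoor_d(n, 17, 61),
            "square_and_multiply": square_and_multiply(m, 17, n)}
```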

Using RSA: Confidentiality

[Diagram: Alice applies E with KUB to the plaintext; the ciphertext crosses an insecure channel; Bob applies D with KRB to recover the plaintext]

Bob: selects two large primes p, q; computes ed ≡ 1 mod (p – 1)(q – 1); publishes n = pq and e, keeps d secret
Bob’s Public Key: KUB = (n, e) (modulus, public exponent)
Private Key: KRB = d (private exponent)

Alice: sends confidential messages to Bob using his public key

Over 1000x slower than AES! Only use when asymmetry is needed.


Using RSA: Signatures

[Diagram: Bob applies D with KRB to the message to produce the signed message; it crosses an insecure channel; Alice applies E with KUB to obtain the verified message]

Bob: selects two large primes p, q; computes ed ≡ 1 mod (p – 1)(q – 1); publishes n = pq and e, keeps d secret
Bob’s Public Key: KUB = (n, e) (modulus, public exponent)
Private Key: KRB = d (private exponent)

Alice: verifies the message is from Bob using his public key

Over 1000x slower than AES! Only use when asymmetry is needed.

Elliptic Curve Asymmetric Cryptosystems

Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP (unless you know the trapdoor).

y^2 = x^3 – 7 (mod p)

RSA vs. ECC vs. Lattice Ciphers

Discovery:
  RSA: 1977 (previously discovered in 1969 by GCHQ and perhaps earlier by NSA)
  ECC: 1985 (adoption limited until ~2005)
  Lattice: 1996

“Hard” Problem:
  RSA: Factoring
  ECC: Discrete Log on Elliptic Curve
  Lattice: Lattice Problems (e.g., closest vector)

Key Size (for ~112-bit security):
  RSA: 2048 bits (768 bits broken)
  ECC: 224 bits (112 bits broken)
  Lattice: 1,000,000 bits

Backdoor Risk:
  RSA: None
  ECC: Curves selected by NSA
  Lattice: Little

Quantum Computing Risk:
  RSA: Known fast factoring algorithms (Shor’s)
  ECC: Similar (variation of Shor’s algorithm solves Discrete Log)
  Lattice: Only if P = NP

Implementation Challenges:
  RSA: Avoiding weak keys, timing side channels
  ECC: Fast operations on elliptic curves, leaks on invalid inputs
  Lattice: Only simple arithmetic (but 10Ks of them)

Applications of Asymmetric Cryptosystems

Using Asymmetry: Signatures

[Diagram: Bob applies D with KRB to the message to produce the signed message; it crosses an insecure channel; Alice applies E with KUB to obtain the verified message]

Bob: generates KUB and KRB, publishes KUB
Alice: verifies the message is from Bob using his public key

Over 1000x slower than AES! (with both RSA and ECC)

What if we need to sign long (bigger than n ~ 2048 bits) messages?

Message Digests

[Diagram: Bob hashes the message with H to a digest and signs the digest with KRB; the message and signed digest cross the channel; Alice hashes the received message with H, applies E with KUB to the signed digest, and checks that the two digests are equal (H =)]

H is a cryptographic hash function:
• one-way: given H(x), cannot find a preimage x
• strong collision-resistant: hard to find a pair x and y where H(x) = H(y)

Authentication

[Diagram: TJ connects to petitions.gov over an insecure channel]

How does TJ know he’s really talking to petitions.gov? How can he establish a secure channel to transmit his password?

Simple Login Protocol

TJ → petitions.gov: EKUpetitions(“tj” + password)
petitions.gov: DKRpetitions(c)

Eve can’t decrypt without KRpetitions.

Getting Public Keys

• Public keys are only useful if you know you have the right one!
• Secure on-line directory?

[Diagram: TJ asks keys.gov “What is petitions.gov’s public key?” and receives KUpetitions]

Moving Directory Off-Line

[Diagram: Petitions registers (petitions.gov, KUPetitions) with TrustMe.com, which issues CP = KRTrustMe[“petitions.gov”, KUPetitions]; Petitions sends CP to TJ, who verifies it using KUTrustMe]

Anyone use this?

SSL (Secure Sockets Layer): Simplified TLS Handshake Protocol

Client → Server: Hello
Server → Client: KRCA[Server Identity, KUS]
Client: Verify certificate using KUCA; check identity matches URL
Client: Generate random K; send EKUS(K)
Server: Decrypt using KRS
Both: Secure channel using K

How did the client get KUCA?

Certificates

[Diagram: Petitions registers (petitions.gov, KUPetitions) with VarySign.com, which issues CP = KRVarySign[“petitions.gov”, KUPetitions]; Petitions sends CP to TJ, who verifies it using KUVarySign]

How does VarySign decide if it should give a certificate to the requester?

[Screenshots of certificate pricing: $1500 for 1 year; $399]

Limiting Damage

[Diagram: as before, but the certificate now carries an ID and an expiration: CP = KRVarySign[“petitions.gov”, cert ID, Expiration, KUPetitions]; TJ verifies it using KUVarySign]

Certificate Revocation

[Diagram: the client verifies CP = KRVarySign[“petitions.gov”, cert ID, Expiration, KUPetitions] using KUVarySign, and also consults VarySign.com’s Certificate Revocation List (CRL), a list of <cert ID, date> entries]

CRL Checking

[Screenshots: CRL-checking settings in Mozilla Firefox and Google Chrome]

On-line checking is expensive and may fail. An attacker-in-the-middle can make it fail.

SSL (Secure Sockets Layer): Simplified TLS Handshake Protocol

Client → Server: Hello
Server → Client: KRCA[Server Identity, KUS]
Client: Verify certificate using KUCA; check identity matches URL
Client: Generate random K; send EKUS(K)
Server: Decrypt using KRS
Both: Secure channel using K

Actual TLS has some extra steps:
- Negotiate versions
- Agree on which ciphers to use (many options, but beware!)
- Can authenticate client also
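Hash-then-sign from the Message Digests slide and the simplified handshake above, including the identity, expiration and CRL checks from the certificate slides, as one added example that is not the course's own code; the Mersenne-prime key pairs, cert ID 42 and the expiry timestamp are constructed values.

```python
"""Hash-then-sign (Message Digests slide) and the simplified certificate /
TLS handshake with expiration and CRL checks (SSL slides), run end to end.
Added example, not from the course slides.  Keys are constructed toy RSA pairs
from Mersenne primes so a full SHA-256 digest fits below n; special-form
primes and unpadded RSA are illustration only, never acceptable for real keys."""
import hashlib
import json
import secrets

def toy_keypair(p: int, q: int, e: int = 65537):
    """Returns public (n, e) and private (n, d) with ed = 1 mod (p-1)(q-1)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

CA_PUB, CA_PRIV = toy_keypair(2 ** 127 - 1, 2 ** 521 - 1)    # KU_CA, KR_CA
SRV_PUB, SRV_PRIV = toy_keypair(2 ** 107 - 1, 2 ** 607 - 1)  # KU_S, KR_S

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")   # H(M)

def sign(message: bytes, priv) -> int:
    n, d = priv
    return pow(digest(message), d, n)           # KR[H(M)]: sign the digest, not M

def verify(message: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(message)    # recompute H(M) and compare

def issue_cert(identity: str, cert_id: int, expires: int, subject_pub, ca_priv):
    """KR_CA["identity", cert ID, Expiration, KU] as a signed JSON body."""
    body = json.dumps({"identity": identity, "cert_id": cert_id, "expires": expires,
                       "n": subject_pub[0], "e": subject_pub[1]}).encode()
    return body, sign(body, ca_priv)

def cert_problem(cert, ca_pub, expected_host: str, now: int, crl: set):
    """Client-side checks from the slides: CA signature, identity matches the URL,
    not expired, not on the CRL.  Returns None if the certificate is acceptable."""
    body, sig = cert
    if not verify(body, sig, ca_pub):
        return "bad CA signature"
    f = json.loads(body)
    if f["identity"] != expected_host:
        return "identity does not match URL"
    if f["expires"] <= now:
        return "certificate expired"
    if f["cert_id"] in crl:
        return "certificate revoked"
    return None

def handshake(cert, host: str, now: int, crl: set):
    """Client validates the cert, generates random K and sends E_KU_S(K);
    server recovers K with KR_S.  Returns (client K, server K)."""
    problem = cert_problem(cert, CA_PUB, host, now, crl)
    if problem:
        raise ValueError(problem)
    f = json.loads(cert[0])
    k_client = secrets.randbits(128)
    k_server = pow(pow(k_client, f["e"], f["n"]), SRV_PRIV[1], SRV_PRIV[0])
    return k_client, k_server

# Constructed certificate for the slides' petitions.gov example; cert ID 42 and
# the expiry timestamp are arbitrary sample values.
CERT = issue_cert("petitions.gov", 42, 2_000_000_000, SRV_PUB, CA_PRIV)
```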

Summary

• Many useful applications require asymmetry
  – Confidentiality without a shared key, signatures
  – Others we will cover next week
• Asymmetric cryptosystems can be built using hard problems in number theory with trapdoors: RSA (factoring), ECC (discrete log)
• Asymmetric ciphers are very expensive: need to combine with hashes and symmetric crypto

SSL Test

MightBeEvil.com/crypto

Plan for Final Meeting: Applications of Asymmetric Crypto, Secure Computation, Future of Cryptosystems (open to requests!)