COMP3441/9441, Lecture 5, session 1 2013 - cse.unsw.edu.aumeyden/3441/w5.pdf · COMP3441/9441,...
COMP3441/9441, Lecture 5, session 1 2013
Ron van der Meyden
(University of New South Wales, Sydney, Australia)
April 8, 2013
R. van der Meyden COMP3441/9441, Lecture 5, session 1 2013
Overview
- Key distribution
- Public Key Cryptography
- Signatures
- Public Key Infrastructure
- Computational Complexity and Public Key Cryptography
Key Distribution: the problem
Alice and Bob, who have never met, wish to communicate over an insecure line. Eve, an eavesdropper, is listening in on the line. To use shared key cryptography, they need to establish a shared key. How can they do this?
A non-solution
A −→ B: $K$
A −→ B: $E_K(M)$
B knows $K$, $E_K(M)$, computes $D_K(E_K(M)) = M$
Problem: E also knows $K$, $E_K(M)$, so can compute $M$
An idea suggesting the problem is solvable
Suppose that $E_{K_A}(E_{K_B}(M)) = E_{K_B}(E_{K_A}(M))$
A −→ B: $E_{K_A}(M)$
B −→ A: $E_{K_B}(E_{K_A}(M))$
A knows $K_A$, $E_{K_B}(E_{K_A}(M))$, computes
$D_{K_A}(E_{K_B}(E_{K_A}(M))) = D_{K_A}(E_{K_A}(E_{K_B}(M))) = E_{K_B}(M)$
A −→ B: $E_{K_B}(M)$
B knows $K_B$, $E_{K_B}(M)$, computes $D_{K_B}(E_{K_B}(M)) = M$
Eve knows $E_{K_A}(M)$, $E_{K_B}(E_{K_A}(M))$, $E_{K_B}(M)$ and should not be able to compute $M$ from this.
Problem: It is hard to find a good cipher $E$ such that $E_{K_A}(E_{K_B}(M)) = E_{K_B}(E_{K_A}(M))$
(Implementable if A and B are communicating by snail mail and each has a padlock.)
Modular Arithmetic
Let $x, y, n$ be integers, $n > 0$.
$x \equiv y \bmod n$ if there exists an integer $k$ such that $x = k \cdot n + y$.
For every integer $x$, there is an integer $y \in \{0, 1, \ldots, n-1\}$ such that $x \equiv y \bmod n$. Write this $y$ as $x \bmod n$.
If $x \equiv x' \bmod n$ and $y \equiv y' \bmod n$ then
- $x + y \equiv x' + y' \bmod n$
- $x \cdot y \equiv x' \cdot y' \bmod n$
- $x^y \equiv (x')^y \bmod n$
NB: it does not follow that $x^y \equiv x^{y'} \bmod n$. Example: $x = 2$, $y = 1$, $y' = 4$, $n = 3$
Diffie-Hellman-Merkle's solution
Let $q$ be a natural number and $2 \le a \le q - 1$
- A generates a number $X_A$, B generates $X_B$
- A −→ B: $a^{X_A} \bmod q$
- B −→ A: $a^{X_B} \bmod q$
A knows $X_A$ and $a^{X_B} \bmod q$ and computes
$(a^{X_B} \bmod q)^{X_A} \bmod q = a^{X_A \cdot X_B} \bmod q$
B knows $X_B$ and $a^{X_A} \bmod q$ and computes
$(a^{X_A} \bmod q)^{X_B} \bmod q = a^{X_A \cdot X_B} \bmod q$
shared key is $a^{X_A \cdot X_B} \bmod q$
E knows $a^{X_A} \bmod q$ and $a^{X_B} \bmod q$.
No efficient way to compute $a^{X_A \cdot X_B} \bmod q$ from these is known.
In particular, no efficient way is known to compute the discrete logarithm: i.e., given $a, b, q$, solve $a^x \equiv b \bmod q$ for $x$.
Note: to increase Eve's set of possible candidates for $a^{X_A \cdot X_B}$, want $a^x \bmod q$ to have a large set of possible values as $x$ varies.
Question: How can we ensure this set is large? How large can it be, as a function of $q$?
Some Number Theory
A natural number $n > 1$ is prime if it has no divisors other than 1 and $n$.
Some facts:
Euclid: There exist an infinite number of primes.
Prime Factorization: Every number $n > 1$ can be written in a unique way as a product
$n = p_1^{m_1} \cdots p_k^{m_k}$
where $p_1 < \ldots < p_k$ are primes.
Generators
$a$ is a generator modulo $n$ if $a, a^2, a^3, \ldots, a^{n-1} \bmod n$ includes all numbers $1, 2, 3, \ldots, n-1 \bmod n$
Fact: If $q$ is prime then generators mod $q$ exist.
Example: 2 and 3 are generators mod 5 (and the only ones)
So: in the Diffie-Hellman-Merkle protocol, we choose $q$ to be a prime, and choose $a$ to be a generator mod $q$, giving $q - 1$ different possible key values.
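Added example (Python, written for these notes; it is not code from the lecture). It runs the Diffie-Hellman-Merkle exchange in the notation above and answers the question on the previous slide by counting, for a given base $a$, how many distinct values $a^x \bmod q$ takes: that count is the size of Eve's candidate set, and it reaches $q - 1$ exactly when $a$ is a generator. The exhaustive generator check is only meant for small $q$; the function names and the fixed exponents 6 and 15 are my own choices.

```python
import random

_rng = random.SystemRandom()   # CSPRNG for the private exponents


def powers(a, q):
    """The set {a^x mod q : 1 <= x <= q-1}: every value the exchanged
    quantity a^X mod q, and hence the shared key, can take for base a."""
    return {pow(a, x, q) for x in range(1, q)}


def key_space_size(a, q):
    """How many candidates Eve has to consider for a^(XA*XB) mod q."""
    return len(powers(a, q))


def is_generator(a, q):
    """a is a generator mod q if its powers hit every value 1 .. q-1."""
    return powers(a, q) == set(range(1, q))


def generators(q):
    """All generators mod q, found by exhaustive check (small q only)."""
    return [a for a in range(2, q) if is_generator(a, q)]


def dh_exchange(a, q, x_a=None, x_b=None):
    """One Diffie-Hellman-Merkle run in the lecture's notation.
    Returns (a^XA mod q, a^XB mod q, A's key, B's key); the first two are
    what Eve sees on the line. Fixed exponents may be passed for testing."""
    if x_a is None:
        x_a = _rng.randrange(1, q - 1)
    if x_b is None:
        x_b = _rng.randrange(1, q - 1)
    sent_by_a = pow(a, x_a, q)          # A -> B
    sent_by_b = pow(a, x_b, q)          # B -> A
    key_a = pow(sent_by_b, x_a, q)      # (a^XB)^XA mod q
    key_b = pow(sent_by_a, x_b, q)      # (a^XA)^XB mod q
    return sent_by_a, sent_by_b, key_a, key_b


if __name__ == "__main__":
    print(generators(5))                    # [2, 3], as on the slide
    for a in range(2, 23):
        print(a, key_space_size(a, 23))     # 22 only when a generates mod 23
    print(dh_exchange(5, 23, 6, 15))        # (8, 19, 2, 2)
```

Running the loop for $q = 23$ shows the sizes 2, 11 and 22 only: the number of distinct powers always divides $q - 1$, so a non-generator base can shrink Eve's search space by a large factor even though $q$ itself is prime.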
Finding Primes
Prime Number Theorem: The number of primes less than $n$ is about $n / \ln n$
So, if we need a random prime of length $m$ bits, a random guess has probability
$1 / \ln(2^m) = 1 / (m \ln 2) > 1/m$
of finding a prime.
Implementations use this strategy: guess and verify (until you find one)
Primality testing
How to test that an $m$ bit number $q$ is prime?
Brute force: for all numbers $x \le \sqrt{q}$, test if $q$ is divisible by $x$ (cost $= 2^{m/2}$ checks, so not feasible)
In 2002, primality testing was shown to be computable in polynomial time:
Manindra Agrawal, Neeraj Kayal, Nitin Saxena, PRIMES is in P, Annals of Mathematics 160 (2004), no. 2, pp. 781-793
Current best algorithm (Lenstra and Pomerance) takes time $O((\ln n)^6)$.
Probabilistic Primality testing
Prior to 2002, the approach used was based on probabilistic algorithms, that run efficiently, with a high probability of returning the correct answer.
(Examples: algorithms by Miller & Rabin, and by Solovay & Strassen.)
Since the polynomial time algorithms are more difficult to implement, the probabilistic ones are still in use.
A public key cryptosystem is
- a pair of efficiently computable encryption and decryption functions $E$, $D$ (parameterized by a key $K$)
- an efficient way of generating a pair of keys $K$, $K^{-1}$ so that
  - $D_{K^{-1}}(E_K(M)) = M$ for all messages $M$, and
  - it is hard to compute $K^{-1}$ from $K$.
Given a public key cryptosystem, even in the presence of an eavesdropper, A can securely send $M$ to B by
B generates $K, K^{-1}$
B −→ A: $K$
A −→ B: $E_K(M)$
B knows $K^{-1}$, $E_K(M)$, and computes $D_{K^{-1}}(E_K(M)) = M$
E does not know $K^{-1}$ so cannot easily do this.
Comments
- A public key cryptosystem must be able to withstand adaptive chosen plaintext cryptanalysis
  Eve learns $K$ so can compute
  $E_K(M_1), E_K(M_2), \ldots$
  for messages $M_1, M_2, \ldots$ of Eve's choosing.
- If the message space is small, Eve can mount a brute force attack:
  Fix: pad messages with a long random string $N$:
  B −→ A: $K$
  A −→ B: $E_K(M, N)$
Some history of public key cryptography
- Merkle 1975, public key cryptography: a weak system requiring $O(n)$ messages and having an attack of $O(n^2)$
- 1976 Diffie & Hellman: key exchange
- Merkle and Hellman (1978): a system based on knapsacks, since cracked
- Rivest, Shamir and Adleman (1978): RSA, most widely adopted system
Later revelations
Classified work at GCHQ (Govt Comms HQ, UK) revealed in 1997:
- 1970: James Ellis invented public-key cryptography
- 1973: Clifford Cocks invented (essentially) RSA
- 1973: Malcolm Williamson invented Diffie-Hellman key exchange
There have also been claims from NSA in 1997 that they knew about it in the 1960's, motivated by requirements of a 1962 Kennedy nuclear arms memo. (But no details released yet.)
More Number Theory
$n$ and $m$ are relatively prime if their only common divisor is 1.
Theorem: if $a$ and $n$ are relatively prime then there exists a unique number $b \bmod n$ such that $ab \equiv 1 \bmod n$.
In this case we can write $b$ as $a^{-1}$, so we have $a \cdot a^{-1} \equiv 1 \bmod n$.
Proof: Uniqueness first: suppose that for two numbers $1 \le b_1, b_2 < n$ we have $ab_1 \equiv ab_2 \bmod n$.
Then $n$ divides $ab_1 - ab_2 = a(b_1 - b_2)$.
Since $a$ and $n$ are relatively prime, $n$ divides $b_1 - b_2$, so $b_1 \equiv b_2 \bmod n$, and in fact we must have $b_1 = b_2$ since both are less than $n$.
Now consider $a \cdot 1 \bmod n, a \cdot 2 \bmod n, \ldots, a \cdot (n-1) \bmod n$.
They are all different, by the above. None can be 0. (Else, $n$ divides $ab$, so divides $b < n$.) So by the pigeon hole principle, one of these numbers must equal 1.
Pigeon hole principle: If there are $K$ pigeons sitting in $K$ holes, at most one per hole, then every hole has a pigeon in it!
Fermat's Little Theorem (FLT): If $p$ is prime and $1 \le a \le p - 1$ then $a^{p-1} \equiv 1 \bmod p$
The reduced set of residues mod $n$ is the set of numbers $x \in \{1, \ldots, n-1\}$ such that $x$ and $n$ are relatively prime.
Euler's totient function: $\varphi(n)$ is the size of the reduced set of residues mod $n$
Euler's generalization of Fermat's little theorem: If $a$ and $n$ are relatively prime, then $a^{\varphi(n)} \equiv 1 \bmod n$.
Fact: If $n = p \cdot q$ where $p$ and $q$ are prime, then $\varphi(n) = (p - 1) \cdot (q - 1)$
RSA Public Keys
- De facto standard for public key cryptography
- Widely used, e.g., in web browsers
- standardized in 1990's for finance applications in Australia, France (USA: resistance due to patents, NSA attempts to limit use)
- patented in US, expired Sept 20, 2000
- not proved secure, but has withstood extensive cryptanalysis
- Choose two random primes $p$ and $q$. Define $n = p \cdot q$.
- Choose $e$ such that $e$ and $(p - 1) \cdot (q - 1)$ are relatively prime.
- Let $d$ be a solution of
  $ed \equiv 1 \bmod (p - 1) \cdot (q - 1)$
Discard $p$, $q$.
Public encryption key $K = (e, n)$, $E_K(M) = M^e \bmod n$
Private decryption key $K^{-1} = (d, n)$, $D_{K^{-1}}(M) = M^d \bmod n$
(where $M$ is represented as a number $< n$)
By choice, there exists $k$ such that $ed = k(p-1)(q-1) + 1$.
Fact: For all $M$ and $k$ we have that $p$ divides $M^{k(p-1)(q-1)+1} - M$
Proof: this is obvious if $p$ divides $M$.
Suppose $p$ does not divide $M$, then by FLT, $M^{p-1} \equiv 1 \bmod p$ so
$M^{k(p-1)(q-1)} \equiv (M^{p-1})^{k(q-1)} \bmod p \equiv 1^{k(q-1)} \bmod p \equiv 1 \bmod p$
So $M^{k(p-1)(q-1)+1} \equiv M \bmod p$
i.e. $p$ divides $M^{k(p-1)(q-1)+1} - M$.
Similarly, for all $M$, we have that $q$ divides $M^{k(p-1)(q-1)+1} - M$
Since $p$ and $q$ are distinct primes, for all $M$, we have that $pq = n$ divides $M^{k(p-1)(q-1)+1} - M$, i.e.
$M^{k(p-1)(q-1)+1} \equiv M \bmod n$
Thus:
$D_{K^{-1}}(E_K(M)) = (M^e \bmod n)^d \bmod n = (M^e)^d \bmod n = M^{e \cdot d} \bmod n = M^{k \cdot (p-1) \cdot (q-1) + 1} \bmod n = M$
Solving $x \cdot y \equiv 1 \bmod m$
Apply the extended Euclid algorithm
Algorithm GCD(a, b):    % assumption: a > b
                        % invariant: returns (d, k, l) with d = gcd(a, b) and k*a + l*b = d
    if b = 0 then return (a, 1, 0)
    else
        let q = a div b
        let (d, k, l) = GCD(b, a mod b)    % d = k*b + l*(a - q*b) = l*a + (k - l*q)*b
        return (d, l, k - l*q)
If $m$ and $x$ are relatively prime and $m > x$, and GCD$(m, x) = (1, i, j)$ then $x \cdot j \equiv 1 \bmod m$
Computing Exponentiation
Remark: we can compute $a^{2^k} \bmod n$ in $O(k)$ multiplications:
$a^2 \bmod n = a \cdot a \bmod n$
$a^4 \bmod n = a^2 \cdot a^2 \bmod n$
...
$a^{2^k} \bmod n = a^{2^{k-1}} \cdot a^{2^{k-1}} \bmod n$
If $x = x_0 + x_1 \cdot 2 + x_2 \cdot 2^2 + \ldots + x_k \cdot 2^k$ is the binary decomposition of $x$ then
$a^x \bmod n = \prod_{i = 0 \ldots k:\ x_i = 1} a^{2^i} \bmod n$
So $k + \log_2 k$ multiplications suffice to compute $a^x \bmod n$
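Added example (Python, written for these notes; not the lecture's own code). It puts the last three slides together: the slide's GCD(a, b) recursion solves $x \cdot y \equiv 1 \bmod m$, square-and-multiply over the binary digits of the exponent computes $a^x \bmod n$, and both feed the RSA key generation and the $D_{K^{-1}}(E_K(M)) = M$ check. The primes 61 and 53 and exponent 17 in the usage are a constructed toy key; the function names are my own. Real keys need the random primes and modulus sizes discussed on the following slides and a padded encoding of $M$ (the random string $N$ from the Comments slide), neither of which this block does.

```python
def gcd_ext(a, b):
    """The lecture's GCD(a, b): returns (d, k, l) with d = gcd(a, b)
    and k*a + l*b = d. Works for a < b too (first step then just swaps)."""
    if b == 0:
        return (a, 1, 0)
    q = a // b
    d, k, l = gcd_ext(b, a % b)
    return (d, l, k - l * q)


def mod_inverse(x, m):
    """Solve x * y ≡ 1 (mod m) via GCD(m, x) = (1, i, j): then y = j mod m."""
    d, _i, j = gcd_ext(m, x)
    if d != 1:
        raise ValueError("%d has no inverse mod %d (gcd = %d)" % (x, m, d))
    return j % m


def mod_pow(a, x, n):
    """Square-and-multiply: walk the bits x_0, x_1, ... of x; `base` holds
    a^(2^i) mod n and is multiplied in whenever x_i = 1."""
    result = 1
    base = a % n
    while x > 0:
        if x & 1:
            result = (result * base) % n
        base = (base * base) % n
        x >>= 1
    return result


def rsa_keygen(p, q, e=65537):
    """Keys (e, n) and (d, n) from two distinct primes, as on the slide."""
    if p == q:
        raise ValueError("p and q must be distinct")
    n = p * q
    phi = (p - 1) * (q - 1)
    d = mod_inverse(e, phi)          # raises if e and phi are not coprime
    return (e, n), (d, n)


def rsa_encrypt(public_key, m):
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be a number < n")
    return mod_pow(m, e, n)


def rsa_decrypt(private_key, c):
    d, n = private_key
    return mod_pow(c, d, n)


if __name__ == "__main__":
    print(gcd_ext(240, 46))                  # (2, -9, 47): -9*240 + 47*46 = 2
    pub, priv = rsa_keygen(61, 53, e=17)     # constructed toy key
    print(pub, priv)                         # (17, 3233) (2753, 3233)
    c = rsa_encrypt(pub, 65)
    print(c, rsa_decrypt(priv, c))           # 2790 65
```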
Security of RSA
RSA has withstood cryptanalysis, but
- it has not been proved to be secure
- factoring $n$ would suffice to compute $d$. Factorization is thought not to be NP-complete.
- in theory, factorization can be done efficiently on a quantum computer
- it is not known that factorization is the only way to crack RSA.
Key Size Issues
How large should the modulus $n$ be in bits?
Computers & factorization algorithms keep getting faster.
US restricted export to modulus 512 bits until Jan 2000
Aug 1999 - 512 bit modulus cracked in 7 months using 300 workstations
May 2005 - 663 bit modulus cracked by the equivalent of 75 years work for a single 2.2 GHz Opteron-based computer.
Key Size Issues
2009: 768 bit modulus cracked in 6.5 months using 80 processors. (T. Kleinjung et al, http://eprint.iacr.org/2010/006.pdf)
"a 1024-bit RSA modulus is still about one thousand times harder to factor than a 768-bit one. If we are optimistic, it may be possible to factor a 1024-bit RSA modulus within the next decade by means of an academic effort on the same limited scale as the effort presented here. From a practical security point of view this is not a big deal, given that standards recommend phasing out such moduli by the end of the year 2010 (cf. [28,29]). See also [22].
Another conclusion from our work is that we can confidently say that if we restrict ourselves to an open community, academic effort as ours and unless something dramatic happens in factoring, we will not be able to factor a 1024-bit RSA modulus within the next five years (cf. [30]). After that, all bets are off."
stay tuned: http://en.wikipedia.org/wiki/RSA_Factoring_Challenge
Exercise: what is the modulus size in websites you visit using https?
Mallory's (man in the middle) attack on public keys
Alice   Mallory   Bob
- Alice −→ Bob: Hey Bob, I've got a really juicy secret to tell you, what's your public key?
- Bob −→ Alice (Mallory): Hi Alice, It's $K_B$, Regards, Bob
- Mallory (Bob) −→ Alice: Hi Alice, It's $K_M$, Regards, Bob
- Alice −→ Bob (Mallory): $\{Secret\}_{K_M}$
- Mallory decrypts using $K_M^{-1}$, reads Secret
- Mallory (Alice) −→ Bob: $\{Secret\}_{K_B}$
The attack from Alice's viewpoint
- Alice −→ Bob?: Hey Bob, I've got a really juicy secret to tell you, what's your public key?
- Bob? −→ Alice: Hi Alice, It's $K_M$, Regards, Bob
- Alice −→ Bob?: $\{Secret\}_{K_M}$
The attack from Bob's viewpoint
- Alice? −→ Bob: Hey Bob, I've got a really juicy secret to tell you, what's your public key?
- Bob −→ Alice?: Hi Alice, It's $K_B$, Regards, Bob
- Alice? −→ Bob: $\{Secret\}_{K_B}$
Diffie/Hellman's solution:
A secure online directory D serving public key requests.
- each user trusts D
- each user has a shared key with D
- $n$ users → use $n$ secure channels to get $n^2$ secure channels
Kohnfelder's solution: Signed certificates for offline name-key binding validation
Real World Certificates
"A document containing a certified statement, especially as to the truth of something"
- Birth certificates
- Marriage certificates
- Degree certificates
- Doctors' certificates
(Basic) Public Key Certificates
The information:
- Subject: name of person/entity holding the key
- Public Key: key value
- Certificate Authority Name: a name N
Signed using N's signature key
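Added example (Python, written for these notes; not the lecture's code) tying the basic certificate above back to Mallory's attack. A CA signs the three fields listed on the slide with a toy RSA key (signature $= h^d \bmod n$ over a hash of the fields, checked as $s^e \bmod n = h$); Alice, who already holds the CA's public key, accepts a key for Bob only if the certificate verifies and names Bob. Mallory can replace Bob's key in transit but cannot re-sign without the CA's private key, so the substituted certificate fails the check. The CA primes, the sample keys for Bob and Mallory, the 56-bit hash truncation (needed only because the toy modulus is small) and all names are constructed for this example; `pow(e, -1, m)` needs Python 3.8 or later.

```python
import hashlib
import json

# Toy CA key: two well-known primes, far too small for real use.
CA_P, CA_Q, CA_E = 1000000007, 1000000009, 65537
CA_N = CA_P * CA_Q
CA_D = pow(CA_E, -1, (CA_P - 1) * (CA_Q - 1))   # Python 3.8+
CA_NAME = "Example CA"
CA_PUBLIC = (CA_E, CA_N)                       # what every user holds


def _digest(subject, public_key, ca_name):
    """Hash of the three certificate fields in a canonical encoding.
    Truncated to 56 bits so that the value is below the toy modulus."""
    payload = json.dumps([subject, list(public_key), ca_name]).encode()
    return int.from_bytes(hashlib.sha256(payload).digest()[:7], "big")


def issue_certificate(subject, public_key):
    """The CA binds a name to a key by signing the fields with CA_D."""
    h = _digest(subject, public_key, CA_NAME)
    return {"subject": subject, "public_key": list(public_key),
            "ca": CA_NAME, "signature": pow(h, CA_D, CA_N)}


def verify_certificate(cert, ca_public=CA_PUBLIC):
    """Recompute the hash from the fields as received and compare with
    the signature raised to the CA's public exponent."""
    e, n = ca_public
    h = _digest(cert["subject"], cert["public_key"], cert["ca"])
    return pow(cert["signature"], e, n) == h


def key_for(cert, expected_subject, ca_public=CA_PUBLIC):
    """Alice's check before encrypting: the certificate must name the
    party she wants and verify under the CA key she already trusts.
    Returns the public key, or None if either check fails."""
    if cert["subject"] != expected_subject:
        return None
    if not verify_certificate(cert, ca_public):
        return None
    return tuple(cert["public_key"])


# Constructed sample public keys (e, n); only the public halves matter here.
BOB_KEY = (65537, 3233)
MALLORY_KEY = (65537, 2773)

CERT_BOB = issue_certificate("Bob", BOB_KEY)
# Mallory swaps the key field on the line but has no CA_D to re-sign,
# so the old signature no longer matches the content.
CERT_FORGED = dict(CERT_BOB, public_key=list(MALLORY_KEY))

if __name__ == "__main__":
    print(key_for(CERT_BOB, "Bob"))       # (65537, 3233): accepted
    print(key_for(CERT_FORGED, "Bob"))    # None: signature check fails
```

A certificate legitimately issued to Mallory under her own name also returns None from `key_for(..., "Bob")`: the subject check is what turns a valid signature into a name-key binding, which is the point of Kohnfelder's solution.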
Certificate Distribution Methods
Certificate gets integrity and verifiability from the signature, so does not need secure storage/transmission. Can be distributed
- Along with the signed document
- As part of a protocol (e.g. SSL)
- using directory services (e.g. X.500, LDAP)
- on web-pages
- using finger
- by email ...
Public Key Certificate Standards
Aspects to be standardised:
- Certificate Syntax
- Certificate Semantics
- Rules for Operation of certificate infrastructure
- Legal Issues, Liability
X.509 (version 3) certificate structure
- Certificate Version
- Certificate Serial Number
- CA's signature algorithm ID
- CA's X.500 name
- Validity period
- Subject's X.500 name
- Subject's Public Key information (AlgorithmIdentifier, Public Key value)
- (optional) Issuer unique identifier
- (optional) Subject unique identifier
- (optional) Extension fields
X.500 names
X.500: an ITU/ISO standard (1984-1988) for directory services
Vision: every person/company/division/computer/peripheral/device assigned a distinguished name for use in directories
X.500 names constructed from Attributes
E.g. {Country=Australia, Organisation=University of New South Wales, Department=Computer Science and Engineering, Name=John Smith}