© RSA 1998
Why Standards?
• Many reasons:
– interoperability
– stability
– assurance
• De facto or de jure?
RSA Data Security, Inc.
Emerging Standards for Public-Key Cryptography
SEIKO INSTRUMENTS PAGER PAL
Introduction
• As research matures, it can be made “standard”
– ’70s and ’80s research in public-key cryptography leads to standards in ’90s
• This talk is a snapshot of some of the standards efforts — and the interesting issues they raise
Part I:
Survey of Standards Efforts
Outline
I. Survey of Standards Efforts
II. A General Model for Public-Key Standards
III. Strong Primes: A Recurring Technical Debate
IV. Some Research Motivated by Standards
Some Public-Key Standards Efforts
• ANSI X9F1
• IEEE P1363
• ISO/IEC JTC1 SC27
• US NIST
ANSI X9F1 Efforts
• Some ANSI documents (drafts)
– X9.30 DSA signatures
– X9.31 RSA/RW signatures (rDSA)
– X9.42 DH/MQV key agreement
– X9.44 RSA key transport
– X9.62 elliptic curve signatures
– X9.63 EC key agreement / transport
– X9.79 prime generation
ANSI X9F1
• Financial Services / Data and Information Security / Cryptographic Tools
• Corporate membership
• Quarterly meetings in North America
• www.x9.org
IEEE P1363
• Standard Specifications for Public-Key Cryptography
• Sponsored by IEEE Microprocessor Standards Committee
• Individual participation
• Meetings mostly in North America
• grouper.ieee.org/groups/1363
IEEE P1363 Coverage
• Three types of technique:
– key agreement, signature, encryption
• From three families:
– DL: discrete logarithm
– EC: elliptic curve
– IF: integer factorization
• Also, number theory background, security considerations
IEEE P1363a
• Standard Specifications for Public-Key Cryptography: Additional Techniques
• In preparation
• More techniques, probably same families
– identification likely to be added
ISO/IEC JTC1 SC27
• International Organization for Standardization / International Electrotechnical Commission / Information Technology / IT Security Techniques
• National representation, with experts
• Meetings throughout the world
• www.iso.ch
SC27 Efforts
• Some ISO/IEC documents
– 9796 Signatures with message recovery
– 9798 Entity authentication
– 11770 Key management
– 13888 Nonrepudiation
– 14888 Signatures with appendix
• Symmetric and public-key techniques
U.S. NIST FIPS
• National Institute of Standards and Technology
– part of U.S. Department of Commerce
• Federal Information Processing Standards (FIPS)
• Computer Security Act (1987) gives charter for government cryptography standards
• www.nist.gov
NIST Efforts
• Some FIPS:
– 186 Digital Signature Standard
– 196 Entity Authentication
– new Key Exchange / Agreement
• Others of interest:
– 46-2 Data Encryption Standard
– 180-1 Secure Hash Standard
– new Advanced Encryption Standard
Comparing the Efforts
• Different goals:
– ISO, IEEE: general building blocks
– ANSI: US banking requirements
– NIST: US government, commercial
• Coordination:
– IEEE, ANSI technical convergence
– NIST will accept ANSI signature standards for government purposes
– ISO TC68 adopts ANSI X9F1
Application Standards of Interest
• S/MIME: messaging
• SSL / TLS: communications
• SET: bank card payments
• PKIX: public-key infrastructure
RSA Laboratories’ PKCS
• Public-Key Cryptography Standards
• Informal, intervendor effort coordinated by RSA Laboratories
• Periodic workshops
• www.rsa.com/rsalabs/pubs/PKCS/
PKCS Efforts
• Revisions and new documents:
– PKCS #1 RSA Cryptography
• v2.0 draft in review, includes Bellare-Rogaway OAEP
– PKCS #5 Password-Based Encryption
– PKCS #13 Elliptic Curve Cryptography
– PKCS #14 Pseudorandom Generation
– PKCS #15(?) Smart Card File Formats
Part II:
A General Model for Public-Key Standards
A General Model
• Framework with abstraction, generally following P1363
• Three levels:
– primitives
– schemes
– protocols
• … plus key management
P1363 Naming Convention
• General form:
– family type - instance
• where
– family is DL, EC, IF
– type is one of:
• SP: Signature Primitive
• SSA: Signature Scheme with Appendix
• etc.
– instance is a particular algorithm, e.g., DSA, DH, RSA
Primitives
• Basic mathematical operations
• Low-level implementation
– e.g., crypto-accelerator, software module
• Computational security
– enhanced when combined with additional techniques in a scheme
Types of Primitive
• Secret value derivation
– shared secret value from public key(s), party’s private key(s)
• Signature and verification
• Encryption and decryption
Example: DLSP-DSA / DLVP-DSA
• DSA signature / verification primitives
• DLSP-DSA ((p, q, g, x), m):
– $r = (g^{k} \bmod p) \bmod q$, k random
– $s = k^{-1}(m + xr) \bmod q$
• DLVP-DSA ((p, q, g, y), m, (r, s)):
– $r \stackrel{?}{=} (g^{m/s}\, y^{r/s} \bmod p) \bmod q$
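The two primitives above, written out as an added example (not code from the slides or from P1363) over a toy, constructed parameter set p = 23, q = 11, g = 4, so that every value can be checked by hand; the exponents m/s and r/s are m·s⁻¹ and r·s⁻¹ mod q.

```python
# Toy DSA primitives in the P1363 DLSP-DSA / DLVP-DSA shape (added example).
# Constructed parameters for illustration only: q = 11 divides p - 1 = 22,
# and g = 4 has order q modulo p = 23.
from typing import Tuple

DomainParams = Tuple[int, int, int]  # (p, q, g)
TOY_PARAMS: DomainParams = (23, 11, 4)

def dlsp_dsa(params: DomainParams, x: int, m: int, k: int) -> Tuple[int, int]:
    """Signature primitive: r = (g^k mod p) mod q, s = k^-1 (m + x r) mod q.
    m is the message representative (in a scheme, the encoded hash reduced mod q);
    k must be a fresh, uniform, secret value in [1, q-1] for every signature."""
    p, q, g = params
    if not 1 <= k < q:
        raise ValueError("k out of range")
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (m + x * r)) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; pick a new k")  # DSA requires a retry
    return r, s

def dlvp_dsa(params: DomainParams, y: int, m: int, sig: Tuple[int, int]) -> bool:
    """Verification primitive: r == (g^(m/s) y^(r/s) mod p) mod q, with
    m/s and r/s computed as m * s^-1 and r * s^-1 modulo q."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False  # range-check the signature before any arithmetic
    w = pow(s, -1, q)
    u1 = (m * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r

def public_key(params: DomainParams, x: int) -> int:
    """y = g^x mod p."""
    p, _, g = params
    return pow(g, x, p)

if __name__ == "__main__":
    x = 3                          # toy private key
    y = public_key(TOY_PARAMS, x)  # 4^3 mod 23 = 18
    sig = dlsp_dsa(TOY_PARAMS, x, m=7, k=5)
    print(sig, dlvp_dsa(TOY_PARAMS, y, 7, sig))
```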
Primitives in P1363
• Secret Value Derivation
– DH, MQV in DL, EC families
• Signature / Verification:
– DSA, Nyberg-Rueppel in DL, EC families
– RSA with and w/o absolute value
– Rabin-Williams
• Encryption / Decryption:
– RSA
Schemes
• Related operations combining primitives, additional techniques
– a framework with options
• Medium-level implementation
– e.g., cryptographic service library
• Complexity-theoretic security (ideally)
– completed when appropriately applied in a protocol
Types of Scheme
• Key agreement
• Signature
– with appendix
– with message recovery
• Encryption
• Identification (in P1363a)
Additional Techniques
• Encoding method
– maps between message, data to be processed by primitive
– for signatures, encryption schemes
• Key derivation function
– maps from shared secret value to key
– for key agreement schemes
Example: DL/ECSSA
• DL/EC signature scheme
– options: SP / VP / encoding method
• Signature operation (privKey, M):
– S = SP (privKey, Encode (M))
• Verification operation (pubKey, M, S):
– VP (pubKey, Encode (M), S) [DSA]
– Encode (M) =? VP (pubKey, S) [NR]
Encoding Methods for Signatures
• DL/EC signatures
– Hash (M)
• IF signatures with appendix
– Pad || HashID || Hash (M)
• IF signatures with message recovery
– ISO9796-1 (M)
Related Scheme Operations
• Domain parameter generation
• Domain parameter validation
• Key pair generation
• Public key validation
• Private key validation
Schemes in P1363
• Key agreement
– three DL/EC generic: DH1, DH2, MQV
• Signature with appendix
– DL/EC generic
– IF generic
• Signature with message recovery
– IF generic
• Encryption
– IF generic
Protocols
• Sequence of operations to be performed by parties to achieve some security goal
• High-level implementation
– applications, services
• “Real” security
– but depends on implementation considerations
• (No protocols in P1363)
Types of Protocol
• Key establishment
– key agreement
– key transport
• Entity authentication
• Data origin authentication
• Data confidentiality
Part III:
“Strong” Primes: A Recurring Technical Debate
What is a “Strong” Prime?
• RSA key pair consists of
– public key (n, e)
– private key (n, d)
– where n = pq, p and q are large primes, and $ed \equiv 1 \pmod{(p-1)(q-1)}$
• A prime p is strong if p', the largest factor of p-1, is large
• Are strong primes necessary?
Early ’80s: Yes
• Pollard’s p-1 method (1974) can factor n in about p' operations, so p' should be large
• Gordon (1984) gives method for generating RSA keys efficiently with strong prime factors
– X.509 (1988) also mentions conditions
• Related conditions on p+1, p'-1, etc.
Late ’80s / Early ’90s: No
• Lenstra’s ECM (1987) can factor n in $O\left(\exp\left((2 \ln p \ln \ln p)^{1/2}\right)\right)$ operations, so p should be large
• … but if p is large and random, then p' will be large with high probability
• Rivest (unpublished) argues that strong primes don’t help
– but don’t hurt either
Late ’90s: Maybe
• What about signature repudiation?
– Dishonest user chooses n with weak prime
– Later, disavows signature, claiming that someone factored n by p-1 method
• ANSI X9.31 (1998) standardizes on strong primes for banking
– also, generates primes as one-way function of seed
• Still, are strong primes necessary?
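An added example (not the slides' code) of the p' check that a key-validation step in the X9.31 spirit would apply, together with the textbook p-1 computation from the first bullet of Part III, run on constructed toy primes (1009 with p' = 7, 1019 with p' = 509, 1031 with p' = 103) so the "about p' operations" claim can be seen directly; the smoothness bound and the "strong" bit threshold are chosen for the toy sizes, not for real keys.

```python
# Added example: strong-prime validation and the reason behind it (toy sizes).
from math import gcd

def largest_prime_factor(n: int) -> int:
    """p' for n = p-1, by trial division (adequate for toy sizes only)."""
    largest, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            largest, n = d, n // d
        d += 1
    return max(largest, n) if n > 1 else largest

def is_strong_prime(p: int, min_bits: int) -> bool:
    """Validation check: p counts as 'strong' if the largest factor p' of p-1
    has at least min_bits bits. (Full validation also looks at p+1 and p'-1.)"""
    return largest_prime_factor(p - 1).bit_length() >= min_bits

def pollard_p_minus_1(n: int, bound: int):
    """Pollard's p-1 method: a = 2^M mod n with M = lcm(1..bound). If p-1 is
    bound-smooth then a = 1 (mod p) and gcd(a-1, n) reveals p; the work is about
    p' operations. Returns None when no proper factor appears, which is what
    requiring a large p' is meant to guarantee."""
    a = 2
    for l in range(2, bound + 1):
        if all(l % d for d in range(2, int(l ** 0.5) + 1)):  # l is prime
            e = 1
            while l ** (e + 1) <= bound:
                e += 1
            a = pow(a, l ** e, n)
    d = gcd(a - 1, n)
    return d if 1 < d < n else None

if __name__ == "__main__":
    weak_n = 1009 * 1019    # 1008 = 2^4 * 3^2 * 7 is 16-smooth: 1009 drops out
    strong_n = 1019 * 1031  # 1018 = 2 * 509, 1030 = 2 * 5 * 103: nothing smooth
    for p in (1009, 1019, 1031):
        print(p, largest_prime_factor(p - 1), is_strong_prime(p, 8))
    print(pollard_p_minus_1(weak_n, 16), pollard_p_minus_1(strong_n, 16))
```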
Part IV:
Some Research Motivated By Standards
Standards and Research
• Just as mature research is standardized, so standards efforts promote additional research
• Areas of research:
– efficient implementation
– cryptanalysis
– components in the “framework”
Authenticated Encryption Schemes
• Problem:
– Construct authenticated encryption schemes for DL, EC, IF families with similar properties to OAEP, but with variable message length
• Several solutions proposed for P1363a
Model
• C = Encrypt (pubKey, M, P)
• M = Decrypt (privKey, C, P)
– M message
– C ciphertext
– P encoding parameters
• M, C, P arbitrary length
Desired Properties
• One application of underlying primitive
• Plaintext-aware encryption
– no partial information about M
– cannot generate C without M
• hence, cannot modify M
• Binding of P to M
– cannot modify P
• Weaker assumptions
– i.e., not just random oracle model
OAEP for RSA
• As in P1363 (and PKCS #1 v2.0 draft):
• Encrypt (pubKey, M, P):
– EM = Encode (M, P)
– C = EP (pubKey, EM)
• Decrypt (privKey, C, P):
– EM = DP (privKey, C)
– M = Decode (EM, P)
• M, C bounded, P arbitrary length
OAEP Encoding
• Encode (M, P)
– EM = maskedSeed || maskedDB where
• maskedSeed = seed ⊕ G (maskedDB)
• maskedDB = DB ⊕ G (seed)
• DB = H (P) || pad || M
• seed random
• H hash function, G mask generation function
• Decode (C, P): an exercise
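The Encode operation above and the Decode "exercise", as an added example that is neither the slides' nor PKCS #1's own code; it assumes H = SHA-256, G = MGF1 over SHA-256 (the PKCS #1 v2.0 draft defaulted to SHA-1), pad = 00…00 01 as in PKCS #1 v2.0, and an EM length em_len chosen by the caller to fit below the modulus.

```python
# Added example: OAEP Encode / Decode with the slide's structure
# EM = maskedSeed || maskedDB, DB = H(P) || pad || M. Assumptions: SHA-256 for H,
# MGF1(SHA-256) for G, PKCS #1 v2.0-style pad 00..00 01.
import hashlib
import hmac
import os

HASH = hashlib.sha256
H_LEN = HASH().digest_size

def mgf1(seed: bytes, length: int) -> bytes:
    """Mask generation function G: HASH(seed || counter) for counter = 0, 1, ..."""
    out = b""
    for counter in range((length + H_LEN - 1) // H_LEN):
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(M: bytes, P: bytes, em_len: int, seed: bytes = None) -> bytes:
    """Encode(M, P): returns maskedSeed || maskedDB of length em_len."""
    if len(M) > em_len - 2 * H_LEN - 1:
        raise ValueError("message too long for this EM length")  # the bound on M
    pad = b"\x00" * (em_len - len(M) - 2 * H_LEN - 1) + b"\x01"
    DB = HASH(P).digest() + pad + M
    seed = seed if seed is not None else os.urandom(H_LEN)  # fresh per message
    maskedDB = xor(DB, mgf1(seed, len(DB)))
    maskedSeed = xor(seed, mgf1(maskedDB, H_LEN))
    return maskedSeed + maskedDB

def oaep_decode(EM: bytes, P: bytes):
    """Decode(EM, P): undo both masks, then check H(P) and the pad. Returns the
    message, or None on any failure without reporting which check failed."""
    if len(EM) < 2 * H_LEN + 1:
        return None
    maskedSeed, maskedDB = EM[:H_LEN], EM[H_LEN:]
    seed = xor(maskedSeed, mgf1(maskedDB, H_LEN))
    DB = xor(maskedDB, mgf1(seed, len(maskedDB)))
    lhash, rest = DB[:H_LEN], DB[H_LEN:]
    sep = rest.find(b"\x01")
    hash_ok = hmac.compare_digest(lhash, HASH(P).digest())
    if not hash_ok or sep < 0 or any(rest[:sep]):
        return None
    return rest[sep + 1:]
```

Binding of P to M is visible in the test: the same EM decoded under different encoding parameters is rejected rather than yielding M.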
Limitations
• EM must be shorter than RSA modulus, so length of M is bounded
• Assumes encryption primitive — but DL/EC only has secret value derivation primitive
• Relies on random oracle model for G
IF Encryption Ideas
1. Encrypt only part of EM (various)
– removes bound on length of M
– which part?
2. Construct G only partly from random oracle (Bellare, Rogaway 1996)
3. Add more “rounds” to OAEP (Johnson, Matyas, Peyravian 1996)
– may reduce assumptions, need for seed
DL/EC Encryption Ideas
• General: Generate shared secret value K as in key agreement scheme, combine with M, P
1. Encode M as in OAEP, exclusive-OR K with part of result (various)
2. Combine with MACs, reduced r.o. methods (Bellare, Rogaway 1996)
3. Combine with universal hash functions, mask generation (Zheng 1996)
Some Other Recent Results
• Security of “unified model” of DH key agreement (Blake-Wilson, Johnson, Menezes 1997)
• RSA key validation (Liskov, Silverman 1997)
• Storage-efficient basis conversion (Kaliski, Yin 1998)
Conclusions
• Research in cryptology and data security is leading to standards, and vice versa
• Several standards efforts for different sectors, but coordinated
• General model for public-key standards emerging
• … and some technical debate continues