Symmetric encryption schemes BUT: key exchange problem · RC6 78 ms SERPENT 95 ms IDEA 170 ms MARS...
Transcript of Symmetric encryption schemes BUT: key exchange problem · RC6 78 ms SERPENT 95 ms IDEA 170 ms MARS...
1
Public Key InfrastructuresPublic Key Infrastructures
Chapter 3Public Key Cryptography
Cryptography and ComputeralgebraVangelis KaratsiolisAlexander Wiesmaier
2
Encryption
plaintextplaintext plaintextplaintext
secret secret=
symmetric
decryptencrypt
3
Symmetric encryption schemes
Scheme Performance*
DES-ede 250 ms
RIJNDEAL (AES) 65 ms
RC6 78 ms
SERPENT 95 ms
IDEA 170 ms
MARS 80 ms
TWOFISH 100 ms
*) Encryption of 1 MByte on a Pentium 2.8 GHz, using the FlexiProvider (Java)
4
BUT: key exchange problem
n*(n-1)/2 keys ~ O(n2)
Internet: ∼ 1,574,313,184 users => 1,239,230,999,870,952,336 keys
From: http://www.internetworldstats.com/stats.htm
5
One solution
Key-Server
The key-server knows all secret keys!
6
Example
The authentication center (AC) in mobile communications knows all the keys. It stores them in a database.
From “IT-Sicherheit”, page 785, 800
7
Encryption
plaintextplaintext plaintextplaintextdecryptencrypt
public private
≠asymmetric
8
Key exchange problem solved!
Public-Key-Server
The server does not know any private information!
9
Public-Key-Server
Public Directory
Wiesmaier 13121311235912753192375134123
Karatsiolis 8422834964509823610263135768
... ...
mapping: names ↔ public keys
10
Asymmetric encryption schemes
Scheme Performance*
RSA (1024 bits) 6,6 s
RSA (2048 bits) 11.8 s
Disadvantage: Complex operations with big numbers
⇒ schemes are slow
*) Encryption of 1 MByte on a Pentium 2.8 GHz, using the FlexiProvider (Java)
11
Solution
plaintextplaintextdecryptencryptplaintextplaintext
decryptencrypt
symmetric session key
public secrethybrid
encryption
12
…using 200 digits provides a margin of safety against future developments…
RSA
published in 1978
13
RSA-200 factored in 2005
After 27 years
14
Security
Impossibility to factor the RSA module
21335625291600027351142759355194209132914767425698066864818245285802697571587504827160038792867188144217660057955934845800814958268691260056037643469790871613988653520618544234805258949423413033375605873213651488760386443075342912012970548900016706067393246389837569751517347745772076420507479301672647916792373351492517320962556245120580406546060184803670311182370599074873628794261731191112555208060025609009047888480639771734426254325175122847998160609602132860929278043535478577169570898641110787987645625919308715088016517131066837168489289581361754587749922998809128927098697538006934652117684098976045960758751
15
n = 2799783391122132787082946763872260162107044678695542853756000992932612840010760934567105295536085606 1822351910951365788637105954482006576775098580557613579098734950144178863178946295187237869221823983
was factored in May 2005:
p = 3532461934402770121272604978198464368671197400197625023649303468776121253679423200058547956528088349
q = 7925869954478333033347085841480059687737975857364219960734330341455767872818152135381409304740185467
Secret
16
Factors
Factors of 6?
Factors of 143?11, because 143 = 11*13
3, because 6 = 3*2
Factors of213356252916000273511427593551942091329147674256980668648182452858026975715875048271600387928671881442176600579559348458008149582686912600560376434697908716139886535206185442348052589494234130333756058732136514887603864430753429120129705489000167060673932463898375697515173477457720764205074793016726479167923733514925173209625562451205804065460601848036703111823705990748736287942617311911125552080600256090090478884806397717344262543251751228479981606096021328609292780435354785771695708986411107879876456259193087150880165171310668371684892895813617 54587749922998809128927098697538006934652117684098976045960758751
?
17
Fermat – Numbers (Pierre de Fermat, 1601-1665)
122 +=m
mF
F0 = 3
F1 = 5
F2 = 17
F3 = 257
F4 = 65537
F5 = 4294967297= 641*6700417
Difficult computational problem: factoring
18
Difficulty of factoring
Completely factored Fermat numbers
5 10 1732 Euler
6 20 1880 Landry, Le Lasseur
7 39 1970 Morrison, Brillhart
8 78 1980 Brent, Pollard
9 155 1990 Western, Lenstra, Manasse, u.a.
10 309 1995 Selfridge, Brillhart, Brent
11 617 1988 Cunningham, Brent, Morain
m Decimal digits
year discoverer
19
)1()log(log)(log ],[uu nnv
n evuL−
=
L vn [ , ]0
polynomial exponential
L vn[ , ]1
complexity
Number Field Sieve NFS 1990
1/3
Quadratic Sieve 1980
1/2
Computational complexity
20
number digits prize factored
RSA-100 100 Apr. 1991
RSA-110 110 Apr. 1992
RSA-120 120 Jun. 1993
RSA-129 129 $100 Apr. 1994
RSA-130 130 Apr. 10, 1996
RSA-140 140 Feb. 2, 1999
RSA-150 150 Apr. 16, 2004
RSA-155 155 Aug. 22, 1999
RSA-160 160 Apr. 1, 2003
RSA-200 200 May 9, 2005
RSA-576 174 $10,000 Dec. 3, 2003
RSA-640 193 $20,000 Nov. 4, 2005
RSA-704 212 $30,000 open
RSA-768 232 $50,000 open
RSA-896 270 $75,000 open
RSA-1024 309 $100,000 open
RSA-1536 463 $150,000 open
RSA-2048 617 $200,000 open
21
G group of points on an elliptic curve:
Existent Algorithms have exponential complexity
Small keys are possible
Discrete-Logarithm-Problem (DLP):
Solve gx = a
G Discrete Group
ax glog=
Difficult computational problem: DLP
22
ECC challengesECC Field Size Days Date
ECC2-79 79 352 1997ECC2-89 89 11278 1998
ECC2K-95 97 8637 1998ECC2-97 97 180448 1999
ECC2K-108 109 1.3x10^6 2000ECC2-109 109 2.1x10^7 2004ECCp-79 79 146 1997ECCp-89 89 4360 1998ECCp-97 97 71982 1998ECCp-109 109 9x10^7 2002
From www.certicom.com
23
factoring easy
(EC)DLP easy
all popular cryptosystems insecure
make
Quantum computers
24
Alternative: Short lattice vectors
25
Alternative: Short lattice vectors
26
100 8 min 3*103
200 2 h 2*105
300 9 h 4*106
400 27.7 h 1*108
450 2 d 4*108
Dimension Running Time LLL Length SV
Architekture: SunBlade 100 (C++)
Short vectors
27
Find difficult computational problems
Find correct security models
Find provable secure cryptosystems
Research challenges
28
Cryptographic hash functions
datadata hashfunction
hashvaluehashvalue
nh }1,0{}1,0{: * →
29
Easy
easy and fast to calculate
Scheme Performance*
SHA-1 50 msRIPEMD-160 48 msSHA-256 85 ms
*) Hashing of 1 MByte on a Pentium 2.8 GHz, using the FlexiProvider (Java)
30
One way
datadatahashvaluehashvalue
31
Collision resistant
datadata
hashfunction
hashvaluehashvalue
datadata
32
Message Authentication Code
valid /invalid
plaintextplaintext
secret
MACfunction
secret
MACfunction
plaintextplaintext
MACvalueMACvalue
33
MAC schemes
HMAC
CBC-MAC (3-DES, IDEA, other)
Two-Track-Mac
34
MAC applications
For securing the transport of a private key in software based solutionse.g. PKCS12, to protect the private key from tampering. The key is derived from a password.
In many protocols:
SSL/TLS, mobile communications, EId (EAC,PACE)
35
Message Authentication Code
symmetric scheme
⇒ fast
⇒ key exchange problem
36
Digital signature
valid /invalid
plaintextplaintext
sign verify
plaintextplaintext
SignatureSignature
private public
37
Digital signature
asymmetric scheme
⇒ slow
⇒ key exchange problem solved
38
Asymmetric signature schemes
Scheme Performance*
RSA (1024) 35 msec
DSA (1024) 32 msec
ECDSA (160) 38 msec
*) Creation of a signature on a Pentium 2,8 GHz,using the FlexiProvider (Java)
39
Standards
40
Reaching the security goals
Confidentiality
Integrity
Authenticity of Data
Entity Authentication
Non-Repudiation
→ sym. and asym. encryption
→ hash, MAC, digital signature
→ digital signature, MAC
→ digital signature, MAC
→ digital signature
41
Problem Exposition
42
Why PKI?
1) Keep the private key secret
2) How to know that the public key is correct
3) Key pair practically usable
=> PKI is needed
43
1) How do software vendors protect theirsignature key?
2) How does the PC know the correctverification key?
3) How to sign (algorithm?,…) and verify (key valid?,…)
44
Digitally signed updates:
45
How to authenticate public keys?