1

Public Key InfrastructuresPublic Key Infrastructures

Chapter 3Public Key Cryptography

Cryptography and ComputeralgebraVangelis KaratsiolisAlexander Wiesmaier

2

Encryption

plaintextplaintext plaintextplaintext

secret secret=

symmetric

decryptencrypt

3

Symmetric encryption schemes

Scheme Performance*

DES-ede 250 ms

RIJNDEAL (AES) 65 ms

RC6 78 ms

SERPENT 95 ms

IDEA 170 ms

MARS 80 ms

TWOFISH 100 ms

*) Encryption of 1 MByte on a Pentium 2.8 GHz, using the FlexiProvider (Java)

4

BUT: key exchange problem

n*(n-1)/2 keys ~ O(n2)

Internet: ∼ 1,574,313,184 users => 1,239,230,999,870,952,336 keys

From: http://www.internetworldstats.com/stats.htm

5

One solution

Key-Server

The key-server knows all secret keys!

6

Example

The authentication center (AC) in mobile communications knows all the keys. It stores them in a database.

From “IT-Sicherheit”, page 785, 800

7

Encryption

plaintextplaintext plaintextplaintextdecryptencrypt

public private

≠asymmetric

8

Key exchange problem solved!

Public-Key-Server

The server does not know any private information!

9

Public-Key-Server

Public Directory

Wiesmaier 13121311235912753192375134123

Karatsiolis 8422834964509823610263135768

... ...

mapping: names ↔ public keys

10

Asymmetric encryption schemes

Scheme Performance*

RSA (1024 bits) 6,6 s

RSA (2048 bits) 11.8 s

Disadvantage: Complex operations with big numbers

⇒ schemes are slow

*) Encryption of 1 MByte on a Pentium 2.8 GHz, using the FlexiProvider (Java)

11

Solution

plaintextplaintextdecryptencryptplaintextplaintext

decryptencrypt

symmetric session key

public secrethybrid

encryption

12

…using 200 digits provides a margin of safety against future developments…

RSA

published in 1978

13

RSA-200 factored in 2005

After 27 years

14

Security

Impossibility to factor the RSA module

21335625291600027351142759355194209132914767425698066864818245285802697571587504827160038792867188144217660057955934845800814958268691260056037643469790871613988653520618544234805258949423413033375605873213651488760386443075342912012970548900016706067393246389837569751517347745772076420507479301672647916792373351492517320962556245120580406546060184803670311182370599074873628794261731191112555208060025609009047888480639771734426254325175122847998160609602132860929278043535478577169570898641110787987645625919308715088016517131066837168489289581361754587749922998809128927098697538006934652117684098976045960758751

15

n = 2799783391122132787082946763872260162107044678695542853756000992932612840010760934567105295536085606 1822351910951365788637105954482006576775098580557613579098734950144178863178946295187237869221823983

was factored in May 2005:

p = 3532461934402770121272604978198464368671197400197625023649303468776121253679423200058547956528088349

q = 7925869954478333033347085841480059687737975857364219960734330341455767872818152135381409304740185467

Secret

16

Factors

Factors of 6?

Factors of 143?11, because 143 = 11*13

3, because 6 = 3*2

Factors of213356252916000273511427593551942091329147674256980668648182452858026975715875048271600387928671881442176600579559348458008149582686912600560376434697908716139886535206185442348052589494234130333756058732136514887603864430753429120129705489000167060673932463898375697515173477457720764205074793016726479167923733514925173209625562451205804065460601848036703111823705990748736287942617311911125552080600256090090478884806397717344262543251751228479981606096021328609292780435354785771695708986411107879876456259193087150880165171310668371684892895813617 54587749922998809128927098697538006934652117684098976045960758751

?

17

Fermat – Numbers (Pierre de Fermat, 1601-1665)

122 +=m

mF

F0 = 3

F1 = 5

F2 = 17

F3 = 257

F4 = 65537

F5 = 4294967297= 641*6700417

Difficult computational problem: factoring

18

Difficulty of factoring

Completely factored Fermat numbers

5 10 1732 Euler

6 20 1880 Landry, Le Lasseur

7 39 1970 Morrison, Brillhart

8 78 1980 Brent, Pollard

9 155 1990 Western, Lenstra, Manasse, u.a.

10 309 1995 Selfridge, Brillhart, Brent

11 617 1988 Cunningham, Brent, Morain

m Decimal digits

year discoverer

19

)1()log(log)(log ],[uu nnv

n evuL−

=

L vn [ , ]0

polynomial exponential

L vn[ , ]1

complexity

Number Field Sieve NFS 1990

1/3

Quadratic Sieve 1980

1/2

Computational complexity

20

number digits prize factored

RSA-100 100 Apr. 1991

RSA-110 110 Apr. 1992

RSA-120 120 Jun. 1993

RSA-129 129 $100 Apr. 1994

RSA-130 130 Apr. 10, 1996

RSA-140 140 Feb. 2, 1999

RSA-150 150 Apr. 16, 2004

RSA-155 155 Aug. 22, 1999

RSA-160 160 Apr. 1, 2003

RSA-200 200 May 9, 2005

RSA-576 174 $10,000 Dec. 3, 2003

RSA-640 193 $20,000 Nov. 4, 2005

RSA-704 212 $30,000 open

RSA-768 232 $50,000 open

RSA-896 270 $75,000 open

RSA-1024 309 $100,000 open

RSA-1536 463 $150,000 open

RSA-2048 617 $200,000 open

21

G group of points on an elliptic curve:

Existent Algorithms have exponential complexity

Small keys are possible

Discrete-Logarithm-Problem (DLP):

Solve gx = a

G Discrete Group

ax glog=

Difficult computational problem: DLP

22

ECC challengesECC Field Size Days Date

ECC2-79 79 352 1997ECC2-89 89 11278 1998

ECC2K-95 97 8637 1998ECC2-97 97 180448 1999

ECC2K-108 109 1.3x10^6 2000ECC2-109 109 2.1x10^7 2004ECCp-79 79 146 1997ECCp-89 89 4360 1998ECCp-97 97 71982 1998ECCp-109 109 9x10^7 2002

From www.certicom.com

23

factoring easy

(EC)DLP easy

all popular cryptosystems insecure

make

Quantum computers

24

Alternative: Short lattice vectors

25

Alternative: Short lattice vectors

26

100 8 min 3*103

200 2 h 2*105

300 9 h 4*106

400 27.7 h 1*108

450 2 d 4*108

Dimension Running Time LLL Length SV

Architekture: SunBlade 100 (C++)

Short vectors

27

Find difficult computational problems

Find correct security models

Find provable secure cryptosystems

Research challenges

28

Cryptographic hash functions

datadata hashfunction

hashvaluehashvalue

nh }1,0{}1,0{: * →

29

Easy

easy and fast to calculate

Scheme Performance*

SHA-1 50 msRIPEMD-160 48 msSHA-256 85 ms

*) Hashing of 1 MByte on a Pentium 2.8 GHz, using the FlexiProvider (Java)

30

One way

datadatahashvaluehashvalue

31

Collision resistant

datadata

hashfunction

hashvaluehashvalue

datadata

32

Message Authentication Code

valid /invalid

plaintextplaintext

secret

MACfunction

secret

MACfunction

plaintextplaintext

MACvalueMACvalue

33

MAC schemes

HMAC

CBC-MAC (3-DES, IDEA, other)

Two-Track-Mac

34

MAC applications

For securing the transport of a private key in software based solutionse.g. PKCS12, to protect the private key from tampering. The key is derived from a password.

In many protocols:

SSL/TLS, mobile communications, EId (EAC,PACE)

35

Message Authentication Code

symmetric scheme

⇒ fast

⇒ key exchange problem

36

Digital signature

valid /invalid

plaintextplaintext

sign verify

plaintextplaintext

SignatureSignature

private public

37

Digital signature

asymmetric scheme

⇒ slow

⇒ key exchange problem solved

38

Asymmetric signature schemes

Scheme Performance*

RSA (1024) 35 msec

DSA (1024) 32 msec

ECDSA (160) 38 msec

*) Creation of a signature on a Pentium 2,8 GHz,using the FlexiProvider (Java)

39

Standards

40

Reaching the security goals

Confidentiality

Integrity

Authenticity of Data

Entity Authentication

Non-Repudiation

→ sym. and asym. encryption

→ hash, MAC, digital signature

→ digital signature, MAC

→ digital signature, MAC

→ digital signature

41

Problem Exposition

42

Why PKI?

1) Keep the private key secret

2) How to know that the public key is correct

3) Key pair practically usable

=> PKI is needed

43

1) How do software vendors protect theirsignature key?

2) How does the PC know the correctverification key?

3) How to sign (algorithm?,…) and verify (key valid?,…)

44

Digitally signed updates:

45

How to authenticate public keys?