Week 4 - Friday. What did we talk about last time? Public key cryptography A little number...
CS363
Week 4 - Friday

Last time
What did we talk about last time?
Public key cryptography
A little number theory

Questions?

Project 1

Kiefer Weis Presents

More Number Theory!

Fermat’s Little Theorem
If p is prime and a is a positive integer not divisible by p, then:
$a^{p-1} \equiv 1 \pmod{p}$

Proof of Fermat's Theorem
Assume a is positive and less than p
Consider the sequence a, 2a, 3a, …, (p – 1)a
If these are taken mod p, we will get:
1, 2, 3, …, p – 1
This bit is the least obvious part of the proof
However (because p is prime) if you add any non-zero element repeatedly, you will eventually get back to the starting point, covering all values (except 0) once
Multiplying this sequence together gives:
$a \cdot 2a \cdot 3a \cdots (p-1)a \equiv 1 \cdot 2 \cdot 3 \cdots (p-1) \pmod{p}$
$a^{p-1}(p-1)! \equiv (p-1)! \pmod{p}$
$a^{p-1} \equiv 1 \pmod{p}$

Euler's in the mix too
Euler’s totient function $\phi(n)$
$\phi(n)$ = the number of positive integers less than n and relatively prime to n (including 1)
If p is prime, then $\phi(p) = p - 1$
If we have two primes p and q (which are different), then:
$\phi(pq) = \phi(p) \cdot \phi(q) = (p-1)(q-1)$

Take that, Fermat
Euler’s Theorem:
For every a and n that are relatively prime,
$a^{\phi(n)} \equiv 1 \pmod{n}$
This generalizes Fermat’s Theorem because $\phi(p) = p - 1$ if p is prime
Proof is messier

RSA
RSA Algorithm
Named for Rivest, Shamir, and Adleman
Take a plaintext M converted to an integer
Create a ciphertext C as follows:
$C = M^e \bmod n$
Decrypt C back into M as follows:
$M = C^d \bmod n = (M^e)^d \bmod n = M^{ed} \bmod n$

The pieces

| Term | Details | Source |
|---|---|---|
| M | Message to be encrypted | Sender |
| C | Encrypted message | Computed by sender |
| n | Modulus, n = pq | Known by everyone |
| p | Prime number | Known by receiver |
| q | Prime number | Known by receiver |
| e | Encryption exponent | Known by everyone |
| d | Decryption exponent | Computed by receiver |
| $\phi(n)$ | Totient of n | Known by receiver |

How it Works
To encrypt:
$C = M^e \bmod n$
e could be 3 and is often 65537, but is always publicly known
To decrypt:
$M = C^d \bmod n = M^{ed} \bmod n$
We get d by finding the multiplicative inverse of e mod $\phi(n)$
So, $ed \equiv 1 \pmod{\phi(n)}$

Why it Works
We know that $ed \equiv 1 \pmod{\phi(n)}$
This means that $ed = k\phi(n) + 1$ for some nonnegative integer k
$M^{ed} = M^{k\phi(n)+1} \equiv M \cdot (M^{\phi(n)})^k \pmod{n}$
By Euler’s Theorem $M^{\phi(n)} \equiv 1 \pmod{n}$
So, $M \cdot (M^{\phi(n)})^k \equiv M \pmod{n}$

An example
M = 26
p = 17, q = 11, n = 187, e = 3
$C = M^3 \bmod 187 = 185$
$\phi(n) = (p-1)(q-1) = 160$
$d = e^{-1} \bmod 160 = 107$
$C^d = 185^{107} \bmod 187 = 26$
If you can trust my modular arithmetic

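The slide's numbers can be checked mechanically. The following is an added example, not part of the original slides: textbook RSA (no padding) with d derived by the extended Euclidean algorithm, a choice made here since the slides do not say how the inverse is found. It goes slightly beyond the slide by checking the round trip for every M in [0, n), including values of M that share a factor with n, which the Euler's Theorem argument does not cover directly.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def keygen(p, q, e):
    """Receiver's side: from secret primes p, q and public e, derive n, phi(n) and d."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e shares a factor with phi(n), so it has no inverse")
    return n, phi, x % phi


def encrypt(m, e, n):
    """Sender's side: C = M^e mod n, using only the public values e and n."""
    if not 0 <= m < n:
        raise ValueError("M must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(c, d, n):
    """Receiver's side: M = C^d mod n."""
    return pow(c, d, n)


def roundtrip_all(n, e, d):
    """Check M^(ed) = M (mod n) for every M in [0, n), coprime to n or not."""
    return all(decrypt(encrypt(m, e, n), d, n) == m for m in range(n))


if __name__ == "__main__":
    n, phi, d = keygen(17, 11, 3)      # the slide's p, q and e
    c = encrypt(26, 3, n)              # the slide's M
    print(n, phi, d, c, decrypt(c, d, n))
    print(roundtrip_all(n, 3, d))
```

Note that keygen(7, 11, 3) raises: e = 3 divides p – 1 = 6, so no decryption exponent exists for that choice of primes.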
Why it’s safe
You can’t compute the multiplicative inverse of e mod $\phi(n)$ unless you know what $\phi(n)$ is
If you know p and q, finding $\phi(n)$ is easy
Finding $\phi(n)$ is equivalent to finding p and q by factoring n
No one knows an efficient way to factor a large composite number

Future risks
Public key cryptography would come crashing down if:
Advances in number theory could make RSA easy to break
Quantum computers could make it easy to factor large composites

Practical considerations
Choose your primes carefully
p < q < 2p
But, the primes can't be too close together either
Some standards insist that p and q are strong primes, meaning that p – 1 = 2m and p + 1 = 2n where m and n have large prime factors
There are ways to factor poorly chosen pairs of primes
Pad your data carefully
Take the example of a credit card number
If you know a credit card number is encrypted using RSA using a public n and an e of 3, how do you discover the credit card number?

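The padding point above can be made concrete. This is an added example, not from the slides: with e = 3 and no padding, a 16-digit number cubed is far smaller than n, so the reduction mod n never happens and the ciphertext is an ordinary integer cube. Assumptions: the modulus is a constructed stand-in built from two published primes, the card number is a constructed test value, and toy_pad is a hypothetical padding used only to show the effect of filling the message out to the size of n (real systems use a vetted scheme such as RSA-OAEP).

```python
import secrets

# Constructed stand-in key so the block runs offline: P and Q are the published
# field primes of Ed448 and NIST P-384. A real key uses secret random primes.
P = 2**448 - 2**224 - 1
Q = 2**384 - 2**128 - 2**96 + 2**32 - 1
N, E = P * Q, 3
D = pow(E, -1, (P - 1) * (Q - 1))      # receiver's private exponent
CARD = 4111111111111111                # constructed test number, not a real card


def iroot(k, x):
    """Largest integer r with r**k <= x (exact binary search on big ints)."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid**k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def exposed_plaintext(c, e):
    """Return M if C is an exact e-th power over the integers, else None.

    That is the case whenever M**e < n: no reduction mod n took place, so the
    private key is not needed to undo the encryption."""
    r = iroot(e, c)
    return r if r**e == c else None


def toy_pad(m, n):
    """Hypothetical padding (not OAEP): 0x02 || random nonzero bytes || 0x00 || M."""
    k = (n.bit_length() + 7) // 8 - 1  # one byte shorter than n, so the value is < n
    body = m.to_bytes((m.bit_length() + 7) // 8, "big")
    fill = bytes(secrets.randbelow(255) + 1 for _ in range(k - len(body) - 2))
    return int.from_bytes(b"\x02" + fill + b"\x00" + body, "big")


def toy_unpad(x):
    """Strip the toy padding: everything after the first 0x00 separator is M."""
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return int.from_bytes(raw[raw.index(b"\x00", 1) + 1:], "big")


def encrypt_raw(m):
    return pow(m, E, N)                # textbook RSA, as on the slide


def encrypt_padded(m):
    return pow(toy_pad(m, N), E, N)    # padded value is close to N, so its cube wraps


def decrypt_padded(c):
    return toy_unpad(pow(c, D, N))
```

The random fill also makes two encryptions of the same number differ, so a ciphertext can no longer be matched against encryptions of guessed values.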
Key Management
Key management
Once you have great cryptographic primitives, managing keys is still a problem
How do you distribute new keys?
When you have a new user
When old keys have been cracked or need to be replaced
How do you store keys?
As with the One Time Pad, if you could easily send secret keys confidentially, why not send messages the same way?

Notation for sending
We will refer to several schemes for sending data
Let X and Y be parties and Z be a message
{ Z } k means message Z encrypted with key k
Thus, our standard notation will be:
X → Y: { Z } k
Which means, X sends message Z, encrypted with key k, to Y
X and Y will be participants like Alice and Bob and k will be a clearly labeled key
A || B means concatenate message A with B

Kinds of keys
Typical to key exchanges is the idea of interchange keys and session keys
An interchange key is a key associated with a particular user over a (long) period of time
A session key is a key used for a particular set of communication events
Why have both kinds of keys?
Possible attacks using single keys
If only a single key (instead of interchange and session keys) were used, participants are more vulnerable to:
Known plaintext attacks (and potentially chosen plaintext attacks)
Attacks requiring many copies of encrypted material for comparison
Replay attacks in which old encrypted data is sent again from a malicious party
Forward search attacks in which a user computes many likely messages using a public key and thereby learns the contents of such a message when it is sent

Key exchange criteria
To be secure, a key exchange whose goal is to allow secret communication from Alice to Bob must meet these criteria:
1. Alice and Bob cannot transmit their key unencrypted
2. Alice and Bob may decide to trust a third party (Cathy or Trent)
3. Cryptosystems and protocols must be public, only the keys are secret

Classical exchange: Attempt 0
If Bob and Alice have no prior arrangements, classical cryptosystems require a trusted third party Trent
Trent and Alice share a secret key k_Alice and Trent and Bob share a secret key k_Bob
Here is the protocol:
1. Alice → Trent: { request session key to Bob } k_Alice
2. Trent → Alice: { k_session } k_Alice || { k_session } k_Bob
3. Alice → Bob: { k_session } k_Bob

What's the problem?
Unfortunately, this protocol is vulnerable to a replay attack
(Evil user) Eve records { k_session } k_Bob sent in step 3 and also some message enciphered with k_session (such as "Deposit $500 in Dan's bank account")
Eve can send the session key to Bob and then send the replayed message
Maybe Eve is in cahoots with Dan to get him paid twice
Eve may or may not know the contents of the message she is sending
The real problem is no authentication

Needham-Schroeder: Attempt 1
We modify the protocol to add random numbers (called nonces) and user names for authentication
1. Alice → Trent: { Alice || Bob || rand1 } k_Alice
2. Trent → Alice: { Alice || Bob || rand1 || k_session || { Alice || k_session } k_Bob } k_Alice
3. Alice → Bob: { Alice || k_session } k_Bob
4. Bob → Alice: { rand2 } k_session
5. Alice → Bob: { rand2 – 1 } k_session

Problems with Needham-Schroeder
Needham-Schroeder assumes that all keys are secure
Session keys may be less secure since they are generated with some kind of (possibly predictable) pseudorandom generator
If Eve can recover a session key (maybe after a great deal of computational work), she can trick Bob into thinking she's Alice as follows:
1. Eve → Bob: { Alice || k_session } k_Bob
2. Bob → Alice: { rand3 } k_session [intercepted by Eve]
3. Eve → Bob: { rand3 – 1 } k_session

Denning and Sacco: Attempt 2
Denning and Sacco use timestamps (T) to let Bob detect the replay
1. Alice → Trent: { Alice || Bob || rand1 } k_Alice
2. Trent → Alice: { Alice || Bob || rand1 || k_session || { Alice || T || k_session } k_Bob } k_Alice
3. Alice → Bob: { Alice || T || k_session } k_Bob
4. Bob → Alice: { rand2 } k_session
5. Alice → Bob: { rand2 – 1 } k_session
Unfortunately, this system requires synchronized clocks and a useful definition of when timestamp T is "too old"

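Bob's acceptance logic in steps 3 to 5 is where Attempts 1 and 2 differ. The following added example is not from the slides: it models { Z } k symbolically (keys are labels, no real cipher is run) and shows that Bob without a timestamp check cannot tell a replayed step-3 ticket from a fresh one once the session key is known to the presenter, while the timestamp check rejects it. The class and function names, the 60-second window and the clock values are assumptions chosen for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Sealed:
    """Symbolic { Z } k: the body can be read only by presenting the same key."""
    key: str
    body: tuple

    def open(self, key):
        if key != self.key:
            raise PermissionError("wrong key")
        return self.body


def trent_ticket(k_bob, k_session, issued_at=None):
    """Trent's inner message for Bob, with timestamp T when issued_at is given."""
    if issued_at is None:
        return Sealed(k_bob, ("Alice", k_session))             # Needham-Schroeder
    return Sealed(k_bob, ("Alice", issued_at, k_session))      # Denning-Sacco


class Bob:
    def __init__(self, k_bob, max_age=None):
        self.k_bob, self.max_age = k_bob, max_age   # max_age=None: no timestamp check

    def step3(self, ticket, now):
        """Accept the ticket and return the step-4 challenge, or None if T is too old."""
        fields = ticket.open(self.k_bob)
        if self.max_age is not None:
            peer, issued_at, ks = fields
            if abs(now - issued_at) > self.max_age:
                return None
        else:
            peer, ks = fields
        self.peer, self.ks, self.rand = peer, ks, secrets.randbits(64)
        return Sealed(ks, (self.rand,))

    def step5(self, response):
        """Return the name Bob now believes he shares k_session with, or None."""
        (value,) = response.open(self.ks)
        return self.peer if value == self.rand - 1 else None


def present_ticket(bob, ticket, k_session, now):
    """Steps 3 to 5 as run by whoever holds the ticket and k_session.

    Bob sees the same messages whether this is Alice with a fresh ticket or
    someone replaying a recorded ticket with a recovered session key."""
    challenge = bob.step3(ticket, now)
    if challenge is None:
        return None
    (rand,) = challenge.open(k_session)
    return bob.step5(Sealed(k_session, (rand - 1,)))
```

With a 60-second window, a ticket issued at T = 1000 is still accepted at 1030 and a fresh one is refused if Bob's clock runs 120 seconds fast, which is the clock and "too old" caveat on the slide.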
Otway-Rees: Attempt 3
The Otway-Rees protocol fixes these problems by using a unique integer num to label each session
1. Alice → Bob: num || Alice || Bob || { rand1 || num || Alice || Bob } k_Alice
2. Bob → Trent: num || Alice || Bob || { rand1 || num || Alice || Bob } k_Alice || { rand2 || num || Alice || Bob } k_Bob
3. Trent → Bob: num || { rand1 || k_session } k_Alice || { rand2 || k_session } k_Bob
4. Bob → Alice: num || { rand1 || k_session } k_Alice

Kerberos
Strange as it seems, these key exchange protocols are actually used
Kerberos was created at MIT as a modified Needham-Schroeder protocol (with timestamps)
Originally used to control access to network services for MIT students and staff
Current versions of Windows use a modified version of Kerberos for authentication
Many Linux and Unix implementations have an implementation of Kerberos
Kerberos uses a central server that issues tickets to users which give them the authority to access a service on some other server

Public Key Exchange
Public key exchange
Suddenly, the sun comes out!
Public key exchanges should be really easy
The basic outline is:
1. Alice → Bob: { k_session } e_Bob
e_Bob is Bob's public key
Only Bob can read it, everything's perfect!
Except…
There is still no authentication

Easily fixable
Alice only needs to encrypt the session key with her private key
That way, Bob will be able to decrypt it with her public key when it arrives
New protocol:
1. Alice → Bob: {{ k_session } d_Alice } e_Bob
Any problems now?

(Wo)man in the middle
A vulnerability arises if Alice needs to fetch Bob's public key from a public server Peter
Then, Eve can cause problems
Attack:
1. Alice → Peter: Send me Bob's key [intercepted by Eve]
2. Eve → Peter: Send me Bob's key
3. Peter → Eve: e_Bob
4. Eve → Alice: e_Eve
5. Alice → Bob: { k_session } e_Eve [intercepted by Eve]
6. Eve → Bob: { k_session } e_Bob

Key Infrastructure and Storage
Key problems
The previous man in the middle attack shows a significant problem
How do we know whose public key is whose?
We could sign a public key with a private key, but then…
We would still be dependent on knowing the public key matching the private key used for signing
It's a massive chicken and egg or bootstrapping problem

Certificate signature chains
A typical approach is to create a long chain of individuals you trust
Then, you can get the public key from someone you trust who trusts someone else who… etc.
This can be arranged in a tree layout, with a central root certificate everyone knows and trusts
This system is used by X.509
Alternatively, it can be arranged haphazardly, with an arbitrary web of trust
This system is used by PGP, which incorporates different levels of trust

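A tree-style chain check, as an added example that is not from the slides: Alice already holds the root's public key, so a key handed to her in place of Bob's (the substitution in the man in the middle slide) is accepted only if a chain of signatures ties the name "Bob" to it. The certificate fields, the `ca` flag and the tiny keys built from Mersenne primes are assumptions made for illustration; this is textbook RSA signing over a SHA-256 digest, not X.509 encoding.

```python
import hashlib

E = 65537


def toy_key(a, b):
    """Toy RSA key from the Mersenne primes 2**a - 1 and 2**b - 1 (constructed, not secure)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def digest(subject, subject_n, is_ca, modulus):
    """Hash of the signed binding: name, public modulus and may-sign-others flag."""
    h = hashlib.sha256(f"{subject}|{subject_n}|{is_ca}".encode()).digest()
    return int.from_bytes(h, "big") % modulus


def issue(issuer, issuer_key, subject, subject_n, is_ca=False):
    """The issuer signs the statement 'subject owns public key subject_n'."""
    m = issuer_key["n"]
    sig = pow(digest(subject, subject_n, is_ca, m), issuer_key["d"], m)
    return {"subject": subject, "n": subject_n, "ca": is_ca, "issuer": issuer, "sig": sig}


def verify_chain(chain, root_name, root_n, expected_subject):
    """Return the leaf's public key if chain[0] names expected_subject and every
    certificate is signed by the next one, the last by the root key held in advance."""
    if not chain or chain[0]["subject"] != expected_subject:
        return None
    for cert, parent in zip(chain, chain[1:] + [None]):
        if parent is not None and not parent["ca"]:
            return None                # a leaf certificate may not vouch for others
        signer, signer_n = (parent["subject"], parent["n"]) if parent else (root_name, root_n)
        if cert["issuer"] != signer:
            return None
        expected = digest(cert["subject"], cert["n"], cert["ca"], signer_n)
        if pow(cert["sig"], E, signer_n) != expected:
            return None
    return chain[0]["n"]


# Constructed parties: a root, one intermediate CA, Bob, and Eve.
ROOT, CA = toy_key(521, 607), toy_key(127, 1279)
BOB, EVE = toy_key(89, 107), toy_key(31, 61)
CA_CERT = issue("Root", ROOT, "CA", CA["n"], is_ca=True)
BOB_CERT = issue("CA", CA, "Bob", BOB["n"])
EVE_CERT = issue("CA", CA, "Eve", EVE["n"])    # Eve holds a valid certificate for herself
```

The check still rests on the bootstrapping problem from the previous slide: it is only as good as the way Alice obtained the root key.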
Upcoming
Next time…
Finish key management
Hash functions
David Gallop presents

Reminders
Read section 12.4
Finish Project 1
Due tonight by midnight!