d886f0aa1ee584dc5076f9232c8819ab.ppt
- Количество слайдов: 45
Chapter 10 Key Management; Other Public Key Cryptosystems
Key Management • public-key encryption helps address key distribution problems • have two aspects of this: – distribution of public keys – use of public-key encryption to distribute secret keys
Distribution of Public Keys • can be considered as using one of: – Public announcement of public keys – Publicly available directory – Public-key authority – Public-key certificates
Public Announcement • users distribute public keys to recipients or broadcast to community at large – eg. append PGP keys to email messages or post to news groups or email list • major weakness is forgery – anyone can create a key claiming to be someone else and broadcast it – until forgery is discovered can masquerade as claimed user
Publicly Available Directory • can obtain greater security by registering keys with a public directory • directory must be trusted with properties: – contains {name, public-key} entries – participants register securely with directory – participants can replace key at any time – directory is periodically published – directory can be accessed electronically • still vulnerable to tampering or forgery
Public-Key Authority • improve security by tightening control over distribution of keys from directory • has properties of directory • and requires users to know public key for the directory • then users interact with directory to obtain any desired public key securely – does require real-time access to directory when keys are needed
Public-Key Authority
Public-Key Certificates • certificates allow key exchange without real-time access to public-key authority • a certificate binds identity to public key – usually with other info such as period of validity, rights of use etc • with all contents signed by a trusted Public-Key or Certificate Authority (CA) • can be verified by anyone who knows the public-key authorities public-key
Public-Key Certificates
Public-Key Distribution of Secret Keys • • use previous methods to obtain public-key can use for secrecy or authentication but public-key algorithms are slow so usually want to use private-key encryption to protect message contents • hence need a session key • have several alternatives for negotiating a suitable session
Simple Secret Key Distribution • proposed by Merkle in 1979 – A generates a new temporary public key pair – A sends B the public key and their identity – B generates a session key K sends it to A encrypted using the supplied public key – A decrypts the session key and both use • problem is that an opponent can intercept and impersonate both halves of protocol
Simple Secret Key Distribution
Public-Key Distribution of Secret Keys • if have securely exchanged public-keys:
Diffie-Hellman Key Exchange • first public-key type scheme proposed • by Diffie & Hellman in 1976 along with the exposition of public key concepts – note: now know that James Ellis (UK CESG) secretly proposed the concept in 1970 • is a practical method for public exchange of a secret key • used in a number of commercial products
Diffie-Hellman Key Exchange • a public-key distribution scheme – cannot be used to exchange an arbitrary message – rather it can establish a common key – known only to the two participants • value of key depends on the participants (and their private and public key information) • based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy • security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard
Diffie-Hellman Example • users Alice & Bob who wish to swap keys: • agree on prime q=353 and α=3 • select random secret keys: – A chooses x. A=97, B chooses x. B=233 • compute public keys: 97 – y. A=3 mod 353 = 40 (Alice) 233 – y. B=3 mod 353 = 248 (Bob) • compute shared session key as: x 97 KAB= y. B A mod 353 = 248 = 160 x 233 KAB= y. A B mod 353 = 40 = 160 (Alice) (Bob)
El. Gamal Public Key Cryptosystem • security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard • User Alice wants to send a message m to Bob • Bob: q - prime number - a primitive root of q X - private key = X mod q – public key • Alice: – – Downloads ( , q, ) Chooses a secret random integer k Encryption: r k mod q; t km mod q Send (r, t)=( k, km) to Alice • Bob: – Decryption: t/r. X = m
Elliptic Curve Cryptography • majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very large numbers/polynomials • imposes a significant load in storing and processing keys and messages • an alternative is to use elliptic curves • offers same security with smaller bit sizes • Certain conventional systems with a 4096 -bit key size can be replaced by 313 -bit elliptic curve system.
Elliptic Curves Over Real Number • an elliptic curve is defined by an equation in two variables x & y, with coefficients • consider a cubic elliptic curve E(a, b) of – – y 2 = x 3 + ax + b 4 a 3 + 27 b 2 0 to form a group where x, y, a, b are all real numbers O: the point at infinity (or be called as zero point) • have addition operation for elliptic curve – geometrically sum of P+Q is reflection of the line L through P and Q intersecting E – If P=Q then L is the tangent line of P
Elliptic Curves Over Real Number • O: point at infinity (or be called as zero point) • O: additive identity – O = -O – P+O=P • • • P=(x, y), -P=(x, -y); P+(-P)=O P=(x, 0), 2 P=O, 3 P=P, 4 P=O, … P+Q+R=O P, Q, R are collinear Associative: (P+Q)+R=P+(Q+R) Commutative: P+Q=Q+P
Elliptic Curves Over Real Number E(a, b)= y 2 = x 3 + ax + b P 1=(x 1, y 1), P 2=(x 2, y 2), P 1+P 2=P 3=(x 3, y 3) x 3=m 2 -x 1 -x 2 y 3=m(x 1 -x 3)-y 1 if P 1 P 2 then m=(y 2 -y 1)/(x 2 -x 1) if P 1=P 2 then m=(3 x 12 + a)/2 y 1 If m= then P 3=O
Finite Elliptic Curves • Elliptic curve cryptography uses curves whose variables & coefficients are finite • have two families commonly used: – prime curves Ep(a, b) defined over Zp • use integers modulo a prime • best in software – binary curves E 2 m(a, b) defined over GF(2 n) • use polynomials with binary coefficients • best in hardware
Elliptic Curves over Zp prime curves Ep(a, b) defined over Zp – y 2 mod p = (x 3 + ax + b) mod p – a, b: nonnegative integer and less than p – (4 a 3 + 27 b 2) mod p 0 to form a group – P(x, y): x and y are nonnegative integers and less than p – (x, y) Ep(a, b) (x, -y) Ep(a, b)
Elliptic Curves over Zp prime curves Ep(a, b): y 2 = (x 3 + ax + b) – For each x (0 x<p), calculate (x 3 + ax + b) mod p – if (x 3 + ax + b) is a square mod p then there are two square roots: y and –y. i. e. (x, y) Ep&(x, y) Ep Ex: E 23(1, 1): y 2 = (x 3 + x + 1) mod 23 The number of points N Ep is bounded by For large p, N is approximately equal to p+1 points.
Elliptic Curves Over Zp Ep(a, b): y 2 = x 3 + ax + b (mod p), p 5 is prime P 1=(x 1, y 1), P 2=(x 2, y 2), P 1+P 2=P 3=(x 3, y 3) x 3=(m 2 -x 1 -x 2 ) mod p y 3=(m(x 1 -x 3)-y 1) mod p if P 1 P 2 then m=((y 2 -y 1)/(x 2 -x 1)) mod p if P 1=P 2 then m=((3 x 12 + a)/2 y 1) mod p If m= then P 3=O
Elliptic Curves Over Zp E 23(1, 1): y 2 = x 3 + x + 1 (mod 23) P 1=(3, 10), P 2=(9, 7), P 1+P 2=(m 2 -x 1 -x 2 , m(x 1 -x 3)-y 1)=(17, 20) m=(y 2 -y 1)/(x 2 -x 1)=7 -10/9 -3=-1/2=11 P 1=(3, 10), P 2=(3, 10), P 1+P 2=(m 2 -x 1 -x 2 , m(x 1 -x 3)-y 1)=(7, 12) m=(3 x 12 + a)/2 y 1=(3*32 + 1)/2*10=1/4=6
Elliptic Curve Cryptography • ECC addition is analog of modulo multiply • ECC multiplication is analog of modulo exponentiation
Elliptic Curve Cryptography • ECC – given k, P, find Q=k. P EASY – given Q, P, find k HARD – known as the elliptic curve logarithm problem • RSA – Given two primes p, q, find N=p*q EASY – Given N, find p, q HARD – known as factoring problem • Diffle-Hellman – Given p, k, find q=pk EASY – Given q, p find k HARD – known as discrete logarithm problem
ECC Diffie-Hellman • can do key exchange analogous to D-H • users select a suitable curve Ep(a, b) • select a base point (Generator) G=(x 1, y 1) with large order n s. t. n. G=O • A & B select private keys n. A<n, n. B<n • compute public keys: PA=n. A×G, PB=n. B×G • compute shared key: K=n. A×PB, K=n. B×PA – same since K=n. A×n. B×G
ECC Diffie-Hellman E 211(0, -4): y 2 = x 3 - 4 (mod 211) G=(2, 2) 240 G=O n. A=121, n. B=203 compute public keys: PA=n. A×G=(115, 48) PB=n. B×G=(130, 203) compute shared key: K=n. A×PB =(161, 69) K=n. B×PA =(161, 69)
ECC Encryption/Decryption • several alternatives, will consider simplest • must first encode any message M as a point on the elliptic curve Pm • select suitable curve & point G as in D-H • each user chooses private key n. A<n • and computes public key PA=n. A*G • to encrypt Pm : Cm={k. G, Pm+k*Pb}, k random • to decrypt Cm : Pm+k. Pb–n. B(k. G) = Pm+k(n. BG)–n. B(k. G) = Pm
El. Gamal using ECC Encryption/Decryption E 11(1, 6): y 2 = x 3 + x + 6 (mod 11) G=(2, 7) M=(10, 9) n. A=7, PA=n. A*G=(7, 2) to encrypt M : k=3 Cm={k. G, M+k*PA}={(8, 3), (10, 2)} To decrypt Cm : M+k. PA–n. A(k. G)=(10, 2)–(3, 5)=(10, 2)+(3, 6)=(10, 9)
Menezes-Vanstone ECC Encryption/Decryption • • • M =(m 1, m 2) select suitable curve & point G as in D-H each user chooses private key n. A<n and computes public key PA=n. A*G to encrypt M : Cm={k. G, c 1, c 2}, k random k. PA=(x, y)=k*n. A*G c 1 =x*m 1 mod p c 2 =y*m 2 mod p • to decrypt Cm : k. G*n. A =(x, y) (x-1, y-1) (c 1*x-1, c 2*y-1)= (m 1, m 2) = M
Menezes-Vanstone ECC Encryption/Decryption E 11(1, 6): y 2 = x 3 + x + 6 (mod 11); G=(2, 7); M=(9, 1) n. A=7, PA=n. A*G=(7, 2) to encrypt M : k=6 Cm={k. G, c 1, c 2}= {(7, 9), 6, 3} k. G=6(2, 7)=(7, 9) k. PA=6(7, 2)=(8, 3) c 1 =x*m 1 mod p = 8*9 mod 11=6 c 2 =y*m 2 mod p = 3*1 mod 11=3 to decrypt Cm : k. G*n. A =7(7, 9)=(8, 3) (x-1, y-1)=(7, 4) (c 1*x-1, c 2*y-1)=(6*7, 4*3)=(9, 1)
ECC Security • relies on elliptic curve logarithm problem • fastest method is “Pollard rho method” • compared to factoring, can use much smaller key sizes than with RSA etc • for equivalent key lengths computations are roughly equivalent • hence for similar security ECC offers significant computational advantages
d886f0aa1ee584dc5076f9232c8819ab.ppt