00dc35901dbe176f802f235765aeee3a.ppt
- Number of slides: 34
Public-Key Cryptography
Dr. Ron Rymon, Efi Arazi School of Computer Science, IDC, Herzliya. 2010/11
Pre-requisites: Conventional Cryptography
Overview
¨ Public Key Cryptography
– Crossword puzzles
– Diffie-Hellman
– RSA
– Elliptic Curves
¨ Digital Signatures
¨ Key Management for Public-Key Cryptography
Public-Key Cryptography
Main sources: Network Security Essentials / Stallings; Applied Cryptography / Schneier
Motivation
¨ Until the early 70s, cryptography was mostly owned by government and military
– Key distribution is more manageable and better funded
¨ Symmetric cryptography is not ideal for commercialization
– Enormous key distribution problem; most parties may never meet physically
– Must ensure authentication, to avoid impersonation and fabrication
¨ A few researchers (Diffie, Hellman, Merkle), in addition to the IBM group, started exploring cryptography because they realized it is critical to the forthcoming digital world
– Privacy
– Effective commercial relations
– Payment
– Voting
Public-Key Cryptography
¨ Idea: use separate keys to encrypt and decrypt
– First proposed by Diffie and Hellman
– Independently proposed by Merkle (1976)
¨ Pair of keys for each user, generated by the user himself
– Public key is advertised
– Private key is kept secret, and is computationally infeasible to discover from the public key and ciphertexts
– Each key can decrypt messages encrypted using the other key
¨ Applications:
– Encryption
– Authentication (Digital Signature)
– Key Exchange (to establish a Session Key)
Crossword Puzzles
¨ Ralph Merkle's Key Exchange Algorithm
– Alice generates MANY crossword puzzles and sends them to Bob
– Bob chooses ONE and solves it
– The solution includes an identifier, and the key
– Bob communicates the identifier to Alice
– Alice and Bob communicate using the key
– Important observation: Eve would have to solve ALL puzzles to identify the right one and the key.
¨ First attempt, cumbersome, and not working, but very revolutionary at the time
¨ Later, Merkle suggested using NP-Hard problems
– Hard to solve, but easy to check (e.g., knapsack).
– Also proven inadequate later...
Diffie-Hellman Key Exchange
¨ First public-key algorithm, based on the difficulty of computing discrete logarithms modulo n
¨ Protocol:
– Use the key exchange protocol to establish a session key
– Use the session key to encrypt the actual communication
¨ Algorithm:
– Choose a large prime n, and a primitive root g
– Alice selects x and sends X = g^x mod n to Bob
– Bob selects y and sends Y = g^y mod n to Alice
– Alice computes K = Y^x mod n; Bob computes K = X^y mod n
– Both obtain the same key K = g^(xy) mod n
Diffie-Hellman Protocol
¨ DH does not offer authentication
¨ Trudy can use a man-in-the-middle attack
– Impersonating Alice to Bob and vice versa
– Using his own key (or different keys) with each
¨ Solution: establish a public directory
– Each person publishes (g, n, g^x); this is the public key
– Note: g, n may be different from one user to another
¨ Make sure not to select x = 0/1 mod n
Two-key Public-Key Encryption
¨ Sender uses the public key of the receiver to encrypt
¨ Receiver uses her private key to decrypt
Two-Key Public-Key Authentication
¨ The sender encrypts some message (e.g., a certificate) with his own private key
¨ The receiver, by decrypting, verifies key possession
Public-Key Algorithms: The Requirements
¨ It is computationally feasible to generate a pair of keys
¨ It is computationally easy to encrypt using the public key
¨ It is computationally easy to decrypt using the private key
¨ It is computationally infeasible to compute the private key from the public key
¨ It is computationally infeasible to recover the plaintext from the public key and ciphertext
¨ Either of the keys can decrypt a message encrypted using the other key
RSA
¨ Developed by Rivest, Shamir, and Adleman (1977)
– Most widely used public key algorithm
– Derives its security from the difficulty of factoring large numbers
– Actually discovered first by UK GCHQ (Ellis and Cocks) in 1973!
¨ Algorithm:
– Works as a block cipher, where each plaintext/ciphertext block is an integer between 0 and n (for some n = 2^k)
– Each receiver chooses e, d
– The values of e and n are made public; d is kept secret
– Encryption: C = M^e mod n
– Decryption: M = C^d mod n = M^(ed) mod n
¨ Requisites:
– Find e, d such that M = M^(ed) mod n, for all M < n
– Make sure that d cannot be computed from n and e, not even if a ciphertext is available
RSA Keys and Key Generation
¨ Select primes p and q, n = pq
– φ(n) = (p-1)(q-1); Euler totient of n: the number of integers between 1 and n that are relatively prime to n, i.e., {m | gcd(m, n) = 1}
¨ Select an integer e < φ(n) such that gcd(φ(n), e) = 1
– Guarantees that e^-1 exists
¨ Calculate d such that d = e^-1 mod φ(n)
– Use the Euler extended GCD algorithm
¨ Now, for every M < n, we have
– M^(ed) = M^(1 mod φ(n)) = M
¨ Note:
– The message could have been encrypted with d and decrypted by e
Recall: Math Backgrounder
¨ Fermat's Little Theorem
– For a prime p, ∀a such that 0 < a < p, a^(p-1) = 1 mod p
¨ Euler's extension
– For any n, ∀a such that 0 < a < n, a^φ(n) mod n = 1 mod n
– For primes p, q, ∀a such that gcd(a, pq) = 1, a^((p-1)(q-1)) = 1 mod pq
– Hence, M^(ed) mod n = M^(k(p-1)(q-1)+1) mod n = 1 · M = M
¨ To generate primes, use a primality test
– For a non-prime, Fermat's theorem will usually fail on a random a
• Carmichael numbers are a rare exception, and if one is chosen, decryption won't work. Can reduce the probability by checking more a's
– Primes are dense enough (almost one of every k k-bit numbers)
¨ GCD to select e takes O(log n) time
¨ Calculating d = e^-1 mod φ(n) (Euler extended GCD) takes O(log n) time
¨ Exponentiation (Encrypt/Decrypt) takes O(log n) time
¨ RSA gets its security from the difficulty of factoring n = pq
RSA Example
¨ Key Generation
– Select p = 7, q = 17, n = pq = 119, φ(119) = 96
– Select e = 5; calculate d = 77 (77 · 5 = 385 = 1 mod 96)
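The key generation and block round trip from the two preceding slides, as an added example that is not part of the original deck. It uses the slide's toy values p = 7, q = 17, e = 5 (real keys use primes of hundreds of digits) and includes the Fermat primality check described in the math backgrounder.

```python
# Added example (not from the slides): RSA key generation with the extended
# GCD, the Fermat primality check from the lecture, and the encrypt/decrypt
# round trip. p=7, q=17, e=5 are the slide's toy values.
import random
from math import gcd


def ext_gcd(a, b):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g."""
    if b == 0:
        return a, 1, 0
    g, x, y = ext_gcd(b, a % b)
    return g, y, x - (a // b) * y


def mod_inverse(e, phi):
    """d = e^-1 mod phi, which exists only when gcd(e, phi) = 1."""
    g, x, _ = ext_gcd(e, phi)
    if g != 1:
        raise ValueError("e and phi(n) are not coprime; pick another e")
    return x % phi


def fermat_probable_prime(p, rounds=20):
    """Fermat test: a^(p-1) = 1 mod p for random a. A composite usually fails
    on a random base; Carmichael numbers are the rare exception."""
    if p < 4:
        return p in (2, 3)
    return all(pow(random.randrange(2, p - 1), p - 1, p) == 1
               for _ in range(rounds))


def rsa_keygen(p, q, e):
    """Returns ((e, n), (d, n)); n is public, phi(n) and d stay secret."""
    if not (fermat_probable_prime(p) and fermat_probable_prime(q)):
        raise ValueError("p and q must be prime")
    n, phi = p * q, (p - 1) * (q - 1)
    d = mod_inverse(e, phi)
    return (e, n), (d, n)


def rsa_apply(key, block):
    """Encrypt with (e, n) or decrypt with (d, n): block^k mod n.
    Either key undoes the other, since ed = 1 mod phi(n)."""
    k, n = key
    if not 0 <= block < n:
        raise ValueError("block must be an integer in [0, n)")
    return pow(block, k, n)
```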
Attacks on RSA Algorithm
¨ If one could factor n, which is available, into p and q, then d could be calculated (as the inverse of e), and then the message deciphered
¨ If one could guess the value of φ(n) = (p-1)(q-1), even without factoring n, then again d could be computed as the inverse of e
Attacks on RSA Protocol
¨ Chosen ciphertext attack
– Attack: get the sender to sign (decrypt) a chosen message
– Inputs: original (unknown) ciphertext C = M^e
– Construct
• X = R^e mod n, for a random R
• Y = XC mod n
– Ask the sender to sign Y, obtaining U = Y^d mod n
– Compute
• T = R^-1 mod n
• TU mod n = R^-1 Y^d mod n = R^-1 X^d C^d mod n = M
– Exploits preservation of multiplication in the group
¨ Conclusion:
– never sign a random message
– sign only hashes
– use different keys for encryption and signature
Other Precautions When Implementing the RSA Protocol
¨ Do not use the same n for multiple users
– A third party can sometimes decipher if the same message is encrypted using both encryption (public) keys, without needing the decryption (private) key
¨ Always pad messages with random numbers, making sure that M is about the same size as n
– If e is small, there is an attack that uses e(e+1)/2 linearly dependent messages, and if messages are small it's easier to find linearly dependent ones
¨ Do not choose low values for e and d
– For e, see above; there is also an attack on small d's
Elliptic Curve Cryptography
¨ ECC addresses the cost of exponentiation in DH and RSA
¨ Uses Abelian groups with addition defined on cubic equations
– E.g., y^2 = x^3 + ax + b (for some a, b)
– For R = P + Q, find the third point of intersection on the line that connects P and Q (use the tangent line if P = Q). This is -R, and R is its mirror.
– O is the point at infinity and is defined as O = P + (-P). As a result it is also the identity, since P + O = P
¨ Can also be defined over GF(p)
¨ Consider Q = kP mod p
– Easy to compute Q from k, P
– Difficult to determine k from P, Q (except through brute force)
Elliptic Curve Key Exchange
¨ Key Generation
– Select/agree on a cubic curve (p, a, b) --- public
– Select a base point G with a high order n --- public
• i.e., the smallest n such that nG = O
– Private key of Alice is an integer KA < n
– Public key of Alice is KA·G
¨ Key Exchange
– Alice and Bob send their public keys to each other
– Each of them multiplies the result by their own private key
– Agreed Key = KA·KB·G
– Like DH but uses addition instead of exponentiation
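The group law and the key exchange from the two ECC slides, as an added example that is not part of the original deck. The curve y^2 = x^3 + 2x + 2 over GF(17) with base point G = (5, 1) is a constructed toy instance; the group has 19 points, so G has order 19 and 19·G = O.

```python
# Added example (not from the slides): point addition/doubling over GF(p),
# double-and-add scalar multiplication, and the EC Diffie-Hellman exchange.
P, A, B = 17, 2, 2        # toy curve y^2 = x^3 + 2x + 2 over GF(17) (constructed)
G = (5, 1)                # base point; its order N is 19 (the whole group)
N = 19
INF = None                # O, the point at infinity (group identity)


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def ec_add(p1, p2):
    """R = P + Q: third intersection of the chord (tangent if P = Q), mirrored."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                          # P + (-P) = O
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P      # tangent slope
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P) % P             # chord slope
    x3 = (s * s - x1 - x2) % P
    y3 = (s * (x1 - x3) - y1) % P                           # mirror of -R
    return (x3, y3)


def ec_mul(k, pt):
    """Q = kP by double-and-add: easy forward, hard to invert (k from P, Q)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def ecdh(ka, kb):
    """Alice (ka) and Bob (kb) exchange ka*G and kb*G; both reach ka*kb*G."""
    if not (0 < ka < N and 0 < kb < N):
        raise ValueError("private keys must lie in [1, N-1]")
    pub_a, pub_b = ec_mul(ka, G), ec_mul(kb, G)
    return ec_mul(ka, pub_b), ec_mul(kb, pub_a)
```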
Timing and Power Attacks
¨ Ciphertext-only attack
– No mathematical analysis
¨ How it works
– Measure the effort (time, power) to decrypt a message
– Correlate the effort to the probability that certain key bits are on
¨ Idea
– Different algorithms work more on certain combinations of bit values
– E.g., in RSA the exponentiation effort depends on the number of bits that are 1
¨ Solutions:
– Idle computation to randomize and even out the effort
Other Public-Key Algorithms
¨ Merkle-Hellman Knapsack Algorithms
– First public-key cryptography (not key exchange) algorithm (1976); patented
– Encode a message as a series of solutions to knapsack problems (NP-Hard). An easy (superincreasing) knapsack serves as the private key, and a hard knapsack as the public key.
– Broken by Shamir and Zippel in 1980, showing a reconstruction of superincreasing knapsacks from the normal knapsacks
¨ Rabin
– Based on the difficulty of finding square roots modulo n
– Encryption is faster: C = M^2 mod n (n = pq)
– Decryption is a bit complicated, and the plaintext has to be selected from 4 possibilities (which also makes it difficult to use for signatures)
¨ El Gamal
– Based on the difficulty of calculating discrete logarithms in a finite field
– Elliptic Curves can be used to implement El Gamal and Diffie-Hellman faster
Digital Signatures
Main sources: Network Security Essentials / Stallings; Applied Cryptography / Schneier
Public-Key Digital Signature
¨ Same as authentication
– The sender encrypts a message with his own private key
– The receiver, by decrypting, verifies key possession
Digital Signatures
¨ It is possible to use the entire message, encrypted with the private key, as the digital signature
– But this is computationally expensive
– And anyone can then decrypt the original message
¨ Alternatively, a digest can be used
– Should be short
– Prevent decryption of the original message
– Prevent modification of the original message
– Difficult to fake a signature for
¨ If message authentication (integrity) is needed, we may use the hash code of the message
¨ If only source authentication is needed, a different message can be used (certificate)
Digital Signature Algorithm (DSA)
¨ Proposed in 1991 by NIST as a standard (DSS)
– Based on the difficulty of computing discrete logarithms (like Diffie-Hellman and El Gamal)
¨ Encountered resistance because RSA was already the de-facto standard, and had already drawn significant investment
– DSA cannot be used for encryption or key distribution
– RSA is advantageous in most applications (except smart cards)
• RSA is 10x faster in signature
• DSA is faster in verification
– Concerns about an NSA backdoor (a table can be built for some primes)
¨ Key size was increased from 512 to 2048 and 3072 bits
– In DSA, the key size needs to be 4 times the security level
¨ DSA has an Elliptic Curve version
– Faster to compute, and requires half the bits
Description of DSA
¨ Parameters
– p is a prime number with up to 1024 bits
– q is a 160-bit factor of (p-1), and itself prime
– g = h^((p-1)/q) mod p (h is random)
– x is the private key and is smaller than q
– y = g^x mod p is part of the public key
¨ Signature
– Given a message M, generate a random k < q (keep it secret)
– Signature is a pair (r, s)
• send r = (g^k mod p) mod q
• send s = k^-1 (H(M) + xr) mod q
• If r = 0 or s = 0, choose a new k
¨ Verification
– Compute w = s^-1 mod q
– Compute u1 = H(M)·w mod q; u2 = r·w mod q
– Compute v = (g^u1 · y^u2 mod p) mod q
– If v = r then the signature is verified
Key Generation in DSA
¨ Generate q as a SHA hash of an arbitrary 160-bit string
– If not prime, try another string
– Use the Rabin method for primality testing
¨ To get (p-1)
– Concatenate additional 160-bit numbers until you get to the right size (e.g., 1024)
– Subtract the remainder after division by 2q
• q is a factor by construction
• Since p-1 is even, 2 is also a factor
¨ If p is not prime, repeat the process
One-Time Signatures (Merkle)
¨ Key Generation
– Let t = n + 1 + log n, where n is the message size
– Select random K1, …, Kt (private key)
– Let Vi = H(Ki) for a hash function H (public key)
¨ Signature
– Let C be the number of 0's in message M
– Let W = M || C, and let A1 … At be W's bits
– Signature is (S1 … Su) such that Sj = Kl if Al is the jth 1-bit of W
¨ Verification
– Compute W as above
– Compute H(Si) for each bit and compare to the (properly indexed) Vj
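The one-time signature scheme above, as an added example that is not part of the original deck. It assumes an 8-bit message (so t = 8 + 1 + 3 = 12 keys) and SHA-256 as H; the zero-count suffix C is what stops a forger from clearing a 1-bit, because fewer 1s means more zeros and therefore a new 1-bit in C whose key was never revealed.

```python
# Added example (not from the slides): Merkle one-time signature with the
# zero-count checksum. Constructed toy size: n = 8 message bits.
import hashlib
import secrets

N_BITS = 8                                # message size n (constructed)
C_BITS = 1 + (N_BITS.bit_length() - 1)    # 1 + log2(n) bits for the zero count C
T = N_BITS + C_BITS                       # t = n + 1 + log n private keys


def H(k: bytes) -> bytes:
    return hashlib.sha256(k).digest()


def ots_keygen():
    """Private key K1..Kt (random), public key Vi = H(Ki)."""
    private = [secrets.token_bytes(32) for _ in range(T)]
    return private, [H(k) for k in private]


def checksummed_bits(message: int):
    """W = M || C as a list of t bits, C being the number of 0s in M."""
    if not 0 <= message < 2 ** N_BITS:
        raise ValueError("message must fit in n bits")
    m_bits = [(message >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]
    zeros = m_bits.count(0)
    c_bits = [(zeros >> (C_BITS - 1 - i)) & 1 for i in range(C_BITS)]
    return m_bits + c_bits


def ots_sign(private, message: int):
    """Reveal Kl for every position l where W has a 1-bit; each key is used once."""
    w = checksummed_bits(message)
    return [(i, private[i]) for i, bit in enumerate(w) if bit]


def ots_verify(public, message: int, signature) -> bool:
    w = checksummed_bits(message)
    expected = [i for i, bit in enumerate(w) if bit]
    if [i for i, _ in signature] != expected:   # revealed set must match W exactly
        return False
    return all(H(k) == public[i] for i, k in signature)
```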
Key Management for Public Key Cryptographic Protocols
Main sources: Network Security Essentials / Stallings; Applied Cryptography / Schneier
Certificate Authority: Verifying the Public Key
¨ How to ensure that Charles doesn't pretend to be Bob by publishing a public key for Bob. Then, using a Man-in-the-Middle attack, Charles can read the message and re-encrypt and resend it to Bob
¨ Bob prepares a certificate with his identifying information and his public key
¨ The Certificate Authority (CA) verifies the details and signs Bob's certificate
¨ Bob can publish the signed certificate
More on (Public) Key Management
¨ Alice may have more than one key
– e.g., a personal key and a work key
¨ Where shall Alice store her keys?
– Alice may not want to trust her work administrator with her personal banking key
¨ Distributed certification à la X.509
– CA certifies agents who certify organizations who certify others
¨ Distributed certification à la PGP
– Alice will present her certificate with "introducers" who will vouch for her ("PKI parties")
¨ Key Escrow
– The US Escrowed Encryption Standard suggests that private keys be broken in half and kept by two Government agencies
– Clipper: for cellular phone encryption
– Capstone: for computer communication
Summary
Cryptography Summary
¨ Cryptography (and steganography) were always considered a strategic tool
– Used mostly by governments and military organizations
– Served to keep top secrets and in wars
¨ Different generations were characterized by either the cryptographers or the cryptanalysts winning the battle
– Today, cryptographers seem certainly on top, with "unbreakable" ciphers (but remember Vigenère's unbreakable cipher...)
¨ Must remember that cryptanalysis is not the only attack
– It is usually the hardest way to break a message
– May attack human weaknesses in the crypto protocol
– May attack communication, hosts, etc.
– Much easier to get information using the good old 3 Bs: bribery, burglary, and bending