- 73 Views
- Uploaded on
- Presentation posted in: General

CSCE 715: Network Systems Security

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

- Can use previous methods to obtain public key of other party
- Although public key can be used for confidentiality or authentication, asymmetric encryption algorithms are too slow
- So usually want to use symmetric encryption to protect message contents
- Can use asymmetric encryption to set up a session key

- Proposed by Merkle in 1979
- A generates a new temporary public key pair
- A sends B the public key and A’s identity
- B generates a session key Ks and sends encrypted Ks (using A’s public key) to A
- A decrypts message to recover Ks and both use

- An adversary can intercept and impersonate both parties of protocol
- A generates a new temporary public key pair {KUa, KRa} and sends KUa || IDa to B
- Adversary E intercepts this message and sends KUe || IDa to B
- B generates a session key Ks and sends encrypted Ks (using E’s public key)
- E intercepts message, recovers Ks and sends encrypted Ks (using A’s public key) to A
- A decrypts message to recover Ks and both A and B unaware of existence of E

- if A and B have securely exchanged public-keys

?

- Message (4) is not protected by N2
- An adversary can intercept message (4) and replay an old message or insert a fabricated message

- What can be wrong with the following protocol?
AB:N

BA:EKUa[EKRb[Ks||N]]

- An adversary sitting between A and B can get a copy of secret key Ks without being caught by A and B!

- First publicly proposed public-key type scheme
- By Diffie and Hellman in 1976 along with advent of public key concepts
- A practical method for public exchange of secret key
- Used in a number of commercial products

- Use to set up a secret key that can be used for symmetric encryption
- cannot be used to exchange an arbitrary message

- Value of key depends on the participants (and their private and public key information)
- Based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) – easy
- Security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard

- From Euler’s theorem: aø(n) mod n=1
- Consider am mod n=1, GCD(a,n)=1
- must exist for m= ø(n) but may be smaller
- once powers reach m, cycle will repeat

- If smallest is m= ø(n) then a is called a primitive root
- if p is prime and a is a primitive root of p, then successive powers of a “generate” the group mod p
- Not every integer has primitive roots

- Inverse problem to exponentiation is to find the discrete logarithm of a number modulo p
- Namely find x where ax = b mod p
- Written as x=loga b mod p or x=dloga,p(b)
- If a is a primitive root of p then discrete logarithm always exists, otherwise may not
- 3x = 4 mod 13 has no answer
- 2x = 3 mod 13 has an answer 4

- While exponentiation is relatively easy, finding discrete logarithms is generally a hard problem

- All users agree on global parameters
- large prime integer or polynomial q
- α which is a primitive root mod q

- Each user (e.g. A) generates its key
- choose a private key (number): xA < q
- compute its public key: yA = αxA mod q

- Each user publishes its public key

- Shared session key for users A and B is KAB:
KAB = αxA.xB mod q

= yAxB mod q (which B can compute)

= yBxA mod q (which A can compute)

- KAB is used as session key in symmetric encryption scheme between A and B
- Attacker needs xA or xB, which requires solving discrete log

- Given Alice and Bob who wish to swap keys
- Agree on prime q=353 and α=3
- Select random secret keys:
- A chooses xA=97, B chooses xB=233

- Compute public keys:
- yA=397 mod 353 = 40(Alice)
- yB=3233 mod 353 = 248(Bob)

- Compute shared session key as:
KAB= yBxA mod 353 = 24897 = 160(Alice)

KAB= yAxB mod 353 = 40233 = 160(Bob)

- Majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very large numbers/polynomials
- Imposes a significant load in storing and processing keys and messages
- An alternative is to use elliptic curves
- Offers same security with smaller bit sizes

- An elliptic curve is defined by an equation in two variables x and y, with coefficients
- Consider a cubic elliptic curve of form
- y2 = x3 + ax + b
- where x, y, a, b are all real numbers
- also define zero point O

- Have addition operation for elliptic curve
- geometrically, sum of P+Q is reflection of intersection R

- Elliptic curve cryptography uses curves whose variables and coefficients are finite
- Two families are commonly used
- prime curves Ep(a,b) defined over Zp
- use integers modulo a prime
- best in software

- binary curves E2m(a,b) defined over GF(2m)
- use polynomials with binary coefficients
- best in hardware

- prime curves Ep(a,b) defined over Zp

- ECC addition is analog of modulo multiply
- ECC repeated addition is analog of modulo exponentiation
- Need a “hard” problem equivalent to discrete logarithm
- Q=kP, where Q, P belong to a prime curve
- is “easy” to compute Q given k, P
- but “hard” to find k given Q, P
- known as the elliptic curve logarithm problem

- Certicom example: E23(9,17)

- Can do key exchange analogous to D-H
- Users select a suitable curve Ep(a,b)
- Select base point G=(x1, y1) with large order n s.t. nG=O
- A and B select private keys nA<n, nB<n
- Compute public keys: PA=nA×G, PB=nB×G
- Compute shared key: K=nA×PB,K=nB×PA
- same since K=nA×nB×G

- Must first encode any message M as a point on the elliptic curve Pm
- Select suitable curve and point G as in D-H
- Each user chooses private key nA<n and computes public key PA=nA×G
- To encrypt Pm:
Cm={kG, Pm+kPB}, k random

- To decrypt Cm:
Pm+kPB–nB(kG) = Pm+k(nBG)–nB(kG) = Pm

- Relies on elliptic curve logarithm problem
- Fastest method is “Pollard rho method”
- Compared to factoring, ECC can use much smaller key sizes than with RSA
- For equivalent key lengths computations are roughly equivalent
- Hence for similar security ECC offers significant computational advantages

1

- Message authentication
- Hashing functions
- Message digests
- Read Chapters 11 and 12