Public Key Cryptography: Diffie-Hellman, Discrete Log, RSA
CSCI283 Fall 2005 GWU

Presentation Transcript


  1. Public Key Cryptography: Diffie-Hellman, Discrete Log, RSA • CSCI283 Fall 2005 GWU • Outline: Diffie-Hellman Key Exchange, Discrete Log Problem • Public Key Crypto • RSA

  2. Diffie-Hellman Key Exchange

  3. Diffie-Hellman Key Exchange • Protocol for agreeing on a secret key over a public channel. • Select global parameters p, n and α: p is prime and α is an element of order n in Zp*. These parameters are public and known to all. CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

  4. Diffie-Hellman Key Exchange contd. • Alice privately selects a random b and sends Bob α^b mod p. • Bob privately selects a random c and sends Alice α^c mod p. • Alice computes (α^c)^b mod p and Bob computes (α^b)^c mod p; both obtain α^(bc) mod p, which is their shared secret. • An observer Oscar sees p, α, α^b and α^c. He can compute α^(bc) if he learns either b or c, e.g. by solving the discrete log problem. • This is a key agreement protocol: neither party chooses the key alone.

  5. Diffie-Hellman is based on the hardness of the Discrete Log problem: • Given a multiplicative group G, an element α ∈ G such that o(α) = n, and an element β ∈ ⟨α⟩ • Find the unique integer x, 0 ≤ x ≤ n-1, such that β = α^x; x is denoted log_α β • Not known to be doable in polynomial time; exponentiation (computing α^x from x), however, is.

  6. An attack • Diffie-Hellman key exchange, as described, is susceptible to a man-in-the-middle attack, because the exchanged values are not authenticated. • Mallory captures α^b and α^c in transmission and replaces them with her own α^b' and α^c'. • Essentially she runs two Diffie-Hellman exchanges, one with Alice (who ends up with α^(bc')) and one with Bob (who ends up with α^(b'c)), and can decrypt, read and re-encrypt everything that passes between them.
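The exchange on slides 4 to 6, as an added example that is not part of the original slide deck: an honest run, Oscar's brute-force discrete log (feasible only because the parameters are tiny), and Mallory's two parallel exchanges. The parameters p = 23, α = 5 (order n = 22) and all exponents are constructed for this example; real deployments use primes of 2048 bits or more, where the search in `discrete_log` is hopeless.

```python
import secrets

# Toy Diffie-Hellman parameters, constructed for this example (far too small for real use):
# p = 23 is prime and alpha = 5 generates Z_23^*, so its order is n = 22.
P = 23
ALPHA = 5
N = 22


def random_exponent(n=N):
    """A fresh private exponent in [1, n-1]."""
    return secrets.randbelow(n - 1) + 1


def dh_public(priv, p=P, alpha=ALPHA):
    """What a party sends over the public channel: alpha^priv mod p."""
    return pow(alpha, priv, p)


def dh_shared(priv, other_pub, p=P):
    """What a party keeps: (other party's value)^priv mod p = alpha^(bc) mod p."""
    return pow(other_pub, priv, p)


def honest_exchange(b, c):
    """Slide 4: Alice holds b, Bob holds c. Returns (Alice's key, Bob's key); they agree."""
    alice_sends = dh_public(b)          # alpha^b, visible to everyone
    bob_sends = dh_public(c)            # alpha^c, visible to everyone
    return dh_shared(b, bob_sends), dh_shared(c, alice_sends)


def discrete_log(beta, p=P, alpha=ALPHA, n=N):
    """Slide 5: Oscar's generic option is to search for x with alpha^x = beta mod p.
    This brute force takes up to n steps, i.e. exponential in the bit length of p."""
    acc = 1
    for x in range(n):
        if acc == beta:
            return x
        acc = acc * alpha % p
    raise ValueError("beta is not in <alpha>")


def oscar_recovers_key(alice_sends, bob_sends):
    """Oscar sees only the two public values; the log of one of them yields the shared key."""
    b = discrete_log(alice_sends)
    return dh_shared(b, bob_sends)


def mitm_exchange(b, c, b_prime, c_prime):
    """Slide 6: Mallory intercepts alpha^b and alpha^c and substitutes alpha^b' and alpha^c'.
    Returns (Alice's key, Bob's key, Mallory's key with Alice, Mallory's key with Bob)."""
    alice_sends = dh_public(b)          # captured by Mallory, never reaches Bob
    bob_sends = dh_public(c)            # captured by Mallory, never reaches Alice
    to_bob = dh_public(b_prime)         # Mallory -> Bob, posing as Alice
    to_alice = dh_public(c_prime)       # Mallory -> Alice, posing as Bob
    k_alice = dh_shared(b, to_alice)                    # alpha^(b c')
    k_bob = dh_shared(c, to_bob)                        # alpha^(b' c)
    k_mallory_alice = dh_shared(c_prime, alice_sends)   # alpha^(b c'): same as Alice's
    k_mallory_bob = dh_shared(b_prime, bob_sends)       # alpha^(b' c): same as Bob's
    return k_alice, k_bob, k_mallory_alice, k_mallory_bob


if __name__ == "__main__":
    b, c = random_exponent(), random_exponent()
    print("honest exchange (Alice, Bob):", honest_exchange(b, c))
    print("Oscar via discrete log      :", oscar_recovers_key(dh_public(b), dh_public(c)))
    print("MITM (Alice, Bob, M/A, M/B) :", mitm_exchange(b, c, random_exponent(), random_exponent()))
```

In the man-in-the-middle run Alice and Bob each hold a perfectly good key, just not with each other; nothing in the protocol as stated lets them notice, which is why deployed variants authenticate the α^b and α^c values (for example with signatures).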

  7. Public-Key Cryptography

  8. Diffie and Hellman propose Public Key Cryptography • Computationally easy to encrypt/decrypt given the key • Computationally infeasible to derive the private key from the public key • Computationally infeasible to determine the private key from a chosen-plaintext attack • Look at DH key exchange as PKC

  9. How does Alice send Bob the decryption key in private key crypto? • Suppose Alice wants anyone to be able to decrypt her messages, yet know that they came from her • Suppose she could make the decryption key available in a public place • This would require that the decryption key give no information about the encryption key; in particular the two must not be equal

  10. How does Alice send Bob the decryption key in private key crypto? contd • If she wants only Bob to be able to read her messages, and Bob is fine with anyone sending him messages in this way • Suppose Bob makes his encryption key available publicly • No one should be able to compute the decryption key from the encryption key • This is the dual of the previous case

  11. Public Key Cryptography • Two injective functions f and g such that f∘g = I, i.e. messages encrypted with one can be decrypted with the other; the functions include the association with a key • f cannot be used to find g and vice versa • One is made public, the other kept private • Encryption with the public function provides confidential transmission; decryption with the public function (of something produced with the private one) provides authentication

  12. RSA

  13. Background • Totient function φ(n) • Number of positive integers less than n and relatively prime to n • Relatively prime means having no factors in common with n • Example: φ(10) = 4 • 1, 3, 7, 9 are relatively prime to 10 • Example: φ(21) = 12 • 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 are relatively prime to 21

  14. RSA • Cocks ('73), Rivest, Shamir, Adleman ('77) • n = pq, p and q (large) primes • P = C = Zn • K = {(n, p, q, a, b) : ab ≡ 1 mod φ(n)} • Public key: (n, a); Private key: (n, b) • fK(m) = m^a mod n • gK(m) = m^b mod n • fK and gK are inverses (we won't show this; it is not straightforward)

  15. RSA: Key generation • Find p and q (two large random primes) • n ← pq • φ(n) ← (p-1)(q-1) • Choose a random a invertible mod φ(n) with 1 < a < φ(n), i.e. gcd(a, φ(n)) = 1 • Use the extended Euclidean algorithm to find b = a^-1 mod φ(n) • Without p and q one cannot (efficiently) determine φ(n) • One key: (n, a); the other key: (n, b) • Example

  16. Example • Take p = 7, q = 11, so n = 77 and φ(n) = 60 • Alice chooses e = 17, making d = 53 (17 · 53 = 901 ≡ 1 mod 60) • Bob wants to send Alice the secret message HELLO (07 04 11 11 14, with A = 00) • 07^17 mod 77 = 28 • 04^17 mod 77 = 16 • 11^17 mod 77 = 44 • 11^17 mod 77 = 44 • 14^17 mod 77 = 42 • Bob sends 28 16 44 44 42

  17. Example • Alice receives 28 16 44 44 42 • Alice uses her private key, d = 53, to decrypt the message: • 28^53 mod 77 = 07 • 16^53 mod 77 = 04 • 44^53 mod 77 = 11 • 44^53 mod 77 = 11 • 42^53 mod 77 = 14 • Alice translates the numbers back to letters and reads HELLO • No one else could read it, as only Alice knows her private key and that is needed for decryption • Note that this does not protect the message from alteration: Bob used only Alice's public key, which anyone has, so anyone could substitute or reorder ciphertext blocks in transit (see the warnings that follow); tying the message to Bob would require Bob's private key

  18. Warnings • Encipher messages in blocks considerably larger than in the examples here • With one character per block, RSA is deterministic, so identical letters give identical ciphertext blocks (44 44 for LL above) and the ciphertext can be broken using statistical (frequency) attacks, just like classical cryptosystems • An attacker cannot alter individual letters, but can rearrange them and change the meaning of the message. Example: reverse the enciphered message of the text ON to get NO

  19. Encryption of blocks of symbols • Block ABCD…, each symbol is base N (e.g. N = 2, 16) • Convert a block of a few symbols to an integer mod n • RSA encrypt • Convert back to base N • Example. • Short strings are a problem if encrypted with RSA (a small message space can simply be enumerated, since encryption is deterministic), hence pad short strings with random characters.
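Textbook RSA as the slides define it, as an added example that is not part of the original slide deck. It reproduces the key generation of slide 15 (extended Euclid for b = a^-1 mod φ(n)), the p = 7, q = 11 HELLO example of slides 16 and 17 with the A = 00 encoding, the two warnings of slide 18 (repeated letters leak, and ciphertext blocks can be reordered), and the block packing of slide 19. The second key pair (p = 61, q = 53, n = 3233, a = 17) is my own choice so that two letters fit in one block; the random-letter padding and the "keep the original length" convention are my reading of slide 19, not something the slides specify. No real padding scheme (OAEP) is used, so this is not safe for real data.

```python
import secrets
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """a^-1 mod m, which exists iff gcd(a, m) = 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("%d has no inverse mod %d" % (a, m))
    return x % m


def rsa_keygen(p, q, a):
    """Slide 15: n = pq, phi(n) = (p-1)(q-1), public exponent a coprime to phi(n),
    private exponent b = a^-1 mod phi(n). Returns ((n, a), (n, b))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < a < phi or gcd(a, phi) != 1:
        raise ValueError("need 1 < a < phi(n) and gcd(a, phi(n)) = 1")
    return (n, a), (n, modinv(a, phi))


def rsa_apply(m, key):
    """f_K or g_K: modular exponentiation with whichever key is supplied."""
    n, exponent = key
    if not 0 <= m < n:
        raise ValueError("block must be an integer in Z_n")
    return pow(m, exponent, n)


# --- Slides 16-17: one letter per block, A = 00 ... Z = 25 -------------------
def letters_to_ints(s):
    return [ALPHABET.index(ch) for ch in s]


def ints_to_letters(xs):
    return "".join(ALPHABET[x] for x in xs)


def encrypt_letters(s, pub):
    """Deterministic: the same letter always gives the same block (slide 18's statistical leak)."""
    return [rsa_apply(m, pub) for m in letters_to_ints(s)]


def decrypt_letters(cs, priv):
    """Blocks are decrypted independently, so reordering them reorders the plaintext."""
    return ints_to_letters(rsa_apply(c, priv) for c in cs)


# --- Slide 19: pack k base-N symbols into one integer in Z_n -----------------
def symbols_per_block(n, base=26):
    """Largest k with base^k <= n, so every k-symbol block is a valid element of Z_n."""
    k = 1
    while base ** (k + 1) <= n:
        k += 1
    return k


def encrypt_blocks(s, pub, base=26):
    """Pads s with random letters up to a multiple of k (slide 19), packs each k-letter
    block into an integer and encrypts it. Returns (blocks, original length) so the
    receiver can strip the random pad; the length convention is this example's own."""
    n, _ = pub
    k = symbols_per_block(n, base)
    pad = (-len(s)) % k
    padded = s + "".join(secrets.choice(ALPHABET) for _ in range(pad))
    blocks = []
    for i in range(0, len(padded), k):
        m = 0
        for digit in letters_to_ints(padded[i:i + k]):
            m = m * base + digit
        blocks.append(rsa_apply(m, pub))
    return blocks, len(s)


def decrypt_blocks(cs, priv, length, base=26):
    """Inverse of encrypt_blocks: decrypt, unpack k base-N digits per block, drop the pad."""
    n, _ = priv
    k = symbols_per_block(n, base)
    out = []
    for c in cs:
        m = rsa_apply(c, priv)
        digits = []
        for _ in range(k):
            m, d = divmod(m, base)
            digits.append(d)
        out.extend(reversed(digits))
    return ints_to_letters(out)[:length]
```

With n = 77 only one letter fits per block, which is exactly the situation slide 18 warns about; with n = 3233 two letters fit, and the random pad means a one-letter message no longer encrypts to one of just 26 possible blocks.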

  20. Security of RSA: Is it based on the hardness of factoring n? • It is not known whether: • factoring a product of two primes into its prime components is solvable in polynomial time, or is NP-complete • there are other trapdoors to RSA, i.e. other ways of breaking it in general without factoring n • Factoring is an easy (polynomial-time) problem in the quantum computing model (Shor's algorithm).

  21. Security Services • Confidentiality • Only the owner of the private key knows it, so text enciphered with the public key cannot be read by anyone except the owner of the private key • Authentication • Only the owner of the private key knows it, so text enciphered with the private key must have been generated by the owner

  22. More Security Services • Integrity • Enciphered letters cannot be changed undetectably without knowing the private key • Non-Repudiation • A message enciphered with the private key came from someone who knew it

  23. Secure Hash

  24. The problems crypto addresses • Confidentiality/secrecy/privacy • How to keep a message secret so it can be read only by a chosen person • Use encryption • Integrity • How to determine that a string of symbols has not been changed since it was created • ?

  25. Integrity • Alice sends message x to Bob. She fears Oscar will manipulate it along the way, and Bob will get an incorrect message. • She could encrypt it using a key Oscar did not have, but is that overkill when she does not need to prevent Oscar from reading it? • But maybe she could tell Bob something else about the message so he would know if something was terribly wrong: parity, last bit, a particular bit, etc.

  26. In general, she could use a hash function h: X → Y, y = h(x), with |X| > |Y|, i.e. ∃ x, x' such that x ≠ x' and h(x) = h(x') • Used in storage (hash) tables • E.g.: h(x) = last bit, parity, smallest prime factor

  27. Checksums/hashes • Mathematical function to generate a set of k bits from a set of n bits (where k ≤ n) • k is smaller than n except in unusual circumstances • Example: ASCII parity bit • ASCII has 7 bits; the 8th bit is "parity" • Even parity: even number of 1 bits • Odd parity: odd number of 1 bits

  28. Example Use • Bob receives "10111101" as bits. • If the sender is using even parity: six 1 bits, so the character was received correctly • Note: it could still be garbled, but 2 bits would need to have been changed to preserve parity • If the sender is using odd parity: even number of 1 bits, so the character was not received correctly

  29. h(x) sent with x • Both Bob and Alice can compute h(x) given x • Alice sends (x, h(x)) • Bob receives (x', y') and checks whether y' = h(x') • If so, he assumes x' is what Alice sent

  30. In either case, what can the attacker do? • If he can compute h, he can: • try to find x' ≠ x such that h(x) = h(x'), so that his substituted x' passes the check • If he knows h, and can influence Alice, he can • try to get her to send an x that she likes such that h(x) = h(x') for an x' he likes • If he doesn't know h, he hopes for the best

  31. Hence require an h "secure" in the following ways: • Second-preimage security requires that the following problem is "difficult": • Given x ∈ X, find x' ∈ X such that x' ≠ x but h(x') = h(x) • Collision security requires that the following problem is "difficult": • Find x, x' ∈ X such that x' ≠ x but h(x') = h(x) • The above should hold even if h(x1), h(x2), ..., h(xn) are known

  32. In general, h is a secure hash, or a one-way function: easy to compute in one direction, hard in the other. Can we recall one such function?

  33. Definition • Cryptographic checksum h: A → B: • For any x ∈ A, h(x) is easy to compute • For any y ∈ B, it is computationally infeasible to find x ∈ A such that h(x) = y • It is computationally infeasible to find two inputs x, x' ∈ A such that x ≠ x' and h(x) = h(x')

  34. Keys • Keyed cryptographic checksum: requires a cryptographic key • DES in chaining (CBC) mode: encipher the message, use the last n bits. Requires a key to encipher, so it is a keyed cryptographic checksum (a CBC-MAC). • Keyless cryptographic checksum: requires no cryptographic key • MD5 and SHA-1 were the best known when these slides were written; others include MD4, HAVAL, and Snefru. (Practical collision attacks have since been published for both MD5 and SHA-1, so neither should be relied on where collision resistance matters.)

  35. HMAC • Keyed cryptographic checksums from keyless ones • h: keyless cryptographic checksum function that takes data in blocks of b bytes and outputs l bytes; k: cryptographic key, brought to length b bytes • If k is shorter than b bytes, pad it with 0 bytes; if longer, hash it first (giving l bytes) and then pad to b • ipad is the byte 00110110 (0x36) repeated b times; opad is the byte 01011100 (0x5c) repeated b times • HMAC-h(k, m) = h((k ⊕ opad) || h((k ⊕ ipad) || m))
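The progression of slides 27 to 35, as an added example that is not part of the original slide deck: the parity check of slide 28 (and the two-bit change it misses), the keyless (x, h(x)) check of slide 29 that an attacker who can compute h defeats by recomputing (slide 30), and HMAC built from the slide 35 formula and checked against Python's standard `hmac` module. SHA-256 (l = 32 bytes, block size b = 64 bytes) stands in for the keyless checksum h; the key and messages are constructed for this example.

```python
import hashlib
import hmac as stdlib_hmac


def parity_ok(bits, even=True):
    """Slides 27-28: an 8-bit ASCII character whose 8th bit is a parity bit.
    Returns True if the number of 1 bits matches the sender's parity convention."""
    ones = bits.count("1")
    return (ones % 2 == 0) == even


def h(data):
    """The keyless cryptographic checksum used below: SHA-256, l = 32 output bytes, b = 64 block bytes."""
    return hashlib.sha256(data).digest()


def send_with_hash(x):
    """Slide 29: Alice sends (x, h(x))."""
    return x, h(x)


def check_hash(x_prime, y_prime):
    """Slide 29: Bob accepts (x', y') iff y' = h(x'). Constant-time compare, as a MAC check should use."""
    return stdlib_hmac.compare_digest(h(x_prime), y_prime)


def forge_keyless(new_x):
    """Slide 30: an attacker who can compute h simply substitutes x' and recomputes h(x');
    Bob's keyless check accepts the forgery."""
    return new_x, h(new_x)


def hmac_from_slide(hash_fn, block_bytes, k, m):
    """Slide 35 as written: HMAC_h(k, m) = h((k xor opad) || h((k xor ipad) || m))."""
    if len(k) > block_bytes:
        k = hash_fn(k)                       # long key: hash it first (l bytes) ...
    k = k.ljust(block_bytes, b"\x00")        # ... then pad with 0 bytes to b bytes
    ipad = bytes([0x36]) * block_bytes       # 00110110 repeated b times
    opad = bytes([0x5C]) * block_bytes       # 01011100 repeated b times
    inner = hash_fn(bytes(x ^ y for x, y in zip(k, ipad)) + m)
    return hash_fn(bytes(x ^ y for x, y in zip(k, opad)) + inner)


def hmac_sha256(k, m):
    return hmac_from_slide(h, 64, k, m)


def check_hmac(k, x_prime, tag):
    """Bob's keyed check: without k the attacker cannot recompute a valid tag for a new x'."""
    return stdlib_hmac.compare_digest(hmac_sha256(k, x_prime), tag)
```

The keyless check only detects accidental corruption; as soon as the attacker can both change x and recompute h(x), the check is worthless, which is why slide 34 distinguishes keyed from keyless checksums and slide 35 builds a keyed one.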

  36. Digital Signatures

  37. For non-repudiation • A digital signature authenticates both the origin and the contents of a message in a manner that is provable to a disinterested third party • Sign by enciphering the message digest (computed using a secure hash) with the signer's private key; anyone can verify by deciphering the signature with the signer's public key and comparing the result with a freshly computed digest of the message
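Hash-then-sign with textbook RSA, as an added example that is not part of the original slide deck, to make the key roles on this slide concrete: the private key produces the signature, the public key checks it. The key pair (n = 3233, a = 17, b = 2753, from p = 61, q = 53) is a toy I chose for illustration; the SHA-256 digest is reduced mod n only because n is so small, which also means forged messages collide with probability about 1/3233, so treat this as a demonstration of the mechanism and nothing more.

```python
import hashlib

# Toy RSA key pair, constructed for illustration only: p = 61, q = 53, n = 3233,
# public exponent a = 17, private exponent b = 2753 (17 * 2753 = 1 mod 3120).
PUB = (3233, 17)
PRIV = (3233, 2753)


def digest_mod_n(message, n):
    """Message digest from a secure hash, reduced into Z_n so RSA can be applied to it.
    (With a real key, n is far larger than the digest, so no reduction is needed.)"""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, priv):
    """Signing: apply the PRIVATE key to the digest. Only the key owner can do this."""
    n, b = priv
    return pow(digest_mod_n(message, n), b, n)


def verify(message, signature, pub):
    """Verification: apply the PUBLIC key to the signature and compare with a fresh digest.
    Anyone can do this, which is what makes the signature provable to a third party."""
    n, a = pub
    return pow(signature, a, n) == digest_mod_n(message, n)
```

Because the verifier only needs the public key, a third party can repeat the check later and the signer cannot deny having produced the signature, which is the non-repudiation property the slide is after; encrypting the digest with the public key instead would let anyone "sign" and prove nothing.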
