
Week 7: Public-Key Cryptography

MSIS 525

Encryption and Authentication Systems

Summer 2010

Topics
  • Public Key Encryption (PKE)
  • PKE Math
  • Symmetric Key Exchange Using PKE
  • Distributing Public Keys
  • Authentication Technologies
    • MACs
    • Hashes
    • Digital Signatures
Public Key Encryption
  • Uses one key for encryption, and another for decryption
  • Applications
    • Encryption of short messages
      • like keys
    • Authentication
      • through digital signatures
PKE for both simultaneously

[Figure: Alice and Bob, with keys PR_Alice, PU_Alice, PR_Bob and PU_Bob]

PKE is not ...
  • Suitable for encrypting long messages
  • Necessarily more secure than symmetric
  • Necessarily more efficient in distributing keys than symmetric

So don’t fall prey to these myths.

RSA
  • The most popular PKE system
  • Developed by Rivest, Shamir, and Adleman in 1977
  • Is a block cipher
  • Plaintext and ciphertext are treated as numbers between 0 and 2^numbits – 1
    • numbits typically >= 1024
RSA Encryption and Decryption
  • Encryption has the form: C = M^e mod n
  • Decryption has the form: M = C^d mod n
  • n is the product of two primes, p and q
RSA: What the two sides know
  • Visibility for confidentiality:
    • sender knows e and n
    • receiver knows d and n (as the product of p and q)
  • In other words, these are the keys:
    • public key = {e, n}
    • private key = {d, p, q}
Example: RSA by hand
  • Select primes: p = 17 & q = 11
  • Compute n = pq = 17×11 = 187
  • Compute φ(n) = (p–1)(q–1) = 16×10 = 160
  • Select e: gcd(e,160) = 1; choose e = 7
  • Determine d: d = e^-1 mod 160 and d < 160. Value is d = 23 since 23×7 = 161 = 1 mod 160 (could also use http://cs.lewisu.edu/~klumpra/msis525/multinv.php)
  • Publish public key PU = {7,187}
  • Keep secret private key PR = {23,17,11}

KEY GENERATION

Example: RSA by hand
  • given message M = 88 (note: 88 < 187)
  • encryption:

C = 88^7 mod 187 = 11

  • decryption:

M = 11^23 mod 187 = 88

How hard is it to break RSA?
  • The big concern –
    • attacker knows the public key e & n
    • can an attacker determine the private key d?
      • if he can, then he can determine M = C^d mod n
How hard is it to determine d?
  • To determine d
    • Need to factor n into p and q
      • No small task – n is a 309-digit number
    • So that he can determine φ(n) = (p-1)(q-1)
    • So that we can determine d = e^-1 mod φ(n)
Timing Attacks
  • Alternative to brute force
  • Exploit timing variations in operations
    • e.g. multiplying by small vs large number
    • Infer operand size based on time taken
  • RSA involves raising numbers to large powers
    • Can estimate size of exponent by how long it takes
  • Countermeasures
    • use constant exponentiation time
    • add random delays
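
The "use constant exponentiation time" countermeasure, as an added example that is not part of the original slides: plain square-and-multiply does an extra multiplication for every 1-bit of the exponent, while a Montgomery ladder does the same amount of work for every bit. Multiplications are counted rather than timed (Python integers are not constant-time), and the function names and the sample exponents are this example's own.

```python
# Added illustration (not from the slides). Modular multiplications are
# counted instead of timed, so the result is deterministic.

def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation. Returns (result, multiplications)."""
    result, mults = 1, 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod       # one squaring per exponent bit
        mults += 1
        if bit == "1":
            result = (result * base) % mod     # extra multiply only for 1-bits
            mults += 1
    return result, mults


def montgomery_ladder(base, exp, mod):
    """Ladder exponentiation: exactly two multiplications per exponent bit."""
    r0, r1, mults = 1, base % mod, 0           # invariant: r1 == r0 * base (mod n)
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0, r1 = (r0 * r1) % mod, (r1 * r1) % mod
        else:
            r0, r1 = (r0 * r0) % mod, (r0 * r1) % mod
        mults += 2
    return r0, mults


def work_profile(exponents, base=11, mod=187):
    """Multiplication counts (square-and-multiply, ladder) for each exponent."""
    return {
        e: (square_and_multiply(base, e, mod)[1],
            montgomery_ladder(base, e, mod)[1])
        for e in exponents
    }


if __name__ == "__main__":
    # Constructed exponents, all 5 bits long, with one, four and five 1-bits.
    for e, (naive, ladder) in work_profile([0b10000, 0b10111, 0b11111]).items():
        print(f"d={e:>2} ({e:05b})  square-and-multiply={naive:>2}  ladder={ladder}")
```

The square-and-multiply count tracks the number of 1-bits in d, which is what a timing observer learns; the ladder count depends only on the bit length. A production implementation also has to avoid branching on the secret bit, which this sketch does not attempt.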
RSA Secure but ...
  • It’s slow
  • So, use it for exchanging short messages
    • like keys
Issues
  • How can we speed up the arithmetic?
  • How do you find two large primes?
  • What the heck is φ(n)?

Speeding up the math through knowledge of modular arithmetic

Basic operations mod n
  • (a+b) mod n = ((a mod n) + (b mod n)) mod n
  • (a*b) mod n = ((a mod n) * (b mod n)) mod n
  • y = -x mod n if and only if (y + x) mod n = 0
  • y = x^-1 mod n if and only if (y * x) mod n = 1
Examples
  • What is (8+4) mod 5?
  • What is (8*4) mod 5?
  • What is the additive inverse of 2 mod 5?
  • What is the multiplicative inverse of 2 mod 5?
Example: Computing 11^23 mod 187
  • 11^23 mod 187 = [(11^1 mod 187) x (11^2 mod 187) x (11^4 mod 187) x (11^8 mod 187) x (11^8 mod 187)] mod 187
  • 11^1 mod 187 = 11
  • 11^2 mod 187 = 121
  • 11^4 mod 187 = (121*121) mod 187 = 55
  • 11^8 mod 187 = (55*55) mod 187 = 33
  • 11^23 mod 187 = (11*121*55*33*33) mod 187 = 88
Chinese Remainder Theorem
  • Makes it possible to reconstruct integers in a certain range from their remainders when divided by a pair of relatively prime numbers.
  • provided we know the factors, a very large number can be manipulated using smaller numbers
  • this will help the recipient compute M = C^d mod n, since n = p * q, and the recipient knows p and q
Example: CRT
  • Using residues 2 and 5, compute 7 + 8 mod 10.
    • 7 mod 2 = 1, 7 mod 5 = 2, so 7 is (1,2)
    • 8 mod 2 = 0, 8 mod 5 = 3, so 8 is (0,3)
    • (1,2) + (0,3) = (1,5)
    • So, we seek a number x < 10 such that x mod 2 = 1 mod 2 (i.e. 1) and x mod 5 = 5 mod 5 (i.e. 0)
    • That number is 5.
  • Sure enough, (7 + 8) mod 10 = 15 mod 10 = 5
Another example: CRT
  • Using residues 2 and 5, compute 7 * 8 mod 10
    • 7 mod 2 = 1, 7 mod 5 = 2, so 7 is (1,2)
    • 8 mod 2 = 0, 8 mod 5 = 3, so 8 is (0,3)
    • (1,2) * (0,3) = (0,6)
    • So, we seek a number x < 10 with x mod 2 = 0 mod 2 and x mod 5 = 6 mod 5 = 1.
    • That number is 6
  • Sure enough (7*8) mod 10 = 56 mod 10 = 6
Application of CRT to Encryption
  • RSA involves calculations modulo n, a product of primes p and q
    • n is huge (>= 1024 bits long)
  • Because of CRT, calculations can be done on p and q instead
    • p and q are much smaller
      • thus, calculations are easier
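
The "RSA by hand" numbers and the CRT shortcut above, as an added example that is not part of the original slides: key generation with the extended Euclidean algorithm, then decryption done once modulo n and once modulo p and q separately and recombined. The function names are this example's own; the values p=17, q=11, e=7, M=88 are the ones used on the slides.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def mod_inverse(a, m):
    """Multiplicative inverse of a mod m, or ValueError if none exists."""
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}")
    return x % m


def keygen(p, q, e):
    """Returns (public, private) = ({e, n}, {d, p, q}) as on the slides."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return (e, n), (mod_inverse(e, phi), p, q)


def encrypt(m, public):
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < n")
    return pow(m, e, n)


def decrypt_plain(c, private):
    d, p, q = private
    return pow(c, d, p * q)                  # one exponentiation mod n


def decrypt_crt(c, private):
    d, p, q = private
    # Two small exponentiations; exponents shrink because a^(p-1) = 1 mod p.
    m_p = pow(c % p, d % (p - 1), p)
    m_q = pow(c % q, d % (q - 1), q)
    # Recombine the residue pair (m_p, m_q) into the unique M < p*q.
    h = (mod_inverse(q, p) * (m_p - m_q)) % p
    return m_q + h * q


if __name__ == "__main__":
    public, private = keygen(17, 11, 7)
    c = encrypt(88, public)
    print(public, private, c, decrypt_plain(c, private), decrypt_crt(c, private))
```

For C = 11 the residues are (3, 0) modulo (17, 11), and the recombination step returns 88, the same plaintext as the single exponentiation modulo 187.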
Determining the multiplicative inverse
  • For large numbers, it can be difficult to determine the multiplicative inverse
    • but we have to: d = e^-1 mod φ(n)
  • You can use this tool instead: http://cs.lewisu.edu/~klumpra/msis525/multinv.php

This will find the inverse of 5 mod 7


Just in case you’re interested.

Here’s the source code:

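<html>
<head>
<title>Find the multiplicative inverse in GF(p^n)</title>
</head>
<body>
<?php
// Extended Euclidean algorithm on the rows (a1, a2, a3) and (b1, b2, b3).
// Started as (1, 0, base) and (0, 1, num), each row (r1, r2, r3) keeps
// r1*base + r2*num = r3. When b3 reaches 1, b2 is the inverse of num.
// When b3 reaches 0, num and base share a factor and 0 is returned.
function xGCD($a1, $a2, $a3, $b1, $b2, $b3) {
    if ($b3 == 0) {
        return 0;
    }
    if ($b3 == 1) {
        return $b2;
    }
    $q  = (int)($a3 / $b3);
    $t1 = $a1 - $q * $b1;
    $t2 = $a2 - $q * $b2;
    $t3 = $a3 - $q * $b3;
    return xGCD($b1, $b2, $b3, $t1, $t2, $t3);
}

$vars = $_REQUEST;
if (count($vars) > 0) {
    // Accept only integers; FILTER_VALIDATE_INT returns false otherwise.
    $p   = filter_var($vars["base"] ?? null, FILTER_VALIDATE_INT);
    $n   = filter_var($vars["exp"] ?? null, FILTER_VALIDATE_INT);
    $num = filter_var($vars["num"] ?? null, FILTER_VALIDATE_INT);
    $base = ($p !== false && $n !== false && $p >= 2 && $n >= 1) ? pow($p, $n) : false;
    if ($num === false || !is_int($base)) {
        // Bad input, or p^n overflowed PHP's integer range into a float.
        print "Please enter integers with p >= 2, n >= 1 and p^n within integer range.<br>";
    } else {
        // Reduce num into 0..base-1 (PHP's % keeps the sign of the dividend).
        $num = (($num % $base) + $base) % $base;
        $answer = xGCD(1, 0, $base, 0, 1, $num);
        while ($answer < 0) {
            $answer += $base;
        }
        if ($answer == 0) {
            print "No inverse exists<br>";
        } else {
            print "Answer = $answer<br>";
        }
    }
}
?>
<form method="get">
Enter base p: <input type="text" name="base"><br>
Enter exponent n: <input type="text" name="exp"><br>
Enter number for which you want the inverse: <input type="text" name="num"><br>
<input type="submit" value="OK">
<input type="reset" value="Clear">
</form>
</body>
</html>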

Prime numbers
  • First step in RSA: choose p and q prime
  • A prime number p is a positive integer having no divisors other than 1 and p
  • There are an infinite number of primes
Theorems regarding primes
  • If p is a prime number and a is a positive integer not divisible by p, then a^(p-1) mod p = 1
  • If p is a prime number and a is a positive integer, then a^p mod p = a mod p
Examples
  • What is 4^4 mod 5?
  • Here, a = 4 and p = 5
  • By the first theorem, a^(p-1) mod p = 1. So, we know 4^(5-1) mod 5 = 1
Examples
  • What is 4^5 mod 5?
  • Second theorem: a^p mod p = a mod p.
  • So, the answer should be 4 mod 5, or 4.
  • Indeed: 4^5 = 1024, and 1024 mod 5 = 4
Euler’s Totient Function
  • φ(n) = # of positive integers between 1 and n that are relatively prime with n
  • Examples
What does “relatively prime” mean?
  • Two numbers are relatively prime if they have no factors in common
  • For example, 3 and 8 are relatively prime
  • Also, 4 and 15 are relatively prime
Euler’s Totient Function (continued)
  • Theorem: φ(p*q) = φ(p) * φ(q)
  • Also, if p is prime, then φ(p) = p-1
  • So, if p and q are primes and p doesn’t equal q, then φ(p*q) = (p-1) * (q-1)
Example: Properties of the Totient
  • Again: If p and q are primes, then φ(p*q) = (p-1) * (q-1)
  • φ(6) = φ(2*3) = (2-1) * (3-1) = 2
  • φ(14) = φ(2*7) = (2-1) * (7-1) = 6
Euler’s Theorem
  • if a and n are relatively prime, then a^φ(n) = 1 mod n
  • if a and n are relatively prime, then a^(φ(n)+1) = a mod n
  • Examples (with a = 3, n = 8)
    • Note that φ(8) = 4
    • Then, 3^4 = 1 mod 8
    • Also, 3^5 = 3 mod 8

confirm these by computing 3^4 and 3^5

Testing for Primes
  • Public-key encryption requires finding very large prime numbers
  • There is no efficient way to do this
  • Simplest algorithm:
    • for i = 2 up to square root of n
      • if n mod i is 0 then n is not prime, so exit loop
    • if you don’t find an i for which n mod i = 0, then n is prime
Testing for Primes – Miller & Rabin Algorithm
  • Can say simply that a number is not prime
    • can’t say for sure whether a number is prime
  • However, if you repeat the algorithm t times, Probability(n is prime) > 1 – (1/4)^t
  • Thus, if you repeat the test 10 times, the probability the number is prime > 99.9999%
Distribution of Primes
  • Primes near n are spaced on the average one every 0.5*ln(n) integers
  • Thus, one has to test, on average, this many integers
  • For example, if a prime near 2^200 is desired, need to test 0.5 * ln(2^200) = 69 numbers (on average)
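
The Miller & Rabin test and the prime search described on the last two slides, as an added example that is not part of the original slides. The function names, the small-prime pre-check and the default of 10 rounds are this example's choices; the search counts how many odd candidates it tests before one passes.

```python
import random


def is_probable_prime(n, rounds=10, rng=None):
    """Miller-Rabin. False: n is definitely composite. True: n is probably
    prime, with error probability below (1/4)^rounds."""
    rng = rng or random.Random()
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):        # cheap trial division first
        if n % small == 0:
            return n == small
    # Write n - 1 = 2^k * m with m odd.
    k, m = 0, n - 1
    while m % 2 == 0:
        k, m = k + 1, m // 2
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)            # random base for this round
        x = pow(a, m, n)
        if x in (1, n - 1):
            continue                           # inconclusive for this base
        for _ in range(k - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break                          # inconclusive for this base
        else:
            return False                       # a proves n is composite
    return True


def next_probable_prime(start, rounds=10, rng=None):
    """Test odd candidates from start upward.
    Returns (probable_prime, candidates_tested)."""
    candidate, tested = start | 1, 0
    while True:
        tested += 1
        if is_probable_prime(candidate, rounds, rng):
            return candidate, tested
        candidate += 2


if __name__ == "__main__":
    prime, tested = next_probable_prime(2**200)
    print(f"found a {prime.bit_length()}-bit probable prime "
          f"after testing {tested} odd candidates")
```

The candidate count for a single search varies widely; the 69 on the slide is an average over many starting points.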
Review: The RSA Algorithm

We’ve discussed how to speed up all of this.

Now we’ll talk about Key Exchange
  • First, how do you exchange symmetric keys using PKE technology?
    • This is the recommended application of PKE
    • Will present the most popular technique – Diffie-Hellman
  • Then, how do you exchange public keys?
    • Necessary for PKE to happen
Symmetric Key Exchange
  • Last week, we saw a few different ways to exchange keys ...
    • Physical delivery
      • Directly from A to B
      • Third-party C distributes to A and B
    • Use of previous key
    • Key Distribution Center
    • Decentralized
Centralized Key Distribution

This is called the Needham-Schroeder Protocol

Limitation of KDC
  • “What good would it do after all to develop impenetrable cryptosystems if their users were forced to share their keys with a KDC that could be compromised by either burglary or subpoena?” – Whitfield Diffie, co-creator of public-key encryption
Decentralized Key Distribution
  • Each node must maintain (M-1) master keys
  • Messages sent with master keys are short
    • Unlikely to be compromised because there’s not a lot to glob on to.
Limitation of Decentralized Approach
  • With M different participants, there are M(M-1)/2 different master keys to distribute
    • Doesn’t scale well
So, we seek an alternative
  • One that doesn’t necessarily require trust in a third party
  • One that doesn’t require such a large up-front key distribution
Will look at 3 approaches to distributing symmetric keys w/ PKE
  • Simple Key Distribution
  • Simple Key Distribution with Confidentiality and Authentication
  • Diffie-Hellman

Symmetric Key Distribution Using PKE

Simple Key Distribution
  • Alice contacts Bob with her ID and public key
  • Bob generates a symmetric key and returns it to Alice (encrypted with her public key)
    • so that only she can read it with her private key
  • Susceptible to Man-in-the-middle attack
Man-in-the-Middle Attack
  • Alice generates {PU_A, PR_A} and transmits message intended for Bob consisting of PU_A and ID_A
  • Creep intercepts message, creates own public/private key pair {PU_C, PR_C}, and transmits PU_C & ID_A to Bob
  • Bob generates secret key K_S and transmits E(PU_C, K_S)
  • Creep intercepts message, learns K_S through D(PR_C, E(PU_C, K_S))
  • Creep transmits E(PU_A, K_S) to Alice so that Alice doesn’t think anything is wrong

So, everybody – Alice, Bob, and Creep – knows K_S – bad news!

Diffie-Hellman
  • An algorithmic approach to exchanging a secret key.
  • This is the most popular way
    • involves less overhead

First need to understand …

Primitive Root
  • Let p be a prime. Then b is a primitive root for p if the powers of b (1, b, b^2, b^3, ...) include all of the residue classes mod p
  • i.e. first p-1 powers of b have to be different mod p.
  • Example: If p is 7, then 3 is a primitive root of p.
    • because the powers of 3 mod 7 are 1, 3, 2, 6, 4, 5
    • 2 is not: 1, 2, 4, 1, 2, 4, 1, 2, 4
  • Useful in Diffie-Hellman …

Diffie-Hellman

Diffie-Hellman Key Exchange

Pre-select large prime q and a primitive root of q called a.

Then ...

Example: Diffie-Hellman
  • q = 11, a = 7
  • A selects X_A = 9, calculates Y_A = 7^9 mod 11 = 8
  • B selects X_B = 5, calculates Y_B = 7^5 mod 11 = 10
  • A calculates K_S = Y_B^X_A mod q = 10
  • B calculates K_S = Y_A^X_B mod q = 10

So, they have the same shared key!
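
The primitive-root condition and the exchange above, as an added example that is not part of the original slides. It checks a candidate root without listing every power (only the exponents (q-1)/f for each prime factor f of q-1 are needed) and then runs both sides of the exchange with the slide's values. All function names are this example's own.

```python
def prime_factors(n):
    """Distinct prime factors by trial division (fine for small moduli)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def powers(a, q):
    """a^0, a^1, ..., a^(q-2) mod q, the list shown on the primitive-root slide."""
    return [pow(a, i, q) for i in range(q - 1)]


def is_primitive_root(a, q):
    """True if the powers of a reach every non-zero residue mod prime q.
    The order of a divides q-1, so it is enough to rule out each (q-1)/f."""
    if a % q == 0:
        return False
    return all(pow(a, (q - 1) // f, q) != 1 for f in prime_factors(q - 1))


def dh_public(a, x, q):
    """Y = a^X mod q for a private value 1 <= X < q."""
    if not 1 <= x < q:
        raise ValueError("private value must satisfy 1 <= X < q")
    return pow(a, x, q)


def dh_shared(peer_public, x, q):
    """K = Y_peer^X mod q; rejects a peer value outside 1..q-1."""
    if not 1 <= peer_public < q:
        raise ValueError("peer public value out of range")
    return pow(peer_public, x, q)


def exchange(q, a, x_a, x_b):
    """Runs both sides. Returns (Y_A, Y_B, K computed by A, K computed by B)."""
    if not is_primitive_root(a, q):
        raise ValueError(f"{a} is not a primitive root of {q}")
    y_a, y_b = dh_public(a, x_a, q), dh_public(a, x_b, q)
    return y_a, y_b, dh_shared(y_b, x_a, q), dh_shared(y_a, x_b, q)


if __name__ == "__main__":
    print(powers(3, 7), is_primitive_root(3, 7))
    print(powers(2, 7), is_primitive_root(2, 7))
    print(exchange(q=11, a=7, x_a=9, x_b=5))
```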

So that’s how you do symmetric key exchange with PKE
  • How do you exchange the public keys themselves?
  • Several ways:
    • Public Announcement
    • Public Directory
    • Public Key Authority
    • Public Key Certificates

Distribution of public keys

Public Announcement
  • Simple sharing of keys
  • Useful for small communities
  • Major weakness:
    • Bad guy can distribute false public key for Alice
Public Key Directory
  • Maintenance and distribution of the public directory is responsibility of some trusted authority
  • Authority maintains a directory with {name, public key} for each user
  • Each user registers public key with authority (in person or in some other secure way)
  • User may replace public key any time
  • Users can access directory electronically
    • Secure, authenticated channel to/from directory necessary
Public Key Authority: Problems
  • Seven messages are required!
    • The PK authority may become bottleneck
    • However, the first 5 can be spared if Alice and Bob cache (i.e. store locally) each other’s public keys
      • periodically refresh to ensure they are current
  • If the authority is compromised, then all the held public keys are compromised
Method 4: Public-Key Certificate
  • Attempts to offload some of the responsibility of the central authority
  • A certificate identifies
    • a user
    • his or her public key
    • a time stamp
  • The certificate authority signs it and gives it back to user:

C_A = PR_auth[ID_A, PU_A, T]

X.509 Certificates
  • Certificates have a standard format, defined by X.509.
  • Will investigate this format next week
Where are we?
  • We’ve spent most of the term talking about confidentiality
  • But what about
    • integrity?
    • authentication?
    • non-repudiation?
Tools for these other purposes
  • MACs
  • Hashes
  • Digital Signatures
Authentication & Integrity Mechanisms
  • Symmetric Key:
    • Frame check sequence
    • Message Authentication Code
  • Public-Key
    • Message Digest provided by a hash
Symmetric Key Authentication
  • if symmetric encryption is used then:
    • the very fact that the key is shared provides some authentication
  • But how do you recognize what is a valid message?
    • Requires that the message have a verifiable structure
Provide such a structure by using
  • A Frame Check Sequence

F is some function that you pass the message through.

Another option: use a MAC

Authentication only

Authentication & Confidentiality

Properties of a MAC
  • a MAC is a cryptographic checksum

MAC = C(K,M)

    • condenses a variable-length message M
    • using a secret key K
    • to a fixed-sized authenticator
  • is a many-to-one function
    • potentially many messages have same MAC (i.e. they are summarized down to the same value)
    • but finding the message from the MAC needs to be very difficult
MACs are actually harder to break than encryption
  • The many-to-one nature makes it very difficult to recover the original message
  • Example:
    • Suppose 100-bit message, 10-bit MAC
    • There are then 2^100 different messages, but only 2^10 different MACs to which they map
    • Thus, for any MAC, there are 2^100/2^10 = 2^90 different messages that compile down to it
      • How in the world are you to know which message it actually was that led to that MAC?
An Example of a MAC: Data Authentication Algorithm

MAC is too small to prevent birthday attack!

MAC pros and cons
  • Pro:
    • The code is much smaller than the message
    • The two-key approach gives us a way to authenticate separate from encrypting
  • Cons:
    • This is not a signature
      • The two parties share the key, so either could have sent it
    • Requires the sharing of secret keys
Examples of “MAC is not a signature”

Suppose John sends an authenticated message to Mary

  • Mary may forge a different message and claim it came from John
  • John may deny sending the message, stating that Mary must have forged it
Addressing MAC’s Cons
  • Logical choice:
    • investigate use of public-key encryption
PKE provides both authentication & confidentiality
  • Z = E(PUb, E(PRa,X))
  • X = D(PUa, D(PRb, Z))
Drawback
  • Again, the math:
    • Z = E(PUb, E(PRa,X))
    • X = D(PUa, D(PRb, Z))
  • Pretty darn slow
    • 4 public-key operations in all
Alternative: Hash Function
  • Used for a similar purpose to a MAC
  • Just like a MAC
    • takes in variable-size message
    • produces fixed-size output
  • Unlike a MAC
    • does not use a key
So what if it doesn’t use a key?
  • Useful in situations where you can’t share a key conveniently
  • Good for digital signatures
Overview of a hash:
  • condenses arbitrary message to fixed size

h = H(M)

  • output of hash is called a digest
  • the hash function is public
  • the hash function is one way
  • hash sensitive to changes in message
Requirements for Hash Functions
  • can be applied to any sized message M
  • produces fixed-length output h
  • is easy to compute h=H(M) for any message M
  • given h, it is infeasible to find the original message (one-way property)
  • given x, it is infeasible to find y such that H(y)=H(x) (weak collision resistance)
  • it is infeasible to find any x,y such that H(y)=H(x) (strong collision resistance)
Elements common to all hash functions
  • input (message, file, etc.) viewed as a sequence of n-bit blocks
  • blocks are processed one at a time
  • Compression function reduces the blocks
  • end result is an n-bit hash value
Illustration of these elements

f is the compression function (where the “magic” happens)

Simple Hash Proposals
  • xor all m blocks together
    • C_i = b_i1 xor b_i2 xor ... xor b_im
  • another option
    • initially set n-bit hash value to 0.
    • process each successive n-bit block as follows:
      • rotate the current hash to the left by one bit
      • xor the data block with the hash value
  • both of these are weak
    • because it is possible to determine how to craft a new message that gives the same hash code
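
Why both proposals fail the collision requirements, as an added example that is not part of the original slides: each hash is linear in its last block, so one appended block chosen by simple arithmetic makes any altered message hash to the same value as the original. The 16-bit block size, the function names and the two sample messages are constructed for this illustration.

```python
BLOCK_BITS = 16                       # assumed block size n for this example
MASK = (1 << BLOCK_BITS) - 1


def blocks(message: bytes):
    """Split into 16-bit blocks, zero-padding the final block if needed."""
    if len(message) % 2:
        message += b"\x00"
    return [int.from_bytes(message[i:i + 2], "big")
            for i in range(0, len(message), 2)]


def xor_hash(message: bytes) -> int:
    """First proposal: xor all blocks together."""
    h = 0
    for b in blocks(message):
        h ^= b
    return h


def rotl1(h: int) -> int:
    """Rotate a 16-bit value left by one bit."""
    return ((h << 1) | (h >> (BLOCK_BITS - 1))) & MASK


def rotate_xor_hash(message: bytes) -> int:
    """Second proposal: rotate the running hash left one bit, then xor the block."""
    h = 0
    for b in blocks(message):
        h = rotl1(h) ^ b
    return h


def pad_to_digest(message: bytes, target: int, scheme) -> bytes:
    """Append one block so that `message` hashes to `target` under `scheme`."""
    if len(message) % 2:
        message += b"\x00"            # align so the extra block is a whole block
    if scheme is xor_hash:
        fix = xor_hash(message) ^ target
    else:
        fix = rotl1(rotate_xor_hash(message)) ^ target
    return message + fix.to_bytes(2, "big")


if __name__ == "__main__":
    original = b"PAY ALICE 100 USD"   # constructed sample messages
    altered = b"PAY CREEP 900 USD"
    for scheme in (xor_hash, rotate_xor_hash):
        forged = pad_to_digest(altered, scheme(original), scheme)
        print(scheme.__name__, hex(scheme(original)), hex(scheme(forged)), forged)
```

A hash that meets the requirements listed earlier gives no such shortcut: there is no closed-form "correcting block", which is what weak and strong collision resistance demand.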
Could also use a block cipher as a hash
  • can use block ciphers as hash functions
    • Divide message into M fixed-size blocks
      • pad final block with 0’s if necessary
    • Set initial hash H_0 to 0
    • compute: H_i = E[M_i, H_(i-1)] repeatedly
    • and use final block as the hash value
  • With DES, though, hash will be too small
    • because of birthday attack
Summary
  • How public key encryption works
  • Mathematics behind PKE
  • Exchanging public keys
  • Authentication using MACs and Hashes