## Week 7: Public-Key Cryptography

Uploaded by wyman

Presentation Transcript

Topics

- Public Key Encryption (PKE)
- PKE Math
- Symmetric Key Exchange Using PKE
- Distributing Public Keys
- Authentication Technologies
- MACs
- Hashes
- Digital Signatures

Public Key Encryption

- Uses one key for encryption, and another for decryption
- Applications
- Encryption of short messages
- like keys
- Authentication
- through digital signatures

PKE is not ...

- Suitable for encrypting long messages
- Necessarily more secure than symmetric
- Necessarily more efficient in distributing keys than symmetric

So don’t fall prey to these myths.

RSA

- The most popular PKE system
- Developed by Rivest, Shamir, and Adelman in 1977
- Is a block cipher
- Plaintext and ciphertext are treated as numbers between 0 and 2^numbits − 1
- numbits typically ≥ 1024

RSA Encryption and Decryption

- Encryption has the form C = M^e mod n
- Decryption has the form M = C^d mod n
- n is the product of two primes, p and q

RSA: What the two sides know

- Visibility for confidentiality:
- sender knows e and n
- receiver knows d and n (as the product of p and q)
- In other words, these are the keys:
- public key = {e, n}
- private key = {d, p, q}

Example: RSA by hand

- Select primes: p = 17 and q = 11
- Compute n = pq = 17 × 11 = 187
- Compute φ(n) = (p − 1)(q − 1) = 16 × 10 = 160
- Select e with gcd(e, 160) = 1; choose e = 7
- Determine d = e^−1 mod 160 with d < 160. The value is d = 23, since 23 × 7 = 161 ≡ 1 mod 160 (could also use http://cs.lewisu.edu/~klumpra/msis525/multinv.php)
- Publish public key PU = {7, 187}
- Keep secret private key PR = {23, 17, 11}

KEY GENERATION

Example: RSA by hand

- given message M = 88 (note: 88<187)
- encryption:

C = 88^7 mod 187 = 11

- decryption:

M = 11^23 mod 187 = 88

How hard is it to break RSA?

- The big concern –
- attacker knows the public key e & n
- can an attacker determine the private key d?
- if he can, then he can determine M = C^d mod n

How hard is it to determine d?

- To determine d, the attacker
- needs to factor n into p and q
- no small task: n is a 309-digit number
- so that he can determine φ(n) = (p − 1)(q − 1)
- so that he can determine d = e^−1 mod φ(n)

Timing Attacks

- Alternative to brute force
- Exploit timing variations in operations
- e.g. multiplying by a small vs. a large number
- Infer operand size based on time taken
- RSA involves raising numbers to large powers
- Can estimate size of exponent by how long it takes
- Countermeasures
- use constant exponentiation time
- add random delays

RSA Secure but ...

- It’s slow
- So, use it for exchanging short messages
- like keys

Issues

- How can we speed up the arithmetic?
- How do you find two large primes?
- What the heck is f(n)?

Speeding up the math through knowledge of modular arithmetic

Basic operations mod n

- (a + b) mod n = (a mod n + b mod n) mod n
- (a × b) mod n = (a mod n × b mod n) mod n
- y = −x mod n if and only if (y + x) mod n = 0
- y = x^−1 mod n if and only if (y × x) mod n = 1

Examples

- What is (8+4) mod 5?
- What is (8*4) mod 5?
- What is the additive inverse of 2 mod 5?
- What is the multiplicative inverse of 2 mod 5?

How do you compute big powers?

- 11^23 mod 187 = ???

Example: Computing 11^23 mod 187

- 11^23 mod 187 = [(11^1 mod 187) × (11^2 mod 187) × (11^4 mod 187) × (11^8 mod 187) × (11^8 mod 187)] mod 187, since 1 + 2 + 4 + 8 + 8 = 23
- 11^1 mod 187 = 11
- 11^2 mod 187 = 121
- 11^4 mod 187 = (121 × 121) mod 187 = 55
- 11^8 mod 187 = (55 × 55) mod 187 = 33
- 11^23 mod 187 = (11 × 121 × 55 × 33 × 33) mod 187 = 88
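The repeated-squaring idea above, as an added Python example (not code from the slides), written two ways. `square_and_multiply` records the same chain of squares the slide lists (11, 121, 55, 33, ...) and counts how many multiplications it does, which depends on which bits of the exponent are set; that data-dependent work is the leak the Timing Attacks slide describes. `montgomery_ladder` computes the same result with exactly two multiplications per exponent bit whatever the exponent is, which is what "use constant exponentiation time" means in practice. Function names are mine.

```python
# Added example (not from the slides): two ways to compute b^e mod n.

def square_and_multiply(base, exp, mod):
    """Right-to-left binary exponentiation.
    Returns (result, squares, mults) where squares are base^(2^i) mod n
    for each bit position and mults counts the data-dependent multiplies."""
    result = 1
    squares = []
    mults = 0
    b = base % mod
    while exp > 0:
        squares.append(b)
        if exp & 1:                  # only for set bits: work depends on the exponent
            result = (result * b) % mod
            mults += 1
        b = (b * b) % mod            # next square
        exp >>= 1
    return result, squares, mults

def montgomery_ladder(base, exp, mod):
    """Exponentiation doing the same two multiplications for every bit,
    set or not (invariant: r1 == r0 * base). Returns (result, mults)."""
    r0, r1 = 1, base % mod
    mults = 0
    for bit in bin(exp)[2:]:         # most significant bit first
        if bit == "1":
            r0, r1 = (r0 * r1) % mod, (r1 * r1) % mod
        else:
            r1, r0 = (r0 * r1) % mod, (r0 * r0) % mod
        mults += 2
    return r0, mults

if __name__ == "__main__":
    print(square_and_multiply(11, 23, 187))   # (88, [11, 121, 55, 33, 154], 4)
    print(montgomery_ladder(11, 23, 187))     # (88, 10)
    # exponents 16 (10000b) and 31 (11111b): 1 vs 5 multiplies for the naive
    # method, 10 and 10 for the ladder
    print(square_and_multiply(2, 16, 1000)[2], square_and_multiply(2, 31, 1000)[2])
    print(montgomery_ladder(2, 16, 1000)[1], montgomery_ladder(2, 31, 1000)[1])
```

The fifth square, 154, is 11^16 mod 187; the slide instead reuses 11^8 twice, which gives the same product since 8 + 8 = 16. A fixed operation count is only part of a real constant-time implementation (memory access patterns and big-integer arithmetic also matter), but the contrast between the two counters shows why the naive method leaks the exponent.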

Chinese Remainder Theorem

- Makes it possible to reconstruct integers in a certain range from their remainders when divided by a pair of relatively prime numbers.
- provided we know the factors, a very large number can be manipulated using smaller numbers
- this will help the recipient compute M = Cd mod n, since n = p * q, and the recipient knows p and q

Example: CRT

- Using residues 2 and 5, compute 7 + 8 mod 10.
- 7 mod 2 = 1, 7 mod 5 = 2, so 7 is (1,2)
- 8 mod 2 = 0, 8 mod 5 = 3, so 8 is (0,3)
- (1,2) + (0,3) = (1,5)
- So, we seek a number x < 10 such that x mod 2 = 1 mod 2 (i.e. 1) and x mod 5 = 5 mod 5 (i.e. 0)
- That number is 5.
- Sure enough, (7 + 8) mod 10 = 15 mod 10 = 5

Another example: CRT

- Using residues 2 and 5, compute 7 * 8 mod 10
- 7 mod 2 = 1, 7 mod 5 = 2, so 7 is (1,2)
- 8 mod 2 = 0, 8 mod 5 = 3, so 8 is (0,3)
- (1,2) * (0,3) = (0,6)
- So, we seek a number x < 10 with x mod 2 = 0 mod 2 and x mod 5 = 6 mod 5 = 1.
- That number is 6
- Sure enough (7*8) mod 10 = 56 mod 10 = 6

Application of CRT to Encryption

- RSA involves calculations modulo n, a product of primes p and q
- n is huge ( >= 1024 bits long)
- Because of CRT, calculations can be done on p and q instead
- p and q are much smaller
- thus, calculations are easier
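The two CRT examples above and the RSA speed-up they motivate, as an added Python example (not from the slides). Numbers are the slides' own (residues mod 2 and 5; p = 17, q = 11, d = 23, C = 11); the function names are mine, and the inverse uses Python's built-in `pow(a, -1, m)` (3.8+).

```python
# Added example (not from the slides): arithmetic on residues and CRT decryption.

def to_residues(x, moduli):
    """Represent x by its remainders, e.g. 7 -> (1, 2) for moduli (2, 5)."""
    return tuple(x % m for m in moduli)

def crt_reconstruct(residues, moduli):
    """Recover the unique x in [0, N) with x = r_i mod m_i, where N is the
    product of the pairwise relatively prime moduli."""
    N = 1
    for m in moduli:
        N *= m
    x = 0
    for r, m in zip(residues, moduli):
        Ni = N // m
        x += r * Ni * pow(Ni, -1, m)   # pow(Ni, -1, m): inverse of Ni mod m
    return x % N

def crt_add(a, b, moduli):
    """Add component-wise on residues, then reconstruct (the slide's 7 + 8 mod 10)."""
    ra, rb = to_residues(a, moduli), to_residues(b, moduli)
    sums = tuple((x + y) % m for x, y, m in zip(ra, rb, moduli))
    return crt_reconstruct(sums, moduli)

def crt_mul(a, b, moduli):
    """Multiply component-wise on residues, then reconstruct (the slide's 7 * 8 mod 10)."""
    ra, rb = to_residues(a, moduli), to_residues(b, moduli)
    prods = tuple((x * y) % m for x, y, m in zip(ra, rb, moduli))
    return crt_reconstruct(prods, moduli)

def rsa_decrypt_crt(c, d, p, q):
    """Recipient-side speed-up: two exponentiations modulo the small primes
    instead of one modulo n = p*q. Fermat's theorem allows the exponent to be
    reduced mod p-1 and mod q-1 first, so the exponents shrink as well."""
    dp, dq = d % (p - 1), d % (q - 1)
    mp = pow(c % p, dp, p)
    mq = pow(c % q, dq, q)
    return crt_reconstruct((mp, mq), (p, q))

if __name__ == "__main__":
    print(to_residues(7, (2, 5)), to_residues(8, (2, 5)))   # (1, 2) (0, 3)
    print(crt_add(7, 8, (2, 5)), crt_mul(7, 8, (2, 5)))     # 5 6
    print(rsa_decrypt_crt(11, 23, 17, 11))                  # 88
```

In the RSA case the recipient holds p and q, so it can precompute d mod (p − 1), d mod (q − 1) and the inverse used in `crt_reconstruct` once per key; an attacker who knows only n cannot take this shortcut.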

Determining the multiplicative inverse

- For large numbers, it can be difficult to determine the multiplicative inverse
- but we have to: d = e^−1 mod φ(n)
- You can use this tool instead: http://cs.lewisu.edu/~klumpra/msis525/multinv.php

This will find the inverse of 5 mod 7

Just in case you’re interested.

Here's the source code:

```php
<html>
<head>
<title>Find the multiplicative inverse in GF(p^n)</title>
</head>
<body>
<?php
// Extended Euclidean algorithm carried as two rows (a1,a2,a3) and (b1,b2,b3).
// a3 and b3 are the values being reduced (initially the modulus and the number);
// b2 accumulates the coefficient of the number, which is its inverse once b3 == 1.
function xGCD($a1,$a2,$a3,$b1,$b2,$b3) {
    $q = 0;
    $t1 = $t2 = $t3 = 0;
    if ($b3 == 0) {
        return 0;        // gcd is not 1: no inverse exists
    }
    if ($b3 == 1) {
        return $b2;      // b2 * num == 1 (mod base)
    }
    $q = (int)($a3/$b3);
    $t1 = $a1-$q*$b1;
    $t2 = $a2-$q*$b2;
    $t3 = $a3-$q*$b3;
    return xGCD($b1,$b2,$b3,$t1,$t2,$t3);
}

$vars = $_REQUEST;
if (count($vars) > 0) {
    // cast the form fields to integers rather than using the raw request strings
    $p = (int)$vars["base"];
    $n = (int)$vars["exp"];
    $num = (int)$vars["num"];
    // the modulus p^n; this is integer arithmetic mod p^n, not GF(p^n) field arithmetic
    $base = (int)pow($p,$n);
    if ($base < 2) {
        print "Base must be at least 2<br>";
    } else {
        $answer = xGCD(1,0,$base,0,1,$num%$base);
        while ($answer < 0) {   // bring a negative coefficient into 0 .. base-1
            $answer += $base;
        }
        if ($answer == 0) {
            print "No inverse: $num and $base are not relatively prime<br>";
        } else {
            print "Answer = $answer<br>";
        }
    }
}
?>
<form method="get">
Enter base p: <input type="text" name="base"><br>
Enter exponent n: <input type="text" name="exp"><br>
Enter number for which you want the inverse: <input type="text" name="num"><br>
<input type="submit" value="OK">
<input type="reset" value="Clear">
</form>
</body>
</html>
```

Prime numbers

- First step in RSA: choose p and q prime
- A prime number p is a positive integer having no divisors other than 1 and p
- There are an infinite number of primes

Theorems regarding primes

- If p is a prime number and a is a positive integer not divisible by p, then a^(p−1) mod p = 1
- If p is a prime number and a is a positive integer, then a^p mod p = a mod p

Examples

- What is 4^4 mod 5?
- Here, a = 4 and p = 5
- By the first theorem, a^(p−1) mod p = 1. So, we know 4^(5−1) mod 5 = 1

Examples

- What is 4^5 mod 5?
- Second theorem: a^p mod p = a mod p.
- So, the answer should be 4 mod 5, or 4.
- Indeed: 4^5 = 1024, and 1024 mod 5 = 4

Euler’s Totient Function

- φ(n) = # of positive integers between 1 and n that are relatively prime with n
- Examples

What does “relatively prime” mean?

- Two numbers are relatively prime if they have no factors in common
- For example, 3 and 8 are relatively prime
- Also, 4 and 15 are relatively prime

Euler’s Totient Function (continued)

- Theorem: φ(p × q) = φ(p) × φ(q)
- Also, if p is prime, then φ(p) = p − 1
- So, if p and q are primes and p doesn't equal q, then φ(p × q) = (p − 1) × (q − 1)

Example: Properties of the Totient

- Again: If p and q are primes, then φ(p × q) = (p − 1) × (q − 1)
- φ(6) = φ(2 × 3) = (2 − 1) × (3 − 1) = 2
- φ(14) = φ(2 × 7) = (2 − 1) × (7 − 1) = 6

Euler’s Theorem

- if a and n are relatively prime, then a^φ(n) ≡ 1 mod n
- if a and n are relatively prime, then a^(φ(n)+1) ≡ a mod n
- Examples (with a = 3, n = 8)
- Note that φ(8) = 4
- Then, 3^4 ≡ 1 mod 8
- Also, 3^5 ≡ 3 mod 8

Confirm these by computing 3^4 and 3^5.
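An added Python example (not from the slides) that checks the theorems of the last few slides by brute force: the totient computed straight from its definition and compared with (p − 1)(q − 1), Fermat's and Euler's theorems verified for every eligible a, and finally the property RSA relies on, that m^(ed) ≡ m (mod n) when ed ≡ 1 (mod φ(n)). Function names are mine; the numbers are the slides'.

```python
from math import gcd

# Added example (not from the slides): the totient and the theorems, checked exhaustively.

def phi_by_counting(n):
    """Euler's totient from its definition: how many of 1..n are relatively prime to n."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)

def phi_from_factors(p, q):
    """The slide's shortcut for n = p*q with p and q distinct primes."""
    return (p - 1) * (q - 1)

def fermat_holds(p):
    """First theorem: a^(p-1) mod p = 1 for every a in 1..p-1 (p prime)."""
    return all(pow(a, p - 1, p) == 1 for a in range(1, p))

def euler_holds(n):
    """Euler's theorem: a^phi(n) mod n = 1 for every a relatively prime to n."""
    ph = phi_by_counting(n)
    return all(pow(a, ph, n) == 1 for a in range(1, n) if gcd(a, n) == 1)

def euler_plus_one_holds(n):
    """Second form: a^(phi(n)+1) mod n = a mod n for every a relatively prime to n."""
    ph = phi_by_counting(n)
    return all(pow(a, ph + 1, n) == a % n for a in range(1, n) if gcd(a, n) == 1)

def rsa_exponent_roundtrip(p, q, e, d):
    """Why decryption undoes encryption: e*d = 1 + k*phi(n), so
    m^(ed) = m * (m^phi(n))^k = m (mod n). For n = p*q with distinct primes
    this holds for every m below n, even those sharing a factor with n."""
    n, ph = p * q, phi_from_factors(p, q)
    if (e * d) % ph != 1:
        return False
    return all(pow(m, e * d, n) == m for m in range(n))

if __name__ == "__main__":
    print(phi_by_counting(6), phi_by_counting(14), phi_by_counting(8))  # 2 6 4
    print(pow(4, 4, 5), pow(4, 5, 5))                                   # 1 4
    print(pow(3, 4, 8), pow(3, 5, 8))                                   # 1 3
    print(rsa_exponent_roundtrip(17, 11, 7, 23))                        # True
```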

Testing for Primes

- Public-key encryption requires finding very large prime numbers
- There is no efficient way to do this
- Simplest algorithm:
- for i = 2 up to the square root of n: if n mod i is 0, then n is not prime, so exit the loop
- if you don't find an i for which n mod i = 0, then n is prime

Testing for Primes – Miller & Rabin Algorithm

- Can say simply that a number is not prime
- can’t say for sure whether a number is prime
- However, if you repeat the algorithm t times, Probability(n is prime) > 1 − (1/4)^t
- Thus, if you repeat the test 10 times, the probability the number is prime > 99.9999%

Distribution of Primes

- Primes near n are spaced on the average one every 0.5 × ln(n) integers
- Thus, one has to test, on average, this many integers
- For example, if a prime near 2^200 is desired, need to test 0.5 × ln(2^200) ≈ 69 numbers (on average)
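The three prime-finding slides above, as an added Python example (not from the slides): the trial-division test, a Miller-Rabin test that repeats t rounds and can only ever be wrong by calling a composite "prime", and a search that draws random odd candidates of a given size and counts how many it had to test, for comparison with the slide's 0.5 × ln(n) estimate. Function names are mine.

```python
import math
import random

# Added example (not from the slides): primality testing and prime search.

def is_prime_trial(n):
    """The slide's simplest test: try every i from 2 up to the square root of n."""
    if n < 2:
        return False
    for i in range(2, math.isqrt(n) + 1):
        if n % i == 0:
            return False
    return True

def is_probable_prime(n, t=10, rng=None):
    """Miller-Rabin with t rounds. False is certain (n is composite);
    True means prime with probability at least 1 - (1/4)^t."""
    rng = rng or random
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):       # cheap trial division first
        if n % sp == 0:
            return n == sp
    r, s = n - 1, 0                      # write n - 1 = 2^s * r with r odd
    while r % 2 == 0:
        r //= 2
        s += 1
    for _ in range(t):
        a = rng.randrange(2, n - 1)
        x = pow(a, r, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                 # a is a witness: n is composite
    return True

def expected_tests(bits):
    """The slide's estimate: about 0.5 * ln(n) odd candidates near n = 2^bits."""
    return 0.5 * math.log(2 ** bits)

def find_prime_near(bits, seed=None):
    """Draw random odd candidates with the top bit set until one passes
    Miller-Rabin. Returns (prime, candidates_tested)."""
    rng = random.Random(seed)            # seed only for reproducible demos
    tested = 0
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        tested += 1
        if is_probable_prime(cand, rng=rng):
            return cand, tested

if __name__ == "__main__":
    print(is_prime_trial(187), is_probable_prime(187))   # False False
    print(round(expected_tests(200)))                     # 69
    p, k = find_prime_near(200, seed=1)
    print(p.bit_length(), k)                              # 200 and the count of candidates tried
```

`seed` exists so the demo is repeatable; for real key generation leave it unset and use a cryptographically secure source (`secrets`/`os.urandom`) rather than `random`.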

Review: The RSA Algorithm

We’ve discussed how to speed up all of this.

Now we’ll talk about Key Exchange

- First, how do you exchange symmetric keys using PKE technology?
- This is the recommended application of PKE
- Will present the most popular technique: Diffie-Hellman
- Then, how do you exchange public keys?
- Necessary for PKE to happen

Symmetric Key Exchange

- Last week, we saw a few different ways to exchange keys ...
- Physical delivery
- Directly from A to B
- Third-party C distributes to A and B
- Use of previous key
- Key Distribution Center
- Decentralized

Centralized Key Distribution

This is called the Needham-Schroeder protocol.

Limitation of KDC

- “What good would it do after all to develop impenetrable cryptosystems if their users were forced to share their keys with a KDC that could be compromised by either burglary or subpoena?” – Whitfield Diffie, co-creator of public-key encryption

Decentralized Key Distribution

- Each node must maintain (M-1) master keys
- Messages sent with master keys are short
- Unlikely to be compromised because there's not a lot to glom onto.

Limitation of Decentralized Approach

- With M different participants, there are M(M-1)/2 different master keys to distribute
- Doesn’t scale well

So, we seek an alternative

- One that doesn’t necessarily require trust in a third party
- One that doesn’t require such a large up-front key distribution

Will look at 3 approaches to distributing symmetric keys w/ PKE

- Simple Key Distribution
- Simple Key Distribution with Confidentiality and Authentication
- Diffie-Hellman

Symmetric Key Distribution Using PKE

Simple Key Distribution

- Alice contacts Bob with her ID and public key
- Bob generates a symmetric key and returns it to Alice (encrypted with her public key)
- so that only she can read it with her private key
- Susceptible to Man-in-the-middle attack

Man-in-the-Middle Attack

- Alice generates {PU_A, PR_A} and transmits a message intended for Bob consisting of PU_A and ID_A
- Creep intercepts the message, creates his own public/private key pair {PU_C, PR_C}, and transmits PU_C and ID_A to Bob
- Bob generates secret key K_S and transmits E(PU_C, K_S)
- Creep intercepts the message and learns K_S through D(PR_C, E(PU_C, K_S))
- Creep transmits E(PU_A, K_S) to Alice so that Alice doesn't think anything is wrong

So everybody – Alice, Bob, and Creep – knows K_S. Bad news!

Symmetric Key Distribution Using PKE

Secret Key Distribution with Confidentiality and Authentication: lots of overhead!

Diffie-Hellman

- An algorithmic approach to exchanging a secret key.
- This is the most popular way
- involves less overhead

Primitive Root

- Let p be a prime. Then b is a primitive root for p if the powers of b, 1, b, b^2, b^3, ... include all of the residue classes mod p
- i.e. the first p − 1 powers of b have to be different mod p.
- Example: If p is 7, then 3 is a primitive root of p.
- because the powers of 3 mod 7 are 1, 3, 2, 6, 4, 5
- 2 is not: 1, 2, 4, 1, 2, 4, 1, 2, 4
- Useful in Diffie-Hellman …

Example: Diffie-Hellman

- q = 11, a = 7
- A selects X_A = 9 and calculates Y_A = 7^9 mod 11 = 8
- B selects X_B = 5 and calculates Y_B = 7^5 mod 11 = 10
- A calculates K_S = Y_B^X_A mod q = 10
- B calculates K_S = Y_A^X_B mod q = 10

So, they have the same shared key!
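The primitive-root check and the Diffie-Hellman exchange above, as an added Python example (not from the slides): it lists the powers the slide writes out for 3 and 2 mod 7, finds every primitive root of 7 and 11, runs both sides of the exchange with q = 11, a = 7, X_A = 9, X_B = 5, and shows why the generator has to be a primitive root by counting how many distinct keys a given a can produce. Function names are mine.

```python
# Added example (not from the slides): primitive roots and both sides of Diffie-Hellman.

def is_primitive_root(b, p):
    """b is a primitive root of the prime p if b^1 .. b^(p-1) mod p are all
    different, i.e. the powers of b reach every nonzero residue class."""
    seen = set()
    x = 1
    for _ in range(p - 1):
        x = (x * b) % p
        seen.add(x)
    return len(seen) == p - 1

def primitive_roots(p):
    return [b for b in range(1, p) if is_primitive_root(b, p)]

def powers_mod(b, p):
    """b^0, b^1, ..., b^(p-2) mod p: the list the slide writes out for 3 and 2 mod 7."""
    return [pow(b, k, p) for k in range(p - 1)]

def key_space(q, a):
    """Number of distinct values the shared key can take with generator a.
    Only a primitive root reaches all q-1 of them; a weak generator shrinks
    the set an eavesdropper would have to search."""
    return len(set(powers_mod(a, q)))

def dh_exchange(q, a, x_a, x_b):
    """Both sides of the exchange. A and B keep X_A and X_B secret, send
    Y_A and Y_B in the clear, and each derives the same K_S.
    Returns (Y_A, Y_B, K_S)."""
    y_a = pow(a, x_a, q)          # A -> B
    y_b = pow(a, x_b, q)          # B -> A
    k_a = pow(y_b, x_a, q)        # A computes Y_B^X_A mod q
    k_b = pow(y_a, x_b, q)        # B computes Y_A^X_B mod q
    if k_a != k_b:
        raise RuntimeError("shared secrets differ")
    return y_a, y_b, k_a

if __name__ == "__main__":
    print(powers_mod(3, 7), powers_mod(2, 7))   # [1, 3, 2, 6, 4, 5] [1, 2, 4, 1, 2, 4]
    print(primitive_roots(7), primitive_roots(11))
    print(dh_exchange(11, 7, 9, 5))             # (8, 10, 10)
    print(key_space(11, 7), key_space(11, 3))   # 10 5
```

Nothing here authenticates Y_A or Y_B, so the exchange is open to the same man-in-the-middle substitution the earlier slide showed for simple key distribution; that is why the public values are normally signed or certified.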

So that’s how you do symmetric key exchange with PKE

- How do you exchange the public keys themselves?
- Several ways:
- Public Announcement
- Public Directory
- Public Key Authority
- Public Key Certificates

Public Announcement

- Simple sharing of keys
- Useful for small communities
- Major weakness:
- Bad guy can distribute false public key for Alice

Public Key Directory

- Maintenance and distribution of the public directory is responsibility of some trusted authority
- Authority maintains a directory with {name, public key} for each user
- Each user registers public key with authority (in person or in some other secure way)
- User may replace public key any time
- Users can access directory electronically
- Secure, authenticated channel to/from directory necessary

Public Key Authority: Problems

- Seven messages are required!
- The PK authority may become bottleneck
- However, the first 5 can be spared if Alice and Bob cache (i.e. store locally) each other’s public keys
- periodically refresh to ensure they are current
- If the authority is compromised, then all the held public keys are compromised

Method 4:Public-Key Certificate

- Attempts to offload some of the responsibility of the central authority
- A certificate identifies
- a user
- his or her public key
- a time stamp
- The certificate authority signs it and gives it back to user:

C_A = PR_auth[ID_A, PU_A, T]
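An added Python example (not from the slides) of the certificate C_A = PR_auth[ID_A, PU_A, T] as a toy textbook-RSA signature over a SHA-256 digest of the fields, and of the check that defeats the man-in-the-middle substitution shown earlier: a certificate whose public key or time stamp has been altered no longer verifies under PU_auth. The CA key pair, the "Creep" key and the function names are constructed for this example; Alice's key is the slides' {7, 187}.

```python
import hashlib

# Added example (not from the slides): issuing and verifying a toy public-key certificate.

# Constructed CA key pair from two known primes, d = e^-1 mod phi(n).
# Real certificates use 2048-bit keys and the X.509 format (next week).
CA_P, CA_Q, CA_E = 65537, 104729, 17
CA_N = CA_P * CA_Q
CA_D = pow(CA_E, -1, (CA_P - 1) * (CA_Q - 1))
CA_PUB = (CA_E, CA_N)                 # PU_auth, known to everyone

ALICE_PUB = (7, 187)                  # PU_A: the slides' RSA-by-hand public key
CREEP_PUB = (3, 55)                   # constructed: a key an impostor might substitute

def digest_mod(fields, n):
    """Hash the certificate fields with SHA-256 and reduce into [0, n) so the
    value can be signed with textbook RSA (real schemes pad instead of reducing)."""
    data = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue_certificate(id_a, pu_a, timestamp, ca_d, ca_pub):
    """C_A = PR_auth[ID_A, PU_A, T]: the authority signs the digest with its private key."""
    _, n = ca_pub
    sig = pow(digest_mod((id_a, pu_a, timestamp), n), ca_d, n)
    return {"id": id_a, "pub": pu_a, "time": timestamp, "sig": sig}

def verify_certificate(cert, ca_pub):
    """Anyone holding PU_auth checks that the signature opens to the digest of
    the fields. A substituted key or altered time stamp changes the digest."""
    e, n = ca_pub
    expected = digest_mod((cert["id"], cert["pub"], cert["time"]), n)
    return pow(cert["sig"], e, n) == expected

if __name__ == "__main__":
    cert = issue_certificate("alice", ALICE_PUB, 1700000000, CA_D, CA_PUB)
    print(verify_certificate(cert, CA_PUB))                       # True
    # the substitution from the man-in-the-middle slide: swap in Creep's key
    forged = dict(cert, pub=CREEP_PUB)
    print(verify_certificate(forged, CA_PUB))                     # False
```

Bob, receiving the certificate, still needs a trustworthy copy of PU_auth and a check that T is recent; the signature only tells him that the authority vouched for this binding at that time.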

X.509 Certificates

- Certificates have a standard format, defined by X.509.
- Will investigate this format next week

Where are we?

- We’ve spent most of the term talking about confidentiality
- But what about
- integrity?
- authentication?
- non-repudiation?

Tools for these other purposes

- MACs
- Hashes
- Digital Signatures

Authentication & Integrity Mechanisms

- Symmetric Key:
- Frame check sequence
- Message Authentication Code
- Public-Key
- Message Digest provided by a hash

Symmetric Key Authentication

- if symmetric encryption is used then:
- the very fact that the key is shared provides some authentication
- But how do you recognize what is a valid message?
- Requires that the message have a verifiable structure

Provide such a structure by using

- A Frame Check Sequence

F is some function that you pass the message through.

Properties of a MAC

- a MAC is a cryptographic checksum

MAC = C(K,M)

- condenses a variable-length message M
- using a secret key K
- to a fixed-sized authenticator
- is a many-to-one function
- potentially many messages have same MAC (i.e. they are summarized down to the same value)
- but finding the message from the MAC needs to be very difficult

MACs are actually harder to break than encryption

- The many-to-one nature makes it very difficult to recover the original message
- Example:
- Suppose 100-bit message, 10-bit MAC
- There are then 2^100 different messages, but only 2^10 different MACs to which they map
- Thus, for any MAC, there are 2^100 / 2^10 = 2^90 different messages that compile down to it
- How in the world are you to know which message it actually was that led to that MAC?

An Example of a MAC:Data Authentication Algorithm

MAC is too small to prevent birthday attack!

MAC pros and cons

- Pro:
- The code is much smaller than the message
- The two-key approach gives us a way to authenticate separate from encrypting
- Cons:
- This is not a signature
- The two parties share the key, so either could have sent it
- Requires the sharing of secret keys

Examples of “MAC is not a signature”

Suppose John sends an authenticated message to Mary

- Mary may forge a different message and claim it came from John
- John may deny sending the message, stating that Mary must have forged it

Addressing MAC’s Cons

- Logical choice:
- investigate use of public-key encryption

PKE provides both authentication & confidentiality

- Z = E(PU_b, E(PR_a, X))
- X = D(PU_a, D(PR_b, Z))

Drawback

- Again, the math:
- Z = E(PU_b, E(PR_a, X))
- X = D(PU_a, D(PR_b, Z))
- Pretty darn slow
- 4 public-key operations in all

Alternative: Hash Function

- Used for a similar purpose to a MAC
- Just like a MAC
- takes in variable-size message
- produces fixed-size output
- Unlike a MAC
- does not use a key

So what if it doesn’t use a key?

- Useful in situations where you can’t share a key conveniently
- Good for digital signatures

Overview of a hash:

- condenses arbitrary message to fixed size

h = H(M)

- output of hash is called a digest
- the hash function is public
- the hash function is one way
- hash sensitive to changes in message

Requirements for Hash Functions

- can be applied to any sized message M
- produces fixed-length output h
- is easy to compute h=H(M) for any message M
- given h is infeasible to find original message (one-way property)
- given x is infeasible to find y such that H(y)=H(x) (weak collision resistance)
- is infeasible to find any x,y such that H(y)=H(x) (strong collision resistance)

Hash as Digital Signature

The signature

Elements common to all hash functions

- input (message, file, etc.) viewed as a sequence of n-bit blocks
- blocks are processed one at a time
- Compression function reduces the blocks
- end result is an n-bit hash value

Illustration of these elements

f is the compression function (where the “magic” happens)

Simple Hash Proposals

- xor all m blocks together
- C_i = b_i1 xor b_i2 xor ... xor b_im (C_i is bit i of the hash, b_ij is bit i of block j)
- another option
- initially set the n-bit hash value to 0
- process each successive n-bit block as follows:
- rotate the current hash value to the left by one bit
- xor the data block into the hash value
- both of these are weak
- because it is possible to determine how to craft a new message that gives the same hash code

Could also use a block cipher as a hash

- can use block ciphers as hash functions
- Divide message into M fixed-size blocks
- pad final block with 0’s if necessary
- Set initial hash H0 to 0
- compute H_i = E[M_i, H_i−1] repeatedly (encrypt the previous value H_i−1 using block M_i as the key)
- and use final block as the hash value
- With DES, though, hash will be too small
- because of birthday attack
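The two "simple hash proposals" above, as an added Python example (not from the slides), beside a keyed HMAC for contrast. The XOR hash is shown to ignore block order, the rotate-and-XOR hash is shown to collide when one block is changed by some difference and the next block by that difference rotated one bit, which is the "craft a new message with the same hash" weakness the slide mentions, and a proper MAC (HMAC-SHA256 from the standard library) rejects both altered messages. Function names and sample messages are constructed for this example.

```python
import hashlib
import hmac

# Added example (not from the slides): the two weak hash proposals and a real MAC.

def xor_hash(msg, block=4):
    """First proposal: XOR all block-sized chunks together (zero-padded)."""
    h = bytes(block)
    for i in range(0, len(msg), block):
        chunk = msg[i:i + block].ljust(block, b"\0")
        h = bytes(a ^ b for a, b in zip(h, chunk))
    return h

def rotate_xor_hash(msg, block=4):
    """Second proposal: rotate the running hash left one bit, then XOR in the block."""
    n = block * 8
    h = 0
    for i in range(0, len(msg), block):
        chunk = int.from_bytes(msg[i:i + block].ljust(block, b"\0"), "big")
        h = ((h << 1) | (h >> (n - 1))) & ((1 << n) - 1)   # rotate left by 1
        h ^= chunk
    return h.to_bytes(block, "big")

def craft_collision_rotate_xor(msg, block=4):
    """A different message with the same rotate_xor_hash. Block j contributes
    its value rotated (m-1-j) times, so flipping the low bit of block 0 and
    bit 1 of block 1 cancels after one rotation. Needs at least two blocks."""
    if len(msg) < 2 * block:
        raise ValueError("need at least two blocks")
    b = bytearray(msg)
    b[block - 1] ^= 0x01          # difference 1 in block 0 (big-endian low bit)
    b[2 * block - 1] ^= 0x02      # difference 1 rotated left once, in block 1
    return bytes(b)

def keyed_mac(key, msg):
    """A MAC the slides' C(K, M) would be in practice: HMAC-SHA256."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def mac_is_valid(key, msg, tag):
    """Constant-time comparison, so the check itself does not leak the tag."""
    return hmac.compare_digest(keyed_mac(key, msg), tag)

if __name__ == "__main__":
    m1, m2 = b"AAAABBBBCCCC", b"CCCCBBBBAAAA"       # constructed sample messages
    print(xor_hash(m1) == xor_hash(m2))              # True: block order is ignored
    forged = craft_collision_rotate_xor(m1)
    print(forged != m1, rotate_xor_hash(forged) == rotate_xor_hash(m1))  # True True
    key = b"constructed-demo-key"
    tag = keyed_mac(key, m1)
    print(mac_is_valid(key, m1, tag), mac_is_valid(key, forged, tag))    # True False
```

Both toy hashes fail the weak collision resistance requirement listed earlier (given x, it is easy to find y with H(y) = H(x)); the HMAC also needs the shared key, which is the MAC's strength against forgery and, as the slides note, its limitation as a signature.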

Summary

- How public key encryption works
- Mathematics behind PKE
- Exchanging public keys
- Authentication using MACs and Hashes
