
# Week 7: Public-Key Cryptography - PowerPoint PPT Presentation

Week 7: Public-Key Cryptography. MSIS 525 Encryption and Authentication Systems, Summer 2010. Topics: Public Key Encryption (PKE); PKE Math; Symmetric Key Exchange Using PKE; Distributing Public Keys; Authentication Technologies; MACs; Hashes; Digital Signatures.



### Week 7: Public-Key Cryptography

MSIS 525

Encryption and Authentication Systems

Summer 2010

• Public Key Encryption (PKE)

• PKE Math

• Symmetric Key Exchange Using PKE

• Distributing Public Keys

• Authentication Technologies

• MACs

• Hashes

• Digital Signatures

• Uses one key for encryption, and another for decryption

• Applications

• Encryption of short messages

• like keys

• Authentication

• through digital signatures

[Diagram: Alice and Bob exchanging messages; each holds a private key (PR_Alice, PR_Bob) and a public key (PU_Alice, PU_Bob)]

Common myths about PKE:

• Suitable for encrypting long messages

• Necessarily more secure than symmetric

• Necessarily more efficient in distributing keys than symmetric

So don’t fall prey to these myths.

• The most popular PKE system

• Developed by Rivest, Shamir, and Adleman in 1977

• Is a block cipher

• Plaintext and ciphertext are treated as numbers between 0 and 2^numbits – 1

• numbits typically >= 1024

• Encryption has the form: C = M^e mod n

• Decryption has the form: M = C^d mod n

• n is the product of two primes, p and q

• Visibility for confidentiality:

• sender knows e and n

• receiver knows d and n (as the factors p and q)

• In other words, these are the keys:

• public key = {e, n}

• private key = {d, p, q}

• Select primes: p = 17 and q = 11

• Compute n = pq = 17 × 11 = 187

• Compute φ(n) = (p – 1)(q – 1) = 16 × 10 = 160

• Select e with gcd(e, 160) = 1; choose e = 7

• Determine d = e^-1 mod 160 (with d < 160). The value is d = 23, since 23 × 7 = 161 = 1 mod 160 (could also use http://cs.lewisu.edu/~klumpra/msis525/multinv.php)

• Publish public key PU = {7, 187}

• Keep secret private key PR = {23, 17, 11}

KEY GENERATION

Example: RSA by hand

• given message M = 88 (note: 88 < 187)

• encryption:

C = 88^7 mod 187 = 11

• decryption:

M = 11^23 mod 187 = 88

• The big concern:

• attacker knows the public key e & n

• can an attacker determine the private key d?

• if he can, then he can determine M = C^d mod n

• To determine d

• Need to factor n into p and q

• No small task – n is a 309-digit number

• So that he can determine φ(n) = (p – 1)(q – 1)

• So that he can determine d = e^-1 mod φ(n)

• Alternative to brute force

• Exploit timing variations in operations

• eg. multiplying by small vs large number

• Infer operand size based on time taken

• RSA involves raising numbers to large powers

• Can estimate size of exponent by how long it takes

• Countermeasures

• use constant exponentiation time

• It’s slow

• So, use it for exchanging short messages

• like keys

• How can we speed up the arithmetic?

• How do you find two large primes?

• What the heck is φ(n)?

Speeding up the math through knowledge of modular arithmetic

Basic operations mod n

• (a+b) mod n = (a mod n + b mod n) mod n

• (a*b) mod n = (a mod n * b mod n) mod n

• y = –x mod n if and only if (y + x) mod n = 0

• y = x^-1 mod n if and only if (y * x) mod n = 1

• What is (8+4) mod 5?

• What is (8*4) mod 5?

• What is the additive inverse of 2 mod 5?

• What is the multiplicative inverse of 2 mod 5?

• 11^23 mod 187 = ???

Example: computing 11^23 mod 187

• 11^23 mod 187 = [(11^1 mod 187) × (11^2 mod 187) × (11^4 mod 187) × (11^8 mod 187) × (11^8 mod 187)] mod 187, since 23 = 1 + 2 + 4 + 8 + 8

• 11^1 mod 187 = 11

• 11^2 mod 187 = 121

• 11^4 mod 187 = (121 × 121) mod 187 = 55

• 11^8 mod 187 = (55 × 55) mod 187 = 33

• 11^23 mod 187 = (11 × 121 × 55 × 33 × 33) mod 187 = 88

• The Chinese Remainder Theorem (CRT) makes it possible to reconstruct integers in a certain range from their remainders when divided by a pair of relatively prime numbers.

• provided we know the factors, a very large number can be manipulated using smaller numbers

• this will help the recipient compute M = C^d mod n, since n = p * q, and the recipient knows p and q

• Using moduli 2 and 5, compute (7 + 8) mod 10.

• 7 mod 2 = 1, 7 mod 5 = 2, so 7 is (1,2)

• 8 mod 2 = 0, 8 mod 5 = 3, so 8 is (0,3)

• (1,2) + (0,3) = (1,5)

• So, we seek a number x < 10 such that x mod 2 = 1 mod 2 (i.e. 1) and x mod 5 = 5 mod 5 (i.e. 0)

• That number is 5.

• Sure enough, (7 + 8) mod 10 = 15 mod 10 = 5

• Using moduli 2 and 5, compute (7 * 8) mod 10.

• 7 mod 2 = 1, 7 mod 5 = 2, so 7 is (1,2)

• 8 mod 2 = 0, 8 mod 5 = 3, so 8 is (0,3)

• (1,2) * (0,3) = (0,6)

• So, we seek a number x < 10 with x mod 2 = 0 mod 2 and x mod 5 = 6 mod 5 = 1.

• That number is 6

• Sure enough (7*8) mod 10 = 56 mod 10 = 6

• RSA involves calculations modulo n, a product of primes p and q

• n is huge ( >= 1024 bits long)

• Because of CRT, calculations can be done on p and q instead

• p and q are much smaller

• thus, calculations are easier
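
The two CRT examples above (7 + 8 and 7 * 8 mod 10 via residues mod 2 and 5) and the RSA payoff, decrypting C = 11 with d = 23 by working mod p = 17 and mod q = 11 separately, as an added Python example (my code, not from the slides; it uses Python 3.8+'s pow(x, -1, m) for inverses):

```python
# Added example: CRT arithmetic on residue pairs, then RSA decryption done
# with two half-size exponentiations and recombined with the CRT.

def to_residues(x, moduli):
    """Represent x by its remainders mod each modulus, e.g. 7 -> (1, 2) for (2, 5)."""
    return tuple(x % m for m in moduli)

def crt_combine(residues, moduli):
    """Reconstruct x < prod(moduli) from x mod m_i (moduli pairwise coprime)."""
    n = 1
    for m in moduli:
        n *= m
    x = 0
    for r, m in zip(residues, moduli):
        ni = n // m
        # ni * ni^-1 is 1 mod m and 0 mod every other modulus
        x += r * ni * pow(ni, -1, m)
    return x % n

def crt_op(a, b, moduli, op):
    """Compute op(a, b) mod prod(moduli) componentwise on the residues."""
    ra, rb = to_residues(a, moduli), to_residues(b, moduli)
    return crt_combine([op(x, y) % m for x, y, m in zip(ra, rb, moduli)], moduli)

def rsa_decrypt_crt(c, d, p, q):
    """M = C^d mod pq using only mod-p and mod-q arithmetic.
    Fermat's theorem (a^(p-1) = 1 mod p) also lets d be reduced mod p-1 and q-1."""
    mp = pow(c % p, d % (p - 1), p)
    mq = pow(c % q, d % (q - 1), q)
    return crt_combine((mp, mq), (p, q))

if __name__ == "__main__":
    print(to_residues(7, (2, 5)), to_residues(8, (2, 5)))   # (1, 2) (0, 3)
    print(crt_op(7, 8, (2, 5), lambda x, y: x + y))          # 5
    print(crt_op(7, 8, (2, 5), lambda x, y: x * y))          # 6
    print(rsa_decrypt_crt(11, 23, 17, 11))                   # 88
```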

Determining the multiplicative inverse

• For large numbers, it can be difficult to determine the multiplicative inverse

• but we have to: d = e^-1 mod φ(n)

• You can use this tool instead: http://cs.lewisu.edu/~klumpra/msis525/multinv.php

This will find the inverse of 5 mod 7

Here’s the source code:

```php
<html>
<title>Find the multiplicative inverse in GF(p^n)</title>
<body>
<?php
// Extended Euclidean algorithm in the form used in the course text: calling
// xGCD(1, 0, m, 0, 1, a) returns the inverse of a mod m, or 0 if none exists
// (i.e. gcd(a, m) != 1).
function xGCD($a1, $a2, $a3, $b1, $b2, $b3) {
    if ($b3 == 0) {
        return 0;            // gcd is not 1: no inverse
    }
    if ($b3 == 1) {
        return $b2;          // gcd reached 1: b2 is the inverse (may be negative)
    }
    $q  = (int)($a3 / $b3);
    $t1 = $a1 - $q * $b1;
    $t2 = $a2 - $q * $b2;
    $t3 = $a3 - $q * $b3;
    return xGCD($b1, $b2, $b3, $t1, $t2, $t3);
}

$vars = $_REQUEST;
if (isset($vars["base"], $vars["exp"], $vars["num"])) {
    // Cast the form fields to integers so that only numbers reach the
    // arithmetic and the echoed output below.
    $p    = (int)$vars["base"];
    $n    = (int)$vars["exp"];
    $num  = (int)$vars["num"];
    $base = pow($p, $n);                          // the modulus p^n
    $inv  = xGCD(1, 0, $base, 0, 1, $num);
    if ($inv == 0) {
        echo "$num has no inverse mod $base<br>";
    } else {
        $inv = (($inv % $base) + $base) % $base;  // bring a negative result into 0..base-1
        echo "The inverse of $num mod $base is $inv<br>";
    }
}
?>
<form method="get">
Enter base p: <input type="text" name="base"><br>
Enter exponent n: <input type="text" name="exp"><br>
Enter number for which you want the inverse: <input type="text" name="num"><br>
<input type="submit" value="OK">
<input type="reset" value="Clear">
</form>
</body>
</html>
```

• First step in RSA: choose p and q prime

• A prime number p is a positive integer having no divisors other than 1 and p

• There are an infinite number of primes

• If p is a prime number and a is a positive integer not divisible by p, then a^(p–1) mod p = 1

• If p is a prime number and a is a positive integer, then a^p mod p = a mod p

• What is 4^4 mod 5?

• Here, a = 4 and p = 5

• By the first theorem, a^(p–1) mod p = 1. So, we know 4^(5–1) mod 5 = 1

• What is 4^5 mod 5?

• Second theorem: a^p mod p = a mod p.

• So, the answer should be 4 mod 5, or 4.

• Indeed: 4^5 = 1024, and 1024 mod 5 = 4

• φ(n) = the number of positive integers between 1 and n that are relatively prime to n

• Examples

• Two numbers are relatively prime if they have no factors in common

• For example, 3 and 8 are relatively prime

• Also, 4 and 15 are relatively prime

• Theorem: φ(p*q) = φ(p) * φ(q) (for relatively prime p and q)

• Also, if p is prime, then φ(p) = p – 1

• So, if p and q are primes and p doesn’t equal q, then φ(p*q) = (p – 1) * (q – 1)

• Again: If p and q are distinct primes, then φ(p*q) = (p – 1) * (q – 1)

• φ(6) = φ(2*3) = (2 – 1) * (3 – 1) = 2

• φ(14) = φ(2*7) = (2 – 1) * (7 – 1) = 6

• if a and n are relatively prime, then a^φ(n) = 1 mod n

• if a and n are relatively prime, then a^(φ(n)+1) = a mod n

• Examples (with a = 3, n = 8)

• Note that φ(8) = 4

• Then, 3^4 = 1 mod 8

• Also, 3^5 = 3 mod 8

Confirm these by computing 3^4 and 3^5.

• Public-key encryption requires finding very large prime numbers

• There is no efficient way to do this

• Simplest algorithm:

for i = 2 up to the square root of n:
    if n mod i is 0, then n is not prime, so exit the loop
if you don’t find an i for which n mod i = 0, then n is prime

Testing for Primes – Miller & Rabin Algorithm

• Can say simply that a number is not prime

• can’t say for sure whether a number is prime

• However, if you repeat the algorithm t times, Probability(n is prime) > 1 – (1/4)^t

• Thus, if you repeat the test 10 times, the probability the number is prime > 99.9999%

• Primes near n are spaced, on average, one every 0.5 * ln(n) integers (even numbers are skipped)

• Thus, one has to test, on average, this many integers

• For example, if a prime near 2^200 is desired, need to test 0.5 * ln(2^200) = 69 numbers (on average)
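
The primality-testing procedure above (trial division, Miller-Rabin with t rounds, and the 0.5 * ln(n) candidate count near 2^200) as an added Python example (my code, not from the slides). 561 is a constructed Carmichael number: it satisfies Fermat's theorem for base 2 yet Miller-Rabin rejects it, which is why the test cannot rely on Fermat alone.

```python
# Added example: trial division, Miller-Rabin, and how many candidates a
# search for a 200-bit prime is expected to touch.
import math
import random

def is_prime_trial(n):
    """The slides' simplest test: divide by every i up to sqrt(n)."""
    if n < 2:
        return False
    return all(n % i for i in range(2, math.isqrt(n) + 1))

def miller_rabin(n, t=10, rng=random):
    """True = 'probably prime' (error below (1/4)^t); False is a certainty."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    k, q = 0, n - 1                  # write n - 1 = 2^k * q with q odd
    while q % 2 == 0:
        k, q = k + 1, q // 2
    for _ in range(t):
        a = rng.randrange(2, n - 1)  # a fresh random base each round
        x = pow(a, q, n)
        if x in (1, n - 1):
            continue
        for _ in range(k - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False             # a is a witness: n is definitely composite
    return True

def fermat_says_prime(n, a):
    """Fermat alone: a^(n-1) mod n == 1 is necessary for primes, not sufficient."""
    return pow(a, n - 1, n) == 1

def expected_candidates(bits):
    """Average number of (odd) integers to test for a prime near 2^bits."""
    return round(0.5 * math.log(2 ** bits))

def next_probable_prime(start, t=10, rng=random):
    """Smallest odd n >= start that passes Miller-Rabin, plus how many were tested."""
    n, tested = start | 1, 1
    while not miller_rabin(n, t, rng):
        n, tested = n + 2, tested + 1
    return n, tested

if __name__ == "__main__":
    print(is_prime_trial(187), miller_rabin(187))        # False False
    print(fermat_says_prime(561, 2), miller_rabin(561))  # True False
    print(expected_candidates(200))                      # 69
    print(next_probable_prime(2 ** 200)[1], "candidates tested")
```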

We’ve discussed how to speed up all of this.

• First, how do you exchange symmetric keys using PKE technology?

• This is the recommended application of PKE

• Will present the most popular technique – Diffie-Hellman

• Then, how do you exchange public keys?

• Necessary for PKE to happen

• Last week, we saw a few different ways to exchange keys ...

• Physical delivery

• Directly from A to B

• Third-party C distributes to A and B

• Use of previous key

• Key Distribution Center

• Decentralized

This is called the Needham-Schroeder protocol.

• “What good would it do after all to develop impenetrable cryptosystems if their users were forced to share their keys with a KDC that could be compromised by either burglary or subpoena?” – Whitfield Diffie, co-creator of public-key encryption

• Each node must maintain (M-1) master keys

• Messages sent with master keys are short

• Unlikely to be compromised because there’s not a lot of ciphertext for an attacker to work with.

• With M different participants, there are M(M-1)/2 different master keys to distribute

• Doesn’t scale well

• One that doesn’t necessarily require trust in a third party

• One that doesn’t require such a large up-front key distribution

• Simple Key Distribution

• Simple Key Distribution with Confidentiality and Authentication

• Diffie-Hellman

Simple Key Distribution

• Alice contacts Bob with her ID and public key

• Bob generates a symmetric key and returns it to Alice (encrypted with her public key)

• so that only she can read it with her private key

• Susceptible to Man-in-the-middle attack

• Alice generates {PU_A, PR_A} and transmits a message intended for Bob consisting of PU_A and ID_A

• Creep intercepts the message, creates his own public/private key pair {PU_C, PR_C}, and transmits PU_C & ID_A to Bob

• Bob generates secret key K_S and transmits E(PU_C, K_S)

• Creep intercepts the message, learns K_S through D(PR_C, E(PU_C, K_S))

• Creep transmits E(PU_A, K_S) to Alice so that Alice doesn’t think anything is wrong

So everybody – Alice, Bob, and Creep – knows K_S: bad news!

Secret Key Distribution with Confidentiality and Authentication

• An algorithmic approach to exchanging a secret key.

• This is the most popular way

Primitive Root

• Let p be a prime. Then b is a primitive root for p if the powers of b, 1, b, b^2, b^3, ..., include all of the nonzero residue classes mod p

• i.e. the first p – 1 powers of b have to be different mod p.

• Example: If p is 7, then 3 is a primitive root of p.

• because the powers of 3 mod 7 are 1, 3, 2, 6, 4, 5

• 2 is not: 1, 2, 4, 1, 2, 4, 1, 2, 4

• Useful in Diffie-Hellman …

Diffie-Hellman Key Exchange

Pre-select large prime q and a primitive root of q called a.

Then ...

Example: Diffie-Hellman

• q = 11, a = 7

• A selects X_A = 9, calculates Y_A = 7^9 mod 11 = 8

• B selects X_B = 5, calculates Y_B = 7^5 mod 11 = 10

• A calculates K_S = Y_B^X_A mod q = 10^9 mod 11 = 10

• B calculates K_S = Y_A^X_B mod q = 8^5 mod 11 = 10

So, they have the same shared key!
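
The primitive-root test from the earlier slide (3 is a generator mod 7, 2 is not) and the Diffie-Hellman exchange just worked with q = 11, a = 7, X_A = 9, X_B = 5, as an added Python example (my code, not from the slides; function names are my own):

```python
# Added example: primitive-root check plus a complete Diffie-Hellman run.

def powers_mod(b, p):
    """b^0, b^1, ..., b^(p-2) mod p: the sequence the slide lists for p = 7."""
    return [pow(b, i, p) for i in range(p - 1)]

def is_primitive_root(b, p):
    """b generates every nonzero residue mod p iff its first p-1 powers are distinct."""
    return len(set(powers_mod(b, p))) == p - 1

def dh_public(a, x, q):
    """Y = a^X mod q: the value each party sends over the channel."""
    return pow(a, x, q)

def dh_shared(y_other, x_own, q):
    """K_S = Y_other^X_own mod q, computed independently by each party."""
    return pow(y_other, x_own, q)

def diffie_hellman(q, a, x_a, x_b):
    """Run the whole exchange; returns (Y_A, Y_B, K_S).
    Refuses an a that is not a primitive root, since then K_S would be
    confined to a smaller subgroup than intended."""
    if not is_primitive_root(a, q):
        raise ValueError(f"{a} is not a primitive root of {q}")
    y_a, y_b = dh_public(a, x_a, q), dh_public(a, x_b, q)
    k_a, k_b = dh_shared(y_b, x_a, q), dh_shared(y_a, x_b, q)
    if k_a != k_b:
        raise RuntimeError("both sides must derive the same key")
    return y_a, y_b, k_a

if __name__ == "__main__":
    print(powers_mod(3, 7), is_primitive_root(3, 7))   # [1, 3, 2, 6, 4, 5] True
    print(powers_mod(2, 7), is_primitive_root(2, 7))   # [1, 2, 4, 1, 2, 4] False
    print(diffie_hellman(11, 7, 9, 5))                 # (8, 10, 10)
```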

• How do you exchange the public keys themselves?

• Several ways:

• Public Announcement

• Public Directory

• Public Key Authority

• Public Key Certificates

Method 1: Public Announcement

Public Announcement

• Simple sharing of keys

• Useful for small communities

• Major weakness:

• Bad guy can distribute false public key for Alice

Method 2: Public Key Directory

Public Key Directory

• Maintenance and distribution of the public directory is responsibility of some trusted authority

• Authority maintains a directory with {name, public key} for each user

• Each user registers public key with authority (in person or in some other secure way)

• User may replace public key any time

• Users can access directory electronically

• Secure, authenticated channel to/from directory necessary

Public Key Directory Example

http://pgp.mit.edu/

Method 3: Public Key Authority

Public Key Authority: Problems

• Seven messages are required!

• The PK authority may become bottleneck

• However, the first 5 can be spared if Alice and Bob cache (i.e. store locally) each other’s public keys

• periodically refresh to ensure they are current

• If the authority is compromised, then all the held public keys are compromised

Method 4: Public-Key Certificate

• Attempts to offload some of the responsibility of the central authority

• A certificate identifies

• a user

• his or her public key

• a time stamp

• The certificate authority signs it and gives it back to user:

C_A = E(PR_auth, [ID_A, PU_A, T])

Public-Key Certificate

X.509 Certificates

• Certificates have a standard format, defined by X.509.

• Will investigate this format next week

• We’ve spent most of the term talking about confidentiality

• integrity?

• authentication?

• non-repudiation?

• MACs

• Hashes

• Digital Signatures

• Symmetric Key:

• Frame check sequence

• Message Authentication Code

• Public-Key

• Message Digest provided by a hash

• if symmetric encryption is used then:

• the very fact that the key is shared provides some authentication

• But how do you recognize what is a valid message?

• Requires that the message have a verifiable structure

• A Frame Check Sequence

F is some function that you pass the message through.

Authentication only

Authentication & Confidentiality

• a MAC is a cryptographic checksum

MAC = C(K,M)

• condenses a variable-length message M

• using a secret key K

• to a fixed-sized authenticator

• is a many-to-one function

• potentially many messages have same MAC (i.e. they are summarized down to the same value)

• but finding the message from the MAC needs to be very difficult

• The many-to-one nature makes it very difficult to recover the original message

• Example:

• Suppose a 100-bit message and a 10-bit MAC

• There are then 2^100 different messages, but only 2^10 different MACs to which they map

• Thus, for any MAC, there are 2^100 / 2^10 = 2^90 different messages that compile down to it

• How in the world are you to know which message it actually was that led to that MAC?

An Example of a MAC: Data Authentication Algorithm

MAC is too small to prevent birthday attack!

• Pro:

• The code is much smaller than the message

• The two-key approach gives us a way to authenticate separate from encrypting

• Cons:

• This is not a signature

• The two parties share the key, so either could have sent it

• Requires the sharing of secret keys

Examples: “MAC is not a signature”

Suppose John sends an authenticated message to Mary

• Mary may forge a different message and claim it came from John

• John may deny sending the message, stating that Mary must have forged it

• Logical choice:

• investigate use of public-key encryption

• Z = E(PUb, E(PRa,X))

• X = D(PUa, D(PRb, Z))

Drawback PKE

• Again, the math:

• Z = E(PUb, E(PRa,X))

• X = D(PUa, D(PRb, Z))

• Pretty darn slow

• 4 public-key operations in all

• Used for a similar purpose to a MAC

• Just like a MAC

• takes in variable-size message

• produces fixed-size output

• Unlike a MAC

• does not use a key

• Useful in situations where you can’t share a key conveniently

• Good for digital signatures

• condenses arbitrary message to fixed size

h = H(M)

• output of hash is called a digest

• the hash function is public

• the hash function is one way

• hash sensitive to changes in message

• can be applied to any sized message M

• produces fixed-length output h

• is easy to compute h=H(M) for any message M

• given h is infeasible to find original message (one-way property)

• given x is infeasible to find y such that H(y)=H(x) (weak collision resistance)

• is infeasible to find any x,y such that H(y)=H(x) (strong collision resistance)

The signature

Hash as Digital Signature + Encryption

Elements common to all hash functions

• input (message, file, etc.) viewed as a sequence of n-bit blocks

• blocks are processed one at a time

• Compression function reduces the blocks

• end result is an n-bit hash value

f is the compression function (where the “magic” happens)

• xor all m blocks together

• C_i = b_i1 xor b_i2 xor ... xor b_im, where C_i is the i-th bit of the hash and b_ij is the i-th bit of the j-th block

• another option

• initially set n-bit hash value to 0.

• process each successive n-bit block as follows:

• rotate the current hash to the left by one bit

• xor the data block into the current hash value

• both of these are weak

• because it is possible to determine how to craft a new message that gives the same hash code
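
The two toy compression schemes just described (block-wise XOR, and rotate-left-then-XOR) over 8-bit blocks, plus a check of why the first is weak: XOR is commutative, so reordering a message's blocks leaves its digest unchanged. Added Python example, my code and constructed sample messages, not from the slides:

```python
# Added example: the two weak hash constructions from the slides.
BLOCK_BITS = 8  # one byte per block keeps the arithmetic easy to follow

def blocks(msg: bytes, n_bits=BLOCK_BITS):
    """Split msg into n-bit blocks as integers, zero-padding the last one."""
    n_bytes = n_bits // 8
    padded = msg + b"\x00" * (-len(msg) % n_bytes)
    return [int.from_bytes(padded[i:i + n_bytes], "big")
            for i in range(0, len(padded), n_bytes)]

def xor_hash(msg: bytes, n_bits=BLOCK_BITS):
    """C_i = b_i1 xor ... xor b_im, done on whole blocks at once."""
    h = 0
    for b in blocks(msg, n_bits):
        h ^= b
    return h

def rotl1(x, n_bits):
    """Rotate an n-bit value left by one bit."""
    return ((x << 1) | (x >> (n_bits - 1))) & ((1 << n_bits) - 1)

def rotate_xor_hash(msg: bytes, n_bits=BLOCK_BITS):
    """Start at 0; per block: rotate the running hash left one bit, xor the block in."""
    h = 0
    for b in blocks(msg, n_bits):
        h = rotl1(h, n_bits) ^ b
    return h

def xor_hash_collides_under_reorder(msg: bytes):
    """True if reversing the block order gives a different message with the same XOR digest."""
    reordered = bytes(reversed(blocks(msg)))
    return reordered != msg and xor_hash(reordered) == xor_hash(msg)

if __name__ == "__main__":
    m = b"pay 100"                                   # constructed sample message
    print(xor_hash(m), xor_hash_collides_under_reorder(m))       # same digest after reorder
    print(rotate_xor_hash(b"AB"), rotate_xor_hash(b"BA"))         # rotation makes order matter
```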

Could also use a block cipher as a hash

• can use block ciphers as hash functions

• Divide message into M fixed-size blocks

• pad final block with 0’s if necessary

• Set initial hash H_0 to 0

• compute H_i = E(M_i, H_{i-1}) repeatedly, i.e. encrypt the previous hash value using block M_i as the key

• and use the final block H_M as the hash value

• With DES, though, hash will be too small

• because of birthday attack

Summary

• How public key encryption works

• Mathematics behind PKE

• Exchanging public keys

• Authentication using MACs and Hashes