1 / 33

Public-key encryption

Public-key encryption. Symmetric-key encryption. Invertible function Security depends on the shared secret – a particular key. Fast, highly secure Fine for repeated communication Poor fit for one-shot communication, signatures. Asymmetric-key (public key) encryption. The basic idea:

ady
Download Presentation

Public-key encryption

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Public-key encryption

  2. Symmetric-key encryption • Invertible function • Security depends on the shared secret – a particular key. • Fast, highly secure • Fine for repeated communication • Poor fit for one-shot communication, signatures

  3. Asymmetric-key(public key) encryption • The basic idea: • A user has two keys: a public key and a private key. • A message can be encrypted with the public key and decrypted with the private key to provide security. • A message can be encrypted with the private key and decrypted with the public key to provide signatures.

  4. One-way functions • Most common functions are invertible; for any F(x) = y, there is an F-1(y) = x. • Multiplication and division • DES • A function which is easy to compute in one direction, but hard to compute in the other, is known as a one-way function. • Hashing, modular arithmetic. • A one-way function that can be easily inverted with an additional piece of knowledge is called a trapdoor one-way function.

  5. One-way functions • Public key encryption is based on the existence of trapdoor one-way functions. • Encryption with the public key is easy. • Decryption is computationally hard. • Knowledge of the private key opens the trapdoor, making inversion easy. • Password systems also use one-way functions.

  6. Overview of RSA • RSA is the most common and well-known public key cryptosystem • Basic notation: a key pair (e,d) contains two keys: • e is the public key (used to encrypt documents) • d is the private key (used to decrypt documents) • M is the plaintext message. • Let R be the encryption function. • R(e,M) = C. R(d,C) = M. - encryption • R(d,M) = C’ R(e,C’) = M - signing • R(e,R(d,M)) = M = R(d,R(e,M)) • Same function is used for both operations.

  7. Modular Arithmetic • RSA’s security is based on modular arithmetic. • a = b (mod n) <-> there is a q such that a-b=qn • b is the remainder after dividing a by n • 23 = 3 (mod 5) • A set {0,1,…,n-1} is closed under modular addition and multiplication. • (a(mod n) + b(mod n))(mod n) = (a+b) (mod n) • (ab)(mod n) = (a(mod n) b(mod n))(mod n)

  8. Modular Arithmetic • Two numbers p and q are said to be relatively prime if their greatest common divisor is 1. • 5 and 17, 8 and 9, 10 and 21 • To compute gcd: • gcd(a,b) = gcd(b, a mod b) (Euclid, 300BC)

  9. Identities and Inverses • An identity is a number that maps a number to itself under some operation. • 0 in normal addition, 1 in multiplication. • An inverse is a number (within the input set) and maps a given number to the identity • X * 1/X, X + -X in integer math • We are particularly interested in multiplicative inverses for modular arithmetic. • (ab) = 1 (mod n)

  10. Multiplicative Inverses • 3 and 2 are multiplicative inverses mod 5. • 7 and 6 are multiplicative inverses mod 41. • 5 and 2 are multiplicative inverses mod 9. • For n > 1, if a and n are relatively prime, there is a unique x such that • ax = 1 (mod n)

  11. More preliminaries • Fermat’s Little Theorem: • If p is prime, then for all a: • ap-1 = 1 (mod p) • Chinese Remainder Thm (corollary) • If p and q are prime, then for all x and a: • x = a(mod p) and x = a(mod q) iff x=a mod(pq) • These are needed to prove RSA’s correctness.

  12. The RSA Algorithm • Pick two large (100 digit) primes p and q. • Let n = pq • Select a relatively small integer d that is prime to (p-1)(q-1) • Find e, the multiplicative inverse of d mod (p-1)(q-1) • (d,n) is the public key. To encrypt M, compute • En(M) = Me(mod n) • (e,n) is the private key. To decrypt C, compute • De(C) = Cd(mod n)

  13. RSA example • Let p = 11, q = 13 • n = pq = 143 • (p-1)(q-1) = 120 = 3 x 23 x 5 • Possible d: 7, 11, 13, 17, … (let’s use 7) • Find e: e*7 = 1(mod 120) = 103 • Public key: (7, 143) • Private key: (103, 143) • En(42) = 427 (mod 143) = 81 • De(81) = 81103(mod 143) = 42

  14. Correctness of RSA • To show RSA is correct, we must show that encryption and decryption are inverse functions: • En(De(M)) = De(En(M)) = M = Med (mod n) • Since d and e are multiplicative inverses, there is a k such that: • ed=1+ kn = 1 + k(p-1)(q-1) • Med = M1+k(p-1)(q-1) = M*(Mp-1)k(q-1) • By Fermat: Mp-1=1(mod p) • Med = M(1)k(q-1)(mod p) = M(mod p)

  15. Correctness of RSA • Med = M(1)k(q-1)(mod p) = M(mod p) • Med = M(1)k(q-1)(mod q) = M(mod q) • By Chinese Remainder Thm, we get: • M^{ed} = M (mod p) M (mod q) = M (mod pq) = M (mod n) • Therefore, RSA reproduces the original message and is correct.

  16. Strengths of RSA • No prior communication needed • Highly secure (for large enough keys) • Well-understood • Allows both encryption and signing

  17. Weaknesses of RSA • Large keys needed (1024 bits is current standard) • Relatively slow • Not suitable for very large messages • Public keys must still be distributed safely.

  18. Security of RSA • The security of RSA is dependent on the assumption that it’s difficult to generate the private key d from the public key e and the modulus n. • Equivalent to integer factorization problem. • This is how we got e and d in the first place. • Factoring is thought to be computationally hard. • No proof, though!

  19. Difficulty of Factoring • The fastest known factoring algorithm is the generalized number field sieve. • Sub-exponential time • Greater than polynomial space. • Some statistics:

  20. Security and Problem Difficulty • Another way to think about the problem is to ask how long a keylength will be secure, given Moore’s law: From the RSA labs factoring FAQ

  21. Security and Problem Difficulty • RSA-155 (512 bit asymmetric-key) broken in 1999. • Estimate: capability grows by ~4.25 digits per year. (approx.13-14 bits per year) • 1024-bit RSA should be “secure” until 2037. • Using Moore’s Law – 1024-bit is 7 million times harder than 512-bit • So, we need a 7 millionX speedup to crack 1024-bit RSA with the same relative computational power. • Also about 34 years. • Question: How long does your data need to be secure?

  22. Digital Signatures • Desirable properties of a digital signature: • A receiver must be able to validate the signature • The signature must not be forgeable • The signer must not be able to repudiate the signature. • Encrypt with private key, validate with public key. • For security and authenticity, encrypt the signed message with the receiver’s public key.

  23. Hash Functions • A hash function is a one-way function that maps a message M into a (typically smaller) hashed message H. • Sometimes this is called a fingerprint • Also sometimes a message digest. • Goals: • Non-invertible • fast • low collision rate

  24. Hash Functions • To sign a document, I compute its hash, encrypt that with my private key, and send the encrypted hash along with the original document as plaintext. • The receiver hashes the plaintext and then uses my public key to verify that I was the one who sent the document. • Can also detect tampering.

  25. Combining Public and Secret Keys • Public-key encryption is often used to synchronize secret session keys. • SSL uses this. • A generates a secret key and sends it to B, encrypted with B’s public key. • For handshaking, include a random number. • B decrypts the message and has the secret key. • For handshaking, B encrypts the random number with A’s public key and returns it.

  26. Authentication • A sends “Please authenticate me” to B • B creates a random message and signs it with A’s public key. • A decrypts the message with its private key, encrypts it with B’s public key, and returns it. • Only someone with A’s private key can do this. • Potential attack: B gets to pick a string that A will encrypt • This could yield information about A’s private key.

  27. Zero-knowledge Protocols • One application of public-key cryptography is zero-knowledge protocols. • Often, one party might want to prove something to another without revealing any information • Nuclear treaties • Bank balances • Sensitive information

  28. Zero-knowledge protocols • Alice wants to prove to Bob that she is Alice. • If she sends identification, Bob (or an eavesdropper) can use it. • Example: Authority chooses a number N=77, known by all. • Alice’s public ID: (58, 67) • Alice’s private ID: (9,10) • These are multiplicative inverses mod 77

  29. Zero-knowledge protocols • Alice chooses some random numbers and computes their square mod N. • {19, 24, 51} -> 192(mod 77) = 53, 242(mod 77) = 37, 512(mod 77) = 60 • Alice sends {53,37,60} to Bob. • Bob sends back a random 2x3 matrix of 1s and 0s. • 0 1 • 1 0 • 1 1

  30. Zero-knowledge protocols • Alice uses this grid, plus her original random numbers and her secret numbers, to compute: • 19 * 90 * 101 (mod 77) = 36 • 24 * 91 * 100 (mod 77) = 62 • 51 * 91 * 101 (mod 77) = 47 • She sends {36,62,47} to Bob.

  31. Zero-knowledge protocols • Bob verifies Alice’s identity by computing: • {58,67} are Alice’s public numbers • 36^2 *58^0 *67^1 (mod 77)= 53 • 62^2 *58^1 * 67^0 (mod 77) = 37 • 47^2 * 58^1 * 67^1 (mod 77) = 60 • Alice’s original numbers reappear! • (Actually, an attacker would have a 1 in 64 chance of guessing correctly …)

  32. Zero-knowledge protocols • In a real system, N would be very large • 160 digits. • Many more numbers would be generated. • This works because Alice’s secret numbers are multiplicative inverses of her public numbers mod N. • Also, Bob learns nothing that he didn’t know before.

  33. Summary • Public key encryption provides a flexible system for secure communication in open environments. • Based on one-way functions • Allows for both authentication and signing • Secure public key distribution remains a problem.

More Related