- 215 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about 'Cryptosystems, Hash Functions and Digital Signatures' - ariella

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### Cryptosystems, Hash Functions and Digital Signatures

--- Lecture 4 ---

Outline

- Why public key cryptography ?
- General principles of public key cryptography
- The RSA public key cryptosystem
- One way hash functions
- Digital signature

Information and Nework Security

Private key cipher

Cipher Text

Cipher Text

Plain Text

Plain Text

D

Network

or Storage

E

Secret Key

Secret Key

Bob

Alice

Information and Nework Security

Problems with private key ciphers

- In order for Alice & Bob to be able to communicate securely using a private key cipher, such as DES, they have to have a shared key in the first place.
- Question: What if they have never met before ?
- Alice needs to keep 100 different keys if she wishes to communicate with 100 different people

Information and Nework Security

Motivation of Public Key Cryptography

- Is it possible for Alice & Bob, who have no shared secret key, to communicate securely ?
- This led to the SINGLE MOST IMPORTANT discovery of public key communications:
- Diffie & Hellman’s ideas of public key cryptography: <private-key, public-key>

Information and Nework Security

Main ideas

- Bob:
- publishes, say in Yellow/White pages, his
- public (for encryption) key, and
- encryption algorithm.
- keeps to himself
- the matching secret (for decryption) key.

Information and Nework Security

Main ideas (2)

- Alice:
- Looks up the phone book, and finds out Bob’s
- public key, and
- encryption algorithm.
- Encrypts a message using Bob’s public key and encryption algorithm.
- sends the ciphertext to Bob.

Information and Nework Security

Main ideas (3)

- Bob:
- Receives the ciphertext from Alice
- Decrypts the ciphertext using his secret key, together with the decryption algorithm

Information and Nework Security

Public Key Cryptosystem

Public Key Directory (Yellow/White Pages)

Bob:

Cipher Text

Cipher Text

Plain Text

Plain Text

D

E

Secret Key

Alice

Bob

Information and Nework Security

Main differences with DES

- The public key is different from the secret key.
- Infeasible for an attacker to find out the secret key from the public key.
- No need for Alice & Bob to distribute a shared secret key beforehand !
- Only one pair of public and secret keys is required for each user !

Information and Nework Security

Realising public key ciphers

- The most famous system that implements Diffie & Hellman’s ideas on public key ciphers is due to
- Ronald Rivest
- Adi Shamir
- Leonard Adleman
- This public key cryptosystem is called RSA.

Information and Nework Security

Mathematical background

Assume that we are working with non-negative integers:

- Prime and composite numbers
- a prime number is an integer that can be divided only by 1 and itself
- E.g. 2, 3, 5, 7, 11, 13, 101, ......
- all other integers are composite
- E.g. 4, 6, 8, 9, 10, 12, 523743960876432, 800164386535

Information and Nework Security

Mathematical background

Modular operations

- “remainder”
- 13 mod 5 = 3, 1 mod 7 = 1
- 20 mod 5 = 0, 32 mod 7 = 4
- modular exponentiation
- 22 mod 3 = 1, 32 mod 3 = 0
- 22 mod 5 = 4, 102 mod 92 = 8
- 46 mod 10 = 6, 311 mod 10 = 7

Information and Nework Security

Mathematical background

- a is relative prime to b if the largest integer that divides both a & b is 1
- E.g:
- any m (<>0) is relatively prime to a prime number
- is 9 relatively prime to 10?

Information and Nework Security

Mathematical background

- Let ø(n) denote the total numbers that are less thann and relatively prime to n
- If n is a prime number thenø(n) = n– 1
- If p, q are prime numbers and n=p*q, then
- Ø(n) = Ø(p*q) = p*q – (p + q -1) = (p-1)*(q-1)

- p & q are prime numbers => only multiples of p and q are not relatively prime to p*q

- That is: there are (p + q – 1) multiples [0 is counted once] of p and q

- E.g: p = 3; q=7; {0, 3, 7, 6, 9, 12, 14, 15, 18} are not relatively prime to p*q
- Ø(n) = ø(p*q) = 12 ; {1,2,4,5,8,10,11,13,16,17,19,20}

Information and Nework Security

Mathematical background

- y & n are integers and y (mod ø(n)) = 1, for any x < n, xymod n = x (1)
- E.g:
- y=13 ; n=7; x = 4;
- ø(n) = 6; y mod ø(n) = 13 mod 6 = 1;
- xy = 413;xy mod n = 413 mod 6 = 4 = x mod n;

Information and Nework Security

Mathematical background

- The multiplicative inverse of x with modulo n is y such that: (x*y) mod n = 1 (2).
- The above multiplicative inverse can be used to create a simple public key cipher: either x or y can be thought of as a secret key and the other is the public key.

E.g: x=3; n=10; y=7; we have: (3*7) mod 10 = 1;

- M =5 ;
- 3*5 (mod 10) = 5 ; 5*7 (mod 10) = 5 = M (message)
- M =6 ;
- 3*6 (mod 10) = 8; 8*7 (mod 10) = 6 = M (message)

Information and Nework Security

RSA Public Key Cryptosystem

Public Key Directory (Yellow/White Pages)

Bob: (e, n)

public key:

e & n

Plain Text

Cipher Text

Cipher Text

Plain Text

c=

m e mod n

m=

c d mod n

Alice

secret key: d

Bob

Information and Nework Security

RSA (1)

- Bob:
- chooses 2 large prime numbers: p, qmultiplies p and q: n = p*q
- finds out two numbers e & d such that
- (e * d) mod ø(n) = 1 [ similar to(2) ]

Or (e * d) mod [(p-1)*(q-1)] = 1

- public key (published in the phone book)
- 2 numbers: (e, n)
- encryption alg: modular exponentiation
- secret key: (d,n)

Information and Nework Security

RSA (2)

- Alice has a message m to be sent to Bob:
- finds out Bob’s public encryption key (e, n)
- calculatesme(mod n) -> c
- sends the ciphertext c to Bob

Information and Nework Security

RSA (3)

- Bob:
- receives the ciphertext c from Alice
- uses his matching secret decryption key d to calculate cd(mod n) -> m

Information and Nework Security

RSA --- 1st small example (1)

- Bob:
- chooses 2 primes: p=5, q=11multiplies p and q: n = p*q = 55
- finds out two numbers e=3 & d=27 which satisfy (3 * 27) mod 40 = 1
- Bob’s public key
- 2 numbers: (3, 55)
- encryption alg: modular exponentiation
- secret key: (27,55)

Information and Nework Security

RSA --- 1st small example (2)

- Alice has a message m=13 to be sent to Bob:
- finds out Bob’s public encryption key (3, 55)
- calculates c:c = me(mod n) = 133(mod 55) = 2197(mod 55) = 52
- sends the ciphertext c=52 to Bob

Information and Nework Security

RSA --- 1st small example (3)

- Bob:
- receives the ciphertext c=52 from Alice
- uses his matching secret decryption key 27 to calculate m:m = 5227(mod 55) = 13 (Alice’s message)

Information and Nework Security

How does RSA work?

- n = p*q => Ø(n) = Ø(p*q) =(p-1)*(q-1)
- We choose d & e such that
- (e * d) mod ø(n) = = 1 ; similar to(2)
- for any m < n: mde= m mod n ; from (1)
- an RSAencryption consists of taking m and raising it to e; and decrypting the ciphertext by raising the result of the encrytion to d:
- We have
- (a*b)mod n = [(a mod n) * (b mod n)] mod n;
- ax mod n = [(amod n)* (amod n)* … (amod n)] mod n

----x times of amod n---

= (amod n) x mod n

- hence : (me mod n) d mod n = (me)d mod n= (med) mod n = mmodn = m [from (1)]

Information and Nework Security

Remarks on RSA

- The message m has to be an integer between the range [1, n).
- To encrypt long messages we can use modes of operation as for block private key ciphers, or a hybrid cryptosystem.

Information and Nework Security

Why RSA is Secure

- Attack Scenario:
- Marvin wants to read Alice’s private message (m) intended to be read only by Bob.
- However, Alice used RSA to encrypt m using Bob’s public key (e, n), into the ciphertext c = me(mod n).
- Marvin is a determined attacker and managed to intercept the ciphertext c on its way from Alice’s to Bob’s computer.
- Marvin also looked up Bob’s public key (e,n) to help him in his attack.

Information and Nework Security

Why RSA is Secure

- Marvin now has (c,e,n) and wants to find out m.
- How can Marvin proceed to find m?
- Approach 1: If Marvin could also find out Bob’s secret key d, he could decrypt c into m in the same way as Bob does.
- Suppose Bob guards his secret key d very well, what can Marvin do then?
- Approach 2: Marvin knows that c = me(mod n). He knows that m is a number between 1 and n-1. So he could use exhaustive search through all n possible messages m.
- But if n is large this takes a long time!

Information and Nework Security

Why RSA is Secure

- Marvin’s Attack options (cont):
- Approach 3: Marvin can try to compute Bob’s secret key d from (e,n) and then use Approach 1.
- Remember that (e * d) mod ((p-1)*(q-1) ) = 1
- Marvin found in a ‘Number Theory’ book a very fast algorithm called EUCLID to solve the following problem: Given two numbers (r,s), the algorithm outputs a number x such that

(r * x) mod s = 1.

Information and Nework Security

Why RSA is Secure

- Approach 3 is the most efficient known method Marvin can use to attack RSA!
- The time taken for Marvin to execute the attack in Approach 3 is essentially the time to factorize n (n=p*q) into the prime factors p and q.
- Therefore, we say that RSA is based onthe factorization problem: While it is easy to multiply large primes together, it is computationally infeasible to factorize or split a large composite into its prime factors!

Information and Nework Security

Why RSA is Secure

- Therefore, when both p and q in RSA are of at least 155 digits, the product n=p*q is 310 digits.
- Then no one can factorize n in less time than a few thousand years, not even Marvin!!
- Thus the only person who can extract the plaintext m from the ciphertext c is Bob, as only he knows the secret decryption key d !

Information and Nework Security

- Instead of just eavesdropping, Marvin can try a more active attack!
- Outline of the New Attack:
- Marvin generates an RSA key pair
- Public key = Kpub_* = (N_*, e_*)
- Secret key = Ksec_* = (N_, d_*)
- Marvin sends the following email to Alice, pretending to be Bob:
- Hi Alice,
- Please use my new public key from now on to encrypt messages to me. My new public key is Kpub_*.
- Yours sincerely, Bob.
- Marvin decrypts any messages Alice sends to Bob (encrypted with Kpub_*), using Ksec_*.

Information and Nework Security

Preventing Marvin’s Active Attack

- The active attack works because:
- Alice was tricked by Marvin into encrypting a message intended for Bob using a “fake” public key which is NOT Bob’s public key (in fact it was Marvin’s).
- To prevent the attack:
- Before Alice encrypts a message for Bob, she must make sure she has Bob’s CORRECT public key (and not a fake one).
- Alice needs a way of testing the truth of any “Bob’s key message” informing Alice of Bob’s Public Key.
- No one besides Bob should be able to produce such a message so that it will pass Alice’s Test.

Information and Nework Security

Preventing Marvin’s Active Attack (2)

- This is a setting where Alice and Bob have a message integrity security requirement!
- Ie. Alice and Bob want to prevent fabrication and/or modification of a “Bob’s key message” (a message informing Alice of Bob’s public key) by unautorised parties (like Marvin).
- The main cryptographic tool used to achieve message integrity is “Authority Certificates”.
- Later we will see how Digital Signatures can be used to prevent Marvin’s Attack!

Information and Nework Security

Private key ciphers

- Good points
- in-expensive to use
- fast
- low cost VLSI chips available
- Bad points
- key distribution is a problem

Information and Nework Security

Public key ciphers

- Good points
- key distribution is NOT a problem
- Bad points
- relatively expensive to use
- relatively slow
- VLSI chips not available or relatively high cost

Information and Nework Security

Combining 2 Type of Ciphers

- In practice, we can
- use a public key cipher (such as RSA) to distribute keys
- use a private key cipher (such as DES) to encrypt and decrypt messages

Information and Nework Security

The Need of Digital Signature

- Social & business activities and their associated documents are becoming digital
- digital conferences
- digital contract signing
- digital cash payments, ......
- Hand-written signatures are not applicable to digital data

Information and Nework Security

Network

D

Digital Signature (based on RSA)Public Key Directory (Yellow/White Pages)

Bob:

Plain Text

Plain Text

Accept if equal

+

E

Signature

Signature

Secret Key

Bob

Cathy

Public Key

Information and Nework Security

Network

Digital Signature (for short doc)Public Key Directory (Yellow/White Pages)

Bob: (e, n)

Plain Text

Plain Text

Accept if equal

+

s =

md mod n

t =se mod n

Signature

Signature

Secret Key d

Cathy

Bob

Public Key (e, n)

Information and Nework Security

RSA Signature --- an eg (1)

- Bob:
- chooses 2 primes: p=5, q=11multiplies p and q: n = p*q = 55
- finds out two numbers e=3 & d=27 which satisfy (3 * 27) mod 40 = 1
- Bob’s public key
- 2 numbers: (3, 55)
- encryption alg: modular exponentiation
- secret key: (27,55)

Information and Nework Security

RSA Signature --- an eg (2)

- Bob has a document m=19 to sign:
- uses his secret key d=27 to calculate the digital signature of m=19:s = md(mod n) = 1927(mod 55) = 24
- appends 24 to 19. Now (m, s) = (19, 24) indicates that the doc is 19, and Bob’s signature on the doc is 24.

Information and Nework Security

RSA Signature --- an eg. (3)

- Cathy, a verifier:
- receives a pair (m,s)=(19, 24)
- looks up the phone book and finds out Bob’s public key (e, n)=(3, 55)
- calculates t = se(mod n) = 243(mod 55) = 19
- checks whether t=m
- confirms that (19,24) is a genuinely signed document of Bob if t=m.

Information and Nework Security

How about Long Documents ?

- In the previous example, a document has to be an integer in [1,...,n)
- To sign a very long document, we need a so called one-way hash algorithm
- Instead of signing directly on a doc, we hash the doc first, and sign the hashed data which is normally short.

Information and Nework Security

One-Way Hash Algorithm

- A one-way hash algorithm hashes an input document into a condensed short output (say of 100 bits)
- Denoting a one-way hash algorithm by H(.), we have:
- Input: m - a binary string of any length
- Output: H(m) - a binary string of L bits, called the “hash of m under H”.
- The output length parameter L is fixed for a given one-way hash function H,
- eg
- The one-way hash function “MD5” has L = 128 bits
- The one-way hash function “SHA-1” has L = 160 bits

Information and Nework Security

A condensed short output, say of 100 bits

One-Way Hash AlgorithmA document (of any length)

Information and Nework Security

Properties of One-Way Hash Algorithm

- A good one-way hash algorithm H needs to have these properties:
- 1. Easy to Evaluate:
- The hashing algorithm should be fast
- I.e. given any document m, the hashed value h = H(m) can be computed quickly.
- 2. Hard to Reverse:
- There is no feasible algorithm to “reverse” a hashed value,
- I.e. given any hashed value h, it is computationally infeasible to find any document m such that H(m) = h.
- NOTE: An algorithm is called ‘One-Way’ if it has BOTH properties 1 and 2.
- 3. Hard to find Collisions:
- There is no feasible algorithm to find two or more input documents which are hashed into the same condensed output,
- I.e it is computationally infeasible to find any two documents m1, m2 such that H(m1)= H(m2).

Information and Nework Security

The One-way Property

But this direction is infeasible to compute!

Document m

(any length)

Document m

(any length)

This direction is easy to compute!

H

H

Hash value h

(length= L bits)

Hash value h

(length= L bits)

Information and Nework Security

Finding Collision is Infeasible

I, Bob, will pay

$1,000 to Alice.

I, Bob, will pay

$10,000 to Alice.

Document m1

Document m2

H

H

(same condensed output)

Information and Nework Security

100 bits

H

?

Network

100 bits

100 bits

Digital Signature (for long doc)Public Key Directory (Yellow/White Pages)

Bob:

Plain Text

Plain Text

1-way hash

Accept if equal

+

Signature

Signature

Secret Key

Bob

Public Key

Cathy

Information and Nework Security

Why Digital Signature ?

- Unforgeable
- takes 1 billion years to forge !
- Un-deniable by the signatory
- Universally verifiable
- Differs from doc to doc
- Easily implementable by
- software or
- hardware or
- software + hardware

Information and Nework Security

Unforgeable Digital Signature

I, Bob, will pay

$1,000 to Alice.

I, Bob, will pay

$10,000 to Alice.

101001010

001001101

a valid signature

also a valid signature

Information and Nework Security

Digital Signature -- summary

- Three (3) steps are involved in digital signature
- Setting up public and secret keys
- Signing a document
- Verifying a signature

Information and Nework Security

Setting up Public & Secret Keys

- Bob does the following
- prepares a pair of public and secret keys
- publishes his public key in the public key file (such as an on-line phone book)
- keeps the secret key to himself
- Note:
- Setting up needs only to be done once !

Information and Nework Security

Signing a Document

- Once setting up is completed, Bob can sign a document (such as a contract, a cheque, a certificate, ...) using the secret key
- The pair of document & signature is a proof that Bob has signed the document.

Information and Nework Security

Verifying a Signature

- Any party, say Cathy, can verify the pair of document and signature, by using Bob’s public key in the public key file.
- Important !
- Cathy does NOT have to have public or secret key !

Information and Nework Security

Download Presentation

Connecting to Server..