
Emerging Standards for Public-Key Cryptography






    1. RSA Data Security, Inc.
       Emerging Standards for Public-Key Cryptography
       Burt Kaliski, Chief Scientist, RSA Laboratories
       BRICS Summer School in Cryptology and Data Security, July 20-24, 1998

    2. © RSA 1998
       Introduction
       As research matures, it can be made “standard”: ’70s and ’80s research in public-key cryptography leads to standards in the ’90s
       This talk is a snapshot of some of the standards efforts — and the interesting issues they raise

    3. Outline
       I.   Survey of Standards Efforts
       II.  A General Model for Public-Key Standards
       III. Strong Primes: A Recurring Technical Debate
       IV.  Some Research Motivated by Standards

    4. Part I: Survey of Standards Efforts

    5. Why Standards?
       Many reasons:
         interoperability
         stability
         assurance
       De facto or de jure?

    6. Some Public-Key Standards Efforts
         ANSI X9F1
         IEEE P1363
         ISO/IEC JTC1 SC27
         US NIST

    7. ANSI X9F1
       Financial Services / Data and Information Security / Cryptographic Tools
       Corporate membership
       Quarterly meetings in North America
       www.x9.org

    8. ANSI X9F1 Efforts
       Some ANSI documents (drafts):
         X9.30  DSA signatures
         X9.31  RSA/RW signatures (rDSA)
         X9.42  DH/MQV key agreement
         X9.44  RSA key transport
         X9.62  elliptic curve signatures
         X9.63  EC key agreement / transport
         X9.79  prime generation

    9. IEEE P1363
       Standard Specifications for Public-Key Cryptography
       Sponsored by IEEE Microprocessor Standards Committee
       Individual participation
       Meetings mostly in North America
       grouper.ieee.org/groups/1363

    10. IEEE P1363 Coverage
        Three types of technique: key agreement, signature, encryption
        From three families:
          DL: discrete logarithm
          EC: elliptic curve
          IF: integer factorization
        Also, number theory background, security considerations

    11. IEEE P1363a
        Standard Specifications for Public-Key Cryptography: Additional Techniques
        In preparation
        More techniques, probably same families
        Identification likely to be added

    12. ISO/IEC JTC1 SC27
        International Organization for Standardization / International Electrotechnical Commission / Information Technology / IT Security Techniques
        National representation, with experts
        Meetings throughout the world
        www.iso.ch

    13. SC27 Efforts
        Some ISO/IEC documents:
          9796   Signatures with message recovery
          9798   Entity authentication
          11770  Key management
          13888  Nonrepudiation
          14888  Signatures with appendix
        Symmetric and public-key techniques

    14. U.S. NIST FIPS
        National Institute of Standards and Technology, part of U.S. Department of Commerce
        Federal Information Processing Standards (FIPS)
        Computer Security Act (1987) gives charter for government cryptography standards
        www.nist.gov

    15. NIST Efforts
        Some FIPS:
          186    Digital Signature Standard
          196    Entity Authentication
          new    Key Exchange / Agreement
        Others of interest:
          46-2   Data Encryption Standard
          180-1  Secure Hash Standard
          new    Advanced Encryption Standard

    16. Comparing the Efforts
        Different goals:
          ISO, IEEE: general building blocks
          ANSI: US banking requirements
          NIST: US government, commercial
        Coordination:
          IEEE, ANSI technical convergence
          NIST will accept ANSI signature standards for government purposes
          ISO TC68 adopts ANSI X9F1

    17. Application Standards of Interest
          S/MIME: messaging
          SSL / TLS: communications
          SET: bank card payments
          PKIX: public-key infrastructure

    18. RSA Laboratories’ PKCS
        Public-Key Cryptography Standards
        Informal, intervendor effort coordinated by RSA Laboratories
        Periodic workshops
        www.rsa.com/rsalabs/pubs/PKCS/

    19. PKCS Efforts
        Revisions and new documents:
          PKCS #1       RSA Cryptography v2.0 draft in review, includes Bellare-Rogaway OAEP
          PKCS #5       Password-Based Encryption
          PKCS #13      Elliptic Curve Cryptography
          PKCS #14      Pseudorandom Generation
          PKCS #15 (?)  Smart Card File Formats

    20. Part II: A General Model for Public-Key Standards

    21. A General Model
        Framework with abstraction, generally following P1363
        Three levels:
          primitives
          schemes
          protocols
        … plus key management

    22. P1363 Naming Convention
        General form: family type - instance, where
          family is DL, EC, IF
          type is one of:
            SP: Signature Primitive
            SSA: Signature Scheme with Appendix
            etc.
          instance is a particular algorithm, e.g., DSA, DH, RSA
        (e.g., DLSP-DSA is the DL-family Signature Primitive instantiated with DSA)

    23. Primitives
        Basic mathematical operations
        Low-level implementation, e.g., crypto-accelerator, software module
        Computational security, enhanced when combined with additional techniques in a scheme

    24. Types of Primitive
        Secret value derivation: shared secret value from public key(s), party’s private key(s)
        Signature and verification
        Encryption and decryption

    25. Example: DLSP-DSA / DLVP-DSA
        DSA signature / verification primitives
        DLSP-DSA ((p, q, g, x), m):
          r = (g^k mod p) mod q, k random
          s = k^-1 (m + xr) mod q
        DLVP-DSA ((p, q, g, y), m, (r, s)):
          r =? (g^(m/s) y^(r/s) mod p) mod q
          (m/s and r/s denote m s^-1 and r s^-1 mod q)

    26. Primitives in P1363
        Secret Value Derivation: DH, MQV in DL, EC families
        Signature / Verification:
          DSA, Nyberg-Rueppel in DL, EC families
          RSA with and w/o absolute value
          Rabin-Williams
        Encryption / Decryption: RSA

    27. Schemes
        Related operations combining primitives, additional techniques; a framework with options
        Medium-level implementation, e.g., cryptographic service library
        Complexity-theoretic security (ideally), completed when appropriately applied in a protocol

    28. Types of Scheme
        Key agreement
        Signature
          with appendix
          with message recovery
        Encryption
        Identification (in P1363a)

    29. Additional Techniques
        Encoding method: maps between message, data to be processed by primitive (for signature, encryption schemes)
        Key derivation function: maps from shared secret value to key (for key agreement schemes)

    30. Example: DL/ECSSA
        DL/EC signature scheme; options: SP / VP / encoding method
        Signature operation (privKey, M):
          S = SP (privKey, Encode (M))
        Verification operation (pubKey, M, S):
          VP (pubKey, Encode (M), S)         [DSA]
          Encode (M) =? VP (pubKey, S)       [NR]

    31. Encoding Methods for Signatures
        DL/EC signatures: Hash (M)
        IF signatures with appendix: Pad || HashID || Hash (M)
        IF signatures with message recovery: ISO9796-1 (M)

    32. Related Scheme Operations
        Domain parameter generation
        Domain parameter validation
        Key pair generation
        Public key validation
        Private key validation

    33. Schemes in P1363
        Key agreement: three DL/EC generic: DH1, DH2, MQV
        Signature with appendix: DL/EC generic, IF generic
        Signature with message recovery: IF generic
        Encryption: IF generic

    34. Protocols
        Sequence of operations to be performed by parties to achieve some security goal
        High-level implementation: applications, services
        “Real” security, but depends on implementation considerations
        (No protocols in P1363)

    35. Types of Protocol
        Key establishment
          key agreement
          key transport
        Entity authentication
        Data origin authentication
        Data confidentiality

    36. Part III: “Strong” Primes: A Recurring Technical Debate

    37. What is a “Strong” Prime?
        RSA key pair consists of
          public key (n, e)
          private key (n, d)
        where n = pq, p and q are large primes, and ed ≡ 1 mod (p-1)(q-1)
        A prime p is strong if p’, the largest prime factor of p-1, is large
        Are strong primes necessary?

    38. Early ’80s: Yes
        Pollard’s p-1 method (1974) can factor n in about p’ operations, so p’ should be large
        Gordon (1984) gives method for generating RSA keys efficiently with strong prime factors
        X.509 (1988) also mentions conditions
        Related conditions on p+1, p’-1, etc.
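To make the Pollard p-1 claim concrete, an added example that is not from the talk: a constructed RSA-style modulus whose factor p has a 50-smooth p-1 is split by the p-1 method with bound 50, while a modulus built from two primes of the form 2p'+1 (so p' is about half the size of p) survives the same attempt. The 26-bit sizes, the seeded random generator, the trial-division primality test and the helper names are this example's assumptions, chosen so it runs in well under a second.

```python
import math
import random


def primes_up_to(bound):
    """Sieve of Eratosthenes: the primes <= bound, in order."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, math.isqrt(bound) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_p in enumerate(sieve) if is_p]


def is_prime(n):
    """Trial division; fine for the ~26-bit demonstration values used here."""
    return n >= 2 and all(n % d for d in range(2, math.isqrt(n) + 1))


def pollard_p_minus_1(n, bound):
    """Pollard's p-1 method. Returns a nontrivial factor of n if some prime p | n has p-1
    made only of prime powers <= bound (so p' <= bound), otherwise None.
    Work is one modular exponentiation per prime up to the bound: about p' operations."""
    a = 2
    for r in primes_up_to(bound):
        e = 1
        while r ** (e + 1) <= bound:
            e += 1
        a = pow(a, r ** e, n)        # a = 2^L mod n where (p-1) | L for every such p
    g = math.gcd(a - 1, n)
    return g if 1 < g < n else None


rng = random.Random(1998)  # seeded so the constructed example is reproducible; never for real keys


def make_weak_prime(bits, smooth_bound):
    """Constructed 'weak' prime: p-1 is a product of distinct primes <= smooth_bound."""
    odd_small = primes_up_to(smooth_bound)[1:]
    while True:
        m = 2
        rng.shuffle(odd_small)
        for r in odd_small:
            if m.bit_length() >= bits:
                break
            m *= r
        if is_prime(m + 1):
            return m + 1


def make_strong_prime(bits):
    """Constructed 'strong' prime in the slide's sense: p = 2p' + 1 with p' prime,
    so the largest factor of p-1 is about p/2 and far above any practical bound."""
    while True:
        p_dash = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(p_dash) and is_prime(2 * p_dash + 1):
            return 2 * p_dash + 1


def demo(bits=26, bound=50):
    """Attack a modulus with a weak factor and one with two strong factors using the same bound."""
    weak = make_weak_prime(bits, bound)
    strong1 = make_strong_prime(bits)
    strong2 = make_strong_prime(bits)
    return {
        "weak": weak,
        "strong": (strong1, strong2),
        "weak_modulus_factor": pollard_p_minus_1(weak * strong1, bound),
        "strong_modulus_factor": pollard_p_minus_1(strong1 * strong2, bound),
    }


if __name__ == "__main__":
    result = demo()
    print("weak prime recovered:", result["weak_modulus_factor"] == result["weak"])
    print("strong modulus factored:", result["strong_modulus_factor"] is not None)
```

Raising the bound to cover a strong prime's p' would cost about p' exponentiations, which is the point of the early-'80s argument; slide 39's counter-argument is that ECM does not care about the structure of p-1 at all.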

    39. Late ’80s / Early ’90s: No
        Lenstra’s ECM (1987) can factor n in O(exp((2 ln p ln ln p)^(1/2))) operations, so p should be large
        … but if p is large and random, then p’ will be large with high probability
        Rivest (unpublished) argues that strong primes don’t help but don’t hurt either

    40. Late ’90s: Maybe
        What about signature repudiation?
          Dishonest user chooses n with weak prime
          Later, disavows signature, claiming that someone factored n by p-1 method
        ANSI X9.31 (1998) standardizes on strong primes for banking
          also, generates primes as one-way function of seed
        Still, are strong primes necessary?

    41. Part IV: Some Research Motivated By Standards

    42. Standards and Research
        Just as mature research is standardized, so standards efforts promote additional research
        Areas of research:
          efficient implementation
          cryptanalysis
          components in the “framework”

    43. Authenticated Encryption Schemes
        Problem: Construct authenticated encryption schemes for DL, EC, IF families with similar properties to OAEP, but with variable message length
        Several solutions proposed for P1363a

    44. Model
        C = Encrypt (pubKey, M, P)
        M = Decrypt (privKey, C, P)
          M  message
          C  ciphertext
          P  encoding parameters
        M, C, P arbitrary length

    45. Desired Properties
        One application of underlying primitive
        Plaintext-aware encryption:
          no partial information about M
          cannot generate C without M; hence, cannot modify M
        Binding of P to M: cannot modify P
        Weaker assumptions, i.e., not just random oracle model

    46. OAEP for RSA
        As in P1363 (and PKCS #1 v2.0 draft):
        Encrypt (pubKey, M, P):
          EM = Encode (M, P)
          C = EP (pubKey, EM)
        Decrypt (privKey, C, P):
          EM = DP (privKey, C)
          M = Decode (EM, P)
        M, C bounded; P arbitrary length

    47. OAEP Encoding
        Encode (M, P):
          EM = maskedSeed || maskedDB
        where
          maskedSeed = seed ⊕ G (maskedDB)
          maskedDB = DB ⊕ G (seed)
          DB = H (P) || pad || M
          seed random
          H hash function, G mask generation function
        Decode (EM, P): an exercise

    48. Limitations
        EM must be shorter than RSA modulus, so length of M is bounded
        Assumes encryption primitive, but DL/EC only has secret value derivation primitive
        Relies on random oracle model for G
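The Encode of slide 47 together with the Decode it leaves as an exercise, added here as an example that follows the slide's structure and is not the text of P1363 or PKCS #1: H is SHA-1 and G is the MGF1 counter construction from PKCS #1, both assumptions of this example, and pad is zero octets followed by a single 0x01 so that the decoder can locate M. The 127-octet encoded length (one octet shorter than a 1024-bit modulus, the bound slide 48 describes) and the function names are also this example's; the RSA primitives EP and DP are omitted since the slide's point is the encoding layer.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha1          # H of the slide; SHA-1 is this example's assumption
H_LEN = HASH().digest_size


def mgf1(seed, length):
    """Mask generation function G: MGF1, hash of seed || 4-byte counter, concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message, params, em_len, seed=None):
    """Encode(M, P): EM = maskedSeed || maskedDB with DB = H(P) || pad || M,
    maskedDB = DB xor G(seed), maskedSeed = seed xor G(maskedDB)."""
    if len(message) > em_len - 2 * H_LEN - 1:
        raise ValueError("message too long for this encoded length")   # the bound of slide 48
    pad = b"\x00" * (em_len - len(message) - 2 * H_LEN - 1) + b"\x01"
    db = HASH(params).digest() + pad + message
    seed = os.urandom(H_LEN) if seed is None else seed                  # fresh random seed
    if len(seed) != H_LEN:
        raise ValueError("seed must be one hash length")
    masked_db = xor(db, mgf1(seed, em_len - H_LEN))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return masked_seed + masked_db


def oaep_decode(em, params, em_len):
    """Decode(EM, P): undo the two masks, then check H(P) and the pad structure.
    Every failure raises the same exception so a caller learns nothing about which check failed."""
    if len(em) != em_len or em_len < 2 * H_LEN + 1:
        raise ValueError("decoding error")
    masked_seed, masked_db = em[:H_LEN], em[H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, em_len - H_LEN))
    p_hash, rest = db[:H_LEN], db[H_LEN:]
    sep = 0
    while sep < len(rest) and rest[sep] == 0:      # skip the zero padding
        sep += 1
    ok = hmac.compare_digest(p_hash, HASH(params).digest())
    ok = ok and sep < len(rest) and rest[sep] == 1
    if not ok:
        raise ValueError("decoding error")
    return rest[sep + 1:]


def demo(em_len=127):
    """Round trip, then show that P is bound to M: decoding under a different P fails."""
    params = b"constructed encoding parameters"
    message = b"constructed sample plaintext"
    em = oaep_encode(message, params, em_len)
    recovered = oaep_decode(em, params, em_len)
    try:
        oaep_decode(em, params + b"x", em_len)
        p_bound = False
    except ValueError:
        p_bound = True
    return recovered == message and p_bound


if __name__ == "__main__":
    print("round trip and P binding hold:", demo())
```

The H(P) check is what gives the "binding of P to M" property of slide 45, and the fixed em_len is the length bound of slide 48 made explicit: with SHA-1, a 127-octet EM carries at most 86 octets of M.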

    49. IF Encryption Ideas
        1. Encrypt only part of EM (various)
             removes bound on length of M
             which part?
        2. Construct G only partly from random oracle (Bellare, Rogaway 1996)
        3. Add more “rounds” to OAEP (Johnson, Matyas, Peyravian 1996)
             may reduce assumptions, need for seed

    50. DL/EC Encryption Ideas
        General: Generate shared secret value K as in key agreement scheme, combine with M, P
        1. Encode M as in OAEP, exclusive-OR K with part of result (various)
        2. Combine with MACs, reduced r.o. methods (Bellare, Rogaway 1996)
        3. Combine with universal hash functions, mask generation (Zheng 1996)

    51. Some Other Recent Results
        Security of “unified model” of DH key agreement (Blake-Wilson, Johnson, Menezes 1997)
        RSA key validation (Liskov, Silverman 1997)
        Storage-efficient basis conversion (Kaliski, Yin 1998)

    52. Conclusions
        Research in cryptology and data security is leading to standards, and vice versa
        Several standards efforts for different sectors, but coordinated
        General model for public-key standards emerging
        … and some technical debate continues
