1 / 20

CS 5920 Applied Cryptography Spring 2014 Chapter 10 Other Public Key Cryptosystems

CS 5920 Applied Cryptography Spring 2014 Chapter 10 Other Public Key Cryptosystems. Cryptography and Network Security Fifth Edition, by William Stallings . Diffie-Hellman Key Exchange. the first published public-key algorithm

farrah-diaz
Download Presentation

CS 5920 Applied Cryptography Spring 2014 Chapter 10 Other Public Key Cryptosystems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS 5920 Applied CryptographySpring 2014Chapter 10 Other Public Key Cryptosystems Cryptography and Network Security Fifth Edition, by William Stallings

  2. Diffie-Hellman Key Exchange • the first published public-key algorithm • by Diffie & Hellman in 1976 along with the exposition of public key concepts • note: now know that Williamson (UK CESG) secretly proposed the concept in 1970 • is a practical method for public exchange of a secret key • used in a number of commercial products

  3. Diffie-Hellman Key Exchange • enables two users to securely exchange a secretkey, which can be used for subsequent encryption • value of the secretkey depends on the participants (and their private and public key information) • security relies on • exponentiation in a finite (Galois) field (modulo a prime or a polynomial) is easy • computing discrete logarithms (similar to factoring) is hard recall: find i such that b = ai (mod p), written as i = dloga,p b if a is a primitive root of p then i always exists a, a2, a3, … , ap-1 (mod p) are distinct integers from 1 to p-1

  4. Diffie-Hellman Setup • all users agree on global parameters: • a large prime integer: q • a primitive root of q: a • suppose users A and B wish to exchange a secret key • user A • selects a random integer XA < q , computes YA = aXA mod q • user B independently • selects a random integer XB < q , computes YB = aXB mod q • each side keeps X as private key, makes Y as public key

  5. Diffie-Hellman Key Exchange • KAB is the exchanged secret key for users A & B: KAB =YBXA mod q //A can compute = (aXB mod q)XA mod q = (aXB)XA mod q =aXBXA mod q = (aXA)XB mod q = (aXA mod q)XB mod q =YAXB mod q //B can compute • A and B subsequently use KAB for symmetric encryption • attacker knows q,a,YA,YB;needs to know XAorXB • XA = dloga,qYA orXB = dloga,qYB hard for large numbers

  6. Diffie-Hellman Example • users Alice & Bob who wish to exchange a secret key: • agree on prime q=353 and a=3 (is a primitive root) • select random private keys: • A chooses XA=97, B chooses XB=233 • compute respective public keys: • YA=397 mod 353 = 40 (Alice) • YB=3233 mod 353 = 248 (Bob) • compute shared session key as: • KAB= YBXA mod 353 = 24897 = 160 (Alice) • KAB= YAXB mod 353 = 40233= 160 (Bob)

  7. Key Exchange Protocols • could be between two users A and B • could be between a group of users • both are vulnerable to a Man-in-the-Middle Attack

  8. Man-in-the-Middle Attack Darth: XD1 YD1 • KAD = YD2XA mod q = YAXD2 mod q • KBD = YBXD1 mod q = YD1XB mod q • Darth can eavesdrop or modify messages • due to the authenticity of two parties are not established • use public-key certificates and digital signatures to overcome Darth: XD2 YD2 Darth can just use one pair, i.e.,(XD1,YD1)=(XD2,YD2)

  9. ElGamal Cryptography • public-key cryptosystem related to D-H • so uses exponentiation in a finite (Galois) field • security depends on difficulty of computing discrete logarithms, as in D-H • very closely related to the D-H • used in a number of standards • DSS (digital signature standard) • S/MIME email standard

  10. ElGamal Setup • all users agree on global parameters: • a large prime integer: q • a primitive root of q: a • user B wants to securely send a message to user A • user A • selects a random integer XA<q-1 • computes YA = aXA mod q • A’ private key is XA; A’ public key is {q, a, YA}

  11. ElGamal Message Exchange • B encrypt a message to send to A computing • represent message M in range: 0 ≤ M ≤ q-1 • longer messages must be sent as blocks • choose a random integer k with 1 ≤ k ≤ q-1 • compute a one-time key K = YAk mod q • encrypt and send M as a pair of integers (C1,C2)where • C1 = ak mod q ; C2 = KM mod q • A then recovers message by • recovering key Kas K = C1XA mod q • computing M as M = C2K-1 mod q • Proof (K: same as in D-H; K-1: multiplicative inverse in GF(q))

  12. ElGamal Example • use field GF(19) q=19 and a=10(a primitive root) • Alice computes her key: • A chooses XA=5 & computes YA = 105 mod 19 = 3 • Bob send message M=17 as (11,5) by • choosing a random k=6 • computing K = YAk mod q = 36 mod 19 = 7 • computing C1 = ak mod q = 106 mod 19 = 11; C2 = KM mod q = 7*17 mod 19 = 5 • Alice recovers original message by computing: • recover K = C1XA mod q = 115 mod 19 = 7 • Compute multiplicative inverse K-1 = 7-1 = 11 • recover M = C2 K-1 mod q = 5*11 mod 19 = 17

  13. ElGamal Long Message Exchange • longer messages must be sent as blocks, and a unique value of k should be used for each block • otherwise, once one plaintext block, e.g, M1, is known by attackers, others can be computed. Let

  14. Elliptic Curve Cryptography (ECC) • the key length of RSA has increased over the years • a heavier processing load, especially on small devices • ECC offers same security as RSA, with smaller key size • ECC is newer, but not as well analyzed • can provide key exchange, encryption, digital signature • involves the use of an elliptic curve equation defined over a finite field (variables & coefficients are finite) • security depends on the difficulty of computing elliptic curve logarithm

  15. Comparable Key Sizes for Equivalent Security

  16. PRNG Algorithms (chap 7) • purpose-built algorithms • linear congruential generator • Blum Blum Shub (BBS) generator • RC4 (for stream cipher) • algorithms based on existing cryptographic algorithms, which essentially need to randomize input • based on symmetric block ciphers • based on asymmetric ciphers (chapter 10) • based on hash functions and MACs (chapter 12)

  17. Pseudorandom Number Generation (PRNG) based on Asymmetric Ciphers • asymmetric encryption algorithms produce apparently random output • hence can be used to build a pseudorandom number generator (PRNG) • much slower than symmetric algorithms • hence only use to generate a short pseudorandom bit sequence (e.g., session key)

  18. PRNG based on RSA • Micali-Schnorr PRNG using RSA • in ANSI X9.82 and ISO 18031 Similar to OFB mode used as PRNG A portion of output is used as feedback, ensuring unpredictability

  19. Six Requirements in Micali-Schnorr PRNG • n=pq //RSA, p and q are two primes • 1<e<ø(n), gcd(e,ø(n))=1 //RSA • re ≥ 2*N, N= floor(log2n)+1 • ensure exponentiation requires a full modular reduction • r ≥ 2*strength • strength is a value in {112, 128, 192, 256} • 2strenghis the amount of work to break the security • k, r are multiple of 8 //ease of implementation • k ≥ 8; r+k = N //all bits are used • r should be large to meet the requirements 3, 4 • k should be large to get more bits in each encryption • e.g., e=3, N=1024, re ≥ 2*N, r ≥ 683, k≤341

  20. Summary • have considered: • Diffie-Hellman key exchange • ElGamal cryptography • Elliptic Curve cryptography • Pseudorandom Number Generation (PRNG) based on Asymmetric Ciphers

More Related