CSCE 715: Network Systems Security

Chin-Tser Huang

[email protected]

University of South Carolina

Distribute Secret Keys Using Asymmetric Encryption
  • Can use previous methods to obtain public key of other party
  • Although public key can be used for confidentiality or authentication, asymmetric encryption algorithms are too slow
  • So usually want to use symmetric encryption to protect message contents
  • Can use asymmetric encryption to set up a session key
Simple Secret Key Distribution
  • Proposed by Merkle in 1979
    • A generates a new temporary public key pair
    • A sends B the public key and A’s identity
    • B generates a session key Ks and sends encrypted Ks (using A’s public key) to A
    • A decrypts message to recover Ks and both use
Problem with Simple Secret Key Distribution
  • An adversary can intercept and impersonate both parties of protocol
    • A generates a new temporary public key pair {KUa, KRa} and sends KUa || IDa to B
    • Adversary E intercepts this message and sends KUe || IDa to B
    • B generates a session key Ks and sends encrypted Ks (using E’s public key)
    • E intercepts message, recovers Ks and sends encrypted Ks (using A’s public key) to A
    • A decrypts message to recover Ks and both A and B unaware of existence of E
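
The exchange above, as an added Python example that is not part of the original slides: it runs the protocol honestly, then with E substituting KUe for KUa, and then with B comparing the offered key against a fingerprint obtained out of band. Textbook RSA over small constructed primes stands in for the asymmetric cipher; the names `keypair`, `rsa`, `fingerprint` and `run` and the pinned-fingerprint check are assumptions made for the illustration.

```python
import hashlib

def keypair(p, q, e=17):
    """Textbook RSA from two small primes (no padding; illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))        # (public KU, private KR)

def rsa(key, m):
    n, exp = key
    return pow(m, exp, n)

def fingerprint(ku):
    return hashlib.sha256(repr(ku).encode()).hexdigest()

def run(ks, a_keys, e_keys=None, pinned_fp=None):
    """One protocol run. Returns (Ks recovered by A, Ks learned by E or None)."""
    ku_a, kr_a = a_keys
    offered = e_keys[0] if e_keys else ku_a    # E swaps KUa for KUe, keeps IDa
    if pinned_fp is not None and fingerprint(offered) != pinned_fp:
        raise ValueError("offered public key does not match the pinned one")
    c = rsa(offered, ks)                       # B -> A: Ks under the key B received
    learned = None
    if e_keys:
        learned = rsa(e_keys[1], c)            # E decrypts with KRe
        c = rsa(ku_a, learned)                 # and re-encrypts under KUa
    return rsa(kr_a, c), learned

# Constructed toy parameters; Ks must be smaller than both moduli.
A_KEYS = keypair(61, 53)
E_KEYS = keypair(89, 97)
KS = 1234

if __name__ == "__main__":
    print(run(KS, A_KEYS))                     # honest run
    print(run(KS, A_KEYS, E_KEYS))             # substitution goes unnoticed by A and B
    try:
        run(KS, A_KEYS, E_KEYS, pinned_fp=fingerprint(A_KEYS[0]))
    except ValueError as err:
        print("rejected:", err)
```

A recovers the same Ks in the honest and the intercepted run, so nothing in the protocol itself reveals E; only the comparison against a key B already trusts does.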
Distribute Secret Keys Using Asymmetric Encryption
  • if A and B have securely exchanged public-keys


Problem with Previous Scenario
  • Message (4) is not protected by N2
    • An adversary can intercept message (4) and replay an old message or insert a fabricated message
Order of Encryption Matters
  • What can be wrong with the following protocol?

AB: N

BA: EKUa[EKRb[Ks||N]]

  • An adversary sitting between A and B can get a copy of secret key Ks without being caught by A and B!
Diffie-Hellman Key Exchange
  • First publicly proposed public-key type scheme
  • By Diffie and Hellman in 1976 along with advent of public key concepts
  • A practical method for public exchange of secret key
  • Used in a number of commercial products
Diffie-Hellman Key Exchange
  • Use to set up a secret key that can be used for symmetric encryption
    • cannot be used to exchange an arbitrary message
  • Value of key depends on the participants (and their private and public key information)
  • Based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) – easy
  • Security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard
Primitive Roots
  • From Euler’s theorem: $a^{\phi(n)} \bmod n = 1$
  • Consider $a^m \bmod n = 1$, $\gcd(a,n) = 1$
    • must exist for $m = \phi(n)$ but may be smaller
    • once powers reach m, cycle will repeat
  • If smallest is $m = \phi(n)$ then a is called a primitive root
  • if p is prime and a is a primitive root of p, then successive powers of a “generate” the group mod p
  • Not every integer has primitive roots
Discrete Logarithms
  • Inverse problem to exponentiation is to find the discrete logarithm of a number modulo p
  • Namely find x where $a^x = b \bmod p$
  • Written as $x = \log_a b \bmod p$ or $x = \mathrm{dlog}_{a,p}(b)$
  • If a is a primitive root of p then discrete logarithm always exists, otherwise may not
    • $3^x = 4 \bmod 13$ has no answer
    • $2^x = 3 \bmod 13$ has an answer 4
  • While exponentiation is relatively easy, finding discrete logarithms is generally a hard problem
Diffie-Hellman Setup
  • All users agree on global parameters
    • large prime integer or polynomial q
    • α which is a primitive root mod q
  • Each user (e.g. A) generates its key
    • choose a private key (number): $x_A < q$
    • compute its public key: $y_A = \alpha^{x_A} \bmod q$
  • Each user publishes its public key
Diffie-Hellman Key Exchange
  • Shared session key for users A and B is $K_{AB}$:

$K_{AB} = \alpha^{x_A \cdot x_B} \bmod q$

$= y_A^{x_B} \bmod q$ (which B can compute)

$= y_B^{x_A} \bmod q$ (which A can compute)

  • $K_{AB}$ is used as session key in symmetric encryption scheme between A and B
  • Attacker needs $x_A$ or $x_B$, which requires solving discrete log
Diffie-Hellman Example
  • Given Alice and Bob who wish to swap keys
  • Agree on prime q=353 and α=3
  • Select random secret keys:
    • A chooses $x_A = 97$, B chooses $x_B = 233$
  • Compute public keys:
    • $y_A = 3^{97} \bmod 353 = 40$ (Alice)
    • $y_B = 3^{233} \bmod 353 = 248$ (Bob)
  • Compute shared session key as:

$K_{AB} = y_B^{x_A} \bmod 353 = 248^{97} \bmod 353 = 160$ (Alice)

$K_{AB} = y_A^{x_B} \bmod 353 = 40^{233} \bmod 353 = 160$ (Bob)
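
An added Python example (not from the original slides) that ties the primitive-root, discrete-logarithm and Diffie-Hellman slides together: it checks that 3 is a primitive root of 353, reproduces the mod-13 discrete-log cases and the exchange above, and shows that a prime this small lets an eavesdropper recover $x_A$ from $y_A$. Baby-step giant-step is the discrete-log method chosen here, and all function names are assumptions of the example.

```python
from math import isqrt

def prime_factors(n):
    found, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            found.add(d)
            n //= d
        d += 1
    if n > 1:
        found.add(n)
    return found

def is_primitive_root(a, p):
    """a generates the group mod prime p iff a^((p-1)/r) != 1 for each prime r | p-1."""
    return all(pow(a, (p - 1) // r, p) != 1 for r in prime_factors(p - 1))

def dlog(a, b, p):
    """Baby-step giant-step: smallest x with a^x = b (mod p), or None."""
    m = isqrt(p - 1) + 1
    baby = {}
    for j in range(m):
        baby.setdefault(pow(a, j, p), j)      # keep the smallest j per value
    giant, target = pow(a, -m, p), b % p
    for i in range(m):
        if target in baby:
            return i * m + baby[target]
        target = target * giant % p
    return None

def dh_exchange(q, alpha, x_a, x_b):
    """Return (yA, yB, key as A computes it, key as B computes it)."""
    y_a, y_b = pow(alpha, x_a, q), pow(alpha, x_b, q)
    return y_a, y_b, pow(y_b, x_a, q), pow(y_a, x_b, q)

if __name__ == "__main__":
    print(is_primitive_root(3, 353), is_primitive_root(3, 13))
    print(dlog(3, 4, 13), dlog(2, 3, 13))
    y_a, y_b, k_a, k_b = dh_exchange(353, 3, 97, 233)
    print(y_a, y_b, k_a, k_b)
    # With q this small, an eavesdropper recovers xA from yA alone.
    print(dlog(3, y_a, 353), pow(y_b, dlog(3, y_a, 353), 353))
```

The search costs about $\sqrt{q}$ steps, which is why the setup slide asks for a large prime.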

Elliptic Curve Cryptography
  • Majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very large numbers/polynomials
  • Imposes a significant load in storing and processing keys and messages
  • An alternative is to use elliptic curves
  • Offers same security with smaller bit sizes
Real Elliptic Curves
  • An elliptic curve is defined by an equation in two variables x and y, with coefficients
  • Consider a cubic elliptic curve of form
    • $y^2 = x^3 + ax + b$
    • where x, y, a, b are all real numbers
    • also define zero point O
  • Have addition operation for elliptic curve
    • geometrically, sum of P+Q is reflection of intersection R
Finite Elliptic Curves
  • Elliptic curve cryptography uses curves whose variables and coefficients are finite
  • Two families are commonly used
    • prime curves $E_p(a,b)$ defined over $Z_p$
      • use integers modulo a prime
      • best in software
    • binary curves $E_{2^m}(a,b)$ defined over $GF(2^m)$
      • use polynomials with binary coefficients
      • best in hardware
Elliptic Curve Cryptography
  • ECC addition is analog of modulo multiply
  • ECC repeated addition is analog of modulo exponentiation
  • Need a “hard” problem equivalent to discrete logarithm
    • Q=kP, where Q, P belong to a prime curve
    • is “easy” to compute Q given k, P
    • but “hard” to find k given Q, P
    • known as the elliptic curve logarithm problem
  • Certicom example: $E_{23}(9,17)$
ECC Diffie-Hellman
  • Can do key exchange analogous to D-H
  • Users select a suitable curve $E_p(a,b)$
  • Select base point $G = (x_1, y_1)$ with large order n s.t. $nG = O$
  • A and B select private keys $n_A$
  • Compute public keys: $P_A = n_A \times G$, $P_B = n_B \times G$
  • Compute shared key: $K = n_A \times P_B$, $K = n_B \times P_A$
    • same since $K = n_A \times n_B \times G$
ECC Encryption/Decryption
  • Must first encode any message M as a point on the elliptic curve $P_m$
  • Select suitable curve and point G as in D-H
  • Each user chooses private key $n_A$
  • To encrypt $P_m$:

$C_m = \{kG,\ P_m + kP_B\}$, k random

  • To decrypt $C_m$:

$P_m + kP_B - n_B(kG) = P_m + k(n_B G) - n_B(kG) = P_m$

ECC Security
  • Relies on elliptic curve logarithm problem
  • Fastest method is “Pollard rho method”
  • Compared to factoring, ECC can use much smaller key sizes than with RSA
  • For equivalent key lengths computations are roughly equivalent
  • Hence for similar security ECC offers significant computational advantages
Next Class
  • Message authentication
  • Hashing functions
  • Message digests
  • Read Chapters 11 and 12