www1.idc.ac.il/compsec/public-key%20cryptography

innocentsick (Artificial Intelligence and Robotics)

21 Nov 2013 (3 years and 6 months ago)


Public-Key Cryptography

Dr. Ron Rymon

Efi Arazi School of Computer Science

IDC, Herzliya. 2010/11

Pre-Requisites: Conventional Cryptography

Overview

- Public-Key Cryptography
- Crossword puzzles (Merkle's puzzles)
- Diffie-Hellman
- RSA
- Elliptic Curves
- Digital Signatures
- Key Management for Public-Key Cryptography

Public-Key Cryptography

Main sources: Network Security Essentials / Stallings; Applied Cryptography / Schneier

Motivation

- Until the early 70s, cryptography was mostly owned by government and military
  - Key distribution is more manageable and better funded there
- Symmetric cryptography is not ideal for commercialization
  - Enormous key distribution problem; most parties may never meet physically
  - Must ensure authentication, to avoid impersonation and fabrication
- A few researchers (Diffie, Hellman, Merkle), in addition to the IBM group, started exploring cryptography because they realized it is critical to the forthcoming digital world
  - Privacy
  - Effective commercial relations
  - Payment
  - Voting

Public-Key Cryptography

- Idea: use separate keys to encrypt and decrypt
  - First proposed by Diffie and Hellman
  - Independently proposed by Merkle (1976)
- Pair of keys for each user
  - Generated by the user himself
  - Public key is advertised
  - Private key is kept secret, and it is computationally infeasible to discover it from the public key and ciphertexts
  - In some systems (RSA being the classic case) each key can decrypt messages encrypted using the other key; this symmetry is not a property of every public-key scheme (Diffie-Hellman, El Gamal and DSA have no such encryption/decryption symmetry)
- Applications:
  - Encryption
  - Authentication (Digital Signature)
  - Key Exchange (to establish a Session Key)

Crossword Puzzles

- Ralph Merkle's Key Exchange Algorithm
  - Alice generates MANY puzzles and sends them to Bob
  - Bob chooses ONE and solves it (by brute force; each puzzle is designed to take a moderate amount of work)
  - The solution includes an identifier and a key
  - Bob communicates the identifier to Alice
  - Alice and Bob communicate using the key
- Important observation: Eve would have to solve ALL the puzzles (on average half of them) to identify the right one and the key. With N puzzles, Bob does the work of one puzzle while Eve does the work of about N/2 puzzles: only a quadratic gap between the honest parties and the attacker.
- First attempt, cumbersome, and impractical, but very revolutionary at the time
- Later, Merkle suggested using NP-hard problems
  - Hard to solve, but easy to check (e.g., knapsack)
  - Also proven inadequate later (see the Merkle-Hellman knapsack below)
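A small simulation of the puzzle exchange described above, as an added example that is not part of the original slides. It assumes a toy "cipher" (SHA-256 used as a keystream generator keyed by a 10-bit puzzle secret) and a recognisable marker so the solver knows when a puzzle is cracked; both are modelling choices, not part of Merkle's paper. It runs all three roles and counts the brute-force work of Bob versus Eve, who must crack puzzles until she hits the announced identifier.

```python
"""Toy simulation of Merkle's puzzle key exchange (added example, not from the slides)."""
import hashlib
import secrets

PUZZLE_BITS = 10          # size of each puzzle's secret: solving one costs up to 2**10 trials
MARKER = b"PUZZ"          # lets a solver recognise the correct decryption (assumption)


def _pad(small_key: int, length: int) -> bytes:
    """Keystream derived from the small puzzle secret (toy cipher: SHA-256 as a PRF)."""
    return hashlib.sha256(small_key.to_bytes(4, "big")).digest()[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def alice_make_puzzles(count: int):
    """Alice builds `count` puzzles, each hiding (identifier, 16-byte session key) under a
    PUZZLE_BITS-bit secret. She keeps an id -> key table to look the answer up later."""
    puzzles, table = [], {}
    for ident in range(count):
        key = secrets.token_bytes(16)
        small = secrets.randbelow(1 << PUZZLE_BITS)
        body = MARKER + ident.to_bytes(4, "big") + key
        puzzles.append(_xor(body, _pad(small, len(body))))
        table[ident] = key
    secrets.SystemRandom().shuffle(puzzles)      # position must not reveal the identifier
    return puzzles, table


def solve_puzzle(puzzle: bytes):
    """Brute-force one puzzle. Returns (identifier, key, trials_used)."""
    for trial, small in enumerate(range(1 << PUZZLE_BITS), start=1):
        body = _xor(puzzle, _pad(small, len(puzzle)))
        if body.startswith(MARKER):
            return int.from_bytes(body[4:8], "big"), body[8:], trial
    raise ValueError("no solution found; puzzle corrupted")


def run_exchange(count: int):
    """Full protocol plus Eve's best strategy. Returns keys and work counts."""
    puzzles, table = alice_make_puzzles(count)
    # Bob: pick ONE puzzle, solve it, announce only the identifier.
    ident, bob_key, bob_work = solve_puzzle(secrets.choice(puzzles))
    alice_key = table[ident]                       # Alice looks the key up by identifier
    # Eve: sees every puzzle and the identifier, so she must crack puzzles until it shows up.
    eve_work, eve_key = 0, None
    for pz in puzzles:
        i, k, w = solve_puzzle(pz)
        eve_work += w
        if i == ident:
            eve_key = k
            break
    return {"bob_key": bob_key, "alice_key": alice_key, "eve_key": eve_key,
            "bob_work": bob_work, "eve_work": eve_work}


if __name__ == "__main__":
    r = run_exchange(64)
    print("keys agree:", r["bob_key"] == r["alice_key"])
    print(f"Bob tried {r['bob_work']} secrets; Eve needed {r['eve_work']} (up to 64x more)")
```

Eve always ends up with the key too; the scheme only buys a work factor proportional to the number of puzzles, which is why the slide calls it cumbersome.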

Diffie-Hellman Key Exchange

- First public-key algorithm, based on the difficulty of computing discrete logarithms modulo a large prime n
- Protocol:
  - Use the key exchange protocol to establish a session key
  - Use the session key to encrypt the actual communication
- Algorithm:
  - Choose a large prime n and a primitive root g of n (both public)
  - Alice selects a secret x and sends Bob X = g^x mod n
  - Bob selects a secret y and sends Alice Y = g^y mod n
  - Alice computes K = Y^x mod n
  - Bob computes K = X^y mod n
  - Both arrive at the same K = g^(xy) mod n; Eve sees only g, n, X and Y

Diffie-Hellman Protocol

- DH does not offer authentication
  - Trudy can use a man-in-the-middle attack
  - Impersonating Alice to Bob and vice versa
  - Using her own key (or different keys) with each side, so that she shares one key with Alice and another with Bob, and relays (and reads) everything in between
- Solution: establish a public directory
  - Each person publishes (g, n, g^x)
  - This is the public key (the corresponding x is the private key)
  - Note: g, n may be different from one user to another
- Make sure not to select x = 0 or x = 1: then X = 1 or X = g, and the key K = Y^x is 1 or Y, which Eve can compute. For the same reason a received X or Y equal to 0, 1 or n-1 should be rejected.
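The two slides above (the exchange and Trudy's man-in-the-middle) as running code, added here and not part of the original slides. It uses a textbook-sized group (n = 23, g = 5, a primitive root mod 23) so the values are readable; the check that rejects the trivial public values 0, 1 and n-1 is the practitioner's caveat mentioned above, not something the slides spell out.

```python
"""Diffie-Hellman over a prime field, with Trudy's man-in-the-middle (added example)."""
import secrets

# Textbook-sized parameters so the numbers are readable: n = 23 is prime and g = 5 is a
# primitive root mod 23. Real deployments use 2048-bit or larger groups (e.g. RFC 3526).
N, G = 23, 5


def check_public_value(v: int, n: int) -> int:
    """Reject 0, 1 and n-1 (the values produced by x = 0, x = 1, or an order-2 element):
    they pin the shared key to something Eve can compute. Caveat added here, not a slide item."""
    if not 0 < v < n or v in (1, n - 1):
        raise ValueError(f"unsafe public value {v}")
    return v


def keygen(n: int = N, g: int = G):
    """Secret exponent x in [2, n-2] and public value X = g^x mod n."""
    while True:
        x = secrets.randbelow(n - 3) + 2
        X = pow(g, x, n)
        if X not in (1, n - 1):
            return x, X


def shared_key(secret: int, other_public: int, n: int = N) -> int:
    """K = (peer's public value)^secret mod n, after validating the peer's value."""
    return pow(check_public_value(other_public, n), secret, n)


def honest_exchange(n: int = N, g: int = G):
    """Alice and Bob each derive K; the third value is g^(xy) mod n for comparison."""
    x, X = keygen(n, g)
    y, Y = keygen(n, g)
    return shared_key(x, Y, n), shared_key(y, X, n), pow(g, x * y, n)


def mitm_exchange(n: int = N, g: int = G):
    """Unauthenticated DH: Trudy swaps X and Y for her own values and ends up holding one
    key with Alice and another with Bob. Returns (K_alice, K_bob, Trudy's copy of each)."""
    x, X = keygen(n, g)          # Alice's X, intercepted by Trudy
    y, Y = keygen(n, g)          # Bob's Y, intercepted by Trudy
    t1, T1 = keygen(n, g)        # Trudy sends T1 to Bob in place of X
    t2, T2 = keygen(n, g)        # Trudy sends T2 to Alice in place of Y
    k_alice = shared_key(x, T2, n)           # Alice believes T2 came from Bob
    k_bob = shared_key(y, T1, n)             # Bob believes T1 came from Alice
    k_trudy_alice = shared_key(t2, X, n)
    k_trudy_bob = shared_key(t1, Y, n)
    return k_alice, k_bob, k_trudy_alice, k_trudy_bob


if __name__ == "__main__":
    a, b, expected = honest_exchange()
    print("honest exchange:", a, b, expected)
    ka, kb, tka, tkb = mitm_exchange()
    print("MITM: Trudy holds Alice's key:", tka == ka, " Bob's key:", tkb == kb)
```

Nothing in the exchange itself tells Alice that T2 did not come from Bob; that is exactly the gap the public directory (and later, certificates) closes.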

Two-Key Public-Key Encryption

- Sender uses the public key of the receiver to encrypt
- Receiver uses her private key to decrypt

Two-Key Public-Key Authentication

- The sender encrypts some message (e.g., a certificate) with his own private key
- The receiver, by decrypting with the sender's public key, verifies that the sender possesses the private key

Public-Key Algorithms: The Requirements

- It is computationally feasible to generate a pair of keys
- It is computationally easy to encrypt using the public key
- It is computationally easy to decrypt using the private key
- It is computationally infeasible to compute the private key from the public key
- It is computationally infeasible to recover the plaintext from the public key and ciphertext
- Useful, but not required of every algorithm: either of the keys can decrypt a message encrypted using the other key

RSA

- Developed by Rivest, Shamir, and Adleman (1977)
- Most widely used public key algorithm
- Receives its security from the difficulty of factoring large numbers
- Actually discovered first at UK GCHQ (Ellis and Cocks) in 1973!
- Algorithm:
  - Works as a block cipher, where each plaintext/ciphertext block is an integer between 0 and n-1 (so a block carries at most log2 n bits, roughly k bits for a k-bit modulus n)
  - Each receiver chooses e, d
  - The values of e and n are made public; d is kept secret
  - Encryption: C = M^e mod n
  - Decryption: M = C^d mod n = M^(ed) mod n
- Requisites:
  - Find e, d such that M = M^(ed) mod n for all M < n
  - Make sure that d cannot be computed from n and e, not even if a ciphertext is available

RSA Keys and Key Generation

- Select primes p and q, n = pq
- φ(n) = (p-1)(q-1); the Euler totient of n
  - The number of integers between 1 and n that are relatively prime to n, i.e., |{m | gcd(m, n) = 1}|
- Select an integer e < φ(n) such that gcd(φ(n), e) = 1
  - Guarantees that e^(-1) mod φ(n) exists
- Calculate d such that d = e^(-1) mod φ(n)
  - Use the extended Euclidean algorithm
- Now, for every M < n, we have M^(ed) = M^(1 mod φ(n)) = M (mod n)
  - Euler's theorem gives this directly when gcd(M, n) = 1; the Chinese Remainder Theorem extends it to every M < n
- Note:
  - The message could have been encrypted with d and decrypted by e

Recall Math Backgrounder

- Fermat's Little Theorem
  - For a prime p and any a such that 0 < a < p, a^(p-1) = 1 mod p
- Euler's extension
  - For any n and any a such that 0 < a < n and gcd(a, n) = 1, a^φ(n) = 1 mod n
  - For primes p, q and any a such that gcd(a, pq) = 1, a^((p-1)(q-1)) = 1 mod pq
  - Hence, M^(ed) mod n = M^(k(p-1)(q-1)+1) mod n = 1 × M = M
- To generate primes, use a primality test
  - For a non-prime, Fermat's theorem will usually fail on a random a
  - Carmichael numbers are the rare exception: they pass the Fermat test for every a coprime to them, and if one is chosen in place of a prime, decryption won't work. Checking more a's drives the error down for ordinary composites but does not help against Carmichael numbers; the Miller-Rabin test (the "Rabin method" used for DSA below) has no such blind spot
  - Primes are dense enough (roughly one of every k k-bit numbers is prime)
- GCD to select e takes O(log n) steps
- Calculate d = e^(-1) mod φ(n) with the extended Euclidean algorithm: O(log n) steps
- Exponentiation (Encrypt/Decrypt) takes O(log n) modular multiplications
- RSA gets its security from the difficulty of factoring n = pq
RSA Example

- Key Generation
  - Select p = 7, q = 17, n = pq = 119, φ(119) = 6 × 16 = 96
  - Select e = 5; calculate d = 77 (77 × 5 = 385 = 4 × 96 + 1 = 1 mod 96)
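The key generation, encryption and decryption of the preceding slides, together with the backgrounder's point about primality testing, as an added example that is not part of the original slides. It reproduces the textbook key above (p = 7, q = 17, e = 5 gives n = 119, d = 77), shows that the Fermat test accepts the Carmichael number 561 = 3 × 11 × 17 for every coprime base while Miller-Rabin rejects it, and generates a random key of realistic size. Python 3.8+ is assumed for pow(e, -1, m), which is the extended Euclidean inverse the slides refer to.

```python
"""RSA key generation, encryption and decryption from first principles (added example,
not from the slides): the textbook key p = 7, q = 17, e = 5, d = 77, the Fermat test
fooled by the Carmichael number 561, Miller-Rabin, and a random key of realistic size."""
import math
import secrets


def fermat_passes(n: int, a: int) -> bool:
    """Fermat test with base a: a^(n-1) = 1 (mod n). Necessary for primes, not sufficient."""
    return pow(a, n - 1, n) == 1


def fermat_liars_fraction(n: int) -> float:
    """Share of bases a in [2, n-2] coprime to n that pass the Fermat test. For a prime it
    is 1.0; for most composites it is small; for a Carmichael number it is also 1.0, so
    testing more bases never catches it."""
    coprime = [a for a in range(2, n - 1) if math.gcd(a, n) == 1]
    return sum(fermat_passes(n, a) for a in coprime) / len(coprime)


def miller_rabin(n: int, rounds: int = 40) -> bool:
    """Write n-1 = 2^s d with d odd and check a^d, a^(2d), ... for the square-root pattern
    a prime modulus forces. Each round fools at most 1/4 of the bases, Carmichael or not."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    s, d = 0, n - 1
    while d % 2 == 0:
        s, d = s + 1, d // 2
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                 # no -1 appeared: a is a witness of compositeness
    return True


def random_prime(bits: int) -> int:
    """Odd candidates with the top bit set, until Miller-Rabin accepts one."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if miller_rabin(cand):
            return cand


def make_key(p: int, q: int, e: int):
    """(n, e, d) from given primes: d = e^-1 mod phi(n), phi(n) = (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return n, e, pow(e, -1, phi)         # Python 3.8+: modular inverse via extended Euclid


def generate_key(bits: int = 512, e: int = 65537):
    """Two distinct primes of bits/2 each; retry if e is not invertible mod phi(n)."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return make_key(p, q, e)


def encrypt(m: int, n: int, e: int) -> int:
    """Textbook RSA on one block: C = M^e mod n. Real use needs randomized padding (OAEP)."""
    if not 0 <= m < n:
        raise ValueError("a block is an integer in [0, n)")
    return pow(m, e, n)


def decrypt(c: int, n: int, d: int) -> int:
    return pow(c, d, n)


if __name__ == "__main__":
    n, e, d = make_key(7, 17, 5)                       # slide: n = 119, d = 77
    c = encrypt(19, n, e)
    print(f"n={n} e={e} d={d}: 19 -> {c} -> {decrypt(c, n, d)}")
    print("561: Fermat liars", fermat_liars_fraction(561), "Miller-Rabin", miller_rabin(561))
    n, e, d = generate_key(512)
    m = secrets.randbelow(n)
    print("512-bit round trip ok:", decrypt(encrypt(m, n, e), n, d) == m)
```

With the textbook key, M = 19 encrypts to 66 and decrypts back to 19. The 561 case is the one to remember: a Fermat-only key generator can accept a composite "prime", after which some ciphertexts simply do not decrypt.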

Attacks on the RSA Algorithm

- If one could factor n, which is public, into p and q, then d could be calculated (as the inverse of e mod (p-1)(q-1)), and then the message deciphered
- If one could guess the value of φ(n) = (p-1)(q-1), even without factoring n, then again d could be computed as the inverse of e

Attacks on the RSA Protocol

- Chosen ciphertext attack
  - Attack: get the key holder to sign (decrypt) a chosen message
  - Input: original (unknown) ciphertext C = M^e mod n
  - Construct
    - X = R^e mod n, for a random R with gcd(R, n) = 1
    - Y = XC mod n (looks like a random block to the signer)
  - Ask the key holder to sign Y, obtaining U = Y^d mod n
  - Compute
    - T = R^(-1) mod n
    - TU mod n = R^(-1) Y^d mod n = R^(-1) X^d C^d mod n = R^(-1) R C^d mod n = C^d mod n = M, since X^d = R^(ed) = R
  - Exploits the preservation of multiplication in the group (the RSA homomorphism): (ab)^d = a^d b^d mod n
- Conclusion:
  - Never sign a random (attacker-supplied) message
  - Sign only hashes
  - Use different keys for encryption and signature
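The blinding attack above, worked with the slide's textbook key (n = 119, e = 5, d = 77), as an added example that is not part of the original slides. A raw signing oracle leaks M; a hash-then-sign oracle, which is the slide's "sign only hashes" conclusion, breaks the multiplicative structure the attack relies on. The hash is reduced mod n only because the toy modulus is tiny (an assumption of this example; real schemes use a padding scheme such as RSASSA-PSS).

```python
"""Chosen-ciphertext (blinding) attack on raw RSA signing, and why hashing first blocks it.
Added example; uses the slide's textbook key n = 119, e = 5, d = 77."""
import hashlib

N, E, D = 119, 5, 77           # from the RSA example slide: p = 7, q = 17


def raw_sign(y: int) -> int:
    """Victim's oracle that 'signs' (decrypts) any block handed to it: U = Y^d mod n."""
    return pow(y, D, N)


def hash_then_sign(message: bytes) -> int:
    """Safer oracle: signs only H(message), never a raw block. The reduction mod N is a
    toy-size assumption; real schemes use RSASSA-PSS or PKCS#1 v1.5 encoding."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % N
    return pow(h, D, N)


def blinding_attack(c: int, r: int, oracle) -> int:
    """Eve holds C = M^e and wants M without d. She picks R coprime to n, forms
    Y = R^e * C, has the oracle sign it and strips R: R^-1 * Y^d = R^-1 * R * C^d = M."""
    x = pow(r, E, N)                 # X = R^e mod n
    y = (x * c) % N                  # Y = X * C mod n, looks random to the victim
    u = oracle(y)                    # U = Y^d mod n
    t = pow(r, -1, N)                # T = R^-1 mod n (needs gcd(R, n) = 1)
    return (t * u) % N               # T * U = C^d = M


def attack_against_hashing(c: int, r: int) -> int:
    """Same steps against a hash-then-sign oracle: Eve must hand Y over as a message, the
    oracle hashes it, and the result R^-1 * H(Y)^d is unrelated to M."""
    x = pow(r, E, N)
    y = (x * c) % N
    u = hash_then_sign(y.to_bytes(1, "big"))       # y < 119 fits in one byte
    return (pow(r, -1, N) * u) % N


if __name__ == "__main__":
    m = 19
    c = pow(m, E, N)                 # Eve intercepts this ciphertext (66)
    print("raw oracle leaks M:", blinding_attack(c, 10, raw_sign) == m)
    print("hash-then-sign leaks M:", attack_against_hashing(c, 10) == m)
```

The attack needs no weakness in RSA itself, only a party willing to apply d to an arbitrary block, which is also why using one key pair for both encryption and signing is discouraged.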

Other precautions when implementing the RSA protocol

- Do not use the same n for multiple users
  - A third party can sometimes decipher if the same message is encrypted using both encryption (public) keys, without needing either decryption (private) key (the common modulus attack); moreover, any user who holds a key pair for n can factor n
- Always pad messages with random bytes, making sure that M is about the same size as n
  - If e is small, there is an attack that uses e(e+1)/2 linearly dependent messages, and if the messages are small it is easier to find linearly dependent ones
- Do not choose low values for e and d
  - For e, see above; there is also an attack on small d's (Wiener's attack, for d below roughly n^(1/4))

Elliptic Curve Cryptography

- ECC addresses the cost of exponentiation in DH and RSA: comparable security with much shorter keys and cheaper operations
- Uses Abelian groups with an addition law defined on the points of a cubic equation
  - E.g., y^2 = x^3 + ax + b (for some a, b)
  - For R = P + Q, find the third point where the line through P and Q intersects the curve (use the tangent line if P = Q). This point is -R, and R is its mirror image (reflection across the x-axis)
  - O is the point at infinity and is defined by O = P + (-P). As a result it is also the identity, since P + O = P
- Can also be defined over GF(p) (all coordinates and arithmetic mod p)
  - Consider Q = kP (P added to itself k times, mod p)
  - Easy to compute Q from k and P (double-and-add, O(log k) point operations)
  - Difficult to determine k from P and Q (the elliptic curve discrete logarithm problem): no shortcut comparable to factoring or index calculus is known, so the best generic attacks take about √n steps for a group of order n

Elliptic Curve Key Exchange

- Key Generation
  - Select/agree on a cubic curve (p, a, b) --- public
  - Select a base point G with a high order n --- public
    - i.e., the smallest n such that nG = O
  - Private key of Alice is an integer K_A < n
  - Public key of Alice is K_A × G
- Key Exchange
  - Alice and Bob send their public keys to each other
  - Each of them multiplies the received point by their own private key
  - Agreed Key = K_A × K_B × G
  - Like DH but uses point addition (scalar multiplication) instead of exponentiation
  - Each side should check that the received point actually lies on the agreed curve before using it
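The curve arithmetic and the exchange of the two slides above as running code, added here and not part of the original slides. It runs on the toy curve y^2 = x^3 + 2x + 2 over GF(17) with base point G = (5, 1) of order 19 (a standard textbook example, chosen here so every intermediate value is small) and, to show the same code at real size, on the standardized curve secp256k1; both parameter sets are this example's choice, not the slides'. The on-curve check before multiplying the peer's point is the caveat noted above.

```python
"""Elliptic-curve point arithmetic over GF(p) and the key exchange from the slides
(added example). Toy curve y^2 = x^3 + 2x + 2 over GF(17), G = (5, 1) of order 19, plus
secp256k1 to show the same code at real size. Points are (x, y) tuples; None is O."""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Curve:
    p: int   # field prime
    a: int   # coefficient a of y^2 = x^3 + ax + b
    b: int   # coefficient b
    gx: int  # base point G
    gy: int
    n: int   # order of G: smallest n with nG = O

    @property
    def G(self):
        return (self.gx, self.gy)

    def on_curve(self, P) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0


TOY = Curve(p=17, a=2, b=2, gx=5, gy=1, n=19)
SECP256K1 = Curve(
    p=2**256 - 2**32 - 977, a=0, b=7,
    gx=0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
    gy=0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
    n=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141)


def point_add(c: Curve, P, Q):
    """Chord-and-tangent addition: the line through P and Q meets the curve a third time
    at -R; R is its mirror image across the x-axis."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return None                                                   # P + (-P) = O
    if P == Q:
        lam = (3 * x1 * x1 + c.a) * pow(2 * y1 % c.p, -1, c.p) % c.p   # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % c.p, -1, c.p) % c.p          # chord slope
    x3 = (lam * lam - x1 - x2) % c.p
    y3 = (lam * (x1 - x3) - y1) % c.p
    return (x3, y3)


def scalar_mult(c: Curve, k: int, P):
    """Q = kP by double-and-add: O(log k) point operations."""
    R = None
    while k > 0:
        if k & 1:
            R = point_add(c, R, P)
        P = point_add(c, P, P)
        k >>= 1
    return R


def ec_keygen(c: Curve):
    """Private scalar in [1, n-1] and public point k*G."""
    k = secrets.randbelow(c.n - 1) + 1
    return k, scalar_mult(c, k, c.G)


def shared_secret(c: Curve, my_private: int, peer_public):
    """Check the peer's point lies on the agreed curve before multiplying: a crafted
    off-curve point would leak bits of my_private (invalid-curve attack)."""
    if peer_public is None or not c.on_curve(peer_public):
        raise ValueError("peer public key is not a point on the agreed curve")
    S = scalar_mult(c, my_private, peer_public)
    if S is None:
        raise ValueError("degenerate shared point")
    return S


def ecdh(c: Curve):
    """Both sides of the exchange; returns Alice's and Bob's shared points (equal)."""
    ka, QA = ec_keygen(c)
    kb, QB = ec_keygen(c)
    return shared_secret(c, ka, QB), shared_secret(c, kb, QA)


if __name__ == "__main__":
    print("2G =", point_add(TOY, TOY.G, TOY.G), " 19G =", scalar_mult(TOY, 19, TOY.G))
    sa, sb = ecdh(TOY)
    print("toy ECDH agrees:", sa == sb, sa)
    sa, sb = ecdh(SECP256K1)
    print("secp256k1 ECDH agrees:", sa == sb)
```

On the toy curve 2G = (6, 3), 18G = (5, 16) = -G and 19G = O, which is the "smallest n such that nG = O" of the slide; the same scalar_mult reaches O at the published group order of secp256k1.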

Timing and Power Attacks

- Ciphertext-only attack
  - No mathematical analysis of the cipher itself
- How it works
  - Measure the effort (time, power) needed to decrypt a message
  - Correlate the effort with the probability that certain key bits are on
- Idea
  - Different algorithms work more on certain combinations of bit values
  - E.g., in RSA (square-and-multiply) the exponentiation effort depends on the number of exponent bits that are 1; with a per-iteration power trace, each bit can be read off individually
- Solutions:
  - Idle computation to randomize and even out the timing
  - Better: constant-time exponentiation (e.g., a Montgomery ladder) and blinding of the exponent or the message
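A simulation of the leak described above, added here and not part of the original slides. It instruments square-and-multiply to record how many modular multiplications each exponent bit costs, shows that this record alone reveals the textbook private exponent d = 77, and contrasts a Montgomery ladder whose per-bit work is constant. The operation count stands in for a measured timing or power trace (an assumption of this example; Python's big-integer multiplication is itself not constant-time, which this simulation does not model).

```python
"""Simulated timing / power side channel on RSA exponentiation (added example)."""


def square_and_multiply(base: int, exp: int, mod: int):
    """Left-to-right binary exponentiation. Returns (result, trace) where trace[i] is the
    number of modular multiplications spent on the i-th exponent bit (MSB first)."""
    result, trace = 1, []
    for bit in bin(exp)[2:]:
        result = result * result % mod          # always: one squaring
        ops = 1
        if bit == "1":
            result = result * base % mod        # only for 1-bits: the leak
            ops += 1
        trace.append(ops)
    return result, trace


def montgomery_ladder(base: int, exp: int, mod: int):
    """Same result, but every bit costs exactly one multiply and one square; the bit only
    selects which of the two registers receives which product."""
    r0, r1, trace = 1, base % mod, []
    for bit in bin(exp)[2:]:
        if bit == "0":
            r1 = r0 * r1 % mod
            r0 = r0 * r0 % mod
        else:
            r0 = r0 * r1 % mod
            r1 = r1 * r1 % mod
        trace.append(2)
    return r0, trace


def recover_exponent_from_trace(trace) -> int:
    """Attacker's view of a per-iteration trace: an iteration with two multiplications
    processed a 1-bit, one multiplication a 0-bit. Fully recovers the exponent."""
    return int("".join("1" if ops == 2 else "0" for ops in trace), 2)


def hamming_weight_from_total_time(total_ops: int, exp_bits: int) -> int:
    """Coarser, timing-only view: total work = (#bits) squarings + (#1-bits) multiplies,
    so even the total alone leaks the Hamming weight of the secret exponent."""
    return total_ops - exp_bits


if __name__ == "__main__":
    n, d, c = 119, 77, 66            # textbook key from the RSA example; c = 19^5 mod 119
    m, trace = square_and_multiply(c, d, n)
    print("plaintext", m, "trace", trace)
    print("recovered d =", recover_exponent_from_trace(trace))
    print("Hamming weight of d =", hamming_weight_from_total_time(sum(trace), d.bit_length()))
    m2, trace2 = montgomery_ladder(c, d, n)
    print("ladder plaintext", m2, "per-bit cost", set(trace2))
```

The ladder trace is [2, 2, 2, ...] whatever d is, which is the point of the "even out" countermeasure; real implementations additionally blind the exponent so that even a residual data-dependent cost is not correlated with the same secret twice.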

Other Public-Key Algorithms

- Merkle-Hellman Knapsack Algorithms
  - First public-key cryptography (not key exchange) algorithm (1976) - patented
  - Encode a message as a series of solutions to knapsack problems (NP-hard). An easy (superincreasing) knapsack serves as the private key, and a hard knapsack as the public key
  - Broken by Shamir and Zippel in 1980, showing a reconstruction of the superincreasing knapsack from the normal knapsack
- Rabin
  - Based on the difficulty of finding square roots modulo n
  - Encryption is faster: C = M^2 mod n (n = pq)
  - Decryption is a bit complicated and the plaintext has to be selected from 4 possibilities (which also makes it awkward to use for signatures)
- El Gamal
  - Based on the difficulty of calculating discrete logarithms in a finite field
  - Elliptic Curves can be used to implement El Gamal and Diffie-Hellman faster

Digital Signatures

Main sources: Network Security Essentials / Stallings; Applied Cryptography / Schneier

Public-Key Digital Signature

- Same as authentication
  - The sender encrypts a message with his own private key
  - The receiver, by decrypting with the sender's public key, verifies key possession

Digital Signatures

- It is possible to use the entire message, encrypted with the private key, as the digital signature
  - But, this is computationally expensive
  - And, anyone can then decrypt the original message
- Alternatively, a digest of the message can be signed
  - Should be short
  - Prevents recovery of the original message from the signature (the digest is one-way)
  - Prevents modification of the original message (the digest is collision-resistant: a different message with the same digest cannot be found)
  - Difficult to fake a signature for
- If message authentication (integrity) is needed, we sign the hash code of the message
- If only source authentication is needed, a different message can be signed (a certificate)

Digital Signature Algorithm (DSA)

- Proposed in 1991 by NIST as a standard (DSS)
- Based on the difficulty of computing discrete logarithms (like Diffie-Hellman and El Gamal)
- Encountered resistance because RSA was already the de-facto standard, and had already drawn significant investment
  - DSA cannot be used for encryption or key distribution
  - RSA is advantageous in most applications (except smart cards)
    - RSA verification is about 10x faster (small public exponent)
    - DSA signing is faster (one modular exponentiation, which can be precomputed before the message is known), which is what suits smart cards
  - Concerns about an NSA backdoor (a discrete-log table can be built for some specially chosen primes; hence the standard's method for generating p and q verifiably from a seed)
- Key size was increased from 512 to 2048 and 3072 bits
  - In DSA, the modulus p has to be far larger than the security level (3072-bit p with a 256-bit q for 128-bit security)
- DSA has an Elliptic Curve version (ECDSA)
  - Faster to compute, and requires far fewer bits (key size about twice the security level)

Description of DSA

- Parameters
  - p is a prime number with up to 1024 bits --- public key
  - q is a 160-bit factor of (p-1), and itself prime --- public key
  - g = h^((p-1)/q) mod p (h is random, chosen so that g > 1) --- public key
  - x is the private key and is smaller than q --- private key
  - y = g^x mod p is part of the public key --- public key
- Signature
  - Given a message M, generate a random k < q --- keep secret, and never reuse it (two signatures made with the same k reveal x)
  - Signature is the pair (r, s)
    - send r = (g^k mod p) mod q --- signature
    - send s = k^(-1) (H(M) + xr) mod q --- signature
  - If r = 0 or s = 0, choose a new k
- Verification
  - Compute w = s^(-1) mod q
  - Compute u1 = H(M) w mod q; u2 = r w mod q
  - Compute v = (g^u1 × y^u2 mod p) mod q
  - If v = r then the signature is verified --- verification

Key Generation in DSA

- Generate q as a SHA hash of an arbitrary 160-bit string
  - If not prime, try another string
  - Use the Rabin method (Miller-Rabin) for primality testing
- To get (p-1)
  - Concatenate additional 160-bit hash outputs until you reach the right size (e.g., 1024 bits)
  - Subtract the remainder after division by 2q
    - q is a factor of p-1 by construction
    - Since p-1 is even, 2 is also a factor
- If p is not prime, repeat the process
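The signing and verification equations of the "Description of DSA" slide in code, with the check a practitioner wants on the "keep secret" note: what happens when k is reused. This is an added example, not part of the original slides. It assumes toy parameters so every value is readable: p = 607 and q = 101 are prime, q divides p - 1 = 606 = 6 × 101, and g = 2^6 mod 607 = 64 has order q; the hash is SHA-256 reduced to the size of q (real DSA truncates the hash to q's bit length and uses 2048/3072-bit p).

```python
"""DSA signing, verification and nonce-reuse key recovery (added example, not from the
slides). Toy parameters: p = 607, q = 101 (q | p-1 = 606), g = 2^((p-1)/q) mod p = 64."""
import hashlib
import secrets

P, Q, G = 607, 101, 64


def dsa_params_ok(p: int, q: int, g: int) -> bool:
    """q | p-1, 1 < g < p and g^q = 1 (mod p): g generates the subgroup of order q."""
    return (p - 1) % q == 0 and 1 < g < p and pow(g, q, p) == 1


def h_int(message: bytes) -> int:
    """H(M) as an integer reduced to the size of q (toy reduction; see lead-in)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q


def keygen():
    """Private x < q, public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(message: bytes, x: int, k: int = None):
    """r = (g^k mod p) mod q, s = k^-1 (H(M) + x r) mod q. A caller-supplied k exists only
    so the reuse attack can be demonstrated; production code draws a fresh, unpredictable k
    for every signature."""
    while True:
        kk = k if k is not None else secrets.randbelow(Q - 1) + 1
        r = pow(G, kk, P) % Q
        s = pow(kk, -1, Q) * (h_int(message) + x * r) % Q
        if r != 0 and s != 0:
            return r, s
        if k is not None:
            raise ValueError("supplied k yields r = 0 or s = 0")


def verify(message: bytes, sig, y: int) -> bool:
    """w = s^-1, u1 = H(M) w, u2 = r w, v = (g^u1 y^u2 mod p) mod q; accept iff v = r."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = h_int(message) * w % Q
    u2 = r * w % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r


def recover_private_key(m1: bytes, sig1, m2: bytes, sig2) -> int:
    """Two signatures made with the same k share r. Then s1 - s2 = k^-1 (H1 - H2), so
    k = (H1 - H2) / (s1 - s2), and from s1 = k^-1 (H1 + x r): x = (s1 k - H1) / r (mod q)."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        raise ValueError("no visible k reuse (r differs) or identical signatures")
    k = (h_int(m1) - h_int(m2)) * pow((s1 - s2) % Q, -1, Q) % Q
    return (s1 * k - h_int(m1)) * pow(r1, -1, Q) % Q


if __name__ == "__main__":
    assert dsa_params_ok(P, Q, G)
    x, y = keygen()
    sig = sign(b"pay 100 to Bob", x)
    print("valid:", verify(b"pay 100 to Bob", sig, y), " tampered:", verify(b"pay 900 to Bob", sig, y))
    s1, s2 = sign(b"first", x, 7), sign(b"second", x, 7)      # same k twice: the mistake
    print("private key x =", x, " recovered =", recover_private_key(b"first", s1, b"second", s2))
```

The recovery needs only two signatures and their messages, all public; a predictable or repeated k is therefore equivalent to publishing the private key, which is why deterministic nonce derivation (RFC 6979) is preferred in practice.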

One-Time Signatures (Merkle)

- Key Generation
  - Let t = n + 1 + log n, where n is the message size in bits (the extra 1 + log n bits hold a count between 0 and n)
  - Select random K_1, ..., K_t (private key)
  - Let V_i = H(K_i) for a hash function H (public key)
- Signature
  - Let C be the number of 0's in the message M
  - Let W = M || C, and let A_1 ... A_t be W's bits
  - The signature is (S_1 ... S_u) such that S_j = K_l if A_l is the j-th 1-bit of W
- Verification
  - Compute W as above
  - Compute H(S_j) for each 1-bit and compare it to the (properly indexed) V_l
- Why the count C: changing a 1-bit of M to 0 increases C, so the forger would need some K_l that was never revealed; changing a 0 to 1 needs the unrevealed K_l for that position. The key pair must still be used only once, since every signature reveals part of the private key
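The scheme above in code, as an added example that is not part of the original slides. It assumes SHA-256 for H and 32-byte random strings for the K_i, represents messages as bit lists (the slide's A_1 ... A_t) and includes the forgery attempt that the appended zero count is there to defeat: an attacker holding one valid signature tries to sign the message with a single bit flipped using only the K_l that signature revealed.

```python
"""Merkle's one-time signature as described on the slide (added example, not from the
slides). H is SHA-256; keys are 32-byte random strings; messages are lists of bits."""
import hashlib
import secrets


def _H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def bits_of(data: bytes):
    """Big-endian bit list of a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def ots_keygen(n_bits: int):
    """t = n + 1 + floor(log2 n) = n + n.bit_length() secrets K_1..K_t (private key);
    V_i = H(K_i) is the public key. The extra bits hold the zero count C in [0, n]."""
    t = n_bits + n_bits.bit_length()
    private = [secrets.token_bytes(32) for _ in range(t)]
    return private, [_H(k) for k in private]


def _expand(message_bits, n_bits: int):
    """W = M || C, with C = number of 0-bits in M written in n.bit_length() bits."""
    if len(message_bits) != n_bits or any(b not in (0, 1) for b in message_bits):
        raise ValueError("message must be a list of exactly n bits")
    width = n_bits.bit_length()
    zeros = message_bits.count(0)
    return list(message_bits) + [(zeros >> (width - 1 - i)) & 1 for i in range(width)]


def ots_sign(message_bits, private, n_bits: int):
    """S_j = K_l for the j-th position l where W has a 1-bit."""
    w = _expand(message_bits, n_bits)
    return [private[l] for l, bit in enumerate(w) if bit == 1]


def ots_verify(message_bits, signature, public, n_bits: int) -> bool:
    """Recompute W; H(S_j) must equal V_l at each 1-bit position l, in order."""
    w = _expand(message_bits, n_bits)
    ones = [l for l, bit in enumerate(w) if bit == 1]
    return len(ones) == len(signature) and all(_H(s) == public[l] for s, l in zip(signature, ones))


def forge_by_flipping(message_bits, signature, n_bits: int, pos: int):
    """Attacker holding one valid signature tries to sign M with bit `pos` flipped, using
    only the K_l that signature revealed. Returns a signature if every needed K_l is known,
    else None. 1->0 raises C, which needs a fresh K_l in the count field; 0->1 needs the
    unrevealed K_l of that message position. So it fails in both directions."""
    w = _expand(message_bits, n_bits)
    known = dict(zip([l for l, bit in enumerate(w) if bit == 1], signature))
    flipped = list(message_bits)
    flipped[pos] ^= 1
    needed = [l for l, bit in enumerate(_expand(flipped, n_bits)) if bit == 1]
    if any(l not in known for l in needed):
        return None
    return [known[l] for l in needed]


if __name__ == "__main__":
    msg = bits_of(b"\xb2")                  # 1011 0010: four 1-bits, four 0-bits
    priv, pub = ots_keygen(8)
    sig = ots_sign(msg, priv, 8)
    print("valid:", ots_verify(msg, sig, pub, 8), " parts revealed:", len(sig), "of", len(priv))
    print("forge 1->0:", forge_by_flipping(msg, sig, 8, 0), " forge 0->1:", forge_by_flipping(msg, sig, 8, 1))
```

For the 8-bit message 10110010, W = 10110010 || 0100, so five of the twelve secrets are revealed by the signature; a second signature under the same key would reveal more of them, which is the "one-time" restriction.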

Key Management for Public-Key Cryptographic Protocols

Main sources: Network Security Essentials / Stallings; Applied Cryptography / Schneier

Certificate Authority: Verifying the Public Key

- How do we ensure that Charles doesn't pretend to be Bob by publishing a public key "for Bob"? Then, using a man-in-the-middle attack, Charles can read the message, re-encrypt it and resend it to Bob
- Bob prepares a certificate with his identifying information and his public key
- The Certificate Authority (CA) verifies the details and signs Bob's certificate
- Bob can publish the signed certificate; anyone holding the CA's public key can check the signature before trusting Bob's key

More on (Public) Key Management

- Alice may have more than one key
  - e.g., a personal key and a work key
- Where shall Alice store her keys?
  - Alice may not want to trust her work administrator with her personal banking key
- Distributed certification à la X.509
  - A root CA certifies intermediate authorities, who certify organizations, who certify others (a certification hierarchy)
- Distributed certification à la PGP
  - Alice will present her certificate with "introducers" who vouch for her (the web of trust, built up at key-signing parties)
- Key Escrow
  - The US Escrowed Encryption Standard suggests that private keys be split in half and kept by two government agencies
  - Clipper: for cellular phone encryption
  - Capstone: for computer communication

Summary

Cryptography Summary

- Cryptography (and steganography) were always considered a strategic tool
  - Used mostly by governments and military organizations
  - Served to keep top secrets, and in wars
- Different generations were characterized by either the cryptographers or the cryptanalysts winning the battle
  - Today, cryptographers seem certainly on top, with "unbreakable" ciphers (but remember Vigenère's "unbreakable" cipher...)
- Must remember that cryptanalysis is not the only attack
  - It is usually the hardest way to break a message
  - May attack human weaknesses in the crypto protocol
  - May attack the communication, hosts, etc.
  - Much easier to get information using the good old 3 Bs: bribery, burglary, and bending