Electronic Payment Systems 20-763 Lecture 6 Epayment Security II

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Electronic Payment Systems

20
-
763



Lecture 6

Epayment Security II



20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Public
-
Key (Asymmetric) Encryption

1. USERS WANT TO


SEND PLAINTEXT


TO RECIPIENT WEBSITE

2. SENDERS USE SITE’S PUBLIC


KEY FOR ENCRYPTION

3. SITE USES ITS PRIVATE


KEY FOR DECRYPTION

4. ONLY WEBSITE CAN


DECRYPT THE CIPHERTEXT.


NO ONE ELSE KNOWS HOW

SOURCE: STEIN,
WEB SECURITY

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Public
-
Key Encryption

•
Alice wants to send Bob a secure message M.

•
Alice uses Bob’s public key to encrypt M.

•
Bob uses his private key to decrypt M.

•
Bob is the ONLY ONE who can do this,

so M is secure.

•
Problem: Anyone could have sent it. Was it really Alice?

ALICE’S

CLEAR

TEXT

ALICE’S

CODED

TEXT

ALICE’S

CODED

TEXT

ALICE’S

CLEAR

TEXT

TRANSM ISSION

BOB DECRYPTS WITH

HIS PRIVATE KEY

ALICE ENCRYPTS WITH

BOB’S PUBLIC KEY

BOB’S

PUBLIC
KEY

BOB’S

PRIVATE
KEY

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Digital Authentication

•
Alice wants to send Bob a message M so that Bob is sure Alice
is the sender.

•
Alice uses her own private key to encrypt M.

•
Bob uses Alice’s public key to decrypt M.

•
Alice is the ONLY ONE who could have sent it.

•
Problem 1: Anyone can read it! Problem 2: Replay attack!

ALICE’S

CLEAR

TEXT

ALICE’S

CODED

TEXT

ALICE’S

CODED

TEXT

ALICE’S

CLEAR

TEXT

TRANSM ISSION

BOB DECRYPTS WITH

ALICE’S PUBLIC KEY

ALICE ENCRYPTS WITH

HER PRIVATE KEY

ALICE’S

PRIVATE

KEY

ALICE’S

PUBLIC

KEY

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Secure Authenticated Messages

•
Alice must send Bob a
secret

&
authenticated

message M so
Bob is sure it was sent by Alice. Use
both

encryption and
signature.

ALICE’S

CODED

TEXT

ALICE’S

CODED

TEXT

(AUTHENTICATED)

ALICE’S

CLEAR

TEXT

BOB DECRYPTS WITH

ALICE’S PUBLIC KEY

ALICE ENCRYPTS WITH

HER PRIVATE KEY

ALICE ENCRYPTS WITH

BOB’S PUBLIC KEY

ALICE’S

CODED AND

SIGNED TEXT

ALICE’S

CODED AND

SIGNED TEXT

T

R

A

N

S

M

I

T

ALICE’S

CLEAR TEXT

(DECRYPTED AND

AUTHENTICATED)

BOB DECRYPTS WITH

HIS PRIVATE KEY

BOB’S PUBLIC

ALICE’S PUBLIC

BOB’S PRIVATE

ALICE’S PRIVATE

4 KEYS

NEEDED:

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

One
-
Way Trapdoor Function

•
A function that is easy to compute

•
Computationally difficult to invert
without knowing the
secret

(the “trapdoor”)

•
Example:
f

(x, y) = x•y

•
Given
f

(x, y), it is difficult to find either x or y

•
Given
f

(x, y) and x (the secret), it is easy to find y

•
Any one
-
way trapdoor function can be used in public
-
key cryptography.


20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Rivest
-
Shamir
-
Adelman (RSA)

•
It is easy to
multiply

two numbers but apparently hard
to
factor

a number into a product of two others.

•
Given p, q, it is easy to compute n = p • q

•
Example: p = 5453089; q = 3918067

•

Easy to find n = 21365568058963

•
Given n, hard to find two numbers p, q with p • q = n

•
Now suppose n = 7859112349338149


What are p and q such that p • q = n ?

•
Multiplication is a
one
-
way function

•
RSA exploits this fact in public
-
key encryption


20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

RSA Encryption

•
Select two large prime numbers p, q (e.g. 1024 bits)

•
Let n = p • q

•
Choose a small odd integer e that does not divide

m =
(p
-

1)(q
-

1). Then x
(p
-
1)(q
-
1)
= 1 (mod n)

•
Compute d = e
-
1
(mod m
)

–
That is, d • e gives remainder 1 when divided by m

–
Then x
e

•d
= x (mod n) (by Fermat’s “Little” Theorem)

•
Public key is the pair (e, n)

•
Private key is the pair (d, n)

•
Knowing (e, n) is of no help in finding d. Still need p
and q, which involves factoring n

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

MULTIPLICATION

MOD 7


INVERSE OF 5 IS 3

Multiplicative Inverses

Over Finite Fields

•
The inverse e
-
1

of a number e satisfies e
-
1
• e = 1

•
The inverse of 5 is 1/5

•
If we only allow numbers from 0 to n
-
1 (mod n), then for special
values of n, each e has a unique inverse


6
•

2 = 12

WHEN DIVIDED BY 7

GIVES REMAINDER 5

EACH ROW EXCEPT

THE ZERO ROW

HAS EXACTLY ONE 1


EACH ELEMENT HAS

A UNIQUE INVERSE

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

RSA Encryption

•
Message M is a
number


•
To encrypt message M using key (e, n):

•
Compute C(M) = M

e

(mod n)


•
To decrypt message C using key (d, n):

•
Compute P(C) = C

d

(mod n)




•
Note that P(C(M)) = C(P(M)) = (M

e
)
d
(mod n)


= M

e
•
d
(mod n) = M

because e
•
d = 1 and m = (p
-
1)(q
-
1)

•
DEMO


20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

RSA Example

p = 61; q = 53

n = pq = 3233 (
modulus
, can be given to others)

e = 17 (
public exponent
, can be given to others)

d = 2753 (
private exponent
, kept secret!)

PUBLIC KEY = (3233, 17)

PRIVATE KEY = (3233, 2753)


To encrypt 123, compute 123
17

(mod 3233) =


337587917446653715596592958817679803 mod 3233 = 855



To decrypt 855, compute 855
2753
(mod 3233) = 123


(intermediate value has 8072 digits)



SOURCE:
FRANCIS LITTERIO

37 digits

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Trapdoor Functions for Cryptogrpahy

•
Any one
-
way trapdoor function
f
(
x
) can be used for
public
-
key cryptography

•
Alice wants to send message m to Bob

•
Bob’s public key
e

is a parameter to the trapdoor
function
f
e
(
x
) (the inverse
f
e

-
1
(
x
) is easy to compute
knowing Bob’s private key d but difficult without
d
)

•
Alice computes
f
e
(
m
), sends it to Bob

•
Bob computes
f
e

-
1
(
f
e
(
m
)) =
m

(easy if
d

is known)

•
Eavesdropper Eve can’t compute
m

=
f
e

-
1
(
f
e
(
m
))
without the trapdoor
d

to find the inverse
f
e

-
1


20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Digital Signatures

•
A handwritten signature is a function of the signer
only, not the message

•
Handwritten signatures can be copied and forged

•
The digital equivalent of a handwritten signature
would be
useless

in eCommerce

•
Must be able to

–
Compare it with the “real” signature; AND

–
Must be sure it isn’t copied or forged

•
How can A prove his identity over the Internet?



20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Digital Signatures

•
A digital signature is a function of
both

the
signer

and
the
message

•
A digital signature is a digest of the message
encrypted with the signer’s private key



MESSAGE M (LONG)

HASH

SIG

USE SECURE HASH ALGORITHM (SHA)


TO PRODUCE HASH (MESSAGE DIGEST)

ENCRYPT HASH USING SIGNER’S PRIVATE KEY

PRIVATE KEY

OF MR. A

THIS IS THE DIGITAL SIGNATURE

OF MR. A ON MESSAGE M

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Authentication by Digital Signature

MESSAGE (LONG)

HASH

HASH

RECIPIENT USES SHA

TO COMPUTE HASH

RECIPIENT DECRYPTS SIG

WITH SIGNER’S PUBLIC KEY

MESSAGE (LONG)

SIG

IF HASHES ARE EQUAL, MESSAGE IS AUTHENTIC.

WHY? IF ANY BIT OF M OR SIG IS ALTERED, HASH CHANGES.

RECIPIENT RECEIVES SIG + MESSAGE

=?

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Digital Signature

•
Message digest encrypted with signer’s private key


MESSAGE (LONG)

SIG

APPEND SIGNATURE TO MESSAGE; SEND BOTH

MESSAGE (LONG)

HASH

SIG

USE SHA TO PRODUCE HASH (MESSAGE DIGEST)

ENCRYPT HASH WITH SIGNER’S PRIVATE KEY

Recipient decrypts SIG with signer’s public key.

Recipient computes the message digest.

If it matches the SIG, the SIG is genuine


AND the message has not been altered!

PRIVATE KEY

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Discrete Logarithms

•
If a
b

= c, we say that log
a
c = b

•
Example: 2
32
= 4294927296 so log
2
(4294927296) = 32

•
Computing a
b

and log
a
c are both easy for real numbers


•
In a finite field, it is easy to calculate c = a
b
mod p but
given c, a and p it is
very difficult

to find b

•
This is the “discrete logarithm” problem


•
Analogy: Given x it is easy to find two real numbers y, z
such that x = y
•
z

•
Given an integer n it is hard to find two
integers

p, q
such that n = p
•
q

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Diffie
-
Hellman Key Exchange

•
Object: allow Alice and Bob to exchange a secret key

•
Protocol has two public parameters: a prime p and a
number g < p such that given 0 < n < p there is some k
such that g
k

= n (g is called a
generator
)

•
Alice and Bob generate random private values a, b
between 1 and p
-
2

•
Alice’s public value is g
a

(mod p); Bob’s is g
b

(mod p)

•
Alice and Bob share their public values

•
Alice computes (g
b
)
a

(mod p) = g
ba

•
Bob computes (g
a
)
b

(mod p) = g
ab
=

g
ba

•
Let key = g
ab
. Now both Alice and Bob have it.

•
No one else can compute it
--

they don’t know a or b

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

El Gamal Encryption

•
Based on the discrete logarithm


•
Bob’s public key is (p, q, r)

•
Bob’s private key is s such that r = q
s

mod p


•
Alice sends Bob the message m by picking a random
secret number k and sending


(a, b) = (q
k

mod p, mr
k
mod p)

•
Bob computes


b (a
s
)
-
1
mod p = mr
k
(q
ks
)
-
1

= mq
ks
(q
ks
)
-
1

= m


•
(Bob knows s; nobody else can do this)

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Elliptic Curve Cryptography (ECC)

•
An elliptic curve is the set of points (x, y) satisfying

y
2

+ axy + by = x
3

+ cx
2

+ dx + e


x

y

An elliptic curve has the property that a

line drawn between two points of the curve

intersects the curve at a single point.

(Warning: need to include the point at infinity.)


This allows us to define P + Q so that the sum

is always another point on the curve.


If the sum P + Q is always on the curve, so are

the points P, P + P, P + P + P, . . .

= P, 2P, 3P, 4P, . . .


ONLINE TUTORIAL

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Elliptic Curve Operations

SOURCE:
INTEGRITY SCIENCES


The point at infinity
O

is an identity element

for addition

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Elliptic Curves Over Finite Fields

•
Select a large prime number p

•
Choose two non
-
negative integers a and b with

4a
2

+ 27b
2


†
0 (mod p)

•
The pairs (x, y) with x, y < p that satisfy

y
2

= x
3

+ ax + b (mod p)

are the
elliptic group mod p

–
addition is closed and associative (x + y) + z = x + (y + z)

–
there is an identity element
O

such that x +
O

= x

–
every element x has an inverse x
-
1

such that x + x
-
1

=
O

•
If y = k x (mod p), then given k and x it is
easy

to find y


but given x and y it is
computationally hard

to find k

•
So elliptic curves can be used for cryptography


20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Elliptic Curves for El Gamal

•
Multiplication in the elliptic group corresponds to exponentiation
of real numbers

•
Solving y = k x (mod p) for k in the elliptic group is similar to
solving c = a
b (
mod p) for b in El Gamal (discrete logarithm)

•
Choose a special point g of the group (called a generator)

•
Bob’s private key is s; Bob’s public key is (g, s

g)

•
A plaintext message m is transformed to a point x in the group

•
Alice encrypts x by picking a random value k and sending

(k

g, x + k

s

g)



•
Bob decrypts by computing (x + k

s

g)
-

(k

g)

s = x


Alice sent him these

Bob knows s (his private key)

g and sg are public; Alice knows x and k

Can’t find s

from g and sg

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Security of ECC versus RSA

GRAPHIC:
RICHARD SOUTHERN


ECC Advantages


1. The elliptic curve logarithm

problem is harder than the

discrete logarithm problem.


2. Key size in ECC is much

smaller for a given security

level.


3. ECC is complicated; fewer

people understand it.


4. ECC is not patented.

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Birthday Attacks

•
Dave’s birthday is Jan. 29. How many people must
be in a room for the probability to be > 1/2 that
someone else was born on Jan. 29?

•
Probability that 1 person was not born on Jan. 29 =

364/365.

•
Probability that
n

people were not born on Jan. 29 is
p(
n
) = (364/365)
n
. Now choose
n

so that p(
n
) < 0.5

•
log p(
n
) <
n

log (364/635)

•
n

> log(1/2)/log(364/365)


253

•
If
n

= 183 (half of 366), p(
n
) = 0.6053. Less then
40% chance that someone else has same birthday

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Birthday Probabilities

•
Suppose a year has
d

days. How many people must
be in a room for the probability to be > 1/2 that some
pair of people have the same birthday?

•
Label the people 1 …
n

•
Probability that person
i

has no birthday in common
with people 1 …
i
-
1 is (
d
-

i + 1
)/d, so



•
If
d

= 365 and
n

= 23, p(
n
)


0.4927

•
If
d

= 365 and
n

= 50, p(
n
)


0.0296

•
For large
d
, taking
n



1.17 gives
p(
n
)
> 1/2

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Attacking Hash Algorithms

•
If two strings M and M* can be found such that

H
(M) =
H
(M*) then a hash algorithm can be
compromised

•
Let M = PO for $100; M* = PO for $100,000

•
John digitally signs
H
(M), so it can’t be altered!

•
If
H
(M*) =
H
(M) then we can “prove” in court that John
signed the $100,000 PO

•
Birthday attack: If the hash length is
b

bits, then
d

= 2

b
;



= 2

b/2

•
Try about 2

b/2

small variations of the message. Prob.

~ 50% we will find one that hashes to the same value

•
If the digest is 64 bits, try 2
32

variations. Possible!

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Major Ideas

•
Digital signature = message digest encrypted with signer’s private
key

•
Dual signature: two people sign a document without being able to
read the other person’s content

•
Blind signature: one person signs a document without being able
to read it

•
Any trapdoor function can be used for public
-
key cryptography

•
Great care must be used with public
-
key systems to avoid
protocol failure (allowing cracking through mistakes)

•
Elliptic
-
curve cryptography (ECC) is replacing RSA

–
Shorter keys for the same level of security

20
-
763 ELECTRONIC PAYMENT SYSTEMS


FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Q

A

&