330 likes | 662 Views
Public-key encryption. Symmetric-key encryption. Invertible function Security depends on the shared secret – a particular key. Fast, highly secure Fine for repeated communication Poor fit for one-shot communication, signatures. Asymmetric-key (public key) encryption. The basic idea:
E N D
Symmetric-key encryption • Invertible function • Security depends on the shared secret – a particular key. • Fast, highly secure • Fine for repeated communication • Poor fit for one-shot communication, signatures
Asymmetric-key(public key) encryption • The basic idea: • A user has two keys: a public key and a private key. • A message can be encrypted with the public key and decrypted with the private key to provide security. • A message can be encrypted with the private key and decrypted with the public key to provide signatures.
One-way functions • Most common functions are invertible; for any F(x) = y, there is an F-1(y) = x. • Multiplication and division • DES • A function which is easy to compute in one direction, but hard to compute in the other, is known as a one-way function. • Hashing, modular arithmetic. • A one-way function that can be easily inverted with an additional piece of knowledge is called a trapdoor one-way function.
One-way functions • Public key encryption is based on the existence of trapdoor one-way functions. • Encryption with the public key is easy. • Decryption is computationally hard. • Knowledge of the private key opens the trapdoor, making inversion easy. • Password systems also use one-way functions.
Overview of RSA • RSA is the most common and well-known public key cryptosystem • Basic notation: a key pair (e,d) contains two keys: • e is the public key (used to encrypt documents) • d is the private key (used to decrypt documents) • M is the plaintext message. • Let R be the encryption function. • R(e,M) = C. R(d,C) = M. - encryption • R(d,M) = C’ R(e,C’) = M - signing • R(e,R(d,M)) = M = R(d,R(e,M)) • Same function is used for both operations.
Modular Arithmetic • RSA’s security is based on modular arithmetic. • a = b (mod n) <-> there is a q such that a-b=qn • b is the remainder after dividing a by n • 23 = 3 (mod 5) • A set {0,1,…,n-1} is closed under modular addition and multiplication. • (a(mod n) + b(mod n))(mod n) = (a+b) (mod n) • (ab)(mod n) = (a(mod n) b(mod n))(mod n)
Modular Arithmetic • Two numbers p and q are said to be relatively prime if their greatest common divisor is 1. • 5 and 17, 8 and 9, 10 and 21 • To compute gcd: • gcd(a,b) = gcd(b, a mod b) (Euclid, 300BC)
Identities and Inverses • An identity is a number that maps a number to itself under some operation. • 0 in normal addition, 1 in multiplication. • An inverse is a number (within the input set) and maps a given number to the identity • X * 1/X, X + -X in integer math • We are particularly interested in multiplicative inverses for modular arithmetic. • (ab) = 1 (mod n)
Multiplicative Inverses • 3 and 2 are multiplicative inverses mod 5. • 7 and 6 are multiplicative inverses mod 41. • 5 and 2 are multiplicative inverses mod 9. • For n > 1, if a and n are relatively prime, there is a unique x such that • ax = 1 (mod n)
More preliminaries • Fermat’s Little Theorem: • If p is prime, then for all a: • ap-1 = 1 (mod p) • Chinese Remainder Thm (corollary) • If p and q are prime, then for all x and a: • x = a(mod p) and x = a(mod q) iff x=a mod(pq) • These are needed to prove RSA’s correctness.
The RSA Algorithm • Pick two large (100 digit) primes p and q. • Let n = pq • Select a relatively small integer d that is prime to (p-1)(q-1) • Find e, the multiplicative inverse of d mod (p-1)(q-1) • (d,n) is the public key. To encrypt M, compute • En(M) = Me(mod n) • (e,n) is the private key. To decrypt C, compute • De(C) = Cd(mod n)
RSA example • Let p = 11, q = 13 • n = pq = 143 • (p-1)(q-1) = 120 = 3 x 23 x 5 • Possible d: 7, 11, 13, 17, … (let’s use 7) • Find e: e*7 = 1(mod 120) = 103 • Public key: (7, 143) • Private key: (103, 143) • En(42) = 427 (mod 143) = 81 • De(81) = 81103(mod 143) = 42
Correctness of RSA • To show RSA is correct, we must show that encryption and decryption are inverse functions: • En(De(M)) = De(En(M)) = M = Med (mod n) • Since d and e are multiplicative inverses, there is a k such that: • ed=1+ kn = 1 + k(p-1)(q-1) • Med = M1+k(p-1)(q-1) = M*(Mp-1)k(q-1) • By Fermat: Mp-1=1(mod p) • Med = M(1)k(q-1)(mod p) = M(mod p)
Correctness of RSA • Med = M(1)k(q-1)(mod p) = M(mod p) • Med = M(1)k(q-1)(mod q) = M(mod q) • By Chinese Remainder Thm, we get: • M^{ed} = M (mod p) M (mod q) = M (mod pq) = M (mod n) • Therefore, RSA reproduces the original message and is correct.
Strengths of RSA • No prior communication needed • Highly secure (for large enough keys) • Well-understood • Allows both encryption and signing
Weaknesses of RSA • Large keys needed (1024 bits is current standard) • Relatively slow • Not suitable for very large messages • Public keys must still be distributed safely.
Security of RSA • The security of RSA is dependent on the assumption that it’s difficult to generate the private key d from the public key e and the modulus n. • Equivalent to integer factorization problem. • This is how we got e and d in the first place. • Factoring is thought to be computationally hard. • No proof, though!
Difficulty of Factoring • The fastest known factoring algorithm is the generalized number field sieve. • Sub-exponential time • Greater than polynomial space. • Some statistics:
Security and Problem Difficulty • Another way to think about the problem is to ask how long a keylength will be secure, given Moore’s law: From the RSA labs factoring FAQ
Security and Problem Difficulty • RSA-155 (512 bit asymmetric-key) broken in 1999. • Estimate: capability grows by ~4.25 digits per year. (approx.13-14 bits per year) • 1024-bit RSA should be “secure” until 2037. • Using Moore’s Law – 1024-bit is 7 million times harder than 512-bit • So, we need a 7 millionX speedup to crack 1024-bit RSA with the same relative computational power. • Also about 34 years. • Question: How long does your data need to be secure?
Digital Signatures • Desirable properties of a digital signature: • A receiver must be able to validate the signature • The signature must not be forgeable • The signer must not be able to repudiate the signature. • Encrypt with private key, validate with public key. • For security and authenticity, encrypt the signed message with the receiver’s public key.
Hash Functions • A hash function is a one-way function that maps a message M into a (typically smaller) hashed message H. • Sometimes this is called a fingerprint • Also sometimes a message digest. • Goals: • Non-invertible • fast • low collision rate
Hash Functions • To sign a document, I compute its hash, encrypt that with my private key, and send the encrypted hash along with the original document as plaintext. • The receiver hashes the plaintext and then uses my public key to verify that I was the one who sent the document. • Can also detect tampering.
Combining Public and Secret Keys • Public-key encryption is often used to synchronize secret session keys. • SSL uses this. • A generates a secret key and sends it to B, encrypted with B’s public key. • For handshaking, include a random number. • B decrypts the message and has the secret key. • For handshaking, B encrypts the random number with A’s public key and returns it.
Authentication • A sends “Please authenticate me” to B • B creates a random message and signs it with A’s public key. • A decrypts the message with its private key, encrypts it with B’s public key, and returns it. • Only someone with A’s private key can do this. • Potential attack: B gets to pick a string that A will encrypt • This could yield information about A’s private key.
Zero-knowledge Protocols • One application of public-key cryptography is zero-knowledge protocols. • Often, one party might want to prove something to another without revealing any information • Nuclear treaties • Bank balances • Sensitive information
Zero-knowledge protocols • Alice wants to prove to Bob that she is Alice. • If she sends identification, Bob (or an eavesdropper) can use it. • Example: Authority chooses a number N=77, known by all. • Alice’s public ID: (58, 67) • Alice’s private ID: (9,10) • These are multiplicative inverses mod 77
Zero-knowledge protocols • Alice chooses some random numbers and computes their square mod N. • {19, 24, 51} -> 192(mod 77) = 53, 242(mod 77) = 37, 512(mod 77) = 60 • Alice sends {53,37,60} to Bob. • Bob sends back a random 2x3 matrix of 1s and 0s. • 0 1 • 1 0 • 1 1
Zero-knowledge protocols • Alice uses this grid, plus her original random numbers and her secret numbers, to compute: • 19 * 90 * 101 (mod 77) = 36 • 24 * 91 * 100 (mod 77) = 62 • 51 * 91 * 101 (mod 77) = 47 • She sends {36,62,47} to Bob.
Zero-knowledge protocols • Bob verifies Alice’s identity by computing: • {58,67} are Alice’s public numbers • 36^2 *58^0 *67^1 (mod 77)= 53 • 62^2 *58^1 * 67^0 (mod 77) = 37 • 47^2 * 58^1 * 67^1 (mod 77) = 60 • Alice’s original numbers reappear! • (Actually, an attacker would have a 1 in 64 chance of guessing correctly …)
Zero-knowledge protocols • In a real system, N would be very large • 160 digits. • Many more numbers would be generated. • This works because Alice’s secret numbers are multiplicative inverses of her public numbers mod N. • Also, Bob learns nothing that he didn’t know before.
Summary • Public key encryption provides a flexible system for secure communication in open environments. • Based on one-way functions • Allows for both authentication and signing • Secure public key distribution remains a problem.