Public-Key Cryptography
Dr. Ron Rymon, Efi Arazi School of Computer Science, IDC, Herzliya. 2010/11
Pre-Requisites: Conventional Cryptography
Overview: Public Key Cryptography, Crossword puzzles, Diffie-Hellman, RSA, Elliptic Curves, Digital Signatures
Overview
• Public Key Cryptography
• Crossword puzzles
• Diffie-Hellman
• RSA
• Elliptic Curves
• Digital Signatures
• Key Management for Public-Key Cryptography
Public-Key Cryptography
Main sources: Network Security Essentials / Stallings; Applied Cryptography / Schneier
Motivation
• Until the early 70s, cryptography was mostly owned by government and military
  • Key distribution is more manageable and better funded
• Symmetric cryptography is not ideal for commercialization
  • Enormous key distribution problem; most parties may never meet physically
  • Must ensure authentication, to avoid impersonation and fabrication
• A few researchers (Diffie, Hellman, Merkle), in addition to the IBM group, started exploring cryptography because they realized it is critical to the forthcoming digital world
  • Privacy
  • Effective commercial relations
  • Payment
  • Voting
Public-Key Cryptography
• Idea: use separate keys to encrypt and decrypt
  • First proposed by Diffie and Hellman
  • Independently proposed by Merkle (1976)
• Pair of keys for each user
  • Generated by the user himself
  • Public key is advertised
  • Private key is kept secret, and is computationally infeasible to discover from the public key and ciphertexts
  • Each key can decrypt messages encrypted using the other key
• Applications:
  • Encryption
  • Authentication (Digital Signature)
  • Key Exchange (to establish a Session Key)
Crossword Puzzles
• Ralph Merkle's Key Exchange Algorithm
  • Alice generates MANY crossword puzzles and sends them to Bob
  • Bob chooses ONE and solves it
  • The solution includes an identifier and the key
  • Bob communicates the identifier to Alice
  • Alice and Bob communicate using the key
• Important observation: Eve would have to solve ALL puzzles to identify the right one and the key.
• First attempt, cumbersome, and not working, but very revolutionary at the time
• Later, Merkle suggested using NP-Hard problems
  • Hard to solve, but easy to check (e.g., knapsack).
  • Also proven inadequate later...
Diffie-Hellman Key Exchange
• First public-key algorithm, based on the difficulty of computing discrete logarithms modulo n
• Protocol:
  • Use the key exchange protocol to establish a session key
  • Use the session key to encrypt the actual communication
• Algorithm:
  • Choose a large prime n, and a primitive root g
  • Alice selects x and sends Bob X = g^x mod n
  • Bob selects y and sends Alice Y = g^y mod n
  • Alice computes K = Y^x mod n; Bob computes K = X^y mod n
  • Both obtain the same K = g^(xy) mod n
Diffie-Hellman Protocol
• DH does not offer authentication
  • Trudy can use a man-in-the-middle attack
  • Impersonating Alice to Bob and vice versa
  • Using his own key (or different keys) with each
• Solution: establish a public directory
  • Each person publishes (g, n, g^x) – this is the public key
  • Note: g, n may be different from one user to another
• Make sure not to select x = 0 or x = 1 mod n
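The exchange on the previous slide, as an added example that is not part of the original deck: both sides compute the same K from the slides' (g, n, x, y) notation, with a check that g really is a primitive root and a guard against the degenerate secrets the slide warns about. The prime n = 23 and g = 5 are constructed toy values.

```python
# Added example (not from the slides): toy Diffie-Hellman in the slides'
# notation (prime n, primitive root g, secrets x and y). n=23, g=5 are
# constructed toy parameters; real deployments use 2048-bit or larger n.

def is_primitive_root(g: int, n: int) -> bool:
    """g generates all of Z_n^* (n prime) iff g^1..g^(n-1) mod n are distinct."""
    return len({pow(g, k, n) for k in range(1, n)}) == n - 1

def dh_public(g: int, n: int, secret: int) -> int:
    """X = g^x mod n. Rejects x = 0 and x = 1 (the slide's rule) and the
    wraparound x = n-1, all of which make g^x trivial (1 or g)."""
    if not 1 < secret < n - 1:
        raise ValueError("secret exponent must satisfy 1 < x < n-1")
    return pow(g, secret, n)

def dh_shared(peer_public: int, n: int, secret: int) -> int:
    """K = Y^x mod n on Alice's side, K = X^y mod n on Bob's."""
    return pow(peer_public, secret, n)

def dh_exchange(g: int, n: int, x: int, y: int):
    """Run both sides; returns (Alice's K, Bob's K, g^(xy) mod n)."""
    X = dh_public(g, n, x)          # Alice -> Bob
    Y = dh_public(g, n, y)          # Bob -> Alice
    k_alice = dh_shared(Y, n, x)
    k_bob = dh_shared(X, n, y)
    return k_alice, k_bob, pow(g, x * y, n)

if __name__ == "__main__":
    n, g = 23, 5                    # constructed toy parameters
    print(is_primitive_root(g, n), dh_exchange(g, n, x=6, y=15))
```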
Two-key Public-Key Encryption
• The sender uses the public key of the receiver to encrypt
• The receiver uses her private key to decrypt
Two-Key Public-key Authentication
• The sender encrypts some message (e.g. a certificate) with his own private key
• The receiver, by decrypting, verifies key possession
Public-Key Algorithms: The Requirements
• It is computationally feasible to generate a pair of keys
• It is computationally easy to encrypt using the public key
• It is computationally easy to decrypt using the private key
• It is computationally infeasible to compute the private key from the public key
• It is computationally infeasible to recover the plaintext from the public key and ciphertext
• Either of the keys can decrypt a message encrypted using the other key
RSA
• Developed by Rivest, Shamir, and Adleman (1977)
• Most widely used public key algorithm
• Receives its security from the difficulty of factoring large numbers
• Actually discovered first by UK GCHQ (Ellis and Cocks) in 1973!
• Algorithm:
  • Works as a block cipher, where each plaintext/ciphertext block is an integer between 0 and n (n is a k-bit number, so blocks are k bits)
  • Each receiver chooses e, d
  • The values of e and n are made public; d is kept secret
  • Encryption: C = M^e mod n
  • Decryption: M = C^d mod n = M^(ed) mod n
• Requisites:
  • Find e, d such that M = M^(ed) mod n, for all M < n
  • Make sure that d cannot be computed from n and e, not even if a ciphertext is available
RSA Keys and Key Generation
• Select primes p and q, n = pq
• φ(n) = (p-1)(q-1); Euler totient of n: the number of integers between 1 and n that are relatively prime to n, i.e., |{m | gcd(m,n) = 1}|
• Select an integer e < φ(n) such that gcd(φ(n), e) = 1
  • Guarantees that e^-1 exists
• Calculate d such that d = e^-1 mod φ(n)
  • Use the extended Euclidean GCD algorithm
• Now, for every M < n, we have
  • M^(ed) = M^(1 mod φ(n)) = M
• Note:
  • The message could have been encrypted with d and decrypted with e
Recall Math Backgrounder
• Fermat's Little Theorem
  • For a prime p, ∀a such that 0 < a < p, a^(p-1) = 1 mod p
• Euler's extension
  • For any n, ∀a such that 0 < a < n and gcd(a,n) = 1, a^φ(n) mod n = 1
  • For primes p, q, ∀a such that gcd(a,pq) = 1, a^((p-1)(q-1)) = 1 mod pq
  • Hence, M^(ed) mod n = M^(k(p-1)(q-1)+1) mod n = 1·M = M
• To generate primes, use a primality test
  • For a non-prime, Fermat's theorem will usually fail on a random a
  • Carmichael numbers are a rare exception, and if one is chosen, decryption won't work. The probability can be reduced by checking more a's
  • Primes are dense enough (almost one of every k k-bit numbers)
• GCD to select e takes O(log n) time
• Calculate d = e^-1 mod φ(n) with the extended Euclidean GCD: O(log n)
• Exponentiation (Encrypt/Decrypt) takes O(log n) time
• RSA gets its security from the difficulty of factoring n = pq
RSA Example
• Key Generation
  • Select p = 7, q = 17, n = pq = 119, φ(119) = 96
  • Select e = 5; calculate d = 77 (77·5 = 385 = 1 mod 96)
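The key generation above carried through in code, as an added example that is not part of the original slides: d is obtained with the extended Euclidean algorithm, p and q are screened with the Fermat test described on the math backgrounder slide, and the toy key (p = 7, q = 17, e = 5) encrypts a constructed sample block M = 19.

```python
# Added example (not from the slides): RSA key generation on the slides' toy
# values p=7, q=17, e=5, with the extended Euclidean algorithm for d and the
# Fermat probable-prime check the math backgrounder describes.

def egcd(a: int, b: int):
    """Extended Euclid: returns (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0

def mod_inverse(e: int, m: int) -> int:
    """d = e^-1 mod m; exists only when gcd(e, m) == 1."""
    g, s, _ = egcd(e, m)
    if g != 1:
        raise ValueError("no inverse: gcd(e, phi(n)) != 1")
    return s % m

def fermat_probable_prime(n: int, bases=(2, 3, 5, 7)) -> bool:
    """a^(n-1) == 1 mod n for each base a. A composite usually fails on a
    random a; Carmichael numbers pass for every a coprime to n, which is
    why more bases (and Miller-Rabin in practice) are used."""
    if n < 2:
        return False
    return all(a % n == 0 or pow(a, n - 1, n) == 1 for a in bases)

def rsa_keygen(p: int, q: int, e: int):
    """Returns ((e, n), (d, n)) following the key-generation slide."""
    if not (fermat_probable_prime(p) and fermat_probable_prime(q)):
        raise ValueError("p and q must be prime")
    n, phi = p * q, (p - 1) * (q - 1)   # phi(n) = (p-1)(q-1)
    if not 1 < e < phi:
        raise ValueError("need 1 < e < phi(n)")
    d = mod_inverse(e, phi)             # raises if gcd(e, phi) != 1
    return (e, n), (d, n)

def rsa_encrypt(m: int, pub) -> int:
    e, n = pub
    return pow(m, e, n)        # C = M^e mod n (square-and-multiply)

def rsa_decrypt(c: int, priv) -> int:
    d, n = priv
    return pow(c, d, n)        # M = C^d mod n

if __name__ == "__main__":
    pub, priv = rsa_keygen(7, 17, 5)           # n = 119, d = 77
    print(pub, priv, rsa_encrypt(19, pub))     # constructed sample block M = 19
```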
Attacks on RSA Algorithm
• If one could factor n, which is available, into p and q, then d could be calculated (as the inverse of e), and then the message deciphered
• If one could guess the value of φ(n) = (p-1)(q-1), even without factoring n, then again d could be computed as the inverse of e
Attacks on RSA Protocol
• Chosen ciphertext attack
  • Attack: get the sender to sign (decrypt) a chosen message
  • Inputs: original (unknown) ciphertext C = M^e
  • Construct
    • X = R^e mod n, for a random R
    • Y = XC mod n
  • Ask the sender to sign Y, obtaining U = Y^d mod n
  • Compute
    • T = R^-1 mod n
    • TU mod n = R^-1 Y^d mod n = R^-1 X^d C^d mod n = C^d mod n = M
  • Exploits preservation of multiplication in the group
• Conclusion:
  • Never sign a random message
  • Sign only hashes
  • Use different keys for encryption and signature
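Why the slide's "sign only hashes" rule works, as an added example that is not part of the original deck: on the toy key from the RSA example slide (n = 119, e = 5, d = 77), a signer that exponentiates whatever it is handed lets the blinding factor R cancel, while a signer that hashes first never exponentiates Y itself, so the cancellation has nothing to act on. The SHA-256-then-reduce digest is a stand-in for H() chosen only to fit the toy modulus.

```python
# Added example (not from the slides): the multiplication-preserving property
# behind the chosen-ciphertext attack, on the slides' toy key n=119, e=5, d=77,
# beside the slide's fix: a signer that hashes before it signs.
import hashlib

N, E, D = 119, 5, 77            # toy key from the RSA example slide

def h_mod_n(x: int) -> int:
    """Stand-in for H(): SHA-256 of the value, reduced so it fits the toy n."""
    return int.from_bytes(hashlib.sha256(str(x).encode()).digest(), "big") % N

def sign_raw(y: int) -> int:
    """The unsafe signer: returns y^d mod n for whatever y it is handed."""
    return pow(y, D, N)

def sign_hashed(y: int) -> int:
    """The slide's recommendation: sign only H(y)."""
    return pow(h_mod_n(y), D, N)

def unblind(c: int, r: int, signer) -> int:
    """X = R^e, Y = XC, U = signer(Y), T = R^-1; returns T*U mod n.
    With sign_raw this is R^-1 * R^(ed) * C^d = C^d = M; with sign_hashed
    the signer exponentiates H(Y), not Y, so R does not cancel."""
    x = pow(r, E, N)
    y = x * c % N
    u = signer(y)
    t = pow(r, -1, N)           # requires gcd(r, n) == 1
    return t * u % N

def demo(m: int = 19, r: int = 10):
    """Returns (value recovered via the raw signer, value via the hashed one)
    for a constructed sample block m and blinding factor r."""
    c = pow(m, E, N)            # the 'unknown' ciphertext (66 for m=19)
    return unblind(c, r, sign_raw), unblind(c, r, sign_hashed)
```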
Other precautions when implementing the RSA protocol
• Do not use the same n for multiple users
  • A third party can sometimes decipher if the same message is encrypted using both encryption (public) keys, without needing the decryption (private) key
• Always pad messages with random numbers, making sure that M is about the same size as n
  • If e is small, there is an attack that uses e(e+1)/2 linearly dependent messages, and if messages are small it's easier to find linearly dependent ones
• Do not choose low values for e and d
  • For e, see above, and there is also an attack on small d's
Elliptic Curves Cryptography
• ECC addresses the cost of exponentiation in DH and RSA
• Uses Abelian groups with addition defined on cubic equations
  • E.g., y^2 = x^3 + ax + b (for some a, b)
  • For R = P + Q, find the third point of intersection on the line that connects P and Q (use the tangent line if P = Q). This is -R, and R is its mirror.
  • O is the point at infinity and is defined as O = P + (-P). As a result it is also the identity since P + O = P
• Can also be defined over GF(p)
  • Consider Q = kP mod p
  • Easy to compute Q from k, P
  • Difficult to determine k from P, Q (except through brute force)
Elliptic Curves Key Exchange
• Key Generation
  • Select/agree on a cubic curve (p, a, b) --- public
  • Select a base point G with a high order n --- public
    • i.e., the smallest n such that nG = O
  • Private key of Alice is an integer KA < n
  • Public key of Alice is KA·G
• Key Exchange
  • Alice and Bob send their public keys to each other
  • Each of them multiplies the result by their own private key
  • Agreed Key = KA·KB·G
• Like DH but uses addition instead of exponentiation
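The curve arithmetic and key exchange of the last two slides, as an added example that is not part of the original deck: point addition (with the tangent case and P + (-P) = O), scalar multiplication, the order of G as the slide defines it, and the exchange in which each side multiplies the other's public point by its own private key. The curve y^2 = x^3 + 2x + 2 over GF(17) with G = (5, 1) is a constructed toy instance, assumed for illustration.

```python
# Added example (not from the slides): point addition on y^2 = x^3 + ax + b
# over GF(p) and the EC key exchange of the slide, on a constructed toy curve
# (p=17, a=2, b=2) with base point G=(5,1), whose order is n=19.
O = None  # the point at infinity O: the identity, P + (-P) = O

def ec_add(P, Q, a, p):
    """R = P + Q: the line through P and Q meets the curve in a third
    point -R; R is its mirror image. Uses the tangent line when P == Q."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:   # Q == -P: vertical line
        return O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P, a, p):
    """Q = kP by double-and-add: easy from k and P; recovering k from
    (P, Q) is the elliptic-curve discrete logarithm problem."""
    R = O
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R

def point_order(G, a, p):
    """Smallest n with nG = O (the slide's definition of G's order)."""
    n, R = 1, G
    while R is not O:
        R = ec_add(R, G, a, p)
        n += 1
    return n

def ec_key_exchange(kA, kB, G, a, p):
    """Alice publishes kA*G, Bob kB*G; each multiplies the other's point
    by its own private key. Returns (Alice's key, Bob's key) = kA*kB*G."""
    PA, PB = ec_mul(kA, G, a, p), ec_mul(kB, G, a, p)
    return ec_mul(kA, PB, a, p), ec_mul(kB, PA, a, p)
```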
Timing and Power Attacks
• Ciphertext-only attack
• No mathematical analysis
• How it works
  • Measure the effort (time, power) to decrypt a message
  • Correlate the effort to the probability that certain key bits are on
• Idea
  • Different algorithms work more on certain combinations of bit values
  • E.g., in RSA the exponentiation effort depends on the number of bits that are 1
• Solutions:
  • Idle computation to randomize and even out
Other Public-Key Algorithms
• Merkle-Hellman Knapsack Algorithms
  • First public-key cryptography (not key exchange) algorithm (1976) - patented
  • Encode a message as a series of solutions to knapsack problems (NP-Hard). An easy (superincreasing) knapsack serves as the private key, and a hard knapsack as the public key.
  • Broken by Shamir and Zippel in 1980, showing a reconstruction of superincreasing knapsacks from the normal knapsacks
• Rabin
  • Based on the difficulty of finding square roots modulo n
  • Encryption is faster: C = M^2 mod n (n = pq)
  • Decryption is a bit complicated and the plaintext has to be selected from 4 possibilities (also makes it difficult to use for signatures)
• El Gamal
  • Based on the difficulty of calculating discrete logarithms in a finite field
• Elliptic Curves can be used to implement El Gamal and Diffie-Hellman faster
Digital Signatures
Main sources: Network Security Essentials / Stallings; Applied Cryptography / Schneier
Public-Key Digital Signature
• Same as authentication
• The sender encrypts a message with his own private key
• The receiver, by decrypting, verifies key possession
Digital Signatures
• It is possible to use the entire message, encrypted with the private key, as the digital signature
  • But this is computationally expensive
  • And anyone can then decrypt the original message
• Alternatively, a digest can be used
  • Should be short
  • Prevent decryption of the original message
  • Prevent modification of the original message
  • Difficult to fake a signature for
• If message authentication (integrity) is needed, we may use the hash code of the message
• If only source authentication is needed, a different message can be used (certificate)
Digital Signature Algorithm (DSA)
• Proposed in 1991 by NIST as a standard (DSS)
• Based on the difficulty of computing discrete logarithms (like Diffie-Hellman and El Gamal)
• Encountered resistance because RSA was already the de-facto standard, and had already drawn significant investment
  • DSA cannot be used for encryption or key distribution
  • RSA is advantageous in most applications (exc. smart cards)
    • RSA is 10x faster in signature
    • DSA is faster in verification
  • Concerns about an NSA backdoor (a table can be built for some primes)
• Key size was increased from 512 to 2048 and 3072 bits
  • In DSA, the key size needs to be 4 times the security level
• DSA has an Elliptic Curve version
  • Faster to compute, and requires half the bits
Description of DSA
• Parameters
  • p is a prime number with up to 1024 bits (public key)
  • q is a 160-bit factor of (p-1), and itself prime (public key)
  • g = h^((p-1)/q) mod p (h is random) (public key)
  • x is the private key and is smaller than q (private key)
  • y = g^x mod p is part of the public key (public key)
• Signature
  • Given a message M, generate a random k < q (keep secret)
  • Signature is a pair (r, s)
  • Send r = (g^k mod p) mod q
  • Send s = k^-1 (H(M) + xr) mod q
  • If r = 0 or s = 0, choose a new k
• Verification
  • Compute w = s^-1 mod q
  • Compute u1 = H(M)·w mod q; u2 = r·w mod q
  • Compute v = (g^u1 · y^u2 mod p) mod q
  • If v = r then the signature is verified
Key Generation in DSA
• Generate q as a SHA of an arbitrary 160-bit string
  • If not prime, try another string
  • Use the Rabin method for primality testing
• To get (p-1)
  • Concatenate additional 160-bit numbers until you get to the right size (e.g., 1024)
  • Subtract the remainder after division by 2q
    • q is a factor by construction
    • Since p-1 is even, 2 is also a factor
  • If p is not prime, repeat the process
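The signing and verification equations from the "Description of DSA" slide, as an added example that is not part of the original deck. The parameters p = 23, q = 11, g = 4 are constructed toy values small enough to check by hand; they are fixed here rather than produced by the generation procedure above, and the digest is reduced mod q so it fits.

```python
# Added example (not from the slides): DSA signing and verification exactly
# as on the slide, but on constructed toy parameters (p=23, q=11, g=4) in
# place of the 1024-bit p / 160-bit q, so every value can be checked by hand.
import hashlib

P, Q = 23, 11                   # q is a prime factor of p-1 = 22
G = pow(2, (P - 1) // Q, P)     # g = h^((p-1)/q) mod p with h=2; g=4 has order q

def digest(msg: bytes) -> int:
    """H(M) reduced mod q so it fits the toy q (DSS pairs a 160-bit SHA-1
    digest with a 160-bit q)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def dsa_keygen(x: int):
    """Private key x < q, public key y = g^x mod p."""
    assert 0 < x < Q
    return x, pow(G, x, P)

def dsa_sign(hm: int, x: int, k: int):
    """Returns (r, s) for digest hm, or None if r or s is 0 (the slide's
    rule: pick a new k). k is the per-signature secret; it must be fresh
    every time, since two signatures made with the same k reveal x."""
    assert 0 < k < Q
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (hm + x * r) % Q
    return None if r == 0 or s == 0 else (r, s)

def dsa_verify(hm: int, y: int, sig) -> bool:
    """w = s^-1, u1 = H(M)w, u2 = rw, v = (g^u1 y^u2 mod p) mod q; accept iff v == r."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = hm * w % Q, r * w % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r

if __name__ == "__main__":
    x, y = dsa_keygen(3)
    hm = digest(b"constructed sample message")
    sig = dsa_sign(hm, x, k=7)
    print(sig, sig is not None and dsa_verify(hm, y, sig))
```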
One-Time Signatures (Merkle)
• Key Generation
  • Let t = n + 1 + log n, where n is the message size
  • Select random K1, …, Kt (private key)
  • Let Vi = H(Ki) for a hash function H (public key)
• Signature
  • Let C be the number of 0's in message M
  • Let W = M || C, and let A1 … At be W's bits
  • Signature is (S1 … Su) such that Sj = Kl if Al is the j-th 1-bit of W
• Verification
  • Compute W as above
  • Compute H(Si) for each bit and compare to the (properly indexed) Vj
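The scheme above in code, as an added example that is not part of the original deck: SHA-256 stands in for H, the K_i are 16 random bytes each, and C is written in n.bit_length() bits, which is the slide's 1 + log n for n a power of two. The verifier shows why appending the zero-count matters: clearing a 1 bit raises C, which sets some C bit from 0 to 1 and demands a K the signer never revealed.

```python
# Added example (not from the slides): Merkle's one-time signature as
# described on the slide, with SHA-256 as H, 16-byte random K_i, and the
# zero-count C written in enough bits to hold any count from 0 to n.
import hashlib
import secrets

def _w_bits(msg_bits):
    """W = M || C, where C is the number of 0 bits in M (written big-endian)."""
    n = len(msg_bits)
    c = msg_bits.count(0)
    c_bits = [int(b) for b in format(c, f"0{n.bit_length()}b")]
    return msg_bits + c_bits

def ots_keygen(n: int):
    """t = n + bits needed for C (the slide's n + 1 + log n); private key
    K_1..K_t random, public key V_i = H(K_i)."""
    t = n + n.bit_length()
    priv = [secrets.token_bytes(16) for _ in range(t)]
    pub = [hashlib.sha256(k).digest() for k in priv]
    return priv, pub

def ots_sign(msg_bits, priv):
    """Reveal K_l for every position l where W has a 1 bit."""
    return [(l, priv[l]) for l, bit in enumerate(_w_bits(msg_bits)) if bit == 1]

def ots_verify(msg_bits, sig, pub) -> bool:
    """Recompute W; the revealed positions must be exactly W's 1 bits and
    each revealed K_l must hash to V_l. Turning a 1 into a 0 raises C, which
    flips some C bit from 0 to 1 and needs a K the signer never revealed."""
    W = _w_bits(msg_bits)
    if len(W) != len(pub):
        return False
    if [l for l, _ in sig] != [l for l, bit in enumerate(W) if bit == 1]:
        return False
    return all(hashlib.sha256(k).digest() == pub[l] for l, k in sig)

if __name__ == "__main__":
    priv, pub = ots_keygen(8)
    msg = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed 8-bit message
    sig = ots_sign(msg, priv)
    print(ots_verify(msg, sig, pub), ots_verify([0] + msg[1:], sig, pub))
```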
Key Management for Public Key Cryptographic Protocols
Main sources: Network Security Essentials / Stallings; Applied Cryptography / Schneier
Certificate Authority: Verifying the Public Key
• How to ensure that Charles doesn't pretend to be Bob by publishing a public key for Bob? Then, using a Man-in-the-Middle attack, Charles can read the message and re-encrypt and resend it to Bob
• Bob prepares a certificate with his identifying information and his public key
• The Certificate Authority (CA) verifies the details and signs Bob's certificate
• Bob can publish the signed certificate
More on (Public) Key Management
• Alice may have more than one key
  • e.g., personal key and work key
• Where shall Alice store her keys?
  • Alice may not want to trust her work administrator with her personal banking key
• Distributed certification à la X.509
  • CA certifies Agents who certify organizations who certify others
• Distributed certification à la PGP
  • Alice will present her certificate with "introducers" who will vouch for her ("PKI parties")
• Key Escrow
  • The US Escrowed Encryption Standard suggests that private keys be broken in half and kept by two Government agencies
    • Clipper – for cellular phone encryption
    • Capstone – for computer communication
Cryptography Summary
• Cryptography (and steganography) were always considered a strategic tool
  • Used mostly by governments and military organizations
  • Served to keep top secrets and in wars
• Different generations were characterized by either the cryptographers or the cryptanalysts winning the battle
  • Today, cryptographers seem certainly on top, with "unbreakable" ciphers (but, remember Vigenère's unbreakable cipher…)
• Must remember that cryptanalysis is not the only attack
  • It is usually the hardest way to break a message
  • May attack human weaknesses in the crypto protocol
  • May attack communication, hosts, etc.
  • Much easier to get information using the good old 3Bs: bribery, burglary, and bending