Asymmetric cryptography (aka Public key cryptography) (Slides by Jaap-Henk Hoepman & Jeroen Doumen)
Contents • Why public key cryptography • Some systems • Diffie-Hellman • RSA • Applications • Authentication • Key-management • Certificates / PKI
Many symmetric keys needed • To send to Alice, everyone needs a different key • To receive, Alice needs all these keys • [Diagram: Bob, Carol and Zeke each share a key with Alice]
Diversified keys • Reducing Alice’s keyring: • Alice keeps only a master key K • Alice gives every other person i a derived key • So Bob’s key is • Still a key distribution problem
Asymmetric keys • Private key k (lower case!) • Held privately by the user • Used to decrypt • Public key K (upper case!) • Distributed to all • Used to encrypt • Requirement • Private key not derivable from public key • Public key not useful to decrypt
Encryption • Alice • generates random symmetric key s • encrypts s with the public key KB of Bob: RSA_E(KB,s) • encrypts the message with s: AES_E(s,m) • Sends Bob RSA_E(KB,s), AES_E(s,m) • Bob • Decrypts RSA_E(KB,s) using private key kB to get s • Decrypts AES_E(s,m) using s to get m
Digital signatures • Alice • Generates a hash h=h(m) of the message • Signs h using her private key kA: s=RSA_D(kA,h) • Same as decrypting h… • Sends m and s to Bob • Bob • Computes h=h(m) from m • Decrypts s=RSA_D(kA,h) to h’ using Alice’s public key KA • Checks that h and h’ are the same
History • NSA (US): 1960’s (?) • CESG (UK): 1970 • James Ellis, classified report • Diffie & Hellman: 1976
Definitions of security • Two definitions • Information theoretical (aka unconditional) • Impractical • Computational • Breaking the cipher is a mathematically hard problem
What is a ‘break’ • Weak definition • Hard to derive plaintext from ciphertext without the key • Strong definition • Hard to guess a single plaintext bit from a ciphertext without the key
One time pad • Vernam’s one time pad is information theoretically secure • Why? • [Diagram: plaintext bits, bitwise xor with key bits, ciphertext bits] • Note: random key equally long as message
What is a hard problem (1) • Algorithm can run on short or long instances • The running time depends on the length of the instance • Example: Sorting 10 numbers takes less time than sorting 10000 numbers • For some problems we know how many steps any algorithm will have to take to solve an instance of size n • Sorting n numbers always takes n log n steps • Very hard to prove
What is a hard problem (2) • A hard problem is a problem that requires at least an exponential number of steps to solve • I.e. more than a polynomial number of steps • No hard problems known!! • But for some problems all known solutions take (sub)exponential time • Factoring a product of two primes • Computing the discrete logarithm
Math • Computing modulo n • Groups • Generator g (e.g. 2 in the multiplicative group Z*13 below) • (Probably…) hard problems • Factoring an integer • Computing the discrete logarithm
Diffie-Hellman key exchange • Invented by Diffie & Hellman in 1976 • First publication on public key crypto • Key exchange only • No encryption/signatures • Key sizes: ~1024 bits • Based on the difficulty of finding a discrete logarithm • Given prime p and a,b compute i
Diffie-Hellman • Public values • Prime p • Generator a < p • Alice • Randomly picks x < p • Sends • Receives r and sets • Bob • Randomly picks y < p • Sends • Receives r and sets
About the keys • Alice’s key equals • Bob’s key equals • Eavesdropper sees • Vulnerable to man-in-the-middle attack
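The exchange on the slides above, as an added example that is not part of the original slides. It assumes the textbook form of the protocol (each side sends a^secret mod p and raises the value it receives to its own secret) and the toy group p = 13, a = 2; Eve's exponent z and all function names are illustrative.

```python
import secrets

P, A = 13, 2  # toy public values (assumed for illustration): prime p, generator a

def public_value(secret, a=A, p=P):
    """Value a party sends over the wire: a^secret mod p."""
    return pow(a, secret, p)

def session_key(received, secret, p=P):
    """Key a party derives: received^secret mod p."""
    return pow(received, secret, p)

def honest_exchange(x, y):
    """Alice (secret x) and Bob (secret y) exchange values directly."""
    to_bob, to_alice = public_value(x), public_value(y)
    return session_key(to_alice, x), session_key(to_bob, y)

def intercepted_exchange(x, y, z):
    """Eve sits on the wire and replaces both public values with a^z.

    Returns (Alice's key, Bob's key, Eve's key with Alice, Eve's key with Bob).
    Nothing in the protocol tells Alice or Bob whose value they received,
    which is why the exchanged values have to be authenticated.
    """
    from_alice, from_bob = public_value(x), public_value(y)
    forged = public_value(z)
    return (session_key(forged, x), session_key(forged, y),
            session_key(from_alice, z), session_key(from_bob, z))

def discrete_log(target, a=A, p=P):
    """Exhaustive search for i with a^i = target mod p; feasible only for toy p."""
    return next(i for i in range(1, p) if pow(a, i, p) == target)

if __name__ == "__main__":
    x = 1 + secrets.randbelow(P - 2)
    y = 1 + secrets.randbelow(P - 2)
    print("honest keys (Alice, Bob):", honest_exchange(x, y))
    print("with Eve in the middle:  ", intercepted_exchange(x, y, 3))
```
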
RSA • Invented by Rivest, Shamir and Adleman in 1978 • First “public” public key system • Most popular • Patent expired September 2000 • Large keys (1024 bits or more)
Primes and such • Gcd(a,b): greatest common divisor • Euler’s totient function • the number of integers x < n for which gcd(x,n)=1 • For primes p, • Euler’s theorem • If gcd(a,n)=1 then • Holds even if n=pq (and gcd(a,n) <> 1)
RSA Algorithm • Pick two large primes p,q and set n = pq • Pick e,d such that • Destroy p,q • Public key: (e, n) • Private key: (d, n) • Encrypt P: • Decrypt C:
RSA Example • p=7 and q=17, so n=119 and • Pick e with gcd(e, 96)=1, e.g. e=5 • Compute d with ed = 1 mod 96. Then d=77 • Verify: 77*5=385=4*96+1 • Encrypting M=19: • Ciphertext is 66 • Decrypting 66 • Yields 19
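The slide's numbers reproduced in code, as an added example that is not part of the original slides. It assumes textbook RSA (d is the inverse of e modulo (p-1)(q-1), encryption is M^e mod n, decryption is C^d mod n); the function names are illustrative.

```python
from math import gcd

def extended_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) = s*a + t*b."""
    old_r, r, old_s, s, old_t, t = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t

def make_keypair(p, q, e):
    """Return ((e, n), (d, n)) with e*d = 1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e has no inverse modulo (p-1)(q-1)")
    _, s, _ = extended_gcd(e, phi)
    return (e, n), (s % phi, n)

def encrypt(public, m):
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be in the range 0..n-1")
    return pow(m, e, n)

def decrypt(private, c):
    d, n = private
    return pow(c, d, n)

if __name__ == "__main__":
    public, private = make_keypair(7, 17, 5)
    c = encrypt(public, 19)
    print("public", public, "private", private)
    print("19 encrypts to", c, "which decrypts to", decrypt(private, c))
```
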
RSA: Why it works Euler:
RSA: why it is secure • If you know p,q, it is easy to find e,d such that • If you don’t know p,q but only n, then finding d given e (or vice versa) is as hard as finding p,q given n (i.e. factoring) • Because computing is hard
RSA: common settings • p,q must be roughly the same size • Or else factoring n=pq is easier • On the other hand p-q must be sufficiently large • Or else for a small constant c, and hence factoring n is easy by trying all c
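Why p-q must be sufficiently large, as an added example that is not part of the original slides. It uses Fermat's factoring method, a standard way to show the point; the function name, the step budget and the sample moduli are constructed for illustration.

```python
from math import isqrt

def fermat_factor(n, max_steps=1_000_000):
    """Try a = ceil(sqrt(n)), a+1, ... until a*a - n is a perfect square b*b.

    Then n = (a - b) * (a + b). For n = p*q the search ends at a = (p + q) / 2,
    so the step count grows roughly with (p - q)^2 / sqrt(n): almost no work
    when the primes are close, hopeless when they are far apart.
    n must be odd. Returns (p, q, steps), or None when the budget runs out.
    """
    a = isqrt(n)
    if a * a < n:
        a += 1
    for steps in range(1, max_steps + 1):
        b_squared = a * a - n
        b = isqrt(b_squared)
        if b * b == b_squared:
            return a - b, a + b, steps
        a += 1
    return None

if __name__ == "__main__":
    # Constructed sample moduli.
    close = 1000003 * 1000033      # primes that differ by only 30
    far = 65537 * 2147483647       # primes of very different size
    print("close primes:", fermat_factor(close))
    print("far primes, 10000 steps:", fermat_factor(far, max_steps=10_000))
    print("slide example n=119:", fermat_factor(119))
```

Key generators guard against this with a minimum-gap check; FIPS 186-4, for example, rejects p and q when |p - q| is at most 2^(nlen/2 - 100), where nlen is the bit length of n.
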
Special properties • E(m*m’)=E(m)*E(m’) mod n • Add redundancy to sign messages • Blinding with a random r • Hide message to be signed from signer • Anonymous money
RSA: Sign vs encrypt • RSA can be used to sign messages or to encrypt messages • Always use separate keypairs for signing and encryption • Otherwise decrypting a message is equivalent to signing this message
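The properties on the two slides above (multiplicativity, blinding, and decryption acting as signing when one key pair does both jobs), as an added example that is not part of the original slides. It uses the key from the RSA Example slide (n = 119, e = 5, d = 77) with textbook RSA and no redundancy; the function names are illustrative.

```python
from math import gcd

N, E, D = 119, 5, 77  # key pair from the RSA Example slide

def rsa_public(x):
    """Public-key operation: encrypt, or open a signature."""
    return pow(x, E, N)

def rsa_private(x):
    """Private-key operation: decrypt, or sign."""
    return pow(x, D, N)

def combine_signatures(m1, m2):
    """E(m*m') = E(m)*E(m'): two valid signatures multiply into a third one.

    Returns (message, signature) for m1*m2 mod n, a message the signer never
    saw. This is why the slide says to add redundancy before signing.
    """
    s1, s2 = rsa_private(m1), rsa_private(m2)
    return (m1 * m2) % N, (s1 * s2) % N

def blind_sign(m, r):
    """Blinding: the signer sees only m * r^e mod n, never m itself.

    Returns (value shown to the signer, unblinded signature on m).
    """
    if gcd(r, N) != 1:
        raise ValueError("r must be invertible modulo n")
    blinded = (m * pow(r, E, N)) % N
    blinded_signature = rsa_private(blinded)      # the signer's only step
    return blinded, (blinded_signature * pow(r, -1, N)) % N

def decrypt_service(ciphertext):
    """A party that decrypts on request with the same key pair it signs with."""
    return rsa_private(ciphertext)

if __name__ == "__main__":
    print("combined:", combine_signatures(2, 3))
    print("blind signature on 19 with r=4:", blind_sign(19, 4))
    h = 23  # stands in for a message hash
    print("'decrypting' h signs it:", rsa_public(decrypt_service(h)) == h)
```
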
Authentication: goals • Prevent spoofing attacks • know where messages come from • know who you are sending messages to • Control access to systems • Many users have access to your machine remotely
On-line authentication • Challenge response • Verifier V sends random challenge • Prover P signs the challenge and returns it to the verifier • Works • With symmetric keys • Provided only P,V have knowledge of this key • And this key is only used to authenticate P to V (and not vice versa) • With asymmetric keys • Provided only P knows private key and V knows P’s public key
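The symmetric-key case of the challenge-response scheme above, as an added example that is not part of the original slides. It assumes HMAC-SHA256 as the keyed "signature"; the class and function names, the direction label and the 16-byte challenge size are illustrative choices.

```python
import hashlib
import hmac
import secrets

def respond(key, challenge):
    """Prover P: MAC the verifier's challenge with the shared key.

    The fixed label (an added assumption) marks the response as P -> V, in
    line with the slide's condition that the key authenticates P to V only.
    """
    return hmac.new(key, b"P->V|" + challenge, hashlib.sha256).digest()

class Verifier:
    """Verifier V: issues random challenges and accepts each at most once."""

    def __init__(self, key):
        self.key = key
        self.pending = set()

    def challenge(self):
        c = secrets.token_bytes(16)   # fresh and unpredictable
        self.pending.add(c)
        return c

    def check(self, challenge, response):
        if challenge not in self.pending:
            return False              # never issued, or already used (replay)
        self.pending.discard(challenge)
        expected = respond(self.key, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare

if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)
    v = Verifier(shared_key)
    c = v.challenge()
    r = respond(shared_key, c)
    print("first use accepted:", v.check(c, r))
    print("replay accepted:   ", v.check(c, r))
```
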
Key management • Difficult to get right • Two key classes • Short-term session keys • Long-term keys • Long term keys used for • Authentication • Confidentiality • Establish session keys • Protect stored data
Problems • Distributing keys • Get public keys • Distribute your public key • Establish a shared key • Confidentiality • Authenticity • Key storage • Tampering • Key revocation • Killing keys • Checking key status
Distributing keys • [Diagram: Alice, Bob, private key, public key]
(Wo)man-in-the-middle attack • [Diagram: Eve between Alice and Bob]
Certification Authority • Signs public keys • This is a certificate • Prevents man in the middle attack • Protocol • Alice requests key for Bob from CA • CA sends Bob’s certificate • Alice verifies CA certificate • Uses key in certificate to encrypt message to Bob
Certificate • “A statement signed by a principal which the principal believes to be true at the time of signing” • And for which it assumes responsibility, liability,…. • Several types • Identity • Attribute • Limited validity period
Identity certificate • CA binds key to ‘end entity’ (or principal) • A person • A role • An organisation • A pseudonym • A bank account • … • Depends on the CA policy
Properties • Nobody can forge a certificate • Requires private key CA • Everybody can verify certificate • Requires public key CA • Problem: • How to obtain/verify CA public key • Out-of-band verification
Obtaining a certificate (1) • How to obtain a certificate for your key pair • Alice signs public key and her identity with her private key • Proves possession of private key • Protects information in transit • CA verifies signature and identity information • Verisign: email address
Obtaining a certificate (2) • CA creates certificate by signing Alice’s public key and identity • Alice verifies certificate • Check that CA did not alter key or ID • Alice or CA publish certificate
Key length • Length of key determines security • The time and cost required by adversary to break the system • Required key length depends on level of security needed • Specify security as the number of years confidentiality/integrity must be maintained
Hypotheses • 56 bit DES key was strong enough in 1982 • Breaking it requires 500,000 Mips Years • 1 Mips Year = 20 hours on 450 MHz Pentium II • Computing power per $ doubles every 18 months • Variant of Moore’s law • Every 10 years, 100 times more computing power for the same amount of money • Budget of organisations doubles every 10 years • Computing power required to break an asymmetric algorithm halves every 18 months