360 likes | 492 Views
Public Key Cryptography. Public Key Cryptography. why we might want to consider an alternative to a secret key system using key distribution, and what we're looking for in public key cryptography. Problem of Key Distribution. there is one difficultly inherent in all KDC mechanisms.
E N D
Public Key Cryptography • why we might want to consider an alternative to a secret key system using key distribution, and • what we're looking for in public key cryptography.
Problem of Key Distribution • there is one difficultly inherent in all KDC mechanisms. • it seems like you must already have agreed on a key in order to securely distribute the next key • it won't work after your system has been compromised (when you have to start over again) • it won't work initially (when you have not yet agreed on a key). • You move the vulnerability away from "people trying to figure out a message" to the KDCs.
Problem of Key Distribution • However, we can imagine a physical solution to the problem • "Alice sends a secret to Bob, but they don't share a key", which is identical to the two problems mentioned above
Solution • Alice puts a secret in a box, which she locks with her own lock. Only Alice has the key to this lock. • Alice then ships the box to Bob. • Bob adds his own lock to this box in parallel, so that now the box has two locks • Bob then ships the box back to Alice. • Alice, knowing that the box is secure with Bob's lock, then takes her own lock off the box (with her key). • Alice sends the box back to Bob • Bob then removes his lock and receives the secret (which could have been a new shared key).
Solution • We have successfully shared a secret without exposing it • We did not possess a shared key initially • We don't care who is able to actually lock our mechanism • We want to make sure that only somebody with a key can unlock it • It should be cheap to unlock our mechanism with the key, but very expensive to try to unlock it without the key
Solution • In a mathematical sense • What we're looking for is called a 1-way trap-door function • To apply this idea to a cryptosystem, we would want an encryption mechanism that is a 1-way function • easy to compute but hard to invert • Our decryption of this resulting value should be easy if you know about the trap door
Solution • Diffie - Hellman Key Exchange • allows two principals to agree on a shared key even though they exchange messages in public • In the protocol, there is no authentication • either side could be be spoofed by an active wiretapper • The protocol can easily be extended into one that does also implement the necessary authentication.
Diffie - Hellman Key Exchange • The first step is to choose a large prime number p (around 512 bits). • The second is to choose an integer g where g < p (with some other technical restrictions.) • At this point, A can compute: • (TB)SA = (gSB mod p)SA = (gSB)SA mod p = ((gSBSA) mod p). • Similarly B can compute : • (TA)SB = . . . = ((gSASB) mod p). • Therefore, ((gSASB) mod p) = ((gSBSA) mod p) is the final shared key.
Diffie - Hellman Key Exchange • A wiretapper can see all the messages that are sent, • but can't do anything without having a fast way to compute logs in finite fields, which is assumed to be hard. • One problem with Diffie-Hellman is that it does not generalize to send arbitrary messages.
Physical Analogy for Diffie-Hellman Key Exchange • We have two principals,A and B, each with a 3-liter paint pot that contains 1-liter of yellow paint. We will use E to denote a passive wiretapper. We can assume that mixed paint cannot be deconstructed into original colors. • A adds to her 1 liter of yellow paint a secret color SA. B also adds to his 1 liter of yellow paint a secret color SB. • A and B swap pots. E is able to observe the 2, 2-liter mixtures be exchanged, but E cannot deduce what color was added to either mixture, E can only deduce the relative color balance in the combined 4 liter mixture: 2 * yellow + SA + SB (Y:Y:SA:SB). • A adds SA to B's pot. The result (Y:SA:SB) is the key. B adds SB to A's pot. The result (Y:SB:SA) is the key. Notice: A and B have computed the same key, but E gets a different one.
Public Key Cryptography • In public key cryptography, some keys are known to everyone, so it would seem that the key distribution problem vanishes • The basic idea of a public key cryptosystem is to have two keys: • a private (secret) key and • a public key. • Anyone can know the public key
Public Key Cryptography • Plaintext to a principal B is encrypted using B's public key. • B decrypts the enciphered text using its private key. • As long as B is the only one who knows the private key, then only B can decrypt messages encrypted under B's public key.
Public Key Cryptography • Some public key cryptography schemes also allow plaintext to be run through the decryption algorithm (using the private key). • What is produced is referred to as signed text and it can be "deciphered" using the public key • Only the possessor of a private key can create text that is decipherable using the public key. • The functionality of signed text cannot be replicated using secret key/symmetric cryptography.
Public Key Cryptography • Public key cryptography is usually much slower than secret key cryptography • it is rarely used to encrypt an entire message. • a message is encrypted using shared key cryptography (with a secret key). • That secret key is then encrypted using public key cryptography • the encrypted message and key are sent. • This is called hybrid encryption • can allow for complex structures in implementing our secrecy requirements
History of Public Key Cryptography (United States) • 1975: Diffie imagines asymmetric cryptography (Diffie + Hellman) • 1976: Diffie-Hellman key exchange • April 1977: RSA (Rivest, Shamir, Adelman) (United Kingdom • 1969: Government Communications Headquarters (GCHQ) - succesor to Bletchly Park - asks James Ellis to look into the key distribution problem. Ellis recalls a Bell Labs report about adding noise to a signal, transmitting it, and then removing the noise. • 1973: Clifford Cocks (recent Cambridge Math Ph.D) joins GCHQ. He hears about Ellis idea and searches for a suitable function, and he thinks of RSA. GCHQ now could do public key encryption. • January 1974: Malcolm Williamson, in an effort to try to break Cock's work, discovers Diffie-Hellman.
Uses of Public-Key Cryptography • secrecy, • authentication, and • digital signatures
Uses of Public-Key Cryptography • Secrecy is obtained when principal A encrypts a message m using B's public key. Thereafter, the only way to decrypt m is to know the private key of B. (see Figure below)
Uses of Public-Key Cryptography In secret key cryptography, doing authentication requires having a different key for each pair of principals; in public key cryptography, each principal needs to know just its own private key. An example of a public-key authentication protocol is:
Uses of Public-Key Cryptography • Digital signatures are used to prove that a message was generated by a particular principal. • Assume that the cryptosystem has the additional property wherein a message m "decrypted" under a private key, and then "encrypted" using the corresponding public key produces m. • To create a signed message, A will encrypt a message using its own private key and send that encrypted message to B. • B looks up A's public key and uses it to decrypt the message. • This is not completely practical since it requires running the decryption on an entire message, which can be expensive. • A solution is to compute a hash of the message and signthat.
Uses of Public-Key Cryptography • A hash is a function that digests information. It takes a message as input and outputs a short bit string (say, 128 bits). • An example of a 1-bit hash would be a function that returns the parity of the message.
Uses of Public-Key Cryptography • Think of a hash as a succint summary of a message that has four properties: • It is computationally infeasible to determine the input message m based on the digest of that message hash(m), which means the digest must convey no information about the original message • It is infeasible to find any message with a given digest value, which means we can't attack by replacing a message m1 with another message m2 with the same hash value
Uses of Public-Key Cryptography • Think of a hash as a succint summary of a message that has four properties: • It is infeasible to find 2 messages with a given hash. If we don't have this property, then it is possible a person could sign a message, then the signature could be cut and pasted on to another message with the same hash. • And finally, changing even 1-bit of the input gets completely different output, so that syntactically similar messages generate very different outputs and it is not likely that two bit-strings with the same hash value could be mistaken for each other.
Uses of Public-Key Cryptography • These properties make a message-text substitution attack difficult given a hash. • Suppose that message m is sent along with a signed hash value for m. • The properties of the hash function would make it difficult for an attacker to substitute another meaningful message that has the same hash value as the original.
Uses of Public-Key Cryptography We can easily have multiple signatures as well as build up a chain of signatures which establishes a valid history. This chaining of signatures can be used to prove such a claim as "Alice had signed the message when I got it.".
Examples of Public-Key Cryptosystems • Merkle's Puzzles • one of the first public key cryptographic systems to be described • It allows A and B to agree on a secret key • Principal A invents a million keys and a million puzzles, where each puzzle encodes a different one of the keys • Each puzzle is assumed to take at least two minutes to solve and fit into 96 bits • A sends these puzzles to B • B then picks a puzzle at random and solves it • B encrypts a pre-arranged string (say 0000) with the key from the puzzle it solved • B sends this encrypted string back to A. A trys each of the million keys on the message it receives from B • The one that decrypts the message and obtains the pre-arranged string is the secret key that A will use henceforth to communicate with B.
Examples of Public-Key Cryptosystems • Merkle's Puzzles • A wiretapper C could steal the million puzzles. • However, C would need to crack all million of the puzzles in order to discover the secret key. • If the wiretapper didn't know the pre-arranged string, then it can't even use a known-plaintext attack. • Since cracking each puzzle requires at least 2 minutes, the wiretapper would need on average 330 days to find the key.
Examples of Public-Key Cryptosystems • RSA • RSA (Rivest Shamir Adelman) • RSA is usually used to encrypt a private key and then send that with along with a message encrypted by the private key. • It uses a variable key length (usually 512 bits) and a variable block size that is not greater than the key length.
Examples of Public-Key Cryptosystems • RSA works as follows • Choose two large primes (say, 256 bits each) p and q. These must be kept secret. • Compute n = p*q. The number n is not secret. This systems works under the assumption that factoring n is computationally intractable. • Chose e such that e is relatively prime to (has no common factors other than 1 with) (p-1)*(q-1). The number e is usually chosen to be small. 3 and 64437 are popular. • The public key is the pair (e, n). Note that e doesn't have to be secret. The private key is (d, n) where d is the multiplicative inverse of e mod (p-1)(q-1).
Examples of Public-Key CryptosystemsRSA • To encrypt a message m, compute me mod n and send the result as ciphertext. • To decrypt ciphertext c: m = cd mod n. • RSA can also be used for digital signatures. • To sign a message m: s = md mod n. To check a signature: m = se mod n. • A lot of number theory is needed to prove that this technique works. • One necessary theorem is: m = (me mod n)d mod n.
Examples of Public-Key Cryptosystems Certification Authorities (Public Key Infrastructure) • KDC is no longer necessary • How can one principal learn the public key another? • How does one principal know they have the right public key and haven't been spoofed by an intruder? • It turns out that some sort of server is still needed to certify which public keys belong to whom.
Examples of Public-Key Cryptosystems • A certification authority (CA) is a trusted server that generates certificates of the form {name, public key}CA where CA is the certification authority's signature (private) key • All hosts are preconfigured with the certification authority's public key • any host can check the signature on these certificates • CA is more attractive than a KDC because a CA it doesn't need to be on-line. • Certificates can be stored anyplace and forwarded anywhere as they are needed.
Examples of Public-Key Cryptosystems • One problem is that if a principal's private key is compromised, then all those certificates (wherever they are) will cause the wrong public key to be used. • Since there isn't a single authority that everyone trusts, updating all those certificates is not feasible. • A solution is to require that certificates have expiration dates. • This will limit damage but not rule it out entirely.