1 / 25

Modern Cryptography Lecture 11

Modern Cryptography Lecture 11. Yongdae Kim. Admin Stuff. E-mail Subject should have [5471] in front, e.g. “[5471] Project proposal” CC TA: lin@cs.umn.edu Office hours Me: M 1:15 ~ 2:15, W 4:00 ~ 5:00 (and by appointment) TA: M 10:30 ~ 11:30, W 11:00 ~ 12:00 Work on projects

elvin
Download Presentation

Modern Cryptography Lecture 11

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Modern CryptographyLecture 11 Yongdae Kim

  2. Admin Stuff • E-mail • Subject should have [5471] in front, e.g. “[5471] Project proposal” • CC TA: lin@cs.umn.edu • Office hours • Me: M 1:15 ~ 2:15, W 4:00 ~ 5:00 (and by appointment) • TA: M 10:30 ~ 11:30, W 11:00 ~ 12:00 • Work on projects • 6th assignment is due 4/18 2:15 PM. • Check Calendar

  3. Recap • Math… • Proof techniques • Divisibility: a dividesb (a|b) if  c such that b = ac • GCD, LCM, relatively prime, existence of GCD • Eucledean Algorithm • d = gcd (a, b)   x, y such that d = a x + b y. • gcd(a, b) = gcd(a, b + ka) • Modular Arithmetic • a≡b (mod m) iff m | a-b iff a = b + mk for some k • a≡b (mod m), c≡d (mod m) a+c ≡(b+d) (mod m), ac ≡ bd (mod m) • gcd(a, n) =1  a has an arithmetic inverse modulo n. • Counting, probability, cardinality, … • Security Overview • one-way function if f(x) is easy to compute for all x  X, but it is computationally infeasible to find any x  X such that f(x) =y. • trapdoor one-way function if given trapdoor information, it becomes feasible to find an x  X such that f(x) =y.

  4. Recap • Cryptographic Primitives • SKE, PKE, Digital Signatures, Hash functions and MACs, Key Management through SKE, PKE • Block Ciphers • Modes of operation, meet-in-the-middle attack, Product cipher, Feistal cipher, DES • Hash function • Onewayness, weak/strong collision resistance, Birthday paradox • Merkle Damgard Construction • If the compression function is collision resistant, then strengthened Merkle-Damgård hash function is also collision resistant • Multi-collision attack, extension property • MAC • CBC-MAC, Secret prefix, Secret Suffix, HMAC • Authenticated Encryption

  5. Recap (cnt) • Advanced number theory • CRT, Euler theorem: If a  Zn* , then a f(n) =1 (mod n) • Cor: if r ´ s mod f(n) and (a, n)=1, then ar´ as (mod n) • Generator • If ordn(a) = f(n) then a is a generator of Zn*. • a is a generator iff a f(n)/p≠ 1 mod n for all p | f(n). • Let a  Zm* and ord(a) = h. Then ord(ak) = h/gcd(h, k). • RSA Encryption • n = pq, f(n) = (p-1)(q-1), gcd(f(n), e) = 1, ed 1 mod f(n) • A’s public key is (n, e); A’s private key is d • Encryption: compute c = me mod n, Decryption: m = cd mod n • RSA Security • Computing d from (n, e) and factoring n are computationally equivalent • n cannot be shared • Small encryption exponent e = 3 • Homomorphic property

  6. Recap (cnt) • Abstract Algebra • Group, cyclic groups, generator, group order, subgroup • Discrete logarithm problem • Diffie-Hellman • DLP vs. DHP, More efficient implementation (p, q, g) • Long-term vs. short-term Diffie-Hellman • ElGamal encryption • ElGamal vs. RSA encryption • RSA signature

  7. RSA Signature • Key generation n, p, q, e, d • Sign • Compute s = h(m)d mod n • Signature: (m, s) • Verify • Obtain authentic public key (n, e) • Verify h(m) = se mod n

  8. DSA (US Standard) • DSA Algorithm : key generation • select a prime q of 160 bits • 1024 bit p with q|p-1 • Select g’ in Zp*, and g = gk=g’(p-1)/q mod p, g1 • Select 1  x q-1, compute y= gx mod p • public key (p, q, g, y), private key x

  9. DSA (cont) • DSA signature generation • Select a random integer k, 0 < k < q • Compute r=(gk mod p) mod q • compute k-1 mod q • Compute s = k-1 (h(m) + xr) mod q • signature = (r, s) • DSA signature verification • Verify 0<r<q and 0<s<q, if not, invalid • Compute w= s-1mod q and h(m) • Compute u1=wh(m)mod q, u2=rw mod q • Compute v = (gu1yu2 mod p) mod q • Valid iff v=r

  10. DSA (cont) • H(m) = -xr + ks (mod q) • w h(m) + xrw = k mod q • u1 + x u2 = k mod q • (gu1 yu2 mod p) mod q = (gk mod p) mod q • Security of DSA • two distinct DL problems: ZP*, cyclic subgroup order q • Parameters: • q~160bits, p 768~1Kb, p, q, g can be system wide

  11. DSA (cont) • Performance • Signature Generation • One modular exponentiation • Several 160-bit operations (if p is 1024 bits) • The exponentiation can be precomputed • Verification • Two modular exponentiations

  12. Comparison: RSA vs. DSA • Speed • Signature generation • RSA • DSA • Signature verification • RSA • DSA • Memory • RSA • DSA • Which one do you want to use?

  13. Blind signature scheme • Chaum for Electronic Cash • Sender A; Signer B • B’s RSA public and private key are as usual. k is a random secret integer chosen by A, satisfying 0  k < n • Protocol actions • (blinding) A: comp m* = mke mod n, to B Note: (mke)d = mdk • (signing) B comp s* = (m*)d mod n, to A • (unblinding) A: computes s = k-1s* mod n

  14. Identification

  15. Basis of identification • Something known - passwords, PINs, keys… • a^*ehk3&(dAs • Something possessed - cards, handhelds… • Something inherent - biometrics

  16. PINs and keys • Long key on physical device (card), short PIN to remember • PIN unlocks long key • Need possession of both card and PIN • Provides two-level security (or two-factor authentication)

  17. Other password: graphical

  18. Lamport’s One Time Passwords • User has a secret w • Using a OWF h, create the password sequence: w, h(w), h(h(w)),…,ht(w) • Bob knows only h t(w) • Password for i -thidentification is: wi = h t-i (w) • Attacks • Pre-play attack - Eve intercepts an unused password and uses it later • Make sure you’re giving password to the right party • Bob must be authenticated

  19. Another one-time password • Stores actual passwords on system side • Alice and Bob share a password P • Alice: generate r, send to Bob: (r, h(r, P)) • Check: Bob computes h(r, P), from given r, and local copy of P. • Security • Works only if r is something that will only be accepted once (else replay attack!) • Any other?

  20. Challenge-response authentication • Alice is identified by a secret she possesses • Bob needs to know that Alice does indeed possess this secret • Alice provides responseto a time-variant challenge • Response depends on both secret and challenge • Using • Symmetric encryption • One way functions • Public key encryption • Digital signatures

  21. Challenge Response using SKE • Alice and Bob share a key K • Taxonomy • Unidirectional authentication using timestamps • Unidirectional authentication using random numbers • Mutual authentication using random numbers • Unilateral authentication using timestamps • Alice  Bob: EK(tA, B) • Bob decrypts and verified that timestamp is OK • Parameter Bprevents replay of same message in B  A direction

  22. Challenge Response using SKE • Unilateral authentication using random numbers • Bob  Alice: rb • Alice  Bob: EK(rb, B) • Bob checks to see if rb is the one it sent out • Also checks “B” - prevents reflection attack • rb must be non-repeating • Mutual authentication using random numbers • Bob  Alice: rb • Alice  Bob: EK(ra, rb, B) • Bob  Alice: EK(ra, rb) • Alice checks that ra, rb are the ones used earlier

  23. Challenge-response using OWF • Instead of encryption, used keyed MAC hK • Check: compute MAC from known quantities, and check with message • SKID3 • Bob  Alice: rb • Alice  Bob: ra, hK(ra, rb, B) • Bob  Alice: hK(ra, rb, A)

  24. Challenge-response using PKE • Mutual Authentication based on PK decryption • Alice  Bob: PB(rA, B) • Bob  Alice: PA(rA, rB) • Alice  Bob: rB

  25. Challenge-response using DS • Timestamp-based • Alice  Bob: certA, tA, B, SA(tA, B) • Bob checks: • Timestamp OK • Identifier “B” is its own • Signature is valid (after getting public key of Alice using certificate) • Mutual Authentication using Signatures • Bob  Alice: rB • Alice  Bob: certA, rA, B, SA(rA,rB,B) • Bob  Alice: certB, A, SB(rA,rB,A)

More Related