CSCE 522 - Farkas
Public Key Encryption
• Terminology
• RSA
• Hash functions
Reading Assignment
• Reading assignments for current lecture:
Required:
• Pfleeger: 2.7, …, 2.12
Recommended:
• Tom Simonite, MIT Technology Review: NSA Leak Leaves Crypto-math Intact but Highlights Known Workarounds, http://www.dfinews.com/news/2013/09/nsa-leak-leaves-crypto-math-intact-highlights-known-workarounds#.UjdU8X-d6So
Lecture 6
Summary of Secret Key Encryption
• Basic methods:
• Substitution
• Transposition
• Security: secrecy of the secret key
Compare DES and AES
Weakness of Secret Key Encryption
• Secrecy of key
• How to distribute the keys securely?
• Large number of keys: N(N-1)/2 for N communicating parties
• Other issues: no support for
• Third party verification
• Non-repudiation
Can we provide other methods for confidentiality?
Public-Key Encryption
• Two keys: one is private, one is public
• Solves the key distribution problem (but needs a reliable channel)
• Provides electronic signatures
• Slower than secret-key encryption
Public-Key Encryption
• Needed for security:
• One of the keys must be kept secret
• Impossible (at least impractical) to decipher the message if no other information is available
• Knowledge of the algorithm, one of the keys, and samples of ciphertext must be insufficient to determine the other key
Public Key Cryptosystem
• Concept conceived by Diffie and Hellman in 1976
• Rivest, Shamir, and Adleman (RSA) described a public key system in 1978
• Many proposals have been broken, e.g., the Merkle-Hellman proposal was broken by Shamir
• Serious candidates (public domain):
• RSA
• El Gamal
RSA Steps
• Key generation
• Key distribution
• Encryption
• Decryption
RSA Principle
• Find large positive integers e, d, and n such that
• 0 < M < n
• Sender knows e
• Only receiver knows d
• Easy to calculate M^e, C^d
• Infeasible to determine d given e
M^(e*d) mod n = M mod n
RSA Keys
Generation of public and private keys
• Choose 2 large prime numbers p and q
• Compute n = p*q
• Choose e > 1 relatively prime to φ(n) = (p-1)*(q-1)
• Compute d such that e*d = 1 mod (p-1)*(q-1)
• Publish (n,e)
• Secret: (n,d), p, q
RSA Keys
• Compute d such that e*d = 1 mod (p-1)*(q-1)
• If the factorization of n into p*q is known: Easy
• Otherwise: Hard
• How hard is it to compute d given (n,e)?
• Don't know, BUT not harder than factoring n into p*q
Security of RSA is no better than the complexity of the factorization problem
Confidentiality (diagram): sender A runs the encryption algorithm on the plaintext with B's public key (which needs a reliable channel); the ciphertext crosses the insecure channel; recipient B runs the decryption algorithm with B's private key to recover the plaintext.
RSA
• Public key: (n,e)
• Private key: (n,d)
• n is a large number
• C = M^e mod n
• M = C^d mod n
Notation
C = E(KE-B, M)
M = D(KD-B, C)
KE-B (KBpub): public key of B
KD-B (KBpriv): private key of B
E: encryption alg.
D: decryption alg.
M: plaintext
C: ciphertext
S: signature
Digital Signatures in RSA
• RSA Property: encryption and decryption are commutative
• Encryption followed by decryption yields the original message: (M^e mod n)^d mod n = M
• Decryption followed by encryption yields the original message: (M^d mod n)^e mod n = M
• Cryptosystems that preserve message length have this property
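The key generation, encryption and commutative sign/verify steps of the slides above, as an added worked example that is not part of the original lecture. It uses the tiny primes p = 61, q = 53 with e = 17 (chosen here so every value can be checked by hand) and unpadded textbook RSA, which is only suitable for illustrating the arithmetic:

```python
# Added example (not from the lecture slides): textbook RSA key generation,
# encryption/decryption and the commutative sign/verify property, worked with
# deliberately tiny primes so each step is checkable by hand. Real deployments
# use 2048-bit or larger moduli and padding (OAEP/PSS); unpadded RSA as shown
# here illustrates the math only.
from math import gcd


def rsa_keygen(p, q, e=65537):
    """Return ((n, e), (n, d)) from two primes p, q (slide 'RSA Keys')."""
    n = p * q
    phi = (p - 1) * (q - 1)           # φ(n) for n = p*q
    if gcd(e, phi) != 1:              # e must be relatively prime to φ(n)
        raise ValueError("e is not coprime to phi(n)")
    d = pow(e, -1, phi)               # d = e^-1 mod φ(n)  (Python 3.8+)
    assert (e * d) % phi == 1         # e*d = 1 mod (p-1)*(q-1)
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    n, e = pub
    if not 0 < m < n:                 # slide: 0 < M < n
        raise ValueError("message out of range")
    return pow(m, e, n)               # C = M^e mod n


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)               # M = C^d mod n


def rsa_sign(priv, m):
    # "Decrypting" the message with the private key yields the signature.
    n, d = priv
    return pow(m, d, n)               # S = M^d mod n


def rsa_verify(pub, m, s):
    # "Encrypting" the signature with the public key must give M back.
    n, e = pub
    return pow(s, e, n) == m          # (M^d mod n)^e mod n == M ?


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, e=17)     # n = 3233, φ(n) = 3120, d = 2753
    c = rsa_encrypt(pub, 65)
    print("C =", c, "-> M =", rsa_decrypt(priv, c))
    s = rsa_sign(priv, 65)
    print("S =", s, "valid:", rsa_verify(pub, 65, s))
```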
Digital Signatures in RSA (diagram): A signs by running the decryption algorithm on the plaintext with A's private key; the signed plaintext crosses the insecure channel; B verifies by running the encryption algorithm with A's public key (which needs a reliable channel) to recover the plaintext.
Signature and Encryption (diagram): A applies D with A's private key to the plaintext (sign), then E with B's public key (encrypt), and sends the encrypted signed plaintext; B applies D with B's private key (decrypt), then E with A's public key (verify), and recovers the plaintext.
Signature and Encryption
• We could do the encryption first, followed by the signature. Advantage of signature first: parties other than B can verify the signature
• DES can be used for encryption
Non-repudiation
• Requires a notarized signature, involving a third party
• Large system: hierarchies of notarization
Hash Functions
Hash Functions
• Hash function h maps an input x of arbitrary length to a fixed-length output h(x) (compression)
• Accidental or intentional change to the data will change the hash value
• Given h and x, h(x) is easy to compute (ease of computation)
Lecture 8-9
Good Hash Function
• It is easy to compute the hash value for any given message
• It is infeasible to find a message that has a given hash (one-way property)
• It is infeasible to modify a message without changing its hash
• It is infeasible to find two different messages with the same hash (collision-free property)
Hash functions
• Preimage resistant (one-way): for all specified outputs, it is computationally infeasible to find any input that hashes to that output
• Second-preimage resistant (weak collision resistant): it is computationally infeasible to find any second input which has the same output as any specified input
• Collision resistant (strong collision resistant): it is computationally infeasible to find any two distinct inputs that have the same output
Use of Hash function
• Message integrity
• Message authentication (hash is signed)
• Protect password files
• Support for intrusion detection
• Support for virus detection
Hash Algorithms
• Input of arbitrary length
• Output size
• Block size
• Rounds
• Bitwise operations: and, or, xor, not
SHA Security
• SHA-1: in 2005 security flaws were identified
• A possible mathematical weakness might exist
• SHA-2: no attacks have yet been reported
• SHA-2 variants are algorithmically similar to SHA-1, and so efforts are underway to develop improved alternatives
• SHA-3: new hash standard is currently under development
SHA-2 Family
• 2001: first published in the draft FIPS PUB 180-2
• 2002, 2004: FIPS PUB 180-2 modified
• SHA-224, SHA-256, SHA-384, and SHA-512
MD5 vs. SHA
• Very similar
• Security: SHA's digest is 32 bits longer, without algorithm flaws, so SHA is more secure
• Speed: SHA has more steps and produces a 160-bit buffer, so SHA is slower
• Simplicity and compactness: MD5 has more internal steps with varying buffer modification, so SHA is simpler
Attacks
• First preimage attack: given a hash h, find a message m such that hash(m) = h
• Second preimage attack: given a fixed message m1, find a different message m2 such that hash(m2) = hash(m1)
• Attack complexity: 2^n (considered too high for a typical output size of n = 160 bits)
• Practical attacks: Collision attack
Collision Attack
• Cryptographic attack
• Based on probability theory
• Given a function ƒ, the goal of the attack is to find two different inputs x1, x2 such that ƒ(x1) = ƒ(x2) (complexity is 2^(n/2))
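The 2^n versus 2^(n/2) gap between the preimage attacks and the collision attack on the two slides above can be observed directly. The following is an added example, not part of the lecture: it builds a toy n-bit hash by truncating SHA-256 (the truncation and the "msg-i" / "alt-i" input families are assumptions made here), so that a birthday search for a collision finishes after roughly 2^(n/2) hashes while a brute-force second-preimage search needs roughly 2^n.

```python
# Added example (not from the lecture slides): measuring why the collision
# attack is the practical one. A toy n-bit hash is the first n bits of
# SHA-256; a birthday search finds a collision in about 2^(n/2) trials, while
# a second-preimage search against the same hash needs about 2^n trials.
import hashlib
from itertools import count


def trunc_hash(data: bytes, n_bits: int) -> int:
    """Toy n-bit hash: the leading n_bits of SHA-256(data)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - n_bits)


def find_collision(n_bits: int):
    """Birthday search: hash distinct constructed messages until two agree.
    Returns (m1, m2, trials); memory grows with the number of trials."""
    seen = {}
    for i in count():
        m = b"msg-%d" % i                     # constructed, pairwise distinct
        h = trunc_hash(m, n_bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m


def find_second_preimage(target: bytes, n_bits: int, max_trials: int):
    """Brute force: look for m2 != target with the same truncated hash.
    Returns (m2, trials), or (None, max_trials) if the budget runs out."""
    want = trunc_hash(target, n_bits)
    for i in range(max_trials):
        m = b"alt-%d" % i                     # constructed candidates
        if m != target and trunc_hash(m, n_bits) == want:
            return m, i + 1
    return None, max_trials


if __name__ == "__main__":
    n = 24
    m1, m2, t = find_collision(n)
    print(f"{n}-bit collision after {t} trials (2^(n/2) = {2 ** (n // 2)}):",
          m1, m2)
    m2, t = find_second_preimage(b"msg-0", 16, 1 << 18)
    print(f"16-bit second preimage after {t} trials (2^n = {2 ** 16}):", m2)
```

For a real 160-bit digest the same ratio is what turns an unreachable 2^160 preimage search into the 2^80 collision bound the slides cite.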
Hash Functions
• Message digest
• Used for authenticity (sign hash value of a message) and integrity purposes
• Algorithms:
• MD2, MD4, MD5 (128), SHA0 (160) -- insecure
• SHA1 (160) – theoretical collision attack
• SHA-2, SHA-3 (256, 512, 1024) – OK
MD6
• MD6 was submitted to the NIST SHA-3 competition
• July 1, 2009: Rivest posted a comment at NIST that MD6 is not yet ready to be a candidate for SHA-3, because of
• speed issues and
• inability to supply a proof of security for a faster reduced-round version
Next Class
• Protocol Analysis and hash
How does it work?
Chapter 12
Not required for tests
Arithmetic
• Identity i: x op i = x
• Inverse: b is the inverse of a under op if a op b = i
• Prime numbers: p is prime if 1 < p and p is divisible by {1, p} only
• Euclidean algorithm: if x divides a and b then x also divides a-(k*b); with a = x*a1 and b = x*b1:
a-(k*b) = x*a1-(k*x*b1) = x*(a1-(k*b1)) = x*d
Greatest common divisor
• Given a > b, the greatest common divisor x = gcd(a,b) can be calculated as follows:
• Rewrite a as a = m*b + r, where m = a/b (integer quotient) and r is the remainder
• If x divides a and b, it also divides r, therefore x = gcd(a,b) = gcd(b,r); next write b = m'*r + r'
• Continue until the remainder is zero
Modular Arithmetic
• Results stay in the underlying range of numbers
• +, -, * can be applied before or after the modulus is taken with similar results
• Modulus: remainder after division, that is, if a mod n = b then a = c*n + b
• Examples
• 9 mod 3 = 0
• 12 mod 5 = 2
• 12 mod 10 = 2
Modular Arithmetic
Properties:
• Associative
a+(b+c) mod n = (a+b)+c mod n
a*(b*c) mod n = (a*b)*c mod n
• Commutative
a+b mod n = b+a mod n
a*b mod n = b*a mod n
• Distributive
(a*(b+c)) mod n = (((a*b) mod n) + ((a*c) mod n)) mod n
• Existence of identities
a+0 mod n = 0+a mod n = a
a*1 mod n = 1*a mod n = a
Modular Arithmetic
Properties:
• Existence of inverses
a+(-a) mod n = 0
a*(a^-1) mod n = 1 if a ≠ 0 (and gcd(a,n) = 1; see next slide)
• Reducibility
(a+b) mod n = ((a mod n) + (b mod n)) mod n
(a*b) mod n = ((a mod n) * (b mod n)) mod n
a^e mod n = [∏_{i=1}^{e} (a mod n)] mod n
Modular Arithmetic
a^-1 = x mod n has a unique solution if a and n are relatively prime
Fermat's and Euler's Theorem
• Fermat's Theorem: For any prime number p and any element a < p
a^p mod p = a, or a^(p-1) mod p = 1
The inverse of a is x, such that a*x mod p = 1
a*x mod p = 1 = a^(p-1) mod p, so x = a^(p-2) mod p
• Euler's theorem: if a and n are relatively prime, then
a^φ(n) mod n = 1 = a*x mod n, so x = a^(φ(n)-1) mod n
• Example: inverse of 4 mod 5
4^-1 mod 5 = 4^(5-2) mod 5 = 64 mod 5 = 4
4*4 mod 5 = 16 mod 5 = 1
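The gcd, modular-inverse and Fermat/Euler slides above are what produce the RSA private exponent d. The following added example (written for this page, not taken from the lecture) implements Euclid's algorithm as stated on the "Greatest common divisor" slide, extends it to compute a^-1 mod n when gcd(a,n) = 1, reproduces the slide's 4^-1 mod 5 = 4 example via Fermat's shortcut, and derives d for the p = 61, q = 53, e = 17 toy key (values chosen here as an assumption):

```python
# Added example (not from the lecture slides): the number theory behind d.
# Euclid's algorithm from the 'Greatest common divisor' slide, its extended
# form giving a^-1 mod n when gcd(a, n) = 1, and the Fermat/Euler shortcut
# x = a^(p-2) mod p used in the slide's example (4^-1 mod 5 = 4).


def gcd_euclid(a, b):
    """gcd(a, b) = gcd(b, r) with a = m*b + r, repeated until r = 0."""
    while b:
        a, b = b, a % b
    return a


def ext_gcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        m, r = divmod(a, b)               # a = m*b + r, as on the slide
        a, b = b, r
        x0, x1 = x1, x0 - m * x1
        y0, y1 = y1, y0 - m * y1
    return a, x0, y0


def mod_inverse(a, n):
    """a^-1 mod n via extended Euclid; exists only if gcd(a, n) = 1."""
    g, x, _ = ext_gcd(a, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n} (gcd = {g})")
    return x % n                          # a*x + n*y = 1  =>  a*x = 1 mod n


def fermat_inverse(a, p):
    """a^-1 mod p for prime p: a^(p-1) = 1 mod p, so a^(p-2) is the inverse."""
    return pow(a, p - 2, p)


def euler_phi_pq(p, q):
    """φ(n) for n = p*q with p, q prime (Euler's theorem: a^φ(n) = 1 mod n)."""
    return (p - 1) * (q - 1)


if __name__ == "__main__":
    print("gcd(3120, 17) =", gcd_euclid(3120, 17))
    print("4^-1 mod 5 =", fermat_inverse(4, 5), "=", mod_inverse(4, 5))
    phi = euler_phi_pq(61, 53)            # φ(3233) = 3120
    d = mod_inverse(17, phi)              # e*d = 1 mod φ(n)
    print("d = 17^-1 mod", phi, "=", d, "check:", 17 * d % phi)
```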