1 / 27

15-349 Introduction to Computer and Network Security

15-349 Introduction to Computer and Network Security. Iliano Cervesato 2 September 2008 – Public-key Encryption. Where we are. Course intro Cryptography Intro to crypto Modern crypto Symmetric encryption Asymmetric encryption Beyond encryption Cryptographic protocols

keith
Download Presentation

15-349 Introduction to Computer and Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 15-349Introduction to Computer and Network Security Iliano Cervesato 2 September 2008 – Public-key Encryption

  2. Where we are • Course intro • Cryptography • Intro to crypto • Modern crypto • Symmetric encryption • Asymmetric encryption • Beyond encryption • Cryptographic protocols • Attacking protocols • Program/OS security & trust • Networks security • Beyond technology

  3. Outline • Public-key cryptography – motivations • The Merkle-Hellman encryption algorithm • The knapsack problem • How Merkle-Hellman works • Cryptoanalysis • Basic number theory • Modular arithmetic • Primality and inverses • The El Gamal encryption scheme • The discrete logarithm problem • RSA • The factorization problem • RSA cryptographic challenges

  4. Asymmetric Encryption – Review Encryption box Decryption box Ciphertext Ciphertext Dk (Ek(m)) = m E M X D M X Cleartext k-1 k Cleartext Public data k Public key Private key -1

  5. Motivations • Can 2 keys be better than 1? • How do we make data public? • Why bother? • Key management problem • Added flexibility • E.g., digital signatures

  6. A1 A5 A2 A4 A3 Naïve Key Management Principals A1, …, An want to talk • Each pair needs a key • n(n-1)/2 keys • Keys must be established • Physical exchange • Secure channel • …

  7. A1 k1 A5 k5 A2 KDC k2 k4 k3 A4 A3 Improved Solution Centralized key-distribution center • n key pairs needed • However • KDC must be trusted • KDC is single point of failure • Still n direct exchanges … if Ai wants to talk to Aj … • Ai KDC: “connect me to Aj” • KDC generates new key kij • KDC  Ai: Eki(kij) • KDC  Aj: Ekj(kij, “Ai wants to talk”) Still naïve • KDC online all the time

  8. Public-Key Solution Public data A1 k1… Ai ki… A1 k-11 • Pair (ki, ki-1) for each Ai • ki’s are published • Phonebook • Simple setup • Ai generates (ki, ki-1) • Ai publishes ki • … details later • Secure web sites would be impossible without • https Ai k-1i

  9. The Knapsack problem • Given objects of size s1, s2, … sn, is it possible to completely fill a knapsack of size s? • Is there binary vector v such that Si visi = s ? • NP-complete • What if si+1 > Sj<i sj ? • Easy: O(n) • Super-increasing knapsack • Hmm, this feels like encryption material … for (i=n; i > 0; i--) { if (s > si) s = s – si } return (s == 0)

  10. Merkle-Hellman Encryption • Pick • a super-increasing sequence S = (s1,s2,…,sn) • a prime p >sn100-200 digits long • a multiplier w • (S, w) is the private key • Compute • hi = wsi mod p • H = (h1, h2, …, hn) is the public key • Encryption of binary m • x = Si himi • Attacker has to solve general knapsack in H – hard • Decryption of x • Multiply x by w-1 • Solve super-increasing knapsack problem in S – easy

  11. Cryptanalysis of Merkel-Hellman • Scheme based on a special instance of knapsack problem • modular knapsack generated from super-increasing sequence • Not as hard as general knapsack • If p is known • If s1 can be found, all si can be found • Can deduce w and p from H • Try successive values of w and observe where whi rolls over • Right w is where they all roll over at the same time

  12. Number Theory – Divisors Z is a ring • Z = {…, -1, 0, 1, …} • + is commutative, associative and invertible w.r.t. 0 • * is commutative, associative with identity 1 • a|b if c. ac = b • E.g., 3|6 • E.g., 3|10 • gcd(a, b) = largest d  Zs.t. d|a and d|b • E.g. gcd(18,15) = 3 • Modular arithmetic • a = b mod n if c. an + c = b • Zn = {0, …, n-1} • All operations modulo n • Also a ring Euclid’s algorithm Given a > b • r0 = b, r1 = a • ri-2 = qiri-1 + ri • When rn+1 = 0, set gcd(a,b) = rn • u,v. gcd(a,b) = ua + vb

  13. Number Theory – Prime numbers • p>1 prime if 1 and p are its only divisors • E.g. 3, 5, 7, … • p and q are relatively prime if gcd(p,q) = 1 • E.g. 4 and 5 are relative primes • There are infinitely many primes

  14. Arithmetic Modulo a Prime • p prime number • For us, at least 1024 bits (~ 300 digits) • Zp = {0, 1, …, p-1} • Addition and multiplication are modulo p • Exponentiation is iterated multiplication • x is the inverse of y  0 if xy = 1 mod p • All non-null elements of Zp are invertible • x-1 = xp-2 mod p • We can solve linearequations in Z*p • If ax = b mod p, then x = bap-2 mod p • Z*p = {1, …, p-1} • Contains all invertible elements of Zp • Zp = Z*p U {0} Zp is aGalois field Fermat’s little theorem If a  0, then ap-1 = 1 mod p

  15. Computing in Zp • Let n be the length of p • Usually around 1024 bits • Addition in Zp done in O(n) • Multiplication is O(n2) • Clever (and practical) algorithms achieve O(n1.7) • Same for inverse • xr mod p computed in O((log r) n2) • Repeated squares • E.g.: g23 = g10111 = g . g2. g4 . g16 (7 multiplications) • Addition chains • Saves 20% in average (but shortest chain is NP-complete) • g, g2, g3, g5, g10, g20, g23 (6 multiplications)

  16. Complexity in Zp • Easy problems • Generating p • Addition, multiplication, exponentiation • Inversion, solving linear equations • Problems believed to be hard • DL: Discrete logarithm • Given g and x  Zp, find r s.t. x = gr mod p • DH: Diffie-Hellman • Given g, gr, gs Zp, find grs mod p • Note • DL implies DH • Unknown if DH implies DL • Best known attack on DL requires space and O(2n) time

  17. Diffie-Hellman Key Exchange Public data p, g A B • Choose random a1  a  p-1 • send ga mod p • Receive gb mod p • (gb)a = gab mod p • k = f(gab) ga mod p • Receive ga mod p • Choose random b1  b  p-1 • Send gb mod p • (ga)b = gab mod p • k = f(gab) gb mod p

  18. Diffie-Hellman Key Exchange [2] • Allows 2 principals to produce a shared secret • Without secure channel or physical exchange • Without a key distribution center • f is typically a hash function • Agreed upon in advance • However, no authentication • Can be fixed with some infrastructure • Security relies on hardness of DH

  19. El Gamal Encryption Scheme Public data A1 p1 ,g1,g1a1… Ai pi ,gi,giai… secret m  ZpB to B A wants to send • Security rests on hardness of DL • Criticisms • Transmitted message double of m • Public data has to be managed • Very slow (~10Kb/sec vs. 250Kb/s of DES) A B aA aB • Choose random a • Send gBa,gBaBa m mod pB gBa, gBaBa m mod pB • Receive gBa,gBaBa m mod pB • (gBa)aB = gBaBamod pB • ComputegB-aBa mod pB • gB-aBagBaBa m mod pB= m

  20. Arithmetic Modulo a Composite • n natural number • For us, typically 1024 bits or ~ 300 digits • Typically n = pq, with p and q primes • Zn = {0, 1, …, n-1} • x is inverse of y  0 if xy = 1 mod n • x has inverse iff gcd(x,n) = 1 • ux + vn = 1 by Euclid’s algorithm so x-1 = u • Works also in Zp where more efficient than x-1 = xp-2 • We can solve linear equations in Zn • Z*n = {x : gcd(x,n) = 1} • Contains all invertible elements of Zn

  21. Euler’s Totient Function • f(n) is the number of positive integers relatively prime to n • f(n) is the size of Z*n • If n = Pipiei,then f(n) = Pipiei-1(pi-1) • If n=pq,then f(n) = (p-1)(q-1) = n – p – q – 1 • a is invertible with inverse af(n)-1 Euler’s theorem If a  Z*n, then af(n) = 1 mod n

  22. Computing in Zn • Easy problems • Generating p • Addition, multiplication, exponentiation • Inversion, solving linear equations • Hard problems • Factoring • Given n, find p,q s.t. n = pq

  23. The set-up of RSA • n = pq • n is the product of 2 (large) primes • By Euler’s theorem, f(n) = (p – 1)(q – 1) • Select e and d such that (me)d = m • How? • Pick e relative prime to f(n) • E.g., a prime greater than f(n) • By Fermat’s theorem, compute d = ef(n)-1 • ed = 1 mod f(n) • ed = kf(n) + 1 = k(p-1)(q-1) + 1 = k’(p-1) + 1 • Now: • mp-1 = 1 mod p • mk’f(n) = 1 mod p • mk’f(n)+1 = m mod p • med = m mod p

  24. RSA [Rivest,Shamir,Adelman ’76] ni = piqi eidi = 1 mod f(ni) Public data A1 n1 ,e1 … Ai ni ,ei… A wants to sendsecret m  ZnB to B • Security of RSA rests on • Hard to factorize n = pq • Hard to compute f(n) from n • Factoring implies RSA • Unknown if RSA implies factoring A B pA,qA,dA pB,qB,dB meB mod nB • Send meB mod nB • Receive meB mod nB • (meB)dBmod nB= meBdBmod nB= mkf(nB)+1mod nB= (mf(nB))k mmod nB= (1)k mmod nB= mmod nB

  25. Attacks on RSA • Small d for fast decryption • But easy to crack if d < (n1/4)/3 [Wiener] • d should be at least 1080 • Small e for fast encryption • If m sent to more than e recipients, then m easily extracted • Popular e = 216 + 1 • Same message should not be sent more than 216 + 1 times • Modify message (still dangerous) • Timing attacks • Time to compute md mod n for many m can reveal d • Homomorphic properties of RSA • If ci = mie mod n (i=1,2), then c1c2 = (m1m2)e mod n • Easy chosen plaintext attack • Eliminated in standards based on RSA

  26. RSA Cryptographic Challenges • Factoring given primes set as challenge by RSA Labs • http://www.rsa.com/rsalabs/ • RSA-ddd: challenge in digits • RSA-bbb: challenge in bits • RSA-140: 1999 in 1 month • RSA-155: 1999 in 4 months • RSA-160: 2003 in 20 days • RSA-200: 2005 in 18 months • Challenges no longer active

  27. Key length • Public-key crypto has very long keys • 1024, 2048, 4096 are common • Is it more secure than symmetric crypto? • 56, 128, 192, 256 • Key lengths don’t compare! • 1024  80 bit • 2048  112 bit • 3072  128 bit • 7680  192 bit • 15,360  256 bit

More Related