190 likes | 382 Views
Internet Security 1 ( IntSi1 ). 4 Public Key Cryptography. Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA). Secure Network Protocols. Confidentiality. Data Integrity. Authentication. Non-Repudiation. Digital Signatures. Encryption. MACs MICs.
E N D
Internet Security 1 (IntSi1) 4 Public KeyCryptography Prof. Dr. Andreas SteffenInstitute for Internet Technologies and Applications (ITA)
Secure Network Protocols Confidentiality DataIntegrity Authentication Non-Repudiation Digital Signatures Encryption MACsMICs ChallengeResponse SmartCards Symmetric KeyCryptography MessageDigests IVs Nonces Secret Keys Public KeyCryptography BlockCiphers Stream Ciphers HashFunctions PseudoRandom RandomSources EllipticCurves DHRSA Cryptographical Building Blocks
KAB, KAC, KAD, KAE, KAF Alice Fred Bob KAF, KBF, KCF, KDF, KEF KAB, KBC, KBD, KBE, KBF KAE, KBE, KCE, KDE, KEF KAC, KBC, KCD, KCE, KCF Edna Carol KAD, KBD, KCD, KDE, KDF Dave The Secure Key Distribution Problem secure distributionof n2/2 keys
Alice KA KB KC KD KE KE PublicDirectory Fred Bob Alice : KABob : KBCarol : KCDave : KDEdna : KEFred : KF Edna Carol public distribution of n keys Dave Public Key Distribution System
KB Trap Door Alice Bob C = fKB(P) P = f-1KB(C,TB) Encryption withone-way function Joe P = f-1KB(C) Public Key Cryptography • The Inventors • Whitfield Diffie and Martin Hellman 1976 • Ralph Merkle 1978 Computation of inverse function is extremely expensive One-way functionsare often based on well-knownhard problems
Internet Security 1 (IntSi1) 4.1 RSA Public KeyCryptosystem
RSA Public Key Cryptosystem • The Inventors • R - Ron Rivest • S - Adi Shamir • A - Leonard Adleman • The One-Way Function • The exponentiation function y = f(x) = xe mod ncan be computed with reasonable effort. • Its inverse x = f -1(y) is extremely difficult to compute. • The Hard Problem Securing the Trap Door • The RSA public key algorithm is based on the well-known hard problem of factoring a large number into its prime factorsthat has beenstudied over many centuries.
Step 2: Compute the product n = p·q • Step 4: Compute the unique inversed = e-1 mod (p-1)(q-1) • The equation d·emod(p-1)(q-1)= 1can be solved using the Euclidian algorithm. RSA Public Key CryptosystemKey Generation Algorithm • Step 1: Choosetworandom large prime numberspandq • Formaximumsecurity, choosepandqofaboutequallength,e.g. 1024 … 1536 bitseach. • Step 3: Choose a random integere < (p-1)(q-1) • The numberseand(p-1)(q-1) must berelatively prime, i.e.theyshould not sharecommon prime factors.
ResultofPrimalityTest not prime is prime random number is a 100 % 0.1 % composite number 0 % 99.9 % prime number RSA Public Key CryptosystemHow to find large random prime numbers • Thereare10305primes 1024bits in lengthorless. • Thereareonly 1077atoms in theuniverse. • The chancethattwopeoplechoosethe same prime factorsforkeygenerationisthereforeneartonil ! • Toprovethat a randomlychosennumberisreally prime youwouldhavetofactor it. Try smallfactors (3, 5, 7, 11, ...) • ProbabilisticPrimality Tests (e.g. Miller–Rabin) • After passing 5 tests, assume a random number to be prime
e d e·d e·d mod 20 3 7 21 1 7 3 21 1 9 9 81 1 11 11 121 1 13 17 221 1 17 13 221 1 19 19 361 1 RSA Public Key CryptosystemKey Generation Example • p = 3, q = 11: n = p·q = 33 • (p-1)·(q-1) = 2 · 10 = 2 · 2 · 5 = 20 • thepublicexponente must berelatively prime to (p-1)·(q-1) , i.e. itcannotcontainanyfactorsof 2 and 5 all possible choices forthe exponents e and d
RSA Public Key CryptosystemPublic and Private Keys • Public Key:modulusnandpublic exponente • Publish n and e in a public directory, so that anybody wanting to send you a confidential message can retrieve it. • Private Key:modulusnandprivate exponentd • The private exponent d is your secret. It should be protected either by storing it in a tamper-proof smart card or when stored on a disk by encrypting it with a symmetric cipher secured by a secret passphrase of your choice. • The primesp and q that were used for key generation are often kept as part of the private key, because their smaller size (i.e. half the length of the modulus n) allow an efficient implementation of the private key operations (Montgomery multiplication).
Encryption of a plaintext block x: y = xe mod n • The sender uses the public key of the recipient to encrypt x < n. • Decryption of a ciphertext block y: x = yd mod n • The recipient uses her private key to recover the plaintext block x RSA Public Key CryptosystemEncryption and Decryption • Without proof: yd =(xe)d=xe·d=xm·(p-1)·(q-1) + 1=x1= x(modn) • Encryption and Decryption are symmetric operations • The order of the exponentiation with the public exponent e and the private exponent d can be exchanged.
Encryption with Public Key n = 33, e = 13 • Decryption with Private Key n = 33, d = 17 RSA Public Key CryptosystemFast ExponentiationExample • e = 1·23+ 1·22+0·21+1·20 • e = 1·8+ 1·4+0·2+1·1 • y = xe =(x8)1·(x4)1·(x2)0·(x)1 mod n • y = x8·x4·x mod n • x2 = x·xmod n, x4 = x2·x2 mod n, x8 = x4·x4 modn • d = 1·24+ 0·23+ 0·22+0·21+1·20 • d = 1·16+ 0·8+ 0·4+0·2+1·1 • x = yd =(y16)1·(y8)0·(y4)0·(y2)0·(y)1 mod n • x = y16·y mod n • y2 = y·ymod n, y4 = y2·y2 mod n, y8 = y4·y4 mod n, y16 = y8·y8 mod n
RSA Public Key CryptosystemPlaintext to Ciphertext Mapping • n = 33, e = 13, d = 17 y = xe mod n x y x y x y x y x y 0 0 8 17 16 4 24 30 32 32 1 1 9 3 17 29 25 16 2 8 10 10 18 24 26 20 3 27 11 11 19 28 27 15 4 31 12 12 20 14 28 7 5 26 13 19 21 21 29 2 6 18 14 5 22 22 30 6 7 13 15 9 23 23 31 25
The RSA–768 Challenge • The Effort • 768bitnumber (232 digits) factored in December 2009 • Sievingsteptook 2 years on a clusterofseveralhundredcomputers. • Sieving on a singlecore 2.2 GHz Opteronprocessorwith 2 GB of RAM wouldhavetaken 1500 years. • 1024modulusisabout 1000 timeshardertofactor. 1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413 = ? = 33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489 * 36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917
Cryptographics Strength of RSA Keys • Assumed effort: 40 million dollardays = 40M x 1 day = 100k x 400 days • 56 bits in 1982 RSA: 366 … 527 bits • 64 bits in 1994 RSA: 639 … 746 bits • 72 bits in 2006 RSA: 1007 … 1012 bits • 76 bits in 2012 RSA: 1164 … 1229 bits • 80 bits in 2018 RSA: 1329 … 1478 bits • 88 bits in 2030 RSA: 1698 … 2063 bits • 96 bits in 2042 RSA: 2124 … 2770 bits • 104 bits in 2054 RSA: 2608 … 3607 bits • 112 bits in 2066 RSA: 3154 … 4582 bits • 120 bits in 2078 RSA: 3764 … 5701 bits • 128 bits in 2090 RSA: 4440 … 6974 bits www.keylength.com
Internet Security 1 (IntSi1) 4.2 Diffie HellmanKey Exchange Algorithm
The Diffie–Hellman Key-Exchange AlgorithmGenerating a Common Secret Key • Alice and Bob agree on a large prime modulus n, a primitive element g and the one-way function y = f(x) = gx mod n. • The integersn and g are not secret and can be published. • Alice chooses a large random integer a and sends BobA = ga mod n • Bob chooses a large random integerband sends AliceB = gb mod n • Alice computess = Ba mod n = gba mod n • Bob computess = Ab mod n = gab mod n • Alice and Bob share now the secret keys = gab mod n • Since computing the inverse x = f-1(y) is extremely difficult, no one listening to the key-exchange can compute the secret key s from the values A, B, n and g.
Prime modulus: n = 31Primitive element: g = 3 y = gx mod n x 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 y 1 3 9 27 19 26 16 17 20 29 25 13 8 24 10 30 x 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 y 28 22 4 12 5 15 14 11 2 6 18 23 7 21 1 A: a = 8 A = 38 mod 31 = 20 s = 168 mod 31 = 4 B: b = 6 B = 36 mod 31 = 16 s = 206 mod 31 = 4 The Diffie–Hellman Key-Exchange AlgorithmPractical Example