250 likes | 391 Views
CSCE 715: Network Systems Security. Chin-Tser Huang huangct@cse.sc.edu University of South Carolina. Distribute Secret Keys Using Asymmetric Encryption. Can use previous methods to obtain public key of other party
E N D
CSCE 715:Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina
Distribute Secret KeysUsing Asymmetric Encryption • Can use previous methods to obtain public key of other party • Although public key can be used for confidentiality or authentication, asymmetric encryption algorithms are too slow • So usually want to use symmetric encryption to protect message contents • Can use asymmetric encryption to set up a session key
Simple Secret Key Distribution • Proposed by Merkle in 1979 • A generates a new temporary public key pair • A sends B the public key and A’s identity • B generates a session key Ks and sends encrypted Ks (using A’s public key) to A • A decrypts message to recover Ks and both use
Problem with Simple Secret Key Distribution • An adversary can intercept and impersonate both parties of protocol • A generates a new temporary public key pair {KUa, KRa} and sends KUa || IDa to B • Adversary E intercepts this message and sends KUe || IDa to B • B generates a session key Ks and sends encrypted Ks (using E’s public key) • E intercepts message, recovers Ks and sends encrypted Ks (using A’s public key) to A • A decrypts message to recover Ks and both A and B unaware of existence of E
Distribute Secret KeysUsing Asymmetric Encryption • if A and B have securely exchanged public-keys ?
Problem with Previous Scenario • Message (4) is not protected by N2 • An adversary can intercept message (4) and replay an old message or insert a fabricated message
Order of Encryption Matters • What can be wrong with the following protocol? AB: N BA: EKUa[EKRb[Ks||N]] • An adversary sitting between A and B can get a copy of secret key Ks without being caught by A and B!
Diffie-Hellman Key Exchange • First publicly proposed public-key type scheme • By Diffie and Hellman in 1976 along with advent of public key concepts • A practical method for public exchange of secret key • Used in a number of commercial products
Diffie-Hellman Key Exchange • Use to set up a secret key that can be used for symmetric encryption • cannot be used to exchange an arbitrary message • Value of key depends on the participants (and their private and public key information) • Based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) – easy • Security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard
Primitive Roots • From Euler’s theorem: aø(n) mod n=1 • Consider am mod n=1, GCD(a,n)=1 • must exist for m= ø(n) but may be smaller • once powers reach m, cycle will repeat • If smallest is m= ø(n) then a is called a primitive root • if p is prime and a is a primitive root of p, then successive powers of a “generate” the group mod p • Not every integer has primitive roots
Discrete Logarithms • Inverse problem to exponentiation is to find the discrete logarithm of a number modulo p • Namely find x where ax = b mod p • Written as x=loga b mod p or x=dloga,p(b) • If a is a primitive root of p then discrete logarithm always exists, otherwise may not • 3x = 4 mod 13 has no answer • 2x = 3 mod 13 has an answer 4 • While exponentiation is relatively easy, finding discrete logarithms is generally a hard problem
Diffie-Hellman Setup • All users agree on global parameters • large prime integer or polynomial q • α which is a primitive root mod q • Each user (e.g. A) generates its key • choose a private key (number): xA < q • compute its public key: yA = αxA mod q • Each user publishes its public key
Diffie-Hellman Key Exchange • Shared session key for users A and B is KAB: KAB = αxA.xB mod q = yAxB mod q (which B can compute) = yBxA mod q (which A can compute) • KAB is used as session key in symmetric encryption scheme between A and B • Attacker needs xA or xB, which requires solving discrete log
Diffie-Hellman Example • Given Alice and Bob who wish to swap keys • Agree on prime q=353 and α=3 • Select random secret keys: • A chooses xA=97, B chooses xB=233 • Compute public keys: • yA=397 mod 353 = 40 (Alice) • yB=3233 mod 353 = 248 (Bob) • Compute shared session key as: KAB= yBxA mod 353 = 24897 = 160 (Alice) KAB= yAxB mod 353 = 40233 = 160 (Bob)
Elliptic Curve Cryptography • Majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very large numbers/polynomials • Imposes a significant load in storing and processing keys and messages • An alternative is to use elliptic curves • Offers same security with smaller bit sizes
Real Elliptic Curves • An elliptic curve is defined by an equation in two variables x and y, with coefficients • Consider a cubic elliptic curve of form • y2 = x3 + ax + b • where x, y, a, b are all real numbers • also define zero point O • Have addition operation for elliptic curve • geometrically, sum of P+Q is reflection of intersection R
Finite Elliptic Curves • Elliptic curve cryptography uses curves whose variables and coefficients are finite • Two families are commonly used • prime curves Ep(a,b) defined over Zp • use integers modulo a prime • best in software • binary curves E2m(a,b) defined over GF(2m) • use polynomials with binary coefficients • best in hardware
Elliptic Curve Cryptography • ECC addition is analog of modulo multiply • ECC repeated addition is analog of modulo exponentiation • Need a “hard” problem equivalent to discrete logarithm • Q=kP, where Q, P belong to a prime curve • is “easy” to compute Q given k, P • but “hard” to find k given Q, P • known as the elliptic curve logarithm problem • Certicom example: E23(9,17)
ECC Diffie-Hellman • Can do key exchange analogous to D-H • Users select a suitable curve Ep(a,b) • Select base point G=(x1, y1) with large order n s.t. nG=O • A and B select private keys nA<n, nB<n • Compute public keys: PA=nA×G, PB=nB×G • Compute shared key: K=nA×PB,K=nB×PA • same since K=nA×nB×G
ECC Encryption/Decryption • Must first encode any message M as a point on the elliptic curve Pm • Select suitable curve and point G as in D-H • Each user chooses private key nA<n and computes public key PA=nA×G • To encrypt Pm: Cm={kG, Pm+kPB}, k random • To decrypt Cm: Pm+kPB–nB(kG) = Pm+k(nBG)–nB(kG) = Pm
ECC Security • Relies on elliptic curve logarithm problem • Fastest method is “Pollard rho method” • Compared to factoring, ECC can use much smaller key sizes than with RSA • For equivalent key lengths computations are roughly equivalent • Hence for similar security ECC offers significant computational advantages
Next Class • Message authentication • Hashing functions • Message digests • Read Chapters 11 and 12