1 / 25

CSCE 715: Network Systems Security

CSCE 715: Network Systems Security. Chin-Tser Huang huangct@cse.sc.edu University of South Carolina. Distribute Secret Keys Using Asymmetric Encryption. Can use previous methods to obtain public key of other party

kuper
Download Presentation

CSCE 715: Network Systems Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSCE 715:Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina

  2. Distribute Secret KeysUsing Asymmetric Encryption • Can use previous methods to obtain public key of other party • Although public key can be used for confidentiality or authentication, asymmetric encryption algorithms are too slow • So usually want to use symmetric encryption to protect message contents • Can use asymmetric encryption to set up a session key

  3. Simple Secret Key Distribution • Proposed by Merkle in 1979 • A generates a new temporary public key pair • A sends B the public key and A’s identity • B generates a session key Ks and sends encrypted Ks (using A’s public key) to A • A decrypts message to recover Ks and both use

  4. Problem with Simple Secret Key Distribution • An adversary can intercept and impersonate both parties of protocol • A generates a new temporary public key pair {KUa, KRa} and sends KUa || IDa to B • Adversary E intercepts this message and sends KUe || IDa to B • B generates a session key Ks and sends encrypted Ks (using E’s public key) • E intercepts message, recovers Ks and sends encrypted Ks (using A’s public key) to A • A decrypts message to recover Ks and both A and B unaware of existence of E

  5. Distribute Secret KeysUsing Asymmetric Encryption • if A and B have securely exchanged public-keys ?

  6. Problem with Previous Scenario • Message (4) is not protected by N2 • An adversary can intercept message (4) and replay an old message or insert a fabricated message

  7. Order of Encryption Matters • What can be wrong with the following protocol? AB: N BA: EKUa[EKRb[Ks||N]] • An adversary sitting between A and B can get a copy of secret key Ks without being caught by A and B!

  8. Diffie-Hellman Key Exchange • First publicly proposed public-key type scheme • By Diffie and Hellman in 1976 along with advent of public key concepts • A practical method for public exchange of secret key • Used in a number of commercial products

  9. Diffie-Hellman Key Exchange • Use to set up a secret key that can be used for symmetric encryption • cannot be used to exchange an arbitrary message • Value of key depends on the participants (and their private and public key information) • Based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) – easy • Security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard

  10. Primitive Roots • From Euler’s theorem: aø(n) mod n=1 • Consider am mod n=1, GCD(a,n)=1 • must exist for m= ø(n) but may be smaller • once powers reach m, cycle will repeat • If smallest is m= ø(n) then a is called a primitive root • if p is prime and a is a primitive root of p, then successive powers of a “generate” the group mod p • Not every integer has primitive roots

  11. Primitive Root Example: Power of Integers Modulo 19

  12. Discrete Logarithms • Inverse problem to exponentiation is to find the discrete logarithm of a number modulo p • Namely find x where ax = b mod p • Written as x=loga b mod p or x=dloga,p(b) • If a is a primitive root of p then discrete logarithm always exists, otherwise may not • 3x = 4 mod 13 has no answer • 2x = 3 mod 13 has an answer 4 • While exponentiation is relatively easy, finding discrete logarithms is generally a hard problem

  13. Diffie-Hellman Setup • All users agree on global parameters • large prime integer or polynomial q • α which is a primitive root mod q • Each user (e.g. A) generates its key • choose a private key (number): xA < q • compute its public key: yA = αxA mod q • Each user publishes its public key

  14. Diffie-Hellman Key Exchange • Shared session key for users A and B is KAB: KAB = αxA.xB mod q = yAxB mod q (which B can compute) = yBxA mod q (which A can compute) • KAB is used as session key in symmetric encryption scheme between A and B • Attacker needs xA or xB, which requires solving discrete log

  15. Diffie-Hellman Example • Given Alice and Bob who wish to swap keys • Agree on prime q=353 and α=3 • Select random secret keys: • A chooses xA=97, B chooses xB=233 • Compute public keys: • yA=397 mod 353 = 40 (Alice) • yB=3233 mod 353 = 248 (Bob) • Compute shared session key as: KAB= yBxA mod 353 = 24897 = 160 (Alice) KAB= yAxB mod 353 = 40233 = 160 (Bob)

  16. Elliptic Curve Cryptography • Majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very large numbers/polynomials • Imposes a significant load in storing and processing keys and messages • An alternative is to use elliptic curves • Offers same security with smaller bit sizes

  17. Real Elliptic Curves • An elliptic curve is defined by an equation in two variables x and y, with coefficients • Consider a cubic elliptic curve of form • y2 = x3 + ax + b • where x, y, a, b are all real numbers • also define zero point O • Have addition operation for elliptic curve • geometrically, sum of P+Q is reflection of intersection R

  18. Real Elliptic Curve Example

  19. Finite Elliptic Curves • Elliptic curve cryptography uses curves whose variables and coefficients are finite • Two families are commonly used • prime curves Ep(a,b) defined over Zp • use integers modulo a prime • best in software • binary curves E2m(a,b) defined over GF(2m) • use polynomials with binary coefficients • best in hardware

  20. Elliptic Curve Cryptography • ECC addition is analog of modulo multiply • ECC repeated addition is analog of modulo exponentiation • Need a “hard” problem equivalent to discrete logarithm • Q=kP, where Q, P belong to a prime curve • is “easy” to compute Q given k, P • but “hard” to find k given Q, P • known as the elliptic curve logarithm problem • Certicom example: E23(9,17)

  21. ECC Diffie-Hellman • Can do key exchange analogous to D-H • Users select a suitable curve Ep(a,b) • Select base point G=(x1, y1) with large order n s.t. nG=O • A and B select private keys nA<n, nB<n • Compute public keys: PA=nA×G, PB=nB×G • Compute shared key: K=nA×PB,K=nB×PA • same since K=nA×nB×G

  22. ECC Encryption/Decryption • Must first encode any message M as a point on the elliptic curve Pm • Select suitable curve and point G as in D-H • Each user chooses private key nA<n and computes public key PA=nA×G • To encrypt Pm: Cm={kG, Pm+kPB}, k random • To decrypt Cm: Pm+kPB–nB(kG) = Pm+k(nBG)–nB(kG) = Pm

  23. ECC Security • Relies on elliptic curve logarithm problem • Fastest method is “Pollard rho method” • Compared to factoring, ECC can use much smaller key sizes than with RSA • For equivalent key lengths computations are roughly equivalent • Hence for similar security ECC offers significant computational advantages

  24. Comparable Key Sizes 1

  25. Next Class • Message authentication • Hashing functions • Message digests • Read Chapters 11 and 12

More Related