1 / 34

Public Key Cryptography and Cryptographic Hashes

Public Key Cryptography and Cryptographic Hashes. Public-Key Cryptography. Slide #9- 2. Public Key Cryptography. Two keys Private key known only to individual Public key available to anyone Idea Confidentiality: encipher using public key, decipher using private key

kyrie
Download Presentation

Public Key Cryptography and Cryptographic Hashes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Public Key Cryptography and Cryptographic Hashes

  2. Public-Key Cryptography Slide #9-2

  3. Public Key Cryptography Two keys Private key known only to individual Public key available to anyone Idea Confidentiality: encipher using public key, decipher using private key Integrity/authentication: encipher using private key, decipher using public one Slide #9-3

  4. Requirements It must be computationally easy to encipher or decipher a message given the appropriate key It must be computationally infeasible to derive the private key from the public key It must be computationally infeasible to determine the private key from a chosen plaintext attack Slide #9-4

  5. General Facts about Public Key Systems Public Key Systems are much slower than Symmetric Key Systems RSA 100 to 1000 times slower than DES Generally used in conjunction with a symmetric system for bulk encryption Public Key Systems are based on “hard problems Factoring large numbers, discrete logarithms, elliptic curves Only a handful of public key systems perform both encryption and signatures Slide #9-5

  6. Graduate Extra-Unit Project • Survey paper: • Pick a topic that interests you • Collect 10+ references (I can help) • Write a 10-page survey paper about them • Research project: • Propose a research project • Collect background references • Write 10-page project report • May have a partner • Proposal due: March 8 (a week from Thursday)

  7. Other announcements • Jodie Boyer will teach next lecture • Will talk about key management • No office hours next week • Available by appointment, except for Monday • Exam grading mistake • If you lost a point for listing an environmental threat, you can get it back

  8. Modular Arithmetic • a  b (mod n) if a - b = k * n, for some integer k • Also write: (a mod n) = b, where b is the unique integer 0 <= b < n such that a  b (mod n) • Most arithmetic rules hold true: ((a mod n) + (b mod n)) mod n) = (a + b mod n) ((a mod n) * (b mod n)) mod n)= (a * b mod n) ((a mod n) + (-a mod n)) mod n) = 0 • Inverse: • For many a, can find a-1 (an integer) such that a * a-1 mod n = 1 • Necessary condition: gcd(a,n) = 1

  9. Examples • 5 mod 2 = 1 • (7 mod 2 + 8 mod 2) mod 2 = 1 + 0 mod 2 = 1 = 15 mod 2 • (7 mod 2) * (8 mod 2) mod 2 = 1 * 0 mod 2 = 0 = 56 mod 2 • Working mod 13: • 1-1 = 1 • 2-1 = 7 (2 * 7 = 13 + 1) • 3-1 = 9 (3 * 9 = 13*2 + 1)

  10. Totient Function • (aka Euler  function) • (n) = # of integers x, 0 < x < n, such that gcd(x,n) = 1 • E.g. • (10) = 4 (1, 3, 7, 9) • (11) = 10 (1, 2, 3, 4, 5, 6, 7, 8, 9, 10) • In general: • (p) = p-1 for any prime • (ab) = (a) * (b) if gcd(a,b) = 1

  11. Euler’s Theorem • a(n)  1 (mod n) if gcd(a,n) = 1 • E.g. 34= 81  1 (mod 10) • Special case: Fermat’s theorem • ap  a (mod p) for prime p

  12. RSA • Invented by Rivest, Shamir, Adelman in 1977 • Best known, widely used algorithm • RSA was patented, licensed until 2000 • Helped start RSA Security • Holds very popular RSA conference every year • Spun off Verisign

  13. RSA algorithm • Pick two (large) primes, p and q • Let n = pq. Then (n) = (p-1)(q-1) • Pick e coprime with (n), and find d such that • e*d  1 (mod (n)) • Public key: (n,e), Private key: d • Encryption: C = Me mod n • Decryption: • M’  Cd  Med  Mk(n)+1  M (mod n)

  14. Example • p = 11, q = 17 • n = 187, (n) = 10*16 = 160 • Let e = 3, then d = 107 (107 * 3 = 321) • (can find this using Euclidian algorithm) • M = 29 • C = 293 = 24389 = 79 (mod 187) • M’ = 79107 = 111198458817782001560345203757362612455385730171461711652460776161878666503078037332114481897840666397054046667342677228042126488058019906317675811153792810865237482705174079886893643689363009468423234159 = 29 (mod 187)

  15. Modular Exponentiation • Don’t need to compute huge numbers • 293 (mod 187) = (292 mod 187) * 29 mod 187 = (841 mod 187) * 29 mod 187 = 93*29 mod 187 = 2697 mod 187 = 79 • Even better: square/multiply • M11 = ((M2)2*M)2*M • This is reasonably fast • Only 1000 or so times slower than DES

  16. RSA security • Charlie knows e, n, and receives Me (mod n) • How to find M? • Best known way is to factor n • Find p and q, find (n), find d • No proof that there isn’t a faster way • Factoring n is believed to be hard • Best algorithm is GNFS • Complexity is sub-exponential but superpolynomial • Largest factored number had 663 bits • (About 75-CPU years on an 2.2 GHz Opteron) • 1024 bits generally considered intractable for the foreseeable future

  17. RSA Security • Note: RSA as described is insecure! • Why? • Deterministic encryption: Me = M’e if and only if M=M’ • Even worse than in the symmetric case because Charlie can try many possibilities for M • Semantic security • Adversary picks m1 and m2 and is provided with Encrypt(mi), must guess i • Requires randomized encryption

  18. Padding • Introduce randomness to message • P = r || M, where r is random • Encryption: Pe • Decryption: (Pe)d, discard random prefix • Actually, still not secure but we’ll get back to this later

  19. Hybrid Encryption • How do we encrypt messages longer than 1024 bits? • Break into blocks, use RSA on each block (slow, potentially insecure) • Use a hybrid between RSA and AES • Pick random key K • Send: RSAEncrypt(K), AES-CBC-Encrypt(K, M) • Must ensure K is random!

  20. RSA Signatures • RSA is symmetric • RSADec(RSAEnc(M)) = RSAEnc(RSADec(M)) = Med (mod n) = M • To “sign” a message, Alice computes S = Md (mod n) • Bob verifies that Se = Med = M (mod n) • No one other than Alice could have generated S • Not even Bob • Bob can show S to third parties (non-repudiation)

  21. Hash functions • How do we sign messages longer than 1024 bits? • Use a hash function • Hash function: public function h(x) that is: • One way: easy to find y=h(x), hard to find x given y • Collision resistant: hard to find x1, x2 such that h(x1) = h(x2) • Compresses input: takes 1-“infinity” bits, outputs a fixed number (128, 160)

  22. Hash Functions • One-way functions: • RSA is an example; if p and q are not public, then f(x) = xe (mod n) is one way • Another example: f(x) = xa (mod p) where p is prime is believed to be one way even if p is public • Actual hash functions are much faster • Collision resistant • Not collision-free; collisions exist but are hard to find • Birthday paradox: can find a collision in an n-bit hash function after 2n/2 tries • n has to be large

  23. Hash functions in signatures • Alice sends RSASign(h(M)) • Bob computes h(M), verifies signature • Security: • Bob cannot generate a signature because: • He can’t produce a signature on a chosen message • He can’t solve h(M) = S’e for M because h is one way • Alice is nevertheless committed to her signature • Cannot find M1, M2 such that h(M1) = h(M2)

  24. Hash functions • MD5 • Designed by Ron Rivest in 1991 • 128 bits output (too short for current use) • Problems existed since 1993, practical attacks developed in 2005 • Can be broken on a single notebook within minutes • SHA • Family of functions: SHA-1[60], SHA-224,-256,-384,-512 • Designed by the NSA, published in 1993 • Recently broken: can find collisions in 263 steps • Current recommendation: use SHA-256 (newer) • Hash contest • NIST started a Hash Function contests modeled after AES

  25. MAC • Message Authentication Codes • Symmetric key equivalent to signatures • Often called “keyed hash” • Alice & Bob share K • Alice sends M,C=MAC(K, M) • Bob gets (M’,C’), verifies C’=MAC(K,M) • Properties • Impossible to compute MAC(K,M) without knowing K • Why not use MAC = Encrypt? • Does this provide non-repudiation?

  26. HMAC and CBC-MAC • HMAC: • Simple construction: H(K || M) • More secure: H((K xor opad) || h((K xor ipad) || M) • HMAC with SHA1 is still secure • CBC-MAC • Encrypt M with CBC, using IV=0 • Output last ciphertext, Cn • Better: CBC-MAC(length(M) || M) to avoid truncation attacks

  27. Other uses of hash functions • Secure padding: Optimal Asymmetric Encryption Pad • Normal padding subject to attacks: flip some bits in (r||M)e, might get plausible message • OAEP uses hash functions to make this difficult • Pad(M) = (M || pad) xor h(seed) • RSA-Encrypt(Pad(M) || (seed xor h(Pad(M)))

  28. RSA-PSS • “Padding” for signatures

  29. Diffie-Hellman • The first public key algorithm • A key exchange algorithm, not for encryption or decryption • Set up: p prime, g is coprime with p • Alice -> Bob: gx (mod p), x random • Bob -> Alice: gy (mod p), y random • Alice and Bob compute: • (gx)y = (gy)x • Establish a secret key over a public channel

  30. Example: • p=23, g=5 • Alice picks x=6, sends Bob • 56 mod 23 = 8 • Bob picks y=15, sends Bob • 515 mod 23 = 19 • Alice computes: • 196 mod 23 = 2 • Bob computes: • 815 mod 23 = 2

  31. Diffie-Hellman Security • Charlie has gx, gy needs to find gxy • Called “Diffie-Hellman Problem” • Fastest way: find x given gx • I.e. take logg x (mod p) • Discrete Logarithm Problem • Fastest known way is super-polynomial

  32. ElGamal Encryption • Diffie-Hellman can be turned into a PK encryption algorithm • Effectively: PK = first half of exchange, Encryption = second half of exchange • Public key: h=gx, private key: x • Encryption: • c1 = gr • c2 = m*hr • Decryption • c2/(c1x)

  33. Digital Signature Algorithm • As before, public key: h=gx, private key: x • Also have: q such that gq = 1 • Signature: • r = (gk mod p) mod q • s = (k-1(m+xr)) mod q • Verification • w = s-1 mod q • u1 = m*w mod q • u2 = r*w mod q • v= (gu1*yu2 mod p) mod q = r • Proof: • v = gmwyrw = gmwgrwx = gw(m+rx) = g(m+rx)/s = gk

  34. Key Points • Public key algorithms allow new services: • A single, public key for encryption • Digital signatures • Authenticated key exchange • Must be careful how they are used • Padding, hash functions • Hash functions are a useful tool • New ones are needed! • MACs are necessary for integrity

More Related