360 likes | 561 Views
Public Key Cryptography and Cryptographic Hashes. Public-Key Cryptography. Slide #9- 2. Public Key Cryptography. Two keys Private key known only to individual Public key available to anyone Idea Confidentiality: encipher using public key, decipher using private key
E N D
Public-Key Cryptography Slide #9-2
Public Key Cryptography Two keys Private key known only to individual Public key available to anyone Idea Confidentiality: encipher using public key, decipher using private key Integrity/authentication: encipher using private key, decipher using public one Slide #9-3
Requirements It must be computationally easy to encipher or decipher a message given the appropriate key It must be computationally infeasible to derive the private key from the public key It must be computationally infeasible to determine the private key from a chosen plaintext attack Slide #9-4
General Facts about Public Key Systems Public Key Systems are much slower than Symmetric Key Systems RSA 100 to 1000 times slower than DES Generally used in conjunction with a symmetric system for bulk encryption Public Key Systems are based on “hard problems Factoring large numbers, discrete logarithms, elliptic curves Only a handful of public key systems perform both encryption and signatures Slide #9-5
Graduate Extra-Unit Project • Survey paper: • Pick a topic that interests you • Collect 10+ references (I can help) • Write a 10-page survey paper about them • Research project: • Propose a research project • Collect background references • Write 10-page project report • May have a partner • Proposal due: March 8 (a week from Thursday)
Other announcements • Jodie Boyer will teach next lecture • Will talk about key management • No office hours next week • Available by appointment, except for Monday • Exam grading mistake • If you lost a point for listing an environmental threat, you can get it back
Modular Arithmetic • a b (mod n) if a - b = k * n, for some integer k • Also write: (a mod n) = b, where b is the unique integer 0 <= b < n such that a b (mod n) • Most arithmetic rules hold true: ((a mod n) + (b mod n)) mod n) = (a + b mod n) ((a mod n) * (b mod n)) mod n)= (a * b mod n) ((a mod n) + (-a mod n)) mod n) = 0 • Inverse: • For many a, can find a-1 (an integer) such that a * a-1 mod n = 1 • Necessary condition: gcd(a,n) = 1
Examples • 5 mod 2 = 1 • (7 mod 2 + 8 mod 2) mod 2 = 1 + 0 mod 2 = 1 = 15 mod 2 • (7 mod 2) * (8 mod 2) mod 2 = 1 * 0 mod 2 = 0 = 56 mod 2 • Working mod 13: • 1-1 = 1 • 2-1 = 7 (2 * 7 = 13 + 1) • 3-1 = 9 (3 * 9 = 13*2 + 1)
Totient Function • (aka Euler function) • (n) = # of integers x, 0 < x < n, such that gcd(x,n) = 1 • E.g. • (10) = 4 (1, 3, 7, 9) • (11) = 10 (1, 2, 3, 4, 5, 6, 7, 8, 9, 10) • In general: • (p) = p-1 for any prime • (ab) = (a) * (b) if gcd(a,b) = 1
Euler’s Theorem • a(n) 1 (mod n) if gcd(a,n) = 1 • E.g. 34= 81 1 (mod 10) • Special case: Fermat’s theorem • ap a (mod p) for prime p
RSA • Invented by Rivest, Shamir, Adelman in 1977 • Best known, widely used algorithm • RSA was patented, licensed until 2000 • Helped start RSA Security • Holds very popular RSA conference every year • Spun off Verisign
RSA algorithm • Pick two (large) primes, p and q • Let n = pq. Then (n) = (p-1)(q-1) • Pick e coprime with (n), and find d such that • e*d 1 (mod (n)) • Public key: (n,e), Private key: d • Encryption: C = Me mod n • Decryption: • M’ Cd Med Mk(n)+1 M (mod n)
Example • p = 11, q = 17 • n = 187, (n) = 10*16 = 160 • Let e = 3, then d = 107 (107 * 3 = 321) • (can find this using Euclidian algorithm) • M = 29 • C = 293 = 24389 = 79 (mod 187) • M’ = 79107 = 111198458817782001560345203757362612455385730171461711652460776161878666503078037332114481897840666397054046667342677228042126488058019906317675811153792810865237482705174079886893643689363009468423234159 = 29 (mod 187)
Modular Exponentiation • Don’t need to compute huge numbers • 293 (mod 187) = (292 mod 187) * 29 mod 187 = (841 mod 187) * 29 mod 187 = 93*29 mod 187 = 2697 mod 187 = 79 • Even better: square/multiply • M11 = ((M2)2*M)2*M • This is reasonably fast • Only 1000 or so times slower than DES
RSA security • Charlie knows e, n, and receives Me (mod n) • How to find M? • Best known way is to factor n • Find p and q, find (n), find d • No proof that there isn’t a faster way • Factoring n is believed to be hard • Best algorithm is GNFS • Complexity is sub-exponential but superpolynomial • Largest factored number had 663 bits • (About 75-CPU years on an 2.2 GHz Opteron) • 1024 bits generally considered intractable for the foreseeable future
RSA Security • Note: RSA as described is insecure! • Why? • Deterministic encryption: Me = M’e if and only if M=M’ • Even worse than in the symmetric case because Charlie can try many possibilities for M • Semantic security • Adversary picks m1 and m2 and is provided with Encrypt(mi), must guess i • Requires randomized encryption
Padding • Introduce randomness to message • P = r || M, where r is random • Encryption: Pe • Decryption: (Pe)d, discard random prefix • Actually, still not secure but we’ll get back to this later
Hybrid Encryption • How do we encrypt messages longer than 1024 bits? • Break into blocks, use RSA on each block (slow, potentially insecure) • Use a hybrid between RSA and AES • Pick random key K • Send: RSAEncrypt(K), AES-CBC-Encrypt(K, M) • Must ensure K is random!
RSA Signatures • RSA is symmetric • RSADec(RSAEnc(M)) = RSAEnc(RSADec(M)) = Med (mod n) = M • To “sign” a message, Alice computes S = Md (mod n) • Bob verifies that Se = Med = M (mod n) • No one other than Alice could have generated S • Not even Bob • Bob can show S to third parties (non-repudiation)
Hash functions • How do we sign messages longer than 1024 bits? • Use a hash function • Hash function: public function h(x) that is: • One way: easy to find y=h(x), hard to find x given y • Collision resistant: hard to find x1, x2 such that h(x1) = h(x2) • Compresses input: takes 1-“infinity” bits, outputs a fixed number (128, 160)
Hash Functions • One-way functions: • RSA is an example; if p and q are not public, then f(x) = xe (mod n) is one way • Another example: f(x) = xa (mod p) where p is prime is believed to be one way even if p is public • Actual hash functions are much faster • Collision resistant • Not collision-free; collisions exist but are hard to find • Birthday paradox: can find a collision in an n-bit hash function after 2n/2 tries • n has to be large
Hash functions in signatures • Alice sends RSASign(h(M)) • Bob computes h(M), verifies signature • Security: • Bob cannot generate a signature because: • He can’t produce a signature on a chosen message • He can’t solve h(M) = S’e for M because h is one way • Alice is nevertheless committed to her signature • Cannot find M1, M2 such that h(M1) = h(M2)
Hash functions • MD5 • Designed by Ron Rivest in 1991 • 128 bits output (too short for current use) • Problems existed since 1993, practical attacks developed in 2005 • Can be broken on a single notebook within minutes • SHA • Family of functions: SHA-1[60], SHA-224,-256,-384,-512 • Designed by the NSA, published in 1993 • Recently broken: can find collisions in 263 steps • Current recommendation: use SHA-256 (newer) • Hash contest • NIST started a Hash Function contests modeled after AES
MAC • Message Authentication Codes • Symmetric key equivalent to signatures • Often called “keyed hash” • Alice & Bob share K • Alice sends M,C=MAC(K, M) • Bob gets (M’,C’), verifies C’=MAC(K,M) • Properties • Impossible to compute MAC(K,M) without knowing K • Why not use MAC = Encrypt? • Does this provide non-repudiation?
HMAC and CBC-MAC • HMAC: • Simple construction: H(K || M) • More secure: H((K xor opad) || h((K xor ipad) || M) • HMAC with SHA1 is still secure • CBC-MAC • Encrypt M with CBC, using IV=0 • Output last ciphertext, Cn • Better: CBC-MAC(length(M) || M) to avoid truncation attacks
Other uses of hash functions • Secure padding: Optimal Asymmetric Encryption Pad • Normal padding subject to attacks: flip some bits in (r||M)e, might get plausible message • OAEP uses hash functions to make this difficult • Pad(M) = (M || pad) xor h(seed) • RSA-Encrypt(Pad(M) || (seed xor h(Pad(M)))
RSA-PSS • “Padding” for signatures
Diffie-Hellman • The first public key algorithm • A key exchange algorithm, not for encryption or decryption • Set up: p prime, g is coprime with p • Alice -> Bob: gx (mod p), x random • Bob -> Alice: gy (mod p), y random • Alice and Bob compute: • (gx)y = (gy)x • Establish a secret key over a public channel
Example: • p=23, g=5 • Alice picks x=6, sends Bob • 56 mod 23 = 8 • Bob picks y=15, sends Bob • 515 mod 23 = 19 • Alice computes: • 196 mod 23 = 2 • Bob computes: • 815 mod 23 = 2
Diffie-Hellman Security • Charlie has gx, gy needs to find gxy • Called “Diffie-Hellman Problem” • Fastest way: find x given gx • I.e. take logg x (mod p) • Discrete Logarithm Problem • Fastest known way is super-polynomial
ElGamal Encryption • Diffie-Hellman can be turned into a PK encryption algorithm • Effectively: PK = first half of exchange, Encryption = second half of exchange • Public key: h=gx, private key: x • Encryption: • c1 = gr • c2 = m*hr • Decryption • c2/(c1x)
Digital Signature Algorithm • As before, public key: h=gx, private key: x • Also have: q such that gq = 1 • Signature: • r = (gk mod p) mod q • s = (k-1(m+xr)) mod q • Verification • w = s-1 mod q • u1 = m*w mod q • u2 = r*w mod q • v= (gu1*yu2 mod p) mod q = r • Proof: • v = gmwyrw = gmwgrwx = gw(m+rx) = g(m+rx)/s = gk
Key Points • Public key algorithms allow new services: • A single, public key for encryption • Digital signatures • Authenticated key exchange • Must be careful how they are used • Padding, hash functions • Hash functions are a useful tool • New ones are needed! • MACs are necessary for integrity