IEMS5710 Public key cryptosystems
19 Feb 2012
Prof. CHAN Yuen-Yan, Rosanna
Department of Information Engineering
The Chinese University of Hong Kong

Private-Key Cryptography
• Traditional private/secret/single key cryptography uses one key
• Shared (known) by both sender and receiver
• If this key is disclosed, communications are compromised
• Also called symmetric key cryptography
• Key distribution is a main issue: how to securely "pre-share" the key?
IEMS5710 - Lecture 4

Private-Key Cryptography
• Key distribution / management problem in symmetric key cryptography
• Keys required = $p(p-1)/2$:

Public-Key Cryptography
• Uses two keys: a public and a private key
• Also known as asymmetric key cryptography
• Uses number theory to achieve desirable properties
• Public-key cryptography does not replace private-key cryptography, but complements the latter

Public-Key Cryptography
• Public-key/asymmetric cryptography involves the use of two keys:
  • a public key, which may be known by anybody, and can be used to encrypt messages (and verify signatures, taught next week!)
  • a related private key, known only to the recipient, used to decrypt messages (and sign (create) signatures, taught next week!)
• Infeasible to determine the private key from the public key
• It is asymmetric because those who encrypt messages (or verify signatures) cannot decrypt messages or create signatures

Public-Key Applications
• Can classify uses into 3 categories:
  • encryption/decryption (provide secrecy)
  • digital signatures (provide authentication)
  • key exchange (of session keys)
• Some algorithms are suitable for all uses, others are specific to one

Public-Key Cryptosystems – a typical scenario
[Figure: digital signing algorithm; signature verification algorithm]

Public-Key Requirements
• Public-key algorithms rely on two keys where:
  • it is computationally infeasible to find the decryption key knowing only the algorithm and the encryption key
  • it is computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known
  • either of the two related keys can be used for encryption, with the other used for decryption (for the same set of algorithms)
• These are difficult requirements which only a few algorithms have satisfied

Public-Key Requirements
• Mathematically, public-key cryptosystems need a trapdoor one-way function
• A one-way function has
  • $Y = f(X)$ easy
  • $X = f^{-1}(Y)$ infeasible
• A trap-door one-way function has
  • $Y = f_k(X)$ easy, if $k$ and $X$ are known
  • $X = f_k^{-1}(Y)$ easy, if $k$ and $Y$ are known
  • $X = f_k^{-1}(Y)$ infeasible, if $Y$ is known but $k$ is not known
• A practical public-key scheme depends on a suitable trap-door one-way function

Public Key Cryptography
• Integer Factorization: given $N = p \cdot q$ where $p$ and $q$ are two large primes, find $p$ (or find $q$)
  • The largest known prime dated December 2005 is $2^{30402457}-1$
    • consists of 9152052 digits
  • The largest known prime dated August 2008 is $2^{43112609}-1$
    • about 12.9 million digits
• Discrete Log: $y = g^x \bmod p$. Given $y$, $g$, and $p$, find $x$
  • where $p$ is prime and $g$ is a "generator" (i.e., $g^1, g^2, g^3, \ldots$ generates all values < $p$)
• RSA Problem: $c = m^e \bmod n$. Given $c$, $e$, and $n$, find $m$
  • where $n = pq$ for primes $p$ and $q$
  • i.e. given the ciphertext, encryption key, and the RSA modulus, find the plaintext message
  • Related to integer factorization and discrete log

Notions of Security
• Absolute security
  • The system or algorithm is impossible to break
  • Impossible in practice!
  • E.g. for a password, we cannot eliminate the chance that someone breaks it by a wild guess (brute force attack)
  • E.g. such chance = $2^{-k}$ for a k-digit binary password
• Computational security
  • Security is expressed in terms of the computational power required to break the system (in terms of time, cost, and technology)
  • E.g. for a 1024-bit RSA key:
    • A machine that could break a 1024-bit RSA key in about a day would cost at least $250 million
    • Using year 2000 computer technology, it would take about 3,000,000 years to break a 1024-bit RSA key
• Public-key cryptosystems' security is computational security

RSA
• Created by Rivest, Shamir & Adleman of MIT in 1978
• Best known and widely used public-key scheme
• Based on exponentiation in a finite (Galois) field over integers modulo a prime
• Uses large integers (e.g. 1024 bits)
• Security due to the cost of factoring large numbers

RSA En/decryption
• With the public and private key pair (PU and PR)
• To encrypt a message $M$, the sender:
  • obtains the public key of the receiver, $PU = \{e, n\}$
  • computes: $C = M^e \bmod n$, where $0 \le M < n$
• To decrypt the ciphertext $C$, the receiver:
  • uses the private key $PR = \{d, n\}$
  • computes: $M = C^d \bmod n$
• Note that the message $M$ must be smaller than the modulus $n$ (break down into blocks if necessary)

RSA Key Setup
• Generates a public/private key pair by:
  • selecting two large primes at random: $p$, $q$
  • computing the system modulus $n = pq$
    • note $\phi(n) = (p-1)(q-1)$
  • selecting at random the encryption key $e$
    • where $1 < e < \phi(n)$, $\gcd(e, \phi(n)) = 1$
  • solving the following equation to find the decryption key $d$
    • $ed = 1 \bmod \phi(n)$ and $0 \le d \le n$
• Publish the public encryption key: $PU = \{e, n\}$
• Keep secret the private decryption key: $PR = \{d, n\}$

Why RSA Works
• Because of Euler's Theorem:
  • $a^{\phi(n)} \bmod n = 1$ where $\gcd(a, n) = 1$
• In RSA we have:
  • $n = pq$
  • $\phi(n) = (p-1)(q-1)$
  • choose $e$ and $d$ to be inverses mod $\phi(n)$
  • hence $ed = 1 + k\phi(n)$ for some $k$
• Hence: $C^d = M^{ed} = M^{1+k\phi(n)} = M^1 \cdot (M^{\phi(n)})^k = M^1 \cdot (1)^k = M^1 = M \bmod n$

RSA Example - Key Setup
• Select primes: $p = 17$ and $q = 11$
• Calculate $n = pq = 17 \times 11 = 187$
• Calculate $\phi(n) = (p-1)(q-1) = 16 \times 10 = 160$
• Select $e$: $\gcd(e, 160) = 1$; choose $e = 7$
• Determine $d$: $de = 1 \bmod 160$ and $d < 160$
• Value is $d = 23$ since $23 \times 7 = 161 = 1 \times 160 + 1$
• Publish public key $PU = \{7, 187\}$
• Keep secret private key $PR = \{23, 187\}$

RSA Example - En/Decryption
• Sample RSA encryption/decryption is:
• Given message $M = 88$ (nb. $88 < 187$)
• Encryption: $C = 88^7 \bmod 187 = 11$
• Decryption: $M = 11^{23} \bmod 187 = 88$

Factoring Problem
• Mathematical approach takes 3 forms:
  • find $d$ directly
  • determine $\phi(n)$ directly and compute $d$
  • factor $n = p \cdot q$, hence compute $\phi(n)$ and then $d$
• Currently believed that all are equivalent to factoring
  • have seen slow improvements over the years
  • biggest improvement comes from improved algorithms
  • as of May-05, the best is up to 200 decimal digits (663 bits)
• Currently assume 1024-2048 bit RSA is secure
  • ensure $p$, $q$ are of similar size and match other constraints

Timing Attacks
• Developed by Paul Kocher in the mid-1990s
• Exploit timing variations in operations
  • e.g. multiplying by a small vs a large number
  • or integer factorizations varying which instructions are executed
• Infer operand size based on time taken
• Against RSA, exploits the time taken in exponentiation
• Countermeasures
  • use constant exponentiation time (e.g. return the results later)
  • add random delays to the algorithms
  • blind the values used in calculations (multiply the ciphertext by a random number before exponentiation)

Chosen Ciphertext Attacks
• RSA is vulnerable to a Chosen Ciphertext Attack (CCA)
• The attacker chooses ciphertexts and gets the decrypted plaintext back (e.g. by exploiting careless private key owners)
• Ciphertexts are chosen to exploit properties of RSA and provide information that helps cryptanalysis
• To decrypt $C = M^e \bmod n$:
  • Compute $X = (C \times 2^e) \bmod n$
  • Submit $X$ as a chosen ciphertext (e.g. asking for an RSA digital signature; RSA signing is the same as RSA encryption with the private key) and receive back $Y = X^d \bmod n$
  • Here, $X^d = (C^d \bmod n) \times (2^{ed} \bmod n) = (M \bmod n) \times 2 \bmod n$; therefore $M$ can easily be obtained

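The multiplicative property behind both the blinding countermeasure on the Timing Attacks slide and the chosen-ciphertext steps above, as an added example that is not part of the original slides. It uses the toy key from the RSA example ($n = 187$, $e = 7$, $d = 23$); the function names and the `refusing_oracle` helper are assumptions made for illustration, and the last function shows that refusing only the exact ciphertext $C$ does not protect unpadded RSA.

```python
import secrets
from math import gcd

N, E, D = 187, 7, 23            # toy key pair from the RSA example slides

def raw_decrypt(c):
    """Unpadded private-key operation C^d mod n (also raw RSA signing)."""
    return pow(c, D, N)

def mask(c, r):
    """Multiply C by r^e mod n; the underlying plaintext becomes M*r mod n."""
    return (c * pow(r, E, N)) % N

def unmask(y, r):
    """Divide the result by r, i.e. multiply by r^-1 mod n."""
    return (y * pow(r, -1, N)) % N

def blinded_decrypt(c):
    """Countermeasure: exponentiate a randomised value, then remove r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:      # r must be invertible mod n
            break
    return unmask(raw_decrypt(mask(c, r)), r)

def refusing_oracle(blocked):
    """Key owner that decrypts anything except one protected ciphertext."""
    def oracle(x):
        if x == blocked:
            raise PermissionError("refusing the protected ciphertext")
        return raw_decrypt(x)
    return oracle

def recover_via_oracle(c, oracle, r=2):
    """Slide's steps with r = 2: X = C*2^e, Y = oracle(X) = 2M, M = Y/2."""
    return unmask(oracle(mask(c, r)), r)

if __name__ == "__main__":
    C = 11                      # ciphertext of M = 88 from the slides
    print("blinded decryption:", blinded_decrypt(C))
    print("X =", mask(C, 2), "Y =", raw_decrypt(mask(C, 2)))
    print("M via oracle:", recover_via_oracle(C, refusing_oracle(C)))
```
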
Public Key Cryptography: Diffie-Hellman Key Exchange
• Named for Whitfield Diffie and Martin Hellman
  • Diffie, W., and Hellman, M. New directions in cryptography. IEEE Trans. Inform. Theory IT-22, 6 (Nov. 1976), 644-654.
  • The first formal literature on public key cryptosystems
• Used to establish a shared key between two communicating parties
• No shared secret is required
• Strength lies in the difficulty of determining the discrete logarithm

Public Key Cryptography: Diffie-Hellman Key Exchange
• Common information: finite integer field $Z_p$ and a primitive element $g$ in $Z_p$
  • $Z_p$ consists of the integers $\{0, 1, 2, 3, \ldots, p-1\}$
• Alice chooses $X$, computes and sends $g^X \bmod p$ to Bob
• Bob chooses $Y$, computes and sends $g^Y \bmod p$ to Alice
• The shared key is $g^{XY} \bmod p$. Alice does not know $Y$ and Bob does not know $X$
[Diagram: Alice (secret $X$) sends $g^X \bmod p$; Bob (secret $Y$) sends $g^Y \bmod p$; shared key = $g^{XY} \bmod p$]

Public Key Cryptography
• Security of Diffie-Hellman
  • For Alice, given $X$, solving for $Y$ from $g^{XY} \bmod p$ is a discrete log problem. Similarly for Bob

Public Key Cryptography: Diffie-Hellman Key Exchange
• Let's try it out!
  • Given $g = 3$ and $p = 17$
  • Pair up yourselves into groups of 2
  • Perform Diffie-Hellman key exchange among yourselves
For your reference, some figures in real world implementation:

Diffie-Hellman Key Exchange: man-in-the-middle attack

Public Key Cryptography: Diffie-Hellman Key Exchange – Man-in-the-middle Attack
• Let's try it out!
  • Given $g = 3$ and $p = 7$
  • Pair up yourselves into groups of 3
  • Act as Alice, Bob, and Eve respectively
  • Perform Diffie-Hellman key exchange with man-in-the-middle among yourselves

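The two classroom exercises above worked through in code, as an added example that is not part of the original slides. The secret exponents (5 and 11; 2, 5 and 3) are constructed values, and the function names and the `fingerprint` comparison are assumptions made for illustration; the point is that the plain exchange gives Alice and Bob no sign of interception until their keys are compared over a channel Eve cannot alter.

```python
import hashlib

def dh_public(g, p, secret):
    """Value sent on the wire: g^secret mod p."""
    return pow(g, secret, p)

def dh_shared(peer_public, p, secret):
    """Key derived from the value received: peer_public^secret mod p."""
    return pow(peer_public, secret, p)

def honest_exchange(g, p, x, y):
    """Alice (secret x) and Bob (secret y) with nobody in between."""
    a_pub, b_pub = dh_public(g, p, x), dh_public(g, p, y)
    return dh_shared(b_pub, p, x), dh_shared(a_pub, p, y)

def intercepted_exchange(g, p, x, y, z):
    """Eve (secret z) replaces both public values with g^z mod p."""
    a_pub, b_pub = dh_public(g, p, x), dh_public(g, p, y)
    e_pub = dh_public(g, p, z)
    return {
        "alice": dh_shared(e_pub, p, x),      # Alice believes this is Bob's
        "bob": dh_shared(e_pub, p, y),        # Bob believes this is Alice's
        "eve_alice": dh_shared(a_pub, p, z),  # key Eve shares with Alice
        "eve_bob": dh_shared(b_pub, p, z),    # key Eve shares with Bob
    }

def fingerprint(key):
    """Short digest of a key, to be compared over an authenticated channel."""
    return hashlib.sha256(str(key).encode()).hexdigest()[:8]

def exchange_was_tampered(k_alice, k_bob):
    """Key confirmation: differing fingerprints reveal the interception."""
    return fingerprint(k_alice) != fingerprint(k_bob)

if __name__ == "__main__":
    print("g=3, p=17:", honest_exchange(3, 17, 5, 11))
    keys = intercepted_exchange(3, 7, 2, 5, 3)
    print("g=3, p=7 with Eve:", keys)
    print("tampered:", exchange_was_tampered(keys["alice"], keys["bob"]))
```
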
Fixing man-in-the-middle attack: Station-to-station key exchange

Elliptic Curve Cryptography
• ECC is an asymmetric cryptosystem based on the elliptic curve discrete log problem
• Elliptic curves: a special kind of curve (think about the hyperbola curves you have learnt in high school)
• ECC uses elliptic curves over finite fields
• ECC is more efficient
  • Time to crack 163-bit ECC ~ time to crack 1024-bit RSA
• Size of the cryptanalysis (cracking) problem
  • RSA: the length of the modulus that must be factored
  • ECC: the number of points N in the group

Real Elliptic Curves
• An elliptic curve is defined by an equation in two variables $x$ and $y$, with coefficients
• Consider a cubic elliptic curve of the form
  • $y^2 = x^3 + ax + b$
  • where $x$, $y$, $a$, $b$ are all real numbers
  • also define zero point $O$
• Consider set of points $E(a,b)$ that satisfy
• Have addition operation for elliptic curve
  • geometrically, the sum $P+Q$ is the reflection of the intersection $R$

Elliptic Curve Cryptography: Elliptic Curve Cryptosystem
• Elliptic curves have these forms
  • $y^2 = x^3 - ax + b$
  • $y^2 = x^3 - ax + b \pmod p$
• Plus a point at infinity $O$
• Addition of two points $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$
  • $P + Q = R$ where $s = (y_P - y_Q) / (x_P - x_Q)$
  • $x_R = s^2 - x_P - x_Q$ and $y_R = -y_P + s(x_P - x_R)$
• Point multiplication
  • $nP = P + P + \ldots + P$ ($n$ times)

Finite Elliptic Curves
• Elliptic curve cryptography uses curves whose variables and coefficients are finite
• Have two families commonly used:
  • prime curves $E_p(a,b)$ defined over $Z_p$
    • use integers modulo a prime
  • binary curves $E_{2^m}(a,b)$ defined over $GF(2^n)$
    • use polynomials with binary coefficients
    • best in hardware

Elliptic Curve Cryptography: Elliptic Curve Discrete Logarithm Problem
• ECC relies upon the difficulty of the Elliptic Curve Discrete Logarithm Problem (ECDLP)
• Scalar multiplication of a point
  • $nP = P + P + \ldots + P$ ($n$ number of $P$s)
• The ECDLP is based upon the intractability of scalar multiplication products
  • Given $xP$ and $P$, it is difficult to find $x$
  • In real applications, $x$ will be large enough that it is difficult to determine by adding point by point

Elliptic Curve Cryptography
• ECC addition is the analog of modulo multiply
• ECC repeated addition is the analog of modulo exponentiation
• The ECC "hard" (one way trapdoor) problem:
  • $Q = kP$, where $Q$, $P$ belong to a prime curve
  • it is "easy" to compute $Q$ given $k$, $P$
  • but "hard" to find $k$ given $Q$, $P$
  • known as the elliptic curve logarithm problem

Public Key Cryptography: Elliptic Curve Cryptosystem
• Key Generation
  • Choose a generator point $G$ on the curve $E$
  • Choose an integer $s < n$ and compute $P = sG$
  • The public key is $G$, $E$, $P$
  • The private key is $s$

ECC Diffie-Hellman
• Can do key exchange analogous to D-H
• Users select a suitable curve $E_q(a,b)$
• Select base point $G = (x_1, y_1)$
  • with large order $n$ s.t. $nG = O$
• A and B select private keys $n_A < n$, $n_B < n$
• Compute public keys: $P_A = n_A G$, $P_B = n_B G$
• Compute shared key: $K = n_A P_B$, $K = n_B P_A$
  • same since $K = n_A n_B G$
• Attacker would need to find $k$, hard

Public Key Cryptography: Elliptic Curve Cryptosystem
• Encryption
  • For a message $m$, map it to the curve and obtain a message point $M$
  • Generate a random number $k$
  • Ciphertext $C = [c_x, c_y] = [kG, kP + M]$
• Decryption
  • With the private key $s$, compute $c_y - s c_x$
Note: $M + kP - s(kG) = M + k(sG) - s(kG) = M$

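Point addition, scalar multiplication, ECC Diffie-Hellman and the encryption scheme above on one toy prime curve, as an added example that is not part of the original slides. It assumes the form $y^2 = x^3 + ax + b \pmod p$ with constructed parameters $a = 1$, $b = 1$, $p = 23$ and base point $G = (3, 10)$; the function names are illustrative, and `add` also handles point doubling and $P + (-P) = O$, which the chord formula for $s$ does not cover.

```python
# Toy prime curve y^2 = x^3 + a*x + b (mod p); parameters are constructed.
P_MOD, A, B = 23, 1, 1
O = None                       # the zero point (point at infinity)
G = (3, 10)                    # constructed base point on the curve

def on_curve(P):
    if P is O:
        return True
    x, y = P
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def add(P, Q):
    """P + Q, including the cases the chord formula does not cover."""
    if P is O:
        return Q
    if Q is O:
        return P
    (xp, yp), (xq, yq) = P, Q
    if xp == xq and (yp + yq) % P_MOD == 0:
        return O                                   # Q = -P, so P + Q = O
    if P == Q:                                     # doubling: tangent slope
        s = (3 * xp * xp + A) * pow(2 * yp % P_MOD, -1, P_MOD)
    else:                                          # s = (yP - yQ)/(xP - xQ)
        s = (yp - yq) * pow((xp - xq) % P_MOD, -1, P_MOD)
    xr = (s * s - xp - xq) % P_MOD
    return (xr, (-yp + s * (xp - xr)) % P_MOD)

def neg(P):
    return O if P is O else (P[0], -P[1] % P_MOD)

def mul(n, P):
    """nP = P + P + ... + P, computed by double-and-add."""
    R = O
    while n:
        if n & 1:
            R = add(R, P)
        P, n = add(P, P), n >> 1
    return R

def encrypt(M, k, P_pub):
    """C = [kG, kP + M]; k must be fresh and random in real use."""
    return (mul(k, G), add(mul(k, P_pub), M))

def decrypt(C, s):
    """M = c_y - s * c_x."""
    return add(C[1], neg(mul(s, C[0])))
```
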
ECC Security
• Relies on the elliptic curve logarithm problem
• Compared to factoring, can use much smaller key sizes than with RSA etc.
• For equivalent key lengths, computations are roughly equivalent
• Hence for similar security ECC offers significant computational advantages
  • E.g. suitable for mobile devices and devices with relatively limited computational power

Comparable Key Sizes for Equivalent Security
