CSCE 715: Network Systems Security. Chin-Tser Huang huangct@cse.sc.edu University of South Carolina. RSA. Invented by Rivest, Shamir & Adleman of MIT in 1977 Best known and widely used public-key scheme Based on exponentiation in a finite (Galois) field over integers modulo a prime
RSA
• Invented by Rivest, Shamir & Adleman of MIT in 1977
• Best known and widely used public-key scheme
• Based on exponentiation in a finite (Galois) field over integers modulo a prime
  • exponentiation takes O((log n)^3) operations (easy)
• Use large integers (e.g. 1024 bits)
• Security due to cost of factoring large numbers
  • factorization takes O(e^(log n log log n)) operations (hard)
RSA Key Setup
• Each user generates a public/private key pair by
  • select two large primes at random: p, q
  • compute their system modulus n=p·q
  • note ø(n)=(p-1)(q-1)
  • select at random the encryption key e
  • where 1<e<ø(n), gcd(e,ø(n))=1
  • solve following equation to find decryption key d
  • e·d=1 mod ø(n) and 0≤d≤n
  • publish their public encryption key: KU={e,n}
  • keep secret private decryption key: KR={d,n}
RSA Usage
• To encrypt a message M:
  • sender obtains public key of receiver KU={e,n}
  • computes: C = M^e mod n, where 0≤M<n
• To decrypt the ciphertext C:
  • receiver uses its private key KR={d,n}
  • computes: M = C^d mod n
• Message M must be smaller than the modulus n (cut into blocks if needed)
Why RSA Works
• Euler's Theorem: a^ø(n) mod n = 1 where gcd(a,n)=1
• In RSA, we have
  • n=p·q
  • ø(n)=(p-1)(q-1)
  • carefully chosen e and d to be inverses mod ø(n)
  • hence e·d=1+k·ø(n) for some k
• Hence: C^d = (M^e)^d = M^(1+k·ø(n)) = M^1·(M^ø(n))^k = M^1·(1)^k = M^1 = M mod n
RSA Example: Computing Keys
• Select primes: p=17, q=11
• Compute n=pq=17×11=187
• Compute ø(n)=(p-1)(q-1)=16×10=160
• Select e: gcd(e,160)=1 and e<160
  • choose e=7
• Determine d: d·e=1 mod 160 and d<160
  • d=23 since 23×7=161=1×160+1
• Publish public key KU={7,187}
• Keep secret private key KR={23,187}
RSA Example: Encryption and Decryption
• Given message M = 88 (88<187)
• Encryption: C = 88^7 mod 187 = 11
• Decryption: M = 11^23 mod 187 = 88
Exponentiation
• Use a property of modular arithmetic: [(a mod n)(b mod n)] mod n = (ab) mod n
• Use the Square and Multiply Algorithm to multiply the ones that are needed to compute the result
• Look at binary representation of exponent
• Only takes O(log_2 n) multiplications for number n
  • e.g. 7^5 = 7^4·7^1 = 3·7 = 10 (mod 11)
  • e.g. 3^129 = 3^128·3^1 = 5·3 = 4 (mod 11)
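
Square and multiply as described on this slide, checked against the slides' own key (n=187, e=7, d=23) and the two mod-11 examples. This is an added example, not part of the original lecture; the function names and the multiplication counter are assumptions made for illustration.

```python
def square_and_multiply(base, exponent, modulus):
    """Left-to-right binary exponentiation.

    Returns (base**exponent mod modulus, number of modular multiplications).
    """
    result, mults = 1, 0
    for bit in bin(exponent)[2:]:               # binary representation of the exponent
        result = (result * result) % modulus    # square once per exponent bit
        mults += 1
        if bit == "1":
            result = (result * base) % modulus  # multiply only where the bit is 1
            mults += 1
    return result, mults


# Key pair from the "Computing Keys" slide: KU={7,187}, KR={23,187}
N, E, D = 187, 7, 23


def encrypt(m, e=E, n=N):
    """C = M^e mod n; the message must satisfy 0 <= M < n."""
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < n; cut it into blocks")
    return square_and_multiply(m, e, n)[0]


def decrypt(c, d=D, n=N):
    """M = C^d mod n."""
    return square_and_multiply(c, d, n)[0]


def roundtrip_holds_for_all_messages():
    """Decryption undoes encryption for every M in 0..n-1."""
    return all(decrypt(encrypt(m)) == m for m in range(N))


if __name__ == "__main__":
    print("C =", encrypt(88), " M =", decrypt(encrypt(88)))
    print("3^129 mod 11 =", square_and_multiply(3, 129, 11))
```

The counter shows the cost growing with the bit length of the exponent rather than with its value: an 8-bit exponent such as 129 needs 10 modular multiplications instead of 128.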
RSA Key Generation
• Users of RSA must:
  • determine two primes at random - p, q
  • select either e or d and compute the other
• Primes p, q must not be easily derived from modulus n=p·q
  • means p, q must be sufficiently large
  • typically guess and use probabilistic test
• Exponents e, d are multiplicative inverses, so use Inverse algorithm to compute the other
Security of RSA
• Four approaches to attacking RSA
  • brute force key search (infeasible given size of numbers)
  • mathematical attacks (based on difficulty of computing ø(n), by factoring modulus n)
  • timing attacks (on running of decryption)
  • chosen ciphertext attacks (given properties of RSA)
Factoring Problem
• Mathematical approach takes 3 forms:
  • factor n=p·q, hence find ø(n) and then d
  • determine ø(n) directly and find d
  • find d directly
• Currently believe all equivalent to factoring
  • have seen slow improvements over the years
  • as of May-05 best is 200 decimal digits (663 bits) with LS
  • biggest improvement comes from improved algorithm
  • cf "Quadratic Sieve" to "Generalized Number Field Sieve" to "Lattice Sieve"
  • 1024+ bit RSA is secure barring dramatic breakthrough
  • ensure p, q of similar size and matching other constraints
Timing Attacks
• Developed in mid-1990s
• Exploit timing variations in operations
  • e.g. multiplying by small vs large number
• Infer operand size based on time taken
• RSA exploits time taken in exponentiation
• Countermeasures
  • use constant exponentiation time
  • add random delays
  • blind values used in calculations
Chosen Ciphertext Attacks
• RSA is vulnerable to a Chosen Ciphertext Attack (CCA)
  • attacker chooses ciphertexts and gets decrypted plaintext back
  • choose ciphertext to exploit properties of RSA to provide info to help cryptanalysis
  • can counter with random pad of plaintext
  • or use Optimal Asymmetric Encryption Padding (OAEP)
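
The "blind values used in calculations" countermeasure from the Timing Attacks slide relies on the multiplicative property of unpadded RSA, E(M1)·E(M2) = E(M1·M2) mod n, which is also the reason the Chosen Ciphertext Attacks slide calls for random padding or OAEP. An added example, not part of the original lecture, using the slides' key (n=187, e=7, d=23); the function names are assumptions.

```python
import secrets
from math import gcd

N, E, D = 187, 7, 23   # KU={7,187}, KR={23,187} from the slides


def is_multiplicative(m1, m2):
    """True when E(m1) * E(m2) = E(m1 * m2) mod n for unpadded RSA."""
    return (pow(m1, E, N) * pow(m2, E, N)) % N == pow((m1 * m2) % N, E, N)


def blinded_decrypt(c):
    """Decrypt c without ever running the private exponentiation on c itself.

    Returns (plaintext, blinded value that was actually exponentiated with d).
    """
    while True:
        r = secrets.randbelow(N - 2) + 2      # fresh blinding factor per call
        if gcd(r, N) == 1:                    # r must be invertible mod n
            break
    blinded = (c * pow(r, E, N)) % N          # C' = C * r^e mod n
    m_times_r = pow(blinded, D, N)            # (C')^d = M * r mod n
    m = (m_times_r * pow(r, -1, N)) % N       # strip r again to get M
    return m, blinded


def blinded_inputs_seen(c, runs=200):
    """Distinct values fed to the private-key operation across repeated decryptions."""
    return {blinded_decrypt(c)[1] for _ in range(runs)}


if __name__ == "__main__":
    print("M =", blinded_decrypt(11)[0])
    print("distinct private-key inputs for one ciphertext:", len(blinded_inputs_seen(11)))
```

Because the value exponentiated with d changes on every call, the running time no longer correlates with a ciphertext chosen by the caller. Padding such as OAEP removes the multiplicative structure from the plaintext itself.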
Key Management
• Asymmetric encryption helps address key distribution problems
• Two aspects
  • distribution of public keys
  • use of public-key encryption to distribute secret keys
Distribution of Public Keys
• Four alternatives of public key distribution
• Public announcement
• Publicly available directory
• Public-key authority
• Public-key certificates
Public Announcement
• Users distribute public keys to recipients or broadcast to community at large
• E.g. append PGP keys to email messages or post to news groups or email list
• Major weakness is forgery
  • anyone can create a key claiming to be someone else's and broadcast it
  • can masquerade as claimed user before forgery is discovered
Publicly Available Directory
• Achieve greater security by registering keys with a public directory
• Directory must be trusted with properties:
  • contains {name, public-key} entries
  • participants register securely with directory
  • participants can replace key at any time
  • directory is periodically published
  • directory can be accessed electronically
• Still vulnerable to tampering or forgery
Public-Key Authority
• Improve security by tightening control over distribution of keys from directory
• Has properties of directory
• Require users to know public key for the directory
• Users can interact with directory to obtain any desired public key securely
  • require real-time access to directory when keys are needed
Public-Key Certificates
• Certificates allow key exchange without real-time access to public-key authority
• A certificate binds identity to public key
  • usually with other info such as period of validity, authorized rights, etc
• With all contents signed by a trusted Public-Key or Certificate Authority (CA)
• Can be verified by anyone who knows the CA's public key
Distribute Secret Keys Using Asymmetric Encryption
• Can use previous methods to obtain public key of other party
• Although public key can be used for confidentiality or authentication, asymmetric encryption algorithms are too slow
• So usually want to use symmetric encryption to protect message contents
• Can use asymmetric encryption to set up a session key
Simple Secret Key Distribution
• Proposed by Merkle in 1979
• A generates a new temporary public key pair
• A sends B the public key and A's identity
• B generates a session key Ks and sends encrypted Ks (using A's public key) to A
• A decrypts message to recover Ks and both use
Problem with Simple Secret Key Distribution
• An adversary can intercept and impersonate both parties of protocol
• A generates a new temporary public key pair {KUa, KRa} and sends KUa || IDa to B
• Adversary E intercepts this message and sends KUe || IDa to B
• B generates a session key Ks and sends encrypted Ks (using E's public key)
• E intercepts message, recovers Ks and sends encrypted Ks (using A's public key) to A
• A decrypts message to recover Ks and both A and B unaware of existence of E
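
The exchange above, simulated with and without E in the path, and again with B checking a CA-signed certificate as described on the Public-Key Certificates slide. This is an added example, not part of the original lecture; the toy textbook-RSA keys built from Mersenne primes, the hash-then-sign certificate format and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy parameters: four Mersenne primes, far too small for real use.
M61, M89, M107, M127 = (2**k - 1 for k in (61, 89, 107, 127))


def keypair(p, q, e=65537):
    """Return (KU, KR) = ((e, n), (d, n))."""
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)


def rsa(m, key):
    """Textbook RSA operation with either half of a key pair."""
    return pow(m, key[0], key[1])


def digest(ident, pub, n):
    """Hash of the identity-to-key binding, reduced mod the CA modulus."""
    h = hashlib.sha256(f"{ident}|{pub[0]}|{pub[1]}".encode()).digest()
    return int.from_bytes(h, "big") % n


def issue_cert(ident, pub, ca_priv):
    return rsa(digest(ident, pub, ca_priv[1]), ca_priv)    # CA signs the binding


def cert_valid(ident, pub, cert, ca_pub):
    return rsa(cert, ca_pub) == digest(ident, pub, ca_pub[1])


KUa, KRa = keypair(M61, M89)       # A's temporary key pair
KUe, KRe = keypair(M89, M107)      # adversary E's key pair
KUca, KRca = keypair(M107, M127)   # certificate authority
CERT_A = issue_cert("A", KUa, KRca)


def exchange(e_active, b_checks_cert):
    """Return (Ks at A, Ks at B, Ks learned by E); None where no key was obtained."""
    pub, ident, cert = KUa, "A", CERT_A           # A -> B: KUa || IDa (plus certificate)
    if e_active:
        pub = KUe                                 # E substitutes KUe and keeps IDa
    if b_checks_cert and not cert_valid(ident, pub, cert, KUca):
        return None, None, None                   # B aborts: key is not bound to "A"
    ks_b = secrets.randbits(128)                  # B generates session key Ks
    c = rsa(ks_b, pub)                            # B -> A: Ks under the key B received
    ks_e = None
    if e_active:
        ks_e = rsa(c, KRe)                        # E recovers Ks
        c = rsa(ks_e, KUa)                        # and re-encrypts it for A
    ks_a = rsa(c, KRa)                            # A decrypts to recover Ks
    return ks_a, ks_b, ks_e
```

With `b_checks_cert=False` and E active, all three values are equal and neither A nor B has any signal that E exists. With `b_checks_cert=True`, the substituted key fails verification and B never sends Ks.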
Next Class
• Key exchange
  • Diffie-Hellman key exchange protocol
• Elliptic curve cryptography
• Read Chapters 11 and 12