
Public Key Encryption


Presentation Transcript


  1. CSCE 522 - Farkas: Public Key Encryption
     • Terminology
     • RSA
     • Hash functions

  2. Reading Assignment (Lecture 6)
     • Reading assignments for current lecture:
       Required:
       • Pfleeger: 2.7, …, 2.12
       Recommended:
       • Tom Simonite, MIT Technology Review: NSA Leak Leaves Crypto-math Intact but Highlights Known Workarounds, http://www.dfinews.com/news/2013/09/nsa-leak-leaves-crypto-math-intact-highlights-known-workarounds#.UjdU8X-d6So

  3. Summary of Secret Key Encryption
     • Basic methods:
       • Substitution
       • Transposition
     • Security: secrecy of secret key

  4. Compare DES and AES

  5. Weakness of Secret Key Encryption
     • Secrecy of key
       • How to distribute the keys securely?
     • Large number of keys
       • N(N-1) / 2
     • Other issues: no support for
       • Third party verification
       • Non-repudiation
     Can we provide other methods for confidentiality?

  6. Public-Key Encryption
     • Two keys: one is private, one is public
     • Solves the key distribution problem (but needs a reliable channel)
     • Provides electronic signatures
     • Slower than secret-key encryption

  7. Public-Key Encryption
     • Needed for security:
       • One of the keys must be kept secret
       • Impossible (at least impractical) to decipher message if no other information is available
       • Knowledge of algorithm, one of the keys, and samples of ciphertext must be insufficient to determine the other key

  8. Confidentiality
     [Diagram: Sender A passes the plaintext through the encryption algorithm under B’s public key (need reliable channel); the ciphertext crosses the insecure channel; Recipient B passes it through the decryption algorithm under B’s private key to recover the plaintext.]

  9. Public Key Cryptosystem
     • Concept conceived by Diffie and Hellman in 1976
     • Rivest, Shamir, and Adleman (RSA) describe a public key system in 1978
     • Many proposals have been broken, e.g., Merkle-Hellman proposal broken by Shamir
     • Serious candidates (public domain)
       • RSA
       • El Gamal

  10. RSA

  11. Notation
      $C = E(K_{E-B}, M)$
      $M = D(K_{D-B}, C)$
      $K_{E-B}$: public key of B
      $K_{D-B}$: private key of B
      E: encryption alg.
      D: decryption alg.
      M: plaintext
      C: ciphertext

  12. RSA
      • Both sender and receiver know n
      • Sender knows e
      • Only receiver knows d
      • Modulus: remainder after division, i.e., if a mod n = b then a = c*n + b
      • Need:
        • Find values e, d, n such that $M^{ed} \bmod n = M \bmod n$
        • Easy to calculate $M^e$, $C^d$ for all M < n
        • Infeasible to determine d given e

  13. RSA
      • Public key: (n,e)
      • Private key: (n,d)
      • n is a 200 digit number
      • $C = M^e \bmod n$
      • $M = C^d \bmod n$

  14. RSA Keys
      Generation of public and private keys
      • Choose 2 large (100 digit) prime numbers p and q
      • Compute n = p*q
      • Choose e > 1 relatively prime to $\varphi(n) = (p-1)(q-1)$
      • Compute d such that $e \cdot d = 1 \bmod (p-1)(q-1)$
      • Publish (n,e)
      • Secret (n,d), p, q

  15. RSA Keys Example 1
      • Choose 2 “large” prime numbers p=7, q=17
      • Compute n = p*q: 7*17 = 119
      • Choose e relatively prime to (p-1)*(q-1): 6*16 = 96, e = 5
      • Compute $d = 5^{-1} \bmod 96 = 77$
      • Publish (5,119)
      • Keep (77,119), 7, 17

  16. RSA Key Example 1
      • Let M = 19
      • Encrypt: $19^5 \bmod 119 = 2{,}476{,}099 \bmod 119 = 66$
      • Decrypt: $66^{77} \bmod 119 = 19 \bmod 119$

  17. RSA Keys
      • Compute d such that $e \cdot d = 1 \bmod (p-1)(q-1)$
        • If factorization of n into p*q is known: Easy
        • Otherwise: Hard
      • How hard is it to compute d given (n,e)?
        • Don’t know BUT not harder than factoring n into p*q ⇒ Security of RSA is no better than the complexity of the factorization problem
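Slides 14 to 17 carried through in code, as an added example that is not part of the original lecture. It reproduces the slides' numbers (p=7, q=17, e=5, M=19) and shows why d is only as safe as the factorization of n; the function names are chosen here for illustration.

```python
# Added illustration (not from the lecture): textbook RSA with the slides' toy numbers.
from math import gcd

def generate_keypair(p, q, e):
    """Slide 14: derive (n, e, d) from primes p, q and a chosen public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must be > 1 and relatively prime to (p-1)*(q-1)")
    d = pow(e, -1, phi)          # modular inverse: e*d = 1 mod phi (Python 3.8+)
    return n, e, d

def encrypt(m, n, e):
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < n")
    return pow(m, e, n)          # C = M^e mod n

def decrypt(c, n, d):
    return pow(c, d, n)          # M = C^d mod n

def recover_d_by_factoring(n, e):
    """Slide 17: once n is factored, d follows immediately.
    Trial division finishes quickly only because the toy modulus is tiny."""
    p = next(f for f in range(2, int(n ** 0.5) + 1) if n % f == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    n, e, d = generate_keypair(7, 17, 5)
    c = encrypt(19, n, e)
    print("public (n,e):", (n, e), "private d:", d)
    print("ciphertext:", c, "decrypted:", decrypt(c, n, d))
    print("d recovered from the public key alone:", recover_d_by_factoring(n, e))
```

The last call succeeds from (n, e) alone, which is the reason slide 14 asks for primes of about 100 digits each.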

  18. Digital Signatures in RSA
      • RSA property: encryption and decryption are commutative
      • Encryption followed by decryption yields the original message: $(M^e \bmod n)^d \bmod n = M$
      • Decryption followed by encryption yields the original message: $(M^d \bmod n)^e \bmod n = M$
      • Cryptosystems that preserve message length have this property

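  19. Digital Signatures in RSA
      [Diagram: A signs the plaintext by passing it through the decryption algorithm under A’s private key; the signed plaintext crosses the insecure channel; B verifies by passing it through the encryption algorithm under A’s public key (need reliable channel) to recover the plaintext.]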

  20. Signature and Encryption
      [Diagram: A applies D with A’s private key (plaintext → signed plaintext), then E with B’s public key (signed plaintext → encrypted signed plaintext). B applies D with B’s private key (→ signed plaintext), then E with A’s public key (→ plaintext).]

  21. Signature and Encryption
      • We could do the encryption first, followed by the signature. Advantage of signature first: parties other than B can verify the signature
      • DES can be used for encryption
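The sign-then-encrypt flow of slides 18 to 21, as an added example that is not part of the original lecture. The key pairs are constructed here from known Mersenne primes so the block runs offline, the function names are illustrative, and the arithmetic is the unpadded RSA of the slides; the size check covers the case where the signed value does not fit under the recipient's modulus.

```python
# Added illustration (not from the lecture). Constructed demo keys: far too small
# for real use, and unpadded "textbook" RSA exactly as on the slides.
E = 65537  # public exponent shared by both demo keys

def make_key(p, q):
    """Return (n, d) for the fixed public exponent E."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

A_N, A_D = make_key(2**61 - 1, 2**89 - 1)      # sender A (smaller modulus)
B_N, B_D = make_key(2**107 - 1, 2**127 - 1)    # recipient B (larger modulus)

def sign_then_encrypt(m, signer_n, signer_d, recipient_n):
    """Slide 20, sender side: D with own private key, then E with recipient's public key."""
    if not 0 <= m < signer_n:
        raise ValueError("message must be smaller than the signer's modulus")
    signed = pow(m, signer_d, signer_n)
    if signed >= recipient_n:
        # Encrypting would reduce the value mod recipient_n and it could not be recovered.
        raise ValueError("signed value does not fit under the recipient's modulus")
    return pow(signed, E, recipient_n)

def decrypt_then_verify(c, recipient_n, recipient_d, signer_n):
    """Slide 20, recipient side: D with own private key, then E with signer's public key."""
    signed = pow(c, recipient_d, recipient_n)
    return pow(signed, E, signer_n)

def demo():
    m = int.from_bytes(b"pay Bob 10", "big")   # constructed sample message
    c = sign_then_encrypt(m, A_N, A_D, B_N)
    recovered = decrypt_then_verify(c, B_N, B_D, A_N)
    return recovered.to_bytes((recovered.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    print(demo())
```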

  22. Non-repudiation
      • Requires notarized signature, involving a third party
      • Large system: hierarchies of notarization

  23. Hash Functions

  24. Hash Functions (Lecture 8-9)
      • Hash function h maps an input x of arbitrary length to a fixed length output h(x) (compression)
      • Accidental or intentional change to the data will change the hash value
      • Given h and x, h(x) is easy to compute (ease of computation)

  25. Good Hash Function
      • It is easy to compute the hash value for any given message
      • It is infeasible to find a message that has a given hash (one-way property)
      • It is infeasible to modify a message without changing its hash
      • It is infeasible to find two different messages with the same hash (collision-free property)

  26. Hash functions
      • Preimage resistant (one-way): if for all specified outputs, it is computationally infeasible to find any input that hashes to that output
      • Second-preimage resistant (weak collision resistant): if it is computationally infeasible to find any second input which has the same output as any specified input
      • Collision resistant (strong collision resistant): if it is computationally infeasible to find any two distinct inputs that have the same output

  27. Use of Hash function
      • Message integrity
      • Message authentication (hash is signed)
      • Protect password files
      • Support for intrusion detection
      • Support for virus detection

  28. Hash Algorithms
      • Input of arbitrary length
      • Output size
      • Block size
      • Rounds
      • Bitwise operations: and, or, xor, not

  29. SHA Security
      • SHA-1: in 2005 security flaws were identified
        • A possible mathematical weakness might exist
      • SHA-2: no attacks have yet been reported
        • SHA-2 variants are algorithmically similar to SHA-1 and so efforts are underway to develop improved alternatives
      • SHA-3: new hash standard is currently under development

  30. SHA-2 Family
      • 2001: first published in the draft FIPS PUB 180-2
      • 2002, 2004: FIPS PUB 180-2 modified
      • SHA-224, SHA-256, SHA-384, and SHA-512

  31. MD5 vs. SHA
      • Very similar
      • Security: SHA’s digest is 32 bits longer ⇒ without algorithm flaws SHA is more secure
      • Speed: SHA has more steps and produces 160-bit buffer ⇒ SHA slower
      • Simplicity and compactness: MD5 has more internal steps with varying buffer modification ⇒ SHA is simpler

  32. Attacks
      • First preimage attack: given a hash h, find a message m such that hash(m) = h
      • Second preimage attack: given a fixed message m1, find a different message m2 such that hash(m2) = hash(m1)
      • Attack complexity: $2^n$ (considered too high for a typical output size of n=160 bits)
      • Practical attacks: Collision attack

  33. Collision Attack
      • Cryptographic attack
      • Based on probability theory
      • Given a function ƒ, the goal of the attack is to find two different inputs $x_1$, $x_2$ such that $f(x_1) = f(x_2)$ (complexity is $2^{n/2}$)
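The $2^{n/2}$ figure from slides 32 and 33 can be measured on a deliberately shortened digest. This is an added example, not part of the original lecture: it truncates SHA-256 to n bits (an assumption made only so the search finishes in seconds) and counts how many inputs are hashed before two collide, which is the reason digest length has to be about twice the intended security level.

```python
# Added illustration (not from the lecture): birthday bound on a truncated digest.
import hashlib

def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 cut down to its top `bits` bits, standing in for an n-bit hash."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def find_collision(bits: int):
    """Hash distinct inputs until two share a digest; returns (x1, x2, attempts)."""
    seen = {}
    counter = 0
    while True:
        x = b"msg-%d" % counter          # constructed inputs, all distinct
        h = truncated_hash(x, bits)
        if h in seen:
            return seen[h], x, counter + 1
        seen[h] = x
        counter += 1

def attempts_by_size(sizes=(16, 24, 32)):
    """Number of hashes needed for a collision at each digest size."""
    return {bits: find_collision(bits)[2] for bits in sizes}

if __name__ == "__main__":
    for bits, attempts in attempts_by_size().items():
        # Compare against 2^(n/2), the collision complexity on slide 33,
        # and 2^n, the preimage complexity on slide 32.
        print(f"n={bits:2d}  attempts={attempts:7d}  2^(n/2)={2 ** (bits // 2):6d}  2^n={2 ** bits}")
```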

  34. Hash Functions
      • Message digest
      • Used for authenticity (sign hash value of a message) and integrity purposes
      • Algorithms:
        • MD2, MD4, MD5 (128), SHA0 (160): insecure
        • SHA1 (160): theoretical collision attack
        • SHA-2, SHA-3 (256, 512, 1024): OK

  35. MD6
      • MD6 was submitted to the NIST SHA-3 competition
      • July 1, 2009: Rivest posted a comment at NIST that MD6 is not yet ready to be a candidate for SHA-3
        • speed issues and
        • inability to supply a proof of security for a faster reduced-round version

  36. Next Class
      • Protocol Analysis and hash

  37. How does it work? Chapter 12. Not required for tests

  38. Arithmetic
      • Identity i: x op i = x
      • Inverse: b is inverse of a under op if a op b = i
      • Prime numbers: p is prime if 1 < p and divisible by {1,p} only
      • Euclidean algorithm: if x divides a and b then x also divides a-(k*b):
        $a - k b = x a_1 - k x b_1 = x (a_1 - k b_1) = x d$

  39. Greatest common divisor
      • Given a > b, the greatest common divisor x=gcd(a,b) can be calculated as follows:
        • Rewrite a as a=m*b+r, where m=a/b and r is the remainder
        • If x divides a and b, it also divides r, therefore x=gcd(a,b)=gcd(b,r) ⇒ b=m’*r+r’
        • Continue until the remainder is zero

  40. Modular Arithmetic
      • Results stay in the underlying range of numbers
      • +,-,* can be applied before or after the modulus is taken with similar results
      • Modulus: remainder after division, that is if a mod n=b then a=c*n+b
      • Examples
        • 9 mod 3 = 0
        • 12 mod 5 = 2
        • 12 mod 10 = 2

  41. Modular Arithmetic
      Properties:
      • Associative
        a+(b+c) mod n = (a+b)+c mod n
        a*(b*c) mod n = (a*b)*c mod n
      • Commutative
        a+b mod n = b+a mod n
        a*b mod n = b*a mod n
      • Distributive
        (a*(b+c)) mod n = (((a*b) mod n) + ((a*c) mod n)) mod n
      • Existence of identities
        a+0 mod n = 0+a mod n = a
        a*1 mod n = 1*a mod n = a

  42. Modular Arithmetic
      Properties:
      • Existence of inverses
        a+(-a) mod n = 0
        $a \cdot a^{-1} \bmod n = 1$ if $a \neq 0$ (and gcd(a,n) = 1; see next slide)
      • Reducibility
        (a+b) mod n = ((a mod n) + (b mod n)) mod n
        (a*b) mod n = ((a mod n) * (b mod n)) mod n
        $a^e \bmod n = \left[\prod_{i=1}^{e} (a \bmod n)\right] \bmod n$

  43. Modular Arithmetic
      $a^{-1} = x \bmod n$ has unique solution if a and n are relatively prime

  44. Fermat’s and Euler’s Theorem
      • Fermat’s Theorem: For any prime number p and any element a < p,
        $a^p \bmod p = a$ or $a^{p-1} \bmod p = 1$
        Inverse of a is x, such that $a x \bmod p = 1$
        $a x \bmod p = 1 = a^{p-1} \bmod p$
        $x = a^{p-2} \bmod p$
      • Euler’s theorem: if a and n are relatively prime, then
        $a^{\varphi(n)} \bmod n = 1 = a x \bmod n$
        $x = a^{\varphi(n)-1} \bmod n$
      • Example: inverse of 4 mod 5
        $4^{-1} \bmod 5 = 4^{5-2} \bmod 5 = 64 \bmod 5 = 4$
        $4 \cdot 4 \bmod 5 = 16 \bmod 5 = 1$
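Slides 39 to 44 give three routes to a modular inverse: the Euclidean algorithm, Fermat's theorem and Euler's theorem. The added example below (not part of the original lecture; function names are illustrative) implements all three and checks them against the slides' values, $4^{-1} \bmod 5 = 4$ and $5^{-1} \bmod 96 = 77$. The extended form of Euclid's algorithm used for the inverse goes one step beyond slide 39, which only computes the gcd.

```python
# Added illustration (not from the lecture): gcd and modular inverses three ways.

def gcd_steps(a, b):
    """Slide 39: rewrite a = m*b + r and continue with (b, r) until r == 0."""
    steps = []
    while b:
        m, r = divmod(a, b)
        steps.append((a, m, b, r))       # records a = m*b + r
        a, b = b, r
    return a, steps

def inverse_euclid(a, n):
    """Extended Euclid: keep x with a*x = r (mod n) for every remainder r."""
    r0, r1, x0, x1 = n, a % n, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        x0, x1 = x1, x0 - q * x1
    if r0 != 1:
        raise ValueError("no inverse: a and n are not relatively prime")
    return x0 % n

def phi(n):
    """Euler's totient by direct count; only sensible for small n."""
    return sum(1 for k in range(1, n + 1) if gcd_steps(n, k)[0] == 1)

def inverse_fermat(a, p):
    """Slide 44, p prime: x = a^(p-2) mod p."""
    return pow(a, p - 2, p)

def inverse_euler(a, n):
    """Slide 44, gcd(a, n) = 1: x = a^(phi(n)-1) mod n."""
    return pow(a, phi(n) - 1, n)

if __name__ == "__main__":
    for a, m, b, r in gcd_steps(119, 96)[1]:
        print(f"{a} = {m}*{b} + {r}")
    print("4^-1 mod 5 :", inverse_euclid(4, 5), inverse_fermat(4, 5), inverse_euler(4, 5))
    print("5^-1 mod 96:", inverse_euclid(5, 96), inverse_euler(5, 96))
```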
