Public Key Cryptography: Diffie-Hellman, Discrete Log, RSA
CSCI283 Fall 2005 GWU
• Diffie-Hellman Key Exchange, Discrete Log Problem
• Public Key Crypto
• RSA

Diffie-Hellman Key Exchange
• Protocol for exchanging a secret key over a public channel.
• Select global parameters: a prime p, an integer n, and a public element of order n in Zp*. These parameters are public and known to all.
CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set
Diffie-Hellman Key Exchange contd.
• Alice privately selects a random b and sends Bob the public element raised to the power b, mod p.
• Bob privately selects a random c and sends Alice the public element raised to the power c, mod p.
• Alice and Bob privately compute the public element raised to the power bc, mod p, which is their shared secret.
• An observer Oscar can compute this value if he knows either c or b, or can solve the discrete log problem.
• This is a key agreement protocol.

Diffie-Hellman is based on the hardness of the Discrete Log problem:
• Given a multiplicative group G, an element of G of order n, and an element of the subgroup it generates,
• find the unique integer x with 0 ≤ x ≤ n-1 such that the second element equals the first raised to the power x. This x is the discrete log of the second element to the base of the first.
• Not known to be doable in polynomial time; exponentiation, however, is.

An attack
Diffie-Hellman key exchange is susceptible to a man-in-the-middle attack.
• Mallory captures the values derived from b and c in transmission and replaces them with values derived from her own b’ and c’.
• Essentially runs two Diffie-Hellman exchanges: one with Alice and one with Bob.
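The three slides above (the exchange, the discrete log problem, and the man-in-the-middle attack) as one added Python example; this is not code from the slides or from Bishop's set. The slides' public element of order n in Zp* carries no letter in this text, so it is called g here; p = 23, g = 5 (order 22) and all secrets are constructed toy values.

```python
# Added example (not from the slides): textbook Diffie-Hellman over Zp*,
# a brute-force discrete log, and the unauthenticated man-in-the-middle
# the "An attack" slide describes. All parameters are toy-sized values
# constructed for illustration; "g" stands in for the slides' public element.

def dh_public(p, g, secret):
    """What a party sends over the public channel: g^secret mod p."""
    return pow(g, secret, p)

def dh_shared(p, received, secret):
    """Shared secret from the other side's public value: received^secret mod p."""
    return pow(received, secret, p)

def discrete_log(p, g, n, y):
    """Brute-force log_g(y) in Zp*: the unique x, 0 <= x <= n-1, with g^x = y mod p,
    where n is the order of g. Exponential work, while pow() above is polynomial."""
    for x in range(n):
        if pow(g, x, p) == y:
            return x
    raise ValueError("y is not in the subgroup generated by g")

def honest_exchange(p, g, b, c):
    """Alice (secret b) and Bob (secret c) run the protocol; returns (Alice's key, Bob's key)."""
    from_alice = dh_public(p, g, b)   # sent to Bob
    from_bob = dh_public(p, g, c)     # sent to Alice
    return dh_shared(p, from_bob, b), dh_shared(p, from_alice, c)

def mitm_exchange(p, g, b, c, b_prime, c_prime):
    """Mallory replaces Alice's value with g^b' and Bob's with g^c', which
    amounts to two separate exchanges. Returns what each party ends up with."""
    from_alice = dh_public(p, g, b)
    from_bob = dh_public(p, g, c)
    # Mallory substitutes her own values on the wire
    to_bob = dh_public(p, g, b_prime)
    to_alice = dh_public(p, g, c_prime)
    return {
        "alice": dh_shared(p, to_alice, b),               # Alice's "shared" key
        "bob": dh_shared(p, to_bob, c),                   # Bob's "shared" key
        "mallory_alice": dh_shared(p, from_alice, c_prime),
        "mallory_bob": dh_shared(p, from_bob, b_prime),
    }

if __name__ == "__main__":
    P, G, N = 23, 5, 22  # constructed toy parameters: 5 has order 22 in Z23*
    print("honest:", honest_exchange(P, G, 6, 15))
    print("log_5(8) mod 23 =", discrete_log(P, G, N, 8))
    print("mitm:", mitm_exchange(P, G, 6, 15, 3, 10))
```

In the honest run both sides derive the same key; in the intercepted run Alice and Bob hold different keys, each of which Mallory also knows, which is why the slides later attach authentication to public-key operations.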
Diffie and Hellman propose Public Key Cryptography
• Computationally easy to encrypt/decrypt given the key
• Computationally infeasible to derive the private key from the public key
• Computationally infeasible to determine the private key from a chosen-plaintext attack
• Look at DH key exchange as PKC

How does Alice send Bob the decryption key in private key crypto?
• If Alice wants it such that anyone can decrypt her messages, but knows that they came from her:
• Suppose she could make the decryption key available in a public place
• This would require that the decryption key give no information about the encryption key; in particular it should not be equal to it

How does Alice send Bob the decryption key in private key crypto? contd.
• If she wants it so that only Bob can read her messages, and Bob is ok with anyone sending him messages in this way:
• Suppose Bob makes his encryption key available publicly
• No one should be able to compute the decryption key from the encryption key
• This is the dual of the previous case

Public Key Cryptography
• Two injective functions f and g such that fg = I, i.e. messages encrypted with one can be decrypted with the other; the functions include an association with a key
• f cannot be used to find g and vice versa
• One is made public, the other kept private
• Encryption with the public function provides confidential transmission; decryption with the public function provides authentication

Background
• Totient function φ(n)
• Number of positive integers less than n and relatively prime to n
• Relatively prime means having no factors in common with n
• Example: φ(10) = 4
• 1, 3, 7, 9 are relatively prime to 10
• Example: φ(21) = 12
• 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 are relatively prime to 21
RSA
Cocks (’73), Rivest, Shamir, Adleman (’76)
• n = pq, p and q (large) primes
• P = C = Zn
• K = {(n, p, q, a, b) : ab ≡ 1 mod φ(n)}
• Public key: (n, a); Private key: (b)
• fK(m) = m^a mod n
• gK(m) = m^b mod n
• fK and gK are inverses (we won’t show this; it is not straightforward)

RSA: Key generation
• Find p and q (two large random primes)
• n = pq
• φ(n) = (p-1)(q-1)
• Choose a random a invertible mod φ(n) s.t. 1 < a < φ(n), i.e. a s.t. gcd(a, φ(n)) = 1
• Use the Euclidean algorithm to find a^-1 mod φ(n)
• Without p and q one cannot determine φ(n)
• One key: (n, a); other key: (n, b)

Example
• Take p = 7, q = 11, so n = 77 and φ(n) = 60
• Alice chooses e = 17, making d = 53
• Bob wants to send Alice the secret message HELLO (07 04 11 11 14)
• 07^17 mod 77 = 28
• 04^17 mod 77 = 16
• 11^17 mod 77 = 44
• 11^17 mod 77 = 44
• 14^17 mod 77 = 42
• Bob sends 28 16 44 44 42

Example
• Alice receives 28 16 44 44 42
• Alice uses her private key, d = 53, to decrypt the message:
• 28^53 mod 77 = 07
• 16^53 mod 77 = 04
• 44^53 mod 77 = 11
• 44^53 mod 77 = 11
• 42^53 mod 77 = 14
• Alice translates the message to letters to read HELLO
• No one else could read it, as only Alice knows her private key and that is needed for decryption
• The letters could not have been changed in transit, as no one else has Bob’s private key
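The key-generation slide and the HELLO example carried through in Python as an added example (not code from the slides or from Bishop's set). It uses the extended Euclidean algorithm for the inverse, as the slide says, cross-checks φ(n) = (p-1)(q-1) against the counting definition from the Background slide, and reproduces the slides' numbers: p = 7, q = 11, e = 17, d = 53, letters numbered A = 0 ... Z = 25.

```python
# Added example (not from the slides): RSA key generation with the extended
# Euclidean algorithm, a brute-force totient for cross-checking, and the
# slides' one-letter-per-block HELLO example (p = 7, q = 11, e = 17, d = 53).
from math import gcd

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(a, m):
    """a^-1 mod m; ValueError if gcd(a, m) != 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("not invertible")
    return x % m

def totient_brute(n):
    """Euler's totient by counting 1 <= k < n with gcd(k, n) = 1 (Background slide)."""
    return sum(1 for k in range(1, n) if gcd(k, n) == 1)

def rsa_keygen(p, q, a):
    """From primes p, q and a public exponent a coprime to phi(n),
    return ((n, a), (n, b)) with a*b = 1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(a, phi) != 1:
        raise ValueError("a must be invertible mod phi(n)")
    return (n, a), (n, modinv(a, phi))

def rsa_apply(key, m):
    """f_K or g_K from the RSA slide: m^exp mod n."""
    n, exp = key
    return pow(m, exp, n)

def letters_to_numbers(text):
    return [ord(ch) - ord("A") for ch in text]       # A = 0 ... Z = 25

def numbers_to_letters(nums):
    return "".join(chr(num + ord("A")) for num in nums)

def encrypt_per_letter(pub, text):
    return [rsa_apply(pub, m) for m in letters_to_numbers(text)]

def decrypt_per_letter(priv, blocks):
    return numbers_to_letters(rsa_apply(priv, c) for c in blocks)

if __name__ == "__main__":
    pub, priv = rsa_keygen(7, 11, 17)
    print(pub, priv)                                   # (77, 17) (77, 53)
    ct = encrypt_per_letter(pub, "HELLO")
    print(ct, decrypt_per_letter(priv, ct))            # [28, 16, 44, 44, 42] HELLO
```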
Warnings
Encipher messages in blocks considerably larger than the examples here.
• If 1 character per block, RSA can be broken using statistical attacks (just like classical cryptosystems)
• An attacker cannot alter letters, but can rearrange them and alter the message's meaning. Example: reverse the enciphered message of the text ON to get NO

Encryption of blocks of symbols
• Block ABCD…, each symbol in base N (e.g. N = 2, 16)
• Convert a block of a few symbols to an integer mod n
• RSA encrypt
• Convert back to base N
• Example.
• Problem if short strings are encrypted with RSA, hence pad short strings with random characters.
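The two slides above, as an added Python example (not from the slides): several base-N symbols are packed into one integer below n before RSA and unpacked afterwards, and with the slides' n = 77 key (one letter per block) a reordered ciphertext for ON decrypts to NO. The larger key (n = 3233, e = 17, d = 2753 from p = 61, q = 53) and the 'X' filler are constructed for illustration; the slide calls for random padding characters.

```python
# Added example (not from the slides): base-N block packing before RSA and the
# "Warnings" slide's rearrangement of one-letter-per-block ciphertext.
PUB, PRIV = (3233, 17), (3233, 2753)               # constructed key, two letters per block
SLIDE_PUB, SLIDE_PRIV = (77, 17), (77, 53)         # the slides' key, one letter per block

def symbols_per_block(n, base):
    """Largest k with base^k <= n, so every k-symbol block is an integer < n."""
    k = 0
    while base ** (k + 1) <= n:
        k += 1
    return k

def block_to_int(symbols, base):
    value = 0
    for s in symbols:
        value = value * base + s
    return value

def int_to_block(value, base, k):
    out = []
    for _ in range(k):
        out.append(value % base)
        value //= base
    return out[::-1]

def letters_to_numbers(text):                      # A = 0 ... Z = 25, as on the slides
    return [ord(ch) - ord("A") for ch in text]

def numbers_to_letters(nums):
    return "".join(chr(v + ord("A")) for v in nums)

def encrypt_blocks(pub, text, base=26, filler="X"):
    n, e = pub
    k = symbols_per_block(n, base)
    if len(text) % k:
        text += filler * (k - len(text) % k)      # slide: pad short strings (with random chars)
    nums = letters_to_numbers(text)
    return [pow(block_to_int(nums[i:i + k], base), e, n)
            for i in range(0, len(nums), k)]

def decrypt_blocks(priv, cts, base=26):
    n, d = priv
    k = symbols_per_block(n, base)
    nums = []
    for c in cts:
        nums.extend(int_to_block(pow(c, d, n), base, k))
    return numbers_to_letters(nums)

if __name__ == "__main__":
    ct = encrypt_blocks(PUB, "HELLO")
    print(ct, decrypt_blocks(PRIV, ct))             # HELLOX, two letters per block
    on = encrypt_blocks(SLIDE_PUB, "ON")            # n = 77: one letter per block
    print(decrypt_blocks(SLIDE_PRIV, on[::-1]))     # reordered ciphertext reads NO
```

Reordering is undetectable to the receiver here because nothing ties a block to its position; the integrity material later in the deck is what closes that gap.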
Security of RSA
Is it based on the hardness of factoring n?
• It is not known if:
  • factoring a product of two primes into its prime components is solvable in polynomial time, or NP-complete
  • there are other trapdoors to RSA, i.e. other ways of breaking it in general
• Factoring is an easy problem in the quantum computing model.

Security Services
• Confidentiality
  • Only the owner of the private key knows it, so text enciphered with the public key cannot be read by anyone except the owner of the private key
• Authentication
  • Only the owner of the private key knows it, so text enciphered with the private key must have been generated by the owner

More Security Services
• Integrity
  • Enciphered letters cannot be changed undetectably without knowing the private key
• Non-Repudiation
  • A message enciphered with the private key came from someone who knew it

The problems crypto addresses
• Confidentiality/secrecy/privacy
  • How to keep a message secret so it can be read only by a chosen person
  • Use encryption
• Integrity
  • How to determine that a string of symbols has not been changed since it was created
  • ?

Integrity
• Alice sends message x to Bob. She fears Oscar will manipulate it along the way, and Bob will get an incorrect message.
• She could encrypt it using a key Oscar does not have, but is that overkill when she does not need to prevent Oscar from reading it?
• But maybe she could tell Bob something else about the message so he would know if something was terribly wrong: parity, last bit, a particular bit, etc.
In general, she could use a hash function h: X → Y, y = h(x), with |X| > |Y|, i.e. there exist x, x’ s.t. x ≠ x’ and h(x) = h(x’)
• Used in storage tables
• E.g.: h(x) = last bit, parity, smallest prime factor

Checksums/hashes
• Mathematical function to generate a set of k bits from a set of n bits (where k ≤ n).
• k is smaller than n except in unusual circumstances
• Example: ASCII parity bit
  • ASCII has 7 bits; the 8th bit is “parity”
  • Even parity: even number of 1 bits
  • Odd parity: odd number of 1 bits

Example Use
• Bob receives “10111101” as bits.
• Sender is using even parity: six 1 bits, so the character was received correctly
  • Note: it could still be garbled, but 2 bits would need to have been changed to preserve parity
• Sender is using odd parity: even number of 1 bits, so the character was not received correctly

h(x) sent with x
• Both Bob and Alice can create h(x) given x
• Alice sends (x, h(x))
• Bob receives (x’, y’) and checks if y’ = h(x’).
• If so, he assumes x’ is what Alice sent

In either case, what can the attacker do?
• If he can compute h(x), he can:
  • try to find x’ s.t. h(x) = h(x’).
• If he knows h, and can influence Alice, he can
  • try to get her to send an x that she likes such that h(x) = h(x’) for an x’ he likes.
• If he doesn’t, he hopes for the best.

Hence require an h “secure” in the following ways:
• Secure w.r.t. second preimage requires that the following problem is “difficult”:
  • Given x in X, find x’ in X s.t. x’ ≠ x but h(x’) = h(x)
• Secure w.r.t. collision requires that the following problem is “difficult”:
  • Find x, x’ in X s.t. x’ ≠ x but h(x’) = h(x)
• The above should be true even if h(x1), h(x2), … h(xn) are known
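The parity check from the “Example Use” slide, the send-(x, h(x))-and-verify step, and the second-preimage property from the last slide, together as an added Python example (not from the slides). Parity is a hash in the slides' general sense (|X| > |Y|) but fails the second-preimage requirement in the most direct way: flipping any two bits gives another input with the same value, which is the undetected two-bit change the “Example Use” slide notes. The bit strings are constructed.

```python
# Added example (not from the slides): ASCII parity as a toy hash, the
# receiver's h(x) check, and why parity is not "secure w.r.t. second preimage".

def ones(bits):
    return bits.count("1")

def parity_ok(bits, even=True):
    """Receiver-side check: does the 8-bit string have the expected parity?"""
    return (ones(bits) % 2 == 0) == even

def h_parity(bits):
    """A hash in the slides' sense: maps 8-bit strings to 1 bit, so |X| > |Y|."""
    return ones(bits) % 2

def flip(bits, *positions):
    """Return a copy of bits with the given positions flipped (a transmission error)."""
    b = list(bits)
    for i in positions:
        b[i] = "0" if b[i] == "1" else "1"
    return "".join(b)

def send(x, h):
    """Alice sends (x, h(x))."""
    return x, h(x)

def receive(pair, h):
    """Bob receives (x', y') and accepts only if y' = h(x')."""
    x_recv, y_recv = pair
    return y_recv == h(x_recv)

def second_preimage_parity(x):
    """Given x, an x' != x with h_parity(x') == h_parity(x): flip two bits.
    That this is trivial is exactly why parity is not a cryptographic checksum."""
    x2 = flip(x, 0, 1)
    assert x2 != x and h_parity(x2) == h_parity(x)
    return x2

if __name__ == "__main__":
    received = "10111101"                       # the slide's received byte
    print(parity_ok(received, even=True), parity_ok(received, even=False))   # True False
    x, y = send(received, h_parity)
    print(receive((x, y), h_parity))                      # True: intact
    print(receive((flip(x, 2), y), h_parity))             # False: one bit changed, detected
    print(receive((flip(x, 2, 3), y), h_parity))          # True: two bits changed, missed
    print(second_preimage_parity(received))
```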
In general, h is a secure hash, or a one-way function
• Easy to compute in one direction, hard in the other.
• Can we recall one such function?

Definition
Cryptographic checksum h: A → B:
• For any x in A, h(x) is easy to compute
• For any y in B, it is computationally infeasible to find x in A such that h(x) = y
• It is computationally infeasible to find two inputs x, x’ in A such that x ≠ x’ and h(x) = h(x’)

Keys
• Keyed cryptographic checksum: requires a cryptographic key
  • DES in chaining mode: encipher the message, use the last n bits. Requires a key to encipher, so it is a keyed cryptographic checksum.
• Keyless cryptographic checksum: requires no cryptographic key
  • MD5 and SHA-1 are best known; others include MD4, HAVAL, and Snefru

HMAC
• Keyed cryptographic checksums from keyless ones
• h: keyless cryptographic checksum function that takes data in blocks of b bytes and outputs blocks of l bytes. k is a cryptographic key of length b bytes
  • If short, pad with 0 bytes; if long, hash to length b
• ipad is 00110110 repeated b times; opad is 01011100 repeated b times
HMAC-h(k, m) = h((k XOR opad) || h((k XOR ipad) || m))
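The HMAC construction from the slide, built by hand from a keyless hash and checked against Python's hmac module, as an added example (not from the slides). h = SHA-256 is assumed (b = 64 bytes, l = 32 bytes); the key and message are constructed. A key longer than b is hashed first and the l-byte result is then zero-padded to b, which is the standard reading of the slide's "hash to length b".

```python
# Added example (not from the slides): HMAC-h(k, m) = h((k XOR opad) || h((k XOR ipad) || m))
# assembled from a keyless hash, then compared with the standard library.
import hashlib
import hmac

IPAD_BYTE = 0x36   # 00110110
OPAD_BYTE = 0x5C   # 01011100

def hmac_from_hash(key, msg, hash_name="sha256"):
    h = lambda data: hashlib.new(hash_name, data).digest()
    b = hashlib.new(hash_name).block_size       # 64 bytes for SHA-256
    if len(key) > b:
        key = h(key)                            # long key: hash it to l bytes ...
    key = key.ljust(b, b"\x00")                 # ... then (and for short keys) pad with 0 bytes to b
    ipad = bytes([IPAD_BYTE]) * b
    opad = bytes([OPAD_BYTE]) * b
    k_ipad = bytes(x ^ y for x, y in zip(key, ipad))
    k_opad = bytes(x ^ y for x, y in zip(key, opad))
    return h(k_opad + h(k_ipad + msg))          # inner hash, then outer hash

def matches_stdlib(key, msg, hash_name="sha256"):
    """True if the hand-built HMAC equals hmac.new(...) (constant-time compare)."""
    return hmac.compare_digest(hmac_from_hash(key, msg, hash_name),
                               hmac.new(key, msg, hash_name).digest())

if __name__ == "__main__":
    key, msg = b"constructed-demo-key", b"constructed message"
    print(hmac_from_hash(key, msg).hex())
    print(matches_stdlib(key, msg), matches_stdlib(b"k" * 100, msg))   # short and long key
```

Note that only a holder of k can produce or check the tag; changing a single byte of the message or the key yields an unrelated tag, which is what turns the keyless checksum into a keyed one.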
For non-repudiation
A digital signature authenticates both the origin and the contents of a message in a manner that is provable to a disinterested third party.
Encrypt message digest (computed using a secure hash) with public key
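A digital signature in the form the Security Services slides describe (the digest enciphered with the signer's private key, checked by anyone holding the public key), as an added Python example that is not from the slides. The RSA key is constructed from the Mersenne primes 2^31-1 and 2^61-1 with e = 65537; because this toy n is smaller than a SHA-256 digest, the digest is reduced mod n, which a real scheme would never do.

```python
# Added example (not from the slides): sign = digest^d mod n, verify = sig^e mod n == digest.
# Key is a constructed toy; reducing the digest mod n is a demo shortcut only.
import hashlib

P, Q = 2**31 - 1, 2**61 - 1               # constructed primes
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent (Python 3.8+ modular inverse)
PUBLIC, PRIVATE = (N, E), (N, D)

def digest_int(msg):
    """Secure hash of the message as an integer mod n (toy reduction, see note)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(msg, priv):
    """Encipher the digest with the private key."""
    n, d = priv
    return pow(digest_int(msg), d, n)

def verify(msg, sig, pub):
    """Anyone with the public key recovers the digest and compares it to the message."""
    n, e = pub
    return pow(sig, e, n) == digest_int(msg)

if __name__ == "__main__":
    m = b"constructed message: agreed on Tuesday"
    s = sign(m, PRIVATE)
    print(verify(m, s, PUBLIC))                                   # True
    print(verify(b"constructed message: agreed on Monday", s, PUBLIC))  # False: contents changed
```

A third party given (m, s) and the public key can repeat the check, which is what makes the origin provable rather than merely believed by the recipient.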