240 likes | 366 Views
CMSC 414 Computer and Network Security Lecture 6. Jonathan Katz. Diffie-Hellman key exchange. Before describing the protocol, a brief detour through number theory… Modular arithmetic, Z p , Z p * Generators: e.g., 3 is a generator of Z 17 * , but 2 is not The discrete logarithm assumption.
E N D
CMSC 414Computer and Network SecurityLecture 6 Jonathan Katz
Diffie-Hellman key exchange • Before describing the protocol, a brief detour through number theory… • Modular arithmetic, Zp, Zp* • Generators: e.g., 3 is a generator of Z17*, but 2 is not • The discrete logarithm assumption
prime p, element g Zp* hA = gx mod p hB = gy mod p The Diffie-Hellman protocol KAB = (hB)x KBA = (hA)y
Security? • Consider security against a passive eavesdropper • We will cover stronger notions of security for key exchange in more detail later in the semester • Under the computational Diffie-Hellman (CDH) assumption, hard for eavesdropper to compute KAB = KBA • Not sufficient for security! • Can hash the key before using • Under the decisional Diffie-Hellman (DDH) assumption, the key KAB looks random to an eavesdropper
Technical notes • p and g must be chosen so that the CDH/DDH assumptions hold • Need to be chosen with care – in particular, g should be chosen as a generator of a subgroup of Zp* • Details in CMSC456 • Can use other groups • Elliptic curves are also popular • Modular exponentiation can be done quickly (in particular, in polynomial time) • But the naïve algorithm does not work!
Security against active attacks? • The basic Diffie-Hellman protocol we have shown is not secure against a ‘man-in-the-middle’ attack • In fact, impossible to achieve security against such an attacker unless some information is shared in advance • E.g., private-key setting • Or public-key setting (next)
The public-key setting • A party (Alice) generates a public key along with a matching secret key (aka private key) • The public key is widely distributed, and is assumed to be known to anyone (Bob) who wants to communicate with Alice • We will discuss later how this can be ensured • Alice’s public key is also known to the attacker! • Alice’s secret key remains secret • Bob may or may not have a public key of his own
pk c = Encpk(m) pk c = Encpk(m) The public-key setting
Private- vs. public-key I • Disadvantages of private-key cryptography • Need to securely share keys • What if this is not possible? • Need to know in advance the parties with whom you will communicate • Can be difficult to distribute/manage keys in a large organization • O(n2) keys needed for person-to-person communication in an n-party network • All these keys need to be stored securely • Inapplicable in open systems (think: e-commerce)
Private- vs. public-key II • Why study private-key at all? • Private-key is orders of magnitude more efficient • Private-key still has domains of applicability • Military settings, disk encryption, … • Public-key crypto is “harder” to get right • Need stronger assumptions, easier to attack • Can combine private-key primitives with public-key techniques to get the best of both (for encryption) • Still need to understand the private-key setting! • Can distribute keys using trusted entities (KDCs)
Private- vs. public-key III • Public-key cryptography is not a cure-all • Still requires secure distribution of public keys • May (sometimes) be just as hard as sharing a key • Technically speaking, requires only an authenticated channel instead of an authenticated + private channel • Not clear with whom you are communicating (unless the sender has a public key) • Can be too inefficient for certain applications
Functional definition • Key generation algorithm: randomized algorithm that outputs (pk, sk) • Encryption algorithm: • Takes a public key and a message (plaintext), and outputs a ciphertext; c Epk(m) • Decryption algorithm: • Takes a private key and a ciphertext, and outputs a message (or perhaps an error); m = Dsk(c) • Correctness: for all (pk, sk), Dsk(Epk(m)) = m
Security? • Just as in the case of private-key encryption, but the attacker gets to see the public key pk • That is: • For all m0, m1, no adversary running in time T, given pk and an encryption of m0 or m1, can determine the encrypted message with probability better than 1/2 + • Public-key encryption must be randomized (even to achieve security against ciphertext-only attacks) • In the public-key setting, security against ciphertext-only attacks implies security against chosen-plaintext attacks
p, g, hA = gx p, g hA = gx mod p c = (KBA. m) mod p hB = gy mod p hB, c El Gamal encryption • We have already (essentially) seen one encryption scheme: Receiver Sender KAB = (hB)x KBA = (hA)y
Security • If the DDH assumption holds, the El Gamal encryption scheme is secure against chosen-plaintext attacks
RSA background • N=pq, p and q distinct, odd primes • (N) = (p-1)(q-1) • Easy to compute (N) given the factorization of N • Hard to compute (N) without the factorization of N • Fact: for all x ZN*, it holds that x(N) = 1 mod N • Proof: take CMSC 456! • If ed=1 mod (N), then for all x it holds that (xe)d = x mod NI.e., this is a way to compute eth roots
We have an asymmetry! • Given d (which can be computed from e and the factorization of N), possible to compute eth roots • Without the factorization of N, no apparent way to compute eth roots
Hardness of computing eth roots? • The RSA problem: • Given N, e, and c, compute c1/e mod N • If factoring is easy, then the RSA problem is easy • We know of no other way to solve the RSA problem besides factoring N • But we do not know how to prove that the RSA problem is as hard as factoring • The upshot: we believe factoring is hard, and we believe the RSA problem is hard
We have an asymmetry! • Given d (which can be computed from e and the factorization of N), possible to compute eth roots • Without the factorization of N, no apparent way to compute eth roots • Let’s use this to encrypt…
RSA key generation • Generate random p, q of sufficient length • Compute N=pq and (N) = (p-1)(q-1) • Compute e and d such that ed = 1 mod (N) • e must be relatively prime to (N) • Typical choice: e = 3; other choices possible • Public key = (N, e); private key = (N, d)
“Textbook RSA” encryption • Public key (N, e); private key (N, d) • To encrypt a message m ZN*, compute c = me mod N • To decrypt a ciphertext c, compute m = cd mod N • Correctness clearly holds… • …what about security?