Slides for lecture 7
Download
Report
Transcript Slides for lecture 7
CMSC 414
Computer and Network Security
Lecture 7
Jonathan Katz
Public-key cryptography
The public-key setting
A party (Alice) generates a public key along with
a matching secret key (aka private key)
The public key is widely distributed, and is
assumed to be known to anyone (Bob) who wants
to communicate with Alice
– We will discuss later how this can be ensured
Alice’s public key is also known to the attacker!
Alice’s secret key remains secret
Bob may or may not have a public key of his own
The public-key setting
pk
c = Encpk(m)
pk
c = Encpk(m)
Private- vs. public-key I
Disadvantages of private-key cryptography
– Need to securely share keys
• What if this is not possible?
• Difficult to distribute/manage keys in a large organization
• Private-key crypto requires private+authenticated channel to
share keys; public-key crypto requires authenticated channel
– Consider communication in an n-party network: each
party must store n-1 secret keys
– Inapplicable in open systems (i.e., e-commerce)
• Need to know in advance the parties with whom you will
communicate
• Not suited for “many-to-one” communication
Private- vs. public-key II
Why study private-key setting at all?
– Private-key is orders of magnitude more efficient
– Private-key still has domains of applicability
• Military settings, disk encryption, …
• Bidirectional, “one-to-one” authenticated communication
– Public-key crypto is “harder” to get right
• Need stronger assumptions, easier to attack
– Can combine private-key primitives with public-key
techniques to get the best of both (for encryption)
• So still need to understand the private-key setting!
– Can distribute keys using trusted entities (KDCs)
Private- vs. public-key III
Public-key cryptography is not a cure-all
– Still requires authenticated distribution of public keys
• May (sometimes) be just as hard as sharing a key
• Technically speaking, requires only an authenticated channel
instead of an authenticated + private channel
– Not clear with whom you are communicating (unless
the sender has a public key)
– Can be too inefficient for certain applications
Cryptographic primitives
Private-key setting
Public-key setting
Confidentiality
Private-key
encryption
Public-key
encryption
Integrity
Message
authentication codes
Digital signature
schemes
Public-key encryption
Key-generation algorithm: randomized algorithm
that outputs (pk, sk)
Encryption algorithm:
– Takes a public key and a message (plaintext), and
outputs a ciphertext; c Epk(m)
Decryption algorithm:
– Takes a private key and a ciphertext, and outputs a
message (or perhaps an error); m = Dsk(c)
Correctness: for all (pk, sk), Dsk(Epk(m)) = m
Security?
Just as in the case of private-key encryption, but
the attacker gets to see the public key pk
– For all m0, m1, no adversary running in time T, given pk
and an encryption of m0 or m1, can determine the
encrypted message with probability better than 1/2 +
Public-key encryption must be randomized (even
to achieve security against ciphertext-only attacks)
In the public-key setting, security against
ciphertext-only attacks implies security against
chosen-plaintext attacks
– And security for encryption of multiple messages
El Gamal encryption
We have already (essentially) seen one encryption
scheme:
Receiver
p, g
Sender
p, g, hA = gx
hA = g.x mod p
c = (KBA m) mod p
hB, c
hB = gy mod p
KAB = (hB)x
KBA = (hA)y
El Gamal encryption
(Some aspects of the actual scheme are simplified)
Key generation
– Choose a large prime p, and an element g Zp*
– Choose random x {0, …, p-2}, set h=gx
– The public key is (p, g, h), and the private key is x
Encryption
– View the message m as an element of Zp*
– Choose random r {0, …, p-2}
– The ciphertext is (gr, hr m)
To decrypt ciphertext (c1, c2) output c2/c1x
Security?
Security of El Gamal encryption is equivalent to
the decisional Diffie-Hellman assumption
Best known algorithm for decisional Diffie-
Hellman in Zp* runs in time ≈ exp(log p1/3)
– So if p is a 1024-bit prime, best current attack on El
Gamal encryption requires time ≈ 260
In other groups, the Diffie-Hellman problem is
currently ‘harder’
– E.g., for elliptic curve groups, best current algorithms
require time exp(log |G|/2)
– Can use ~120-bit group elements to get 260 security
RSA background
N=pq, p and q distinct, odd primes
(N) = (p-1)(q-1)
– Easy to compute (N) given the factorization of N
– Hard to compute (N) without the factorization of N
Fact: for all x ZN*, it holds that x(N) = 1 mod N
– Proof: take CMSC 456!
If ed=1 mod (N), then for all x it holds that
(xe)d = x mod N
I.e., given d, we can compute eth roots
We have an asymmetry!
Let e be relatively prime to (N)
– Needed so that ed=1 mod (N) has a solution
Given e and the factors of N, can compute d and
hence compute eth roots
Without the factorization of N, no apparent way to
compute eth roots
Let’s use this to encrypt…
Hardness of computing eth roots?
The RSA problem:
– Given N, e, and c, compute c1/e mod N
If factoring is easy, then the RSA problem is easy
We know of no other way to solve the RSA
problem besides factoring N
– But we do not know how to prove that the RSA
problem is as hard as factoring
The upshot: we believe factoring is hard, and we
believe the RSA problem is hard
How hard is factoring?
Best current algorithms for factoring N=pq a
product of two equal-length primes, run in time
≈ exp(log N1/3)
So need |N| ≈ 1024 for reasonable security
Currently |N| ≈ 2048 recommended for good
security margins
RSA key generation
Generate random primes p, q of sufficient length
Compute N=pq and (N) = (p-1)(q-1)
Compute e and d such that ed = 1 mod (N)
– e must be relatively prime to (N)
– Typical choice: e = 3; other choices possible
Public key = (N, e); private key = (N, d)
“Textbook RSA” encryption
Public key (N, e); private key (N, d)
To encrypt a message m ZN*, compute
c = me mod N
To decrypt a ciphertext c, compute m = cd mod N
Correctness clearly holds…
…what about security?
Textbook RSA is insecure!
It is deterministic!
Furthermore, it can be shown that the ciphertext
leaks specific information about the plaintext
Padded RSA
Introduce randomization…
Public key (N, e); private key (N, d)
– Say |N| = 1024 bits
To encrypt m {0,1}895,
– Choose random r {0,1}128
– Compute c = (r | m)e mod N
Decryption done in the natural way…
Essentially this is standardized as PKCS #1 v1.5
(since superseded)