Public-Key Cryptography - Dr. Ron Rymon


Public-Key Cryptography
Dr. Ron Rymon
Efi Arazi School of Computer Science
IDC, Herzliya. 2010/11
Pre-Requisites: Conventional Cryptography
Overview
 Public Key Cryptography
– Crossword puzzles
– Diffie-Hellman
– RSA
– Elliptic Curves
 Digital Signatures
 Key Management for Public-Key Cryptography
Public-Key Cryptography
Main sources: Network Security Essential / Stallings
Applied Cryptography / Schneier
Motivation
 Until early 70s, cryptography was mostly owned by
government and military
– Key distribution is more manageable and better funded
 Symmetric cryptography not ideal for commercialization
– Enormous key distribution problem; most parties may never meet
physically
– Must ensure authentication, to avoid impersonation, fabrication
 Few researchers (Diffie, Hellman, Merkle), in addition to the IBM group, started exploring cryptography because they realized it is critical to the forthcoming digital world
– Privacy
– Effective commercial relations
– Payment
– Voting
Public-Key Cryptography
 Idea: use separate keys to encrypt and decrypt
– First proposed by Diffie and Hellman
– Independently proposed by Merkle (1976)
 Pair of keys for each user
– generated by the user himself
– Public key is advertised
– Private key is kept secret, and is computationally infeasible to
discover from the public key and ciphertexts
– Each key can decrypt messages encrypted using the other key
 Applications:
– Encryption
– Authentication (Digital Signature)
– Key Exchange (to establish Session Key)
Crossword Puzzles
 Ralph Merkle's Key Exchange Algorithm
– Alice generates MANY crossword puzzles and sends them to Bob
– Bob chooses ONE and solves it
– The solution includes an identifier and the key
– Bob communicates the identifier to Alice
– Alice and Bob communicate using the key
– Important observation: Eve would have to solve ALL puzzles to identify the right one and the key.
 A first attempt, cumbersome and not workable, but very revolutionary at the time
 Later, Merkle suggested using NP-hard problems
– Hard to solve, but easy to check (e.g., knapsack).
– Also proven inadequate later...
Diffie-Hellman Key Exchange
 First public-key algorithm, based on the difficulty of computing discrete logarithms modulo n
 Protocol:
– Use the key exchange protocol to establish a session key
– Use the session key to encrypt the actual communication
 Algorithm:
– Choose a large prime n, and a primitive root g
– Alice selects x and sends Bob X = g^x mod n
– Bob selects y and sends Alice Y = g^y mod n
– Alice computes K = Y^x mod n; Bob computes K = X^y mod n
– Both now hold the same key K = g^xy mod n
Diffie-Hellman Protocol
 DH does not offer authentication
 Trudy can use a man-in-the-middle attack
– Impersonating Alice to Bob and vice versa
– Using his own key (or different keys) with each
 Solution: establish a public directory
– Each person publishes (g, n, g^x) – this is the public key
– Note: g, n may be different from one user to another
 Make sure not to select x = 0 or x = 1 (mod n)
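The exchange on the two slides above, as an added example that is not part of the original lecture: toy parameters n = 23, g = 5 (constructed; real moduli are 2048 bits or more), the degenerate-exponent check the slide asks for, and a brute-force discrete logarithm that only works because n is tiny.

```python
import secrets

# Constructed toy parameters: prime n = 23 with primitive root g = 5 (real n is 2048+ bits).
N, G = 23, 5

def check_public_value(n, value):
    """Reject degenerate public values 0, 1 and n-1, which would force K into {0, 1, n-1}."""
    if not 2 <= value <= n - 2:
        raise ValueError("degenerate Diffie-Hellman public value")

def make_keypair(n, g, secret=None):
    """Pick a secret exponent x (never 0 or 1, as the slide warns) and publish X = g^x mod n."""
    x = secret if secret is not None else secrets.randbelow(n - 3) + 2
    if x < 2:
        raise ValueError("exponent x must not be 0 or 1")
    return x, pow(g, x, n)

def shared_key(n, my_secret, their_public):
    """K = (their public value)^my_secret mod n, after validating what was received."""
    check_public_value(n, their_public)
    return pow(their_public, my_secret, n)

def brute_force_dlog(n, g, target):
    """Recover x from g^x mod n by trying every exponent: only feasible because n is tiny."""
    for x in range(n):
        if pow(g, x, n) == target:
            return x
    return None

def demo():
    """Alice uses x = 6, Bob uses y = 15 (fixed here so the run is reproducible)."""
    x, big_x = make_keypair(N, G, secret=6)    # X = 5^6 mod 23 = 8
    y, big_y = make_keypair(N, G, secret=15)   # Y = 5^15 mod 23 = 19
    return shared_key(N, x, big_y), shared_key(N, y, big_x)   # both sides get K = 2
```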
Two-key Public-Key Encryption
 Sender uses the public key of the receiver to encrypt
 Receiver uses her private key to decrypt
Two-Key Public-key Authentication
 The sender encrypts some message (e.g. a certificate) with
his own private key
 The receiver, by decrypting, verifies key possession
Public-Key Algorithms:
The Requirements
 It is computationally feasible to generate a pair of keys
 It is computationally easy to encrypt using the public key
 It is computationally easy to decrypt using the private key
 It is computationally infeasible to compute the private key
from the public key
 It is computationally infeasible to recover the plaintext
from the public key and ciphertext
 Either of the keys can decrypt a message encrypted using
the other key
RSA
 Developed by Rivest, Shamir, and Adleman (1977)
– Most widely used public key algorithm
– Receives its security from the difficulty of factoring large numbers
– Actually discovered first by UK GCHQ (Ellis and Cocks) in 1973!
 Algorithm:
– Works as a block cipher, where each plaintext/ciphertext block is an integer between 0 and n (for some n ≈ 2^k)
– Each receiver chooses e, d
– The values of e and n are made public; d is kept secret
– Encryption: C = M^e mod n
– Decryption: M = C^d mod n = M^ed mod n
 Requisites:
– Find e, d such that M = M^ed mod n, for all M < n
– Make sure that d cannot be computed from n and e, not even if a ciphertext is available
RSA Keys and Key Generation
 Select primes p and q, n = pq
– φ(n) = (p-1)(q-1); Euler totient of n – the number of integers between 1 and n that are relatively prime to n, i.e., |{m | gcd(m,n) = 1}|
 Select an integer e < φ(n) such that gcd(φ(n), e) = 1
– Guarantees that e^-1 mod φ(n) exists
 Calculate d such that d = e^-1 mod φ(n)
– Use the extended Euclidean (GCD) algorithm
 Now, for every M < n, we have
– M^ed = M^(1 mod φ(n)) = M
 Note:
– The message could have been encrypted with d and decrypted by e
Recall Math Backgrounder
 Fermat's Little Theorem
– For a prime p, ∀a such that 0 < a < p, a^(p-1) = 1 mod p
 Euler's extension
– For any n, ∀a such that 0 < a < n, a^φ(n) mod n = 1 mod n
– For primes p, q, ∀a such that gcd(a,pq) = 1, a^((p-1)(q-1)) = 1 mod pq
– Hence, M^ed mod n = M^(k(p-1)(q-1)+1) mod n = 1·M = M
 To generate primes, use a primality test
– For a non-prime, Fermat's theorem will usually fail on a random a
• Carmichael numbers are a rare exception, and if one is chosen decryption won't work. Can reduce the probability by checking more a's
– Primes are dense enough (almost one of every k k-bit numbers)
 GCD to select e takes O(log n) time
 Calculate d = e^-1 mod φ(n) with the extended Euclidean algorithm: O(log n)
 Exponentiation (Encrypt/Decrypt) takes O(log n) time
 RSA gets its security from the difficulty of factoring n = pq
RSA Example
 Key Generation
– Select p = 7, q = 17, n = pq = 119, φ(119) = 96
– Select e = 5; calculate d = 77 (77·5 = 385 = 1 mod 96)
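The key generation of the previous slides worked through in code, as an added example (not from the lecture): the extended Euclidean algorithm produces d = 77 from the slide's p = 7, q = 17, e = 5, a single-base Fermat check shows the Carmichael exception on 561 (a constructed test value), and the same exponentiation is reused with e and d swapped.

```python
import random

def fermat_passes(n, a):
    """One Fermat round with a fixed base: a^(n-1) = 1 (mod n) holds for every prime n."""
    return pow(a, n - 1, n) == 1

def fermat_is_probable_prime(n, rounds=10, rng=random.Random(7)):
    """Slides' primality test: random bases; composites usually fail, Carmichael numbers may not."""
    if n < 4:
        return n in (2, 3)
    return all(fermat_passes(n, rng.randrange(2, n - 1)) for _ in range(rounds))

def extended_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) = s*a + t*b (extended Euclidean algorithm)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1, t0, t1 = s1, s0 - q * s1, t1, t0 - q * t1
    return a, s0, t0

def rsa_keygen(p, q, e):
    """From primes p, q and public exponent e, return the public key (e, n) and private d."""
    n, phi = p * q, (p - 1) * (q - 1)          # phi(n) = (p-1)(q-1)
    g, s, _ = extended_gcd(e, phi)
    if g != 1:
        raise ValueError("e must be coprime to phi(n) so that e^-1 exists")
    return (e, n), s % phi                     # d = e^-1 mod phi(n)

def rsa_apply(block, exponent, n):
    """C = M^e mod n or M = C^d mod n; the roles of e and d may be swapped (sign/verify)."""
    if not 0 <= block < n:
        raise ValueError("block must be an integer in [0, n)")
    return pow(block, exponent, n)
```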
Attacks on RSA Algorithm
 If one could factor n, which is available, into p and q, then d could be calculated (as the inverse of e), and then the message deciphered
 If one could guess the value of φ(n) = (p-1)(q-1), even without factoring n, then again d could be computed as the inverse of e
Attacks on RSA Protocol
 Chosen ciphertext attack
– Attack: get the sender to sign (decrypt) a chosen message
– Inputs: original (unknown) ciphertext C = M^e
– Construct
• X = R^e mod n, for a random R
• Y = XC mod n
– Ask the sender to sign Y, obtaining U = Y^d mod n
– Compute
• T = R^-1 mod n
• TU mod n = R^-1 Y^d mod n = R^-1 X^d C^d mod n = C^d mod n = M
– Exploits the preservation of multiplication in the group (RSA is multiplicative: (XC)^d = X^d C^d)
 Conclusion:
– never sign a random message
– sign only hashes
– use different keys for encryption and signature
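Why the first two conclusions matter, as an added example (not from the lecture): the blinding attack of the previous slide is run against a signer that applies d to any integer it is given, and then against one that signs only a hash. The key (p = 1019, q = 2039, e = 65537), the plaintext and the blinding factor R are constructed values.

```python
import hashlib

# Constructed toy RSA key: p = 1019, q = 2039 (both prime), e = 65537, d = e^-1 mod phi(n).
P, Q, E = 1019, 2039, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def naive_sign(y, d=D, n=N):
    """Flawed signer: applies the private exponent to whatever integer it is handed."""
    return pow(y, d, n)

def hash_then_sign(message, d=D, n=N):
    """Hardened signer: the private exponent only ever touches H(message), never a chosen integer."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)

def blinding_recovery(c, r, sign_oracle, e=E, n=N):
    """The slide's chosen-ciphertext attack: blind C with R^e, have it 'signed', unblind."""
    x = pow(r, e, n)           # X = R^e mod n
    y = x * c % n              # Y = XC mod n, looks random to the signer
    u = sign_oracle(y)         # U = Y^d mod n = R * C^d mod n by multiplicativity
    t = pow(r, -1, n)          # T = R^-1 mod n
    return t * u % n           # TU mod n = C^d mod n = M, if the oracle signed Y itself

def demo(m=123456, r=10):
    """What the attacker learns against the naive signer and against hash-then-sign."""
    c = pow(m, E, N)                                 # C = M^e mod n, the intercepted ciphertext
    leaked = blinding_recovery(c, r, naive_sign)
    garbage = blinding_recovery(c, r, lambda y: hash_then_sign(y.to_bytes(4, "big")))
    return leaked, garbage
```

With the hashed signer the unblinded value is R^-1·H(Y)^d mod n, which carries no information about M.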
Other precautions when implementing RSA protocol
 Do not use the same n for multiple users
– A third party can sometimes decipher if the same message is encrypted using both encryption (public) keys, without needing the decryption (private) key
 Always pad messages with random numbers, making sure that M is about the same size as n
– If e is small, there is an attack that uses e(e+1)/2 linearly dependent messages, and if messages are small it is easier to find linearly dependent ones
 Do not choose low values for e and d
– For e, see above; there is also an attack on small d's
Elliptic Curves Cryptography
 ECC addresses the cost of exponentiation in DH and RSA
 Use Abelian groups with addition defined on cubic equations
– E.g., y^2 = x^3 + ax + b (for some a, b)
– For R = P + Q, find the third point of intersection on the line that connects P and Q (use the tangent line if P = Q). This is -R, and R is its mirror image.
– O is the point at infinity and is defined as O = P + (-P). As a result it is also the identity, since P + O = P
 Can also be defined over GF(p)
 Consider Q = kP mod p
– Easy to compute Q from k, P
– Difficult to determine k from P, Q (except through brute force)
Elliptic Curves Key Exchange
 Key Generation
– Select/agree on a cubic curve (p, a, b) --- public
– Select a base point G with a high order n --- public
• i.e., the smallest n such that nG = O
– Private key of Alice is an integer KA < n
– Public key of Alice is KA*G
 Key Exchange
– Alice and Bob send their public keys to each other
– Each of them multiplies the result by own private key
– Agreed Key = KA*KB*G
– Like DH but uses point addition instead of exponentiation
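The point addition of the previous slide and the key exchange above, as an added example that is not part of the lecture: the chord/tangent rule over GF(p) with O as identity, double-and-add for kP, and the KA*KB*G agreement. The curve y^2 = x^3 + 2x + 2 over GF(17) with G = (5, 1) (a point of order 19) is a constructed toy choice.

```python
# Constructed toy curve: y^2 = x^3 + 2x + 2 over GF(17), base point G = (5, 1) of order 19.
P_MOD, A, B = 17, 2, 2
G = (5, 1)
O = None  # the point at infinity, the group identity

def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def neg(pt):
    """-P mirrors P across the x-axis (mod p); P + (-P) = O."""
    return O if pt is O else (pt[0], (-pt[1]) % P_MOD)

def add(p1, p2):
    """R = P + Q: third intersection of the chord (tangent when P = Q), then mirrored."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    if p1 == neg(p2):
        return O                                            # also covers doubling a point with y = 0
    (x1, y1), (x2, y2) = p1, p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)          # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def scalar_mult(k, pt):
    """Q = kP by double-and-add: the easy direction; recovering k from Q is the hard one."""
    result, addend = O, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def ecdh(ka, kb):
    """Alice (KA) and Bob (KB) exchange KA*G and KB*G; each multiplies by own secret."""
    pub_a, pub_b = scalar_mult(ka, G), scalar_mult(kb, G)
    return scalar_mult(ka, pub_b), scalar_mult(kb, pub_a)   # both equal KA*KB*G
```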
Timing and Power Attacks
 Ciphertext-only attack
– No mathematical analysis
 How it works
– Measure the effort (time, power) to decrypt a message
– Correlate the effort to the probability that certain key bits are on
 Idea
– Different algorithms work more on certain combinations of bit values
– E.g., in RSA the exponentiation effort depends on the number of bits that are 1
 Solutions:
– Idle computation to randomize & even out
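An added illustration (not from the lecture) of the leakage model above: textbook square-and-multiply does one extra multiplication per 1-bit of the exponent, so its work tracks the exponent's Hamming weight, while a Montgomery ladder does identical work for every bit, which is one way of "evening out" the effort. The base and modulus are arbitrary constructed values.

```python
def square_and_multiply(base, exponent, modulus):
    """Textbook left-to-right exponentiation; returns (result, modular multiplications done)."""
    result, mults = 1, 0
    for bit in bin(exponent)[2:]:
        result, mults = result * result % modulus, mults + 1    # one squaring per bit
        if bit == "1":
            result, mults = result * base % modulus, mults + 1  # extra multiply only on 1-bits
    return result, mults

def montgomery_ladder(base, exponent, modulus):
    """Same result, but exactly one multiply and one square per bit whatever the bit is."""
    r0, r1, mults = 1, base % modulus, 0            # invariant: r1 = r0 * base
    for bit in bin(exponent)[2:]:
        if bit == "1":
            r0, r1 = r0 * r1 % modulus, r1 * r1 % modulus
        else:
            r1, r0 = r0 * r1 % modulus, r0 * r0 % modulus
        mults += 2
    return r0, mults

def leakage_profile(exponents, base=3, modulus=1000003):
    """(exponent, Hamming weight, naive work, ladder work) for each exponent in the list."""
    return [(e, bin(e).count("1"),
             square_and_multiply(base, e, modulus)[1],
             montgomery_ladder(base, e, modulus)[1]) for e in exponents]
```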
Other Public-Key Algorithms
 Merkle-Hellman Knapsack Algorithms
– First public-key cryptography (not key exchange) algorithm (1976) - patented
– Encode a message as a series of solutions to knapsack problems (NP-hard). An easy (superincreasing) knapsack serves as the private key, and a hard knapsack as the public key.
– Broken by Shamir and Zippel in 1980, showing a reconstruction of superincreasing knapsacks from the normal knapsacks
 Rabin
– Based on the difficulty of finding square roots modulo n
– Encryption is faster: C = M^2 mod n (n = pq)
– Decryption is a bit complicated and the plaintext has to be selected from 4 possibilities (which also makes it difficult to use for signatures)
 El Gamal
– Based on the difficulty of calculating discrete logarithms in a finite field
– Elliptic Curves can be used to implement El Gamal and Diffie-Hellman faster
Digital Signatures
Main sources: Network Security Essential / Stallings
Applied Cryptography / Schneier
Public-Key Digital Signature
 Same as authentication
– The sender encrypts a message with his own private key
– The receiver, by decrypting, verifies key possession
Digital Signatures
 It is possible to use the entire message, encrypted with the private key, as the digital signature
– But, this is computationally expensive
– And, anyone can then decrypt the original message
 Alternatively, a digest can be used
– Should be short
– Prevent decryption of the original message
– Prevent modification of the original message
– Difficult to fake a signature for
 If message authentication (integrity) is needed, we may use the hash code of the message
 If only source authentication is needed, a different message can be used (certificate)
Digital Signature Algorithm (DSA)
 Proposed in 1991 by NIST as a standard (DSS)
– Based on the difficulty of computing discrete logarithms (like Diffie-Hellman and El Gamal)
 Encountered resistance because RSA was already the de-facto standard, and had already drawn significant investment
– DSA cannot be used for encryption or key distribution
– RSA is advantageous in most applications (except smart cards)
• RSA is 10x faster in signature
• DSA is faster in verification
– Concerns about an NSA backdoor (a table can be built for some primes)
 Key size was increased from 512 to 2048 and 3072 bits
– In DSA, the key size needs to be 4 times the security level
 DSA has an Elliptic Curve version
– Faster to compute, and requires half the bits
Description of DSA
 Parameters
– p is a prime number with up to 1024 bits (public)
– q is a 160-bit factor of (p-1), and itself prime (public)
– g = h^((p-1)/q) mod p, for a random h (public)
– x is the private key and is smaller than q (private)
– y = g^x mod p is part of the public key (public)
 Signature
– Given a message M, generate a random k < q (keep k secret)
– Signature is a pair (r, s)
• send r = (g^k mod p) mod q
• send s = k^-1 (H(M) + xr) mod q
• If r = 0 or s = 0, choose a new k
 Verification
– Compute w = s^-1 mod q
– Compute u1 = H(M)·w mod q; u2 = r·w mod q
– Compute v = (g^u1 · y^u2 mod p) mod q
– If v = r then the signature is verified
Key Generation in DSA
 Generate q as a SHA of an arbitrary 160-bit string
– If not prime, try another string
– Use the Rabin method for primality testing
 To get (p-1)
– Concatenate additional 160-bit numbers until you get to the right size (e.g., 1024)
– Subtract the remainder after division by 2q
• q is a factor by construction
• Since p-1 is even, 2 is also a factor
 If p is not prime, repeat the process
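The DSA description and the key-generation procedure of the last two slides, as one added example (not from the lecture): a Miller-Rabin test stands in for the slide's "Rabin method", p is built by removing the remainder mod 2q, and sign/verify follow the (r, s) and (w, u1, u2, v) formulas. Parameter sizes (64-bit q, 256-bit p), the fixed random seed and SHA-256 as H are constructed choices for a quick run.

```python
import hashlib, random
rng = random.Random(2010)  # fixed seed: constructed example, reproducible runs

def is_probable_prime(n, rounds=16):  # Miller-Rabin: the slides' "Rabin method"
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1: break
        else:
            return False  # a witness of compositeness was found
    return True

def generate_params(qbits=64, pbits=256):  # toy-sized domain parameters, built as the slide describes
    while True:  # random odd q until it passes the primality test
        q = rng.getrandbits(qbits) | 1
        if is_probable_prime(q): break
    while True:  # p-1 = random number minus its remainder mod 2q, so q | p-1 and 2 | p-1
        p = rng.getrandbits(pbits) // (2 * q) * (2 * q) + 1
        if is_probable_prime(p): break
    while True:  # g = h^((p-1)/q) mod p has order q whenever it is not 1
        g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)
        if g != 1: return p, q, g

def keygen(p, q, g):
    x = rng.randrange(1, q)  # private key x < q
    return x, pow(g, x, p)   # (x, y = g^x mod p)

def hash_mod_q(msg, q):  # H(M) reduced mod q (SHA-256 here; the 1991 DSS used SHA-1)
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def sign(msg, p, q, g, x):
    while True:
        k = rng.randrange(1, q)  # fresh secret nonce for every signature, never reused
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (hash_mod_q(msg, q) + x * r) % q
        if r and s: return r, s  # slide: if r=0 or s=0, choose a new k

def verify(msg, sig, p, q, g, y):
    r, s = sig
    if not (0 < r < q and 0 < s < q): return False
    w = pow(s, -1, q)
    u1, u2 = hash_mod_q(msg, q) * w % q, r * w % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r
```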
One-Time Signatures (Merkle)
 Key Generation
– Let t = n + 1 + log n, where n is the message size
– Select random K1, ..., Kt (private key)
– Let Vi = H(Ki) for a hash function H (public key)
 Signature
– Let C be the number of 0's in message M
– Let W = M || C, and let A1 ... At be W's bits
– Signature is (S1 ... Su) such that Sj = Kl if Al is the j-th 1-bit of W
 Verification
– Compute W as above
– Compute H(Sj) for each revealed Sj and compare to the (properly indexed) Vl
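The one-time signature above, as an added example that is not part of the lecture. One assumption is made explicit: the zero-count C is written in bit_length(n+1) bits, so t = n + bit_length(n+1), which matches the slide's t = n + 1 + log n. The test message is constructed.

```python
import hashlib, secrets

def H(data):
    return hashlib.sha256(data).digest()

def checksummed_bits(message_bits):
    """W = M || C, with C the number of 0s in M written in bit_length(n+1) bits (assumption)."""
    n = len(message_bits)
    c_width = (n + 1).bit_length()          # enough bits to write any count in 0..n
    c = message_bits.count(0)
    return message_bits + [(c >> i) & 1 for i in reversed(range(c_width))]

def keygen(n):
    """Private key: t random K_i; public key: V_i = H(K_i), t = n + bit_length(n+1)."""
    t = n + (n + 1).bit_length()
    priv = [secrets.token_bytes(32) for _ in range(t)]
    return priv, [H(k) for k in priv]

def sign(message_bits, priv):
    """Reveal K_l for every position l where W has a 1-bit; the others stay secret."""
    w = checksummed_bits(message_bits)
    return [priv[l] for l, bit in enumerate(w) if bit == 1]

def verify(message_bits, sig, pub):
    """Recompute W, then check H(S_j) against V_l for the j-th 1-bit position l."""
    w = checksummed_bits(message_bits)
    ones = [l for l, bit in enumerate(w) if bit == 1]
    if len(ones) != len(sig):
        return False
    return all(H(s) == pub[l] for s, l in zip(sig, ones))
```

Flipping a 1 to 0 in M increases C, which sets at least one new 1-bit in W whose K_l was never revealed, so the checksum is what stops that modification.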
Key Management for Public Key Cryptographic Protocols
Main sources: Network Security Essential / Stallings
Applied Cryptography / Schneier
Certificate Authority: Verifying the Public Key
 How to ensure that Charles doesn't pretend to be Bob by publishing a public key for Bob? Then, using a man-in-the-middle attack, Charles can read the message and re-encrypt and resend it to Bob
 Bob prepares a certificate with his identifying information and his public key
 The Certificate Authority (CA) verifies the details and signs Bob's certificate
 Bob can publish the signed certificate
More on (Public) Key Management
 Alice may have more than one key
– e.g., personal key and work key
 Where shall Alice store her keys?
– Alice may not want to trust her work administrator with her
personal banking key
 Distributed certification a la X.509
– CA certifies Agents who certify organizations who certify others
 Distributed certification a la PGP
– Alice will present her certificate with “introducers” who will
vouch for her (“PKI parties”)
 Key Escrow
– US American Escrowed Encryption Standard suggests that private
keys be broken in half and kept by two Government agencies
– Clipper – for cellular phone encryption
– Capstone – for computer communication
Summary
Cryptography Summary
 Cryptography (and steganography) were always considered a strategic tool
– Used mostly by governments and military organizations
– Served to keep top secrets and in wars
 Different generations were characterized by either the cryptographers or the cryptanalysts winning the battle
– Today, cryptographers seem certainly on top, with "unbreakable" ciphers (but, remember Vigenère's unbreakable cipher...)
 Must remember that cryptanalysis is not the only attack
– It is usually the hardest way to break a message
– May attack human weaknesses in the crypto protocol
– May attack communication, hosts, etc.
– Much easier to get information using the good old 3Bs: bribery, burglary, and bending