Epayment Security II - Carnegie Mellon University


Electronic Payment Systems
20-763
Lecture 6
Epayment Security II
20-763 ELECTRONIC PAYMENT SYSTEMS
FALL 2001
COPYRIGHT © 2001 MICHAEL I. SHAMOS
Digital Signature
• Message digest encrypted with signer’s private key
MESSAGE (LONG) → USE SHA TO PRODUCE HASH (MESSAGE DIGEST) → HASH
HASH → ENCRYPT HASH WITH SIGNER’S PRIVATE KEY → SIG
APPEND SIGNATURE TO MESSAGE; SEND BOTH: SIG + MESSAGE (LONG)
Recipient decrypts SIG with signer’s public key.
Recipient computes the message digest.
If it matches the decrypted SIG, the SIG is genuine AND the message has not been altered!
Cryptographic Notation
{ A, B, C, D } means strings A, B, C and D concatenated together
$SK_{SENDER}(A)$ means string A encrypted with SENDER’s secret key
$PK_{BANK}(B)$ means string B encrypted with BANK’s public key
$H(A)$ means one-way hash of string A
Dual Signatures
• Links two messages securely but allows only one party to read each. Used in SET.
MESSAGE 1, MESSAGE 2 → HASH 1 & 2 WITH SHA → DIGEST 1, DIGEST 2
DIGEST 1, DIGEST 2 → CONCATENATE DIGESTS TOGETHER → HASH WITH SHA TO CREATE NEW DIGEST → NEW DIGEST
NEW DIGEST → ENCRYPT NEW DIGEST WITH SIGNER’S PRIVATE KEY → DUAL SIGNATURE
Using Dual Signatures
• Alice wants to send Message 1 to Bob and Message 2 to Carol
• Message 1 is order info; Message 2 is payment info
• Alice encrypts Message 1 with Bob’s public key; Message 2 with Carol’s public key
• Both Bob and Carol must be convinced that the messages are linked and unaltered
• Alice sends { $PK_{BOB}$(Message 1), $PK_{CAROL}$(Message 2), DualSig } to both Bob and Carol
• Bob hashes $PK_{BOB}$(Message 1), concatenates with $PK_{CAROL}$(Message 2), and hashes again to give the dual hash
• Bob decrypts the dual signature with Alice’s public key
• If the new hash and the decrypted signature match, all is OK
Dual Signatures on Plaintext
• Alice wants to send Message 1 to Bob and Message 2 to Carol in plaintext
• Bob can’t see Message 2; Carol can’t see Message 1
• Both Bob and Carol must be convinced that the messages are linked and unaltered
• Alice sends Bob { Message 1, Digest 2, Dual Signature }
• Bob hashes Message 1, concatenates with Digest 2 and hashes
• Bob decrypts the dual signature with Alice’s public key
• If the new hash and the decrypted signature match, all is OK
• Now Bob can send Carol Digest 2 and ask if she got the message corresponding to it!
• (Carol got { Message 2, Digest 1, Dual Signature })
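Added example (not part of the lecture): the plaintext dual-signature exchange above, written in Python. SHA-256 stands in for the slide's SHA, Alice's key is a constructed toy textbook-RSA key without padding, and all function names and sample messages are assumptions made for the illustration.

```python
import hashlib

# Constructed toy key for Alice: textbook RSA on two Mersenne primes, no padding.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # Alice's private exponent

def H(data: bytes) -> bytes:
    """One-way hash; SHA-256 is an assumption standing in for the slide's SHA."""
    return hashlib.sha256(data).digest()

def dual_digest(digest1: bytes, digest2: bytes) -> int:
    """Concatenate the two digests and hash again (the 'new digest')."""
    return int.from_bytes(H(digest1 + digest2), "big")

def dual_sign(msg1: bytes, msg2: bytes) -> int:
    """Alice encrypts the new digest with her private key."""
    return pow(dual_digest(H(msg1), H(msg2)), D, N)

def bob_verify(msg1: bytes, digest2: bytes, sig: int) -> bool:
    """Bob holds Message 1 and only the digest of Message 2."""
    return pow(sig, E, N) == dual_digest(H(msg1), digest2)

def carol_verify(msg2: bytes, digest1: bytes, sig: int) -> bool:
    """Carol holds Message 2 and only the digest of Message 1."""
    return pow(sig, E, N) == dual_digest(digest1, H(msg2))

# Constructed sample messages.
ORDER = b"order: 2 widgets, ship to Pittsburgh"
PAYMENT = b"payment: 40.00 USD, card ending 0000"
SIG = dual_sign(ORDER, PAYMENT)

if __name__ == "__main__":
    print("Bob accepts:", bob_verify(ORDER, H(PAYMENT), SIG))
    print("Carol accepts:", carol_verify(PAYMENT, H(ORDER), SIG))
    print("Altered order accepted:", bob_verify(ORDER + b"0", H(PAYMENT), SIG))
```

Changing either message, or pairing one message with the digest of a different counterpart, makes both checks fail, which is what links the order to the payment.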
Blind Signatures
• Alice wants Bob to sign message M without being able to read it. Bob’s public key is (e, n).
• Alice chooses a random number k between 1 and n
• Alice computes $b = (M \cdot k^e) \bmod n$ (the “blinded” message) and sends it to Bob to sign
• Bob can’t read it since he doesn’t know k or $k^e$
• Bob signs with his private key (d, n) by computing
$b^d \bmod n = (M \cdot k^e)^d \bmod n = M^d k^{ed} \bmod n = M^d k \bmod n$
• Now Alice divides the signed message by k to get $M^d \bmod n$, just as if Bob had signed M in the first place
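Added example (not part of the lecture): the blind-signature steps above in Python, with a constructed toy textbook-RSA key for Bob and no padding. It assumes M is the SHA-256 digest of a constructed message and that k is drawn coprime to n, since "dividing by k" means multiplying by $k^{-1} \bmod n$; the function names are assumptions.

```python
import hashlib
import math
import secrets

# Constructed toy key for Bob: textbook RSA on two Mersenne primes, no padding.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # Bob's private exponent d

def blinding_factor(n: int) -> int:
    """Random k with gcd(k, n) = 1, so that dividing by k mod n is possible."""
    while True:
        k = secrets.randbelow(n - 2) + 2
        if math.gcd(k, n) == 1:
            return k

def blind(m: int, k: int) -> int:
    """Alice: b = (M * k^e) mod n."""
    return (m * pow(k, E, N)) % N

def sign(b: int) -> int:
    """Bob: b^d mod n; he sees only the blinded value."""
    return pow(b, D, N)

def unblind(signed_b: int, k: int) -> int:
    """Alice: 'divide by k' is multiplication by k^-1 mod n."""
    return (signed_b * pow(k, -1, N)) % N

def verify(m: int, sig: int) -> bool:
    """Anyone: sig^e mod n must equal M."""
    return pow(sig, E, N) == m

def blind_sign_roundtrip(message: bytes):
    """Run the whole exchange; returns (M, the value Bob saw, final signature)."""
    m = int.from_bytes(hashlib.sha256(message).digest(), "big")
    k = blinding_factor(N)
    b = blind(m, k)
    return m, b, unblind(sign(b), k)
```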
Protocol Failure
• A “secure” cryptosystem is not secure if used carelessly
• Protocols must be followed carefully or a “protocol failure” occurs
• Example: “common modulus” failure
• Bob and Carol have the same public-key modulus n with encryption exponents $e_{BOB}$ and $e_{CAROL}$ having no common factor
• Alice sends the same plaintext M to both Bob and Carol
• Bob gets $y_{BOB} = M^{e_{BOB}} \bmod n$
• Carol gets $y_{CAROL} = M^{e_{CAROL}} \bmod n$
• If Eve intercepts both, she can read the message
• SOLUTION: NEVER SEND THE SAME MESSAGE TWICE
Protocol Failure
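• Eve computes
$c_1 = e_{BOB}^{-1} \bmod e_{CAROL}$
$c_2 = (c_1 e_{BOB} - 1) / e_{CAROL}$
$M = y_{BOB}^{c_1} \, (y_{CAROL}^{c_2})^{-1} \bmod n$
$= (M^{e_{BOB}})^{c_1} \, ((M^{e_{CAROL}})^{c_2})^{-1} \bmod n$
$= (M^{e_{BOB}})^{c_1} \, ((M^{e_{CAROL}})^{(c_1 e_{BOB} - 1)/e_{CAROL}})^{-1} \bmod n$
$= (M^{e_{BOB}})^{c_1} \, (M^{c_1 e_{BOB} - 1})^{-1} \bmod n$
$= M \, (M^{c_1 e_{BOB} - 1}) \, (M^{c_1 e_{BOB} - 1})^{-1} \bmod n$
$= M \bmod n$
• So Eve recovers the original message!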
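Added example (not part of the lecture): the derivation above carried through on constructed toy numbers, together with an audit check that flags public keys sharing a modulus, which is the precondition for this failure. The key list, owner names and function names are assumptions.

```python
from collections import defaultdict

def recover_from_common_modulus(y_bob, y_carol, e_bob, e_carol, n):
    """Carry out the slide's derivation; needs gcd(e_bob, e_carol) = 1."""
    c1 = pow(e_bob, -1, e_carol)              # c1 = e_BOB^-1 mod e_CAROL
    c2 = (c1 * e_bob - 1) // e_carol          # exact division by construction
    inv = pow(pow(y_carol, c2, n), -1, n)     # (y_CAROL^c2)^-1 mod n
    return (pow(y_bob, c1, n) * inv) % n

def moduli_in_use_more_than_once(public_keys):
    """Audit check: map each modulus shared by several owners to those owners."""
    owners = defaultdict(list)
    for owner, n, _e in public_keys:
        owners[n].append(owner)
    return {n: who for n, who in owners.items() if len(who) > 1}

# Constructed toy values: n = 61 * 53, exponents with no common factor.
N = 3233
E_BOB, E_CAROL = 17, 7
M = 1234
Y_BOB, Y_CAROL = pow(M, E_BOB, N), pow(M, E_CAROL, N)

# Constructed key inventory of (owner, modulus, exponent); dave's modulus is 53 * 59.
KEYS = [("bob", N, E_BOB), ("carol", N, E_CAROL), ("dave", 3127, 17)]

if __name__ == "__main__":
    print("recovered:", recover_from_common_modulus(Y_BOB, Y_CAROL, E_BOB, E_CAROL, N))
    print("shared moduli:", moduli_in_use_more_than_once(KEYS))
```

Here $c_1 = 5$ and $c_2 = 12$, so the computation is $M^{85} \cdot (M^{84})^{-1} = M$ without either private key being involved.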
Trapdoor Functions for Cryptography
• Any one-way trapdoor function f(x) can be used for public-key cryptography
• Alice wants to send message m to Bob
• Bob’s public key e is a parameter to the trapdoor function $f_e(x)$ (the inverse $f_e^{-1}(x)$ is easy to compute knowing Bob’s private key d but difficult without d)
• Alice computes $f_e(m)$, sends it to Bob
• Bob computes $f_e^{-1}(f_e(m)) = m$ (easy if d is known)
• Eavesdropper Eve can’t compute $m = f_e^{-1}(f_e(m))$ without the trapdoor d to find the inverse $f_e^{-1}$
Discrete Logarithms
• If $a^b = c$, we say that $\log_a c = b$
• Example: $2^{32} = 4294967296$ so $\log_2(4294967296) = 32$
• Computing $a^b$ and $\log_a c$ are both easy for real numbers
• In a finite field, it is easy to calculate $c = a^b \bmod p$ but given c, a and p it is very difficult to find b
• This is the “discrete logarithm” problem
• Analogy: Given x it is easy to find two real numbers y, z such that x = y•z
• Given an integer n it is hard to find two integers p, q such that n = p•q
Diffie-Hellman Key Exchange
• Object: allow Alice and Bob to exchange a secret key
• Protocol has two public parameters: a prime p and a number g < p such that given 0 < n < p there is some k such that $g^k = n \pmod p$ (g is called a generator)
• Alice and Bob generate random private values a, b between 1 and p-2
• Alice’s public value is $g^a \pmod p$; Bob’s is $g^b \pmod p$
• Alice and Bob share their public values
• Alice computes $(g^b)^a \pmod p = g^{ba}$
• Bob computes $(g^a)^b \pmod p = g^{ab} = g^{ba}$
• Let key = $g^{ab}$. Now both Alice and Bob have it.
• No one else can compute it -- they don’t know a or b
El Gamal Encryption
• Based on the discrete logarithm
• Bob’s public key is (p, q, r)
• Bob’s private key is s such that $r = q^s \bmod p$
• Alice sends Bob the message m by picking a random secret number k and sending
$(a, b) = (q^k \bmod p,\; m r^k \bmod p)$
• Bob computes
$b \, (a^s)^{-1} \bmod p = m r^k (q^{ks})^{-1} = m q^{ks} (q^{ks})^{-1} = m$
• (Bob knows s; nobody else can do this)
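Added example (not part of the lecture): the Diffie-Hellman exchange and the El Gamal encryption above in Python, using the slides' symbols (p, g, a, b for Diffie-Hellman; p, q, r, s, k for El Gamal). The parameters p = 2579 and generator 2 are constructed toy values, far too small for real use, and the function names are assumptions.

```python
import secrets

P, G = 2579, 2  # constructed toy parameters: prime p and generator g

def is_generator(g, p):
    """True if every n with 0 < n < p equals g^k mod p for some k."""
    seen, x = set(), 1
    for _ in range(p - 1):
        x = (x * g) % p
        seen.add(x)
    return len(seen) == p - 1

def private_value(p):
    """Random private value between 1 and p-2."""
    return secrets.randbelow(p - 2) + 1

def dh_shared(their_public, my_private, p):
    """(g^b)^a mod p for Alice, (g^a)^b mod p for Bob."""
    return pow(their_public, my_private, p)

def elgamal_keygen(p, q):
    """Returns Bob's public key (p, q, r) and private key s, with r = q^s mod p."""
    s = private_value(p)
    return (p, q, pow(q, s, p)), s

def elgamal_encrypt(m, public):
    """Alice: (a, b) = (q^k mod p, m * r^k mod p) for a fresh random k."""
    p, q, r = public
    k = private_value(p)
    return pow(q, k, p), (m * pow(r, k, p)) % p

def elgamal_decrypt(a, b, s, p):
    """Bob: b * (a^s)^-1 mod p = m."""
    return (b * pow(pow(a, s, p), -1, p)) % p

if __name__ == "__main__":
    a, b = private_value(P), private_value(P)
    print("keys agree:", dh_shared(pow(G, b, P), a, P) == dh_shared(pow(G, a, P), b, P))
    public, s = elgamal_keygen(P, G)
    print("decrypted:", elgamal_decrypt(*elgamal_encrypt(1234, public), s, P))
```

The El Gamal mask $r^k = q^{sk}$ is exactly the Diffie-Hellman shared value between Bob's long-term secret s and Alice's one-time secret k.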
Elliptic Curve Cryptography (ECC)
• An elliptic curve is the set of points (x, y) satisfying
$y^2 + axy + by = x^3 + cx^2 + dx + e$
An elliptic curve has the property that a line drawn between two points of the curve intersects the curve at a single point. (Warning: need to include the point at infinity.)
This allows us to define P + Q so that the sum is always another point on the curve.
If the sum P + Q is always on the curve, so are the points P, P + P, P + P + P, . . . = P, 2P, 3P, 4P, . . .
Elliptic Curve Operations
The point at infinity O is an identity element for addition
SOURCE: INTEGRITY SCIENCES
Elliptic Curves Over Finite Fields
• Select a large prime number p
• Choose two non-negative integers a and b with $4a^3 + 27b^2 \not\equiv 0 \pmod p$
• The pairs (x, y) with x, y < p that satisfy $y^2 = x^3 + ax + b \pmod p$ are the elliptic group mod p
– addition is closed and associative: (x + y) + z = x + (y + z)
– there is an identity element O such that x + O = x
– every element x has an inverse $x^{-1}$ such that $x + x^{-1} = O$
• If y = k x (mod p), then given k and x it is easy to find y but given x and y it is computationally hard to find k
• So elliptic curves can be used for cryptography
Elliptic Curves for El Gamal
• Multiplication in the elliptic group corresponds to exponentiation of real numbers
• Solving y = k x (mod p) for k in the elliptic group is similar to solving $c = a^b \pmod p$ for b in El Gamal (discrete logarithm)
• Choose a special point g of the group (called a generator)
• Bob’s private key is s; Bob’s public key is (g, s g) (Can’t find s from g and s g)
• A plaintext message m is transformed to a point x in the group
• Alice encrypts x by picking a random value k and sending (k g, x + k s g) (g and s g are public; Alice knows x and k)
• Bob decrypts by computing (x + k s g) - (k g) s = x (Alice sent him x + k s g and k g; Bob knows s, his private key)
Security of ECC versus RSA
ECC Advantages
1. The elliptic curve logarithm problem is harder than the discrete logarithm problem.
2. Key size in ECC is much smaller for a given security level.
3. ECC is complicated; fewer people understand it.
4. ECC is not patented.
GRAPHIC: RICHARD SOUTHERN
Major Ideas
• Digital signature = message digest encrypted with signer’s private key
• Dual signature: two people sign a document without being able to read the other person’s content
• Blind signature: one person signs a document without being able to read it
• Any trapdoor function can be used for public-key cryptography
• Great care must be used with public-key systems to avoid protocol failure (allowing cracking through mistakes)
• Elliptic-curve cryptography (ECC) is replacing RSA
– Shorter keys for the same level of security
Q&A