Document

Download Report

Transcript Document 

IS 302: Information Security and Trust
Week 4: Asymmetric Encryption
2012
Review
• Symmetric block ciphers
–
–
–
–
DES
3-DES
AES
ECB, CBC
© Yingjiu Li 2007
2
key distribution and key
management
© Yingjiu Li 2007
3
Asymmetric Cryptosystem
Alice
Plaintext
P
Encryption
Algorithm E
e Bob d private
public
Ciphertext
C
Decryption
Algorithm D
Plaintext
P
• private key d Computationally infeasible public key e
• Encryption: C=E(e, P)
• Decryption: P=D(d, C)
© Yingjiu Li 2007
4
Asymmetric Encryption
Plaintext
Encrypt
Decrypt
Public key e
Private key d
Plaintext
© Yingjiu Li 2007
5
RSA
• RSA cryptosystem
– Rivest-Shamir-Adelman in 1978
– Turing award in 2002
© Yingjiu Li 2007
6
RSA Keys
• Public keys (n,e), private keys d
– n: a composite. n=pq, where p and q are large primes
– d: an integer, 2<d<n
– e: an integer, 2<e<n, s.t. for any number x, x=(xe mod n) d
mod n
© Yingjiu Li 2007
7
RSA Encryption/Decryption
• Encryption of P: C=Pe mod n
• Decryption of C: P=Cd mod n
– PKCS: P =plaintext+ random padding < n
– Why need random padding?
C=Pe mod n
d
n,e
Bob
n,e
insecure channel
Alice
d: Bob’s private key
n,e: Bob’s public key
© Yingjiu Li 2007
8
How to Choose Keys in RSA
•
•
•
•
•
•
•
Choose 2 large prime numbers p, q
Compute n=pq and φ=(p-1)(q-1)
Choose e relatively prime to φ
Compute d from φ and e such that e*d mod φ =1
Public: n, e
Private: p, q, φ, d
A Toy Example:
– Let p = 47, q = 71, then n = pq = 3337, φ=(p-1)(q-1) = 3220
– Let e =79, Note φ = 3220 = 22  5  7  23
– Solve d from d*79 mod 3220 =1, which gives d = 1019 (using
extended Euclidean algorithm)
– Let P = 688, then C =Pe mod n = 688^79 mod 3337 = 1570
– P = Cd mod n = 1570^1019 mod 3337
© Yingjiu Li 2007
9
RSA Demo
• Cryptool  indiv. Procedures  RSA
– Generate prime numbers
– Factorization of a number
• Cryptool  Encrypt/decrypt 
– RSA encryption (in blocks)
– RSA decryption
© Yingjiu Li 2007
10
RSA Key Size and Security
• key size  size of n
– n: 1024 bits (309 digits); 2048 bits (618 digits);
4096 bits
• Security  difficulty of
– Factorizing n=p*q p, q, φ, d
– A 512 bits (154 digits) n could be factored in
several months
© Yingjiu Li 2007
11
RSA Key Size and Security
• http://www.rsasecurity.com/rsalabs/node.as
p?id=2007
– By the year 2009, a machine that could break a
1024-bit RSA key in about a day would cost at
least $250 million
– For data that needs to be protected no later than
the year 2015, the table indicates that the RSA
key size should be at least 1024 bits. For data
that needs to be protected longer, the key size
should be at least 2048 bits.
© Yingjiu Li 2007
12
Asymmetric vs Symmetric
• Asymmetric
• Symmetric
– Key exchange over public
channel
– Scalable for multi-party
communication
– Key exchange must be done
over secure channel
– Non-scalable for multiparty communication
– Long keys
(e.g., 1024 bits)
– Slow implementation
– Relative short keys
(e.g., 128 bits)
– Fast implementation
• RSA software can encrypt
7.4~21.6 Kb/sec
• Fastest RSA hardware can
encrypt 1 Mb/sec
© Yingjiu Li 2007
• In software, DES is
generally 100 times faster
than RSA
• In hardware, DES is
between 1000 to 10,000
times faster
13
Scenario
• RSA is too slow, not suitable for large P
© Yingjiu Li 2007
14
Question
• Can we have a fast (as AES) and scalable
crypto-system without secure channel (as
RSA)?
–
–
–
–
–
–
Envelop encryption: combine AES and RSA
Es: AES encryption
Ds: AES decryption
k: AES key
Ea: RSA encryption
Da: RSA decryption
– (e,n): RSA public key; d: RSA private key
© Yingjiu Li 2007
15
Envelop Encryption (1)
• Alice selects a random session key (AES
key) k, and gets C1=Es(k,P) (using AES)
Mallory
Bob
© Yingjiu Li 2007
C1= Es(k,P)
Alice
16
Envelop Encryption (2)
• Alice uses Bob’s public key e,n to encrypt k
(using RSA), and gets C2=Ea(e,n,k)
Mallory
Bob
© Yingjiu Li 2007
C2=Ea(e,n,k)
C1= Es(k,P)
Alice
17
Communication
• Alice sends C1 and C2 together to Bob
Mallory
Bob
© Yingjiu Li 2007
C2=Ea(e,n,k)
C1= Es(k,P)
Alice
18
Envelop Decryption (1)
• Bob uses his private key d to decrypt C2
(using RSA) and gets k = Da(d,C2)
Mallory
Bob
C2=Ea(e,n,k)
C1= Es(k,P)
Alice
k=Da(d,C2)
© Yingjiu Li 2007
19
Envelop Decryption (2)
• Bob uses k to decrypt C1 (using AES) and
gets P=Ds(k,C1)
Mallory
Bob
C2=Ea(e,n,k)
Alice
k=Da(d,C2)
© Yingjiu Li 2007
C1= Es(k,P)
P=Ds(k,C1)
20
Demo
• Cryptool  Encrypt/Decrypt  Hybrid 
– RSA-AES encryption
– RSA-AES decryption
© Yingjiu Li 2007
21
Hands-on Exercise
• Download Lab.doc
• Generate RSA key pairs of 1024 and 2048
bits
– Instruction 2.1
• RSA encryption and decryption for small
file and large file
– Instruction 2.2
© Yingjiu Li 2007
22
Review
•
When we say the key length of RSA is 1024 bits, we mean
1)
•
2) p,q
3) e,d
Alice encrypts her message for Bob in RSA, which key should she
use in encryption?
1)
2)
3)
•
n
Alice’s private key
Alice’s public key
Bob’s public key
Alice encrypts her message for Bob in envelop encryption, which of
the following is true?
1)
2)
3)
Alice uses her private key to encrypt a session key, and uses the session
key to encrypt her message
Alice uses her public key to encrypt a session key, and uses the session
key to encrypt her message
Alice uses Bob’s public key to encrypt a session key, and uses the
session key to encrypt her message
© Yingjiu Li 2007
23
Assignment 1
• Submit hardcopy today
© Yingjiu Li 2007
24