CSCE 790: Computer Network Security

Download Report

Transcript CSCE 790: Computer Network Security

CSCE 715:
Network Systems Security
Chin-Tser Huang
[email protected]
University of South Carolina
Key Management


Asymmetric encryption helps address
key distribution problems
Two aspects


distribution of public keys
use of public-key encryption to distribute
secret keys
9/19/2006
2
Distribution of Public Keys

Four alternatives of public key
distribution




Public announcement
Publicly available directory
Public-key authority
Public-key certificates
9/19/2006
3
Public Announcement

Users distribute public keys to recipients
or broadcast to community at large


E.g. append PGP keys to email messages
or post to news groups or email list
Major weakness is forgery


anyone can create a key claiming to be
someone else and broadcast it
can masquerade as claimed user before
forgery is discovered
9/19/2006
4
Publicly Available Directory


Achieve greater security by registering keys
with a public directory
Directory must be trusted with properties:






contains {name, public-key} entries
participants register securely with directory
participants can replace key at any time
directory is periodically published
directory can be accessed electronically
Still vulnerable to tampering or forgery
9/19/2006
5
Public-Key Authority




Improve security by tightening control over
distribution of keys from directory
Has properties of directory
Require users to know public key for the
directory
Users can interact with directory to obtain
any desired public key securely

require real-time access to directory when keys
are needed
9/19/2006
6
Public-Key Authority
9/19/2006
7
Public-Key Certificates


Certificates allow key exchange without realtime access to public-key authority
A certificate binds identity to public key



usually with other info such as period of validity,
authorized rights, etc
With all contents signed by a trusted PublicKey or Certificate Authority (CA)
Can be verified by anyone who knows the
CA’s public key
9/19/2006
8
Public-Key Certificates
9/19/2006
9
Distribute Secret Keys
Using Asymmetric Encryption




Can use previous methods to obtain public
key of other party
Although public key can be used for
confidentiality or authentication, asymmetric
encryption algorithms are too slow
So usually want to use symmetric encryption
to protect message contents
Can use asymmetric encryption to set up a
session key
9/19/2006
10
Simple Secret Key Distribution

Proposed by Merkle in 1979




A generates a new temporary public key pair
A sends B the public key and A’s identity
B generates a session key Ks and sends encrypted
Ks (using A’s public key) to A
A decrypts message to recover Ks and both use
9/19/2006
11
Problem with
Simple Secret Key Distribution

An adversary can intercept and impersonate
both parties of protocol





A generates a new temporary public key pair {KUa, KRa} and
sends KUa || IDa to B
Adversary E intercepts this message and sends KUe || IDa to
B
B generates a session key Ks and sends encrypted Ks (using
E’s public key)
E intercepts message, recovers Ks and sends encrypted Ks
(using A’s public key) to A
A decrypts message to recover Ks and both A and B unaware
of existence of E
9/19/2006
12
Distribute Secret Keys
Using Asymmetric Encryption

if A and B have securely exchanged public-keys
?
9/19/2006
13
Problem with Previous Scenario

Message (4) is not protected by N2

An adversary can intercept message
(4) and replay an old message or
insert a fabricated message
9/19/2006
14
Order of Encryption Matters

What can be wrong with the following
protocol?
AB: N
BA: EKUa[EKRb[Ks||N]]

An adversary sitting between A and B
can get a copy of secret key Ks without
being caught by A and B!
9/19/2006
15
Diffie-Hellman Key Exchange




First publicly proposed public-key type
scheme
By Diffie and Hellman in 1976 along
with advent of public key concepts
A practical method for public exchange
of secret key
Used in a number of commercial
products
9/19/2006
16
Diffie-Hellman Key Exchange

Use to set up a secret key that can be used for
symmetric encryption




cannot be used to exchange an arbitrary message
Value of key depends on the participants (and their
private and public key information)
Based on exponentiation in a finite (Galois) field
(modulo a prime or a polynomial) - easy
Security relies on the difficulty of computing discrete
logarithms (similar to factoring) – hard
9/19/2006
17
Primitive Roots


From Euler’s theorem: aø(n) mod n=1
Consider am mod n=1, GCD(a,n)=1





must exist for m= ø(n) but may be smaller
once powers reach m, cycle will repeat
If smallest is m= ø(n) then a is called a
primitive root
if p is prime and a is a primitive root of p,
then successive powers of a “generate” the
group mod p
Not every integer has primitive roots
9/19/2006
18
Primitive Root Example:
Power of Integers Modulo 19
9/19/2006
19
Discrete Logarithms





Inverse problem to exponentiation is to find the
discrete logarithm of a number modulo p
Namely find x where ax = b mod p
Written as x=loga b mod p or x=inda,p(b)
If a is a primitive root of p then discrete logarithm
always exists, otherwise may not
x = 4 mod 13 has no answer
 3
x = 3 mod 13 has an answer 4
 2
While exponentiation is relatively easy, finding
discrete logarithms is generally a hard problem
9/19/2006
20
Diffie-Hellman Setup

All users agree on global parameters



Each user (e.g. A) generates its key



large prime integer or polynomial q
α which is a primitive root mod q
choose a private key (number): xA < q
xA
compute its public key: yA = α mod q
Each user publishes its public key
9/19/2006
21
Diffie-Hellman Key Exchange

Shared session key for users A and B is KAB:
xA.xB
KAB = α
mod q
xB
= yA mod q (which B can compute)
xA
= yB mod q (which A can compute)


KAB is used as session key in symmetric
encryption scheme between A and B
Attacker needs xA or xB, which requires
solving discrete log
9/19/2006
22
Diffie-Hellman Example



Given Alice and Bob who wish to swap keys
Agree on prime q=353 and α=3
Select random secret keys:


Compute public keys:



A chooses xA=97, B chooses xB=233
97
yA=3 mod 353 = 40
(Alice)
233
yB=3
mod 353 = 248 (Bob)
Compute shared session key as:
xA
97
KAB= yB mod 353 = 248 = 160
xB
233
KAB= yA mod 353 = 40
= 160
9/19/2006
(Alice)
(Bob)
23
Elliptic Curve Cryptography




Majority of public-key crypto (RSA, D-H) use
either integer or polynomial arithmetic with
very large numbers/polynomials
Imposes a significant load in storing and
processing keys and messages
An alternative is to use elliptic curves
Offers same security with smaller bit sizes
9/19/2006
24
Real Elliptic Curves


An elliptic curve is defined by an equation in
two variables x and y, with coefficients
Consider a cubic elliptic curve of form




y2 = x3 + ax + b
where x, y, a, b are all real numbers
also define zero point O
Have addition operation for elliptic curve

geometrically, sum of P+Q is reflection of
intersection R
9/19/2006
25
Real Elliptic Curve Example
9/19/2006
26
Finite Elliptic Curves


Elliptic curve cryptography uses curves whose
variables and coefficients are finite
Two families are commonly used

prime curves Ep(a,b) defined over Zp



use integers modulo a prime
best in software
binary curves E2m(a,b) defined over GF(2m)


9/19/2006
use polynomials with binary coefficients
best in hardware
27
Elliptic Curve Cryptography



ECC addition is analog of modulo multiply
ECC repeated addition is analog of modulo
exponentiation
Need a “hard” problem equivalent to discrete
logarithm





Q=kP, where Q, P belong to a prime curve
is “easy” to compute Q given k, P
but “hard” to find k given Q, P
known as the elliptic curve logarithm problem
Certicom example: E23(9,17)
9/19/2006
28
ECC Diffie-Hellman






Can do key exchange analogous to D-H
Users select a suitable curve Ep(a,b)
Select base point G=(x1, y1) with large order
n s.t. nG=O
A and B select private keys nA<n, nB<n
Compute public keys: PA=nA×G, PB=nB×G
Compute shared key: K=nA×PB, K=nB×PA

same since K=nA×nB×G
9/19/2006
29
ECC Encryption/Decryption




Must first encode any message M as a point
on the elliptic curve Pm
Select suitable curve and point G as in D-H
Each user chooses private key nA<n and
computes public key PA=nA×G
To encrypt Pm:
Cm={kG, Pm+kPB}, k random

To decrypt Cm:
Pm+kPB–nB(kG) = Pm+k(nBG)–nB(kG) = Pm
9/19/2006
30
ECC Security





Relies on elliptic curve logarithm problem
Fastest method is “Pollard rho method”
Compared to factoring, can use much smaller
key sizes than with RSA etc
For equivalent key lengths computations are
roughly equivalent
Hence for similar security ECC offers
significant computational advantages
9/19/2006
31
Comparable Key Sizes
1
9/19/2006
32
Next Class



Hashing functions
Message digests
Read Chapters 11 and 12
9/19/2006
33