Transcript Lecture 5 Key Management and PublicKey Cryptography Stefan Dziembowski www.dziembowski.net MIM UW 9.11.12 ver 1.1 Plan 1.

Lecture 5
Key Management and PublicKey Cryptography
Stefan Dziembowski
www.dziembowski.net
MIM UW
9.11.12
ver 1.1
Plan
1. The problem of key distribution
2. The idea of Merkle, Diffie and Hellman
3. The solution of Rivest, Shamir and
Adleman
4. Public-Key Infrastructures
5. Identity-based encryption
How to distribute the cryptographic keys?
• If the users can meet in person beforehand –
it’s simple.
• But what to do if they cannot meet?
(a typical example: on-line shopping)
A naive solution:
give to every user Pi a separate key Kij to communicate
with every Pj
P2
P3
K12
K13
P4
K14
P1
K15
P5
In general:
a quadratic number of keys is needed
P2
P3
P4
P1
P5
Key Distribution Centers
Some server (a Key Distribution Center, KDC) “gives the
keys” to the users
–
–
–
–
–
feasible if the users are e.g. working in one company
infeasible on the internet
relies on the honesty of KDC
KDC needs to be permanently available
...
How to establish a key with a trusted
server?
key shared by Alice and
the server: KAS
key shared by Bob and
the server: KBS
server S
want to establish a
fresh session key
A
B
Not so trivial as it may seem!
Notation
{M}K – a message M encrypted and
authenticated with K
Formally:
K=(K0,K1)
{M}K = TagK0(EncK1(M)),EncK1(M))
An idea (1)
key shared by Alice and
the server: KAS
key shared by Bob and
the server: KBS
server S
(A,B)
selects a random KAB
{KAB} KAS
{KAB} KBS
{KAB} KBS , A
A
B
An attack
key shared by Alice and
the server: KAS
key shared by Bob and
the server: KBS
server S
(A,B)
selects a random KAB
{KAB} KAS
{KAB} KBS
{KAB} KBS , A
A
I’m
talking
to D
{KAB} KBS , D
B
An idea (2)
key shared by Alice and
the server: KAS
key shared by Bob and
the server: KBS
server S
(A,B)
selects a random KAB
{KAB , B} KAS
{KAB , A} KBS
{KAB , A} KBS
A
B
A replay attack
the adversary stores the
values that the server sent in
the previous session and
replays them.
So, the key is not fresh...
(A,B)
{KAB , B} KAS
{KAB , A} KBS
{KAB , A} KBS
A
B
How to protect against the replay attacks?
Nonce – “number used once”.
Nonce is a random number generated by one
party and returned to that party to show that
a message is newly generated.
An idea (3): Needham Schreoder 1972.
key shared by Alice and
the server: KAS
key shared by Bob and
the server: KBS
server S
A,B,NA
selects a random KAB
{KAB, B, NA , {KAB , A}KBS}KAS
{KAB , A} KBS
{NB} KAB
A
B
{NB - 1} KAB
An attack on Needham Schroeder
Assume that an old session key XAB is known to the adversary.
If e.g. XAB is used as one-time pad this may happen...
{XAB , A} KBS
{NB} XAB
{NB - 1} XAB
Bob
The final solution
key shared by Alice and
the server: KAS
key shared by Bob and
the server: KBS
server S
(A,B,NA,NB)
selects a random KAB
{KAB , B, NA} KAS
{KAB, A, NB} KBS
(B,NB)
A
{KAB , A, NB} KBS
B
Plan
1. The problem of key distribution
2. The idea of Merkle, Diffie and Hellman
3. The solution of Rivest, Shamir and
Adleman
4. Public-Key Infrastructure
5. Identity-based encryption
The solution without KDC
Public-Key Cryptography
Ralph Merkle (1974)
Whitfield Diffie and Martin Hellman (1976)
A little bit of history
• Diffie and Hellman were the first to publish a paper
containing the idea of the public-key cryptography:
W.Diffie and M.E.Hellman,
New directions in cryptography
IEEE Trans. Inform. Theory, IT-22, 6, 1976, pp.644-654.
• A similar idea was described by Ralph Merkle:
– in 1974 he described it in a project proposal for a Computer Security
course at UC Berkeley
(it was rejected)
– in 1975 he submitted it to the CACM journal (it was rejected)
(see http://www.merkle.com/1974/ )
• It 1997 the GCHQ (the British equivalent of the NSA) revealed
that they new it already in 1973.
The idea
pk can be public, and
only sk has to be kept
secret!
Instead of using one key k,
use 2 keys (pk,sk), where
That’s why it’s called:
public-key
cryptography
pk is used for encryption,
sk is used for decryption.
m
c := Enc(k,m)
Alice
k
c := Enc(pk,m)
pk
Dec(k,c)
Bob
k
Dec(sk,c)
sk
The same thing works for
authentication
•
•
this will be called
“signatures”
sk is used for computing a
tag,
pk is used for verifying
correctness of the tag.
m
Sign – the signing
algorithm
(m,t := Tag(k,m))
Alice
k
(m,t := Sign(sk,m))
sk
Vrfy(k,m,t)
Bob
k
Vrfy(pk,m,t)
pk
Anyone can send encrypted messages to
anyone else
4. P3 computes
Dec(sk3,m)
public register:
P2
P3
sk3
pk1
pk2
pk3
pk4
pk5
P4
2. reads pk3
P1
1. P1 wants to send m to P3
P5
Anyone can verify the signatures
P2
public register:
Sign(sk3,m)
P3
sk3
pk1
pk2
pk3
pk4
pk5
P4
2. reads pk3
P1
3. computes Vrfy(pk3,m)
P5
Advantages of the signature schemes
Digital signatures are:
1. publicly verifiable
2. transferable
3. provide non-repudiation
(we explain it on the next slides)
Look at the MACs...
k
m є {0,1}*
k
(m, t=Tagk(m))
Alice
Why shall I trust you?
Bob
Look, I got (m,t) from Alice
1. You could have created t yourself
(because you know k)
2. I don’t know k, so how can I verify
the tag?
Carol
Signatures are publicly-verifiable!
skA
m є {0,1}*
pkA
(m, σ =Signsk(m))
Alice
Bob
Look, I got (m,σ) from Alice
I can calculate
Vrfy(pkA,m,σ)
and check.
Carol
So, the signatures are transferable
Alice
skA
σ = Sign(sk3,m)
“Alice
signed m”
I believe it!
(m,σ)
pkA
P1
“Alice
signed m”
I believe it!
(m,σ)
pkA
P2
“Alice
signed m”
I believe it!
(m,σ)
pkA
pkA
P3
P4
Non-repudiation
skA
m є {0,1}*
pkA
(m, σ =Signsk(m))
Alice
Bob
“I’ve got (m,σ) from Alice”
It’s not true!
I never signed m!
Vrfy(pk,m,σ) = yes
so you cannot repudiate signing m...
Judge
Things that need to be discussed
•
•
•
•
Who maintains “the register”?
How to contact it securely?
How to revoke the key (if it is lost)?
...
We will discuss these
things later
(when we will be talking
about the Public-Key
Infrastructure)
But is it possible?
In “physical world”: yes!
Examples:
1. “normal” signatures
2. padlocks:
anyone can lock it
the key is needed to unlock
Diffie and Hellman (1976)
• Diffie and Hellman proposed the public key
cryptography in 1976.
• They just proposed the concept, not the
implementation.
• They have also shown a protocol for keyexchange.
The observation of Diffie and Hellman:
(pk, sk) – the key pair
plaintexts
public-key encryption:
Enc(pk,x)
ciphertexts
Dec(sk,y)
easy only if one knows sk
signature schemes:
tags
(“signatures”)
Looks similar...
Sign(sk,y)
Vrfy(pk,x)
messages
easy only if one knows sk
Trapdoor permutations (informal definition)
A family of permutations indexed by pk є keys :
{Encpk : X → X}pk є keys
such that for every key pk there exists a key sk, and:
this is
denoted
Decsk
Encpk
easy
X
• easy: one can compute Encpk-1
if one knows a trapdoor sk
• hard (otherwise)
X
How to encrypt a message m
encryption:
c := Encpk(m)
messages
decryption:
plaintexts
m := Decsk(c)
one can compute it
only if one knows sk
Warning: In general it’s not that simple. We will explain it later.
How to sign a message m
one can compute it
only if one knows sk
signing:
Decsk(m)
signatures
messages
verifying:
Encpk(m)
Warning: In general it’s not that simple. We will explain it later.
Plan
1. The problem of key distribution
2. The idea of Merkle, Diffie and Hellman
3. The solution of Rivest, Shamir and
Adleman
4. Public-Key Infrastructure
5. Identity-based encryption
Do such functions exist?
Yes: exponentiation modulo N, where N is a product of two large
primes.
Ron Rivest, Adi Shamir, and Leonard Adleman (1977)
RSA function is (conjectured to be) a trapdoor permutation!
The RSA function
N = pq, such that p and q are random primes,
and |p| = |q|
e – random such that gcd(e, (p-1)(q-1)) = 1
d – random such that ed = 1 (mod (p-1)(q-1))
pk := (N,e) sk := (N,d)
Encpk: ZN → ZN is defined as:
Encpk (m) = me mod N.
Decsk: ZN → ZN is defined as:
Decsk (c) = cd mod N.
Questions and doubts
N = pq, such that p and q are random primes,
and |p| = |q|
e – random such that gcd(e, (p-1)(q-1)) = 1
d – such that ed = 1 (mod (p-1)(q-1))
How large these primes
need to be?
How to sample them?
looks a bit strange...
pk := (N,e) sk := (N,d)
Encpk: ZN → ZN is defined as:
Encpk (m) = me mod N.
Decsk: ZN → ZN is defined as:
Decsk (c) = cd mod N.
We will address it later...
Can exponentiation be
done efficiently?
Encpk (1) = 1e mod N = 1
Oops...
encryption is
deterministic...
Is RSA secure?
Is RSA secure:
1. as an encryption scheme?
2. as a signature scheme?
The answer is not that simple.
First, we would need to define security!
We will do it on the next lectures.
Remember this slide?
public register:
P3
P2
pk1
sk3
sk2
pk2
pk3
pk4
pk5
P4
P1
sk4
sk1
P5
sk5
Question:
How to maintain the public register?
1. We start with the case when the public keys
are used for signing that is legally binding.
2. Then we consider other cases.
A problem
skA
pkA
m є {0,1}*
(m, σ =Signsk(m))
Alice
Bob
It’s not true!
I never signed m!
I got (m,σ) from Alice
Vrfy(pk,m,σ) = yes
so you cannot repudiate signing m...
But pk is not my public key!
Judge
Solution: certification authorities
A simplified view:
(pkCert,skCert)
comes with her ID and pkAlice
Certification Authority
Alice
checks the ID of Alice and
issues a certificate:
SignskCert(“pkAlice is a public key of Alice”)
Now, everyone can verify that pkAlice is a public key of Alice.
So Alice can attach it to every signature
really everyone?
What is needed to verify the certificate
To verify the certificate coming from Cert one needs:
1. to know the public key of the Cert
2. to trust Cert.
It is better if Cert also keeps a document:
“I, Alice certify that pkAlice is my public key”
with a written signature of Alice.
How does it look from the legal point of
view?
What matters at the end is if you can convince the judge.
Many countries have now a special law regulating these things.
In Poland:
Ustawa o podpisie elektronicznym, z dnia 18 września 2001 r.
(Dz.U.01.130.1450) 28 str. (ISIP), na podst. dyrektywy EU 1999/93/EC
This law defines the conditions to become an official
certification authority
A certificate issued by such an authority is called a qualified
certificate.
A signature obtained this way is called a qualified digital
signature.
The qualified signature is equivalent to the written one!
Polish Certificate Authorities:
•
•
•
•
•
Krajowa Izba Rozliczeniowa,
Polska Wytwórnia Papierów Wartościowych
Unizeto Technologies
MobiCert
Enigma S.O.I.
This list is maintained by Narodowe Centrum Certyfikacji NCCERT
So, what to do if you want to issue the
qualified signatures?
You have to go to one of this companies and get
a qualified certificate (it costs!).
The certificate is valid just for some given
period.
What if the secret key is lost?
1. In this case you have to revoke the
certificate.
Every authority maintains a list of revoked
certificates.
2. The certificates come with some insurance.
Plan
1. The problem of key distribution
2. The idea of Merkle, Diffie and Hellman
3. The solution of Rivest, Shamir and
Adleman
4. Public-Key Infrastructure
5. Identity-based encryption
In many case one doesn’t want to use the
qualified signatures
1.
The certificates cost.
2.
It’s risky to use them:
How do you know what your computer is really signing?
Computers have viruses, Trojan horses, etc.
You can use external (trusted) hardware but it should have a
display (so you can see what is signed).
Remember: qualified signatures are equivalent to the
written ones!
Practical solution
In many cases the qualified signatures are an overkill.
Instead, people use non-qualified signatures.
The certificates are distributed using a public-key
infrastructure (PKI).
Users can certify keys of the other users
knows pk2
knows pk3
P2
P1
pk1
P3
pk3
pk2
“trusts” P2
P2 certifies that pk3 is a public key of P3
signature of P2
P1 believes
that pk3 is a
public key of P3
this should be done only if P2 really met P3 in person and verified his identity
knows pk2
P1
pk1
knows pk3
P2
P3
pk3
pk2
knows pk4
P4
pk4
“trusts” P2
“trusts” P3
P2 certifies that pk3 is a public key of P3
signature of P2
P3 certifies that pk4 is a public key of P4
signature of P3
P1 believes
that pk4 is a
public key of P4
knows pk2
P1
pk1
knows pk3
P2
P3
pk3
pk2
knows pk4
P4
pk4
knows pk5
P5
pk4
“trusts” P2
“trusts” P3
This is called a
certificate chain
“trusts” P4
P2 certifies that pk3 is a public key of P3
signature of P2
P3 certifies that pk4 is a public key of P4
signature of P3
P4 certifies that pk5 is a public key of P5
signature of P4
P1 believes
that pk5 is a
public key of P5
A problem
knows pk2
P1
pk1
knows pk3
P2
P3
pk3
pk2
knows pk4
P4
pk4
“trusts” P2
“trusts” P3
What if P1 does not know P3?
How can he trust him?
Answer: P2 can recommend P3 to P1.
A question: is trust transitive?
Does:
P1
pk1
P2
P3
pk3
pk2
“trusts” P2
“trusts” P3
P2
P3
imply:
P1
pk1
pk3
pk2
“trusts” P3
?
Example
P1
pk1
P2
pk2
trusts that
P2 is a very
honest person
P1
pk1
P2
pk2
I can recommend P3
P3
pk3
trusts that
P3 is a very
honest person
P3
pk3
doesn’t trust that P3
is honest, because he thinks that
P2 is honest but naive
Moral
Trust is not transitive:
“P1 trusts in the certificates issued by P2”
is not the same as saying:
“P1 trusts that
if
P2 says you can trust the certificates issued by P3
then
one can trust the certificates issued by P3”
Recommendation levels
level 1 recommendation:
A: ”you can trusts in all the certificates issued by B”
level 2 recommendation:
A : “you can trust that all the level 1 recommendations issued by B”
level 3 recommendation:
B : “you can trust that all the level 2 recommendations issued by B”
and so on. . .
Recursively:
level i+1 recommendation:
A : “you can trust that all the level i recommendations issued by B”
Now, if:
P2
P1
P3
P4
P1 trusts
P2 issues
P3 issues
in all the recommendations
of level 2 issued by P2
a recommendation
of level 2 for P3
a recommendation
of level 1 for P4
then
P1
P2
P3
P4
trusts the certificates issued by P4
Of course the recommendations also need to be signed.
Starts to look complicated...
How is it solved in practice?
In popular standard is X.509 the recommendation is included
into a certificate.
Here the level of recommendations is bounded using a field
called basic constraints.
X.509 is used for example in SSL.
SSL is implemented is implemented in every popular webbrowser.
So, let’s look at it.
this field limits the
recommendation
depth
(here it’s unlimited)
Concrete example
Let’s go to the Banca Di Roma website
a certificate
chain
the second certificate was
signed by ”Verisign
Primary Authority” for
“Verisign Inc”.
(it’s not strange, we will
discuss it)
Look here
The third certificate
was issued by
Verisign Inc.
for
Banca di Roma
The typical picture
web browser knows these certificates
Verisign
DigiCert
Entrust
...
Implicit assumptions:
Verisign
Europe
Verisign
USA
Verisign
Italy
Banca di Roma
•
•
•
the author of the browser is honest,
the author of the browser is competent
nobody manipulated the browser
a certificate path
is it
always
true?
d1
CA1
cert1
d2
CA2
cert2
d3
CA3
cert3
certn-1
dn
All these certificates have to
have a flag “Is a Certification Authority”
switched on.
CAn
certn
client
Moreover:
each certi has a number di denoting a
maximal depth of certificate chain from
this point
(this limits the recommendation depth)
That is, we need to have:
di ≥ n - i
Is it so important to check it?
Yes!
For example: the last element in the chain can be
anybody (who paid to Verising for a certificate).
For sure we do not want to trust the certificates
issued by anyone.
So, what happens when a user contacts the
bank?
Alice
sends
(cert1,..., certn)
Bank
If Alice’s browser knows cert1 it can
verify the chain and read the public key of
the bank from certn
What happens if the certification path is
invalid?
For example if the first certificate in the path is
not known to the user.
Experiment: let’s delete the Verisign certificate
for the configuration of the browser...
What happens?
Other information that the certificats
contain
• information about the signature algorithm
• validity (dates)
• adress of the certificate revocation list
Another popular PKI
Pretty Good Privacy (PGP) – every user can act
as a certification authority.
Hence the name:
Web of Trust
Plan
1. The problem of key distribution
2. The idea of Merkle, Diffie and Hellman
3. The solution of Rivest, Shamir and
Adleman
4. Public-Key Infrastructures
5. Identity-based encryption
Identity based cryptography
Main idea:
the identifier ID of the user is it’s public key.
(e.g. ID = user’s email address).
message M
C = Enc(ID,M)
ID: [email protected]
question:
What is the private key?
Solution
central authority
secret key [email protected] :
Extract(SK, [email protected])
[email protected]
secret key of [email protected] :
holds a master
secret key SK
Extract(SK, [email protected])
[email protected]
secret key of [email protected] :
Extract(SK, [email protected])
sent over a secure link
[email protected]
How to decrypt
knows [email protected]
message M
C = Enc([email protected], M)
[email protected]
calculates
M=Dec(Skluigi, C)
ID-based encryption
Main advantage:
• no need for PKI
Drawbacks:
• users need to trust an authority,
• and they need to have a secure link to it,
• key revocation?
ID-based encrypion
Proposed by Adi Shamir in 1984.
(he only implemented the identity-based signatures)
First schemes were proposed by Boneh and Franklin
(2001) and, independently Cocks (2001).
In 2002 Boneh started a company
Voltage Security
that produces solutions based on his ID-based scheme.
©2012 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of
this material is currently granted without fee provided that copies are made only for
personal or classroom use, are not distributed for profit or commercial advantage, and
that new copies bear this notice and the full citation.