Document 7388399

Download Report

Transcript Document 7388399

Public Key Cryptography
Tom Horton
Alfred C. Weaver
CS453 Electronic Commerce
1
References





Chap. 12 of Treese and Stewart textbook
Web articles on PGP, GPG, Phil Zimmerman
Bruce Schneier, “Applied Cryptography,” John
Wiley & Sons
Andrew Tanenbaum, “Computer Networks,”
Prentice-Hall
Jim Kurose and Keith Ross, “Computer
Networking,” Addison-Wesley
2
Overview of PKC


Also known as using asymmetric keys
A pair of keys




(Can think of this as one long key in two parts)
One used for encryption, the other for decryption
One publicly accessible, the other private to one person
Algorithms / Systems





RSA (Rivest, Shamir, Adelman)
DSA (Digital Signature Algorithm)
PGP, OpenPGP, GPG (Gnu’s PGP)
ssh, sftp
SSL
3
Public Key Cryptography
Plaintext
Encryption
Encryption with
Receiver’s Public
Key
Ciphertext
Decryption
Original
Plaintext
Decryption with
Receiver’s Private
Key
4
Mailbox Analogy

Part of the system is public yet secure




Usefully accessing the info requires a private
key


Mailbox with slot
Public: everyone can access it and leave info
Secure: info not accessible to anyone except
The recipient has something personal to get to the
data and read it
Matches common use (shown in slide):
Sending encrypted information to someone

Other ways to use this
5
6
Public Key Cryptography








Key is some large number (string of bits)
Key has two parts, one public, one private
Public key is well-known
Trusted agents verify the public key
Private key is a secret forever
Key is arbitrarily large
Encrypt with receiver’s public key
Decrypt with receiver’s private key
7
Public Key Cryptography







1. Choose two large primes, p and q
2. Compute n = (p)(q)
3. Compute z = (p-1)(q-1)
4. Choose d such that it is relatively
prime to z (no common divisor)
5. Find e such that (e)(d) modulo z = 1
6. Public key is (e,n)
7. Private key is (d,n)
8
Public Key Cryptography


8. To encrypt plaintext message m, compute
c = me mod n
9. To decrypt ciphertext message c, compute
m = cd mod n.
9
PKC Example

1. Choose two (large) primes, p and q


2. Compute n = (p)(q)


n = (3)(11) = 33
3. Compute z = (p-1)(q-1)


p = 3 and q = 11
z = (2)(10) = 20
4. Choose d such that it is relatively prime to
z (no common divisor)


choose d = 7
7 and 20 have no common divisor
10
PKC Example

5. Find e such that (e)(d) modulo z = 1



6. Public key is (e,n)


find e such that 7e mod 20 = 1
one solution is e = 3
public key = (3, 33)
7. Private key is (d,n)

private key is (7, 33)
11
PKC Example

8. To encrypt plaintext message m, compute
c = me mod n



c = m3 mod 33
note: require m < n
9. To decrypt ciphertext message c, compute
m = cd mod n

m = c7 mod 33
12
PKC Example



Encode letter “S” as 19 just because it is the 19th
letter of the alphabet, so plaintext message m = “S”
= 19
Of course we could use any other encoding, say
ASCII
Encryption (e=3):



c = me mod n = 193 mod 33
c = 6,859 mod 33 = 28
Decryption (d=7):


m = cd mod n = 287 mod 33
m = 13,492,928,512 mod 33 = 19
13
Work an Example
1. Choose two (not so large) primes, p and q
p = 47 and q = 71
2. n = (p)(q) = (47)(71) = 3337 = n
3. z = (p-1)(q-1) = (46)(70) = 3220 = z
4. Choose e (or d) such that it is relatively prime to z
(i.e., e and z share no common divisors)
e=5? 3220/5=644 no
e=23? 3220/23=140 no
e=35? 3220/35=92
no
e=79? 3220 and 79 share no divisors ... yes
14
Work an Example
5. Choose d such that (e)(d) modulo z = 1
So: 79d mod z = 1 now what?
Compute candidate values of d
d = 1019 or 4239 or 7459 or ...
6. Public key = (e, n) = (79, 3337)
7. Private key = (d, n) = (1019, 3337)
15
Work an Example
8. Encrypt: c = me mod n
Let the message = m = 3
c = 379 mod 3337
= 4926960980478197443869440340212776567 mod 3337
= 158
16
17
Work an Example
9. Decrypt: m = cd mod n
m = 1581019 mod 3337
m=3
18
19
Now Do This One
m = 12871283761287623450982346231237462836428
e = 98982347326723847658728742384782347823477
d = 87385671910957210238457823842398472397471
n = 91239128371982491824912873918237918239183
What is me mod n? What is cd mod n?
123981203981297532739456374587469898274502399
129837129837923593045734658264927341204389245
987239472934729375923457935793457938573947593
981239123912371982749128379357935793579872391
893459873495873294573298572986798256984569873
987347373477609823497243958713057312409857753
134957831294709246798570398422362456698987987
239048203850923486095860396840958609832492398
203895793867938679387593857392720020204230... 20
Public Key Cryptography



Now imagine that p and q are hundreds of
digits long!
Power of PKC based upon the difficulty of
factoring large numbers
Commercial firms provide:




choice of p and q
suitable e and d
software for large integer arithmetic
registration of keys to a particular entity
21
22
RSA Implementation


Java implementation of the RSA version of public
key cryptography
http://intercom.virginia.edu/crypto/crypto.html
23
Public Key + Symmetric Key


Public key algorithms are slow when used
with large numbers
Commercial practice:




generate random symmetric key for each message
or session
use symmetric key techniques to encrypt
message(s)
encrypt the random symmetric key using PKC
provide recipient with encrypted symmetric key,
signed with a digital signature, and a signature
certificate
24
Digital Signatures




Digital signatures use PKC techniques to sign
a message, proving the authenticity of the
sender
Sender encrypts some message with his
private key
Receiver consults a certification authority to
verify sender’s public key
Receiver uses sender’s verified public key to
decrypt sender’s message
25
Digital Signatures
Plaintext
Encryption
Encryption with
Sender’s Private
Key
Ciphertext
Decryption
Original
Plaintext
Decryption with
Sender’s Public
Key
26
Digital Signatures





ciphertext = (message)private-key mod n
message = (ciphertext)public-key mod n
In other words, reverse the use of “e” and
“d” from PKC
But, PKC is slow when the keys are large
So instead, take a “hash” of the message and
sign that
27
Digital Signatures







Message = m = “ABCDE”
Let hash be mod 10 sum of bytes
hash(m) = (65+66+67+68+69) mod 10
= 335 mod 10 = 5
If any byte of message changes, there is a 1
in 10 change that we will catch it
Poor choice of h, but illustrative
Later we learn how to make a good hash
function
28
Digital Signatures









Sender computes hash H of plaintext
Sender encrypts hash with his private key
digsig = (H)private mod n
Receiver decrypts the digsig with sender’s public key
Hdecrypted = (digsig)public mod n
Receiver recovers the plaintext of the message from its
ciphertext (however that’s done)
Receiver uses same hash function on recovered plaintext
to get computed hash value, Hcomputed
If Hcomputed = Hdecrypted, then with probability p the
plaintext was not altered enroute, and with probability 1
the hash was signed by the owner of the public key
How do we make p vanishingly small? (soon)
29
Still Not Done



PKC is very, very powerful
So is symmetric key if key is long
But there are still ways to attack the process,
if not the algorithm
30
Bob Talks to Alice
1. Bob sends his public key
2. Alice sends her public key
3. Bob encrypts with
Alice’s public key
4. Bob sends encrypted
message to Alice
5. Alice decrypts with Alice’s private key
6. Alice encrypts with Bob’s public key
7. Alice sends encrypted message to Bob
8. Bob decrypts with Bob’s private key
Bob and Alice are now communicating
securely --- or are they?
31
Risks
Bob
Mallory
Alice
Mallory replaces Alice's and
Bob's public key with her own;
records data and re-encrypts it
with the other person's
purported public key
32
How Secure is Symmetric Key Cryptography?






DES is toast
Known that DES can be broken in a few
hours, and probably in just minutes or
seconds
If DES can be broken in one second, then
128-bit AES takes 119 trillion years
3DES (168 bits) takes longer
256-bit AES takes far longer
This assumes there are no trap doors (and no
reason to suspect there are any)
33
How Secure is Public Key Cryptography?






As secure as you wish it to be
Moore’s Law says that computing power doubles at
no increase in cost every 18 months
Approximately true since 1976
As computing power progresses, increase key length
But beware distributed computing!
Make sure key is much, much longer than any one
machine can solve, because many computers might
be working on it
34
How Secure is Modern Crypto?

For now, crypto provides very serious
protection for electronic commerce
transactions when using



symmetric keys of length >= 128 bits
public keys of length >= 1024 bits
If cryptography is so strong, why is this not a
completely solved problem?
35
Key Management



Crypto is strong – so criminals, hackers, and
the government go after key management
If the keys are not secure, the communication
is not secure
The threat to modern cryptography is key
management




key
key
key
key
distribution
revocation
storage
theft
36
Digital Signature
Sender’s data
Hash algorithm (SHA-1, MD5)
Hash code (message digest)
Timestamp
PKC encryption
Sender’s private key
Digital signature
Validate with sender’s
public key
Timestamp
37
Hash Code


What makes a good hash code?
Recall why we use it:



the hash code is digitally signed (rather than the
message itself) for computational economy
the hash code is used to prove message integrity
hash(P) = hash ( D ( E ( P) ) )
38
Characteristics



One-way hash function H operates on arbitrary
length message M and returns a fixed length
hash value, h=H(M)
Many functions can do that
Our goals are



given M, easy to compute h
given h, difficult to compute M s.t. H(M)=h
given M, hard to find M’ such that H(M’) = H(M)
39
Hash Codes (Message Digests)
One example scheme:
01011111 …. 11
01001110 …. 10
00100001 …. 01
01001001 …. 11
11010100 …. 10
11110000 …. 11
10001011 …. 00
File for which you wish to
prove integrity (M)
H = exclusive-OR
h = 11010110 ... 10 = H(M)
40
Discussion




Let the hash function H() be the n-bit wide
exclusive-or of the message M.
Is that a good hash function?
Advantages?
Disadvantages?
41
Discuss
What if H(M) is a 16-bit wide exclusive OR?
M = “I will buy your house for $1,000,000”
M base 2 = 01100101 01101100
00101010 01101010
.....
H(M) =
10010100 01010110
Premise: If I use EX-OR as hash, and digitally sign
the hash value, then neither you nor I can change
the contract because doing so would change the
hash, and thus H(D(E(P))) != H(P).
Is that true?
42
Cheating with Digital Signatures
1. Change $1,000,000 to $1
2. Hash is only 16 bits wide.
3. There are only 216 hash values.
4. Start generating other variations on the
message that are merely cosmetic,
e.g., replace space with space-backspace-space, or
replace “.<CR>” with “.<space><CR>”
5. If this were a contract with >16 lines, making or not
making one change on each of 16 lines would produce
>216 variations of the document.
6. Not all 216 hash values are necessarily present---this
just shows that it is relatively easy to produce a
large number of variants quickly and easily –
and automatically!
43
Cheating with Digital Signatures




So take the original document and digitally
sign it.
Take a version of the altered document
where H(M’)=H(M) and sign that one also.
Present your check for $1.
Go to court to enforce the digitally signed
contract M’ where the price is $1.
44
Lessons


Lesson #1: H(M) needs to produce a lot
more than 16 bits. Target 128 or 256.
Lesson #2: And while we’re at it, let’s stir the
bits when computing H(M) so that hash bits
are a function of more than just a single
column of bits. Want each hash bit hi to be a
function of many input bits (as with DES).
45
Real-world crypto hash functions

MD5 and SHA-1 commonly used


Wikipedia:




Supported in libraries (e.g. PHP)
http://en.wikipedia.org/wiki/Cryptographic_hash_f
unction
http://en.wikipedia.org/wiki/MD5
http://en.wikipedia.org/wiki/SHA_hash_functions
Bruce Schneier, “Applied Cryptography”,
pages 436-441.
46
Tools


Gnu PGP
OpenSSL


Language libraries


More info on this later
E.g. PGP
Commercial vendors or groups

E.g. www.bouncycastle.org
47
Another Bit of History

The Clipper Chip



A encryption chip



Promoted by the US Government from 1993-96
http://en.wikipedia.org/wiki/Clipper_chip
To be installed in devices doing voice transmission
Skipjack algorithm developed by NSA
Government agency holds private keys “in
escrow”

If an agency “established its authority”, it could be
given the key
48
Threats on encryption


Distributed computing (grid computing) on
the scale of the Internet
Quantum computing
49
50
Pretty Good Privacy


PGP designed by Phillip Zimmerman for
electronic mail
Uses three known techniques:

IDEA for encrypting email message
 International Data Exchange Algorithm
 block cipher with 64-bit blocks
 similar in concept but different in details from
DES
 uses 128-bit keys
 patented, but free for non-commercial use
51
Controversies

Was released overseas




Use of RSA patents



Zimmerman says not by him
US Government investigated him for 3 years under
the Arms Export Control Act
Dropped in 1996
PGP eventually became a company
Open PGP
Use by non-government groups

Dissidents, terrorists, etc.
52
PGP





RSA public key encryption
 permits keys up to 2,047 bits in length
Digital signatures use MD5 as the one-way
hash function
PGP generates a random 128-bit symmetric
key, used by IDEA for each email message
PGP generates its own public/private key
pairs
Keys are stored locally using a hashed pass
phrase
53
Hashed Pass Phrase



Access to the private key is granted by
providing the “pass phrase” (not password)
Should be on the order of 100 characters
Issues with a pass phrase:


what’s the chance of guessing a 100 character
phrase?
Is it 2^(100*8)?
54
Hashed Pass Phrase






People don’t want to type 100 characters, so they are
typically shorter
Can you remember
“ndjehrkanf48ahdmmdh3jnqlkfyebnekfjnanrb9roakfn
63nfgaprektnvcgesiwm”?
Dictionary attacks (common words)
Personal knowledge attacks (spouse, children, pets,
birthdays, anniversaries)
Cultural bias (English)
Subject bias (computing, accounting)
55
PGP


PGP does not use conventional certificates
(too expensive)
Instead,





users generate and distribute their own public
keys
sign each other’s public keys
save trusted public keys on public-key ring
users build a web of trust
users determine how much to trust
56
PGP Comments

PGP is very powerful for email



runs on many platforms
available free from www.pgpi.org
But



no key revocation authority
no foolproof way to withdraw a compromised key
maybe there are some residual concerns over a
prior government lawsuit (now resolved) against
Phil Zimmerman
57
58