Class 36: Public-Key Cryptography
A billion billion is a large number, but it's not that large a number.
Whitfield Diffie
CS200: Computer Science
University of Virginia
Computer Science
David Evans
http://www.cs.virginia.edu/evans
Last Time
• How to store passwords securely
– Store the hash of the password
• One-way, collision resistant hashing function (e.g., md5)
– Check the hash of the entered password matches the stored hash
• The password is transmitted over the Internet
23 April 2003
CS200 Spring 2003
Sending Passwords
[Diagram: User → Encrypt → The Internet → Server]
[Diagram: Plaintext (User) → Encrypt (K) → Ciphertext over The Internet → Decrypt (K) → Plaintext (Server)]
$C = \text{Encrypt}_K(P)$
$P = \text{Decrypt}_K(C)$
Lorenz Cipher
From http://www.codesandciphers.org.uk/lorenz/fish.htm
Modern Symmetric Ciphers
A billion billion is a large number, but it's not that large a number.
— Whitfield Diffie
• Same idea but:
– Use digital logic instead of mechanical rotors
– Larger keys
– Encrypt blocks of letters at a time
Modern Ciphers
• AES (Rijndael), successor to DES, selected 2001
• 128-bit keys, encrypt 128-bit blocks
• Brute force attack
– Try 1 trillion keys per second
– Would take 10790283070806000000 years to try all keys!
– If that’s not enough, can use 256-bit key
• No known techniques that do better than brute force search
[Diagram: Plaintext (User) → Encrypt (K) → Ciphertext over The Internet → Decrypt (K) → Plaintext (Server)]
How do User and Server agree on K (without sending it over the Internet)?
Padlocked Boxes
[Figure sequence; labels shown on each successive slide:]
• “Hi!”; Alice
• Alice’s Padlock; Alice; Alice’s Padlock Key
• Shady Sammy’s Slimy Shipping Service; Alice; Alice’s Padlock Key
• Bob’s Padlock; Alice; Bob; Alice’s Padlock Key; Bob’s Padlock Key
• Alice; Bob; Alice’s Padlock Key; Bob’s Padlock Key (two slides)
• Alice; Bob; Bob’s Padlock Key
• “Hi!”; Alice; Bob; Bob’s Padlock Key
Asymmetric Cryptosystems
• Encryption and Decryption are done with different keys
• Keep one of the keys secret, reveal the other
$E_{KR_A}(E_{KU_A}(M)) = M$
Alice’s Public Key: $KU_A$
Alice’s Private Key: $KR_A$
Only $KR_A$ can decrypt a message encrypted using $KU_A$.
Course Evaluations
• SEAS Official Course Evaluation
– Generic questions – not useful for improving courses or teaching
– Administrators read results to decide if CS200 should be offered again (it is not a real course yet) and if I should be fired
– I also read them, and make them available on the web to future students
• CS200 Course Improvement Survey
– Specific questions to help me improve course (if it is offered again, see SEAS survey)
Transparencies
• If you have a laptop, it’s easy
• If not, you will probably need to resize the image to make it line up (all the CRT monitors are slightly different sizes)
• Should see a 3 letter passphrase (only the first 2 letters are checked, hard to see 3rd)
• If you can’t see it, click “Give Up” to go straight to the survey
Remember your Course Pledge
I will provide useful feedback. I realize this is an evolving course and it is important that I let the course staff know what they need to improve the course. I will not wait until the end of the course to make the course staff aware of any problems. I will provide feedback either anonymously (using the course feedback form) or by contacting the course staff directly. I will fill out all course evaluation surveys honestly and thoroughly.
Public-Key Applications: Privacy
[Diagram: Plaintext (Alice) → Encrypt (Bob’s Public Key) → Ciphertext → Decrypt (Bob’s Private Key) → Plaintext (Bob)]
• Alice encrypts message to Bob using Bob’s Public Key
• Only Bob knows Bob’s Private Key ⇒ only Bob can decrypt message
Signatures
[Diagram: Plaintext (Alice) → Encrypt (Alice’s Private Key) → Signed Message → Decrypt (Alice’s Public Key) → Plaintext (Bob)]
• Bob knows it was from Alice, since only Alice knows Alice’s Private Key
• Non-repudiation: Alice can’t deny signing message (except by claiming her key was stolen!)
• Integrity: Bob can’t change message (doesn’t know Alice’s Private Key)
Asymmetric Cryptosystems
• Need a hard problem (like symmetric cryptosystems)
• With a trap door: if you know a secret, the hard problem becomes easy
RSA
[Rivest, Shamir, Adleman 78]
$E(M) = M^e \bmod n$
$D(C) = C^d \bmod n$
Public key $(e, n)$
Private key $d$
$e$, $d$ and $n$ chosen so
$M^{ed} \bmod n = M$
$D(E(M)) = E(D(M)) = M$
Choosing e, d, n
Choose 2 secret primes $p$ and $q$
$n = pq$
$ed \equiv 1 \pmod{(p - 1)(q - 1)}$
Depends on number theory theorems of Euler and Fermat
Finding $d$ is easy if you know $p$ and $q$, but hard if you don’t.
Security of RSA
• $n$ is public, but not $p$ and $q$ where $n = pq$
• If we can find $p$ and $q$, easy to find $d$ (private key)
$n$ is ~200 digits – would take quintillions of years
Factoring is probably NP-Complete (but not proven to be)
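The key setup and identities from the RSA slides, as an added worked example in Python (not part of the original slides). The primes 61 and 53, e = 17 and all function names are constructed toy choices, small enough that n factors instantly, which is exactly what a ~200-digit n prevents.

```python
from math import gcd

def make_keys(p, q, e):
    """Choose e, d, n as on the slides: n = pq, ed ≡ 1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (e, n), pow(e, -1, phi)      # public key (e, n), private key d

def E(m, public):
    """E(M) = M^e mod n."""
    e, n = public
    return pow(m, e, n)

def D(c, d, n):
    """D(C) = C^d mod n."""
    return pow(c, d, n)

def factor(n):
    """Trial division over odd candidates; feasible only because n is tiny."""
    f = 3
    while n % f:
        f += 2
    return f, n // f

def d_from_factoring(public):
    """Knowing p and q makes finding d easy: redo the key setup from them."""
    e, n = public
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))

# Constructed toy parameters (assumption, not from the slides).
PUBLIC, PRIVATE_D = make_keys(61, 53, 17)

def identities_hold(public, d):
    """Check D(E(M)) = E(D(M)) = M for every M below n."""
    n = public[1]
    return all(D(E(m, public), d, n) == m and E(D(m, d, n), public) == m
               for m in range(n))

if __name__ == "__main__":
    c = E(65, PUBLIC)
    print("public", PUBLIC, "private d", PRIVATE_D)
    print("E(65) =", c, " D(E(65)) =", D(c, PRIVATE_D, PUBLIC[1]))
    print("identities hold:", identities_hold(PUBLIC, PRIVATE_D))
    print("d recovered from factoring n:", d_from_factoring(PUBLIC))
```

This is the bare arithmetic with no padding, so it illustrates the trap door rather than a usable cipher.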
[Diagram: Plaintext (User) → Encrypt ($KU_S$, Public Key) → Ciphertext over The Internet → Decrypt ($KR_S$, Private Key) → Plaintext (Server)]
How does User know the public key to use?
Key Management
Approach 1: Meet Secretly
• User and Server Operator meet secretly and swap public keys
– If you can do that, might as well agree on a secret (symmetric key) instead
– Doesn’t work for Internet transactions
Approach 2: Public Announcement
• Publish public keys in a public forum
– Append to email messages
– Post on web site
– New York Times classifieds
• Easy for rogue to pretend to be someone else
– Forge email, alter web site, lie to New York Times
Approach 3: Public Directory
• Trusted authority maintains directory mapping names to public keys
• Entities register public keys with authority in some secure way
• Authority publishes directory
– Print using watermarked paper, special fonts, etc.
– Allow secure electronic access
• Depends on secure distribution of directory’s key
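Approach 4: Certificates
[Diagram: Server (knows $KR_S$) gives $KU_S$ and payment (“$$$$”) to VeriSign and gets back the certificate $C_S$; Request and $C_S$ pass between User and Server]
$C_S = E_{KR_{VeriSign}}[\text{“Server”}, KU_S]$
$E_{KU_{VeriSign}}(C_S) = [\text{“Server”}, KU_S]$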
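SSL (Secure Sockets Layer)
[Protocol diagram between Browser and Server:]
• Browser → Server: Hello
• Server → Browser: $KR_{CA}[\text{Server Identity}, KU_S]$
• Browser: Check Certificate using $KU_{CA}$; pick random $K$
• Browser → Server: $KU_S[K]$
• Server: Find $K$ using $KR_S$
• Secure channel using $K$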
Data encrypted using secret key exchanged using some public key associated with some certificate.
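The certificate check and key exchange from the Certificates and SSL slides, as an added Python sketch (not code from the original slides). The Mersenne-prime keys, the hash-then-apply-key step and all function names are assumptions made to keep the exchange short; the slides apply $KR_{CA}$ to the record itself.

```python
import hashlib
import secrets

E_PUB = 65537

def keypair(p, q):
    """Return (KU, KR) = ((e, n), (d, n)) from two secret primes."""
    n = p * q
    return (E_PUB, n), (pow(E_PUB, -1, (p - 1) * (q - 1)), n)

def apply_key(key, x):
    """The slides' K[x]: x raised to the key's exponent, mod n."""
    exponent, n = key
    return pow(x, exponent, n)

def record_hash(identity, ku, n):
    """SHA-256 of the record [identity, KU], reduced to fit the toy modulus."""
    record = f"{identity}|{ku[0]}|{ku[1]}".encode()
    return int.from_bytes(hashlib.sha256(record).digest(), "big") % n

# Constructed toy keys (assumption); real keys use large random primes.
KU_CA, KR_CA = keypair(2**89 - 1, 2**107 - 1)
KU_S, KR_S = keypair(2**61 - 1, 2**127 - 1)

def issue_certificate(identity, ku):
    """CA side: bind identity to KU with KR_CA."""
    sig = apply_key(KR_CA, record_hash(identity, ku, KR_CA[1]))
    return {"identity": identity, "ku": ku, "sig": sig}

def check_certificate(cert, expected_identity):
    """Browser side: KU_CA[sig] must match the hash of the claimed record."""
    expected = record_hash(cert["identity"], cert["ku"], KU_CA[1])
    return (cert["identity"] == expected_identity
            and apply_key(KU_CA, cert["sig"]) == expected)

def handshake(cert, expected_identity):
    """Check certificate, send KU_S[K]; return (browser K, server K)."""
    if not check_certificate(cert, expected_identity):
        raise ValueError("certificate check failed")
    k = secrets.randbits(128)             # browser picks random K
    wrapped = apply_key(cert["ku"], k)    # KU_S[K] crosses the network
    return k, apply_key(KR_S, wrapped)    # server finds K using KR_S

CERT = issue_certificate("Server", KU_S)
# Constructed forgery: genuine CA signature reused with a substituted key.
FORGED = dict(CERT, ku=keypair(2**31 - 1, 2**61 - 1)[0])

if __name__ == "__main__":
    print(check_certificate(CERT, "Server"), check_certificate(FORGED, "Server"))
    print(handshake(CERT, "Server"))
```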
How do you make your web site password form encrypt its input?
https://
http://
Charge
• Remember to do the course evaluations
– Don’t count on the SEAS site being up right until the last minute
• Friday: Secret of Life
• Monday: PS8 Presentations
– No more than 5 minutes for teams of 3 or more, 3 minutes for 2 or less (strictly enforced)
– There will be token prizes for the most impressive, best contribution and best presentation