Cryptography and Network Security - PowerPoint PPT Presentation

1 / 29

About This Presentation

Title:

Cryptography and Network Security

Description:

Every Egyptian received two names, which were known respectively as the true ... this combats the Pollard factoring algorithm. RSA in Practice ... – PowerPoint PPT presentation

Number of Views:82

Avg rating:3.0/5.0

Slides: 30

Provided by: drla67

Category:

more less

Transcript and Presenter's Notes

Title: Cryptography and Network Security

1
Cryptography and Network Security

Third Edition
by William Stallings
Lecture slides by Lawrie Brown
Modified by David Martin

2
Chapter 9 Public Key Cryptography and RSA

Every Egyptian received two names, which were
known respectively as the true name and the good
name, or the great name and the little name and
while the good or little name was made public,
the true or great name appears to have been
carefully concealed.
The Golden Bough, Sir James George Frazer

3
Private-Key Cryptography

traditional private/secret/single key
cryptography uses one key
shared by both sender and receiver
if this key is disclosed communications are
compromised
also is symmetric, parties are equal
hence does not protect sender from receiver
forging a message claiming is sent by sender
or prevent an actual sender from denying it sent
the message (repudiating)

4
Public-Key Cryptography

probably most significant advance in the 3000
year history of cryptography
uses two keys a public a private key
asymmetric since parties are not equal
uses clever application of number theoretic
concepts
complements rather than replaces secret key crypto

5
Public-Key Cryptography

public-key/two-key/asymmetric cryptography
involves the use of two keys
a public-key, which may be known by anybody, and
can be used to encrypt messages, and verify
signatures
a private-key, known only to the recipient, used
to decrypt messages, and sign (create) signatures
is asymmetric because
those who encrypt messages or verify signatures
cannot decrypt messages or create signatures

6
Public-Key Cryptography
7
Why Public-Key Cryptography?

developed to address two key issues
key distribution how to have secure
communications in general without having to trust
a KDC with your key
digital signatures how to verify a message
comes intact from the claimed sender
public invention due to Whitfield Diffie Martin
Hellman at Stanford in 1976
known earlier in classified community

8
Public-Key Characteristics

Public-Key algorithms rely on two keys with the
characteristics that it is
computationally infeasible to find decryption key
knowing only algorithm encryption key
computationally easy to en/decrypt messages when
the relevant (en/decrypt) key is known
either of the two related keys can be used for
encryption, with the other used for decryption
(in some schemes)

9
Public-key Cryptosystems
10
Public-Key Cryptosystems
11
Public-Key Applications

can classify uses into 3 categories
encryption/decryption (provide secrecy)
digital signatures (provide authentication)
key exchange (of session keys)
some algorithms are suitable for all uses, others
are specific to one

12
Security of Public Key Schemes

like private key schemes brute force exhaustive
search attack is always theoretically possible
but keys used are too large (gt512 bits)
not comparable to symmetric key sizes
security relies on a large enough difference in
difficulty between easy (en/decrypt) and hard (to
cryptanalyze) problems
more generally the hard problem is known, its
just made too hard to do in practice
requires the use of very large numbers
hence is slow compared to secret key schemes

13
RSA

by Rivest, Shamir Adleman of MIT in 1977
patent expired in September 2000
best known widely used public-key scheme
based on modular exponentiation
exponentiation takes O((log n)3) bit operations
(easy)
still, 1000 times slower than DES (hardware) 100
times slower in software
uses large integers (eg. 1024 bits)
security due to cost of factoring large numbers
nb. factorization takes O(e log n log log n)
operations (hard)

14
RSA Key Setup

each user generates a public/private key pair by
selecting two large primes at random - p, q
computing their system modulus Npq
note ø(N)(p-1)(q-1)
selecting the encryption key e
where 1lteltø(N), gcd(e,ø(N))1
solve following equation to find decryption key d
ed1 mod ø(N) and 0dN
publish their public encryption key KUe,N
keep secret private decryption key KRd,p,q

15
RSA Use

to encrypt a message M the sender
obtains public key of recipient KUe,N
computes CMe mod N, where 0MltN
to decrypt the ciphertext C the owner
uses their private key KRd,p,q
computes MCd mod N
note that the message M must be smaller than the
modulus N (block if needed)

16
Why RSA Works

because of Euler's Theorem
aø(n)mod N 1
where gcd(a,N)1
in RSA have
Npq
ø(N)(p-1)(q-1)
carefully chosen e d to be inverses mod ø(N)
hence ed1kø(N) for some k
hence Cd (Me)d M1kø(N) M1(Mø(N))k
M1(1)k M1 M mod N

17
RSA Example

Select primes p17 q11
Compute n pq 1711187
Compute ø(n)(p1)(q-1)1610160
Select e gcd(e,160)1 choose e7
Determine d de1 mod 160 and d lt 160 Value is
d23 since 237161 101601
Publish public key KU7,187
Keep secret private key KR23,17,11

18
RSA Example cont

sample RSA encryption/decryption is
given message M 88 (nb. 88lt187)
encryption
C 887 mod 187 11
decryption
M 1123 mod 187 88

19
Exponentiation

can use the Square and Multiply Algorithm
a fast, efficient algorithm for exponentiation
concept is based on repeatedly squaring base
and multiplying in the ones that are needed to
compute the result
look at binary representation of exponent
only takes O(log2 n) multiples for number n
eg. 75 74(71) 3(7) 10 mod 11
eg. 3129 3128(31) 5(3) 4 mod 11

20
Exponentiation
21
RSA Key Generation

users of RSA must
determine two primes at random - p, q
select either e or d and compute the other
primes p,q must not be easily derived from
modulus Np.q
means must be sufficiently large
typically guess and use probabilistic test
exponents e, d are inverses, so use Inverse
algorithm to compute the other

22
RSA Security

four approaches to attacking RSA
brute force key search (infeasible given size of
numbers)
mathematical attacks (based on difficulty of
computing ø(N), by factoring modulus N)
timing attacks (on running of decryption)
misuse attacks

23
Factoring Problem

factoring is in NP and co-NP
have seen slow improvements over the years
as of Aug-99 best is 130 decimal digits (512 bit)
with GNFS
As of Dec-03 best is 174 decimal digits (576 bit)
biggest improvement comes from improved algorithm
cf Quadratic Sieve to Generalized Number Field
Sieve
barring dramatic breakthrough 1024 bit RSA
secure
ensure p, q of similar size and matching other
constraints
Google RSA Security for "RSA Factoring Challenge"

24
Factoring in NP and co-NP

Factorsltm,rgt there exists s such that 1ltsltrltm
and sm
ltm,rgt in Factors means m is composite
Can find factors with binary search on r
Factors in NP the witness is a factor
Factors is not known to be NP-hard

25
Factoring in NP and co-NP

Factors in co-NP
Primesltm,rgt m is prime
If m is prime, then witness generates the group
Zm
To verify ltagt Zm, need to compute m powers of
a, too much time
We know that o(a) Zm if a is a generator,
whether m is prime or not
So guess verify factorization of m-1,and that
aq ltgt 1 mod m for all q m-1

26
Timing Attacks

developed in mid-1990s
exploit timing variations in operations
eg. multiplying by small vs large number
or faults varying which instructions executed
infer operand size based on time taken
RSA exploits time taken in exponentiation
countermeasures
use constant exponentiation time
add random delays
blind values used in calculations

27
RSA complexity

The "RSA Problem", RSAP
Idea given public info and a ciphertext, figure
out the plaintext
Input
n pq for some unknown primes p,q
e such that gcd(e,(p-1)(q-1)) 1
c, a cipher text
Output
m such that me c (mod pq)

28
RSA complexity

Fact If you know how to efficiently factor
numbers, then you can efficiently solve RSAP by
just computing the decryptor d
So RSAP is no harder than factoring
However, if you know how to solve RSAP, this may
or may not lead to a method for factoring numbers
Some smart people suspect that factoring also
reduces to RSAP, but no proof yet

29
RSA complexity

The RSA "key problem", RSAKP
Idea given public info, compute decryptor
Input
n pq for some unknown primes p,q
e such that gcd(e,(p-1)(q-1)) 1
Output
d such that ed 1 (mod (p-1)(q-1))

30
RSA complexity

Fact RSAKP is computationally equivalent to
factoring n (a product of two primes)
We already know how to compute d if we know both
p and q
But conversely, any efficient method for
computing d from public info can be converted
into an efficient method for factoring arbitrary
numbers like n

31
RSA in Practice

In order to avoid factoring, p and q should be
about the same bitlength
512-bit n is too small. Recommendation is
1024-bit n (512 bits for each p, q)
p-q should not be "too small" (it wont be if p,
q chosen randomly)
Many recommend that p, q be strong primes. p is
strong if
p-1 has a large prime factor called r
p1 has a large prime factor
r-1 has a large prime factor
this combats the Pollard factoring algorithm

32
RSA in Practice

Encryption can be sped up by selecting an e with
few 1s in its binary representation
Because of modular squaring algorithm
Common values for e
3 101
65537 216 1
e is public anyway. But using same e for all
does not seem to weaken system. Still have to
ensure that gcd(e, ø(n)) 1.

33
Misuse Attacks

Encrypting the same message to 3 different
parties using e3
Using CRT, attacker can recover plaintext by
computing cube root
Similarly, if m lt n1/e, then me lt n, and
adversary can compute ordinary eth root
Salt the message (add random padding) to mitigate
this risk

34
More Misuse

Recall RSAKP (key problem) can be used to solve
factoring
In other words, knowing both e and d lets you
factor n
So you must not reuse the same modulus between
different keypairs
Take-home message don't implement merely from
textbook description. Find a library!

35
Summary