Cryptography and Network Security - PowerPoint PPT Presentation

Slides: 30
Provided by: drla67
Transcript and Presenter's Notes


1
Cryptography and Network Security
  • Third Edition
  • by William Stallings
  • Lecture slides by Lawrie Brown
  • Modified by David Martin

2
Chapter 9 Public Key Cryptography and RSA
  • Every Egyptian received two names, which were
    known respectively as the true name and the good
    name, or the great name and the little name and
    while the good or little name was made public,
    the true or great name appears to have been
    carefully concealed.
  • The Golden Bough, Sir James George Frazer

3
Private-Key Cryptography
  • traditional private/secret/single key
    cryptography uses one key
  • shared by both sender and receiver
  • if this key is disclosed communications are
    compromised
  • also is symmetric, parties are equal
  • hence does not protect sender from receiver
    forging a message and claiming it was sent by sender
  • or prevent an actual sender from denying it sent
    the message (repudiating)

4
Public-Key Cryptography
  • probably most significant advance in the 3000
    year history of cryptography
  • uses two keys: a public and a private key
  • asymmetric since parties are not equal
  • uses clever application of number theoretic
    concepts
  • complements rather than replaces secret key crypto

5
Public-Key Cryptography
  • public-key/two-key/asymmetric cryptography
    involves the use of two keys
  • a public-key, which may be known by anybody, and
    can be used to encrypt messages, and verify
    signatures
  • a private-key, known only to the recipient, used
    to decrypt messages, and sign (create) signatures
  • is asymmetric because
  • those who encrypt messages or verify signatures
    cannot decrypt messages or create signatures

6
Public-Key Cryptography
7
Why Public-Key Cryptography?
  • developed to address two key issues
  • key distribution: how to have secure
    communications in general without having to trust
    a KDC with your key
  • digital signatures: how to verify a message
    comes intact from the claimed sender
  • public invention due to Whitfield Diffie and Martin
    Hellman at Stanford in 1976
  • known earlier in classified community

8
Public-Key Characteristics
  • Public-Key algorithms rely on two keys with the
    characteristics that it is
  • computationally infeasible to find decryption key
    knowing only algorithm and encryption key
  • computationally easy to en/decrypt messages when
    the relevant (en/decrypt) key is known
  • either of the two related keys can be used for
    encryption, with the other used for decryption
    (in some schemes)

9
Public-key Cryptosystems
10
Public-Key Cryptosystems
11
Public-Key Applications
  • can classify uses into 3 categories
  • encryption/decryption (provide secrecy)
  • digital signatures (provide authentication)
  • key exchange (of session keys)
  • some algorithms are suitable for all uses, others
    are specific to one

12
Security of Public Key Schemes
  • like private key schemes brute force exhaustive
    search attack is always theoretically possible
  • but keys used are too large (> 512 bits)
  • not comparable to symmetric key sizes
  • security relies on a large enough difference in
    difficulty between easy (en/decrypt) and hard (to
    cryptanalyze) problems
  • more generally the hard problem is known, it's
    just made too hard to do in practice
  • requires the use of very large numbers
  • hence is slow compared to secret key schemes

13
RSA
  • by Rivest, Shamir and Adleman of MIT in 1977
  • patent expired in September 2000
  • best known and widely used public-key scheme
  • based on modular exponentiation
  • exponentiation takes O((log n)^3) bit operations
    (easy)
  • still, 1000 times slower than DES (hardware), 100
    times slower in software
  • uses large integers (eg. 1024 bits)
  • security due to cost of factoring large numbers
  • nb. factorization takes O(e^(log n log log n))
    operations (hard)

14
RSA Key Setup
  • each user generates a public/private key pair by
  • selecting two large primes at random - p, q
  • computing their system modulus N = p.q
  • note ø(N) = (p-1)(q-1)
  • selecting the encryption key e
  • where 1 < e < ø(N), gcd(e,ø(N)) = 1
  • solve following equation to find decryption key d
  • e.d = 1 mod ø(N) and 0 ≤ d ≤ N
  • publish their public encryption key KU = {e,N}
  • keep secret private decryption key KR = {d,p,q}

15
RSA Use
  • to encrypt a message M the sender
  • obtains public key of recipient KU = {e,N}
  • computes C = M^e mod N, where 0 ≤ M < N
  • to decrypt the ciphertext C the owner
  • uses their private key KR = {d,p,q}
  • computes M = C^d mod N
  • note that the message M must be smaller than the
    modulus N (block if needed)

16
Why RSA Works
  • because of Euler's Theorem
  • a^ø(N) mod N = 1
  • where gcd(a,N) = 1
  • in RSA have
  • N = p.q
  • ø(N) = (p-1)(q-1)
  • carefully chosen e and d to be inverses mod ø(N)
  • hence e.d = 1 + k.ø(N) for some k
  • hence C^d = (M^e)^d = M^(1+k.ø(N)) = M^1.(M^ø(N))^k
    = M^1.(1)^k = M^1 = M mod N

17
RSA Example
  • Select primes: p = 17 and q = 11
  • Compute n = pq = 17×11 = 187
  • Compute ø(n) = (p-1)(q-1) = 16×10 = 160
  • Select e: gcd(e,160) = 1; choose e = 7
  • Determine d: d.e = 1 mod 160 and d < 160. Value is
    d = 23 since 23×7 = 161 = 1×160 + 1
  • Publish public key KU = {7,187}
  • Keep secret private key KR = {23,17,11}

18
RSA Example cont
  • sample RSA encryption/decryption is
  • given message M = 88 (nb. 88 < 187)
  • encryption
  • C = 88^7 mod 187 = 11
  • decryption
  • M = 11^23 mod 187 = 88

19
Exponentiation
  • can use the Square and Multiply Algorithm
  • a fast, efficient algorithm for exponentiation
  • concept is based on repeatedly squaring base
  • and multiplying in the ones that are needed to
    compute the result
  • look at binary representation of exponent
  • only takes O(log_2 n) multiples for number n
  • eg. 7^5 = 7^4.7^1 = 3.7 = 10 mod 11
  • eg. 3^129 = 3^128.3^1 = 5.3 = 4 mod 11
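
Added example (not part of the original slides): the RSA key setup, encryption and decryption steps in Python, with exponentiation done by square and multiply. Function names are this example's own; the parameters are the slides' toy values p = 17, q = 11, e = 7, M = 88.

```python
from math import gcd

def square_and_multiply(base, exponent, modulus):
    """Scan the exponent's bits from the top: square for every bit,
    multiply in the base only where the bit is 1."""
    result = 1
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        if bit == "1":          # data-dependent branch: not constant time
            result = (result * base) % modulus
    return result

def extended_gcd(a, b):
    """Return (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = extended_gcd(b, a % b)
    return g, y, x - (a // b) * y

def rsa_keypair(p, q, e):
    """N = p.q, phi = (p-1)(q-1), d = inverse of e mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(N) and gcd(e, phi(N)) = 1")
    _, d, _ = extended_gcd(e, phi)
    return (e, n), (d % phi, p, q)      # KU = {e,N}, KR = {d,p,q}

def encrypt(m, public_key):
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < N")
    return square_and_multiply(m, e, n)

def decrypt(c, private_key):
    d, p, q = private_key
    return square_and_multiply(c, d, p * q)

if __name__ == "__main__":
    ku, kr = rsa_keypair(17, 11, 7)     # the slides' toy parameters
    c = encrypt(88, ku)
    print(ku, kr, c, decrypt(c, kr))
```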

20
Exponentiation
21
RSA Key Generation
  • users of RSA must
  • determine two primes at random - p, q
  • select either e or d and compute the other
  • primes p,q must not be easily derived from
    modulus N = p.q
  • means must be sufficiently large
  • typically guess and use probabilistic test
  • exponents e, d are inverses, so use Inverse
    algorithm to compute the other

22
RSA Security
  • four approaches to attacking RSA
  • brute force key search (infeasible given size of
    numbers)
  • mathematical attacks (based on difficulty of
    computing ø(N), by factoring modulus N)
  • timing attacks (on running of decryption)
  • misuse attacks

23
Factoring Problem
  • factoring is in NP and co-NP
  • have seen slow improvements over the years
  • as of Aug-99 best is 130 decimal digits (512 bit)
    with GNFS
  • As of Dec-03 best is 174 decimal digits (576 bit)
  • biggest improvement comes from improved algorithm
  • cf Quadratic Sieve to Generalized Number Field
    Sieve
  • barring dramatic breakthrough 1024 bit RSA
    secure
  • ensure p, q of similar size and matching other
    constraints
  • Google RSA Security for "RSA Factoring Challenge"

24
Factoring in NP and co-NP
  • Factors = {<m,r> : there exists s such that
    1 < s < r < m and s | m}
  • <m,r> in Factors means m is composite
  • Can find factors with binary search on r
  • Factors in NP: the witness is a factor
  • Factors is not known to be NP-hard

25
Factoring in NP and co-NP
  • Factors in co-NP
  • Primes = {<m,r> : m is prime}
  • If m is prime, then witness generates the group
    Z_m
  • To verify <a> = Z_m, need to compute m powers of
    a, too much time
  • We know that o(a) = |Z_m| if a is a generator,
    whether m is prime or not
  • So guess and verify factorization of m-1, and that
    a^q ≠ 1 mod m for all q | m-1

26
Timing Attacks
  • developed in mid-1990s
  • exploit timing variations in operations
  • eg. multiplying by small vs large number
  • or faults varying which instructions executed
  • infer operand size based on time taken
  • RSA exploits time taken in exponentiation
  • countermeasures
  • use constant exponentiation time
  • add random delays
  • blind values used in calculations
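
Added example (not part of the original slides): the "blind values" countermeasure in Python, using the toy key N = 187, e = 7, d = 23 from the RSA Example slide. The function names are this example's own; the private exponentiation runs on c.r^e for a fresh random r, so its running time no longer depends on the ciphertext the sender chose.

```python
import secrets
from math import gcd

def blind(c, e, n):
    """Return (c', r) with c' = c * r^e mod n for a fresh random r."""
    while True:
        r = secrets.randbelow(n - 2) + 2        # r in [2, n-1]
        if gcd(r, n) == 1:                      # r must be invertible mod n
            return (c * pow(r, e, n)) % n, r

def unblind(m_blinded, r, n):
    """Remove the factor r: (c * r^e)^d = c^d * r = M * r mod n."""
    return (m_blinded * pow(r, -1, n)) % n

def blinded_decrypt(c, e, d, n):
    """The private exponentiation only ever sees the blinded value c'."""
    c_blinded, r = blind(c, e, n)
    m_blinded = pow(c_blinded, d, n)            # private-key operation
    return unblind(m_blinded, r, n)

if __name__ == "__main__":
    e, d, n = 7, 23, 187                        # toy key from the slides
    # The value fed to the private exponentiation differs on every call.
    print([blind(11, e, n)[0] for _ in range(5)])
    print(blinded_decrypt(11, e, d, n))
```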

27
RSA complexity
  • The "RSA Problem", RSAP
  • Idea: given public info and a ciphertext, figure
    out the plaintext
  • Input
  • n = pq for some unknown primes p,q
  • e such that gcd(e,(p-1)(q-1)) = 1
  • c, a cipher text
  • Output
  • m such that m^e ≡ c (mod pq)

28
RSA complexity
  • Fact: If you know how to efficiently factor
    numbers, then you can efficiently solve RSAP by
    just computing the decryptor d
  • So RSAP is no harder than factoring
  • However, if you know how to solve RSAP, this may
    or may not lead to a method for factoring numbers
  • Some smart people suspect that factoring also
    reduces to RSAP, but no proof yet

29
RSA complexity
  • The RSA "key problem", RSAKP
  • Idea: given public info, compute decryptor
  • Input
  • n = pq for some unknown primes p,q
  • e such that gcd(e,(p-1)(q-1)) = 1
  • Output
  • d such that ed ≡ 1 (mod (p-1)(q-1))

30
RSA complexity
  • Fact: RSAKP is computationally equivalent to
    factoring n (a product of two primes)
  • We already know how to compute d if we know both
    p and q
  • But conversely, any efficient method for
    computing d from public info can be converted
    into an efficient method for factoring arbitrary
    numbers like n

31
RSA in Practice
  • In order to avoid factoring, p and q should be
    about the same bitlength
  • 512-bit n is too small. Recommendation is
    1024-bit n (512 bits for each p, q)
  • p-q should not be "too small" (it won't be if p,
    q chosen randomly)
  • Many recommend that p, q be strong primes. p is
    strong if
  • p-1 has a large prime factor called r
  • p+1 has a large prime factor
  • r-1 has a large prime factor
  • this combats the Pollard factoring algorithm

32
RSA in Practice
  • Encryption can be sped up by selecting an e with
    few 1s in its binary representation
  • Because of modular squaring algorithm
  • Common values for e
  • 3 101
  • 65537 = 2^16 + 1
  • e is public anyway. But using same e for all
    does not seem to weaken system. Still have to
    ensure that gcd(e, ø(n)) = 1.

33
Misuse Attacks
  • Encrypting the same message to 3 different
    parties using e = 3
  • Using CRT, attacker can recover plaintext by
    computing cube root
  • Similarly, if m < n^(1/e), then m^e < n, and
    adversary can compute ordinary e-th root
  • Salt the message (add random padding) to mitigate
    this risk
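
Added example (not part of the original slides): why unsalted textbook RSA with e = 3 fails in both cases on this slide, and why salting each copy removes the weakness. The three moduli are constructed toy values, and the one-byte `pad` scheme is a hypothetical stand-in for real padding.

```python
def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise coprime moduli."""
    product = 1
    for n in moduli:
        product *= n
    total = 0
    for c, n in zip(residues, moduli):
        partial = product // n
        total += c * partial * pow(partial, -1, n)
    return total % product

def integer_root(x, k):
    """Largest r with r**k <= x, by binary search on exact integers."""
    lo, hi = 0, 1
    while hi ** k <= x:
        hi *= 2
    while hi - lo > 1:
        mid = (lo + hi) // 2
        lo, hi = (mid, hi) if mid ** k <= x else (lo, mid)
    return lo

def low_exponent_recover(ciphertexts, moduli, e=3):
    """Return M if the same M^e fits below the product of the moduli,
    otherwise None."""
    x = crt(ciphertexts, moduli)
    r = integer_root(x, e)
    return r if r ** e == x else None

def pad(m, salt):
    """Toy salting (hypothetical): a salt in front of a one-byte message."""
    return salt * 256 + m

# Constructed toy public moduli (each valid for e = 3), not real keys.
MODULI = [83 * 89, 101 * 107, 113 * 131]

if __name__ == "__main__":
    m = 200
    same = [pow(m, 3, n) for n in MODULI]               # no padding
    print(low_exponent_recover(same, MODULI))            # 200
    small = [pow(19, 3, MODULI[0])]                      # 19^3 < n
    print(low_exponent_recover(small, MODULI[:1]))       # 19
    salted = [pow(pad(m, s), 3, n) for s, n in zip((3, 11, 20), MODULI)]
    print(low_exponent_recover(salted, MODULI))          # None
```

Deployed systems get this salting from a standardized padding scheme such as OAEP in a vetted library rather than from an ad hoc construction like `pad`.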

34
More Misuse
  • Recall RSAKP (key problem) can be used to solve
    factoring
  • In other words, knowing both e and d lets you
    factor n
  • So you must not reuse the same modulus between
    different keypairs
  • Take-home message: don't implement merely from
    textbook description. Find a library!
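
Added example (not part of the original slides): the standard probabilistic reduction behind "knowing both e and d lets you factor n" and the RSAKP equivalence, run on the toy key N = 187, e = 7, d = 23. Function names are this example's own, and the second user's exponent e = 3 is a constructed value; it shows why every key pair needs its own modulus.

```python
import secrets
from math import gcd

def factor_from_key_pair(n, e, d, max_tries=100):
    """Factor n = p.q from one matching (e, d); each try succeeds with
    probability at least 1/2."""
    k, t = e * d - 1, 0                 # e.d - 1 is a multiple of ø(n)
    while k % 2 == 0:
        k, t = k // 2, t + 1            # e.d - 1 = 2^t * k with k odd
    for _ in range(max_tries):
        g = secrets.randbelow(n - 3) + 2            # g in [2, n-2]
        if gcd(g, n) > 1:                           # g already shares a factor
            p = gcd(g, n)
            return tuple(sorted((p, n // p)))
        x = pow(g, k, n)
        for _ in range(t):
            y = pow(x, 2, n)
            if y == 1 and x not in (1, n - 1):      # nontrivial square root of 1
                p = gcd(x - 1, n)
                return tuple(sorted((p, n // p)))
            x = y
    return None

def private_exponent_of_other_user(n, own_e, own_d, other_e):
    """With a shared modulus, one user's key pair yields every other d."""
    p, q = factor_from_key_pair(n, own_e, own_d)
    return pow(other_e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    print(factor_from_key_pair(187, 7, 23))
    print(private_exponent_of_other_user(187, 7, 23, 3))
```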

35
Summary
  • have considered
  • basic principles of public-key cryptography
  • RSA algorithm, implementation, security

36
Preparation for Exam
  • Planning for 90 minute exam with some lecture on
    new topics as well
  • I am more interested in
  • Open notes (no photocopies of books please)
  • Ch. 2, classical basic encryption ideas
  • Ch. 3, DES and block cipher chaining modes
  • Don't memorize S-boxes, etc. But know overall
    structures
  • Do review the chaining modes, they're important
  • Ch. 4, math that supports AES and public-key

37
Preparation for Exam
  • Buffer overflow
  • Theory of operation
  • Safe programming
  • Automated techniques for resisting
  • Ch. 6 (other misc. ciphers)
  • Ch. 7
  • cipher placement considerations: link vs
    end-to-end
  • the Needham-Schroeder key distribution scheme
  • random number generation techniques

38
Preparation for exam
  • Ch. 8, math that supports public-key
  • Ch. 9
  • Fundamentals of public-key crypto
  • The RSA cryptosystem
  • More how it works than why it works
  • Concepts from homeworks and project
  • No lock-breaking