Public Key Cryptography - PowerPoint PPT Presentation

1 / 43
About This Presentation
Title:

Public Key Cryptography

Description:

Radical departure from conventional cryptography. Asymmetric, or two key, cipher ... where (n) is the Euler's totient function (n) = (pq) = (p-1)(q-1) ... – PowerPoint PPT presentation

Number of Views:410
Avg rating:3.0/5.0
Slides: 44
Provided by: hyo5
Category:

less

Transcript and Presenter's Notes

Title: Public Key Cryptography


1
Public Key Cryptography
  • Principles of Public-Key Cryptosystems
  • The RSA Algorithm
  • Key Management
  • Diffie-Hellman Key Exchange
  • Elliptic Curve Cryptography

2
Public Key Cryptography
  • Radical departure from conventional cryptography
  • Asymmetric, or two key, cipher
  • Public key for encryption
  • Private key for decryption
  • Based on mathematics
  • Not necessarily stronger than symmetric
    cryptography
  • Typically used in conjunction with symmetric
    cryptography
  • Generally restricted to key management and
    digital signatures
  • Does not solve the general key management problem

3
Public-Key Cryptosystems
Principles of PKC
  • Concept of public-key cryptography evolved from
    an attempt to attack two of the most difficult
    problems associated with the conventional
    encryption
  • Key distribution
  • Digital signature
  • Diffie and Hellman first publicly introduced the
    concepts of public-key cryptography in 1976
  • Public-key algorithm rely on one key for
    encryption and a different but related key for
    decryption
  • Requirement
  • It is computationally infeasible to determine the
    decryption key given the encryption key
  • Optional feature
  • Either key can be used for encryption with the
    other serving as the decryption key

4
Public Key Encryption Process
Principles of PKC
  • Confidentiality C E(pubkey, M)
  • Authentication D E(privkey, M)
  • Digital signature

5
Conventional and Public-Key Encryption
Principles of PKC
  • Conventional (Symmetric)
  • Same algorithm and key used
  • for encryption and decryption
  • Parties share algorithm and key
  • Key must be kept secret
  • Cipher must be strong
  • Plaintext/ciphertext pairs must
  • not weaken the security of the key
  • Public-Key (Asymmetric)
  • Same algorithm but different keys
  • used for encryption and decryption
  • Parties share algorithm but each has
  • one key from a matched pair
  • One key must be kept secret
  • Cipher must be strong
  • Plaintext/ciphertext pairs plus one of
  • the keys must not weaken the other
  • key

6
Principles of PKC
Public-Key Cryptosystem Secrecy
Y EKUb(X) X DKRb(Y)
KUb Bs public key KRb Bs private key
7
Principles of PKC
PKC Authentication
Y EKRa(X) X DKUa(Y)
No protection of confidentiality
8
Principles of PKC
PKC Secrecy and Authentication
Z EKUbEKRa(X) X DKUaDKRb(Z)
9
PKC Algorithm Requirements
Principles of PKC
  • By Diffie and Hellman, in 1976
  • Key pair generation is computationally easy
  • Encryption is computationally easy
  • Decryption is computationally easy
  • Computationally infeasible to determine private
    key given public key
  • Computationally infeasible to recover plaintext
    given public key and ciphertext
  • Encryption and decryption functions can be
    applied in either order
  • M DKRbEKUb(M) EKRbDKUb(M)

10
One-way and Trap-door Functions
Principles of PKC
  • One-way function
  • Y f(X) easy (polynomial time)
  • X f-1(Y) infeasible (non-polynomial time)
  • Trap-door one-way functions
  • Family of invertible functions, one for each k
  • Y fk(X) easy, given k and X
  • X fk-1(Y) easy, given k and Y
  • X fk-1(Y) infeasible if Y is known but k is
    unknown

11
RSA Algorithm
RSA Algorithm
  • Developed in 1977, by Ron Rivest, Adi Shamir, and
    Len Adleman
  • Block cipher block size is log2(n), for some
    integer n
  • Encryption C Me mod n
  • Decryption M Cd mod n Med mod n
  • Requirements
  • Find values of e, d, and n s.t. Med M mod n for
    all M lt n
  • Relatively easy to compute Me and Cd
  • Infeasible to determine d given n and e

12
RSA
RSA Algorithm
  • Need to find a relationship of the form
  • Med M mod n
  • Can use the corollary of Eulers theorem
  • Given two primes p and q, and two integers, n and
    m, s.t. n pq and 0 lt m lt n. and an
    arbitrary integer k, the following relationship
    holds
  • mk?(n)1 ? m mod n
  • where ?(n) is the Eulers totient function
  • ?(n) ?(pq) (p-1)(q-1)
  • Can achieve the desired relationship if ed
    k?(n)1
  • Equivalent to saying that ed ? 1 mod ?(n) or d ?
    e-1 mod ?(n)
  • That is, e and d are multiplicative inverses
    modulo ?(n)
  • This is true only if d (and therefore e) is
    relatively to prime to ?(n)

13
RSA Algorithm
RSA Algorithm
14
RSA Algorithm
RSA Example
  • Select two primes, p 7 and q 17
  • Calculate n pq 7 ? 17 119
  • Calculate ?(n) (p-1)(q-1) 96
  • Select e s.t. e is relatively prime to ?(n) and
    less than ?(n) in this case, e 5
  • Determine d s.t. de mod 96 1 and d lt 96. The
    correct value is d 77 (77 ? 5 385 4 ? 96
    1)
  • KU 5, 119, KR 77, 119

15
RSA Algorithm
RSA Computational Aspects
  • Encryption and Decryption
  • Both require modular exponentiation
  • Can use the following efficient algorithm to
    compute ab mod n
  • Repeated squaring
  • Modular-Exponentiation(a, b, n)
  • c ? 0
  • d ? 1
  • let bkbk-1b0 be the binary representation of b
  • for i ? k downto 0
  • do c ? 2c
  • d ? (d ? d) mod n
  • if bi 1
  • then c ? c 1
  • d ? (d ? a) mod n
  • return d

16
RSA Algorithm
RSA Computational Aspects - 2
  • Key Generation
  • Selecting two prime numbers, p and q
  • Selecting either e or d and calculating the other
  • Selecting a prime number

1. Pick an odd integer n at random (e.g. using
PRNG) 2. Pick an integer a lt n at random 3.
Perform the probabilistic primality test, such as
Miller-Ravin. If n fails the test, reject the
value n and goto step 1 4. If n has passed a
sufficient number of tests, accept n otherwise
goto step 2
17
RSA Computational Aspects - 3
RSA Algorithm
  • How many numbers are likely to be rejected before
    a prime number is found?
  • Prime number theorem
  • ?(x) x/ln(x)
  • In other words, primes near x are spaced on the
    average one every (ln x) integers
  • Thus, on average, ln(x) tests are required to
    find a prime
  • (Actually ln(x)/2 because all even numbers can
    be immediately rejected)
  • Example
  • If a prime on the order of magnitude of 2100 were
    thought, then about ln(2200)/2 70 trials would
    be needed to find a prime

18
RSA Computational Aspects - 4
RSA Algorithm
  • Selecting e and calculating d (or alternatively
    selecting d and calculating e)
  • Need to select an e s.t. gcd(?(n), e) 1 and
    then calculate d e-1 mod ?(n)
  • Extended Euclids Algorithm can do this
  • Generate e randomly. Then using the EEA, test if
    gcd((?(n), e) 1, and then get d. Otherwise do
    again
  • Need very few tests
  • Extended Euclid(e, ?(n))
  • (X1, X2, X3) ? (1, 0, ?(n)) (Y1, Y2, Y3) ? (0,
    1, e)
  • If Y3 0 return X3 gcd(e, ?(n)) no inverse
  • If Y3 1 return Y3 gcd(e, ?(n)) Y2 e-1
    mod ?(n)
  • Q ?X3/Y3?
  • (T1, T2, T3) ? (X1 ? QY1, X2 ? QY2, X3 ? QY3)
  • (X1, X2, X3) ? (Y1, Y2, Y3)
  • (Y1, Y2, Y3) ? (T1, T2, T3)
  • goto 2

19
Attacks on RSA Algorithm
RSA Algorithm
  • Brute force (Key space search)
  • Try all possible private keys
  • Use large keys
  • Attacks on mathematical foundation
  • Several approaches, all equivalent to factoring
  • Timing attacks
  • Based on the running time of the decryption
    algorithm

20
Mathematical Attacks on RSA
RSA Algorithm
  • Factor n into p and q
  • Allows calculation of ?(n), which allows
    determination of d e-1 (mod ?(n))
  • Determine ?(n) directly from n
  • Equivalent to factoring
  • Determine d e-1 (mod ?(n)) directly
  • Seems to be as hard as factoring

21
Factoring
RSA Algorithm
  • For a large n with large prime factors, factoring
    is a hard problem -
  • RSA factoring challenge
  • Sponsored by RSA Labs.
  • To encourage research into computational number
    theory and the practical difficulty factoring
    large integers
  • A cash prize is awarded to the first person to
    factor each challenge number

Progress in Factorization
22
RSA Factoring Challenge
RSA Algorithm
  • Latest result is RSA 155 (512 bits)
  • Reported Aug 22, 1999
  • Factored with General Number Field Sieve
  • 35.7 CPU-years in total on
  • 160 175-400 MHz SGI and Sun workstations
  • 8 250 MHz SGI Origin 2000 processors
  • 120 300-450 MHz Pentium II PCs
  • 4 500 MHz Digital/Compaq boxes
  • This CPU-effort is estimated to be equivalent to
    approximately 8000 MIPS years calendar time for
    the sieving was 3.7 months.

23
RSA Factoring Challenge Numbers
RSA Algorithm
Numbers are designated RSA-XXXX, where XXXX is
the numbers length in bits Challenge Number
Prize (US) Status RSA-576 (174
Digits) 10,000 Not Factored RSA-640 (193
Digits) 20,000 Not Factored RSA-704 (212
Digits) 30,000 Not Factored RSA-768 (232
Digits) 50,000 Not Factored RSA-896 (270
Digits) 75,000 Not Factored RSA-1024 (309
Digits) 100,000 Not Factored RSA-1536 (463
Digits) 150,000 Not Factored RSA-2048 (617
Digits) 200,000 Not Factored RSA-576 Decimal
Digits 174 18819881292060796383869723946165043
980716356337941 738270076335642298885971523466548
53190606065047430 4531738801130339671619969232120
5734031879550656996 221305168759307650257059
24
Constraints on p and q
RSA Algorithm
  • Suggested constraints on p and q (by RSA
    inventors and researchers)
  • Length of p and q should differ by only a few
    digits
  • Both p-1 and q-1 should contain a large prime
    factor
  • gcd(p-1, q-1) should be small
  • d gt n¼

25
Timing Attacks
RSA Algorithm
  • Big integer multiplication take a long time
  • Assume that the target system uses the following
    modular exponentiation algorithm for decryption
  • By observing the time taken for modular
    multiplication, it is possible to infer bits in b
  • If bi is set, d ? (d ? a) mod n will be executed
    (Will be much slower than the case of bi 0)
  • By varying values of a (ciphertext), and
    observing the execution (decryption) times
    carefully, values of bkbk-1b0 (private key) can
    be inferred
  • Modular-Exponentiation(a, b, n) / Compute ab
    mod n /
  • d ? 1 / let bkbk-1b0 be the binary
    representation of b /
  • for i ? k downto 0
  • do d ? (d ? d) mod n
  • if bi 1
  • then d ? (d ? a) mod n
  • return d

26
Timing Attack Countermeasures
RSA Algorithm
  • Constant exponentiation time
  • Ensure that all exponentiations take the same
    amount of time
  • Simple fix, but degrade the performance
  • Random delay
  • Add a random delay to the exponentiation
    algorithm to confuse the timing attack
  • Blinding
  • Multiply the ciphertext by a random number before
    performing the exponentiation
  • RSA Data Securitys blinding method
  • Generate a secret random r, 0 lt r lt n-1
  • Compute C Cre mod n, where e is the public
    exponent
  • Compute M (C)d mod n with the ordinary RSA
  • Compute M M r-1 mod n (Cre)dr-1 mod n
    Cdredr-1 mod n
  • Cd mod n ? (red mod n r mod n)
  • 2 to 10 performance penalty

27
Public Key Distribution
Key Management
  • Public announcement
  • Public available directory
  • Public key authority
  • Public key certificates

28
Public Announcement of Public Keys
Key Management
  • Attach to email
  • Publish on web page,
  • Convenient, but has obvious weakness (forgery)

29
Public Key Directory
Key Management
  • Trusted entity maintains a public directory
  • Name public key
  • Individuals register with the authority
  • In person or using authenticated communication
  • Must allow replacement
  • To update compromised or lost keys
  • Trusted entity publishes the directory
  • Phone book, newspaper ads, etc
  • Via (authenticated) network communication

30
Public Key Directory Weaknesses
Key Management
  • More secure than individual announcements
  • Vulnerable to compromise of trusted entity
  • Network communication
  • Database contents

31
Public Key Authority
Key Management
  • Trusted entity maintains a public directory
  • Name public key
  • Trusted entity distributes its own public key
  • Alice requests Bobs public key
  • Include nonce to prevent replay
  • Authority response is encrypted under private key
  • i.e., digitally signed
  • Response contains Bobs public key, Alices
    original request and nonce
  • Alice requests communication with Bob
  • Encrypted under Bobs public key
  • Request contains Alices identity and a nonce
  • Bob retrieves Alices public key from the
    authority

32
Public Key Authority
Key Management
33
Public Key Authority
Key Management
  • Alice and Bob mutually authenticate and assure
    freshness
  • Bob responds to Alice
  • Encrypted under Alices public key
  • Contains Alices nonce and a new nonce
  • Alice returns Bobs nonce
  • Encrypted under Bobs public key
  • Seven messages in total
  • First four can be avoided in the future if the
    responses are cached, but that comes with some
    risk, so the cache should be periodically updated
  • Public key authority could be a performance
    bottleneck
  • Subject to tampering, as above

34
Public Key Certificates
Key Management
  • Goal is to provide a mechanism as secure and
    reliable as the public key authority without
    requiring direct contact
  • Public key certificate
  • Each user possesses her own
  • Used to convey public key
  • Distributed on request (or any means)
  • Public key certificate requirement
  • Anyone can read a certificate and determine the
    name and public key of the owner
  • Anyone can verify that the certificate originated
    from the public key certification authority
  • Only the public key certification authority can
    issue or update certificates
  • Anyone can tell whether a certificate is current

35
Public Key Certificates
Key Management
  • Each principal applies to the CA with her public
    key and a request for a certificate
  • Application must be in person or authenticated
  • Certificate contents
  • Identity of principal
  • Public key of principal
  • Timestamp (expiration date)
  • Certificate is signed by CA
  • Verifying a certificate
  • Check the CA signature
  • Using certificates
  • Alice and Bob exchange certificates
  • Alice and Bob validate the certificates they
    receive

36
Public Key Certificates
Key Management
37
Public-Key Distribution of Secret Key
Key Management
  • Because of its huge computational cost,
    Public-Key cryptosystem usage tends to be
    restricted
  • Digital signatures
  • Secret key distribution

38
Secret Key Distribution(Merkles Algorithm)
Key Management
  • Alice creates a public/private key pair, sends
    her public key to Bob
  • Bob creates a secret key, sends it to Alice
    encrypted in her public key
  • Simple but vulnerable to MITM (Man-in-the-Middle)
    active attack

39
Secret Key Distribution (Needham-Schroeders)
Key Management
  • Provides a protection against both active and
    passive attacks
  • Assume Alice and Bob have exchanged public keys
    (by any scheme described early)
  • Alice encrypts and sends a nonce to Bob
  • Bob encrypts and sends Alices nonce and his own
    nonce
  • Alice encrypts and sends Bobs nonce back to Bob
  • Alice selects, signs, encrypts and sends a secret
    key to Bob

40
Secret Key Distribution (Needham-Schroeders)
Key Management
41
Diffie-Hellman Key Exchange
  • Relies on difficulty of computing discrete
    logarithm

K (YB)XA mod q (?XB mod q)XA mod q
(?XB)XA mod q ?XBXA mod q (?XA)XB mod
q (?XA mod q)XB mod q (YA)XB mod q
42
Diffie-Hellman Key Exchange
EXAMPLE Q 97, primitive root of q, in this
case, ? 5 A and B selects secret keys XA 36
and XB 58 Each computes public key YA 536
50 mod 97, YB 558 44 mod 97 After exchanging
public keys, each compute the common secret
key K (YB)XA mod 97 4436 75 mod 97 K
(YA)XB mod 97 5058 75 mod 97
43
Chapter 6 HW
  • Prob. 6.2
  • Prob. 6.3
  • Prob. 6.4
  • Prob. 6.7
  • Prob. 6.14
Write a Comment
User Comments (0)
About PowerShow.com