Information Security CS 526 Lecture 23 - PowerPoint PPT Presentation

Slides: 37
Provided by: NINGH7

1
Information Security CS 526 Lecture 23
  • Public Key Cryptography and Key Establishment

2
Review of Secret Key (Symmetric) Cryptography
  • Confidentiality
  • stream ciphers
  • block ciphers with encryption modes
  • Integrity
  • message authentication code
  • Limitation: sender and receiver must share the
    same key
  • needs secure channel for key distribution
  • impossible for two parties having no prior
    relationship

3
Public Key Cryptography Overview
  • Proposed in Diffie and Hellman (1976), "New
    Directions in Cryptography"
  • public-key encryption schemes
  • public key distribution systems
  • Diffie-Hellman key agreement protocol
  • digital signature
  • Public-key encryption was proposed in 1970 by
    James Ellis
  • in a classified paper made public in 1997 by the
    British Governmental Communications Headquarters
  • Diffie-Hellman key agreement and the concept of
    digital signature are still due to Diffie and
    Hellman

4
Public Key Encryption
  • Public-key encryption
  • each party has a PAIR $(K, K^{-1})$ of keys: $K$ is the
    public key and $K^{-1}$ is the private key, such that
    $D_{K^{-1}}[E_K[M]] = M$
  • Knowing the public-key and the cipher, it is
    computationally infeasible to compute the private
    key
  • Public-key crypto systems are thus known as
    asymmetric crypto systems
  • The public-key K may be made publicly available,
    e.g., in a publicly available directory
  • Many can encrypt, only one can decrypt

5
Public Key Encryption Algorithms
  • Almost all public-key encryption algorithms use
    number theory and modular arithmetic
  • RSA
  • based on the hardness of factoring large numbers
  • El Gamal
  • based on the hardness of solving discrete
    logarithm

6
RSA Algorithm
  • Invented in 1978 by Ron Rivest, Adi Shamir and
    Leonard Adleman
  • Published as R L Rivest, A Shamir, L Adleman, "On
    Digital Signatures and Public Key Cryptosystems",
    Communications of the ACM, vol 21 no 2,
    pp120-126, Feb 1978
  • Security relies on the difficulty of factoring
    large composite numbers
  • Essentially the same algorithm was discovered in
    1973 by Clifford Cocks, who works for the British
    intelligence

7
RSA Public Key Crypto System
  • Key generation
  • Select 2 large prime numbers of about the same
    size, p and q
  • Compute $n = pq$, and $\phi(n) = (q-1)(p-1)$
  • Select a random integer $e$, $1 < e < \phi(n)$, s.t.
    $\gcd(e, \phi(n)) = 1$
  • Compute $d$, $1 < d < \phi(n)$, s.t. $ed \equiv 1 \bmod \phi(n)$
  • Public key: $(e, n)$
  • Private key: $d$

8
RSA Description (cont.)
  • Encryption
  • Given a message $M$, $0 < M < n$ ($M \in \mathbb{Z}_n - \{0\}$)
  • use public key $(e, n)$
  • compute $C = M^e \bmod n$ ($C \in \mathbb{Z}_n - \{0\}$)
  • Decryption
  • Given a ciphertext $C$, use private key $(d)$
  • Compute $C^d \bmod n = (M^e \bmod n)^d \bmod n = M^{ed} \bmod n = M$

9
RSA Example
  • $p = 11$, $q = 7$, $n = 77$, $\phi(n) = 60$
  • $d = 13$, $e = 37$ ($ed = 481$; $ed \bmod 60 = 1$)
  • Let $M = 15$. Then $C \equiv M^e \bmod n$
  • $C \equiv 15^{37} \pmod{77} = 71$
  • $M \equiv C^d \bmod n$
  • $M \equiv 71^{13} \pmod{77} = 15$

10
RSA Security
  • Security depends on the difficulty of factoring n
  • The length of $n = pq$ reflects the strength
  • 700-bit n factored in 2007
  • 1024 bit for minimal level of security today
  • likely to be breakable in near future
  • Minimal 2048 bits recommended for current usage
  • NIST suggests 15360-bit RSA keys are equivalent
    in strength to 256-bit
  • RSA speed is quadratic in key length

11
Digital Signatures The Problem
  • Consider the real-life example where a person
    pays by credit card and signs a bill; the seller
    verifies that the signature on the bill is the
    same as the signature on the card
  • Contracts are valid if they are signed.
  • Can we have a similar service in the electronic
    world?

12
Digital Signatures
  • Digital Signature: a data string which associates
    a message with some originating entity.
  • Digital Signature Scheme
  • a signing algorithm takes a message and a
    (private) signing key, outputs a signature
  • a verification algorithm takes a (public)
    verification key, a message, and a signature
  • Provides
  • Authentication
  • Data integrity
  • Non-Repudiation (MAC does not provide this.)

13
Digital Signatures and Hash
  • Very often digital signatures are used with hash
    functions: the hash of a message is signed instead
    of the message.
  • Hash function must be
  • Pre-image resistant
  • Weak collision resistant
  • Strong collision resistant

14
RSA Signatures
  • Key generation (as in RSA encryption)
  • Select 2 large prime numbers of about the
    same size, p and q
  • Compute $n = pq$, and $\phi = (q - 1)(p - 1)$
  • Select a random integer $e$, $1 < e < \phi$, s.t.
    $\gcd(e, \phi) = 1$
  • Compute $d$, $1 < d < \phi$, s.t. $ed \equiv 1 \bmod \phi$
  • Public key: $(e, n)$
  • Secret key: $d$

15
RSA Signatures (cont.)
  • Signing message $M$
  • Verify $0 < M < n$
  • Compute $S = M^d \bmod n$
  • Verifying signature $S$
  • Use public key $(e, n)$
  • Compute $S^e \bmod n = (M^d \bmod n)^e \bmod n = M$
  • Note: in practice, a hash of the message is
    signed and not the message itself.
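
Added example (not part of the original slides): the key generation, encryption and signing steps of the RSA slides in Python, run on the numbers of the RSA Example slide and on a hash-then-sign signature as the note above describes. The function names, SHA-256 reduced mod n as the message hash, and the two Mersenne primes used for the larger toy key are assumptions of this example; there is no padding, so this is textbook RSA for study only.

```python
import hashlib
from math import gcd

def keygen(p, q, e):
    """n = pq, phi = (p-1)(q-1), d = e^-1 mod phi; returns ((e, n), d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    return (e, n), pow(e, -1, phi)  # modular inverse, Python 3.8+

def encrypt(pub, m):
    e, n = pub
    if not 0 < m < n:
        raise ValueError("message must satisfy 0 < M < n")
    return pow(m, e, n)  # C = M^e mod n

def decrypt(pub, d, c):
    return pow(c, d, pub[1])  # M = C^d mod n

def digest(msg, n):
    """Hash the message and reduce it into Z_n (assumed encoding, no padding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(pub, d, msg):
    return pow(digest(msg, pub[1]), d, pub[1])  # S = H(M)^d mod n

def verify(pub, msg, sig):
    e, n = pub
    return 0 <= sig < n and pow(sig, e, n) == digest(msg, n)

# Key from the RSA Example slide: p = 11, q = 7, e = 37.
SMALL_PUB, SMALL_D = keygen(11, 7, 37)
# Larger toy key (constructed): Mersenne primes 2^107-1 and 2^127-1,
# still far below the 2048 bits the RSA Security slide recommends.
BIG_PUB, BIG_D = keygen(2**107 - 1, 2**127 - 1, 65537)

if __name__ == "__main__":
    c = encrypt(SMALL_PUB, 15)
    print("d =", SMALL_D, "C =", c, "M =", decrypt(SMALL_PUB, SMALL_D, c))
    s = sign(BIG_PUB, BIG_D, b"pay Bob 10")
    print(verify(BIG_PUB, b"pay Bob 10", s), verify(BIG_PUB, b"pay Bob 1000", s))
```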

16
Public Keys and Trust
Public Key $P_B$, Secret key $S_B$
Public Key $P_A$, Secret key $S_A$
  • How are public keys stored?
  • How to obtain the public key?
  • How does Bob know or trust that $P_A$ is
    Alice's public key?

17
Distribution of Public Keys
  • Public announcement: users distribute public keys
    to recipients or broadcast to community at large
  • Publicly available directory: can obtain greater
    security by registering keys with a public
    directory
  • Both approaches have problems, and are vulnerable
    to forgeries

18
Public-Key Certificates
  • A certificate binds identity (or other
    information) to public key
  • Contents signed by a trusted Public-Key or
    Certificate Authority (CA)
  • Can be verified by anyone who knows the
    public-key authority's public key
  • Certificates allow key exchange without real-time
    access to public-key authority

19
X.509 Certificates
  • Part of X.500 directory service standards.
  • Defines framework for authentication services
  • Defines that public keys are stored as certificates
    in a public directory.
  • Certificates are issued and signed by an entity
    called certification authority (CA).
  • Used by numerous applications: SSL, IPSec, SET
  • Started 1988

20
How to Obtain a Certificate?
  • For a particular application you can define your
    own CA (libraries like openssl provide the
    necessary tools)
  • many companies define their own CA.
  • VeriSign: a company that provides certificates to
    many commercial companies
  • Private key remains secret and certificate must
    be accessible.
  • Example: see certificates accepted by your browser

21
CAs and Trust
  • Certificates are trusted if signature of CA
    verifies
  • Chain of CAs can be formed, head CA is called
    root CA
  • In order to verify the signature, the public key
    of the root CA should be obtained.
  • TRUST is centralized (to root CAs) and
    hierarchical

22
The Big Picture
Public Key Setting
Secret Key Setting

23
Need for Key Establishment
$\mathrm{Encrypt}_K(M)$
$C = \mathrm{Encrypt}_K(M)$
$M = \mathrm{Decrypt}_K(C)$
  • Alice and Bob share a secret key K
  • How to establish the shared key?
  • How to refresh it (not a good idea to
    encrypt a lot of data with the same key)

24
Long-Term Key vs. Session Key
  • Session key: temporary key, used for a short time
    period.
  • Long-term key: used for a long term period,
    sometimes public and secret key pairs used to
    sign messages.
  • Using session keys to:
  • limit available cipher-text encrypted with the
    same key
  • limit exposure in the event of key compromise
  • avoid long-term storage of a large number of
    distinct secret keys
  • create independence across communications
    sessions or applications

25
Needham-Schroeder Shared-Key Protocol: Use
Trusted Third Party
  • Parties: A, B, and trusted server T
  • Setup: A and T share $K_{AT}$, B and T share $K_{BT}$
  • Goal: mutual entity authentication between A and
    B; key establishment
  • Messages
  • (1) $A \to T$: $A, B, N_A$
  • (2) $A \leftarrow T$: $E_{K_{AT}}(N_A, B, k, E_{K_{BT}}(k, A))$
  • (3) $A \to B$: $E_{K_{BT}}(k, A)$
  • (4) $A \leftarrow B$: $E_k(N_B)$
  • (5) $A \to B$: $E_k(N_B - 1)$

26
Kerberos
  • Kerberos is a network authentication protocol
  • Provides authentication and secure communication
  • Relies entirely on symmetric cryptography
  • Developed at MIT; two versions, Version 4 and
    Version 5 (specified as RFC1510)
  • http://web.mit.edu/kerberos/www
  • Used in many systems, e.g., Windows 2000 and
    later as default authentication protocol

27
Kerberos Overview
  • AS: Authentication Server
  • TGS: Ticket Granting Server
  • SS: Service Server
  • TGT: Ticket Granting Ticket
  • The client authenticates to AS using a long-term
    shared secret and receives a TGT.
  • supports single sign-on
  • Later the client can use this TGT to get
    additional tickets from TGS without resorting to
    using the shared secret. These tickets can be
    used to prove authentication to SS.

28
Overview of Kerberos

29
Kerberos Drawback
  • Single point of failure
  • requires online Trusted Third Party Kerberos
    server
  • Security depends on tight clock synchronization.
    Convenience requires loose clock synchronization
  • The default configuration requires
    synchronization to within 10 minutes.
  • Useful primarily inside an organization

30
Key Agreement: Diffie-Hellman Protocol
  • Key agreement protocol, both A and B contribute
    to the key
  • Setup: p prime and g generator of $\mathbb{Z}_p^*$, p and g
    public.

Pick random, secret $a$. Compute and send $g^a \bmod p$
Pick random, secret $b$. Compute and send $g^b \bmod p$
$K = (g^b \bmod p)^a = g^{ab} \bmod p$
$K = (g^a \bmod p)^b = g^{ab} \bmod p$

31
Authenticated Diffie-Hellman
Messages shown in the figure: $g^a \bmod n$, $g^c \bmod n$, $g^b \bmod n$, $g^c \bmod n$
Alice computes $g^{ac} \bmod n$ and Bob computes $g^{bc} \bmod n$ !!!
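
Added example (not part of the original slides): the exchange from the Diffie-Hellman slide, run once over an honest channel and once with both public values replaced by $g^c$ in transit, as in the figure above. The toy parameters p = 23 and g = 5, the function names, and the transcript fingerprint (the value each side would sign with its long-term key to authenticate the exchange) are assumptions of this example.

```python
import hashlib

# Toy parameters (constructed): 5 generates Z_23^*. Real use needs a >= 2048-bit p.
P, G = 23, 5

def public_value(secret):
    return pow(G, secret, P)            # g^x mod p

def shared_key(peer_public, secret):
    return pow(peer_public, secret, P)  # (g^y)^x mod p

def fingerprint(alice_value_seen, bob_value_seen):
    """Hash of the two public values as one party saw them on the wire.
    In an authenticated exchange each side signs this with its long-term key."""
    data = f"{alice_value_seen},{bob_value_seen}".encode()
    return hashlib.sha256(data).hexdigest()

def run_exchange(a, b, c=None):
    """Run the protocol with secrets a (Alice) and b (Bob).
    c=None is an honest channel; otherwise both public values are
    replaced in transit by g^c, as on the slide."""
    ga, gb = public_value(a), public_value(b)
    to_bob = ga if c is None else public_value(c)
    to_alice = gb if c is None else public_value(c)
    return {
        "k_alice": shared_key(to_alice, a),
        "k_bob": shared_key(to_bob, b),
        # Alice saw (her g^a, what arrived); Bob saw (what arrived, his g^b).
        "transcripts_match": fingerprint(ga, to_alice) == fingerprint(to_bob, gb),
    }

if __name__ == "__main__":
    print("honest  :", run_exchange(6, 15))
    print("tampered:", run_exchange(6, 15, c=3))
```

With an honest channel both sides hold the same key and the same transcript; with the substitution the keys are $g^{ac}$ and $g^{bc}$ and the transcripts differ, which is what a signature over the exchanged values lets each side detect.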

32
Secure communication

33
Secure Sockets Layer / TLS
  • Standard for Internet security
  • Originally designed by Netscape
  • Goal ... provide privacy and reliability
    between two communicating applications
  • Two main parts
  • Handshake Protocol
  • Establish shared secret key using public-key
    cryptography
  • Signed certificates for authentication
  • Record Layer
  • Transmit data using negotiated key, encryption
    function

34
SSL/TLS Cryptography
  • Public-key encryption
  • Shared key material sent encrypted with public
    key
  • Symmetric encryption
  • Shared (secret) key encryption of data packets
  • Signature-based authentication
  • Client can check signed server certificate
  • And vice-versa, in principle
  • Hash and MAC for integrity
  • Client, server check hash of sequence of messages
  • MAC used in data packets (record protocol)

35
TLS Protocol
  • C → S: Version, Crypto choice, nonce
  • S → C: Version, Choice, nonce, Signed certificate
    containing server's public key $K_s$
  • C → S: Secret key K encrypted with server's key $K_s$
  • switch to negotiated cipher
  • C → S: Hash of sequence of messages
  • S → C: Hash of sequence of messages

36
Coming Attractions
  • Network Security Issues