CMSC 414 Computer and Network Security Lecture 6

1
CMSC 414Computer and Network SecurityLecture 6

• Jonathan Katz

2
Administrative announcements

• Midterm I
• March 6
• GRACE accounts set up
• Read the essays and papers linked from the course
  webpage
• Will discuss next Tuesday and/or Thursday

3
Public-key cryptography
4
The public-key setting

• A party (Alice) generates a public key along with
  a matching secret key (aka private key)
• The public key is widely distributed, and is
  assumed to be known to anyone (Bob) who wants to
  communicate with Alice
• We will discuss later how this can be ensured
• Alices public key is also known to the attacker!
• Alices secret key remains secret
• Bob may or may not have a public key of his own

5
The public-key setting
6
Private- vs. public-key I

• Disadvantages of private-key cryptography
• Need to securely share keys
• What if this is not possible?
• Need to know in advance the parties with whom you
  will communicate
• Can be difficult to distribute/manage keys in a
  large organization
• O(n2) keys needed for person-to-person
  communication in an n-party network
• All these keys need to be stored securely
• Inapplicable in open systems (think e-commerce)

7
Private- vs. public-key II

• Why study private-key at all?
• Private-key is orders of magnitude more efficient
• Private-key still has domains of applicability
• Military settings, disk encryption,
• Public-key crypto is harder to get right
• Needs stronger assumptions, more math
• Can combine private-key primitives with
  public-key techniques to get the best of both
  (for encryption)
• Still need to understand the private-key setting!
• Can distribute keys using trusted entities (KDCs)

8
Private- vs. public-key III

• Public-key cryptography is not a cure-all
• Still requires secure distribution of public keys
• May (sometimes) be just as hard as sharing a key
• Technically speaking, requires only an
  authenticated channel instead of an authenticated
  private channel
• Not clear with whom you are communicating (for
  public-key encryption)
• Can be too inefficient for certain applications

9
Cryptographic primitives
10
Public-key encryption
11
Functional definition

• Key generation algorithm randomized algorithm
  that outputs (pk, sk)
• Encryption algorithm
• Takes a public key and a message (plaintext), and
  outputs a ciphertext c ? Epk(m)
• Decryption algorithm
• Takes a private key and a ciphertext, and outputs
  a message (or perhaps an error) m Dsk(c)
• Correctness for all (pk, sk), Dsk(Epk(m)) m

12
Security?

• Just as in the case of private-key encryption,
  but the attacker gets to see the public key pk
• That is
• For all m0, m1, no adversary running in time T,
  given pk and an encryption of m0 or m1 can
  determine the encrypted message with probability
  better than 1/2 ?
• Public-key encryption must be randomized (even to
  achieve security against ciphertext-only attacks)
• Security against ciphertext-only attacks implies
  security against chosen-plaintext attacks

13
El Gamal encryption

• We have already (essentially) seen one encryption
  scheme

Receiver
Sender
KAB (hB)x
KBA (hA)y
14
Security

• If the DDH assumption holds, the El Gamal
  encryption scheme is secure against
  chosen-plaintext attacks

15
RSA background

• Npq, p and q distinct, odd primes
• ?(N) (p-1)(q-1)
• Easy to compute ?(N) given the factorization of N
• Hard to compute ?(N) without the factorization of
  N
• Fact for all x ? ZN, it holds that x?(N) 1
  mod N
• Proof take CMSC 456!
• If ed1 mod ?(N), then for all x it holds that
  (xe)d x mod N

16
RSA key generation

• Generate random p, q of sufficient length
• Compute Npq and ?(N) (p-1)(q-1)
• Compute e and d such that ed 1 mod ?(N)
• e must be relatively prime to ?(N)
• Typical choice e 3 other choices possible
• Public key (N, e) private key (N, d)
• We have an asymmetry!
• Given cxe mod N, receiver can compute xcd mod N
• No apparent way for anyone else to recover x

17
Hardness of the RSA problem?

• The RSA problem
• Compute x given N, e, and xe mod N
• If factoring is easy, then the RSA problem is
  easy
• We know of no other way to solve the RSA problem
  besides factoring N
• But we do not know how to prove that the RSA
  problem is as hard as factoring
• The upshot we believe factoring is hard, and we
  believe the RSA problem is hard

18
Textbook RSA encryption

• Public key (N, e) private key (N, d)
• To encrypt a message m ? ZN, compute
  c me mod N
• To decrypt a ciphertext c, compute m cd mod N
• Correctness clearly holds
• what about security?

19
Textbook RSA is insecure!

• It is deterministic!
• Furthermore, it can be shown that the ciphertext
  leaks specific information about the plaintext

20
Padded RSA

• Public key (N, e) private key (N, d)
• Say N 1024 bits
• To encrypt m ? 0,1895,
• Choose random r ? 0,1128
• Compute c (r m)e mod N
• Decryption done in the natural way
• Essentially this idea has been standardized as
  RSA PKCS 1 v1.5

21
Hybrid encryption

• Public-key encryption is slow
• Encrypting block-by-block would be inefficient
  for long messages
• Hybrid encryption gives the functionality of
  public-key encryption at the (asymptotic)
  efficiency of private-key encryption!

22
Hybrid encryption
message
encrypted message
ciphertext
k
encapsulated key
pk
Enc public-key encryption scheme Enc
private-key encryption scheme
23
Security

• If public-key component and private-key component
  are secure against chosen-plaintext attacks, then
  hybrid encryption is secure against
  chosen-plaintext attacks

24
Malleability/chosen-ciphertext security

• All the public-key encryption schemes we have
  seen so far are malleable
• Given a ciphertext c that encrypts an (unknown)
  message m, may be possible to generate a
  ciphertext c that encrypts a related message m
• In many scenarios, this is problematic
• E.g., auction example password example
• Note the problem is not integrity (there is no
  integrity in public-key encryption, anyway), but
  malleability