CSCI283 Fall 2005 - PowerPoint PPT Presentation

1
Public Key Cryptography: Diffie-Hellman, Discrete
Log, RSA
  • Diffie-Hellman Key Exchange, Discrete Log
    Problem
  • Public Key Crypto
  • RSA
  • CSCI283 Fall 2005
  • GWU

2
Diffie-Hellman Key Exchange
3
Diffie-Hellman Key Exchange
  • Protocol for exchanging secret key over public
    channel.
  • Select global parameters p, n and $\alpha$. p is prime
    and $\alpha$ is of order n in $\mathbb{Z}_p$. These parameters are
    public and known to all.

4
Diffie-Hellman Key Exchange contd.
  • Alice privately selects random b and sends to Bob
    $\alpha^b \bmod p$.
  • Bob privately selects random c and sends to Alice
    $\alpha^c \bmod p$.
  • Alice and Bob privately compute $\alpha^{bc} \bmod p$, which
    is their shared secret.
  • An observer Oscar can compute $\alpha^{bc}$ if he knows
    either c or b or can solve the discrete log
    problem.
  • This is a key agreement protocol.

5
Diffie-Hellman is based on the hardness of the
Discrete Log problem
  • Given a multiplicative group G, an element $\alpha \in G$
    such that $o(\alpha) = n$, and an element $\beta \in \langle\alpha\rangle$
  • Find the unique integer x, $0 \le x \le n-1$, such that
  • $\beta = \alpha^x$
  • x is denoted as $\log_\alpha \beta$
  • Not known to be doable in polynomial time,
    however exponentiation is.

6
An attack
  • Diffie-Hellman key exchange is susceptible to a
    man-in-the-middle attack.
  • Mallory captures the values Alice and Bob send for b and c
    in transmission and replaces them with values computed
    from her own exponents.
  • Essentially runs two Diffie-Hellmans. One with
    Alice and one with Bob.
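
The exchange on slides 3 to 6, as an added example that is not part of the original slides. The parameters p = 23, n = 11 and $\alpha$ = 2 are constructed toy values, and the function names are illustrative assumptions. It shows that without authentication of the exchanged values, Alice and Bob each end up sharing a key with Mallory instead of with each other.

```python
import secrets

# Constructed toy parameters (assumptions, far too small for real use):
# P = 23 is prime and ALPHA = 2 has order N = 11 in Z_23.
P, N, ALPHA = 23, 11, 2

def keypair():
    """Pick a private exponent in [1, N-1]; return it with alpha^x mod p."""
    x = secrets.randbelow(N - 1) + 1
    return x, pow(ALPHA, x, P)

def shared(private, received):
    """Key a party derives from its own exponent and the value it received."""
    return pow(received, private, P)

def honest_exchange():
    b, from_alice = keypair()
    c, from_bob = keypair()
    return shared(b, from_bob), shared(c, from_alice)

def intercepted_exchange():
    """Slide 6: the values in transit are swapped, so two exchanges are run."""
    b, from_alice = keypair()
    c, from_bob = keypair()
    m_a, sent_to_alice = keypair()   # Mallory's exponent facing Alice
    m_b, sent_to_bob = keypair()     # Mallory's exponent facing Bob
    alice_key = shared(b, sent_to_alice)
    bob_key = shared(c, sent_to_bob)
    return alice_key, bob_key, shared(m_a, from_alice), shared(m_b, from_bob)

def discrete_log(beta):
    """Exhaustive search for x with alpha^x = beta; works only because N is tiny."""
    return next(x for x in range(N) if pow(ALPHA, x, P) == beta)

if __name__ == "__main__":
    print("honest keys:", honest_exchange())
    print("alice, bob, mallory/alice, mallory/bob:", intercepted_exchange())
    print("log_2(13) in Z_23:", discrete_log(13))
```

Nothing in the protocol messages lets Alice or Bob tell the two runs apart, which is why the exchanged values have to be authenticated by some other means.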

7
Public-Key Cryptography
8
Diffie and Hellman propose Public Key Cryptography
  • Computationally easy to encrypt/decrypt given key
  • Computationally infeasible to derive private key
    from public key
  • Computationally infeasible to determine private
    key from a chosen-plaintext attack
  • Look at DH key exchange as PKC

9
How does Alice send Bob the decryption key in
private key crypto?
  • If Alice wants it such that anyone can decrypt
    her messages, but know that they came from her
  • Suppose she could make the decryption key
    available in a public place
  • This would require that the decryption key should
    not give any information on the encryption key,
    in particular it should not be equal to it

10
How does Alice send Bob the decryption key in
private key crypto? contd
  • If she wants it so that only Bob can read her
    messages, and Bob is ok with anyone sending him
    messages in this way
  • Suppose Bob makes his encryption key available
    publicly
  • No one should be able to compute the decryption
    key from the encryption key
  • This is the dual of the previous case

11
Public Key Cryptography
  • Two injective functions f and g such that $fg = I$
  • i.e. messages encrypted with one can be decrypted
    with the other; the functions include association
    with a key
  • f cannot be used to find g and vice versa
  • One is made public, the other kept private
  • Encryption with public function provides
    confidential transmission, decryption with public
    function provides authentication

12
RSA
13
Background
  • Totient function $\phi(n)$
  • Number of positive integers less than n and
    relatively prime to n
  • Relatively prime means with no factors in common
    with n
  • Example: $\phi(10) = 4$
  • 1, 3, 7, 9 are relatively prime to 10
  • Example: $\phi(21) = 12$
  • 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 are
    relatively prime to 21

14
RSA: Cocks (73), Rivest, Shamir, Adleman (76)
  • $n = pq$, p and q (large) primes
  • $P = C = \mathbb{Z}_n$
  • $K = \{(n, p, q, a, b) : ab \equiv 1 \bmod \phi(n)\}$
  • Public key: (n, a); private key: (b)
  • $f_K(m) = m^a \bmod n$
  • $g_K(m) = m^b \bmod n$
  • $f_K$ and $g_K$ are inverses (we won't show this, it is
    not straightforward)

15
RSA Key generation
  • Find p and q (two large random primes)
  • $n = pq$
  • $\phi(n) = (p-1)(q-1)$
  • Choose random a invertible mod $\phi(n)$ s.t. $1 < a < \phi(n)$
  • i.e. a s.t. $\gcd(a, \phi(n)) = 1$
  • Use Euclidean algorithm to find $a^{-1} \bmod \phi(n)$
  • Without p and q cannot determine $\phi(n)$
  • One key is (n, a), the other key is (n, b). Example.

16
Example
  • Take p = 7, q = 11, so n = 77 and $\phi(n) = 60$
  • Alice chooses e = 17, making d = 53
  • Bob wants to send Alice secret message HELLO (07
    04 11 11 14)
  • $07^{17} \bmod 77 = 28$
  • $04^{17} \bmod 77 = 16$
  • $11^{17} \bmod 77 = 44$
  • $11^{17} \bmod 77 = 44$
  • $14^{17} \bmod 77 = 42$
  • Bob sends 28 16 44 44 42

17
Example
  • Alice receives 28 16 44 44 42
  • Alice uses private key, d = 53, to decrypt
    message
  • $28^{53} \bmod 77 = 07$
  • $16^{53} \bmod 77 = 04$
  • $44^{53} \bmod 77 = 11$
  • $44^{53} \bmod 77 = 11$
  • $42^{53} \bmod 77 = 14$
  • Alice translates message to letters to read HELLO
  • No one else could read it, as only Alice knows
    her private key and that is needed for decryption
  • The letters could not have been changed in
    transit, as no one else has Bob's private key

18
Warnings
  • Encipher message in blocks considerably larger
    than the examples here
  • If 1 character per block, RSA can be broken using
    statistical attacks (just like classical
    cryptosystems)
  • Attacker cannot alter letters, but can rearrange
    them and alter message meaning
  • Example: reverse enciphered message of text ON to
    get NO
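
Key generation from slide 15 and the HELLO example from slides 16 to 18, as an added example that is not part of the original slides. The function names are illustrative assumptions; the numbers are the ones on the slides. It uses the extended Euclidean algorithm to find the inverse exponent and reproduces the block-reordering warning from slide 18.

```python
def egcd(x, y):
    """Extended Euclid: return (g, s, t) with s*x + t*y == g == gcd(x, y)."""
    if y == 0:
        return x, 1, 0
    g, s, t = egcd(y, x % y)
    return g, t, s - (x // y) * t

def keygen(p, q, a):
    """Return (n, a, b) with a*b = 1 mod phi(n); p and q are assumed prime."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, s, _ = egcd(a, phi)
    if g != 1:
        raise ValueError("a is not invertible mod phi(n)")
    return n, a, s % phi

def encrypt(text, n, a):
    """One letter per block (A=00 ... Z=25), as on the slides."""
    return [pow(ord(ch) - ord("A"), a, n) for ch in text]

def decrypt(blocks, n, b):
    return "".join(chr(pow(c, b, n) + ord("A")) for c in blocks)

if __name__ == "__main__":
    n, a, b = keygen(7, 11, 17)
    hello = encrypt("HELLO", n, a)
    print("private exponent:", b)
    print("ciphertext:", hello, "->", decrypt(hello, n, b))
    # Slide 18: with one character per block, equal letters give equal
    # blocks (the two L's), and reordered blocks still decrypt cleanly.
    on = encrypt("ON", n, a)
    print("reordered ON decrypts to:", decrypt(on[::-1], n, b))
```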

19
Encryption of blocks of symbols
  • Block ABCD, each symbol is base N (e.g. N = 2, 16)
  • Convert a block of a few symbols to an integer
    mod n
  • RSA encrypt
  • Convert back to base N
  • Example.
  • Problem if short strings encrypted with RSA,
    hence pad short strings with random characters.

20
Security of RSA: Is it based on hardness of
factoring n?
  • It is not known if
  • factoring a product of two primes into its prime
    components is
  • solvable in polynomial time
  • NP-complete
  • there are other trapdoors to RSA, i.e. other ways
    of breaking it in general
  • Factoring is an easy problem in the quantum
    computing model.

21
Security Services
  • Confidentiality
  • Only the owner of the private key knows it, so
    text enciphered with public key cannot be read by
    anyone except the owner of the private key
  • Authentication
  • Only the owner of the private key knows it, so
    text enciphered with private key must have been
    generated by the owner

22
More Security Services
  • Integrity
  • Enciphered letters cannot be changed undetectably
    without knowing private key
  • Non-Repudiation
  • Message enciphered with private key came from
    someone who knew it

23
Secure Hash
24
The problems crypto addresses
  • Confidentiality/secrecy/privacy
  • How to keep a message secret so it can be read
    only by a chosen person
  • Use encryption
  • Integrity
  • How to determine a string of symbols has not been
    changed since it was created
  • ?

25
Integrity
  • Alice sends message x to Bob. She fears Oscar
    will manipulate it along the way, and Bob will
    get an incorrect message.
  • She could encrypt it using a key Oscar did not
    have, but is that overkill when she does not need
    to prevent Oscar from reading it?
  • But maybe she could tell Bob something else about
    the message so he would know if something was
    terribly wrong: parity, last bit, a particular
    bit, etc.

26
In general, she could use a hash function
  • $h: X \to Y$
  • $y = h(x)$
  • $|X| > |Y|$
  • i.e. $\exists\, x, x'$ s.t. $x \ne x'$ and $h(x) = h(x')$
  • Used in storage tables
  • E.g. h(x) = last bit, parity, smallest prime
    factor

27
Checksums/hashes
  • Mathematical function to generate a set of k bits
    from a set of n bits (where $k \le n$).
  • k is smaller than n except in unusual
    circumstances
  • Example: ASCII parity bit
  • ASCII has 7 bits; 8th bit is parity
  • Even parity: even number of 1 bits
  • Odd parity: odd number of 1 bits

28
Example Use
  • Bob receives 10111101 as bits.
  • Sender is using even parity: 6 1 bits, so
    character was received correctly
  • Note: could be garbled, but 2 bits would need to
    have been changed to preserve parity
  • Sender is using odd parity: even number of 1
    bits, so character was not received correctly

29
h(x) sent with x
  • Both Bob and Alice can create h(x) given x
  • Alice sends (x, h(x))
  • Bob receives (x, y), he checks if $y = h(x)$.
  • If so, he assumes x is what Alice sent

30
In either case, what can the attacker do?
  • If he can compute h(x), he can
  • try to find $x'$ s.t. $h(x') = h(x)$.
  • If he knows h, and can influence Alice, he can
  • try to get her to send an x that she likes such
    that $h(x) = h(x')$ for an $x'$ he likes.
  • If he doesn't, he hopes for the best.

31
Hence require an h secure in the following ways
  • Secure wrt second image requires that the
    following problem is difficult
  • Given an $x \in X$, find $x' \in X$ s.t. $x' \ne x$ but
    $h(x') = h(x)$
  • Secure wrt collision requires that the following
    problem is difficult
  • Find $x, x' \in X$ s.t. $x \ne x'$ but $h(x) = h(x')$
  • The above should be true even if $h(x_1), h(x_2), \ldots,
    h(x_n)$ are known

32
In general, h is a secure-hash, or a one-way
function
  • Easy to compute in one direction, hard in the
    other.
  • Can we recall one such function?

33
Definition
  • Cryptographic checksum $h: A \to B$
  • For any $x \in A$, h(x) is easy to compute
  • For any $y \in B$, it is computationally infeasible
    to find $x \in A$ such that $h(x) = y$
  • It is computationally infeasible to find two
    inputs $x, x' \in A$ such that $x \ne x'$ and
    $h(x) = h(x')$

34
Keys
  • Keyed cryptographic checksum requires
    cryptographic key
  • DES in chaining mode: encipher message, use last
    n bits. Requires a key to encipher, so it is a
    keyed cryptographic checksum.
  • Keyless cryptographic checksum requires no
    cryptographic key
  • MD5 and SHA-1 are best known; others include MD4,
    HAVAL, and Snefru

35
HMAC
  • Keyed cryptographic checksums from keyless ones
  • h is a keyless cryptographic checksum function that
    takes data in blocks of b bytes and outputs
    blocks of l bytes. $k'$ is cryptographic key of
    length b bytes
  • If short, pad with 0 bytes; if long, hash to
    length b
  • ipad is 00110110 repeated b times; opad is
    01011100 repeated b times
  • $\text{HMAC-}h(k, m) = h(k' \oplus \text{opad} \,\|\, h(k' \oplus \text{ipad} \,\|\, m))$
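
The HMAC construction above next to the keyless check from the "h(x) sent with x" slide, as an added example that is not part of the original slides. SHA-256 as h, the function names and the sample messages are assumptions chosen for the example. Long keys are handled as RFC 2104 specifies: hashed first, then zero-padded to b bytes.

```python
import hashlib
import hmac

def hmac_from_definition(key, msg, h=hashlib.sha256):
    """HMAC-h(k, m) = h(k' XOR opad || h(k' XOR ipad || m))."""
    b = h().block_size                 # b: input block size of h in bytes
    if len(key) > b:
        key = h(key).digest()          # long key: hash it (RFC 2104) ...
    k_prime = key.ljust(b, b"\x00")    # ... then pad with 0 bytes to length b
    ipad = bytes(x ^ 0x36 for x in k_prime)   # 0x36 = 00110110
    opad = bytes(x ^ 0x5C for x in k_prime)   # 0x5C = 01011100
    inner = h(ipad + msg).digest()
    return h(opad + inner).digest()

def keyless_check(msg, tag, h=hashlib.sha256):
    """Bob's check when Alice sends (x, h(x)) with a keyless h."""
    return hmac.compare_digest(h(msg).digest(), tag)

def keyed_check(key, msg, tag):
    """Bob's check when Alice sends (x, HMAC-h(k, x)); constant-time compare."""
    return hmac.compare_digest(hmac_from_definition(key, msg), tag)

if __name__ == "__main__":
    key = b"constructed shared key"        # constructed sample values
    sent, altered = b"pay Bob 10", b"pay Bob 99"

    # Keyless: whoever alters x can also recompute h(x), so the check passes.
    print("keyless accepts altered:",
          keyless_check(altered, hashlib.sha256(altered).digest()))

    # Keyed: the tag for the original message does not fit the altered one,
    # and a tag computed without the key does not verify either.
    tag = hmac_from_definition(key, sent)
    print("keyed accepts original:", keyed_check(key, sent, tag))
    print("keyed accepts altered:", keyed_check(key, altered, tag))
    print("matches stdlib hmac:",
          tag == hmac.new(key, sent, hashlib.sha256).digest())
```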

36
Digital Signatures
37
For non-repudiation
  • A digital signature authenticates both the origin
    and the contents of a message in a manner that is
    provable to a disinterested third party
  • Encrypt message digest (computed using a secure
    hash) with public key