ISA 662 Information System Security

1
ISA 662 Information System Security

• Public Key Cryptosystem

2
Outline

• Background
• Diffie-Hellman
• RSA
• Cryptographic Checksums

3
History

• Concept conceived by Diffie and Hellman in 1976
• Rivest, Shamir and Adleman (RSA) were first to
  describe a public key system in 1978
• Merkle and Hellman published a different solution
  later in 1978 (broken by Shamir)

4
The Big Picture
Plain- text
Plain- text
Ciphertext
Encryption Algorithm
Decryption Algorithm
INSECURE CHANNEL
A
B
B's Public Key
B's Private Key
RELIABLE CHANNEL
B's Public Key
5
The Basic Idea

• Confidentiality encipher using public key,
  decipher using private key
• Integrity/authentication encipher using private
  key, decipher using public key

Plain- text
Plain- text
Encryption Algorithm
Decryption Algorithm
Ciphertext
Signature
B's Public Key
B's Private Key
B
A
6
Requirements

• The keys and algorithms must meet these
  requirements
• Must be computationally easy to encipher or
  decipher
• Must be computationally infeasible to derive the
  private key from the public key
• Must be computationally infeasible to determine
  the private key from a chosen plaintext attack
• Different from those of secret key cryptosystem
  except the first requirement
• Why another cryptosystem?

7
Motivation 1- Key Distribution Problem

• In a secret key cryptosystem, the secret key must
  be transmitted via a secure channel
• Inconvenient
• n parties want to communicate with each other,
  how many keys need to be transmitted?
• Insecure
• Is the secure channel really secure?
• Public key cryptosystem solves the problem
• Public key known by everyone telephone
  directory
• Privacy key is never transmitted

8
Motivation 2- Digital Signature

• In a secret key cryptosystem, authentication and
  non-repudiation may be difficult
• Authentication
• You must share a secret key with someone in order
  to verify his signature
• Non-repudiation
• I didnt sign it. You did since you also have
  the key
• Public key cryptosystem solves the problem
• Verification of signature needs only the public
  key
• One is solely responsible for his private key

9
Required number theory

• If a b kn for some integer k
• We write b a mod n (namely, a is congruent to b
  modulo n, and b is the residue of a modulo n)
• Examples 2 12 mod 5, 2 12 mod 10, 0 12 mod
  6
• Properties(a O b) mod n ((a mod n) O (b mod
  n)) mod n where O is , -,
• 35 mod 7 (33333 mod 7)
• ((33 mod 7)(33 mod 7)(3 mod 7))mod 7
• Needed when enciphering/deciphering

10
More of the same

• A prime number is a positive integer having
  exactly one positive divisor other than 1. E.g.
  3, 5, 7, 11, 13
• a and b are relatively prime if they have no
  common positive factors other than 1. E.g. 1 and
  2, 2 and 3, 3 and 4, but not 2 and 4
• The totient function ?(n) gives the number of
  integers between 1 and n-1 that are relatively
  prime to n. E.g. ?(10) 4 (1,3,7,9 are
  relatively prime to 10)

11
Still More Math

• Euler's Totient Theorem
• 1 a ?(n) mod n, where a and n are relatively
  prime
• Example 3 ?(10) mod 10 3 4 mod 10 81 mod 10
• 10 ?(3) mod 3 10 2 mod 3 100 mod 3
• Fermats Little Theorem
• a p-11 mod p, where p is prime and relatively
  prime to a
• Notice ?(p) p-1

12
Outline

• Background
• Diffie-Hellman
• RSA
• Cryptographic Checksums

13
Diffie-Hellman Key Exchange Scheme

• Proposed in 1976 as the first public key
  algorithm (predates RSA)
• Allows users to agree on a secret key over
  insecure channels with no prior communication
• The secret key can thus be used to encrypt or
  decrypt message (e.g., SSL 3.0, IPsec)

A
B
K
Insecure Channel
14
Discrete Logarithm Problem

• D-H is based on the discrete logarithm problem
• Given integers n and g and prime number p,
  compute k such that n g k mod p
• In general computationally infeasible
• Choices for g and p are critical
• Both p and (p1)/2 should be prime
• p should be large (at least 512 bits, possibly
  1028 bits)
• g should be a primitive root mod p

15
Diffie-Hellman Key Exchange Scheme
16
Quiz

• p 7 and g 5
• Alice
• chooses x 2
• and send X ?
• Bob
• chooses y 3
• and send Y ?
• Shared key
• k ?
• k ?
• (gxy mod p ? )

17
Man-in-the-middle Attack
K1
K2
B
C
A
active intruder
K1
A
B
K2
A
B
18
Outline

• Background
• Diffie-Hellman
• RSA
• Cryptographic Checksums

19
RSA In Summary

• Choose public key (n,e)
• Compute private key (n,d)
• Encryption C Me mod n
• Decryption M Cd mod n
• Underlying theory Euler's Totient Theorem

Key Generation
20
Key Generation

• Choose 2 large (512 bit) prime numbers p and q
• Compute n p q
• Choose e relatively prime to (p-1)(q-1)
• Compute d such that 1 ed mod (p-1)(q-1)
• Publish (n,e) and keep (n,d) (discard p, q)

21
Key Generation (Contd)

• Large primes can be found efficiently using
  probablistic algorithms due to Solvay and
  Strassen
• d can be computed using the Extended Euclidean
  Algorithm (Textbook 31.2)
• Care must be exercised in choosing p and q,
  otherwise insecurities may result (p-1, p1, q-1,
  q1 should have large prime factors)

22
Key Generation - Example

• p 7, q 11, so n 77 and (p-1)(q-1) 60
• Alice chooses e 17, computing d 53
  (1753901)
• publish (77,17) and keep (77,53) secret

23
Encryption/Decription

• Encryption C Me mod n
• Decryption M Cd mod n
• Underlying theory
• Cd mod n (Me mod n)d mod n
• Med mod n
• M1 mod (p-1)(q-1) mod n
• M (p-1)(q-1)i 1 mod n
• (1i M) mod n (by Fermats Little Theorem)
• M mod n
• M (require Mltn M relatively prime to n)

24
Example Encryption

• p 7, q 11, n 77
• Alice chooses e 17, making d 53
• Bob wants to send Alice secret message HELLO (07
  04 11 11 14)
• 0717 mod 77 28
• 0417 mod 77 16
• 1117 mod 77 44
• 1117 mod 77 44
• 1417 mod 77 42
• Bob sends 28 16 44 44 42

25
Example Decryption

• Alice receives 28 16 44 44 42
• Alice uses private key, d 53, to decrypt
  message
• 2853 mod 77 07
• 1653 mod 77 04
• 4453 mod 77 11
• 4453 mod 77 11
• 4253 mod 77 14
• Alice translates 07 04 11 11 14 to HELLO
• No one else could read it, as only Alice knows
  her private key and that is needed for decryption

26
Digital Signatures in RSA

• RSA has an important property, not shared by
  other public key systems
• Encryption and decryption are symmetric
• Encryption followed by decryption yields the
  original message
• (Me mod n)d mod n M
• Decryption followed by encryption also yields the
  original message
• (Md mod n)e mod n M
• Because e and d are symmetric in
• ed 1 mod (p-1)(q-1)

27
Digital Signatures in RSA
Plaintext M
?
Plaintext M
Plaintext M
M d mod n
C e mod n
Ciphertext C (signature)
A's Public Key e
A's Private Key d
A
B
RELIABLE CHANNEL
28
Compared To Encryption in RSA
Plaintext M
Plaintext M
M e mod n
C d mod n
Ciphertext C
A
B
B's Private Key d
B's Public Key e
RELIABLE CHANNEL
29
Signature and Encryption
A
B
Encrypted Signed Plaintext
Signed Plaintext
Signed Plaintext
Plain- text
Plain- text
D
E
D
E
B's Private Key
A's Private Key
A's Public Key
B's Public Key
30
Signature and Encryption

• We could do the encryption first followed by the
  signature.
• Signature first has the advantage that the
  signature can be verified by parties other than B.

31
Example Sign

• Take p 7, q 11, n 77
• Alice chooses e 17, making d 53
• Alice wants to send Bob message HELLO (07 04 11
  11 14) so Bob knows it is from Alice, and it has
  not been modified in transit
• 0753 mod 77 35
• 0453 mod 77 09
• 1153 mod 77 44
• 1153 mod 77 44
• 1453 mod 77 49
• Alice sends 35 09 44 44 49

32
Example Verify

• Bob receives 35 09 44 44 49
• Bob uses Alices public key, e 17, n 77, to
  decrypt message
• 3517 mod 77 07
• 0917 mod 77 04
• 4417 mod 77 11
• 4417 mod 77 11
• 4917 mod 77 14
• Bob translates 07 04 11 11 14 to HELLO
• (Assume) only Alice has her private key, so no
  one else could have been able to create a correct
  signature
• The (deciphered) signature matches the
  transmitted plaintext, so the plaintext is not
  altered

33
Example Both

• Alice wants to send Bob message HELLO both
  enciphered and signed
• Alices keys public (17, 77) private 53
• Bobs keys public (37, 77) private 13
• Alice does (does she encipher first or sign
  first?)
• (0753 mod 77)37 mod 77 07
• (0453 mod 77)37 mod 77 37
• (1153 mod 77)37 mod 77 44
• (1153 mod 77)37 mod 77 44
• (1453 mod 77)37 mod 77 14
• Alice sends 07 37 44 44 14
• What would Bob do upon receiving the message?

34
Security of RSA

• Cryptanalysis is to compute d while knowing (e,
  n)
• such that ed 1 mod (p-1)(q-1), and npq, for
  some p and q (the factorization is unique)
• If factorization of n into pq is known, this is
  easy (Extended Euclidean Algorithm). Otherwise,
  it is hard.
• Therefore security of RSA is no better than
  complexity of the factoring problem
• Is the factoring problem provably hard (e.g.,
  undecidable)? No
• However, the possibility of an easy factoring
  method is believed to be remote.

35
RSA Versus DES

• Fastest implementations of RSA can encrypt
  kilobits/second
• Fastest implementations of DES can encrypt
  megabits/second
• It is often proposed that RSA be used for secure
  exchange of DES keys
• This 1000-fold difference in speed is likely to
  remain independent of technology advances
• Matters more in wireless/ad hoc/sensor network

36
RSA Versus DES

• Key size of RSA is selected by the user
• Many implementations choose n to be 154 digits
  (512 bits) so the key (n,e) is 1024 bits
• Key size of DES is 64 bits (56 bits plus 8 parity
  bits)

37
RSA Key Size

• key size should be chosen conservatively
• cryptographers can stay ahead of (factorization)
  cryptanalysts by increasing the key size
• Until 1989 factorization attacks were based on
  "high school mathematics." Since then
  sophisticated attacks have extended factorization
  to larger numbers (usually of a specific form).
• At present it appears that 130 digit numbers can
  be factored in several months using lots of idle
  workstations.

38
Outline

• Background
• Diffie-Hellman
• RSA
• Cryptographic Checksums

39
One-way Hash Functions

• Also known as message digest
• A function H(M) m satisfies
• (Fixed length) M can be of any length, whereas m
  is of fixed length
• (One-way) computing H(M)m is easy, but
  computing H-1(m)M is computationally infeasible
• (Collision-free) in two forms
• Weak collision-freedom given any M, difficult to
  find another M such that H(M)H(M)
• Strong collision-freedom difficult to find any M
  and M such that H(M)H(M)

40
Why Those Requirements?

• Many applications store H(p) instead of a
  password p
• Fixed length cannot guess the length of p from
  H(p) (and H(p) is easier to store)
• One-way the administrator cannot learn p of
  others
• Collision-free cannot submit incorrect p
  matching H(p)
• Most applications sign H(M) instead of M

41
Example

• ASCII parity bit
• ASCII has 7 bits 8th bit is parity
• Even parity even number of 1 bits
• Odd parity odd number of 1 bits
• Bob receives 10111101
• If sender is using even parity six 1 bits, so
  character was received correctly
• Note could be garbled, but 2 bits would need to
  have been changed to match parity bit
• If sender is using odd parity even number of 1
  bits, so character was not received correctly

42
Hash Functions In Practice

• DES based hash functions tend to produce 64 bit
  digest which cannot be strong
• CCITT X.509 (proven insecure)
• Merkle's Snefru 2-pass version proven insecure
  4-pass version unproven
• Jueneman's methods broken and refined and broken
  and refined
• NIST Secure Hash Algorithm
• RSA MD2, MD4, MD5, SHA-0, SHA-1, SHA-2 (SHA-224,
  SHA-256, SHA-384, and SHA-512 )

43
Hash Functions Broken ?

• Crypto 2004 Rump session reported attacks on MD4,
  MD5 and SHA-0
• MD4s attacks are done by hands
• Crypto 2005 reported attacks on full SHA-1
• Should we panic?

Xiaoyun Wangs webpage http//www.infosec.sdu.ed
u.cn/people/wangxiaoyun.htm
44
Hash Functions Broken ? (Contd)

• Nature of the results
• Algorithm that finds collision faster than
  theoretic bound
• MD5 about one hour SHA-1 263 vs 280
  (theoretically)
• Yes, the results disprove those functions to be
  strong collision-free
• No, they do not give you a password from its hash
• Brute force attacks do (refer to
  http//passcracking.com/)
• Whether you should panic or not depends on what
  you use the hash functions for

Xiaoyun Wangs webpage http//www.infosec.sdu.ed
u.cn/people/wangxiaoyun.htm
45
Hash Functions Vs MAC

• Send a message M together with its hash hH(M),
  so the recipient can verify M by comparing H(M)
  with the received h
• Attack If anyone in the middle can replace M
  with M and h with hH(M), the recipient wont
  detect this
• Keyed hash functions
• Also known as message authentication codes (MAC)
• Example DES in CBC mode use a key to encipher
  message in CBC mode and use last n bits as the
  MAC value.

46
HMAC

• Build MAC from keyless hash functions
• Encryption algorithms cannot be exported
• h keyless hash function
• k? a cryptographic key k padded with 0
• Ipad 00110110 repeated
• Opad 01011100 repeated
• HMAC h(k, m) h(k? ? opad h(k? ? ipad m))
• ? exclusive or, concatenation

47
Key Points

• Public key cryptosystems has two keys
• Diffie-Hellman exchanges secret key via insecure
  channel
• RSA can be used for confidentiality and integrity
• Cryptographic Checksums are keyed hash functions