Lecture 3: Cryptography II - PowerPoint PPT Presentation

1 / 73
About This Presentation
Title:

Lecture 3: Cryptography II

Description:

* Further Reading Stallings Chapter 11 HAC Chapter 9 ... Public Key Cryptography IV RSA Signatures ... 6 mod 9. 3 * 3 = 0 mod 9. * * Public Key Cryptography ... – PowerPoint PPT presentation

Number of Views:261
Avg rating:3.0/5.0
Slides: 74
Provided by: Nasir9
Category:

less

Transcript and Presenter's Notes

Title: Lecture 3: Cryptography II


1
Lecture 3 Cryptography II
  • CS 336/536 Computer Network Security
  • Fall 2013
  • Nitesh Saxena

2
Course Administration
  • Everyone receiving my emails?
  • Lecture slides worked okay?
  • Both ppt and pdf versions
  • Everyone knows how to access the course web page?
  • HW/Lab 1 heads up
  • To be posted coming Monday
  • Labs become active starting next week

3
Outline of Todays Lecture
  • Block Cipher Modes of Encryption
  • Public Key Crypto Overview
  • Number Theory Background
  • Public Key Encryption (RSA)
  • Public Key Signatures

4
  • Block Cipher Encryption Modes

5
Block Cipher Encryption modes
  • Electronic Code Book (ECB)
  • Cipher Block Chain (CBC)
  • Most popular one
  • Others (we will not cover)
  • Cipher Feed Back (CFB)
  • Output Feed Back (OFB)

6
Analysis
  • We will analyze each mode in terms of
  • Security
  • Computational Efficiency (parallelizing
    encryption/decryption)
  • Transmission Errors
  • Integrity Protection

7
Electronic Code Book (ECB) Mode
  • Although DES encrypts 64 bits (a block) at a
    time, it can encrypt a long message (file) in
    Electronic Code Book (ECB) mode.
  • Deterministic -- If same key is used then
    identical plaintext blocks map to identical
    ciphertext

8
Example why ECB is bad?
Tux encrypted with AES in ECB mode
Tux
9
Cipher Block Chain (CBC) Mode
encryption
decryption
10
CBC Traits
  • Randomized encryption
  • IV Initialization vector serves as the
    randomness for first block computation the
    ciphertext of the previous block serves as the
    randomness for the current block computation
  • IV is a random value
  • IV is no secret it is sent along with the
    ciphertext blocks (it is part of the ciphertext)

11
Example why CBC is good?
Tux encrypted with AES in CBC mode
Tux
12
CBC More Properties
  • What happens if k-th cipher block CK gets
    corrupted in transmission.
  • With ECB Only decrypted PK is affected.
  • With CBC?
  • Only blocks PK and PK1 are affected!!
  • What if one plaintext block PK is changed?
  • With ECB only CK affected.
  • With CBC all subsequent ciphertext blocks will be
    affected.
  • Avalanche effect
  • This leads to an effective integrity protection
    mechanism (or message authentication code (MAC))

13
Security of Block Cipher Modes
  • ECB is not even secure against eavesdroppers
    (ciphertext only and known plaintext attacks)
  • CBC is secure against CPA attacks (assuming 3-DES
    or AES is used in each block computation)
    automatically secure against eavesdropping
    attacks
  • However, not secure against CCA. Why?
  • Intuitively, this is because the ciphertext can
    be massaged in a meaningful way

14
CBC Mode CCA Attack
  • Assume adversary has eavesdropped upon a
    ciphertext (C0, C1, C2) -- corresponding to a
    plaintext (M1, M2). C0 is IV.
  • Adversary is not allowed to query for (C0, C1,
    C2) itself
  • With CBC, adversary queries for (C0, C1, C2) and
    obtains (M1, M2) X denotes bit-wise complement
    of X

15
How to achieve CCA security?
  • Prevent any massaging of the ciphertext
  • Intuitively, this can be achieved by using
    integrity protection mechanisms (such as MACs),
    which we will study later
  • The ciphertext is generated using CBC/CFB/OFB and
    a MAC is generated on this ciphertext
  • Both ciphertext and the MAC is sent off
  • The other party decrypts only if MAC is valid

16
Advanced Encryption Standard (AES)
  • National Institute of Science and Technology
  • DES is an aging standard that no longer addresses
    todays needs for strong encryption
  • Triple-DES Endorsed by NIST as todays defacto
    standard
  • AES The Advanced Encryption Standard
  • Finalized in 2001
  • Goal To define Federal Information Processing
    Standard (FIPS) by selecting a new powerful
    encryption algorithm suitable for encrypting
    government documents
  • AES candidate algorithms were required to be
  • Symmetric-key, supporting 128, 192, and 256 bit
    keys
  • Royalty-Free
  • Unclassified (i.e. public domain)
  • Available for worldwide export

17
AES
  • AES Round-3 Finalist Algorithms
  • MARS
  • Candidate offering from IBM
  • RC6
  • Developed by Ron Rivest of RSA Labs, creator of
    the widely used RC4 algorithm
  • Twofish
  • From Counterpane Internet Security, Inc.
  • Serpent
  • Designed by Ross Anderson, Eli Biham and Lars
    Knudsen
  • Rijndael the winner!
  • Designed by Joan Daemen and Vincent Rijmen

18
Other Symmetric Ciphers and their applications
  • IDEA (used in PGP)
  • Blowfish (password hashing in OpenBSD)
  • RC4 (used in WEP), RC5
  • SAFER (used in Bluetooth)

19
Some Questions
  • Double encryption in DES increases the key space
    size from 256 to 2112 true or false?
  • Is known-plaintext an active or a passive attack?
  • Is chosen-ciphertext attack an active or a
    passive attack?
  • Reverse Engineering is applied to what design of
    systems open or closed?
  • Alice needs to send a 64-bit long top-secret
    letter to Bob. Which of the ciphers that we
    studied today should she use?

20
Some Questions
  • CDES(K,P) where (P, C are 64-bit long blocks).
    What would be DES(K,PPPP) in ECB mode? What it
    would be in CBC mode?
  • ECB is secure for sending just one block of data
    true or false?
  • Is it okay to re-use IV in CBC? Why/why not?
  • Alice needs to send a long top-secret message
    to Bob. Which of the ciphers that we studied
    today can she use?
  • Is ECB secure against CPA?
  • Is CBC secure against CPA?

21
  • Public Key Crypto Overview
  • and Number Theory

22
Recall Private Key/Public Key Cryptography
  • Private Key Sender and receiver share a common
    (private) key
  • Encryption and Decryption is done using the
    private key
  • Also called conventional/shared-key/single-key/
    symmetric-key cryptography
  • Public Key Every user has a private key and a
    public key
  • Encryption is done using the public key and
    Decryption using private key
  • Also called two-key/asymmetric-key cryptography

23
Private key cryptography revisited.
  • Good Quite efficient (as youll see from the
    HW2 programming exercise on AES)
  • Bad Key distribution and management is a serious
    problem

24
Public key cryptography model
  • Good Key management problem potentially simpler
  • Bad Much slower than private key crypto (well
    see later!)

25
Public Key Encryption
  • Two keys
  • public encryption key e
  • private decryption key d
  • Encryption easy when e is known
  • Decryption easy when d is known
  • Decryption hard when d is not known
  • Well study such public key encryption schemes
    first we need some number theory.

26
Public Key Encryption Security Notions
  • Very similar to what we studied for private key
    encryption
  • Whats the difference?

27
Group Definition
  • (G,.) (where G is a set and . GxG?G) is said to
    be a
  • group if following properties are satisfied
  • Closure for any a, b G, a.b G
  • Associativity for any a, b, c G,
    a.(b.c)(a.b).c
  • Identity there is an identity element such that
    a.e e.a a, for any a G
  • Inverse there exists an element a-1 for every a
    in G, such that a.a-1 a-1.a e
  • Abelian Group Group which also satisfies
    commutativity , i.e., a.b b.a

28
Groups Examples
  • Set of all integers with respect to addition
    --(Z,)
  • Set of all integers with respect to
    multiplication (Z,) not a group
  • Set of all real numbers with respect to
    multiplication (R,)
  • Set of all integers modulo m with respect to
    modulo addition (Zm, modular addition)

29
Divisors
  • x divides y (written x y) if the remainder is 0
    when y is divided by x
  • 18, 28, 48, 88
  • The divisors of y are the numbers that divide y
  • divisors of 8 1,2,4,8
  • For every number y
  • 1y
  • yy

30
Prime numbers
  • A number is prime if its only divisors are 1 and
    itself
  • 2,3,5,7,11,13,17,19,
  • Fundamental theorem of arithmetic
  • For every number x, there is a unique set of
    primes p1, ,pn and a unique set of positive
    exponents e1, ,en such that

31
Common divisors
  • The common divisors of two numbers x,y are the
    numbers z such that zx and zy
  • common divisors of 8 and 12
  • intersection of 1,2,4,8 and 1,2,3,4,6,12
  • 1,2,4
  • greatest common divisor gcd(x,y) is the number z
    such that
  • z is a common divisor of x and y
  • no common divisor of x and y is larger than z
  • gcd(8,12) 4

32
Euclidean Algorithm gcd(r0,r1)
Main idea If y ax b then gcd(x,y) gcd(x,b)
33
Example gcd(15,37)
  • 37 2 15 7
  • 15 2 7 1
  • 7 7 1 0
  • gcd(15,37) 1

34
Relative primes
  • x and y are relatively prime if they have no
    common divisors, other than 1
  • Equivalently, x and y are relatively prime if
    gcd(x,y) 1
  • 9 and 14 are relatively prime
  • 9 and 15 are not relatively prime

35
Modular Arithmetic
  • Definition x is congruent to y mod m, if m
    divides (x-y). Equivalently, x and y have the
    same remainder when divided by m.
  • Notation
  • Example
  • We work in Zm 0, 1, 2, , m-1, the group of
    integers modulo m
  • Example Z9 0,1,2,3,4,5,6,7,8
  • We abuse notation and often write instead of

36
Addition in Zm
  • Addition is well-defined
  • 3 4 7 mod 9.
  • 3 8 2 mod 9.

37
Additive inverses in Zm
  • 0 is the additive identity in Zm
  • Additive inverse of a is -a mod m (m-a)
  • Every element has unique additive inverse.
  • 4 5 0 mod 9.
  • 4 is additive inverse of 5.

38
Multiplication in Zm
  • Multiplication is well-defined
  • 3 4 3 mod 9.
  • 3 8 6 mod 9.
  • 3 3 0 mod 9.

39
Multiplicative inverses in Zm
  • 1 is the multiplicative identity in Zm
  • Multiplicative inverse (xx-11 mod m)
  • SOME, but not ALL elements have unique
    multiplicative inverse.
  • In Z9 300, 313, 326, 330, 343,
    356, , so 3 does not have a multiplicative
    inverse (mod 9)
  • On the other hand, 428, 433, 447, 452,
    466, 471, so 4-17, (mod 9)

40
Which numbers have inverses?
  • In Zm, x has a multiplicative inverse if and only
    if x and m are relatively prime or gcd(x,m)1
  • E.g., 4 in Z9

41
Extended Euclidian a-1 mod n
  • Main Idea Looking for inverse of a mod n means
    looking for x such that xa yn 1.
  • To compute inverse of a mod n, do the following
  • Compute gcd(a, n) using Euclidean algorithm.
  • Since a is relatively prime to m (else there will
    be no inverse) gcd(a, n) 1.
  • So you can obtain linear combination of rm and
    rm-1 that yields 1.
  • Work backwards getting linear combination of ri
    and ri-1 that yields 1.
  • When you get to linear combination of r0 and r1
    you are done as r0n and r1 a.

42
Example 15-1 mod 37
  • 37 2 15 7
  • 15 2 7 1
  • 7 7 1 0
  • Now,
  • 15 2 7 1
  • 15 2 (37 2 15) 1
  • 5 15 2 37 1
  • So, 15-1 mod 37 is 5.

43
Modular ExponentiationSquare and Multiply method
  • Usual approach to computing xc mod n is
    inefficient when c is large.
  • Instead, represent c as bit string bk-1 b0 and
    use the following algorithm
  • z 1
  • For i k-1 downto 0 do
  • z z2 mod n
  • if bi 1 then z z x mod n

44
Example 3037 mod 77
z z2 mod n if bi 1 then z z x mod n
i b z
5 1 30 1130 mod 77
4 0 53 3030 mod 77
3 0 37 5353 mod 77
2 1 29 373730 mod 77
1 0 71 2929 mod 77
0 1 2 717130 mod 77
45
Other Definitions
  • An element g in G is said to be a generator of a
    group if a gi for every a in G, for a certain
    integer i
  • A group which has a generator is called a cyclic
    group
  • The number of elements in a group is called the
    order of the group
  • Order of an element a is the lowest i (gt0) such
    that ai e (identity)
  • A subgroup is a subset of a group that itself is
    a group

46
Lagranges Theorem
  • Order of an element in a group divides the order
    of the group

47
Eulers totient function
  • Given positive integer n, Eulers totient
    function is the number of positive
    numbers less than n that are relatively prime to
    n
  • Fact If p is prime then
  • 1,2,3,,p-1 are relatively prime to p.

48
Eulers totient function
  • Fact If p and q are prime and npq then
  • Each number that is not divisible by p or by q is
    relatively prime to pq.
  • E.g. p5, q7 1,2,3,4,-,6,-,8,9,-,11,12,13,-,-,1
    6,17,18,19,-,-,22,23,24,-,26,27,-,29,-,31,32,33,34
    ,-
  • pq-p-(q-1) (p-1)(q-1)

49
Eulers Theorem and Fermats Theorem
  • If a is relatively prime to n then
  • If a is relatively prime to p then
    ap-1 1 mod p
  • Proof follows from Lagranges Theorem

50
Eulers Theorem and Fermats Theorem
  • EG Compute 9100 mod 17
  • p 17, so p-1 16. 100 6164. Therefore,
    910096164(916)6(9)4 . So mod 17 we have 9100
    ? (916)6(9)4 (mod 17) ? (1)6(9)4 (mod 17)
  • ? (81)2 (mod 17) ? 16

51
Some questions
  • 2-1 mod 4 ?
  • Find x such that
  • x 4 (mod 5)
  • x 7 (mod 8)
  • x 3 (mod 9)
  • Order of a group is 5. What can be the order of
    an element in this group?

52
Further Reading
  • Chapter 4 of Stallings
  • Chapter 2.4 of HAC

53
  • The RSA Cryptosystem (Encryption)

54
Textbook RSA KeyGen
  • Alice wants people to be able to send her
    encrypted messages.
  • She chooses two (large) prime numbers, p and q
    and computes npq and . large 1024
    bits
  • She chooses a number e such that e is relatively
    prime to and computes d, the inverse of
    e in , i.e., ed 1 mod
  • She publicizes the pair (e,n) as her public key.
    (e is called RSA exponent, n is called RSA
    modulus). She keeps d secret and destroys p, q,
    and
  • Plaintext and ciphertext messages are elements of
    Zn and e is the encryption key.

55
RSA Encryption
  • Bob wants to send a message x (an element of Zn)
    to Alice.
  • He looks up her encryption key, (e,n), in a
    directory.
  • The encrypted message is
  • Bob sends y to Alice.

56
RSA Decryption
  • To decrypt the message
  • shes received from Bob, Alice computes
  • Claim D(y) x

57
RSA why does it all work
  • Need to show
  • DEx x
  • Ex and Dy can be computed efficiently if keys
    are known
  • E-1y cannot be computed efficiently without
    knowledge of the (private) decryption key d.
  • Also, it should be possible to select keys
    reasonably efficiently
  • This does not have to be done too often, so
    efficiency requirements are less stringent.

58
E and D are Inverses
Because
From Eulers Theorem
59
Tiny RSA example.
  • Let p 7, q 11. Then n 77 and
  • Choose e 13. Then d 13-1 mod 60 37.
  • Let message 2.
  • E(2) 213 mod 77 30.
  • D(30) 3037 mod 772

60
Slightly Larger RSA example.
  • Let p 47, q 71. Then n 3337 and
  • Choose e 79. Then d 79-1 mod 3220 1019.
  • Let message 688232 Break it into 3 digit
    blocks to encrypt.
  • E(688) 68879 mod 3337 1570.
  • E(232) 23279 mod 3337 2756
  • D(1570) 15701019 mod 3337 688.
  • D(2756) 27561019 mod 3337 232.

61
Security of RSA RSA assumption
  • Suppose Oscar intercepts the encrypted message y
    that Bob has sent to Alice.
  • Oscar can look up (e,n) in the public directory
    (just as Bob did when he encrypted the message)
  • If Oscar can compute d e-1 mod then he
    can use to
    recover the plaintext x.
  • If Oscar can compute , he can compute d
    (the same way Alice did).

62
Security of RSA factoring
  • Oscar knows that n is the product of two primes
  • If he can factor n, he can compute
  • But factoring large numbers is very difficult
  • Grade school method takes divisions.
  • Prohibitive for large n, such as 160 bits
  • Better factorization algorithms exist, but they
    are still too slow for large n
  • Lower bound for factorization is an open problem

63
How big should n be?
  • Today we need n to be at least 1024-bits
  • This is equivalent to security provided by 80-bit
    long keys in private-key crypto
  • No other attack on RSA known
  • Except some side channel attacks, based on
    timing, power analysis, etc. But, these exploit
    certain physical charactesistics, not a
    theoretical weakness in the cryptosystem!

64
Key selection
  • To select keys we need efficient algorithms to
  • Select large primes
  • Primes are dense so choose randomly.
  • Probabilistic primality testing methods known.
    Work in logarithmic time.
  • Compute multiplicative inverses
  • Extended Euclidean algorithm

65
RSA in Practice
  • Textbook RSA is insecure
  • Known-plaintext?
  • CPA?
  • CCA?
  • In practice, we use a randomized version of
    RSA, called RSA-OAEP
  • Use PKCS1 standard for RSA encryption
  • http//www.rsa.com/rsalabs/node.asp?id2125
  • Interested in details of OAEP refer to (section
    3.1 of) http//isis.poly.edu/courses/cs6903/Lectur
    es/lecture13.pdf

66
Some questions
  • c1 RSA_Enc(m1), c2 RSA_Enc(m2).
  • What is RSA_Enc(m1m2)?
  • Homomorphic property
  • What is RSA_Enc(2m1)?
  • Malleability (not a good property!)
  • Is it possible to find inverses mod n (RSA
    modulus)?

67
Some Questions
  • RSA stands for Robust Security Algorithm, right?
  • If e is small (such as 3)
  • Encryption is faster than decryption or the other
    way round?
  • Private key crypto has key distribution problem
    and Public key crypto is slow
  • How about a hybrid approach?
  • Do you know how ssl/ssh works?

68
Some Questions
  • I encrypt m with Alices RSA PK, I get c
  • I encryt m again, I get --?
  • What does this mean?
  • What if I do the above with DES?

69
Further Reading
  • Stallings Chapter 11
  • HAC Chapter 9

70
  • Digital Signatures

71
Public Key Signatures
  • Signer has public key, private key pair
  • Signer signs using its private key
  • Verifier verifies using public key of the signer

72
Security Notion/Model for Signatures
  • Existential Forgery under (adaptively) chosen
    message attack (CMA)
  • Adversary (adaptively) chooses messages mi of its
    choice
  • Obtains the signature si on each mi
  • Outputs any message m (? mi) and a signature s on
    m

73
RSA Signatures
  • Key Generation same as in encryption
  • Sign(m) s md mod N
  • Verify(m,s) (se m mod N)
  • The above text-book version is insecure why?
  • In practice, we use a randomized version of RSA
    (implemented in PKCS1)
  • Hash the message and then sign the hash
Write a Comment
User Comments (0)
About PowerShow.com