View
227
Download
1
Category
Preview:
Citation preview
1
Public Key Cryptography
Tom HortonAlfred C. Weaver
CS453 Electronic Commerce
2
References
Chap. 12 of our textbook Web articles on PGP, GPG, Phil
Zimmerman Bruce Schneier, “Applied
Cryptography,” John Wiley & Sons Andrew Tanenbaum, “Computer
Networks,” Prentice-Hall Jim Kurose and Keith Ross, “Computer
Networking,” Addison-Wesley
3
Overview of PKC
Also known as using asymmetric keys A pair of keys
(Can think of this as one long key in two parts) One used for encryption, the other for decryption One publicly accessible, the other private to one
person Algorithms / Systems
RSA (Rivest, Shamir, Adelman) DSA (Digital Signature Algorithm) PGP, OpenPGP, GPG (Gnu’s PGP) ssh, sftp SSL
4
Public Key Cryptography
PlaintextOriginalPlaintextEncryption DecryptionCiphertext
Encryption withReceiver’s Public Key
Decryption withReceiver’s Private Key
5
Mailbox Analogy
Part of the system is public yet secure Mailbox with slot Public: everyone can access it and leave info Secure: info not accessible to anyone except
Usefully accessing the info requires a private key The recipient has something personal to get
to the data and read it Matches common use (shown in slide):
Sending encrypted information to someone Other ways to use this
6
7
Public Key Cryptography
Key is some large number (string of bits) Key has two parts, one public, one
private Public key is well-known Trusted agents verify the public key Private key is a secret forever Key is arbitrarily large Encrypt with receiver’s public key Decrypt with receiver’s private key
8
Public Key Cryptography
1. Choose two large primes, p and q 2. Compute n = (p)(q) 3. Compute z = (p-1)(q-1) 4. Choose d such that it is relatively
prime to z (no common divisor) 5. Find e such that (e)(d) modulo z = 1 6. Public key is (e,n) 7. Private key is (d,n)
9
Public Key Cryptography
8. To encrypt plaintext message m, compute c = me mod n
9. To decrypt ciphertext message c, compute m = cd mod n.
10
PKC Example
1. Choose two (large) primes, p and q p = 3 and q = 11
2. Compute n = (p)(q) n = (3)(11) = 33
3. Compute z = (p-1)(q-1) z = (2)(10) = 20
4. Choose d such that it is relatively prime to z (no common divisor) choose d = 7 7 and 20 have no common divisor
11
PKC Example
5. Find e such that (e)(d) modulo z = 1 find e such that 7e mod 20 = 1 one solution is e = 3
6. Public key is (e,n) public key = (3, 33)
7. Private key is (d,n) private key is (7, 33)
12
PKC Example
8. To encrypt plaintext message m, compute c = me mod n c = m3 mod 33 note: require m < n
9. To decrypt ciphertext message c, compute m = cd mod n m = c7 mod 33
13
PKC Example
Encode letter “S” as 19 just because it is the 19th letter of the alphabet, so plaintext message m = “S” = 19
Of course we could use any other encoding, say ASCII
Encryption (e=3): c = me mod n = 193 mod 33 c = 6,859 mod 33 = 28
Decryption (d=7): m = cd mod n = 287 mod 33 m = 13,492,928,512 mod 33 = 19
14
Work an Example
1. Choose two (not so large) primes, p and q
p = 47 and q = 71
2. n = (p)(q) = (47)(71) = 3337 = n
3. z = (p-1)(q-1) = (46)(70) = 3220 = z
4. Choose e (or d) such that it is relatively prime to z (i.e., e and z share no common divisors)
e=5? 3220/5=644 no
e=23? 3220/23=140 noe=35? 3220/35=92 no
e=79? 3220 and 79 share no divisors ... yes
15
Work an Example
5. Choose d such that (e)(d) modulo z = 1
So: 79d mod z = 1 now what?
6. Public key = (e, n) = (79, 3337)
7. Private key = (d, n) = (1019, 3337)
Compute candidate values of d
d = 1019 or 4239 or 7459 or ...
16
Work an Example
8. Encrypt: c = me mod nLet the message = m = 3
c = 379 mod 3337= 4926960980478197443869440340212776567 mod 3337= 158
17
18
Work an Example
9. Decrypt: m = cd mod n
m = 1581019 mod 3337m = 3
19
20
Now Do This One
m = 12871283761287623450982346231237462836428e = 98982347326723847658728742384782347823477d = 87385671910957210238457823842398472397471n = 91239128371982491824912873918237918239183What is me mod n? What is cd mod n?
123981203981297532739456374587469898274502399129837129837923593045734658264927341204389245987239472934729375923457935793457938573947593981239123912371982749128379357935793579872391893459873495873294573298572986798256984569873987347373477609823497243958713057312409857753134957831294709246798570398422362456698987987239048203850923486095860396840958609832492398203895793867938679387593857392720020204230...
21
Public Key Cryptography
Now imagine that p and q are hundreds of digits long!
Power of PKC based upon the difficulty of factoring large numbers
Commercial firms provide: choice of p and q suitable e and d software for large integer arithmetic registration of keys to a particular entity
22
23
RSA Implementation
Java implementation of the RSA version of public key cryptography
http://intercom.virginia.edu/crypto/crypto.html
24
Public Key + Symmetric Key
Public key algorithms are slow when used with large numbers
Commercial practice: generate random symmetric key for each
message or session use symmetric key techniques to encrypt
message(s) encrypt the random symmetric key using PKC provide recipient with encrypted symmetric
key, signed with a digital signature, and a signature certificate
25
Digital Signatures
Digital signatures use PKC techniques to sign a message, proving the authenticity of the sender
Sender encrypts some message with his private key
Receiver consults a certification authority to verify sender’s public key
Receiver uses sender’s verified public key to decrypt sender’s message
26
Digital Signatures
PlaintextOriginalPlaintextEncryption DecryptionCiphertext
Encryption withSender’s Private Key
Decryption withSender’s Public Key
27
Digital Signatures
ciphertext = (message)private-key mod n message = (ciphertext)public-key mod n In other words, reverse the use of “e”
and “d” from PKC But, PKC is slow when the keys are large So instead, take a “hash” of the
message and sign that
28
Digital Signatures
Message = m = “ABCDE” Let hash be mod 10 sum of bytes hash(m) = (65+66+67+68+69) mod 10 = 335 mod 10 = 5 If any byte of message changes, there is
a 1 in 10 change that we will catch it Poor choice of h, but illustrative Later we learn how to make a good
hash function
29
Digital Signatures
Sender computes hash H of plaintext Sender encrypts hash with his private key digsig = (H)private mod n Receiver decrypts the digsig with sender’s public key Hdecrypted = (digsig)public mod n Receiver recovers the plaintext of the message from
its ciphertext (however that’s done) Receiver uses same hash function on recovered
plaintext to get computed hash value, Hcomputed
If Hcomputed = Hdecrypted, then with probability p the plaintext was not altered enroute, and with probability 1 the hash was signed by the owner of the public key
How do we make p vanishingly small? (soon)
30
Still Not Done
PKC is very, very powerful So is symmetric key if key is long But there are still ways to attack the
process, if not the algorithm
31
Bob Talks to Alice
1. Bob sends his public key
2. Alice sends her public key
3. Bob encrypts with Alice’s public key
4. Bob sends encrypted message to Alice
5. Alice decrypts with Alice’s private key
6. Alice encrypts with Bob’s public key
7. Alice sends encrypted message to Bob
8. Bob decrypts with Bob’s private key
Bob and Alice are now communicating securely --- or are they?
32
Risks
BobAlice
Mallory
Mallory replaces Alice's andBob's public key with her own;records data and re-encrypts itwith the other person's purported public key
33
How Secure is Symmetric Key Cryptography?
DES is toast Known that DES can be broken in a few
hours, and probably in just minutes or seconds
If DES can be broken in one second, then 128-bit AES takes 119 trillion years
3DES (168 bits) takes longer 256-bit AES takes far longer This assumes there are no trap doors
(and no reason to suspect there are any)
34
How Secure is Public Key Cryptography?
As secure as you wish it to be Moore’s Law says that computing power
doubles at no increase in cost every 18 months
Approximately true since 1976 As computing power progresses, increase key
length But beware distributed computing! Make sure key is much, much longer than any
one machine can solve, because many computers might be working on it
35
How Secure is Modern Crypto?
For now, crypto provides very serious protection for electronic commerce transactions when using symmetric keys of length >= 128 bits public keys of length >= 1024 bits
If cryptography is so strong, why is this not a completely solved problem?
36
Key Management Crypto is strong – so criminals, hackers,
and the government go after key management
If the keys are not secure, the communication is not secure
The threat to modern cryptography is key management
key distribution key revocation key storage key theft
37
Digital Signature
Sender’s data
Hash algorithm (SHA-1, MD5)
Hash code (message digest)
PKC encryption Sender’s private key
Digital signature Validate with sender’s public keyTimestamp
Timestamp
38
Hash Code
What makes a good hash code? Recall why we use it:
the hash code is digitally signed (rather than the message itself) for computational economy
the hash code is used to prove message integrity
hash(P) = hash ( D ( E ( P) ) )
39
Characteristics
One-way hash function H operates on arbitrary length message M and returns a fixed length hash value, h=H(M)
Many functions can do that Our goals are
given M, easy to compute h given h, difficult to compute M s.t. H(M)=h given M, hard to find M’ such that H(M’) =
H(M)
40
Hash Codes (Message Digests)
One example scheme:
01011111 …. 1101001110 …. 1000100001 …. 0101001001 …. 1111010100 …. 1011110000 …. 1110001011 …. 00
File for which you wish to prove integrity (M)
h = 11010110 ... 10 = H(M)
H = exclusive-OR
41
Discussion
Let the hash function H() be the n-bit wide exclusive-or of the message M.
Is that a good hash function? Advantages? Disadvantages?
42
Discuss
What if H(M) is a 16-bit wide exclusive OR?
M = “I will buy your house for $1,000,000”
M base 2 = 01100101 01101100
00101010 01101010
.....
H(M) = 10010100 01010110
Premise: If I use EX-OR as hash, and digitally sign the hash value, then neither you nor I can change the contract because doing so would change the hash, and thus H(D(E(P))) != H(P).
Is that true?
43
Cheating with Digital Signatures
1. Change $1,000,000 to $12. Hash is only 16 bits wide.3. There are only 216 hash values.4. Start generating other variations on the message that are merely cosmetic,e.g., replace space with space-backspace-space, orreplace “.<CR>” with “.<space><CR>”5. If this were a contract with >16 lines, making or notmaking one change on each of 16 lines would produce>216 variations of the document. 6. Not all 216 hash values are necessarily present---thisjust shows that it is relatively easy to produce a large number of variants quickly and easily – and automatically!
44
Cheating with Digital Signatures
So take the original document and digitally sign it.
Take a version of the altered document where H(M’)=H(M) and sign that one also.
Present your check for $1. Go to court to enforce the digitally signed
contract M’ where the price is $1.
45
Lessons
Lesson #1: H(M) needs to produce a lot more than 16 bits. Target 128 or 256.
Lesson #2: And while we’re at it, let’s stir the bits when computing H(M) so that hash bits are a function of more than just a single column of bits. Want each hash bit hi to be a function of many input bits (as with DES).
46
MD5
Bruce Schneier, “Applied Cryptography”, pages 436-441.
47
Key Escrow
The story of the Clipper chip and the plan for key escrow
48
Threats
Distributed computing (grid computing) on the scale of the Internet
Quantum computing
49
50
Pretty Good Privacy
PGP designed by Phillip Zimmerman for electronic mail
Uses three known techniques: IDEA for encrypting email message
International Data Exchange Algorithm block cipher with 64-bit blocks similar in concept but different in details
from DES uses 128-bit keys patented, but free for non-commercial
use
51
Controversies
Was released overseas Zimmerman says not by him US Government investigated him for 3 years
under the Arms Export Control Act Dropped in 1996
Use of RSA patents PGP eventually became a company Open PGP
Use by non-government groups Dissidents, terrorists, etc.
52
PGP
RSA public key encryption permits keys up to 2,047 bits in length
Digital signatures use MD5 as the one-way hash function
PGP generates a random 128-bit symmetric key, used by IDEA for each email message
PGP generates its own public/private key pairs
Keys are stored locally using a hashed pass phrase
53
Hashed Pass Phrase
Access to the private key is granted by providing the “pass phrase” (not password)
Should be on the order of 100 characters
Issues with a pass phrase: what’s the chance of guessing a 100
character phrase? Is it 2^(100*8)?
54
Hashed Pass Phrase
People don’t want to type 100 characters, so they are typically shorter
Can you remember “ndjehrkanf48ahdmmdh3jnqlkfyebnekfjnanrb9roakfn63nfgaprektnvcgesiwm”?
Dictionary attacks (common words) Personal knowledge attacks (spouse, children,
pets, birthdays, anniversaries) Cultural bias (English) Subject bias (computing, accounting)
55
PGP
PGP does not use conventional certificates (too expensive)
Instead, users generate and distribute their own
public keys sign each other’s public keys save trusted public keys on public-key ring users build a web of trust users determine how much to trust
56
PGP Comments
PGP is very powerful for email runs on many platforms available free from www.pgpi.org
But no key revocation authority no foolproof way to withdraw a
compromised key maybe there are some residual concerns
over a prior government lawsuit (now resolved) against Phil Zimmerman
57
58
Recommended