View
227
Download
0
Category
Tags:
Preview:
Citation preview
04/19/23 M. Chatterjee 1
Public Key Algorithms
04/19/23 M. Chatterjee 2
Modular Arithmetic
Public key algorithms are based on modular arithmetic.
Modular addition. Modular multiplication. Modular exponentiation.
04/19/23 M. Chatterjee 3
Modular Addition
Addition modulo (mod) K Poor cipher with (dk+dm) mod K, e.g.,
if K=10 and dk is the key.
Additive inverse: addition mod K yields 0.
“Decrypt” by adding inverse.
04/19/23 M. Chatterjee 4
Modular Multiplication Multiplication modulo K Multiplicative inverse: multiplication
mod K yields 1 Only some numbers have inverse Use Euclid’s algorithm to find inverse
Given x, n, it finds y such that xy mod n = 1
All number relatively prime to n will have mod n multiplicative inverse
04/19/23 M. Chatterjee 5
Totient Function x, m relative prime: no other
common factor than 1 Totient function ø(n): number of
integers less than n relatively prime to n if n is prime, ø(n)=n-1 if n=pq, and p, q are primes,
ø(n)=(p-1)(q-1)
04/19/23 M. Chatterjee 6
Modular Exponentiation
xy mod n = xy mod ø(n) mod n
if y = 1 mod ø(n) then xy mod n = x mod n
04/19/23 M. Chatterjee 7
RSA (Rivest, Shamir, Adleman)
The most popular one. Support both public key encryption and
digital signature. Assumption/theoretical basis:
Factoring a big number is hard. Variable key length (usually 512 bits). Variable plaintext block size.
Plaintext must be “smaller” than the key. Ciphertext block size is the same as the key
length.
04/19/23 M. Chatterjee 8
What Is RSA? To generate key pair:
Pick large primes (>= 256 bits each) p and q
Let n = p*q, keep your p and q to yourself!
For public key, choose e that is relatively prime to ø(n) =(p-1)(q-1), let pub = <e,n>
For private key, find d that is the multiplicative inverse of e mod ø(n), i.e., e*d = 1 mod ø(n), let priv = <d,n>
04/19/23 M. Chatterjee 9
How Does RSA Work?
Given pub = <e, n> and priv = <d, n> encryption: c = me mod n, m < n decryption: m = cd mod n signature: s = md mod n, m < n verification: m = se mod n
04/19/23 M. Chatterjee 10
Why Does RSA Work?
Given pub = <e, n> and priv = <d, n> n =p*q, ø(n) =(p-1)(q-1) e*d = 1 mod ø(n) xed = x mod n encryption: c = me mod n decryption: m = cd mod n = med mod
n = m mod n = m Why????????
04/19/23 M. Chatterjee 11
e*d = 1 mod ø(n) So e*d = 1 + kø(n)
…med mod n = m 1 + kø(n)
m (m kø(n) mod n) = m ????
What is Fermat’s theorem???
04/19/23 M. Chatterjee 12
Why Is RSA Secure? Factoring 512-bit number is very
hard! But if you can factor big number n
then given public key <e,n>, you can find d, hence the private key by: Knowing factors p, q, such that, n =
p*q Then ø(n) =(p-1)(q-1) Then d such that e*d = 1 mod ø(n)
04/19/23 M. Chatterjee 13
Attacks on RSA
• Brute force key search• Mathematical attacks• Timing attacks
04/19/23 M. Chatterjee 14
Math-Based Attacks
Three possible approaches: – Factor n = pq – Determine F(n) – Find the private key d directly • All the above are equivalent to factoring n
04/19/23 M. Chatterjee 15
Brute Force
An adversary just tries all possiblekeys and keeps his fingers crossed
thatthe right key is not the last key he
willtry !
04/19/23 M. Chatterjee 16
Timing Attacks By measuring the time required to
perform decryption (exponentiation with the
private key as exponent), an attacker can figure out the private key
Possible countermeasures: – use constant exponentiation time – add random delays – blind values used in calculations
04/19/23 M. Chatterjee 17
Other Attacks on RSA Small encryption exponent e E=3, Alice sends the message m to three people (public keys (e, n1), (e, n2), (e,n3)) An attacker can compute a solution to the
followingsystem x = c1 mod n1 x = c2 mod n2 x = c3 mod n3 Then, compute m from x = m3 Countermeasure: padding required
04/19/23 M. Chatterjee 18
Forward Search Attack If message space is small, the attacker cancreate a dictionary of encrypted messages(public key known, encrypt all possiblemessages and store them) When the attacker ‘sees’ a message on thenetwork, compares the encryptedmessages,
so he finds out what particular message was encrypted
04/19/23 M. Chatterjee 19
Small decryption exponent d
Choosing a small exponent helps efficiency BUT
If size of d is 1/4 size of n (in bits) and gcd(p-1,q-1) is small, there is a way to compute d only from e and n.
Countermeasure: d should be about the same size as n.
04/19/23 M. Chatterjee 20
Common modulus attack Each entity must choose its own modulus Assume Alice and Bob generated keys
using the same modulus n, ((e1, n ), d1)) and ((e2, n), d2))
C1 = Me1 mod n, C2 = Me2 mod n (e1)a + (e2) b = 1 if gcd(e1,e2)=1 M = C1a C2 b mod n
04/19/23 M. Chatterjee 21
Cycling attack Intercepted ciphertext: C C1 = Ce mod n C2 = C1
e mod n C3 = C2
e mod n
Ck = Ck-1e mod n
If Ck = C then stop P = Ck-1
04/19/23 M. Chatterjee 22
Attacker Goals Total break: the attacker finds the key (thesymmetric key for ciphers or the private key for publickey cryptosystems); after that all ciphertexts can bedecrypted. Partial break: with some probability , the adversaryis able to decrypt previously unseen ciphertexts,without knowing the key. Or the adversary can findout info about the plaintext, just by looking at theciphertext. Distinguishability: with probability > 0.5, theadversary can distinguish between encryption of twodifferent plaintexts, or between an encryption and arandom string.
04/19/23 M. Chatterjee 23
Diffie-Hellman Key Exchange
Shared key, public communication No authentication of partners What’s involved?
P is a prime (about 512 bits), and g < p
P and g are publicly known
04/19/23 M. Chatterjee 24
04/19/23 M. Chatterjee 25
Diffie-Hellman Key Exchange
ProcedureAlice Bobpick secret Sa randomly pick secret Sb
randomlycompute TA=gSa mod p compute TB=gSb
mod psend TA to Bob send TB to Alice
compute TBSa mod p compute TA
Sb mod p
Alice and Bob reached the same secret gSaSb
mod p, which is then used as the shared key.
04/19/23 M. Chatterjee 26
DH Security - Discrete Logarithm Is Hard
T = gs mod p Conjecture: given T, g, p, it is
extremely hard to compute the value of s (discrete logarithm)
04/19/23 M. Chatterjee 27
Diffie-Hellman Scheme
Security factors Discrete logarithm very difficult. Shared key (the secret) itself never
transmitted.
04/19/23 M. Chatterjee 28
Disadvantages: Expensive exponential operation
DoS possible. The scheme itself cannot be used to
encrypt anything – it is for secret key establishment.
No authentication, so you can not sign anything …
04/19/23 M. Chatterjee 29
Bucket Brigade Attack...Man In The Middle
Alice Trudy BobgSa=123 gSx =654 gSb =255 123 --> 654 -->
<--654 <--255 654Sa=123Sx 255Sx=654Sb
Trudy plays Bob to Alice and Alice to Bob
04/19/23 M. Chatterjee 30
Diffie-Hellman in Phone Book Mode
DH was subject to active man-in-the-middle attack because their public key-component was intercepted and substituted
Phone book mode allows everyone to generate the public key-component in advance and publish them through other reliable means, e.g. <TB> for bob
All communicating parties agree on their common <g, p>
04/19/23 M. Chatterjee 31
Encryption With Diffie-Hellman
Everyone computes and publishes <p, g, T> T=gS mod p
Alice communicates with Bob: Alice
Picks a random secret Sa
Computes gbSa mod pb
Use Kab = TbSa mod pb to encrypt message
Send encrypted message along with gbSa
mod pb
04/19/23 M. Chatterjee 32
Bob (gb
Sa)Sb mod pb = (gbSb)Sa mod pb = Tb
Sa mod pb = Kab
Use Kab to decrypt
Recommended