prev

next

out of 21

View

217Download

1

Embed Size (px)

CSc 466/566

Computer Security

7 : Cryptography Public KeyVersion: 2012/02/15 16:15:24

Department of Computer ScienceUniversity of Arizona

collberg@gmail.com

Copyright c 2012 Christian Collberg

Christian Collberg

1/83

Outline

1 Introduction2 RSA

AlgorithmExampleCorrectnessSecurity

3 GPG4 Elgamal

AlgorithmExampleCorrectnessSecurity

5 Diffie-Hellman Key ExchangeDiffie-Hellman Key ExchangeExampleCorrectnessSecurity

6 SummaryIntroduction 2/83

History of Public Key Cryptography

RSA Conference 2011-Opening-Giants Among Us:http://www.youtube.com/watch?v=mvOsb9vNIWM&feature=related

Rivest, Shamir, Adleman - The RSA Algorithm Explained:http://www.youtube.com/watch?v=b57zGAkNKIc

Bruce Schneier - Who are Alice & Bob?:http://www.youtube.com/watch?v=BuUSi_QvFLY&feature=related

Adventures of Alice & Bob - Alice Gets Lost:http://www.youtube.com/watch?v=nULAC_g22So http://www.youtube.com/watch?v=nJB7a79ahGM

Introduction 3/83

Public-key Algorithms

Definition (Public-key Algorithms)

Public-key cryptographic algorithms use different keys forencryption and decryption.

Bobs public key: PB

Bobs secret key: SB

EPB (M) = C

DSB (C ) = M

DSB (EPB (M)) = M

Introduction 4/83

collberg@gmail.comhttp://www.youtube.com/watch?v=mvOsb9vNIWM&feature=relatedhttp://www.youtube.com/watch?v=b57zGAkNKIchttp://www.youtube.com/watch?v=BuUSi_QvFLY&feature=relatedhttp://www.youtube.com/watch?v=nULAC_g22Sohttp://www.youtube.com/watch?v=nJB7a79ahGM

Public Key Protocol

Key-management is the main problem with symmetricalgorithms Bob and Alice have to somehow agree on a keyto use.

In public key cryptosystems there are two keys, a public oneused for encryption and and private one for decryption.

1 Alice and Bob agree on a public key cryptosystem.

2 Bob sends Alice his public key, or Alice gets it from a publicdatabase.

3 Alice encrypts her plaintext using Bobs public key and sendsit to Bob.

4 Bob decrypts the message using his private key.

Introduction 5/83

Public Key Encryption Protocol. . .

Alice Bob

plaintext encrypt ciphertext decrypt plaintext

PBEve

SB

Introduction 6/83

Public Key Encryption: Key Distribution

Alice Bob

Carol Dave

SA,PA SB ,PB

SC ,PC SD ,PD

PA,PB

PA,PC PA,PD PB ,PDPB ,PC

PC ,PD

Advantages : n key pairs to communicate between n parties.

Disadvantages : Ciphers (RSA,. . . ) are slow; keys are large

Introduction 7/83

A Hybrid Protocol

In practice, public key cryptosystems are not used to encryptmessages they are simply too slow.

Instead, public key cryptosystems are used to encryptkeys for symmetric cryptosystems . These are calledsession keys , and are discarded once the communicationsession is over.

1 Bob sends Alice his public key.

2 Alice generates a session key K , encrypts it with Bobs publickey, and sends it to Bob.

3 Bob decrypts the message using his private key to get thesession key K .

4 Both Alice and Bob communicate by encrypting theirmessages using K .

Introduction 8/83

Hybrid Encryption Protocol. . .

Alice Bob

K encrypt EPB (K ) decrypt K

PB SB

M encrypt EK (M) decrypt M

K K

Introduction 9/83

Outline

1 Introduction2 RSA

AlgorithmExampleCorrectnessSecurity

3 GPG4 Elgamal

AlgorithmExampleCorrectnessSecurity

5 Diffie-Hellman Key ExchangeDiffie-Hellman Key ExchangeExampleCorrectnessSecurity

6 SummaryRSA 10/83

RSA

RSA is the best know public-key cryptosystem. Its security isbased on the (believed) difficulty of factoring large numbers.

Plaintexts and ciphertexts are large numbers (1000s of bits).

Encryption and decryption is done using modularexponentiation.

RSA 11/83

RSA: Algorithm

Bob (Key generation):1 Generate two large random primes p and q.2 Compute n = pq.3 Select a small odd integer e relatively prime with (n).4 Compute (n) = (p 1)(q 1).5 Compute d = e1 mod (n).

PB = (e, n) is Bobs RSA public key.SB = (d , n) is Bob RSA private key.

Alice (encrypt and send a message M to Bob):1 Get Bobs public key PB = (e, n).2 Compute C = Me mod n.

Bob (decrypt a message C received from Alice):1 Compute M = C d mod n.

RSA 12/83

RSA: Algorithm Notes

How should we choose e?

It doesnt matter for security; everybody could use the same e.It matters for performance: 3, 17, or 65537 are good choices.

n is referred to as the modulus , since its the n of mod n.

You can only encrypt messages M < n. Thus, to encryptlarger messages you need to break them into pieces, each < n.

Throw away p, q, and (n) after the key generation stage.

Encrypting and decrypting requires a single modularexponentiation.

RSA 13/83

RSA Example: Key Generations

1 Select two primes: p = 47 and q = 71.

2 Compute n = pq = 3337.

3 Compute (n) = (p 1)(q 1) = 3220.

4 Select e = 79.

5 Compute

d = e1 mod (n)

= 791 mod 3220

= 1019

6 P = (79, 3337) is the RSA public key.

7 S = (1019, 3337) is the RSA private key.

RSA 14/83

RSA Example: Encryption

1 Encrypt M = 6882326879666683.

2 Break up M into 3-digit blocks:

m = 688, 232, 687, 966, 668, 003

Note the padding at the end.

3 Encrypt each block:

c1 = me1 mod n

= 68879 mod 3337

= 1570

We get:

c = 1570, 2756, 2091, 2276, 2423, 158

RSA 15/83

RSA Example: Decryption

1 Decrypt each block:

m1 = cd1 mod n

= 15701019 mod 3337

= 688

RSA 16/83

In-Class Exercise: Goodrich & Tamassia R-8.18

Show the result of encrypting M = 4 using the public key(e, n) = (3, 77) in the RSA cryptosystem.

RSA 17/83

In-Class Exercise: Goodrich & Tamassia R-8.20

Alice is telling Bob that he should use a pair of the form

(3, n)

or(16385, n)

as his RSA public key if he wants people to encrypt messagesfor him from their cell phones.

As usual, n = pq, for two large primes, p and q.

What is the justification for Alices advice?

RSA 18/83

In-Class Exercise: Stallings pp. 270-271

1 Generate an RSA key-pair using p = 17, q = 11, e = 7.

2 Encrypt M = 88.

3 Decrypt the result from 2.

RSA 19/83

RSA Correctness

We have

C = Me mod n

M = Cd mod n.

To show correctness we have to show that decryption of theciphertext actually gets the plaintext back, i.e that, for allM < n

Cd mod n = (Me)d mod n

= Med mod n

= M

RSA 20/83

RSA Correctness: Case 1

From the key generation step we have

d = e1 mod (n)

from which we can conclude that

ed mod (n) = 1

ed = k(n) + 1

Case 1, M is relatively prime to n:

Cd mod n = Med mod n

= Mk(n)+1 mod n

= M (M(n))k mod n

= M 1k mod n

= M mod n

= M

RSA 21/83

RSA Correctness: Case 1. . .

M(n) mod n = 1 follows from Eulers theorem.

Theorem (Euler)

Let x be any positive integer thats relatively prime to the integern > 0, then

x(n) mod n = 1

RSA 22/83

RSA Correctness: Case 2

Assume that M is not relatively prime to n, i.e. M has somefactor in common with n, since M < n.

There are two cases:1 M is relatively prime with q and M = ip, or2 M is relatively prime with p and M = iq.

We consider only the first case, the second is similar.

RSA 23/83

RSA Correctness: Case 2. . .

We have that

(n) = (pq) = (p)(q)

By Eulers theorem we have that

Mk(n) mod q = Mk(p)(q) mod q

= (Mk(p))(q) mod q

= 1

Thus, for some integer h

Mk(n) = 1 + hq

Multiply both sides by M

M Mk(n) = M(1 + hq)

Mk(n)+1 = M + Mhq

RSA 24/83

RSA Correctness: Case 2. . .

We can now prove Case 2, for M = ip:

Cd mod n = Med mod n

= Mk(n)+1 mod n

= (M + Mhq) mod n

= (M + (ip)hq) mod n

= (M + (ih)pq) mod n

= (M + (ih)n) mod n

= (M mod n) + ((ih)n mod n)

= M mod n

= M

RSA 25/83

RSA Security

Summary:1 Compute n = pq, p and q prime.2 Select a small odd integer e relatively prime with (n).3 Compute (n) = (p 1)(q 1).4 Compute d = e1 mod (n).5 PB = (e, n) is Bobs RSA public key.6 SB = (d , n) is Bob RSA private key.

Since Alice knows Bobs PB , she knows e and n.

If she can compute d from e and n, she has Bobs private key.

If she knew (n) = (p 1)(q 1) she could computed = e1 mod (n) using Euclids algorithm.

If she could factor n, shed get p and q!

RSA 26/83

Security of Cryptosystems by Failed Cryptanalysis

1 Propose a cryptographic scheme.

2 If an attack is found, patch the scheme. GOTO 2.

3 If enough time has passed The scheme is secure!

How long is enough?1 It took 5 years to break the Merkle-Hellman cryptosystem.2 It took 10 years to break the Chor-Rivest cryptosystem.

RSA 27/83

RSA Security. . .

If we can factor n, we can find p and q and the scheme isbroken.

As far as we know, factoring is hard.

We need n to be large enough, 2,048 bits.

RSA 28/83

RSA Factoring Challenge

http://www.rsa.com/rsalabs/node.asp?id=2093

Name : RSA576D i g i t s : 174188198812920607963838697239461650439807163563379417382700763356422988859715234665485319060606504743045317388011303396716199692321205734031879550656996221305168759307650257059

On December 3, 2003, a team of researchers in Germany andsevera