CSc 466/566 [5mm] Computer Security [5mm] 7 : Cryptography

  • View
    217

  • Download
    1

Embed Size (px)

Text of CSc 466/566 [5mm] Computer Security [5mm] 7 : Cryptography

  • CSc 466/566

    Computer Security

    7 : Cryptography Public KeyVersion: 2012/02/15 16:15:24

    Department of Computer ScienceUniversity of Arizona

    collberg@gmail.com

    Copyright c 2012 Christian Collberg

    Christian Collberg

    1/83

    Outline

    1 Introduction2 RSA

    AlgorithmExampleCorrectnessSecurity

    3 GPG4 Elgamal

    AlgorithmExampleCorrectnessSecurity

    5 Diffie-Hellman Key ExchangeDiffie-Hellman Key ExchangeExampleCorrectnessSecurity

    6 SummaryIntroduction 2/83

    History of Public Key Cryptography

    RSA Conference 2011-Opening-Giants Among Us:http://www.youtube.com/watch?v=mvOsb9vNIWM&feature=related

    Rivest, Shamir, Adleman - The RSA Algorithm Explained:http://www.youtube.com/watch?v=b57zGAkNKIc

    Bruce Schneier - Who are Alice & Bob?:http://www.youtube.com/watch?v=BuUSi_QvFLY&feature=related

    Adventures of Alice & Bob - Alice Gets Lost:http://www.youtube.com/watch?v=nULAC_g22So http://www.youtube.com/watch?v=nJB7a79ahGM

    Introduction 3/83

    Public-key Algorithms

    Definition (Public-key Algorithms)

    Public-key cryptographic algorithms use different keys forencryption and decryption.

    Bobs public key: PB

    Bobs secret key: SB

    EPB (M) = C

    DSB (C ) = M

    DSB (EPB (M)) = M

    Introduction 4/83

    collberg@gmail.comhttp://www.youtube.com/watch?v=mvOsb9vNIWM&feature=relatedhttp://www.youtube.com/watch?v=b57zGAkNKIchttp://www.youtube.com/watch?v=BuUSi_QvFLY&feature=relatedhttp://www.youtube.com/watch?v=nULAC_g22Sohttp://www.youtube.com/watch?v=nJB7a79ahGM

  • Public Key Protocol

    Key-management is the main problem with symmetricalgorithms Bob and Alice have to somehow agree on a keyto use.

    In public key cryptosystems there are two keys, a public oneused for encryption and and private one for decryption.

    1 Alice and Bob agree on a public key cryptosystem.

    2 Bob sends Alice his public key, or Alice gets it from a publicdatabase.

    3 Alice encrypts her plaintext using Bobs public key and sendsit to Bob.

    4 Bob decrypts the message using his private key.

    Introduction 5/83

    Public Key Encryption Protocol. . .

    Alice Bob

    plaintext encrypt ciphertext decrypt plaintext

    PBEve

    SB

    Introduction 6/83

    Public Key Encryption: Key Distribution

    Alice Bob

    Carol Dave

    SA,PA SB ,PB

    SC ,PC SD ,PD

    PA,PB

    PA,PC PA,PD PB ,PDPB ,PC

    PC ,PD

    Advantages : n key pairs to communicate between n parties.

    Disadvantages : Ciphers (RSA,. . . ) are slow; keys are large

    Introduction 7/83

    A Hybrid Protocol

    In practice, public key cryptosystems are not used to encryptmessages they are simply too slow.

    Instead, public key cryptosystems are used to encryptkeys for symmetric cryptosystems . These are calledsession keys , and are discarded once the communicationsession is over.

    1 Bob sends Alice his public key.

    2 Alice generates a session key K , encrypts it with Bobs publickey, and sends it to Bob.

    3 Bob decrypts the message using his private key to get thesession key K .

    4 Both Alice and Bob communicate by encrypting theirmessages using K .

    Introduction 8/83

  • Hybrid Encryption Protocol. . .

    Alice Bob

    K encrypt EPB (K ) decrypt K

    PB SB

    M encrypt EK (M) decrypt M

    K K

    Introduction 9/83

    Outline

    1 Introduction2 RSA

    AlgorithmExampleCorrectnessSecurity

    3 GPG4 Elgamal

    AlgorithmExampleCorrectnessSecurity

    5 Diffie-Hellman Key ExchangeDiffie-Hellman Key ExchangeExampleCorrectnessSecurity

    6 SummaryRSA 10/83

    RSA

    RSA is the best know public-key cryptosystem. Its security isbased on the (believed) difficulty of factoring large numbers.

    Plaintexts and ciphertexts are large numbers (1000s of bits).

    Encryption and decryption is done using modularexponentiation.

    RSA 11/83

    RSA: Algorithm

    Bob (Key generation):1 Generate two large random primes p and q.2 Compute n = pq.3 Select a small odd integer e relatively prime with (n).4 Compute (n) = (p 1)(q 1).5 Compute d = e1 mod (n).

    PB = (e, n) is Bobs RSA public key.SB = (d , n) is Bob RSA private key.

    Alice (encrypt and send a message M to Bob):1 Get Bobs public key PB = (e, n).2 Compute C = Me mod n.

    Bob (decrypt a message C received from Alice):1 Compute M = C d mod n.

    RSA 12/83

  • RSA: Algorithm Notes

    How should we choose e?

    It doesnt matter for security; everybody could use the same e.It matters for performance: 3, 17, or 65537 are good choices.

    n is referred to as the modulus , since its the n of mod n.

    You can only encrypt messages M < n. Thus, to encryptlarger messages you need to break them into pieces, each < n.

    Throw away p, q, and (n) after the key generation stage.

    Encrypting and decrypting requires a single modularexponentiation.

    RSA 13/83

    RSA Example: Key Generations

    1 Select two primes: p = 47 and q = 71.

    2 Compute n = pq = 3337.

    3 Compute (n) = (p 1)(q 1) = 3220.

    4 Select e = 79.

    5 Compute

    d = e1 mod (n)

    = 791 mod 3220

    = 1019

    6 P = (79, 3337) is the RSA public key.

    7 S = (1019, 3337) is the RSA private key.

    RSA 14/83

    RSA Example: Encryption

    1 Encrypt M = 6882326879666683.

    2 Break up M into 3-digit blocks:

    m = 688, 232, 687, 966, 668, 003

    Note the padding at the end.

    3 Encrypt each block:

    c1 = me1 mod n

    = 68879 mod 3337

    = 1570

    We get:

    c = 1570, 2756, 2091, 2276, 2423, 158

    RSA 15/83

    RSA Example: Decryption

    1 Decrypt each block:

    m1 = cd1 mod n

    = 15701019 mod 3337

    = 688

    RSA 16/83

  • In-Class Exercise: Goodrich & Tamassia R-8.18

    Show the result of encrypting M = 4 using the public key(e, n) = (3, 77) in the RSA cryptosystem.

    RSA 17/83

    In-Class Exercise: Goodrich & Tamassia R-8.20

    Alice is telling Bob that he should use a pair of the form

    (3, n)

    or(16385, n)

    as his RSA public key if he wants people to encrypt messagesfor him from their cell phones.

    As usual, n = pq, for two large primes, p and q.

    What is the justification for Alices advice?

    RSA 18/83

    In-Class Exercise: Stallings pp. 270-271

    1 Generate an RSA key-pair using p = 17, q = 11, e = 7.

    2 Encrypt M = 88.

    3 Decrypt the result from 2.

    RSA 19/83

    RSA Correctness

    We have

    C = Me mod n

    M = Cd mod n.

    To show correctness we have to show that decryption of theciphertext actually gets the plaintext back, i.e that, for allM < n

    Cd mod n = (Me)d mod n

    = Med mod n

    = M

    RSA 20/83

  • RSA Correctness: Case 1

    From the key generation step we have

    d = e1 mod (n)

    from which we can conclude that

    ed mod (n) = 1

    ed = k(n) + 1

    Case 1, M is relatively prime to n:

    Cd mod n = Med mod n

    = Mk(n)+1 mod n

    = M (M(n))k mod n

    = M 1k mod n

    = M mod n

    = M

    RSA 21/83

    RSA Correctness: Case 1. . .

    M(n) mod n = 1 follows from Eulers theorem.

    Theorem (Euler)

    Let x be any positive integer thats relatively prime to the integern > 0, then

    x(n) mod n = 1

    RSA 22/83

    RSA Correctness: Case 2

    Assume that M is not relatively prime to n, i.e. M has somefactor in common with n, since M < n.

    There are two cases:1 M is relatively prime with q and M = ip, or2 M is relatively prime with p and M = iq.

    We consider only the first case, the second is similar.

    RSA 23/83

    RSA Correctness: Case 2. . .

    We have that

    (n) = (pq) = (p)(q)

    By Eulers theorem we have that

    Mk(n) mod q = Mk(p)(q) mod q

    = (Mk(p))(q) mod q

    = 1

    Thus, for some integer h

    Mk(n) = 1 + hq

    Multiply both sides by M

    M Mk(n) = M(1 + hq)

    Mk(n)+1 = M + Mhq

    RSA 24/83

  • RSA Correctness: Case 2. . .

    We can now prove Case 2, for M = ip:

    Cd mod n = Med mod n

    = Mk(n)+1 mod n

    = (M + Mhq) mod n

    = (M + (ip)hq) mod n

    = (M + (ih)pq) mod n

    = (M + (ih)n) mod n

    = (M mod n) + ((ih)n mod n)

    = M mod n

    = M

    RSA 25/83

    RSA Security

    Summary:1 Compute n = pq, p and q prime.2 Select a small odd integer e relatively prime with (n).3 Compute (n) = (p 1)(q 1).4 Compute d = e1 mod (n).5 PB = (e, n) is Bobs RSA public key.6 SB = (d , n) is Bob RSA private key.

    Since Alice knows Bobs PB , she knows e and n.

    If she can compute d from e and n, she has Bobs private key.

    If she knew (n) = (p 1)(q 1) she could computed = e1 mod (n) using Euclids algorithm.

    If she could factor n, shed get p and q!

    RSA 26/83

    Security of Cryptosystems by Failed Cryptanalysis

    1 Propose a cryptographic scheme.

    2 If an attack is found, patch the scheme. GOTO 2.

    3 If enough time has passed The scheme is secure!

    How long is enough?1 It took 5 years to break the Merkle-Hellman cryptosystem.2 It took 10 years to break the Chor-Rivest cryptosystem.

    RSA 27/83

    RSA Security. . .

    If we can factor n, we can find p and q and the scheme isbroken.

    As far as we know, factoring is hard.

    We need n to be large enough, 2,048 bits.

    RSA 28/83

  • RSA Factoring Challenge

    http://www.rsa.com/rsalabs/node.asp?id=2093

    Name : RSA576D i g i t s : 174188198812920607963838697239461650439807163563379417382700763356422988859715234665485319060606504743045317388011303396716199692321205734031879550656996221305168759307650257059

    On December 3, 2003, a team of researchers in Germany andsevera