Public Key Encryption Terminology RSA Hash functions CSCE 522 - Farkas


Public Key Encryption

Terminology RSA Hash functions

CSCE 522 - Farkas

CSCE 522 - Farkas, Lecture 6

Reading Assignment

Reading assignments for current lecture:

• Required: Pfleeger: 2.7, …, 2.12
• Recommended: Tom Simonite, MIT Technology Review: NSA Leak Leaves Crypto-math Intact but Highlights Known Workarounds, http://www.dfinews.com/news/2013/09/nsa-leak-leaves-crypto-math-intact-highlights-known-workarounds#.UjdU8X-d6So

Summary of Secret Key Encryption

• Basic methods:
  • Substitution
  • Transposition
• Security: secrecy of secret key

Compare DES and AES

                     DES                         AES
Date                 1976                        1999
Block size           64 bits                     128 bits
Key length           56 bits                     128, 192, 256 bits
Encryption           Substitution, permutation   Substitution, shift, mixing
Cryptography         Confusion, diffusion        Confusion, diffusion
Design               Open                        Open
Design rationale     Closed                      Open
Selection process    Secret                      Secret with public comments
Source               IBM, enhanced by NSA        Independent Dutch cryptographers

Weakness of Secret Key Encryption

• Secrecy of key
  • How to distribute the keys securely?
• Large number of keys
  • N(N-1) / 2
• Other issues: no support for
  • Third party verification
  • Non-repudiation

Can we provide other methods for confidentiality?

Public-Key Encryption

• Two keys: one is private, one is public
• Solves the key distribution problem (but need reliable channel)
• Provides electronic signatures
• Slower than secret-key encryption

Public-Key Encryption

Needed for security:

• One of the keys must be kept secret
• Impossible (at least impractical) to decipher message if no other information is available
• Knowledge of algorithm, one of the keys, and samples of ciphertext must be insufficient to determine the other key

Confidentiality

[Diagram: sender A turns the plaintext into ciphertext with the encryption algorithm and B's public key (need reliable channel); the ciphertext crosses the insecure channel; recipient B recovers the plaintext with the decryption algorithm and B's private key.]

Public Key Cryptosystem

• Concept conceived by Diffie and Hellman in 1976
• Rivest, Shamir, and Adleman (RSA) describe a public key system in 1978
• Many proposals have been broken, e.g., Merkle-Hellman proposal broken by Shamir
• Serious candidates (public domain):
  • RSA
  • El Gamal

RSA

Notation

C = E(KE-B, M)
M = D(KD-B, C)

• KE-B: public key of B
• KD-B: private key of B
• E: encryption alg.
• D: decryption alg.
• M: plaintext
• C: ciphertext

RSA

• Both sender and receiver know n
• Sender knows e
• Only receiver knows d
• Modulus: remainder after division, i.e., if a mod n = b then a = c*n + b
• Need: find values e, d, n such that
  • M^(e*d) mod n = M mod n
  • Easy to calculate M^e, C^d for all M < n
  • Infeasible to determine d given e

RSA

• Public key: (n, e)
• Private key: (n, d)
• n is a 200 digit number
• C = M^e mod n
• M = C^d mod n

RSA Keys

Generation of public and private keys:

• Choose 2 large (100 digit) prime numbers p and q
• Compute n = p*q
• Choose e > 1 relatively prime to φ(n) = (p-1)*(q-1)
• Compute d such that e*d = 1 mod (p-1)*(q-1)
• Publish (n, e)
• Secret (n, d), p, q

RSA Keys Example 1

• Choose 2 “large” prime numbers: p = 7, q = 17
• Compute n = p*q: 7*17 = 119
• Choose e relatively prime to (p-1)*(q-1): 6*16 = 96, e = 5
• Compute d = 5^(-1) mod 96 = 77
• Publish (5, 119)
• Keep (77, 119), 7, 17

RSA Key Example 1

Let M = 19

• Encrypt: 19^5 mod 119 = 2,476,099 mod 119 = 66
• Decrypt: 66^77 mod 119 = 19 mod 119

RSA Keys

• Compute d such that e*d = 1 mod (p-1)*(q-1)
  • If factorization of n into p*q is known: Easy
  • Otherwise: Hard
• How hard is it to compute d given (n, e)?
  • Don’t know BUT not harder than factoring n into p*q
• Security of RSA is no better than the complexity of the factorization problem

Digital Signatures in RSA

• RSA property: encryption and decryption are commutative
  • Encryption followed by decryption yields the original message: (M^e mod n)^d mod n = M
  • Decryption followed by encryption yields the original message: (M^d mod n)^e mod n = M
• Cryptosystems that preserve message length have this property

Digital Signatures in RSA

[Diagram: A sends the plaintext to B over the insecure channel as signed plaintext. A signs with A's private key; B verifies with A's public key (need reliable channel) and recovers the plaintext. Box labels: Encryption Alg., Decryption Alg., Sign, Verify.]

Signature and Encryption

[Diagram: A applies D with A's private key to the plaintext to get the signed plaintext, then E with B's public key to get the encrypted signed plaintext. B applies D with B's private key to get the signed plaintext back, then E with A's public key to recover the plaintext.]

Signature and Encryption

• We could do the encryption first, followed by the signature.
• Advantage of signing first: parties other than B can verify the signature
• DES can be used for encryption
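The key generation steps, Example 1 and the sign-then-encrypt flow from the slides above, carried through in Python. This is an added example, not code from the lecture: B's key pair (p=11, q=23, e=3) and all function names are constructed here, and it is unpadded RSA with toy primes, meant only for following the arithmetic.

```python
from math import gcd

def make_keys(p, q, e):
    """Key generation as on the slides; returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must be > 1 and relatively prime to (p-1)*(q-1)")
    d = pow(e, -1, phi)  # e*d = 1 mod (p-1)*(q-1); needs Python 3.8+
    return (n, e), (n, d)

def apply_key(key, value):
    """value^exponent mod n. E and D are this one operation with different keys."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus n")
    return pow(value, exponent, n)

def sign_then_encrypt(m, a_private, b_public):
    signed = apply_key(a_private, m)      # D with A's private key
    return apply_key(b_public, signed)    # E with B's public key

def decrypt_then_verify(c, b_private, a_public):
    signed = apply_key(b_private, c)      # D with B's private key
    return apply_key(a_public, signed)    # E with A's public key

# A's key pair is Example 1 from the slides (p=7, q=17, e=5).
A_PUB, A_PRIV = make_keys(7, 17, 5)
# B's key pair is constructed for this example (p=11, q=23, e=3).
# n_B = 253 > n_A = 119, so anything A signs fits under B's modulus.
B_PUB, B_PRIV = make_keys(11, 23, 3)

if __name__ == "__main__":
    print("A public/private:", A_PUB, A_PRIV)
    c = apply_key(A_PUB, 19)
    print("encrypt 19 ->", c, "; decrypt ->", apply_key(A_PRIV, c))
    wire = sign_then_encrypt(19, A_PRIV, B_PUB)
    print("signed and encrypted:", wire)
    print("B recovers:", decrypt_then_verify(wire, B_PRIV, A_PUB))
```

If the signer's modulus were larger than the recipient's, a signed value could exceed n_B and `apply_key` would reject it; that size constraint is why the constructed n_B is chosen above n_A.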

Non-repudiation

• Requires notarized signature, involving a third party
• Large system: hierarchies of notarization

CSCE 522 - Farkas, Lecture 8-9

Hash Functions

Hash function h maps an input x of arbitrary length to a fixed length output h(x) (compression)

Accidental or intentional change to the data will change the hash value

Given h and x, h(x) is easy to compute (ease of computation)


Good Hash Function

1. It is easy to compute the hash value for any given message

2. It is infeasible to find a message that has a given hash (one-way property)

3. It is infeasible to modify a message without changing its hash

4. It is infeasible to find two different messages with the same hash (collision-free property)


Hash functions

Preimage resistant (one-way): if for all specified outputs, it is computationally infeasible to find any input that hashes to that output

Second-preimage resistant (weak collision resistant): if it is computationally infeasible to find any second input which has the same output as any specified input

Collision resistant (strong collision resistant): if it is computationally infeasible to find any two distinct inputs that have the same output


Use of Hash function

• Message integrity

• Message authentication (hash is signed)

• Protect password files

• Support for intrusion detection

• Support for virus detection

Hash Algorithms

• Input of arbitrary length
• Output size
• Block size
• Rounds
• Bitwise operations: and, or, xor, not

SHA Security

• SHA-1: in 2005 security flaws were identified
  • A possible mathematical weakness might exist
• SHA-2: no attacks have yet been reported
  • SHA-2 variants are algorithmically similar to SHA-1 and so efforts are underway to develop improved alternatives
• SHA-3: new hash standard is currently under development

SHA-2 Family

• 2001: first published in the draft FIPS PUB 180-2
• 2002, 2004: FIPS PUB 180-2 modified
• SHA-224, SHA-256, SHA-384, and SHA-512

MD5 vs. SHA

• Very similar
• Security: SHA’s digest is 32 bits longer; without algorithm flaws, SHA is more secure
• Speed: SHA has more steps and produces a 160-bit buffer; SHA is slower
• Simplicity and compactness: MD5 has more internal steps with varying buffer modification; SHA is simpler


Attacks

First preimage attack: given a hash h, find a message m such that hash(m) = h

Second preimage attack: given a fixed message m1, find a different message m2 such that hash(m2) = hash(m1)

Attack complexity: 2^n (considered too high for a typical output size of n = 160 bits)

Practical attacks: Collision attack

Collision Attack

• Cryptographic attack
• Based on probability theory
• Given a function ƒ, the goal of the attack is to find two different inputs x1, x2 such that ƒ(x1) = ƒ(x2) (complexity is 2^(n/2))
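The gap between the 2^n cost of a second preimage and the 2^(n/2) cost of a collision can be measured on a deliberately shortened digest. The following is an added example, not part of the lecture: it truncates SHA-256 to n bits as a stand-in for an n-bit hash function, and the function names and input strings are constructed.

```python
import hashlib

def truncated_hash(message: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256, standing in for an n-bit hash function."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - bits)

def find_collision(bits: int):
    """Birthday search: hash distinct inputs until two share a digest.

    Returns (m1, m2, tries); the expected number of tries is about 2^(bits/2).
    """
    seen = {}
    counter = 0
    while True:
        message = b"msg-%d" % counter
        counter += 1
        h = truncated_hash(message, bits)
        if h in seen:
            return seen[h], message, counter
        seen[h] = message

def find_second_preimage(target: bytes, bits: int, limit: int):
    """Exhaustive search for m2 != target with the same digest as target.

    Returns (m2, tries), or (None, limit) if nothing is found within limit.
    The expected number of tries is about 2^bits.
    """
    wanted = truncated_hash(target, bits)
    for counter in range(limit):
        candidate = b"try-%d" % counter
        if candidate != target and truncated_hash(candidate, bits) == wanted:
            return candidate, counter + 1
    return None, limit

if __name__ == "__main__":
    n = 16  # toy output size so both searches finish quickly
    m1, m2, tries = find_collision(n)
    print("collision after", tries, "hashes (2^(n/2) =", 2 ** (n // 2), ")")
    m, tries2 = find_second_preimage(b"constructed target message", n, 2 ** 21)
    print("second preimage after", tries2, "hashes (2^n =", 2 ** n, ")")
```

Each extra output bit doubles the second-preimage work but raises the collision work only by a factor of √2, so a digest has to be twice as long as the work factor it is meant to guarantee against collisions.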

Hash Functions

• Message digest
• Used for authenticity (sign hash value of a message) and integrity purposes
• Algorithms:
  • MD2, MD4, MD5 (128), SHA0 (160): insecure
  • SHA1 (160): theoretical collision attack
  • SHA-2, SHA-3 (256, 512, 1024): OK

MD6

• MD6 was submitted to the NIST SHA-3 competition
• July 1, 2009: Rivest posted a comment at NIST that MD6 is not yet ready to be a candidate for SHA-3
  • Speed issues and inability to supply a proof of security for a faster reduced-round version


Next Class

Protocol Analysis and hash

How does it work? Chapter 12

Not required for tests

Arithmetic

• Identity i: x op i = x
• Inverse: b is inverse of a under op if a op b = i
• Prime numbers: p is prime if 1 < p and divisible by {1, p} only
• Euclidean algorithm: if x divides a and b then x also divides a-(k*b)
    a-(k*b) = x*a1-(k*x*b1)
            = x*(a1-(k*b1))
            = x*d

Greatest common divisor

Given a > b, the greatest common divisor x = gcd(a,b) can be calculated as follows:

1. Rewrite a as a = m*b + r, where m = a/b and r is the remainder
2. If x divides a and b, it also divides r, therefore x = gcd(a,b) = gcd(b,r); b = m’*r + r’
3. Continue until the remainder is zero

Modular Arithmetic

• Results stay in the underlying range of numbers
• +, -, * can be applied before or after the modulus is taken with similar results
• Modulus: remainder after division, that is if a mod n = b then a = c*n + b
• Examples:
  • 9 mod 3 = 0
  • 12 mod 5 = 2
  • 12 mod 10 = 2

Modular Arithmetic

Properties:

• Associative
  • a+(b+c) mod n = (a+b)+c mod n
  • a*(b*c) mod n = (a*b)*c mod n
• Commutative
  • a+b mod n = b+a mod n
  • a*b mod n = b*a mod n
• Distributive
  • (a*(b+c)) mod n = (((a*b) mod n) + ((a*c) mod n)) mod n
• Existence of identities
  • a+0 mod n = 0+a mod n = a
  • a*1 mod n = 1*a mod n = a

Modular Arithmetic

Properties:

• Existence of inverses
  • a+(-a) mod n = 0
  • a*(a^(-1)) mod n = 1 if a ≠ 0 (and gcd(a,n) = 1; see next slide)
• Reducibility
  • (a+b) mod n = ((a mod n) + (b mod n)) mod n
  • (a*b) mod n = ((a mod n) * (b mod n)) mod n
  • a^e mod n = [∏(i=1..e) (a mod n)] mod n

Modular Arithmetic

a^(-1) = x mod n has unique solution if a and n are relatively prime

Fermat’s and Euler’s Theorem

• Fermat’s Theorem: for any prime number p and any element a < p
  • a^p mod p = a or a^(p-1) mod p = 1
• Inverse of a is x, such that a*x mod p = 1
  • a*x mod p = 1 = a^(p-1) mod p
  • x = a^(p-2) mod p
• Euler’s theorem: if a and n are relatively prime, then
  • a^φ(n) mod n = 1 = a*x mod n
  • x = a^(φ(n)-1) mod n
• Example: inverse of 4 mod 5
  • 4^(-1) mod 5 = 4^(5-2) mod 5 = 64 mod 5 = 4
  • 4*4 mod 5 = 16 mod 5 = 1
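The three routes to a modular inverse covered in the slides above (Euclid's gcd steps, Fermat's theorem and Euler's theorem) can be checked against each other on the slides' own numbers. This is an added example, not code from the lecture: the function names are constructed, the extended form of Euclid's algorithm goes one step beyond the gcd slide, and φ(n) is passed in by the caller rather than computed.

```python
def gcd_steps(a, b):
    """Euclid's algorithm; returns (gcd, steps), one (a, b, m, r) per a = m*b + r."""
    steps = []
    while b != 0:
        m, r = divmod(a, b)
        steps.append((a, b, m, r))
        a, b = b, r          # gcd(a, b) = gcd(b, r)
    return a, steps

def inverse_euclid(a, n):
    """Extended Euclid: the x with a*x mod n = 1; raises if gcd(a, n) != 1."""
    old_r, r = a % n, n      # invariant: old_r = old_x*a mod n and r = x*a mod n
    old_x, x = 1, 0
    while r != 0:
        m = old_r // r
        old_r, r = r, old_r - m * r
        old_x, x = x, old_x - m * x
    if old_r != 1:
        raise ValueError("no inverse: a and n are not relatively prime")
    return old_x % n

def inverse_fermat(a, p):
    """x = a^(p-2) mod p; valid only when p is prime and 0 < a < p."""
    return pow(a, p - 2, p)

def inverse_euler(a, n, phi_n):
    """x = a^(phi(n)-1) mod n; valid only when gcd(a, n) = 1."""
    return pow(a, phi_n - 1, n)

if __name__ == "__main__":
    print(gcd_steps(96, 5))           # e = 5 is relatively prime to 96
    print(inverse_euclid(5, 96))      # d from RSA Keys Example 1
    print(inverse_euler(5, 96, 32))   # same d; phi(96) = 32
    print(inverse_fermat(4, 5))       # the slide's inverse of 4 mod 5
```

Euler's route needs φ of the modulus, which in turn needs its factorization, so extended Euclid is the practical way to compute d during key generation.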