Public Key Cryptography. why we might want to consider an alternative to a secret key system using key distribution, and what we're looking for in public.


1 Public Key Cryptography

2 why we might want to consider an alternative to a secret key system using key distribution, and what we're looking for in public key cryptography.

3 Problem of Key Distribution
There is one difficulty inherent in all KDC mechanisms.
– It seems like you must already have agreed on a key in order to securely distribute the next key
– It won't work after your system has been compromised (when you have to start over again)
– It won't work initially (when you have not yet agreed on a key).
You move the vulnerability away from "people trying to figure out a message" to the KDCs.

4 Problem of Key Distribution However, we can imagine a physical solution to the problem –"Alice sends a secret to Bob, but they don't share a key", which is identical to the two problems mentioned above

5 Solution

6
1. Alice puts a secret in a box, which she locks with her own lock. Only Alice has the key to this lock.
2. Alice then ships the box to Bob.
3. Bob adds his own lock to this box in parallel, so that now the box has two locks.
4. Bob then ships the box back to Alice.
5. Alice, knowing that the box is secure with Bob's lock, then takes her own lock off the box (with her key).
6. Alice sends the box back to Bob.
7. Bob then removes his lock and receives the secret (which could have been a new shared key).

7 Solution
– We have successfully shared a secret without exposing it
– We did not possess a shared key initially
– We don't care who is able to actually lock our mechanism
– We want to make sure that only somebody with a key can unlock it
– It should be cheap to unlock our mechanism with the key, but very expensive to try to unlock it without the key

8 Solution
In a mathematical sense
– What we're looking for is called a 1-way trap-door function
To apply this idea to a cryptosystem, we would want an encryption mechanism that is a 1-way function
– easy to compute but hard to invert
Our decryption of this resulting value should be easy if you know about the trap door

9 Solution
Diffie-Hellman Key Exchange
– allows two principals to agree on a shared key even though they exchange messages in public
– In the protocol, there is no authentication
– either side could be spoofed by an active wiretapper
– The protocol can easily be extended into one that does also implement the necessary authentication.

10 Diffie - Hellman Key Exchange

11 The first step is to choose a large prime number p (around 512 bits). The second is to choose an integer g where g < p (with some other technical restrictions).
At this point, A can compute:
– $(T_B)^{S_A} = (g^{S_B} \bmod p)^{S_A} = (g^{S_B})^{S_A} \bmod p = g^{S_B S_A} \bmod p$.
Similarly, B can compute:
– $(T_A)^{S_B} = \dots = g^{S_A S_B} \bmod p$.
Therefore, $g^{S_A S_B} \bmod p = g^{S_B S_A} \bmod p$ is the final shared key.

12 Diffie - Hellman Key Exchange A wiretapper can see all the messages that are sent, but can't do anything without having a fast way to compute logs in finite fields, which is assumed to be hard. One problem with Diffie-Hellman is that it does not generalize to send arbitrary messages.
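Added example (not part of the original slides): the exchange from slides 9 to 12 in Python, using slide 11's names (S for each secret, T for each exchanged value). The 64-bit prime, g = 5 and all function names are assumptions chosen to keep the numbers readable; `intercepted_exchange` shows why slide 9 says authentication has to be added.

```python
import secrets

# Constructed toy parameters (assumption): a 64-bit prime keeps the values
# readable. Real deployments use standardized groups of 2048 bits or more.
P = 0xFFFFFFFFFFFFFFC5   # 2**64 - 59
G = 5

def keypair(p=P, g=G):
    """Pick a secret exponent S and compute the public value T = g^S mod p."""
    s = secrets.randbelow(p - 3) + 2       # secret S with 2 <= S <= p-2
    return s, pow(g, s, p)

def shared_key(their_t, my_s, p=P):
    """Combine the peer's public value with our own secret: T^S mod p."""
    if not 1 < their_t < p - 1:            # 1 and p-1 would force a guessable key
        raise ValueError("degenerate public value")
    return pow(their_t, my_s, p)

def honest_exchange():
    sa, ta = keypair()                     # A keeps S_A, sends T_A in public
    sb, tb = keypair()                     # B keeps S_B, sends T_B in public
    return shared_key(tb, sa), shared_key(ta, sb)

def intercepted_exchange():
    """Slide 9's active wiretapper E replaces both public values with its own."""
    sa, ta = keypair()
    sb, tb = keypair()
    se, te = keypair()
    key_a = shared_key(te, sa)             # A believes T_E came from B
    key_b = shared_key(te, sb)             # B believes T_E came from A
    e_with_a = shared_key(ta, se)          # E shares one key with A ...
    e_with_b = shared_key(tb, se)          # ... and a different one with B
    return key_a, key_b, e_with_a, e_with_b
```

In the intercepted run A and B end up with different keys, which is exactly what an authenticated variant (signing the T values, or comparing key fingerprints out of band) detects.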

13 Physical Analogy for Diffie-Hellman Key Exchange
1. We have two principals, A and B, each with a 3-liter paint pot that contains 1 liter of yellow paint. We will use E to denote a passive wiretapper. We can assume that mixed paint cannot be deconstructed into original colors.
2. A adds to her 1 liter of yellow paint a secret color SA. B also adds to his 1 liter of yellow paint a secret color SB.
3. A and B swap pots. E is able to observe the two 2-liter mixtures being exchanged, but E cannot deduce what color was added to either mixture; E can only deduce the relative color balance in the combined 4-liter mixture: 2 * yellow + SA + SB (Y:Y:SA:SB).
4. A adds SA to B's pot. The result (Y:SA:SB) is the key. B adds SB to A's pot. The result (Y:SB:SA) is the key.
Notice: A and B have computed the same key, but E gets a different one.

14 Public Key Cryptography
In public key cryptography, some keys are known to everyone, so it would seem that the key distribution problem vanishes.
The basic idea of a public key cryptosystem is to have two keys:
– a private (secret) key and
– a public key. Anyone can know the public key

15 Public Key Cryptography Plaintext to a principal B is encrypted using B's public key. B decrypts the enciphered text using its private key. As long as B is the only one who knows the private key, then only B can decrypt messages encrypted under B's public key.

16 Public Key Cryptography
Some public key cryptography schemes also allow plaintext to be run through the decryption algorithm (using the private key). What is produced is referred to as signed text and it can be "deciphered" using the public key.
Only the possessor of a private key can create text that is decipherable using the public key.
The functionality of signed text cannot be replicated using secret key/symmetric cryptography.

17 Public Key Cryptography
Public key cryptography is usually much slower than secret key cryptography, so it is rarely used to encrypt an entire message.
– A message is encrypted using shared key cryptography (with a secret key).
– That secret key is then encrypted using public key cryptography.
– The encrypted message and key are sent.
– This is called hybrid encryption.
This can allow for complex structures in implementing our secrecy requirements.

18 History of Public Key Cryptography
(United States)
– 1975: Diffie imagines asymmetric cryptography (Diffie + Hellman)
– 1976: Diffie-Hellman key exchange
– April 1977: RSA (Rivest, Shamir, Adleman)
(United Kingdom)
– 1969: Government Communications Headquarters (GCHQ) - successor to Bletchley Park - asks James Ellis to look into the key distribution problem. Ellis recalls a Bell Labs report about adding noise to a signal, transmitting it, and then removing the noise.
– 1973: Clifford Cocks (recent Cambridge Math Ph.D.) joins GCHQ. He hears about Ellis's idea and searches for a suitable function, and he thinks of RSA. GCHQ now could do public key encryption.
– January 1974: Malcolm Williamson, in an effort to try to break Cocks's work, discovers Diffie-Hellman.

19 Uses of Public-Key Cryptography secrecy, authentication, and digital signatures

20 Uses of Public-Key Cryptography Secrecy is obtained when principal A encrypts a message m using B's public key. Thereafter, the only way to decrypt m is to know the private key of B. (see Figure below)

21 Uses of Public-Key Cryptography In secret key cryptography, doing authentication requires having a different key for each pair of principals; in public key cryptography, each principal needs to know just its own private key. An example of a public-key authentication protocol is:

22 Uses of Public-Key Cryptography Digital signatures are used to prove that a message was generated by a particular principal. Assume that the cryptosystem has the additional property wherein a message m "decrypted" under a private key, and then "encrypted" using the corresponding public key produces m. To create a signed message, A will encrypt a message using its own private key and send that encrypted message to B. B looks up A's public key and uses it to decrypt the message. This is not completely practical since it requires running the decryption on an entire message, which can be expensive. A solution is to compute a hash of the message and sign that.

23 Uses of Public-Key Cryptography A hash is a function that digests information. It takes a message as input and outputs a short bit string (say, 128 bits). An example of a 1-bit hash would be a function that returns the parity of the message.

24 Uses of Public-Key Cryptography
Think of a hash as a succinct summary of a message that has four properties:
– It is computationally infeasible to determine the input message m based on the digest of that message hash(m), which means the digest must convey no information about the original message
– It is infeasible to find any message with a given digest value, which means we can't attack by replacing a message m1 with another message m2 with the same hash value

25 Uses of Public-Key Cryptography
Think of a hash as a succinct summary of a message that has four properties:
– It is infeasible to find 2 messages with a given hash. If we don't have this property, then it is possible a person could sign a message, then the signature could be cut and pasted on to another message with the same hash.
– And finally, changing even 1 bit of the input gets completely different output, so that syntactically similar messages generate very different outputs and it is not likely that two bit-strings with the same hash value could be mistaken for each other.

26 Uses of Public-Key Cryptography These properties make a message-text substitution attack difficult given a hash. Suppose that message m is sent along with a signed hash value for m. The properties of the hash function would make it difficult for an attacker to substitute another meaningful message that has the same hash value as the original.

27 Uses of Public-Key Cryptography We can easily have multiple signatures as well as build up a chain of signatures which establishes a valid history. This chaining of signatures can be used to prove such a claim as "Alice had signed the message when I got it."

28 Examples of Public-Key Cryptosystems
Merkle's Puzzles
– one of the first public key cryptographic systems to be described
– It allows A and B to agree on a secret key
– Principal A invents a million keys and a million puzzles, where each puzzle encodes a different one of the keys
– Each puzzle is assumed to take at least two minutes to solve and fit into 96 bits
– A sends these puzzles to B
– B then picks a puzzle at random and solves it
– B encrypts a pre-arranged string (say 0000) with the key from the puzzle it solved
– B sends this encrypted string back to A. A tries each of the million keys on the message it receives from B
– The one that decrypts the message and obtains the pre-arranged string is the secret key that A will use henceforth to communicate with B.

29 Examples of Public-Key Cryptosystems
Merkle's Puzzles
– A wiretapper C could steal the million puzzles.
– However, C would need to crack all million of the puzzles in order to discover the secret key.
– If the wiretapper didn't know the pre-arranged string, then it can't even use a known-plaintext attack.
– Since cracking each puzzle requires at least 2 minutes, the wiretapper would need on average 330 days to find the key.
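Added example (not part of the original slides): the puzzle exchange from slides 28 and 29, scaled down so it runs in well under a second. The puzzle count, the work factor, the `PZL:` marker and the XOR keystream cipher are all assumptions made for illustration; only the pre-arranged string `0000` comes from the slide.

```python
import hashlib
import secrets

N_PUZZLES = 200        # the slide uses a million; scaled down (assumption)
WORK_BITS = 10         # one puzzle costs at most 2**10 guesses (assumption)
MARKER = b"PZL:"       # lets a solver recognise a correct guess (assumption)
PREARRANGED = b"0000"  # the pre-arranged string from slide 28

def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Toy cipher (assumption): XOR with a SHA-256 keystream; its own inverse."""
    stream = hashlib.sha256(key).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def make_puzzles():
    """A invents the keys and hides each one behind a deliberately weak key."""
    keys = [secrets.token_bytes(16) for _ in range(N_PUZZLES)]
    puzzles = []
    for k in keys:
        weak = secrets.randbelow(2 ** WORK_BITS).to_bytes(2, "big")
        puzzles.append(xor_cipher(weak, MARKER + k))
    return keys, puzzles

def solve(puzzle: bytes) -> bytes:
    """Brute-force the weak key of a single puzzle and return the hidden key."""
    for guess in range(2 ** WORK_BITS):
        plain = xor_cipher(guess.to_bytes(2, "big"), puzzle)
        if plain.startswith(MARKER):
            return plain[len(MARKER):]
    raise ValueError("unsolvable puzzle")

def bob_reply(puzzles):
    """B solves one random puzzle and encrypts the pre-arranged string with its key."""
    key = solve(secrets.choice(puzzles))
    return key, xor_cipher(key, PREARRANGED)

def alice_recover(keys, reply):
    """A tries each of her keys until the reply decrypts to the pre-arranged string."""
    for k in keys:
        if xor_cipher(k, reply) == PREARRANGED:
            return k
    raise ValueError("no key matches")

def wiretapper_cost(puzzles, reply):
    """Slide 29's wiretapper: count the puzzles solved before a key fits the reply."""
    for solved, puzzle in enumerate(puzzles, start=1):
        if xor_cipher(solve(puzzle), reply) == PREARRANGED:
            return solved
```

B solves exactly one puzzle while the wiretapper's count grows with the number of puzzles A publishes, which is the whole security margin of the scheme.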

30 Examples of Public-Key Cryptosystems
RSA
– RSA (Rivest, Shamir, Adleman)
– RSA is usually used to encrypt a private key and then send that along with a message encrypted by the private key.
– It uses a variable key length (usually 512 bits) and a variable block size that is not greater than the key length.

31 Examples of Public-Key Cryptosystems
RSA works as follows:
– Choose two large primes (say, 256 bits each) p and q. These must be kept secret.
– Compute n = p*q. The number n is not secret. This system works under the assumption that factoring n is computationally intractable.
– Choose e such that e is relatively prime to (has no common factors other than 1 with) (p-1)*(q-1). The number e is usually chosen to be small. 3 and are popular.
– The public key is the pair (e, n). Note that e doesn't have to be secret. The private key is (d, n) where d is the multiplicative inverse of e mod (p-1)(q-1).

32 Examples of Public-Key Cryptosystems
RSA
To encrypt a message m, compute $m^e \bmod n$ and send the result as ciphertext.
To decrypt ciphertext c: $m = c^d \bmod n$.
RSA can also be used for digital signatures.
– To sign a message m: $s = m^d \bmod n$. To check a signature: $m = s^e \bmod n$.
A lot of number theory is needed to prove that this technique works. One necessary theorem is: $m = (m^e \bmod n)^d \bmod n$.
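Added example (not part of the original slides): slides 31 and 32 carried through in Python, with the hash-then-sign step suggested on slide 22. The two Mersenne primes, the candidate list for e, SHA-256 as the hash and the function names are assumptions; this is unpadded textbook RSA for following the arithmetic, not a usable key.

```python
import hashlib
from math import gcd

# Constructed toy key (assumption): two well-known Mersenne primes stand in for
# the secret random primes p and q. Special-form primes are trivially factored.
p, q = 2**127 - 1, 2**521 - 1
n = p * q                                   # public modulus
phi = (p - 1) * (q - 1)

# First small candidate that is relatively prime to (p-1)(q-1).
# The candidate list is an assumption; several small values fail the test here.
e = next(c for c in (3, 5, 17, 257, 65537) if gcd(c, phi) == 1)
d = pow(e, -1, phi)                         # inverse of e mod (p-1)(q-1)

def encrypt(m: int) -> int:
    """c = m^e mod n, using the public key (e, n)."""
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)

def decrypt(c: int) -> int:
    """m = c^d mod n, using the private key (d, n)."""
    return pow(c, d, n)

def digest(message: bytes) -> int:
    """Hash the message to a 256-bit integer, which is smaller than n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> int:
    """s = hash(m)^d mod n: sign the short digest instead of the whole message."""
    return pow(digest(message), d, n)

def verify(message: bytes, s: int) -> bool:
    """Accept only if s^e mod n reproduces the digest of the message received."""
    return pow(s, e, n) == digest(message)
```

Production RSA adds randomized padding (OAEP for encryption, PSS for signatures) on top of these operations.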

33 Examples of Public-Key Cryptosystems
Certification Authorities (Public Key Infrastructure)
KDC is no longer necessary
– How can one principal learn the public key of another?
– How does one principal know they have the right public key and haven't been spoofed by an intruder?
It turns out that some sort of server is still needed to certify which public keys belong to whom.

34 Examples of Public-Key Cryptosystems
A certification authority (CA) is a trusted server that generates certificates of the form {name, public key}_CA, where CA is the certification authority's signature (private) key.
All hosts are preconfigured with the certification authority's public key
– any host can check the signature on these certificates
A CA is more attractive than a KDC because a CA doesn't need to be on-line.
– Certificates can be stored anyplace and forwarded anywhere as they are needed.

35 Examples of Public-Key Cryptosystems One problem is that if a principal's private key is compromised, then all those certificates (wherever they are) will cause the wrong public key to be used. Since there isn't a single authority that everyone trusts, updating all those certificates is not feasible. A solution is to require that certificates have expiration dates. –This will limit damage but not rule it out entirely.

