20-763 ELECTRONIC PAYMENT SYSTEMS, FALL 2002. COPYRIGHT © 2002 MICHAEL I. SHAMOS. Electronic Payment Systems 20-763, Lecture 6: Epayment Security II.


3 Public-Key (Asymmetric) Encryption
1. USERS WANT TO SEND PLAINTEXT TO RECIPIENT WEBSITE
2. SENDERS USE SITE’S PUBLIC KEY FOR ENCRYPTION
3. SITE USES ITS PRIVATE KEY FOR DECRYPTION
4. ONLY WEBSITE CAN DECRYPT THE CIPHERTEXT. NO ONE ELSE KNOWS HOW
SOURCE: STEIN, WEB SECURITY

4 Public-Key Encryption
Alice wants to send Bob a secure message M.
Alice uses Bob’s public key to encrypt M.
Bob uses his private key to decrypt M.
Bob is the ONLY ONE who can do this, so M is secure.
Problem: Anyone could have sent it. Was it really Alice?
[Diagram: ALICE’S CLEAR TEXT → ALICE ENCRYPTS WITH BOB’S PUBLIC KEY → ALICE’S CODED TEXT → TRANSMISSION → BOB DECRYPTS WITH HIS PRIVATE KEY → ALICE’S CLEAR TEXT]

5 Digital Authentication
Alice wants to send Bob a message M so that Bob is sure Alice is the sender.
Alice uses her own private key to encrypt M.
Bob uses Alice’s public key to decrypt M.
Alice is the ONLY ONE who could have sent it.
Problem 1: Anyone can read it!
Problem 2: Replay attack!
[Diagram: ALICE’S CLEAR TEXT → ALICE ENCRYPTS WITH HER PRIVATE KEY → ALICE’S CODED TEXT → TRANSMISSION → BOB DECRYPTS WITH ALICE’S PUBLIC KEY → ALICE’S CLEAR TEXT]

6 Secure Authenticated Messages
Alice must send Bob a secret & authenticated message M so Bob is sure it was sent by Alice.
Use both encryption and signature.
[Diagram: ALICE’S CLEAR TEXT → ALICE ENCRYPTS WITH HER PRIVATE KEY → ALICE’S CODED TEXT (AUTHENTICATED) → ALICE ENCRYPTS WITH BOB’S PUBLIC KEY → ALICE’S CODED AND SIGNED TEXT → TRANSMIT → BOB DECRYPTS WITH HIS PRIVATE KEY → BOB DECRYPTS WITH ALICE’S PUBLIC KEY → ALICE’S CLEAR TEXT (DECRYPTED AND AUTHENTICATED)]
4 KEYS NEEDED: BOB’S PUBLIC, ALICE’S PUBLIC, BOB’S PRIVATE, ALICE’S PRIVATE

7 One-Way Trapdoor Function
A function that is easy to compute
Computationally difficult to invert without knowing the secret (the “trapdoor”)
Example: $f(x, y) = xy$
Given $f(x, y)$, it is difficult to find either x or y
Given $f(x, y)$ and x (the secret), it is easy to find y
Any one-way trapdoor function can be used in public-key cryptography.

8 Rivest-Shamir-Adleman (RSA)
It is easy to multiply two numbers but apparently hard to factor a number into a product of two others.
Given p, q, it is easy to compute $n = pq$
Example: p = 5453089; q = 3918067
Easy to find n = 21365568058963
Given n, hard to find two numbers p, q with $pq = n$
Now suppose n = 7859112349338149
What are p and q such that $pq = n$?
Multiplication is a one-way function
RSA exploits this fact in public-key encryption

9 RSA Encryption
Select two large prime numbers p, q (e.g. 1024 bits)
Let $n = pq$
Choose a small odd integer e that does not divide $m = (p-1)(q-1)$. Then $x^{(p-1)(q-1)} = 1 \pmod{n}$
Compute $d = e^{-1} \pmod{m}$
–That is, $de$ gives remainder 1 when divided by m
–Then $x^{ed} = x \pmod{n}$ (by Fermat’s “Little” Theorem)
Public key is the pair (e, n)
Private key is the pair (d, n)
Knowing (e, n) is of no help in finding d. Still need p and q, which involves factoring n

10 Multiplicative Inverses Over Finite Fields
The inverse $e^{-1}$ of a number e satisfies $e^{-1} e = 1$
The inverse of 5 is 1/5
If we only allow numbers from 0 to n-1 (mod n), then for special values of n, each e has a unique inverse
[Table: MULTIPLICATION MOD 7. Annotations: INVERSE OF 5 IS 3; 6 × 2 = 12 WHEN DIVIDED BY 7 GIVES REMAINDER 5; EACH ROW EXCEPT THE ZERO ROW HAS EXACTLY ONE 1; EACH ELEMENT HAS A UNIQUE INVERSE]

11 RSA Encryption
Message M is a number
To encrypt message M using key (e, n): Compute $C(M) = M^e \pmod{n}$
To decrypt message C using key (d, n): Compute $P(C) = C^d \pmod{n}$
Note that $P(C(M)) = C(P(M)) = (M^e)^d \pmod{n} = M^{ed} \pmod{n} = M$ because $ed = 1$ and $m = (p-1)(q-1)$
DEMO

12 RSA Example
p = 61; q = 53
n = pq = 3233 (modulus, can be given to others)
e = 17 (public exponent, can be given to others)
d = 2753 (private exponent, kept secret!)
PUBLIC KEY = (3233, 17)
PRIVATE KEY = (3233, 2753)
To encrypt 123, compute $123^{17} \pmod{3233}$ = 337587917446653715596592958817679803 mod 3233 = 855 (37 digits)
To decrypt 855, compute $855^{2753} \pmod{3233}$ = 123 (intermediate value has 8072 digits)
SOURCE: FRANCIS LITTERIO
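The key generation, modular inverse and encryption steps of slides 9 to 12, as an added example that is not part of the original lecture. Function names are chosen here for illustration; the parameters are the slide's toy values, and the last function shows why so small an n gives no protection.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def inverse(e, m):
    """Multiplicative inverse of e modulo m; it exists only when gcd(e, m) == 1."""
    g, x, _ = egcd(e % m, m)
    if g != 1:
        raise ValueError(f"{e} has no inverse mod {m}")
    return x % m

def keygen(p, q, e):
    """Return ((e, n), (d, n)) with m = (p-1)(q-1) and d = e^-1 mod m."""
    n, m = p * q, (p - 1) * (q - 1)
    return (e, n), (inverse(e, m), n)

def apply_key(x, key):
    """C(M) = M^e mod n and P(C) = C^d mod n are the same operation."""
    exponent, n = key
    if not 0 <= x < n:
        raise ValueError("message must be a number in [0, n)")
    # Modular exponentiation reduces at every step, so the 8072-digit
    # intermediate value mentioned on the slide is never built.
    return pow(x, exponent, n)

def private_key_from_factoring(public):
    """Trial division factors a toy n at once, and p, q then give d."""
    e, n = public
    p = next(f for f in range(3, int(n ** 0.5) + 1, 2) if n % f == 0)
    return keygen(p, n // p, e)[1]

if __name__ == "__main__":
    public, private = keygen(61, 53, 17)
    c = apply_key(123, public)
    print("public", public, "private", private)
    print("encrypt 123 ->", c, "; decrypt ->", apply_key(c, private))
    print("inverse of 5 mod 7:", inverse(5, 7))
    print("d from (e, n) alone:", private_key_from_factoring(public))
```

Textbook RSA as shown is deterministic, so equal plaintexts give equal ciphertexts; deployed systems add randomized padding such as OAEP.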

13 Trapdoor Functions for Cryptography
Any one-way trapdoor function f(x) can be used for public-key cryptography
Alice wants to send message m to Bob
Bob’s public key e is a parameter to the trapdoor function $f_e(x)$ (the inverse $f_e^{-1}(x)$ is easy to compute knowing Bob’s private key d but difficult without d)
Alice computes $f_e(m)$, sends it to Bob
Bob computes $f_e^{-1}(f_e(m)) = m$ (easy if d is known)
Eavesdropper Eve can’t compute $m = f_e^{-1}(f_e(m))$ without the trapdoor d to find the inverse $f_e^{-1}$

14 Digital Signatures
A handwritten signature is a function of the signer only, not the message
Handwritten signatures can be copied and forged
The digital equivalent of a handwritten signature would be useless in eCommerce
Must be able to
–Compare it with the “real” signature; AND
–Must be sure it isn’t copied or forged
How can A prove his identity over the Internet?

15 Digital Signatures
A digital signature is a function of both the signer and the message
A digital signature is a digest of the message encrypted with the signer’s private key
[Diagram: MESSAGE M (LONG) → USE SECURE HASH ALGORITHM (SHA) TO PRODUCE HASH (MESSAGE DIGEST) → ENCRYPT HASH USING SIGNER’S PRIVATE KEY (PRIVATE KEY OF MR. A) → SIG. THIS IS THE DIGITAL SIGNATURE OF MR. A ON MESSAGE M]

16 Authentication by Digital Signature
[Diagram: RECIPIENT RECEIVES SIG + MESSAGE. RECIPIENT USES SHA TO COMPUTE HASH FROM MESSAGE (LONG); RECIPIENT DECRYPTS SIG WITH SIGNER’S PUBLIC KEY TO OBTAIN HASH; the two hashes are compared (=?)]
IF HASHES ARE EQUAL, MESSAGE IS AUTHENTIC. WHY? IF ANY BIT OF M OR SIG IS ALTERED, HASH CHANGES.

17 Digital Signature
Message digest encrypted with signer’s private key
[Diagram: MESSAGE (LONG) → USE SHA TO PRODUCE HASH (MESSAGE DIGEST) → ENCRYPT HASH WITH SIGNER’S PRIVATE KEY → SIG → APPEND SIGNATURE TO MESSAGE; SEND BOTH (MESSAGE (LONG) + SIG)]
Recipient decrypts SIG with signer’s public key.
Recipient computes the message digest.
If it matches the SIG, the SIG is genuine AND the message has not been altered!
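The hash-then-sign flow of slides 15 to 17, as an added example that is not part of the original lecture. The key is a constructed toy built from two Mersenne primes, SHA-256 stands in for the slide's SHA, and reducing the digest mod N is an assumption made only so the toy key can sign it.

```python
import hashlib

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)

def digest(message: bytes) -> int:
    """Message digest as an integer, reduced mod N to fit the toy key."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes) -> int:
    """Signer: hash the message, then apply the private key to the hash."""
    return pow(digest(message), D, N)

def verify(message: bytes, sig: int) -> bool:
    """Recipient: apply the public key to SIG and compare with a fresh hash."""
    return pow(sig, E, N) == digest(message)

if __name__ == "__main__":
    order = b"PO for $100"
    sig = sign(order)
    print("genuine message and SIG :", verify(order, sig))
    # The signature is a function of the message, so it cannot be moved
    # onto a different message, and an altered SIG no longer matches.
    print("SIG copied to other text:", verify(b"PO for $100,000", sig))
    print("one bit of SIG altered  :", verify(order, sig ^ 1))
```

Production signature schemes also pad the digest before the private-key operation (for example RSASSA-PSS); the bare form here only mirrors the slide.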

18 Discrete Logarithms
If $a^b = c$, we say that $\log_a c = b$
Example: $2^{32} = 4294927296$ so $\log_2(4294927296) = 32$
Computing $a^b$ and $\log_a c$ are both easy for real numbers
In a finite field, it is easy to calculate $c = a^b \bmod p$ but given c, a and p it is very difficult to find b
This is the “discrete logarithm” problem
Analogy: Given x it is easy to find two real numbers y, z such that $x = yz$
Given an integer n it is hard to find two integers p, q such that $n = pq$

19 Diffie-Hellman Key Exchange
Object: allow Alice and Bob to exchange a secret key
Protocol has two public parameters: a prime p and a number g < p such that given 0 < n < p there is some k such that $g^k = n$ (g is called a generator)
Alice and Bob generate random private values a, b between 1 and p-2
Alice’s public value is $g^a \pmod{p}$; Bob’s is $g^b \pmod{p}$
Alice and Bob share their public values
Alice computes $(g^b)^a \pmod{p} = g^{ba}$
Bob computes $(g^a)^b \pmod{p} = g^{ab} = g^{ba}$
Let key = $g^{ab}$. Now both Alice and Bob have it.
No one else can compute it -- they don’t know a or b

20 El Gamal Encryption
Based on the discrete logarithm
Bob’s public key is (p, q, r)
Bob’s private key is s such that $r = q^s \bmod p$
Alice sends Bob the message m by picking a random secret number k and sending $(a, b) = (q^k \bmod p,\; m r^k \bmod p)$
Bob computes $b\,(a^s)^{-1} \bmod p = m r^k (q^{ks})^{-1} = m q^{ks} (q^{ks})^{-1} = m$ (Bob knows s; nobody else can do this)
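The Diffie-Hellman exchange of slide 19 and the El Gamal scheme of slide 20 in one added example, which is not part of the original lecture. It keeps the slides' symbols; p = 23 with generator 5 and the private values are constructed toy numbers, and the function names are chosen here.

```python
import secrets

def is_generator(g, p):
    """True if every n in 1..p-1 is g^k mod p for some k (brute force, small p)."""
    return len({pow(g, k, p) for k in range(1, p)}) == p - 1

def dh_public(g, p, private):
    """Public value g^a mod p for the private value a."""
    return pow(g, private, p)

def dh_shared(their_public, my_private, p):
    """(g^b)^a mod p: both sides arrive at the same g^(ab)."""
    return pow(their_public, my_private, p)

def elgamal_public(p, q, s):
    """Slide notation: public key (p, q, r) with r = q^s mod p; s stays private."""
    return p, q, pow(q, s, p)

def elgamal_encrypt(public, m, k=None):
    p, q, r = public
    if not 1 <= m < p:
        raise ValueError("message must be in 1..p-1")
    if k is None:
        k = 1 + secrets.randbelow(p - 2)   # fresh secret k for every message
    return pow(q, k, p), (m * pow(r, k, p)) % p   # (a, b)

def elgamal_decrypt(p, s, ciphertext):
    a, b = ciphertext
    return (b * pow(pow(a, s, p), -1, p)) % p     # b * (a^s)^-1 mod p

if __name__ == "__main__":
    p, g = 23, 5
    print("5 generates mod 23:", is_generator(5, p), "| 2 does:", is_generator(2, p))
    alice_private, bob_private = 6, 15            # constructed private values
    alice_public = dh_public(g, p, alice_private)
    bob_public = dh_public(g, p, bob_private)
    print("public values:", alice_public, bob_public)
    print("shared key   :", dh_shared(bob_public, alice_private, p),
          dh_shared(alice_public, bob_private, p))
    public = elgamal_public(p, g, s=6)
    ciphertext = elgamal_encrypt(public, 10, k=3)
    print("El Gamal (a, b):", ciphertext, "->", elgamal_decrypt(p, 6, ciphertext))
```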

21 Elliptic Curve Cryptography (ECC)
An elliptic curve is the set of points (x, y) satisfying $y^2 + axy + by = x^3 + cx^2 + dx + e$
[Figure: plot of an elliptic curve, axes x and y]
An elliptic curve has the property that a line drawn between two points of the curve intersects the curve at a single point. (Warning: need to include the point at infinity.)
This allows us to define P + Q so that the sum is always another point on the curve.
If the sum P + Q is always on the curve, so are the points P, P + P, P + P + P, ... = P, 2P, 3P, 4P, ...
ONLINE TUTORIAL

22 Elliptic Curve Operations
[Figure: elliptic curve operations. SOURCE: INTEGRITY SCIENCES]
The point at infinity O is an identity element for addition

23 Elliptic Curves Over Finite Fields
Select a large prime number p
Choose two non-negative integers a and b with $4a^2 + 27b^2 \neq 0 \pmod{p}$
The pairs (x, y) with x, y < p that satisfy $y^2 = x^3 + ax + b \pmod{p}$ are the elliptic group mod p
–addition is closed and associative: (x + y) + z = x + (y + z)
–there is an identity element O such that x + O = x
–every element x has an inverse $x^{-1}$ such that $x + x^{-1} = O$
If $y = kx \pmod{p}$, then given k and x it is easy to find y but given x and y it is computationally hard to find k
So elliptic curves can be used for cryptography

24 Elliptic Curves for El Gamal
Multiplication in the elliptic group corresponds to exponentiation of real numbers
Solving $y = kx \pmod{p}$ for k in the elliptic group is similar to solving $c = a^b \pmod{p}$ for b in El Gamal (discrete logarithm)
Choose a special point g of the group (called a generator)
Bob’s private key is s; Bob’s public key is (g, sg)
A plaintext message m is transformed to a point x in the group
Alice encrypts x by picking a random value k and sending (kg, x + ksg)
Bob decrypts by computing (x + ksg) - (kg)s = x
[Annotations: Alice sent him these (kg and x + ksg); Bob knows s (his private key); g and sg are public; Alice knows x and k; can’t find s from g and sg]
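The group law of slide 23 and the El Gamal scheme of slide 24, as an added example that is not part of the original lecture. The curve y² = x³ + 2x + 2 (mod 17), the generator (5, 1), the key values and the function names are constructed for illustration, and the message is assumed to be a point of the group already.

```python
# Constructed toy curve y^2 = x^3 + 2x + 2 (mod 17); None is the point at infinity O.
P_MOD, A, B = 17, 2, 2
G = (5, 1)   # generator; the group has 19 elements

def on_curve(pt):
    return pt is None or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P_MOD == 0

def neg(pt):
    """Inverse of a point: reflect y, so that pt + neg(pt) = O."""
    return None if pt is None else (pt[0], -pt[1] % P_MOD)

def add(p1, p2):
    """Chord-and-tangent addition, with O as the identity element."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                          # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)   # tangent
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)        # chord
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def mul(k, pt):
    """k*pt = pt + pt + ... + pt, computed by double-and-add."""
    result = None
    while k:
        if k & 1:
            result = add(result, pt)
        pt, k = add(pt, pt), k >> 1
    return result

def encrypt(x, public, k):
    g, sg = public
    return mul(k, g), add(x, mul(k, sg))      # (kg, x + ksg)

def decrypt(ciphertext, s):
    kg, masked = ciphertext
    return add(masked, neg(mul(s, kg)))       # (x + ksg) - (kg)s

if __name__ == "__main__":
    s, x, k = 7, mul(3, G), 4                 # constructed key, message point, nonce
    ct = encrypt(x, (G, mul(s, G)), k)
    print("message", x, "ciphertext", ct, "decrypted", decrypt(ct, s))
```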

25 Security of ECC versus RSA
[Graphic: security of ECC versus RSA. GRAPHIC: RICHARD SOUTHERN]
ECC Advantages
1. The elliptic curve logarithm problem is harder than the discrete logarithm problem.
2. Key size in ECC is much smaller for a given security level.
3. ECC is complicated; fewer people understand it.
4. ECC is not patented.

26 Birthday Attacks
Dave’s birthday is Jan. 29. How many people must be in a room for the probability to be > 1/2 that someone else was born on Jan. 29?
Probability that 1 person was not born on Jan. 29 = 364/365.
Probability that n people were not born on Jan. 29 is $p(n) = (364/365)^n$.
Now choose n so that $p(n) < 0.5$
$\log p(n) < n \log(364/365)$
$n > \log(1/2)/\log(364/365) \approx 253$
If n = 183 (half of 366), p(n) = 0.6053. Less than 40% chance that someone else has same birthday

27 Birthday Probabilities
Suppose a year has d days. How many people must be in a room for the probability to be > 1/2 that some pair of people have the same birthday?
Label the people 1 … n
Probability that person i has no birthday in common with people 1 … i-1 is $(d - i + 1)/d$, so
If d = 365 and n = 23, $p(n) \approx 0.4927$
If d = 365 and n = 50, $p(n) \approx 0.0296$
For large d, taking $n \approx 1.17$ gives $p(n) > 1/2$

28 Attacking Hash Algorithms
If two strings M and M* can be found such that H(M) = H(M*) then a hash algorithm can be compromised
Let M = PO for $100; M* = PO for $100,000
John digitally signs H(M), so it can’t be altered!
If H(M*) = H(M) then we can “prove” in court that John signed the $100,000 PO
Birthday attack: If the hash length is b bits, then $d = 2^b$; $= 2^{b/2}$
Try about $2^{b/2}$ small variations of the message. Prob. ~ 50% we will find one that hashes to the same value
If the digest is 64 bits, try $2^{32}$ variations. Possible!
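The birthday figures of slides 26 and 27 and the 2^(b/2) collision cost of slide 28, as an added example that is not part of the original lecture. The weak hash is a constructed stand-in (SHA-256 cut down to a few bits) and the function names are chosen here; the point is how quickly a short digest collides, which is why digest length has to be twice the intended security level.

```python
import hashlib
import math

def p_no_match(n, d=365):
    """Slide 27: probability that n people have n distinct birthdays among d days."""
    prob = 1.0
    for i in range(1, n + 1):
        prob *= (d - i + 1) / d
    return prob

def people_for_fixed_day(d=365):
    """Slide 26: smallest n with ((d-1)/d)^n < 1/2."""
    return math.ceil(math.log(0.5) / math.log((d - 1) / d))

def weak_hash(data: bytes, bits: int) -> int:
    """Constructed weak digest: the first `bits` bits of SHA-256."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def find_collision(m: str, m_star: str, bits: int):
    """Vary both texts until a variant of m and a variant of m_star share a digest.

    Returns (variant_of_m, variant_of_m_star, variations_tried_per_text).
    """
    seen_m, seen_star = {}, {}
    i = 0
    while True:
        i += 1
        vm = f"{m} [ref {i}]".encode()
        vs = f"{m_star} [ref {i}]".encode()
        hm, hs = weak_hash(vm, bits), weak_hash(vs, bits)
        seen_m.setdefault(hm, vm)
        seen_star.setdefault(hs, vs)
        if hm in seen_star:
            return vm, seen_star[hm], i
        if hs in seen_m:
            return seen_m[hs], vs, i

if __name__ == "__main__":
    print("fixed day, n needed:", people_for_fixed_day())
    print("p(23) =", round(p_no_match(23), 4), " p(50) =", round(p_no_match(50), 4))
    for bits in (16, 24, 32):
        a, b, tries = find_collision("PO for $100", "PO for $100,000", bits)
        print(f"{bits}-bit digest: {tries} variations per text "
              f"(2^(b/2) = {2 ** (bits // 2)})")
```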

29 Major Ideas
Digital signature = message digest encrypted with signer’s private key
Dual signature: two people sign a document without being able to read the other person’s content
Blind signature: one person signs a document without being able to read it
Any trapdoor function can be used for public-key cryptography
Great care must be used with public-key systems to avoid protocol failure (allowing cracking through mistakes)
Elliptic-curve cryptography (ECC) is replacing RSA
–Shorter keys for the same level of security

30 Q & A

