Chapter 3 – Public-Key Cryptography and Message Authentication

Chapter 3 – Public-Key Cryptography and Message Authentication
Every Egyptian received two names, which were known respectively as the true name and the good name, or the great name and the little name; and while the good or little name was made public, the true or great name appears to have been carefully concealed. —The Golden Bough, Sir James George Frazer Intro quote.

Outline Approaches to Message Authentication
Secure Hash Functions and HMAC Public-Key Cryptography Principles Public-Key Cryptography Algorithms Digital Signatures Key Management In the context of communications across a network, the attacks listed above can be identified. The first two requirements belong in the realm of message confidentiality, and are handled using the encryption techniques already discussed. The remaining requirements belong in the realm of message authentication. At its core this addresses the issue of ensuring that a message comes from the alleged source and has not been altered. It may also address sequencing and timeliness. The use of a digital signature can also address issues of repudiation by the source.

Approaches to Message Authentication
In the context of communications across a network, the attacks listed above can be identified. The first two requirements belong in the realm of message confidentiality, and are handled using the encryption techniques already discussed. The remaining requirements belong in the realm of message authentication. At its core this addresses the issue of ensuring that a message comes from the alleged source and has not been altered. It may also address sequencing and timeliness. The use of a digital signature can also address issues of repudiation by the source.

Authentication Requirements - must be able to verify that:
1. Message came from apparent source or author, 2. Contents have not been altered, 3. Sometimes, it was sent at a certain time or sequence. Protection against active attack (falsification of data and transactions) In the context of communications across a network, the attacks listed above can be identified. The first two requirements belong in the realm of message confidentiality, and are handled using the encryption techniques already discussed. The remaining requirements belong in the realm of message authentication. At its core this addresses the issue of ensuring that a message comes from the alleged source and has not been altered. It may also address sequencing and timeliness. The use of a digital signature can also address issues of repudiation by the source.

Approaches to Message Authentication
Authentication Using Conventional Encryption Only the sender and receiver should share a key Message Authentication without Message Encryption An authentication tag is generated and appended to each message Message Authentication Code Calculate the MAC as a function of the message and the key. MAC = F(K, M)

Message Encryption message encryption by itself also provides a measure of authentication if symmetric encryption is used then: receiver know sender must have created it since only sender and receiver know key used know content cannot of been altered if message has suitable structure, redundancy or a checksum to detect any changes Message encryption by itself can provide a measure of authentication. Here, the ciphertext of the entire message serves as its authenticator, on the basis that only those who know the appropriate keys could have validly encrypted the message. This is provided you can recognize a valid message (ie if the message has suitable structure such as redundancy or a checksum to detect any changes).

Prevent Message From being Altered
Message encryption by itself can provide a measure of authentication. Here, the ciphertext of the entire message serves as its authenticator, on the basis that only those who know the appropriate keys could have validly encrypted the message. This is provided you can recognize a valid message (ie if the message has suitable structure such as redundancy or a checksum to detect any changes).

Message Authentication Code (MAC)
generated by an algorithm that creates a small fixed-sized block depending on both message and some key like encryption though need not be reversible appended to message as a signature receiver performs same computation on message and checks it matches the MAC provides assurance that message is unaltered and comes from sender An alternative authentication technique involves the use of a secret key to generate a small fixed-size block of data, known as a cryptographic checksum or MAC that is appended to the message. This technique assumes that two communicating parties, say A and B, share a common secret key K. A MAC function is similar to encryption, except that the MAC algorithm need not be reversible, as it must for decryption.

Message Authentication Code
Stallings Figure 11.4a “Message Authentication” shows the use of a MAC just for authentication.

Message Authentication Codes
as shown the MAC provides authentication can also use encryption for secrecy generally use separate keys for each can compute MAC either before or after encryption is generally regarded as better done before why use a MAC? sometimes only authentication is needed sometimes need authentication to persist longer than the encryption (eg. archival use) note that a MAC is not a digital signature (sender and receiver share the same key) Can combine use of MAC with encryption in various ways to provide both authentication & secrecy. Use MAC in circumstances where just authentication is needed (or needs to be kept), see text for examples. A MAC is NOT a digital signature since both sender & receiver share key and could create it.

Message Authentication Codes
Can combine use of MAC with encryption in various ways to provide both authentication & secrecy. Use MAC in circumstances where just authentication is needed (or needs to be kept), see text for examples. A MAC is NOT a digital signature since both sender & receiver share key and could create it.

MAC Properties a MAC is a cryptographic checksum
MAC = CK(M) condenses a variable-length message M using a secret key K to a fixed-sized authenticator is a many-to-one function potentially many messages have same MAC but finding these needs to be very difficult A MAC, also known as a cryptographic checksum,is generated by a function C. The MAC is appended to the message at the source at a time when the message is assumed or known to be correct. The receiver authenticates that message by re-computing the MAC. The MAC function is a many-to-one function, since potentially many arbitrarily long messages can be condensed to the same summary value, but don’t want finding them to be easy!

Requirements for MACs taking into account the types of attacks
need the MAC to satisfy the following: knowing a message and MAC, is infeasible to find another message with same MAC MACs should be uniformly distributed MAC should depend equally on all bits of the message In assessing the security of a MAC function, we need to consider the types of attacks that may be mounted against it. Hence it needs to satisfy the listed requirements. The first requirement deals with message replacement attacks, in which an opponent is able to construct a new message to match a given MAC, even though the opponent does not know and does not learn the key. The second requirement deals with the need to thwart a brute-force attack based on chosen plaintext. The final requirement dictates that the authentication algorithm should not be weaker with respect to certain parts or bits of the message than others. Example:

Using Symmetric Ciphers for MACs
can use any block cipher chaining mode and use final block as a MAC Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC using IV=0 and zero-pad of final block encrypt message using DES in CBC mode and send just the final block as the MAC or the leftmost M bits (16≤M≤64) of final block but final MAC is now too small for security Can also use block cipher chaining modes to create a separate authenticator, by just sending the last block. This was done with the Data Authentication Algorithm (DAA), a widely used MAC based on DES-CBC (next slide). However this suffers from being too small for acceptable use today.

Data Authentication Algorithm
Stallings Figure 11.6 “Data Authentication Algorithm”, illustrates the FIPS PUB 113 / ANSI X9.17 MAC based on DES-CBC with IV 0 and 0-pad of the final block if needed. Resulting MAC can be bits of the final block. But this is now too small for security.

Secure Hash Functions and HMAC

Hash Functions condenses arbitrary message to fixed size h = H(M)
usually assume that the hash function is public and not keyed cf. MAC which is keyed hash used to detect changes to message can use in various ways with message most often to create a digital signature A variation on the message authentication code is the one-way hash function. As with the message authentication code, a hash function accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code H(M). Unlike a MAC, a hash code does not use a key but is a function only of the input message. The hash code is also referred to as a message digest or hash value.

Requirements for Hash Functions
can be applied to any sized message M produces fixed-length output h is easy to compute h=H(M) for any message M given h is infeasible to find x s.t. H(x) = h one-way property given x is infeasible to find y s.t. H(y) = H(x) weak collision resistance is infeasible to find any x, y s.t. H(y) = H(x) strong collision resistance The purpose of a hash function is to produce a “fingerprint”of a file, message, or other block of data. These are the specifications for good hash functions. Essentially it must be extremely difficult to find 2 messages with the same hash, and the hash should not be related to the message in any obvious way (ie it should be a complex non-linear function of the message). There are quite a few similarities in the evolution of hash functions & block ciphers, and in the evolution of the design requirements on both.

Simple Hash Functions are several proposals for simple functions
based on XOR of message blocks not secure since can manipulate any message and either not change hash or change hash also need a stronger cryptographic function (next chapter) All hash functions operate using the following general principles. The input (message, file,etc.) is viewed as a sequence of n-bit blocks, processed one block at a time in an iterative fashion to produce an n-bit hash function. Can construct a range of possible simple hash functions by just XOR’ing blocks with rotates etc. None of these are secure, since can predict how changes to message affect the resulting hash.

Hash and MAC Algorithms
Hash Functions condense arbitrary size message to fixed size by processing message in blocks through some compression function either custom or block cipher based Message Authentication Code (MAC) fixed sized authenticator for some message to provide authentication for message by using block cipher mode or hash function Now look at important examples of both secure hash functions and message authentication codes (MACs). Traditionally, most hash functions that have achieved widespread use rely on a compression function specifically designed for the hash function. Another approach is to use a symmetric block cipher as the compression function. MACs also fall into two categories: some use a hash algorithm such as SHA as the core of the MAC algorithm, others use a symmetric block cipher in a cipher block chaining mode.

Hash Algorithm Structure
Most important modern hash functions follow the basic structure shown in this figure, Stallings Figure This has proved to be a fundamentally sound structure, and newer designs simply refine the structure and add to the hash code length. Within this basic structure, two approaches have been followed in the design of the compression function, as mentioned previously, which is the basic building block of the hash function.

Secure Hash Algorithm SHA originally designed by NIST & NSA in 1993
was revised in 1995 as SHA-1 US standard for use with DSA signature scheme standard is FIPS , also Internet RFC 3174 nb. the algorithm is SHA, the standard is SHS based on design of MD4 with key differences produces 160-bit hash values recent 2005 results on security of SHA-1 have raised concerns on its use in future applications The Secure Hash Algorithm (SHA) was developed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180) in 1993; a revised version was issued as FIPS in 1995 and is generally referred to as SHA-1. The actual standards document is entitled Secure Hash Standard. SHA is based on the hash function MD4 and its design closely models MD4. SHA-1 produces a hash value of 160 bits. In 2005, a research team described an attack in which two separate messages could be found that deliver the same SHA-1 hash using 2^69 operations, far fewer than the 2^80 operations previously thought needed to find a collision with an SHA-1 hash [WANG05]. This result should hasten the transition to newer, longer versions of SHA.

Revised Secure Hash Standard
NIST issued revision FIPS in 2002 adds 3 additional versions of SHA SHA-256, SHA-384, SHA-512 designed for compatibility with increased security provided by the AES cipher structure & detail is similar to SHA-1 hence analysis should be similar but security levels are rather higher In 2002, NIST produced a revised version of the standard, FIPS 180-2, that defined three new versions of SHA, with hash value lengths of 256, 384, and 512 bits, known as SHA-256, SHA-384, and SHA-512. These new versions have the same underlying structure and use the same types of modular arithmetic and logical binary operations as SHA-1, hence analyses should be similar. In 2005, NIST announced the intention to phase out approval of SHA-1 and move to a reliance on the other SHA versions by See Stallings Table12.1 for comparative details of these algorithms.

SHA-512 Overview Now examine the structure of SHA-512, noting that the other versions are quite similar. SHA-512 follows the structure depicted in Stallings Figure The processing consists of the following steps: • Step 1: Append padding bits • Step 2: Append length • Step 3: Initialize hash buffer • Step 4: Process the message in 1024-bit (128-word) blocks, which forms the heart of the algorithm • Step 5: Output the final state value as the resulting hash See text for details.

SHA-512 Compression Function
heart of the algorithm processing message in 1024-bit blocks consists of 80 rounds updating a 512-bit buffer using a 64-bit value Wt derived from the current message block and a round constant based on cube root of first 80 prime numbers The SHA-512 Compression Function is the heart of the algorithm. In this Step 4, it processes the message in 1024-bit (128-word) blocks, using a module that consists of 80 rounds, labeled F in Stallings Figure 12, as shown in Figure Each round takes as input the 512-bit buffer value, and updates the contents of the buffer. Each round t makes use of a 64-bit value Wt derived using a message schedule from the current 1024-bit block being processed. Each round also makes use of an additive constant Kt, based on the fractional parts of the cube roots of the first eighty prime numbers. The output of the eightieth round is added to the input to the first round to produce the final hash value for this message block, which forms the input to the next iteration of this compression function, as shown on the previous slide. a = 6A09E667F3BCC b = BB67AE85 84CAA73B c = 3C6EF372FE94F82B d = A54FF53A5F1D36F1 e = 510E527FADE682D f = 9B05688C2B3E6C1F g = 1F83D9ABFB41BD6B h = 5BE0CD19137E2179

SHA-512 Compression Function
The SHA-512 Compression Function is the heart of the algorithm. In this Step 4, it processes the message in 1024-bit (128-word) blocks, using a module that consists of 80 rounds, labeled F in Stallings Figure 12, as shown in Figure Each round takes as input the 512-bit buffer value, and updates the contents of the buffer. Each round t makes use of a 64-bit value Wt derived using a message schedule from the current 1024-bit block being processed. Each round also makes use of an additive constant Kt, based on the fractional parts of the cube roots of the first eighty prime numbers. The output of the eightieth round is added to the input to the first round to produce the final hash value for this message block, which forms the input to the next iteration of this compression function, as shown on the previous slide.

SHA-512 Round Function 1 The structure of each of the 80 rounds is shown in Stallings Figure Each 64-bit word shuffled along one place, and in some cases manipulated using a series of simple logical functions (ANDs, NOTs, ORs, XORs, ROTates), in order to provide the avalanche & completeness properties of the hash function. The elements are: Ch(e,f,g) = (e AND f) XOR (NOT e AND g) Maj(a,b,c) = (a AND b) XOR (a AND c) XOR (b AND c) ∑(a) = ROTR(a,28) XOR ROTR(a,34) XOR ROTR(a,39) ∑(e) = ROTR(e,14) XOR ROTR(e,18) XOR ROTR(e,41) + = addition modulo 2^64 Kt = a 64-bit additive constant Wt = a 64-bit word derived from the current 512-bit input block.

SHA-512 Round Function Stallings Figure 12.4 details how the 64-bit word values Wt are derived from the 1024-bit message. The first 16 values of Wt are taken directly from the 16 words of the current block. The remaining values are defined as a function of the earlier values using ROTates, SHIFTs and XORs as shown. The function elements are: ∂0(x) = ROTR(x,1) XOR ROTR(x,8) XOR SHR(x,7) ∂1(x) = ROTR(x,19) XOR ROTR(x,61) XOR SHR(x,6).

Whirlpool now examine the Whirlpool hash function
endorsed by European NESSIE project uses modified AES internals as compression function addressing concerns on use of block ciphers seen previously with performance comparable to dedicated algorithms like SHA Next examine the hash function Whirlpool [BARR03]. Whirlpool is one of only two hash functions endorsed by the NESSIE (New European Schemes for Signatures, Integrity, and Encryption) project, a European Union–sponsored effort to put forward a portfolio of strong cryptographic primitives of various types. Whirlpool is based on the use of a modified AES block cipher as the compression function, and is intended to provide security and performance that is comparable, if not better, than that found in non block-cipher based hash functions, such as the MD or SHA families.

Whirlpool Overview Stallings Figure 12.6 shows an overview of Whirlpool, which takes as input a message with a maximum length of less than 2^256 bits and produces as output a 512-bit message digest. The input is processed in 512-bit blocks. The processing consists of the following steps: • Step 1: Append padding bits • Step 2: Append length • Step 3: Initialize hash matrix • Step 4: Process message in 512-bit (64-byte) blocks, using as its core, the block cipher W.

Whirlpool Block Cipher W
designed specifically for hash function use with security and efficiency of AES but with 512-bit block size and hence hash similar structure & functions as AES but input is mapped row wise has 10 rounds a different primitive polynomial for GF(28) uses different S-box design & values Unlike virtually all other proposals for a block-cipher-based hash function, Whirlpool uses a block cipher that is specifically designed for use in the hash function and that is unlikely ever to be used as a standalone encryption function. The reason for this is that the designers wanted to make use of an block cipher with the security and efficiency of AES but with a hash length that provided a potential security equal to SHA-512. The result is the block cipher W, which has a similar structure and uses the same elementary functions as AES, but which uses a block size and a key size of 512 bits. See Stallings Table12.2 which compares AES and W.

Whirlpool Block Cipher W
Stallings Figure 12.7 shows the structure of Block Cipher W. The encryption algorithm takes a 512-bit block of plaintext as input and a 512-bit key and produces a 512-bit block of ciphertext as output. The encryption algorithm involves the use of four different functions, or transformations: add key (AK), substitute bytes (SB), shift columns (SC), and mix rows (MR). Note that the input is mapped by rows (unlike AES which is mapped by column). Hence the use of “Mix Rows” as the diffusion layer; and “Shift Columns” as the permutation (vs Mix Columns & Shift Rows in AES). Note also that the Key Schedule uses the same W round function, but with round constants RC[I] (being S-box outputs) taking the role of “subkeys” in the AddKey function.

Whirlpool Performance & Security
Whirlpool is a very new proposal hence little experience with use but many AES findings should apply does seem to need more h/w than SHA, but with better resulting performance Whirlpool is a very new proposal, hence there is little experience with use, though many AES findings should apply to it. As yet, there has been little implementation experience with Whirlpool. One study [KITS04] compared Whirlpool with a number of other secure hash functions. The authors developed multiple hardware implementations of each hash function and concluded that, compared to SHA-512, Whirlpool requires more hardware resources but performs much better in terms of throughput.

Keyed Hash Functions as MACs
want a MAC based on a hash function because hash functions are generally faster code for crypto hash functions widely available hash includes a key along with message original proposal: KeyedHash = Hash( Key | Message ) some weaknesses were found with this eventually led to development of HMAC In recent years, there has been increased interest in developing a MAC derived from a cryptographic hash function. A hash function such as SHA was not designed for use as a MAC and cannot be used directly for that purpose because it does not rely on a secret key. There have been a number of proposals for the incorporation of a secret key into an existing hash algorithm, originally by just pre-pending a key to the message. Problems were found with these earlier, simpler proposals, but they resulted in the development of HMAC.

HMAC specified as Internet standard RFC 2104
uses hash function on the message: HMACK = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad)||M)]] where K+ is the key padded out to size and opad, ipad are specified padding constants overhead is just 3 more hash calculations than the message needs alone any hash function can be used eg. MD5, SHA-1, RIPEMD-160, Whirlpool The idea of a keyed hash evolved into HMAC, designed to overcome some problems with the original proposals. It involves hashing padded versions of the key concatenated with the message, and then with another outer hash of the result prepended by another padded variant of the key. The hash function need only be used on 3 more blocks than when hashing just the original message (for the two keys + inner hash). HMAC can use any desired hash function, and has been shown to have the same security as the underlying hash function. Can choose the hash function to use based on speed/security concerns.

HMAC Overview 00110110 repeated b/8 times 01011100 repeated
Stallings Figure shows the structure of HMAC, which implements the function: HMACK = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M)] elements are: K+ is K padded with zeros on the left so that the result is b bits in length ipad is a pad value of 36 hex repeated to fill block opad is a pad value of 5C hex repeated to fill block M is the message input to HMAC (including the padding specified in the embedded hash function)

HMAC Security proved security of HMAC relates to that of the underlying hash algorithm attacking HMAC requires either: brute force attack on key used birthday attack (but since keyed would need to observe a very large number of messages) choose hash function used based on speed verses security constraints The appeal of HMAC is that its designers have been able to prove an exact relationship between the strength of the embedded hash function and the strength of HMAC. The security of a MAC function is generally expressed in terms of the probability of successful forgery with a given amount of time spent by the forger and a given number of message-MAC pairs created with the same key. Have two classes of attacks: brute force attack on key used which has work of order 2^n; or a birthday attack which requires work of order 2^(n/2) - but which requires the attacker to observe 2^n blocks of messages using the same key - very unlikely. So even MD5 is still secure for use in HMAC given these constraints.

Public-Key Cryptography Principles

Private-Key Cryptography
traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications are compromised also is symmetric, parties are equal hence does not protect sender from receiver forging a message & claiming is sent by sender So far all the cryptosystems discussed, from earliest history to modern times, have been private/secret/single key (symmetric) systems. All classical, and modern block and stream ciphers are of this form, and still rely on the fundamental building blocks of substitution and permutation (transposition).

Public-Key Cryptography
probably most significant advance in the 3000 year history of cryptography uses two keys – a public & a private key asymmetric since parties are not equal uses clever application of number theoretic concepts to function complements rather than replaces private key crypto Will now discuss the radically different public key systems, in which two keys are used. The development of public-key cryptography is the greatest and perhaps the only true revolution in the entire history of cryptography. It is asymmetric, involving the use of two separate keys, in contrast to symmetric encryption,which uses only one key. Anyone knowing the public key can encrypt messages or verify signatures, but cannot decrypt messages or create signatures, counter-intuitive though this may seem. It works by the clever use of number theory problems that are easy one way but hard the other. Note that public key schemes are neither more nor less secure than private key (security depends on the key size for both), nor do they replace private key schemes (they are too slow to do so), rather they complement them. Both also have issues with key distribution, requiring the use of some suitable protocol.

Why Public-Key Cryptography?
developed to address two key issues: key distribution – how to have secure communications in general without having to trust a KDC with your key digital signatures – how to verify a message comes intact from the claimed sender public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976 known earlier in classified community The concept of public-key cryptography evolved from an attempt to attack two of the most difficult problems associated with symmetric encryption: key distribution and digital signatures. The idea of public key schemes, and the first practical scheme, which was for key distribution only, was published in 1977 by Diffie & Hellman. The concept had been previously described in a classified report in 1970 by James Ellis (UK CESG) - and subsequently declassified [ELLI99]. Its interesting to note that they discovered RSA first, then Diffie-Hellman, opposite to the order of public discovery! There is also a claim that the NSA knew of the concept in the mid-60’s [SIMM93].

public-key/two-key/asymmetric cryptography involves the use of two keys: a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures is asymmetric because those who encrypt messages or verify signatures cannot decrypt messages or create signatures Emphasize here the radical difference with Public-Key Cryptography is the use of two related keys but with very different roles and abilities. Anyone knowing the public key can encrypt messages or verify signatures, but cannot decrypt messages or create signatures, all thanks to some clever use of number theory.

Stallings Figure 9.1a “Public-Key Cryptography”, shows that a public-key encryption scheme has six ingredients: plaintext, encryption algorithm, public & private keys, ciphertext & decryption algorithm. Consider the following analogy using padlocked boxes: traditional schemes involve the sender putting a message in a box and locking it, sending that to the receiver, and somehow securely also sending them the key to unlock the box. The radical advance in public key schemes was to turn this around, the receiver sends an unlocked box (their public key) to the sender, who puts the message in the box and locks it (easy - and having locked it cannot get at the message), and sends the locked box to the receiver who can unlock it (also easy), having the (private) key. An attacker would have to pick the lock on the box (hard).

Public-Key Characteristics
Public-Key algorithms rely on two keys where: it is computationally infeasible to find decryption key knowing only algorithm & encryption key it is computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known either of the two related keys can be used for encryption, with the other used for decryption (for some algorithms) Asymmetric algorithms rely on one key for encryption and a different but related key for decryption. These algorithms have the following important characteristic: that it is computationally infeasible to determine the decryption key given only knowledge of the cryptographic algorithm and the encryption key. That is public key schemes utilise problems that are easy (P type) one way but hard (NP type) the other way, eg exponentiation vs logs, multiplication vs factoring. In addition, some algorithms, such as RSA, are also able to use either key as public & other private.

Public-Key Cryptosystems
Stallings Figure 9.4 “Public-Key Cryptosystems: Secrecy and Authentication” illustrates the essential elements of a public-key encryption scheme. Note that public-key schemes can be used for either secrecy or authentication, or both (as shown here). In this case, separate key pairs are used for each of these purposes. The receiver owns and creates secrecy keys, sender owns and creates authentication keys. In practice typically DO NOT do this, because of the computational cost of public-key schemes. Rather encrypt a session key which is then used with a block cipher to encrypt the actual message, and separately sign a hash of the message as a digital signature - this will be discussed more later.

Public-Key Applications
can classify uses into 3 categories: encryption/decryption (provide secrecy) digital signatures (provide authentication) key exchange (of session keys) some algorithms are suitable for all uses, others are specific to one Public-key systems are characterized by the use of a cryptographic type of algorithm with two keys. Depending on the application, the sender uses either the sender’s private key or the receiver’s public key, or both, to perform some type of cryptographic function. In broad terms, we can classify the use of public-key cryptosystems into the three categories: • Encryption/decryption: The sender encrypts a message with the recipient’s public key. • Digital signature: The sender “signs”a message with its private key, either to the whole message or to a small block of data that is a function of the message. • Key exchange: Two sides cooperate to exchange a session key. Several different approaches are possible, involving the private key(s) of one or both parties. Some algorithms are suitable for all three applications, whereas others can be used only for one or two of these applications.

Security of Public Key Schemes
like private key schemes brute force exhaustive search attack is always theoretically possible but keys used are too large (>512bits) security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problems more generally the hard problem is known, but is made hard enough to be impractical to break requires the use of very large numbers hence is slow compared to private key schemes Public key schemes are no more or less secure than private key schemes - in both cases the size of the key determines the security. Note also that you can't compare key sizes - a 64-bit private key scheme has very roughly similar security to a 512-bit RSA - both could be broken given sufficient resources. But with public key schemes at least there is usually a firmer theoretical basis for determining the security since its based on well-known and well studied number theory problems.

Public-Key Cryptography Algorithms

RSA by Rivest, Shamir & Adleman of MIT in 1977
best known & widely used public-key scheme based on exponentiation in a finite (Galois) field over integers modulo a prime nb. exponentiation takes O(log n) operations (easy) uses large integers (eg bits) security due to cost of factoring large numbers nb. factorization takes O(e log n log log n) operations (hard) RSA is the best known, and by far the most widely used general public key encryption algorithm, and was first published by Rivest, Shamir & Adleman of MIT in 1978 [RIVE78]. Since that time RSA has reigned supreme as the most widely accepted and implemented general-purpose approach to public-key encryption. It is based on exponentiation in a finite (Galois) field over integers modulo a prime, using large integers (eg bits). Its security is due to the cost of factoring large numbers.

RSA Key Setup each user generates a public/private key pair by:
selecting two large primes at random : p, q computing their system modulus n = pq note (n)=(p1)(q1) selecting at random the encryption key e where 1< e < (n), gcd(e, (n))=1 solve following equation to find decryption key d ed=1 mod (n) and 0≤ d ≤ n publish their public encryption key: PU={e, n} keep secret private decryption key: PR={d, n} RSA key setup is done once (rarely) when a user establishes (or replaces) their public key, using the steps as shown. The exponent e is usually fairly small, just must be relatively prime to ø(n). Need to compute its inverse mod ø(n) to find d. It is critically important that the factors p & q of the modulus n are kept secret, since if they become known, the system can be broken. Note that different users will have different moduli n.

RSA Use to encrypt a message M the sender:
obtains public key of recipient PU={e, n} computes: C = Me mod n, where 0≤ M < n to decrypt the ciphertext C the owner: uses their private key PR={d, n} computes: M = Cd mod n note that the message M must be smaller than the modulus n (block if needed) The actual RSA encryption and decryption computations are each simply a single exponentiation mod (n). Note that the message must be smaller than the modulus. The “magic” is in the choice of the exponents which makes the system work.

Why RSA Works = M1.(1)k = M1 = M mod n because of Euler's Theorem:
a(n) mod n = 1 where gcd(a, n)=1 in RSA have: n=pq (n)=(p1)(q1) carefully choose e & d to be inverses mod (n) hence ed = 1 + k(n) for some k hence : Cd = Med = M1+k(n) = M1.(M(n))k = M1.(1)k = M1 = M mod n Can show that RSA works as a direct consequence of Euler’s Theorem, so that raising a number to power e then d (or vica versa) results in the original number!

RSA Example - Key Setup Select primes: p = 17 & q = 11
Compute n = pq =1711 = 187 Compute (n) = (p–1)(q1) = 1610 = 160 Select e: gcd(e, 160)=1; choose e = 7 Determine d: de = 1 mod 160 and d < 160 Value is d = 23 since 237 = 161 = 10 Publish public key PU={7, 187} Keep secret private key PR={23, 187} Here walk through example RSA key generation using “trivial” sized numbers. Selecting primes requires the use of a primality test. Finding d as inverse of e mod ø(n) requires use of Euclid’s Inverse algorithm (see Ch4)

RSA Example - En/Decryption
sample RSA encryption/decryption is: given message M = 88 (nb. 88 < 187) encryption: C = 887 mod 187 = 11 decryption: M = 1123 mod 187 = 88 Then show that the encryption and decryption operations are simple exponentiations mod 187. Rather than having to laborious repeatedly multiply, can use the "square and multiply" algorithm with modulo reductions to implement all exponentiations quickly and efficiently (see next).

Exponentiation can use the Square and Multiply Algorithm
a fast, efficient algorithm for exponentiation concept is based on repeatedly squaring base and multiplying in the ones that are needed to compute the result look at binary representation of exponent only takes O(log2 n) multiples for number n eg. 75 = 7471 = 37 = 10 mod 11 eg = 312831 = 53 = 4 mod 11 To perform the modular exponentiations, you can use the “Square and Multiply Algorithm”, a fast, efficient algorithm for doing exponentiation. The idea is to repeatedly square the base, and multiply in the ones that are needed to compute the result, as found by examining the binary representation of the exponent.

Exponentiation Compute: c = 0; f = 1 for i = k downto 0 do c = 2  c
f = (f  f) mod n if bi == 1 then c = c + 1 f = (f  a) mod n return f State here one version of the “Square and Multiply Algorithm”, from Stallings Figure 9.7.

Efficient Encryption encryption uses exponentiation to power e
hence if e small, this will be faster often choose e = (2161) also see choices of e = 3 or e = 17 but if e too small (eg e = 3) can attack using Chinese remainder theorem & 3 messages with different modulii if e fixed must ensure gcd(e, (n))=1 ie reject any p or q not relatively prime to e To speed up the operation of the RSA algorithm using the public key, can choose to use a small value of e (but not too small, since its then vulnerable to attack). Must then ensure any p or q chosen are relatively prime to the fixed e (and reject and find another if not), for system to work.

Efficient Decryption decryption uses exponentiation to power d
this is likely large, insecure if not can use the Chinese Remainder Theorem (CRT) to compute mod p & q separately. then combine to get desired answer approx 4 times faster than doing directly only owner of private key who knows values of p & q can use this technique To speed up the operation of the RSA algorithm using the private key, can use the Chinese Remainder Theorem (CRT) to compute mod p & q separately, and then combine results to get the desired answer. This is approx 4 times faster than calculating “C^d mod n” directly. Note that only the owner of the private key details (who knows the values of p & q) can do this, but of course that’s exactly where help is needed, since if e is small then d will be likely be large!

RSA Key Generation users of RSA must:
determine two primes at random : p,q select either e or d and compute the other primes p,q must not be easily derived from modulus n = pq means must be sufficiently large typically guess and use probabilistic test exponents e, d are inverses, so use Inverse algorithm to compute the other Before the application of the public-key cryptosystem, each participant must generate a pair of keys, which requires finding primes and computing inverses. Both the prime generation and the derivation of a suitable pair of inverse exponents may involve trying a number of alternatives. Typically make random guesses for a possible p or q, and check using a probabalistic primality test whether the guessed number is indeed prime. If not, try again. Note that the prime number theorem shows that the average number of guesses needed is not too large. Then compute decryption exponent d using Euclid’s Inverse Algorithm, which is quite efficient.

RSA Security possible approaches to attacking RSA are:
brute force key search (infeasible given size of numbers) mathematical attacks (based on difficulty of computing (n), by factoring modulus n) timing attacks (on running of decryption) chosen ciphertext attacks (given properties of RSA) Note some possible possible approaches to attacking the RSA algorithm, as shown. The defense against the brute-force approach is the same for RSA as for other cryptosystems, namely, use a large key space. Thus the larger the number of bits in d, the better. However because the calculations involved both in key generation and in encryption/decryption are complex, the larger the size of the key, the slower the system will run. Will now review the other possible types of attacks.

Factoring Problem mathematical approach takes 3 forms:
factor n = pq, hence compute (n) and then d determine (n) directly and compute d find d directly currently believe all equivalent to factoring have seen slow improvements over the years as of May-05 best is 200 decimal digits (663) bit with LS biggest improvement comes from improved algorithm cf QS to GHFS to LS currently assume bit RSA is secure ensure p, q of similar size and matching other constraints We can identify three approaches to attacking RSA mathematically, as shown. Mathematicians currently believe all equivalent to factoring. See Stallings Table 9.4 for progress in factoring, where see slow improvements over the years, with the biggest improvements coming from improved algorithms. The best current algorithm is the “Lattice Sieve” (LS), which replaced the “Generalized Number Field Sieve” (GNFS), which replaced the “Quadratic Sieve”(QS). Have to assume computers will continue to get faster, and that better factoring algorithms may yet be found. Numbers of size bits look reasonable at present, provided the factors meet other constraints.

Elliptic Curve Cryptography
majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very large numbers/polynomials imposes a significant load in storing and processing keys and messages an alternative is to use elliptic curves offers same security with smaller bit sizes newer, but not as well analyzed A major issue with the use of Public-Key Cryptography, is the size of numbers used, and hence keys being stored. Recently, an alternate approach has emerged, elliptic curve cryptography (ECC), which performs the computations using elliptic curve arithmetic instead of integer or polynomial arithmetic. Already, ECC is showing up in standardization efforts, including the IEEE P1363 Standard for Public-Key Cryptography. Although the theory of ECC has been around for some time, it is only recently that products have begun to appear and that there has been sustained cryptanalytic interest in probing for weaknesses. Accordingly, the confidence level in ECC is not yet as high as that in RSA.

Real Elliptic Curves an elliptic curve is defined by an equation in two variables x & y, with coefficients consider a cubic elliptic curve of form y2 = x3 + ax + b where x, y, a, b are all real numbers also define zero point O have addition operation for elliptic curve geometrically sum of P + Q is reflection of intersection R First consider elliptic curves using real number values. See text for detailed rules of addition and relation to zero point O. Can derive an algebraic interpretation of addition, based on computing gradient of tangent and then solving for intersection with curve. There is also an algebraic description of additions over elliptic curves, see text.

Real Elliptic Curve Example
Stallings Figure 10.9b “Example of Elliptic Curves”, illustrates the geometric interpretation of elliptic curve addition.

Comparable Key Sizes for Equivalent Security
Symmetric scheme (key size in bits) ECC-based scheme (size of n in bits) RSA/DSA (modulus size in bits) 56 112 512 80 160 1024 224 2048 128 256 3072 192 384 7680 15360 Stallings Table “ Comparable Key Sizes in Terms of Computational Effort for Cryptanalysis” illustrates the relative key sizes needed for security.

Digital Signatures In the context of communications across a network, the attacks listed above can be identified. The first two requirements belong in the realm of message confidentiality, and are handled using the encryption techniques already discussed. The remaining requirements belong in the realm of message authentication. At its core this addresses the issue of ensuring that a message comes from the alleged source and has not been altered. It may also address sequencing and timeliness. The use of a digital signature can also address issues of repudiation by the source.

Digital Signatures have looked at message authentication
but does not address issues of lack of trust digital signatures provide the ability to: verify author, date & time of signature authenticate message contents be verified by third parties to resolve disputes hence include authentication function with additional capabilities The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who exchange messages from any third party. However, it does not protect the two parties against each other. A digital signature is analogous to the handwritten signature, and provides a set of security capabilities that would be difficult to implement in any other way. It must have the following properties: • It must verify the author and the date and time of the signature • It must to authenticate the contents at the time of the signature • It must be verifiable by third parties,to resolve disputes Thus, the digital signature function includes the authentication function.

Digital Signature Properties
must depend on the message signed must use information unique to sender to prevent both forgery and denial must be relatively easy to produce must be relatively easy to recognize & verify be computationally infeasible to forge with new message for existing digital signature with fraudulent digital signature for given message be practical save digital signature in storage On the basis of the properties on the previous slide, we can formulate the requirements for a digital signature as shown. A variety of approaches has been proposed for the digital signature function. These approaches fall into two categories: direct and arbitrated.

Direct Digital Signatures
involve only sender & receiver assumed receiver has sender’s public-key digital signature made by sender signing entire message or hash with private-key can encrypt using receivers public-key important that sign first then encrypt message & signature security depends on sender’s private-key Direct Digital Signatures involve the direct application of public-key algorithms involving only the communicating parties. A digital signature may be formed by encrypting the entire message with the sender’s private key, or by encrypting a hash code of the message with the sender’s private key. Confidentiality can be provided by further encrypting the entire message plus signature using either public or private key schemes. It is important to perform the signature function first and then an outer confidentiality function, since in case of dispute, some third party must view the message and its signature. But these approaches are dependent on the security of the sender’s private-key. Will have problems if it is lost/stolen and signatures forged. Need time-stamps and timely key revocation.

Arbitrated Digital Signatures
involves use of arbiter A validates any signed message then dated and sent to recipient requires suitable level of trust in arbiter can be implemented with either private or public-key algorithms arbiter may or may not see message The problems associated with direct digital signatures can be addressed by using an arbiter, in a variety of possible arrangements, as shown in Stallings Table 13.1. The arbiter plays a sensitive and crucial role in this sort of scheme, and all parties must have a great deal of trust that the arbitration mechanism is working properly. These schemes can be implemented with either private or public-key algorithms, and the arbiter may or may not see the actual message contents.

Public-Key Message Encryption
if public-key encryption is used: encryption provides no confidence of sender since anyone potentially knows public-key however if sender signs message using their private-key then encrypts with recipients public key have both secrecy and authentication again need to recognize corrupted messages but at cost of two public-key uses on message With public-key techniques, can get a digital signature which can only have been created by key owner. But at cost of two public-key operations at each end on message.

Public-Key Encryption
With public-key techniques, can get a digital signature which can only have been created by key owner. But at cost of two public-key operations at each end on message.

Hash Functions & Digital Signatures
Stallings Figure 11.5c “Basic Uses of Hash Functions” shows the hash being “signed” with the senders private key, thus forming a digital signature.

Digital Signature Standard (DSS)
US Govt approved signature scheme designed by NIST & NSA in early 90's published as FIPS-186 in 1991 revised in 1993, 1996 & then 2000 uses the SHA hash algorithm DSS is the standard, DSA is the algorithm FIPS (2000) includes alternative RSA & elliptic curve signature variants DSA is the US Govt approved signature scheme, which is designed to provide strong signatures without allowing easy use for encryption. The DSS makes use of the Secure Hash Algorithm (SHA), and presents a new digital signature technique, the Digital Signature Algorithm (DSA). The DSS was originally proposed in 1991 and revised in 1993 in response to public feedback concerning the security of the scheme. There was a further minor revision in In 2000, an expanded version of the standard was issued as FIPS 186-2, which incorporates digital signature algorithms based on RSA and on elliptic curve cryptography.

Digital Signature Algorithm (DSA)
creates a 320 bit signature with bit security smaller and faster than RSA a digital signature scheme only security depends on difficulty of computing discrete logarithms variant of ElGamal & Schnorr schemes Will discuss the original DSS algorithm. The DSA signature scheme has advantages, being both smaller (320 vs 1024bit) and faster (much of the computation is done modulo a 160 bit number), over RSA. Unlike RSA, it cannot be used for encryption or key exchange. Nevertheless, it is a public-key technique. The DSA is based on the difficulty of computing discrete logarithms, and is based on schemes originally presented by ElGamal [ELGA85] and Schnorr [SCHN91].

Digital Signature Algorithm (DSA)
DSA differs from RSA in how the message signature is generated and validated, as shown in Stallings Figure 13.1. RSA signatures encrypt the message hash with the private key to create a signature, which is then verified by being decrypted with the public key to compare to a recreated hash value. DSA signatures use the message hash, global public values, private key & random k to create a 2 part signature (s,r). This is verified by computing a function of the message hash, public key, r and s, and comparing the result with r. The proof that this works is complex, but it achieves its aims!

DSA Key Generation have shared global public key values (p,q,g):
choose q, is 160 bits choose a large prime 2L1 < p < 2L where L= 512 to 1024 bits and is a multiple of 64 and q is a prime factor of (p1) choose g = h(p1)/q where h < p1, h(p1)/q (mod p) > 1 users choose private & compute public key: choose x < q compute y = gx (mod p) DSA typically uses a common set of global parameters (p,q,g) for a community of clients, as shown. Then each DSA uses chooses a random private key x, and computes their public key as shown. The calculation of the public key y given x is relatively straightforward. However, given the public key y, it is computationally infeasible to determine x, which is the discrete logarithm of y to base g, mod p.

DSA Signature Creation
to sign a message M the sender: generates a random signature key k, k < q nb. k must be random, be destroyed after use, and never be reused then computes signature pair: r = (gk(mod p))(mod q) s = (k1H(M)+ x.r)(mod q) sends signature (r, s) with message M To create a signature, a user calculates two quantities, r and s, that are functions of the public key components (p,q,g), the user’s private key (x), the hash code of the message H(M), and an additional integer k that should be generated randomly or pseudo-randomly and be unique for each signing. This is similar to ElGamal signatures, with the use of a per message temporary signature key k, but doing calculations first mod p, then mod q to reduce the size of the result. The signature (r,s) is then sent with the message to the recipient. Note that computing r only involves calculation mod p and does not depend on message, hence can be done in advance. Similarly with randomly choosing k’s and computing their inverses.

DSA Signature Verification
having received M & signature (r, s) to verify a signature, recipient computes: w = s1(mod q) u1= (H(M)w)(mod q) u2= (rw)(mod q) v = (gu1yu2(mod p)) (mod q) if v = r then signature is verified see book web site for details of proof why At the receiving end, verification is performed using the formulas shown. The receiver generates a quantity v that is a function of the public key components, the sender’s public key, and the hash of the incoming message. If this quantity matches the r component of the signature, then the signature is validated. Note that the difficulty of computing discrete logs is why it is infeasible for an opponent to recover k from r, or x from s. Note also that nearly all the calculations are mod q, and hence are much faster save for the last step. The structure of this function is such that the receiver can recover r using the incoming message and signature, the public key of the user, and the global public key.I t is certainly not obvious that such a scheme would work. A proof is provided at this book’s Web site.

Key Management In the context of communications across a network, the attacks listed above can be identified. The first two requirements belong in the realm of message confidentiality, and are handled using the encryption techniques already discussed. The remaining requirements belong in the realm of message authentication. At its core this addresses the issue of ensuring that a message comes from the alleged source and has not been altered. It may also address sequencing and timeliness. The use of a digital signature can also address issues of repudiation by the source.

Key Management public-key encryption helps address key distribution problems have two aspects of this: distribution of public keys use of public-key encryption to distribute secret keys One of the major roles of public-key encryption has been to address the problem of key distribution, with two distinct aspects: the distribution of public keys, and the use of public-key encryption to distribute secret keys.

Distribution of Public Keys
can be considered as using one of: public announcement publicly available directory public-key authority public-key certificates Several techniques have been proposed for the distribution of public keys, which can mostly be grouped into the categories shown.

Public Announcement users distribute public keys to recipients or broadcast to community at large eg. append PGP keys to messages or post to news groups or list major weakness is forgery anyone can create a key claiming to be someone else and broadcast it until forgery is discovered can masquerade as claimed user The point of public-key encryption is that the public key is public, hence any participant can send his or her public key to any other participant, or broadcast the key to the community at large. Its major weakness is forgery, anyone can create a key claiming to be someone else and broadcast it, and until the forgery is discovered they can masquerade as the claimed user.

Public-Key Authority improve security by tightening control over distribution of keys from directory has properties of directory and requires users to know public key for the directory then users interact with directory to obtain any desired public key securely does require real-time access to directory when keys are needed Stronger security for public-key distribution can be achieved by providing tighter control over the distribution of public keys from the directory. It requires users to know the public key for the directory, and that they interact with directory in real-time to obtain any desired public key securely. Note that a total of seven messages are required, as shown next.

Publicly Available Directory
can obtain greater security by registering keys with a public directory directory must be trusted with properties: contains {name, public-key} entries participants register securely with directory participants can replace key at any time directory is periodically published directory can be accessed electronically still vulnerable to tampering or forgery A greater degree of security can be achieved by maintaining a publicly available dynamic directory of public keys. Maintenance and distribution of the public directory would have to be the responsibility of some trusted entity or organization. This scheme is clearly more secure than individual public announcements but still has vulnerabilities to tampering or forgery.

Public-Key Authority Stallings Figure 10.3 “Public-Key Authority” illustrates a typical protocol interaction. See text for details of steps in protocol.

Public-Key Certificates
certificates allow key exchange without real-time access to public-key authority a certificate binds identity to public key usually with other info such as period of validity, rights of use etc with all contents signed by a trusted Public-Key or Certificate Authority (CA) can be verified by anyone who knows the public-key authorities public-key An further improvement is to use certificates, which can be used to exchange keys without contacting a public-key authority, in a way that is as reliable as if the keys were obtained directly from a public-key authority. A certificate binds an identity to public key, with all contents signed by a trusted Public-Key or Certificate Authority (CA). This can be verified by anyone who knows the public-key authorities public-key. One scheme has become universally accepted for formatting public-key certificates: the X.509 standard. X.509 certificates are used in most network security applications, including IP security, secure sockets layer (SSL), secure electronic transactions (SET), and S/MIME. Will discuss it in much more detail later.

Public-Key Certificates
Stallings Figure 10.4 “Public-Key Certificates” illustrates such a scheme. See text for details of steps in protocol.

Public-Key Distribution of Secret Keys
use previous methods to obtain public-key can use for secrecy or authentication but public-key algorithms are slow so usually want to use private-key encryption to protect message contents hence need a session key have several alternatives for negotiating a suitable session Once public keys have been distributed or have become accessible, secure communication that thwarts eavesdropping, tampering, or both, is possible. However, few users will wish to make exclusive use of public-key encryption for communication because of the relatively slow data rates that can be achieved. Accordingly, public-key encryption provides for the distribution of secret keys to be used for conventional encryption.

Simple Secret Key Distribution
proposed by Merkle in 1979 A generates a new temporary public key pair A sends B the public key and their identity B generates a session key K sends it to A encrypted using the supplied public key A decrypts the session key and both use problem is that an opponent can intercept and impersonate both halves of protocol An extremely simple scheme was put forward by Merkle [MERK79]. But it is insecure against an adversary who can intercept messages and then either relay the intercepted message or substitute another message. Such an attack is known as a man-in-the-middle attack [RIVE84].

Public-Key Distribution of Secret Keys
if have securely exchanged public-keys: Stallings Figure 10.6 “Public-Key Distribution of Secret Keys” illustrates such an exchange. See text for details of steps in protocol. Note that these steps correspond to final 3 of Figure 10.3, hence can get both secret key exchange and authentication in a single protocol.

Hybrid Key Distribution
retain use of private-key KDC shares secret master key with each user distributes session key using master key public-key used to distribute master keys especially useful with widely distributed users rationale performance backward compatibility Yet another way to use public-key encryption to distribute secret keys is a hybrid approach in use on IBM mainframes [LE93]. This scheme retains the use of a key distribution center (KDC) that shares a secret master key with each user and distributes secret session keys encrypted with the master key. A public key scheme is used to distribute the master keys. The addition of a public-key layer provides a secure, efficient means of distributing master keys. This is an advantage in a configuration in which a single KDC serves a widely distributed set of users.

Diffie-Hellman Key Exchange
first public-key type scheme proposed by Diffie & Hellman in 1976 along with the exposition of public key concepts note: now know that Williamson (UK CESG) secretly proposed the concept in 1970 is a practical method for public exchange of a secret key used in a number of commercial products The idea of public key schemes, and the first practical scheme, which was for key distribution only, was published in 1977 by Diffie & Hellman. The concept had been previously described in a classified report in 1970 by Williamson (UK CESG) - and subsequently declassified in 1987, see [ELLI99].

a public-key distribution scheme cannot be used to exchange an arbitrary message rather it can establish a common key known only to the two participants value of key depends on the participants (and their private and public key information) based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard The purpose of the algorithm is to enable two users to securely exchange a key that can then be used for subsequent encryption of messages. The algorithm itself is limited to the exchange of secret values, which depends on the value of the public/private keys of the participants. The Diffie-Hellman algorithm uses exponentiation in a finite (Galois) field (modulo a prime or a polynomial), and depends for its effectiveness on the difficulty of computing discrete logarithms.

Diffie-Hellman Setup all users agree on global parameters:
large prime integer or polynomial q a being a primitive root mod q each user (eg. A) generates their key chooses a secret key (number): xA < q compute their public key: yA = axA mod q each user makes public that key yA In the Diffie-Hellman key exchange algorithm, there are two publicly known numbers: a prime number q and an integer a that is a primitive root of q. The prime q and primitive root a can be common to all using some instance of the D-H scheme. Note that the primitive root a is a number whose powers successively generate all the elements mod q. Users Alice and Bob choose random secrets x's, and then "protect" them using exponentiation to create their public y's. For an attacker monitoring the exchange of the y's to recover either of the x's, they'd need to solve the discrete logarithm problem, which is hard.

shared session key for users A & B is KAB: KAB = axA.xB mod q = yA xB mod q (which B can compute) = yB xA mod q (which A can compute) KAB is used as session key in private-key encryption scheme between Alice and Bob if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys attacker needs an x, must solve discrete log The actual key exchange for either party consists of raising the others "public key' to power of their private key. The resulting number (or as much of as is necessary) is used as the key for a block cipher or other private key scheme. For an attacker to obtain the same value they need at least one of the secret numbers, which means solving a discrete log, which is computationally infeasible given large enough numbers. Note that if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys.

Diffie-Hellman Example
users Alice & Bob who wish to swap keys: agree on prime q = 353 and a = 3 select random secret keys: A chooses xA = 97, B chooses xB = 233 compute respective public keys: yA = 397 mod 353 = 40 (Alice) yB = 3233 mod 353 = 248 (Bob) compute shared session key as: KAB = yBxA mod 353 = = 160 (Alice) KAB = yAxB mod 353 = = 160 (Bob) Here is an example of Diffie-Hellman from the text.

Key Exchange Protocols
users could create random private/public D-H keys each time they communicate users could create a known private/public D-H key and publish in a directory, then consulted and used to securely communicate with them both of these are vulnerable to a meet-in-the-Middle Attack authentication of the keys is needed Detail a couple of possible Key Exchange Protocols based on Diffie-Hellman. Note that these are vulnerable to a meet-in-the-Middle Attack, and that authentication of the keys is needed.

Summary have considered: HMAC authentication using hash function
some current hash algorithms SHA-512 & Whirlpool principles of public-key cryptography RSA algorithm Digital signature, DSA Diffie-Hellman key exchange Chapter 12 summary.

Chapter 3 – Public-Key Cryptography and Message Authentication

Similar presentations

Presentation on theme: "Chapter 3 – Public-Key Cryptography and Message Authentication"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Chapter 3 – Public-Key Cryptography and Message Authentication

Similar presentations

Presentation on theme: "Chapter 3 – Public-Key Cryptography and Message Authentication"— Presentation transcript:

Similar presentations

About project

Feedback