Presentation is loading. Please wait.

Presentation is loading. Please wait.

Electronic Payment Systems Lecture 5: ePayment Security II

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Electronic Payment Systems Lecture 5: ePayment Security II"— Presentation transcript:

1 Electronic Payment Systems 20-763 Lecture 5: ePayment Security II
ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

2 Outline Public-key Cryptography One-way trapdoor functions RSA
Protocol Failure Discrete Logarithms Diffie-Hellman El Gamal Elliptic Curve Cryptosystems ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

3 Public Key Encryption Clear-text Input Cipher-text Clear-text Output
“The quick brown fox jumps over the lazy dog” “The quick brown fox jumps over the lazy dog” Encryption Decryption public private Different but mathematically linked keys Recipient’s public key Recipient’s private key SOURCE: ALBERTO PACE

4 One-Way Trapdoor Function
A function that is easy to compute Computationally difficult to invert without knowing the secret (the “trapdoor”) Easy to invert with the secret Example: f x (y) = x • y Given f x (y), it is difficult to find either x or y Given f x (y) and x (the secret), it is easy to find y: y = x • y / x ANY one-way trapdoor function can be used in public-key cryptography. ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

5 Trapdoor Functions for Cryptogrpahy
Alice wants to send message m to Bob Bob’s public key e is a parameter to the trapdoor function fe(x) The inverse fe -1(y) is easy to compute knowing Bob’s private key d but difficult without d Alice computes fe(m), sends it to Bob Bob computes fe -1(fe(m)) = m (easy if d is known) Eavesdropper Eve can’t compute m = fe -1(fe(m)) without the trapdoor d to find the inverse fe -1 Symmetric encryption satisfies the trapdoor criteria except that e and d are the same, so neither can be made public ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

6 Rivest-Shamir-Adelman (RSA)
It is easy to multiply two numbers but apparently hard to factor a number into a product of two others. Given p, q, it is easy to compute n = p • q Example: p = ; q = Easy to find n = Given n, hard to find two numbers p, q with p • q = n Now suppose n = What are p and q such that p • q = n ? Multiplication is a one-way function RSA exploits this fact in public-key encryption ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

7 RSA Encryption Select two large prime numbers p, q (e.g. 1024 bits)
Let n = p • q Choose a small odd integer e that does not divide m = (p - 1)(q - 1). Then x(p-1)(q-1) = 1 (mod n) Compute d = e-1(mod m) That is, d • e gives remainder 1 when divided by m Then xe •d = x (mod n) (by Fermat’s “Little” Theorem) Public key is the pair (e, n) Private key is the pair (d, n) d cannot be calculated quickly from (e, n) Still need p and q, which involves factoring n ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

8 RSA Encryption Message M is a number
To encrypt message M using key (e, n): Compute E(M) = M e (mod n) To decrypt message E(M) using key (d, n): Compute D(E(M)) = E(M) d (mod n) Note that D(E(M)) = E(D(M)) = (M e)d (mod n) = M e•d (mod n) = M because e • d = 1 (mod m) and m = (p-1)(q-1) DEMO ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

9 Protocol Failure A “secure” cryptosystem is not secure if used carelessly Protocols must be followed carefully or a “protocol failure” occurs Example: “common modulus” failure Bob and Carol have the same public-key modulus n with encryption exponents eBOB and eCAROL having no common factor Alice sends the same plaintext M to both Bob and Carol Bob gets yBOB = MeBOB mod n Carol gets yCAROL = MeCAROL mod n If Eve intercepts both, she can read the message WARNING: NEVER SEND THE SAME MESSAGE TWICE! ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

10 Protocol Failure Eve computes: c1 = eBOB-1 (mod eCAROL ) c2 = ((c1 eBOB) - 1 )/ eCAROL M = yBOBc1 ( yCAROLc2 )-1 (mod n) = (MeBOB)c1 ((MeCAROL)c2)-1 (mod n) = (MeBOB)c1 ((MeCAROL)(c1(eBOB)-1)/eCAROL)-1 (mod n) = (MeBOB)c1 (M(c1eBOB-1))-1 (mod n) = M (Mc1(eBOB)-1)) (M( c1(eBOB)-1))-1 (mod n) = M mod n So Eve recovers the original message! KNOWN QUANTITIES: n eBOB eCAROL yBOB yCAROL ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

11 Discrete Logarithms If ab = c, we say that logac = b
Example: 232 = so log2( ) = 32 Computing ab and logac are both easy for real numbers In a finite field, it is easy to calculate c = ab mod p but given c, a and p it is very difficult to find b This is the “discrete logarithm” problem Analogy: Given x it is easy to find two real numbers y, z such that x = y•z Given an integer n it is hard to find two integers p, q such that n = p•q ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

12 Diffie-Hellman Key Exchange
Object: allow Alice and Bob to exchange a secret key Protocol has two public parameters: a prime p and a number g < p such that given 0 < n < p there is some k such that gk = n (g is called a generator) Alice and Bob generate random private values a, b between 1 and p-2 Alice’s public value is ga (mod p); Bob’s is gb (mod p) Alice and Bob share their public values Alice computes (gb)a (mod p) = gba (mod p) Bob computes (ga)b (mod p) = gab = gba (mod p) Let key = gab. Now both Alice and Bob have it. No one else can compute it -- they don’t know a or b ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

13 El Gamal Encryption Based on the discrete logarithm
Bob’s public key is (p, q, r) Bob’s private key is s such that r = qs mod p Alice sends Bob the message m by picking a random secret number k and sending (a, b) = (qk mod p, mrk mod p) Bob computes b (as )-1 mod p = mrk (qks)-1 = mqks (qks)-1 = m (Bob knows s; nobody else can do this) ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

14 Relative Time in Seconds Required for RSA Modular Exponentiation y = xe mod n
RSA key size k [bits] Processing time t [s] 512 8 768 22 1024 48 1536 150 2048 335 RSA Benchmarks for the 20 MHz SOURCE: ANDREAS STEFFEN, ZHW

15 Elliptic Curves y2 = x3  4x y2 = x3 + ax + b 4a3 + 27b2  0
General form: y2 = x3 + ax + b Condition for distinct single roots: 4a b2  0 Example: y2 = x3  4x = x(x 2)(x +2) ONLINE TUTORIAL SOURCE: ANDREAS STEFFEN, ZHW

16 The Group <G,> A set G and an operation  defined on pairs of elements of set G such that for all elements a, b and c in G we have: Closure: a  b is also an element of G Associativity: a  (b  c) = (a  b)  c Identity Element: For some e in G, for all a, a  e = e  a = a Inverse Element: Every a has an inverse a' : a  a' = a'  a = e Commutativity: a  b = b  a (Abelian Group) Examples: Addition: <R, +> e = 0 , a' = -a Multiplication: <R-{0}, · > e = 1 , a' = a-1 SOURCE: ANDREAS STEFFEN, ZHW

17 The Points P(x,y) on an Elliptic Curve form a Group
Group set: All points P(x,y) lying on an elliptic curve R R' P Group operation: Point addition Q R = P  Q SOURCE: ANDREAS STEFFEN, ZHW

18 Identity and Inverse Elements
P'(x,-y) = P(x,y) is mirrored on x-axis P' Point addition with inverse element: P  P' = O results in the identity element O(x,) at infinity P Identity element: P  O = P O SOURCE: ANDREAS STEFFEN, ZHW

19 Point Doubling – Adding a point to itself
Form the tangent in Point P(x,y) R R' P R = P  P SOURCE: ANDREAS STEFFEN, ZHW

20 Point Iteration – Adding a point k-1 times to itself
Pk = P  P  ...  P P3 P2 P SOURCE: ANDREAS STEFFEN, ZHW

21 Calculation of Point Addition
Line g: y = s x+y0 with g P(xP , yP) R(xR, yR) Q (xQ , yQ) Intersection with curve: (s x+y0)2 = x3 +ax+b Coordinates of point R: R' (xR, -yR) SOURCE: ANDREAS STEFFEN, ZHW

22 Elliptic Curves Over Finite Fields
Elliptic curves can be defined in a finite or Galois field GFp (mod p) y2 = x3 + ax + b mod p where the field size p is a prime number and {0,1, ..., p-1} is an abelian group under addition mod p and {1, ..., p-1} is an abelian group under multiplication mod p. SOURCE: ANDREAS STEFFEN, ZHW

23 Points on an Elliptic Curve Over a Finite Field
Which points P(x,y) with x and y in GF11 satisfy the elliptic curve equation: y2 = x3 + x + 6 mod 11 In Mathematica, compute Position[Table[Mod[y^2 – (x^3 + x + 6), 11], {x, 1, 10}, {y, 1, 10}], 0] SOURCE: ANDREAS STEFFEN, ZHW

24 Solution: Points on the Elliptic Curve
6 - 8 - 5 4,7 (2,4) (2,7) 3 5,6 (3,5) (3,6) 4 2,9 (5,2) (5,9) 4 2,9 (7,2) (7,9) 9 3,8 (8,3) (8,8) 7 - 4 2,9 (10,2) (10,9) y2 y1,2 P(x,y) P'(x,y) 1 2 3 4 5 6 7 8 9 10 x There are 12 points lying on the elliptic curve. Together with the point O at infinity, the points on the elliptic curve form a group with n=13 elements. n is called the order of the elliptic curve group and depends on the choice of the curve parameters a and b. SOURCE: ANDREAS STEFFEN, ZHW

25 Elliptic Curve Discrete Logarithm Problem (ECDLP)
( 2,4) ( 5,9) ( 8,8) (10,9) ( 3,5) ( 7,2) ( 7,9) ( 3,6) (10,2) ( 8,3) ( 5,2) ( 2,7)  - O  - Pk s y0 1 2 3 4 5 6 7 8 9 10 11 12 13 k Given an elliptic curve y2 = x3 + ax + b mod p and a basis point P, we can compute Q = Pk through k-1 iterative point additions. Fast algorithms for this task exist. The order of P is the smallest k for which Pk = O (the identity element) Question: Is it possible to compute k when points Q and P are known? Answer: This is a hard problem called the Elliptic Curve Discrete Logarithm Problem. SOURCE: ANDREAS STEFFEN, ZHW

26 Defining An Elliptic Curve Cryptosystem
Must specify the following parameters: version is currently v1 fieldID the finite field over which curve is defined curve coefficients a and b of the elliptic curve base the base point P order the order of the base point, a LARGE prime number SOURCE: ANDREAS STEFFEN, ZHW

27 Secret Key Exchange: Diffie-Hellman v. ECC
A = ga mod p Diffie-Hellman: Basis g and prime p B = gb mod p Secret: s = Ab = Ba = gab mod p QA = P a Elliptic Curve Cryptosystem: ECC, basis point P and prime p Secret: S = Q Ab = Q Ba = P ab QB = P b Cryptographic Applications • The following ECC algorithms have been defined: • ECDH (Elliptic Curve Diffie-Hellman) for secret key exchange • ECIES (Elliptic Curve Integrated Encryption Scheme) for public key encryption • ECDSA (Elliptic Curve Digital Signature Algorithm) for digital signatures • Elliptic curve certificates based on the X.509 standard can either be ordered from several trust centers (e.g. Certicom) or can be generated with the current OpenSSL snapshot. • A set of elliptic curves have been standardized by NIST. • Several ECC cipher suites based on the NIST curves have been defined for the SSL/TLS secure transport layer. SOURCE: ANDREAS STEFFEN, ZHW

28 Elliptic Curves for El Gamal
Multiplication in the elliptic group corresponds to exponentiation of real numbers Solving y = k x (mod p) for k in the elliptic group is similar to solving c = ab (mod p) for b in El Gamal (discrete logarithm) Select a generator g (an elements whose successive powers generate all group elements) Bob’s private key is s; Bob’s public key is (g, s g) A plaintext message m is transformed to a point x in the group Alice encrypts x by picking a random value k and sending (k g, x + k s g) Bob decrypts by computing (x + k s g) - (k g) s = x Can’t find s from g and sg g and sg are public; Alice knows x and k Alice sent him these Bob knows s (his private key)

29 Table of Equivalent Cryptographic “Strength”
Key Lengths Symmetric RSA n ECC p 56 512 112 80 1024 160 2048 224 128 3072 256 192 7680 384 15360 Key size ratio 5:1 6:1 9:1 12:1 20:1 30:1 Elliptic curve cryptography standards: PKCS#13 FIPS 186-2 ECC Cipher Suites for TLS ANSI X9.63, X9.63, Public Key Cryptography for the Financial Services Industry SOURCE: ANDREAS STEFFEN, ZHW

30 Security of ECC versus RSA
ECC Advantages 1. The elliptic curve logarithm problem is harder than the discrete logarithm problem. 2. Key size in ECC is much smaller for a given security level. 3. ECC is complicated; fewer people understand it. 4. ECC is not patented. GRAPHIC: RICHARD SOUTHERN ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

31 Major Ideas Any one-way trapdoor function can be used as the basis of a public-key cryptosystem Public-key encryption is slow because of the need to work with huge numbers (~2000 bits) Cryptosystems can be insecure if not used properly Elliptic curve cryptography allows high security with small key sizes ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS 52

32 Q A & ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

33 Calculation of Point Doubling
Tangent g: y = s x+y0 g P(xP , yP) R (xR, yR) Intersection with curve: (s x+y0)2 = x3 +ax+b R' (xR, -yR) Coordinates of point R: SOURCE: ANDREAS STEFFEN, ZHW

34 Task 1 - Multiplication c = ab in GF11
Compile a multiplication table for c = a  b mod 11 Determine the solutions of the equation x2 = 5 mod 11 You have about 10 minutes for this task SOURCE: ANDREAS STEFFEN, ZHW

35 Solution 1 - Multiplication c = ab in GF11
1 2 3 4 5 6 7 8 9 10 a b c x2 = 5 mod 11 ? x1 = 4, x2 = 7 SOURCE: ANDREAS STEFFEN, ZHW

36 Task 3 – Iterate a Point on the Elliptic Curve
Iterate the point P(2,4) lying on y2 = x3 + x + 6 mod 11: Compute P2 = P  P by doubling the point P Compute P3 = P  P  P = P2  P by point addition All operations are computed in GF11 SOURCE: ANDREAS STEFFEN, ZHW

37 Solution 3 – Iterate a Point on the Elliptic Curve
Compute P2 = P  P by doubling the point P(2,4) P2=(5,9) Compute P3 = P  P  P = P2  P by point addition P3=(8,8) SOURCE: ANDREAS STEFFEN, ZHW

Download ppt "Electronic Payment Systems Lecture 5: ePayment Security II"

Similar presentations

RSA.

RSA.
Public Key Cryptosystem

Public Key Cryptosystem
Public Key Cryptography INFSCI 1075: Network Security – Spring 2013 Amir Masoumzadeh.

Public Key Cryptography INFSCI 1075: Network Security – Spring 2013 Amir Masoumzadeh.
1 390-Elliptic Curves and Elliptic Curve Cryptography Michael Karls.

1 390-Elliptic Curves and Elliptic Curve Cryptography Michael Karls.
Data encryption with big prime numbers

Data encryption with big prime numbers
22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.

22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.
7. Asymmetric encryption-

7. Asymmetric encryption-
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
YSLInformation Security -- Public-Key Cryptography1 Elliptic Curve Cryptography (ECC) For the same length of keys, faster than RSA For the same degree.

YSLInformation Security -- Public-Key Cryptography1 Elliptic Curve Cryptography (ECC) For the same length of keys, faster than RSA For the same degree.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
HW6 due tomorrow Teams T will get to pick their presentation day in the order Teams T will get to pick their presentation day in the orderQuestions? Review.

HW6 due tomorrow Teams T will get to pick their presentation day in the order Teams T will get to pick their presentation day in the orderQuestions? Review.
20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
Windows Core Security1© 2006 Microsoft Corp Cryptography: Helping Number Theorists Bring Home the Bacon Since 1977 Dan Shumow SDE Windows Core Security.

Windows Core Security1© 2006 Microsoft Corp Cryptography: Helping Number Theorists Bring Home the Bacon Since 1977 Dan Shumow SDE Windows Core Security.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Elliptic Curve Cryptography Jen-Chang Liu, 2004 Adapted from lecture slides by Lawrie Brown Ref: RSA Security ’ s Official Guide to Cryptography.

Elliptic Curve Cryptography Jen-Chang Liu, 2004 Adapted from lecture slides by Lawrie Brown Ref: RSA Security ’ s Official Guide to Cryptography.
Dr. Lo’ai Tawalbeh Fall 2005 Chapter 10 – Key Management; Other Public Key Cryptosystems Dr. Lo’ai Tawalbeh Computer Engineering Department Jordan University.

Dr. Lo’ai Tawalbeh Fall 2005 Chapter 10 – Key Management; Other Public Key Cryptosystems Dr. Lo’ai Tawalbeh Computer Engineering Department Jordan University.
CSE331: Introduction to Networks and Security Lecture 20 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 20 Fall 2002.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Similar presentations

Ads by Google