CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

Diffie-Hellman key exchange
Before describing the protocol, a brief detour through number theory…
  – Modular arithmetic, $\mathbb{Z}_p$, $\mathbb{Z}_p^*$
  – Generators: e.g., 3 is a generator of $\mathbb{Z}_{17}^*$, but 2 is not
  – The discrete logarithm assumption

The Diffie-Hellman protocol
prime $p$, element $g \in \mathbb{Z}_p^*$
$h_A = g^x \bmod p$
$h_B = g^y \bmod p$
$K_{AB} = (h_B)^x$
$K_{BA} = (h_A)^y$

Security?
Consider security against a passive eavesdropper
  – We will cover stronger notions of security for key exchange in more detail later in the semester
Under the computational Diffie-Hellman (CDH) assumption, hard for eavesdropper to compute $K_{AB} = K_{BA}$
  – Not sufficient for security!
  – Can hash the key before using
Under the decisional Diffie-Hellman (DDH) assumption, the key $K_{AB}$ looks random to an eavesdropper

Technical notes
$p$ and $g$ must be chosen so that the CDH/DDH assumptions hold
  – Need to be chosen with care; in particular, $g$ should be chosen as a generator of a subgroup of $\mathbb{Z}_p^*$
  – Details in CMSC 456
Can use other groups
  – Elliptic curves are also popular
Modular exponentiation can be done quickly (in particular, in polynomial time)
  – But the naïve algorithm does not work!
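
The following is an added worked example, not part of the original lecture. It implements square-and-multiply exponentiation (the fast alternative to the naïve algorithm), checks the generator claim for $\mathbb{Z}_{17}^*$, runs one exchange, and hashes the result. The function names, the toy exponents and the choice of SHA-256 are assumptions of this example.

```python
import hashlib

def mod_exp(base, exp, mod):
    """Square-and-multiply: about log2(exp) squarings instead of exp multiplications."""
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:                      # current low bit of the exponent is set
            result = (result * base) % mod
        base = (base * base) % mod       # square for the next bit
        exp >>= 1
    return result

def order(g, p):
    """Multiplicative order of g in Z_p^* by brute force (only sensible for tiny p)."""
    k, acc = 1, g % p
    while acc != 1:
        acc, k = (acc * g) % p, k + 1
    return k

def is_generator(g, p):
    """g generates Z_p^* exactly when its order is p - 1."""
    return order(g, p) == p - 1

def dh_exchange(p, g, x, y):
    """Run the protocol with secret exponents x (party A) and y (party B)."""
    h_a = mod_exp(g, x, p)               # sent A -> B
    h_b = mod_exp(g, y, p)               # sent B -> A
    k_ab = mod_exp(h_b, x, p)            # computed by A
    k_ba = mod_exp(h_a, y, p)            # computed by B
    return h_a, h_b, k_ab, k_ba

def derive_key(k, p):
    """Hash the shared group element before use (SHA-256 is this example's choice)."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(k.to_bytes(width, "big")).digest()

if __name__ == "__main__":
    print(is_generator(3, 17), is_generator(2, 17))   # toy group from the slide
    h_a, h_b, k_ab, k_ba = dh_exchange(17, 3, 5, 7)   # constructed toy exponents
    print(h_a, h_b, k_ab, k_ba, derive_key(k_ab, 17).hex())
```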

Security against active attacks?
The basic Diffie-Hellman protocol we have shown is not secure against a ‘man-in-the-middle’ attack
In fact, impossible to achieve security against such an attacker unless some information is shared in advance
  – E.g., private-key setting
  – Or public-key setting (next)

The public-key setting
A party (Alice) generates a public key along with a matching secret key (aka private key)
The public key is widely distributed, and is assumed to be known to anyone (Bob) who wants to communicate with Alice
  – We will discuss later how this can be ensured
Alice’s public key is also known to the attacker!
Alice’s secret key remains secret
Bob may or may not have a public key of his own

The public-key setting
[Diagram: the public key $pk$ is distributed; the sender transmits $c = \mathrm{Enc}_{pk}(m)$]

Private- vs. public-key I
Disadvantages of private-key cryptography
  – Need to securely share keys
      – What if this is not possible?
      – Need to know in advance the parties with whom you will communicate
      – Can be difficult to distribute/manage keys in a large organization
  – $O(n^2)$ keys needed for person-to-person communication in an $n$-party network
      – All these keys need to be stored securely
  – Inapplicable in open systems (think: e-commerce)

Private- vs. public-key II
Why study private-key at all?
  – Private-key is orders of magnitude more efficient
  – Private-key still has domains of applicability
      – Military settings, disk encryption, …
  – Public-key crypto is “harder” to get right
      – Need stronger assumptions, easier to attack
  – Can combine private-key primitives with public-key techniques to get the best of both (for encryption)
      – Still need to understand the private-key setting!
  – Can distribute keys using trusted entities (KDCs)

Private- vs. public-key III
Public-key cryptography is not a cure-all
  – Still requires secure distribution of public keys
      – May (sometimes) be just as hard as sharing a key
      – Technically speaking, requires only an authenticated channel instead of an authenticated + private channel
  – Not clear with whom you are communicating (unless the sender has a public key)
  – Can be too inefficient for certain applications

Functional definition
Key generation algorithm: randomized algorithm that outputs $(pk, sk)$
Encryption algorithm:
  – Takes a public key and a message (plaintext), and outputs a ciphertext; $c \leftarrow E_{pk}(m)$
Decryption algorithm:
  – Takes a private key and a ciphertext, and outputs a message (or perhaps an error); $m = D_{sk}(c)$
Correctness: for all $(pk, sk)$, $D_{sk}(E_{pk}(m)) = m$

Security?
Just as in the case of private-key encryption, but the attacker gets to see the public key $pk$
That is:
  – For all $m_0, m_1$, no adversary running in time $T$, given $pk$ and an encryption of $m_0$ or $m_1$, can determine the encrypted message with probability better than $1/2 + \varepsilon$
Public-key encryption must be randomized (even to achieve security against ciphertext-only attacks)
In the public-key setting, security against ciphertext-only attacks implies security against chosen-plaintext attacks
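
El Gamal encryption
We have already (essentially) seen one encryption scheme:
[Diagram, Diffie-Hellman: $p, g$; $h_A = g^x \bmod p$; $h_B = g^y \bmod p$; $K_{AB} = (h_B)^x$; $K_{BA} = (h_A)^y$]
[Diagram, as encryption: Receiver to Sender: $p, g, h_A = g^x$. Sender computes $c = (K_{BA} \cdot m) \bmod p$. Sender to Receiver: $h_B, c$]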

Security
If the DDH assumption holds, the El Gamal encryption scheme is secure against chosen-plaintext attacks
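
An added example, not from the lecture, of the El Gamal exchange above, including the receiver's decryption step (recompute $K_{AB}$ and divide it out), which the slide leaves implicit. The toy parameters $p = 2039$, $q = 1019$, $g = 4$ and all function names are constructed for this example; $g$ generates the subgroup of prime order $q$, in line with the technical notes.

```python
import secrets

# Toy parameters constructed for this example: p = 2q + 1 with p, q prime,
# and g = 4 generating the subgroup of order q. Far too small for real use.
P, Q, G = 2039, 1019, 4

def keygen():
    """Receiver: pick secret x, publish h_A = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x

def elgamal_encrypt(h_a, m, y=None):
    """Sender: fresh random y per message, output (h_B, c)."""
    if not 1 <= m < P:
        raise ValueError("message must be an element of Z_p^*")
    if y is None:
        y = secrets.randbelow(Q - 1) + 1
    h_b = pow(G, y, P)
    k_ba = pow(h_a, y, P)                 # K_BA = (h_A)^y
    return h_b, (k_ba * m) % P            # c = (K_BA * m) mod p

def elgamal_decrypt(x, ciphertext):
    """Receiver: recompute K_AB = (h_B)^x and divide it out."""
    h_b, c = ciphertext
    k_ab = pow(h_b, x, P)
    return (c * pow(k_ab, -1, P)) % P     # modular inverse needs Python 3.8+

if __name__ == "__main__":
    h_a, x = keygen()
    m = 1234                              # constructed sample message
    c1, c2 = elgamal_encrypt(h_a, m), elgamal_encrypt(h_a, m)
    print(c1, c2, elgamal_decrypt(x, c1), elgamal_decrypt(x, c2))
```

Because the sender draws a fresh $y$ each time, two encryptions of the same message generally differ, which is the randomization the definition of security requires.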

RSA background
$N = pq$, $p$ and $q$ distinct, odd primes
$\varphi(N) = (p-1)(q-1)$
  – Easy to compute $\varphi(N)$ given the factorization of $N$
  – Hard to compute $\varphi(N)$ without the factorization of $N$
Fact: for all $x \in \mathbb{Z}_N^*$, it holds that $x^{\varphi(N)} = 1 \bmod N$
  – Proof: take CMSC 456!
If $ed = 1 \bmod \varphi(N)$, then for all $x$ it holds that $(x^e)^d = x \bmod N$
I.e., this is a way to compute $e$-th roots

We have an asymmetry!
Given $d$ (which can be computed from $e$ and the factorization of $N$), possible to compute $e$-th roots
Without the factorization of $N$, no apparent way to compute $e$-th roots

Hardness of computing $e$-th roots?
The RSA problem:
  – Given $N$, $e$, and $c$, compute $c^{1/e} \bmod N$
If factoring is easy, then the RSA problem is easy
We know of no other way to solve the RSA problem besides factoring $N$
  – But we do not know how to prove that the RSA problem is as hard as factoring
The upshot: we believe factoring is hard, and we believe the RSA problem is hard

We have an asymmetry!
Given $d$ (which can be computed from $e$ and the factorization of $N$), possible to compute $e$-th roots
Without the factorization of $N$, no apparent way to compute $e$-th roots
Let’s use this to encrypt…

RSA key generation
Generate random $p$, $q$ of sufficient length
Compute $N = pq$ and $\varphi(N) = (p-1)(q-1)$
Compute $e$ and $d$ such that $ed = 1 \bmod \varphi(N)$
  – $e$ must be relatively prime to $\varphi(N)$
  – Typical choice: $e = 3$; other choices possible
Public key = $(N, e)$; private key = $(N, d)$

“Textbook RSA” encryption
Public key $(N, e)$; private key $(N, d)$
To encrypt a message $m \in \mathbb{Z}_N^*$, compute $c = m^e \bmod N$
To decrypt a ciphertext $c$, compute $m = c^d \bmod N$
Correctness clearly holds…
…what about security?
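
An added illustration, not from the lecture, of textbook RSA with constructed toy primes $p = 11$, $q = 17$ and $e = 3$; the function names and sample messages are this example's own. It checks correctness and then plays the game from the earlier "Security?" slide, showing that a deterministic scheme cannot meet that definition, since anyone holding $pk$ can re-encrypt a candidate message and compare.

```python
from math import gcd

def rsa_keygen(p, q, e=3):
    """Key generation as on the slide, for caller-supplied primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(N)")
    d = pow(e, -1, phi)                   # ed = 1 mod phi(N); Python 3.8+
    return (n, e), (n, d)

def rsa_encrypt(pk, m):
    n, e = pk
    return pow(m, e, n)                   # c = m^e mod N

def rsa_decrypt(sk, c):
    n, d = sk
    return pow(c, d, n)                   # m = c^d mod N

def guess_message(pk, c, m0, m1):
    """The game from the 'Security?' slide: given pk and an encryption of
    m0 or m1, decide which. Re-encrypting m0 under pk settles it because
    textbook RSA has no randomness."""
    return m0 if rsa_encrypt(pk, m0) == c else m1

if __name__ == "__main__":
    pk, sk = rsa_keygen(11, 17)           # constructed toy primes, N = 187
    c = rsa_encrypt(pk, 42)
    print(pk, sk, c, rsa_decrypt(sk, c))
    print(guess_message(pk, c, 42, 99))
```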