computer and network security matt barrie <mattb@ee.usyd.edu.au> CNS2010 handout 9 :: asymmetric crypto

origins of public key cryptography A tale of cryptoarchaeology… 1976: Diffie and Hellman & Merkle (Stanford) invented the concept separately 1976: RSA invented (Rivest, Shamir, Adelman) 1973: Clifford Cocks wrote a varient of RSA (GCHQ) 1967: James Ellis (GCHQ) proved public key possible Even Earlier: NSA claims they invented public key cryptography earlier Jim Frazer (NSA - retired) claims a 1962 NSA memo on command & control of nuclear weapons was the basis for it’s invention. Side note: the STU-III secure telephone used PKI in the mid 1970’s, well before certificates were in the civilian world. Black sector (esp. the NSA) is way ahead of civilian crypto Many claim at least 20 years CNS2009 handout 9 :: asymmetric crypto

handout 9 :: asymmetric crypto NSA memo 160 :: June 1962 CNS2009 handout 9 :: asymmetric crypto

public key cryptography Sometimes known as asymmetric cryptography. Each entity has a public key e and a private key d. The public key is associated with the encryption algorithm, and the private key the decryption algorithm. The public key and the encryption algorithm need not be a secret and are often published (e.g. in a directory). Public key encryption alone provides confidentiality, not data origin authentication nor integrity (since the encryption key and algorithm is known). Public key decryption can be used to provide authentication guarantees. CNS2009 handout 9 :: asymmetric crypto

handout 9 :: asymmetric crypto example Alice Bob Looks up Bob’s public key e Sends c = Ee(m) (e.g. keyserver, directory, email footer, web page) Decrypts message m’ = Dd(c) Directory Alice e Bob f ... CNS2009 handout 9 :: asymmetric crypto

public key cryptography Problems: Based on known algorithms, public key crypto is much slower than private key crypto Public key crypto often used to negotiate keys used for bulk data encryption by symmetric algorithms (commonly known as session keys). Public key crypto is also used to encrypt small things (e.g. credit card transactions, PIN numbers, etc.) Unless the public keys are verified, public key systems are vulnerable to an impersonation attack How do we know this is really Alice’s public key? Since an attacker knows the encryption algorithm and key, they can always perform a chosen plaintext attack Anyone can send messages to a receiver; there is no authentication of message source CNS2009 handout 9 :: asymmetric crypto

handout 9 :: asymmetric crypto el gamal cryptosystem Taher El Gamal (Stanford) Security is based upon the discrete log problem. Key generation: Alice generates random g, a and prime p. Alice calculates ga (mod p). Alice’s public key is p, g and ga (which she can publish). The variable a is the private key used to decrypt. Public Directory Alice p, g, ga Bob q, h, hb … CNS2009 handout 9 :: asymmetric crypto

handout 9 :: asymmetric crypto el gamal cryptosystem Message encryption: retrieve p, g, ga from directory choose a random k relatively prime to (p-1) compute y1 = gk for message m є Zp* compute y2 = (ga)k m (mod p) send (y1 , y2) to Alice Message decryption: compute y1a = gak (mod p) compute g-ak compute y2g-ak = m to retrieve the message The security of the algorithm relies on not being able to calculate the discrete logarithm of y1 (mod p). CNS2009 handout 9 :: asymmetric crypto

handout 9 :: asymmetric crypto RSA Rivest, Shamir, Adelman (MIT) (1976) Most widely used public key cryptosystem Patent expired in 2000 Security relies on the difficulty of factoring of large composites Key Generation: Generate two large random (and distinct) large primes (p, q > 1024 bits), each roughly the same size. Compute n = pq and Φ(n) = | Zn* | = (p-1)(q-1) From Euler’s theorem aΦ(n) = 1 (mod n) so chose encyphering exponent e and decyphering exponent d such that ed ≡ 1 mod Φ(n) The public key is (e, n) and the private key is d p, q and Φ(n) are secret (only used during key generation) CNS2009 handout 9 :: asymmetric crypto

handout 9 :: asymmetric crypto RSA Message encryption: Obtain Alice’s public key (n, e) Represent the message as an integer [0 .. n-1] Compute c = me mod n Send cyphertext c to Alice. Message decryption: Alice computes cd mod n ≡ (me)d mod n ≡ med mod n ≡ m1 + kΦ(n) mod n ≡ m(mΦ(n))k mod n Using Euler’s theorem mΦ(n) ≡ 1 (mod n) so : cd mod n ≡ m CNS2009 handout 9 :: asymmetric crypto

chinese remainder theorem If you know the factorisation of n (where n = pq), then you can use the Chinese Remainder Theorem to solve a system of equations: x = a1 (mod m1) x = a2 (mod m2) x = a3 (mod m3) where gcd(mi, mj) = 1 (i.e. relatively prime) The CRT states that there exists a simultaneous solution to these equations where any two such solutions are congruent to each other mod M (M = m1m2 m3 m4…) CNS2009 handout 9 :: asymmetric crypto

chinese remainder theorem For each i, define Mi = M/mi = Πi≠jmj By the Euclidean Algorithm, calculate Ni such that NiMi = 1 mod mi The solution to the system of simultaneous equations is x = Σi=1..r ai Mi Ni CNS2009 handout 9 :: asymmetric crypto

handout 9 :: asymmetric crypto CRT example Solve the following system of equations: x = a1 (mod 7) x = a2 (mod 11) x = a3 (mod 13) Now M = m1m2 m3 = 7 x 11 x 13 = 1001 To find N’s (e.g. N1): NiMi = 1 mod mi N1 x M1 = 1 (mod 7) [M1 = 11 x 13] -> N1 x 11 x 13 = 1 (mod 7) [11 x 13 = 3 mod 7] -> N1 x 3 = 1 (mod 7) Using Euler’s generalisation: mΦ(n) ≡ 1 (mod n) Φ(m1) = 7 - 1 = 6 So N1 = 3Φ-1 mod 7 = 35 mod 7 = 5 mod 7 CNS2009 handout 9 :: asymmetric crypto

handout 9 :: asymmetric crypto CRT example Solving for the other N’s: M1 = 143, N1 = 5 [11x13] M2 = 91, N2 = 4 [7x13] M3 = 77, N3 = 12 [11x7] So x = Σi=1..r ai Mi Ni x = 715 a1 + 364 a2 + 924 a3 (mod 1001) CNS2009 handout 9 :: asymmetric crypto

handout 9 :: asymmetric crypto attacks on RSA Factoring attack Small encryption exponent attack Small decryption exponent attack Forward search attack Homomorphic attack Common modulus attack Cycling attack Message concealing Size of modulus Selection of primes CNS2009 handout 9 :: asymmetric crypto

factoring attack on RSA The RSA problem is to recover m from c ≡ me mod n, knowing only n and e. Suppose n can be factored into p and q. Then Φ(n) = (p-1)(q-1) can be computed. Therefore d can be computed as ed ≡ 1 mod Φ(n) Therefore we can recover the message m Fact: The problem of computing the RSA decryption exponent from the public key (n,e) and the problem of factoring n are computationally equivalent. When performing key generation, it is imperative that the primes p and q are selected to make factoring n=pq difficult e.g. by picking p and q roughly equal size CNS2009 handout 9 :: asymmetric crypto

small encryption exponent attack on RSA In order to improve the speed of RSA, often a small encryption exponent is used (e.g. 216+1 is often used). If a group of entities all use the same encryption exponent, it is clear that they must have their own distinct modulus. If they are the same, then other users can obviously calculate other’s private keys d. Say Alice wishes to send messages to three parties, all with a small encryption exponent (e = 3): c1 = m3 (mod n1) c2 = m3 (mod n2) c3 = m3 (mod n3) CNS2009 handout 9 :: asymmetric crypto

small encryption exponent attack on RSA Observing c1, c2, c3 and knowing n1, n2, n3 we use the CRT: x = m3 mod n1n3n3 Since m < ni for n (or information is lost during encryption) x = m3 m = x1/3 Thus a small encryption exponent should not be used to send the same message (or the same message with variations) to several entities. Salting the plaintext (padding with random bits) can help avoid this attack. CNS2009 handout 9 :: asymmetric crypto

handout 9 :: asymmetric crypto other attacks on RSA Small decryption exponent: Similarly, a small decryption exponent should also be avoided. Forward search attack: Note since the encryption key is public, if the message space is small or predictable, an attacker can try brute force on the message space. Salting the plaintext may help to prevent this attack Example: a stock trading system Message format: “{BUY, SELL} DDDD TICKER” where there are 1000 tickers |M| = 2 x 10000 x 1000 = 20,000,000 possible messages At 1M guesses / second  20 seconds to guess transmitted message CNS2009 handout 9 :: asymmetric crypto

homomorphic properties of RSA Suppose c1 = m1e mod n c2 = m2e mod n Then c1 c2 = (m1m2)e mod n Using this property we can attack RSA Suppose we want Alice to reveal the decryption of c = me mod n CNS2009 handout 9 :: asymmetric crypto

homomorphic properties of RSA Bob sends to Alice for random x (blinding factor) (c’) = cxe mod n Alice computes (c’)d = (cxe)d mod n = cdxed mod n = mxed mod n = mx mod n If Alice reveals this information, Bob can unblind the message m = (mx)x-1 mod n CNS2009 handout 9 :: asymmetric crypto

handout 9 :: asymmetric crypto size of modulus in RSA Powerful attacks on RSA include using a quadratic sieve and number field sieve factoring algorithms to factor the modulus n=pq. In 1999, a team led by de Riele factored a 512 bit number. In 2001, Dan Bernstein wrote a paper proposing a circuit-based machine with active processing units (with the same density as RAM) that could factor keys roughly 3 times as long with the same computational cost (1536 bits insecure??) The premise is that algorithms exist where if you increase the number of processors by n, you decrease the running time by a factor greater than n (!) Exploits massive parallelism of small circuit level processing units In 2005, a 200 digits (RSA200) was factored in 18 months. CNS2009 handout 9 :: asymmetric crypto

handout 9 :: asymmetric crypto size of modulus in RSA In 2007, a 1039-bit number (21039-1) (307 digits) was factored in 11 months of computation (a special case) using a “special number field sieve”. “Unthinkable” in 1990. “We have more powerful computers, we have come up with better ways to map the algorithm onto the architecture, and we take better advantage of cache behaviour”. Lenstra: Is the writing on the wall for 1024-bit encryption? The answer to that is an unqualified yes”. It is recommended today that 4096 bit keys be used and p and q should be about the same bit length (but not too close to each other) Advances in factoring are leaps and bounds over advances in brute force of classical cyphers.. CNS2009 handout 9 :: asymmetric crypto

rabin public key cryptosystem Public key: n = pq Private key: p, q (roughly the same size) Encryption: c = m2 mod n Decryption: Calculate the four square roots m1, m2, m3, m4 of c The message sent was one of these roots Security based on the fact that finding of square roots mod n without knowing the prime factorisation of n is computationally equivalent to factoring. CNS2009 handout 9 :: asymmetric crypto

handout 9 :: asymmetric crypto square and multiply In RSA and Discrete Log, a common operation is exponentiation i.e. calculating ge where g, e are large numbers (~300 digits) A simple approach to this is to use square-and-multiply g23 = g16 . g4 . g2 . g1 In this example we take 7 multiplication (assuming squaring is computationally equivalent to multiplying). Algorithm: z ← 1, y ← g for i = 0 .. n-1 if e[i] = 1 then z ← zy # check bit position y ← y2 CNS2009 handout 9 :: asymmetric crypto

handout 9 :: asymmetric crypto addition chains Using addition chains, we can be a little more efficient: g, g2, g3, g5, g10, g20, g23 [g2 * g3 = g5, etc] This takes only 6 multiplications (versus 7). An addition chain is used to minimise the number of multiplications required. The addition chain of length s for exponent e is a sequence of positive integers {u0 .. us} and associated sequence {w0 .. ws} of pairs of integers wi = (i1, i2) with the property that: (1) u0 = 1, us = e (2) ui = ui1 + ui2 CNS2009 handout 9 :: asymmetric crypto

addition chains - example Take e = 15 (i.e. calculate g15): i : 0 1 2 3 4 5 wi : (0,0) (0,1) (2,2) (3,3) (2,4) gi : g g2 g3 g6 g12 g15 Algorithm: g0 ← g for i = 0 .. s gi ← gi1gi2 Finding the shortest addition chain is computationally hard (NP-hard). It is akin to solving the traveling salesman problem. CNS2009 handout 9 :: asymmetric crypto

definitions in complexity theory A polynomial time algorithm is one where the worst case running time of the algorithm is O(nk) where n is the input size and k is some constant. Polynomial time algorithms are said to be good or efficient. Any algorithm which cannot be bounded as such is said to be an exponential-time algorithm. The complexity class P is the set of all decision problems which are solvable in polynomial time. The complexity class NP is the set of all decision problems which an answer can be verified in polynomial time, given some extra information called a certificate. CNS2009 handout 9 :: asymmetric crypto

handout 9 :: asymmetric crypto complexity theory Fact: P  NP Unknown: Is P = NP? Example of a problem in NP: Given a positive integer n, is n composite? That is, are there integers a, b > 1 such that n = ab? If L1 and L2 are two decision problems, L1 is said to polynomial reduce to L2 (L1 ≤P L2) if there is an algorithm that solves L1 which uses as a subroutine an algorithm that solves L2, and runs in polynomial time. Two problems are said to be computationally equivalent if L1 ≤P L2 and L2 ≤P L1 CNS2009 handout 9 :: asymmetric crypto

summary: symmetric crypto Advantages of symmetric-key crypto: Can be designed to have high throughput rates Keys are relatively short (128 bits .. 256 bits) Symmetric cyphers can be used as primitives to construct other constructs such as pseudo random number generators (PRNGs). Symmetric cyphers can be used to construct stronger cyphers e.g. simple substitutions and permutations can be used to create stronger cyphers All known attacks involve “exhaustive” key search. Disadvantages of symmetric-key crypto: In a two party network, the key must remain secret at both ends Sound practice dictates the key needs to be changed frequently (e.g. each session). In a large network, n! keys are required which creates a massive problem for key management. CNS2009 handout 9 :: asymmetric crypto

summary: asymmetric crypto Advantages of asymmetric-key crypto: Only the private key needs to remain secret The administration of keys on a network requires the presence of only a functionally trusted (honest and fair) TTP. Depending on the mode of usage, the public and private key pairs may be used for long periods of time (upper bound: Moore’s Law). In large networks, n keys are required instead of n! Disadvantages of asymmetric-key crypto: Throughput rates are typically very slow (all known algorithms) Key sizes are typically much larger (1024 .. 4096 bits) Security is based upon the presumed difficulty of a small set of number-theoretic problems and all known are subject to short-cut attacks (e.g. knowing the prime factorisation of n) Public key crypto does not have an extensive history in the public world. CNS2009 handout 9 :: asymmetric crypto

combining cryptosystems Symmetric and asymmetric crypto are complementary Public key crypto can be used to establish a key for fast symmetric crypto (e.g. a session key) Alice and Bob take advantage of the long term benefits of public key crypto and publish their public keys in a directory Public key crypto is good for key management and signatures Private key crypto is good for encryption and some data integrity applications CNS2009 handout 9 :: asymmetric crypto

symmetric crypto key length Security of a symmetric cypher is based on strength of the algorithm length of the key Assuming the strength of the algorithm is perfect (impossible in practice) then brute force is the best attack. Hardware attack estimates (2005) Cost (USD) 40-bit 56-bit 64-bit 128-bit $100k 0.06s 1.1hrs 11.5d 1018 yrs $1M 6.25ms 6.5min 1.2d 1017 yrs $100M 0.06ms 3.75min 17min 1015 yrs $1G 6.25us 0.4s 1.9min 1014 yrs What does Howson’s work impact on these numbers? CNS2009 handout 9 :: asymmetric crypto

interesting ways to break symmetric cyphers Virus / Worms What if a worm brute forced a cypher? Melissa infected ~800k machines Cracking DES @ 280kkeys/s (P4@2.8GHz) Melissa-DES would brute force the key space in 30 hours. In 2000 a worm did just that: http://www.distributed.net/trojans.html.en Chinese Lottery Say a 1Mkey/s chip was built into every radio and TV sold in China. Each chip is designed to brute force when a signal is received over the air. If 10% of the people in China have a radio or TV, the 56-bit DES key space can be exhausted in 12 minutes. CNS2009 handout 9 :: asymmetric crypto

asymmetric crypto key length The security of all current, known public key algorithms is based upon the presumed difficulty of a small set of number-theoretic problems. All known are subject to short-cut attacks (e.g. knowing the prime factorisation of n). Tomorrow we might figure out how do to this factorisation easily (DNA? Quantum?). In 1977, Ron Rivest said that factoring a 125-digit number would take 40 quadrillion years. In 2003, a 576-bit (177 digit) number was factored. In 2007, a 1039-bit (307 digit) number was factored. Year # digits 512-bit complexity 1983 71 > 20,000,000 times 1985 80 > 2,000,000 1988 90 > 250,000 1989 100 > 30,000 1993 120 > 500 times 1994 129 > 100 1999 140 4 1999 155 1 (300 workstation computing years in 1999) 2003 177 . 2005 200 (18 months) 2007 307 (special case, 11 months) Designs are being drawn out for optical / quantum sieving machines that could lead to massive optimisations on these numbers in the near future CNS2009 handout 9 :: asymmetric crypto

handout 9 :: asymmetric crypto how long should a key be? Type of Traffic Lifetime Min. Key Length Tactical Military Information minutes / hours 64 bits Product Announcements / M&A days / weeks 64 bits (too small??) Long Term Business Plans years 64 bits (too small??) Trade Secrets (Recipe for Coke) decades 112 bits H-bomb Secrets > 40 years 128 bits Identities of Spies > 50 years 128 bits Personal Affairs > 50 years 128 bits Diplomatic Embarrassments > 65 years 192 bits U.S. Census Data 100 years 192 bits Symmetric versus Asymmetric (as of 1999… way incorrect in 2008!) 56 bits vs > 384 bits (56-bit broken in 1997) 64 bits vs > 512 bits (1024-bit broken in 2007) 80 bits vs > 768 bits 128 bits vs > 2304 bits In 2007, 1024-bit crypto was said to be broken.. Perhaps 64-bits ~= 1024? Compare with hardware based results for cryptanalysis……….. CNS2009 handout 9 :: asymmetric crypto

handout 9 :: asymmetric crypto references Stallings §6, §7 Handbook of Applied Cryptography read §1 read §3.1, skim §3.2 - §3.2.3, read §3.6 - §3.6.2, skim §3.6.3, read §8-8.2, 8.4 For historical interest: Prehistory of Public Key Cryptography http://www.research.att.com/~smb/nsam-160/ CNS2009 handout 9 :: asymmetric crypto