CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz

Diffie-Hellman key exchange  Before describing the protocol, a brief detour through number theory… –Modular arithmetic, Z p, Z p * –Generators: e.g., 3 is a generator of Z 17 *, but 2 is not –The discrete logarithm assumption

The Diffie-Hellman protocol prime p, element g  Z p * h A = g x mod p h B = g y mod p K AB = (h B ) x K BA = (h A ) y

Security?  Consider security against a passive eavesdropper –We will cover stronger notions of security for key exchange in more detail later in the semester  Under the computational Diffie-Hellman (CDH) assumption, hard for eavesdropper to compute K AB = K BA –Not sufficient for security! –Can hash the key before using  Under the decisional Diffie-Hellman (DDH) assumption, the key K AB looks random to an eavesdropper

Technical notes  p and g must be chosen so that the CDH/DDH assumptions hold –Need to be chosen with care – in particular, g should be chosen as a generator of a subgroup of Z p * –Details in CMSC456  Can use other groups –Elliptic curves are also popular  Modular exponentiation can be done quickly (in particular, in polynomial time) –But the naïve algorithm does not work!

Security against active attacks?  The basic Diffie-Hellman protocol we have shown is not secure against a ‘man-in-the-middle’ attack  In fact, impossible to achieve security against such an attacker unless some information is shared in advance –E.g., private-key setting –Or public-key setting (next)

Public-key cryptography

The public-key setting  A party (Alice) generates a public key along with a matching secret key (aka private key)  The public key is widely distributed, and is assumed to be known to anyone (Bob) who wants to communicate with Alice –We will discuss later how this can be ensured  Alice’s public key is also known to the attacker!  Alice’s secret key remains secret  Bob may or may not have a public key of his own

The public-key setting c = Enc pk (m) pk c = Enc pk (m) pk

Private- vs. public-key I  Disadvantages of private-key cryptography –Need to securely share keys What if this is not possible? Need to know in advance the parties with whom you will communicate Can be difficult to distribute/manage keys in a large organization –O(n 2 ) keys needed for person-to-person communication in an n-party network All these keys need to be stored securely –Inapplicable in open systems (think: e-commerce)

Private- vs. public-key II  Why study private-key at all? –Private-key is orders of magnitude more efficient –Private-key still has domains of applicability Military settings, disk encryption, … –Public-key crypto is “harder” to get right Need stronger assumptions, easier to attack –Can combine private-key primitives with public-key techniques to get the best of both (for encryption) Still need to understand the private-key setting! –Can distribute keys using trusted entities (KDCs)

Private- vs. public-key III  Public-key cryptography is not a cure-all –Still requires secure distribution of public keys May (sometimes) be just as hard as sharing a key Technically speaking, requires only an authenticated channel instead of an authenticated + private channel –Not clear with whom you are communicating (unless the sender has a public key) –Can be too inefficient for certain applications

Cryptographic primitives Private-key settingPublic-key setting Confidentiality Private-key encryption Public-key encryption Integrity Message authentication codes Digital signature schemes

Public-key encryption

Functional definition  Key generation algorithm: randomized algorithm that outputs (pk, sk)  Encryption algorithm: –Takes a public key and a message (plaintext), and outputs a ciphertext; c  E pk (m)  Decryption algorithm: –Takes a private key and a ciphertext, and outputs a message (or perhaps an error); m = D sk (c)  Correctness: for all (pk, sk), D sk (E pk (m)) = m

Security?  Just as in the case of private-key encryption, but the attacker gets to see the public key pk  That is: –For all m 0, m 1, no adversary running in time T, given pk and an encryption of m 0 or m 1, can determine the encrypted message with probability better than 1/2 +   Public-key encryption must be randomized (even to achieve security against ciphertext-only attacks)  In the public-key setting, security against ciphertext-only attacks implies security against chosen-plaintext attacks

El Gamal encryption  We have already (essentially) seen one encryption scheme: p, g h A = g x mod p h B = g y mod p K AB = (h B ) x K BA = (h A ) y p, g, h A = g x ReceiverSender c = (K BA. m) mod p h B, c

Security  If the DDH assumption holds, the El Gamal encryption scheme is secure against chosen- plaintext attacks

RSA background  N=pq, p and q distinct, odd primes   (N) = (p-1)(q-1) –Easy to compute  (N) given the factorization of N –Hard to compute  (N) without the factorization of N  Fact: for all x  Z N *, it holds that x  (N) = 1 mod N –Proof: take CMSC 456!  If ed=1 mod  (N), then for all x it holds that (x e ) d = x mod N I.e., this is a way to compute e th roots

We have an asymmetry!  Given d (which can be computed from e and the factorization of N), possible to compute e th roots  Without the factorization of N, no apparent way to compute e th roots

Hardness of computing e th roots?  The RSA problem: –Given N, e, and c, compute c 1/e mod N  If factoring is easy, then the RSA problem is easy  We know of no other way to solve the RSA problem besides factoring N –But we do not know how to prove that the RSA problem is as hard as factoring  The upshot: we believe factoring is hard, and we believe the RSA problem is hard

We have an asymmetry!  Given d (which can be computed from e and the factorization of N), possible to compute e th roots  Without the factorization of N, no apparent way to compute e th roots  Let’s use this to encrypt…

RSA key generation  Generate random p, q of sufficient length  Compute N=pq and  (N) = (p-1)(q-1)  Compute e and d such that ed = 1 mod  (N) –e must be relatively prime to  (N) –Typical choice: e = 3; other choices possible  Public key = (N, e); private key = (N, d)

“Textbook RSA” encryption  Public key (N, e); private key (N, d)  To encrypt a message m  Z N *, compute c = m e mod N  To decrypt a ciphertext c, compute m = c d mod N  Correctness clearly holds…  …what about security?