1 ISA 562 Information Security Theory & Practice Public Key Cryptosystem Chapter 9 of Bishop ’ s Book
2 Outline Background Diffie-Hellman RSA Cryptographic Checksums
3 History Concept conceived by Diffie and Hellman in 1976 Rivest, Shamir and Adleman (RSA) were first to describe a public key system in 1978 Merkle and Hellman published a different solution later in 1978 (broken by Shamir)
4 The Big Picture B's Public KeyB's Private Key RELIABLE CHANNEL Encryption Algorithm Decryption Algorithm Plain- text Plain- text Ciphertext INSECURE CHANNEL A A B B B's Public Key
5 The Basic Idea Confidentiality: encipher using public key, decipher using private key Integrity/authentication: encipher using private key, decipher using public key B's Public KeyB's Private Key Encryption Algorithm Decryption Algorithm Plain- text Plain- text Ciphertext A A B B ‘Signature’
6 Requirements The keys and algorithms must meet these requirements Must be computationally easy to encipher or decipher Must be computationally infeasible to derive the private key from the public key Must be computationally infeasible to determine the private key from a chosen plaintext attack Different from those of secret key cryptosystem except the first requirement Why another cryptosystem?
7 Motivation 1- Key Distribution Problem In a secret key cryptosystem, the secret key must be transmitted via a secure channel Inconvenient n parties want to communicate with each other, how many keys need to be transmitted? Insecure Is the secure channel really secure? Public key cryptosystem solves the problem Public key known by everyone – telephone directory Privacy key is never transmitted
8 Motivation 2- Digital Signature In a secret key cryptosystem, authentication and non-repudiation may be difficult Authentication You must share a secret key with someone in order to verify his signature Non-repudiation “ I didn ’ t sign it. You did since you also have the key ” Public key cryptosystem solves the problem Verification of signature needs only the public key One is solely responsible for his private key
9 Required number theory If a = b + kn for some integer k We write b = a mod n (namely, a is congruent to b modulo n, and b is the residue of a modulo n) Examples: 2 = 12 mod 5, 2 = 12 mod 10, 0 = 12 mod 6 Properties (a O b) mod n = ((a mod n) O (b mod n)) mod n where O is +, -, * 3 5 mod 7 = (3*3*3*3*3 mod 7) = ((3*3 mod 7)*(3*3 mod 7)*(3 mod 7))mod 7 Needed when enciphering/deciphering
10 More of the same … A prime number is a positive integer having exactly one positive divisor other than 1. E.g. 3, 5, 7, 11, 13 … a and b are relatively prime if they have no common positive factors other than 1. E.g. 1 and 2, 2 and 3, 3 and 4, but not 2 and 4 The totient function (n) gives the number of integers between 1 and n-1 that are relatively prime to n. E.g. (10) = 4 (1,3,7,9 are relatively prime to 10)
11 Still More Math Euler's Totient Theorem 1 = a (n) mod n, where a and n are relatively prime Example: 3 (10) mod 10= 3 4 mod 10 = 81 mod (3) mod 3= 10 2 mod 3 = 100 mod 3 Fermat ’ s Little Theorem a p-1 =1 mod p, where p is prime and relatively prime to a Notice (p) = p-1
12 Outline Background Diffie-Hellman RSA Cryptographic Checksums
13 Diffie-Hellman Key Exchange Scheme Proposed in 1976 as the first public key algorithm (predates RSA) Allows users to agree on a secret key over insecure channels with no prior communication The secret key can thus be used to encrypt or decrypt message (e.g., SSL 3.0, IPsec) K A A B B Insecure Channel
14 Discrete Logarithm Problem D-H is based on the discrete logarithm problem Given integers n and g and prime number p, compute k such that n = g k mod p In general computationally infeasible Choices for g and p are critical Both p and (p – 1)/2 should be prime p should be large (at least 512 bits, possibly 1028 bits) g should be a primitive root mod p
15 Diffie-Hellman Key Exchange Scheme A B agree on p and g with 1 < g < p A B X = g x mod p Y = g y mod p Choose x Choose y A B computes k = Y x mod p computes k ’ = X y mod p k=k ’ =g xy mod p knows p, g, X, and Y, but not x or y or k
16 Quiz p = 7 and g = 5 Alice chooses x = 2 and send X = ? Bob chooses y = 3 and send Y = ? Shared key: k= ? k ’ = ? (g xy mod p = ? )
17 Man-in-the-middle Attack A BC active intruder K1 K2 A B K1 A B K2
18 Outline Background Diffie-Hellman RSA Cryptographic Checksums
19 RSA In Summary Choose public key (n,e) Compute private key (n,d) Encryption C = M e mod n Decryption M = C d mod n Underlying theory – Euler's Totient Theorem Key Generation
20 Key Generation Choose 2 large (512 bit) prime numbers p and q Compute n = p * q Choose e relatively prime to (p-1)*(q-1) Compute d such that 1 = e*d mod (p-1)*(q-1) Publish (n,e) and keep (n,d) (discard p, q)
21 Key Generation (Cont ’ d) Large primes can be found efficiently using probabilistic algorithms due to Solvay and Strassen d can be computed using the Extended Euclidean Algorithm (Textbook 31.2) Care must be exercised in choosing p and q, otherwise insecurities may result (p-1, p+1, q-1, q+1 should have large prime factors)
22 Key Generation - Example p = 7, q = 11, so n = 77 and (p-1)(q-1) = 60 Alice chooses e = 17, computing d = 53 (17*53=901) publish (77,17) and keep (77,53) secret
23 Encryption/Decription Encryption C = M e mod n Decryption M = C d mod n Underlying theory C d mod n = (M e mod n) d mod n = M ed mod n = M 1 mod (p-1)*(q-1) mod n = M (p-1)*(q-1)*i + 1 mod n = (1 i *M) mod n (by Fermat ’ s Little Theorem ) = M mod n = M (require M<n; M relatively prime to n)
24 Example: Encryption p = 7, q = 11, n = 77 Alice chooses e = 17, making d = 53 Bob wants to send Alice secret message HELLO ( ) mod 77 = mod 77 = mod 77 = mod 77 = 42 Bob sends
25 Example: Decryption Alice receives Alice uses private key, d = 53, to decrypt message: mod 77 = mod 77 = mod 77 = mod 77 = 14 Alice translates to HELLO No one else could read it, as only Alice knows her private key and that is needed for decryption
26 Digital Signatures in RSA RSA has an important property, not shared by other public key systems Encryption and decryption are symmetric Encryption followed by decryption yields the original message (M e mod n) d mod n = M Decryption followed by encryption also yields the original message (M d mod n) e mod n = M Because e and d are symmetric in e*d = 1 mod (p-1)*(q-1)
27 Digital Signatures in RSA M d mod n C e mod n Plaintext M Ciphertext C (signature) A's Private Key d A's Public Key e RELIABLE CHANNEL A A B B Plaintext M Plaintext M’ ?
28 Compared To Encryption in RSA M e mod nC d mod n Ciphertext C B's Public Key e B's Private Key d RELIABLE CHANNEL A A B B Plaintext M Plaintext M
29 Signature and Encryption D Plain- text A's Private Key A A B B B's Public Key A's Public Key B's Private Key ED E Plain- text Signed Plaintext Encrypted Signed Plaintext Signed Plaintext
30 Signature and Encryption We could do the encryption first followed by the signature. Signature first has the advantage that the signature can be verified by parties other than B.
31 Example: Sign Take p = 7, q = 11, n = 77 Alice chooses e = 17, making d = 53 Alice wants to send Bob message HELLO ( ) so Bob knows it is from Alice, and it has not been modified in transit mod 77 = mod 77 = mod 77 = mod 77 = 49 Alice sends
32 Example: Verify Bob receives Bob uses Alice ’ s public key, e = 17, n = 77, to decrypt message: mod 77 = mod 77 = mod 77 = mod 77 = 14 Bob translates to HELLO (Assume) only Alice has her private key, so no one else could have been able to create a correct signature The (deciphered) signature matches the transmitted plaintext, so the plaintext is not altered
33 Example: Both Alice wants to send Bob message HELLO both enciphered and signed Alice ’ s keys: public (17, 77); private: 53 Bob ’ s keys: public: (37, 77); private: 13 Alice does (does she encipher first or sign first?) (07 53 mod 77) 37 mod 77 = 07 (04 53 mod 77) 37 mod 77 = 37 (11 53 mod 77) 37 mod 77 = 44 (14 53 mod 77) 37 mod 77 = 14 Alice sends What would Bob do upon receiving the message?
34 Security of RSA Cryptanalysis is to compute d while knowing (e, n) such that e*d = 1 mod (p-1)(q-1), and n=pq, for some p and q (the factorization is unique) If factorization of n into p*q is known, this is easy (Extended Euclidean Algorithm). Otherwise, it is hard. Therefore security of RSA is no better than complexity of the factoring problem Is the factoring problem provably hard (e.g., undecidable)? No However, the possibility of an easy factoring method is believed to be remote.
35 Fastest implementations of RSA can encrypt kilobits/second Fastest implementations of DES can encrypt megabits/second It is often proposed that RSA be used for secure exchange of DES keys This 1000-fold difference in speed is likely to remain independent of technology advances Matters more in wireless/ad hoc/sensor network RSA Versus DES
36 RSA Versus DES Key size of RSA is selected by the user Many implementations choose n to be 154 digits (512 bits) so the key (n,e) is 1024 bits Key size of DES is 64 bits (56 bits plus 8 parity bits)
37 RSA Key Size key size should be chosen conservatively cryptographers can stay ahead of (factorization) cryptanalysts by increasing the key size Until 1989 factorization attacks were based on "high school mathematics." Since then sophisticated attacks have extended factorization to larger numbers (usually of a specific form). At present it appears that 130 digit numbers can be factored in several months using lots of idle workstations.
38 Outline Background Diffie-Hellman RSA Cryptographic Checksums
39 One-way Hash Functions Also known as message digest A function H(M) = m satisfies (Fixed length): M can be of any length, whereas m is of fixed length (One-way): computing H(M)=m is easy, but computing H -1 (m)=M is computationally infeasible (Collision-free): in two forms Weak collision-freedom: given any M, difficult to find another M ’ such that H(M)=H(M ’ ) Strong collision-freedom: difficult to find any M and M ’ such that H(M)=H(M ’ )
40 Why Those Requirements? Many applications store H(p) instead of a password p Fixed length: cannot guess the length of p from H(p) (and H(p) is easier to store) One-way: the administrator cannot learn p of others Collision-free: cannot submit incorrect p matching H(p) Most applications sign H(M) instead of M
41 Example ASCII parity bit ASCII has 7 bits; 8th bit is “ parity ” Even parity: even number of 1 bits Odd parity: odd number of 1 bits Bob receives “ ” If sender is using even parity; six ‘ 1 ’ bits, so character was received correctly Note: could be garbled, but 2 bits would need to have been changed to match parity bit If sender is using odd parity; even number of 1 bits, so character was not received correctly
42 Hash Functions In Practice DES based hash functions tend to produce 64 bit digest which cannot be strong CCITT X.509 (proven insecure) Merkle's Snefru: 2-pass version proven insecure; 4-pass version unproven Jueneman's methods: broken and refined and broken and refined NIST Secure Hash Algorithm RSA: MD2, MD4, MD5, SHA-0, SHA-1, SHA-2 (SHA-224, SHA-256, SHA-384, and SHA-512 )
43 “ Hash Functions Broken ” ? Crypto 2004 Rump session reported attacks on MD4, MD5 and SHA-0 MD4 ’ s attacks are done by hands Crypto 2005 reported attacks on full SHA-1 Should we panic? Xiaoyun Wang ’ s webpage:
44 “ Hash Functions Broken ” ? (Cont ’ d) Nature of the results Algorithm that finds collision faster than theoretic bound MD5 about one hour; SHA vs 2 80 (theoretically) Yes, the results disprove those functions to be strong collision-free No, they do not give you a password from its hash Brute force attacks do (refer to Whether you should panic or not depends on what you use the hash functions for Xiaoyun Wang ’ s webpage:
45 Hash Functions Vs MAC Send a message M together with its hash h=H(M), so the recipient can verify M by comparing H(M) with the received h Attack: If anyone in the middle can replace M with M ’ and h with h ’ =H(M ’ ), the recipient won ’ t detect this Keyed hash functions Also known as message authentication codes (MAC) Example: DES in CBC mode: use a key to encipher message in CBC mode and use last n bits as the MAC value.
46 HMAC Build MAC from keyless hash functions Encryption algorithms cannot be exported h : keyless hash function k : a cryptographic key k padded with 0 Ipad: repeated Opad: repeated HMAC h(k, m) = h(k opad || h(k ipad || m)) exclusive or, || concatenation
47 Key Points Public key cryptosystems has two keys Diffie-Hellman exchanges secret key via insecure channel RSA can be used for confidentiality and integrity Cryptographic Checksums are keyed hash functions