Presentation is loading. Please wait.

Presentation is loading. Please wait.

ECE454/599 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2012.

Published byKatherine Cook Modified over 8 years ago

Similar presentations

Presentation on theme: "ECE454/599 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2012."— Presentation transcript:

1 ECE454/599 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2012 1

2 Public Key Cryptography Modular Arithmetic RSA Diffie-Hellman Elliptic Curve Cryptography 2

3 Public Key Cryptography Aka: asymmetric cryptography, invented in 1970s Use two keys: a public key known to everyone, a private key kept secret to the owner Encryption/decryption: encryption can be done by everyone using the recipient’s public key, decryption can be done only by the recipient with his/her private key Digital signature: signing is done with signer’s private key, and verification is done with signer’s public key Key exchange: establish a shared session key with PKC, SKC is used afterwards 3

4 Modular Arithmetic Fundamental to PKC Modulo n or mod n: non-negative integers < some integer n, sometimes “mod n” is omitted Modular addition Modular multiplication Modular exponentiation 4

5 Modular Addition Example: mod 10 5 + 5 = 0 3 + 9 = ? 2 + 2 = ? 9 + 9 = ? Additive inverse: an additive inverse of x is the number we need to add to x to get 0, e.g., what’s the additive inverse of 4 mod 10? 5

6 Modular Multiplication 6 Example: 3  7 = 1 mod 10 Multiplicative inverse: if xy = 1 mod n, then x and y are each other’s multiplicative inverse mod n Relatively prime: no common factors other than 1 Existence of multiplicative inverse: x has multiplicative inverse mod n iff x is relatively prime to n Euclid’s algorithm: provides efficient method to find multiplicative inverses mod n

7 Modular Multiplication (Cont’d) 7  (n): totient function number of integers < n and relatively prime to n  (n) = n – 1 if n is prime  (pq) = pq – (p + q – 1) = (p – 1)(q – 1), if p and q are prime

8 Euclid’s Algorithm—gcd 8 Finds the greatest common divisor (gcd) of two integers: subtract y from x and still have the same gcd subtract as many ys as possible and replace x with the remainder switch x and y when x becomes smaller than y each step looks like:  eventually x or y will be zero and the other is the gcd Example: gcd (408, 595) = 17 595/408 = 1 remainder 187 408/187 = 2 remainder 34 187/34 = 5 remainder 17 34/17 = 2 remainder 0 Each step we can write the remainder r = ux + vy (e.g., 17 = -16x408 + 11x595)

9 Euclid’s Algorithm— Multiplicative Inverse 9 Efficiently finds a number m’s multiplicative inverse mod n We are looking for u that makes um = 1 mod n In other words, we are looking for u and v s.t. um + vn = 1 Calculate r = gcd (m, n) = um + vn and find r = 1 (only exists when m and n are relatively prime, i.e., gcd (m, n) = 1) Q: Will there be more than one multiplicative inverse for a given number?

10 Modular Exponentiation 10 Example: 4 6 = 4096 = 6 mod 10 x y mod n = x (y mod  (n)) mod n If y = 1 mod  (n), then x y mod n = x mod n  (n) = 4

11 RSA 11 Named after Rivest, Shamir, and Adleman Public key / private key, use one to encrypt and the other to decrypt Key length: variable, most commonly 512 bits Plaintext block: smaller than the key length Ciphertext block: same as key length Advantage: Easy key management Disadvantage: much slower than secret key algorithms

12 RSA Algorithm 12 Choose two large primes, p and q, ~256 bits each n = pq,  (n) = (p – 1)(q – 1) Choose e that is relatively prime to  (n) By Euclid’s algorithm, find d that is the multiplicative inverse of e mod  (n), i.e., ed = 1 mod  (n) Let be the public key, d the private key

13 Encryption and Decryption 13 Encryption with public key : c = m e mod n Decryption with private key d: m = c d mod n c d mod n = (m e mod n) d mod n = (m e ) d mod n = m mod n = m

14 Signature and Verification 14 Sign with private key d: Sig = m d mod n Verify with public key : m = Sig e mod n Sig e mod n = (m d mod n) e mod n = (m d ) e mod n = m mod n = m

15 Why is RSA Secure? 15 Given n, it is hard to factor it to get p and q RSA misuse: Alice uses Bob’s public key to encrypt a message sent to Bob. If Frank knows the message is one of many possible messages, he can use the same public key to compute and compare the ciphertexts to find the message (Solution?)

16 Efficiency of RSA Operations 16 Exponentiation of large numbers of several hundred digits Find big primes, p and q Find e and d

17 Exponentiating With Big Numbers 17 Page 154 – 155

18 Finding Big Primes p and q 18 The probability of a randomly chosen number n to be prime is 1 / ln n, which is about one in 230 for n of a hundred digit Test whether a random number n is a prime - Fermat’s Theorem: if n is a prime and 0 < a < n, then a n-1 = 1 mod n - For a non-prime n of a hundred bits, the chance of a n-1 = 1 mod n is about 1 in 10 13 (run more times) - Unfortunately, there are Carmichael numbers (very rare) that show a n-1 = 1 mod n for all a’s - Use Miller-Rabin algorithm

19 An Efficient Method of Finding Primes 19 1.Pick an odd random number n in the proper range. 2.Test n's divisibility by small primes and go back to 1 if you find a factor. 3.Repeat the following until n is proven not prime (in which case go back to step 1) or as many times as you feel necessary to show that n is probably prime (using Miller-Rabin algorithm): Pick an a at random and compute a c mod n (where c is the odd number for which n-1 = 2 b c). Each time squaring of a c mod n is performed, check if the result is 1; if so, check if the number that was squared is ±1; if not, n is not prime (Chinese remainder theorem: 1 has many square roots if n is not prime). Next, if the result of a c mod n is ±1, n passes the primality test for this a. Otherwise, at most b-1 times, replace the result by its square and check if it is ±1. If it is 1, n is not prime (because the previous result is a square root of 1 different from ±1). If it is -1, n passes the primality test for this a. If you've done the squaring b-1 times, n is not prime (because a (n-1)/2 is not ±1). Even if n is a Carmichael number, at least ¾ a’s will show it

20 Finding e and d 20 e: can be randomly chosen, relatively prime to  (n) d: calculated by Euclid’s algorithm, s.t. ed =1 mod  (n) If e is chosen to be small such as 3, the encryption and signature verification will be faster, while the decryption and digital signature remain the same d should not be small (Why?)

21 Popular Values of e 21 3 and 65537 (2 16 + 1) Advantage: computationally efficient - 3: 2 multiplies - 65537: 17 multiplies

22 Problems of e=3 22 Problem 1: c = m e mod n, if e is 3 and m is less than n 1/3, then m 3 < n and thus c = m 3 mod n = m 3  m = c 1/3 Solution: pad m to be larger than n 1/3 Problem 2: If a message is encrypted for three recipients using their public keys, to get three ciphertexts, c 1 = m 3 mod n 1, c 2 = m 3 mod n 2, c 3 = m 3 mod n 3, an attacker can compute c = m 3 mod n 1 n 2 n 3 by Chinese Remainder Theorem. Since m is smaller than n 1, n 2, and n 3, c = m 3  m = c 1/3 Solution: pad m with different numbers for c 1, c 2, c 3 Problem 3: Need to choose p and q s.t. 3 is relatively prime to (p-1)(q-1). It is easier to choose eligible p and q for 65537.

23 Attacks on RSA 23 Brute-force attacks: trying all possible private keys Mathematical attacks: trying to factor the product of two primes Timing attacks: depend on the running time of the decryption algorithm (one type of side channel attacks) Chosen ciphertext attacks: exploit properties of the RSA algorithm

24 Countermeasures 24 Brute-force attacks: use a large key space Mathematical attacks: use large enough n (1024-2048 bits), select p and q with constraints Timing attacks: constant exponentiation time, random delay, blinding the ciphertext Chosen ciphertext attacks: randomly pad the plaintext before encryption, e.g., optimal asymmetric encryption padding (OAEP)

25 PKCS—Public Key Cryptography Standard: Encryption 25 Standard for the encoding of information that will be signed or encrypted through RSA A suite of standards PKCS #1—15 PKCS #1 for formatting a message to be encrypted: The encoding addresses several RSA threats: - guessable message - sending same encrypted message to >=3 recipients (e=3) - Encrypting messages<1/3 length of n (e=3)

26 PKCS—Public Key Cryptography Standard: Signature 26 PKCS #1 for formatting a message to be signed: The encoding addresses several RSA threats: - padding avoids smooth numbers w.h.p. - avoids cube root problem - including digest type avoids an obscure threat: MD4(m’)=MD5(m)

27 Diffie-Hellman 27 The first public key cryptosystem But does neither encryption nor signatures Used for key exchange: Alice and Bob negotiate a shared secret key over a public communication channel

28 Diffie- Hellman Key Exchange 28

29 Why Is Diffie-Hellman Secure? 29 It is difficult to compute discrete logarithm: knowing g and g x, it is difficult to compute x

30 Man-in-the-Middle Attack 30 Alice A, g A Frank F, g F Bob B, g B gAgA gFgF gFgF gBgB K AF =g AF K FB =g FB Alice A, g A Bob B, g B gAgA gBgB K AB =g AB

31 Countermeasures 31 Publish public numbers: Alice keeps x private, but publishes X = g x mod p through a reliable, trusted service such as PKI Bob keeps y private, but publishes Y = g y mod p Alice retrieves Y from the trusted service Bob retrieves X from the trusted service No place for Frank to get in the middle. The key between Alice and Bob is in fact pre-determined.

32 Countermeasures (Cont’d) 32 Authenticated Diffie-Hellman: Encrypt the Diffie-Hellman exchange with the pre-shared secret Encrypt the Diffie-Hellman public number with the other side’s public key Sign the Diffie-Hellman public number with your private key Following the Diffie-Hellman exchange, transmit a hash of the agreed key and the pre-shared secret Following the Diffie-Hellman exchange, transmit a hash of the pre-shared secret and your public number

33 Encryption with Diffie-Hellman 33 Alice uses Diffie-Hellman to generate a shared secret key, g AB, with Bob Encryption: Alice uses any secret key encryption scheme with the above secret key The secret key need not be shared with Bob before encryption: Bob can retrieve the encrypted message and the secret key simultaneously given that he has published his

34 ElGamal Signatures 34 Each party has a long-term public/private key pair Public key is and private key is S For each message m signed, generate a new public/private key pair:, S m (a random number) Signature: X=S m +d m S mod (p-1), where d m =MD(m|T m ) Transmitted to the recipient: Verification: check if g X =T m T d m mod p If signature is valid, verification will pass because: Other requirements for a secure signature: verification will fail if message/signature is modified, knowing signature will not divulge S, not knowing S will not be able to sign

35 Elliptic Curve Cryptography 35 Known subexponential algorithms for breaking RSA and Diffie-Hellman (a brute-force attack requires exponential amount of computation), so required key size is large No known subexponential algorithm for breaking ECC ECC offers the same security with much smaller key size Comparable key sizes in terms of computational effort for cryptanalysis

36 Assignments Read [Kaufman] Chapter 6 36

Download ppt "ECE454/599 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2012."

Similar presentations

RSA COSC 201 ST. MARY’S COLLEGE OF MARYLAND FALL 2012 RSA.

RSA COSC 201 ST. MARY’S COLLEGE OF MARYLAND FALL 2012 RSA.
22C:19 Discrete Structures Integers and Modular Arithmetic

22C:19 Discrete Structures Integers and Modular Arithmetic
22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.

22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.

Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.
Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.

Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
Cryptography and Network Security Chapter 9. Chapter 9 – Public Key Cryptography and RSA Every Egyptian received two names, which were known respectively.

Cryptography and Network Security Chapter 9. Chapter 9 – Public Key Cryptography and RSA Every Egyptian received two names, which were known respectively.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.

Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.
Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.

Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Dr.Saleem Al_Zoubi1 Cryptography and Network Security Third Edition by William Stallings Public Key Cryptography and RSA.

Dr.Saleem Al_Zoubi1 Cryptography and Network Security Third Edition by William Stallings Public Key Cryptography and RSA.
Public Key Algorithms 4/17/2017 M. Chatterjee.

Public Key Algorithms 4/17/2017 M. Chatterjee.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.5 Public Key Algorithms.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.5 Public Key Algorithms.
The RSA Algorithm JooSeok Song 2007. 11. 13. Tue.

The RSA Algorithm JooSeok Song Tue.
Public-Key Cryptography and RSA CSE 651: Introduction to Network Security.

Public-Key Cryptography and RSA CSE 651: Introduction to Network Security.

Similar presentations

Ads by Google