Presentation is loading. Please wait.

Presentation is loading. Please wait.

Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia.

Published byKristin Phelps Modified over 7 years ago

Similar presentations

Presentation on theme: "Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia."— Presentation transcript:

1 Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia

2 January 15, 2002Practical Aspects of Modern Cryptography Public-Key History 1976 New Directions in Cryptograhy Whit Diffie and Marty Hellman One-Way functions Diffie-Hellman Key Exchange 1978 RSA paper Ron Rivest, Adi Shamir, and Len Adleman RSA Encryption System RSA Digital Signature Mechanism

3 January 15, 2002Practical Aspects of Modern Cryptography The Fundamental Equation Z=Y X mod N

4 January 15, 2002Practical Aspects of Modern Cryptography Diffie-Hellman Z=Y X mod N When X is unknown, the problem is known as the discrete logarithm and is generally believed to be hard to solve.

5 January 15, 2002Practical Aspects of Modern Cryptography Diffie-Hellman Key Exchange Alice Randomly select a large integer a and send A = Y a mod N. Compute the key K = B a mod N. Bob Randomly select a large integer b and send B = Y b mod N. Compute the key K = A b mod N. B a = Y ba = Y ab = A b

6 January 15, 2002Practical Aspects of Modern Cryptography Diffie-Hellman Key Exchange What does Eve see? Y, Y a, Y b … but the exchanged key is Y ab. Belief: Given Y, Y a, Y b it is difficult to compute Y ab. Contrast with discrete logarithm assumption: Given Y, Y x it is difficult to compute x.

7 January 15, 2002Practical Aspects of Modern Cryptography One-Way Trap-Door Functions Z=Y X mod N Recall that this equation is solvable for Y if the factorization of N is known, but is believed to be hard otherwise.

8 January 15, 2002Practical Aspects of Modern Cryptography RSA Public-Key Cryptosystem Alice Select two large random primes P & Q. Publish the product N=PQ. Use knowledge of P & Q to compute Y. Anyone To send message Y to Alice, compute Z=Y X mod N. Send Z and X to Alice.

9 January 15, 2002Practical Aspects of Modern Cryptography Some RSA Details When N=PQ is the product of distinct primes, Y X mod N = Y whenever X mod (P-1)(Q-1) = 1 and 0  Y  N.

10 January 15, 2002Practical Aspects of Modern Cryptography Some RSA Details When N=PQ is the product of distinct primes, Y X mod N = Y whenever X mod (P-1)(Q-1) = 1 and 0  Y  N. Alice can easily select integers E and D such that ED mod (P-1)(Q-1) = 1.

11 January 15, 2002Practical Aspects of Modern Cryptography Some RSA Details Encryption: E(Y) = Y E mod N. Decryption: D(Y) = Y D mod N. D(E(Y)) = (Y E mod N) D mod N = Y ED mod N = Y

12 January 15, 2002Practical Aspects of Modern Cryptography RSA Signatures An additional property D(E(Y)) = Y ED mod N = Y E(D(Y)) = Y DE mod N = Y Only Alice (knowing the factorization of N) knows D. Hence only Alice can compute D(Y) = Y D mod N. This D(Y) serves as Alice’s signature on Y.

13 January 15, 2002Practical Aspects of Modern Cryptography Remaining RSA Basics Why is Y X mod PQ = Y whenever X mod (P-1)(Q-1) = 1, 0  Y  PQ, and P and Q are distinct primes? How can Alice can select integers E and D such that ED mod (P-1)(Q-1) = 1?

14 January 15, 2002Practical Aspects of Modern Cryptography Modular Arithmetic To compute (A+B) mod N, compute (A+B) and take the result mod N. To compute (A-B) mod N, compute (A-B) and take the result mod N. To compute (A×B) mod N, compute (A×B) and take the result mod N. To compute (A÷B) mod N, …

15 January 15, 2002Practical Aspects of Modern Cryptography Modular Division What is the value of (1÷2) mod 7? We need a solution to 2x mod 7 = 1. Try x = 4. What is the value of (7÷5) mod 11? We need a solution to 5x mod 11 = 7. Try x = 8.

16 January 15, 2002Practical Aspects of Modern Cryptography Modular Division Is modular division always well-defined? (1÷3) mod 6 = ? 3x mod 6 = 1 has no solution! Fact (A÷B) mod N always has a solution when gcd(B,N) = 1.

17 January 15, 2002Practical Aspects of Modern Cryptography Greatest Common Divisors gcd(A, B) = gcd(B, A - B) gcd(21,12) = gcd(12,9) = gcd(9,3) = gcd(6,3) = gcd(3,3) = gcd(0,3) = 3 gcd(A, B) = gcd(B, A mod B) gcd(21,12) = gcd(12,9) = gcd(9,3) = gcd(0,3) = 3

18 January 15, 2002Practical Aspects of Modern Cryptography Extended Euclidean Algorithm Given integers A and B, find integers X and Y such that AX + BY = gcd(A,B). When gcd(A,B) = 1, solve AX mod B = 1, by finding X and Y such that AX + BY = gcd(A,B) = 1. Compute (C÷A) mod B as C×(1÷A) mod B.

19 January 15, 2002Practical Aspects of Modern Cryptography Extended Euclidean Algorithm Given A,B > 0, set x 1 =1, x 2 =0, y 1 =0, y 2 =1, a 1 =A, b 1 =B, i=1. Repeat while b i >0: {i = i + 1; q = a i-1 div b i-1 ; b i = a i-1 -qb i-1 ; a i = b i-1 ; x i+1 =x i-1 -qx i ; y i+1 =y i-1 -qy i }. Ax i + By i = a i = gcd(A,B).

20 January 15, 2002Practical Aspects of Modern Cryptography Remaining RSA Basics Why is Y X mod PQ = Y whenever X mod (P-1)(Q-1) = 1, 0  Y  PQ, and P and Q are distinct primes? How can Alice can select integers E and D such that ED mod (P-1)(Q-1) = 1?

21 January 15, 2002Practical Aspects of Modern Cryptography Fermat’s Little Theorem If p is prime, then x p-1 mod p = 1 for all 0 < x < p. Equivalently … If p is prime, then x p mod p = x mod p for all integers x.

22 January 15, 2002Practical Aspects of Modern Cryptography The Binomial Theorem (x + y) p = x p + ( ) x p-1 y + … + ( ) xy p-1 + y p If p is prime, then ( ) mod p = 0 for 0 < i < p. Thus, (x + y) p mod p = (x p + y p ) mod p. p1p1 Proof of Fermat’s Little Theorem p p-1 pipi

23 January 15, 2002Practical Aspects of Modern Cryptography Proof of Fermat’s Little Theorem By induction on x… Basis If x = 0, then x p mod p = 0 = x mod p. If x = 1, then x p mod p = 1 = x mod p.

24 January 15, 2002Practical Aspects of Modern Cryptography Proof of Fermat’s Little Theorem Inductive Step Assume that x p mod p = x mod p. Then (x + 1) p mod p = (x p + 1 p ) mod p = (x + 1) mod p. Hence, x p mod p = x mod p for integers x ≥ 0. Also true for negative x, since (-x) p = (-1) p x p.

25 January 15, 2002Practical Aspects of Modern Cryptography Proof of RSA We have shown … Y P mod P = Y whenever 0 ≤ Y < P and P is prime! You will show … Y K(P-1)(Q-1)+1 mod PQ = Y when 0 ≤ Y < PQ P and Q are distinct primes and K ≥ 0.

26 January 15, 2002Practical Aspects of Modern Cryptography Authentication How can I use RSA to authenticate someone’s identity? If Alice’s public key E A, just pick a random message m and send E A (m). If m comes back, I must be talking to Alice.

27 January 15, 2002Practical Aspects of Modern Cryptography Authentication Should Alice be happy with this method of authentication? Bob sends Alice the authentication string y = “I owe Bob $1,000,000 - signed Alice.” Alice dutifully authenticates herself by decrypting (putting her signature on) y.

28 January 15, 2002Practical Aspects of Modern Cryptography Authentication What if Alice only returns authentication queries when the decryption has a certain format?

29 January 15, 2002Practical Aspects of Modern Cryptography RSA Cautions Is it reasonable to sign/decrypt something given to you by someone else? Note that RSA is multiplicative. Can this property be used/abused?

30 January 15, 2002Practical Aspects of Modern Cryptography RSA Cautions D(Y 1 ) D(Y 2 ) = D(Y 1 Y 2 ) Thus, if I’ve decrypted (or signed) Y 1 and Y 2, I’ve also decrypted (or signed) Y 1 Y 2.

31 January 15, 2002Practical Aspects of Modern Cryptography The Hastad Attack Given E 1 (x) = x 3 mod n 1 E 2 (x) = x 3 mod n 2 E 3 (x) = x 3 mod n 3 one can easily compute x.

32 January 15, 2002Practical Aspects of Modern Cryptography The Bleichenbacher Attack PKCS#1 Message Format: 00 01 XX XX... XX 00 YY YY... YY random non-zero bytes message

33 January 15, 2002Practical Aspects of Modern Cryptography “Man-in-the-Middle” Attacks

34 January 15, 2002Practical Aspects of Modern Cryptography The Practical Side RSA can be used to encrypt any data. Public-key (asymmetric) cryptography is very inefficient when compared to traditional private-key (symmetric) cryptography.

35 January 15, 2002Practical Aspects of Modern Cryptography The Practical Side For efficiency, one generally uses RSA (or another public-key algorithm) to transmit a private (symmetric) key. The private session key is used to encrypt and authenticate any subsequent data. Digital signatures are only used to sign a digest of the message.

36 January 15, 2002Practical Aspects of Modern Cryptography Symmetric Ciphers Private-key (symmetric) ciphers are usually divided into two classes. Block ciphers Stream ciphers

37 January 15, 2002Practical Aspects of Modern Cryptography Symmetric Ciphers Private-key (symmetric) ciphers are usually divided into two classes. Block ciphers Stream ciphers

38 January 15, 2002Practical Aspects of Modern Cryptography Block Ciphers Block Cipher Plaintext DataCiphertext Key

39 January 15, 2002Practical Aspects of Modern Cryptography Block Ciphers Block Cipher Plaintext DataCiphertext Key Currently usually 8 bytes. Soon 16-32 bytes.

40 January 15, 2002Practical Aspects of Modern Cryptography Block Cipher Modes Electronic Code Book (ECB) Encryption: Block Cipher Block Cipher Block Cipher Block Cipher Plaintext Ciphertext

41 January 15, 2002Practical Aspects of Modern Cryptography Block Cipher Modes Electronic Code Book (ECB) Decryption: Inverse Cipher Inverse Cipher Inverse Cipher Inverse Cipher Plaintext Ciphertext

42 January 15, 2002Practical Aspects of Modern Cryptography Block Cipher Modes Electronic Code Book (ECB) Encryption: Block Cipher Block Cipher Block Cipher Block Cipher Plaintext Ciphertext

43 January 15, 2002Practical Aspects of Modern Cryptography Block Cipher Modes Cipher Block Chaining (CBC) Encryption: Block Cipher Block Cipher Block Cipher Block Cipher Plaintext Ciphertext IV

44 January 15, 2002Practical Aspects of Modern Cryptography Block Cipher Modes Cipher Block Chaining (CBC) Decryption: Inverse Cipher Inverse Cipher Inverse Cipher Inverse Cipher Plaintext Ciphertext IV

45 January 15, 2002Practical Aspects of Modern Cryptography Block Cipher Modes Cipher Block Chaining (CBC) Encryption: Block Cipher Block Cipher Block Cipher Block Cipher Plaintext Ciphertext IV

46 January 15, 2002Practical Aspects of Modern Cryptography How to Build a Block Cipher Block Cipher Plaintext Ciphertext Key

47 January 15, 2002Practical Aspects of Modern Cryptography Feistel Ciphers Ugly

48 January 15, 2002Practical Aspects of Modern Cryptography Feistel Ciphers Ugly

49 January 15, 2002Practical Aspects of Modern Cryptography Feistel Ciphers Ugly

50 January 15, 2002Practical Aspects of Modern Cryptography Ugly Feistel Ciphers

51 January 15, 2002Practical Aspects of Modern Cryptography Feistel Ciphers Ugly

52 January 15, 2002Practical Aspects of Modern Cryptography Feistel Ciphers Typically, most Feistel ciphers are iterated for about 16 rounds. Different “sub-keys” are used for each round. Even a weak round function can yield a strong Feistel cipher if iterated sufficiently.

53 January 15, 2002Practical Aspects of Modern Cryptography Data Encryption Standard (DES) Block Cipher 64-bit Plaintext 64-bit Ciphertext 56-bit Key

54 January 15, 2002Practical Aspects of Modern Cryptography Data Encryption Standard (DES) 64-bit Plaintext 64-bit Ciphertext 56-bit Key 16 Feistel Rounds

55 January 15, 2002Practical Aspects of Modern Cryptography Data Encryption Standard (DES) 64-bit Plaintext 64-bit Ciphertext 56-bit Key 16 Feistel Rounds

56 January 15, 2002Practical Aspects of Modern Cryptography DES Round Ugly

57 January 15, 2002Practical Aspects of Modern Cryptography Simplified DES Round Function Sub-key 4-bit substitutions 32-bit permutation Ugly 32 bits

58 January 15, 2002Practical Aspects of Modern Cryptography Actual DES Round Function Sub-key 6/4-bit substitutions 32-bit permutation Ugly 32 bits 48 bits

59 January 15, 2002Practical Aspects of Modern Cryptography Symmetric Ciphers Private-key (symmetric) ciphers are usually divided into two classes. Block ciphers Stream ciphers

60 January 15, 2002Practical Aspects of Modern Cryptography Stream Ciphers Use the key as a seed to a pseudo-random number-generator. Take the stream of output bits from the PRNG and XOR it with the plaintext to form the ciphertext.

61 January 15, 2002Practical Aspects of Modern Cryptography Stream Cipher Encryption Plaintext: PRNG(seed): Ciphertext:

62 January 15, 2002Practical Aspects of Modern Cryptography Stream Cipher Decryption Plaintext: PRNG(seed): Ciphertext:

63 January 15, 2002Practical Aspects of Modern Cryptography A PRNG: Alleged RC4 Initialization S[0..255] = 0,1,…,255 K[0..255] = Key,Key,Key,… for i = 0 to 255 j = (j + S[i] + K[i]) mod 256 swap S[i] and S[j]

64 January 15, 2002Practical Aspects of Modern Cryptography A PRNG: Alleged RC4 Iteration i = (i + 1) mod 256 j = (j + S[i]) mod 256 swap S[i] and S[j] t = (S[i] + S[j]) mod 256 Output S[t]

65 January 15, 2002Practical Aspects of Modern Cryptography Stream Cipher Integrity It is easy for an adversary (even one who can’t decrypt the ciphertext) to alter the plaintext in a known way. Bob to Bob’s Bank: Please transfer $0,000,002.00 to the account of my good friend Alice.

66 January 15, 2002Practical Aspects of Modern Cryptography Stream Cipher Integrity It is easy for an adversary (even one who can’t decrypt the ciphertext) to alter the plaintext in a known way. Bob to Bob’s Bank: Please transfer $1,000,002.00 to the account of my good friend Alice.

67 January 15, 2002Practical Aspects of Modern Cryptography Stream Cipher Integrity It is easy for an adversary (even one who can’t decrypt the ciphertext) to alter the plaintext in a known way. Bob to Bob’s Bank: Please transfer $1,000,002.00 to the account of my good friend Alice. This can be protected against by the careful addition of appropriate redundancy.

68 January 15, 2002Practical Aspects of Modern Cryptography One-Way Hash Functions The idea of a check sum is great, but it is designed to prevent accidental changes in a message. For cryptographic integrity, we need an integrity check that is resilient against a smart and determined adversary.

69 January 15, 2002Practical Aspects of Modern Cryptography One-Way Hash Functions Generally, a one-way hash function is a function H : {0,1}*  {0,1} k (typically k is 128 or 160) such that given an input value x, one cannot find a value x  x such H(x) = H(x ).

70 January 15, 2002Practical Aspects of Modern Cryptography One-Way Hash Functions There are many measures for one-way hashes. Non-invertability: given y, it’s difficult to find any x such that H(x) = y. Collision-intractability: one cannot find a pair of values x  x such that H(x) = H(x ).

71 January 15, 2002Practical Aspects of Modern Cryptography One-Way Hash Functions When using a stream cipher, a hash of the message can be appended to ensure integrity. [Message Authentication Code] When forming a digital signature, the signature need only be applied to a hash of the message. [Message Digest]

72 January 15, 2002Practical Aspects of Modern Cryptography A Cryptographic Hash: SHA-1 Compression Function 160-bit Output 512-bit Input (IV)

73 January 15, 2002Practical Aspects of Modern Cryptography A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds

74 January 15, 2002Practical Aspects of Modern Cryptography A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds No Change

75 January 15, 2002Practical Aspects of Modern Cryptography A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds Rotate 30 bits

76 January 15, 2002Practical Aspects of Modern Cryptography A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds No Change

77 January 15, 2002Practical Aspects of Modern Cryptography A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds No Change

78 January 15, 2002Practical Aspects of Modern Cryptography A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds ?

79 January 15, 2002Practical Aspects of Modern Cryptography A Cryptographic Hash: SHA-1 What’s in the final 32-bit transform? Take the rightmost word. Add in the leftmost word rotated 5 bits. Add in a round-dependent function f of the middle three words.

80 January 15, 2002Practical Aspects of Modern Cryptography A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds f

81 January 15, 2002Practical Aspects of Modern Cryptography A Cryptographic Hash: SHA-1 Depending on the round, the “non-linear” function f is one of the following. f(X,Y,Z) = (X  Y)  ((  X)  Z) f(X,Y,Z) = (X  Y)  (X  Z)  (Y  Z) f(X,Y,Z) = X  Y  Z

82 January 15, 2002Practical Aspects of Modern Cryptography A Cryptographic Hash: SHA-1 What’s in the final 32-bit transform? Take the rightmost word. Add in the leftmost word rotated 5 bits. Add in a round-dependent function f of the middle three words.

83 January 15, 2002Practical Aspects of Modern Cryptography A Cryptographic Hash: SHA-1 What’s in the final 32-bit transform? Take the rightmost word. Add in the leftmost word rotated 5 bits. Add in a round-dependent function f of the middle three words. Add in a round-dependent constant.

84 January 15, 2002Practical Aspects of Modern Cryptography A Cryptographic Hash: SHA-1 What’s in the final 32-bit transform? Take the rightmost word. Add in the leftmost word rotated 5 bits. Add in a round-dependent function f of the middle three words. Add in a round-dependent constant. Add in a portion of the 512-bit message.

85 January 15, 2002Practical Aspects of Modern Cryptography A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds

86 January 15, 2002Practical Aspects of Modern Cryptography Cryptographic Tools One-Way Trapdoor Functions Public-Key Encryption Schemes One-Way Functions One-Way Hash Functions Pseudo-Random Number-Generators Secret-Key Encryption Schemes Digital Signature Schemes

Download ppt "Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia."

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
22C:19 Discrete Structures Integers and Modular Arithmetic

22C:19 Discrete Structures Integers and Modular Arithmetic
22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.

22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.
 Stream ciphers o Encrypt chars/bits one at a time o Assume XOR w the key, need long key to be secure  Keystream generators (pseudo-random key) o Synchronous.

 Stream ciphers o Encrypt chars/bits one at a time o Assume XOR w the key, need long key to be secure  Keystream generators (pseudo-random key) o Synchronous.
Josh Benaloh Brian LaMacchia Winter 2011. January 6, 2011Practical Aspects of Modern Cryptography Cryptography is... Protecting Privacy of Data Authentication.

Josh Benaloh Brian LaMacchia Winter January 6, 2011Practical Aspects of Modern Cryptography Cryptography is... Protecting Privacy of Data Authentication.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Public Encryption: RSA

Public Encryption: RSA
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Public Key Algorithms 4/17/2017 M. Chatterjee.

Public Key Algorithms 4/17/2017 M. Chatterjee.
Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,
Public Key Model 8. Cryptography part 2.

Public Key Model 8. Cryptography part 2.
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.

Andreas Steffen, , 4-PublicKey.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.
Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.

Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.

Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.
Network and Communications Network Security Department of Computer Science Virginia Commonwealth University.

Network and Communications Network Security Department of Computer Science Virginia Commonwealth University.
RSA and its Mathematics Behind

RSA and its Mathematics Behind
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

Similar presentations

Ads by Google