Presentation is loading. Please wait.

Presentation is loading. Please wait.

Public Key Cryptography Diffie-Hellman, Discrete Log, RSA

Published byChester Shelton Modified over 5 years ago

Similar presentations

Presentation on theme: "Public Key Cryptography Diffie-Hellman, Discrete Log, RSA"— Presentation transcript:

1 Public Key Cryptography Diffie-Hellman, Discrete Log, RSA
Diffie-Hellman Key Exchange, Discrete Log Problem Public Key Crypto RSA Public Key Cryptography Diffie-Hellman, Discrete Log, RSA CSCI283 Fall 2005 GWU

2 Diffie-Hellman Key Exchange

3 Diffie-Hellman Key Exchange
Protocol for exchanging secret key over public channel. Select global parameters p, n and . p is prime and  is of order n in Zp*. These parameters are public and known to all. 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

4 Diffie-Hellman Key Exchange contd.
Alice privately selects random b and sends to Bob b mod p. Bob privately selects random c and sends to Alice c mod p. Alice and Bob privately compute bc mod p which is their shared secret. An observer Oscar can compute bc if he knows either c or b or can solve the discrete log problem. This is a key agreement protocol. 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

5 Diffie-Hellman is based on the hardness of the Discrete Log problem:
Given a multiplicative group G, an element  G such that o() = n, and an element  <> Find the unique integer x, 0  x  n-1 such that  = x x denoted as log Not known to be doable in polynomial time, however exponentiation is. 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

6 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set
An attack Diffie-Hellman key exchange is susceptible to a man-in-the-middle attack. Mallory captures b and c in transmission and replaces with own b’ and c’. Essentially runs two Diffie-Hellman’s. One with Alice and one with Bob. 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

7 Public-Key Cryptography

8 Diffie-Hellman propose Public Key Cryptography
Computationally easy to encrypt/decrypt given key Computationally infeasible to derive private key from public key Computationally infeasible to determine private key from a chosen-plaintext attack Look at DH key exchange as PKC 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

9 How does Alice send Bob the decryption key in private key crypto?
If Alice wants it such that anyone can decrypt her messages, but know that they came from her Suppose she could make the decryption key available in a public place This would require that the decryption key should not give any information on the encryption key, in particular it should not be equal to it 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

10 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set
How does Alice send Bob the decryption key in private key crypto? contd If she wants it so that only Bob can read her messages, and Bob is ok with anyone sending him messages in this way Suppose Bob makes his encryption key available publicly No one should be able to compute the decryption key from the encryption key This is the dual of the previous case 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

11 Public Key Cryptography
Two injective functions f and g such that fg=I i.e. messages encrypted with one can be decrypted with the other; functions include association with key f cannot be used to find g and vice versa One is made public, the other kept private Encryption with public function provides confidential transmission, decryption with public function provides authentication 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

12 RSA

13 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set
Background Totient function (n) Number of positive integers less than n and relatively prime to n Relatively prime means with no factors in common with n Example: (10) = 4 1, 3, 7, 9 are relatively prime to 10 Example: (21) = 12 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 are relatively prime to 21 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

14 RSA Cocks (’73), Rivest, Shamir, Adleman (’76)
n = pq, p and q (large) primes P = C = Zn K = {(n, p, q, a, b}: ab  1 mod (n)} Public key: (n, a); Private key: (b) fK(m) = ma mod n gK(m) = mb mod n fK and gK are inverses (we won’t show this, it is not straightforward) 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

15 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set
RSA: Key generation Find p and q (two large random primes) n pq (n)  (p-1)(q-1) Choose random a invertible mod (n) s.t 1 < a < (n) i.e. a s.t gcd(a, (n)) = 1 Use Euclidean algorithm to find a-1mod (n) Without p and q cannot determine (n) One key: (n, a) other key (n, b); Example 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

16 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set
Example Take p = 7, q = 11, so n = 77 and (n) = 60 Alice chooses e = 17, making d = 53 Bob wants to send Alice secret message HELLO ( ) 0717 mod 77 = 28 0417 mod 77 = 16 1117 mod 77 = 44 1417 mod 77 = 42 Bob sends 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

17 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set
Example Alice receives Alice uses private key, d = 53, to decrypt message: 2853 mod 77 = 07 1653 mod 77 = 04 4453 mod 77 = 11 4253 mod 77 = 14 Alice translates message to letters to read HELLO No one else could read it, as only Alice knows her private key and that is needed for decryption The letters could not have been changed in transit, as no one else has Bob’s private key 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

18 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set
Warnings Encipher message in blocks considerably larger than the examples here If 1 character per block, RSA can be broken using statistical attacks (just like classical cryptosystems) Attacker cannot alter letters, but can rearrange them and alter message meaning Example: reverse enciphered message of text ON to get NO 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

19 Encryption of blocks of symbols
Block ABCD…, each symbol is base N (e.g. N=2, 16) Convert a block of a few symbols to an integer mod n RSA encrypt Convert back to base N Example. Problem if short strings encrypted with RSA, hence pad short strings with random characters. 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

20 Security of RSA Is it based on hardness of factoring n?
It is not known if: factoring a product of two primes into its prime components is solvable in polynomial time NP-complete there are other trapdoors to RSA, i.e. other ways of breaking it in general Factoring is an easy problem in the quantum computing model. 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

21 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set
Security Services Confidentiality Only the owner of the private key knows it, so text enciphered with public key cannot be read by anyone except the owner of the private key Authentication Only the owner of the private key knows it, so text enciphered with private key must have been generated by the owner 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

22 More Security Services
Integrity Enciphered letters cannot be changed undetectably without knowing private key Non-Repudiation Message enciphered with private key came from someone who knew it 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

23 Secure Hash

24 The problems crypto addresses
Confidentiality/secrecy/privacy How to keep a message secret so it can be read only by a chosen person Use encryption Integrity How to determine a string of symbols has not been changed since it was created ? 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

25 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set
Integrity Alice sends message x to Bob. She fears Oscar will manipulate it along the way, and Bob will get an incorrect message. She could encrypt it using a key Oscar did not have, but is that overkill when she does not need to prevent Oscar from reading it? But maybe she could tell Bob something else about the message so he would know if something was terribly wrong: parity, last bit, a particular bit, etc. 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

26 In general, she could use a hash function
h: X  Y y = h(x) |X| > |Y| i.e.  x, x’ s.t x  x’ and h(x) = h(x’) Used in storage tables E.g.: h(x) = last bit, parity, smallest prime factor 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

27 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set
Checksums/hashes Mathematical function to generate a set of k bits from a set of n bits (where k ≤ n). k is smaller then n except in unusual circumstances Example: ASCII parity bit ASCII has 7 bits; 8th bit is “parity” Even parity: even number of 1 bits Odd parity: odd number of 1 bits 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

28 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set
Example Use Bob receives “ ” as bits. Sender is using even parity; 6 1 bits, so character was received correctly Note: could be garbled, but 2 bits would need to have been changed to preserve parity Sender is using odd parity; even number of 1 bits, so character was not received correctly 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

29 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set
h(x) sent with x Both Bob and Alice can create h(x) given x Alice sends (x, h(x)) Bob receives (x’,y’), he checks if y’ = h(x’). If so, he assumes x’ is what Alice sent 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

30 In either case, what can the attacker do?
If he can compute h(x), he can: try to find x’ s.t. h(x) = h(x’). If he knows h, and can influence Alice, he can try to get her to send an x that she likes such that h(x) = h(x’) for an x’ he likes. If he doesn’t, he hopes for the best. 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

31 Hence require an h “secure” in the following ways:
Secure wrt second image requires that the following problem is “difficult”: Given an xX, find x’ X s.t x’  x but h(x’) = h(x) Secure wrt collision requires that the following problem is “difficult”: Find x, x’ X s.t x’  x but h(x’) = h(x) The above should be true even if h(x1), h(x2).. h(xn) are known 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

32 In general, h is a secure-hash, or a one-way function
Easy to compute in one direction, hard in the other. Can we recall one such function? 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

33 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set
Definition Cryptographic checksum h: AB: For any x  A, h(x) is easy to compute For any y  B, it is computationally infeasible to find x  A such that h(x) = y It is computationally infeasible to find two inputs x, x  A such that x ≠ x and h(x) = h(x) 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

34 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set
Keys Keyed cryptographic checksum: requires cryptographic key DES in chaining mode: encipher message, use last n bits. Requires a key to encipher, so it is a keyed cryptographic checksum. Keyless cryptographic checksum: requires no cryptographic key MD5 and SHA-1 are best known; others include MD4, HAVAL, and Snefru 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

35 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set
HMAC Keyed cryptographic checksums from keyless ones h keyless cryptographic checksum function that takes data in blocks of b bytes and outputs blocks of l bytes. k is cryptographic key of length b bytes If short, pad with 0 bytes; if long, hash to length b ipad is repeated b times; opad is repeated b times HMAC-h(k, m) = h(k  opad || h(k  ipad || m)) 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

36 Digital Signatures

37 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set
For non-repudiation A digital signature authenticates both the origin and the contents of a message in a manner that is provable to a disinterested third party Encrypt message digest (computed using a secure hash) with public key 11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set

Download ppt "Public Key Cryptography Diffie-Hellman, Discrete Log, RSA"

Similar presentations

Public Key Encryptions CS461/ECE422 Fall 2011. Reading Material Text Chapters 2 and 20 Handbook of Applied Cryptography, Chapter 8 –

Public Key Encryptions CS461/ECE422 Fall Reading Material Text Chapters 2 and 20 Handbook of Applied Cryptography, Chapter 8 –
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.

Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)

Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)
RSA Exponentiation cipher

RSA Exponentiation cipher
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Public Key Cryptography and Cryptographic Hashes CS461/ECE422 Fall 2009.

Public Key Cryptography and Cryptographic Hashes CS461/ECE422 Fall 2009.
CSCI 172/283 Fall 2010 Public Key Cryptography. New paradigm introduced by Diffie and Hellman The mailbox analogy: Bob has a locked mailbox Alice can.

CSCI 172/283 Fall 2010 Public Key Cryptography. New paradigm introduced by Diffie and Hellman The mailbox analogy: Bob has a locked mailbox Alice can.
Public Key Model 8. Cryptography part 2.

Public Key Model 8. Cryptography part 2.
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.

Andreas Steffen, , 4-PublicKey.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.
CS5204 – Fall 2009 1 Cryptographic Security Presenter: Hamid Al-Hamadi October 13, 2009.

CS5204 – Fall Cryptographic Security Presenter: Hamid Al-Hamadi October 13, 2009.
Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.

Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.

Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Similar presentations

Ads by Google