Topic 2: Public Key Encryption and Digital Signatures

Topic 2: Public Key Encryption and Digital Signatures
Network Security Topic 2: Public Key Encryption and Digital Signatures 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Readings for This Lecture
Required: On Wikipedia Public key cryptography RSA Diffie–Hellman key exchange ElGamal encryption Required: Differ & Hellman: “New Directions in Cryptography” IEEE Transactions on Information Theory, Nov 1976. 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Review of Secret Key (Symmetric) Cryptography
Confidentiality stream ciphers (uses PRNG) block ciphers with encryption modes (CBC or CTR) Integrity Cryptographic hash functions Message authentication code (keyed hash functions) Limitation: sender and receiver must share the same key Needs secure channel for key distribution Impossible for two parties having no prior relationship Needs many keys for n parties to communicate MAC are keyed hash functions. Using a key to select a particular one to use. Property for MAC? How to secure communication between you and a merchant’s website? Key distribution is generally the weakest link. 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Concept of Public Key Encryption
Each party has a pair (K, K-1) of keys: K is the public key, and used for encryption K-1 is the private key, and used for decryption Satisfies DK-1[EK[M]] = M Knowing the public-key K, it is computationally infeasible to compute the private key K-1 How to check (K,K-1) is a pair? Offers only computational security. Secure Public Key encryption is impossible when P=NP, as deriving K-1 from K is in NP. The public key K may be made publicly available, e.g., in a publicly available directory Many can encrypt, only one can decrypt Public-key systems aka asymmetric crypto systems What is the significance of using two keys vs the same key both for encryption and decryption? Critical property is SK cannot be computed from PK. SK is clearly related to PK. Given PK, if one guesses SK, one can verify whether SK is correct. What is so good about the property that the decryption Key cannot be computed from encryption key? 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Public Key Cryptography Early History
Proposed by Diffie and Hellman, documented in “New Directions in Cryptography” (1976) Public-key encryption schemes Key distribution systems Diffie-Hellman key agreement protocol Digital signature Public-key encryption was proposed in 1970 in a classified paper by James Ellis paper made public in 1997 by the British Governmental Communications Headquarters Concept of digital signature is still originally due to Diffie & Hellman Diffie and Hellman introduces the concepts of PKC and that of digital signatures, but could not come up with a scheme that works. They really want a public key encryption algorithm, but they couldn’t get one. Need some evidence to show that it works. Hence they need to look for something that have the flavor of PK cryptography. How to agree on a secret key using a public channel? However, it turns out that this can become an encryption scheme. El Gamal. 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Public Key Encryption Algorithms
Most public-key encryption algorithms use either modular arithmetic number theory, or elliptic curves RSA based on the hardness of factoring large numbers El Gamal Based on the hardness of solving discrete logarithm Use the same idea as Diffie-Hellman key agreement 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Diffie and Hellman won ACM Turing Award (2015)
2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Diffie-Hellman Key Agreement Protocol
Not a Public Key Encryption system, but can allow A and B to agree on a shared secret in a public channel (against passive, i.e., eavesdropping only adversaries) Setup: p prime and g generator of Zp*, p and g public. ga mod p gb mod p Pick random, secret b Compute and send gb mod p Pick random, secret a Compute and send ga mod p K = (ga mod p)b = gab mod p K = (gb mod p)a = gab mod p 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Topic 2: Public Key Encrypption and Digital Signatures
Diffie-Hellman Example: Let p=11, g=2, then A chooses 4, B chooses 3, then shared secret is (23)4 = (24)3 = = 4 (mod 11) Adversaries sees 23=8 and 24=5, needs to solve one of 2x=8 and 2y=5 to figure out the shared secret. a 1 2 3 4 5 6 7 8 9 10 11 ga 16 32 64 128 256 512 1024 2048 ga mod p Small g is generator because raising to powers gives rise to all numbers between 1 and 10. 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Security of DH is based on Three Hard Problems
Discrete Log (DLG) Problem: Given <g, h, p>, computes a such that ga = h mod p. Computational Diffie Hellman (CDH) Problem: Given <g, ga mod p, gb mod p> (without a, b) compute gab mod p. Decision Diffie Hellman (DDH) Problem: distinguish (ga,gb,gab) from (ga,gb,gc), where a,b,c are randomly and independently chosen If one can solve the DL problem, one can solve the CDH problem. If one can solve CDH, one can solve DDH. 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Assumptions DDH Assumption: DDH is hard to solve. CDH Assumption: CDH is hard to solve. DLG Assumption: DLG is hard to solve DDH assumed difficult to solve for large p (e.g., at least 1024 bits). Warning: New progress in 2013 can solve discrete log for p values with some properties. No immediate attack against practical setting yet. Look out when you need to use/implement public key crypto May want to consider Elliptic Curve-based algorithms, require shorter keys than discrete log (for 128-bit security require 256 bit key size) 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Taher A. Elgamal (2010) Egyptian cryptographer Inventor of ElGamal discrete log cryptosystem and ElGamal signature scheme (1985, “A Public key Cryptosystem and A Signature Scheme based on discrete Logarithms”) ElGamal signature serves as the basis for Digital Signature Algorithm (DSA) adopted by National Institute of Standards and Technology (NIST) as the Digital Signature Standard (DSS) "father of SSL" 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

ElGamal Encryption Public key <g, p, h=ga mod p> Private key is a To encrypt: chooses random b, computes C=[gb mod p, gab * M mod p]. Idea: for each M, sender and receiver establish a shared secret gab via the DH protocol. The value gab hides the message M by multiplying it. To decrypt C=[c1,c2], computes M where ((c1a mod p) * M) mod p = c2. To find M for x * M mod p = c2, compute z s.t. x*z mod p =1, and then M = C2*z mod p CDH assumption ensures M cannot be fully recovered. IND-CPA security requires DDH. 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Rivest Shamir and Adleman won ACM Turing Award (2012)

RSA Algorithm Invented in 1978 by Ron Rivest, Adi Shamir and Leonard Adleman Published as R L Rivest, A Shamir, L Adleman, "On Digital Signatures and Public Key Cryptosystems", Communications of the ACM, vol 21 no 2, pp , Feb 1978 Security relies on the difficulty of factoring large composite numbers Essentially the same algorithm was discovered in 1973 by Clifford Cocks, who works for the British intelligence Takes 2-3 years to discover the same alg. 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

RSA Public Key Crypto System
Key generation: 1. Select 2 large prime numbers of about the same size, p and q Typically each p, q has between 512 and 2048 bits 2. Compute n = pq, and (n) = (q-1)(p-1) 3. Select e, 1<e< (n), s.t. gcd(e, (n)) = 1 Typically e=3 or e=65537 4. Compute d, 1< d< (n) s.t. ed  1 mod (n) Knowing (n), d easy to compute. Public key: (e, n) Private key: d 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

RSA Description (cont.)
Encryption Given a message M, 0 < M < n M  Zn {0} use public key (e, n) compute C = Me mod n C  Zn {0} Decryption Given a ciphertext C, use private key (d) Compute Cd mod n = (Me mod n)d mod n = Med mod n = M 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

RSA Example p = 11, q = 7, n = 77, (n) = 60 d = 13, e = 37 (ed = 481; ed mod 60 = 1) Let M = 15. Then C  Me mod n C  1537 (mod 77) = 71 M  Cd mod n M  7113 (mod 77) = 15 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Group discussion 1 Parameters: p = 3, q = 5, n= pq = 15 (n) = ? Let e = 3, what is d? Given M=2, what is C? How to decrypt? 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Hard Problems on Which RSA Security Depends
C = Me mod (n=pq) Plaintext: M Ciphertext: C Cd mod n Factoring Problem: Given n=pq, compute p,q Finding RSA Private Key: Given (n,e), compute d s.t. ed = 1 (mod (n)). Given (d,e) such that ed = 1 (mod (n)), there is a clever randomized algorithm to factor n efficiently. Implication: cannot share the modulus n among multiple users RSA Problem: From (n,e) and C, compute M s.t. C = Me Aka computing the e’th root of C. Can be solved if n can be factored 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

RSA Security and Factoring
Security depends on the difficulty of factoring n Factor n  compute (n)  compute d from (e, n) Knowing e, d such that ed = 1 (mod (n))  factor n The length of n=pq reflects the strength 700-bit n factored in 2007 768 bit n factored in 2009 RSA encryption/decryption speed is quadratic in key length 1024 bit for minimal level of security today (roughly 80 bit security) likely to be breakable in near future Minimal 2048 bits recommended for current usage (roughly 112 bit security) NIST suggests bit RSA keys are equivalent in strength to 256-bit Factoring is easy to break with quantum computers An effort concluded in 2009 by several researchers factored a 232-digit number (RSA-768) utilizing hundreds of machines over a span of 2 years. 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Group Discussion 2 Is textbook RSA secure? 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

A simple attack on textbook RSA
Random session-key K Web Browser CLIENT HELLO Web Server d SERVER HELLO (e,N) C=RSA(K) Session-key K is 64 bits. View K  {0,…,264} Eavesdropper sees: C = Ke (mod N) . Suppose K = K1K2 where K1, K2 < (prob. 20%) Then: C/K1e = K2e (mod N) Build table: C/1e, C/2e, C/3e, …, C/234e . time: 234 For K2 = 0,…, 234 test if K2e is in table. time: 23434 Attack time: 240 << 264

RSA Encryption & IND-CPA Security
The RSA assumption, which assumes that the RSA problem is hard to solve, ensures that the plaintext cannot be fully recovered. Plain RSA does not provide IND-CPA security. For Public Key systems, the adversary has the public key, hence the initial training phase is unnecessary, as the adversary can encrypt any message he wants to. How to use it more securely? 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Real World Usage of Public Key Encryption
Often used to encrypt a symmetric key To encrypt a message M under an RSA public key (n,e), generate a new AES key K, compute [Ke mod n, AES-CBCK(M)] Alternatively, one can use random padding. E.g., computer (M || r) e mod n to encrypt a message M with a random value r More generally, uses a function F(M,r), and encrypts as F(M,r) e mod n From F(M,r), one should be able to recover M This provides randomized encryption e.g., Optimal Asymmetric Encryption Padding (OAEP) Roughly, to encrypt M, chooses random r, encode M as M’ = [X = M  H1(r) , Y= r  H2(X) ] where H1 and H2 are cryptographic hash functions, then encrypt it as (M’) e mod n Note that given M’=[X,Y], r = Y  H2(X), and M = X  H1(r) 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

RSA-OAEP Optimal Asymmetric Encryption Padding (OAEP)
Roughly, to encrypt m, chooses random r, encode m as m’ = [X = m  H1(r) , Y= r  H2(X) ] where H1 and H2 are cryptographic hash functions, then encrypt it as (m’) e mod n To decrypt m’=[X,Y], compute r = Y  H2(X), and m = X  H1(r) Proven secure under the RSA assumption when H1 and H2 are assumed to be random oracles. Unless both X and Y are fully recovered, cannot obtain r, without r, cannot obtain any information of m. We will not cover Random Oracle Model in this course. See Chapter 13 if interested. CS555 Topic 19

RSA- Optimal asymmetric encryption padding (RSA-OAEP)

A real-world attack on QQ Browser

Digital Signatures: The Problem
Consider the real-life example where a person pays by credit card and signs a bill; the seller verifies that the signature on the bill is the same with the signature on the card Contracts are valid if they are signed. Signatures provide non-repudiation. ensuring that a party in a dispute cannot repudiate, or refute the validity of a statement or contract. Can we have a similar service in the electronic world? Does Message Authentication Code provide non-repudiation? 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

MAC: One party generates MAC, one party verifies integrity. Digital signatures: One party generates signature, many parties can verify. Digital Signature: a data string which associates a message with some originating entity. Digital Signature Scheme: a signing algorithm: takes a message and a (private) signing key, outputs a signature a verification algorithm: takes a (public) verification key, a message, and a signature Provides: Authentication, Data integrity, Non-Repudiation 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Digital Signatures and Hash
Very often digital signatures are used with hash functions, hash of a message is signed, instead of the message. Hash function must be: Strong collision resistant 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

RSA Signatures Key generation (as in RSA encryption): Select 2 large prime numbers of about the same size, p and q Compute n = pq, and  = (q - 1)(p - 1) Select a random integer e, 1 < e < , s.t. gcd(e, ) = 1 Compute d, 1 < d <  s.t. ed  1 mod  Public key: (e, n) used for verification Private key: d, used for generation 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

RSA Signatures with Hash (cont.)
Signing message M Verify 0 < M < n Compute S = h(M)d mod n Verifying signature S Use public key (e, n) Compute Se mod n = (h(M)d mod n)e mod n = h(M) 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Group Discussion: If removing hash, is plain RSA signature secure? Four or six people form a group to discuss it. One representative presents your discussion results. 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

RSA Operations IS RSA signature Secure? Signing: s1 = m1d mod n, s2 = m2d mod n, Verification: m1 = s1e mod n, m2 = s2e mod n New Signature: Snew=s1*s2= m1m2d mod n, Verification: m1 m2 = Snewe mod n 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Multiplicative Homomorphism
Applications: privacy preserving computation (only for multiplication) 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Attack II The Blind signature Based On RSA
Assume that the Bob published his public key , and keep his secret key private. Alice wants to obtain a RSA signature on message (Blinding Phase) Alice choose a random integer r and compute and send to Bob. 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures 40

Blind Signature Based On RSA
(Signing Phase) The Bob executes the RSA signature on message , which is (Unblinding Phase) Thus, Alice can remove the blind factor by computing Note that, the final signature is different from the version observed by Bob So, Bob has no idea about the true content of the signature. 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures 41

David Lee Chaum Founder of International Association for Cryptologic Research (IACR) (1982) Inventor of secure digital cash (1982) by introducing the cryptographic primitive of a blind signature. Founder of DigiCash, an electronic cash company (1990) Undeniable signatures (1989) Group signatures (1991) Mix networks (1981), the basis of Tor (based on onion routing), 'Godfather of anonymous communication' 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Applications of Blind Signature
E-cash Anonymous authentication Hummingbird: Privacy at the time of Twitter (Oakland’12) Emiliano De Cristofaro (PARC), Claudio Soriente (Universidad Politécnica de Madrid, Spain), and Gene Tsudik and Andrew Williams (UC Irvine) 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures 43

Non-repudiation Nonrepudiation is the assurance that someone cannot deny something. Typically, nonrepudiation refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated. Can one deny a digital signature one has made? Does provide non-repudiation? 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

The Big Picture Secrecy / Confidentiality Stream ciphers Block ciphers + encryption modes Public key encryption: RSA, El Gamal, etc. Authenticity / Integrity Message Authentication Code Digital Signatures: RSA, DSA, etc. Secret Key Setting Public Key Setting Secret key, one sender, one receiver. Public key encryption: anyone can encrypt, only one can decrypt. Digital signature: only one signs, anyone can verify 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Coming Attractions … User authentication 2018/12/3 Topic 2: Public Key Encrypption and Digital Signatures

Topic 2: Public Key Encryption and Digital Signatures

Similar presentations

Presentation on theme: "Topic 2: Public Key Encryption and Digital Signatures"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Topic 2: Public Key Encryption and Digital Signatures

Similar presentations

Presentation on theme: "Topic 2: Public Key Encryption and Digital Signatures"— Presentation transcript:

Similar presentations

About project

Feedback