Presentation is loading. Please wait.

Presentation is loading. Please wait.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

Similar presentations

Presentation on theme: "CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz."— Presentation transcript:

1 CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz

2 Administrative announcements  Midterm I –March 6  GRACE accounts set up  Read the essays and papers linked from the course webpage –Will discuss next Tuesday and/or Thursday

3 Public-key cryptography

4 The public-key setting  A party (Alice) generates a public key along with a matching secret key (aka private key)  The public key is widely distributed, and is assumed to be known to anyone (Bob) who wants to communicate with Alice –We will discuss later how this can be ensured  Alice’s public key is also known to the attacker!  Alice’s secret key remains secret  Bob may or may not have a public key of his own

5 The public-key setting c = Enc pk (m) pk c = Enc pk (m) pk

6 Private- vs. public-key I  Disadvantages of private-key cryptography –Need to securely share keys What if this is not possible? Need to know in advance the parties with whom you will communicate Can be difficult to distribute/manage keys in a large organization –O(n 2 ) keys needed for person-to-person communication in an n-party network All these keys need to be stored securely –Inapplicable in open systems (think: e-commerce)

7 Private- vs. public-key II  Why study private-key at all? –Private-key is orders of magnitude more efficient –Private-key still has domains of applicability Military settings, disk encryption, … –Public-key crypto is “harder” to get right Needs stronger assumptions, more math –Can combine private-key primitives with public-key techniques to get the best of both (for encryption) Still need to understand the private-key setting! –Can distribute keys using trusted entities (KDCs)

8 Private- vs. public-key III  Public-key cryptography is not a cure-all –Still requires secure distribution of public keys May (sometimes) be just as hard as sharing a key Technically speaking, requires only an authenticated channel instead of an authenticated + private channel –Not clear with whom you are communicating (for public-key encryption) –Can be too inefficient for certain applications

9 Cryptographic primitives Private-key settingPublic-key setting Confidentiality Private-key encryption Public-key encryption Integrity Message authentication codes Digital signature schemes

10 Public-key encryption

11 Functional definition  Key generation algorithm: randomized algorithm that outputs (pk, sk)  Encryption algorithm: –Takes a public key and a message (plaintext), and outputs a ciphertext; c  E pk (m)  Decryption algorithm: –Takes a private key and a ciphertext, and outputs a message (or perhaps an error); m = D sk (c)  Correctness: for all (pk, sk), D sk (E pk (m)) = m

12 Security?  Just as in the case of private-key encryption, but the attacker gets to see the public key pk  That is: –For all m 0, m 1, no adversary running in time T, given pk and an encryption of m 0 or m 1 can determine the encrypted message with probability better than 1/2 +   Public-key encryption must be randomized (even to achieve security against ciphertext-only attacks)  Security against ciphertext-only attacks implies security against chosen-plaintext attacks

13 El Gamal encryption  We have already (essentially) seen one encryption scheme: p, g h A = g x mod p h B = g y mod p K AB = (h B ) x K BA = (h A ) y p, g, h A = g x ReceiverSender c = (K BA. m) mod p h B, c

14 Security  If the DDH assumption holds, the El Gamal encryption scheme is secure against chosen- plaintext attacks

15 RSA: background  N=pq, p and q distinct, odd primes   (N) = (p-1)(q-1) –Easy to compute  (N) given the factorization of N –Hard to compute  (N) without the factorization of N  Fact: for all x  Z N *, it holds that x  (N) = 1 mod N –Proof: take CMSC 456!  If ed=1 mod  (N), then for all x it holds that (x e ) d = x mod N

16 RSA key generation  Generate random p, q of sufficient length  Compute N=pq and  (N) = (p-1)(q-1)  Compute e and d such that ed = 1 mod  (N) –e must be relatively prime to  (N) –Typical choice: e = 3; other choices possible  Public key = (N, e); private key = (N, d)  We have an asymmetry! –Given c=x e mod N, receiver can compute x=c d mod N –No apparent way for anyone else to recover x

17 Hardness of the RSA problem?  The RSA problem: –Compute x given N, e, and x e mod N  If factoring is easy, then the RSA problem is easy  We know of no other way to solve the RSA problem besides factoring N –But we do not know how to prove that the RSA problem is as hard as factoring  The upshot: we believe factoring is hard, and we believe the RSA problem is hard

18 “Textbook RSA” encryption  Public key (N, e); private key (N, d)  To encrypt a message m  Z N *, compute c = m e mod N  To decrypt a ciphertext c, compute m = c d mod N  Correctness clearly holds…  …what about security?

19 Textbook RSA is insecure!  It is deterministic!  Furthermore, it can be shown that the ciphertext leaks specific information about the plaintext

20 Padded RSA  Public key (N, e); private key (N, d) –Say |N| = 1024 bits  To encrypt m  {0,1} 895, –Choose random r  {0,1} 128 –Compute c = (r | m) e mod N  Decryption done in the natural way…  Essentially this idea has been standardized as RSA PKCS #1 v1.5

21 Hybrid encryption  Public-key encryption is “slow”  Encrypting “block-by-block” would be inefficient for long messages  Hybrid encryption gives the functionality of public-key encryption at the (asymptotic) efficiency of private-key encryption!

22 Hybrid encryption Enc’ message Enc k pk “encapsulated key” “encrypted message” ciphertext Enc = public-key encryption scheme Enc’ = private-key encryption scheme

23 Security  If public-key component and private-key component are secure against chosen-plaintext attacks, then hybrid encryption is secure against chosen-plaintext attacks

24 Malleability/chosen-ciphertext security  All the public-key encryption schemes we have seen so far are malleable –Given a ciphertext c that encrypts an (unknown) message m, may be possible to generate a ciphertext c’ that encrypts a related message m’  In many scenarios, this is problematic –E.g., auction example; password example  Note: the problem is not integrity (there is no integrity in public-key encryption, anyway), but malleability

Download ppt "CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz."

Similar presentations

Ads by Google