Presentation is loading. Please wait.

Presentation is loading. Please wait.

Public Key Algorithms 4/17/2017 M. Chatterjee.

Similar presentations


Presentation on theme: "Public Key Algorithms 4/17/2017 M. Chatterjee."— Presentation transcript:

1 Public Key Algorithms 4/17/2017 M. Chatterjee

2 Modular Arithmetic Public key algorithms are based on modular arithmetic. Modular addition. Modular multiplication. Modular exponentiation. 4/17/2017 M. Chatterjee

3 Modular Addition Addition modulo (mod) K
Poor cipher with (dk+dm) mod K, e.g., if K=10 and dk is the key. Additive inverse: addition mod K yields 0. “Decrypt” by adding inverse. 4/17/2017 M. Chatterjee

4 Modular Multiplication
Multiplication modulo K Multiplicative inverse: multiplication mod K yields 1 Only some numbers have inverse Use Euclid’s algorithm to find inverse Given x, n, it finds y such that xy mod n = 1 All number relatively prime to n will have mod n multiplicative inverse 4/17/2017 M. Chatterjee

5 Totient Function x, m relative prime: no other common factor than 1
Totient function ø(n): number of integers less than n relatively prime to n if n is prime, ø(n)=n-1 if n=pq, and p, q are primes, ø(n)=(p-1)(q-1) 4/17/2017 M. Chatterjee

6 Modular Exponentiation
xy mod n = xy mod ø(n) mod n if y = 1 mod ø(n) then xy mod n = x mod n 4/17/2017 M. Chatterjee

7 RSA (Rivest, Shamir, Adleman)
The most popular one. Support both public key encryption and digital signature. Assumption/theoretical basis: Factoring a big number is hard. Variable key length (usually 512 bits). Variable plaintext block size. Plaintext must be “smaller” than the key. Ciphertext block size is the same as the key length. 4/17/2017 M. Chatterjee

8 What Is RSA? To generate key pair:
Pick large primes (>= 256 bits each) p and q Let n = p*q, keep your p and q to yourself! For public key, choose e that is relatively prime to ø(n) =(p-1)(q-1), let pub = <e,n> For private key, find d that is the multiplicative inverse of e mod ø(n), i.e., e*d = 1 mod ø(n), let priv = <d,n> 4/17/2017 M. Chatterjee

9 How Does RSA Work? Given pub = <e, n> and priv = <d, n>
encryption: c = me mod n, m < n decryption: m = cd mod n signature: s = md mod n, m < n verification: m = se mod n 4/17/2017 M. Chatterjee

10 Why Does RSA Work? Given pub = <e, n> and priv = <d, n>
n =p*q, ø(n) =(p-1)(q-1) e*d = 1 mod ø(n) xed = x mod n encryption: c = me mod n decryption: m = cd mod n = med mod n = m mod n = m Why???????? 4/17/2017 M. Chatterjee

11 What is Fermat’s theorem???
e*d = 1 mod ø(n) So e*d = 1 + kø(n) …med mod n = m 1 + kø(n) m (m kø(n) mod n) = m ???? What is Fermat’s theorem??? 4/17/2017 M. Chatterjee

12 Why Is RSA Secure? Factoring 512-bit number is very hard!
But if you can factor big number n then given public key <e,n>, you can find d, hence the private key by: Knowing factors p, q, such that, n = p*q Then ø(n) =(p-1)(q-1) Then d such that e*d = 1 mod ø(n) 4/17/2017 M. Chatterjee

13 Attacks on RSA • Brute force key search • Mathematical attacks
• Timing attacks 4/17/2017 M. Chatterjee

14 Math-Based Attacks Three possible approaches: – Factor n = pq
– Determine F(n) – Find the private key d directly • All the above are equivalent to factoring n 4/17/2017 M. Chatterjee

15 Brute Force An adversary just tries all possible
keys and keeps his fingers crossed that the right key is not the last key he will try ! 4/17/2017 M. Chatterjee

16 Timing Attacks By measuring the time required to perform
decryption (exponentiation with the private key as exponent), an attacker can figure out the private key Possible countermeasures: – use constant exponentiation time – add random delays – blind values used in calculations 4/17/2017 M. Chatterjee

17 Other Attacks on RSA Small encryption exponent e
E=3, Alice sends the message m to three people (public keys (e, n1), (e, n2), (e,n3)) An attacker can compute a solution to the following system x = c1 mod n1 x = c2 mod n2 x = c3 mod n3 Then, compute m from x = m3 Countermeasure: padding required 4/17/2017 M. Chatterjee

18 Forward Search Attack If message space is small, the attacker can
create a dictionary of encrypted messages (public key known, encrypt all possible messages and store them) When the attacker ‘sees’ a message on the network, compares the encryptedmessages, so he finds out what particular message was encrypted 4/17/2017 M. Chatterjee

19 Small decryption exponent d
Choosing a small exponent helps efficiency BUT If size of d is 1/4 size of n (in bits) and gcd(p-1,q-1) is small, there is a way to compute d only from e and n. Countermeasure: d should be about the same size as n. 4/17/2017 M. Chatterjee

20 Common modulus attack Each entity must choose its own modulus
Assume Alice and Bob generated keys using the same modulus n, ((e1, n ), d1)) and ((e2, n), d2)) C1 = Me1 mod n, C2 = Me2 mod n (e1)a + (e2) b = 1 if gcd(e1,e2)=1 M = C1a C2 b mod n 4/17/2017 M. Chatterjee

21 Cycling attack Intercepted ciphertext: C C1 = Ce mod n C2 = C1e mod n
Ck = Ck-1e mod n If Ck = C then stop P = Ck-1 4/17/2017 M. Chatterjee

22 Attacker Goals Total break: the attacker finds the key (the
symmetric key for ciphers or the private key for public key cryptosystems); after that all ciphertexts can be decrypted. Partial break: with some probability , the adversary is able to decrypt previously unseen ciphertexts, without knowing the key. Or the adversary can find out info about the plaintext, just by looking at the ciphertext. Distinguishability: with probability > 0.5, the adversary can distinguish between encryption of two different plaintexts, or between an encryption and a random string. 4/17/2017 M. Chatterjee

23 Diffie-Hellman Key Exchange
Shared key, public communication No authentication of partners What’s involved? P is a prime (about 512 bits), and g < p P and g are publicly known 4/17/2017 M. Chatterjee

24 4/17/2017 M. Chatterjee

25 Diffie-Hellman Key Exchange
Procedure Alice Bob pick secret Sa randomly pick secret Sb randomly compute TA=gSa mod p compute TB=gSb mod p send TA to Bob send TB to Alice compute TBSa mod p compute TASb mod p Alice and Bob reached the same secret gSaSb mod p, which is then used as the shared key. 4/17/2017 M. Chatterjee

26 DH Security - Discrete Logarithm Is Hard
T = gs mod p Conjecture: given T, g, p, it is extremely hard to compute the value of s (discrete logarithm) 4/17/2017 M. Chatterjee

27 Diffie-Hellman Scheme
Security factors Discrete logarithm very difficult. Shared key (the secret) itself never transmitted. 4/17/2017 M. Chatterjee

28 Disadvantages: Expensive exponential operation
DoS possible. The scheme itself cannot be used to encrypt anything – it is for secret key establishment. No authentication, so you can not sign anything … 4/17/2017 M. Chatterjee

29 Bucket Brigade Attack...Man In The Middle
Alice Trudy Bob gSa=123 gSx =654 gSb =255 123 --> > < <--255 654Sa=123Sx Sx=654Sb Trudy plays Bob to Alice and Alice to Bob 4/17/2017 M. Chatterjee

30 Diffie-Hellman in Phone Book Mode
DH was subject to active man-in-the-middle attack because their public key-component was intercepted and substituted Phone book mode allows everyone to generate the public key-component in advance and publish them through other reliable means, e.g. <TB> for bob All communicating parties agree on their common <g, p> 4/17/2017 M. Chatterjee

31 Encryption With Diffie-Hellman
Everyone computes and publishes <p, g, T> T=gS mod p Alice communicates with Bob: Alice Picks a random secret Sa Computes gbSa mod pb Use Kab = TbSa mod pb to encrypt message Send encrypted message along with gbSa mod pb 4/17/2017 M. Chatterjee

32 Bob (gbSa)Sb mod pb = (gbSb)Sa mod pb = TbSa mod pb = Kab
Use Kab to decrypt 4/17/2017 M. Chatterjee


Download ppt "Public Key Algorithms 4/17/2017 M. Chatterjee."

Similar presentations


Ads by Google