Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 ISA 562 Information Security Theory & Practice Public Key Cryptosystem Chapter 9 of Bishop ’ s Book.

Published byDonald Byron Thornton Modified over 8 years ago

Similar presentations

Presentation on theme: "1 ISA 562 Information Security Theory & Practice Public Key Cryptosystem Chapter 9 of Bishop ’ s Book."— Presentation transcript:

1 1 ISA 562 Information Security Theory & Practice Public Key Cryptosystem Chapter 9 of Bishop ’ s Book

2 2 Outline Background Diffie-Hellman RSA Cryptographic Checksums

3 3 History Concept conceived by Diffie and Hellman in 1976 Rivest, Shamir and Adleman (RSA) were first to describe a public key system in 1978 Merkle and Hellman published a different solution later in 1978 (broken by Shamir)

4 4 The Big Picture B's Public KeyB's Private Key RELIABLE CHANNEL Encryption Algorithm Decryption Algorithm Plain- text Plain- text Ciphertext INSECURE CHANNEL A A B B B's Public Key

5 5 The Basic Idea Confidentiality: encipher using public key, decipher using private key Integrity/authentication: encipher using private key, decipher using public key B's Public KeyB's Private Key Encryption Algorithm Decryption Algorithm Plain- text Plain- text Ciphertext A A B B ‘Signature’

6 6 Requirements The keys and algorithms must meet these requirements Must be computationally easy to encipher or decipher Must be computationally infeasible to derive the private key from the public key Must be computationally infeasible to determine the private key from a chosen plaintext attack Different from those of secret key cryptosystem except the first requirement Why another cryptosystem?

7 7 Motivation 1- Key Distribution Problem In a secret key cryptosystem, the secret key must be transmitted via a secure channel Inconvenient n parties want to communicate with each other, how many keys need to be transmitted? Insecure Is the secure channel really secure? Public key cryptosystem solves the problem Public key known by everyone – telephone directory Privacy key is never transmitted

8 8 Motivation 2- Digital Signature In a secret key cryptosystem, authentication and non-repudiation may be difficult Authentication You must share a secret key with someone in order to verify his signature Non-repudiation “ I didn ’ t sign it. You did since you also have the key ” Public key cryptosystem solves the problem Verification of signature needs only the public key One is solely responsible for his private key

9 9 Required number theory If a = b + kn for some integer k We write b = a mod n (namely, a is congruent to b modulo n, and b is the residue of a modulo n) Examples: 2 = 12 mod 5, 2 = 12 mod 10, 0 = 12 mod 6 Properties (a O b) mod n = ((a mod n) O (b mod n)) mod n where O is +, -, * 3 5 mod 7 = (3*3*3*3*3 mod 7) = ((3*3 mod 7)*(3*3 mod 7)*(3 mod 7))mod 7 Needed when enciphering/deciphering

10 10 More of the same … A prime number is a positive integer having exactly one positive divisor other than 1. E.g. 3, 5, 7, 11, 13 … a and b are relatively prime if they have no common positive factors other than 1. E.g. 1 and 2, 2 and 3, 3 and 4, but not 2 and 4 The totient function  (n) gives the number of integers between 1 and n-1 that are relatively prime to n. E.g.  (10) = 4 (1,3,7,9 are relatively prime to 10)

11 11 Still More Math Euler's Totient Theorem 1 = a  (n) mod n, where a and n are relatively prime Example: 3  (10) mod 10= 3 4 mod 10 = 81 mod 10 10  (3) mod 3= 10 2 mod 3 = 100 mod 3 Fermat ’ s Little Theorem a p-1 =1 mod p, where p is prime and relatively prime to a Notice  (p) = p-1

12 12 Outline Background Diffie-Hellman RSA Cryptographic Checksums

13 13 Diffie-Hellman Key Exchange Scheme Proposed in 1976 as the first public key algorithm (predates RSA) Allows users to agree on a secret key over insecure channels with no prior communication The secret key can thus be used to encrypt or decrypt message (e.g., SSL 3.0, IPsec) K A A B B Insecure Channel

14 14 Discrete Logarithm Problem D-H is based on the discrete logarithm problem Given integers n and g and prime number p, compute k such that n = g k mod p In general computationally infeasible Choices for g and p are critical Both p and (p – 1)/2 should be prime p should be large (at least 512 bits, possibly 1028 bits) g should be a primitive root mod p

15 15 Diffie-Hellman Key Exchange Scheme A B agree on p and g with 1 < g < p A B X = g x mod p Y = g y mod p Choose x Choose y A B computes k = Y x mod p computes k ’ = X y mod p k=k ’ =g xy mod p knows p, g, X, and Y, but not x or y or k

16 16 Quiz p = 7 and g = 5 Alice chooses x = 2 and send X = ? Bob chooses y = 3 and send Y = ? Shared key: k= ? k ’ = ? (g xy mod p = ? )

17 17 Man-in-the-middle Attack A BC active intruder K1 K2 A B K1 A B K2

18 18 Outline Background Diffie-Hellman RSA Cryptographic Checksums

19 19 RSA In Summary Choose public key (n,e) Compute private key (n,d) Encryption C = M e mod n Decryption M = C d mod n Underlying theory – Euler's Totient Theorem Key Generation

20 20 Key Generation Choose 2 large (512 bit) prime numbers p and q Compute n = p * q Choose e relatively prime to (p-1)*(q-1) Compute d such that 1 = e*d mod (p-1)*(q-1) Publish (n,e) and keep (n,d) (discard p, q)

21 21 Key Generation (Cont ’ d) Large primes can be found efficiently using probabilistic algorithms due to Solvay and Strassen d can be computed using the Extended Euclidean Algorithm (Textbook 31.2) Care must be exercised in choosing p and q, otherwise insecurities may result (p-1, p+1, q-1, q+1 should have large prime factors)

22 22 Key Generation - Example p = 7, q = 11, so n = 77 and (p-1)(q-1) = 60 Alice chooses e = 17, computing d = 53 (17*53=901) publish (77,17) and keep (77,53) secret

23 23 Encryption/Decription Encryption C = M e mod n Decryption M = C d mod n Underlying theory C d mod n = (M e mod n) d mod n = M ed mod n = M 1 mod (p-1)*(q-1) mod n = M (p-1)*(q-1)*i + 1 mod n = (1 i *M) mod n (by Fermat ’ s Little Theorem ) = M mod n = M (require M<n; M relatively prime to n)

24 24 Example: Encryption p = 7, q = 11, n = 77 Alice chooses e = 17, making d = 53 Bob wants to send Alice secret message HELLO (07 04 11 11 14) 07 17 mod 77 = 28 04 17 mod 77 = 16 11 17 mod 77 = 44 14 17 mod 77 = 42 Bob sends 28 16 44 44 42

25 25 Example: Decryption Alice receives 28 16 44 44 42 Alice uses private key, d = 53, to decrypt message: 28 53 mod 77 = 07 16 53 mod 77 = 04 44 53 mod 77 = 11 42 53 mod 77 = 14 Alice translates 07 04 11 11 14 to HELLO No one else could read it, as only Alice knows her private key and that is needed for decryption

26 26 Digital Signatures in RSA RSA has an important property, not shared by other public key systems Encryption and decryption are symmetric Encryption followed by decryption yields the original message (M e mod n) d mod n = M Decryption followed by encryption also yields the original message (M d mod n) e mod n = M Because e and d are symmetric in e*d = 1 mod (p-1)*(q-1)

27 27 Digital Signatures in RSA M d mod n C e mod n Plaintext M Ciphertext C (signature) A's Private Key d A's Public Key e RELIABLE CHANNEL A A B B Plaintext M Plaintext M’ ?

28 28 Compared To Encryption in RSA M e mod nC d mod n Ciphertext C B's Public Key e B's Private Key d RELIABLE CHANNEL A A B B Plaintext M Plaintext M

29 29 Signature and Encryption D Plain- text A's Private Key A A B B B's Public Key A's Public Key B's Private Key ED E Plain- text Signed Plaintext Encrypted Signed Plaintext Signed Plaintext

30 30 Signature and Encryption We could do the encryption first followed by the signature. Signature first has the advantage that the signature can be verified by parties other than B.

31 31 Example: Sign Take p = 7, q = 11, n = 77 Alice chooses e = 17, making d = 53 Alice wants to send Bob message HELLO (07 04 11 11 14) so Bob knows it is from Alice, and it has not been modified in transit 07 53 mod 77 = 35 04 53 mod 77 = 09 11 53 mod 77 = 44 14 53 mod 77 = 49 Alice sends 35 09 44 44 49

32 32 Example: Verify Bob receives 35 09 44 44 49 Bob uses Alice ’ s public key, e = 17, n = 77, to decrypt message: 35 17 mod 77 = 07 09 17 mod 77 = 04 44 17 mod 77 = 11 49 17 mod 77 = 14 Bob translates 07 04 11 11 14 to HELLO (Assume) only Alice has her private key, so no one else could have been able to create a correct signature The (deciphered) signature matches the transmitted plaintext, so the plaintext is not altered

33 33 Example: Both Alice wants to send Bob message HELLO both enciphered and signed Alice ’ s keys: public (17, 77); private: 53 Bob ’ s keys: public: (37, 77); private: 13 Alice does (does she encipher first or sign first?) (07 53 mod 77) 37 mod 77 = 07 (04 53 mod 77) 37 mod 77 = 37 (11 53 mod 77) 37 mod 77 = 44 (14 53 mod 77) 37 mod 77 = 14 Alice sends 07 37 44 44 14 What would Bob do upon receiving the message?

34 34 Security of RSA Cryptanalysis is to compute d while knowing (e, n) such that e*d = 1 mod (p-1)(q-1), and n=pq, for some p and q (the factorization is unique) If factorization of n into p*q is known, this is easy (Extended Euclidean Algorithm). Otherwise, it is hard. Therefore security of RSA is no better than complexity of the factoring problem Is the factoring problem provably hard (e.g., undecidable)? No However, the possibility of an easy factoring method is believed to be remote.

35 35 Fastest implementations of RSA can encrypt kilobits/second Fastest implementations of DES can encrypt megabits/second It is often proposed that RSA be used for secure exchange of DES keys This 1000-fold difference in speed is likely to remain independent of technology advances Matters more in wireless/ad hoc/sensor network RSA Versus DES

36 36 RSA Versus DES Key size of RSA is selected by the user Many implementations choose n to be 154 digits (512 bits) so the key (n,e) is 1024 bits Key size of DES is 64 bits (56 bits plus 8 parity bits)

37 37 RSA Key Size key size should be chosen conservatively cryptographers can stay ahead of (factorization) cryptanalysts by increasing the key size Until 1989 factorization attacks were based on "high school mathematics." Since then sophisticated attacks have extended factorization to larger numbers (usually of a specific form). At present it appears that 130 digit numbers can be factored in several months using lots of idle workstations.

38 38 Outline Background Diffie-Hellman RSA Cryptographic Checksums

39 39 One-way Hash Functions Also known as message digest A function H(M) = m satisfies (Fixed length): M can be of any length, whereas m is of fixed length (One-way): computing H(M)=m is easy, but computing H -1 (m)=M is computationally infeasible (Collision-free): in two forms Weak collision-freedom: given any M, difficult to find another M ’ such that H(M)=H(M ’ ) Strong collision-freedom: difficult to find any M and M ’ such that H(M)=H(M ’ )

40 40 Why Those Requirements? Many applications store H(p) instead of a password p Fixed length: cannot guess the length of p from H(p) (and H(p) is easier to store) One-way: the administrator cannot learn p of others Collision-free: cannot submit incorrect p matching H(p) Most applications sign H(M) instead of M

41 41 Example ASCII parity bit ASCII has 7 bits; 8th bit is “ parity ” Even parity: even number of 1 bits Odd parity: odd number of 1 bits Bob receives “ 10111101 ” If sender is using even parity; six ‘ 1 ’ bits, so character was received correctly Note: could be garbled, but 2 bits would need to have been changed to match parity bit If sender is using odd parity; even number of 1 bits, so character was not received correctly

42 42 Hash Functions In Practice DES based hash functions tend to produce 64 bit digest which cannot be strong CCITT X.509 (proven insecure) Merkle's Snefru: 2-pass version proven insecure; 4-pass version unproven Jueneman's methods: broken and refined and broken and refined NIST Secure Hash Algorithm RSA: MD2, MD4, MD5, SHA-0, SHA-1, SHA-2 (SHA-224, SHA-256, SHA-384, and SHA-512 )

43 43 “ Hash Functions Broken ” ? Crypto 2004 Rump session reported attacks on MD4, MD5 and SHA-0 MD4 ’ s attacks are done by hands Crypto 2005 reported attacks on full SHA-1 Should we panic? Xiaoyun Wang ’ s webpage: http://www.infosec.sdu.edu.cn/people/wangxiaoyun.htm

44 44 “ Hash Functions Broken ” ? (Cont ’ d) Nature of the results Algorithm that finds collision faster than theoretic bound MD5 about one hour; SHA-1 2 63 vs 2 80 (theoretically) Yes, the results disprove those functions to be strong collision-free No, they do not give you a password from its hash Brute force attacks do (refer to http://passcracking.com/)http://passcracking.com/ Whether you should panic or not depends on what you use the hash functions for Xiaoyun Wang ’ s webpage: http://www.infosec.sdu.edu.cn/people/wangxiaoyun.htmhttp://www.infosec.sdu.edu.cn/people/wangxiaoyun.htm

45 45 Hash Functions Vs MAC Send a message M together with its hash h=H(M), so the recipient can verify M by comparing H(M) with the received h Attack: If anyone in the middle can replace M with M ’ and h with h ’ =H(M ’ ), the recipient won ’ t detect this Keyed hash functions Also known as message authentication codes (MAC) Example: DES in CBC mode: use a key to encipher message in CBC mode and use last n bits as the MAC value.

46 46 HMAC Build MAC from keyless hash functions Encryption algorithms cannot be exported h : keyless hash function k : a cryptographic key k padded with 0 Ipad: 00110110 repeated Opad: 01011100 repeated HMAC h(k, m) = h(k  opad || h(k  ipad || m))  exclusive or, || concatenation

47 47 Key Points Public key cryptosystems has two keys Diffie-Hellman exchanges secret key via insecure channel RSA can be used for confidentiality and integrity Cryptographic Checksums are keyed hash functions

Download ppt "1 ISA 562 Information Security Theory & Practice Public Key Cryptosystem Chapter 9 of Bishop ’ s Book."

Similar presentations

Public Key Encryptions CS461/ECE422 Fall 2011. Reading Material Text Chapters 2 and 20 Handbook of Applied Cryptography, Chapter 8 –

Public Key Encryptions CS461/ECE422 Fall Reading Material Text Chapters 2 and 20 Handbook of Applied Cryptography, Chapter 8 –
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.
1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Digital Signature Key distribution.

1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Digital Signature Key distribution.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Public Key Algorithms …….. RAIT M. Chatterjee.

Public Key Algorithms …….. RAIT M. Chatterjee.
Attacks on Digital Signature Algorithm: RSA

Attacks on Digital Signature Algorithm: RSA
Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.

Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)

Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)
RSA Exponentiation cipher

RSA Exponentiation cipher
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Public Key Algorithms 4/17/2017 M. Chatterjee.

Public Key Algorithms 4/17/2017 M. Chatterjee.

Similar presentations

Ads by Google