1 / 59

Private Keys of Public Key Pairs and Zero-Knowledge Protocols

Private Keys of Public Key Pairs and Zero-Knowledge Protocols. Peter Landrock. Public Key Infrastructures requires. Generation of user public keys Registration of users and keys (LRA) Certification (CA) certificates bind a person to his key Directories (DIR) Blacklists/revocation

melissan-ian
Télécharger la présentation

Private Keys of Public Key Pairs and Zero-Knowledge Protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Private Keys of Public Key Pairs and Zero-Knowledge Protocols Peter Landrock

  2. Public Key Infrastructures requires • Generation of user public keys • Registration of users and keys (LRA) • Certification (CA) • certificates bind a person to his key • Directories (DIR) • Blacklists/revocation • Key administration plus -

  3. Format/syntax • ASN.1 based certificates (X.509)? • Special purpose certificates? • Integration into browsers? • Integration into applications (java?) • Security in transport layer (e.g. SSL)? • Format: S/MIME, PGP,….? • Use of smartcards?

  4. PKI - Roles CA DA LRA Users

  5. The world seen with the user’s eyes Business Transactions

  6. Registration atLocal Registration Authority

  7. Communication with Directory under session

  8. Revocation of key

  9. Foundation • But the foundation is cryptographic algorithms, which is – mathematics! • So let’s focus on that for a while

  10. Cryptographic Algorithms • Conventionel (symmetric) crypto systems • Quantum cryptography - unbreakable • Hash functions • perhaps the weakest point - art, not math. • Public key (asymmetric) systems • Today RSA, tomorrow elliptic curves?

  11. Crypto systems • Symmetric systems • same key for encryption and decryption • Asymmetric systems • One key may be given to everybody • the public key, P • while the other is kept secret • the private key, S

  12. Public Key encryption - RSA • Choose two large primes p,q and let n = pq • Choose a public exponent e • mutually prime to (n) = (p -1)(q -1) • Based on classical (Greek) math we find integers d, x < 0, with de + x(n) = 1 • Fact (Euler, Fermat): • For m < n we have m  medmod n • Finding the private key means factoring n

  13. Alternative: One way functions • Choose a large prime number p • Choose a “generator”, g • Choose a random number vas private key • Calculate the public key w = gv modp • Finding v from w is known as the discrete log problem

  14. The new technique: Elliptic Curves • The set of points P = (x,y) satisfying y2 = x3 + ax + b in Z/pZ. can be added using a particular formula. It allows construction of a public key pair. Example: a = 6890847943309044493598067961180259058846730261 b = 45938986288872696329065378640786839725897820174 will correspond to an RSA security level of 768 bits for some prime p of length 200 bits!

  15. Why Elliptic Curves? • More security per bit • Smaller key size • Smaller signature size • Faster computations • Less resources required (smart cards) • Well developed mathematical theory (complex)

  16. RSA/DSA/EC - comparingperformance (RSA: small public exp.)

  17. RSA/DSA/EC - Comparing key sizes

  18. Elliptic Curves An EC is the set of solutions (x,y) to equations of the form y2 + a1xy + a3y = x3 + a2x2 + a4x +a6 over a (finite) field together with an additional point (called the point at infinity O)

  19. Finite fields • (F, +, •): set of elements with addition, subtraction, multiplication and division. • GF(p): Integers modulo p (prime) • GF(2n) • polynomials with binary coefficients modulo and irreducible polynomial of degree n • (a+b)2 = a2 + b2 • Unique up to isomorphism

  20. Implementation Issues • Choice of field • GF(2n) faster than GF(p) (at least in hardware) • Representation of elements for GF(2n) • Standard basis • Optimal normal basis • Polynomials over subfield

  21. Elliptic Curves Example: GF(23) Curve defined by y2 = x3 + x + 1 {(0,1), (0,-1), (1,7), (1,-7), (3, 10), (3,-10), (4,0), (5,4), (5, -4), (6,4), (6,-4), (7,11), (7,-11), (9,7), (9,-7), (11,3), (11, -3), (12,4), (12,-4), (13,7), (13,-7), (17,3), (17,-3), (18,3),(18,-3), (19,5), (19,-5)}

  22. Elliptic Curves Sum (xs,ys) of (x1,y1) = (9,7) and (x2, y2) = (18,3)=(-5,3), x1≠y1 is defined as follows: :=(y2-y1)/(x2-x1) = -4/9 = 20 mod 23 xs = 2-x1-x2 =9-9+5=5 ys= (x1-xs)-y1 = -3(9-5) - 7 = 4 Thus (9,7)+(18,3) = (5,4)

  23. Elliptic Curves Double of (5,4) :=(3x12+1)/(2y1) = 76/8 = 7/8 = 21 = -2 xd = 2-2x1 =4-5-5=17 yd= (x1-xs)-y1 = -2(5+6) - 4 = -3 Thus (5,4)+(5,4) = (17,-3)

  24. GF(2n) GF(2): p(u) irreducible polynomial of degree n EC over GF(2n) defined by y2+xy = x3 + ax2 + b

  25. EC over GF(2n) Sum :=(y1+y2)/(x1+x2) xs = 2+  + x1+x2 + a ys = (x1+xs)+ xs + y1 Double:= x1 + y1/x1 xd = 2+  + a yd = ( + 1)xD + x12

  26. Key Generation • Choose field and equation • Determine the group order g • If large prime divisor q, choose curve randomly • Find a generator of subgroup of order q • Let g = qr • Choose random point P • Calculate rP • If rP  O, set generator := rP • Try our lab on www.cryptomathic.com!

  27. How to blackmail a bank using RSA with public exponent 3

  28. 1. step • The well-known bank AMO announces a nation-wide PKI scheme based on RSA (1024 bits, public exponent 3) • Message received week 1 at AMO: • I know your private key! I am going to publish the 1st upper byte of the key, unless you send me 2 $! • Bank ignores

  29. 2. step • Message received week 2 by AMO: • Here is the 1st byte: 11011010 • I am going to publish the 2nd upper byte of your private key, unless you send me 4 $! • Bank is puzzled. The blackmailer is right about the first byte! Could he be guessing, or maybe the first byte is not so difficult?

  30. 3. step • Message received week 3 by AMO: • Here is the 2nd byte: 00011001 • I am going to publish the 3rd upper byte of your secret key, unless you send me 8 $! • The Bank hires a security specialist • the problem is that it will cost 100.000 $ to switch to a different key

  31. About 1 year later • Message received week 52 by AMO: • Here is the 51st byte: 01111101 • I am going to publish the 52nd upper byte of your secret key, unless you send me 252 $! • Conclusion of the specialist: • offerhim 25.000 $ now

  32. Conclusion • If they had hired an expert rather than a specialist, they could have saved the money (less his fee of course!) • Expert opinion: • 1024 bits is 128 bytes. He can only do what he does up to the first 64 bytes. • Here is how he does it:

  33. Solution • 1. Subtract 1 from the modulus n • 2. Divide by 3 and multiply by 2 • 3. The upper half of this number is the upper half of your private exponent • AMO: What about the lower half? • Only the banks knows! The system is secure

  34. Proof • ”Based on classical (Greek) math we find integers d, x < 0, with (*) de + x(n) = 1” • where d is chosen minimal of course • Now let e = 3. As d<(n), x is -1 or -2! • But as 3 is mutually prime to (n) = (p -1)(q -1), • p and q are both 2 mod 3, • and (*) above shows x = -2 as (n) = 1mod3

  35. Proof • Hence d = (1 + 2(n))/3 • But (n) = (p -1)(q -1) = n –(p + q) + 1, • Thus we know the upper half of (n): It is equal to the upper half of n. • This suggest to consider very carefully what to store as the private key, e.g. if storage is a problem

  36. Card trick • End up with two piles: A private key and the corresponding public key Card trick described in the appendix

  37. Demo: Key Generation - the most vulnerable part -- using two suits in a deck of cards. Say spade (black) and hearts (red) • Chose a very large prime number (13) • Calculate ”modulo” 13: divide by 13 and take the remainder: 29 = 213 + 3 = 3 mod 13 53 = 125 = 10·13 - 5 = 8 mod 13 (= 9·13 + 8) • Remove the king = 13 = 0 mod 13

  38. My private key!!! • 12, 11, 9, 5, 10, 7, 1, 2, 4, 8, 3, 6 • Do you recognise a pattern? • We have illustrated Fermat’s little Theorem: 213 mod 13 = 2 (ap mod p = a) • 2 is a generator: 2, 22, 23, 24, 25,…. up to 212 = 1 are all different mod 13! • Which power of 2 is e.g. 10 mod 13?

  39. Mechanisms and (Interactive) Protocols • Mechanisms • To generate a digital signature is a mechanism • Comprising of cryptographic primitives, e.g. • Hash calculation (e.g. SHA-1) • Signature generation (e.g. RSA PKCS #1) • Interactive protocols • Can be used for • Key exchange (e.g. Diffie-Hellman) • User Identification

  40. User Identification • Let’s assume Alice has a public key pair (P,S). • Alice wants to get access to a database DB • DB knows her public key (e.g. through a valid certificate) • We need to agree on an identification protocol? • How?

  41. Many possibilities • How about? • Alice connects • BD sends a ransom challence r • Alice calculates S(r) and sends this to DB • DB verifies that P(S(r)) = r and lets her in • Is this safe?

  42. Problem • DB can use Alice as an oracle • R might be the hash of a message which commits Alice unknowingly • The problem is that Alice calculates what may be a digital signature • How can this be prevented? • The problem is that we cannot be sure that Alice applies her private key to something completely random

  43. Solution • 1. step • DB chooses any r, calculates s = P(r), and sends s to Alice • 2. step • Alice calculates S(s) = r and returns r to DB • What did DB learn, except that Alice was able to recover r – not known to her – from s? • Nothing at all • But ....

  44. Solution • Alice has no means of verifying that DB follows the protocol • Something else is needed: • Let E be some symmetric encryption which Alice and DB agrees is strong • We can now define a socalled zero-knowledge identification protocol:

  45. Solution • 1. step • DB chooses any r, calculates s = P(r), and sends s to Alice • 2. step • Alice calculates S(s) = r, chooses a random key k and returns Ek(r) to DB • 3. step • DB sends r to Alice • 4. step • Alice sends k to DB who verifies Dk(Ek(r)) = r

  46. Succes! • This protocol • is secure • Alice will not be succesful without knowing S • is sound • DB will know that only a person able to compute r from randomly chosen P(r) can respond • is zero-knowledge • DB learns nothing from the protocol that he could not calculate by himself: P(r) = s  S(s) = r – except that Alice can calculate r from s • In fact -

  47. Zero-knowledge protocol can be simulated • 1. step • DB chooses any r, calculates s = P(r), and sends s to DB • 2. step • DB chooses a random key k and returns Ek(r) to DB • 3. step • DB sends r to DB • 4. step • DB sends k to DB who verifies Dk(Ek(r)) = r

  48. Zero-knowledge protocol can be simulated • A third party (an arbiter) cannot differentiate the traces of • a simulated zero-knowledge protocol from that of • a 2-party zero-knowledge protocol: • Only DB will know if he simulated it or he indeed did identity Alice in the protocol!

  49. Useful definitions (Fiat-Shamir) • Authentication • A can prove to B that she is A • Identification • A can prove to B that she is A, but B cannot prove to C that he is A • Non-repudiation • A can prove to B that she is A, but B cannot even prove to himself that he is A

  50. Conclusion • Cryptography is applied mathematics • Mathematics was ”invented” to be helpful • and it is! • T.H. Hardy wrote in ”A mathemathian’s Apology ”: • I have never done anything useful! • Not true: We use the Hardy-Littlewood conjecture in our products

More Related