1 / 37

Cryptography

Cryptography. Lecture 7 Stefan Dziembowski www.dziembowski.net stefan@dziembowski.net. Plan. Introduction to public-key cryptography Diffie-Hellman key exchange Trapdoor one-way permutations. How to distribute the cryptographic keys?.

annis
Télécharger la présentation

Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cryptography Lecture 7Stefan Dziembowskiwww.dziembowski.net stefan@dziembowski.net

  2. Plan • Introduction to public-key cryptography • Diffie-Hellman key exchange • Trapdoor one-way permutations

  3. How to distribute the cryptographic keys? • If the users can meet in person beforehand – it’s simple. • But what to do if they cannot meet?(a typical example: on-line shopping)

  4. A naive solution: give to every user Pia separate key Kij to communicate with every Pj P2 P3 K12 K13 P4 K14 K15 P1 P5

  5. In general:a quadratic number of keys is needed P2 P3 P4 P1 P5

  6. Problems: • Someone (a Key Distribution Center, KDC) needs to “give the keys” • feasible if the users are e.g. working in one company • infeasible on the internet • relies on the honesty of KDC • KDC needs to be permanently available • ... • The users need to store large numbers of keys in a secure way

  7. The solution: Public-Key Cryptography Ralph Merkle (1974) Whitfield Diffie and Martin Hellman (1976)

  8. A little bit of history • Diffie and Hellman were the first to publish a paper containing the idea of the public-key cryptography:W.Diffie and M.E.Hellman, New directions in cryptographyIEEE Trans. Inform. Theory, IT-22, 6, 1976, pp.644-654. • A similar idea was described by Ralph Merkle: • in 1974 he described it in a project proposal for a Computer Security course at UC Berkeley (it was rejected) • in 1975 he submitted it to the CACM journal (it was rejected) (see http://www.merkle.com/1974/ ) • It 1997 the GCHQ (the British equivalent of the NSA) revealed that they new it already in 1973.

  9. The idea this will be called “signatures” Sign – the signing algorithm Instead of using one key K, • use 2 keys (e,d), where • eis used for encryption, • d is used for decryption, or • d is used for computing a tag, • eis used for verifying correctness of the tag. Moreover: e can be public, and only d has to be kept secret! That’s why it’s called: public-key cryptography

  10. Anyone can send encrypted messages to anyone else 4. P3 computes D(d3,m) P2 P3 public register: d3 3. sends E(e3,m) P4 2. reads e3 P1 1. P1 wants to send m to P3 P5

  11. Anyone can verify the signatures Sign(d3,m) P2 P3 public register: d3 1. Sign(d3,m) Sign(d3,m) P4 2. reads e3 P1 3. computes Vrfy(e3,m) P5

  12. Things that need to be discussed • Who maintains “the register”? • How to contact it securely? • How to revoke the key (if it is lost)? • ... We will discuss this things later(when we will be talking about the Public-Key Infrastructure)

  13. But is it possible? In “physical world”: yes! Examples: • “normal” signatures • padlocks: anyone can lock it the key is needed to unlock

  14. Diffie and Hellman (1976) • Diffie and Hellman proposed the public key cryptography in 1976. • They just proposed the concept, not the implementation. • But they have shown a protocol for key-exchange.

  15. Key exchange initially they share no secret listens Alice Bob key k key k Eve should have no information about k We will formalize it later.Let’s first show the protocol.

  16. h1 = gx h2 = gy The Diffie-Hellman Key exchange G – a group, where discrete log is hard q = |G| g – a generator of G x ← Zq y ← Zq Bob Alice output:kA=(h2)x output:kB=(h1)y equal to:gyx equal to:gxy equal!

  17. Security of the Diffie-Hellman exchange G,g h1 = gx h2 = gy knows gyx? Eve Eve should have no information about gyx

  18. Is it secure? If the discrete log in G is easy then the DH key exchange is not secure. (because the adversary can compute x and y from gxand gy) If the discrete log in G is hard, then... it may also not be completely secure

  19. Example: G = Zp* x is even iff h1is a QR x ← Zq h1 = gx y ← Zq h2 = gy Bob Alice y is even iff h2 is a QR Therefore: gyx is a QR iff (h1 is a QR) or (h2is a QR) So, Eve can compute some information aboutgyx(namely: if it is a QR, or not). gyx ?

  20. Is it a problem, or not? We need to • formalize what we mean by secure key exchange, • identify the assumptions needed to prove the security.

  21. interactive randomizedTuring machine A interactiverandomized Turing machine B “transcript” T: the sequence of exchanged messages: Alice Bob key k key k A protocol is a pair(A,B)of randomized Turing machines. Informal definition:(A,B)issecureif no “efficient adversary” can distinguish kfrom random, givenT, with a “non-negligible advantage”. key k ? T random string of the same length

  22. How to formalize it? security parameter 1n T A B key k є {0,1}n key k є {0,1}n • We say (A,B) is secure a secure key-exchange protocol if • the output of A and B is always the same, and A |Prob [M(1n,T,k) = 1] - Prob [M(1n,T,r) = 1] |is negligible in n polynomial-time Mthat outputs 0 or 1 r is random and |r| = n

  23. How does the protocol look now? It needs to be defined for any parameter 1n. Therefore we need an algorithm H that • on input 1n • outputs: • a description of G of order q, such that |q| = n, • a generator g of G.

  24. How does the protocol look now? security parameter 1n (G,g) ← H(1n) x ← Zq (G,g),q, h1 = gx y ← Zq h2 = gy Bob Alice output:kA=(h2)x output:kB=(h1)y (Note that we cheat a bit because k is a “pseudorandom” group element, not a string of bits.) If such a key exchange protocol is secure, we say that:the Decisional Diffie-Hellman (DDH) problem is hard with respect toH)

  25. An example of H where DDH is believed to be hard QR(p) H(1n): • generate a random strong prime p of length n+1. • set q := (p-1)/2. • choose any x є Zp* such that x ≠ ±1 (mod p). • set g := x2 mod p. • output (p,g). Other groups are also used (e.g. groups based on the elliptic curves).

  26. Practical considerations • It is common to chose any Zp* (for prime p), instead of QR(p). • In some standards p is fixed, for example the RFC3526 document specifies the primes of following lengths: 1536, 2048, 3072, 4096, 6144, 8192.This is the 1536-bit prime: FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF.the generator is: 2.

  27. A problem The protocols that we discussed are secure only against a passive adversary(that only eavesdrop). What if the adversary is active? She can launch a man-in-the-middle attack.

  28. Man in the middle attack I am Bob I am Alice Alice Bob key k key k key k’ key k’ A very realistic attack! So, is this thing totally useless?No! (it is useful as a building block)

  29. Two questions remain • How to construct the public-key encryption? • How to construct the signature schemes? turns out: these questions are related

  30. The observation of Diffie and Hellman: (e,d) – the key pair public-key encryption: ciphertexts plaintexts E(e,x) D(d,y) easy only if one knows d signature schemes: tags(“signatures”) messages Tag(d,y) Vrfy(e,x) easy only if one knows d Looks similar...

  31. Trapdoor permutations A family of permutations indexed by pairs (e,d): {E : X → X}(e,d) є keys this is denoted Dd such that: Ee easy X X • easy: one can compute Ee-1if one knows a trapdoor d • hard (otherwise)

  32. How to encrypt a messagem encryption c := Ee(m) messages plaintexts decryption: m := Dd(c) one can compute it only if one knows d Warning: in general it’s not that simple. We will explain it later.

  33. How to sign a messagem one can compute it only if one knows d signing: signatures messages Dd(m) verifying: Ee(m) Warning: in general it’s not that simple. We will explain it later.

  34. Do such functions exist? Ron Rivest, Adi Shamir, and Leonard Adleman (1977) yes! RSA function is a trapdoor permutation!

  35. The RSA function φ(N)) = (p-1)(q-1). N = pq,such that p and q are large primes eis such thatgcd(e,d) = 1 d is such that ed = 1 (mod φ(N)) Ee: ZN*→ ZN* is defined as: E(m) = me mod N. Dd: ZN*→ ZN* is defined as: D(c) = cd mod N. Does it work? D(E(m)) = md mod N. we get Dd(Ee(m)) = (me)d = med = m1 mod φ(N) public key:(N,e)private key:(N,d)

  36. Is it a trapdoor permutation? • If one can factor large integers → no! (because one can compute φ(N)) • Is there an implication in the opposite direction? nobody knows...

  37. What can be shown • Computing φ(N) is as hard as factoring(we have shown it a week ago). • Computing d from (e,N) is as hard as factoring.

More Related