1 / 59

COSC 350: Codes and Ciphers Public-Key Cryptography

COSC 350: Codes and Ciphers Public-Key Cryptography. March 26, 2002 Prof. Dorothy E. Denning. Public-Key Cryptography. Each user has a unique public-private key pair Alice - K Apriv , K Apub Bob - K Bpriv , K Bpub The public key can be given to anyone

chynna
Télécharger la présentation

COSC 350: Codes and Ciphers Public-Key Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. COSC 350: Codes and CiphersPublic-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning

  2. Public-Key Cryptography • Each user has a unique public-private key pair • Alice - KApriv, KApub • Bob - KBpriv, KBpub • The public key can be given to anyone • The private key is not shared with anyone, including a trusted third party (authentication server) • The public key is a one-way function of the private-key (hard to compute private key from public one) • Used for key distribution/agreement, message encryption, and digital signatures

  3. Origins of Public Key • Concept credited to Diffie and Hellman, 1976 • “New Directions in Cryptography” • Motivation - They wanted a scheme whereby Alice could send a message to Bob without the need for Alice and Bob to share a secret or for a Trusted Third Party -- called “public-key” because Alice & Bob need only exchange public keys to set up a secret channel • Invented earlier by British at CESG • http://www.cesg.gov.uk/about/nsecret.htm

  4. Public-Key Agreement • Method whereby Alice and Bob can agree on a secret key to use with DES, AES, or some other symmetric encryption algorithm • They do this after exchanging only public keys • They each compute a secret session key K from their own private key and the other’s public key. They both arrive at the same K independently

  5. Diffie-Hellman Method • Shared prime p and generator g • Alice: private xa and public ya = gxa mod p • xa = logg ya mod p (hard to compute) • Bob: private xb and public yb = gxb mod p • They swap public keys • Alice computes: K = ybxa mod p = gxbxa mod p • Bob computes: K = yaxb mod p = gxaxb mod p

  6. Math Strength • Depends on difficulty of computing the discrete logarithm • The best known methods are exponentially hard - same as factoring • e.g., given n, find p, q where n = p * q • Need to use numbers on the order of 768 bits (230 digits) or bigger • Implementations typically use 512 (155), 1024 (310) or 2048 (621) bits (digits).

  7. On The Fly Approach • Alice and Bob generate xa, xb, ya, yb on the fly • They exchange ya and yb and compute K • What are drawbacks? • What applications are appropriate?

  8. Permanent • Alice and Bob generate permanent keys and deposit ya and yb in public database (key center) • Alice gets yb from database (or from Bob) • Alice computes K = ybxa mod p = gxb xa mod p • Alice -> Bob: ya, C = EK(M) • (or Bob could get ya from database) • Bob computes K = yaxb mod p = gxa xb mod p • Bob decrypts C with K to get M • What are drawbacks?

  9. Hybrid Approach • Alice & Bob generate xa, xb and deposit public keys ya, yb • Alice gets yb from database (or from Bob) • Alice generates temporary pair xt, yt • Alice computes K = ybxt mod p = gxb xt mod p • Alice -> Bob: yt, EK(M) • Bob computes K = ytxb mod p = gxt xb mod p and decrypts M

  10. Public-Key Encryption • The public and private keys are used for message encryption and decryption for purpose of secrecy • Alice encrypts message to Bob with Bob’s public key • Bob decrypts messages to him with his private key • In practice, public-key encryption is used to encrypt and decrypt messages that contain symmetric keys (e.g., for DES/AES), and the symmetric keys are used to encrypt/decrypt the data

  11. Sending Messages • To send message M to Bob, only Bob’s keys used • Alice -> Bob: C = EBpub(M) • Bob decrypts: M = DBpriv(C) • In practice, use to distribute symmetric key K • Alice -> Bob: CK = EBpub(K), CM = EK(M) • Bob decrypts: K = DBpriv(CK), M = DK(CM) • Alice and Bob then use K to encrypt/decrypt messages

  12. RSA Method • Ron Rivest, Adi Shamir, Leonard Adleman • 1977 -- all at MIT at the time • Basic idea: an exponentiation cipher where the modulus is the product of two large primes • Mathematical strength is derived from the difficulty of factoring a number into its primes

  13. At Crypto 82

  14. RSA • Pick primes p and q and compute n = p * q • Pick e, d such that e * d = 1 mod f(n) • f(n) = (p-1) * (q-1) • (e, n) is public key • (d, n) is private key - (p, q) also part of private key, but not used after computation of d and e • Encrypt: C = Me mod n • Decrypt: M = Cd mod n

  15. Example • p = 53, q = 61, n = 53 * 61 = 3233 • pick e = 71 • compute d such that • 71 * d = 1 mod (52 * 60) • get d = 791 • Let M = 1704 • C = 170471 mod 3233 = 3106. • M = 3106791 mod 3233 = 1704.

  16. Theory • Proof sketch for f(n) = (p-1) * (q-1) • f(n) = # primes < n relatively prime to n • consider the n=pq numbers 0, 1, ..., pq-1 • all are relatively prime to n except for 0 and • p-1 elements: q, 2q, 3q, ..., (p-1)q • q-1 elements: p, 2p, 3p, ..., (q-1)p • so f(n) = pq - [(p-1) + (q-1) + 1] • = pq - p - q + 1 = (p-1)(q-1)

  17. Factoring • Given a number n, find primes p1, p2, ..., pk such that n = p1 * p2 * ... * pk • For RSA, there are known to be only 2 factors: • n = p * q • Factoring arbitrary numbers is harder than factoring special types of numbers, e.g., numbers of the form n = 2s - 1 (Mersenne number) • Breaking RSA can be no harder than factoring, but could be easier

  18. History of Factoring • Year# DigitsMethod • 1970 41 Continued Fraction - Morrison-Brillhart • 1980 50 • 1982 55 • 1983 62 • 1984 72 • 1991 100 Quadratic Sieve • 1993 120 Quadratic Sieve • 1994 129 Quadratic Sieve (RSA predicted 40 quadrilllion years!) • 1996 130 Number Field Sieve (1000 MIPS yrs) • 1999 140 Number Field Sieve (2000 MIPS yrs, 8.9 CPU yrs) • 2000 155 Number Field Sieve (35.7 CPU yrs) (512 bits) • ???? 174 RSA challenge not yet factored (576 bits)

  19. Proposed Advances • The Weizmann Institute Key Locating Engine (TWINKLE) • code breaking machine design by Adi Shamir • 6-by-6-inch electro-optical computer • measures light from diodes to perform calculations to break keys • Daniel Bernstein proposal to NSF • special purpose hardware to facilitate sieving and matrix reduction • trades time for memory • would allow factorization of numbers with 3 times as many bits for large n • might need 3,072-bit key instead of 1,024-bit key

  20. Quadratic Sieve • fastest algorithm for numbers up to 110 digits • Aug. 93 - Mar. 94 - 129-digit number factored in effort led by Arjen Lenstra • Used double large prime variation of the multiple polynomial QS • 600 people, 1,600 machines on the Internet using e-mail to communicate • Equivalent to about 5,000 MIPS years • 1 MIPS year is computation over 1 year at rate of 1 M instructions/sec

  21. Number Field Sieve • fastest method for numbers > 110 digits • 1996 - 130-digit number factored on the Internet -- again led by Lenstra • Took only 500 MIPS years! • Lenstra estimated that 50,000 Pentium PCs could break a 155 digit (512-bit key) in a few days • T = exp((1.923 + O(1))(ln(n)1/3(ln(ln(n)))2/3)

  22. RSA-512 Factored • Factored August 22, 1999 • Used General Number Field Sieve • line sieving and lattice sieving • 35.7 CPU years; 8000 MIPS years • Elapsed time: 7.4 months • Polynomial selection: 9 weeks • Sieving: 3.7 months produced over 124 million relations • 11 sites participated • Matrix solution: 224 CPU hours and 3.2 GB memory on Cray C916 to solve matrix with about 6.7 million rows and columns

  23. QS and NFS • Use random square factoring • Find x and y such that x2 = y2 mod n • Then • x2 - y2 = 0 mod n => (x-y)(x+y) = 0 mod n • If x  y mod n then • gcd(x-y, n) yields a prime factor of n probability of this is at least 1/2 • So trick is generating numbers that are squares

  24. Random Square Factoring • Two-phase process • 1) Sieving/collection • Find number to put into a matrix • Takes gobs of time for large numbers • Effort can be distributed • 2) Matrix reduction/solution • Find entries in matrix that, when combined, give pairs (x, y) of squares • Takes reasonable time, but not distributable • Uses gobs of memory

  25. factor n = 24961 factor base = {-1,2, 3, 5, 13, 23} compute m = sqrt n = 157 a = z + m b = a2 - n so b = a2 mod n i z b factorization of b a v 1 0 -312 -1 * 23 * 3 * 13 157 1 1 1 0 1 0 2 1 3 3 158 0 0 1 0 0 0 3 -1 -625 -1 * 54 156 1 0 0 0 0 0 4 2 320 26 * 5 159 0 0 0 1 0 0 5 -2 -936 -1 * 23 * 32 * 13 155 1 1 0 0 1 0 6 4 960 26 * 3 * 5 161 0 0 1 1 0 0 7 -6 -2160 -1 * 24 * 33 * 5 151 1 0 1 1 0 0 want x, y such that x2 = y2 mod n b3 * b6 * b7 = a32 * a62 * a72 = (a3 * a6 * a7)2 mod n x = a3 * a6 * a7 mod n = 156 * 161 * 151 mod n = 23405 y2 = b3 * b6 * b7 mod n = 210 * 34 * 56 mod n y = - 25 * 32 * 53 mod n = 13922 gcd (x-y, n) = gcd (9483, 24961) = 109 = first factor compute n/109 = 229 = second factor

  26. Generating Primes • For RSA, need to generate primes p, q • Other ciphers also require prime numbers • Guaranteed - prove the number has no factors • must attempt to factor, which is not feasible for very large numbers • Probabilistic - no guarantee • but can say with some very high probability that number is prime • much faster - practical even for very large numbers

  27. Sieve of Eratosthenes • Invented around 200 B.C. • Finds all primes less than N • Write down all numbers 2, 3, 4, 5, ..., N • Delete multiples of 2 greater than 2 • Delete multiples of 3 greater than 3 • Continue up to sqrt(N) • When done, have all primes < N • Totally impractical for 200 digit numbers!

  28. Practical Method • Prick random n-bit number p • Set low-order and high-order bit to 1 • Is p divisible by small primes 3, 5, 7, 11, …? • go up to primes < 256 or 2000 • 3, 5, 7 - eliminates 54% of odd numbers • all primes < 256 eliminates 76% • Do Rabin-Miller test 5 times. If pass all 5 tests, consider p to be prime

  29. Rabin-Miller Test • Probabilistic test • Details in Schneier • Suppose p passes the test. • The probability that p is prime is at least 3/4. Thus, the probability that p is not prime is at most 1/4. • Do test t times. If p passes all t times, then the probability that p is not prime is at most (1/4)t. for t = 5, this is 1/1024

  30. Odds of Success • Pick p at random - what are the chances that it is prime? • Let z = # primes between 1 and N • Prime Number Theorem: • z approaches N/ln(N) as z gets large • For N = 10,000,000 • N/ln(N) = 620,421 and z = 664,579 • So odds are about 7/100 • For 100 digit numbers, odds are 1/115

  31. Strong Primes • Defeat certain factoring methods • Properties • (p-1)/2 and (q-1)/2 should be prime • gcd(p-1, q-1) should be small • both p-1 and q-1 should have large prime factors, denoted p’ and q’ • both p’-1 and q’-1 should have large prime factors • Schneier recommends against using strong primes

  32. Practical Considerationsfor Exponentiation Ciphers • Block messages according to the modulus size • Use method of fast exponentiation • repeated squaring and multiplication • for each 0 bit, square (multiply by itself) • for each 1 bit, multiply and then square • (no square on last bit) • if exponent has t bits, # of multiplies is T where • t <= T <= 2t - 1

  33. Example • 25 = 1 1 0 0 1 • a25 mod n = a16 * a8 * a mod n • how many multiplies? • 89 = 1 0 1 1 0 0 1 • a89 mod n = a64 * a16 * a8 * a mod n • how many multiplies?

  34. Fast Exponentiation • function fastexp(a, z, n) - “return az mod n” • a1 := a; z1 := z; x:= 1; • while z1 != 0 do begin • while z1 mod 2 = 0 do begin “square a1 while z1 is even” • z1 := z1 div 2; • a1 := (a1 * a1) mod n • end; • z1 := z1 - 1; • x := (a1 * x) mod n “multiply” • end; • fastexp := x; • end

  35. Digital Signatures: Objectives • Message integrity and authenticity • detect tampering and bogus messages • Source/sender authenticity • detect forgeries • Non-repudiation • sender cannot disavow signing a message • a third party -- court -- can resolve dispute

  36. Public-Key Signatures • Signer has a public-private key pair • The signature is produced with the private key • only signer can do this • The signature is validated with the public key • anyone can do this, including the intended recipient and a third party judge • No keys of the receiver are used

  37. Sending a Signed Message • Alice sends a signed message to Bob using her private key. Bob validates with her public key • Alice -> Bob: (M, S) where • S = signApriv(h(M)) for hashing function h • Bob checks: validateApub(M, S) • Hashing function h is public and not keyed • S is function of entire message M

  38. RSA Signatures • Let (e, n) be Alice’s public key and (d, n) her private key • Alice -> Bob: (M, S) where • S = signApriv(h(M)) = (h(M))d mod n • Bob checks: validateApub(M, S): • h1 = h(M) • h2 = Se mod n [ = (h(M))d e mod n = h(M) ] • if h1 = h2 then accept else reject

  39. Why Hashing • Reduces time to sign and space for signature • Also important for security • Suppose don’t hash: what happens if you ask Alice to sign a message sent to her? • C = EApub(M) = Me mod n • S = signApriv(M) = Md mod n

  40. Digital Signature Standard (DSS) • FIPS PUB 186, adopted 1994 • Uses variant of methods invented by ElGamal and Schnorr, which in turn were based on Diffie-Hellman • Uses exponentiations in modular arithmetic where security is based on difficulty of computing the discrete log (as for DH) • Uses SHA for hashing

  41. DSS • public values shared by group • p - prime number - 512-1024 bits • q - 160-bit value (most computation mod q) • g = h(p-1)/q mod p where h < (p-1) and g > 1 • user private key • x - any number less than q • user public key • y = gx mod p

  42. Notes • Verification is slower than with RSA • Both RSA and DSS are used extensively -- many products support both • DSS not designed for encryption -- use with Diffie-Hellman key exchange

  43. Encrypt & Sign With RSA • Alice generates K & computes • CK = EBpub(K) • CM = EK(M) • S = signApriv(M) • Alice -> Bob: CK, CM, S • Bob computes • K = DBpriv(CK) • M = DK(CM) • validateApub(M, S)

  44. KBobpub certificate KBobpriv random K enc dec password ciphertext key K K Dear Bob … Love, Alice enc ciphertext message dec Dear Bob … hash sign signature ok? sent to Bob KSAlicepriv KSAlicepub password Bob Alice

  45. E-Mail In Practice • Alice composes message M to Bob and clicks button “send signed and encrypted” • Alice’s system prompts Alice for password, which unlocks her private signature key • Alice’s system looks up Bob’s public key-encrypting key. It generates K, and computes CK, CM, and S • When Bob gets message, he clicks on button “decrypt and validate” • Bob’s system prompts him for a password, which unlocks his private key-encrypting key. It decrypts CK and then CM • Bob’s system looks up Alice’s public signature key and validates S. It displays M and whether S was OK

  46. Login AuthenticationChallenge-Response • Alice logs onto server • Server sends Alice a challenge M • Alice returns M and her signature S of it • Server validates S and knows it is Alice

  47. Elliptic Curve Cryptography • Can implement schemes analogous to Diffie-Hellman and DSA using elliptic curves mod p instead of the integers mod p • Computing discrete logs is thought to be much harder in elliptic curve than integers mod p • Comparable security with shorter keys • 160 bits comparable to 1024 RSA/DH • 108 bits broken in 4 months using 9,500 computers • So less storage needed for keys • Order of magnitude speedup

More Related