
Public Key Encryption


Presentation Transcript


  1. CS461/ECE422 Spring 2012 Public Key Encryption Nikita Borisov — UIUC

  2. Reading Material
     • Text Chapters 2 and 21
     • Handbook of Applied Cryptography, Chapter 8
       • http://www.cacr.math.uwaterloo.ca/hac/

  3. Symmetric keys & Distribution
     • Every pair of people must share a secret key
       • E.g.: Alice, Bob, Carol, David: K_AB, K_AC, K_AD, K_BC, K_BD, K_CD
     • How do you keep track of them all?
       • O(N^2) keys for N people
     • How do you exchange them?
       • Must use a secure, out-of-band channel

  4. Public Key Cryptography
     • Cryptographers to the rescue!
     • Two keys:
       • Private key known only to owner
       • Public key available to anyone
     • One key pair per person
       • O(N) keys
     • Merkle, Hellman, Diffie

  5. Public Cryptography Functionality
     • Public key encryption
       • Use public key to encrypt, private key to decrypt
       • RSA, ElGamal, ECIES
     • Public key signatures (similar to MAC)
       • Use private key to sign, public key to verify
       • RSA, DSA, ECDSA
     • Symmetric key distribution
       • Agree on a secret symmetric key over a public channel
       • Diffie-Hellman, ECDH, MQV, ECMQV

  6. Public-Key Cryptography

  7. General Facts about Public Key Systems
     • Public Key Systems are much slower than Symmetric Key Systems
       • RSA 100 to 1000 times slower than DES. 10,000 times slower than AES?
       • Generally used in conjunction with a symmetric system for bulk encryption
     • Public Key Systems are based on “hard” problems
       • Factoring large composites of primes, discrete logarithms, elliptic curves
     • Only a handful of public key systems perform both encryption and signatures

  8. Diffie-Hellman
     • The first public key algorithm
     • A key exchange algorithm, not for encryption or decryption
     • Set up: p prime, g is coprime with p
     • Alice -> Bob: g^x (mod p), x random
     • Bob -> Alice: g^y (mod p), y random
     • Alice and Bob compute:
       • (g^x)^y = (g^y)^x
     • Establish a secret key over a public channel

  9. Example:
     • p=23, g=5
     • Alice picks x=6, sends Bob
       • 5^6 mod 23 = 8
     • Bob picks y=15, sends Alice
       • 5^15 mod 23 = 19
     • Alice computes:
       • 19^6 mod 23 = 2
     • Bob computes:
       • 8^15 mod 23 = 2

  10. Diffie-Hellman Security
      • Charlie has g^x, g^y, needs to find g^(xy)
        • Called “Diffie-Hellman Problem”
      • Fastest way: find x given g^x
        • I.e. take log_g g^x (mod p)
        • Discrete Logarithm Problem
      • Fastest known way is super-polynomial

  11. Real public DH values
      • For IPSec and SSL, there is a small set of g's and p's published that all standard implementations support.
      • Group 1 and 2
        • http://tools.ietf.org/html/rfc2409
      • Group 5 and newer proposed values
        • http://tools.ietf.org/html/draft-ietf-ipsec-ike-modp-groups-00

  12. Diffie-Hellman and Man-in-the-Middle
      • [Diagram: Alice, Eve, Bob]
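
The exchange from slides 8 to 12, as an added example that is not part of the original slides. It uses the slide 9 values p=23, g=5, x=6, y=15; Eve's secret z=3 and all function names are constructed for illustration.

```python
def dh_public(g: int, p: int, secret: int) -> int:
    """Value sent in the clear: g^secret mod p."""
    return pow(g, secret, p)


def dh_shared(peer_public: int, secret: int, p: int) -> int:
    """Key derived from the value received from the peer."""
    return pow(peer_public, secret, p)


def exchange(p, g, x, y, eve_secret=None):
    """Run the exchange; if eve_secret is set, Eve swaps both public values.

    Returns (Alice's key, Bob's key, whether a public value changed in transit).
    """
    sent_by_alice = dh_public(g, p, x)
    sent_by_bob = dh_public(g, p, y)
    if eve_secret is None:
        seen_by_bob, seen_by_alice = sent_by_alice, sent_by_bob
    else:
        # Eve substitutes her own g^z in both directions (slide 12),
        # so each side unknowingly agrees on a key with Eve instead.
        seen_by_bob = seen_by_alice = dh_public(g, p, eve_secret)
    k_alice = dh_shared(seen_by_alice, x, p)
    k_bob = dh_shared(seen_by_bob, y, p)
    altered = (seen_by_bob, seen_by_alice) != (sent_by_alice, sent_by_bob)
    return k_alice, k_bob, altered


def discrete_log(g: int, h: int, p: int) -> int:
    """Exhaustive search for x with g^x = h (mod p); only feasible for toy p."""
    value = 1
    for x in range(p - 1):
        if value == h:
            return x
        value = value * g % p
    raise ValueError("h is not a power of g")


if __name__ == "__main__":
    print(exchange(23, 5, 6, 15))                # slide 9 values
    print(exchange(23, 5, 6, 15, eve_secret=3))  # z=3 is a constructed value
    print(discrete_log(5, 8, 23))                # recovers x from g^x for toy p
```

The `altered` flag compares what was sent with what arrived; the parties can only make that comparison in practice by authenticating the public values, for example with signatures.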

  13. RSA
      • by Rivest, Shamir & Adleman of MIT in 1977
      • best known & widely used public-key scheme
      • based on exponentiation in a finite (Galois) field over integers modulo a prime
        • nb. exponentiation takes O((log n)^3) operations (easy)
      • uses large integers (eg. 1024 bits)
      • security due to cost of factoring large numbers
        • nb. factorization takes O(e^(log n log log n)) operations (hard)

  14. Modular Arithmetic
      • a mod b = x if for some k >= 0, bk + x = a
      • Associativity, Commutativity, and Distributivity hold in Modular Arithmetic
      • Inverses also exist in modular arithmetic
        • a + (-a) mod n = 0
        • a * a^-1 mod n = 1

  15. Modular Arithmetic
      • Reducibility also holds
        • (a + b) mod n = (a mod n + b mod n) mod n
        • a * b mod n = ((a mod n) * b mod n) mod n
      • Fermat’s Thm: if p is any prime integer and a is an integer, then a^p mod p = a
        • Corollary: a^(p-1) mod p = 1 if a != 0 and a is relatively prime to p

  16. Background
      • Totient function φ(n)
        • Number of positive integers less than n and relatively prime to n
        • Relatively prime means with no factors in common with n
      • Example: φ(10) = ?
        • 4 because 1, 3, 7, 9 are relatively prime to 10
      • Example: φ(p) = ? where p is a prime
        • p-1 because all lower numbers are relatively prime
      • φ(pq) = (p-1)(q-1) when p, q are both prime

  17. Background
      • Euler generalized Fermat’s Theorem for composite numbers.
        • Fermat's Thm: a^(p-1) = 1 mod p if a != 0
        • Euler’s Thm: x^φ(n) = 1 mod n
        • Works for any n

  18. RSA Algorithm
      • Choose two large prime numbers p, q
        • Let n = pq; then φ(n) = (p-1)(q-1)
        • Choose e < n such that e is relatively prime to φ(n).
        • Compute d such that ed mod φ(n) = 1
      • Public key: (e, n); private key: d
      • Encipher: C = M^e mod n
      • Decipher: M = C^d mod n
      • Generically: F(V, x) = V^x mod n

  19. Working through the equations
      • C = RSA(M, e) = M^e mod n
      • M’ = RSA^-1(C, d)
      • M’ = (M^e mod n)^d mod n
      • M’ = M^(ed) mod n
      • ed mod φ(n) = 1
      • ed = k*φ(n) + 1
      • M’ = (M mod n * M^(kφ(n)) mod n) mod n
      • By Euler’s theorem (M^k)^φ(n) mod n = 1
      • M’ = M mod n

  20. Example
      • p = 11, q = 17
      • n = 187, φ(n) = 10*16 = 160
      • Let e = 3, then d = 107 (107 * 3 = 321)
        • (can find this using Euclidean algorithm)
      • M = 29
      • C = 29^3 = 24389 = 79 (mod 187)
      • M’ = 79^107 = 111198458817782001560345203757362612455385730171461711652460776161878666503078037332114481897840666397054046667342677228042126488058019906317675811153792810865237482705174079886893643689363009468423234159 = 29 (mod 187)

  21. Modular Exponentiation
      • Don’t need to compute huge numbers
        • 29^3 (mod 187) = (29^2 mod 187) * 29 mod 187 = (841 mod 187) * 29 mod 187 = 93*29 mod 187 = 2697 mod 187 = 79
      • Even better: square/multiply
        • M^11 = ((M^2)^2*M)^2*M
      • This is reasonably fast
        • Only 1000 or so times slower than DES
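
Slides 18 to 21 in code, as an added example that is not part of the original slides: the extended Euclidean algorithm finds d, and square-and-multiply performs the exponentiation without ever forming the huge intermediate number. Function names are constructed; the values are those of slide 20.

```python
def egcd(a: int, b: int):
    """Extended Euclid: return (g, s, t) with a*s + b*t == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def modexp(base: int, exp: int, mod: int) -> int:
    """Left-to-right square-and-multiply, reducing mod n at every step."""
    result = 1
    for bit in bin(exp)[2:]:
        result = result * result % mod      # square for every exponent bit
        if bit == "1":
            result = result * base % mod    # multiply when the bit is set
    return result


def keygen(p: int, q: int, e: int):
    """Return (n, e, d) with e*d mod phi(n) == 1, as on slide 18."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, s, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return n, e, s % phi


def encipher(m: int, e: int, n: int) -> int:
    return modexp(m, e, n)


def decipher(c: int, d: int, n: int) -> int:
    return modexp(c, d, n)


if __name__ == "__main__":
    n, e, d = keygen(11, 17, 3)      # slide 20: n = 187, d = 107
    c = encipher(29, e, n)           # 79
    print(n, d, c, decipher(c, d, n))
```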

  22. RSA security
      • Charlie knows e, n, and receives M^e (mod n)
        • How to find M?
      • Best known way is to factor n
        • Find p and q, find φ(n), find d
        • No proof that there isn’t a faster way
      • Factoring n is believed to be hard
        • Best algorithm is GNFS
        • Complexity is sub-exponential but superpolynomial
      • Largest factored number had 768 bits
        • (About 2000 CPU-years on a 2.2 GHz Opteron)
      • Current recommendations are to use 1500-2000 bits

  23. RSA Security
      • Note: RSA as described is insecure!
        • Why?
      • Deterministic encryption: M^e = M’^e if and only if M = M’
        • Even worse than in the symmetric case because Charlie can try many possibilities for M
      • Semantic security
        • Adversary picks m_1 and m_2 and is provided with Encrypt(m_i), must guess i
        • Requires randomized encryption

  24. Padding
      • Introduce randomness to message
        • P = r || M, where r is random
      • Encryption: P^e
      • Decryption: (P^e)^d, discard random prefix
      • (Actually, still not quite secure, see RSA-OAEP for proper usage)
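
Why slide 23 calls textbook RSA insecure, and what the random prefix of slide 24 changes, as an added example that is not part of the original slides. The toy primes, the 48-bit prefix, the 32-bit message field and all function names are assumptions; this is the slide's simple r || M scheme, not RSA-OAEP.

```python
import secrets

# Constructed toy key: two Mersenne primes, far too small for real use.
PRIME_P, PRIME_Q = 2**31 - 1, 2**61 - 1
N, E = PRIME_P * PRIME_Q, 65537
D = pow(E, -1, (PRIME_P - 1) * (PRIME_Q - 1))   # Python 3.8+
R_BITS, M_BITS = 48, 32                         # assumed layout of P = r || M


def to_int(message: bytes) -> int:
    if len(message) * 8 > M_BITS:
        raise ValueError("message too long for this toy layout")
    return int.from_bytes(message, "big")


def textbook_encrypt(message: bytes) -> int:
    """C = M^e mod n with no randomness: same M always gives same C."""
    return pow(to_int(message), E, N)


def confirm_guess(ciphertext: int, candidates):
    """Anyone with the public key can re-encrypt guesses and compare."""
    for guess in candidates:
        if textbook_encrypt(guess) == ciphertext:
            return guess
    return None


def padded_encrypt(message: bytes) -> int:
    """Encrypt P = r || M with a fresh random prefix r (slide 24)."""
    r = secrets.randbits(R_BITS)
    return pow((r << M_BITS) | to_int(message), E, N)


def padded_decrypt(ciphertext: int) -> bytes:
    """Recover P, discard the random prefix, return M."""
    m = pow(ciphertext, D, N) & ((1 << M_BITS) - 1)
    return m.to_bytes(M_BITS // 8, "big").lstrip(b"\x00")


if __name__ == "__main__":
    vote = textbook_encrypt(b"YES")
    print(confirm_guess(vote, [b"NO", b"YES"]))       # guess confirmed
    c1, c2 = padded_encrypt(b"YES"), padded_encrypt(b"YES")
    print(c1 != c2, confirm_guess(c1, [b"NO", b"YES"]), padded_decrypt(c1))
```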

  25. Hybrid Encryption
      • How do we encrypt messages longer than 1024 bits?
      • Break into blocks, use RSA on each block (slow, potentially insecure)
      • Use a hybrid between RSA and AES
        • Pick random key K
        • Send: RSAEncrypt(K), AES-CBC-Encrypt(K, M)
        • Must ensure K is random!

  26. RSA Signatures
      • RSA is symmetric
        • RSADec(RSAEnc(M)) = RSAEnc(RSADec(M)) = M^(ed) (mod n) = M
      • To “sign” a message, Alice computes S = M^d (mod n)
      • Bob verifies that S^e = M^(ed) = M (mod n)
      • No one other than Alice could have generated S
        • Not even Bob
        • Bob can show S to third parties (non-repudiation)

  27. Hash functions
      • How do we sign messages longer than 1024 bits?
      • Use a hash function

  28. Hash functions in signatures
      • Alice sends RSASign(h(M))
      • Bob computes h(M), verifies signature
      • Security:
        • Bob cannot generate a signature because:
          • He can’t produce a signature on a chosen message
          • He can’t solve h(M) = S’^e for M because h is one way
        • Alice is nevertheless committed to her signature
          • Cannot find M1, M2 such that h(M1) = h(M2)
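
The argument of slides 26 to 28 in code, as an added example that is not part of the original slides: with raw RSA a pair (M, S’) that verifies can be built from the public key alone by choosing S’ first, while hash-then-sign would require inverting h. The toy primes, SHA-256 reduced mod n, the sample messages and all function names are assumptions.

```python
import hashlib

# Constructed toy key: two Mersenne primes, far too small for real use.
PRIME_P, PRIME_Q = 2**31 - 1, 2**61 - 1
N, E = PRIME_P * PRIME_Q, 65537
D = pow(E, -1, (PRIME_P - 1) * (PRIME_Q - 1))   # Python 3.8+


def h(message: bytes) -> int:
    """SHA-256 reduced mod N so it fits the toy modulus (illustration only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def raw_sign(m: int) -> int:
    """Slide 26: S = M^d mod n."""
    return pow(m, D, N)


def raw_verify(m: int, s: int) -> bool:
    """Slide 26: accept if S^e = M (mod n)."""
    return pow(s, E, N) == m % N


def sign(message: bytes) -> int:
    """Slide 28: Alice sends RSASign(h(M))."""
    return raw_sign(h(message))


def verify(message: bytes, s: int) -> bool:
    """Slide 28: Bob computes h(M) and checks the signature against it."""
    return raw_verify(h(message), s)


def pair_from_public_key(s: int):
    """Choose S' first and derive M = S'^e: verifies under raw RSA,
    but M is whatever falls out, not a message of the forger's choosing."""
    return pow(s, E, N), s


if __name__ == "__main__":
    sig = sign(b"pay Bob 10")
    print(verify(b"pay Bob 10", sig), verify(b"pay Bob 1000", sig))
    m, s = pair_from_public_key(123456789)   # constructed S'
    print(raw_verify(m, s), verify(b"pay Bob 1000", s))
```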

  29. Key Points
      • Public Key systems enable multiple operations
        • Confidentiality (key encryption)
        • Integrity and nonrepudiation
        • Symmetric key exchange
      • Slower than symmetric crypto, but still practical
        • Especially in hybrid modes
      • Must be careful how they are used
        • Padding, hash functions
