960 likes | 1.29k Vues
Week 7: Public-Key Cryptography. MSIS 525 Encryption and Authentication Systems Summer 2010. Topics. Public Key Encryption (PKE) PKE Math Symmetric Key Exchange Using PKE Distributing Public Keys Authentication Technologies MACs Hashes Digital Signatures. Public Key Encryption.
E N D
Week 7: Public-Key Cryptography MSIS 525 Encryption and Authentication Systems Summer 2010
Topics • Public Key Encryption (PKE) • PKE Math • Symmetric Key Exchange Using PKE • Distributing Public Keys • Authentication Technologies • MACs • Hashes • Digital Signatures
Public Key Encryption • Uses one key for encryption, and another for decryption • Applications • Encryption of short messages • like keys • Authentication • through digital signatures
PKE for Encryption Alice Bob
PKE for Authentication Alice Bob
PKE for both simultaneously Alice Bob PRAlice PUAlice PRBob PRBob PUBob
PKE is not ... • Suitable for encrypting long messages • Necessarily more secure than symmetric • Necessarily more efficient in distributing keys than symmetric So don’t fall prey to these myths.
RSA • The most popular PKE system • Developed by Rivest, Shamir, and Adelman in 1977 • Is a block cipher • Plaintext and ciphertext are treated as numbers between 0 and 2numbits–1 • numbits typically >= 1024
RSA Encryption and Decryption • Encryption has the form: C = Me mod n • Decryption has the form M = Cd mod n • n is the product of two primes, p and q
RSA: What the two sides know • Visibility for confidentiality: • sender knows e and n • receiver knows d and n (as the product p and q) • In other words, these are the keys: • public key = {e, n} • private key = {d, p, q}
Example: RSA by hand • Select primes: p=17 & q=11 • Computen = pq =17×11=187 • Compute ø(n)=(p–1)(q-1)=16×10=160 • Select e : gcd(e,160)=1; choose e=7 • Determine d: e-1 mod 160 and d < 160 Value is d=23 since 23×7=161= 1 mod 160(could also use http://cs.lewisu.edu/~klumpra/msis525/multinv.php) • Publish public key PU={7,187} • Keep secret private key PR={23,17,11} KEY GENERATION
Example: RSA by hand • given message M = 88 (note: 88<187) • encryption: C = 887 mod 187 = 11 • decryption: M = 1123 mod 187 = 88
How hard is it to break RSA? • The big concern – • attacker knows the public key e & n • can an attacker determine the private key d? • if he can, then he can determine M = Cd mod n
How hard is it to determine d? • To determine d • Need to factor n into p and q • No small task – n is a 309-digit number • So that he can determine f(n) = (p-1)(q-1) • So that we can determine d = e-1 mod f(n)
Timing Attacks • Alternative to brute force • Exploit timing variations in operations • eg. multiplying by small vs large number • Infer operand size based on time taken • RSA involves raising numbers to large powers • Can estimate size of exponent by how long it takes • Countermeasures • use constant exponentiation time • add random delays
RSA Secure but ... • It’s slow • So, use it for exchanging short messages • like keys
Issues • How can we speed up the arithmetic? • How do you find two large primes? • What the heck is f(n)?
Speeding up the math through knowledge of modular arithmetic Basic operations mod n • (a+b) mod n = (a mod n + b mod n) mod n • (a*b) mod n = (a mod n * b mod n) mod n • y = -x mod n if and only if (y + x) mod n = 0 • y = x-1 mod n if and only if (y * x) mod n = 1
Examples • What is (8+4) mod 5? • What is (8*4) mod 5? • What is the additive inverse of 2 mod 5? • What is the multiplicative inverse of 2 mod 5?
How do you compute big powers? • 1123 mod 187 = ???
Example:Computing 1123 mod 187 • 1123 mod 187 = [(111 mod 187) x (112 mod 187) x (114 mod 187) x (118 mod 187) x (118 mod 187) mod 187 • 111 mod 187 = 11 • 112 mod 187 = 121 • 114mod 187=(121*121)mod 187 =55 • 118mod 187 = (55*55)mod 187 = 33 • 1123mod 187=(11*121*55*33*33) mod 187 = 88
Chinese Remainder Theorem • Makes it possible to reconstruct integers in a certain range from their remainders when divided by a pair of relatively prime numbers. • provided we know the factors, a very large number can be manipulated using smaller numbers • this will help the recipient compute M = Cd mod n, since n = p * q, and the recipient knows p and q
Example: CRT • Using residues 2 and 5, compute 7 + 8 mod 10. • 7 mod 2 = 1, 7 mod 5 = 2, so 7 is (1,2) • 8 mod 2 = 0, 8 mod 5 = 3, so 8 is (0,3) • (1,2) + (0,3) = (1,5) • So, we seek a number x < 10 such that x mod 2 = 1 mod 2 (i.e. 1) and x mod 5 = 5 mod 5 (i.e. 0) • That number is 5. • Sure enough, (7 + 8) mod 10 = 15 mod 10 = 5
Another example: CRT • Using residues 2 and 5, compute 7 * 8 mod 10 • 7 mod 2 = 1, 7 mod 5 = 2, so 7 is (1,2) • 8 mod 2 = 0, 8 mod 5 = 3, so 8 is (0,3) • (1,2) * (0,3) = (0,6) • So, we seek a number x < 10 with x mod 2 = 0 mod 2 and x mod 5 = 6 mod 5 = 1. • That number is 6 • Sure enough (7*8) mod 10 = 56 mod 10 = 6
Application of CRT to Encryption • RSA involves calculations modulo n, a product of primes p and q • n is huge ( >= 1024 bits long) • Because of CRT, calculations can be done on p and q instead • p and q are much smaller • thus, calculations are easier
Determining the multiplicative inverse • For large numbers, it can be difficult to determine the multiplicative inverse • but we have to: d = e-1 mod F(n) • You can use this tool instead:http://cs.lewisu.edu/~klumpra/msis525/multinv.php This will find the inverse of 5 mod 7
Just in case you’re interested. Here’s the source code: <html> <head> <title>Find the multiplicative inverse in GF(p^n)</title> </head> <body> <?php function xGCD($a1,$a2,$a3,$b1,$b2,$b3) { $q = 0; $t1 = $t2 = $t3 = 0; if ($b3 == 0) { return 0; } if ($b3 == 1) { return $b2; } $q = (int)($a3/$b3); $t1 = $a1-$q*$b1; $t2 = $a2-$q*$b2; $t3 = $a3-$q*$b3; return xGCD($b1,$b2,$b3,$t1,$t2,$t3); } $vars= $_REQUEST; if (count($vars) > 0) { $p = $vars["base"]; $n = $vars["exp"]; $num = $vars["num"]; $base = pow($p,$n); $answer = xGCD(1,0,$base,0,1,$num%$base); while ($answer < 0) { $answer += $base; } print "Answer = $answer<br>"; } ?> <form method="get"> Enter base p: <input type="text" name="base"></input><br> Enter exponent n: <input type="text" name="exp"></input><br> Enter number for which you want the inverse: <input type="text" name="num"></input><br> <input type="submit" value="OK"></input> <input type="reset" value="Clear"></input> </form> </body> </html>
Prime numbers • First step in RSA: choose p and q prime • A prime number p is a positive integer having no divisors other than 1 and p • There are an infinite number of primes
Theorems regarding primes • If p is a prime number and a is a positive integer not divisible by p, then ap-1 mod p = 1 • If p is a prime number and a is a positive integer, then ap mod p = a mod p
Examples • What is 44 mod 5? • Here,a = 4p = 5 • By the first theorem, ap-1 mod p = 1So, we know 45-1 mod 5 = 1
Examples • What is 45 mod 5? • Second theorem: ap mod p = a mod p. • So, the answer should be 4 mod 5, or 4. • Indeed: 45 = 1024, and 1024 mod 5 = 4
Euler’s Totient Function • f(n) = # of positive integers between 1 and n that are relatively prime with n • Examples
What does “relatively prime” mean? • Two numbers are relatively prime if they have no factors in common • For example, 3 and 8 are relatively prime • Also, 4 and 15 are relatively prime
Euler’s Totient Function (continued) • Theorem:f(p*q) = f(p)* f(q) • Also, if p is prime, then f(p) = p-1 • So, if p and q are primes and p doesn’t equal q, thenf(p*q) = (p-1) * (q-1)
Example: Properties of the Totient • Again: If p and q are primes, then f(p*q) = (p-1) * (q-1) • f(6) = f(2*3) = (2-1) * (3-1) = 2 • f(14) = f(2*7) = (2-1) * (7-1) = 6
Euler’s Theorem • if a and n are relatively prime, then af(n) = 1 mod n • if a and n are relatively prime, then af(n)+1 = a mod n • Examples (with a = 3, n = 8) • Note that f(8) = 4 • Then, 34 = 1 mod 8 • Also, 35 = 3 mod 8 confirm these by computing 34 and 35
Testing for Primes • Public-key encryption requires finding very large prime numbers • There is no efficient way to do this • Simplest algorithm:for i = 2 up to square root of n if n mod i is 0 then n is not prime, so exit loopif you don’t find an i for which n mod i = 0, then n is prime
Testing for Primes – Miller & Rabin Algorithm • Can say simply that a number is not prime • can’t say for sure whether a number is prime • However, if you repeat the algorithm t times, Probability(n is prime) > 1 – (1/4)t • Thus, if you repeat the test 10 times, the probability the number is prime > 99.9999%
Distribution of Primes • Primes near n are spaced on the average one every 0.5*ln(n) integers • Thus, one has to test, on average, this many integers • For example, if a prime near 2200 is desired, need to test 0.5 * ln(2200) = 69numbers (on average)
Review: The RSA Algorithm We’ve discussed how to speed up all of this.
Now we’ll talk about Key Exchange • First, how do you exchange symmetric keys using PKE technology? • This is the recommended application of PKE • Will present the most popular technique – Diffie Helman • Then, how do you exchange public keys? • Necessary for PKE to happen
Symmetric Key Exchange • Last week, we saw a few different ways to exchange keys ... • Physical delivery • Directly from A to B • Third-party C distributes to A and B • Use of previous key • Key Distribution Center • Decentralized
Centralized Key Distribution This is called Needham-Schroeder Protocol
Limitation of KDC • “What good would it do after all to develop impenetrable cryptosystems if their users were forced to share their keys with a KDC that could be compromised by either burglary or subpoena?” – Whitfield Diffie, co-creator of public-key encryption
Decentralized Key Distribution • Each node must maintain (M-1) master keys • Messages sent with master keys are short • Unlikely to be compromised because there’s not a lot to glob on to.
Limitation of Decentralized Approach • With M different participants, there are M(M-1)/2 different master keys to distribute • Doesn’t scale well
So, we seek an alternative • One that doesn’t necessarily require trust in a third party • One that doesn’t require such a large up-front key distribution