RSA Data Security, Inc. Emerging Standards for Public-Key Cryptography Burt Kaliski Chief Scientist, RSA Laboratories BRICS Summer School in Cryptology.

Presentation transcript:

RSA Data Security, Inc.
Emerging Standards for Public-Key Cryptography
Burt Kaliski, Chief Scientist, RSA Laboratories
BRICS Summer School in Cryptology and Data Security, July 20-24, 1998

© RSA 1998
Introduction
As research matures, it can be made “standard”
  – ’70s and ’80s research in public-key cryptography leads to standards in ’90s
This talk is a snapshot of some of the standards efforts — and the interesting issues they raise

Outline
I. Survey of Standards Efforts
II. A General Model for Public-Key Standards
III. Strong Primes: A Recurring Technical Debate
IV. Some Research Motivated by Standards

Part I: Survey of Standards Efforts

Why Standards?
Many reasons:
  – interoperability
  – stability
  – assurance
De facto or de jure?

Some Public-Key Standards Efforts
ANSI X9F1
IEEE P1363
ISO/IEC JTC1 SC27
US NIST

ANSI X9F1
Financial Services / Data and Information Security / Cryptographic Tools
Corporate membership
Quarterly meetings in North America

ANSI X9F1 Efforts
Some ANSI documents (drafts)
  – X9.30  DSA signatures
  – X9.31  RSA/RW signatures (rDSA)
  – X9.42  DH/MQV key agreement
  – X9.44  RSA key transport
  – X9.62  elliptic curve signatures
  – X9.63  EC key agreement / transport
  – X9.79  prime generation

IEEE P1363
Standard Specifications for Public-Key Cryptography
Sponsored by IEEE Microprocessor Standards Committee
Individual participation
Meetings mostly in North America
grouper.ieee.org/groups/1363

IEEE P1363 Coverage
Three types of technique:
  – key agreement, signature, encryption
From three families:
  – DL: discrete logarithm
  – EC: elliptic curve
  – IF: integer factorization
Also, number theory background, security considerations

IEEE P1363a
Standard Specifications for Public-Key Cryptography: Additional Techniques
In preparation
More techniques, probably same families
  – identification likely to be added

ISO/IEC JTC1 SC27
International Organization for Standardization / International Electrotechnical Commission / Information Technology / IT Security Techniques
National representation, with experts
Meetings throughout the world

SC27 Efforts
Some ISO/IEC documents
  – 9796  Signatures with message recovery
  – 9798  Entity authentication
  – 11770  Key management
  – 13888  Nonrepudiation
  – 14888  Signatures with appendix
Symmetric and public-key techniques

U.S. NIST FIPS
National Institute of Standards and Technology
  – part of U.S. Department of Commerce
Federal Information Processing Standards (FIPS)
Computer Security Act (1987) gives charter for government cryptography standards

NIST Efforts
Some FIPS:
  – 186  Digital Signature Standard
  – 196  Entity Authentication
  – new  Key Exchange / Agreement
Others of interest:
  – 46-2  Data Encryption Standard
  – 180-1  Secure Hash Standard
  – new  Advanced Encryption Standard

Comparing the Efforts
Different goals:
  – ISO, IEEE: general building blocks
  – ANSI: US banking requirements
  – NIST: US government, commercial
Coordination:
  – IEEE, ANSI technical convergence
  – NIST will accept ANSI signature standards for government purposes
  – ISO TC68 adopts ANSI X9F1

Application Standards of Interest
S/MIME: messaging
SSL / TLS: communications
SET: bank card payments
PKIX: public-key infrastructure

RSA Laboratories’ PKCS
Public-Key Cryptography Standards
Informal, intervendor effort coordinated by RSA Laboratories
Periodic workshops

PKCS Efforts
Revisions and new documents:
  – PKCS #1  RSA Cryptography v2.0 draft in review, includes Bellare-Rogaway OAEP
  – PKCS #5  Password-Based Encryption
  – PKCS #13  Elliptic Curve Cryptography
  – PKCS #14  Pseudorandom Generation
  – PKCS #15(?)  Smart Card File Formats

Part II: A General Model for Public-Key Standards

A General Model
Framework with abstraction, generally following P1363
Three levels:
  – primitives
  – schemes
  – protocols
… plus key management

P1363 Naming Convention
General form:
  – family type - instance
where
  – family is DL, EC, IF
  – type is one of:
      SP: Signature Primitive
      SSA: Signature Scheme with Appendix
      etc.
  – instance is a particular algorithm, e.g., DSA, DH, RSA

Primitives
Basic mathematical operations
Low-level implementation
  – e.g., crypto-accelerator, software module
Computational security
  – enhanced when combined with additional techniques in a scheme

Types of Primitive
Secret value derivation
  – shared secret value from public key(s), party’s private key(s)
Signature and verification
Encryption and decryption

Example: DLSP-DSA / DLVP-DSA
DSA signature / verification primitives
DLSP-DSA ((p, q, g, x), m):
  – $r = (g^k \bmod p) \bmod q$, $k$ random
  – $s = k^{-1} (m + xr) \bmod q$
DLVP-DSA ((p, q, g, y), m, (r, s))
  – $r \stackrel{?}{=} (g^{m/s} y^{r/s} \bmod p) \bmod q$

Primitives in P1363
Secret Value Derivation
  – DH, MQV in DL, EC families
Signature / Verification:
  – DSA, Nyberg-Rueppel in DL, EC families
  – RSA with and w/o absolute value
  – Rabin-Williams
Encryption / Decryption:
  – RSA

Schemes
Related operations combining primitives, additional techniques
  – a framework with options
Medium-level implementation
  – e.g., cryptographic service library
Complexity-theoretic security (ideally)
  – completed when appropriately applied in a protocol

Types of Scheme
Key agreement
Signature
  – with appendix
  – with message recovery
Encryption
Identification (in P1363a)

Additional Techniques
Encoding method
  – maps between message, data to be processed by primitive
  – for signatures, encryption schemes
Key derivation function
  – maps from shared secret value to key
  – for key agreement schemes

Example: DL/ECSSA
DL/EC signature scheme
  – options: SP / VP / encoding method
Signature operation (privKey, M):
  – S = SP (privKey, Encode (M))
Verification operation (pubKey, M, S):
  – VP (pubKey, Encode (M), S) [DSA]
  – Encode (M) =? VP (pubKey, S) [NR]

Encoding Methods for Signatures
DL/EC signatures
  – Hash (M)
IF signatures with appendix
  – Pad || HashID || Hash (M)
IF signatures with message recovery
  – ISO (M)
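
The layering on the slides "Example: DLSP-DSA / DLVP-DSA" and "Example: DL/ECSSA", worked through as an added example (not code from the talk or from P1363): the primitives operate on an integer m, and the scheme wraps them with the encoding method Hash (M). The toy domain parameters, SHA-256 as the hash, and all function names are assumptions made for this illustration.

```python
import hashlib
import secrets

def is_prime(n):
    """Deterministic Miller-Rabin; these bases are exact for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % a == 0 for a in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x != 1 and all(pow(x, 2**i, n) != n - 1 for i in range(s)):
            return False
    return True

def toy_domain():
    """Constructed demo parameters (p, q, g); far too small for real use."""
    q, j = 2**61 - 1, 2                  # q is a Mersenne prime
    while not is_prime(q * j + 1):       # find a prime p = q*j + 1
        j += 2
    p = q * j + 1
    g = next(pow(h, j, p) for h in range(2, p) if pow(h, j, p) != 1)
    return p, q, g                       # g = h^((p-1)/q) has order q

def dlsp_dsa(p, q, g, x, m):
    """Signature primitive: r = (g^k mod p) mod q, s = k^-1 (m + x r) mod q."""
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (m + x * r) % q
        if r and s:                      # retry the rare zero values
            return r, s

def dlvp_dsa(p, q, g, y, m, sig):
    """Verification primitive: r =? (g^(m/s) y^(r/s) mod p) mod q."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):    # range check before inverting s
        return False
    w = pow(s, -1, q)
    return r == pow(g, m * w % q, p) * pow(y, r * w % q, p) % p % q

def encode(M):                           # encoding method: Hash(M) as integer
    return int.from_bytes(hashlib.sha256(M).digest(), "big")

def sign(priv, M):                       # scheme: S = SP(privKey, Encode(M))
    return dlsp_dsa(*priv, encode(M))

def verify(pub, M, S):                   # scheme: VP(pubKey, Encode(M), S)
    return dlvp_dsa(*pub, encode(M), S)
```

Here priv is the tuple (p, q, g, x) and pub is (p, q, g, y) with y = g^x mod p, matching the argument lists on the primitives slide.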

Related Scheme Operations
Domain parameter generation
Domain parameter validation
Key pair generation
Public key validation
Private key validation

Schemes in P1363
Key agreement
  – three DL/EC generic: DH1, DH2, MQV
Signature with appendix
  – DL/EC generic
  – IF generic
Signature with message recovery
  – IF generic
Encryption
  – IF generic

Protocols
Sequence of operations to be performed by parties to achieve some security goal
High-level implementation
  – applications, services
“Real” security
  – but depends on implementation considerations
(No protocols in P1363)

Types of Protocol
Key establishment
  – key agreement
  – key transport
Entity authentication
Data origin authentication
Data confidentiality

Part III: “Strong” Primes: A Recurring Technical Debate

What is a “Strong” Prime?
RSA key pair consists of
  – public key (n, e)
  – private key (n, d)
  – where n = pq, p and q are large primes, and $ed \equiv 1 \bmod (p-1)(q-1)$
A prime p is strong if p’, the largest factor of p-1, is large
Are strong primes necessary?

Early ’80s: Yes
Pollard’s p-1 method (1974) can factor n in about p’ operations, so p’ should be large
Gordon (1984) gives method for generating RSA keys efficiently with strong prime factors
  – X.509 (1988) also mentions conditions
Related conditions on p+1, p’-1, etc.
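
Why p’ matters for key validation, shown on constructed toy moduli as an added example (not code from the talk): the p-1 method below needs about p’ steps, so a modulus with a smooth p-1 falls almost immediately while one built from primes with large p’ survives the same bound. The primes 2017, 2039 and 2063 and the function names are chosen for this illustration.

```python
from math import gcd

def largest_prime_factor(m):
    """p' for m = p - 1, by trial division (fine for toy sizes only)."""
    best, f = 1, 2
    while f * f <= m:
        while m % f == 0:
            best, m = f, m // f
        f += 1
    return m if m > 1 else best

def p_minus_1(n, bound):
    """Pollard's p-1 with exponent k!; returns (factor, steps) or None."""
    a = 2
    for k in range(2, bound + 1):
        a = pow(a, k, n)                 # a = 2^(k!) mod n
        d = gcd(a - 1, n)
        if 1 < d < n:
            return d, k
        if d == n:                       # every factor fell at once; give up
            return None
    return None

# Constructed toy primes: 2017 - 1 = 2^5 * 3^2 * 7 is smooth (weak);
# 2039 = 2*1019 + 1 and 2063 = 2*1031 + 1 have a large p' (strong).
WEAK_N = 2017 * 2063
STRONG_N = 2039 * 2063

def compare(bound=100):
    """Run the same bound against both moduli and report p' for each prime."""
    return {
        "weak": p_minus_1(WEAK_N, bound),
        "strong": p_minus_1(STRONG_N, bound),
        "p_prime": {p: largest_prime_factor(p - 1) for p in (2017, 2039, 2063)},
    }
```

With the bound raised past 1019 the strong modulus also factors, after exactly p’ = 1019 steps, which is the "about p’ operations" cost stated on the slide.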

Late ’80s / Early ’90s: No
Lenstra’s ECM (1987) can factor n in $O(\exp((2 \ln p \ln \ln p)^{1/2}))$ operations, so p should be large
… but if p is large and random, then p’ will be large with high probability
Rivest (unpublished) argues that strong primes don’t help
  – but don’t hurt either

Late ’90s: Maybe
What about signature repudiation?
  – Dishonest user chooses n with weak prime
  – Later, disavows signature, claiming that someone factored n by p-1 method
ANSI X9.31 (1998) standardizes on strong primes for banking
  – also, generates primes as one-way function of seed
Still, are strong primes necessary?

Part IV: Some Research Motivated By Standards

Standards and Research
Just as mature research is standardized, so standards efforts promote additional research
Areas of research:
  – efficient implementation
  – cryptanalysis
  – components in the “framework”

Authenticated Encryption Schemes
Problem:
  – Construct authenticated encryption schemes for DL, EC, IF families with similar properties to OAEP, but with variable message length
Several solutions proposed for P1363a

Model
C = Encrypt (pubKey, M, P)
M = Decrypt (privKey, C, P)
  – M  message
  – C  ciphertext
  – P  encoding parameters
M, C, P arbitrary length

Desired Properties
One application of underlying primitive
Plaintext-aware encryption
  – no partial information about M
  – cannot generate C without M
      hence, cannot modify M
Binding of P to M
  – cannot modify P
Weaker assumptions
  – i.e., not just random oracle model

OAEP for RSA
As in P1363 (and PKCS #1 v2.0 draft):
Encrypt (pubKey, M, P):
  – EM = Encode (M, P)
  – C = EP (pubKey, EM)
Decrypt (privKey, C, P):
  – EM = DP (privKey, C)
  – M = Decode (EM, P)
M, C bounded, P arbitrary length

OAEP Encoding
Encode (M, P)
  – EM = maskedSeed || maskedDB
    where
      maskedSeed = seed ⊕ G (maskedDB)
      maskedDB = DB ⊕ G (seed)
      DB = H (P) || pad || M
      seed random
H hash function, G mask generation function
Decode (C, P): an exercise
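
The encoding above together with the decoding left as an exercise, as an added example (not code from the talk or from PKCS #1). The slide only names H, G and "pad"; SHA-256 for H, an MGF1-style counter construction for G, and a pad of zero bytes ended by a single 0x01 byte are assumptions made here, as are the function names.

```python
import hashlib
import hmac
import secrets

HLEN = hashlib.sha256().digest_size

def H(data):
    return hashlib.sha256(data).digest()

def G(seed, length):
    """Mask generation: H(seed || counter) blocks, truncated (assumed MGF1 style)."""
    out, counter = b"", 0
    while len(out) < length:
        out += H(seed + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(M, P, em_len):
    """EM = maskedSeed || maskedDB, with DB = H(P) || pad || M."""
    pad_len = em_len - 2 * HLEN - 1 - len(M)
    if pad_len < 0:
        raise ValueError("message too long")
    DB = H(P) + b"\x00" * pad_len + b"\x01" + M
    seed = secrets.token_bytes(HLEN)
    masked_db = xor(DB, G(seed, len(DB)))
    masked_seed = xor(seed, G(masked_db, HLEN))
    return masked_seed + masked_db

def oaep_decode(EM, P):
    """Invert the two masks, then check H(P) and the pad before releasing M."""
    if len(EM) < 2 * HLEN + 1:
        raise ValueError("decoding error")
    masked_seed, masked_db = EM[:HLEN], EM[HLEN:]
    seed = xor(masked_seed, G(masked_db, HLEN))
    DB = xor(masked_db, G(seed, len(masked_db)))
    rest = DB[HLEN:].lstrip(b"\x00")         # skip pad, expect the 0x01 marker
    ok = hmac.compare_digest(DB[:HLEN], H(P)) and rest[:1] == b"\x01"
    if not ok:                               # one error for every failure cause
        raise ValueError("decoding error")
    return rest[1:]
```

Changing any bit of EM, or decoding under different parameters P, makes the recovered DB fail the H (P) check, which is the binding of P to M listed under the desired properties.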

Limitations
EM must be shorter than RSA modulus, so length of M is bounded
Assumes encryption primitive — but DL/EC only has secret value derivation primitive
Relies on random oracle model for G

IF Encryption Ideas
1. Encrypt only part of EM (various)
  – removes bound on length of M
  – which part?
2. Construct G only partly from random oracle (Bellare, Rogaway 1996)
3. Add more “rounds” to OAEP (Johnson, Matyas, Peyravian 1996)
  – may reduce assumptions, need for seed

DL/EC Encryption Ideas
General: Generate shared secret value K as in key agreement scheme, combine with M, P
1. Encode M as in OAEP, exclusive-OR K with part of result (various)
2. Combine with MACs, reduced r.o. methods (Bellare, Rogaway 1996)
3. Combine with universal hash functions, mask generation (Zheng 1996)

Some Other Recent Results
Security of “unified model” of DH key agreement (Blake-Wilson, Johnson, Menezes 1997)
RSA key validation (Liskov, Silverman 1997)
Storage-efficient basis conversion (Kaliski, Yin 1998)

Conclusions
Research in cryptology and data security is leading to standards, and vice versa
Several standards efforts for different sectors, but coordinated
General model for public-key standards emerging
… and some technical debate continues