Information Security Lab. Dept. of Computer Engineering 251/ 278 PART II Asymmetric Ciphers Key Management; Other CHAPTER 10 Key Management; Other Public Key Cryptosystems Public Key Cryptosystems 10.1 Key Management 10.2 Diffie-Hellman Key Exchange 10.3 Elliptic Curve Arithmetic 10.4 Elliptic Curve Cryptography

Information Security Lab. Dept. of Computer Engineering 252/ Key Management  Public-key encryption helps address key distribution problems  have two aspects of this: distribution of public keys use of public-key encryption to distribute secret keys Distribution of Public Keys  Techniques for the distribution of public keys public announcement publicly available directory public-key authority public-key certificates

Information Security Lab. Dept. of Computer Engineering 253/ Key Management Distribution of Public Keys Public Announcement  Users distribute public keys to recipients or broadcast to community at large : Append PGP keys to messages or post to news groups or list  major weakness is forgery anyone can create a key claiming to be someone else and broadcast it; until forgery is discovered can masquerade as claimed user

Information Security Lab. Dept. of Computer Engineering 254/ Key Management Distribution of Public Keys Publicly Available Directory  Can obtain greater security by registering keys with a public directory  Directory must be trusted with properties: contains {name, public-key} entries participants register securely with directory participants can replace key at any time directory is periodically published directory can be accessed electronically  Still vulnerable to tampering or forgery

Information Security Lab. Dept. of Computer Engineering 255/ Key Management Distribution of Public Keys Public-Key Authority  Improve security by tightening control over distribution of keys from directory  Has properties of directory; and requires users to know public key for the directory; then users interact with directory to obtain any desired public key securely.  A typical scenario is illustrated in Fig. 10.3

Information Security Lab. Dept. of Computer Engineering 256/ Key Management Distribution of Public Keys Public-Key Authority Fig Public-Key Distribution Scenario

Information Security Lab. Dept. of Computer Engineering 257/ Key Management Distribution of Public Keys Public-Key Certificates  Certificates allow key exchange without real-time access to public-key authority  A certificate binds identity to public key; usually with other info such as period of validity, rights of use etc  With all contents signed by a trusted private-key or Certificate Authority (CA)  Can be verified by anyone who knows the authorities public-key

Information Security Lab. Dept. of Computer Engineering 258/ Key Management Distribution of Public Keys Public-Key Certificates Fig Exchange of Public-Key Certificate

Information Security Lab. Dept. of Computer Engineering 259/ Key Management Distribution of Secret Keys Using Public-Key Cryptography  Use previous methods to obtain public-key.  Can use for secrecy or authentication; but public-key algorithms are slow; so usually want to use private-key encryption to protect message contents. Hence, a session key is needed.  Have several alternatives for negotiating a suitable session. Simple Secret Key Distribution  proposed by Merkle in 1979

Information Security Lab. Dept. of Computer Engineering 260/ Key Management Distribution of Secret Keys Using Public-Key Cryptography Simple Secret Key Distribution  Problem is that an opponent can intercept and impersonate both halves of protocol; man-in-the-Middle attack Fig Simple Use of Public-Key Encryption to Establish a Session Key

Information Security Lab. Dept. of Computer Engineering 261/ Key Management Distribution of Secret Keys Using Public-Key Cryptography Secret Key Distribution with Confidentiality & Auth. Fig Public-Key Distribution of Secret Keys

Information Security Lab. Dept. of Computer Engineering 262/ Key Management Distribution of Secret Keys Using Public-Key Cryptography A Hybrid Scheme  This scheme retains the use of a key distribution center (KDC) that shares a secret master key with each user and distributes secret session keys with the master key  A public-key scheme is used to distribute master keys  The rationale is provided for using this three-level approach: Performance : frequently distribution of session keys by public-key : slow --- occasionally distribution of master key by public-key; then session key distribution by master key Backward compatibility : overlaid on an existing KDC scheme

Information Security Lab. Dept. of Computer Engineering 263/ Diffie-Hellman Key Exchange  The first public-key type scheme proposed.  a public-key distribution scheme cannot be used to exchange an arbitrary message rather it can establish a common key known only to the two participants  By Diffie & Hellman in 1976 along with the exposition of public key concepts; Note: now know that Williamson (UK CESG) secretly proposed the concept in 1970  Is a practical method for public exchange of a secret key  Used in a number of commercial products  security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard

Information Security Lab. Dept. of Computer Engineering 264/ Diffie-Hellman Key Exchange The Algorithm & Key Exchange Protocol User A Select private X A Compute public Y A =  X A mod q User B Select private X B Compute public Y B =  X B mod q Global Public Elements q : prime number  :  < q and  : primitive root of q YAYA YBYB K = (Y A ) X B mod q K = (Y B ) X A mod q K AB = (Y B ) X A mod q =  X B X A mod q =  X A X B mod q = (Y A ) X B mod q

Information Security Lab. Dept. of Computer Engineering 265/ Diffie-Hellman Key Exchange Man-in-the-Middle Attack  Both of these are vulnerable to a meet-in-the-Middle Attack; Authentication of the keys is needed Alice X A Y A =  X A mod q Y A Bob X B Y B =  X B mod q Darth X D1, X D2 Y D1 =  X D1 mod q Y D2 =  X D2 mod q Y A Y D1 K = (Y D1 ) X B mod q =  X D1 X B mod q YBYB YBYB YD2YD2 YD2YD2 K = (Y D2 ) X A mod q =  X D2 X A mod q K = (Y A ) D2 mod q =  X A X D2 mod q K = (Y D1 ) X B mod q =  X D1 X B mod q

Information Security Lab. Dept. of Computer Engineering 266/ Elliptic Curve Arithmetic  Majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very large numbers/polynomials  Imposes a significant load in storing and processing keys and messages  An alternative is to use elliptic curves;  In 1985, Neal Koblitz and Victor Miller proposed ECC  Offers same security with smaller bit sizes  Newer, but not as well analyzed,  Elliptic curve cryptography (ECC) is showing up in standardization efforts, IEEE P1363 standard for Public- key Cryptography

Information Security Lab. Dept. of Computer Engineering 267/ Elliptic Curve Arithmetic Elliptic Curves over Real Numbers  An elliptic curve is defined by an equation in two variables x & y, with coefficients a, b, c, d, e y 2 + axy + by = x 3 + cx 2 + dx + e : Weierstrass equation  Consider a cubic elliptic curve of form; y 2 = x 3 + ax + b ( 4a b 2  0 )  Consider the set of points E(a, b) consisting of all of the points (x, y) that satisfy the equation y 2 = x 3 + ax + b, with the elements O called the point at infinity or the zero point. E = { E(a, b) }  { O } : additive abelian group operation( + ) : addition of two points identity elements of + : the point at infinity O

Information Security Lab. Dept. of Computer Engineering 268/ Elliptic Curve Arithmetic Elliptic Curves over Real Numbers Geometric Description of Addition Fig Example of Elliptic Curves

Information Security Lab. Dept. of Computer Engineering 269/ Elliptic Curve Arithmetic Elliptic Curves over Real Numbers Algebraic Description of Addition  For two distinct points P = (x P, y P ) and Q = (x Q, y Q ) Point addition : R (x R, y R ) = P + Q  = (y Q – y P )/(x Q – x P ) : slope of the line that join them x R =  2 – x P – x Q y R = – y P +  (x P – x R )  Doubling : R = P + P = 2P

Information Security Lab. Dept. of Computer Engineering 270/ Elliptic Curve Arithmetic Elliptic Curves over Z p  prime curves E p (a, b) defined over Z p = {0, 1, …, p  1} use integers modulo prime p; best in software y x Fig The Elliptic Curve E 23 (1,1) y 2 mod p = (x 3 + ax + b ) mod p y 2 mod 23 = (x 3 + x + 1 ) mod 23

Information Security Lab. Dept. of Computer Engineering 271/ Elliptic Curve Arithmetic Elliptic Curves over Z p  If P = (x P, y P ) and Q = (x Q, y Q ) with P  – Q R (x R, y R ) = P + Q x R = ( 2 – x P – x Q ) mod p y R = ( (x P – x R ) – y P ) mod p where  If P = (x P, y P ), then – P = (x P, – y P ),

Information Security Lab. Dept. of Computer Engineering 272/ Elliptic Curve Arithmetic Elliptic Curves over GF(2 m )  Binary curves E 2 m (a, b) defined over GF(2 m ) use polynomials with binary coefficients; best in hardware. y x Fig The Elliptic Curve E 2 4 (g 4,1) y 2 + xy = x 3 + ax + b y 2 + xy = x 3 + g 4 x + 1 g 0 = 0001g 4 = 0011g 8 = 0101g 12 = 1111 g 1 = 0010g 5 = 0110g 9 = 1010g 13 = 1101 g 2 = 0100g 6 = 1100g 10 = 0111g 14 = 1001 g 3 = 1000g 7 = 1011g 11 =1110g 15 = 0001 GF(2 m ) = F[x]/(x 4 + x + 1)

Information Security Lab. Dept. of Computer Engineering 273/ Elliptic Curve Arithmetic Elliptic Curves over GF(2 m )  If P = (x P, y P ) and Q = (x Q, y Q ) with P  – Q and P  Q R (x R, y R ) = P + Q x R = x P + x Q + a y R = (x P + x R ) + x R + y P  If P = (x P, y P ) then R = 2P x R = a y R = x 2 P + ( + 1)x R  If P = (x P, y P ), then – P = (x P, x P + y P ) where

Information Security Lab. Dept. of Computer Engineering 274/ Elliptic Curve Cryptography  ECC addition is analog of modulo multiply  ECC repeated addition is analog of modulo exponentiation  “hard” problem equivalent to discrete logarithm Q = kP, where Q, P belong to a prime curve is “easy” to compute Q given k, P but “hard” to find k given Q, P known as the elliptic curve discrete logarithm problem  Example: E 23 (9,17) : y 2 mod 23 = (x 3 + 9x + 17) mod 23 What is k of Q = kP, where P = (16, 5), Q = (4, 5) Brute-force method: P = (16, 5), 2P = (20, 20), 3P = (14, 14), 4P = (19, 20), 5P = (13, 10), 6P = (7, 3) 7P = (8, 7), 8P = (12, 17), 9P = (4, 5)

Information Security Lab. Dept. of Computer Engineering 275/ Elliptic Curve Cryptography Analog of Diffie-Hellman Key Exchange  Can do key exchange analogous to D-H  Select a suitable curve E p (a, b) Select base point G=(x 1, y 1 ) with large order n s.t. nG = O  A & B select private keys n A < n and n B < n, respectively  Both compute public keys: P A = n A G, P B = n B G  Both compute shared key: K = n A P B, K = n B P A K = n A P B = n A n B G = n B n A G = n B P A

Information Security Lab. Dept. of Computer Engineering 276/ Elliptic Curve Cryptography EC Encryption/Decryption  Several alternatives, will consider simplest  must first encode any message M as a point on the elliptic curve P m  Select suitable curve & point G as in D-H  Each user chooses private key n A < n; computes public key P A = n A G  To encrypt P m : C m = {kG, P m + kP b }, k = random  To decrypt C m compute : P m + kP b – n B (kG) = P m + k(n B G) – n B (kG) = P m

Information Security Lab. Dept. of Computer Engineering 277/ Elliptic Curve Cryptography Security of Elliptic Curve Cryptography  Relies on elliptic curve discrete logarithm problem  The fastest method is “Pollard rho method”  Compared to factoring, can use much smaller key sizes than with RSA etc  For equivalent key lengths computations are roughly equivalent  Hence for similar security ECC offers significant computational advantages

Information Security Lab. Dept. of Computer Engineering 278/ Elliptic Curve Cryptography Security of Elliptic Curve Cryptography Table 10.3 Comparable Key Sizes in terms of Computational Effort for Cryptanalysis