Network Security: Real-world Security of Public Key Crypto
2018/11/20 Topic 2: Public Key Encryption and Digital Signatures
Diffie and Hellman won ACM Turing Award (2015)
Rivest Shamir and Adleman won ACM Turing Award (2012)
RSA Algorithm
  Invented in 1978 by Ron Rivest, Adi Shamir and Leonard Adleman.
  Published as R L Rivest, A Shamir, L Adleman, "On Digital Signatures and Public Key Cryptosystems", Communications of the ACM, vol 21 no 2, pp 120-126, Feb 1978.
  Security relies on the difficulty of factoring large composite numbers.
  Essentially the same algorithm was discovered in 1973 by Clifford Cocks, who works for British intelligence.
  Takes 2-3 years to discover the same alg.
RSA Public Key Crypto System
  Key generation:
  1. Select 2 large prime numbers of about the same size, p and q. Typically each p, q has between 512 and 2048 bits.
  2. Compute $n = pq$ and $\varphi(n) = (q-1)(p-1)$.
  3. Select e, $1 < e < \varphi(n)$, s.t. $\gcd(e, \varphi(n)) = 1$. Typically e = 3 or e = 65537.
  4. Compute d, $1 < d < \varphi(n)$, s.t. $ed \equiv 1 \pmod{\varphi(n)}$. Knowing $\varphi(n)$, d is easy to compute.
  Public key: (e, n)
  Private key: d
RSA Description (cont.)
  Encryption: given a message M, $0 < M < n$ ($M \in \mathbb{Z}_n \setminus \{0\}$), use public key (e, n) and compute $C = M^e \bmod n$ ($C \in \mathbb{Z}_n \setminus \{0\}$).
  Decryption: given a ciphertext C, use private key (d) and compute $C^d \bmod n = (M^e \bmod n)^d \bmod n = M^{ed} \bmod n = M$.
Group Discussion 2: Is textbook RSA secure?
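A simple attack on textbook RSA
  Setting: the web browser picks a random session key K and sends CLIENT HELLO; the web server (holding private key d) answers SERVER HELLO with public key (e, N); the browser sends C = RSA(K).
  Session key K is 64 bits. View $K \in \{0, \dots, 2^{64}\}$.
  Eavesdropper sees: $C = K^e \pmod N$.
  Suppose $K = K_1 \cdot K_2$ where $K_1, K_2 < 2^{34}$ (prob. 20%).
  Then: $C / K_1^e = K_2^e \pmod N$.
  Build table: $C/1^e, C/2^e, C/3^e, \dots, C/(2^{34})^e$. Time: $2^{34}$.
  For $K_2 = 0, \dots, 2^{34}$ test if $K_2^e$ is in the table. Time: $2^{34} \cdot 34$.
  Attack time: $\approx 2^{40} \ll 2^{64}$.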
A real-world attack on QQ Browser
RSA Encryption & IND-CPA Security
  The RSA assumption, which assumes that the RSA problem is hard to solve, ensures that the plaintext cannot be fully recovered.
  Plain RSA does not provide IND-CPA security.
  For public key systems, the adversary has the public key, hence the initial training phase is unnecessary, as the adversary can encrypt any message he wants to.
  How to use it more securely?
Real World Usage of Public Key Encryption
  Often used to encrypt a symmetric key: to encrypt a message M under an RSA public key (n, e), generate a new AES key K and compute $[K^e \bmod n,\ \text{AES-CBC}_K(M)]$.
  Alternatively, one can use random padding. E.g., compute $(M \,\|\, r)^e \bmod n$ to encrypt a message M with a random value r.
  More generally, one uses a function F(M, r) and encrypts as $F(M, r)^e \bmod n$.
  From F(M, r), one should be able to recover M.
  This provides randomized encryption.
  E.g., Optimal Asymmetric Encryption Padding (OAEP): roughly, to encrypt M, choose random r, encode M as $M' = [X = M \oplus H_1(r),\ Y = r \oplus H_2(X)]$ where $H_1$ and $H_2$ are cryptographic hash functions, then encrypt it as $(M')^e \bmod n$.
  Note that given $M' = [X, Y]$, $r = Y \oplus H_2(X)$ and $M = X \oplus H_1(r)$.
RSA-OAEP
  Optimal Asymmetric Encryption Padding (OAEP): roughly, to encrypt m, choose random r, encode m as $m' = [X = m \oplus H_1(r),\ Y = r \oplus H_2(X)]$ where $H_1$ and $H_2$ are cryptographic hash functions, then encrypt it as $(m')^e \bmod n$.
  To decrypt $m' = [X, Y]$, compute $r = Y \oplus H_2(X)$ and $m = X \oplus H_1(r)$.
  Proven secure under the RSA assumption when $H_1$ and $H_2$ are assumed to be random oracles.
  Unless both X and Y are fully recovered, one cannot obtain r; without r, one cannot obtain any information about m.
  We will not cover the Random Oracle Model in this course. See Chapter 13 if interested.
  CS555 Topic 19
RSA - Optimal asymmetric encryption padding (RSA-OAEP)
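Added example (not from the original slides): the simplified OAEP encoding from the RSA-OAEP slide next to textbook RSA, showing the determinism that the IND-CPA slide objects to and the randomized alternative. Assumptions: the toy key built from two Mersenne primes, the SHA-256 counter-mode stand-in for H1 and H2, the 0x80 framing byte and all function names are constructed for illustration. This is not RFC 8017 OAEP and has no integrity check, so real systems should use a vetted library.

```python
import hashlib
import secrets

# Constructed toy key from two Mersenne primes. Special-form primes are
# not acceptable for real keys; they just avoid a prime generator here.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # e*d = 1 mod phi(n)
R_LEN = 32                                 # bytes of randomness r (and of Y)
X_LEN = (N.bit_length() - 1) // 8 - R_LEN  # bytes of X, so [X, Y] < n

def _h(label: bytes, seed: bytes, length: int) -> bytes:
    """Stand-in for H1/H2: SHA-256 in counter mode, separated by label."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(label + ctr.to_bytes(4, "big") + seed).digest()
        ctr += 1
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(a, b))

def textbook_encrypt(m: bytes) -> int:
    """C = M^e mod n with no padding: deterministic."""
    return pow(int.from_bytes(m, "big"), E, N)

def padded_encrypt(m: bytes) -> int:
    """Encode M' = [X = m xor H1(r), Y = r xor H2(X)], then (M')^e mod n."""
    if len(m) >= X_LEN:
        raise ValueError("message too long for this key")
    r = secrets.token_bytes(R_LEN)
    block = m + b"\x80" + bytes(X_LEN - len(m) - 1)  # fixed-length framing
    x = _xor(block, _h(b"H1", r, X_LEN))
    y = _xor(r, _h(b"H2", x, R_LEN))
    return pow(int.from_bytes(x + y, "big"), E, N)

def padded_decrypt(c: int) -> bytes:
    """Recover r = Y xor H2(X), then m = X xor H1(r)."""
    enc = pow(c, D, N).to_bytes(X_LEN + R_LEN, "big")
    x, y = enc[:X_LEN], enc[X_LEN:]
    r = _xor(y, _h(b"H2", x, R_LEN))
    block = _xor(x, _h(b"H1", r, X_LEN))
    return block.rstrip(b"\x00")[:-1]      # drop zero fill and the 0x80 marker

def guess_confirmed(c: int, guess: bytes) -> bool:
    """IND-CPA check: does re-encrypting a guess reproduce the ciphertext?"""
    return textbook_encrypt(guess) == c
```

With textbook RSA, anyone holding the public key can confirm a guessed plaintext by re-encrypting it; with the padded form, two encryptions of the same message differ, so that comparison tells the observer nothing.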