Public Key Cryptography: Diffie-Hellman, Discrete Log, RSA
CSCI283 Fall 2005, GWU
Outline: Diffie-Hellman Key Exchange and the Discrete Log Problem; Public Key Crypto; RSA
Diffie-Hellman Key Exchange
Diffie-Hellman Key Exchange
Protocol for exchanging a secret key over a public channel.
Select global parameters p, n and α: p is prime and α is of order n in Z_p^*.
These parameters are public and known to all.
11/27/2018 CS283/Fall05/GWU/Vora/PKC Some slides from Bishop's set
Diffie-Hellman Key Exchange contd.
Alice privately selects a random b and sends Bob α^b mod p.
Bob privately selects a random c and sends Alice α^c mod p.
Alice and Bob privately compute α^(bc) mod p, which is their shared secret.
An observer Oscar can compute α^(bc) if he knows either b or c, or if he can solve the discrete log problem.
This is a key agreement protocol.
Diffie-Hellman is based on the hardness of the Discrete Log problem:
Given a multiplicative group G, an element α ∈ G such that o(α) = n, and an element β ∈ ⟨α⟩,
find the unique integer x, 0 ≤ x ≤ n-1, such that β = α^x.
x is denoted log_α β.
Not known to be doable in polynomial time; exponentiation, however, is.
An attack
Diffie-Hellman key exchange is susceptible to a man-in-the-middle attack.
Mallory captures α^b and α^c in transmission and replaces them with her own α^b' and α^c'.
Essentially runs two Diffie-Hellman exchanges: one with Alice and one with Bob.
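The exchange from the previous slides, run over a constructed toy group, as an added example that is not part of the course slides. The parameters p = 23, α = 5 (order n = 22) are assumptions chosen so the numbers stay small; the brute-force `discrete_log` is what Oscar would have to do, and it is only feasible here because n is tiny. Nothing in the exchange ties α^b or α^c to Alice or Bob, which is exactly the gap the man-in-the-middle slide describes and why real protocols authenticate the exchanged values.

```python
"""Diffie-Hellman over a toy group (added example, not from the slides)."""
import secrets

# Constructed toy parameters: p = 23 is prime and alpha = 5 has order 22 in Z_23^*
# (it is a generator). Real deployments use p of 2048 bits or more.
P, ALPHA, N = 23, 5, 22


def order(alpha, p):
    """Multiplicative order of alpha in Z_p^* (brute force; toy sizes only)."""
    x, k = alpha % p, 1
    while x != 1:
        x = (x * alpha) % p
        k += 1
    return k


def dh_public(secret, alpha=ALPHA, p=P):
    """What a party sends over the public channel: alpha^secret mod p."""
    return pow(alpha, secret, p)


def dh_shared(their_public, my_secret, p=P):
    """(alpha^c)^b = (alpha^b)^c = alpha^(bc) mod p."""
    return pow(their_public, my_secret, p)


def dh_exchange(b=None, c=None):
    """Run the protocol; returns (Alice's view, Bob's view) of the shared secret.
    b and c default to fresh random secrets in 1..n-1."""
    b = secrets.randbelow(N - 1) + 1 if b is None else b
    c = secrets.randbelow(N - 1) + 1 if c is None else c
    alice_sends = dh_public(b)  # alpha^b mod p, visible to Oscar
    bob_sends = dh_public(c)    # alpha^c mod p, visible to Oscar
    return dh_shared(bob_sends, b), dh_shared(alice_sends, c)


def discrete_log(beta, alpha=ALPHA, p=P, n=N):
    """Exhaustive search for x with alpha^x = beta mod p, 0 <= x < n.
    This is Oscar's problem; the cost grows with n, so it is only
    feasible for toy groups like this one."""
    for x in range(n):
        if pow(alpha, x, p) == beta:
            return x
    return None


if __name__ == "__main__":
    a_view, b_view = dh_exchange()
    print("shared secret agrees:", a_view == b_view)
```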
Public-Key Cryptography
Diffie and Hellman propose public key cryptography:
Computationally easy to encrypt/decrypt given the key
Computationally infeasible to derive the private key from the public key
Computationally infeasible to determine the private key from a chosen-plaintext attack
Look at DH key exchange as PKC
How does Alice send Bob the decryption key in private key crypto?
If Alice wants it such that anyone can decrypt her messages, but know that they came from her:
Suppose she could make the decryption key available in a public place.
This would require that the decryption key not give any information on the encryption key; in particular it should not be equal to it.
How does Alice send Bob the decryption key in private key crypto? contd.
If she wants it so that only Bob can read her messages, and Bob is ok with anyone sending him messages in this way:
Suppose Bob makes his encryption key available publicly.
No one should be able to compute the decryption key from the encryption key.
This is the dual of the previous case.
Public Key Cryptography
Two injective functions f and g such that fg = I, i.e. messages encrypted with one can be decrypted with the other; the functions include association with a key.
f cannot be used to find g and vice versa.
One is made public, the other kept private.
Encryption with the public function provides confidential transmission; decryption with the public function provides authentication.
RSA
Background
Totient function φ(n): the number of positive integers less than n and relatively prime to n.
Relatively prime means having no factors in common with n.
Example: φ(10) = 4; 1, 3, 7, 9 are relatively prime to 10.
Example: φ(21) = 12; 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 are relatively prime to 21.
RSA
Cocks ('73), Rivest, Shamir, Adleman ('76)
n = pq, p and q (large) primes
P = C = Z_n
K = {(n, p, q, a, b) : ab ≡ 1 mod φ(n)}
Public key: (n, a); private key: (b)
f_K(m) = m^a mod n
g_K(m) = m^b mod n
f_K and g_K are inverses (we won't show this; it is not straightforward)
RSA: Key generation
Find p and q (two large random primes)
n ← pq
φ(n) ← (p-1)(q-1)
Choose a random a invertible mod φ(n) s.t. 1 < a < φ(n), i.e. a s.t. gcd(a, φ(n)) = 1
Use the Euclidean algorithm to find b = a^-1 mod φ(n)
Without p and q one cannot determine φ(n)
One key: (n, a); other key: (n, b)
Example
Example
Take p = 7, q = 11, so n = 77 and φ(n) = 60
Alice chooses e = 17, making d = 53
Bob wants to send Alice the secret message HELLO (07 04 11 11 14)
07^17 mod 77 = 28
04^17 mod 77 = 16
11^17 mod 77 = 44
14^17 mod 77 = 42
Bob sends 28 16 44 44 42
Example
Alice receives 28 16 44 44 42
Alice uses her private key, d = 53, to decrypt the message:
28^53 mod 77 = 07
16^53 mod 77 = 04
44^53 mod 77 = 11
42^53 mod 77 = 14
Alice translates the message to letters to read HELLO
No one else could read it, as only Alice knows her private key and that is needed for decryption
The letters could not have been changed in transit, as no one else has Bob's private key
Warnings
Encipher messages in blocks considerably larger than the examples here
If 1 character per block, RSA can be broken using statistical attacks (just like classical cryptosystems)
An attacker cannot alter letters, but can rearrange them and alter the message meaning
Example: reverse the enciphered message of text ON to get NO
Encryption of blocks of symbols
Block ABCD…, each symbol is base N (e.g. N = 2, 16)
Convert a block of a few symbols to an integer mod n
RSA encrypt
Convert back to base N
Example.
Problem if short strings are encrypted with RSA, hence pad short strings with random characters.
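The key generation, the HELLO example and the block-of-symbols encoding from the preceding slides, carried through in code as an added example (not the course's or Bishop's code). It uses the slides' toy key (p = 7, q = 11, a = 17, giving b = 53); the one-letter-per-block functions reproduce 28 16 44 44 42, and the block functions pack several base-N symbols into one integer below n, which is why a real n must be far larger than 77. The A = 00 … Z = 25 alphabet is the slide's; the function names are this example's own.

```python
"""Textbook RSA with the slides' toy parameters (added example, not from the slides)."""
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """a^-1 mod m via the Euclidean algorithm, as the key-generation slide says."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("a is not invertible mod m")
    return x % m


def rsa_keygen(p, q, a):
    """n = pq, phi(n) = (p-1)(q-1), b = a^-1 mod phi(n). Returns ((n, a), (n, b))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < a < phi or gcd(a, phi) != 1:
        raise ValueError("need 1 < a < phi(n) and gcd(a, phi(n)) = 1")
    return (n, a), (n, modinv(a, phi))


def rsa_apply(key, m):
    """f_K or g_K depending on which exponent the key carries: m^k mod n."""
    n, k = key
    return pow(m, k, n)


# One character per block, exactly as in the HELLO slide (A = 00 ... Z = 25).
def encrypt_chars(pub, text):
    return [rsa_apply(pub, ord(ch) - ord('A')) for ch in text]


def decrypt_chars(priv, cipher):
    return ''.join(chr(rsa_apply(priv, c) + ord('A')) for c in cipher)


# Several base-N symbols per block: pack into an integer < n, encrypt, unpack.
def block_to_int(symbols, N):
    x = 0
    for s in symbols:
        x = x * N + s
    return x


def int_to_block(x, N, length):
    out = []
    for _ in range(length):
        out.append(x % N)
        x //= N
    return out[::-1]


def encrypt_block(pub, symbols, N):
    n, _ = pub
    if N ** len(symbols) > n:
        raise ValueError("block does not fit in Z_n; shorten the block or enlarge n")
    return rsa_apply(pub, block_to_int(symbols, N))


def decrypt_block(priv, c, N, length):
    return int_to_block(rsa_apply(priv, c), N, length)


if __name__ == "__main__":
    pub, priv = rsa_keygen(7, 11, 17)
    print(pub, priv, encrypt_chars(pub, "HELLO"))
```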
Security of RSA
Is it based on the hardness of factoring n? It is not known if:
factoring a product of two primes into its prime components is solvable in polynomial time
it is NP-complete
there are other trapdoors to RSA, i.e. other ways of breaking it in general
Factoring is an easy problem in the quantum computing model.
Security Services
Confidentiality: only the owner of the private key knows it, so text enciphered with the public key cannot be read by anyone except the owner of the private key
Authentication: only the owner of the private key knows it, so text enciphered with the private key must have been generated by the owner
More Security Services
Integrity: enciphered letters cannot be changed undetectably without knowing the private key
Non-Repudiation: a message enciphered with the private key came from someone who knew it
Secure Hash
The problems crypto addresses
Confidentiality/secrecy/privacy: how to keep a message secret so it can be read only by a chosen person. Use encryption.
Integrity: how to determine that a string of symbols has not been changed since it was created?
Integrity
Alice sends message x to Bob. She fears Oscar will manipulate it along the way, and Bob will get an incorrect message.
She could encrypt it using a key Oscar did not have, but is that overkill when she does not need to prevent Oscar from reading it?
But maybe she could tell Bob something else about the message so he would know if something was terribly wrong: parity, last bit, a particular bit, etc.
In general, she could use a hash function h: X → Y, y = h(x), with |X| > |Y|, i.e. ∃ x, x' s.t. x ≠ x' and h(x) = h(x')
Used in storage tables
E.g.: h(x) = last bit, parity, smallest prime factor
Checksums/hashes
Mathematical function to generate a set of k bits from a set of n bits (where k ≤ n). k is smaller than n except in unusual circumstances.
Example: ASCII parity bit. ASCII has 7 bits; the 8th bit is "parity".
Even parity: even number of 1 bits
Odd parity: odd number of 1 bits
Example Use
Bob receives "10111101" as bits.
If the sender is using even parity: 6 one bits, so the character was received correctly.
Note: it could be garbled, but 2 bits would need to have been changed to preserve parity.
If the sender is using odd parity: even number of 1 bits, so the character was not received correctly.
h(x) sent with x
Both Bob and Alice can create h(x) given x.
Alice sends (x, h(x)).
Bob receives (x', y') and checks if y' = h(x'). If so, he assumes x' is what Alice sent.
In either case, what can the attacker do?
If he can compute h(x), he can try to find x' s.t. h(x) = h(x').
If he knows h, and can influence Alice, he can try to get her to send an x that she likes such that h(x) = h(x') for an x' he likes.
If he doesn't, he hopes for the best.
Hence require an h "secure" in the following ways:
Secure wrt second image requires that the following problem is "difficult": given an x ∈ X, find x' ∈ X s.t. x' ≠ x but h(x') = h(x)
Secure wrt collision requires that the following problem is "difficult": find x, x' ∈ X s.t. x' ≠ x but h(x') = h(x)
The above should be true even if h(x1), h(x2), …, h(xn) are known
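The parity check from the "Example Use" slide and Bob's y' = h(x') test, together with a demonstration of why parity is not secure with respect to second images: flipping any two bits keeps the parity, so a changed x' passes Bob's check. Added example, not from the slides; the received word "10111101" is the slide's, the two-bit-flip routine and the SHA-256 comparison (which shows what Bob's check looks like with a cryptographic checksum instead) are this example's own.

```python
"""Parity as a toy hash, and why it fails the second-image requirement
(added example, not from the slides)."""
import hashlib


def parity_ok(bits, scheme):
    """Check an 8-bit ASCII-plus-parity word under 'even' or 'odd' parity."""
    ones = bits.count('1')
    return ones % 2 == (0 if scheme == 'even' else 1)


def h_parity(x):
    """h: {0,1}^* -> {0,1}. Many inputs share each output, so collisions exist."""
    return x.count('1') % 2


def h_sha256(x):
    """A cryptographic checksum for contrast (hex digest of the bit string)."""
    return hashlib.sha256(x.encode()).hexdigest()


def second_preimage_parity(x):
    """Given x, return x' != x with h_parity(x') == h_parity(x) by flipping
    the first two bits: two flips leave the number of ones unchanged mod 2."""
    flipped = ''.join('1' if b == '0' else '0' for b in x[:2])
    return flipped + x[2:]


def count_colliding_words(nbits, y):
    """How many nbits-long words hash to y under parity (exhaustive; toy sizes)."""
    return sum(1 for v in range(2 ** nbits) if bin(v).count('1') % 2 == y)


def verify_received(x_prime, y_prime, h=h_parity):
    """Bob's check from the slides: accept iff y' == h(x')."""
    return y_prime == h(x_prime)


if __name__ == "__main__":
    x = "10111101"
    x2 = second_preimage_parity(x)
    print(x, x2, "parity accepts tampered word:", verify_received(x2, h_parity(x)))
    print("SHA-256 accepts tampered word:", verify_received(x2, h_sha256(x), h_sha256))
</test>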
In general, h is a secure hash, or a one-way function: easy to compute in one direction, hard in the other.
Can we recall one such function?
Definition
Cryptographic checksum h: A → B:
For any x ∈ A, h(x) is easy to compute
For any y ∈ B, it is computationally infeasible to find x ∈ A such that h(x) = y
It is computationally infeasible to find two inputs x, x' ∈ A such that x ≠ x' and h(x) = h(x')
Keys
Keyed cryptographic checksum: requires a cryptographic key. DES in chaining mode: encipher the message, use the last n bits. Requires a key to encipher, so it is a keyed cryptographic checksum.
Keyless cryptographic checksum: requires no cryptographic key. MD5 and SHA-1 are best known; others include MD4, HAVAL, and Snefru.
HMAC
Keyed cryptographic checksums from keyless ones
h: keyless cryptographic checksum function that takes data in blocks of b bytes and outputs blocks of l bytes
k: cryptographic key of length b bytes. If short, pad with 0 bytes; if long, hash to length b
ipad is 00110110 repeated b times; opad is 01011100 repeated b times
HMAC-h(k, m) = h(k ⊕ opad || h(k ⊕ ipad || m))
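The HMAC construction from the slide written out with SHA-256 as the keyless checksum h (b = 64 bytes, l = 32 bytes), as an added example that is not the course's code. The key handling follows the slide: a short key is padded with zero bytes to b; a key longer than b is first hashed (giving l bytes) and then zero-padded to b. The result is checked against Python's standard-library `hmac` module and a published test vector, and `tag_matches` shows the constant-time comparison a verifier should use.

```python
"""HMAC built from a keyless hash per the slide's definition (added example)."""
import hashlib
import hmac

B, L = 64, 32            # SHA-256: block size b and output length l, in bytes
IPAD, OPAD = 0x36, 0x5C  # 00110110 and 01011100, repeated b times via XOR below


def hmac_sha256(k: bytes, m: bytes) -> bytes:
    """HMAC-h(k, m) = h(k xor opad || h(k xor ipad || m)) with h = SHA-256."""
    if len(k) > B:
        k = hashlib.sha256(k).digest()   # long key: reduce to l bytes first
    k = k.ljust(B, b'\x00')              # short (or reduced) key: pad to b bytes
    k_ipad = bytes(x ^ IPAD for x in k)
    k_opad = bytes(x ^ OPAD for x in k)
    inner = hashlib.sha256(k_ipad + m).digest()
    return hashlib.sha256(k_opad + inner).digest()


def matches_stdlib(k: bytes, m: bytes) -> bool:
    """Cross-check against the standard library's HMAC-SHA256."""
    return hmac_sha256(k, m) == hmac.new(k, m, hashlib.sha256).digest()


def tag_matches(k: bytes, m: bytes, tag: bytes) -> bool:
    """Verifier side: recompute and compare in constant time."""
    return hmac.compare_digest(hmac_sha256(k, m), tag)


if __name__ == "__main__":
    msg = b"The quick brown fox jumps over the lazy dog"
    print(hmac_sha256(b"key", msg).hex())
```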
Digital Signatures
For non-repudiation
A digital signature authenticates both the origin and the contents of a message in a manner that is provable to a disinterested third party.
Encrypt the message digest (computed using a secure hash) with the public key.
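Hash-then-sign in code, as an added example that is not part of the slides. It reuses the slides' toy RSA numbers (n = 77, public exponent 17, private exponent 53) and applies the private exponent to the digest, matching the Authentication and Non-Repudiation services described earlier (only the private-key holder can produce the value; anyone with the public key can check it). Reducing the SHA-256 digest mod 77 is an artefact of the toy modulus so the example runs; with a real-size n the whole encoded digest is signed. The function names are this example's own.

```python
"""Toy RSA signature over a message digest (added example, not from the slides)."""
import hashlib

# Constructed toy key: the same numbers as the HELLO slide.
N, A, B = 77, 17, 53  # modulus, public exponent a, private exponent b


def digest_mod_n(message: bytes, n: int = N) -> int:
    """Secure-hash digest of the message, reduced into Z_n for the toy key."""
    return int.from_bytes(hashlib.sha256(message).digest(), 'big') % n


def sign(message: bytes, priv=(N, B)) -> int:
    """Signer applies the private exponent b to the digest: s = h(m)^b mod n."""
    n, b = priv
    return pow(digest_mod_n(message, n), b, n)


def verify(message: bytes, signature: int, pub=(N, A)) -> bool:
    """Anyone applies the public exponent a and compares: s^a mod n == h(m)."""
    n, a = pub
    return pow(signature, a, n) == digest_mod_n(message, n)


if __name__ == "__main__":
    m = b"HELLO"
    s = sign(m)
    print(s, verify(m, s), verify(m, (s + 1) % N))
```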