Homework #4 Solutions Brian A. LaMacchia

Slides:



Advertisements
Similar presentations
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
Advertisements

L8. Reviews Rocky K. C. Chang, May Foci of this course 2 Rocky K. C. Chang  Understand the 3 fundamental cryptographic functions and how they are.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Interlock Protocol - Akanksha Srivastava 2002A7PS589.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.
Homework #4 Solutions Brian A. LaMacchia Portions © , Brian A. LaMacchia. This material is provided without.
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.
Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Public Key Cryptography
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.
Homework #8 Solutions Brian A. LaMacchia Portions © , Brian A. LaMacchia. This material is provided without.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
Homework #5 Solutions Brian A. LaMacchia Portions © , Brian A. LaMacchia. This material is provided without.
CSCI 172/283 Fall 2010 Public Key Cryptography. New paradigm introduced by Diffie and Hellman The mailbox analogy: Bob has a locked mailbox Alice can.
C HAPTER 13 Asymmetric Key Cryptography Slides adapted from "Foundations of Security: What Every Programmer Needs To Know" by Neil Daswani, Christoph Kern,
Public Key Model 8. Cryptography part 2.
Andreas Steffen, , 4-PublicKey.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.
Great Theoretical Ideas in Computer Science.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
Public Key Cryptography. symmetric key crypto requires sender, receiver know shared secret key Q: how to agree on key in first place (particularly if.
PUBLIC-KEY CRYPTOGRAPH IT 352 : Lecture 2- part3 Najwa AlGhamdi, MSc – 2012 /1433.
Lecture 8 Overview. Analysis of Algorithms Algorithms – Time Complexity – Space Complexity An algorithm whose time complexity is bounded by a polynomial.
Cryptography and Network Security Public Key Cryptography and RSA.
Chapter 3 – Public Key Cryptography and RSA (A). Private-Key Cryptography traditional private/secret/single-key cryptography uses one key shared by both.
Chapter 9 Public Key Cryptography and RSA. Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.
CS 4803 Fall 04 Public Key Algorithms. Modular Arithmetic n Public key algorithms are based on modular arithmetic. n Modular addition. n Modular multiplication.
Cryptography issues – elliptic curves Presented by Tom Nykiel.
1 Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang 9 February 2007.
1 Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang 9 February 2007.
최신정보보호기술 경일대학교 사이버보안학과 김 현성.
Reviews Rocky K. C. Chang 20 April 2007.
Public Key Encryption Major topics The RSA scheme was devised in 1978
Encryption and Integrity
Network Security.
CMSC 414 Computer and Network Security Lecture 15
Public-key Cryptography
Chapter 8 Network Security.
Public Key Cryptosystems - RSA
Originally by Yu Yang and Lilly Wang Modified by T. A. Yang
CSE 4095 Transport Layer Security TLS, Part II
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Asymmetric Cryptography
Homework #5 Solutions Brian A. LaMacchia
Cryptography Lecture 24.
Assignment #4 – Solutions
SSL (Secure Socket Layer)
Cryptography: Basics (2)
Practical Aspects of Modern Cryptography
Public Key Cryptography
Public-Key, Digital Signatures, Management, Security
Chapter -5 PUBLIC-KEY CRYPTOGRAPHY AND RSA
Diffie-Hellman Key Exchange
Introduction to Cryptography
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Security: Public Key Cryptography
Secure Diffie-Hellman Algorithm
Key Exchange With Public Key Cryptography
Lecture 6.2: Protocols - Authentication and Key Exchange II
Presentation transcript:

Homework #4 Solutions Brian A. LaMacchia bal@cs.washington.edu bal@microsoft.com Portions © 2002-2006, Brian A. LaMacchia. This material is provided without warranty of any kind including, without limitation, warranty of non-infringement or suitability for any purpose. This material is not guaranteed to be error free and is intended for instructional use only.

Practical Aspects of Modern Cryptography Question 1a Question 1(a): Compute the relative cost of RSA encryption to RSA decryption in SSL in terms of modular multiplications mod n. The server’s public key is (n, e), where n is a 1024-bit composite, n = p*q (p, q 512-bit primes), and e = 216+1. The server’s private decryption exponent is d where ed  1 mod (p-1)(q-1). Assume for this problem that half the bits in d are 1’s and |d| = 1024. January 31, 2006 Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Question 1a Recall Josh's description of how to multiply fast Follow the bits in the exponent (high to low, ignoring the high bit since it's always 1), a 0 is a square and a 1 is a square followed by a side multiply. So the cost of exponentiating is determined by the size of the exponent and the number of 1 bits it has. The cost of encrypting (exponentiating to e) is thus going to involve 16 squares and 1 side multiply, since |e| = 17 and has only the high & low bit set. The cost of decrypting (exponentiating to d) is going to involve 1023 squares and 511 side multiplies (because |d| = 1024 and half the bits in d are 1s). January 31, 2006 Practical Aspects of Modern Cryptography

Question 1b - Rebalanced RSA n = pq, |p| = |q| = 512, p, q prime Server chooses the decryption exponent d first such that d  r1 mod p-1, d  r2 mod q-1, |r1| = |r2| = 160 Assume half the bits in r1 & r2 are 1s The server then computes e such that ed  1 mod (p-1)(q-1). |e| = 1024, assume half the bits in e are 1s Encryption E(X) = Xe mod n Decryption D(X) is now done by computing Xr1 mod p, Xr2 mod q, and using CRT to construct Xd mod n. January 31, 2006 Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Question 1b Question 1(b): Compute the relative cost of RSA encryption to RSA decryption in the Rebalanced RSA case for |n| = 1024, |r1| = |r2| = 160, again in terms of modular multiplications in the exponentiations. What’s the speedup for a server compared to the “regular” RSA in Question 1(a)? January 31, 2006 Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Question 1b We proceed as in 1(a), looking at the sizes and number of 1 bits in the various exponents. Encrypting: e is now "full size“, so |e| = 1024 and half the bits in e are 1s Computing Xe mod n will involve 1023 squares and 511 side multiplies Decrypting: we need to compute Xr1 mod p and Xr2 mod q. |r1| = |r2| = 160 (by definition), and each has 80 1 bits. Each exponentiation will involve 159 squares and 79 side multiplies. So together, the server has to perform 318 squares and 158 side multiplies. January 31, 2006 Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Question 1b Just comparing the number of exponentiations, we've reduced the server's workload from 1023 squares & 511 side multiplies to 318 squares and 158 side multiplies, which is about a 3.2X speedup for the server. Plus, the server gets to do these calculations mod p and mod q, which means it's dealing with smaller numbers. The client is a lot slower. 1023 squares and 511 side multiplies vs. 16 squares and 1 side multiply in 1(a). January 31, 2006 Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Question 2 – IPSEC cost C sends data to S in packets of varying length; for each packet S and C have to perform an IKE key establishment once to agree on a symmetric encryption key, and then perform repeated symmetric encryptions until the entire packet is encrypted. Assume the following performance characteristics for C’s encryption capabilities: C can perform IKE key establishment with S in 25,000 s to derive a symmetric encryption key for the session. C can perform a single symmetric encryption operation on a 16-byte plaintext in 0.25 s. January 31, 2006 Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Question 2a Question 2(a): If the average packet of data sent from C to S is 1KB (1024 bytes) in length, what’s the maximum bandwidth that can be achieved between C and S? Encrypting each packet requires one IKE key establishment and some number of symmetric encryption operations. Bandwidth = bits/second January 31, 2006 Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Question 2a - Solution For a 1K packet, we need one IKE + (1K/16) block encryptions The IKE takes 25000 s The block encryptions take 64*.25 s = 16 s The total time is 25016 s, and we’ve processed 1K bytes in that time, or about 40933 bytes/sec. January 31, 2006 Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Question 2a - Solution But wait, what about the additional bytes ESP adds? No effect on bandwidth limits from encryption, but ESP does add overhead, so it’s fair to look at that cost too. We don’t know the actual wire speed, but we know that ESP adds some bytes to each packet. Assume 56 bytes added to each packet So we have to send 1024+56 = 1080 bytes to actually transmit 1024 data bytes. 1080/1024 = 1024/X  X = 970.9 bytes 970.9 bytes in 25016 s = 38811 bytes/sec January 31, 2006 Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Question 2b Question 2(b): Now assume the average packet is 100KB; what’s the maximum achievable bandwidth? What’s the maximum bandwidth in the limiting case (i.e. one persistent session with an infinite-length packet to be sent)? January 31, 2006 Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Question 2b - Solution For a 100K packet, we need one IKE + (1K/16) block encryptions The IKE takes 25000 s, 100K = 102400 bytes (100K/16) block encryptions take (100K/16)*.25 s = 6400*.25 s = 1600 s Total time: 26600 s, or about 3,849,624 bytes/sec. Adding in 56 header bytes, we have to send 102456 bytes instead of 102400 bytes. 102456/102400 = 102400/X  X = 102344 bytes 102344 bytes in 26600 s = 3,847,518 bytes/sec In the limit, the limiting factor is that it takes .25s to encrypt 16 bytes, so that's an upper limit of 64,000,000 bytes/sec. January 31, 2006 Practical Aspects of Modern Cryptography

Question 3 – KDC Eavesdropping KDC, S and C are members of the same Kerberos realm When C obtains a ticket for S, KDC assigns ephemeral key KC,S KDC knows KC,S and can eavesdrop on all traffic protected with KC,S Assume KDC is passive (i.e. KDC cannot modify messages it sees on the wire). Question 3(a): Show how C and S can establish key K’ known only to them January 31, 2006 Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Question 3a Key establishment is easy, right? All we have to do is have C and S perform a Diffie-Hellman key exchange. January 31, 2006 Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Question 3a Key establishment is easy, right? All we have to do is have C and S perform a Diffie-Hellman key exchange. But how do C and S know they’re talking to each other while doing so? January 31, 2006 Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Question 3a Key establishment is easy, right? All we have to do is have C and S perform a Diffie-Hellman key exchange. But how do C and S know they’re talking to each other while doing so? One of the benefits of Kerberos is that it give you mutual authentication “for free” C and S authenticate each other as a side-effect of running the Kerberos protocol. January 31, 2006 Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Question 3a Key establishment is easy, right? All we have to do is have C and S perform a Diffie-Hellman key exchange. But how do C and S know they’re talking to each other while doing so? One of the benefits of Kerberos is that it give you mutual authentication “for free” C and S authenticate each other as a side-effect of running the Kerberos protocol. January 31, 2006 Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Question 3a So one way to solve the problem is to add mutual authentication to Diffie-Hellman. Here’s how: First, have C and S run the Kerberos protocol to obtain shared secret KC,S (known to C, S and the KDC). Now have C and S run ephemeral Diffie-Hellman (using some common set of parameters). Initialization: each party (C and S) chooses a secret exponent (a and b respectively) C computes A = ga mod p, S computes B = gb mod p C  S: A, HMAC-SHA1(A, KC,S). S verifies the keyed MAC and knows that A really came from C. S  C: B, HMAC-SHA1(B, KC,S). C verifies the keyed MAC and knows that B really came from S. C computes Ba mod p to get K’ = gab mod p. S computes Ab mod p to get K’ = gab mod p. Now C and S hold a new shared secret, K’, which is unknown to the KDC. C and S used KC,S to authenticate a later, public key-based exchange. January 31, 2006 Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Question 3b What happens if the KDC is active? January 31, 2006 Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Question 3b What happens if the KDC is active? If the KDC is active then it can intercept messages, rewrite A & B to A' and B' and conduct a man-in-the-middle attack. January 31, 2006 Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Man-in-the-Middle An active KDC can play a man-in-the-middle attack. KDC can also defeat the modified D-H in 3(a) because it knows KC,S ga mod p ga’ mod p gb’ mod p gb mod p KDC Client C Server S Negotiated key: gab’ mod p Negotiated key: ga’b mod p January 31, 2006 Practical Aspects of Modern Cryptography

Question 3c (Extra Credit) Assume C and S are jointly members of two independent Kerberos realms: Realm 1: KDC1, yielding key KC,S,1 Realm 2: KDC2, yielding key KC,S,2 Assuming that KDC1 and KDC2 do not collude with each other, devise a protocol between C and S to create an encrypted channel that is secure against active eavesdropping from both KDC1 and KDC2. > 3c) With two independent keys, so long as the KDCs don't collude they can't play man-in-the-middle. January 31, 2006 Practical Aspects of Modern Cryptography

Question 3c (Extra Credit) With two independent keys shared between C and S, so long as the KDCs don't collude neither can perform a man-in-the-middle attack. “Independent” here means “Neither key is known to both KDC1 and KDC2”. Solution: as in 3(a) above, but use both keys in the HMAC authenticators Neither KDC1 or KDC2 knows both, so even if they’re active they can’t switch messages on C or S January 31, 2006 Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Question 3c C and S run Kerberos in both realms, obtaining KC,S,1 and KC,S,2 Now have C and S run ephemeral Diffie-Hellman (using some common set of parameters). Initialization: C computes A = ga mod p, S computes B = gb mod p C  S: A, HMAC-SHA1(A, KC,S,1,KC,S,2). S verifies the keyed MAC and knows that A really came from C. S  C: B, HMAC-SHA1(B, KC,S,1,KC,S,2). C verifies the keyed MAC and knows that B really came from S. C computes Ba mod p to get K’ = gab mod p. S computes Ab mod p to get K’ = gab mod p. Now C and S hold a new shared secret, K’, which is unknown to the KDC. January 31, 2006 Practical Aspects of Modern Cryptography