David Evans http://www.cs.virginia.edu/evans Class 36: Public-Key Cryptography A billion billion is a large number, but it's not that large a number. Whitfield Diffie CS200: Computer Science University of Virginia Computer Science David Evans http://www.cs.virginia.edu/evans
Last Time How to store securely Store the hash of the password One-way, collision resistant hashing function (e.g., md5) Check the hash of the entered password matches the stored hash The password is transmitted over the Internet 23 April 2003 CS200 Spring 2003
Sending Passwords Encrypt The Internet User Server 23 April 2003 CS200 Spring 2003
K K C = EncryptK (P) P = DecryptK (C) The Internet Ciphertext Encrypt Plaintext Plaintext K K User C = EncryptK (P) P = DecryptK (C) Server 23 April 2003 CS200 Spring 2003
Lorenz Cipher From http://www.codesandciphers.org.uk/lorenz/fish.htm 23 April 2003 CS200 Spring 2003
Modern Symmetric Ciphers A billion billion is a large number, but it's not that large a number. — Whitfield Diffie Same idea but: Use digital logic instead of mechanical rotors Larger keys Encrypt blocks of letters at a time 23 April 2003 CS200 Spring 2003
Modern Ciphers AES (Rijndael) successor to DES selected 2001 128-bit keys, encrypt 128-bit blocks Brute force attack Try 1 Trillion keys per second Would take 10790283070806000000 years to try all keys! If that’s not enough, can use 256-bit key No known techniques that do better than brute force search 23 April 2003 CS200 Spring 2003
K K The Internet Ciphertext Encrypt Decrypt Plaintext Plaintext User How do User and Server agree on K (without sending it over the Internet)? Server 23 April 2003 CS200 Spring 2003
Padlocked Boxes Hi! Alice 23 April 2003 CS200 Spring 2003
Padlocked Boxes Alice’s Padlock Hi! Alice Alice’s Padlock Key 23 April 2003 CS200 Spring 2003
Padlocked Boxes Shady Sammy’s Slimy Shipping Service Alice Alice’s Padlock Key 23 April 2003 CS200 Spring 2003
Padlocked Boxes Bob’s Padlock Alice Hi! Bob Alice’s Padlock Key Bob’s Padlock Key 23 April 2003 CS200 Spring 2003
Padlocked Boxes Hi! Alice Bob Alice’s Padlock Key Bob’s Padlock Key 23 April 2003 CS200 Spring 2003
Padlocked Boxes Hi! Alice Bob Alice’s Padlock Key Bob’s Padlock Key 23 April 2003 CS200 Spring 2003
Padlocked Boxes Alice Hi! Bob Bob’s Padlock Key 23 April 2003 CS200 Spring 2003
Padlocked Boxes Hi! Alice Hi! Bob Bob’s Padlock Key 23 April 2003 CS200 Spring 2003
Asymmetric Cryptosystems Encryption and Decryption are done with different keys Keep one of the keys secret, reveal the other EKRA (EKUA (M)) = M Alice’s Public Key: KUA Alice’s Private Key: KRA Only KRA can decrypt a message encrypted using KUA. 23 April 2003 CS200 Spring 2003
Course Evaluations SEAS Official Course Evaluation Generic questions – not useful for improving courses or teaching Administrators read results to decide if CS200 should be offered again (it is not a real course yet) and if I should be fired I also read them, and make them available on the web to future students CS200 Course Improvement Survey Specific questions to help me improve course (if it is offered again, see SEAS survey) 23 April 2003 CS200 Spring 2003
Transparencies If you have a laptop, its easy If not, you will probably need to resize the image to make it line up (all the CRT monitors are slightly different sizes) Should see a 3 letter passphrase (only the first 2 letters are checked, hard to see 3rd) If you can’t see it, click “Give Up” to go straight to the survey 23 April 2003 CS200 Spring 2003
Remember your Course Pledge I will provide useful feedback. I realize this is an evolving course and it is important that I let the course staff know what they need to improve the course. I will not wait until the end of the course to make the course staff aware of any problems. I will provide feedback either anonymously (using the course feedback form) or by contacting the course staff directly. I will fill out all course evaluation surveys honestly and thoroughly. 23 April 2003 CS200 Spring 2003
Asymmetric Cryptosystems Encryption and Decryption are done with different keys Keep one of the keys secret, reveal the other EKRA (EKUA (M)) = M Alice’s Public Key: KUA Alice’s Private Key: KRA Only KRA can decrypt a message encrypted using KUA. 23 April 2003 CS200 Spring 2003
Public-Key Applications: Privacy Bob Alice Encrypt Ciphertext Decrypt Plaintext Plaintext Bob’s Public Key Bob’s Private Key Alice encrypts message to Bob using Bob’s Private Key Only Bob knows Bob’s Private Key only Bob can decrypt message 23 April 2003 CS200 Spring 2003
Signatures Bob Alice Signed Message Encrypt Decrypt Plaintext Plaintext Alice’s Private Key Alice’s Public Key Bob knows it was from Alice, since only Alice knows Alice’s Private Key Non-repudiation: Alice can’t deny signing message (except by claiming her key was stolen!) Integrity: Bob can’t change message (doesn’t know Alice’s Private Key) 23 April 2003 CS200 Spring 2003
Asymmetric Cryptosystems Need a hard problem (like symmetric cryptosystems) With a trap door: if you know a secret, the hard problem becomes easy 23 April 2003 CS200 Spring 2003
RSA [Rivest, Shamir, Adelman 78] E(M) = Me mod n Public key (e, n) D(C) = Cd mod n Private key d e, d and n chosen so Med mod n = M D(E(M)) = E(D(M)) = M 23 April 2003 CS200 Spring 2003
Choosing e, d, n Choose 2 secret primes p and q n = pq ed 1 mod (p – 1)(q – 1) Depends on number theory theorems of Euler and Fermat Finding d is easy if you know p and q, but hard if you don’t. 23 April 2003 CS200 Spring 2003
Security of RSA n is public, but not p and q where n = pq If we can find p and q, easy to find d (private key) n is ~200 digits – would take quintillions of years Factoring is probably NP-Complete (but not proven to be) 23 April 2003 CS200 Spring 2003
KUS KRS The Internet Ciphertext Encrypt Decrypt Plaintext Plaintext User Public Key Private Key Server How does User know the public key to use? 23 April 2003 CS200 Spring 2003
Key Management 23 April 2003 CS200 Spring 2003
Approach 1: Meet Secretly User and Server Operator meet secretly and swap public keys If you can do that, might as well agree on a secret (symmetric key) instead Doesn’t work for Internet transactions 23 April 2003 CS200 Spring 2003
Approach 2: Public Announcement Publish public keys in a public forum Append to email messages Post on web site New York Time classifieds Easy for rogue to pretend to be someone else Forge email, alter web site, lie to New York Times 23 April 2003 CS200 Spring 2003
Approach 3: Public Directory Trusted authority maintains directory mapping names to public keys Entities register public keys with authority in some secure way Authority publishes directory Print using watermarked paper, special fonts, etc. Allow secure electronic access Depends on secure distribution of directory’s key 23 April 2003 CS200 Spring 2003
Approach 4: Certificates VeriSign KUS CS = EKRVeriSign[“Server”, KUS] $$$$ CS Request User Server EKUVeriSign (CS) = [“Server”, KUS] Knows KRS 23 April 2003 CS200 Spring 2003
SSL (Secure Sockets Layer) Browser Server Hello KRCA[Server Identity, KUS] Check Certificate using KUCA Pick random K KUS[K] Find K using KRS Secure channel using K 23 April 2003 CS200 Spring 2003
Data encrypted using secret key exchanged using some public key associated with some certificate. 23 April 2003 CS200 Spring 2003
23 April 2003 CS200 Spring 2003
23 April 2003 CS200 Spring 2003
23 April 2003 CS200 Spring 2003
How do you make your web site password form encrypt its input? http:// https:// 23 April 2003 CS200 Spring 2003
Charge Remember to do the course evaluations Friday: Secret of Life Don’t count on the SEAS site being up right until the last minute Friday: Secret of Life Monday: PS8 Presentations No more than 5 minutes for teams of 3 or more, 3 minutes for 2 or less (strictly enforced) There will be token prizes for the most impressive, best contribution and best presentation 23 April 2003 CS200 Spring 2003