Lecture 7: Key Distribution

Slides:



Advertisements
Similar presentations
Public Key Cryptography Nick Feamster CS 6262 Spring 2009.
Advertisements

Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa Spring 2006 David Evans Class 4: Modern Cryptography
Public Key Crytography1 From: Introduction to Algorithms Cormen, Leiserson and Rivest.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Public Key Algorithms 4/17/2017 M. Chatterjee.
1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Public Key Cryptography Bryan Pearsaul. Outline What is Cryptology? Symmetric Ciphers Asymmetric Ciphers Diffie-Hellman RSA (Rivest/Shamir/Adleman) Moral.
CSCI 172/283 Fall 2010 Public Key Cryptography. New paradigm introduced by Diffie and Hellman The mailbox analogy: Bob has a locked mailbox Alice can.
Lecture 6: Public Key Cryptography
Public Key Model 8. Cryptography part 2.
Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.
CSCI 398 Research Topics in Computer Science Yana Kortsarts Computer Science Department Widener University Chester, PA.
Lecture 11: Key Distribution
David Evans CS200: Computer Science University of Virginia Computer Science Class 36: Public-Key Cryptography If you want.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Chapter 21 Public-Key Cryptography and Message Authentication.
Modular Arithmetic with Applications to Cryptography Lecture 47 Section 10.4 Wed, Apr 13, 2005.
Cryptography and Network Security Chapter 10 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Public Key Cryptography. symmetric key crypto requires sender, receiver know shared secret key Q: how to agree on key in first place (particularly if.
1 Public-Key Cryptography and Message Authentication.
Cryptography and Network Security Chapter 9 - Public-Key Cryptography
PUBLIC-KEY CRYPTOGRAPH IT 352 : Lecture 2- part3 Najwa AlGhamdi, MSc – 2012 /1433.
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Chapter 3 – Public Key Cryptography and RSA (A). Private-Key Cryptography traditional private/secret/single-key cryptography uses one key shared by both.
The First Ten Years of Public-Key Cryptography Paper by: Whitfield Diffie Presentation by Taotao Zhao.
Public Key Algorithms Lesson Introduction ●Modular arithmetic ●RSA ●Diffie-Hellman.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
David Evans CS551: Security and Privacy University of Virginia Computer Science Lecture 6: Key Exchange The era of “electronic.
Public Key Cryptosystem In Symmetric or Private Key cryptosystems the encryption and decryption keys are either the same or can be easily found from each.
CSEN 1001 Computer and Network Security Amr El Mougy Mouaz ElAbsawi.
Network security Cryptographic Principles
최신정보보호기술 경일대학교 사이버보안학과 김 현성.
CS480 Cryptography and Information Security
Public Key Encryption Major topics The RSA scheme was devised in 1978
Public Key Encryption.
CSCE 715: Network Systems Security
Public Key Cryptosystem
Asymmetric-Key Cryptography
Network Security Design Fundamentals Lecture-13
Key Exchange References: Applied Cryptography, Bruce Schneier
Privacy & Security.
Public Key Encryption Systems
Public Key Encryption and Digital Signatures
Big Numbers: Mathematics and Internet Commerce
Private-Key Cryptography
Input: A={a1, a2, … an} – public key, S - ciphertext
Asymmetric Cryptography
NET 311 Information Security
Chapter 10: Key Management (Again) and other Public Key Systems
Public-Key Cryptography and Message Authentication
Intro to Cryptography Some slides have been taken from:
Key Management Network Systems Security
CS 115: COMPUTING FOR The Socio-Techno Web
NET 311 Information Security
Cryptography and Network Security Chapter 10
CSCE 715: Network Systems Security
Chapter 3 - Public-Key Cryptography & Authentication
CSCE 715: Network Systems Security
Cryptology Design Fundamentals
Introduction to Cryptography
CSCE 715: Network Systems Security
Class 36: Public-Key Cryptography
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Public Key Encryption Systems
Security: Public Key Cryptography
Network Security Design Fundamentals Lecture-13
Secure Diffie-Hellman Algorithm
Diffie-Hellman Algorithm
Presentation transcript:

David Evans http://www.cs.virginia.edu/~evans Lecture 7: Key Distribution The era of “electronic mail” [Potter1977] may soon be upon us; we must ensure that two important properties of the current “paper mail” system are preserved: (a) messages are private, and (b) messages can be signed. R. Rivest, A. Shamir and L. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, January 1978. (The original RSA paper.) CS588: Security and Privacy University of Virginia Computer Science David Evans http://www.cs.virginia.edu/~evans

Traditional Cryptology Given a secure channel to transmit a shared secret key, symmetric cryptosystems amplify and time-shift that channel: Can transmit bigger secrets over an insecure channel (except one-time pad) Can transmit later secrets over an insecure channel But, the initial secure channel is required 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Key Distribution All the cryptosystems we have seen depend on two parties having a shared secret Distributing secret keys is hard and expensive Can two people communicate securely without having to meet first and establish a key? 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Trust a Third Party Keys “R” Us knows KA, KB ... Generates random KAB E (KAB, KA) E (KAB, KB) E (“Bob”, KA) E (“Alice” || KAB, KB) E (M, KAB) Bob Alice How can Alice and Bob securely provide their keys to Keys “R” Us? 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Merkle’s Puzzles Ralph Merkle [1974] Alice generates 220 messages: “This is puzzle x. The secret is y.” (x and y are random numbers) Encrypts each message using symmetric cipher with a different key. Sends all encrypted messages to Bob 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Merkle’s Puzzles, cont. Bob chooses random message, performs brute-force attack to recover plaintext and secret y Bob sends x (clear) to Alice Alice and Bob use y to encrypt messages 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Is this secure? Alice: symmetric cipher DES ~255 expected brute force work to break DES Eve: has to break the 220 to find which one matches x. ~ 219 * 255 expected work Alice and Bob change keys frequently enough since it is less work to agree to a new key Why not increase number of puzzle messages? 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Padlocked Boxes Hi! Alice 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Padlocked Boxes EA(M) Alice’s Padlock Hi! Alice Alice’s Padlock Key 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Padlocked Boxes Shady Sammy’s Slimy Shipping Service Alice Alice’s Padlock Key 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Padlocked Boxes EB( ) EA(M) Bob’s Padlock Alice Hi! Bob Alice’s Padlock Key Bob’s Padlock Key 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Padlocked Boxes EB(EA(M)) Hi! Alice Bob Alice’s Padlock Key Bob’s Padlock Key 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Padlocked Boxes DA(EB(EA(M))) = EB(M) Hi! Alice Bob Alice’s Padlock Key Bob’s Padlock Key 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Padlocked Boxes EB(M) Alice Hi! Bob Bob’s Padlock Key 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Padlocked Boxes Hi! Alice Hi! Bob Bob’s Padlock Key 19 Sept 2001 University of Virginia CS 588

Secret Paint Mixing Alice Bob Yellow paint (public) Analogy due to Simon Singh, The Code Book. Secret Paint Mixing Alice Bob Yellow paint (public) Alice’s Secret Color Bob’s Secret Color CA = Yellow + Purple CB = Yellow + Red K = Yellow + Red + Purple K = Yellow + Purple + Red Eve 19 Sept 2001 University of Virginia CS 588

Birth of Public Key Cryptosystems 1969 – ARPANet born: 4 sites Whitfield Diffie starts thinking about strangers sending messages securely 1974 – Whitfield Diffie gives talk at IBM lab Audience member mentions that Matrin Hellman (Stanford prof) had spoke about key distribution That night – Diffie starts driving 5000km to Palo Alto Diffie, Hellman and Ralph Merkle work on key distribution problem 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 We stand today on the brink of a revolution in cryptography. The development of cheap digital hardware has freed it from the design limitations of mechanical computing and brought the cost of high grade cryptographic devices down to where they can be used in such commercial applications as remote cash dispensers and computer terminals. In turn, such applications create a need for new types of cryptographic systems which minimize the necessity of secure key distribution channels and supply the equivalent of a written signature. At the same time, theoretical developments in information theory and computer science show promise of providing provably secure cryptosystems, changing this ancient art into a science. Diffie and Hellman, November 1976. 19 Sept 2001 University of Virginia CS 588

Diffie-Hellman Key Agreement Choose public numbers: q (large prime number),  (primitive root of q) A generates random XA and sends B: YA = XA mod q. B generates random XB and sends A: YB =  XB mod q. A calculates secret key: K = (YB) XA mod q. B calculates secret key: K = (YA) XB mod q. 19 Sept 2001 University of Virginia CS 588

What’s a primitive root?  is a primitive root of q if for all 1  n < q, there is some m, 1  m < q such that m = n mod q Given , n and q can we solve for m? Yes: there is only one possible m But, it might be hard to find Discrete logarithm: given , n, and q find 0  m < q such that m = n mod q. 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Example What is a primitive root for q = 11? 21 11 2 26 = 64 11 9 22 11 4 27 = 128 11 7 23 11 8 28 = 256 11 3 24 = 16 11 5 29 = 512 11 6 25 = 32 11 10 210 = 1024 11 1 19 Sept 2001 University of Virginia CS 588

Finding Primitive Roots Theorem: All prime numbers have primitive roots. Book proves this using Proof by Forward Reference “(Proof later.)” (p .137) and “this will be proven later” (p. 230), “which will be proven only later” (p. 231), “which is known to exist” (p. 445). We’ll use the same technique In practice, it is easy to find primitive roots for prime numbers by guessing. Almost ½ of guesses will work (next class we will see why). 19 Sept 2001 University of Virginia CS 588

Diffie-Hellman Example Choose public numbers: q (large prime number),  (generator mod q): q = 11,  = 2 A generates random XA and sends B: YA = XA mod q. XA = 4, YA = 24 mod 11 = 16 mod 11 = 5 B generates random XB and sends A: YB =  XB mod q. XB = 6, YB = 26 mod 11 = 64 mod 11 = 9 Example from Tom Dunigan’s notes: http://www.cs.utk.edu/~dunigan/cs594-cns00/class14.html 19 Sept 2001 University of Virginia CS 588

Diffie-Hellman Example, cont. q = 11,  = 2 XA = 4, YA = 5 XB = 6, YB = 9 A calculates secret key: K = (YB) XA mod q. K = 94 mod 11 = 6561 mod 11 = 5. B calculates secret key: K = (YA) XB mod q. K = 56 mod 11 = 15625 mod 11 = 5. 19 Sept 2001 University of Virginia CS 588

Is it magic? Things to Prove: They generate the same keys: K = (YB) XA mod q = (YA) XB mod q An eavesdropper cannot find K from any transmitted value: q, , YA, YB 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 1. Keys Agree Prove K = (YB)XA mod q = (YA)XB mod q. (YB)XA mod q (YA)XB mod q = (XB mod q)XA mod q = (XA mod q)XB mod q = (XB)XA mod q = (XA)XB mod q = XBXA mod q = XAXB mod q QED. 19 Sept 2001 University of Virginia CS 588

Modular Exponentiation (a mod q)b mod q = ab mod q (7 mod 6)2 mod 6 = 72 mod 6 12 mod 6 = 49 mod 6 Proof by example? 19 Sept 2001 University of Virginia CS 588

Modular Exponentiation First prove: (a * b) mod q = (a mod q) * (b mod q) mod q Then, by induction, (a mod q)b mod q = ab mod q since ab = a * ab-1 and a1 = a. 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Modular Arithmetic (a * b) mod n = x x + (n * d0) = a * b x = a * b – (n * d0) a mod n = y  y = a – (n * d1) b mod n = z  z = b – (n * d2) (a mod n) * (b mod n) mod n = (a – (n * d1)) * (b – (n * d2)) mod n = (a * b + (a * (n * d2) – b * (n * d1) + (n * d1)(n * d2)) mod n = a * b mod n (all terms with n * are 0 mod n) 19 Sept 2001 University of Virginia CS 588

2. Secure from Eavesdropper An eavesdropper cannot find K = (YB)XA mod q = (YA)XB mod q from any transmitted value: q, , YA = XA mod q, YB =  XB mod q Attacker needs to solve YA = XA mod q for XA Finding discrete logarithms is (probably) hard! Best known algorithm: e((ln q)1/3 ln (ln q)) 2/3) 19 Sept 2001 University of Virginia CS 588

Secure from Active Eavesdropper? Public: q,  YA = XA mod q Bob Secret: XB Alice Secret: XA YB =  XB mod q K = (YA)XB mod q K = (YB)XA mod q 19 Sept 2001 University of Virginia CS 588

Secure from Active Eavesdropper? Public: q,  YA = XA mod q YE = XE mod q Bob YE =  XE mod q Secret: XB Alice Secret: XA YB =  XB mod q KAE = (YE)XA mod q KEB = (YE)XB mod q Secret: XE 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Diffie-Hellman Use SSL Cisco encrypting routers Sun secure RPC etc... 19 Sept 2001 University of Virginia CS 588

Public-Key Cryptography Same paper introduced concept of Public-Key Cryptography Public algorithm: E Private algorithm: D Identity: E (D (m)) = D (E (m)) = m Secure: cannot determine E from D But didn’t know how to find suitable E and D 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Knapsack Ciphers [Merkle, Hellman 78] Knapsack Problem: Given positive integers a1, a2 , …, an and a positive integer b find a subset of a’s that sum to b. In general, this is NP-complete Can try 2n possible subsets, check each one in polynomial time If we could solve it in polynomial time, we could solve all other NP problems in P also Proof: reduce to satisfiability (~ vehement assertion) 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Encryption Message = (x1, …., xn) (bit vector) Knapsack vector: a = (a1, …., an) Ciphertext: b = x1a1 + x2a2 + …+ xnan Decrypt by finding subset of ai’s that sum to b. Message bits corresponding to i’s are 1. Unique decryption? Depends on choice of knapsack: can’t have duplicate elements, can’t have elements equal to sum of subset of other elements 19 Sept 2001 University of Virginia CS 588

Superincreasing Knapsack a = (a1, …., an) where for all i, ai > a1+ a2 + … + ai - 1 If a is superincreasing, how hard is decryption? for i = n to 1 step –1 if b >= ai then bi = 1 b = b – ai else bi = 0 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Disguise the Knapsack Instead of using a = (a1, …., an) use c = (ta1 mod m, …., tan mod m) where m > a1 + a2 + … + an and t is random secret, relatively prime to m (Hence, there is an inverse t-1 mod n) Alice publishes c as her “public knapsack”. 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Knapsack Encryption To send a message, b = x1c1 + x2c2 + …+ xncn Alice decrypts by: t-1 b mod m = t-1x1c1 + t-1x2c2 + …+ t-1 xncn c = (ta1 mod m, …., tan mod m) so t-1x1c1 = a1x1 mod m t-1 b mod m = x1a1 + x2a2 + …+ xnan Easy for Alice to compute x’s now using superincreasing knapsack. 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Example Private key: (3, 5, 9, 20, 44) t = 67, m = 89 t-1 = 4 since 67 * 4 = 1 mod 89 3 * 67 = 201 mod 89 = 23, … Public key: (23, 68, 69, 5, 11) Encrypt M = (01011) C = 68 + 5 + 11 = 84 Decrypt C * 4 = 69 mod 89 = 5 + 20 + 44 = (01011) 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Knapsack Security? Security relied on proof that solving general knapsack problem is NP-hard But, adversary doesn’t have to solve general knapsack problem – just convert to superincreasing knapsack Shamir [1983] showed it is possible to do this in polynomial time without known t and m Lesson: just because a cipher uses a provably hard problem, doesn’t mean there isn’t a way of breaking the cipher without solving that problem 19 Sept 2001 University of Virginia CS 588

University of Virginia CS 588 Charge Next time: Rivest, Shamir, Adelman: First solution to finding suitable E and D Identity: E (D (m)) = D (E (m)) = m Secure: cannot determine E from D Read the paper! Go somewhere appropriate: this is perhaps the most important paper in past 30 years! Identify 2 questionable statements in the paper 19 Sept 2001 University of Virginia CS 588