Presentation transcript:

Public Key Requirements
1. computationally easy to create key pairs
2. computationally easy for sender knowing public key to encrypt messages
3. computationally easy for receiver knowing private key to decrypt ciphertext
4. computationally infeasible for opponent to determine private key from public key
5. computationally infeasible for opponent to otherwise recover original message
6. useful if either key can be used for each role

Public Key Algorithms
- RSA (Rivest, Shamir, Adleman)
  - developed in 1977
  - only widely accepted public-key encryption alg
  - given tech advances need bit keys
- Diffie-Hellman key exchange algorithm
  - only allows exchange of a secret key
- Digital Signature Standard (DSS)
  - provides only a digital signature function with SHA-1
- Elliptic curve cryptography (ECC)
  - new, security like RSA, but with much smaller keys

7/12/2015 Prof. Ehud Gudes Security Ch 3 3
The RSA Cipher
Based on number theory and modular arithmetic
Stallings App. A

Fermat's Little Theorem
If a is relatively prime to P and P is prime:
a^(P-1) = 1 mod P, or a^P = a mod P
See proof p. 747 in [SB]

Euler Theorem
Denote by Ø(P) the number of numbers relatively prime to P and less than P (P is not necessarily prime).
For P prime, clearly Ø(P) = P-1
For N = P*Q where both P and Q are primes, Ø(N) = (P-1)*(Q-1)
See proof in [SB] p. 748

Euler Theorem (Cont.)
If X is relatively prime to P, then X^Ø(P) = 1 mod P
Obvious if P is prime, since Ø(P) = P-1; use Fermat's little theorem
For P not prime see proof in [SB] p. 749

RSA
- Published by Rivest, Shamir and Adleman in '78.
- Let N = PQ.
- P and Q are large prime numbers.
- The order of the multiplicative group modulo N is (P-1)(Q-1). The multiplicative group modulo N contains all the numbers between 1 and N that are relatively prime to N.
- By Euler's theorem, a^((P-1)(Q-1)) = 1 (mod N)

RSA (cont.)
- e is the encryption key (public)
- d is the decryption key (private). The factorization of N is also part of the private key.
- Encryption is done by raising the message to the power e modulo N.
- Decryption is done by raising the ciphertext to the power d modulo N.

RSA (cont.)
- Find large primes P and Q and compute N = P*Q
- Find e and d relatively prime to (P-1)(Q-1) that satisfy ed = 1 (mod (P-1)(Q-1))
C = M^e (mod N)
M = C^d (mod N)
M = C^d (mod N) = M^(ed) (mod N) = M
Note: to find d from e (or e from d) one needs to know P and Q, i.e. factor N

Proof of RSA
X^(ed) mod N = X ?
ed = 1 mod (p-1)(q-1)
ed = 1 + k·(p-1)(q-1)
X^(p-1) = 1 mod p (little Fermat)
(X^(k(q-1)))^(p-1) ≡ 1 mod p = rp + 1
(X^(k(p-1)))^(q-1) ≡ 1 mod q = sq + 1
rp + 1 = sq + 1 = t·pq + 1 (since p and q are primes) ≡ 1 mod pq
X^(1+k(p-1)(q-1)) ≡ X * (1 mod pq) = X mod pq !!

RSA Algorithm

RSA Example
Example 1: Let p=5 and q=7, whence n=pq=35 and Ø(n)=(5-1)(7-1)=24. Pick d=11. Then e=inv(11, 24)=11. Suppose M=2.
C = M^e mod n = 2^11 mod 35 = 2048 mod 35 = 18
and C^d mod n = mod 35 = 2 = M
Example 2: Let p=53 and q=61, where n=53*61=3233 and Ø(n)=52*60=3120. Letting d=791, we get e=71. To encipher the message M=RENAISSANCE, we break it into blocks of 4 digits each, where A=00, B=01, …, Z=25, and blank=26 (in practice, characters would be represented by their 8-bit ASCII codes). We thus get
M = R E N A I S S A N C E =
The first block is enciphered as mod 3233 = 3106. The entire message is enciphered as:
C =

RSA Example
PU – is Public key
PR – is Private key

Computing Inverses
1. a·x = 1 mod P
2. a^(P-1) = 1 mod P
3. x = a^(P-2) mod P
A more efficient algorithm by Knuth in [P]

Computing Powers
Example: 3^10 mod 5
(3^2)^5 mod 5 = (4^2)*(4^2)*4 mod 5 = 4
Very easy! – using associativity of MOD function
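The RSA examples and the two helper slides (computing inverses, computing powers) worked through in code. This is an added example, not code from the slides; the function names are chosen here, and the extended Euclidean algorithm stands in for the "more efficient algorithm" the slide only cites.

```python
# Added example (not from the slides): textbook RSA with the slides' toy numbers.
# Toy key sizes and no padding, so this is for study only.

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(a, m):
    """Inverse of a modulo m; works for any modulus, prime or not."""
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return x % m


def mod_pow(base, exp, mod):
    """Square-and-multiply, reducing after every step so numbers stay small."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def fermat_inverse(a, p):
    """The slides' method: x = a^(p-2) mod p, valid only for prime p."""
    return mod_pow(a, p - 2, p)


def rsa_keypair(p, q, d):
    """Derive the public exponent e from a chosen private exponent d."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = mod_inverse(d, phi)          # fails if d is not coprime to phi
    return (e, n), (d, n)


def encode_blocks(text):
    """A=00 ... Z=25, blank=26; two characters per 4-digit block."""
    codes = [26 if ch == " " else ord(ch) - ord("A") for ch in text]
    if len(codes) % 2:
        codes.append(26)             # pad the last block with a blank
    return [codes[i] * 100 + codes[i + 1] for i in range(0, len(codes), 2)]


def decode_blocks(blocks):
    """Inverse of encode_blocks (a padding blank, if any, is kept)."""
    codes = [c for b in blocks for c in divmod(b, 100)]
    return "".join(" " if c == 26 else chr(c + ord("A")) for c in codes)


def rsa_apply(blocks, key):
    """Encrypt or decrypt: both are exponentiation modulo n."""
    exponent, n = key
    return [mod_pow(b, exponent, n) for b in blocks]


if __name__ == "__main__":
    public, private = rsa_keypair(53, 61, 791)      # Example 2 of the slides
    cipher = rsa_apply(encode_blocks("RENAISSANCE"), public)
    print(public, cipher, decode_blocks(rsa_apply(cipher, private)))
```

Because every block is encrypted independently and deterministically, equal plaintext blocks give equal ciphertext blocks, which is one reason deployed RSA always uses randomized padding.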

Finding prime numbers
Finding if a number is prime, if N is represented by K bits:
1. Simple: N/2 divisions, O(2^k), exp!
2. Use probabilistic algorithm: Rabin test with m tries, you get prime with prob. 2^-m; for fixed m - O(1). Ref: Cormen et al.
3. New!!! Deterministic polynomial alg.!!!

Properties of RSA Cipher
1. Very secure! In order to find d from e or vice versa, you need to know p and q. This means you need to find the two factors that divide n. This is called factorization, and it is very difficult to factor huge numbers (500 bits!).
2. The method depends on finding large primes p and q! How can this be done? By using a probabilistic test, e.g. the Rabin-Miller test.
3. A relatively slow cipher, since modular arithmetic for large numbers is very slow!

Security of RSA
- The security of RSA relies on the difficulty of factoring a number into its prime factors.
- There is a great deal of research work on factoring algorithms.

Factoring
- RSA-129, a 129-digit number (426 bits), published in
- Factored in by using computers (over the Internet), within eight months.
- The best factoring algorithm can factor a 512-bit number within a few months using thousands of computers
- Today no factorization of numbers of 768 bits or more is known

Attacks on RSA
- brute force
  - trying all possible private keys
  - use larger key, but then slower
- mathematical attacks (factoring n)
  - see improving algorithms (QS, GNFS, SNFS)
  - See Table 20.2 in [SB]
  - currently bit keys seem secure
- timing attacks (on implementation)
  - use constant time, random delays, blinding
- chosen ciphertext attacks (on RSA props)

Public Key Cryptography 2: El Gamal
- Instead of using difficulty of factoring, we use difficulty of taking discrete logarithms.
- Pick modulus, subgroup generator (g) - known.
- Secret keys (s) are random numbers; public keys (p) is g to the s.
- Encrypt message by picking blinding exponent (e), multiplying message by p^e. Also send g^e; recipient computes g^e^s (=p^e), and divides to recover message.
- Bob sends (g^e, X = M·p^e) to Alice. Alice: (g^e)^s = p^e; M = X/p^e

ElGamal
- An encryption system based on the Discrete Log problem.
- Requires generating a random string for every encryption.
- The ciphertext is twice as long as the original text.
- Used more for electronic signature purposes
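The El Gamal exchange from the two slides above, with the slides' symbols (g, s, p = g^s, blinding exponent e, X = M·p^e), as an added example that is not part of the original slides. The modulus 2^127 - 1 and the base g = 3 are assumptions picked for a small runnable demonstration, and `same_blinding_exponent` is a hypothetical helper name.

```python
# Added example (not from the slides): El Gamal over a toy prime modulus.
import secrets

MODULUS = 2**127 - 1   # assumption: a Mersenne prime used as a small toy modulus
G = 3                  # assumption: the slides only say "subgroup generator g"


def random_exponent():
    """Uniform value in [2, MODULUS - 2] from the OS random source."""
    return secrets.randbelow(MODULUS - 3) + 2


def keygen():
    """Return (s, p): secret key s and public key p = g^s."""
    s = random_exponent()
    return s, pow(G, s, MODULUS)


def encrypt(m, p, e=None):
    """Return (g^e, X) with X = m * p^e; a fresh e is drawn unless one is given."""
    if not 0 < m < MODULUS:
        raise ValueError("message must be in 1 .. MODULUS-1")
    if e is None:
        e = random_exponent()
    return pow(G, e, MODULUS), m * pow(p, e, MODULUS) % MODULUS


def decrypt(ciphertext, s):
    """Recompute p^e as (g^e)^s and divide it out of X."""
    g_e, x = ciphertext
    p_e = pow(g_e, s, MODULUS)
    return x * pow(p_e, -1, MODULUS) % MODULUS


def same_blinding_exponent(ct1, ct2):
    """Audit check: equal first components mean the exponent e was reused."""
    return ct1[0] == ct2[0]


if __name__ == "__main__":
    s, p = keygen()
    first, second = encrypt(42, p), encrypt(42, p)
    # Two group elements per message: the ciphertext is twice the plaintext size.
    print(decrypt(first, s), decrypt(second, s), first != second)
```

Encrypting the same message twice gives different ciphertexts because e is fresh each time; a repeated first component is the visible sign that the per-message randomness requirement was violated.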

Other Public-Key Algorithms
- Digital Signature Standard (DSS)
  - FIPS PUB 186 from 1991, revised 1993 & 96
  - uses SHA-1 in a new digital signature alg
  - cannot be used for encryption
- elliptic curve cryptography (ECC)
  - equal security for smaller bit size than RSA
  - seen in standards such as IEEE P1363
  - still very new, but promising
  - based on a mathematical construct known as the elliptic curve (difficult to explain)

Elliptic curve cryptography
- Because the RSA algorithm is rather inefficient in its use of key length, elliptic curve algorithms have been proposed (see [Sta99], Sect. 6.3). For example, exhaustive search of an elliptic curve algorithm with a key length of 150 bits takes 3.8 x 10^10 MIPS-years, while RSA with a key length of 512 takes only 3 x 10^4.
- Because of their small memory requirements, elliptic curve algorithms are appealing for portable devices.

Digital Signatures
1. Requirements:
   a) Authenticity – proves identity of signer
   b) Unforgeable – no other person can forge the signature (without knowing the key)
   c) Non-repudiation – a signer cannot deny his/her signature
2. Symmetric key – cannot achieve c)! Use third party – inconvenient!

Digital Signatures with Symmetric Key – Using an Arbiter

Digital signatures
- PK algorithms have the property that the roles of the keys can be reversed; that is, D(E(M)) = E(D(M)) = M. This is the basis for digital signatures.
- The transformations D and E are computationally easy, but for any key K used for D and E it is infeasible to find D from E or E from D.

Digital Signature Algorithms I
- Digital signature algorithms are public-key algorithms.
Notation:
- Signing: S
- Signature verification: V
Signing a message is done with the private signing key.
SIG = D_private key(M)
Signature verification is done with the public verification key.
M = E_public key(SIG) ?
Anyone who holds the public key can verify the signature.

Digital Signature Algorithms II
- The signed message is produced by concatenating the signature sig to the message M
- Digital signature algorithms provide:
  - Authentication, non-forgery
    - verifying the identity of the signer of the message
    - inability to forge a signature
  - Integrity
    - proof that the message was not altered
  - Non-repudiation
    - protection against the signer denying the message. Only the signer can produce the signature, because only the signer holds the private key

Digital Signature Algorithms III
- A public-key encryption algorithm can be used as a digital signature algorithm. Example: RSA.
  - Signing - decryption (using the private key)
  - Signature verification - encryption (using the public key)
- Not every digital signature algorithm can serve as an encryption algorithm. Example: DSA

Digital Signature Algorithms VI
Problems:
- It is not possible to distinguish between an original and a copy of a signed message - protection against replay must be added
- A digital signature is at least as long as the original message; the signed message is at least twice as long as the original message.
The solution: use of HASHING

Hashing
- Hashing is used for message authentication. A hash value is associated with a message; any change to the message will result in a change in the hash value and can be detected in this way.
- Another application is the use of hash signatures for notarized documents.

One-way Hash Function
A one-way hash function, like MD5 or HMAC-MD5, has the properties:
- one-way: given hash(S), it is hard to find S
- collision-free: given S and hash(S), it is hard to find T such that S != T and hash(S) = hash(T)

Secure Hash Functions

Hash Function Requirements
- applied to any size data
- H produces a fixed-length output.
- H(x) is relatively easy to compute for any given x
- one-way property
  - computationally infeasible to find x such that H(x) = h
- weak collision resistance
  - computationally infeasible to find y ≠ x such that H(y) = H(x)
- strong collision resistance
  - computationally infeasible to find any pair (x, y) such that H(x) = H(y)

Properties of One-Way Hash Functions
- Uniform distribution of outputs
  - the output of the function "looks" random
- The birthday paradox
  - How many people need to be in a room so that there is a chance greater than 1/2 that someone in the room has a birthday on the same date as mine?
  - How many people need to be in a room so that there is a chance greater than 1/2 that two of them have a birthday on the same date? – 23!

Cryptographic Hash Functions
- Hash function - the input has variable length. The output has fixed length (Digest)
  - H(x) is easy to compute
  - H(x) is one-way - given a digest, it is hard to find an input that produces it
  - Collision free - it is hard to find two messages that map to the same digest
- Examples: MD5, SHA-1, Tiger

Digital Signature
- H(x) - a cryptographic hash function
- Signing: SIG = D_private key(H(M))
- Signature verification: H(M) =? E_public key(SIG)
Both parties know H!

Simple Hash Functions
- a one-way or secure hash function used in message authentication, digital signatures
- all hash functions process input a block at a time in an iterative fashion
- one of simplest hash functions is the bit-by-bit exclusive-OR (XOR) of each block
  C_i = b_i1 ⊕ b_i2 ⊕ ... ⊕ b_im
  - effective data integrity check on random data
  - less effective on more predictable data
  - virtually useless for data security

SHA Secure Hash Functions
- SHA originally developed by NIST/NSA in 1993
- was revised in 1995 as SHA-1
  - US standard for use with DSA signature scheme
  - standard is FIPS , also Internet RFC3174
  - produces 160-bit hash values
- NIST issued revised FIPS in 2002
  - adds 3 additional versions of SHA
  - SHA-256, SHA-384, SHA-512
  - with 256/384/512-bit hash values
  - same basic structure as SHA-1 but greater security
- NIST intend to phase out SHA-1 use

SHA-512 Structure (see [SB])

Other Secure Hash Functions
- most based on iterated hash function design
  - if compression function is collision resistant
  - so is resultant iterated hash function
- MD5 (RFC1321)
  - was a widely used hash developed by Ron Rivest
  - produces 128-bit hash, now too small
  - also have cryptanalytic concerns
- Whirlpool (NESSIE endorsed hash)
  - developed by Vincent Rijmen & Paulo Barreto
  - compression function is AES derived W block cipher
  - produces 512-bit hash

Hashing and Electronic Cash – Shamir’s Method
- Generate pairs (quadruples) of twins.
- Verify by using the hash function.
- Very difficult to generate false coins
- Easy to check repeated use with a database

Blind Signatures
Alice wants the Bank to sign M without the Bank knowing M
Bank keys (e, d)
Alice: X = M·r^e mod n, r random
Bank: X^d = r·M^d
Alice: X^d / r = M^d !! M signed by Bank!
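The blind-signature exchange above, step by step with the slide's symbols (e, d, n, r, M, X), as an added example that is not code from the slides. The Bank's key is an assumption built from two small Mersenne primes so the block runs instantly, and the signed value is a constructed sample message.

```python
# Added example (not from the slides): RSA blind signature with a toy Bank key.
import math
import secrets

# Assumption: toy primes (2^89 - 1 and 2^127 - 1); real keys are far larger.
_P, _Q = 2**89 - 1, 2**127 - 1
N = _P * _Q                                # Bank modulus n
E = 65537                                  # Bank public exponent e
D = pow(E, -1, (_P - 1) * (_Q - 1))        # Bank private exponent d


def random_blinding_factor():
    """Pick r in [2, n-1] that is invertible modulo n."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r


def blind(m, r):
    """Alice: X = M * r^e mod n. The Bank sees X, never M."""
    return m * pow(r, E, N) % N


def bank_sign(x):
    """Bank: X^d mod n, which equals r * M^d mod n."""
    return pow(x, D, N)


def unblind(signed_x, r):
    """Alice: divide by r to obtain M^d, the Bank's signature on M."""
    return signed_x * pow(r, -1, N) % N


def verify(m, signature):
    """Anyone: signature^e mod n must give back M."""
    return pow(signature, E, N) == m % N


if __name__ == "__main__":
    m = int.from_bytes(b"coin serial 0001", "big")   # constructed sample message
    r = random_blinding_factor()
    x = blind(m, r)
    signature = unblind(bank_sign(x), r)
    print("bank saw M:", x == m, "| signature valid:", verify(m, signature))
```

The unblinded value is exactly what the Bank would have produced by signing M directly, which is why the Bank cannot later link the signature it verifies to the blinded value it signed.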

Digital Envelopes

Message Authentication
- protects against active attacks
- verifies received message is authentic
  - contents unaltered
  - from authentic source
  - timely and in correct sequence
- can use conventional encryption
  - only sender & receiver have key needed
- or separate authentication mechanisms
  - append authentication tag to cleartext message

Message Authentication Codes

MAC standard: Message Authentication Codes
A MAC is a symmetric code (that is, based on a secret key) that provides
- Authentication
- Integrity
It does not provide
- Non-repudiation
Only a recipient of the message who holds the secret key can verify the MAC
There are three kinds of MACs:
- based on a hash function
- based on a block cipher
- based on a stream cipher

Message Authentication

MACs from Block Ciphers
- The last block of the CBC-mode encryption of the message serves as the MAC.
  - Integrity: changing a bit in the encrypted message will change the last block
  - Authenticity: guaranteed by the secret encryption key

CBC – Cipher Block Chaining
[Figure: chain of ENC blocks under key K; inputs are the IV and message blocks M0, M1, …, Mn; outputs are ciphertext blocks C0, C1, …, Cn]

Message Authentication Code Based on DES
One of the most widely used MACs, referred to as the Data Authentication Algorithm, is based on DES. The algorithm is both a FIPS publication (FIPS PUB 113) and an ANSI standard (X9.17). The algorithm can be defined as using the cipher block chaining (CBC) mode of operation of DES with an initialization vector of zero. The data (e.g., message, record, file, or program) to be authenticated is grouped into contiguous 64-bit blocks: D_1, D_2, …, D_N. If necessary, the final block is padded on the right with zeroes to form a full 64-bit block. Using the DES encryption algorithm, E, and a secret key, K, a data authentication code (DAC) is calculated as follows

Data Authentication Algorithm (FIPS PUB 113)

HMAC
- interest in a MAC using a cryptographic hash
  - due to speed and code availability
- must incorporate key into use of hash alg
- HMAC (RFC2104) widely supported
  - used in IPsec, TLS & SET
- HMAC treats hash as “black box”
- HMAC proven secure if embedded hash function has reasonable cryptographic strength

HMAC Structure
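The HMAC construction of RFC 2104 written out over a black-box hash, as an added example that is not code from the slides. The key and messages are constructed sample values, SHA-256 is chosen here as the embedded hash, and the result is compared against Python's standard `hmac` module.

```python
# Added example (not from the slides): HMAC built by hand from any hashlib hash.
import hashlib
import hmac


def hmac_manual(key, message, hash_name="sha256"):
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), per RFC 2104."""
    def h(data):
        return hashlib.new(hash_name, data).digest()

    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:
        key = h(key)                        # long keys are hashed first
    key = key.ljust(block_size, b"\x00")    # then zero-padded to one block

    inner_pad = bytes(b ^ 0x36 for b in key)
    outer_pad = bytes(b ^ 0x5C for b in key)
    return h(outer_pad + h(inner_pad + message))


def verify_tag(key, message, tag, hash_name="sha256"):
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_manual(key, message, hash_name), tag)


if __name__ == "__main__":
    key = b"constructed-sample-key"                 # constructed value
    message = b"transfer 100 to account 12345"      # constructed value
    tag = hmac_manual(key, message)

    print("matches stdlib:", tag == hmac.new(key, message, hashlib.sha256).digest())
    print("authentic message accepted:", verify_tag(key, message, tag))
    print("altered message accepted:",
          verify_tag(key, b"transfer 900 to account 12345", tag))
```

The hash is only ever called through `h`, so swapping the embedded hash function changes one argument and nothing else in the construction.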

Certificates
- The public keys are normally registered with a certification authority (CA). This authority distributes certificates, which are public keys with the signature of the CA.
- There are authentication and attribute certificates. Attribute certificates assert that certain properties are true of the owner of some authentication certificate. Attribute certificates are used in SSL and other protocols.

Use of Certificates
- For Authentication – see later
- For preventing Man in the Middle Attack – Matt cannot just replace the public key because his certificate will be incorrect!
[Figure: Alice and Bob exchange "Hello, I am Alice" with K_A and "Hello, I am Bob" with K_B; with Matt in the middle, "Hello, I am Alice" K_A is passed on as K_A' and "Hello, I am Bob" K_B is passed on as K_B']

Man-in-the-Middle Attack
- attack is:
  1. Darth generates private keys X_D1 & X_D2, and their public keys Y_D1 & Y_D2
  2. Alice transmits Y_A to Bob
  3. Darth intercepts Y_A and transmits Y_D1 to Bob. Darth also calculates K2
  4. Bob receives Y_D1 and calculates K1
  5. Bob transmits X_A to Alice
  6. Darth intercepts X_A and transmits Y_D2 to Alice. Darth calculates K1
  7. Alice receives Y_D2 and calculates K2
- all subsequent communications compromised

Public Key Certificates

Essential Components of Certificates
- Identity of holder (name, number) - N
- Public key of holder - K
- Identity of issuer
- Assumption – public key of Issuer is known – P, private key is P’
- Signature: D(X, P’) where X = H(N || K)
- Only the Issuer can issue the certificate since it’s the only one having P’
- Verification: perform E(Signature, P) – check if equal to H(N || K)
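Issuing and checking a certificate exactly as the slide defines it (Signature = D(H(N || K), P’), verification E(Signature, P) = H(N || K)), including the case from the "Use of Certificates" slide where a substituted public key makes the check fail. This is an added example, not code from the slides; the issuer key is a toy RSA key, the length prefix on N is an addition so that N || K is unambiguous, and all names and key bytes are constructed.

```python
# Added example (not from the slides): toy certificate issue/verify.
import hashlib

# Assumption: toy issuer key from two small Mersenne primes; real CAs use
# 2048-bit or larger keys and a padded signature scheme.
_P1, _P2 = 2**89 - 1, 2**127 - 1
ISSUER_MODULUS = _P1 * _P2
ISSUER_PUBLIC = 65537                                        # P
ISSUER_PRIVATE = pow(65537, -1, (_P1 - 1) * (_P2 - 1))       # P'


def digest(name, public_key):
    """X = H(N || K), reduced into the toy modulus.

    N is length-prefixed so that ("AB", b"C...") and ("A", b"BC...") cannot
    produce the same input to the hash.
    """
    name_bytes = name.encode("utf-8")
    data = len(name_bytes).to_bytes(2, "big") + name_bytes + public_key
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ISSUER_MODULUS


def issue(name, public_key):
    """Issuer: Signature = D(X, P'), possible only with the private key."""
    signature = pow(digest(name, public_key), ISSUER_PRIVATE, ISSUER_MODULUS)
    return {"name": name, "key": public_key, "signature": signature}


def verify(cert):
    """Relying party: E(Signature, P) must equal H(N || K)."""
    recovered = pow(cert["signature"], ISSUER_PUBLIC, ISSUER_MODULUS)
    return recovered == digest(cert["name"], cert["key"])


if __name__ == "__main__":
    alice = issue("Alice", b"constructed-alice-public-key")

    # The substitution from the slides: same name and signature, different key.
    swapped = dict(alice, key=b"constructed-matt-public-key")

    print("genuine certificate verifies:", verify(alice))
    print("certificate with replaced key verifies:", verify(swapped))
```

The check binds the name and the key together, so changing either one without the issuer's private key invalidates the signature.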

Certificate Authorities
- certificate consists of:
  - a public key plus a User ID of the key owner
  - signed by a third party trusted by community
  - often govt./bank certificate authority (CA)
- users obtain certificates from CA
  - create keys & unsigned cert, gives to CA, CA signs cert & attaches sig, returns to user
- other users can verify cert
  - checking sig on cert using CA’s public key
- E.g. CA is Verisign, checking done by browser, which has prior knowledge of Verisign public key

Certificates

Fields of X.509 Certificate
- Version – which version of the standard
- Serial number – unique, used for revocation
- Algorithm Id – which algorithm is used for the signature
- Issuer – the CA issuing the certificate
- Period of validity
- The subject – attributes describing the subject (name, position, etc.)
- Public key – of the subject
- Signature – of the above by the private key of the CA!

X.509 Authentication Service
- universally accepted standard for formatting public-key certificates
  - widely used in network security applications, including IPSec, SSL, SET, and S/MIME
- part of CCITT X.500 directory service standards
- uses public-key crypto & digital signatures
  - algorithms not standardised, but RSA recommended

X.509 Certificates

Public Key Infrastructure

PKIX Management
- functions:
  - registration
  - initialization
  - certification
  - key pair recovery
  - key pair update
  - revocation request
  - cross certification
- protocols: CMP, CMC

Key Escrow - Clipper Id

Clipper Operation
Clipper – operation of law enforcement
- F is known to the police: D_F(LEAF) -> ID
- With ID and court order: obtain K_d (U_ID)
- With K_d: D_Kd(E(K_S)) -> K_S
- With K_S: D_KS(C) -> M

Performance of Cryptography
Very roughly, a commodity computer can do:
- Public-key (RSA 1024 bits): 20 signatures or 100 verifications/second
- Shared-key (DES, RC-4): 10,000s encryptions/second, 1 MByte/second
- One-way hashing (MD5, SHA-1): 100,000s hashes/second, 15 MBytes/second, i.e. network speed

Cryptographic products
- Baltimore [Bal]
- Entrust (Northern Telecom)
- RSA [rsa]
- VeriSign [ver]
- All these have PKI products. Some others combine DES and public-key systems, e.g., CipherNet from Motorola [MOT]

Products II
- Java incorporates in its Java 2 version the Java Cryptography Architecture (JCA), which includes several classes implementing PK functions for authentication, digital signatures, and message integrity [Gon99, Oak01].