J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 3 Public-Key Cryptography and Key Management.


Why Public-Key Cryptography?
- To use data encryption algorithms in network communications, all parties must first agree on using the same secret keys
  - Rely on couriers
  - Set up a meeting to determine a secret key
  - Use postal service, email service, phone service
  - …
- However, these conventional methods are inflexible for network communication applications
- Public-key cryptography (PKC)
  - Invented in the 1970s
  - Distributes secret keys securely without the need to share prior secrets
  - Can also be used for authentication

Chapter 3 Outline
3.1 Concepts of Public-Key Cryptography
3.2 Elementary Concepts and Theorems in Number Theory
3.3 Diffie-Hellman Key Exchange
3.4 RSA Cryptosystem
3.5 Elliptic-Curve Cryptography
3.6 Key Distributions and Management

Basic Idea of PKC
- Using conventional postal service, Bob can receive a confidential message from Alice without sharing prior secrets
- The open padlock and the box: public key (open to public)
- The key Bob keeps: private key (to be kept private)
- Q: How to realize this idea in a mathematical form?

Another example
- Suppose we have $f_1(f_0(a, y), x) = f_1(f_0(a, x), y)$ and it is difficult to derive $x$ from $f_0(a, x)$ and $a$, which are publicly known
- Alice does the following:
  - Randomly selects a positive number $x_1$ (private key) and sends $y_1 = f_0(a, x_1)$ to Bob
- Bob does the same
  - Randomly generates $x_2$ and sends $y_2 = f_0(a, x_2)$ to Alice
- Alice calculates $K_2 = f_1(y_1, x_2)$ and Bob calculates $K_1 = f_1(y_2, x_1)$ as their secret keys for a conventional encryption algorithm
- Because $f_1(y_2, x_1) = f_1(f_0(a, x_2), x_1) = f_1(f_0(a, x_1), x_2) = f_1(y_1, x_2)$, they have $K_1 = K_2$
- Malice may eavesdrop $y_1$ and $y_2$, but still cannot find $x_1$ or $x_2$
- Q: How to find such functions $f_1$ and $f_2$?

Criteria for PKC
- Forward efficiency
  - Computing encryption and decryption by legitimate parties must be easy
  - Generating a new key pair $(K^u, K^r)$ must be easy, where $K^u$ is a public key and $K^r$ the corresponding private key
- Backward intractability
  - Computing $M$ from ciphertext $C$ and the public key $K^u$ must be computationally intractable
  - In other words, $K^u$ must not leak any useful information about $K^r$
- Commutability (optional)
  - $(K^u, K^r)$ must satisfy
  - May be needed for data authentication; not needed for key exchange


The Fundamental Theorem of Arithmetic
  - Any integer greater than 1 is a product of prime numbers. Moreover, this product has a unique representation if prime numbers are listed in non-decreasing order.
Prime number theorem
  - Let $n$ be an integer greater than 1 and $\pi(n)$ be the number of prime numbers that are less than $n$. Then $\pi(n) \sim n/\ln n$
Modular arithmetic
  - Let $a$ and $b$ be integers and $m$ a positive integer
  - $(a + b) \bmod m = (a \bmod m + b \bmod m) \bmod m$
  - $(a - b) \bmod m = (a \bmod m - b \bmod m) \bmod m$
  - $(a \times b) \bmod m = (a \bmod m \times b \bmod m) \bmod m$
Congruence relations
  - $a$ is congruent to $b$ modulo $m$ if $a - b$ is divisible by $m$, denoted by

Modular inverse:
  - Let $a$ and $n$ be positive integers with $a < n$. If there is a positive integer $b < n$ such that $ab \equiv 1 \pmod{n}$, then $b$ is $a$'s inverse modulo $n$
  - Finding modular inverse is a basic operation for the RSA public-key cryptosystem
  - Note that modular inverse does not always exist
Euler's totient function
  - The number of positive integers that are less than $n$ and relatively prime to $n$
Euler's theorem:
  - Let $a$ be a positive integer and $n$ an integer greater than 1 that is relatively prime to $a$. Then
Fermat's little theorem:
  - Let $p$ be a prime number and $a$ be a positive integer not divisible by $p$, then

Primitive roots:
  - If for any positive integer $m < \varphi(n)$, then $a$ is called a primitive root modulo $n$
  - Not every integer $n$ has a primitive root
Fast modular exponentiation:
  - $a^x \bmod n$ is a common operation in PKC
  - Naïve method to calculate $a^x \bmod n$: first calculate $a^x$, then calculate modulo $n$. It incurs high time complexity!
  - $x$ is a positive integer. Let then

Thus,
An example in textbook on page 96

Finding Large Prime Numbers
- How to efficiently determine whether a given odd number $n$ is prime
  - Check whether $n$ has a factor $x$ with
    Time complexity:
  - Miller-Rabin's primality test
    - A probabilistic algorithm; the probability of returning false info is less than $2^{-2m}$, where $m$ is the number of iterations of the algorithm
    - Let $n$ be an odd integer $> 1$ and $k$ a positive integer satisfying $n - 1 = 2^k q$, where $q$ is an odd integer
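The Miller-Rabin test outlined on this slide, written out as an added example (not code from the slides or the textbook). It uses the slide's decomposition $n - 1 = 2^k q$ and iteration count $m$; the function names and the short trial-division pre-check are assumptions of this sketch.

```python
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13)

def decompose(n):
    """Write n - 1 as 2^k * q with q odd and return (k, q)."""
    k, q = 0, n - 1
    while q % 2 == 0:
        k += 1
        q //= 2
    return k, q

def is_witness(a, n, k, q):
    """True if base a proves that the odd number n is composite."""
    x = pow(a, q, n)                  # a^q mod n
    if x == 1 or x == n - 1:
        return False                  # a is consistent with n being prime
    for _ in range(k - 1):
        x = pow(x, 2, n)              # a^(2^j * q) mod n for j = 1 .. k-1
        if x == n - 1:
            return False
    return True

def is_probable_prime(n, m=20, rng=None):
    """Miller-Rabin with m random bases; composites slip through with
    probability below 2^(-2m), the bound quoted on the slide."""
    rng = rng or random.SystemRandom()
    if n < 2:
        return False
    for p in SMALL_PRIMES:            # cheap trial division first
        if n == p:
            return True
        if n % p == 0:
            return False
    k, q = decompose(n)
    for _ in range(m):
        a = rng.randrange(2, n - 1)   # random base in [2, n-2]
        if is_witness(a, n, k, q):
            return False              # definitely composite
    return True                       # prime with high probability
```

A single base is not enough: 2047 = 23 × 89 passes the test for base 2 but is exposed by base 3, which is why the test is repeated with independent random bases.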

The Chinese Remainder Theorem
- A solution to a set of simultaneous congruence equations
- Let $i$ be a positive integer, $Z_i = \{0, \ldots, i-1\}$
- Let $n_1, n_2, \ldots, n_k$ be positive integers pairwise relatively prime
- Let $n = n_1 \times n_2 \times \cdots \times n_k$
- For any given set of simultaneous congruence equations $x \equiv a_i \pmod{n_i}$, where $i = 1, \ldots, k$, it has the following unique solution in $Z_n$:
  where $b_i = m_i (m_i^{-1} \bmod n_i)$ and $m_i = n/n_i$
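An added example (not from the slides) that solves a system of congruences with the slide's quantities $m_i = n/n_i$ and $b_i = m_i (m_i^{-1} \bmod n_i)$. It assumes the standard combination $x = \sum_i a_i b_i \bmod n$; the function names and the sample systems in the comments are constructed for illustration.

```python
from math import gcd, prod

def crt(residues, moduli):
    """Solve x = a_i (mod n_i) for pairwise coprime n_i.

    Returns (x, n) with 0 <= x < n and n = n_1 * ... * n_k.
    Requires Python 3.8+ for math.prod and pow(m, -1, n).
    """
    if not moduli or len(residues) != len(moduli):
        raise ValueError("need one residue per modulus")
    if any(n_i < 1 for n_i in moduli):
        raise ValueError("moduli must be positive")
    # The theorem only applies when the moduli are pairwise relatively prime.
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(
                    f"moduli {moduli[i]} and {moduli[j]} are not coprime")
    n = prod(moduli)
    x = 0
    for a_i, n_i in zip(residues, moduli):
        m_i = n // n_i                    # m_i = n / n_i
        b_i = m_i * pow(m_i, -1, n_i)     # b_i = m_i * (m_i^-1 mod n_i)
        x += a_i * b_i                    # b_i is 1 mod n_i and 0 mod the rest
    return x % n, n

def satisfies(x, residues, moduli):
    """Check a candidate solution against every congruence."""
    return all(x % n_i == a_i % n_i for a_i, n_i in zip(residues, moduli))

# Constructed sample: x = 2 (mod 3), x = 3 (mod 5), x = 2 (mod 7) gives x = 23.
```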

Finite Continued Fractions
- Finite continued fractions are fractional numbers of the form:
  where $a_0$ is an integer, and $a_1, \ldots, a_k$ are non-zero integers
- Given a real number $x$, we can construct a continued fraction to represent $x$ as follows:


Diffie-Hellman Key Exchange
- Diffie and Hellman provide a concrete construction of functions $f_0$ and $f_1$ as follows:
  $f_0(p, a; x) = a^x \bmod p$, $f_1(x, b) = x^b \bmod p$
  where $p$ is a large prime and $a$ is a primitive root modulo $p$; public: $(p, a)$; private: $x$
- Thus, $f_1(f_0(p, a; y), x) = f_1(f_0(p, a; x), y)$

D-H Key Exchange Protocol
- Alice:
  - Randomly selects a positive number $X_A < p$ (private)
  - Sends $Y_A = f_0(p, a; X_A) = a^{X_A} \bmod p$ to Bob (public; $a$ is also public)
  - Computes $K_A = f_1(Y_B, X_A) = Y_B^{X_A} \bmod p$ as Alice's secret key for a conventional encryption algorithm, where $Y_B$ is a string sent from Bob
- Bob: $X_B$; $Y_B = f_0(p, a; X_B) = a^{X_B} \bmod p$; $K_B = f_1(Y_A, X_B) = Y_A^{X_B} \bmod p$
- Alice and Bob share the same secret key $K = K_A = K_B$
- Forward efficiency: fast modular exponentiation
- Backward intractability: relying on the difficulty of solving $x$ from $y = a^x \bmod p$ with $x < p$ (this is called the discrete logarithm problem)
  - Believed to be unsolvable in poly-time on conventional computing devices
  - When $p$ is sufficiently large, D-H Key Exchange is considered secure
- Malice can eavesdrop $Y_A$ or $Y_B$, but has no way to solve for $X_A$ or $X_B$; however, the protocol is vulnerable to the man-in-the-middle attack
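An added example (not from the slides) covering both the fast modular exponentiation slide and the exchange above: a square-and-multiply routine and the two sides of the protocol. The function names, the public-value range check and the toy parameters p = 23, a = 5 are assumptions of this sketch; real deployments use standardized groups of 2048 bits or more.

```python
import secrets

def mod_exp(a, x, n):
    """a^x mod n by square-and-multiply: one squaring per bit of x,
    reducing modulo n after every step so values never exceed n^2."""
    if n <= 0 or x < 0:
        raise ValueError("need n > 0 and x >= 0")
    result, base = 1 % n, a % n
    while x > 0:
        if x & 1:                         # current bit of the exponent is 1
            result = (result * base) % n
        base = (base * base) % n          # square for the next bit
        x >>= 1
    return result

def is_primitive_root(a, p, prime_factors):
    """a is a primitive root mod prime p iff a^((p-1)/r) != 1 (mod p)
    for every prime factor r of p - 1 (factors supplied by the caller)."""
    return all(mod_exp(a, (p - 1) // r, p) != 1 for r in prime_factors)

def dh_keypair(p, a):
    """Pick a private X in [1, p-2] and return (X, Y) with Y = a^X mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, mod_exp(a, x, p)

def dh_shared(y_peer, x_own, p):
    """K = Y_peer^X_own mod p, after rejecting degenerate public values."""
    if not 1 < y_peer < p - 1:
        # 0, 1 and p-1 would force the key into a tiny, guessable set.
        raise ValueError("peer public value out of range")
    return mod_exp(y_peer, x_own, p)

# Constructed toy run with p = 23, a = 5 and fixed private keys:
#   Alice: X_A = 6,  Y_A = 5^6  mod 23 = 8
#   Bob:   X_B = 15, Y_B = 5^15 mod 23 = 19
#   K_A = 19^6 mod 23 = 2 and K_B = 8^15 mod 23 = 2
```

The range check authenticates nothing: neither side learns who sent the public value, so the man-in-the-middle weakness noted on the slide remains unless the public values are signed or certified.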

Man-in-the-Middle Attacks
What Alice and Bob compute:

What Malice computes:
- Alice and Malice have established a common secret key
- Bob and Malice have established a common secret key
- Alice and Bob have not established any common secret key

Elgamal PKC
- Devised in 1985 and based on the D-H key exchange protocol
- Alice encrypts $M$ as follows:
- After receiving $(C_1, C_2)$, Bob decrypts it by calculating


RSA Keys, Encryption, Decryption
- Basic operation: modular exponentiation
- Select prime numbers $p$ and $q$. Let $n = p \cdot q$
- Select a positive integer $d$ with $1 < d < \varphi(n)$ and $\gcd(d, \varphi(n)) = 1$
- Compute $e = d^{-1} \bmod \varphi(n)$
- Public key: $(e, n)$; private key: $d$
- Encryption: $C = M^e \bmod n$
- Decryption: $M = C^d \bmod n$
- Forward efficiency: fast modular exponentiation
- Backward intractability: integer factorization
- Commutability: also satisfied
(Figure: computing $n = p \times q$ from $p, q$ is easy; recovering $p, q$ from $n$ is hard)
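An added example (not from the slides) that follows the slide's order of operations: choose $d$, derive $e = d^{-1} \bmod \varphi(n)$ with the extended Euclidean algorithm, then encrypt and decrypt. The function names and the toy primes 61 and 53 are assumptions; this is unpadded textbook RSA for study, where real systems use large random primes and a padding scheme.

```python
from math import gcd

def ext_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) = s*a + t*b."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        quot = a // b
        a, b = b, a - quot * b
        s0, s1 = s1, s0 - quot * s1
        t0, t1 = t1, t0 - quot * t1
    return a, s0, t0

def mod_inverse(a, n):
    """Inverse of a modulo n; it exists only when gcd(a, n) = 1."""
    g, s, _ = ext_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}")
    return s % n

def rsa_keypair(p, q, d):
    """Build ((e, n), d) from primes p, q and a chosen private exponent d."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < d < phi or gcd(d, phi) != 1:
        raise ValueError("d must satisfy 1 < d < phi(n) and gcd(d, phi(n)) = 1")
    return (mod_inverse(d, phi), n), d

def encrypt(m, public_key):
    """C = M^e mod n. Rejects M sharing a factor with n, since gcd(M, n)
    would then reveal p or q to anyone who sees M."""
    e, n = public_key
    if not 1 < m < n or gcd(m, n) != 1:
        raise ValueError("message must be in (1, n) and coprime to n")
    return pow(m, e, n)

def decrypt(c, d, n):
    """M = C^d mod n."""
    return pow(c, d, n)

# Constructed toy key: p = 61, q = 53, n = 3233, phi(n) = 3120, d = 2753.
# The inverse of 2753 modulo 3120 is e = 17, and M = 65 encrypts to C = 2790.
```

Commutability can be checked with the same functions: applying $d$ first and $e$ second also returns the message, which is what signing relies on.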

RSA Parameter Attacks
- Attacks taking advantage of inappropriately chosen parameters
  - Try all possible parameters $d$ to decrypt an encrypted block
    - Brute-force method, infeasible.
  - Factor $n$
    - Not known whether it is solvable in polynomial time on a conventional computer
  - Use time analysis to find $d$
    - Execution time of modular exponentiation differs greatly between 0 and 1 of the current bit in the exponent
  - Derive RSA parameters from partial information of these parameters

Small Exponent Attacks
- Suppose Alice's $K_A^u = (e, n_A)$, Bob's $K_B^u = (e, n_B)$ and $\gcd(n_A, n_B) = 1$
- Charlie sends $M$ ($M < \min\{n_A, n_B\}$) to Alice and Bob as follows:
  - $C_A = M^2 \bmod n_A$ to Alice
  - $C_B = M^2 \bmod n_B$ to Bob
- Malice intercepts $C_A$ and $C_B$. She can use the Chinese remainder theorem to solve the two simultaneous congruence relations:
  $x \equiv C_A \pmod{n_A}$
  $x \equiv C_B \pmod{n_B}$
- Let $x_0 \in Z_n$ be a solution, where $n = n_A n_B$. Then $x_0 = M^2 \bmod n$. Since $M < \sqrt{n}$, we have $x_0 = M^2$. Hence, $M =$

Partial Information Attacks
- Let $m$ be the length of $n$ in decimal representation
- If the prefix (or suffix) $m/4$ bits of $p$ (or $q$) leak out, then $n$ (or $d$) can be factored efficiently
- Suppose $d$ is compromised. Generating a new pair of $d$ and $e$ using the original secret $p$ and $q$ can help to factor $n$

Other Attacks
- $M$ should not contain the prime factor $p$ or $q$
  - $n$ can be factored efficiently otherwise
- If $M$ is short and a product of two integers of similar length, then Malice can use man-in-the-middle attack to compute $M$:
  - $M = m_1 \cdot m_2$, $|M| = l$
  - Malice intercepts $C = M^e \bmod n$, computes, and sorts the following two arrays:
    - For each positive integer $x \le 2^{l/2+1}$, compute $C x^{-e} \pmod{n}$
    - For each positive integer $y \le 2^{l/2+1}$, compute $y^e \pmod{n}$
  - If there are integers $x$ and $y$ such that $C x^{-e} \pmod{n} = y^e \pmod{n}$, then $C \equiv (xy)^e \pmod{n}$. Thus, $M \equiv C^{-e} \equiv xy \pmod{n}$
  - Time complexity: $O(2^{l/2})$
  - Defense: break up the product


Key Distribution and Management
- PKC takes more time to encrypt data than conventional encryption algorithms
  - PKC is not suitable for encrypting long data
- PKC is often used to encrypt secret keys for conventional encryption algorithms and other short messages for authentication

Master Keys and Session Keys
- Master keys ($K_m$): a secret key used to encrypt other secret keys during a certain period of time
  - Reduce exposure of the master key
- Session keys ($K_s$): a secret key for each new communication session and encrypted by the master key
  - Encrypt a message or a packet in TCP
  - Shorter lifetime than that of a master key

Public-Key Certificates
- To use PKC, users must get the other users' public keys
  - Published in a special Website or by emails
  - Cannot ensure true ownership of a public key
- Public-key certificates to authenticate public keys
  - Issued by trusted organizations, certificate authorities (CAs)
  - A CA uses PKC to authenticate certificates
    - Publishes its public key on its Website
    - Issues a certificate for each user
    - Encrypts the certificate by CA's private key for authentication
- When Alice wants to use Bob's public key:
  - Asks Bob to send her his certificate
  - Uses CA's public key to verify it
  - Gets Bob's public key from his certificate

CA Networks
- A CA needs to keep track of which certificates are out of date and which have been canceled
- $CA(K_X^u)$: a certificate issued by CA to user $X$ whose public key is $K_X^u$
- Alice and Bob possess certificates from two different CAs. How to verify each other's certificate?
  - CAs should be able to authenticate each other's public keys

- Alice:
  - Sends to Bob $CA_1(K_A^u)$ and $CA_2(K_{CA_1}^u)$
- Bob:
  - Uses $CA_2$'s public key to verify $CA_1$'s public key
  - Uses $CA_1$'s public key to verify Alice's public key
(Figure: A CA network consisting of two CAs that can verify each other's public key)

(Figure: A CA network consisting of more than two CAs)
- Path from Alice to Bob: $CA_1 \to CA_5 \to CA_4$ and $CA_1 \to CA_3 \to CA_5 \to CA_4$
- Path from Bob to Alice: $CA_4 \to CA_2 \to CA_1$

Key Rings
- A system may have many different users
- How to store and manage these public and private keys?
- Private-key rings
  - A table in which each row represents a record of a particular user: key ID, owner's name, public key, encrypted private key, time stamp…
- Public-key rings
  - A table in which each row represents a record of a particular user: key ID, owner's name, public key, CA name, CA trust, time stamp…