Networks Management and Security Lecture 3

Public-Key Cryptography Each party will have a public key for encryption and a private key for decryption No key transmission High scalability Either key can be used first (for encryption)! m E p (m) M = D s (E p (m)) Public key, p Private key, s

Symmetric vs. Asymmetric Fast (In software, DES is 100 times as fast as RSA) L(c) usually ≤ L(m) Key management is difficult No. of keys is approximately = (No. of participants)2 Slower L(c) ≥ L(m) No problem in managing keys No. of keys = No. of participants Non-repudiation check

RSA: basic ideas Ron Rivest, Adi Shamir, and Len Adleman from MIT developed RSA in 1978 Keys are based on large prime numbers –easy to find –extremely hard to factor their products Selection and generation of public and private keys?

RSA: algorithm Use 2 large prime numbers, P and Q N = P x Q Find small E (public exponent) such that it is relatively prime to (P-1) x (Q-1) Find D (private exponent) such that (DxE) mod (P-1)(Q-1) = 1 For encryption C = M E mod N For decryption M = C D mod N

RSA: example Let’s P = 7 and Q = 17 N = P x Q = 119 and (P-1)(Q-1) = = 2 x 2 x 2 x 2 x 2 x 3, therefore E can be 5 (no 2 and 3 as a factor) D = 77 since (5x77) mod 96 = 1 Set M = 6, therefore C = 6 5 mode 119 = 41 Decrypting C, M = mod 119 = 6

Cracking RSA Factoring N to find P, Q (and finally D) –complex and time-consuming if N is sufficiently large Find E th root mod N (since C=M E mod N) –No general methods are known –Related messages encrypted with the same E may give away some clues M can be guessed if it is sent to multiple parties –Prevented by random padding

RSA Key Size Larger N, higher security, slower process P and Q should be roughly of equal length In 1999, 512-bit RSA keys was factored in 7 months Recommended 1024 bits for corporate use (2048 bits for extremely valuable keys)

RSA in Practice Built into current OS by Microsoft, Apple, SUN, Novell On Ethernet cards, smart cards, secure telephones In protocols such as S/MIME, SSL, and S/WAN It’s the most widely used cryptosystem in the world

Elliptic Curve Algorithm Let’s E be an elliptic curve P is a point in E A random number d is generated Let’s Q = d x P Then E, P, Q are public values And d is a private key If the curve is big enough, it’s almost impossible to find d

Hybrid Scheme: Digital Envelope A encrypts m using K1, a one-time secret key A encrypts K1 with B’s public key, K2 (Key wrapping) A puts c and encrypted symmetric key in a digital envelope, which is then sent to B B uses its private key, K3, to decrypt and get K1 B uses K1 to decrypt m E k1 (m) + E k2 (K1) A B 1.D k3 (E k2 (K1)) = K1 2.D k1 (E k1 (m) = m

Advantages of Digital Envelope Using a symmetric key to encrypt a long m is fast c is of the same size of m Using a public key for K1 encryption is relatively fast (since K1 is smaller than m) No problem in key exchange

Digital Signature For authentication and non-repudiation purpose A encrypts h(m) with its private key –E SA (h(m)) = digital signature (DS) of A B decrypts A’s DS with A’s public key B computes h(m) and compares with the hash value from A’s message. If matched, … –The sender is really A –Message is not altered in transit

Well-known Hashing Functions MD5, designed by Ron Rivest –128-bit output –No known attacks have been proved to break MD5 (yet) SHA-1 (Secure Hash Algorithm) –A modified version of MD5 by NIST and NSA –160-bit output –Slower but more secure

Problem in Public-key Exchange: Man-in-the-middle Attack A B M my E=3 Intercepted and send ‘my E=5’ instead my E=7 my E=5 How to know the DS is really from A (or B)? How to know the DS is really from A (or B)? Timestamp to bind DS to a particular time Timestamp to bind DS to a particular time Need someone who is trusted by everyone Need someone who is trusted by everyone

RSA-based Digital Signature in Practice If a third party is needed to check m’s integrity, MD can be computed from c Since E is much smaller than D, signature verification is faster than signing Certificate(s) may accompany DS to prevent impersonation

Digital Certificate A signed document that binds the public key to the identity of a party The certifier’s public key is widely trusted Contains the user name, the user’s public key, and The validity date range Issuer name and its digital signature X.509 defines the structure of a digital certificate

Certification Authority (CA) A trusted agency that issues digital certificates Can issue digital certificates to individuals or organizations May be assisted by RA (registration authority) in interaction activities between CA and users

Certificate Creation Key generation (by users or by RA) Registration by using Certificate Signing Request (CSR) or PKCS #10 (Public key Cryptography Standard) User’s credential verification –Checks paper-based evidence (e.g. passport) –Checks Proof of Possession (POP) of D CA signs certificates with its private key

CA’s certificate verification Alice cannot verify B4’s nor A2’s certificates Both Alice and Bob can verify root CA Who signs root CA’s certificate? Root CA 2 nd level CA 3 rd level CA Alice Bob B1 B4 A2A1

Cross-certification Alice and Bob live in different countries = different root CAs Bob’s root CA is certified by Alice’s root CA Alice’s root CA can also be certified by Bob’s root CA

Certificate Revocation In case a private key is compromised or lost The user must immediately notify CA The public key is then added to Certificate Revocation List (CRL) The user may need to use a new private key to re-sign documents

Well-known CAs Baltimore ( Entrust Technologies ( RSA Security ( VeriSign (

Attacks on CAs Cryptanalytic attack on CA’s key pair –CAs use long keys that change regularly –Top-level CAs must use specially long keys What if a CA’s key is broken after it expires? –E.g. Forged will or other legal documents etc Impersonated CSR by –Forged evidence –Bribery

Key Agreement Protocol A.k.a. Key exchange protocol Used by multiple parties to agree on a secret key Allows a secure key sharing over a insecure medium e.g. Diffie-Hellman algorithm Public-key cryptography or digital envelope can also be used for key exchange

Diffie-Hellman Key Exchange: initial setup A.k.a. exponential key exchange Public values p and g (generator) where –p is prime and g ≤ p –For every n between 1 and p-1, there are g and k such that n = g k mod p

Diffie-Hellman Key Exchange: Algorithm Alice and Bob generate random private values a and b (both are integers) A’s public value = g a mod p B’s public value = g b mod p Public values exchanged A computes g ab = (g b ) a mod p = k B computes g ab = (g a ) b mod p = k

Attacks on Diffie-Hellman Algorithm Man-in-the-middle !! Solution: –digital signature –authenticated Diffie-Hellman (STS: Station to Station protocol)