CS461/ECE422 Spring 2012 Nikita Borisov — UIUC1

 Text Chapters 2 and 21  Handbook of Applied Cryptography, Chapter 8  Nikita Borisov — UIUC2

 Every pair of people must share a secret key  E.g.: Alice, Bob, Carol, David: K AB, K AC, K AD,K BC, K BD, K CD  How do you keep track of them all?  O(N 2 ) keys for N people  How do you exchange them?  Must use a secure, out-of-band channel Nikita Borisov — UIUC3

 Cryptographers to the rescue!  Two keys:  Private key known only to owner  Public key available to anyone  One key pair per person ▪ O(N) keys Merkle, Hellman, Diffie Nikita Borisov — UIUC4

 Public key encryption  Use public key to encrypt, private key to decrypt  RSA, ElGamal, ECIES  Public key signatures (similar to MAC)  Use private key to sign, public key to verify  RSA, DSA, ECDSA  Symmetric key distribution  Agree on a secret symmetric key over a public channel  Diffie-Hellman, ECDH, MQV, ECMQV Nikita Borisov — UIUC5

Slide #9-6 Nikita Borisov — UIUC6

Slide #9-7  Public Key Systems are much slower than Symmetric Key Systems  RSA 100 to 1000 times slower than DES. 10,000 times slower than AES?  Generally used in conjunction with a symmetric system for bulk encryption  Public Key Systems are based on “hard” problems  Factoring large composites of primes, discrete logarithms, elliptic curves  Only a handful of public key systems perform both encryption and signatures Nikita Borisov — UIUC7

 The first public key algorithm  A key exchange algorithm, not for encryption or decryption  Set up: p prime, g is coprime with p  Alice -> Bob: g x (mod p), x random  Bob -> Alice: g y (mod p), y random  Alice and Bob compute:  (g x ) y = (g y ) x  Establish a secret key over a public channel Nikita Borisov — UIUC8

 p=23, g=5  Alice picks x=6, sends Bob  5 6 mod 23 = 8  Bob picks y=15, sends Bob  5 15 mod 23 = 19  Alice computes:  19 6 mod 23 = 2  Bob computes:  8 15 mod 23 = 2 Nikita Borisov — UIUC9

 Charlie has g x, g y needs to find g xy  Called “ Diffie-Hellman Problem ”  Fastest way: find x given g x  I.e. take log g g x (mod p)  Discrete Logarithm Problem  Fastest known way is super-polynomial Nikita Borisov — UIUC10

 For IPSec and SSL, there are a small set of g's and p's published that all standard implementations support.  Group 1 and 2 ▪  Group 5 and newer proposed values ▪ groups-00 groups-00 Nikita Borisov — UIUC11

Alice Bob Eve Nikita Borisov — UIUC12

Slide #9-13  by Rivest, Shamir& Adleman of MIT in 1977  best known & widely used public-key scheme  based on exponentiation in a finite (Galois) field over integers modulo a prime  nb. exponentiation takes O((log n) 3 ) operations (easy)  uses large integers (eg bits)  security due to cost of factoring large numbers  nb. factorization takes O(e log n log log n ) operations (hard) Nikita Borisov — UIUC13

 a mod b = x if for some k >= 0, bk + x = a  Associativity, Commutativity, and Distributivity hold in Modular Arithmetic  Inverses also exist in modular arithmetic  a + (-a) mod n = 0  a * a -1 mod n = 1 Nikita Borisov — UIUC14

 Reducibility also holds  (a + b) mod n = (a mod n + b mod n) mod n  a * b mod n = ((a mod n) * b mod n) mod n  Fermat’s Thm: if p is any prime integer and a is an integer, then a p mod p = a  Corollary: a p-1 mod p = 1 if a != 0 and a is relatively prime to p Nikita Borisov — UIUC15

Slide #9-16  Totient function  (n)  Number of positive integers less than n and relatively prime to n ▪ Relatively prime means with no factors in common with n  Example:  (10) = ?  4 because 1, 3, 7, 9 are relatively prime to 10  Example:  (p) = ? where p is a prime  p-1 because all lower numbers are relatively prime   (pq) = (p-1)(q-1) when p, q are both prime Nikita Borisov — UIUC16

 Euler generalized Fermat’s Theorem for composite numbers.  Fermat's Thm a p-1 =1 mod p if a != 0  Euler’s Thm: x  (n) =1 mod n  Works for any n Nikita Borisov — UIUC17

Slide #9-18  Choose two large prime numbers p, q  Let n = pq; then  (n) = (p–1)(q–1)  Choose e < n such that e is relatively prime to  (n).  Compute d such that ed mod  (n) = 1  Public key: (e, n); private key: d  Encipher: C = M e mod n  Decipher: M = C d mod n  Generically: F(V, x) = V x mod n Nikita Borisov — UIUC18

 C = RSA(M, e) = M e mod n  M’ = RSA -1 (C, d)  M’ = (M e mod n) d mod n  M’ = M ed mod n  ed mod  (n) = 1  ed = k*  (n) + 1  M’ = (M mod n * M k  (n) mod n) mod n  By Euler’s theorem (M k )  (n) mod n = 1  M’ = M mod n Nikita Borisov — UIUC19

 p = 11, q = 17  n = 187,  (n) = 10*16 = 160  Let e = 3, then d = 107 (107 * 3 = 321)  (can find this using Euclidian algorithm)  M = 29  C = 29 3 = = 79 (mod 187)  M ’ = = = 29 (mod 187) Nikita Borisov — UIUC20

 Don ’ t need to compute huge numbers  29 3 (mod 187) = (29 2 mod 187) * 29 mod 187 = (841 mod 187) * 29 mod 187 = 93*29 mod 187 = 2697 mod 187 = 79  Even better: square/multiply  M 11 = ((M 2 ) 2 *M) 2 *M  This is reasonably fast  Only 1000 or so times slower than DES Nikita Borisov — UIUC21

 Charlie knows e, n, and receives M e (mod n)  How to find M?  Best known way is to factor n ▪ Find p and q, find  (n), find d ▪ No proof that there isn ’ t a faster way  Factoring n is believed to be hard ▪ Best algorithm is GNFS ▪ Complexity is sub-exponential but superpolynomial ▪ Largest factored number had 768 bits ▪ (About 2000-CPU years on an 2.2 GHz Opteron) ▪ Current recommendations are to use bits Nikita Borisov — UIUC22

 Note: RSA as described is insecure!  Why?  Deterministic encryption: M e = M ’ e if and only if M=M ’  Even worse than in the symmetric case because Charlie can try many possibilities for M  Semantic security  Adversary picks m 1 and m 2 and is provided with Encrypt(m i ), must guess i  Requires randomized encryption Nikita Borisov — UIUC23

 Introduce randomness to message  P = r || M, where r is random  Encryption: P e  Decryption: (P e ) d, discard random prefix  (Actually, still not quite secure, see RSA-OAEP for proper usage) Nikita Borisov — UIUC24

 How do we encrypt messages longer than 1024 bits?  Break into blocks, use RSA on each block (slow, potentially insecure)  Use a hybrid between RSA and AES  Pick random key K  Send: RSAEncrypt(K), AES-CBC-Encrypt(K, M)  Must ensure K is random! Nikita Borisov — UIUC25

 RSA is symmetric  RSADec(RSAEnc(M)) = RSAEnc(RSADec(M)) = M ed (mod n) = M  To “ sign ” a message, Alice computes S = M d (mod n)  Bob verifies that S e = M ed = M (mod n)  No one other than Alice could have generated S  Not even Bob  Bob can show S to third parties (non-repudiation) Nikita Borisov — UIUC26

 How do we sign messages longer than 1024 bits?  Use a hash function Nikita Borisov — UIUC27

 Alice sends RSASign(h(M))  Bob computes h(M), verifies signature  Security:  Bob cannot generate a signature because: ▪ He can ’ t produce a signature on a chosen message ▪ He can ’ t solve h(M) = S ’ e for M because h is one way  Alice is nevertheless committed to her signature ▪ Cannot find M1, M2 such that h(M1) = h(M2) Nikita Borisov — UIUC28

 Public Key systems enable multiple operations  Confidentiality (key encryption)  Integrity and nonrepudiation  Symmetric key exchange  Slower than symmetric crypto, but still practical  Especially in hybrid modes  Must be careful how they are used  Padding, hash functions Nikita Borisov — UIUC29