1 Introduction to Information Security 0368-3065, Spring 2016 Lecture 4: Applied cryptography: asymmetric Zvi Ostfeld Slides credit: Eran Tromer.


1 1 Introduction to Information Security 0368-3065, Spring 2016 Lecture 4: Applied cryptography: asymmetric Zvi Ostfeld Slides credit: Eran Tromer

2 2 Public-Key Encryption

3 3 Public-key encryption

4 4 Example: RSA

5 5 Why RSA works

6 6 RSA Example (taken from Wikipedia)
The parameters used here are artificially small.
1. Choose two distinct prime numbers, such as p = 61 and q = 53.
2. Compute n = pq, giving n = 61 * 53 = 3233.
3. Compute the totient of the product as φ(n) = (p − 1)(q − 1), giving φ(3233) = (61 − 1)(53 − 1) = 3120.
4. Choose any number 1 < e < 3120 that is coprime to 3120. Choosing a prime number for e leaves us only to check that e is not a divisor of 3120. Let e = 17.
5. Compute d, the modular multiplicative inverse of e (mod φ(n)), yielding d = 2753.
The public key is (n = 3233, e = 17). The private key is (d = 2753).

7 7 RSA Example (Cont’)
Encryption: For instance, in order to encrypt m = 65, we calculate
Decryption: To decrypt c = 2790, we calculate

8 8 Textbook RSA is insecure
• What if message is from a small set (yes/no)? Can build table (Deterministic)
• What if there’s some protocol in which I can learn other message decryptions? (Chosen ciphertext attack)
• What if I want to outbid you in secret auction? I take your encrypted bid c and submit c · (101/100)^e mod n (Malleability)
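The toy key from the RSA example slides, carried through in code together with the determinism and malleability weaknesses listed above. This is an added example, not part of the original slides; the function names and the sample messages (the byte values 89/78 for yes/no, the bid of 100) are constructed for illustration.

```python
# Textbook (unpadded) RSA with the lecture's artificially small parameters.
P, Q, E = 61, 53, 17

def keygen(p, q, e):
    """Return (n, e, d) where d is the inverse of e modulo phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return n, e, d

def encrypt(m, n, e):
    return pow(m, e, n)

def decrypt(c, n, d):
    return pow(c, d, n)

def guess_from_small_set(c, candidates, n, e):
    """Determinism: equal plaintexts give equal ciphertexts, so anyone with
    the public key can encrypt every candidate and look the ciphertext up."""
    table = {encrypt(m, n, e): m for m in candidates}
    return table.get(c)

def scale_ciphertext(c, num, den, n, e):
    """Malleability: c * (num/den)^e mod n decrypts to m * num/den mod n,
    computed without knowing m or the private key."""
    factor = num * pow(den, -1, n) % n
    return c * pow(factor, e, n) % n

N, E_PUB, D = keygen(P, Q, E)

if __name__ == "__main__":
    print("public key:", (N, E_PUB), "private exponent:", D)
    c = encrypt(65, N, E_PUB)
    print("encrypt(65) =", c, "-> decrypt =", decrypt(c, N, D))

    # Constructed yes/no encoding: ord('Y') = 89, ord('N') = 78.
    vote = encrypt(89, N, E_PUB)
    print("recovered vote:", guess_from_small_set(vote, [78, 89], N, E_PUB))

    # Constructed sealed bid of 100, scaled by 101/100 as on the slide.
    bid = encrypt(100, N, E_PUB)
    higher = scale_ciphertext(bid, 101, 100, N, E_PUB)
    print("scaled bid decrypts to:", decrypt(higher, N, D))
```

Both weaknesses come from the encryption being a fixed, multiplicative function of the message, which is what randomized padding such as OAEP removes.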

9 9 RSA Padding: OAEP
Preprocess message for RSA
• H and G are cryptographic hash functions (e.g., SHA-1)
If RSA is trapdoor permutation, then this is chosen-ciphertext secure (if H,G “behave like random oracles”)
[Diagram: OAEP padding. Labels: rand., Message, 0100..0, G, H, +, “Plaintext to encrypt with RSA” ∈ {0,1}^(n-1)]
Decryption: Apply plain RSA decryption. Check pad, reject if invalid.
[Bellare Rogaway ’94] [Shoup ‘01] [PKCS#1 v2] [RFC 2437]
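A simplified sketch of the padding step described on this slide, following the Bellare-Rogaway structure: mask the zero-padded message with G(r), then mask r with H of the result. This is an added example, not code from the slides and not the PKCS#1 v2 byte layout; SHA-256, the sizes K0 and K1, and all function names are assumptions, and the RSA step itself is omitted.

```python
import hashlib
import hmac
import os

K0 = 16  # bytes of randomness r (assumed size)
K1 = 16  # bytes of zero padding checked on decode (assumed size)

def _mask(seed, length, tag):
    """Counter-mode SHA-256 mask generator, standing in for G and H."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(tag + seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(message, r=None):
    """Return X || Y, the block that would then be fed to the RSA permutation."""
    r = os.urandom(K0) if r is None else r
    padded = message + b"\x00" * K1          # message || 00..0
    x = _xor(padded, _mask(r, len(padded), b"G"))
    y = _xor(r, _mask(x, K0, b"H"))
    return x + y

def oaep_decode(block):
    """Invert the encoding; reject if the zero padding does not come back."""
    if len(block) < K0 + K1:
        raise ValueError("block too short")
    x, y = block[:-K0], block[-K0:]
    r = _xor(y, _mask(x, K0, b"H"))
    padded = _xor(x, _mask(r, len(x), b"G"))
    if not hmac.compare_digest(padded[-K1:], b"\x00" * K1):
        raise ValueError("invalid padding")
    return padded[:-K1]

if __name__ == "__main__":
    first, second = oaep_encode(b"yes"), oaep_encode(b"yes")
    print("same message, different blocks:", first != second)
    print("decoded:", oaep_decode(first))
    tampered = bytes([first[0] ^ 1]) + first[1:]
    try:
        oaep_decode(tampered)
    except ValueError as err:
        print("tampered block rejected:", err)
```

Fresh randomness per encryption defeats the lookup table, and the pad check makes a modified block fail decoding instead of yielding a related plaintext.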

10 10 Security of (properly-padded) RSA
• If factoring is easy, RSA is broken. Converse conjectured but unproven.
• Best factoring algorithm: Number Field Sieve (subexponential complexity)
• Key size:
  – Record: 768 bits, in 2009, using ∼2000 core-years.
  – Popular until recently: 1024-bit. Estimated to be breakable by a large botnet or special-purpose hardware (<1M$ marginal cost).
  – NIST recommendation: 3072 bits (equivalent to 128 bit symmetric). 2048 bits (equiv. to 112 bit symmetric) “acceptable until 2030”.
• Quantum computers can factor in polynomial time (Shor’s algorithm). Appears possible in theory, but many believe it will take decades to solve the engineering/technological challenges. Record: factoring 15 and 21.

11 11 RSA discussion

12 12 Other public-key encryption schemes

13 13 Digital Signatures

14 14 Digital Signatures
• Alice publishes key for verifying signatures
• Anyone can check a message signed by Alice
• Only Alice can send signed messages

15 15 Properties of signatures (for case of deterministic signatures)

16 16 RSA Signature Scheme
• Hybrid signature: sign hash of message instead of full plaintext

17 17 RSA Signature Scheme

18 18 Other digital signature schemes
• DSA (Digital Signature Algorithm)
  – Relies on hardness of discrete logarithms
• Schemes based on elliptic curves
  – Popular in modern systems due to faster operations and smaller key size
• Signatures based just on hash functions (Lamport), with stateful signing algorithm and limited #messages.
• Lattice-based schemes
Generalization: succinct noninteractive proofs of knowledge (SNARK) allowing verifying the correctness not just of data, but also of computation. [whiteboard discussion]

19 19 Public-key infrastructure

20 20 Public-Key Infrastructure (PKI)
• Anyone can send Bob a secret message
  – Provided they know Bob’s public key
• How do we know a key belongs to Bob?
  – If imposter substitutes another key, can read Bob’s mail
• One solution: PKI
  – Trusted root authority (VeriSign, IBM, United Nations)
    • Everyone must know the verification key of root authority
    • Check your browser; there are hundreds!
  – Root authority can sign certificates
  – Certificates identify others, by linking their ID (e.g., domain name or legal name) to a verification key they own
  – Certificates can also delegate trust to other certificate authorities
    • Leads to certificate chains
  – Most common standard “X.509”

21 21 Public-Key Infrastructure Client (browser)

22 22 CA

23 23 Certificate authorities – practical problems
• Certification policy – when to sign server’s certificates?
• Inclusion in database of trusted CAs
  – Default database in browsers, OSs
  – Updates
• Transitive trusts, sub-CAs
• Practically:
  – Lax verification (attacks known)
  – Lax security (attacks known)
  – National/commercial bodies with diverse interests

