RSA Data Security, Inc.: Emerging Standards for Public-Key Cryptography. Burt Kaliski, Chief Scientist, RSA Laboratories. BRICS Summer School in Cryptology. (Presentation transcript)
Slide 1: Emerging Standards for Public-Key Cryptography
RSA Data Security, Inc.
Burt Kaliski, Chief Scientist, RSA Laboratories
BRICS Summer School in Cryptology and Data Security, July 20-24, 1998

Slide 2: Introduction
© RSA 1998
As research matures, it can be made “standard”
– ’70s and ’80s research in public-key cryptography leads to standards in ’90s
This talk is a snapshot of some of the standards efforts — and the interesting issues they raise

Slide 3: Outline
I. Survey of Standards Efforts
II. A General Model for Public-Key Standards
III. Strong Primes: A Recurring Technical Debate
IV. Some Research Motivated by Standards

Slide 4: Part I: Survey of Standards Efforts

Slide 5: Why Standards?
Many reasons:
– interoperability
– stability
– assurance
De facto or de jure?

Slide 6: Some Public-Key Standards Efforts
ANSI X9F1
IEEE P1363
ISO/IEC JTC1 SC27
US NIST

Slide 7: ANSI X9F1
Financial Services / Data and Information Security / Cryptographic Tools
Corporate membership
Quarterly meetings in North America
www.x9.org

Slide 8: ANSI X9F1 Efforts
Some ANSI documents (drafts):
– X9.30 DSA signatures
– X9.31 RSA/RW signatures (rDSA)
– X9.42 DH/MQV key agreement
– X9.44 RSA key transport
– X9.62 elliptic curve signatures
– X9.63 EC key agreement / transport
– X9.79 prime generation

Slide 9: IEEE P1363
Standard Specifications for Public-Key Cryptography
Sponsored by IEEE Microprocessor Standards Committee
Individual participation
Meetings mostly in North America
grouper.ieee.org/groups/1363

Slide 10: IEEE P1363 Coverage
Three types of technique:
– key agreement, signature, encryption
From three families:
– DL: discrete logarithm
– EC: elliptic curve
– IF: integer factorization
Also, number theory background, security considerations

Slide 11: IEEE P1363a
Standard Specifications for Public-Key Cryptography: Additional Techniques
In preparation
More techniques, probably same families
– identification likely to be added

Slide 12: ISO/IEC JTC1 SC27
International Organization for Standardization / International Electrotechnical Commission / Information Technology / IT Security Techniques
National representation, with experts
Meetings throughout the world
www.iso.ch

Slide 13: SC27 Efforts
Some ISO/IEC documents:
– 9796 Signatures with message recovery
– 9798 Entity authentication
– 11770 Key management
– 13888 Nonrepudiation
– 14888 Signatures with appendix
Symmetric and public-key techniques

Slide 14: U.S. NIST FIPS
National Institute of Standards and Technology
– part of U.S. Department of Commerce
Federal Information Processing Standards (FIPS)
Computer Security Act (1987) gives charter for government cryptography standards
www.nist.gov

Slide 15: NIST Efforts
Some FIPS:
– 186 Digital Signature Standard
– 196 Entity Authentication
– new: Key Exchange / Agreement
Others of interest:
– 46-2 Data Encryption Standard
– 180-1 Secure Hash Standard
– new: Advanced Encryption Standard

Slide 16: Comparing the Efforts
Different goals:
– ISO, IEEE: general building blocks
– ANSI: US banking requirements
– NIST: US government, commercial
Coordination:
– IEEE, ANSI technical convergence
– NIST will accept ANSI signature standards for government purposes
– ISO TC68 adopts ANSI X9F1

Slide 17: Application Standards of Interest
S/MIME: messaging
SSL / TLS: communications
SET: bank card payments
PKIX: public-key infrastructure

Slide 18: RSA Laboratories’ PKCS
Public-Key Cryptography Standards
Informal, intervendor effort coordinated by RSA Laboratories
Periodic workshops
www.rsa.com/rsalabs/pubs/PKCS/

Slide 19: PKCS Efforts
Revisions and new documents:
– PKCS #1 RSA Cryptography: v2.0 draft in review, includes Bellare-Rogaway OAEP
– PKCS #5 Password-Based Encryption
– PKCS #13 Elliptic Curve Cryptography
– PKCS #14 Pseudorandom Generation
– PKCS #15 (?) Smart Card File Formats

Slide 20: Part II: A General Model for Public-Key Standards

Slide 21: A General Model
Framework with abstraction, generally following P1363
Three levels:
– primitives
– schemes
– protocols
… plus key management

Slide 22: P1363 Naming Convention
General form: family + type - instance (e.g., DLSP-DSA), where:
– family is DL, EC, IF
– type is one of: SP: Signature Primitive; SSA: Signature Scheme with Appendix; etc.
– instance is a particular algorithm, e.g., DSA, DH, RSA

Slide 23: Primitives
Basic mathematical operations
Low-level implementation
– e.g., crypto-accelerator, software module
Computational security
– enhanced when combined with additional techniques in a scheme

Slide 24: Types of Primitive
Secret value derivation
– shared secret value from public key(s), party’s private key(s)
Signature and verification
Encryption and decryption

Slide 25: Example: DLSP-DSA / DLVP-DSA
DSA signature / verification primitives
DLSP-DSA ((p, q, g, x), m):
– r = (g^k mod p) mod q, k random
– s = k^(-1) (m + xr) mod q
DLVP-DSA ((p, q, g, y), m, (r, s)):
– r =? (g^(m/s) y^(r/s) mod p) mod q, where the exponents m/s and r/s are computed mod q

Slide 26: Primitives in P1363
Secret Value Derivation:
– DH, MQV in DL, EC families
Signature / Verification:
– DSA, Nyberg-Rueppel in DL, EC families
– RSA with and w/o absolute value
– Rabin-Williams
Encryption / Decryption:
– RSA

Slide 27: Schemes
Related operations combining primitives, additional techniques
– a framework with options
Medium-level implementation
– e.g., cryptographic service library
Complexity-theoretic security (ideally)
– completed when appropriately applied in a protocol

Slide 28: Types of Scheme
Key agreement
Signature
– with appendix
– with message recovery
Encryption
Identification (in P1363a)

Slide 29: Additional Techniques
Encoding method
– maps between message, data to be processed by primitive
– for signatures, encryption schemes
Key derivation function
– maps from shared secret value to key
– for key agreement schemes

Slide 30: Example: DL/ECSSA
DL/EC signature scheme
– options: SP / VP / encoding method
Signature operation (privKey, M):
– S = SP (privKey, Encode (M))
Verification operation (pubKey, M, S):
– VP (pubKey, Encode (M), S) [DSA]
– Encode (M) =? VP (pubKey, S) [NR]
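Slides 25 and 30 together describe the two lower levels of the model: a primitive pair (DLSP-DSA / DLVP-DSA) and the signature scheme with appendix that wraps it with an encoding method. The following Python is an added example, not code from the slides or from P1363: it implements the primitives exactly as written on slide 25, then layers the DLSSA scheme of slide 30 over them with Encode(M) = Hash(M). The toy domain-parameter generator (64-bit q, 160-bit p), the choice of SHA-256 as the hash, and the truncation of the hash to the bit length of q before reducing mod q are assumptions of this example.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test; enough for an illustration."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_domain_parameters(qbits=64, pbits=160):
    """Toy DL domain parameters (p, q, g): q prime, q | p-1, g of order q.
    Sizes are far below anything deployable (assumption: they keep the demo fast)."""
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        k = secrets.randbits(pbits - qbits) | (1 << (pbits - qbits - 1))
        p = k * q + 1
        if is_probable_prime(p):
            break
    while True:
        g = pow(secrets.randbelow(p - 2) + 2, (p - 1) // q, p)
        if g != 1:
            return p, q, g


def generate_key_pair(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1          # private key x in [1, q-1]
    return x, pow(g, x, p)                    # public key y = g^x mod p


def dlsp_dsa(params, x, m):
    """DLSP-DSA (slide 25): r = (g^k mod p) mod q, s = k^-1 (m + x r) mod q.
    m is an integer in [0, q); r = 0 or s = 0 is rejected and k is redrawn."""
    p, q, g = params
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (m + x * r)) % q
        if r and s:
            return r, s


def dlvp_dsa(params, y, m, sig):
    """DLVP-DSA (slide 25): r =? (g^(m/s) y^(r/s) mod p) mod q, exponents mod q."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    v = (pow(g, m * w % q, p) * pow(y, r * w % q, p)) % p % q
    return v == r


def encode(M, q):
    """Encoding method for DL/EC signatures (slide 31): Hash(M). Assumption: SHA-256,
    truncated to the bit length of q and then reduced mod q."""
    h = int.from_bytes(hashlib.sha256(M).digest(), "big")
    return (h >> max(0, 256 - q.bit_length())) % q


def dlssa_sign(params, x, M):
    """Signature operation of slide 30: S = SP(privKey, Encode(M))."""
    return dlsp_dsa(params, x, encode(M, params[1]))


def dlssa_verify(params, y, M, S):
    """Verification operation of slide 30: VP(pubKey, Encode(M), S)."""
    return dlvp_dsa(params, y, encode(M, params[1]), S)


def demo():
    """Sign a constructed message; return (valid on M, valid on an altered M)."""
    params = generate_domain_parameters()
    x, y = generate_key_pair(params)
    M = b"constructed sample message"
    S = dlssa_sign(params, x, M)
    return dlssa_verify(params, y, M, S), dlssa_verify(params, y, M + b"!", S)


if __name__ == "__main__":
    print(demo())   # expected (True, False)
```

The split between `dlsp_dsa`/`dlvp_dsa` and `dlssa_sign`/`dlssa_verify` mirrors the slides' point about the levels: the primitive is only computationally secure on its own, and it is the encoding method that turns an arbitrary-length M into something the primitive can process. Public key validation (slide 32) is not shown here; `dlvp_dsa` only range-checks the signature components.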

Slide 31: Encoding Methods for Signatures
DL/EC signatures
– Hash (M)
IF signatures with appendix
– Pad || HashID || Hash (M)
IF signatures with message recovery
– ISO9796-1 (M)

Slide 32: Related Scheme Operations
Domain parameter generation
Domain parameter validation
Key pair generation
Public key validation
Private key validation

Slide 33: Schemes in P1363
Key agreement
– three DL/EC generic: DH1, DH2, MQV
Signature with appendix
– DL/EC generic
– IF generic
Signature with message recovery
– IF generic
Encryption
– IF generic

Slide 34: Protocols
Sequence of operations to be performed by parties to achieve some security goal
High-level implementation
– applications, services
“Real” security
– but depends on implementation considerations
(No protocols in P1363)

Slide 35: Types of Protocol
Key establishment
– key agreement
– key transport
Entity authentication
Data origin authentication
Data confidentiality

Slide 36: Part III: “Strong” Primes: A Recurring Technical Debate

Slide 37: What is a “Strong” Prime?
RSA key pair consists of
– public key (n, e)
– private key (n, d)
– where n = pq, p and q are large primes, and ed ≡ 1 mod (p-1)(q-1)
A prime p is strong if p’, the largest factor of p-1, is large
Are strong primes necessary?

Slide 38: Early ’80s: Yes
Pollard’s p-1 method (1974) can factor n in about p’ operations, so p’ should be large
Gordon (1984) gives method for generating RSA keys efficiently with strong prime factors
– X.509 (1988) also mentions conditions
Related conditions on p+1, p’-1, etc.

Slide 39: Late ’80s / Early ’90s: No
Lenstra’s ECM (1987) can factor n in O(exp((2 ln p ln ln p)^(1/2))) operations, so p should be large
… but if p is large and random, then p’ will be large with high probability
Rivest (unpublished) argues that strong primes don’t help
– but don’t hurt either

Slide 40: Late ’90s: Maybe
What about signature repudiation?
– Dishonest user chooses n with weak prime
– Later, disavows signature, claiming that someone factored n by p-1 method
ANSI X9.31 (1998) standardizes on strong primes for banking
– also, generates primes as one-way function of seed
Still, are strong primes necessary?
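To make the debate of Part III concrete, here is an added Python example (not from the slides) with two pieces: a key-validation check that applies slide 37's definition of a strong prime to a candidate p, and the Pollard p-1 method of slide 38 run against a constructed toy modulus one of whose primes fails that check. The toy primes 65537 and 1000003, the trial-division factorization, the base 3, and the bit-length threshold are assumptions of this example.

```python
from math import gcd


def largest_prime_factor(m):
    """Largest prime factor of m by trial division.  Fine for the toy sizes here;
    a real generator builds p from a known large prime p' (Gordon's method,
    slide 38) rather than factoring p-1 after the fact."""
    largest, d = 1, 2
    while d * d <= m:
        while m % d == 0:
            largest, m = d, m // d
        d += 1
    return max(largest, m) if m > 1 else largest


def is_strong_prime(p, min_bits):
    """Slide 37's condition: p is strong if p', the largest factor of p-1, is large
    (assumption: 'large' means at least min_bits bits)."""
    return largest_prime_factor(p - 1).bit_length() >= min_bits


def pollard_p_minus_1(n, B, base=3):
    """Pollard's p-1 method (slide 38) with smoothness bound B: a = base^(B!) mod n,
    then gcd(a-1, n).  It succeeds when the order of `base` modulo some prime
    p | n divides B!, which is guaranteed if p-1 is B-smooth; it fails (gcd = n)
    when that holds for every prime factor of n at once."""
    a = base
    for k in range(2, B + 1):
        a = pow(a, k, n)
    d = gcd(a - 1, n)
    return d if 1 < d < n else None


# Constructed toy modulus.  65537 is a Fermat prime, so 65537-1 = 2^16 has no
# large factor at all; 1000003 is prime and 1000002 = 2 * 3 * 166667.
P_WEAK, Q_GOOD = 65537, 1000003
N_TOY = P_WEAK * Q_GOOD


def validate_rsa_primes(p, q, min_bits):
    """Key-validation style check: accept the pair only if both primes are strong."""
    return is_strong_prime(p, min_bits) and is_strong_prime(q, min_bits)


if __name__ == "__main__":
    print("pair accepted:", validate_rsa_primes(P_WEAK, Q_GOOD, 16))   # False
    # 3 is a primitive root mod 65537, so its order is 2^16, and 2^16 | B! first at B = 18
    print("B = 17:", pollard_p_minus_1(N_TOY, 17))   # None
    print("B = 18:", pollard_p_minus_1(N_TOY, 18))   # 65537
```

Two things the slides' one-line summary hides show up when the method is run: the cost is governed by the order of the base modulo p, not by p-1 itself (with base 3 the bound has to reach 18 before 2^16 divides B!), and the method finds nothing when p-1 and q-1 are both smooth to the same bound. On slide 39's point, a random prime of modern size passes `is_strong_prime` with overwhelming probability, so the check is really about rejecting a deliberately weak prime, which is the repudiation concern of slide 40.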

Slide 41: Part IV: Some Research Motivated By Standards

Slide 42: Standards and Research
Just as mature research is standardized, so standards efforts promote additional research
Areas of research:
– efficient implementation
– cryptanalysis
– components in the “framework”

Slide 43: Authenticated Encryption Schemes
Problem:
– Construct authenticated encryption schemes for DL, EC, IF families with similar properties to OAEP, but with variable message length
Several solutions proposed for P1363a

Slide 44: Model
C = Encrypt (pubKey, M, P)
M = Decrypt (privKey, C, P)
– M: message
– C: ciphertext
– P: encoding parameters
M, C, P arbitrary length

Slide 45: Desired Properties
One application of underlying primitive
Plaintext-aware encryption
– no partial information about M
– cannot generate C without M; hence, cannot modify M
Binding of P to M
– cannot modify P
Weaker assumptions
– i.e., not just random oracle model

Slide 46: OAEP for RSA
As in P1363 (and PKCS #1 v2.0 draft):
Encrypt (pubKey, M, P):
– EM = Encode (M, P)
– C = EP (pubKey, EM)
Decrypt (privKey, C, P):
– EM = DP (privKey, C)
– M = Decode (EM, P)
M, C bounded, P arbitrary length

Slide 47: OAEP Encoding
Encode (M, P):
– EM = maskedSeed || maskedDB, where
  maskedSeed = seed ⊕ G (maskedDB)
  maskedDB = DB ⊕ G (seed)
  DB = H (P) || pad || M
  seed random
  H hash function, G mask generation function
Decode (EM, P): an exercise
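Slide 47 leaves Decode as an exercise. The following Python, an added example and not code from PKCS #1 or from the slides, carries out both directions of the encoding. H is SHA-256, G is the MGF1 mask generation function built on SHA-256, and the pad is a run of zero bytes followed by a single 0x01 byte so the decoder can locate M; these concrete choices, and the em_len parameter standing in for the bound the RSA modulus imposes (slide 48), are this example's assumptions.

```python
import hashlib
import hmac
import os

HLEN = hashlib.sha256().digest_size   # 32 bytes


def H(data):
    """Hash function H of slide 47 (assumption: SHA-256)."""
    return hashlib.sha256(data).digest()


def G(seed, length):
    """Mask generation function G: MGF1 over SHA-256 (the construction PKCS #1 v2.0 uses)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(M, P, em_len, seed=None):
    """Encode(M, P) from slide 47, producing em_len bytes:
        DB         = H(P) || pad || M
        maskedDB   = DB XOR G(seed)
        maskedSeed = seed XOR G(maskedDB)
        EM         = maskedSeed || maskedDB
    em_len plays the role of the modulus-length bound of slide 48."""
    pad_len = em_len - len(M) - 2 * HLEN - 1
    if pad_len < 0:
        raise ValueError("message too long for this EM length")
    seed = os.urandom(HLEN) if seed is None else seed
    DB = H(P) + b"\x00" * pad_len + b"\x01" + M      # pad = zeros then 0x01 (assumption)
    maskedDB = xor(DB, G(seed, len(DB)))
    maskedSeed = xor(seed, G(maskedDB, HLEN))
    return maskedSeed + maskedDB


def oaep_decode(EM, P):
    """Decode(EM, P), the exercise: unmask in reverse order, then check that the
    leading hash equals H(P) and that the pad is well formed.  Every failure raises
    the same generic error so the caller learns nothing about which check failed."""
    if len(EM) < 2 * HLEN + 1:
        raise ValueError("decoding error")
    maskedSeed, maskedDB = EM[:HLEN], EM[HLEN:]
    seed = xor(maskedSeed, G(maskedDB, HLEN))
    DB = xor(maskedDB, G(seed, len(maskedDB)))
    lhash, rest = DB[:HLEN], DB[HLEN:]
    sep = rest.find(b"\x01")
    ok = hmac.compare_digest(lhash, H(P)) and sep >= 0 and not any(rest[:sep])
    if not ok:
        raise ValueError("decoding error")
    return rest[sep + 1:]


def demo():
    """Round-trip a constructed message; return (M recovered, wrong P rejected)."""
    M, P = b"constructed message", b"encoding parameters"
    EM = oaep_encode(M, P, em_len=96)
    recovered = oaep_decode(EM, P) == M
    try:
        oaep_decode(EM, b"other parameters")
        wrong_p_rejected = False
    except ValueError:
        wrong_p_rejected = True
    return recovered, wrong_p_rejected


if __name__ == "__main__":
    print(demo())   # expected (True, True)
```

The decoder is the part that delivers the properties listed on slide 45: the H(P) comparison is what binds P to M, and the pad check is what makes a ciphertext that was not produced from some M fail. The pad scan above is written for readability rather than constant time; a production decoder would avoid data-dependent control flow there as well.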

Slide 48: Limitations
EM must be shorter than RSA modulus, so length of M is bounded
Assumes encryption primitive — but DL/EC only has secret value derivation primitive
Relies on random oracle model for G

Slide 49: IF Encryption Ideas
1. Encrypt only part of EM (various)
– removes bound on length of M
– which part?
2. Construct G only partly from random oracle (Bellare, Rogaway 1996)
3. Add more “rounds” to OAEP (Johnson, Matyas, Peyravian 1996)
– may reduce assumptions, need for seed

Slide 50: DL/EC Encryption Ideas
General: Generate shared secret value K as in key agreement scheme, combine with M, P
1. Encode M as in OAEP, exclusive-OR K with part of result (various)
2. Combine with MACs, reduced r.o. methods (Bellare, Rogaway 1996)
3. Combine with universal hash functions, mask generation (Zheng 1996)
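Slide 50's general recipe, written out as an added Python example (not code from the slides or from any P1363a proposal): a DH secret value derivation primitive (slide 24) feeds a key derivation function (slide 29) whose output is split into a one-time mask for M (in the spirit of idea 1) and a MAC key (idea 2), with P bound in through both the KDF and the MAC. The toy group p = 2^127 - 1 with g = 3, the counter-mode SHA-256 KDF, and HMAC-SHA-256 are this example's assumptions rather than any standard's exact choices; the message length is unbounded, which is the property slide 48 says OAEP for RSA lacks.

```python
import hashlib
import hmac
import secrets

# Toy DL domain parameters, constructed for this example (not a standardized
# group): p = 2^127 - 1 is prime, g = 3.  A real deployment uses a standard
# prime-order group and validates received public keys against it.
P_TOY = (1 << 127) - 1
G_TOY = 3
PLEN = (P_TOY.bit_length() + 7) // 8


def dlsvdp_dh(priv, peer_pub):
    """Secret value derivation primitive (slide 24): shared value Z from one
    party's private key and the other party's public key (DH)."""
    return pow(peer_pub, priv, P_TOY)


def kdf(Z, P, length):
    """Key derivation function (slide 29): maps the shared secret value Z, with the
    encoding parameters P mixed in, to `length` bytes of key material.
    Assumption: counter-mode SHA-256."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(Z.to_bytes(PLEN, "big") + counter.to_bytes(4, "big") + P).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def generate_key_pair():
    x = secrets.randbelow(P_TOY - 2) + 1
    return x, pow(G_TOY, x, P_TOY)


def encrypt(recipient_pub, M, P):
    """C = ephemeral public key || masked M || MAC.  The KDF output is split into a
    one-time mask for M and a MAC key over everything the recipient will see, so
    P is bound to M and neither can be modified without detection."""
    eph_priv, eph_pub = generate_key_pair()
    Z = dlsvdp_dh(eph_priv, recipient_pub)
    keys = kdf(Z, P, len(M) + 32)
    mask, mac_key = keys[:len(M)], keys[len(M):]
    masked = xor(M, mask)
    eph_bytes = eph_pub.to_bytes(PLEN, "big")
    tag = hmac.new(mac_key, eph_bytes + masked + P, hashlib.sha256).digest()
    return eph_bytes + masked + tag


def decrypt(priv, C, P):
    """Returns M, or None if the ciphertext or P was altered."""
    if len(C) < PLEN + 32:
        return None
    eph_bytes, masked, tag = C[:PLEN], C[PLEN:-32], C[-32:]
    eph_pub = int.from_bytes(eph_bytes, "big")
    if not 1 < eph_pub < P_TOY - 1:          # public key validation (slide 32), minimal form
        return None
    Z = dlsvdp_dh(priv, eph_pub)
    keys = kdf(Z, P, len(masked) + 32)
    mask, mac_key = keys[:len(masked)], keys[len(masked):]
    expected = hmac.new(mac_key, eph_bytes + masked + P, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor(masked, mask)


def demo():
    """Return (M recovered, wrong P rejected, tampered ciphertext rejected)."""
    priv, pub = generate_key_pair()
    M, P = b"variable-length message of any size, unlike OAEP for RSA", b"params"
    C = encrypt(pub, M, P)
    tampered = C[:-1] + bytes([C[-1] ^ 1])
    return (decrypt(priv, C, P) == M,
            decrypt(priv, C, b"other") is None,
            decrypt(priv, tampered, P) is None)


if __name__ == "__main__":
    print(demo())   # expected (True, True, True)
```

Compared with the OAEP construction of slide 47, the ciphertext-integrity property here comes from the MAC rather than from a pad check after decryption, and the only use of the public-key primitive is the single secret value derivation, matching the "one application of underlying primitive" wish on slide 45.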

Slide 51: Some Other Recent Results
Security of “unified model” of DH key agreement (Blake-Wilson, Johnson, Menezes 1997)
RSA key validation (Liskov, Silverman 1997)
Storage-efficient basis conversion (Kaliski, Yin 1998)

Slide 52: Conclusions
Research in cryptology and data security is leading to standards, and vice versa
Several standards efforts for different sectors, but coordinated
General model for public-key standards emerging
… and some technical debate continues
