Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security CS 526

Published byΛεββαῖος Αἰνέας Ζωγράφου Modified over 6 years ago

Similar presentations

Presentation on theme: "Information Security CS 526"— Presentation transcript:

1 Information Security CS 526
Topic 5: Public Key Encryption and Digital Signatures Topic 5: Public Key Encrypption and Digital Signatures

2 Readings for This Lecture
Required: On Wikipedia Public key cryptography RSA Diffie–Hellman key exchange ElGamal encryption Required: Differ & Hellman: “New Directions in Cryptography” IEEE Transactions on Information Theory, Nov 1976. Topic 5: Public Key Encrypption and Digital Signatures

3 Review of Secret Key (Symmetric) Cryptography
Confidentiality stream ciphers (uses PRNG) block ciphers with encryption modes (CBC or CTR) Integrity Cryptographic hash functions Message authentication code (keyed hash functions) Limitation: sender and receiver must share the same key Needs secure channel for key distribution Impossible for two parties having no prior relationship Needs many keys for n parties to communicate MAC are keyed hash functions. Using a key to select a particular one to use. Property for MAC? How to secure communication between you and a merchant’s website? Key distribution is generally the weakest link. Topic 5: Public Key Encrypption and Digital Signatures

4 Concept of Public Key Encryption
Each party has a pair (K, K-1) of keys: K is the public key, and used for encryption K-1 is the private key, and used for decryption Satisfies DK-1[EK[M]] = M Knowing the public-key K, it is computationally infeasible to compute the private key K-1 How to check (K,K-1) is a pair? Offers only computational security. Secure Public Key encryption is impossible when P=NP, as deriving K-1 from K is in NP. The public key K may be made publicly available, e.g., in a publicly available directory Many can encrypt, only one can decrypt Public-key systems aka asymmetric crypto systems What is the significance of using two keys vs the same key both for encryption and decryption? Critical property is SK cannot be computed from PK. SK is clearly related to PK. Given PK, if one guesses SK, one can verify whether SK is correct. What is so good about the property that the decryption Key cannot be computed from encryption key? Topic 5: Public Key Encrypption and Digital Signatures

5 Public Key Cryptography Early History
Proposed by Diffie and Hellman, documented in “New Directions in Cryptography” (1976) Public-key encryption schemes Key distribution systems Diffie-Hellman key agreement protocol Digital signature Public-key encryption was proposed in 1970 in a classified paper by James Ellis paper made public in 1997 by the British Governmental Communications Headquarters Concept of digital signature is still originally due to Diffie & Hellman Diffie and Hellman introduces the concepts of PKC and that of digital signatures, but could not come up with a scheme that works. They really want a public key encryption algorithm, but they couldn’t get one. Need some evidence to show that it works. Hence they need to look for something that have the flavor of PK cryptography. How to agree on a secret key using a public channel? However, it turns out that this can become an encryption scheme. El Gamal. Topic 5: Public Key Encrypption and Digital Signatures

6 Public Key Encryption Algorithms
Most public-key encryption algorithms use either modular arithmetic number theory, or elliptic curves RSA based on the hardness of factoring large numbers El Gamal Based on the hardness of solving discrete logarithm Use the same idea as Diffie-Hellman key agreement Topic 5: Public Key Encrypption and Digital Signatures

7 Diffie-Hellman Key Agreement Protocol
Not a Public Key Encryption system, but can allow A and B to agree on a shared secret in a public channel (against passive, i.e., eavesdropping only adversaries) Setup: p prime and g generator of Zp*, p and g public. ga mod p gb mod p Pick random, secret b Compute and send gb mod p Pick random, secret a Compute and send ga mod p K = (ga mod p)b = gab mod p K = (gb mod p)a = gab mod p Topic 5: Public Key Encrypption and Digital Signatures

8 Topic 5: Public Key Encrypption and Digital Signatures
Diffie-Hellman Example: Let p=11, g=2, then A chooses 4, B chooses 3, then shared secret is (23)4 = (24)3 = = 4 (mod 11) Adversaries sees 23=8 and 24=5, needs to solve one of 2x=8 and 2y=5 to figure out the shared secret. a 1 2 3 4 5 6 7 8 9 10 11 ga 16 32 64 128 256 512 1024 2048 ga mod p Small g is generator because raising to powers gives rise to all numbers between 1 and 10. Topic 5: Public Key Encrypption and Digital Signatures

9 Security of DH is based on Three Hard Problems
Discrete Log (DLG) Problem: Given <g, h, p>, computes a such that ga = h mod p. Computational Diffie Hellman (CDH) Problem: Given <g, ga mod p, gb mod p> (without a, b) compute gab mod p. Decision Diffie Hellman (DDH) Problem: distinguish (ga,gb,gab) from (ga,gb,gc), where a,b,c are randomly and independently chosen If one can solve the DL problem, one can solve the CDH problem. If one can solve CDH, one can solve DDH. Topic 5: Public Key Encrypption and Digital Signatures

10 Topic 5: Public Key Encrypption and Digital Signatures
Assumptions DDH Assumption: DDH is hard to solve. CDH Assumption: CDH is hard to solve. DLG Assumption: DLG is hard to solve DDH assumed difficult to solve for large p (e.g., at least 1024 bits). Warning: New progress in 2013 can solve discrete log for p values with some properties. No immediate attack against practical setting yet. Look out when you need to use/implement public key crypto May want to consider Elliptic Curve-based algorithms, require shorter keys than discrete log (for 128-bit security require 256 bit key size) Topic 5: Public Key Encrypption and Digital Signatures

11 Topic 5: Public Key Encrypption and Digital Signatures
ElGamal Encryption Public key <g, p, h=ga mod p> Private key is a To encrypt: chooses random b, computes C=[gb mod p, gab * M mod p]. Idea: for each M, sender and receiver establish a shared secret gab via the DH protocol. The value gab hides the message M by multiplying it. To decrypt C=[c1,c2], computes M where ((c1a mod p) * M) mod p = c2. To find M for x * M mod p = c2, compute z s.t. x*z mod p =1, and then M = C2*z mod p CDH assumption ensures M cannot be fully recovered. IND-CPA security requires DDH. Topic 5: Public Key Encrypption and Digital Signatures

12 Topic 5: Public Key Encrypption and Digital Signatures
RSA Algorithm Invented in 1978 by Ron Rivest, Adi Shamir and Leonard Adleman Published as R L Rivest, A Shamir, L Adleman, "On Digital Signatures and Public Key Cryptosystems", Communications of the ACM, vol 21 no 2, pp , Feb 1978 Security relies on the difficulty of factoring large composite numbers Essentially the same algorithm was discovered in 1973 by Clifford Cocks, who works for the British intelligence Takes 2-3 years to discover the same alg. Topic 5: Public Key Encrypption and Digital Signatures

13 RSA Public Key Crypto System
Key generation: 1. Select 2 large prime numbers of about the same size, p and q Typically each p, q has between 512 and 2048 bits 2. Compute n = pq, and (n) = (q-1)(p-1) 3. Select e, 1<e< (n), s.t. gcd(e, (n)) = 1 Typically e=3 or e=65537 4. Compute d, 1< d< (n) s.t. ed  1 mod (n) Knowing (n), d easy to compute. Public key: (e, n) Private key: d Topic 5: Public Key Encrypption and Digital Signatures

14 RSA Description (cont.)
Encryption Given a message M, 0 < M < n M  Zn {0} use public key (e, n) compute C = Me mod n C  Zn {0} Decryption Given a ciphertext C, use private key (d) Compute Cd mod n = (Me mod n)d mod n = Med mod n = M Topic 5: Public Key Encrypption and Digital Signatures

15 Topic 5: Public Key Encrypption and Digital Signatures
RSA Example p = 11, q = 7, n = 77, (n) = 60 d = 13, e = 37 (ed = 481; ed mod 60 = 1) Let M = 15. Then C  Me mod n C  1537 (mod 77) = 71 M  Cd mod n M  7113 (mod 77) = 15 Topic 5: Public Key Encrypption and Digital Signatures

16 Topic 5: Public Key Encrypption and Digital Signatures
RSA Example 2 Parameters: p = 3, q = 5, n= pq = 15 (n) = ? Let e = 3, what is d? Given M=2, what is C? How to decrypt? Topic 5: Public Key Encrypption and Digital Signatures

17 Hard Problems on Which RSA Security Depends
C = Me mod (n=pq) Plaintext: M Ciphertext: C Cd mod n Factoring Problem: Given n=pq, compute p,q Finding RSA Private Key: Given (n,e), compute d s.t. ed = 1 (mod (n)). Given (d,e) such that ed = 1 (mod (n)), there is a clever randomized algorithm to factor n efficiently. Implication: cannot share the modulus n among multiple users RSA Problem: From (n,e) and C, compute M s.t. C = Me Aka computing the e’th root of C. Can be solved if n can be factored Topic 5: Public Key Encrypption and Digital Signatures

18 RSA Security and Factoring
Security depends on the difficulty of factoring n Factor n  compute (n)  compute d from (e, n) Knowing e, d such that ed = 1 (mod (n))  factor n The length of n=pq reflects the strength 700-bit n factored in 2007 768 bit n factored in 2009 RSA encryption/decryption speed is quadratic in key length 1024 bit for minimal level of security today (roughly 80 bit security) likely to be breakable in near future Minimal 2048 bits recommended for current usage (roughly 112 bit security) NIST suggests bit RSA keys are equivalent in strength to 256-bit Factoring is easy to break with quantum computers An effort concluded in 2009 by several researchers factored a 232-digit number (RSA-768) utilizing hundreds of machines over a span of 2 years. Topic 5: Public Key Encrypption and Digital Signatures

19 RSA Encryption & IND-CPA Security
The RSA assumption, which assumes that the RSA problem is hard to solve, ensures that the plaintext cannot be fully recovered. Plain RSA does not provide IND-CPA security. For Public Key systems, the adversary has the public key, hence the initial training phase is unnecessary, as the adversary can encrypt any message he wants to. How to break IND-CPA security? How to use it more securely? Topic 5: Public Key Encrypption and Digital Signatures

20 Real World Usage of Public Key Encryption
Often used to encrypt a symmetric key To encrypt a message M under an RSA public key (n,e), generate a new AES key K, compute [Ke mod n, AES-CBCK(M)] Alternatively, one can use random padding. E.g., computer (M || r) e mod n to encrypt a message M with a random value r More generally, uses a function F(M,r), and encrypts as F(M,r) e mod n From F(M,r), one should be able to recover M This provides randomized encryption e.g., Optimal Asymmetric Encryption Padding (OAEP) Roughly, to encrypt M, chooses random r, encode M as M’ = [X = M  H1(r) , Y= r  H2(X) ] where H1 and H2 are cryptographic hash functions, then encrypt it as (M’) e mod n Note that given M’=[X,Y], r = Y  H2(X), and M = X  H1(r) Topic 5: Public Key Encrypption and Digital Signatures

21 Digital Signatures: The Problem
Consider the real-life example where a person pays by credit card and signs a bill; the seller verifies that the signature on the bill is the same with the signature on the card Contracts are valid if they are signed. Signatures provide non-repudiation. ensuring that a party in a dispute cannot repudiate, or refute the validity of a statement or contract. Can we have a similar service in the electronic world? Does Message Authentication Code provide non-repudiation? Topic 5: Public Key Encrypption and Digital Signatures

22 Topic 5: Public Key Encrypption and Digital Signatures
MAC: One party generates MAC, one party verifies integrity. Digital signatures: One party generates signature, many parties can verify. Digital Signature: a data string which associates a message with some originating entity. Digital Signature Scheme: a signing algorithm: takes a message and a (private) signing key, outputs a signature a verification algorithm: takes a (public) verification key, a message, and a signature Provides: Authentication, Data integrity, Non-Repudiation Topic 5: Public Key Encrypption and Digital Signatures

23 Digital Signatures and Hash
Very often digital signatures are used with hash functions, hash of a message is signed, instead of the message. Hash function must be: Strong collision resistant Topic 5: Public Key Encrypption and Digital Signatures

24 Topic 5: Public Key Encrypption and Digital Signatures
RSA Signatures Key generation (as in RSA encryption): Select 2 large prime numbers of about the same size, p and q Compute n = pq, and  = (q - 1)(p - 1) Select a random integer e, 1 < e < , s.t. gcd(e, ) = 1 Compute d, 1 < d <  s.t. ed  1 mod  Public key: (e, n) used for verification Private key: d, used for generation Topic 5: Public Key Encrypption and Digital Signatures

25 RSA Signatures with Hash (cont.)
Signing message M Verify 0 < M < n Compute S = h(M)d mod n Verifying signature S Use public key (e, n) Compute Se mod n = (h(M)d mod n)e mod n = h(M) Topic 5: Public Key Encrypption and Digital Signatures

26 Topic 5: Public Key Encrypption and Digital Signatures
Non-repudiation Nonrepudiation is the assurance that someone cannot deny something. Typically, nonrepudiation refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated. Can one deny a digital signature one has made? Does provide non-repudiation? Topic 5: Public Key Encrypption and Digital Signatures

27 Topic 5: Public Key Encrypption and Digital Signatures
The Big Picture Secrecy / Confidentiality Stream ciphers Block ciphers + encryption modes Public key encryption: RSA, El Gamal, etc. Authenticity / Integrity Message Authentication Code Digital Signatures: RSA, DSA, etc. Secret Key Setting Public Key Setting Secret key, one sender, one receiver. Public key encryption: anyone can encrypt, only one can decrypt. Digital signature: only one signs, anyone can verify Topic 5: Public Key Encrypption and Digital Signatures

28 Topic 5: Public Key Encrypption and Digital Signatures
Coming Attractions … User authentication Topic 5: Public Key Encrypption and Digital Signatures

Download ppt "Information Security CS 526"

Similar presentations

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.

Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Dr.Saleem Al_Zoubi1 Cryptography and Network Security Third Edition by William Stallings Public Key Cryptography and RSA.

Dr.Saleem Al_Zoubi1 Cryptography and Network Security Third Edition by William Stallings Public Key Cryptography and RSA.
1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.5 Public Key Algorithms.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.5 Public Key Algorithms.
Introduction to Public Key Cryptography

Introduction to Public Key Cryptography
Public Key Model 8. Cryptography part 2.

Public Key Model 8. Cryptography part 2.
1 CIS 5371 Cryptography 8. Asymmetric encryption-.

1 CIS 5371 Cryptography 8. Asymmetric encryption-.
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.

Andreas Steffen, , 4-PublicKey.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.
CS5204 – Fall 2009 1 Cryptographic Security Presenter: Hamid Al-Hamadi October 13, 2009.

CS5204 – Fall Cryptographic Security Presenter: Hamid Al-Hamadi October 13, 2009.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.
CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)

CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

Similar presentations

Ads by Google