Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 7: Key Distribution

Published byAdam Green Modified over 5 years ago

Similar presentations

Presentation on theme: "Lecture 7: Key Distribution"— Presentation transcript:

1 David Evans http://www.cs.virginia.edu/~evans
Lecture 7: Key Distribution The era of “electronic mail” [Potter1977] may soon be upon us; we must ensure that two important properties of the current “paper mail” system are preserved: (a) messages are private, and (b) messages can be signed. R. Rivest, A. Shamir and L. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, January (The original RSA paper.) CS588: Security and Privacy University of Virginia Computer Science David Evans

2 Traditional Cryptology
Given a secure channel to transmit a shared secret key, symmetric cryptosystems amplify and time-shift that channel: Can transmit bigger secrets over an insecure channel (except one-time pad) Can transmit later secrets over an insecure channel But, the initial secure channel is required 19 Sept 2001 University of Virginia CS 588

3 University of Virginia CS 588
Key Distribution All the cryptosystems we have seen depend on two parties having a shared secret Distributing secret keys is hard and expensive Can two people communicate securely without having to meet first and establish a key? 19 Sept 2001 University of Virginia CS 588

4 University of Virginia CS 588
Trust a Third Party Keys “R” Us knows KA, KB ... Generates random KAB E (KAB, KA) E (KAB, KB) E (“Bob”, KA) E (“Alice” || KAB, KB) E (M, KAB) Bob Alice How can Alice and Bob securely provide their keys to Keys “R” Us? 19 Sept 2001 University of Virginia CS 588

5 University of Virginia CS 588
Merkle’s Puzzles Ralph Merkle [1974] Alice generates 220 messages: “This is puzzle x. The secret is y.” (x and y are random numbers) Encrypts each message using symmetric cipher with a different key. Sends all encrypted messages to Bob 19 Sept 2001 University of Virginia CS 588

6 University of Virginia CS 588
Merkle’s Puzzles, cont. Bob chooses random message, performs brute-force attack to recover plaintext and secret y Bob sends x (clear) to Alice Alice and Bob use y to encrypt messages 19 Sept 2001 University of Virginia CS 588

7 University of Virginia CS 588
Is this secure? Alice: symmetric cipher DES ~255 expected brute force work to break DES Eve: has to break the 220 to find which one matches x. ~ 219 * 255 expected work Alice and Bob change keys frequently enough since it is less work to agree to a new key Why not increase number of puzzle messages? 19 Sept 2001 University of Virginia CS 588

8 University of Virginia CS 588
Padlocked Boxes Hi! Alice 19 Sept 2001 University of Virginia CS 588

9 University of Virginia CS 588
Padlocked Boxes EA(M) Alice’s Padlock Hi! Alice Alice’s Padlock Key 19 Sept 2001 University of Virginia CS 588

10 University of Virginia CS 588
Padlocked Boxes Shady Sammy’s Slimy Shipping Service Alice Alice’s Padlock Key 19 Sept 2001 University of Virginia CS 588

11 University of Virginia CS 588
Padlocked Boxes EB( ) EA(M) Bob’s Padlock Alice Hi! Bob Alice’s Padlock Key Bob’s Padlock Key 19 Sept 2001 University of Virginia CS 588

12 University of Virginia CS 588
Padlocked Boxes EB(EA(M)) Hi! Alice Bob Alice’s Padlock Key Bob’s Padlock Key 19 Sept 2001 University of Virginia CS 588

13 University of Virginia CS 588
Padlocked Boxes DA(EB(EA(M))) = EB(M) Hi! Alice Bob Alice’s Padlock Key Bob’s Padlock Key 19 Sept 2001 University of Virginia CS 588

14 University of Virginia CS 588
Padlocked Boxes EB(M) Alice Hi! Bob Bob’s Padlock Key 19 Sept 2001 University of Virginia CS 588

15 University of Virginia CS 588
Padlocked Boxes Hi! Alice Hi! Bob Bob’s Padlock Key 19 Sept 2001 University of Virginia CS 588

16 Secret Paint Mixing Alice Bob Yellow paint (public)
Analogy due to Simon Singh, The Code Book. Secret Paint Mixing Alice Bob Yellow paint (public) Alice’s Secret Color Bob’s Secret Color CA = Yellow + Purple CB = Yellow + Red K = Yellow + Red + Purple K = Yellow + Purple + Red Eve 19 Sept 2001 University of Virginia CS 588

17 Birth of Public Key Cryptosystems
1969 – ARPANet born: 4 sites Whitfield Diffie starts thinking about strangers sending messages securely 1974 – Whitfield Diffie gives talk at IBM lab Audience member mentions that Matrin Hellman (Stanford prof) had spoke about key distribution That night – Diffie starts driving 5000km to Palo Alto Diffie, Hellman and Ralph Merkle work on key distribution problem 19 Sept 2001 University of Virginia CS 588

18 University of Virginia CS 588
We stand today on the brink of a revolution in cryptography. The development of cheap digital hardware has freed it from the design limitations of mechanical computing and brought the cost of high grade cryptographic devices down to where they can be used in such commercial applications as remote cash dispensers and computer terminals. In turn, such applications create a need for new types of cryptographic systems which minimize the necessity of secure key distribution channels and supply the equivalent of a written signature. At the same time, theoretical developments in information theory and computer science show promise of providing provably secure cryptosystems, changing this ancient art into a science. Diffie and Hellman, November 1976. 19 Sept 2001 University of Virginia CS 588

19 Diffie-Hellman Key Agreement
Choose public numbers: q (large prime number),  (primitive root of q) A generates random XA and sends B: YA = XA mod q. B generates random XB and sends A: YB =  XB mod q. A calculates secret key: K = (YB) XA mod q. B calculates secret key: K = (YA) XB mod q. 19 Sept 2001 University of Virginia CS 588

20 What’s a primitive root?
 is a primitive root of q if for all 1  n < q, there is some m, 1  m < q such that m = n mod q Given , n and q can we solve for m? Yes: there is only one possible m But, it might be hard to find Discrete logarithm: given , n, and q find 0  m < q such that m = n mod q. 19 Sept 2001 University of Virginia CS 588

21 University of Virginia CS 588
Example What is a primitive root for q = 11? 21  = 64 11 9 22  = 128 11 7 23  = 256 11 3 24 = 16  = 512 11 6 25 = 32  = 1024 11 1 19 Sept 2001 University of Virginia CS 588

22 Finding Primitive Roots
Theorem: All prime numbers have primitive roots. Book proves this using Proof by Forward Reference “(Proof later.)” (p .137) and “this will be proven later” (p. 230), “which will be proven only later” (p. 231), “which is known to exist” (p. 445). We’ll use the same technique In practice, it is easy to find primitive roots for prime numbers by guessing. Almost ½ of guesses will work (next class we will see why). 19 Sept 2001 University of Virginia CS 588

23 Diffie-Hellman Example
Choose public numbers: q (large prime number),  (generator mod q): q = 11,  = 2 A generates random XA and sends B: YA = XA mod q. XA = 4, YA = 24 mod 11 = 16 mod 11 = 5 B generates random XB and sends A: YB =  XB mod q. XB = 6, YB = 26 mod 11 = 64 mod 11 = 9 Example from Tom Dunigan’s notes: 19 Sept 2001 University of Virginia CS 588

24 Diffie-Hellman Example, cont.
q = 11,  = 2 XA = 4, YA = 5 XB = 6, YB = 9 A calculates secret key: K = (YB) XA mod q. K = 94 mod 11 = 6561 mod 11 = 5. B calculates secret key: K = (YA) XB mod q. K = 56 mod 11 = mod 11 = 5. 19 Sept 2001 University of Virginia CS 588

25 Is it magic? Things to Prove:
They generate the same keys: K = (YB) XA mod q = (YA) XB mod q An eavesdropper cannot find K from any transmitted value: q, , YA, YB 19 Sept 2001 University of Virginia CS 588

26 University of Virginia CS 588
1. Keys Agree Prove K = (YB)XA mod q = (YA)XB mod q. (YB)XA mod q (YA)XB mod q = (XB mod q)XA mod q = (XA mod q)XB mod q = (XB)XA mod q = (XA)XB mod q = XBXA mod q = XAXB mod q QED. 19 Sept 2001 University of Virginia CS 588

27 Modular Exponentiation
(a mod q)b mod q = ab mod q (7 mod 6)2 mod 6 = 72 mod 6 12 mod 6 = 49 mod 6 Proof by example? 19 Sept 2001 University of Virginia CS 588

28 Modular Exponentiation
First prove: (a * b) mod q = (a mod q) * (b mod q) mod q Then, by induction, (a mod q)b mod q = ab mod q since ab = a * ab-1 and a1 = a. 19 Sept 2001 University of Virginia CS 588

29 University of Virginia CS 588
Modular Arithmetic (a * b) mod n = x x + (n * d0) = a * b x = a * b – (n * d0) a mod n = y  y = a – (n * d1) b mod n = z  z = b – (n * d2) (a mod n) * (b mod n) mod n = (a – (n * d1)) * (b – (n * d2)) mod n = (a * b + (a * (n * d2) – b * (n * d1) + (n * d1)(n * d2)) mod n = a * b mod n (all terms with n * are 0 mod n) 19 Sept 2001 University of Virginia CS 588

30 2. Secure from Eavesdropper
An eavesdropper cannot find K = (YB)XA mod q = (YA)XB mod q from any transmitted value: q, , YA = XA mod q, YB =  XB mod q Attacker needs to solve YA = XA mod q for XA Finding discrete logarithms is (probably) hard! Best known algorithm: e((ln q)1/3 ln (ln q)) 2/3) 19 Sept 2001 University of Virginia CS 588

31 Secure from Active Eavesdropper?
Public: q,  YA = XA mod q Bob Secret: XB Alice Secret: XA YB =  XB mod q K = (YA)XB mod q K = (YB)XA mod q 19 Sept 2001 University of Virginia CS 588

32 Secure from Active Eavesdropper?
Public: q,  YA = XA mod q YE = XE mod q Bob YE =  XE mod q Secret: XB Alice Secret: XA YB =  XB mod q KAE = (YE)XA mod q KEB = (YE)XB mod q Secret: XE 19 Sept 2001 University of Virginia CS 588

33 University of Virginia CS 588
Diffie-Hellman Use SSL Cisco encrypting routers Sun secure RPC etc... 19 Sept 2001 University of Virginia CS 588

34 Public-Key Cryptography
Same paper introduced concept of Public-Key Cryptography Public algorithm: E Private algorithm: D Identity: E (D (m)) = D (E (m)) = m Secure: cannot determine E from D But didn’t know how to find suitable E and D 19 Sept 2001 University of Virginia CS 588

35 University of Virginia CS 588
Knapsack Ciphers [Merkle, Hellman 78] Knapsack Problem: Given positive integers a1, a2 , …, an and a positive integer b find a subset of a’s that sum to b. In general, this is NP-complete Can try 2n possible subsets, check each one in polynomial time If we could solve it in polynomial time, we could solve all other NP problems in P also Proof: reduce to satisfiability (~ vehement assertion) 19 Sept 2001 University of Virginia CS 588

36 University of Virginia CS 588
Encryption Message = (x1, …., xn) (bit vector) Knapsack vector: a = (a1, …., an) Ciphertext: b = x1a1 + x2a2 + …+ xnan Decrypt by finding subset of ai’s that sum to b. Message bits corresponding to i’s are 1. Unique decryption? Depends on choice of knapsack: can’t have duplicate elements, can’t have elements equal to sum of subset of other elements 19 Sept 2001 University of Virginia CS 588

37 Superincreasing Knapsack
a = (a1, …., an) where for all i, ai > a1+ a2 + … + ai - 1 If a is superincreasing, how hard is decryption? for i = n to 1 step –1 if b >= ai then bi = 1 b = b – ai else bi = 0 19 Sept 2001 University of Virginia CS 588

38 University of Virginia CS 588
Disguise the Knapsack Instead of using a = (a1, …., an) use c = (ta1 mod m, …., tan mod m) where m > a1 + a2 + … + an and t is random secret, relatively prime to m (Hence, there is an inverse t-1 mod n) Alice publishes c as her “public knapsack”. 19 Sept 2001 University of Virginia CS 588

39 University of Virginia CS 588
Knapsack Encryption To send a message, b = x1c1 + x2c2 + …+ xncn Alice decrypts by: t-1 b mod m = t-1x1c1 + t-1x2c2 + …+ t-1 xncn c = (ta1 mod m, …., tan mod m) so t-1x1c1 = a1x1 mod m t-1 b mod m = x1a1 + x2a2 + …+ xnan Easy for Alice to compute x’s now using superincreasing knapsack. 19 Sept 2001 University of Virginia CS 588

40 University of Virginia CS 588
Example Private key: (3, 5, 9, 20, 44) t = 67, m = 89 t-1 = 4 since 67 * 4 = 1 mod 89 3 * 67 = 201 mod 89 = 23, … Public key: (23, 68, 69, 5, 11) Encrypt M = (01011) C = = 84 Decrypt C * 4 = 69 mod 89 = = (01011) 19 Sept 2001 University of Virginia CS 588

41 University of Virginia CS 588
Knapsack Security? Security relied on proof that solving general knapsack problem is NP-hard But, adversary doesn’t have to solve general knapsack problem – just convert to superincreasing knapsack Shamir [1983] showed it is possible to do this in polynomial time without known t and m Lesson: just because a cipher uses a provably hard problem, doesn’t mean there isn’t a way of breaking the cipher without solving that problem 19 Sept 2001 University of Virginia CS 588

42 University of Virginia CS 588
Charge Next time: Rivest, Shamir, Adelman: First solution to finding suitable E and D Identity: E (D (m)) = D (E (m)) = m Secure: cannot determine E from D Read the paper! Go somewhere appropriate: this is perhaps the most important paper in past 30 years! Identify 2 questionable statements in the paper 19 Sept 2001 University of Virginia CS 588

Download ppt "Lecture 7: Key Distribution"

Similar presentations

Public Key Cryptography Nick Feamster CS 6262 Spring 2009.

Public Key Cryptography Nick Feamster CS 6262 Spring 2009.
Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa Spring 2006 David Evans Class 4: Modern Cryptography

Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa Spring 2006 David Evans Class 4: Modern Cryptography
Public Key Crytography1 From: Introduction to Algorithms Cormen, Leiserson and Rivest.

Public Key Crytography1 From: Introduction to Algorithms Cormen, Leiserson and Rivest.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Public Key Algorithms 4/17/2017 M. Chatterjee.

Public Key Algorithms 4/17/2017 M. Chatterjee.
1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Public Key Cryptography Bryan Pearsaul. Outline What is Cryptology? Symmetric Ciphers Asymmetric Ciphers Diffie-Hellman RSA (Rivest/Shamir/Adleman) Moral.

Public Key Cryptography Bryan Pearsaul. Outline What is Cryptology? Symmetric Ciphers Asymmetric Ciphers Diffie-Hellman RSA (Rivest/Shamir/Adleman) Moral.
CSCI 172/283 Fall 2010 Public Key Cryptography. New paradigm introduced by Diffie and Hellman The mailbox analogy: Bob has a locked mailbox Alice can.

CSCI 172/283 Fall 2010 Public Key Cryptography. New paradigm introduced by Diffie and Hellman The mailbox analogy: Bob has a locked mailbox Alice can.
Lecture 6: Public Key Cryptography

Lecture 6: Public Key Cryptography
Public Key Model 8. Cryptography part 2.

Public Key Model 8. Cryptography part 2.
Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.

Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.
CSCI 398 Research Topics in Computer Science Yana Kortsarts Computer Science Department Widener University Chester, PA.

CSCI 398 Research Topics in Computer Science Yana Kortsarts Computer Science Department Widener University Chester, PA.
Lecture 11: Key Distribution

Lecture 11: Key Distribution
David Evans CS200: Computer Science University of Virginia Computer Science Class 36: Public-Key Cryptography If you want.

David Evans CS200: Computer Science University of Virginia Computer Science Class 36: Public-Key Cryptography If you want.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.

CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Chapter 21 Public-Key Cryptography and Message Authentication.

Chapter 21 Public-Key Cryptography and Message Authentication.
Modular Arithmetic with Applications to Cryptography Lecture 47 Section 10.4 Wed, Apr 13, 2005.

Modular Arithmetic with Applications to Cryptography Lecture 47 Section 10.4 Wed, Apr 13, 2005.
Cryptography and Network Security Chapter 10 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 10 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Public Key Cryptography. symmetric key crypto requires sender, receiver know shared secret key Q: how to agree on key in first place (particularly if.

Public Key Cryptography. symmetric key crypto requires sender, receiver know shared secret key Q: how to agree on key in first place (particularly if.

Similar presentations

Ads by Google