Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide 1 Vitaly Shmatikov CS 378 Overview of Public-Key Cryptography.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Slide 1 Vitaly Shmatikov CS 378 Overview of Public-Key Cryptography."— Presentation transcript:

1 slide 1 Vitaly Shmatikov CS 378 Overview of Public-Key Cryptography

2 slide 2 Basic Problem ? Given: Everybody knows Bob’s public key - How is this achieved in practice? Only Bob knows the corresponding private key private key Goal: Alice wants to send a secret message to Bob Bob wants to authenticate himself public key AliceBob

3 slide 3 Applications of Public-Key Crypto uEncryption for confidentiality Anyone can encrypt a message –With symmetric crypto, must know secret key to encrypt Only someone who knows private key can decrypt Key management is simpler (maybe) –Secret is stored only at one site: good for open environments uDigital signatures for authentication Can “sign” a message with your private key uSession key establishment Exchange messages to create a secret session key Then switch to symmetric cryptography (why?)

4 slide 4 Diffie-Hellman Protocol (1976) uAlice and Bob never met and share no secrets uPublic info: p and g p is a large prime number, g is a generator of Z p * –Z p *={1, 2 … p-1};  a  Z p *  i such that a=g i mod p –Modular arithmetic: numbers “wrap around” after they reach p AliceBob Pick secret, random X Pick secret, random Y g y mod p g x mod p Compute k=(g y ) x =g xy mod p Compute k=(g x ) y =g xy mod p

5 slide 5 Why Is Diffie-Hellman Secure? uDiscrete Logarithm (DL) problem: given g x mod p, it’s hard to extract x There is no known efficient algorithm for doing this This is not enough for Diffie-Hellman to be secure! uComputational Diffie-Hellman (CDH) problem: given g x and g y, it’s hard to compute g xy mod p … unless you know x or y, in which case it’s easy uDecisional Diffie-Hellman (DDH) problem: given g x and g y, it’s hard to tell the difference between g xy mod p and g r mod p where r is random

6 slide 6 Properties of Diffie-Hellman uAssuming DDH problem is hard, Diffie-Hellman protocol is a secure key establishment protocol against passive attackers Eavesdropper can’t tell difference between established key and a random value Can use new key for symmetric cryptography –Approx. 1000 times faster than modular exponentiation uDiffie-Hellman protocol does not provide authentication When we talk about IPSec, we’ll see how to combine Diffie-Hellman with signatures, anti-DoS cookies, etc.

7 slide 7 Public-Key Encryption: Basic Idea

8 slide 8 Requirements for Public-Key Crypto uKey generation: computationally easy to generate a pair (public key PK, private key SK) Computationally infeasible to determine private key PK given only public key PK uEncryption: given plaintext M and public key PK, easy to compute ciphertext C=E PK (M) uDecryption: given ciphertext C=E PK (M) and private key SK, easy to compute plaintext M Infeasible to compute M from C without SK Trapdoor function: Decrypt(SK,Encrypt(PK,M))=M

9 slide 9 Some Number Theory Facts uEuler totient function  (n) where n  1 is the number of integers in the [1,n] interval that are relatively prime to n Two numbers are relatively prime if their greatest common divisor (gcd) is 1 uEuler’s theorem: if a  Z n *, then a  (n) =1 mod n uSpecial case: Fermat’s Little Theorem if p is prime and gcd(a,p)=1, then a p-1 =1 mod p

10 slide 10 RSA Cryptosystem [Rivest, Shamir, Adleman 1977] uKey generation: Generate large primes p, q –Say, 1024 bits each (need primality testing, too) Compute n=pq and  (n)=(p-1)(q-1) Choose small e, relatively prime to  (n) –Typically, e=3 (may be vulnerable) or e=2 16 +1=65537 (why?) Compute unique d such that ed = 1 mod  (n) Public key = (e,n); private key = d uEncryption of m: c = m e mod n Modular exponentiation by repeated squaring uDecryption of c: c d mod n = (m e ) d mod n = m

11 slide 11 Why RSA Decryption Works ue  d=1 mod  (n) uThus e  d=1+k  (n)=1+k(p-1)(q-1) for some k uIf gcd(m,p)=1, then m ed =m mod p By Fermat’s Little Theorem, m p-1 =1 mod p Raise both sides to the power k(q-1) and multiply by m m 1+k(p-1)(q-1) =m mod p, thus m ed =m mod p uIf gcd(m,p)=p, then m ed = m mod p = 0 uBy the same argument, m ed =m mod q uSince p and q are distinct primes and p  q=n, m ed =m mod n

12 slide 12 Why Is RSA Secure? uRSA problem: given n=pq, e such that gcd(e,(p-1)(q-1))=1 and c, find m such that m e =c mod n i.e., recover m from ciphertext c and public key (n,e) There is no known efficient algorithm for doing this uFactoring problem: given positive integer n, find primes p 1, …, p k such that n=p 1 e 1 p 2 e 2 …p k e k uIf factoring is easy, then RSA problem is easy, but there is no known reduction from factoring to RSA In other words, it may be possible to break RSA (i.e., take e th root of c) without factoring n

13 slide 13 Integrity in RSA Encryption uPlain RSA does not provide integrity Given encryptions of m 1 and m 2, attacker can create encryption of m 1  m 2 –(m 1 e )  (m 2 e ) mod n = (m 1  m 2 ) e mod n Attacker can convert m into m k without decrypting –(m 1 e ) k mod n = (m k ) e mod n uIn practice, OAEP is used: instead of encrypting M, encrypt M  G(r) | r  H(M  G(r)) r is random and fresh, G and H are hash functions Resulting encryption is plaintext-aware: infeasible to compute a valid encryption without knowing plaintext –If hash functions are “good” and RSA problem is hard

14 slide 14 Digital Signatures: Basic Idea ? Given: Everybody knows Bob’s public key Only Bob knows the corresponding private key private key Goal: Bob sends a “digitally signed” message 1.To compute a signature, must know the private key 2.To verify a signature, enough to know the public key public key AliceBob

15 slide 15 RSA Signatures uPublic key is (n,e), private key is d uTo sign message m: s = m d mod n Signing and decryption are the same operation in RSA It’s infeasible to compute s on m if you don’t know d uTo verify signature s on message m: s e mod n = (m d ) e mod n = m Just like encryption Anyone who knows n and e (public key) can verify signatures produced with d (private key) uIn practice, also need to use padding & hashing

16 slide 16 Digital Signature Standard (DSS) uU.S. government standard (1991-94) Modification of the ElGamal signature scheme (1985) uKey generation: Generate large primes p, q such that q divides p-1 –2 159 < q < 2 160, 2 511+64t < p < 2 512+64t where 0  t  8 Select h  Z p * and compute g=h (p-1)/q mod p Select random x such 1  x  q-1, compute y=g x mod p uPublic key: (p, q, g, y=g x mod p), private key: x uSecurity of DSS requires hardness of discrete log By solving the discrete logarithm problem, can extract x (private key) from g x mod p (public key)

17 slide 17 DSS: Signing a Message Message Hash function (SHA-1) Random secret between 0 and q Compute r = (g k mod p) mod q Private key Compute s = k -1  (H(M)+x  r) mod q (r,s) is the signature on M

18 slide 18 DSS: Verifying a Signature Message Signature Compute w = s’ -1 mod q Compute (g H(M’)w  y r’w mod q mod p) mod q Public key If they match, signature is valid (i.e., it was produced by someone who knows private key x)

19 slide 19 Why DSS Verification Works uIf (r,s) is a legitimate signature, then r = (g k mod p ) mod q ; s = k -1  (H(M)+x  r) mod q uThus H(M) = -x  r+k  s mod q Multiply both sides by w=s -1 mod q uH(M)  w + x  r  w = k mod q Exponentiate g to both sides u(g H(M)  w + x  r  w = g k ) mod p mod q In a valid signature, g k mod p mod q = r, g x mod p = y uVerify g H(M)  w  y r  w = r mod p mod q

20 slide 20 Security of DSS uCan’t create a valid signature without private key uGiven a signature, hard to recover private key uCan’t change or tamper with signed message uIf the same message is signed twice, signatures are different Each signature is based in part on random secret k uSecret k must be different for each signature! If k is leaked or if two messages re-use the same k, attacker can recover secret key x and forge any signature from then on

21 slide 21 Advantages of Public-Key Crypto uConfidentiality without shared secrets Very useful in open environments No “chicken-and-egg” key establishment problem –With symmetric crypto, two parties must share a secret before they can exchange secret messages uAuthentication without shared secrets Use digital signatures to prove the origin of messages uReduce protection of information to protection of authenticity of public keys No need to keep public keys secret, but must be sure that Alice’s public key is really her true public key

22 slide 22 Disadvantages of Public-Key Crypto uCalculations are 2-3 orders of magnitude slower Modular exponentiation is an expensive computation Typical usage: use public-key cryptography to establish a shared secret, then switch to symmetric crypto –We’ll see this in IPSec and SSL uKeys are longer 1024 bits (RSA) rather than 128 bits (AES) uRelies on unproven number-theoretic assumptions What if factoring is easy? –Factoring is believed to be neither P, nor NP-complete

23 slide 23 Reading Assignment uStallings 3.3 through 3.5

Download ppt "Slide 1 Vitaly Shmatikov CS 378 Overview of Public-Key Cryptography."

Similar presentations

Public Key Cryptography Nick Feamster CS 6262 Spring 2009.

Public Key Cryptography Nick Feamster CS 6262 Spring 2009.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.

22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
7. Asymmetric encryption-

7. Asymmetric encryption-
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.

Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
CS470, A.SelcukPublic Key Cryptography1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukPublic Key Cryptography1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
Overview of Cryptography What is Cryptography?

Overview of Cryptography What is Cryptography?
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Public Key Algorithms 4/17/2017 M. Chatterjee.

Public Key Algorithms 4/17/2017 M. Chatterjee.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,
Slide 1 Vitaly Shmatikov CS 380S Semantic Security.

Slide 1 Vitaly Shmatikov CS 380S Semantic Security.

Similar presentations

Ads by Google