Slide 1: 15-349 Introduction to Computer and Network Security
Iliano Cervesato
2 September 2008 – Public-key Encryption
Slide 2: Where we are
- Course intro
- Cryptography
  - Intro to crypto
  - Modern crypto
  - Symmetric encryption
  - Asymmetric encryption
  - Beyond encryption
- Cryptographic protocols
- Attacking protocols
- Program/OS security & trust
- Networks security
- Beyond technology
Slide 3: Outline
- Public-key cryptography: motivations
- The Merkle-Hellman encryption algorithm
  - The knapsack problem
  - How Merkle-Hellman works
  - Cryptanalysis
- Basic number theory
  - Modular arithmetic
  - Primality and inverses
- The El Gamal encryption scheme
  - The discrete logarithm problem
- RSA
  - The factorization problem
  - RSA cryptographic challenges
Slide 4: Asymmetric Encryption – Review
D_{k^-1}(E_k(m)) = m
(Figure: cleartext M enters the encryption box E under the public key k and leaves as ciphertext X; X enters the decryption box D under the private key k^-1 and leaves as M again. The public key k is public data; the private key k^-1 is not.)
Slide 5: Motivations
- Can 2 keys be better than 1?
- How do we make data public?
- Why bother?
  - Key management problem
  - Added flexibility, e.g., digital signatures
Slide 6: Naïve Key Management
- Principals A_1, …, A_n want to talk
- Each pair needs a key: n(n-1)/2 keys
- Keys must be established
  - Physical exchange
  - Secure channel
  - …
(Figure: principals A_1 … A_5, every pair joined by its own key)
Slide 7: Improved Solution
- Centralized key-distribution center (KDC)
  - Each A_i shares a key k_i with the KDC: n key pairs needed
- If A_i wants to talk to A_j:
  - A_i → KDC: "connect me to A_j"
  - KDC generates a new key k_ij
  - KDC → A_i: E_{k_i}(k_ij)
  - KDC → A_j: E_{k_j}(k_ij, "A_i wants to talk")
- However
  - KDC must be trusted
  - KDC is a single point of failure
  - Still n direct exchanges
- Still naïve: KDC online all the time
(Figure: KDC joined to A_1 … A_5 by keys k_1 … k_5)
Slide 8: Public-Key Solution
- Pair (k_i, k_i^-1) for each A_i
- The k_i's are published ("phonebook")
- Simple setup
  - A_i generates (k_i, k_i^-1)
  - A_i publishes k_i
  - … details later
- Secure web sites would be impossible without https
(Figure: public data lists A_1: k_1, …, A_i: k_i, …; each A_i keeps its private key k_i^-1)
Slide 9: The Knapsack problem
- Given objects of size s_1, s_2, …, s_n, is it possible to completely fill a knapsack of size s?
  - Is there a binary vector v such that Σ_i v_i s_i = s?
  - NP-complete
- What if s_{i+1} > Σ_{j≤i} s_j? (super-increasing knapsack)
  - Easy: O(n), greedy from the largest object down (the test must be >=, otherwise an object that exactly fills the remaining space is skipped):

    for (i = n; i > 0; i--) {
        if (s >= s_i) s = s - s_i;   /* take object i if it still fits */
    }
    return (s == 0);

- Hmm, this feels like encryption material …
Slide 10: Merkle-Hellman Encryption
- Pick
  - a super-increasing sequence S = (s_1, s_2, …, s_n)
  - a prime p > s_n, 100-200 digits long
  - a multiplier w
  - (S, w) is the private key
- Compute h_i = w s_i mod p
  - H = (h_1, h_2, …, h_n) is the public key
- Encryption of binary m: x = Σ_i h_i m_i
  - Attacker has to solve a general knapsack in H: hard
- Decryption of x
  - Multiply x by w^-1 (mod p)
  - Solve the super-increasing knapsack problem in S: easy
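As an added example (not code from the slides), the Python below puts the greedy super-increasing solver from the knapsack slide next to the Merkle-Hellman key generation, encryption and decryption steps just described. All function names and the sequence, prime and multiplier are constructed for illustration. One point the slide leaves implicit is made explicit in the code: p is chosen larger than the sum of the whole sequence (which also gives p > s_n), because decryption reduces x·w^-1 modulo p and that reduction must land exactly on the true subset sum.

```python
# Added example: toy Merkle-Hellman knapsack cryptosystem with the
# super-increasing solver. Constructed parameters only; the scheme itself is
# broken (see the cryptanalysis slide) and is shown to make the steps concrete.

def solve_super_increasing(seq, s):
    """Greedy O(n) solver: scan from the largest element down and take an element
    whenever it still fits. Returns the 0/1 vector, or None if s is not reachable."""
    bits = [0] * len(seq)
    for i in range(len(seq) - 1, -1, -1):
        if s >= seq[i]:
            s -= seq[i]
            bits[i] = 1
    return bits if s == 0 else None


def is_super_increasing(seq):
    """Each element must exceed the sum of all elements before it."""
    total = 0
    for x in seq:
        if x <= total:
            return False
        total += x
    return True


def mh_keygen(seq, p, w):
    """Private key (seq, w, p); public key H with h_i = w * s_i mod p.
    Requires p > sum(seq) (hence p > s_n) and 0 < w < p so that w is invertible mod p."""
    if not is_super_increasing(seq):
        raise ValueError("sequence is not super-increasing")
    if p <= sum(seq) or not 0 < w < p:
        raise ValueError("need p > sum(seq) and 0 < w < p")
    public = [(w * s) % p for s in seq]
    return (seq, w, p), public


def mh_encrypt(public, bits):
    """x = sum of h_i over the positions where the message bit is 1."""
    return sum(h for h, b in zip(public, bits) if b)


def mh_decrypt(private, x):
    """Multiply by w^-1 mod p, then solve the easy knapsack in the private sequence."""
    seq, w, p = private
    w_inv = pow(w, -1, p)                     # modular inverse (Python 3.8+)
    return solve_super_increasing(seq, (x * w_inv) % p)


# Constructed toy parameters
SEQ = [2, 3, 6, 13, 27, 52]   # super-increasing, sum = 103
P = 107                       # prime larger than the sum
W = 31                        # multiplier, w^-1 = 38 mod 107

if __name__ == "__main__":
    private, public = mh_keygen(SEQ, P, W)
    message = [1, 0, 1, 1, 0, 1]
    x = mh_encrypt(public, message)
    print("public key:", public, "ciphertext:", x, "decrypted:", mh_decrypt(private, x))
```

Running the block shows the public key (62, 93, 79, 82, 88, 7), which no longer looks super-increasing to an attacker, while the holder of w^-1 recovers the easy instance and the message bits.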
Slide 11: Cryptanalysis of Merkle-Hellman
- Scheme based on a special instance of the knapsack problem
  - modular knapsack generated from a super-increasing sequence
  - Not as hard as the general knapsack
- If p is known
  - If s_1 can be found, all s_i can be found
- Can deduce w and p from H
  - Try successive values of w and observe where w h_i rolls over
  - The right w is where they all roll over at the same time
Slide 12: Number Theory – Divisors
- Z = {…, -1, 0, 1, …}
  - + is commutative, associative and invertible w.r.t. 0
  - * is commutative, associative with identity 1
  - Z is a ring
- a|b if ∃c. ac = b
  - E.g., 3|6
  - E.g., 3∤10
- gcd(a, b) = largest d ∈ Z s.t. d|a and d|b
  - E.g., gcd(18, 15) = 3
- Euclid's algorithm
  - Given a > b: r_0 = b, r_1 = a
  - r_{i-2} = q_i r_{i-1} + r_i
  - When r_{n+1} = 0, set gcd(a, b) = r_n
  - ∃u, v. gcd(a, b) = ua + vb
- Modular arithmetic
  - a = b mod n if ∃c. an + c = b
  - Z_n = {0, …, n-1}
  - All operations modulo n
  - Also a ring
Slide 13: Number Theory – Prime numbers
- p > 1 is prime if 1 and p are its only divisors
  - E.g., 3, 5, 7, …
- p and q are relatively prime if gcd(p, q) = 1
  - E.g., 4 and 5 are relatively prime
- There are infinitely many primes
Slide 14: Arithmetic Modulo a Prime
- p prime number
  - For us, at least 1024 bits (~300 digits)
- Z_p = {0, 1, …, p-1}
  - Addition and multiplication are modulo p
  - Exponentiation is iterated multiplication
- Z*_p = {1, …, p-1}
  - Contains all invertible elements of Z_p
  - Z_p = Z*_p ∪ {0}
- x is the inverse of y ≠ 0 if xy = 1 mod p
  - All non-null elements of Z_p are invertible: x^-1 = x^{p-2} mod p
- We can solve linear equations in Z*_p
  - If ax = b mod p, then x = b a^{p-2} mod p
- Fermat's little theorem
  - If a ≠ 0, then a^{p-1} = 1 mod p
- Z_p is a Galois field
Slide 15: Computing in Z_p
- Let n be the length of p
  - Usually around 1024 bits
- Addition in Z_p done in O(n)
- Multiplication is O(n^2)
  - Clever (and practical) algorithms achieve O(n^1.7)
  - Same for inverse
- x^r mod p computed in O((log r) n^2)
  - Repeated squares
    - E.g.: g^23 = g^(10111 in binary) = g · g^2 · g^4 · g^16 (7 multiplications)
  - Addition chains
    - Saves 20% on average (but finding the shortest chain is NP-complete)
    - g, g^2, g^3, g^5, g^10, g^20, g^23 (6 multiplications)
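The following is an added example (not from the slides) covering the previous two slides: exponentiation by repeated squaring with a multiplication counter, evaluation of the slide's addition chain for g^23, the Fermat inverse x^-1 = x^{p-2} mod p, and the linear-equation solver built on it. Function names and the prime 101 are constructed for illustration; the counter reproduces the 7-versus-6 multiplication comparison given on the slide.

```python
# Added example: fast exponentiation and Fermat inverses in Z_p.

def square_and_multiply(g, r, p):
    """Left-to-right binary exponentiation. Returns (g^r mod p, number of modular
    multiplications including squarings) so the cost can be read off directly."""
    result, count, started = 1, 0, False
    for bit in bin(r)[2:]:
        if started:
            result = result * result % p          # square for every bit after the first
            count += 1
        if bit == "1":
            if started:
                result = result * g % p           # multiply in g for every set bit
                count += 1
            else:
                result, started = g % p, True     # leading 1 bit: start from g
    return result, count


def addition_chain_power(g, chain, p):
    """Evaluate g^chain[-1] mod p along an addition chain: chain[0] == 1 and every
    later entry is the sum of two earlier entries, costing one multiplication each."""
    if chain[0] != 1:
        raise ValueError("an addition chain starts at exponent 1")
    powers = {1: g % p}
    for e in chain[1:]:
        pair = next(((i, e - i) for i in powers if e - i in powers), None)
        if pair is None:
            raise ValueError(f"{e} is not a sum of two earlier chain entries")
        powers[e] = powers[pair[0]] * powers[pair[1]] % p
    return powers[chain[-1]], len(chain) - 1


def fermat_inverse(x, p):
    """x^-1 = x^(p-2) mod p for prime p and x != 0 mod p (Fermat's little theorem)."""
    if x % p == 0:
        raise ZeroDivisionError("0 has no inverse mod p")
    return pow(x, p - 2, p)


def solve_linear_mod_prime(a, b, p):
    """Solve ax = b mod p as x = b * a^(p-2) mod p."""
    return b * fermat_inverse(a, p) % p


def fermat_little_theorem_holds(p):
    """Brute-force check of a^(p-1) = 1 mod p for every non-zero a (small p only);
    a composite modulus fails this for some a."""
    return all(pow(a, p - 1, p) == 1 for a in range(1, p))


if __name__ == "__main__":
    p = 101  # constructed small prime
    print(square_and_multiply(3, 23, p), addition_chain_power(3, [1, 2, 3, 5, 10, 20, 23], p))
    print(solve_linear_mod_prime(7, 5, p), fermat_little_theorem_holds(p))
```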
Slide 16: Complexity in Z_p
- Easy problems
  - Generating p
  - Addition, multiplication, exponentiation
  - Inversion, solving linear equations
- Problems believed to be hard
  - DL: Discrete logarithm
    - Given g and x ∈ Z_p, find r s.t. x = g^r mod p
  - DH: Diffie-Hellman
    - Given g, g^r, g^s ∈ Z_p, find g^{rs} mod p
  - Note: DL implies DH
    - Unknown if DH implies DL
  - Best known attack on DL requires space and O(2^n) time
Slide 17: Diffie-Hellman Key Exchange
Public data: p, g
A:
- Choose random a, 1 ≤ a ≤ p-1
- Send g^a mod p
- Receive g^b mod p
- (g^b)^a = g^{ab} mod p
- k = f(g^{ab})
B:
- Receive g^a mod p
- Choose random b, 1 ≤ b ≤ p-1
- Send g^b mod p
- (g^a)^b = g^{ab} mod p
- k = f(g^{ab})
Messages on the wire: A → B: g^a mod p; B → A: g^b mod p
Slide 18: Diffie-Hellman Key Exchange [2]
- Allows 2 principals to produce a shared secret
  - Without secure channel or physical exchange
  - Without a key distribution center
- f is typically a hash function
  - Agreed upon in advance
- However, no authentication
  - Can be fixed with some infrastructure
- Security relies on hardness of DH
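The exchange on the previous slide, as an added Python example that is not part of the lecture material: both sides' computations, the two messages, and a hash-based f that turns g^{ab} into a 128-bit key. The modulus 2^127 - 1, the generator 3, the function names and the use of SHA-256 are all constructed choices for this demonstration, not a vetted parameter set. Note that nothing in the exchange ties g^a or g^b to a named principal, which is the lack of authentication the slide points out.

```python
# Added example: Diffie-Hellman key exchange simulated end to end.
import hashlib
import secrets

P = 2**127 - 1   # constructed demo modulus (a Mersenne prime), not a vetted group
G = 3            # constructed generator choice for the demo


def dh_private_exponent(p):
    """Random exponent in 1..p-1, as on the slide."""
    return 1 + secrets.randbelow(p - 1)


def dh_public_value(g, exponent, p):
    """The value sent over the wire: g^a mod p (or g^b mod p)."""
    return pow(g, exponent, p)


def dh_shared_secret(peer_public, exponent, p):
    """(g^b)^a = g^ab mod p on A's side, (g^a)^b on B's side."""
    return pow(peer_public, exponent, p)


def derive_key(shared, p):
    """f(g^ab): hash the group element (fixed-width big-endian) into a 128-bit key."""
    byte_len = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(byte_len, "big")).digest()[:16]


def run_exchange(p=P, g=G, a=None, b=None):
    """Run both sides and return (key_A, key_B); a and b may be fixed for testing."""
    a = dh_private_exponent(p) if a is None else a
    b = dh_private_exponent(p) if b is None else b
    g_a = dh_public_value(g, a, p)     # message A -> B
    g_b = dh_public_value(g, b, p)     # message B -> A
    key_a = derive_key(dh_shared_secret(g_b, a, p), p)
    key_b = derive_key(dh_shared_secret(g_a, b, p), p)
    return key_a, key_b


if __name__ == "__main__":
    key_a, key_b = run_exchange()
    print("keys agree:", key_a == key_b, key_a.hex())
```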
Slide 19: El Gamal Encryption Scheme
- Security rests on hardness of DL
- Criticisms
  - Transmitted message is twice the size of m
  - Public data has to be managed
  - Very slow (~10Kb/sec vs. 250Kb/s of DES)
Public data: A_1: p_1, g_1, g_1^{α_1}; …; A_i: p_i, g_i, g_i^{α_i}; … (A keeps α_A secret, B keeps α_B secret)
A wants to send secret m ∈ Z_{p_B} to B
A:
- Choose random a
- Send g_B^a, g_B^{α_B a} m mod p_B
B:
- Receive g_B^a, g_B^{α_B a} m mod p_B
- (g_B^a)^{α_B} = g_B^{α_B a} mod p_B
- Compute g_B^{-α_B a} mod p_B
- g_B^{-α_B a} · g_B^{α_B a} m mod p_B = m
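An added Python example (not from the slides) of the El Gamal exchange above: B publishes (p, g, g^{α_B}), A encrypts with a fresh random a, and B strips g^{α_B a} off using the Fermat inverse. The prime 23, generator 5 and exponent values are constructed toy parameters; the function names are mine. The ciphertext is a pair of group elements, which is the "twice the size of m" criticism on the slide.

```python
# Added example: textbook El Gamal over a constructed small prime group.
import secrets


def elgamal_keygen(p, g, alpha=None):
    """Private exponent alpha in 1..p-2; published data (p, g, g^alpha mod p)."""
    if alpha is None:
        alpha = 1 + secrets.randbelow(p - 2)
    return alpha, (p, g, pow(g, alpha, p))


def elgamal_encrypt(public, m, a=None):
    """A picks a random a and sends the pair (g^a, g^(alpha a) * m) mod p."""
    p, g, g_alpha = public
    if not 0 < m < p:
        raise ValueError("m must be a non-zero element of Z_p")
    if a is None:
        a = 1 + secrets.randbelow(p - 2)
    return pow(g, a, p), pow(g_alpha, a, p) * m % p


def elgamal_decrypt(alpha, public, ciphertext):
    """B raises g^a to alpha, inverts the result with Fermat, and recovers m."""
    p, _, _ = public
    c1, c2 = ciphertext
    shared = pow(c1, alpha, p)            # (g^a)^alpha = g^(alpha a) mod p
    shared_inv = pow(shared, p - 2, p)    # g^(-alpha a) mod p
    return shared_inv * c2 % p


if __name__ == "__main__":
    alpha_b, public_b = elgamal_keygen(23, 5, alpha=6)    # constructed toy key
    ct = elgamal_encrypt(public_b, 10, a=3)
    print(public_b, ct, elgamal_decrypt(alpha_b, public_b, ct))
```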
Slide 20: Arithmetic Modulo a Composite
- n natural number
  - For us, typically 1024 bits or ~300 digits
  - Typically n = pq, with p and q primes
- Z_n = {0, 1, …, n-1}
- x is the inverse of y ≠ 0 if xy = 1 mod n
  - x has an inverse iff gcd(x, n) = 1
  - ux + vn = 1 by Euclid's algorithm, so x^-1 = u
  - Works also in Z_p, where it is more efficient than x^-1 = x^{p-2}
- We can solve linear equations in Z_n
- Z*_n = {x : gcd(x, n) = 1}
  - Contains all invertible elements of Z_n
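The next block is an added example (not from the slides) serving both the divisors slide (Euclid's remainder sequence and the coefficients u, v with gcd(a, b) = ua + vb) and the slide above (ux + vn = 1 gives x^-1 = u mod n, and linear equations in Z_n are solvable exactly when the coefficient is invertible). The function names and the test values are mine; the remainder list is built exactly as the divisors slide indexes it, so gcd(18, 15) = 3 appears as the last non-zero entry.

```python
# Added example: Euclid's algorithm, Bezout coefficients, inverses in Z_n.

def euclid_remainders(a, b):
    """r_0 = b, r_1 = a, r_{i-2} = q_i r_{i-1} + r_i, stopping at r_{n+1} = 0.
    Returns the whole list; gcd(a, b) = r_n is the last non-zero entry."""
    r = [b, a]
    while r[-1] != 0:
        r.append(r[-2] % r[-1])
    return r


def gcd_euclid(a, b):
    return euclid_remainders(a, b)[-2]


def extended_gcd(a, b):
    """Returns (d, u, v) with d = gcd(a, b) and d = u*a + v*b."""
    old_r, r = a, b
    old_u, u = 1, 0
    old_v, v = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r       # same remainder sequence as above
        old_u, u = u, old_u - q * u       # track how old_r is built from a ...
        old_v, v = v, old_v - q * v       # ... and from b
    return old_r, old_u, old_v


def mod_inverse(x, n):
    """If ux + vn = 1 then u is x^-1 mod n; None when gcd(x, n) != 1."""
    d, u, _ = extended_gcd(x, n)
    return u % n if d == 1 else None


def solve_linear_mod(a, b, n):
    """Solve ax = b mod n for invertible a; None if a has no inverse in Z_n."""
    a_inv = mod_inverse(a, n)
    return None if a_inv is None else a_inv * b % n


if __name__ == "__main__":
    print(euclid_remainders(18, 15), extended_gcd(18, 15))
    print(mod_inverse(3, 7), mod_inverse(4, 8), solve_linear_mod(3, 4, 7))
```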
Slide 21: Euler's Totient Function
- φ(n) is the number of positive integers relatively prime to n
  - φ(n) is the size of Z*_n
- If n = Π_i p_i^{e_i}, then φ(n) = Π_i p_i^{e_i - 1} (p_i - 1)
  - If n = pq, then φ(n) = (p-1)(q-1) = n – p – q – 1
- Euler's theorem
  - If a ∈ Z*_n, then a^{φ(n)} = 1 mod n
  - a is invertible with inverse a^{φ(n)-1}
Slide 22: Cyclic Groups
- φ(n) is the size of Z*_n (Euler's totient function)
  - If n = Π_i p_i^{e_i}, then φ(n) = Π_i p_i^{e_i - 1} (p_i - 1)
  - If n = p, then φ(n) = n-1
- Z*_n is cyclic if ∃g ∈ Z*_n s.t. Z*_n = {g^0, g^1, g^2, …, g^{φ(n)-1}}
  - g is a generator of Z*_n (Z*_n = <g>)
- Z*_n is cyclic iff n = 2, 4, p^a, 2p^a for an odd prime p
  - Every Z*_p is cyclic
- The order of a ∈ Z*_n is the smallest non-null d s.t. a^d = 1 mod n
  - If the factorization of p-1 is known, ord_p(g) and a generator of Z*_p can be found efficiently
- Lagrange's theorem
  - If a ∈ Z*_p, then ord_p(a) | p-1
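An added Python example (not from the slides) for the totient and cyclic-group slides: φ(n) from a factorization checked against a brute-force count of Z*_n, Euler's inverse a^{φ(n)-1}, element orders, a brute-force cyclicity test that agrees with the n = 2, 4, p^a, 2p^a rule on small n, and the generator test for Z*_p that needs the prime factors of p-1 (by Lagrange, the order of g divides p-1, so g generates the group iff g^{(p-1)/q} ≠ 1 for every prime q dividing p-1). Function names and the moduli are constructed for illustration.

```python
# Added example: totient, Euler's theorem, orders and generators.
from math import gcd


def totient_from_factorization(factors):
    """factors maps each prime p_i to its exponent e_i in n = prod p_i^e_i."""
    phi = 1
    for p, e in factors.items():
        phi *= p ** (e - 1) * (p - 1)
    return phi


def totient_brute(n):
    """|Z*_n|: count the integers in 1..n relatively prime to n (small n only)."""
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)


def euler_inverse(a, n, phi):
    """For a in Z*_n, a^phi(n) = 1 mod n, hence a^-1 = a^(phi(n)-1) mod n."""
    if gcd(a, n) != 1:
        raise ValueError("a is not in Z*_n")
    return pow(a, phi - 1, n)


def order(a, n):
    """Smallest d > 0 with a^d = 1 mod n, for a in Z*_n."""
    if gcd(a, n) != 1:
        raise ValueError("a is not in Z*_n")
    x, d = a % n, 1
    while x != 1:
        x, d = x * a % n, d + 1
    return d


def is_cyclic_brute(n):
    """Z*_n is cyclic iff some element has order phi(n) (small n only)."""
    phi = totient_brute(n)
    return any(order(a, n) == phi for a in range(1, n) if gcd(a, n) == 1)


def is_generator(g, p, prime_factors_of_p_minus_1):
    """g generates Z*_p iff g^((p-1)/q) != 1 mod p for every prime q | p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors_of_p_minus_1)


def find_generator(p, prime_factors_of_p_minus_1):
    """Smallest generator of Z*_p, given the factorization of p-1."""
    candidates = (g for g in range(2, p) if is_generator(g, p, prime_factors_of_p_minus_1))
    return next(candidates, None)


if __name__ == "__main__":
    print(totient_from_factorization({3: 2, 5: 1}), totient_brute(45))
    print([order(a, 23) for a in range(1, 23)], find_generator(23, [2, 11]))
    print(is_cyclic_brute(8), is_cyclic_brute(9), is_cyclic_brute(15))
```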
Slide 23: Computing in Z_n
- Easy problems
  - Generating p
  - Addition, multiplication, exponentiation
  - Inversion, solving linear equations
- Hard problems
  - Factoring: given n, find p, q s.t. n = pq
Slide 24: The set-up of RSA
- n = pq
  - n is the product of 2 (large) primes
  - By Euler's theorem, φ(n) = (p – 1)(q – 1)
- Select e and d such that (m^e)^d = m
- How?
  - Pick e relatively prime to φ(n)
    - E.g., a prime greater than φ(n)
  - By Fermat's theorem, compute d = e^{φ(n)-1}
  - ed = 1 mod φ(n)
  - ed = k φ(n) + 1 = k(p-1)(q-1) + 1 = k'(p-1) + 1
- Now:
  - m^{p-1} = 1 mod p
  - m^{k'(p-1)} = 1 mod p
  - m^{k'(p-1)+1} = m mod p
  - m^{ed} = m mod p
Slide 25: RSA [Rivest, Shamir, Adleman '76]
- Security of RSA rests on
  - Hard to factorize n = pq
  - Hard to compute φ(n) from n
- Factoring implies RSA
  - Unknown if RSA implies factoring
Public data: A_1: n_1, e_1; …; A_i: n_i, e_i; … where n_i = p_i q_i and e_i d_i = 1 mod φ(n_i)
A keeps p_A, q_A, d_A; B keeps p_B, q_B, d_B
A wants to send secret m ∈ Z_{n_B} to B
A:
- Send m^{e_B} mod n_B
B:
- Receive m^{e_B} mod n_B
- (m^{e_B})^{d_B} mod n_B
  = m^{e_B d_B} mod n_B
  = m^{k φ(n_B) + 1} mod n_B
  = (m^{φ(n_B)})^k m mod n_B
  = (1)^k m mod n_B
  = m mod n_B
Slide 26: Attacks on RSA
- Small d for fast decryption
  - But easy to crack if d < (n^{1/4})/3 [Wiener]
  - d should be at least 10^80
- Small e for fast encryption
  - If m is sent to more than e recipients, then m is easily extracted
  - Popular e = 2^16 + 1
    - The same message should not be sent more than 2^16 + 1 times
    - Modify the message (still dangerous)
- Timing attacks
  - Time to compute m^d mod n for many m can reveal d
- Homomorphic properties of RSA
  - If c_i = m_i^e mod n (i = 1, 2), then c_1 c_2 = (m_1 m_2)^e mod n
  - Easy chosen plaintext attack
  - Eliminated in standards based on RSA
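An added Python example (not from the slides) tying together the three RSA slides: key set-up with n = pq and φ(n) = (p-1)(q-1), encryption and decryption as on the exchange slide, a check of the set-up slide's argument that m^{ed} = m modulo each prime factor, and the multiplicative property listed under attacks, which is the structural reason standards pad before exponentiating. d is computed as the inverse of e modulo φ(n) with Python's built-in pow(e, -1, φ), i.e. via the extended-Euclid route of the composite-modulus slide. The primes 61 and 53, e = 17 and the function names are constructed toy choices; such sizes are only for illustration.

```python
# Added example: textbook RSA and its multiplicative structure.
from math import gcd


def rsa_keygen(p, q, e=65537):
    """n = pq, phi(n) = (p-1)(q-1), e d = 1 mod phi(n). Returns ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse via extended Euclid (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public, m):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("m must be in Z_n")
    return pow(m, e, n)


def rsa_decrypt(private, c):
    n, d = private
    return pow(c, d, n)


def derivation_holds(m, p, q, e, d):
    """The set-up slide's argument: m^(ed) = m mod p, and likewise mod q, for every m,
    which is what makes decryption undo encryption modulo n = pq."""
    return pow(m, e * d, p) == m % p and pow(m, e * d, q) == m % q


def homomorphic_product(public, c1, c2):
    """Unpadded RSA is multiplicative: E(m1) * E(m2) = E(m1 * m2) mod n.
    Randomized padding in the standards removes exactly this structure."""
    n, _ = public
    return c1 * c2 % n


if __name__ == "__main__":
    public, private = rsa_keygen(61, 53, e=17)        # constructed toy key
    c = rsa_encrypt(public, 65)
    print(public, private, c, rsa_decrypt(private, c))
    print(homomorphic_product(public, rsa_encrypt(public, 2), rsa_encrypt(public, 3)) == rsa_encrypt(public, 6))
```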
Slide 27: RSA Cryptographic Challenges
- Factoring given primes set as challenge by RSA Labs
  - http://www.rsa.com/rsalabs/
  - RSA-ddd: challenge in digits
  - RSA-bbb: challenge in bits
- RSA-140: 1999, in 1 month
- RSA-155: 1999, in 4 months
- RSA-160: 2003, in 20 days
- RSA-200: 2005, in 18 months
- Challenges no longer active
Slide 28: Key length
- Public-key crypto has very long keys
  - 1024, 2048, 4096 are common
- Is it more secure than symmetric crypto?
  - 56, 128, 192, 256
- Key lengths don't compare!

  Public-key length (bits)   Equivalent symmetric strength (bits)
  1024                       80
  2048                       112
  3072                       128
  7680                       192
  15,360                     256