Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Introduction to Information Security 0368-3065, Spring 2015 Lecture 7: Applied cryptography: asymmetric Eran Tromer Slides credit: John Mitchell, Stanford.

Published byKory Wright Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Introduction to Information Security 0368-3065, Spring 2015 Lecture 7: Applied cryptography: asymmetric Eran Tromer Slides credit: John Mitchell, Stanford."— Presentation transcript:

1 1 Introduction to Information Security 0368-3065, Spring 2015 Lecture 7: Applied cryptography: asymmetric Eran Tromer Slides credit: John Mitchell, Stanford

2 2 Public-Key Encryption

3 3 Public-key encryption

4 4 Example: RSA

5 5 Why RSA works

6 6 Textbook RSA is insecure  What if message is from a small set (yes/no)? Can build table (Deterministic)  What if there’s some protocol in which I can learn other message decryptions? (Chosen ciphertext attack)  What if I want to outbid you in secret auction? I take your encrypted bid c and submit c (101/100) e mod n (Malleability)

7 7 RSA Padding: OAEP Preprocess message for RSA  H and G are cryptographic hash functions (e.g., SHA-1) If RSA is trapdoor permutation, then this is chosen-ciphertext secure (if H,G “behave like random oracles”) H + G + Plaintext to encryptwith RSA rand.Message0100..0 Decryption: Apply plain RSA decryption. Check pad, reject if invalid.  {0,1} n-1 [Bellare Rogaway ’94] [Shoup ‘01] [PKCS#1 v2] [RFC 2437]

8 8 Security of (properly-padded) RSA  If factoring is easy, RSA is broken. Converse conjectured but unproven.  Best factoring algorithm: Number Field Sieve (subexponential complexity)  Key size: Record: 768 bits, in 2009, using ∼ 2000 core-years. Popular until recently: 1024-bit. Estimated to be breakable by a large botnet or special-purpose hardware (<1M$ marginal cost). NIST recommendation:  3072 bits (equivalent to 128 bit symmetric).  2048 bits (equiv. to 112 bit symmetric) “acceptable until 2030”.  Quantum computers can factor in polynomial time (Shor’s algorithm). Appears possible in theory, but many believe it will take decades to solve the ngineering/technological challenges. Record: factoring 15 and 21.

9 9 RSA discussion

10 10 Other public-key encryption schemes

11 11 Digital Signatures

12 12 Digital Signatures  Alice publishes key for verifying signatures  Anyone can check a message signed by Alice  Only Alice can send signed messages

13 13 Properties of signatures (for case of deterministic signatures)

14 14 RSA Signature Scheme Hybrid signature: sign hash of message instead of full plaintext

15 15 Other digital signature schemes  DSA (Digital Signature Algorithm) Relies on hardness of discrete logarithms  Schemes based on elliptic curves Popular in modern systems due to faster operations and smaller key size  Signatures based just on hash functions (Lamport), with stateful signing algorithm and limited #messages.  Lattice-based schemes Generalization: succinct noninteractive proofs of knowledge (SNARK) allowing verifying the correctness not just of data, but also of computation. [whiteboard discussion]

16 16 Public-key infrastructure

17 17 Public-Key Infrastructure (PKI)  Anyone can send Bob a secret message Provided they know Bob’s public key  How do we know a key belongs to Bob? If imposter substitutes another key, can read Bob’s mail  One solution: PKI Trusted root authority (VeriSign, IBM, United Nations)  Everyone must know the verification key of root authority  Check your browser; there are hundreds! Root authority can sign certificates Certificates identify others, by linking their ID (e.g., domain name or legal name) to a verification key they own Certifiicates can also delegate trust to other certificate authorities  Leads to certificate chains Most common standard “X.509”

18 18 Public-Key Infrastructure Client (browser)

19 19 CA

20 20 Certificate authorities – practical problems Certification policy – when to sign server’s certificates? Inclusion in database of trusted Cas –Default database in browsers, OSs –Updates Transitive trusts, sub-CAs Practically: –Lax verification (attacks known) –Lax security (attacks known) –National/commercial bodies with diverse interests

Download ppt "1 Introduction to Information Security 0368-3065, Spring 2015 Lecture 7: Applied cryptography: asymmetric Eran Tromer Slides credit: John Mitchell, Stanford."

Similar presentations

Public Key Cryptosystem

Public Key Cryptosystem
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Public Key Algorithms …….. RAIT M. Chatterjee.

Public Key Algorithms …….. RAIT M. Chatterjee.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Cryptography Basic (cont)

Cryptography Basic (cont)
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
The RSA Cryptosystem Dan Boneh Stanford University.

The RSA Cryptosystem Dan Boneh Stanford University.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
CS470, A.SelcukPublic Key Cryptography1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukPublic Key Cryptography1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
CS470, A.SelcukRSA1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukRSA1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Similar presentations

Ads by Google