Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide 1 Vitaly Shmatikov CS 361S Overview of Public-Key Cryptography.

Published byShauna Clark Modified over 9 years ago

Similar presentations

Presentation on theme: "Slide 1 Vitaly Shmatikov CS 361S Overview of Public-Key Cryptography."— Presentation transcript:

1 slide 1 Vitaly Shmatikov CS 361S Overview of Public-Key Cryptography

2 slide 2 Reading Assignment uKaufman 6.1-6

3 slide 3 Public-Key Cryptography ? Given: Everybody knows Bob’s public key - How is this achieved in practice? Only Bob knows the corresponding private key private key Goals: 1. Alice wants to send a message that only Bob can read 2. Bob wants to send a message that only Bob could have written public key Alice Bob

4 slide 4 Applications of Public-Key Crypto uEncryption for confidentiality Anyone can encrypt a message –With symmetric crypto, must know the secret key to encrypt Only someone who knows the private key can decrypt Secret keys are only stored in one place uDigital signatures for authentication Only someone who knows the private key can sign uSession key establishment Exchange messages to create a secret session key Then switch to symmetric cryptography (why?)

5 slide 5 Public-Key Encryption uKey generation: computationally easy to generate a pair (public key PK, private key SK) uEncryption: given plaintext M and public key PK, easy to compute ciphertext C=E PK (M) uDecryption: given ciphertext C=E PK (M) and private key SK, easy to compute plaintext M Infeasible to learn anything about M from C without SK Trapdoor function: Decrypt(SK,Encrypt(PK,M))=M

6 slide 6 Some Number Theory Facts uEuler totient function  (n) where n  1 is the number of integers in the [1,n] interval that are relatively prime to n Two numbers are relatively prime if their greatest common divisor (gcd) is 1 uEuler’s theorem: if a  Z n *, then a  (n)  1 mod n uSpecial case: Fermat’s Little Theorem if p is prime and gcd(a,p)=1, then a p-1  1 mod p

7 slide 7 RSA Cryptosystem uKey generation: Generate large primes p, q –At least 2048 bits each… need primality testing! Compute n=pq –Note that  (n)=(p-1)(q-1) Choose small e, relatively prime to  (n) –Typically, e=3 (may be vulnerable) or e=2 16 +1=65537 (why?) Compute unique d such that ed  1 mod  (n) Public key = (e,n); private key = d uEncryption of m: c = m e mod n uDecryption of c: c d mod n = (m e ) d mod n = m [Rivest, Shamir, Adleman 1977]

8 slide 8 Why RSA Decryption Works ue  d  1 mod  (n) uThus e  d = 1+k  (n) = 1+k(p-1)(q-1) for some k uIf gcd(m,p)=1, then by Fermat’s Little Theorem, m p-1  1 mod p uRaise both sides to the power k(q-1) and multiply by m, obtaining m 1+k(p-1)(q-1)  m mod p uThus m ed  m mod p uBy the same argument, m ed  m mod q uSince p and q are distinct primes and p  q=n, m ed  m mod n

9 slide 9 Why Is RSA Secure? uRSA problem: given c, n=pq, and e such that gcd(e,(p-1)(q-1))=1, find m such that m e =c mod n In other words, recover m from ciphertext c and public key (n,e) by taking e th root of c modulo n There is no known efficient algorithm for doing this uFactoring problem: given positive integer n, find primes p 1, …, p k such that n=p 1 e 1 p 2 e 2 …p k e k uIf factoring is easy, then RSA problem is easy, but may be possible to break RSA without factoring n

10 “Textbook” RSA Is Bad Encryption uDeterministic Attacker can guess plaintext, compute ciphertext, and compare for equality If messages are from a small set (for example, yes/no), can build a table of corresponding ciphertexts uCan tamper with encrypted messages Take an encrypted auction bid c and submit c(101/100) e mod n instead uDoes not provide semantic security (security against chosen-plaintext attacks) slide 10

11 slide 11 Integrity in RSA Encryption u“Textbook” RSA does not provide integrity Given encryptions of m 1 and m 2, attacker can create encryption of m 1  m 2 –(m 1 e )  (m 2 e ) mod n  (m 1  m 2 ) e mod n Attacker can convert m into m k without decrypting –(m e ) k mod n  (m k ) e mod n uIn practice, OAEP is used: instead of encrypting M, encrypt M  G(r) ; r  H(M  G(r)) r is random and fresh, G and H are hash functions Resulting encryption is plaintext-aware: infeasible to compute a valid encryption without knowing plaintext –… if hash functions are “good” and RSA problem is hard

12 slide 12 Digital Signatures: Basic Idea ? Given: Everybody knows Bob’s public key Only Bob knows the corresponding private key private key Goal: Bob sends a “digitally signed” message 1.To compute a signature, must know the private key 2.To verify a signature, only the public key is needed public key AliceBob

13 slide 13 RSA Signatures uPublic key is (n,e), private key is d uTo sign message m: s = hash(m) d mod n Signing and decryption are the same mathematical operation in RSA uTo verify signature s on message m: s e mod n = (hash(m) d ) e mod n = hash(m) Verification and encryption are the same mathematical operation in RSA uMessage must be hashed and padded (why?)

14 slide 14 Digital Signature Algorithm (DSA) uU.S. government standard (1991-94) Modification of the ElGamal signature scheme (1985) uKey generation: Generate large primes p, q such that q divides p-1 –2 159 < q < 2 160, 2 511+64t < p < 2 512+64t where 0  t  8 Select h  Z p * and compute g=h (p-1)/q mod p Select random x such 1  x  q-1, compute y=g x mod p uPublic key: (p, q, g, g x mod p), private key: x uSecurity of DSA requires hardness of discrete log If one can take discrete logarithms, then can extract x (private key) from g x mod p (public key)

15 slide 15 DSA: Signing a Message Message Hash function (SHA-1) Random secret between 0 and q r = (g k mod p) mod q Private key s = k -1  (H(M)+x  r) mod q (r,s) is the signature on M

16 slide 16 DSA: Verifying a Signature Message Signature w = s’ -1 mod q Compute (g H(M’)w  y r’w mod q mod p) mod q Public key If they match, signature is valid

17 slide 17 Why DSA Verification Works uIf (r,s) is a valid signature, then r  (g k mod p ) mod q ; s  k -1  (H(M)+x  r) mod q uThus H(M)  -x  r+k  s mod q uMultiply both sides by w=s -1 mod q uH(M)  w + x  r  w  k mod q uExponentiate g to both sides u(g H(M)  w + x  r  w  g k ) mod p mod q uIn a valid signature, g k mod p mod q = r, g x mod p = y uVerify g H(M)  w  y r  w  r mod p mod q

18 slide 18 Security of DSA uCan’t create a valid signature without private key uCan’t change or tamper with signed message uIf the same message is signed twice, signatures are different Each signature is based in part on random secret k uSecret k must be different for each signature! If k is leaked or if two messages re-use the same k, attacker can recover secret key x and forge any signature from then on

19 slide 19 PS3 Epic Fail uSony uses ECDSA algorithm to sign authorized software for Playstation 3 Basically, DSA based on elliptic curves … with the same random value in every signature uTrivial to extract master signing key and sign any homebrew software – perfect “jailbreak” for PS3 uAnnounced by George “Geohot” Hotz and Fail0verflow team in Dec 2010 Q: Why didn’t Sony just revoke the key?

20 slide 20 Diffie-Hellman Protocol uAlice and Bob never met and share no secrets uPublic info: p and g p is a large prime number, g is a generator of Z p * –Z p *={1, 2 … p-1};  a  Z p *  i such that a=g i mod p AliceBob Pick secret, random XPick secret, random Y g y mod p g x mod p Compute k=(g y ) x =g xy mod p Compute k=(g x ) y =g xy mod p

21 slide 21 Why Is Diffie-Hellman Secure? uDiscrete Logarithm (DL) problem: given g x mod p, it’s hard to extract x There is no known efficient algorithm for doing this This is not enough for Diffie-Hellman to be secure! uComputational Diffie-Hellman (CDH) problem: given g x and g y, it’s hard to compute g xy mod p … unless you know x or y, in which case it’s easy uDecisional Diffie-Hellman (DDH) problem: given g x and g y, it’s hard to tell the difference between g xy mod p and g r mod p where r is random

22 slide 22 Properties of Diffie-Hellman uAssuming DDH problem is hard, Diffie-Hellman protocol is a secure key establishment protocol against passive attackers Eavesdropper can’t tell the difference between the established key and a random value Can use the new key for symmetric cryptography uBasic Diffie-Hellman protocol does not provide authentication IPsec combines Diffie-Hellman with signatures, anti-DoS cookies, etc.

23 slide 23 Advantages of Public-Key Crypto uConfidentiality without shared secrets Very useful in open environments Can use this for key establishment, avoiding the “chicken-or-egg” problem –With symmetric crypto, two parties must share a secret before they can exchange secret messages uAuthentication without shared secrets uEncryption keys are public, but must be sure that Alice’s public key is really her public key This is a hard problem… Often solved using public-key certificates

24 slide 24 Disadvantages of Public-Key Crypto uCalculations are 2-3 orders of magnitude slower Modular exponentiation is an expensive computation Typical usage: use public-key cryptography to establish a shared secret, then switch to symmetric crypto –SSL, IPsec, most other systems based on public crypto uKeys are longer 2048 bits (RSA) rather than 128 bits (AES) uRelies on unproven number-theoretic assumptions Factoring, RSA problem, discrete logarithm problem, decisional Diffie-Hellman problem…

Download ppt "Slide 1 Vitaly Shmatikov CS 361S Overview of Public-Key Cryptography."

Similar presentations

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.
Asymmetric-Key Cryptography

Asymmetric-Key Cryptography
7. Asymmetric encryption-

7. Asymmetric encryption-
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.

Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Public Key Algorithms 4/17/2017 M. Chatterjee.

Public Key Algorithms 4/17/2017 M. Chatterjee.
Slide 1 Vitaly Shmatikov CS 378 Overview of Public-Key Cryptography.

Slide 1 Vitaly Shmatikov CS 378 Overview of Public-Key Cryptography.
1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,
Slide 1 Vitaly Shmatikov CS 380S Semantic Security.

Slide 1 Vitaly Shmatikov CS 380S Semantic Security.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.5 Public Key Algorithms.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.5 Public Key Algorithms.
ASYMMETRIC CIPHERS.

ASYMMETRIC CIPHERS.
Cryptography and Network Security Chapter 13

Cryptography and Network Security Chapter 13
Lecture 6: Public Key Cryptography

Lecture 6: Public Key Cryptography

Similar presentations

Ads by Google