Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 6 Public Key Cryptosystems & Digital Signatures --- New era of secure communications ---

Published byAllison Sullivan Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 6 Public Key Cryptosystems & Digital Signatures --- New era of secure communications ---"— Presentation transcript:

1 Lecture 6 Public Key Cryptosystems & Digital Signatures --- New era of secure communications ---

2 (C) CPE5002 Semester 2 - 20012 Outline n Why public key cryptography ? n general principles of public key cryptography n the RSA public key cryptosystem n examples of RSA

3 (C) CPE5002 Semester 2 - 20013 Private key cipher E Network or Storage Plain Text Cipher Text D Original Plain Text Bob Secret Key Alice Secret Key

4 (C) CPE5002 Semester 2 - 20014 Problems with private key ciphers n In order for Alice & Bob to be able to communicate securely using a private key cipher, such as DES, they have to have a shared key in the first place. çQuestion: What if they have never met before ? n Alice needs to keep 100 different keys if she wishes to communicate with 100 different people

5 (C) CPE5002 Semester 2 - 20015 A question n Consider a group of n people, each wishing to communicate securely with all other members in the group, by using a private key cipher, say DES. çHow many different secret keys does each member of the group have to keep ? çWhat’s the total number of different secret keys that have to be kept by all members of the group ?

6 (C) CPE5002 Semester 2 - 20016 Motivation of Diffie & Hellman n Is it possible for Alice & Bob, who have no shared secret key, to communicate securely ? n This led to the SINGLE MOST IMPORTANT discovery in the history of secure communications: n This led to the SINGLE MOST IMPORTANT discovery in the history of secure communications: W. Diffie & M. Hellman: New Directions in Cryptography, IEEE Transactions on Information Theory, Vol. IT-22, No.6, Nov. 1976, pp.644-654.

7 (C) CPE5002 Semester 2 - 20017 Main ideas n Bob: ç publishes, say in Yellow/White pages, his lpublic (encryption) key, and lencryption algorithm. çkeeps to himself lthe matching secret (decryption) key.

8 (C) CPE5002 Semester 2 - 20018 Main ideas (2) n Alice: çLooks up the phone book, and finds out Bob’s lpublic (encryption) key, and lencryption algorithm. çEncrypts a message using Bob’s public key and encryption algorithm. çsends the ciphertext to Bob.

9 (C) CPE5002 Semester 2 - 20019 Main ideas (3) n Bob: çReceives the ciphertext from Alice çDecrypts the ciphertext using his secret decryption key, together with the decryption algorithm

10 (C) CPE5002 Semester 2 - 200110 Public Key Cryptosystem E Network Plain Text Cipher Text D Plain Text Alice Bob Bob: Public Key Directory (Yellow/White Pages) Secret Key

11 (C) CPE5002 Semester 2 - 200111 Main differences with DES n The public encryption key is different from the secret decryption key. n Infeasible for an attacker to find out the secret decryption key from the public encryption key. n no need for Alice & Bob to distribute a shared secret key beforehand ! n only one pair of public and secret keys is required for each user !

12 (C) CPE5002 Semester 2 - 200112 Realising public key ciphers n The most famous system that implements Diffie & Hellman’s ideas on public key ciphers is due to çRonald Rivest çAdi Shamir çLeonard Adleman n This concrete public key cryptosystem is called RSA.

13 (C) CPE5002 Semester 2 - 200113 Prime & composite n Prime and composite numbers ça prime number is an integer that can divided only by 1 and itself lE.g.2,3,5,7,11,13, 101,103,...... çall other integers are composite lE.g.4,6,8,9,10,12, 523743960876432,800164386535

14 (C) CPE5002 Semester 2 - 200114 Modular operations n “remainder” ç13 = 3 (mod 5),1 = 1 (mod 7) ç20 = 0 (mod 5),32 = 4 (mod 7) n modular exponentiation ç2 2 = 1 (mod 3), 3 2 = 0 (mod 3) ç2 2 = 4 (mod 5), 10 2 = 8 (mod 92) ç4 6 = 6 (mod 10), 3 11 = 7 (mod 10)

15 (C) CPE5002 Semester 2 - 200115 RSA Public Key Cryptosystem c= m e mod n Network Plain TextCipher Text Plain Text Alice Bob Bob: (e, n) Public Key Directory (Yellow/White Pages) public key: e & n secret key: d m= c d mod n

16 (C) CPE5002 Semester 2 - 200116 RSA (1) n Bob: çchooses 2 large primes (each at least 100 digits):p, q multiplies p and q:n = p*q çfinds out two numbers e & d such that e * d = 1 (mod (p-1)(q-1)) çpublic key (published in the phone book) l2 numbers:(e, n) lencryption alg:modular exponentiation çsecret key:d

17 (C) CPE5002 Semester 2 - 200117 RSA (2) n Alice has a message m to be sent to Bob: çfinds out Bob’s public encryption key (e, n) çcalculates c = m e (mod n) çsends the ciphertext c to Bob

18 (C) CPE5002 Semester 2 - 200118 RSA (3) n Bob: çreceives the ciphertext c from Alice çuses his matching secret decryption key d to calculate m = c d (mod n)

19 (C) CPE5002 Semester 2 - 200119 RSA --- 1st small example (1) n Bob: çchooses 2 primes:p=5, q=11 multiplies p and q:n = p*q = 55 çfinds out two numbers e=3 & d=27 which satisfy 3 * 27 = 1 (mod 40) çBob’s public key l2 numbers:(3, 55) lencryption alg:modular exponentiation çsecret key:27

20 (C) CPE5002 Semester 2 - 200120 RSA --- 1st small example (2) n Alice has a message m=13 to be sent to Bob: çfinds out Bob’s public encryption key (3, 55) çcalculates c = m e (mod n) = 13 3 (mod 55) = 2197 (mod 55) = 52 çsends the ciphertext c=52 to Bob

21 (C) CPE5002 Semester 2 - 200121 RSA --- 1st small example (3) n Bob: çreceives the ciphertext c=52 from Alice çuses his matching secret decryption key 27 to calculate m = 52 27 (mod 55) = 13 (Alice’s message)

22 (C) CPE5002 Semester 2 - 200122 RSA --- 2nd small example (1) n Bob: çchooses 2 primes:p=101, q=113 multiplies p and q:n = p*q = 11413 çfinds out two numbers e=3533 & d=6597 which satisfy 3533 * 6597 = 1 (mod 11200) çBob’s public key l2 numbers:(3533, 11413) lencryption alg:modular exponentiation çsecret key:6597

23 (C) CPE5002 Semester 2 - 200123 RSA --- 2nd small example (2) n Alice has a message m=9726 to be sent to Bob: çfinds out Bob’s public encryption key (3533, 11413) çcalculates c = m e (mod n) = 9726 3533 (mod 11413) = 5761 çsends the ciphertext c=5761 to Bob

24 (C) CPE5002 Semester 2 - 200124 RSA --- 2nd small example (3) n Bob: çreceives the ciphertext c=5761 from Alice çuses his matching secret decryption key 6597 to calculate m = c d (mod n) = 5761 6597 (mod 11413) = 9726 (Alice’s message)

25 (C) CPE5002 Semester 2 - 200125 Remarks on RSA n The message m has to be an integer between in the range [1, n]. n To encrypt long messages we can use modes of operation as for private key ciphers, or a hybrid cryptosystem (see later).

26 (C) CPE5002 Semester 2 - 200126 Why RSA is Secure n Attack Scenario: çMarvin wants to read Alice’s private message (m) intended to be read only by Bob. çHowever, Alice used RSA to encrypt m using Bob’s public key (e, n), into the ciphertext c = m e (mod n). çMarvin is a determined attacker and managed to intercept the ciphertext c on its way from Alice’s to Bob’s computer. çMarvin also looked up Bob’s public key (e,n) to help him in his attack.

27 (C) CPE5002 Semester 2 - 200127 Why RSA is Secure n Marvin now has (c,e,n) and wants to find out m. n How can Marvin proceed to find m? çApproach 1: If Marvin could also find out Bob’s secret key d, he could decrypt c into m in the same way as Bob does. lSuppose Bob guards his secret key d very well, what can Marvin do then? çApproach 2: Marvin knows that c = m e (mod n). He knows that m is a number between 0 and n-1. So he could use exhaustive search through all n possible messages m. l But if n is large this takes a long time! l Exercise: If m is known to be one of X possible messages, how long does this attack take? (Assume it takes time T to encrypt m into c)

28 (C) CPE5002 Semester 2 - 200128 Why RSA is Secure n Marvin’s Attack options (cont): çApproach 3: Marvin can try to compute Bob’s secret key d from (e,n) and then use Approach 1. l Remember that e * d = 1 ( mod (p-1)(q-1) ) l Marvin found in a ‘Number Theory’ book a very fast algorithm called EUCLID to solve the following problem: Given two numbers (r,s), the algorithm outputs a number x such that r * x = 1 (mod s). l Exercise: Explain how Marvin can use algorithm EUCLID to find Bob’s secret key d very quickly from (e,n) once he manages to ‘factorize’ n = p*q into the prime factors p and q.

29 (C) CPE5002 Semester 2 - 200129 Why RSA is Secure n Approach 3 is the most efficient known method Marvin can use to attack RSA! n The time taken for Marvin to execute the attack in Approach 3 is essentially the time to factorize n=p*q into the prime factors p and q. n Therefore, we say that RSA is based on the factorization problem: While it is easy to multiply large primes together, ! n Therefore, we say that RSA is based on the factorization problem: While it is easy to multiply large primes together, it is computationally infeasible to factorize or split a large composite into its prime factors !

30 (C) CPE5002 Semester 2 - 200130 Why RSA is Secure n The current state of the art in factorization: çLargest RSA number factored so far: 155 decimal digits, as at August 1999 l It took several months of computing time on many computers around the world l Exercise: How long was the binary representation of the above number (bit length)? (hint: log 2 (10) = 3.32 approximately) çThe length of n in an RSA key should therefore be sufficiently longer than 155 decimal digits to be secure against attackers with access to many fast computers.

31 (C) CPE5002 Semester 2 - 200131 Why RSA is Secure  How many digits should n have to be secure?  Approximate Factoring Time: For the fastest known factoring algorithm (‘Number Field Sieve’):  If it takes time to factorize number of length |n| digits (or bits),  Then it takes time to factorize a number of length k * |n| digits (bits), where (with |n| in bits):  Assuming it takes T = 1 day to factorize |n| of length 155 decimal digits, it would take:  M(2)*T = 2 22 days = 20,000 years to factor n of length |n| = 2*155 = 310 digits  M(3)*T = 2 39 days = 2 billion (!!) years to factor n of length |n| = 3*155 = 465 digits…

32 (C) CPE5002 Semester 2 - 200132 Why RSA is Secure n Therefore, when both p and q in RSA are of at least 155 digits, the product n=p*q is 310 digits. n Then no one can factorize n in less time than a few thousand years, not even Marvin!! n Thus the only person who can extract the plaintext m from the ciphertext c is Bob, as only he knows the secret decryption key d !

33 (C) CPE5002 Semester 2 - 200133 Marvin’s New Attack Idea n Instead of just eavesdropping, Marvin can try a more active attack! n Outline of the New Attack: çMarvin generates an RSA key pair lPublic key = Kpub_* = (N_*, e_*) lSecret key = Ksec_* = d_* çMarvin sends the following email to Alice, pretending to be Bob: lHi Alice, ¥Please use my new public key from now on to encrypt messages to me. My new public key is Kpub_*. ¥Yours sincerely, Bob. çMarvin decrypts any messages Alice sends to Bob (encrypted with Kpub_*), using Ksec_*.

34 (C) CPE5002 Semester 2 - 200134 Preventing Marvin’s Active Attack n The active attack works because: çAlice was tricked by Marvin into encrypting a message intended for Bob using a “fake” public key which is NOT Bob’s public key (in fact it was Marvin’s). n To prevent the attack: çBefore Alice encrypts a message for Bob, she must make sure she has Bob’s CORRECT public key (and not a fake one). çAlice needs a way of testing the truth of any “Bob’s key message” informing Alice of Bob’s Public Key. çNo one besides Bob should be able to produce such a message so that it will pass Alice’s Test.

35 (C) CPE5002 Semester 2 - 200135 Preventing Marvin’s Active Attack (2) n This is a setting where Alice and Bob have a message integrity security requirement! çIe. Alice and Bob want to prevent fabrication and/or modification of a “Bob’s key message” (a message informing Alice of Bob’s public key) by unautorised parties (like Marvin). n The main cryptographic tool used to achieve message integrity is “Digital Signatures”. n In a later lecture (after we have covered “Digital Signatures”), we will come back to this topic and see how Digital Signatures can be used to prevent Marvin’s Attack!

36 (C) CPE5002 Semester 2 - 200136 Private key ciphers n Good points çin-expensive to use çfast çlow cost VLSI chips available n bad points çkey distribution is a problem

37 (C) CPE5002 Semester 2 - 200137 Public key ciphers n good points çkey distribution is NOT a problem n bad points çrelatively expensive to use çrelatively slow çVLSI chips not available or relatively high cost

38 (C) CPE5002 Semester 2 - 200138 Combining 2 type of ciphers n In practice, we çuse a public key cipher (such as RSA) to distribute keys çuse a private key cipher (such as DES) to encrypt and decrypt messages

39 (C) CPE5002 Semester 2 - 200139 The need of digital signature n social & business activities and their associated documents are becoming digital çdigital conferences çdigital contract signing çdigital cash payments,...... n hand-written signatures are not applicable to digital data

40 (C) CPE5002 Semester 2 - 200140 Digital Signature (based on RSA) Public Key Directory (Yellow/White Pages) Bob: D Network Plain Text Bob Secret Key + Cathy Signature Accept if equal E Signature ? Public Key

41 (C) CPE5002 Semester 2 - 200141 Digital Signature (for short doc) Public Key Directory (Yellow/White Pages) Bob: (e, n) Network Plain Text Bob Secret Key d + Cathy Signature Accept if equal Signature ? Public Key (e, n) s = m d mod n t =s e mod n

42 (C) CPE5002 Semester 2 - 200142 RSA signature --- an eg (1) n Bob: çchooses 2 primes:p=5, q=11 multiplies p and q:n = p*q = 55 çfinds out two numbers e=3 & d=27 which satisfy 3 * 27 = 1 (mod 40) çBob’s public key l2 numbers:(3, 55) lencryption alg:modular exponentiation çsecret key:27

43 (C) CPE5002 Semester 2 - 200143 RSA signature --- an eg (2) n Bob has a document m=19 to sign: çuses his secret key d=27 to calculate the digital signature of m=19: s = m d (mod n) = 19 27 (mod 55) = 24 çappends 24 to 19. Now (m, s) = (19, 24) indicates that the doc is 19, and Bob’s signature on the doc is 24.

44 (C) CPE5002 Semester 2 - 200144 RSA signature --- an eg. (3) n Cathy, a verifier: çreceives a pair (m,s)=(19, 24) çlooks up the phone book and finds out Bob’s public key (e, n)=(3, 55) çcalculatest = s e (mod n) = 24 3 (mod 55) = 19 çchecks whether t=m çconfirms that (19,24) is a genuinely signed document of Bob if t=m.

45 (C) CPE5002 Semester 2 - 200145 How about long documents ? n In the previous example, a document has to be an integer in [0,...,n] n to sign a very long document, we need a so called one-way hash algorithm n instead of signing directly on a doc, we hash the doc first, and sign the hashed data which is normally short.

46 (C) CPE5002 Semester 2 - 200146 One-Way Hash Algorithm n A one-way hash algorithm hashes an input document into a condensed short output (say of 100 bits) çDenoting a one-way hash algorithm by H(.), we have: lInput: m - a binary string of any length lOutput: H(m) - a binary string of L bits, called the “hash of m under H”. lThe output length parameter L is fixed for a given one- way hash function H, leg ¥The one-way hash function “MD5” has L = 128 bits ¥The one-way hash function “SHA-1” hash L = 160 bits

47 (C) CPE5002 Semester 2 - 200147 One-Way Hash Algorithm A document (of any length) A condensed short output, say of 100 bits

48 (C) CPE5002 Semester 2 - 200148 Properties of One-Way Hash Algorithm n A good one-way hash algorithm H needs to have these properties : ç1. Easy to Evaluate: lThe hashing algorithm should be fast lI.e. given any document m, the hashed value h = H(m) can be computed quickly. ç2. Hard to Reverse: lThere is no feasible algorithm to “reverse” a hashed value, lI.e. given any hashed value h, it is computationally infeasible to find any document m such that F(h) = m. çNOTE: An algorithm is called ‘One-Way’ if it has BOTH properties 1 and 2. ç3. Hard to find Collisions: lThere is no feasible algorithm to find two or more input documents which are hashed into the same condensed output, lI.e it is computationally infeasible to find any two documents m 1, m 2 such that H(m 1 )= H(m 2 ).

49 (C) CPE5002 Semester 2 - 200149 The One-way Property Hash value h (length= L bits) H Document m (any length) This direction is easy to compute! Hash value h (length= L bits) H Document m (any length) But this direction is infeasible to compute!

50 (C) CPE5002 Semester 2 - 200150 Finding collision is infeasible (same condensed output) I, Bob, will pay $1,000 to Alice. I, Bob, will pay $10,000 to Alice. HH Document m 1 Document m 2

51 (C) CPE5002 Semester 2 - 200151 Good one-way hashing algorithms n MD5 (R. Rivest, 1992) n SHS (secure hashing standard, USA, 1992, modified in 1995) n HAVAL (Y. Zheng, 1992)

52 (C) CPE5002 Semester 2 - 200152 Digital Signature (for long doc) Public Key Directory (Yellow/White Pages) Bob: D Network Plain Text E H 100 bits Bob Secret Key + H 100 bits Cathy Signature Accept if equal 1-way hash 100 bits Signature ? Public Key

53 (C) CPE5002 Semester 2 - 200153 Why Digital Signature ? n Unforgeable çtakes 1 billion years to forge ! n Un-deniable by the signatory n Universally verifiable n Differs from doc to doc n Easily implementable by çsoftware or çhardware or çsoftware + hardware

54 (C) CPE5002 Semester 2 - 200154 Unforgeable digital signature I, Bob, will pay $1,000 to Alice. a valid signature 101001010 I, Bob, will pay $10,000 to Alice. 001001101 also a valid signature

55 (C) CPE5002 Semester 2 - 200155 Important digital signatures n RSA çstrongly supported by industries ça de facto industrial standard n Schnorr digital signature çderived from ElGamal digital signature çbased on infeasibility of discrete logarithm n DSS (digital signature standard, USA) çderived from ElGamal digital signature çbased on infeasibility of discrete logarithm çstrongly pushed forward by US government n Signature schemes using elliptic curves

56 (C) CPE5002 Semester 2 - 200156 Digital signature -- summary n three (3) steps are involved in digital signature çSetting up public and secret keys çSigning a document çVerifying a signature

57 (C) CPE5002 Semester 2 - 200157 Setting up public&secret keys n Bob does the following çprepares a pair of public and secret keys çpublishes his public key in the public key file (such as an on-line phone book) çkeeps the secret key to himself n Note: çSetting up needs only to be done once !

58 (C) CPE5002 Semester 2 - 200158 Signing a document n Once setting up is completed, Bob can sign a document (such as a contract, a cheque, a certificate,...) using the secret key n The pair of document & signature is a proof that Bob has signed the document.

59 (C) CPE5002 Semester 2 - 200159 Verifying a signature n Any party, say Cathy, can verify the pair of document and signature, by using Bob’s public key in the public key file. n Important ! çCathy does NOT have to have public or secret key !

Download ppt "Lecture 6 Public Key Cryptosystems & Digital Signatures --- New era of secure communications ---"

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.

BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.
1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Digital Signature Key distribution.

1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Digital Signature Key distribution.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.

Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Introduction to cryptography for authentication and identification systems --- FIT3105 --- Lecture 2 & 3.

Introduction to cryptography for authentication and identification systems --- FIT Lecture 2 & 3.
Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Introduction to Signcryption November 22, 2004. 22/11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.

Introduction to Signcryption November 22, /11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptosystems, Hash Functions and Digital Signatures --- Lecture 4 ---

Cryptosystems, Hash Functions and Digital Signatures --- Lecture 4 ---
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Similar presentations

Ads by Google