Published by Kristopher Jenkins. Modified over 9 years ago.
1
CS461/ECE422 Spring 2012
Nikita Borisov — UIUC
2
Text Chapters 2 and 21
Handbook of Applied Cryptography, Chapter 8
  http://www.cacr.math.uwaterloo.ca/hac/
3
Every pair of people must share a secret key
  E.g.: Alice, Bob, Carol, David: K_AB, K_AC, K_AD, K_BC, K_BD, K_CD
How do you keep track of them all?
  O(N^2) keys for N people
How do you exchange them?
  Must use a secure, out-of-band channel
4
Cryptographers to the rescue!
Two keys:
  Private key known only to owner
  Public key available to anyone
One key pair per person
  ▪ O(N) keys
Merkle, Hellman, Diffie
5
Public key encryption
  Use public key to encrypt, private key to decrypt
  RSA, ElGamal, ECIES
Public key signatures (similar to MAC)
  Use private key to sign, public key to verify
  RSA, DSA, ECDSA
Symmetric key distribution
  Agree on a secret symmetric key over a public channel
  Diffie-Hellman, ECDH, MQV, ECMQV
7
Public Key Systems are much slower than Symmetric Key Systems
  RSA 100 to 1000 times slower than DES. 10,000 times slower than AES?
  Generally used in conjunction with a symmetric system for bulk encryption
Public Key Systems are based on “hard” problems
  Factoring large composites of primes, discrete logarithms, elliptic curves
Only a handful of public key systems perform both encryption and signatures
8
The first public key algorithm
A key exchange algorithm, not for encryption or decryption
Set up: p prime, g is coprime with p
Alice -> Bob: g^x (mod p), x random
Bob -> Alice: g^y (mod p), y random
Alice and Bob compute: (g^x)^y = (g^y)^x
Establish a secret key over a public channel
9
p = 23, g = 5
Alice picks x = 6, sends Bob 5^6 mod 23 = 8
Bob picks y = 15, sends Alice 5^15 mod 23 = 19
Alice computes: 19^6 mod 23 = 2
Bob computes: 8^15 mod 23 = 2
10
Charlie has g^x, g^y, needs to find g^(xy)
  Called “Diffie-Hellman Problem”
Fastest way: find x given g^x
  I.e. take log_g g^x (mod p)
  Discrete Logarithm Problem
  Fastest known way is super-polynomial
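Added example (not part of the original slides): the exchange from slides 8-10 with both sides' messages, followed by Charlie's exhaustive search for x, which is feasible only because p = 23 is a toy modulus. The function names and the range check on the peer's value are assumptions of this example.

```python
import secrets

def dh_keypair(p, g, x=None):
    """Return (private exponent x, public value g^x mod p)."""
    if x is None:
        x = secrets.randbelow(p - 3) + 2      # random x in [2, p-2]
    return x, pow(g, x, p)

def dh_shared(p, peer_public, own_private):
    """Compute (g^y)^x mod p after a sanity check on the peer's value."""
    # Assumption beyond the slides: reject 0, 1 and p-1, which would
    # force a predictable shared secret.
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_public, own_private, p)

def discrete_log_bruteforce(p, g, target):
    """Charlie's view: find x with g^x = target (mod p) by trying every x.
    Returns (x, multiplications used); the cost grows linearly with p."""
    value = 1
    for x in range(p - 1):
        if value == target:
            return x, x
        value = (value * g) % p
    raise ValueError("no exponent found")

def slide_example():
    p, g = 23, 5                              # toy parameters from slide 9
    x, a_pub = dh_keypair(p, g, x=6)          # Alice -> Bob
    y, b_pub = dh_keypair(p, g, x=15)         # Bob -> Alice
    k_alice = dh_shared(p, b_pub, x)
    k_bob = dh_shared(p, a_pub, y)
    recovered_x, steps = discrete_log_bruteforce(p, g, a_pub)
    return a_pub, b_pub, k_alice, k_bob, recovered_x, steps

if __name__ == "__main__":
    print(slide_example())
```

With a modulus of the sizes in the published IKE groups, the same loop would need on the order of p multiplications, which is why the search stops being an option.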
11
For IPSec and SSL, there is a small set of g's and p's published that all standard implementations support.
  Group 1 and 2
    ▪ http://tools.ietf.org/html/rfc2409
  Group 5 and newer proposed values
    ▪ http://tools.ietf.org/html/draft-ietf-ipsec-ike-modp-groups-00
12
[Figure: Alice, Bob, Eve]
13
by Rivest, Shamir & Adleman of MIT in 1977
best known & widely used public-key scheme
based on exponentiation in a finite (Galois) field over integers modulo a prime
  nb. exponentiation takes O((log n)^3) operations (easy)
uses large integers (eg. 1024 bits)
security due to cost of factoring large numbers
  nb. factorization takes O(e^(log n log log n)) operations (hard)
14
a mod b = x if for some k >= 0, bk + x = a
Associativity, Commutativity, and Distributivity hold in Modular Arithmetic
Inverses also exist in modular arithmetic
  a + (-a) mod n = 0
  a * a^-1 mod n = 1
15
Reducibility also holds
  (a + b) mod n = (a mod n + b mod n) mod n
  a * b mod n = ((a mod n) * (b mod n)) mod n
Fermat's Thm: if p is any prime integer and a is an integer, then a^p mod p = a
  Corollary: a^(p-1) mod p = 1 if a != 0 and a is relatively prime to p
16
Totient function φ(n)
  Number of positive integers less than n and relatively prime to n
    ▪ Relatively prime means with no factors in common with n
Example: φ(10) = ?
  4 because 1, 3, 7, 9 are relatively prime to 10
Example: φ(p) = ? where p is a prime
  p-1 because all lower numbers are relatively prime
φ(pq) = (p-1)(q-1) when p, q are both prime
17
Euler generalized Fermat's Theorem for composite numbers.
  Fermat's Thm: a^(p-1) = 1 mod p if a != 0
  Euler's Thm: x^φ(n) = 1 mod n
  Works for any n
18
Choose two large prime numbers p, q
  Let n = pq; then φ(n) = (p–1)(q–1)
  Choose e < n such that e is relatively prime to φ(n).
  Compute d such that ed mod φ(n) = 1
Public key: (e, n); private key: d
Encipher: C = M^e mod n
Decipher: M = C^d mod n
Generically: F(V, x) = V^x mod n
19
C = RSA(M, e) = M^e mod n
M' = RSA^-1(C, d)
M' = (M^e mod n)^d mod n
M' = M^(ed) mod n
ed mod φ(n) = 1
ed = k*φ(n) + 1
M' = (M mod n * M^(kφ(n)) mod n) mod n
By Euler's theorem (M^k)^φ(n) mod n = 1
M' = M mod n
20
p = 11, q = 17
n = 187, φ(n) = 10*16 = 160
Let e = 3, then d = 107 (107 * 3 = 321) (can find this using Euclidean algorithm)
M = 29
C = 29^3 = 24389 = 79 (mod 187)
M' = 79^107 =
  111198458817782001560345203757362612455385730171461711652460
  77616187866650307803733211448189784066639705404666734267722
  80421264880580199063176758111537928108652374827051740798868
  93643689363009468423234159
  = 29 (mod 187)
21
Don't need to compute huge numbers
  29^3 (mod 187) = (29^2 mod 187) * 29 mod 187 = (841 mod 187) * 29 mod 187 = 93*29 mod 187 = 2697 mod 187 = 79
Even better: square/multiply
  M^11 = ((M^2)^2 * M)^2 * M
This is reasonably fast
  Only 1000 or so times slower than DES
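Added example (not part of the original slides): key generation from slide 18 with d found by the extended Euclidean algorithm, and the square/multiply exponentiation from slide 21, run on the numbers of slide 20. Function names are this example's own.

```python
def egcd(a, b):
    """Extended Euclid: return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0

def rsa_keygen(p, q, e):
    """n = pq, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, s, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e is not relatively prime to phi(n)")
    return (e, n), s % phi

def modexp(base, exp, n):
    """Left-to-right square-and-multiply.
    Returns (base^exp mod n, number of modular multiplications)."""
    result, mults = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % n      # square for every exponent bit
        mults += 1
        if bit == "1":
            result = result * base % n    # multiply when the bit is set
            mults += 1
    return result, mults

def slide_20_example():
    (e, n), d = rsa_keygen(11, 17, 3)
    c, _ = modexp(29, e, n)               # encipher M = 29
    m, mults = modexp(c, d, n)            # decipher with d
    return n, d, c, m, mults

if __name__ == "__main__":
    print(slide_20_example())
```

Deciphering takes 12 modular multiplications on values below 187, instead of building the 204-digit intermediate 79^107.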
22
Charlie knows e, n, and receives M^e (mod n)
How to find M?
Best known way is to factor n
  ▪ Find p and q, find φ(n), find d
  ▪ No proof that there isn't a faster way
Factoring n is believed to be hard
  ▪ Best algorithm is GNFS
  ▪ Complexity is sub-exponential but superpolynomial
  ▪ Largest factored number had 768 bits
  ▪ (About 2000 CPU-years on a 2.2 GHz Opteron)
  ▪ Current recommendations are to use 1500-2000 bits
23
Note: RSA as described is insecure! Why?
Deterministic encryption: M^e = M'^e if and only if M = M'
  Even worse than in the symmetric case because Charlie can try many possibilities for M
Semantic security
  Adversary picks m_1 and m_2 and is provided with Encrypt(m_i), must guess i
  Requires randomized encryption
24
Introduce randomness to message
  P = r || M, where r is random
  Encryption: P^e
  Decryption: (P^e)^d, discard random prefix
(Actually, still not quite secure, see RSA-OAEP for proper usage)
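Added example (not part of the original slides): the semantic-security game from slide 23 played against deterministic RSA and against the random-prefix variant of slide 24. The toy key, the 56-bit message and 32-bit prefix sizes, and all function names are constructed for this example.

```python
import secrets

# Constructed toy key (not from the slides): two Mersenne primes, e = 65537.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (Python 3.8+)
MSG_BITS, PREFIX_BITS = 56, 32          # r || M stays below N (about 2^92)

def encrypt_textbook(m):
    return pow(m, E, N)                 # deterministic: same M, same C

def encrypt_prefixed(m):
    """P = r || M with a fresh non-zero random r, then P^e mod n."""
    r = secrets.randbelow(2**PREFIX_BITS - 1) + 1
    return pow((r << MSG_BITS) | m, E, N)

def decrypt_prefixed(c):
    """(P^e)^d mod n, then discard the random prefix."""
    return pow(c, D, N) & ((1 << MSG_BITS) - 1)

def adversary_guess(ciphertext, m1, m2):
    """Re-encrypt both candidates with the public key and compare."""
    if encrypt_textbook(m1) == ciphertext:
        return 1
    if encrypt_textbook(m2) == ciphertext:
        return 2
    return None     # no match: the ciphertext does not identify the message

def play_game(encrypt, rounds=20):
    """Count the rounds in which re-encryption identifies i with certainty."""
    m1 = int.from_bytes(b"BUY", "big")
    m2 = int.from_bytes(b"SELL", "big")
    identified = 0
    for _ in range(rounds):
        i = secrets.choice((1, 2))
        c = encrypt(m1 if i == 1 else m2)
        identified += adversary_guess(c, m1, m2) == i
    return identified

if __name__ == "__main__":
    print(play_game(encrypt_textbook), play_game(encrypt_prefixed))
```

The prefix defeats only this comparison test; as the slide says, the construction is still not secure and RSA-OAEP is the proper padding.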
25
How do we encrypt messages longer than 1024 bits?
Break into blocks, use RSA on each block (slow, potentially insecure)
Use a hybrid between RSA and AES
  Pick random key K
  Send: RSAEncrypt(K), AES-CBC-Encrypt(K, M)
  Must ensure K is random!
26
RSA is symmetric
  RSADec(RSAEnc(M)) = RSAEnc(RSADec(M)) = M^(ed) (mod n) = M
To “sign” a message, Alice computes S = M^d (mod n)
Bob verifies that S^e = M^(ed) = M (mod n)
No one other than Alice could have generated S
  Not even Bob
Bob can show S to third parties (non-repudiation)
27
How do we sign messages longer than 1024 bits?
Use a hash function
28
Alice sends RSASign(h(M))
Bob computes h(M), verifies signature
Security: Bob cannot generate a signature because:
  ▪ He can't produce a signature on a chosen message
  ▪ He can't solve h(M) = S'^e for M because h is one way
Alice is nevertheless committed to her signature
  ▪ Cannot find M1, M2 such that h(M1) = h(M2)
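Added example (not part of the original slides): hash-then-sign from slides 26-28, showing why Bob's step "solve h(M) = S'^e for M" matters. Without the hash, any chosen S' yields a pair that verifies; with it, he would need a preimage of h. The toy key, the reduction of SHA-256 mod n, the fixed S' value and all names are assumptions of this example.

```python
import hashlib

# Constructed toy key (not from the slides): two Mersenne primes, e = 65537.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)

def h(message: bytes) -> int:
    """Toy h(M): SHA-256 reduced mod n. Real schemes pad the digest instead."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def rsa_sign(message: bytes) -> int:
    return pow(h(message), D, N)                  # S = h(M)^d mod n

def rsa_verify(message: bytes, signature: int) -> bool:
    return pow(signature, E, N) == h(message)     # S^e == h(M) (mod n)?

def raw_verify(m: int, signature: int) -> bool:
    """Slide 26 check without a hash: accept if S^e == M (mod n)."""
    return pow(signature, E, N) == m % N

def pair_from_chosen_signature(s_prime: int = 123456789):
    """Choose S' first and derive M = S'^e mod n; no private key involved.
    The default S' is a constructed sample value."""
    return pow(s_prime, E, N), s_prime

def demo():
    sig = rsa_sign(b"pay Bob $10")
    m, s_prime = pair_from_chosen_signature()
    return {
        "genuine": rsa_verify(b"pay Bob $10", sig),
        "altered": rsa_verify(b"pay Bob $1000", sig),
        "raw_accepts_derived_pair": raw_verify(m, s_prime),
        "hashed_accepts_derived_pair":
            rsa_verify(m.to_bytes(12, "big"), s_prime),
    }

if __name__ == "__main__":
    print(demo())
```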
29
Public Key systems enable multiple operations
  Confidentiality (key encryption)
  Integrity and nonrepudiation
  Symmetric key exchange
Slower than symmetric crypto, but still practical
  Especially in hybrid modes
Must be careful how they are used
  Padding, hash functions