CS4288 Cryptographic Algorithms and Protocols




      Cryptographic Algorithms and
               Protocols

       Text Book: William Stallings
       Lecture Notes: Adapted from those of Lawrie Brown
       Lecturer:
                   Professor Frances Yao & Professor Xiaotie Deng
                   Department of Computer Science
                   City University of Hong Kong



2012/8/7                                                                               1

Chapter 9 – Public Key Cryptography
and RSA

Every Egyptian received two names, which were known
  respectively as the true name and the good name, or
  the great name and the little name; and while the
  good or little name was made public, the true or
  great name appears to have been carefully concealed.
—The Golden Bough, Sir James George Frazer



                  Adopted from Lecture slides by Lawrie Brown
2012/8/7             Lecturer: Frances Yao & Xiaotie Deng                              2



     Outline
    Introduction of public-key cryptosystem
    RSA trapdoor one-way function
    RSA digital signature








1. Public-key cryptosystem







     Introduction
    First proposed in public by Diffie and Hellman at
    Stanford University in 1976.
          known earlier in classified community
               http://www.research.att.com/~smb/nsam-160/
    Enable secure message exchange
          between sender and receiver
               without ever having to meet in advance to agree on a common
                secret-key.







     Private-Key Cryptography
Traditional private/secret/single key
cryptography uses one key
    shared by both sender and receiver
If this key is disclosed, communications are
compromised
The key is also symmetric, so the parties are equal:
    it does not protect the sender from the
          receiver forging a message & claiming it was sent by the sender




     Public-Key Cryptography
Probably most significant advance in the
3000 year history of cryptography
It uses two keys – a public & a private key
It is asymmetric: parties are not equal
It uses clever applications of number theoretic
concepts to function
It complements rather than replaces private
key cryptography
     Public-Key Cryptography (figure not reproduced)



       Public-Key Cryptography
 Public-key/two-key/asymmetric cryptography
 involves, for each agent u, the use of its
 associated pair of keys <Pu, Su>:
       the public key Pu, which is published under the user's
        name in a "public directory" accessible for everyone to
        read,
               can be used to encrypt messages and verify signatures
       the private key Su, which is known only to the agent u,
               used to decrypt messages and sign (create) signatures
 It is asymmetric because
       those who encrypt messages or verify signatures need
        not be able to decrypt messages or create signatures




Encryption:
    To send a secret message M to u,
    anyone looks up Pu, computes C = E(Pu, M), where E is a
    public encryption algorithm, and
    sends the resulting ciphertext C to u.
Decryption:
    Upon receiving ciphertext C, u uses his private key Su and
    computes D(Su, C), where D is the corresponding
    decryption algorithm.
Clearly, for this to work we need that D(Su, E(Pu, M)) = M for every M.



     Why Public-Key Cryptography?
   Initially to address two key issues:
     key distribution – how to have secure
      communications in general without having to
      trust a KDC with your key
     digital signatures – how to verify a message
      comes intact from the claimed sender
   Ripple Effect: Make E-commerce possible.





     Computational Characteristics
  Public-Key algorithms rely on two keys with
  the characteristics:
    computationally infeasible to find decryption
     key knowing only algorithm & encryption key
    computationally easy to en/decrypt messages
     when the relevant (en/decrypt) key is known
    either of the two related keys can be used for
     encryption, with the other used for decryption
     (in some schemes).



     Use of Public-Key Cryptosystems (figure not reproduced)



     Public-Key Applications
    3 major categories:
      encryption/decryption (provide secrecy)
      digital signatures (provide authentication)

      key exchange (of session keys)

    Some algorithms are suitable for all uses,
    others are specific to one





     Security of Public Key Schemes
Security relies on a large enough difference in difficulty
between easy (en/decrypt) and hard (cryptanalyse)
problems
Similar to private key schemes, a brute force exhaustive
search attack is always theoretically possible
   but the keys are far too large to break that way (512 bits
   was already the low end when these slides were written; 2048
   bits and up is the current minimum)
It requires the use of very large numbers
   slow when compared to private key schemes






2. RSA trapdoor one-way function








     One-Way Function and the Factorization assumption


The most basic primitive for cryptosystem is a
one-way function (OWF).
  Informally, this is a function which is EASY to
   compute but HARD to invert.
  For example, the following Factorization assumption
   gives a well-known candidate OWF: (p, q) -> N = pq.
        Randomly select two (large, similar-size) prime numbers p and q. Set N = pq.
        Given only N, it is HARD to compute p or q
               by the Factorization assumption



     Trapdoor one-way function

    A trapdoor function f is a one-way function with
    an extra property.
          There also exists a secret inverse information (the
           trapdoor) that allows its possessor to EFFICIENTLY
           invert f at any point in the domain of his choosing.
    It should be easy to compute f on any point,
    but infeasible to invert f on any point without
    knowledge of the trapdoor.
    Inverting f is easy with knowledge of the trapdoor.




     Use Trapdoor Function for PKC

    Given a pair (f, t_f) where f is a trapdoor
    function and t_f is its associated trapdoor
    information,
    Diffie and Hellman suggested in 1976 using
    the supposed existence of trapdoor
    functions to implement a Public-Key
    Cryptosystem as follows.





(1). For every message $m \in M$, $E(f, m) = f(m)$.
(2). Given $c = E(f, m) = f(m)$ and $t_f$,
            $D(t_f, c) = f^{-1}(c) = f^{-1}(f(m)) = m$.







     RSA
    In 1977 Rivest, Shamir and Adleman proposed the first
    candidate trapdoor function,
          now called RSA. The story of modern cryptography
           followed.
          The best known & most widely used public-key scheme
    It is based on exponentiation over the integers modulo a
    composite number N (the ring $\mathbb{Z}_N$; not a field, since N = pq)
          exponentiation takes $O((\log N)^3)$ bit operations (easy)
    It uses large integers (e.g. 1024 bits on these slides; 2048 bits or more today)
    The security relies on the difficulty of factoring large
    numbers
          the best general-purpose factoring algorithms known are
          sub-exponential, roughly $O(e^{\sqrt{\ln N \ln\ln N}})$ operations (hard)




 Use of trapdoor one-way function in PKC

 Each user u in the network has a pair of keys <Pu, Su>
 associated with them:
     the public key Pu, which is published under the
    user's name in a "public directory" accessible for
    everyone to read, and
     the private key Su, which is the trapdoor
    information, known only to u.





     RSA Key Setup
    Each user generates a public/private key pair by:
          selecting two large primes at random: p, q
          computing their system modulus N = p·q
               note $\phi(N) = (p-1)(q-1)$
          selecting at random the encryption exponent e
                     where $1 < e < \phi(N)$ and $\gcd(e, \phi(N)) = 1$
          solving the following equation to find the decryption exponent d
               $e \cdot d \equiv 1 \pmod{\phi(N)}$ with $1 < d < \phi(N)$
               fast to do using the extended Euclidean algorithm
          publishing their public encryption key: Pu = {e, N}
          keeping secret the private decryption key: Su = {d, p, q}




     RSA Encryption/Decryption
    Encrypt a message M by the sender:
      obtains public key of recipient Pu = {e, N}
      computes: $C = M^e \bmod N$, where $0 \le M < N$

    Decrypt the ciphertext C by the owner u:
      use its private key Su = {d, p, q}
      compute: $M = C^d \bmod N$

    note that the message M must be smaller
    than the modulus N (split into blocks if needed; in practice
    RSA is applied to a padded short value such as a session key,
    not to the bulk message itself)




 Number Theory Background for RSA







     Definition of The Euler Totient Function

    Euler's Totient Function $\phi$ is defined by

     $\phi(n) = |\{x : 1 \le x \le n \text{ and } \gcd(x, n) = 1\}|$
    $\phi(2) = |\{1\}| = 1$
    $\phi(3) = |\{1, 2\}| = 2$
    $\phi(4) = |\{1, 3\}| = 2$
    $\phi(5) = |\{1, 2, 3, 4\}| = 4$
    $\phi(6) = |\{1, 5\}| = 2$



     Calculation of Euler Totient Function

  The following are facts about the Euler Totient
  Function:
(1) For p a prime and $\alpha \ge 1$, $\phi(p^\alpha) = p^{\alpha-1}(p-1)$
(2) For integers m, n with $\gcd(m, n) = 1$,
     $\phi(mn) = \phi(m)\,\phi(n)$

Corollary: $\phi(pq) = (p-1)(q-1)$ for distinct primes p, q



     The Group $\mathbb{Z}_n^*$
    $\mathbb{Z}_n^* = \{k : \gcd(k, n) = 1,\ 1 \le k < n\}$
    For any positive integer n, $\mathbb{Z}_n^*$ forms a
    group under multiplication modulo n.
      Closure: if $\gcd(a, n) = \gcd(b, n) = 1$ then $\gcd(ab, n) = 1$,
      since any prime dividing both ab and n would divide a or b.
      Inverses: the extended Euclidean algorithm gives x with $ax \equiv 1 \pmod n$.
    Note that $|\mathbb{Z}_n^*| = \phi(n)$.

    For any $a \in \mathbb{Z}_n^*$, it is the case that $a^{\phi(n)} \equiv 1 \pmod n$
    (Euler's theorem).




     Why RSA Works
    By Euler's Theorem:
          $a^{\phi(N)} \bmod N = 1$
               where $\gcd(a, N) = 1$
    In RSA, we have:
          $N = p \cdot q$
          $\phi(N) = (p-1)(q-1)$
          carefully chosen e & d to be inverses mod $\phi(N)$
          hence $e \cdot d = 1 + k \cdot \phi(N)$ for some integer k
    Hence (if M is relatively prime to N):
    $C^d = (M^e)^d = M^{1 + k\phi(N)} = M \cdot (M^{\phi(N)})^k
         \equiv M \cdot 1^k = M \pmod N$
    (The case $\gcd(M, N) \ne 1$ is covered by the corollary on the next slide.)



     Corollary of Euler's theorem
Given two distinct prime numbers p and q, and integers n =
pq and m, with 0 < m < n, the following relationship
holds:
         $m^{\phi(n)+1} \equiv m \pmod n$ (Eq. 8.5)

Proof: If $\gcd(m, n) = 1$ this is Euler's theorem directly. When
 $\gcd(m, n) \ne 1$, m is a multiple of exactly one of p, q (it cannot be a
 multiple of both, since m < pq); say m = cp. Then $\gcd(m, q) = 1$, so
 $m^{\phi(q)} \equiv 1 \pmod q$
 $[m^{\phi(q)}]^{\phi(p)} \equiv 1 \pmod q$
 $m^{\phi(n)} \equiv 1 \pmod q$, i.e. $m^{\phi(n)} = 1 + kq$ for some integer k
 $m^{\phi(n)+1} = m + kcpq = m + kcn$ (multiply both sides by m = cp)
 $m^{\phi(n)+1} \equiv m \pmod n$
The case m = cq is symmetric.



     Exponentiation
    A useful operation for PKC:
      Given a, n, m, where $a \in \mathbb{Z}_n$ and m is a non-negative integer,
      compute $a^m \bmod n$.

    By repeated squaring, $a^m \bmod n$ can be
    computed in $O(\log m)$ multiplications modulo
    n; each multiplication of $\log n$-bit numbers costs $O(\log^2 n)$
    with schoolbook arithmetic, hence $O(\log^3 n)$ time if m < n.





     RSA Example
1.     Select primes: p = 17 & q = 11
2.     Compute n = pq = 17 × 11 = 187
3.     Compute $\phi(n) = (p-1)(q-1) = 16 \times 10 = 160$
4.     Select e: gcd(e, 160) = 1; choose e = 7
5.     Determine d: $de \equiv 1 \pmod{160}$ and d < 160
       Value is d = 23 since 23 × 7 = 161 = 1 × 160 + 1
6.     Publish public key P = {7, 187}
7.     Keep secret private key S = {23, 17, 11}



     RSA Example cont
    sample RSA encryption/decryption is:
    given message M = 88
    Encryption (using public key):
     $C = 88^7 \bmod 187 = 11$
    Decryption (using private key):
     $M = 11^{23} \bmod 187 = 88$
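The key setup, encryption and decryption slides above, plus the "guess a candidate and run a probabilistic primality test" step from the later Key Generation slide, as one added example that is not part of the original slides. It reproduces the toy parameters (p = 17, q = 11, e = 7, d = 23, 88 -> 11 -> 88) and also generates a fresh key pair from random probable primes. The function names, the Miller-Rabin test and the choice e = 65537 for generated keys are this example's own, not the slides'.

```python
import random
from math import gcd


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a: int, m: int) -> int:
    """Inverse of a mod m (the 'd' of RSA); raises if gcd(a, m) != 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return x % m


def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test: the 'guess and test'
    step of RSA key generation. Composite n passes a round with
    probability at most 1/4, so 32 rounds is ample here."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    """Random odd candidate with the top bit set, retried until it passes."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def keygen_from_primes(p: int, q: int, e: int):
    """RSA key setup as on the slides: N = pq, phi = (p-1)(q-1),
    d = e^-1 mod phi. Returns (public, private) = ((e, N), (d, p, q))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(N)")
    return (e, n), (modinv(e, phi), p, q)


def keygen(bits: int, rng: random.Random, e: int = 65537):
    """Fresh key pair from two random probable primes of bits//2 each
    (e = 65537 is the customary fixed choice; the slides pick e at random)."""
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return keygen_from_primes(p, q, e)


def encrypt(pub, m: int) -> int:
    """C = M^e mod N; the slide's requirement 0 <= M < N is enforced."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < N")
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    """M = C^d mod N."""
    d, p, q = priv
    return pow(c, d, p * q)
```

This is textbook RSA exactly as the slides define it: deterministic (the same M always gives the same C) and multiplicatively malleable, which is why real deployments only ever apply it to randomized, padded values (OAEP for encryption, PSS for signatures) rather than to raw data, and why a 187-size modulus is for illustration only.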





       Exponentiation
 Use the Square and Multiply Algorithm
      a fast, efficient algorithm for exponentiation
 Concept is based on repeatedly squaring the base
 and multiplying in the powers that are needed to
 compute the result
 look at the binary representation of the exponent
 only takes $O(\log_2 m)$ multiplications for exponent m
      eg. $7^5 = 7^4 \cdot 7^1 \equiv 3 \cdot 7 = 21 \equiv 10 \pmod{11}$
      eg. $3^{129} = 3^{128} \cdot 3^1 \equiv 5 \cdot 3 = 15 \equiv 4 \pmod{11}$



     Exponentiation (square-and-multiply algorithm figure not reproduced)




 Equivalently, the algorithm looks at the binary
expansion of m. What we did is collect all the
powers of two corresponding to the ones and
multiply them.
 For example: compute $2^{21} \bmod 22$.
         $21 = 10101_2$

         bit position   4      3     2     1     0
         power          a^16   a^8   a^4   a^2   a^1
         bit value      1      0     1     0     1




$2^1 \equiv 2$, $2^2 \equiv 4$, $2^4 \equiv 16 \pmod{22}$
$2^8 = 16 \cdot 16 = 256 = 220 + 36 \equiv 36 \equiv 14 \pmod{22}$
$2^{16} \equiv 14 \cdot 14 = 196 = 22 \cdot 8 + 20 \equiv 20 \pmod{22}$
Therefore,
$2^{21} = 2^{16} \cdot 2^4 \cdot 2^1 \equiv 20 \cdot 16 \cdot 2 = 20 \cdot 32$
$\equiv 20 \cdot 10 = 200 = 22 \cdot 9 + 2 \equiv 2 \pmod{22}$.
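Square-and-multiply from the preceding slides as an added example (not from the original slides). The first function is the right-to-left "collect the powers of two" form that produces exactly the trace above for $2^{21} \bmod 22$ (the successive squares 2, 4, 16, 14, 20 and the powers $2^1, 2^4, 2^{16}$ that get multiplied in); the second is the left-to-right form that scans the exponent's bits from the top. Function names are this example's own.

```python
def powers_of_two_trace(a: int, m: int, n: int):
    """Right-to-left square-and-multiply, matching the slide's trace.
    Repeatedly square to get a^(2^i) mod n and multiply in the ones whose
    bit of m is set.  Returns (result, squares, used): squares[i] is
    a^(2^i) mod n, used lists the exponents 2^i that were multiplied in."""
    result = 1 % n
    squares, used = [], []
    power = a % n          # a^(2^i) mod n, starting at i = 0
    i = 0
    while m > 0:
        squares.append(power)
        if m & 1:          # bit i of the exponent is 1
            result = result * power % n
            used.append(1 << i)
        power = power * power % n
        m >>= 1
        i += 1
    return result, squares, used


def modpow_left_to_right(a: int, m: int, n: int) -> int:
    """Left-to-right binary exponentiation: walk the bits of m from the
    most significant down; square at every bit, multiply by a when the
    bit is 1.  O(log m) modular multiplications in total."""
    result = 1 % n
    for bit in bin(m)[2:]:
        result = result * result % n
        if bit == "1":
            result = result * a % n
    return result
```

Either form is the right algorithm; what neither form does is run in time independent of the exponent's bits, which is the root of the timing attacks on RSA decryption mentioned later in the deck.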




Some Remarks on RSA






     The hardness to invert RSA
    Thus far, the best way known to invert RSA
    is to first factor n.
    The best running time for a fully proved
    factoring algorithm is Dixon's random squares
    algorithm, which runs in time $O(e^{\sqrt{\log n \log\log n}})$
    (up to the constant in the exponent).

    But, in practice we may consider others.






  Let l = |p| where p is the smallest prime divisor of
n. The Elliptic Curve method takes expected
time $O(e^{\sqrt{2 \ln l \ln\ln l}})$, so its cost depends on the
size of the smallest factor, not on n.
  The Quadratic Sieve algorithm runs in expected
time $O(e^{\sqrt{\ln n \ln\ln n}})$.
 The recommended size for n on these slides (2012) was 1024
bits; 1024-bit RSA has since been retired, 2048 bits is the
current minimum, and 3072 bits or more is used for longer-term protection.



     Knowledge of $\phi(n)$ is equivalent to knowledge of the factorization

           To compute $\phi(n)$ from p and q:
           $\phi(n) = (p-1)(q-1) = n + 1 - (p+q)$.
           To compute p and q from $\phi(n)$:
           since pq = n and $p + q = n + 1 - \phi(n)$,
           define $2b = n + 1 - \phi(n)$ (an integer: $\phi(n)$ and n+1 are both even).
           p and q must be the roots of the equation
           $x^2 - 2bx + n = 0$. Thus p and q equal
                                  $b \pm \sqrt{b^2 - n}$



     RSA Key Generation
   Users of RSA must:
     determine two primes at random - p, q
     select either e or d and compute the other

   Primes p,q must not be easily derived from
   modulus N=p.q
     means must be sufficiently large
     typically guess and use probabilistic test

   Exponents e, d are inverses mod $\phi(N)$, so given one use the
   extended Euclidean algorithm to compute the other



     RSA Security
    three approaches to attacking RSA:
      brute force key search (infeasible given size of
       numbers)
      mathematical attacks (based on difficulty of
       computing $\phi(N)$, i.e. of factoring the modulus N)
      timing attacks (side channels that leak d through the
       running time of decryption; Kocher, 1996)







     Factoring Problem
    mathematical approach takes 3 forms:
          factor N = p·q, hence find $\phi(N)$ and then d
          determine $\phi(N)$ directly and find d
          find d directly
    currently believe all equivalent to factoring
          have seen slow improvements over the years
               as of Aug-99 the record was RSA-155 (155 decimal digits, 512 bits), with GNFS;
               the 768-bit RSA-768 followed in Dec-2009
          biggest improvement comes from improved algorithms
               cf "Quadratic Sieve" to "General Number Field Sieve"
          barring a dramatic breakthrough 2048+ bit RSA is considered secure
          (1024-bit keys, adequate when these slides were written, no longer are)
               ensure p, q of similar size and matching other constraints




     How to choose p and q
(1). The two primes should not be too close to each
  other (e.g. one should be a few decimal digits
  longer than the other), though still of comparable size.
Also, neither p nor q should be too small, because of
  the Elliptic Curve method (whose cost depends on the smallest factor).
  Reason: $n = pq = \left(\frac{p+q}{2}\right)^2 - \left(\frac{p-q}{2}\right)^2 = t^2 - s^2$.
  If p and q are close together then s is small
  and t is an integer only slightly larger than $\sqrt{n}$. If
  you test the successive integers $t > \sqrt{n}$ you will
  soon find one such that $n = t^2 - s^2$, at which point
  you have p = t + s and q = t - s.




(2). p-1 and q-1 should have a fairly small g.c.d.
and both have at least one large prime factor
(otherwise Pollard's p-1 method factors n quickly).
(3). Of course, if someone discovers a
factorization method that works quickly under
certain other conditions on p and q, then further
users of RSA would have to take care to avoid
those conditions as well.
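The two bad-prime conditions above, each with the attack that motivates it, as an added example that is not part of the original slides: Fermat's $t^2 - s^2$ search for primes that are close together (condition 1), and Pollard's p-1 method, which the slide does not name but which is the reason p-1 and q-1 need a large prime factor (condition 2). The toy moduli are constructed from small primes so the runs finish instantly; function names are this example's own.

```python
from math import gcd, isqrt


def fermat_factor(n: int, max_steps: int = 1_000_000):
    """Fermat's method as on the slide: write n = t^2 - s^2 with t just
    above sqrt(n); step t upward until t^2 - n is a perfect square, then
    p = t + s, q = t - s.  Fast exactly when p and q are close together.
    Returns (p, q, steps) or None after max_steps."""
    t = isqrt(n)
    if t * t < n:
        t += 1                      # smallest integer t > sqrt(n)
    for steps in range(max_steps):
        diff = t * t - n
        s = isqrt(diff)
        if s * s == diff:
            return t + s, t - s, steps
        t += 1
    return None


def pollard_p_minus_1(n: int, bound: int):
    """Pollard's p-1 method.  If p-1 divides B! for a modest bound B,
    then a^(B!) == 1 (mod p) by Fermat's little theorem, so
    gcd(a^(B!) - 1, n) is a multiple of p.  Computed incrementally as
    a <- a^k mod n for k = 2..B.  Returns a nontrivial factor or None."""
    a = 2
    for k in range(2, bound + 1):
        a = pow(a, k, n)            # a is now 2^(k!) mod n
        g = gcd(a - 1, n)
        if 1 < g < n:
            return g
        if g == n:                  # both primes fell at once; no information
            return None
    return None


def weak_close_primes() -> int:
    """Constructed example for condition (1): 10007 and 10009 are twin
    primes, so Fermat's method succeeds on the very first t."""
    return 10007 * 10009


def weak_smooth_p_minus_1() -> int:
    """Constructed example for condition (2): p = 1009 has p-1 = 1008 =
    2^4 * 3^2 * 7, which divides 7!, while q = 10007 has q-1 = 2 * 5003."""
    return 1009 * 10007
```

Both attacks run in time that depends on the structure of p and q rather than on the size of n, which is why key generation rejects such primes instead of relying on n being 2048 bits.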




     Summary
    We covered:
      principles of public-key cryptography
      RSA algorithm, implementation, security




     Chapter 10 – Key Management;
     Other Public Key Cryptosystems

No Singhalese, whether man or woman, would
 venture out of the house without a bunch of
 keys in his hand, for without such a talisman
 he would fear that some devil might take
 advantage of his weak state to slip into his
 body.
—The Golden Bough, Sir James George
 Frazer



     Key Management
    Public-key encryption helps address key
    distribution problems in two aspects:
      distribution of public keys
      use of public-key encryption to distribute secret
       keys







     Distribution of Public Keys
    Can use the following approaches:
      Public announcement
      Publicly available directory

      Public-key authority

      Public-key certificates







     Public Announcement
    Users distribute public keys to recipients or
    broadcast to community at large
          eg. append PGP keys to email messages or post
           to news groups or email list
    Major weakness is forgery
          anyone can create a key claiming to be
           someone else and broadcast it
               can masquerade as claimed user until forgery is
                discovered



     Publicly Available Directory
    Achieve greater security by registering keys
    with a public directory
    Directory must be trusted with properties:
      contains {name,public-key} entries
      participants register securely with directory
      participants can replace key at any time
      directory is periodically published
      directory can be accessed electronically

    still vulnerable to tampering or forgery



     Public-Key Authority
    Further improve security by tightening
    control over distribution of keys from
    directory
    Keeps all the properties of directory
    Requires users to know the public key for
    the directory
    Users interact with directory to obtain any
    desired public key securely
          does require real-time access to directory when
           keys are needed



     Public-Key Authority (protocol figure not reproduced)



     Public-Key Certificates
    Certificates allow key exchange without
    real-time access to public-key authority
    a certificate binds identity to a public key
          usually with other info such as period of
           validity, rights of use etc
    with all contents signed by a trusted Public-
    Key or Certificate Authority (CA)
    can be verified by anyone who knows the
    public-key authorities’ public-key



     Public-Key Certificates (certificate exchange figure not reproduced)

     Distribution of Secret Keys using Public-Key

    public-key cryptography can be used for
    secrecy or authentication
      but public-key algorithms are slow
      so usually we want to use private-key
       encryption to protect message contents, such as
       using a session key
    There are several alternatives for
    negotiating a suitable session key



     Simple Secret Key Distribution
    proposed by Merkle in 1979
      A generates a new temporary public key pair
      A sends B the public key and their identity

      B generates a session key K sends it to A
       encrypted using the supplied public key
      A decrypts the session key and both use

    problem is that an opponent can intercept
    and impersonate both halves of protocol
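The three-message protocol above, run once honestly and once with an opponent sitting on the wire, as an added example that is not part of the original slides. The Interceptor replaces A's temporary public key with its own in message 1, decrypts B's session key from message 2, and re-encrypts it to A's real key, so A and B agree on a key and see no error while the opponent holds the key too. The toy RSA primes (61, 53) and (101, 103), the 11-bit session key and all names are this example's own; pow(e, -1, m) needs Python 3.8 or later.

```python
import random
from math import gcd


def temp_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA pair from two fixed toy primes (fixed so the run is
    reproducible).  Returns ((e, n), (d, n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e not coprime to phi(n)")
    return (e, n), (pow(e, -1, phi), n)


def rsa_encrypt(pub, m: int) -> int:
    e, n = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    d, n = priv
    return pow(c, d, n)


class Interceptor:
    """Active opponent on the wire with its own RSA key pair."""

    def __init__(self, p: int, q: int):
        self.pub, self.priv = temp_keypair(p, q)
        self.a_pub = None       # A's real key, remembered from message 1
        self.learned = None     # the session key, once recovered

    def on_msg1(self, msg1):
        # Keep A's real public key but forward the opponent's key to B.
        ident, self.a_pub = msg1
        return ident, self.pub

    def on_msg2(self, c: int) -> int:
        # B encrypted K_s to the opponent's key: decrypt it, then
        # re-encrypt it to A's real key so A decrypts the same K_s.
        self.learned = rsa_decrypt(self.priv, c)
        return rsa_encrypt(self.a_pub, self.learned)


def merkle_exchange(a_primes, b_rng: random.Random, attacker=None):
    """Merkle's protocol as on the slide:
       1. A -> B : ID_A, KU_A       (A's fresh temporary public key)
       2. B -> A : E(KU_A, K_s)     (B's session key under that key)
       3. A decrypts K_s; both use it.
    attacker, if given, sees and may rewrite each message in transit.
    Returns (K_s as A recovers it, K_s as B chose it)."""
    a_pub, a_priv = temp_keypair(*a_primes)
    msg1 = ("A", a_pub)
    if attacker:
        msg1 = attacker.on_msg1(msg1)          # message 1 crosses the wire
    k_s = b_rng.randrange(1, 1 << 11)          # B's session key (toy size, < both moduli)
    msg2 = rsa_encrypt(msg1[1], k_s)           # encrypted to whatever key arrived
    if attacker:
        msg2 = attacker.on_msg2(msg2)          # message 2 crosses the wire
    return rsa_decrypt(a_priv, msg2), k_s
```

Nothing in the protocol ties KU_A to A's identity, which is exactly what the directory, authority and certificate mechanisms of the previous slides supply.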
     Public-Key Distribution of Secret Keys
   if A and B have securely exchanged public-keys:
     Diffie-Hellman Key Exchange
   The first public-key type scheme, proposed
   by Diffie & Hellman in 1976 along with the
   exposition of public-key concepts
          note: it is now known that James Ellis (UK CESG)
           secretly proposed the concept in 1970
             http://www.gchq.gov.uk/press_office/ellis.html
             http://www.gchq.gov.uk/about/heroes.html

   is practical for public exchange of a secret key
   is used in a number of commercial products
     Diffie-Hellman Key Exchange
    A public-key distribution scheme
          NOT used to exchange an arbitrary message
          BUT to establish a common key known only to the two
           participants
    Value of the key depends on the participants (and
    their private and public key information)
    Based on exponentiation in a finite (Galois) field
    (modulo a prime or a polynomial) - easy
    Security relies on the difficulty of computing
    discrete logarithms (comparable in difficulty to factoring) - hard
     Diffie-Hellman Setup
    All users agree on global parameters:
          Large prime integer or polynomial q
          α, a primitive root mod q
    Each user (e.g. A) generates their key
      chooses a secret key (number): xA < q
      computes their public key: yA = α^xA mod q
     Each user makes public that key yA
     Diffie-Hellman Key Exchange
    Shared session key for users A & B is KAB:
     KAB = α^(xA·xB) mod q
         = yA^xB mod q (which B can compute)
         = yB^xA mod q (which A can compute)
    KAB is used as the session key in a private-key
    encryption scheme between Alice and Bob
    If Alice and Bob subsequently communicate, they
    will have the same key as before, unless they
    choose new public keys
    An attacker who wants KAB needs one of the secret
    exponents x, i.e. must solve a discrete logarithm
     Diffie-Hellman Example
    Users Alice & Bob who wish to swap keys:
    Agree on prime q=353 and α=3
    Select random secret keys:
          A chooses xA=97, B chooses xB=233
    Compute public keys:
          yA = 3^97 mod 353 = 40    (Alice)
          yB = 3^233 mod 353 = 248  (Bob)
    Compute shared session key as:
     KAB = yB^xA mod 353 = 248^97 mod 353 = 160   (Alice)
     KAB = yA^xB mod 353 = 40^233 mod 353 = 160   (Bob)
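The setup and exchange slides above, run end to end in Python as an added example (this is not code from the slides or from the textbook). It uses the slides' own parameters q=353, α=3, xA=97, xB=233 and reproduces yA=40, yB=248, KAB=160; the function and variable names are chosen here, and fresh_exchange() with randomly drawn secrets is an assumption added to illustrate the "choose new keys" point from the previous slide. It also adds the check a careful implementation makes on a received public value, which the slides do not spell out:

```python
import secrets

# Added example, not code from the lecture slides or the textbook.
# q = 353, alpha = 3, xA = 97, xB = 233 are the slides' own numbers;
# names below and the random-secret variant are assumptions made here.


def is_primitive_root(alpha, q):
    """Brute-force check that alpha generates all of Z_q^* (every value
    1..q-1 is some power of alpha). Fine for the toy prime on the slide;
    at real sizes one uses a standardised, known-good group instead."""
    seen = set()
    value = 1
    for _ in range(q - 1):
        value = (value * alpha) % q
        seen.add(value)
    return len(seen) == q - 1


def public_key(alpha, q, x):
    """y = alpha^x mod q, the value each user publishes."""
    return pow(alpha, x, q)


def accepts_peer_value(y, q):
    """A received public value must lie strictly between 1 and q-1:
    0, 1 and q-1 would force the shared key to a trivial value whatever
    our own secret x is, so they are rejected before exponentiation."""
    return 1 < y < q - 1


def shared_key(peer_public, x, q):
    """K = y_peer^x mod q, after validating the peer's public value."""
    if not accepts_peer_value(peer_public, q):
        raise ValueError("peer public value out of range")
    return pow(peer_public, x, q)


def dh_exchange(q, alpha, xa, xb):
    """Run both sides of the exchange and return (yA, yB, K_AB)."""
    ya = public_key(alpha, q, xa)
    yb = public_key(alpha, q, xb)
    k_alice = shared_key(yb, xa, q)   # Alice: yB^xA mod q
    k_bob = shared_key(ya, xb, q)     # Bob:   yA^xB mod q
    assert k_alice == k_bob, "both sides must derive the same key"
    return ya, yb, k_alice


def slide_example():
    """The slide's numbers: yields yA = 40, yB = 248, K_AB = 160."""
    return dh_exchange(353, 3, 97, 233)


def fresh_exchange(q, alpha):
    """Same protocol with newly chosen secrets, as the previous slide
    recommends when Alice and Bob want a different key next session."""
    while True:
        xa = secrets.randbelow(q - 2) + 1   # 1 <= x <= q-2
        xb = secrets.randbelow(q - 2) + 1
        try:
            return dh_exchange(q, alpha, xa, xb)
        except ValueError:
            continue  # a public value hit a rejected edge value; redraw


if __name__ == "__main__":
    print("slide parameters:", slide_example())      # (40, 248, 160)
    print("fresh secrets:   ", fresh_exchange(353, 3))
```

Note that with the fixed secrets 97 and 233 every run yields the same 160, which is exactly the "same key as before" behaviour the slide warns about; fresh_exchange() shows the remedy. The primitive-root check matters because a non-generator α would confine all possible keys to a small subgroup.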
     Summary
    have considered:
      Distribution of public keys
      Public-key distribution of secret keys

      Diffie-Hellman key exchange