VIEWS: 5 PAGES: 38 CATEGORY: Education POSTED ON: 5/16/2010
Cryptography Public Key Cryptosystems Anita Jones CS451 Information Security Copyright(C) Anita Jones Public key encryption The two problems to be solved: Key distribution Digital signature Revolutionary new approach Based on math functions, not simple operations on bit patterns September, 2006 Asymmetric (Public Key) Encryption Ralph Merkle, Martin Hellman, Whitfield Diffie (1977) Ronald Rivest Adi Shamir Len Adleman Contributions Diffie & Hellman showed that encryption with pairs of keys was possible Rivest, Shamir & Adleman created a cost- effective method, and then commercialized it which make it readily accessible to users September, 2006 A revolution of sorts Diffie & Hellman (1976) sought to solve 2 problems: better way to distribute keys provide for a digital document signature public key encryption is based on mathematical functions, not on substitution & permutation asymmetric – two different keys it does not displace block ciphers (symmetric keys) Why not? Because it costs too much September, 2006 Basics Each user generates a pair of keys Each user places one key in a publicly accessible place Each user keeps the other key secret EKR(M) = C EKU(C) = M Where, M = plaintext (message); C = ciphertext KR = restricted (private) key KU = unrestricted (public) key September, 2006 Requirements for Public Key Computationally EASY to generate a pair of keys (public KU, private KR) encrypt, given key KU & message M decrypt, given key KR & encrypted message, C Computationally INFEASIBLE to determine private key KR, knowing public key KU recover original message (M), given public key KU & ciphertext, C, for message M September, 2006 First of two uses Confidentiality A wants to send message to B A encrypts message with B’s public key A sends encrypted message to B B decrypts message with its private key (and by the way, B’s public key will not “decrypt” the encrypted message) September, 2006 Second of two uses Authentication, or digital signature A wants to send message to B in a way that B can be assured that A (and no one else) sent it A encrypts message with A’s private key (sign!) A sends encrypted/signed message to B B decrypts message with A’s public key B then knows that only A could have sent it data integrity assured, once encrypted (if whole message is encrypted) September, 2006 How do you distribute the Public Key? Digression What does the receiver know about a message once it is “correctly” decrypted? Plaintext is readable, i.e. understandable If a “bit flipped”, then resulting plaintext is unintelligible; remember “avalanche” property Both the cryptanalyst and a legitimate receiver know when they decrypt and read plaintext September, 2006 Comparisons – Preview * Symmetric Asymmetric •# • of Keys 1 2 •Protection of key • Must be kept secret One secret; One public •Best Uses • Crypto “workhorse”; Key distribution, authentication secrecy & integrity of data– single characters to blocks of data, messages, files •Key Distribution • Must be “out-of-band” Public key can be used to distribute other keys •Speed • Fast - based on addition, Slow; complex mathematics (e.g. masks, and shifts exponentiation); typically 10,000 times slower than symmetric keys •Key Lengths • 40, 128, 256, 512 512, 1024, 2048 •Examples • DES, 3DES, AES, RSA, El Gamal, Merkle-Hellman, Blowfish, Twofish, IDEA Elliptic Curve September, 2006 Primary Source: Security in Computing, Pfleeger&Pfleeger, p. 75 Some Misconceptions about Symmetric vs Asymmetric encryption One is superior to the other Public key encryption replaces symmetric encryption Public key encryption makes key distribution trivially easy September, 2006 RSA (Rivest, Shamir, Adelman) Algorithm plaintext and ciphertext are (considered) integers between 0 and n-1, some n public KU = {e, n} and public KR = {d, n} for plaintext M and ciphertext C C = Me mod n M = Cd mod n = (Me)d mod n = Med mod n Why so prevalent? Because RSA Inc. commercialized it September, 2006 RSA Important properties There exists e, d, n such that Med = M mod n for all M < n Easy to calculate Me and Cd for all values of M < n Infeasible to determine d, given e and n September, 2006 Modulo arithmetic – review a mod n is the remainder of a divided by n So, values of a mod n are all between 0 and n-1 24 mod 7 = 3 5 mod 7 = 5 a = b mod n means a mod n = b mod n i.e. give the same remainder a=b mod n means a = b + kn (k negative or positive) a and b are congruent mod n 24 mod 7 = 10 mod 7 = 3, so 24 =10 = 3 mod 7 September, 2006 RSA: computing e, n, and d select 2 prime numbers p, q (p not = q) calculate n = p * q (n is the modulus) calculate ø(n) = (p-1) * (q-1) select e such that e is relatively prime to ø(n) and 1 < e < ø(n) determine d such that d * e = 1 mod ø(n) September, 2006 RSA: computing e, n, and d select prime numbers p = 7, q = 17 calculate n = p * q = 119 calculate ø(n) = (p-1) * (q-1) = 6 * 16 = 96 select e = 5 such that e is relative prime to ø(n) and e < ø(n) determine d = 77 such that d * e = 1 mod ø(n) and d < ø(n) 5 * 77 = 385 = 4 * 96 + 1 September, 2006 RSA: applying e, n, and d KU = {5, 119} and KR = {77, 119} let plaintext M = 19 Encryption C = Me mod n C = EKU(19) = 195 mod 119 = 2,476,099 mod 119 = 66 Decryption M = Cd mod n M = DKR(66) = 6677 mod 119 = <big number> mod 119 = 19 mod 119 = 19 September, 2006 RSA -- getting parameters “right” need to choose suitably large p, q e is usually chosen to be small typically e may be the same for all users originally a value of 3 was suggested, but it is regarded as too small currently 216 -1 = 65535 is typical used the decryption exponent d will be large September, 2006 Practical aspects of RSA So why is RSA so much slower than DES? today’s computer’s can't directly handle numbers larger than 32- or 64-bits need multiple precision arithmetic requiring libraries to handle large numbers September, 2006 Is Public Key Crypto Secure? A 128 bit key would be a number between 1 and 340,282,366,920,938,000,000,000,000,000,000,000,000 How many prime numbers are between 1 and this number? approximately n / ln(n) which is about 2^128 / ln( 2^128 ) = 3,835,341,275,459,350,000,000,000,000,000,000,000 How long would it take to find all of these prime numbers if you could calculate one trillion of these numbers per second? More than 121,617,874,031,562,000 years (i.e., about 10 million times longer than the universe has existed so far.) Reference: http://www.livinginternet.com/?i/is_crypt_pkc_inv.htm Answer – Yes, but know its limitations (e.g. plaintext attacks, block sizes, etc.) September, 2006 Speeding up RSA modulo arithmetic permits reducing intermediate results, because (a*b) mod n = [(a mod n)*(b mod n)]mod n 195 mod 119 = 2,476,099 mod 119 = ? = [(191 mod 119) * ( 192 mod 119) * (192 mod 119)] mod 119 Note: 192 mod 119 = 361 mod 119 = 4 195 mod 119 = [19 * 4 * 4] mod 119 = 304 mod 119 = 66 September, 2006 Speeding up RSA usual multiplication takes O(n2) bit ops faster technique: Schonhage-Strassen Integer Multiplication Algorithm: breaks each integer into blocks, & uses them as coefficients of a polynomial evaluates these polynomials at suitable points, & multiplies the resultant values interpolates these values to form the coefficients of the product polynomial combines the coefficients to form the product of the original integer September, 2006 Attacks on RSA Brute force – try all possible private keys Depends on length of the key Mathematical attack – factor n into its two primes Timing attack – use measurement of the decryption time to guess values September, 2006 RSA security rests on factoring security of RSA is assumed to rest on the difficulty of computing ø(n), i.e. finding (p-1), (q-1) best known theoretical factoring algorithms take years (assume 1 binary op per nanosec) when number of decimal digits in n exceed 100 so, 1024 + bits looks secure for now September, 2006 Breaking RSA RSA inventors offered $100 reward for finding a plaintext sentence enciphered via RSA public key had 129 decimal digits (~ 428 bits) RSA predicted 40 quadrillion years was needed 1994 -- a group claimed the prize after 8 months of work (1600 computers used) September, 2006 Elliptic Curve Cryptography RSA challenger – uses fewer bits than RSA, so is computationally cheaper Based on cubic equations of form: y2 + axy + by = x3 +cx2 + dx + e … real a, b, c, d, e Define a form of addition on points on curve - multiple additions are the counterpart of modular exponentiation in RSA Less experience, so it is not as trusted as RSA September, 2006 Applications September, 2006 Digital Signature Construct that authenticates both the origin & content of a message In a manner that is provable to a third party E.g. A sends EA-R [M]; B has EA-U [M], M where M = EA-U [EA-R [M]] Repudiation problem: A says “My key was stolen” September, 2006 Key Distribution A sends/posts A’s public key All others can see it Forgery problem: Z posts a key and says that it is A’s public key Z can read what others send to A Until A alerts others to the forged key September, 2006 Public Key Certificate Create a trusted third party Key distribution center (KDC) or certificate authority (CA) Maintains a registry of user keys Creates certificates: [ID of A, A’s public key] Certificate signed by CA Encrypted with KDC’s private key Use: user gives CA the user’s public key User obtains certificate; publishes certificate Assumed valid until user informs CA that key is invalid September, 2006 Key distribution -- using certificates A and B register with the CA A and B exchange certificates A creates secret (shared) session key A encrypts session key with A’s private key A then encrypts with B’s public key A sends to B September, 2006 We need a more formal way of describing these exchanges! Let’s talk about security protocols! September, 2006 Backups September, 2006 Why? Why should it be the case that if M is plaintext & C is ciphertext & if C = Me mod n, that M = Cd mod n = (Me)d mod n = Med mod n, I.e. what makes us think that there even exists an e and d such that Med mod n = M? September, 2006 Theory behind RSA if n = pq where p, q are primes, then: xø(n) = 1 mod n for all x not divisible by p or q, ie gcd(x,ø(n))=1 where ø(n)=(p-1)(q-1) RSA chooses e & d to be inverses mod ø(n) ie e*d=1+q*ø(n) therefore M = Cd = Med = M1+q*ø(n) = M1 *(M ø(n) )q = M1*(1)q = M1 mod N September, 2006 Speeding up RSA (cont) Discrete Fourier Transform, & the Convolution Theorem are used to speed up the interpolation stage results in multiplying in O(n log n) bit ops (versus O(n2) special hardware is a possibility September, 2006