Cryptography Public Key Cryptosystems

					    Cryptography
    Public Key Cryptosystems


                                 Anita Jones
                           CS451 Information Security




Copyright(C) Anita Jones
Public key encryption

The two problems to be solved:
     Key distribution
     Digital signature
Revolutionary new approach
     Based on math functions, not simple
      operations on bit patterns



September, 2006
Asymmetric (Public Key) Encryption

Ralph Merkle, Martin Hellman, Whitfield Diffie (1977)

Ronald Rivest, Adi Shamir, Len Adleman

Contributions

Diffie & Hellman showed that encryption
 with pairs of keys was possible

Rivest, Shamir & Adleman created a cost-effective
 method, and then commercialized it, which made it
 readily accessible to users

 A revolution of sorts

Diffie & Hellman (1976) sought to solve 2 problems:
   better way to distribute keys
   provide for a digital document signature
public key encryption is based on mathematical
 functions, not on substitution & permutation
asymmetric – two different keys
it does not displace block ciphers (symmetric keys)
   Why not? Because it costs too much



Basics

Each user generates a pair of keys
Each user places one key in a publicly
 accessible place
Each user keeps the other key secret

              E_KR(M) = C       E_KU(C) = M

Where M = plaintext (message); C = ciphertext
KR = restricted (private) key; KU = unrestricted (public) key

Requirements for Public Key
 Computationally EASY to
     generate a pair of keys (public KU, private KR)
     encrypt, given key KU & message M
     decrypt, given key KR & encrypted message, C
 Computationally INFEASIBLE to
     determine private key KR, knowing public key
      KU
     recover original message (M), given public key
      KU & ciphertext, C, for message M

 First of two uses
 Confidentiality
       A wants to send message to B
       A encrypts message with B’s public key
       A sends encrypted message to B
       B decrypts message with its private key

       (and by the way, B’s public key will not
        “decrypt” the encrypted message)


 Second of two uses
Authentication, or digital signature
    A wants to send message to B in a way that B
     can be assured that A (and no one else) sent it
    A encrypts message with A’s private key (sign!)
    A sends encrypted/signed message to B
    B decrypts message with A’s public key
    B then knows that
          only A could have sent it
          data integrity assured, once encrypted (if whole
           message is encrypted)

How do you distribute the
Public Key?
Digression

What does the receiver know about a
 message once it is “correctly” decrypted?
     Plaintext is readable, i.e. understandable
     If a “bit flipped”, then resulting plaintext is
      unintelligible; remember “avalanche” property


Both the cryptanalyst and a legitimate
 receiver know when they decrypt and read
 plaintext

Comparisons – Preview *

                     Symmetric                         Asymmetric
# of keys            1                                 2
Protection of key    Must be kept secret               One secret; one public
Best uses            Crypto “workhorse”;               Key distribution, authentication
                     secrecy & integrity of data –
                     single characters to blocks
                     of data, messages, files
Key distribution     Must be “out-of-band”             Public key can be used to distribute
                                                       other keys
Speed                Fast - based on addition,         Slow; complex mathematics (e.g.
                     masks, and shifts                 exponentiation); typically 10,000 times
                                                       slower than symmetric keys
Key lengths          40, 128, 256, 512                 512, 1024, 2048
Examples             DES, 3DES, AES,                   RSA, El Gamal, Merkle-Hellman,
                     Blowfish, Twofish, IDEA           Elliptic Curve

* Primary Source: Security in Computing, Pfleeger&Pfleeger, p. 75

Some Misconceptions about
Symmetric vs Asymmetric encryption

One is superior to the other

Public key encryption replaces symmetric
 encryption

Public key encryption makes key
 distribution trivially easy

RSA (Rivest, Shamir, Adleman) Algorithm

 plaintext and ciphertext are (considered)
  integers between 0 and n-1, some n
 public KU = {e, n} and private KR = {d, n}

 for plaintext M and ciphertext C
       C = M^e mod n
       M = C^d mod n = (M^e)^d mod n = M^(ed) mod n

      Why so prevalent? Because RSA Inc. commercialized it

RSA Important properties
 There exists e, d, n such that
             M^(ed) = M mod n for all M < n

 Easy to calculate M^e and C^d
              for all values of M < n

 Infeasible to determine d, given e and n

Modulo arithmetic – review
a mod n is the remainder of a divided by n
So, values of a mod n are all between 0 and n-1
      24 mod 7 = 3     5 mod 7 = 5
a = b mod n means a mod n = b mod n
        i.e. give the same remainder
a=b mod n means a = b + kn (k negative or positive)
a and b are congruent mod n
24 mod 7 = 10 mod 7 = 3, so 24 = 10 = 3 mod 7

RSA: computing e, n, and d
select 2 prime numbers p, q (p not = q)
calculate n = p * q (n is the modulus)
calculate ø(n) = (p-1) * (q-1)
select e such that
     e is relatively prime to ø(n) and 1 < e < ø(n)
determine d such that
     d * e = 1 mod ø(n)


RSA: computing e, n, and d
select prime numbers p = 7, q = 17
calculate n = p * q = 119
calculate ø(n) = (p-1) * (q-1) = 6 * 16 = 96
select e = 5 such that
     e is relatively prime to ø(n) and e < ø(n)
determine d = 77 such that
     d * e = 1 mod ø(n) and d < ø(n)
     5 * 77 = 385 = 4 * 96 + 1

RSA: applying e, n, and d
KU = {5, 119} and KR = {77, 119}
let plaintext M = 19
Encryption C = M^e mod n
    C = E_KU(19) = 19^5 mod 119 = 2,476,099 mod 119
                      = 66
Decryption M = C^d mod n
    M = D_KR(66) = 66^77 mod 119
               = <big number> mod 119
               = 19 mod 119
               = 19

RSA -- getting parameters “right”

need to choose suitably large p, q
e is usually chosen to be small
typically e may be the same for all users
originally a value of 3 was suggested, but
 it is regarded as too small currently
216 -1 = 65535 is typical used
the decryption exponent d will be large

Practical aspects of RSA

 So why is RSA so much slower than DES?
    today’s computers can't directly handle
     numbers larger than 32 or 64 bits

    need multiple precision arithmetic requiring
     libraries to handle large numbers




Is Public Key Crypto Secure?
 A 128 bit key would be a number between 1 and
  340,282,366,920,938,000,000,000,000,000,000,000,000
 How many prime numbers are between 1 and this number?
      approximately n / ln(n) which is about 2^128 / ln( 2^128 ) =
        3,835,341,275,459,350,000,000,000,000,000,000,000

 How long would it take to find all of these prime numbers if you could
  calculate one trillion of these numbers per second?
      More than 121,617,874,031,562,000 years (i.e., about 10 million times
       longer than the universe has existed so far.)
      Reference: http://www.livinginternet.com/?i/is_crypt_pkc_inv.htm



 Answer – Yes, but know its limitations (e.g. plaintext attacks, block
  sizes, etc.)

Speeding up RSA
modulo arithmetic permits reducing
 intermediate results, because
 (a*b) mod n = [(a mod n)*(b mod n)]mod n
     19^5 mod 119 = 2,476,099 mod 119 = ?
           = [(19^1 mod 119) * (19^2 mod 119) *
                         (19^2 mod 119)] mod 119
     Note: 19^2 mod 119 = 361 mod 119 = 4
     19^5 mod 119 = [19 * 4 * 4] mod 119
                 = 304 mod 119 = 66
Speeding up RSA

usual multiplication takes O(n^2) bit ops
faster technique: Schönhage-Strassen Integer
    Multiplication Algorithm:
     breaks each integer into blocks, & uses them as coefficients of a
      polynomial
     evaluates these polynomials at suitable points, & multiplies the
      resultant values
     interpolates these values to form the coefficients of the product
      polynomial
     combines the coefficients to form the product of the original
      integers


Attacks on RSA
Brute force – try all possible private keys
    Depends on length of the key


Mathematical attack – factor n into its two
 primes

Timing attack – use measurement of the
 decryption time to guess values

RSA security rests on factoring
security of RSA is assumed to rest on the
 difficulty of computing ø(n),
 i.e. finding (p-1), (q-1)
best known theoretical factoring algorithms
 take years (assume 1 binary op per nanosec)
 when the number of decimal digits in n exceeds
 100
so, 1024+ bits looks secure for now

Breaking RSA
RSA inventors offered $100 reward for
 finding a plaintext sentence enciphered via
 RSA
public key had 129 decimal digits (~ 428 bits)
RSA predicted 40 quadrillion years was
 needed
1994 -- a group claimed the prize after 8
 months of work (1600 computers used)

Elliptic Curve Cryptography
RSA challenger – uses fewer bits than RSA, so is
 computationally cheaper
Based on cubic equations of form:
     y^2 + axy + by = x^3 + cx^2 + dx + e
                         … real a, b, c, d, e
Define a form of addition on points on curve -
 multiple additions are the counterpart of modular
 exponentiation in RSA

Less experience, so it is not as trusted as RSA


                  Applications




Digital Signature

Construct that authenticates both the origin
 & content of a message
     In a manner that is provable to a third party
E.g. A sends E_A-R[M]; B has E_A-U[M], M
       where M = E_A-U[E_A-R[M]]

Repudiation problem:
                A says “My key was stolen”

Key Distribution

A sends/posts A’s public key
All others can see it

Forgery problem: Z posts a key and says
 that it is A’s public key
     Z can read what others send to A
     Until A alerts others to the forged key


Public Key Certificate
Create a trusted third party
     Key distribution center (KDC) or certificate authority
      (CA)
     Maintains a registry of user keys
     Creates certificates: [ID of A, A’s public key]
     Certificate signed by CA
          Encrypted with KDC’s private key
Use: user gives CA the user’s public key
     User obtains certificate; publishes certificate
     Assumed valid until user informs CA that key is invalid
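
A minimal sketch of the certificate check described above, added here and not part of the original slides: a toy CA signs the binding [ID, public key], and a relying party rejects a certificate in which Z has substituted its own key. Assumptions: the CA key is built from two small known primes, the binding is hashed with SHA-256 before signing (the slide encrypts the certificate directly), and all function names are chosen for this example.

```python
# Added example: toy CA binding an ID to a public key (textbook RSA, no padding).
import hashlib

# Constructed CA key from two known Mersenne primes; far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
CA_N = P * Q
CA_D = pow(E, -1, (P - 1) * (Q - 1))    # CA's private exponent (kept secret)
CA_PUBLIC = (E, CA_N)                   # published so anyone can check certificates


def digest(user_id, user_key, n):
    """Hash the binding [ID, public key] to an integer below n."""
    data = f"{user_id}|{user_key[0]}|{user_key[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def issue_certificate(user_id, user_key):
    """CA side: sign [ID, public key] with the CA's private key."""
    signature = pow(digest(user_id, user_key, CA_N), CA_D, CA_N)
    return {"id": user_id, "key": user_key, "sig": signature}


def verify_certificate(cert, ca_public=CA_PUBLIC):
    """Relying party: recompute the hash and compare it with sig^e mod n."""
    e, n = ca_public
    return pow(cert["sig"], e, n) == digest(cert["id"], cert["key"], n)


def key_for(claimed_id, cert):
    """Return the public key only if the CA vouches for this ID/key binding."""
    if cert["id"] != claimed_id or not verify_certificate(cert):
        raise ValueError("certificate does not bind this ID to this key")
    return cert["key"]


if __name__ == "__main__":
    a_cert = issue_certificate("A", (5, 119))   # A registers its key with the CA
    forged = dict(a_cert, key=(5, 143))         # Z swaps in a different key
    print("genuine certificate accepted:", verify_certificate(a_cert))
    print("forged certificate accepted: ", verify_certificate(forged))
```
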

Key distribution -- using certificates
   A and B register with the CA
   A and B exchange certificates
   A creates secret (shared) session key
   A encrypts session key with A’s private key
   A then encrypts with B’s public key
   A sends to B

     We need a more formal way of
     describing these exchanges!


     Let’s talk about security protocols!

Backups




Why?
 Why should it be the case that
              if M is plaintext & C is ciphertext
 & if C = M^e mod n, that

 M = C^d mod n = (M^e)^d mod n = M^(ed) mod n,

 I.e. what makes us think that there even
 exists an e and d such that M^(ed) mod n = M?


Theory behind RSA
 if n = pq where p, q are primes, then:
     x^ø(n) = 1 mod n
     for all x not divisible by p or q, ie gcd(x,ø(n))=1
     where ø(n)=(p-1)(q-1)
 RSA chooses e & d to be inverses mod ø(n)
                             ie e*d=1+q*ø(n)
 therefore
     M = C^d = M^(ed) = M^(1+q*ø(n)) =
     M^1 * (M^ø(n))^q = M^1 * (1)^q = M^1 mod n

Speeding up RSA (cont)

Discrete Fourier Transform, & the
 Convolution Theorem are used to speed
 up the interpolation stage
results in multiplying in O(n log n) bit ops
 (versus O(n^2))
special hardware is a possibility


