Cryptography




        NWS – Cryptography
        Prof. Dr. S. Heiss / 1
IT-Security: Threats

   Eavesdropping, Sniffing
   Spoofing, Replaying attacks
   Unauthorized Access, Impersonation
   Denial of Services (DoS)
   Misuse of resources


                       C
                                Charly


        A              m                            B
        Alice                                       Bob

                          NWS – Cryptography
                           Prof. Dr. S. Heiss / 2
IT-Security: Aims

   Confidentiality
   Integrity
   Availability
   Authentication
   Access Control
   Non-Repudiation

[Figure: the CIA triangle (Confidentiality, Integrity, Availability)]
IT-Security: Techniques

   Confidentiality      Encryption
   Integrity            MAC, MIC, Digital Signature
   Availability         Filter, Firewall, Robust Impl.
   Authentication       MAC, Key (physical token), Biometric identification
   Access Control       Secure Configurations, Best Security Practices,
                          Security awareness of users, Policies
   Non-Repudiation      Digital Signature
Cryptographic Algorithms

   Symmetric Ciphers
   MACs (Message Authentication Codes)
   Message Digests (Hash Functions)
   Cryptographically secure Pseudo Random Number Generators (PRNGs)
   Asymmetric Ciphers
   Digital Signatures
   Key derivation algorithms / schemes
Kerckhoffs's Principle

   Kerckhoffs von Nieuwenhof (1835-1903):
    − The security of a cryptographic algorithm should not
      depend on its nondisclosure.

    − Today's best practice: Only use and implement well-known
      algorithms that have been thoroughly investigated by the
      community of internationally distinguished cryptographers.
      (E.g.: the contest for the selection of AES)

    − Do not rely on "security by obscurity"!
Symmetric Ciphers

[Figure: section title; one key k is used by both the encryption function Ek and the decryption function Dk]
Symmetric Ciphers

[Figure: Alice (A) and Bob (B) share the key k; Alice computes c = Ek(m) and sends c, Bob recovers m with Dk]
Symmetric Ciphers

   Key exchange:
    − Alice and Bob must share a secret key, which has to
      be exchanged over a secure channel, before it can be
      used to encrypt messages.


   Key storage:
    − Keys have to be securely managed and stored.




Symmetric Ciphers

   Aim of the construction of cipher algorithms:
    − No attack performs better than a brute-force attack
      (trying every key).
      This means: the size of the key space |K| (the number
      of possible keys) is directly proportional to the
      security of the algorithm.
Types of Symmetric Ciphers

   Stream ciphers

   Block ciphers
    Modes of operation:
    − ECB (Electronic Codebook Mode)
    − CBC (Cipher Block Chaining Mode)
    − CFB (Cipher Feedback Mode)
    − OFB (Output Feedback Mode)
Symmetric Ciphers – Stream Ciphers
One Time Pad (OTP)

[Figure: the plaintext bit stream m = 1 0 0 1 0 1 0 0 0 0 ... is combined by Ek with the one time pad k (generated by a true random process); the result is the ciphertext c = Ek(m) = 0 1 0 1 0 0 0 1 1 0 1 0 ...]
One Time Pad (OTP) - Pros

   A truly randomly generated one time pad is the only
    cipher that guarantees absolute (provable) security.
    (The only information that can be deduced from
    eavesdropping is the length of the plaintext.)
One Time Pad (OTP) - Cons

   Key establishment
     The one time pad has to be exchanged over some other
     secure channel prior to its use.
   Key length
     The one time pad (key) has to be as long as the plaintext.
   Reusability
     Reuse of a one time pad is strictly prohibited, as it would
     allow an attack by statistical analysis.
   Key generation
     Costly, as a physically true random process has to be used.
Synchronous Stream Ciphers

[Figure: plaintext bit stream m = 1 0 0 1 0 1 0 0 0 0 ...; key k = 0 1 0 ... 1 0 of s bits, k ∈ K = (F2)^s, where K is the key space; Ek produces the ciphertext 0 1 0 1 0 0 0 1 1 0 1 0 ...]
Additive Synchronous Stream Ciphers

[Figure: plaintext m = 1 0 0 1 0 1 0 0 0 0 1 1 ...; the key k = 0 1 0 ... 1 0 (s bits) drives Ek, which produces the keystream 1 1 0 0 0 1 0 1 1 0 0 1 ...; the ciphertext c = Ek(m) = 0 1 0 1 0 0 0 1 1 0 1 0 ... is the plaintext XOR the keystream]
Additive Synchronous Stream Ciphers – Pros

   The keystream is independent of the plaintext.
    (Keystream can be precalculated.)
   Encryption is a simple (fast) XOR operation.
   Decryption = Encryption




Additive Synchronous Stream Ciphers – Cons

   Key establishment: The key has to be exchanged over
    some other secure channel prior to its use.
   Reusability: Reuse of the same key is strictly
    prohibited, as it compromises the encryption scheme.
   Integrity of data is not protected: Single bits can be
    flipped by an attacker without detection.
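Added example (not from the slides): an additive stream cipher as described above, showing that decryption equals encryption, that the keystream is independent of the plaintext, why key reuse and unprotected integrity are problems, and how a separate MAC closes the integrity gap. The keystream generator (SHA-256 in counter mode), the key, nonce and messages are constructed for this example.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed keystream generator for this example (not a standardised
    cipher): SHA-256 over (key, nonce, counter), i.e. a hash in counter mode.
    The keystream depends only on key and nonce, never on the plaintext,
    so it can be precomputed before the message is known."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, m: bytes) -> bytes:
    """c = E_k(m) = m XOR keystream: a single, fast XOR per byte."""
    return xor_bytes(m, keystream(key, nonce, len(m)))


decrypt = encrypt  # XOR is its own inverse, so decryption = encryption.


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Flip one bit of a byte string (models a modification of c in transit)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def bit_flip_propagates(key: bytes, nonce: bytes, m: bytes, bit_index: int) -> bool:
    """Integrity is not protected: flipping bit i of the ciphertext flips
    exactly bit i of the decrypted plaintext, and nothing else changes."""
    c = encrypt(key, nonce, m)
    m_forged = decrypt(key, nonce, flip_bit(c, bit_index))
    return m_forged == flip_bit(m, bit_index)


def keystream_cancels_on_reuse(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bool:
    """Reusing one keystream for two messages of equal length gives
    c1 XOR c2 == m1 XOR m2: the keystream drops out and the relation between
    the plaintexts is exposed. This is why reuse is prohibited."""
    c1 = encrypt(key, nonce, m1)
    c2 = encrypt(key, nonce, m2)
    return xor_bytes(c1, c2) == xor_bytes(m1, m2)


def mac_tag(mac_key: bytes, c: bytes) -> bytes:
    """A MAC over the ciphertext supplies the integrity check the cipher lacks."""
    return hmac.new(mac_key, c, hashlib.sha256).digest()


def mac_verify(mac_key: bytes, c: bytes, t: bytes) -> bool:
    return hmac.compare_digest(mac_tag(mac_key, c), t)


if __name__ == "__main__":
    key, nonce = b"constructed-demo-key", b"nonce-01"  # sample values for the demo
    m = b"Transfer 100 EUR"
    c = encrypt(key, nonce, m)
    print(c.hex(), decrypt(key, nonce, c))
    print("bit flip propagates:", bit_flip_propagates(key, nonce, m, 9 * 8))
    t = mac_tag(b"mac-key", c)
    print("tamper detected:", not mac_verify(b"mac-key", flip_bit(c, 72), t))
```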
Construction of key stream generators

[Figure: the key bits k = 0 1 0 ... 1 0 and a small truly random seed 0 1 0 ... 1 0 are fed to the key scheduling algorithm h, which produces the state bits s = 0 1 0 ... 1 0; the state update function f and the output function g then generate the key stream 0 1 0 1 0 0 0 1 1 0 1 0 ..., a pseudorandom bit sequence]
Example: RC4 Stream Cipher

   Developed 1987 by Ron Rivest for RSA Data
    Security Inc.
   Anonymously disclosed in 1994
   Specified in IEEE 802.11 to be used for WEP.




Example: RC4 Stream Cipher

   Usually used in an 8-bit version:

    − The state consists of 2^8 · 8 bits (256 bytes S(0),...,S(255)).

    − The key consists of up to 256 bytes K0,K1,...,K(l-1).

    − The key scheduling algorithm h = KSA(K) defines a
      permutation S ∈ S_256.

    − The state update function f swaps two entries of S.

    − The pseudo random output generating functions f and g
      are denoted as PRGA. They do not take k as input.
Example: RC4 Stream Cipher

[Figure: the key k = (K0,K1,...,K(l-1)) is fed to the key scheduling algorithm h, which fills the state s = (S(0),S(1),...,S(255)); f and g then produce the key stream byte by byte, using the indices i and j into S]

   The slide's Java fragments for h (KSA) and for f and g (PRGA), completed
   to one compilable class:

   public class RC4 {
       private final byte[] S = new byte[256];   // state bits s
       private int i = 0, j = 0;                 // PRGA indices

       // h = KSA(K): initialise S with the identity permutation and
       // scramble it using the key bytes K[0..l-1].
       public RC4(byte[] K) {
           int l = K.length;
           // Initialization:
           for (int i = 0; i < 256; ++i)
               S[i] = (byte) i;
           int j = 0;
           // Scrambling:
           for (int i = 0; i < 256; ++i) {
               j = (j + S[i] + K[i % l]) & 0xff;
               byte t = S[i];
               S[i] = S[j];
               S[j] = t;
           }
       }

       // f and g (PRGA): advance the state (swap two entries of S) and
       // return one key stream byte; the key K is not used any more.
       public byte prga() {
           i = (i + 1) & 0xff;
           j = (j + S[i]) & 0xff;
           byte t = S[i];
           S[i] = S[j];
           S[j] = t;
           return S[(S[i] + S[j]) & 0xff];
       }
   }
Symmetric Ciphers – Stream Ciphers

     Stream Ciphers based on LFSRs
Shift Registers

    LFSR = linear feedback shift register of length L:

[Figure: a shift register with cells numbered L-1, L-2, ..., 2, 1, 0; at each clock step the contents move one cell to the right and the bit in cell 0 is output]
Feedback Shift Registers

    LFSR = linear feedback shift register of length L:

[Figure: the same register, where a boolean function of the cell contents is fed back into cell L-1 at each clock step]
Linear Feedback Shift Registers

    LFSR = linear feedback shift register of length L:

[Figure: the feedback is the sum over F2 (XOR) of the cells selected by the coefficients $1 + 1\cdot x + 0\cdot x^2 + \dots + 1\cdot x^{L-2} + 0\cdot x^{L-1} + 1\cdot x^{L}$]

    Connection Polynomial:
      $c(x) = 1 + x + \dots + x^{L-2} + x^{L} \in \mathbb{F}_2[x]$
Properties of LFSRs

 Some facts about LFSRs:

    (1) If $(s_{L-1}, s_{L-2}, \dots, s_1, s_0)$ is the initial state of an LFSR with
    connection polynomial

            $c(x) = 1 + c_1 x + \dots + c_{L-1} x^{L-1} + c_L x^{L}$,

    then the output sequence $(s_0, s_1, s_2, \dots)$ is determined by
    the following recursion for $j \ge L$:

              $s_j = c_1 s_{j-1} + \dots + c_{L-1} s_{j-L+1} + c_L s_{j-L}$.
Properties of LFSRs

     (2) Every output sequence $(s_0, s_1, s_2, \dots)$ of an LFSR with
     connection polynomial

             $c(x) = 1 + c_1 x + \dots + c_{L-1} x^{L-1} + c_L x^{L}$,

     is periodic if and only if $c_L \ne 0$.
Properties of LFSRs

     (3) If $c(x)$ has degree $L$ and is irreducible over $\mathbb{F}_2$, then
     the period of every non-trivial output sequence is given
     by the smallest positive integer $N$ such that $c(x)$ divides
     $x^N + 1$. (Remark: $N$ is always a divisor of $2^L - 1$.)

     (4) If $c(x)$ has degree $L$ and is primitive over $\mathbb{F}_2$, then the
     period of every non-trivial output sequence has the maximal
     possible length $2^L - 1$.
Properties of LFSRs

     (5) Output sequences $(s_0, s_1, s_2, \dots)$ of maximum-length
     LFSRs (m-sequences) have good statistical properties.
     But:
     (6) Knowledge of L output bits in a row allows the
     calculation of all following bits.

     This makes a keystream generated by the output of an
     LFSR vulnerable to known-plaintext attacks.
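Added example, not part of the slides: an LFSR driven by its connection polynomial c(x), with the period computation of properties (3) and (4) and the continuation of the sequence from L known bits of property (6). The sample polynomials x^4 + x + 1 (primitive) and x^4 + x^3 + x^2 + x + 1 (irreducible but not primitive) are assumed for the demonstration.

```python
from typing import List, Optional


def lfsr_sequence(coeffs: List[int], init_state: List[int], length: int) -> List[int]:
    """Output bits s_0, s_1, ... of the LFSR with connection polynomial
    c(x) = 1 + c_1 x + ... + c_L x^L, coeffs = [c_1, ..., c_L], and initial
    state given as [s_0, s_1, ..., s_{L-1}].  Bits with index j >= L follow
    the recursion  s_j = c_1 s_{j-1} + ... + c_L s_{j-L}  (mod 2)."""
    L = len(coeffs)
    s = list(init_state)
    while len(s) < length:
        j = len(s)
        s.append(sum(coeffs[i - 1] * s[j - i] for i in range(1, L + 1)) % 2)
    return s[:length]


def period(coeffs: List[int], init_state: List[int]) -> int:
    """Number of clock steps until the register returns to its initial
    state, i.e. the period of the output sequence.  Requires c_L = 1
    (property 2); otherwise the sequence is only eventually periodic."""
    if coeffs[-1] != 1:
        raise ValueError("c_L = 0: output sequence is not periodic")
    L = len(coeffs)
    start = tuple(init_state)
    s = lfsr_sequence(coeffs, init_state, L + 2 ** L)
    for n in range(1, 2 ** L + 1):
        if tuple(s[n:n + L]) == start:
            return n
    raise AssertionError("unreachable: a register with 2^L states must repeat")


def poly_from_coeffs(coeffs: List[int]) -> int:
    """c(x) as an int: bit i holds the coefficient of x^i (bit 0 is the constant 1)."""
    c = 1
    for i, ci in enumerate(coeffs, start=1):
        c |= ci << i
    return c


def poly_mod(a: int, m: int) -> int:
    """Remainder of a modulo m in F2[x] (polynomials as bit masks)."""
    dm = m.bit_length() - 1
    while a and a.bit_length() - 1 >= dm:
        a ^= m << (a.bit_length() - 1 - dm)
    return a


def smallest_n(c: int) -> Optional[int]:
    """Property (3): the smallest N >= 1 with c(x) | x^N + 1, searched up to
    2^L - 1 (the bound given in the remark on the slide)."""
    L = c.bit_length() - 1
    for N in range(1, 2 ** L):
        if poly_mod((1 << N) | 1, c) == 0:
            return N
    return None


def continue_from_window(coeffs: List[int], window: List[int], count: int) -> List[int]:
    """Property (6): any L consecutive output bits fix the register state, so
    the next `count` bits follow from the recursion alone.  This is why a
    plain LFSR key stream fails against known-plaintext attacks."""
    L = len(coeffs)
    if len(window) != L:
        raise ValueError("need exactly L consecutive output bits")
    return lfsr_sequence(coeffs, window, L + count)[L:]


if __name__ == "__main__":
    # x^4 + x + 1 is primitive over F2: period 2^4 - 1 = 15 (property 4).
    # x^4 + x^3 + x^2 + x + 1 is irreducible but not primitive: period 5 (property 3).
    for coeffs in ([1, 0, 0, 1], [1, 1, 1, 1]):
        c = poly_from_coeffs(coeffs)
        print(bin(c), "period", period(coeffs, [1, 0, 0, 0]), "N", smallest_n(c))
```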
LFSRs in Key Stream Generators




    Breaking Linearity:

    - Usage of nonlinear combinations of the output sequences
      of several LFSRs.

    - Usage of nonlinear filtering functions on the output of a
      single LFSR

    - Usage of the output of LFSRs to control the clock of other
      LFSRs

Stream Cipher defined in Bluetooth

[Figure: the stream cipher defined in the Bluetooth specification (Bluetooth, 1.2, H 4.4)]
Symmetric Ciphers – Block Ciphers
Block Ciphers

[Figure: an n bit plaintext block m (block length n) is encrypted with Ek, k ∈ K (key space K), to the n bit ciphertext block c = Ek(m)]
Block Ciphers

[Figure: m = 1 0 0 1 0 1 0 0 0 ... 0 0 0, m ∈ (F2)^n (block), n bit plaintext (block length n); key k = 0 1 0 ... 1 0, k ∈ K = (F2)^s (key space K); E : K × (F2)^n → (F2)^n and Ek : (F2)^n → (F2)^n; c = Ek(m) = 1 1 0 0 0 0 0 1 1 ... 1 0 1, c ∈ (F2)^n, n bit ciphertext (cipher block)]
Block Ciphers

   How many different block ciphers can be defined for
    the encryption of blocks of length n?

   Why not use random permutations of the set of all
    2^n blocks of length n for the construction of block
    ciphers?
Design of Block Ciphers

   A block cipher shall exhibit the same statistical features
    as a random permutation of all 2^n blocks of length n.
   Encryption and decryption shall be efficiently
    implementable in SW and HW (runtime performance,
    memory requirements).
   Block ciphers are usually organized in rounds, where the
    following types of basic operations are repeatedly
    executed:
    − Permutations of the bits of a block.
    − Substitutions (S-Boxes) of values in subblocks.
Block Ciphers

   The length of the plaintext data must be a multiple of n.
    − Padding operations are needed.
   Simply encrypting data block by block (ECB mode)
    may allow dictionary attacks. To prevent such attacks,
    use:
    − CBC mode
    − Random IV values

                    ECB   Electronic Code Book
                    CBC   Cipher Block Chaining
                    IV    Initialization Vector
ECB mode (Electronic Code Book)

[Figure: each plaintext block B1, B2, B3, ..., Bn is encrypted independently with Ek under the same key k: Ci = Ek(Bi)]
CBC mode (Cipher Block Chaining) - Encryption

[Figure: each plaintext block is XORed with the previous ciphertext block (the IV for B1) before encryption: C1 = Ek(B1 XOR IV), Ci = Ek(Bi XOR C(i-1)) for i = 2, ..., n]
CBC mode (Cipher Block Chaining) - Decryption

[Figure: each ciphertext block is decrypted with Dk and XORed with the previous ciphertext block (the IV for C1): B1 = Dk(C1) XOR IV, Bi = Dk(Ci) XOR C(i-1) for i = 2, ..., n]
CFB mode (Cipher Feedback) - Encryption

[Figure: the IV, and then each ciphertext block, is encrypted with Ek and XORed with the next plaintext block: C1 = B1 XOR Ek(IV), Ci = Bi XOR Ek(C(i-1)) for i = 2, ..., n]
CFB mode (Cipher Feedback) - Decryption

[Figure: B1 = C1 XOR Ek(IV), Bi = Ci XOR Ek(C(i-1)) for i = 2, ..., n; only the encryption function Ek is needed for decryption]
OFB mode (Output Feedback) - Encryption

[Figure: Ek is iterated on the IV to produce a key stream O1 = Ek(IV), Oi = Ek(O(i-1)), independent of the data; Ci = Bi XOR Oi for i = 1, ..., n]
OFB mode (Output Feedback) - Decryption

[Figure: the same key stream O1 = Ek(IV), Oi = Ek(O(i-1)) is generated and Bi = Ci XOR Oi for i = 1, ..., n; only Ek is needed]
CTR mode (Counter) - Encryption

[Figure: the counter values CTR, CTR+1, CTR+2, ..., CTR+n-1 are encrypted with Ek and XORed with the plaintext blocks: Ci = Bi XOR Ek(CTR+i-1) for i = 1, ..., n]
CTR mode (Counter) - Decryption

[Figure: the same counter blocks are encrypted with Ek and XORed with the ciphertext blocks: Bi = Ci XOR Ek(CTR+i-1) for i = 1, ..., n; only Ek is needed]
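Added example, not from the slides: ECB, CBC and CTR as shown in the diagrams above, built on a constructed 64-bit Feistel block cipher (a keyed permutation used only as a stand-in for a real cipher such as AES), with PKCS#7-style padding and a check that shows why ECB leaks repeated blocks and why CBC needs a random IV. The key, messages and IVs are sample values.

```python
import hashlib
import os

BLOCK = 8  # block length n = 64 bit for the toy cipher below


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(k: bytes, r: int, half: bytes) -> bytes:
    # Keyed round function (SHA-256 truncated to half a block).
    return hashlib.sha256(k + bytes([r]) + half).digest()[:BLOCK // 2]


def ek(k: bytes, m: bytes) -> bytes:
    """E_k: constructed 8-round Feistel cipher on 64-bit blocks.  It is a
    keyed permutation, which is all the modes need, but it is a teaching
    stand-in and NOT a real block cipher."""
    assert len(m) == BLOCK
    left, right = m[:4], m[4:]
    for r in range(8):
        left, right = right, xor(left, _f(k, r, right))
    return left + right


def dk(k: bytes, c: bytes) -> bytes:
    """D_k: run the Feistel rounds backwards."""
    assert len(c) == BLOCK
    left, right = c[:4], c[4:]
    for r in reversed(range(8)):
        left, right = xor(right, _f(k, r, left)), left
    return left + right


def pad(m: bytes) -> bytes:
    """Plaintext length must be a multiple of n: PKCS#7-style padding."""
    p = BLOCK - len(m) % BLOCK
    return m + bytes([p]) * p


def unpad(m: bytes) -> bytes:
    p = m[-1]
    if not 1 <= p <= BLOCK or m[-p:] != bytes([p]) * p:
        raise ValueError("bad padding")
    return m[:-p]


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(k: bytes, m: bytes) -> bytes:
    """ECB: C_i = E_k(B_i).  Equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(ek(k, b) for b in blocks(pad(m)))


def cbc_encrypt(k: bytes, iv: bytes, m: bytes) -> bytes:
    """CBC: C_1 = E_k(B_1 XOR IV), C_i = E_k(B_i XOR C_{i-1}); the IV is prepended."""
    out, prev = [], iv
    for b in blocks(pad(m)):
        prev = ek(k, xor(b, prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(k: bytes, c: bytes) -> bytes:
    """CBC: B_i = D_k(C_i) XOR C_{i-1}, with C_0 = IV."""
    iv, body = c[:BLOCK], c[BLOCK:]
    out, prev = [], iv
    for cb in blocks(body):
        out.append(xor(dk(k, cb), prev))
        prev = cb
    return unpad(b"".join(out))


def ctr_crypt(k: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: C_i = B_i XOR E_k(CTR + i - 1).  No padding; decryption = encryption."""
    ctr = int.from_bytes(nonce, "big")
    out = bytearray()
    for i, b in enumerate(blocks(data)):
        ks = ek(k, ((ctr + i) % (1 << 64)).to_bytes(BLOCK, "big"))
        out += xor(b, ks)
    return bytes(out)


def repeated_blocks(c: bytes) -> int:
    """Dictionary-attack indicator: how many ciphertext blocks are repeats."""
    bs = blocks(c)
    return len(bs) - len(set(bs))


if __name__ == "__main__":
    k = b"constructed-key-"           # sample key for the demo
    m = b"SAMEBLOK" * 3                # three identical plaintext blocks
    print("ECB repeats:", repeated_blocks(ecb_encrypt(k, m)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(k, os.urandom(BLOCK), m)[BLOCK:]))
    print(cbc_decrypt(k, cbc_encrypt(k, os.urandom(BLOCK), m)) == m)
```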
Frequently used Block Ciphers

    DES (Data Encryption Standard)
    − Effective key length: 56 bit
    − Block length: 64 bit
    − Developed by IBM (Predecessor: Lucifer Algo.)
    − US Federal Standard FIPS 46, published 1977.
    − DES was/is specified in many standards to be used for
      cryptographic usages (ANSI-standards, HBCI, ...)
    − Main weakness: short key length




Frequently used Block Ciphers

    Triple-DES (3DES, DES-EDE)
    − Effective key length: 168 bit (EDE modus: 112 bit)
    − Effective security: 112 bit
    − Main weakness: Weak performance




Frequently used Block Ciphers

   AES (Advanced Encryption Standard)
    − Specified key lengths: 128, 192, 256 bit
    − Block length: 128 bit
    − Winning algorithm (Rijndael algorithm) of an
      international contest (organised by NIST).
    − US Federal Standard FIPS PUB 197, published 2001.
Hash Functions (Message Digest, Digital Fingerprint)

[Figure: section title; the hash function H]
Hash Functions

[Figure: an input bit string m = 0 1 1 ... of arbitrary length is mapped by H to h = H(m) = 0 1 0 ... 1 0 of fixed length n]

    A Hash (Digital Fingerprint, Message Digest) H is a mapping of
    the set of all binary sequences of finite length (m1,m2,m3,...)
    to the set of binary sequences of some fixed length n:
    h = H(m) = (h1,h2,...,hn) ∈ (F2)^n.
Hash Functions

   Preimage resistance:
    Given a sequence (h1,h2,...,hn) ∈ (F2)^n, it is practically
    impossible to find a sequence (s1,s2,s3,...) with
    H(s1,s2,s3,...) = (h1,h2,...,hn).

   Collision resistance:
    It is practically impossible to find two sequences
    (s1,s2,s3,...) and (t1,t2,t3,...) with
    H(s1,s2,s3,...) = H(t1,t2,t3,...).
Message digest – Integrity check

[Figure: A computes the digital fingerprint h = H(m) = 0 1 0 ... 1 0 and sends it along with m; B receives m' and compares H(m') with the received fingerprint to decide whether m' = m]
Hash Functions - Applications

   Integrity checks
    − Example: Check of MD5 message digest after some
      file download
   Protection of secrets
    − Example: Password files
   Construction of PRNGs and stream ciphers
   Construction of MAC's (keyed hash)




Hash Functions – Important Examples

   MD5:          n = 128   (RFC 1321, 1992)
   RIPEMD-160:   n = 160   (RIPEMD-160, ~1992)
   SHA-1:        n = 160   (FIPS 180-1, 1993)
   SHA-256:      n = 256   (FIPS 180-2, 2002)
   SHA-384:      n = 384   (FIPS 180-2, 2002)
   SHA-512:      n = 512   (FIPS 180-2, 2002)
   SHA-224:      n = 224   (FIPS 180-2, 2002)
Iterated Hash Functions – General Model

[Figure: general model of an iterated hash function]

See: Handbook of Applied Cryptography, Chapter 9
Hash Functions – Weaknesses

   Collisions for Hash Functions MD4, MD5, HAVAL-128 and
    RIPEMD, Xiaoyun Wang, Dengguo Feng, Xuejia Lai, Hongbo
    Yu, August 2004 (http://eprint.iacr.org/2004/199.pdf)





MAC Algorithms (Message Authentication Codes)

[Figure: section title; MACk with key k]
Message Authentication Codes

[Figure: the message m = 0 1 1 ... and the key k are input to MACk, which outputs the tag s = MACk(m) = 0 1 0 ... 1 0]
Message Authentication Codes

A hash algorithm that depends on a key
   Protection of message authenticity within a (closed)
    group of users with a common secret key.

Basic MAC methods:
   CBC MAC based on a symmetric block cipher
   HMAC (Hash MAC) based on a hash function

[Figure: MAC based on a symmetric algorithm, keyed with the MAC key kM]
CBC MAC

[Figure: the blocks B1, B2, B3, ..., Bn are encrypted in CBC mode with Ek (IV, key k); the last ciphertext block is the tag MACk(B1 | B2 | ... | Bn)]
HMAC

RFC 2104 - Keyed-Hashing for Message Authentication

   Hash function H, using a compression function which
    compresses b bytes of the input per round. (Example:
    b = 64 for SHA-1.)

   Hash output length h (Example: h = 20 for SHA-1.)

   HMAC(data) = H( k XOR opad | H( k XOR ipad | data ) )

     ipad = 0x36 | 0x36 | ... | 0x36 (b bytes)

     opad = 0x5c | 0x5c | ... | 0x5c (b bytes)
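Added example (not from the slides): the HMAC formula above implemented directly with hashlib for SHA-1 (b = 64, h = 20), including the key preparation RFC 2104 prescribes, checked against the RFC 2202 test vectors and Python's own hmac module; the keys and messages in the demo are sample values.

```python
import hashlib
import hmac


def hmac_rfc2104(key: bytes, data: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC(data) = H( k XOR opad | H( k XOR ipad | data ) ) as on the slide.
    b = block size in bytes of H's compression function (64 for SHA-1),
    h = output length (20 for SHA-1).  As RFC 2104 requires, a key longer
    than b bytes is first hashed, and every key is zero-padded to b bytes."""
    b = hashlib.new(hash_name).block_size
    if len(key) > b:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(b, b"\x00")
    ipad = bytes([0x36]) * b
    opad = bytes([0x5c]) * b
    k_ipad = bytes(x ^ y for x, y in zip(key, ipad))
    k_opad = bytes(x ^ y for x, y in zip(key, opad))
    inner = hashlib.new(hash_name, k_ipad + data).digest()
    return hashlib.new(hash_name, k_opad + inner).digest()


def hmac_verify(key: bytes, data: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Constant-time comparison, so the check does not leak how many leading
    bytes of a candidate tag were correct."""
    return hmac.compare_digest(hmac_rfc2104(key, data, hash_name), tag)


def matches_stdlib(key: bytes, data: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check of the formula against Python's hmac module."""
    ours = hmac_rfc2104(key, data, hash_name)
    ref = hmac.new(key, data, getattr(hashlib, hash_name)).digest()
    return hmac.compare_digest(ours, ref)


if __name__ == "__main__":
    # RFC 2202 test case 1 for HMAC-SHA1: key = 20 bytes 0x0b, data "Hi There".
    print(hmac_rfc2104(b"\x0b" * 20, b"Hi There").hex())
    t = hmac_rfc2104(b"secret", b"amount=100")
    print("matches stdlib:", matches_stdlib(b"secret", b"amount=100"))
    print("modified message verifies:", hmac_verify(b"secret", b"amount=900", t))
```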
Asymmetric Cryptography (Public Key Cryptography)

[Figure: section title; the key pair kpub, kpriv]
Asymmetric Cryptography

   Problem: The use of symmetric ciphers requires the
    exchange of secret keys over some secure channel.
   Basic idea: Use a mathematical operation whose
    inversion is not computationally feasible (-> complexity
    theory) without knowledge of a key value (trap door
    function).

    − Factorization of integers
    − Calculation of discrete logarithms in ℤp
    − Calculation of discrete logarithms in groups
      defined by elliptic curves over finite fields
Asymmetric Cryptography

   First published solutions:
    − W. Diffie, M.E. Hellman, New Directions in
      Cryptography, 1976
    − R.C. Merkle, Secure Communication over Insecure
      Channels, 1978
    − R.L. Rivest, A. Shamir, L.M. Adleman, A Method for
      Obtaining Digital Signatures and Public-Key
      Cryptosystems, 1978




Asymmetric Cryptography

   Applications of public key cryptography:

    − Key derivation algorithms / schemes
    − Asymmetric Ciphers (encryption without a shared
      secret key)
    − Digital Signatures




Key Derivation

[Figure: A holds the key pair (kA,pub, kA,priv), B holds (kB,pub, kB,priv); both derive the same key k = 0 1 0 ... 1 0, with k = F(kA,priv, kB,pub) on A's side and k = F(kB,priv, kA,pub) on B's side]
Asymmetric Ciphers

[Figure: B owns the key pair (kpub, kpriv); A encrypts the message m with B's public key, c = Ekpub(m), and B decrypts c with Dkpriv]
Digital Signature (Signing)

[Figure: B owns the key pair (kpub, kpriv) and signs the message m with the private key kpriv]
Digital Signature (Verifying)

[Figure: A verifies the signature on the message m with B's public key kpub; the result is Ok / False]
Key Derivations

[Figure: A holds (kA,pub, kA,priv), B holds (kB,pub, kB,priv); both compute the same key k = 0 1 0 ... 1 0, k = F(kA,priv, kB,pub) = F(kB,priv, kA,pub)]
Diffie-Hellman (DH) key derivation

    Key derivation scheme proposed by W. Diffie and M.E.
     Hellman in New Directions in Cryptography (1976).
    Based on the mathematical (computational) problem of
     finding discrete logarithms.
    Applications
    − IPsec-IKE (Internet Key Exchange), RFC 4306
    − ...




Discrete Logarithms

   Let b ∈ ℕ, n ∈ ℕ.

   DL-Problem:
   Exercise: Determine for a given power $c = b^{e} \bmod n$
   the exponent $e = \log_b c$.
Diffie-Hellman (DH) key derivation

                    n ∈ ℕ prime number
                    b ∈ {2, 3, ..., n−2}

[Figure: A keeps kA,priv = eA secret and publishes kA,pub = b^eA mod n; B keeps kB,priv = eB secret and publishes kB,pub = b^eB mod n. Both derive the same key k = 0 1 0 ... 1 0 from the peer's public value and their own private exponent:
      k = F(kA,priv, kB,pub) = (b^eB)^eA mod n = (b^eA)^eB mod n = F(kB,priv, kA,pub)]
Diffie-Hellman (DH) key derivation

                 n ∈ ℕ prime number
                 b ∈ {2, 3, ..., n−2}

   n − 1 should have a big prime factor q, such that q
    divides the order of b.
   The order of b should be large: the shared key
    b^(eA⋅eB) mod n lies in the subgroup generated by b, so a
    small order leaves only a small set of possible keys, which
    an eavesdropper can search exhaustively.
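The following Python program is an added worked example; it is not part of the lecture slides. It runs the exchange of the three preceding slides over a toy safe prime (n = 1019 with q = 509 and b = 2, numbers chosen here only for readability; n = 23, q = 11 is used as a second case), enforces the parameter conditions just listed, rejects the peer values 0, 1 and n−1 that would pin the shared key, and recovers a private exponent from a public value by brute force to make concrete that the DL problem is only hard for large n.

```python
# Added example (not from the slides): Diffie-Hellman key derivation with the
# parameter checks of slide 79 and a brute-force discrete logarithm (slide 77)
# that only succeeds because the modulus is tiny. Toy numbers throughout.
import secrets


def is_prime_trial(n):
    """Trial division; adequate for the toy moduli in this example."""
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))


def multiplicative_order(b, n):
    """Smallest e >= 1 with b^e ≡ 1 (mod n); n prime, 1 < b < n."""
    x, e = b, 1
    while x != 1:
        x, e = x * b % n, e + 1
    return e


def check_dh_params(n, b):
    """n prime, b in {2,...,n-2}, n-1 with a big prime factor q that divides
    the order of b. 'Big' is taken as the safe-prime case n = 2q + 1, so the
    order of b is q or 2q. Returns the order of b."""
    if not is_prime_trial(n):
        raise ValueError("n is not prime")
    if not 2 <= b <= n - 2:
        raise ValueError("b must lie in {2, ..., n-2}")
    q = (n - 1) // 2
    if not is_prime_trial(q):
        raise ValueError("n-1 has no big prime factor q: n is not a safe prime")
    order = multiplicative_order(b, n)
    if order % q:
        raise ValueError("q does not divide the order of b")
    return order


def check_public_value(n, y):
    """Reject 0, 1 and n-1 from the peer: with those the shared key is 0, 1
    or ±1 whatever the private exponent is."""
    if not 2 <= y <= n - 2:
        raise ValueError("peer public value outside {2, ..., n-2}")
    return y


def keygen(n, b):
    """kpriv = e chosen at random from {2,...,n-2}, kpub = b^e mod n."""
    e = secrets.randbelow(n - 3) + 2
    return e, pow(b, e, n)


def derive(n, priv, peer_pub):
    """k = F(kpriv, peer kpub): (b^eB)^eA mod n on A's side, symmetric on B's."""
    return pow(check_public_value(n, peer_pub), priv, n)


def discrete_log_bruteforce(b, c, n):
    """Smallest e >= 0 with b^e ≡ c (mod n), or None. Linear in n, i.e.
    hopeless for a 2048-bit n; this is the DL problem DH rests on."""
    x = 1
    for e in range(n):
        if x == c:
            return e
        x = x * b % n
    return None


def run_exchange(n=1019, b=2):
    """Full exchange; also returns the key an eavesdropper derives after
    recovering A's exponent from A's public value by brute force."""
    check_dh_params(n, b)
    eA, pubA = keygen(n, b)
    eB, pubB = keygen(n, b)
    kA = derive(n, eA, pubB)          # A: (b^eB)^eA mod n
    kB = derive(n, eB, pubA)          # B: (b^eA)^eB mod n
    eavesdropped = discrete_log_bruteforce(b, pubA, n)
    return {"kA": kA, "kB": kB, "pubA": pubA, "pubB": pubB,
            "k_from_eavesdropper": pow(pubB, eavesdropped, n)}


def rejects(fn, *args):
    """True if fn(*args) raises ValueError; used to show the checks firing."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_exchange())
```

The order check is what a real implementation replaces by using a standardised group (e.g. the RFC 7919 groups) and a q-order subgroup test on received values; the brute-force search is there to show that with a toy n the "private" exponent is public.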
   Asymmetric Ciphers
    (Public Key Encryption Schemes)

RSA public key encryption scheme

    Public key encryption scheme proposed by R.L. Rivest,
     A. Shamir, L.M. Adleman in A Method for Obtaining
     Digital Signatures and Public-Key Cryptosystems
     (1978)
   Depends on the mathematical (computational) problem
    of factoring integers.
   Applications
   − SSL (Secure Sockets Layer) / TLS (Transport Layer
     Security)
   − ...
Fermat's Lemma

If p is a prime number and z any number coprime
to p, i.e. gcd(p,z) = 1, then
                    z^(p−1) ≡ 1 (mod p)

Sketch of proof:
  ➔   Put t = (1⋅2⋅3⋅...⋅(p−1)) mod p
  ➔   The mapping φ: ℤp → ℤp, φ(x) = (x⋅z) mod p is
      bijective, because z is invertible modulo p.
  ➔   It follows that t ≡ 1⋅2⋅3⋅...⋅(p−1) ≡
      (1⋅z)⋅(2⋅z)⋅(3⋅z)⋅...⋅((p−1)⋅z) ≡ t⋅z^(p−1) (mod p)
  ➔   Since gcd(t, p) = 1, t can be cancelled: z^(p−1) ≡ 1 (mod p).
A consequence of Fermat's Lemma

Let p, q be prime numbers (p ≠ q) and r ∈ ℤ with
r ≡ 1 (mod lcm( p−1, q−1 )). Then
            z^r ≡ z (mod (p⋅q)) for all z ∈ ℤ.

Proof:
  ➔   If z ≡ 0 (mod p), then z^r ≡ 0 ≡ z (mod p).
  ➔   If p does not divide z and r = 1 + n(p − 1), then
      z^r = z⋅(z^(p−1))^n ≡ z (mod p) by Fermat's lemma.
  ➔   Similarly z^r ≡ z (mod q).
  ➔   p and q are distinct primes, so p⋅q divides z^r − z,
      i.e. z^r ≡ z (mod (p⋅q)).
Generation of an RSA key pair

   Choose two random primes p and q (> 2^500)
   Put n = pq, v = lcm (p − 1, q − 1)
   Define a public exponent e with
                       gcd( e, v ) = 1
   Determine the private exponent d with
                      ed ≡ 1 (mod v)
   Key pair (kpub, kpriv):

             kpub = (n,e)                        kpriv = (n,d)
RSA encryption and decryption

   Encryption of a message m (< n):             kpub = (n,e)

                 c = E(m) = m^e mod n

   Decryption of c:
                                                  kpriv = (n,d)
                    D(c) = c^d mod n

 e⋅d ≡ 1 (mod v) with v = lcm(p−1, q−1), and the consequence
 of little Fermat give:
    D(c) = c^d mod n = (m^e)^d mod n
     = m^(ed) mod n = m
RSA encryption and decryption

   [Figure: A encrypts m with B's public key, c = Ekpub(m) = m^e mod n,
    and sends c; B decrypts with kpriv: Dkpriv(Ekpub(m)) = c^d mod n = m]
RSA signature algorithm

   [Figure: B signs a message m (< n) with kpriv, s = Dkpriv(m) = m^d mod n,
    and sends (m, s); A applies B's public key, Ekpub(s) = s^e mod n, and
    checks whether the result equals m, using Ekpub(Dkpriv(m)) = m]

   The same key pair as for encryption is used, with the roles of E and D
   swapped. In practice the value signed is a padded hash of m, which also
   guarantees the condition m < n for messages of arbitrary length.
Generation of an RSA key pair with a given e

   Choose a public exponent e
   Choose two random primes p and q (> 2^500) with
    gcd (e, p − 1) = gcd (e, q − 1) = 1.
    (This is equivalent to gcd(e, v) = 1, so d exists.)
   Put n = pq, v = lcm (p − 1, q − 1)
   Determine the private exponent d with
                      ed ≡ 1 (mod v)
   Key pair (kpub, kpriv):

             kpub = (n,e)                        kpriv = (n,d)
Math for RSA key pair generation
Prime number theorem

   Euclid: There are infinitely many primes
   Prime number theorem (π(x) = number of primes ≤ x)
          lim_{x→∞} π(x) / (x / ln(x)) = 1

    − Conjectured by Gauss (1792) and Legendre (1798)
    − Chebyshev (1851): If convergent, then lim = 1
    − Riemann (1859): Connection with the Zeta function
    − 1896: Proofs of Hadamard and de la Vallée Poussin
    − 1949: Elementary proof of Selberg and Erdős
   Consequence for key generation: a random number near x is
    prime with probability about 1/ln(x), near 2^512 about 1/355,
    so random search with a primality test finds primes quickly.
Prime number tests

   Deterministic tests
    − Sieve of Eratosthenes
    − Miller (1975), assuming the generalized Riemann hypothesis
    − Adleman, Pomerance, Rumely (1983)
    − Agrawal, Kayal, Saxena (2004)
   Probabilistic tests
    − Miller-Rabin
    − Solovay-Strassen
    − Goldwasser-Kilian
Miller-Rabin prime number test

   Fermat's lemma as a test
If z is a natural number with 1 < z < p and
              z^(p−1) ≢ 1 (mod p) ,
 then p is not a prime number. (The converse fails: Carmichael
 numbers such as 561 = 3⋅11⋅17 satisfy z^(p−1) ≡ 1 (mod p) for
 every z coprime to p, so the Fermat test alone is not enough.)

   Miller-Rabin
Write p − 1 = 2^s⋅a with a odd. If p is prime, then for every z
with 1 < z < p either z^a ≡ 1 (mod p) or z^(2^r⋅a) ≡ −1 (mod p)
for some 0 ≤ r < s, because modulo a prime the only square roots
of 1 are ±1. If p is not a prime number and z is chosen at
random, then with probability > ¾ neither condition holds, i.e.
z is a witness for the compositeness of p. After k independent
random z the probability of accepting a composite p is below (¼)^k.
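As an added worked example (not from the slides), the Python code below implements the Miller-Rabin witness test next to the plain Fermat test and counts witnesses exhaustively for small composites, so the ">¾" claim above and the weakness of the Fermat test on Carmichael numbers can be checked directly. The numbers 561 (Carmichael), 221 = 13⋅17 and the prime 1019 are chosen here for illustration.

```python
# Added example (not from the slides): Miller-Rabin versus the Fermat test.
import secrets


def fermat_witness(z, p):
    """Fermat's lemma as a test: z^(p-1) ≢ 1 (mod p) proves p composite."""
    return pow(z, p - 1, p) != 1


def miller_rabin_witness(z, p):
    """True if z proves the odd number p composite (z is a 'witness'),
    False if z is a strong liar or p is prime. Writes p - 1 = 2^s * a with
    a odd; p passes for z iff z^a ≡ 1 or z^(2^r a) ≡ -1 (mod p), r < s."""
    a, s = p - 1, 0
    while a % 2 == 0:
        a //= 2
        s += 1
    x = pow(z, a, p)
    if x in (1, p - 1):
        return False
    for _ in range(s - 1):
        x = x * x % p
        if x == p - 1:
            return False
        if x == 1:            # a square root of 1 other than ±1: p is composite
            return True
    return True


def is_probable_prime(p, rounds=40):
    """Miller-Rabin with random bases; error probability below (1/4)^rounds."""
    if p < 2:
        return False
    if p in (2, 3):
        return True
    if p % 2 == 0:
        return False
    for _ in range(rounds):
        z = secrets.randbelow(p - 3) + 2        # z in {2, ..., p-2}
        if miller_rabin_witness(z, p):
            return False
    return True


def witness_fraction(p, witness):
    """Fraction of z in {2,...,p-2} exposing p under the given test.
    Exhaustive, so only for small p."""
    bases = range(2, p - 1)
    return sum(witness(z, p) for z in bases) / len(bases)


def generate_prime(bits, rounds=40):
    """Random prime of exactly `bits` bits: set the top bit, force odd, test."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rounds):
            return cand


if __name__ == "__main__":
    print("Fermat witnesses for 561:", witness_fraction(561, fermat_witness))
    print("Miller-Rabin witnesses for 561:", witness_fraction(561, miller_rabin_witness))
    print("32-bit prime:", generate_prime(32))
```

For a prime p the witness fraction is exactly 0, which is the easiest correctness check of an implementation; for 561 the Fermat test only catches the bases that share a factor with 561, while Miller-Rabin catches well over three quarters of them.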
Math for RSA decryption

   Decryption of c:                               kpriv = (n,d)

                    D(c) = c^d mod n

   c and d are of a size similar to n, i.e. the exponentiation
    needs about log2(n) modular squarings (plus multiplications)
    on numbers of the size of n. The Chinese remainder theorem
    lets it be replaced by two exponentiations modulo the
    half-size primes p and q.
Chinese remainder theorem (CRT)

Assume p and q are coprime numbers. Then for every
pair of numbers (a,b), there exists a unique non-negative
integer x < pq with
     x ≡ a (mod p)     and       x ≡ b (mod q) .

   Extended Euclidean algorithm gives v, w with:
       1 = vp + wq
   x ≡ (vp)⋅b + (wq)⋅a (mod pq)            satisfies the claim,
    since vp ≡ 0 (mod p), vp ≡ 1 (mod q), wq ≡ 1 (mod p), wq ≡ 0 (mod q)
   Example: Find x with x ≡ 2 (mod 5) and x ≡ 4 (mod 7)
       3⋅5 + (−2)⋅7 = 1,         15⋅4 − 14⋅2 = 32
RSA CRT private key

   Substitute parameter d with ed ≡ 1 (mod v) by:

    − d1 with e⋅d1 ≡ 1 (mod (p−1))              ( d1 = d mod (p−1) )

    − d2 with e⋅d2 ≡ 1 (mod (q−1))              ( d2 = d mod (q−1) )

    − q* with q⋅q* ≡ 1 (mod p)


   RSA decryption of c = m^e mod (pq) :
    − m1 = c^d1 mod p                             ( = m mod p, by Fermat )
    − m2 = c^d2 mod q                             ( = m mod q )

    − m = m2 + q ⋅ [ q* ⋅ (m1 − m2) mod p ]         ( ≡ m1 mod p, ≡ m2 mod q )
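The following Python program is an added worked example and not part of the slides. It serves the key-generation slides (key pair for a given e), the encryption and signature slides, the CRT slide and this CRT private-key slide: it builds the key pair with v = lcm(p−1, q−1), derives (d1, d2, q*), decrypts both plainly and via the recombination formula above, and checks the CRT example with 5 and 7. The primes are toy 20-bit values found by trial division, there is no padding, and the small key p = 61, q = 53, e = 17 in the self-check is a constructed test case, not a value from the lecture.

```python
# Added example (not from the slides): textbook RSA with the key-generation
# rules of slides 89/90 and the CRT private key of slides 99/100.
# Toy-sized primes and no padding: for following the math, not for use.
import secrets
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def extended_gcd(a, b):
    """Return (g, x, y) with g = gcd(a, b) = a*x + b*y."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a, m):
    """Inverse of a modulo m; exists iff gcd(a, m) = 1."""
    g, x, _ = extended_gcd(a, m)
    if g != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return x % m


def crt(a, p, b, q):
    """Slide 99: the unique 0 <= x < pq with x ≡ a (mod p), x ≡ b (mod q),
    from 1 = v*p + w*q as x = (v*p)*b + (w*q)*a (mod pq)."""
    g, v, w = extended_gcd(p, q)
    if g != 1:
        raise ValueError("p and q must be coprime")
    return ((v * p) * b + (w * q) * a) % (p * q)


def is_prime_trial(n):
    """Trial division; adequate for the ~20-bit toy primes used here."""
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))


def random_prime(bits, e):
    """Random prime of the given bit length with gcd(e, p-1) = 1 (slide 90)."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime_trial(p) and gcd(e, p - 1) == 1:
            return p


def keypair_from_primes(p, q, e):
    """Key pair of slide 90 plus the CRT private key (d1, d2, q*) of slide 100."""
    if p == q or gcd(e, p - 1) != 1 or gcd(e, q - 1) != 1:
        raise ValueError("need p != q and e coprime to p-1 and q-1")
    n, v = p * q, lcm(p - 1, q - 1)
    d = modinv(e, v)                                   # e*d ≡ 1 (mod v)
    return {"n": n, "e": e, "d": d, "p": p, "q": q,
            "d1": d % (p - 1), "d2": d % (q - 1), "q*": modinv(q, p)}


def generate_keypair(bits=20, e=65537):
    p = random_prime(bits, e)
    q = random_prime(bits, e)
    while q == p:
        q = random_prime(bits, e)
    return keypair_from_primes(p, q, e)


def check_key(key):
    """Invariants of slides 89/90: n = pq, gcd(e, p-1) = gcd(e, q-1) = 1, ed ≡ 1 (mod v)."""
    p, q, e, d = key["p"], key["q"], key["e"], key["d"]
    return (key["n"] == p * q and gcd(e, p - 1) == 1 and gcd(e, q - 1) == 1
            and (e * d) % lcm(p - 1, q - 1) == 1)


def encrypt(key, m):            # c = E(m) = m^e mod n, requires 0 <= m < n
    if not 0 <= m < key["n"]:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, key["e"], key["n"])


def decrypt(key, c):            # D(c) = c^d mod n, one full-size exponentiation
    return pow(c, key["d"], key["n"])


def decrypt_crt(key, c):
    """Slide 100: two half-size exponentiations and Garner's recombination."""
    p, q = key["p"], key["q"]
    m1 = pow(c, key["d1"], p)                           # = m mod p
    m2 = pow(c, key["d2"], q)                           # = m mod q
    return m2 + q * ((key["q*"] * (m1 - m2)) % p)


def sign(key, m):               # s = m^d mod n (slides 87/88)
    return pow(m, key["d"], key["n"])


def verify(key, m, s):          # Ekpub(s) = s^e mod n must equal m
    return pow(s, key["e"], key["n"]) == m


def roundtrip(bits=20, e=65537):
    """Generate a fresh key and exercise every operation on a random message."""
    key = generate_keypair(bits, e)
    m = secrets.randbelow(key["n"])
    c, s = encrypt(key, m), sign(key, m)
    return {"key_ok": check_key(key),
            "decrypt_ok": decrypt(key, c) == m,
            "crt_ok": decrypt_crt(key, c) == m,
            "sig_ok": verify(key, m, s),
            "forgery_rejected": not verify(key, (m + 1) % key["n"], s)}
```

The CRT path computes with exponents and moduli of half the size of n, which is where the roughly fourfold speed-up of CRT-RSA comes from; it also shows why p and q must be kept secret as part of the private key.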

				