Public Key Cryptography

Similar documents
Lecture 2 Applied Cryptography (Part 2)

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Public Key Algorithms

CSC 474/574 Information Systems Security

Chapter 9 Public Key Cryptography. WANG YANG

Public Key Cryptography

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Chapter 9. Public Key Cryptography, RSA And Key Management

Overview. Public Key Algorithms I

RSA (material drawn from Avi Kak Lecture 12, Lecture Notes on "Computer and Network Security" Used in asymmetric crypto.

Network Security. Chapter 4 Public Key Cryptography. Public Key Cryptography (4) Public Key Cryptography

Public Key Algorithms

Public Key Algorithms

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Public-key encipherment concept

Digital Signature. Raj Jain

CS669 Network Security

Chapter 3 Public Key Cryptography

Public Key (asymmetric) Cryptography

CSE 127: Computer Security Cryptography. Kirill Levchenko

Public Key Cryptography and the RSA Cryptosystem

CSC/ECE 774 Advanced Network Security

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who

Cryptography Symmetric Cryptography Asymmetric Cryptography Internet Communication. Telling Secrets. Secret Writing Through the Ages.

Applied Cryptography and Computer Security CSE 664 Spring 2018

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

Cryptography and Network Security

1. Digital Signatures 2. ElGamal Digital Signature Scheme 3. Schnorr Digital Signature Scheme 4. Digital Signature Standard (DSS)

Computer Security 3/23/18

4 PKI Public Key Infrastructure

RSA (algorithm) History

Chapter 7 Public Key Cryptography and Digital Signatures

Cryptography and Network Security. Sixth Edition by William Stallings

Key Management and Distribution

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Public Key Cryptography, OpenPGP, and Enigmail. 31/5/ Geek Girls Carrffots GVA

Topics. Number Theory Review. Public Key Cryptography

Introduction to Cryptography Lecture 7

Tuesday, January 17, 17. Crypto - mini lecture 1

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security

Public Key Encryption. Modified by: Dr. Ramzi Saifan

ASYMMETRIC CRYPTOGRAPHY

Number Theory and RSA Public-Key Encryption

Computer Security: Principles and Practice

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

RSA. Public Key CryptoSystem

PUBLIC KEY CRYPTO. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

Cryptography (DES+RSA) by Amit Konar Dept. of Math and CS, UMSL

Channel Coding and Cryptography Part II: Introduction to Cryptography

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Basics of Cryptography

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

Public-Key Cryptography

Part VI. Public-key cryptography

CS Network Security. Nasir Memon Polytechnic University Module 7 Public Key Cryptography. RSA.

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

1.264 Lecture 28. Cryptography: Asymmetric keys

Some Stuff About Crypto

Iqbal Singh Deptt. of Computer Science, Bhagwant University, Rajasthan, India

Cryptography and Network Security Chapter 10. Fourth Edition by William Stallings

Introduction to Cryptography Lecture 7

Lecture 6: Overview of Public-Key Cryptography and RSA

Public Key Cryptography and RSA

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

(a) Symmetric model (b) Cryptography (c) Cryptanalysis (d) Steganography

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

What did we talk about last time? Public key cryptography A little number theory

Cryptographic Systems

A SIGNATURE ALGORITHM BASED ON DLP AND COMPUTING SQUARE ROOTS

Encryption. INST 346, Section 0201 April 3, 2018

10.1 Introduction 10.2 Asymmetric-Key Cryptography Asymmetric-Key Cryptography 10.3 RSA Cryptosystem

1. Diffie-Hellman Key Exchange

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Kurose & Ross, Chapters (5 th ed.)

The Application of Elliptic Curves Cryptography in Embedded Systems

Chapter 3. Principles of Public-Key Cryptosystems

Lecture 6 - Cryptography

UNIT III 3.1DISCRETE LOGARITHMS

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 6 Introduction to Public-Key Cryptography

Secure Multiparty Computation

Cryptography V: Digital Signatures

APNIC elearning: Cryptography Basics

Public Key Cryptography 2. c Eli Biham - December 19, Public Key Cryptography 2

CRC Press has granted the following specific permissions for the electronic version of this book:

Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology. Question Bank

The evolving storage encryption market

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security

Elliptic Curve Public Key Cryptography

Crypto CS 485/ECE 440/CS 585 Fall 2017

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Encryption Details COMP620

Math236 Discrete Maths with Applications

Public-Key Cryptanalysis

Abhijith Chandrashekar and Dushyant Maheshwary

Transcription:

Public Key Cryptography Giuseppe F. Italiano Universita` di Roma Tor Vergata italiano@disp.uniroma2.it Motivation Until early 70s, cryptography was mostly owned by government and military Symmetric cryptography not ideal for commercialization Enormous key distribution problem; most parties may have never physically met Must ensure authentication, to avoid impersonation, fabrication Few researchers (Diffie, Hellman, Merkle), in addition to the IBM group, started exploring Cryptography because they realized it is critical to the forthcoming digital world Privacy Effective commercial relations Payment Voting Public-Key Cryptography First proposed by Diffie and Hellman, and independently by Merkle (1976) Idea: use separate keys to encrypt and decrypt Merkle proposed puzzles, and then knapsack problems Pair of keys is generated by each user Public key is advertised Private key is kept secret, and is computationally infeasible to discover from the public key and ciphertexts Each key can decrypt messages encrypted using the other key Applications: Encryption Authentication (Digital Signature) Key Exchange (to establish Session Key) 1

Public-Key Cryptography Find function s.t. its inverse difficult to compute (one way) Arithmetic modulo n : say, compute x s.t. 453 x = 5787 (mod 21997) x 1 2 3 4 5 6 3 x 3 9 27 81 243 729 3 x (mod 7) 3 2 6 4 5 1 Diffie-Hellman Key Exchange Alice First public-key algorithm, based on the difficulty of computing discrete logarithms modulo n Protocol: Use key exchange protocol to establish session key Use session key to encrypt actual communication Algorithm: Choose a large prime n, and a primitive root g select x X=g x mod n Y=g y mod n select y Bob Compute K=Y x mod n K=g xy mod n Compute K=X y mod n Public-Key Encryption Sender uses the public key of the receiver to encrypt Receiver uses her private key to decrypt 2

Authentication Using Public-Key The sender encrypts the message with his own private key The receiver, by decrypting, verifies key possession Public-Key Algorithms: Requirements It is computationally easy to generate a pair of keys It is computationally easy to encrypt using the public key It is computationally easy to decrypt using the private key It is computationally infeasible to compute the private key from the public key It is computationally infeasible to recover the plaintext from the public key and ciphertext Either of the related keys can decrypt a message encrypted using the other key Note: it should be computationally infeasible to decrypt using same key used for encryption RSA Developed by Rivest, Shamir, and Adleman (1977), and is most widely used Classified version of RSA developed by GCHQ (Ellis and Cocks) in 1973 Gets its security from the difficulty of factoring large numbers Works as a block cipher, where each plaintext/ciphertext block is integer between 0 and n Algorithm: Receiver chooses e, d The values of e, and n are made public; d is kept secret Encryption: C=M e mod n Decryption: M=C d mod n = M ed mod n Requisite: Find e, d such that M=M ed mod n, for all M<n Make sure that d cannot be computed from n and e, not even if a ciphertext is available 3

RSA Key Generation Select primes p and q, n = pq Calculate Φ(n) = (p-1)(q-1) Euler totient of n number of integers between 1 and n that are relatively prime to n, i.e., {m gcd(m,n)=1} Select integer e < Φ(n) such that gcd(φ(n),e) = 1 Calculate d such that d = e -1 mod Φ(n), i.e. ed = 1 mod Φ(n) Note: The message could have been encrypted with d and decrypted by e RSA Key Generation: Why it Works Fermat s Little Theorem For a prime p, a such that gcd(a,p) = 1: a (p-1) = 1 mod p Euler s extension For primes p,q, a such that gcd(a,pq) = 1: a (p-1)(q-1) = 1 mod pq Show first M ed mod p = M k(p-1)(q-1)+1 mod p = M mod p Two cases: (1) p divides M or (2) gcd(m,p)=1 (1) M mod p = 0 thus M k(p-1)(q-1)+1 mod p = 0 RSA Key Generation: Why it Works Fermat: prime p, a s.t. gcd(a,p) = 1: a (p-1) = 1 mod p Show M ed mod p = M k(p-1)(q-1)+1 mod p = M mod p Two cases: (1) p divides M or (2) gcd(m,p)=1 (2) M k(p-1)(q-1)+1 mod p = (M mod p) (M (p-1) mod p) k(q-1) = (M mod p) (1) k(q-1) = M mod p Similarly M ed mod q = M k(p-1)(q-1)+1 mod q = M mod q Hence: M ed mod n = M k(p-1)(q-1)+1 mod n = M mod n 4

RSA Key Generation: Why it Works In summary: M ed mod n = M k(p-1)(q-1)+1 mod n = 1xM = M To generate primes, use primality test For a non-prime, Fermat s theorem will usually fail on a random a Carmichael numbers are very rare exception, and if chosen decryption won t work. Can reduce the probability by checking more a s Primes are dense enough (almost one of every k k-bit numbers) GCD to select e takes O(log n) time Calculate d = e -1 mod n using Euler extended GCD algorithm Exponentiation (Encrypt/Decrypt) takes O(log n) time RSA gets its security from the difficulty of factoring n = pq RSA: Why it Works (Summary) Since ed = 1 mod Φ(n), there exists an integer k such that ed = 1 + k Φ(n). If gcd(m, p) = 1 then by Fermat s theorem M p-1 = 1 mod p Raising both sides to k(q-1) and then multiplying both sides by M: M 1+k (p-1) (q-1) = M mod p On the other hand, if gcd(m, p) = p, then last congruence again valid since each side congruent to 0 modulo p. Hence, in all cases M ed = M mod p By same argument, M ed = M mod q Since p and q are distinct primes: M ed = M mod n RSA Example Key Generation Select p = 7, q = 17, n = pq = 119, Φ(119) = 96 Select e = 5; Calculate d = 77 5

Attacks on RSA Algorithm If one could factor n, which is available, into p and q, then d could be deduced, and then the message deciphered If one could guess the value of (p-1)(q-1), even without factoring n, then again d could be deduced Attacks on RSA Protocol Chosen ciphertext attack Attack: get sender to sign (decrypt) a chosen message Inputs: original ciphertext C = M e Construct X = R e mod n, for a random R Y = XC mod n T = R -1 mod n Ask sender to sign Y, obtaining U = Y d mod n Compute TU mod n = R -1 Y d mod n = R -1 X d C d mod n = C d mod n = M Exploits preservation of multiplication under mod Conclusion: never sign a random message sign only hashes use different keys for encryption and signature Other precautions when implementing RSA protocol Do not use same n for multiple users Can decipher using two encryption (public) keys, without any decryption key Always pad messages with random numbers, making sure that M is about same size as n If e is small, there is an attack that uses e(e+1)/2 linearly dependent messages Do not choose low values for e and d For e, see above, and there is also attack on small d s 6

Other Public-Key Algorithms Merkle-Hellman Knapsack Algorithms First public-key cryptography algorithm (1976) Encode a message as as series of solutions to knapsack problems (NP- Hard). Easy (superincreasing) knapsack serves as private key, and a hard knapsack as a public key. Broken by Shamir and Zippel in 1980, showing a reconstruction of superincreasing knapsacks from the normal knapsacks Rabin Based on difficulty of finding square roots modulo n Encryption is faster: C=M 2 mod n Decryption is a bit complicated and the plaintext has to be selected from 4 possibilities El Gamal Based on difficulty of calculating discrete logarithms in a finite field Elliptic Curves can be used to implement El Gamal and Diffie- Hellman faster Digital Signatures Main sources: Network Security Essential / Stallings Applied Cryptography / Schneier Handbook of Applied Cryptography / Menezes, van Oorschot, Vanstone Public-Key Digital Signature The sender encrypts the message with his own private key The receiver, by decrypting, verifies key possession 7

Digital Signatures The entire message, encrypted with the private key, serves as the digital signature Computationally expensive Anyone can decrypt the original message Alternatively, a digest can be used Should be short Prevent decryption of the original message Prevent modification of original message Difficult to fake signature for A hash code of the message (e.g., SHA-1) If only source authentication is needed, a different message can be used Digital Signature Algorithm (DSA) Proposed in 1991 by NIST as a standard (DSS) Based on difficulty of computing discrete logarithms (like Diffie-Hellman and El Gamal) Encountered resistance because RSA was already de-facto standard Cannot be used for encryption or key distribution Faster than RSA in signature, but slower in verification Significant investment in RSA by large corporations Concerns about NSA backdoor Key size was increased from 512 to up-to 1024 bits Description of DSA Public parameters p is a prime number with up to 1024 bits q is a 160-bit factor of (p-1), and itself prime g=h (p-1)/q mod p x is the private key and is smaller than q y=g x mod p is the public key H(M) is the secure hash code of the message Signature Generate a random k<q Compute and send r=(g k mod p) mod q Compute and send s=k -1 (H(M)+xr) mod q Verification Compute w=s -1 mod q Compute u1=h(m)w mod q; u2=rw mod q Compute v=(g u1 *y u2 mod p) mod q If v=r then the signature is verified 8

Key Management for Public-Key Cryptography Main sources: Network Security Essential / Stallings Applied Cryptography / Schneier Handbook of Applied Cryptography / Menezes, van Oorschot, Vanstone Certificate Authority: Verifying the Public Key How to ensure that Charles doesn t pretend to be Bob by publishing a public-key for Bob. Then, using a Man-in-the-Middle attack, Charles can read the message and reencrypt-resend to Bob Bob prepares certificate with his identifying information and his public key (X.509) The Certificate Authority (CA) verifies the details and sign Bob s certificate Bob can publish the signed certificate More on Key Management Alice may have more than one key e.g., personal key and work key Where shall Alice store her keys Alice may not want to trust her work administrator with her personal banking key Distributed certification V1.0 CA certifies Agents who certify companies who certify employees Distributed Certification V2.0 (a la PGP) Alice will present her certificate with introducers who will vow for her Key Escrow US American Escrowed Encryption Standard suggests that private keys be broken in half and kept by two Government agencies Clipper for cellular phone encryption Capstone for computer communication 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback