Public key encryp4on: defini4ons and security

Similar documents
Public key encryption: definitions and security

The ElGamal Public- key System

Online Cryptography Course. Basic key exchange. Trusted 3 rd par7es. Dan Boneh

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Computer Security Course. Public Key Crypto. Slides credit: Dan Boneh

CS155. Cryptography Overview

CS408 Cryptography & Internet Security

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Introduction to Cryptography Lecture 7

CS155. Cryptography Overview

Ac,ve a4acks on CPA- secure encryp,on

RSA. Public Key CryptoSystem

RSA Cryptography in the Textbook and in the Field. Gregory Quenell

Introduction to Cryptography Lecture 7

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

Security of Cryptosystems

Authenticated Encryption

Authenticated Encryption

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Chapter 11 : Private-Key Encryption

Hash Functions, Public-Key Encryption CMSC 23200/33250, Autumn 2018, Lecture 6

Chapter 9. Public Key Cryptography, RSA And Key Management

Applied Cryptography and Computer Security CSE 664 Spring 2018

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Cryptography Overview

Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Lecture 15: Public Key Encryption: I

Tuesday, January 17, 17. Crypto - mini lecture 1

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Network Security Technology Project

Chapter 9 Public Key Cryptography. WANG YANG

Cryptography Overview

CS Network Security. Nasir Memon Polytechnic University Module 7 Public Key Cryptography. RSA.

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack

CS6750: Cryptography and Communica7on Security

Security: Cryptography

0x1A Great Papers in Computer Security

INTERNATIONAL JOURNAL OF ELECTRONICS AND COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET)

Public-key encipherment concept

Public Key Algorithms

Asymmetric Primitives. (public key encryptions and digital signatures)

Cryptography. Andreas Hülsing. 6 September 2016

Information Security CS526

Encryption. INST 346, Section 0201 April 3, 2018

Cryptographic Hash Functions

18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange. Dan Boneh

Public Key Algorithms

Lecture 3.4: Public Key Cryptography IV

Security and Cryptography 1. Stefan Köpsell, Thorsten Strufe. Module 5: Pseudo Random Permutations and Block Ciphers

Public Key Encryption

Workshop Challenges Startup code in PyCharm Projects

Defending Computer Networks Lecture 20: More Encryp1on. Stuart Staniford Adjunct Professor of Computer Science

Lecture 20 Public key Crypto. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Bailey s ECE 422

Computer Security: Crypto & Web Security

Public-Key Cryptography

Auth. Key Exchange. Dan Boneh

Secure Multiparty Computation

Overview. Public Key Algorithms I

CS 161 Computer Security

Advanced Cryptography 1st Semester Symmetric Encryption

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

CSC 474/574 Information Systems Security

Homomorphic Encryption

If DDH is secure then ElGamal is also secure w.r.t IND-CPA

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Encryption from the Diffie-Hellman assumption. Eike Kiltz

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

RSA (material drawn from Avi Kak Lecture 12, Lecture Notes on "Computer and Network Security" Used in asymmetric crypto.

Chapter 3 Public Key Cryptography

Public Key Cryptography and the RSA Cryptosystem

Encrypted Data Deduplication in Cloud Storage

Modular arithme.c and cryptography

Introduction to Public-Key Cryptography

RSA (algorithm) History

Public Key Encryption. Modified by: Dr. Ramzi Saifan

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

Lecture 9: Public-Key Cryptography CS /05/2018

Computational Security, Stream and Block Cipher Functions

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

Crypto CS 485/ECE 440/CS 585 Fall 2017

What did we talk about last time? Public key cryptography A little number theory

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Randomness Extractors. Secure Communication in Practice. Lecture 17

Public Key Cryptography

: Practical Cryptographic Systems March 25, Midterm

Part VI. Public-key cryptography

Lecture 2 Applied Cryptography (Part 2)

symmetric cryptography s642 computer security adam everspaugh

LECTURE NOTES ON PUBLIC- KEY CRYPTOGRAPHY. (One-Way Functions and ElGamal System)

Kurose & Ross, Chapters (5 th ed.)

CS 161 Computer Security

Computer Security CS 526

SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Transcription:

Online Cryptography Course Dan Boneh Public Key Encryp4on from trapdoor permuta4ons Public key encryp4on: defini4ons and security

Public key encryp4on Bob: generates (PK, SK) and gives PK to Alice Alice Bob m c c m E D pk sk

Applica4ons Session setup (for now, only eavesdropping security) Alice Generate (pk, sk) x pk E(pk, x) Bob choose random x (e.g. 48 bytes) Non- interac3ve applica3ons: (e.g. Email) Bob sends email to Alice encrypted using pk alice Note: Bob needs pk alice (public key management) Dan Boneh

Public key encryp4on Def: a public- key encryp4on system is a triple of algs. (G, E, D) G(): randomized alg. outputs a key pair (pk, sk) E(pk, m): randomized alg. that takes m M and outputs c C D(sk,c): det. alg. that takes c C and outputs m M or Consistency: (pk, sk) output by G : m M: D(sk, E(pk, m) ) = m

Security: eavesdropping For b=0,1 define experiments EXP(0) and EXP(1) as: b Chal. (pk,sk) G() pk m 0, m 1 M : m 0 = m 1 c E(pk, m b ) Adv. A b {0,1} EXP(b) Def: E =(G,E,D) is sem. secure (a.k.a IND- CPA) if for all efficient A: Adv SS [A,E] = Pr[EXP(0)=1] Pr[EXP(1)=1] < negligible

Rela4on to symmetric cipher security Recall: for symmetric ciphers we had two security no4ons: One- 4me security and many- 4me security (CPA) We showed that one- 4me security many- 4me security For public key encryp4on: One- 4me security many- 4me security (CPA) (follows from the fact that aaacker can encrypt by himself) Public key encryp4on must be randomized Dan Boneh

Security against ac4ve aaacks What if aaacker can tamper with ciphertext? to: caroline@gmail body mail server (e.g. Gmail) Caroline pk server aaacker: to: aaacker@gmail body sk server Aaacker is given decryp4on of msgs that start with to: a;acker aaacker Dan Boneh

(pub- key) Chosen Ciphertext Security: defini4on Dan Boneh E = (G,E,D) public- key enc. over (M,C). For b=0,1 define EXP(b): pk Chal. Adv. A b (pk,sk) G() CCA phase 1: c i C m i D(k, c i ) challenge: m 0, m 1 M : m 0 = m 1 c E(pk, m b ) CCA phase 2: c i C : c i c m i D(k, c i ) b {0,1}

Chosen ciphertext security: defini4on Def: E is CCA secure (a.k.a IND- CCA) if for all efficient A: Adv CCA [A,E] = Pr[EXP(0)=1] Pr[EXP(1)=1] is negligible. Example: Suppose (to: alice, body) (to: david, body) b Chal. pk Adv. A (pk,sk) G() chal.: (to:alice, 0), (to:alice, 1) c E(pk, m b ) c (to: david, b) CCA phase 2: c = (to: david, b) m D(sk, c ) c b Dan Boneh

Ac4ve aaacks: symmetric vs. pub- key Recall: secure symmetric cipher provides authen3cated encryp3on [ chosen plaintext security & ciphertext integrity ] Roughly speaking: a;acker cannot create new ciphertexts Implies security against chosen ciphertext aaacks In public- key sefngs: Aaacker can create new ciphertexts using pk!! So instead: we directly require chosen ciphertext security Dan Boneh

This and next module: construc4ng CCA secure pub- key systems End of Segment

Online Cryptography Course Dan Boneh Public Key Encryp4on from trapdoor permuta4ons Construc4ons Goal: construct chosen- ciphertext secure public- key encryp4on Dan Boneh

Trapdoor func4ons (TDF) Def: a trapdoor func. X Y is a triple of efficient algs. (G, F, F - 1 ) G(): randomized alg. outputs a key pair (pk, sk) F(pk, ): det. alg. that defines a func4on X Y F - 1 (sk, ): defines a func4on Y X that inverts F(pk, ) More precisely: (pk, sk) output by G x X: F - 1 (sk, F(pk, x) ) = x

Secure Trapdoor Func4ons (TDFs) (G, F, F - 1 ) is secure if F(pk, ) is a one- way func4on: can be evaluated, but cannot be inverted without sk Chal. (pk,sk) G() Adv. A R x X pk, y F(pk, x) x Def: (G, F, F - 1 ) is a secure TDF if for all efficient A: Adv OW [A,F] = Pr[ x = x ] < negligible

Public- key encryp4on from TDFs (G, F, F - 1 ): secure TDF X Y (E s, D s ) : symmetric auth. encryp4on defined over (K,M,C) H: X K a hash func4on We construct a pub- key enc. system (G, E, D): Key genera4on G: same as G for TDF

Public- key encryp4on from TDFs (G, F, F - 1 ): secure TDF X Y (E s, D s ) : symmetric auth. encryp4on defined over (K,M,C) H: X K a hash func4on E( pk, m) : R x X, y F(pk, x) k H(x), c E s (k, m) output (y, c) D( sk, (y,c) ) : x F - 1 (sk, y), k H(x), m D s (k, c) output m

In pictures: F(pk, x) E s ( H(x), m ) header body Security Theorem: If (G, F, F - 1 ) is a secure TDF, (E s, D s ) provides auth. enc. and H: X K is a random oracle then (G,E,D) is CCA ro secure.

Incorrect use of a Trapdoor Func4on (TDF) Never encrypt by applying F directly to plaintext: E( pk, m) : output c F(pk, m) D( sk, c ) : output F - 1 (sk, c) Problems: Determinis4c: cannot be seman4cally secure!! Many aaacks exist (next segment) Dan Boneh

Next step: construct a TDF End of Segment

Online Cryptography Course Dan Boneh Public Key Encryp4on from trapdoor permuta4ons The RSA trapdoor permuta4on

Review: trapdoor permuta4ons Three algorithms: (G, F, F - 1 ) G: outputs pk, sk. pk defines a func4on F(pk, ): X X F(pk, x): evaluates the func4on at x F - 1 (sk, y): inverts the func4on at y using sk Secure trapdoor permuta4on: The func4on F(pk, ) is one- way without the trapdoor sk Dan Boneh

Review: arithme4c mod composites Let N = p q where p,q are prime Z N = {0,1,2,,N- 1} ; (Z N ) * = {inver4ble elements in Z N } Facts: x Z N is inver4ble gcd(x,n) = 1 Number of elements in (Z N ) * is ϕ(n) = (p- 1)(q- 1) = N- p- q+1 Euler s thm: x (Z N ) * : x ϕ(n) = 1

The RSA trapdoor permuta4on First published: Scien4fic American, Aug. 1977. Very widely used: SSL/TLS: cer4ficates and key- exchange Secure e- mail and file systems many others

The RSA trapdoor permuta4on G(): choose random primes p,q 1024 bits. Set N=pq. choose integers e, d s.t. e d = 1 (mod ϕ(n) ) output pk = (N, e), sk = (N, d) F( pk, x ): ; RSA(x) = x e (in Z N ) F - 1 ( sk, y) = y d ; y d = RSA(x) d = x ed = x kϕ(n)+ 1 = (x ϕ(n) ) k x = x

The RSA assump4on RSA assump4on: RSA is one- way permuta4on For all efficient algs. A: Pr[ A(N,e,y) = y 1/e ] < negligible R R where p,q n- bit primes, N pq, y Z * N

Review: RSA pub- key encryp4on (ISO std) (E s, D s ): symmetric enc. scheme providing auth. encryp4on. H: Z N K where K is key space of (E s,d s ) G(): generate RSA params: pk = (N,e), sk = (N,d) E(pk, m): (1) choose random x in Z N (2) y RSA(x) = x e, k H(x) (3) output (y, E s (k,m) ) D(sk, (y, c) ): output D s ( H(RSA - 1 (y)), c) Dan Boneh

Textbook RSA is insecure Textbook RSA encryp4on: public key: (N,e) Encrypt: c m e (in Z N ) secret key: (N,d) Decrypt: c d m Insecure cryptosystem!! Is not seman4cally secure and many aaacks exist The RSA trapdoor permuta4on is not an encryp4on scheme!

A simple aaack on textbook RSA random session- key k Web Browser CLIENT HELLO SERVER HELLO (e,n) c=rsa(k) Web Server d Suppose k is 64 bits: k {0,,2 64 }. Eve sees: c= k e in Z N If k = k 1 k 2 where k 1, k 2 < 2 34 (prob. 20%) then c/k 1 e = k 2 e in Z N Step 1: build table: c/1 e, c/2 e, c/3 e,, c/2 34e. 4me: 2 34 Step 2: for k 2 = 0,, 2 34 test if k 2 e is in table. 4me: 2 34 Output matching (k 1, k 2 ). Total aaack 4me: 2 40 << 2 64 Dan Boneh

End of Segment Dan Boneh

Online Cryptography Course Dan Boneh Public Key Encryp4on from trapdoor permuta4ons PKCS 1

RSA encryp4on in prac4ce Never use textbook RSA. RSA in prac4ce (since ISO standard is not often used) : msg key Preprocessing RSA ciphertext Main ques4ons: How should the preprocessing be done? Can we argue about security of resul4ng system?

PKCS1 v1.5 PKCS1 mode 2: (encryp4on) 16 bits 02 random pad FF msg RSA modulus size (e.g. 2048 bits) Resul4ng value is RSA encrypted Widely deployed, e.g. in HTTPS

Aaack on PKCS1 v1.5 (Bleichenbacher 1998) PKCS1 used in HTTPS: Is this PKCS1? 02 d Web Server c yes: con4nue no: error c= Aaacker ciphertext aaacker can test if 16 MSBs of plaintext = 02 Chosen- ciphertext aaack: to decrypt a given ciphertext c do: Choose r Z N. Compute c r e c = (r PKCS1(m)) e Send c to web server and use response Dan Boneh

Baby Bleichenbacher compute x c d in Z N is msb=1? 1 d Web Server c yes: con4nue no: error c= Aaacker ciphertext Suppose N is N = 2 n (an invalid RSA modulus). Then: Sending c reveals msb( x ) Sending 2 e c = (2x) e in Z N reveals msb(2x mod N) = msb 2 (x) Sending 4 e c = (4x) e in Z N reveals msb(4x mod N) = msb 3 (x) and so on to reveal all of x Dan Boneh

HTTPS Defense (RFC 5246) A"acks discovered by Bleichenbacher and Klima et al. can be avoided by trea9ng incorrectly forma"ed message blocks in a manner indis9nguishable from correctly forma"ed RSA blocks. In other words: 1. Generate a string R of 46 random bytes 2. Decrypt the message to recover the plaintext M 3. If the PKCS#1 padding is not correct pre_master_secret = R Dan Boneh

PKCS1 v2.0: OAEP New preprocessing func4on: OAEP [BR94] check pad on decryp4on. reject CT if invalid. msg 01 00..0 rand. + H G + plaintext to encrypt with RSA {0,1} n- 1 Thm [FOPS 01] : RSA is a trap- door permuta4on RSA- OAEP is CCA secure when H,G are random oracles in prac4ce: use SHA- 256 for H and G

OAEP Improvements OAEP+: [Shoup 01] m W(m,r) r trap- door permuta4on F F- OAEP+ is CCA secure when H,G,W are random oracles. + H G + During decryp4on validate W(m,r) field. SAEP+: [B 01] RSA (e=3) is a trap- door perm RSA- SAEP+ is CCA secure when H,W are random oracle. m + W(m,r) H r

m W(m,r) r How would you decrypt an SAEP ciphertext ct? + x H r RSA ciphertext (x,r) RSA - 1 (sk,ct), (x,r) RSA - 1 (sk,ct), (x,r) RSA - 1 (sk,ct), (m,w) x H(r), output m if w = W(m,r) (m,w) r H(x), output m if w = W(m,r) (m,w) x H(r), output m if r = W(m,x)

Subtle4es in implemen4ng OAEP [M 00] OAEP- decrypt(ct): error = 0; if ( RSA -1 (ct) > 2 n-1 ) { error =1; goto exit; } if ( pad(oaep -1 (RSA -1 (ct)))!= 01000 ) { error = 1; goto exit; } Problem: 4ming informa4on leaks type of error Aaacker can decrypt any ciphertext Lesson: Don t implement RSA- OAEP yourself!

End of Segment Dan Boneh

Online Cryptography Course Dan Boneh Public Key Encryp4on from trapdoor permuta4ons Is RSA a one- way func4on?

Is RSA a one- way permuta4on? To invert the RSA one- way func. (without d) aaacker must compute: x from c = x e (mod N). How hard is compu4ng e th roots modulo N?? Best known algorithm: Step 1: factor N (hard) Step 2: compute e th roots modulo p and q (easy)

Shortcuts? Must one factor N in order to compute e th roots? To prove no shortcut exists show a reduc4on: Efficient algorithm for e th roots mod N efficient algorithm for factoring N. Oldest problem in public key cryptography. Some evidence no reduc4on exists: (BV 98) Algebraic reduc4on factoring is easy.

How not to improve RSA s performance To speed up RSA decryp4on use small private key d ( d 2 128 ) c d = m (mod N) Wiener 87: if d < N 0.25 then RSA is insecure. BD 98: if d < N 0.292 then RSA is insecure (open: d < N 0.5 ) Insecure: priv. key d can be found from (N,e)

Wiener s aaack Recall: e d = 1 (mod ϕ(n) ) k Z : e d = k ϕ(n) + 1 ϕ(n) = N- p- q+1 N ϕ(n) p+q 3 N d N 0.25 /3 Con4nued frac4on expansion of e/n gives k/d. e d = 1 (mod k) gcd(d,k)=1 can find d from k/d Dan Boneh

End of Segment Dan Boneh

Online Cryptography Course Dan Boneh Public Key Encryp4on from trapdoor permuta4ons RSA in prac4ce

RSA With Low public exponent To speed up RSA encryp4on use a small e: c = m e (mod N) Minimum value: e=3 ( gcd(e, ϕ(n) ) = 1) Recommended value: e=65537=2 16 +1 Encryp4on: 17 mul4plica4ons Asymmetry of RSA: fast enc. / slow dec. ElGamal (next module): approx. same 4me for both.

Key lengths Security of public key system should be comparable to security of symmetric cipher: RSA Cipher key- size Modulus size 80 bits 1024 bits 128 bits 3072 bits 256 bits (AES) 15360 bits

Implementa4on aaacks Timing a;ack: [Kocher et al. 1997], [BB 04] The 4me it takes to compute c d (mod N) can expose d Power a;ack: [Kocher et al. 1999) The power consump4on of a smartcard while it is compu4ng c d (mod N) can expose d. Faults a;ack: [BDL 97] A computer error during c d (mod N) can expose d. A common defense:: check output. 10% slowdown.

An Example Fault Aaack on RSA (CRT) A common implementa4on of RSA decryp4on: x = c d in Z N decrypt mod p: decrypt mod q: x p = c d in Z p x q = c d in Z q combine to get x = c d in Z N Suppose error occurs when compu4ng x q, but no error in x p Then: output is x where x = c d in Z p but x c d in Z q (x ) e = c in Z p but (x ) e c in Z q gcd( (x ) e - c, N) = p

RSA Key Genera4on Trouble [Heninger et al./lenstra et al.] OpenSSL RSA key genera4on (abstract): prng.seed(seed) Suppose poor entropy at startup: p = prng.generate_random_prime() prng.add_randomness(bits) q = prng.generate_random_prime() N = p*q Same p will be generated by mul4ple devices, but different q N 1, N 2 : RSA keys from different devices gcd(n 1,N 2 ) = p Dan Boneh

RSA Key Genera4on Trouble [Heninger et al./lenstra et al.] Experiment: factors 0.4% of public HTTPS keys!! Lesson: Make sure random number generator is properly seeded when genera4ng keys

Further reading Why chosen ciphertext security maaers, V. Shoup, 1998 Twenty years of aaacks on the RSA cryptosystem, D. Boneh, No4ces of the AMS, 1999 OAEP reconsidered, V. Shoup, Crypto 2001 Key lengths, A. Lenstra, 2004

End of Segment Dan Boneh

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback