Outline ISA 662 Internet Security Protocols Some Math Essentials & History Asymmetric signatures and key exchange Asymmetric encryption Symmetric MACs Lecture 2 ISA 662 1 2 Beauty of Mathematics Demonstration Pick a number from 10 to 99 At the 2 digits, for example: If you chose 51, you would add 5+1=6 Then subtract the result from the original number So 51-6=45 (Demonstration shown in class) Prime Numbers (I) x 1,000 10,000 100,000 1,000,000 10,000,000 100,000,000 1,000,000,000 10,000,000,000 Percentage 168 1,229 9,592 78,498 664,579 5,761,455 50,847,534 455,052,511 Percentage 16.8% 12.3% 9.6% 7.8% 6.6% 5.8% 5.1% 4.6% 454,011,971 Prime numbers thin out as the numbers get larger There are 25 primes <100, so density is 1 in 4. Ten digit number, density is 1 in 23. Hundred digit number, density is 1 in 230. x/(lnx - 1) 169 1,218 9,512 78,030 661,459 5,740,304 50,701,542 Percentage 16.9% 12.2% 9.5% 7.8% 6.6% 5.7% 5.1% 4.5% 3 4 Division (I) Division (II) (also called counting numbers) 5 6 1
Division (III) Common Divisors (I) 7 8 Common Divisors (II) Euler s Totient Function (I) Leonhard Euler Swiss mathematician and physicist First to use the term function. Lived in the 1700 s in Z Totient function ø(n): Z n* number of integers less than n and relatively prime to n If n is prime, ø(n)=n-1 If n=p q, and p, q are primes, ø(n)=(p-1)(q-1) If p is prime and k>0, ø(p k ) =(p-1) p k-1 9 10 Euler s Totient Function (II) Examples: ø(7)= 7*(1-(1/7))=6 {1,2,3,4,5,6} Or ø(7) =7-1=6, because 7 is prime ø(10)= 10*(1-(1/2)*(1-(1/5))=4 {1,3,7,9} ø(18)= 18*(1-(1/2)*(1-(1/3))=6 {1,5,7,11,13,17} ø(21)= 21*(1-(1/3)*(1-(1/7))=12 {1,2,4,5,8,10,11,13,16,17,19,20} Or ø(21)= ø(3.7)= ø(3). ø(7)= 2.6 = 12 11 Motivation 1- Key Distribution Problem In a secret key cryptosystem, the secret key must be transmitted via a secure channel Inconvenient n parties want to communicate with each other, how many keys total keys are needed and how many other keys must each n store? n entities There will be n(n-1) / 2 keys total Each entity has to store n-1 keys Insecure Is the secure channel really secure? Public key cryptosystem solves the problem Public key known by everyone telephone directory Privacy key is never transmitted 12 2
How many Symmetric Keys needed? Administration Problems: Adding new entities Removing existing entities Changing keys n 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Total Keys 2 3 6 10 15 21 28 36 45 55 66 78 91 105 Keys Stored 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Motivation 2- Digital Signature In a secret key cryptosystem, authentication and non-repudiation may be difficult Authentication You must share a secret key with someone in order to verify his signature Non-repudiation I didn t sign it. You did since you also have the key Public key cryptosystem solves the problem Verification of signature needs only the public key One is solely responsible for his private key 13 14 Public Key Algorithms Public key algorithms covered in this class RSA: encryption and digital signature Diffie-Hellman: key exchange DSA: digital signature Number theory underlies most of public key algorithms. Requirements for Public-Key Algorithms It is computationally easy to generate a (public, private) key pair. to generate a ciphertext using the public key. to decrypt the ciphertext using the private key. to sign with the private key. to verify the signature with the public key. It is computationally infeasible to determine the private key from the public key. recover the message from the ciphertext and the public key. forge a signature. 15 16 A The Big Picture Encryption Algorithm B's Public Key Ciphertext INSECURE CHANNEL Decryption Algorithm B's Private Key B The Basic Idea Confidentiality: encipher using public key, decipher using private key Integrity/authentication: encipher using private key, decipher using public key Encryption Algorithm Ciphertext Signature Decryption Algorithm RELIABLE CHANNEL B's Public Key 17 A B's Public Key B's Private Key B 18 3
Public Key Model Public Key Encryption 19 20 Public Key Signatures Use of Public-Key Cryptosystems Encryption/decryption The sender encrypts a message with the receiver s public key Only the receiver can decrypt the message. Digital signature The sender signs a message with its private key. Authentication and non-repudiation Key exchange Two sides cooperate to exchange a session key. Secret key cryptosystems are often used with the session key. 21 22 Goals of Public-Key Cryptanalysis Given the public key, cipher text, signature, to find out the private key find out the message encrypted forge the signature Public-Key Cryptanalysis Brute-force attack Try all possible keys Derivation of private key from public key Try to find the relationship between the public key and the private key and compute the private key from the public one. Probable-message attack The public key is known. Encrypt all possible messages Try to find a match between the ciphertext and one of the above encrypted messages. Example: Prof. sends encrypted messages of letter grades to his students based on their public key. 23 24 4
History of Public-Key Schemes 1976 Diffie & Hellman suggested the public-key model for encryption and signatures 1976 Diffie & Hellman developed public-key protocol for key-exchange based on Discrete Log Problem 1977- Rivest, Shamir, Adelman developed RSA publickey scheme for encryption and signatures based on the Number Factoring Problem 1980 s- El-Gamal developed public-key protocols for encryption and signatures based on Discrete Log Problem Revolution in Cryptography Diffie & Hellman sought to solve 2 problems Find a secure way to distribute keys in the public Provide digital signature for document Public key cryptography is based on rigorous mathematical theory, rather than substitutions and permutations. It is asymmetric requires two different keys: private key & public key 25 26 Diffie-Hellman Key Exchange (I) Diffie-Hellman Key Exchange (II) Published in W. Diffie and ME Hellman, "New Directions in Cryptography", in IEEE Transactions on Information Theory, IT-22 no 6 (November 1976) p. 644-654 The first public key algorithm Allows two users to agree on a secret key over public channel No encryption, decryption, nor authentication What s involved? p is a large prime number (about 512 bits), g < p and g is a primitive root of p. p and g are publicly known 27 28 Diffie-Hellman Key Exchange (III) Diffie-Hellman Man-in-the-middle 29 30 5
Diffie-Hellman Example Alice and Bob want to establish a shared secret key Have agree on the value n=353 (prime) and g=3 Select the random secret values: Alice chooses X a =97, Bob chooses X b =233 Derive the public keys: T a = g Xa mod n = 3 97 mod 353 = 40 (Alice s) T b = g Xb mod n = 3 233 mod 353 = 248 (Bob s) Derive the shared secret key K = T b Xa mod n = 248 97 mod 353 = 160 (Alice s) K = T a Xb mod n = 40 233 mod 353 = 160 (Bob s) Hard Number Theory Problems T = g s mod p Given T, g, p, it is computationally infeasible to compute the value of s (discrete logarithm) This is the basis of the Diffie-Hellman, El-Gamal, and DSS Public-Key Schemes. Another difficult number theory problem, it is to compute the product of two primes p and q to obtain n=pq. But it is difficult to factor the composite number n into its two prime factors p and q. This is the basis of the RSA Public-Key scheme 31 32 Diffie-Hellman Scheme Security factors Discrete logarithm very difficult. Shared key (the secret) itself never transmitted. Disadvantages: Expensive exponential operation Cannot be used to encrypt anything. No authentication, so you can not sign anything. Diffie-Hellman in Phone Book Mode DH is subject to active man-in-the-middle attack because their public key-component may be intercepted and substituted Phone book mode allows everyone to generate the public key-component in advance and publish them through other reliable means All communicating parties agree on their common <g, p> Essential requirement: authenticity of the public key. 33 34 RSA (Rivest, Shamir, Adleman) Published in R. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", CACM 21, pp. 120--126, Feb. 1978 The first public key encryption and signature system Support both public key encryption and digital signature. Assumption/theoretical basis: Factorization of large primes is hard. Variable key length (usually 1024 bits). Variable plaintext block size. must be smaller than the key. Ciphertext block size is the same as the key length. Number Factoring How about Tomorrow s computers? 35 36 6
Quantum Computing A classical computer has a memory made up of bits, where each bit holds either a one or a zero. The device computes by manipulating those bits, i.e. by transporting these bits from memory to (possibly a suite of) logic gates and back. A quantum computer maintains a set of qubits. A qubit can hold a one, or a zero, or a superposition of these. A quantum computer operates by manipulating those qubits, i.e. by transporting these bits from memory to (possibly a suite of) quantum logic gates and back. Qubits for a quantum computer can be implemented using particles with two spin states: "up" and "down"; in fact any system, possessing an observable quantity A which is conserved under time evolution and such that A has at least two discrete and sufficiently spaced consecutive eigenvalues, is a suitable candidate for implementing a qubit. Information Source: Wikipedia The RSA Algorithm To generate key pair: Pick large primes p and q Let n = p*q, keep p and q to yourself! For public key, choose e that is relatively prime to ø(n) =(p-1)(q-1). public key = <e,n> For private key, find d that is the multiplicative inverse of e mod ø(n), i.e., e*d = 1 mod ø(n) Private key = <d,n>. 37 38 How Does RSA Work? Given pubkey = <e, n> and privkey = <d, n> Message = m encryption: c = m e mod n, m < n decryption: m = c d mod n signature: s = m d mod n, m < n verification: m = s e mod n An Example Choose p = 7 and q = 17. Compute n = p*q= 119. Compute φ(n)=(p-1)(q-1)=96. Select e = 5, which is relatively prime to φ(n). Compute d = _77_such that e*d=1 mod φ(n). Public key: <5,119> Private key: <77,119> Message = 19 Encryption: 19 5 mod 119 = 66 Decryption: 66 77 mod 119 = 19. 39 40 Example: Encryption Example: Decryption p = 7, q = 11, n = 77 Alice chooses e = 17, making d = 53 Bob wants to send Alice secret message HELLO (07 04 11 11 14) 07 17 mod 77 = 28 04 17 mod 77 = 16 11 17 mod 77 = 44 11 17 mod 77 = 44 14 17 mod 77 = 42 Bob sends 28 16 44 44 42 41 Alice receives 28 16 44 44 42 Alice uses private key, d = 53, to decrypt message: 28 53 mod 77 = 07 16 53 mod 77 = 04 44 53 mod 77 = 11 44 53 mod 77 = 11 42 53 mod 77 = 14 Alice translates 07 04 11 11 14 to HELLO No one else could read it, as only Alice knows her private key and that is needed for decryption 42 7
Digital Signatures in RSA RSA has an important property, not shared by other public key systems Encryption and decryption are symmetric Encryption followed by decryption yields the original message (M e mod n) d mod n = M Decryption followed by encryption also yields the original message (M d mod n) e mod n = M Because e and d are symmetric in e*d = 1 mod (p-1)*(q-1) 43 Digital Signatures in RSA M A M d mod n A's Private Keyd M Ciphertext C (signature) RELIABLE CHANNEL? C e mod n A's Public Key e M B 44 Compared To Encryption in RSA Signature and Encryption M A M e mod n Ciphertext C C d mod n M B A D Signed Encrypted Signed Signed E D E B B's Public Key e B's Private Key d RELIABLE CHANNEL A's Private Key B's Public Key B's Private Key A's Public Key 45 46 Example: Sign Take p = 7, q = 11, n = 77 Alice chooses e = 17, making d = 53 Alice wants to send Bob message HELLO (07 04 11 11 14) so Bob knows it is from Alice, and it has not been modified in transit 07 53 mod 77 = 35 04 53 mod 77 = 09 11 53 mod 77 = 44 11 53 mod 77 = 44 14 53 mod 77 = 49 Alice sends 35 09 44 44 49 47 Example: Verify Bob receives 35 09 44 44 49 Bob uses Alice s public key, e = 17, n = 77, to decrypt message: 35 17 mod 77 = 07 09 17 mod 77 = 04 44 17 mod 77 = 11 44 17 mod 77 = 11 49 17 mod 77 = 14 Bob translates 07 04 11 11 14 to HELLO (Assume) only Alice has her private key, so no one else could have been able to create a correct signature The (deciphered) signature matches the transmitted plaintext, so the plaintext is not altered 48 8
Example: Both Alice wants to send Bob message HELLO both enciphered and signed Alice s keys: public (17, 77); private: 53 Bob s keys: public: (37, 77); private: 13 Alice does (does she encipher first or sign first?) (07 53 mod 77) 37 mod 77 = 07 (04 53 mod 77) 37 mod 77 = 37 (11 53 mod 77) 37 mod 77 = 44 (11 53 mod 77) 37 mod 77 = 44 (14 53 mod 77) 37 mod 77 = 14 Alice sends 07 37 44 44 14 What would Bob do upon receiving the message? Class Exercise 1. Find primes p and q so that 12-bit plaintext blocks could be encrypted with RSA. 2. Decrypt the ciphertext C=4 using RSA with the private key {d=7, p=3, q=7} 49 50 Class Exercise 1. Find primes p and q so that 12-bit plaintext blocks could be encrypted with RSA. The primes P*Q must be > or = to 2 12 =4096. So let P=67 and Q=71 so P x Q = 4,757 2. Decrypt the ciphertext C=4 using RSA with the private key {d=7, p=3, q=7} N=p*q N=7*3=21 M=C^d mod n M=4^7 mod 21 M=4 RSA KEY SIZE In August 1999 a group using 300 workstations and PCs was able to factor 512-bit number in 7 months. RSA Laboratories currently recommends key sizes of 1024 bits for corporate use and 2048 bits for extremely valuable keys like the root key pair used by a certifying authority (rsasecurity.com) What does an RSA-155 number look like? 51 52 RSA-155 Number 10263959282974110577205419657399759007165678080380668 334193352190711307779 * 1066034883801684548209272203600187867920795857598929 22270608237193062808643. = 10941738641570527421809707322040357612003732945449 20599091384213147634998428893478471799725789126733 24976257528997818337970765372440271467435315933543 33897 Finding Large Prime Numbers Good news Infinite number of prime numbers Bad news The prime number ratio decreases as the prime number gets big Brute-force Try to divide n by 2,,n 1/2 Impractical for large number!!! No known practical method to determine if a given large number is prime However fast probabilistic primality test exists. That is, determine if a larger number is likely to be a prime. 53 54 9
Finding Large Prime Numbers (Cont d) Primality test Randomly pick 0<a<n, see if a n-1 mod n=1? If a n-1 mod n 1, n is not prime for sure If a n-1 mod n=1, n is very likely to be prime. The false positive rate is 10-13 for 100 digit number Exist n>0 such that a n-1 mod n=1 for all 0<a<n Implication We may (with small probability) choose some nonprime numbers for p & q, which would fail RSA operations (encryption/decryption, signature/verification) The Security of RSA Attacks against RSA Brute force: Try all possible private keys Can be defeated by using a large key space Mathematical attacks Factor n into n=p*q. Determine ø(n) directly: equivalent to factoring n. Determine d directly: at least as difficult as factoring n. 55 56 The Security of RSA (Cont d) Factoring large integer is very hard! But if you can factor big number n then given public key <e,n>, you can find d, and hence the private key by: Knowing factors p, q, such that, n = p*q Then ø(n) =(p-1)(q-1) Then d such that e*d = 1 mod ø(n) Ways to make n difficult to factor p and q should differ in length by only a few digits Both (p-1) and (q-1) should contain a large prime factor gcd(p-1, q-1) should be small. d > n 1/4. RSA Versus DES Fastest implementations of RSA can encrypt kilobits/second Fastest implementations of DES can encrypt megabits/second It is often proposed that RSA be used for secure exchange of DES keys This 1000-fold difference in speed is likely to remain independent of technology advances 57 58 Digital Signature Standard (DSS) Efficiency of signature schemes By NIST Related to El Gamal Use SHA (SHA-1) to generate the hash value and Digital Signature Algorithm (DSA) to generate the digital signature. Faster for the signer, but not for the verifier: Potential application: smart cards 59 60 10
Summary-Key required lengths One-way Hash Functions Also known as message digest A function H(M) = m satisfies (Fixed length): M can be of any length, whereas m is of fixed length (One-way): computing H(M)=m is easy, but computing H -1 (m)=m is computationally infeasible (Collision-free): in two forms Weak collision-freedom: given any M, difficult to find another M such that H(M)=H(M ) Strong collision-freedom: difficult to find any M and M such that H(M)=H(M ) 61 62 Why Those Requirements? Many applications store H(p) instead of a password p Fixed length: cannot guess the length of p from H(p) (and H(p) is easier to store) One-way: the administrator cannot learn p of others Collision-free: cannot submit incorrect p matching H(p) Most applications sign H(M) instead of M Hash Functions Broken? Crypto 2004 Rump session reported attacks on MD4, MD5 and SHA-0 MD4 s attacks are done by hands Crypto 2005 reported attacks on full SHA-1 Should we panic? 63 Xiaoyun Wang s webpage: http://www.infosec.sdu.edu.cn/people/wangxiaoyun.htm 64 Hash Functions Broken? (Cont d) MESSAGE AUTHENTICATION CODES Nature of the results Algorithm that finds collision faster than theoretic bound MD5 about one hour; SHA-1 2 63 vs 2 80 (theoretically) Yes, the results disprove those functions to be strong collision-free No, they do not give you a password from its hash Brute force attacks do (refer to http://passcracking.com/) Whether you should panic or not depends on what you use the hash functions for A MAC Algorithm M K INSECURE CHANNEL + MAC MAC = MD of plaintext + K Verification Algorithm V K Yes/No B Xiaoyun Wang s webpage: http://www.infosec.sdu.edu.cn/people/wangxiaoyun.htm 65 66 11
Hash Functions Vs MAC HMAC Send a message M together with its hash h=h(m), so the recipient can verify M by comparing H(M) with the received h Attack: If anyone in the middle can replace M with M and h with h =H(M ), the recipient won t detect this Keyed hash functions Also known as message authentication codes (MAC) Example: DES in CBC mode: use a key to encipher message in CBC mode and use last n bits as the MAC value. 67 HMAC is a keyed-hash message authentication code, which is a type of message authentication code (MAC) As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message. h : hash function K : a secret key k padded with extra 0 s to the block size of the hash function opad=0x5c5c..5c5c (outer padding )and ipad=0x3636..3636 (inner padding) are two one-block long hexadecimal constants. exclusive or, concatenation 68 Example of HMAC use A pizza restaurant that suffers from attackers that place bogus Internet orders may insist that all its customers deposit a secret key with the restaurant. Along with an order, a customer must supply the order's HMAC digest, computed using the customer's secret key. The restaurant, knowing the customer's secret key, can then verify that the order originated from the stated customer and has not been tampered with. (wiki example) Key Points Public key cryptosystems has two keys Diffie-Hellman exchanges secret key via insecure channel RSA can be used for confidentiality and integrity Cryptographic Checksums are keyed hash functions 69 70 12