Lecture 2 Applied Cryptography (Part 2)

Similar documents
Chapter 9. Public Key Cryptography, RSA And Key Management

Chapter 3 Public Key Cryptography

Public Key Algorithms

Kurose & Ross, Chapters (5 th ed.)

Public Key Algorithms

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Public Key Algorithms

Overview. Public Key Algorithms I

Public Key (asymmetric) Cryptography

Public Key Cryptography

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Public Key Cryptography

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Chapter 7 Public Key Cryptography and Digital Signatures

CS669 Network Security

CSC 474/574 Information Systems Security

Cryptography and Network Security Chapter 10. Fourth Edition by William Stallings

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who

Spring 2010: CS419 Computer Security

Chapter 9 Public Key Cryptography. WANG YANG

Cryptography and Network Security

Encryption. INST 346, Section 0201 April 3, 2018

CS Computer Networks 1: Authentication

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Key Management and Distribution

ASYMMETRIC CRYPTOGRAPHY

1. Diffie-Hellman Key Exchange

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

What did we talk about last time? Public key cryptography A little number theory

Chapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Digital Signature. Raj Jain

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

RSA (material drawn from Avi Kak Lecture 12, Lecture Notes on "Computer and Network Security" Used in asymmetric crypto.

Crypto Basics. Recent block cipher: AES Public Key Cryptography Public key exchange: Diffie-Hellmann Homework suggestion

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Lecture 6 - Cryptography

Public Key Cryptography and the RSA Cryptosystem

Public-key encipherment concept

Diffie-Hellman. Part 1 Cryptography 136

Number Theory and RSA Public-Key Encryption

CSC/ECE 774 Advanced Network Security

CS 161 Computer Security

RSA (algorithm) History

Lecture 6: Overview of Public-Key Cryptography and RSA

Cryptography and Network Security. Sixth Edition by William Stallings

1. Digital Signatures 2. ElGamal Digital Signature Scheme 3. Schnorr Digital Signature Scheme 4. Digital Signature Standard (DSS)

Chapter 3. Principles of Public-Key Cryptosystems

Cryptography (Overview)

Public Key Encryption. Modified by: Dr. Ramzi Saifan

Applied Cryptography and Computer Security CSE 664 Spring 2018

CPSC 467b: Cryptography and Computer Security

UNIT III 3.1DISCRETE LOGARITHMS

Ref:

CSE 127: Computer Security Cryptography. Kirill Levchenko

SECURITY IN NETWORKS

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Contents Digital Signatures Digital Signature Properties Direct Digital Signatures

PUBLIC KEY CRYPTO. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

Public-Key Cryptography

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Introduction to Cryptography Lecture 7

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Topics. Number Theory Review. Public Key Cryptography

CSC 8560 Computer Networks: Network Security

Lecture 1 Applied Cryptography (Part 1)

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

14. Internet Security (J. Kurose)

SECURITY IN NETWORKS 1

Cryptographic Systems

1.264 Lecture 28. Cryptography: Asymmetric keys

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

Network Security. Chapter 4 Public Key Cryptography. Public Key Cryptography (4) Public Key Cryptography

Tuesday, January 17, 17. Crypto - mini lecture 1

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

Cryptography Symmetric Cryptography Asymmetric Cryptography Internet Communication. Telling Secrets. Secret Writing Through the Ages.

Channel Coding and Cryptography Part II: Introduction to Cryptography

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Public Key Cryptography 2. c Eli Biham - December 19, Public Key Cryptography 2

CS Network Security. Nasir Memon Polytechnic University Module 7 Public Key Cryptography. RSA.

Study Guide to Mideterm Exam

Introduction to Cryptography Lecture 7

CS 161 Computer Security

CS408 Cryptography & Internet Security

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Public-key Cryptography: Theory and Practice

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

Total points: 71. Total time: 75 minutes. 9 problems over 7 pages. No book, notes, or calculator

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Transcription:

Lecture 2 Applied Cryptography (Part 2) Patrick P. C. Lee Tsinghua Summer Course 2010 2-1

Roadmap Number theory Public key cryptography RSA Diffie-Hellman DSA Certificates Tsinghua Summer Course 2010 2-2

Number Theory Number theory deals with the arithmetic operations of cryptographic algorithms Not only to understand how an algorithm works, but also why it works Most public key algorithms are based on modular arithmetic. Tsinghua Summer Course 2010 2-3

Modular Arithmetic If m and n are two integers and n > 0, the remainder of m divided by n is the smallest non-negative integer that differs from m by a multiple of n For 3, 13 and -7 divided by 10, remainder = 3 In modular arithmetic, two integers are equivalent if they differ by a multiple of n Tsinghua Summer Course 2010 2-4

Modular Arithmetic General rules: a + b mod n = [(a mod n) + (b mod n)] mod n a - b mod n = [(a mod n) - (b mod n)] mod n a * b mod n = [(a mod b) * (b mod n)] mod n E.g., 12 * 25 mod 7 = (12 mod 7) * (25 mod 7) mod 7 = 5 *4 mod 7 = 6. Note that a b mod n = (a mod n) b mod n But a b mod n a bmod n mod n We sometimes drop mod n for brevity Tsinghua Summer Course 2010 2-5

Primes A positive integer p is prime iff it is evenly divisible by exactly two positive integers (itself and 1) Question: is the set of primes infinite? Many crypto algorithms work on very large primes, which can be found efficiently using randomized algorithms Tsinghua Summer Course 2010 2-6

Greatest Common Divisor (GCD) The GCD of two integers is the largest integer that evenly divides them gcd(0, x) = x Two integers are relatively prime if their GCD = 1. For two integers a and b, a is the multiplicative inverse mod n of b (and vice versa) if a * b mod n = 1 (or a -1 = b mod n) Both GCD and multiplicative inverse can be found efficiently via Euclid s algorithm Tsinghua Summer Course 2010 2-7

GCD vs. Multiplicative Inverse Facts: a -1 = x (mod n) has a unique solution x if a and n are relatively prime a -1 (mod n) doesn t exist if a and n are not relatively prime If n is prime, all integers 1, 2,, n-1 are relatively prime to n Tsinghua Summer Course 2010 2-8

Chinese Remainder Theorem Let n 1, n 2,..., n k be positive integers that are pairwise relatively prime. Then for any given integers a 1, a 2,, a k, there exists an integer x, where 0 < x < n 1 n 2 n k such that x = a 1 (mod n 1 ), x = a 2 (mod n 2 ),, x = a k (mod n k ). Tsinghua Summer Course 2010 2-9

Z n * Z n is the set of all integers modulo n. Z n * is the set of mod n integers that are relatively prime to n. E.g., If n is prime, then Z n * = {1, 2,, n-1} Note that 0 is not in Z n * Z n * is closed under multiplication (i.e., if a, b are in Z n *, then ab is in Z n *) Tsinghua Summer Course 2010 2-10

Euler Totient Function Φ(n) Euler Totient function Φ(n) is defined as the number of elements in Z n *. E.g., if n is prime, then Φ(n) = n-1 If n = pq for primes p and q, what is Φ(n)? Euler Theorem: For all a in Z n *, a Φ(n) = 1 mod n. Fermat s Little Theorem: If n is prime and for any integer a that is relative prime to n, a n-1 = 1 mod n Tsinghua Summer Course 2010 2-11

Roadmap Number theory Public key cryptography RSA Diffie-Hellman DSA Certificates Tsinghua Summer Course 2010 2-12

Public Key Cryptography Symmetric key cryptography Assumption: both sender and receiver share the same secret key But how to agree on the same key first? Public key cryptography Use two keys public and private keys Public key for encryption known to everyone Private key for decryption known to receiver only Complement symmetric key crypto Tsinghua Summer Course 2010 2-13

Public Key Cryptography K B + K B - Bob s public key Bob s private key plaintext message, m encryption algorithm ciphertext + K (m) B decryption algorithm plaintext message - + m = K (K (m)) B B Requirements: m = K - B K + B (m) Given K + B, computationally infeasible to tell K - B Tsinghua Summer Course 2010 2-14

RSA Developed by Rivest, Shamir & Adleman of MIT in 1977 Best known & widely used public-key scheme Based on exponentiation in Z n *over integers Exponentiation takes O((log n) 3 ) operations (easy) uses large integers (eg. 1024 bits) security due to cost of factoring large numbers Factorization takes O(e log n log log n ) operations (hard) Tsinghua Summer Course 2010 2-15

RSA: Create Public/Private Key Pair Choose two large prime numbers p and q (e.g., 1024 bits each) Compute n = pq. Hence Φ(n) = (p-1)(q-1). Choose e (e < n) relatively prime to Φ(n) Compute d s.t. ed = 1 mod Φ(n) Public key is (n, e). Private key is (n, d). Note that p and q must be kept secret. Tsinghua Summer Course 2010 2-16

RSA: Encryption/Decryption Given message m < n, encryption: c = m e mod n decryption: m = c d mod n Why it works? c d = m ed mod n = m Φ(n)k + 1 mod n (for some k) = m (by Euler s theorem) Tsinghua Summer Course 2010 2-17

RSA Example: Key Setup Select primes: p=17 & q=11 Calculate n = pq =17 x 11=187 Calculate ø(n)=(p 1)(q-1)=16x10=160 Select e: gcd(e,160)=1; choose e=7 Determine d: de=1 mod 160 and d < 160 Value is d=23 since 23x7=161= 10x160+1 Publish public key PU={7,187} Keep secret private key PR={23,187} Tsinghua Summer Course 2010 2-18

RSA Example: En/Decryption sample RSA encryption/decryption is: given message M = 88 (88<187) encryption: C = 88 7 mod 187 = 11 decryption: M = 11 23 mod 187 = 88 Tsinghua Summer Course 2010 2-19

Security of RSA Main assumption (fact): factoring a large number n = pq is hard. Fact: The problem of computing d from the public key (n, e), and the problem of factoring n, are computationally equivalent Tsinghua Summer Course 2010 2-20

Efficiency of RSA Fact: RSA is no less secure (by far) if e is always chosen to be the same number Typical values of e: 3 and 65537. If e = 3, some practical constraints need to be imposed If m is small, then c = m 3 is small. Attackers can readily determine m by computing the ordinary cube root. Tsinghua Summer Course 2010 2-21

Attacks on RSA If e = 3, and the same message m is sent encrypted to three different parties with different moduli (e.g., c i = m 3 mod n i for i=1, 2, 3), then an attacker can determine m from c i. How? Attacker can efficiently find x s.t. x = c i mod n 1 n 2 n 3. Since m < n i for each i, m 3 < n 1 n 2 n 3, by Chinese Remainder Theorem, x = m 3. Also, m 3 mod n 1 n 2 n 3 will just be m 3. Then m can be obtained by the cube root of m 3. Tsinghua Summer Course 2010 2-22

Attacks on RSA Scenario: a central authority selects a single RSA modulus n, and distributes a distinct encryption/decryption exponent pair (e i, d i ) to each entity in a network. Common modulus attack: if a single message m were encrypted and sent to two or more entities in the network, then there is a technique by which an eavesdropper could recover m Design rule: each n must be associated with a unique (e, d). Tsinghua Summer Course 2010 2-23

Public-Key Cryptography Standard (PKCS) Useful to have some standard for encoding of information that is signed or encrypted via RSA, so that different implementations can interwork, and pitfalls are avoided. PKCS defines the encoding of RSA keys, signatures, encrypted messages. You ll know more when using OpenSSL. Tsinghua Summer Course 2010 2-24

Roadmap Number theory Public key cryptography RSA Diffie-Hellman DSA Certificates Tsinghua Summer Course 2010 2-25

Diffie-Hellman Key Exchange First public-key type scheme proposed Earlier than RSA By Diffie & Hellman in 1976 along with the exposition of public key concepts note: now know that Williamson (UK CESG) secretly proposed the concept in 1970 A practical method for public exchange of a secret key Tsinghua Summer Course 2010 2-26

Diffie-Hellman Key Exchange A public-key distribution scheme cannot be used to exchange an arbitrary message rather it can establish a common key known only to the two participants Can be extended to more than two parties value of key depends on the participants (and their private and public key information) based on exponentiation in Z n * (modulo a prime or a polynomial) - easy security relies on the difficulty of computing discrete logarithms (similar to factoring) hard Tsinghua Summer Course 2010 2-27

Diffie-Hellman Setup Two users A and B agree on global (public) parameters: large prime integer p gbeing a generator (primitive root) mod p Each user (eg. A) generates their key chooses a secret key (number): x A < p compute their public key: y A = g xa mod p each user makes public that key y A Tsinghua Summer Course 2010 2-28

Diffie-Hellman Key Exchange Key exchange process: A sends to B: y A = g xa B sends to A: y B = g xb shared session key for users A & B is K AB : K AB = g xa.xb mod p = y xb A mod p (which B can compute) = y xa B mod p (which A can compute) K AB is used as session key in private-key encryption scheme between Alice and Bob attacker needs an x, must solve discrete log Tsinghua Summer Course 2010 2-29

Diffie-Hellman Example users Alice & Bob who wish to swap keys: agree on prime p=353 and g=3 select random secret keys: A chooses x A =97, B chooses x B =233 compute respective public keys: y A =3 97 mod 353 = 40 (Alice) y B =3 233 mod 353 = 248 (Bob) compute shared session key as: K AB = y B xa mod 353 = 248 97 = 160 (Alice) K AB = y A xb mod 353 = 40 233 = 160 (Bob) Tsinghua Summer Course 2010 2-30

Man-in in-the-middle Attack on DH Alice Trudy Bob g xa g xt g xt g xb K AT = g xaxt K AT = g xaxt K BT = g xbxt K BT = g xbxt Trudy can intercept messages between Alice and Bob Why MITM attack work? Alice and Bob can t verify if the public keys are actually from Alice and Bob, respectively Tsinghua Summer Course 2010 2-31

Defenses Against MITM Authenticated Key Exchange Examples: Encrypt public keys with pre-shared secret Encrypt public keys with other side s public keys Sign DH values with private keys will show how this approach works in a moment Tsinghua Summer Course 2010 2-32

Digital Signatures Digital signatures provide the ability to: verify author, date & time of signature authenticate message contents be verified by third parties to resolve disputes Analogous to hand-written signaturs Goal is similar to Message Authentication Code (MAC), but using public key crypto. Tsinghua Summer Course 2010 2-33

Roadmap Number theory Public key cryptography RSA Diffie-Hellman DSA Certificates Tsinghua Summer Course 2010 2-34

Digital Signatures: Idea Encryption/decryption Sender encrypts with public key Receiver decrypts with private key Signature/verification two main operations Sender signs with private key Receiver verifies with public key Can be directly based on RSA, but we will show more efficient approaches. Tsinghua Summer Course 2010 2-35

Digital Signatures: Naive Approach Naive approach: sign message m directly Bob s message, m Dear Alice Oh, how I have missed you. I think of you all the time! (blah blah blah) Bob K B - Public key encryption algorithm Bob s private key K B - (m) Bob s message, m, signed (encrypted) with his private key Tsinghua Summer Course 2010 2-36

large message m + Digital Signatures: Signed Bob sends digitally signed message: Message Digest H: Hash function Bob s private key K B - H(m) digital signature (encrypt) encrypted msg digest - K B (H(m)) Alice verifies signature and integrity of digitally signed message: large message m H: Hash function H(m) Bob s public key K B + equal? encrypted msg digest - K B (H(m)) digital signature (decrypt) H(m) Tsinghua Summer Course 2010 2-37

Digital Signatures with Signing before encrypting: Encryption Alice signs the message with her private key S A (M) Alice encrypts the message and signature with Bob s public key E B (S A (M)) Bob decrypts message with his private key D B (E B (S A (M))) = S A (M) Bob verifies with Alice s public key V A (S A (M)) = M Why sign before encrypt, but not sign after encrypt? Tsinghua Summer Course 2010 2-38

Digital Signature Standard (DSS) DSS a US Govt approved signature standard designed by NIST & NSA in early 90's based on the SHA hash algorithm DSS is the standard, DSA is the algorithm DSA digital signature only unlike RSA, cannot be used for encryption and key exchange It is a public-key technique Tsinghua Summer Course 2010 2-39

DSA vs. RSA Tsinghua Summer Course 2010 2-40

Digital Signature Algorithm (DSA) Creates a 320 bit signature with 512-1024 bit security Smaller and faster than RSA A digital signature scheme only, not for encryption or key exchange Security depends on difficulty of computing discrete logarithms Details not covered here. Tsinghua Summer Course 2010 2-41

Digital Signature with Key Exchange Let s revisit Diffie-Hellman Key Exchange A sends to B: g xa, sign A (g XA ) B sends to A: g xb, sign B (g XB ) A and B verify with B s and A s public keys, resp. This defends against MITM attack (why?) But, how A and B obtain the public keys for signatures in the first place? Tsinghua Summer Course 2010 2-42

Roadmap Number theory Public key cryptography RSA Diffie-Hellman DSA Certificates Tsinghua Summer Course 2010 2-43

Public Key Infrastructure (PKI) We need some trusted public key authority to authenticate keys Public key infrastructure (PKI) consists of the components necessary to securely distribute public/private keys. Tsinghua Summer Course 2010 2-44

Public Key Certificates Certificates allow key exchange without realtime access to public-key authority A certificate binds identity to public key usually with other info such as period of validity, rights of use etc with all contents signed by a trusted Public-Key or Certificate Authority (CA) can be verified by anyone who knows the publickey authorities public-key usually pre-installed in applications Tsinghua Summer Course 2010 2-45

Operations on Certificate Certification authority (CA): binds public key to particular entity (e.g., Bob). Bob registers his public key with CA. Bob provides proof of identity to CA. CA creates certificate binding Bob to his public key. certificate containing Bob s public key digitally signed by CA CA says this is Bob s public key Bob s identifying information Bob s public key K B + digital signature (encrypt) CA private key K - CA K B + certificate for Bob s public key, signed by CA Tsinghua Summer Course 2010 2-46

Operations on Certificates When Alice wants Bob s public key: gets Bob s certificate (Bob or elsewhere). apply CA s public key to Bob s certificate, get Bob s public key K B + digital signature (decrypt) K B + Bob s public key CA public key K + CA Tsinghua Summer Course 2010 2-47

Long-term/Short term/short-term Keys Certificates aim to bind keys. But how are they different with the key exchange algorithms (e.g., Diffie-Hellman)? Certificates deal with long-term public/private keys, which remain the same for a very long time Key exchange algorithms deal with shortterm public/private keys, which change in every session Tsinghua Summer Course 2010 2-48

X.509 Authentication Service X.509 defines framework for authentication services directory may store public-key certificates with public key of user signed by certification authority It also defines authentication protocols It uses public-key crypto & digital signatures algorithms not standardised, but RSA recommended X.509 certificates are widely used have 3 versions Tsinghua Summer Course 2010 2-49

X.509 Certificate patrick_cert.crt.txt CRL discussed later Tsinghua Summer Course 2010 2-50

Obtaining a Certificate Any user with access to CA can get any certificate from it Only the CA can modify a certificate Because certificates cannot be forged, they can be placed in a public directory Tsinghua Summer Course 2010 2-51

CA Hierarchy If both users share a common CA then they are assumed to know its public key Otherwise CA's must form a hierarchy Use certificates linking members of hierarchy to validate other CA's each CA has certificates for clients (forward) and parent (backward) Tsinghua Summer Course 2010 2-52

CA Hierarchy Use Denote CA<<A>> certificate for A signed by CA X and W can mutually verify each other Cert of X signed by W Cert of W signed by X Cert of Z signed by X Tsinghua Summer Course 2010 2-53

CA Hierarchy Use Chains of certificates: A acquires B certificate using chain: X<<W>>W<<V>>V<<Y>>Y<<Z>>Z<<B>> B acquires A certificate using chain: Z<<Y>>Y<<V>>V<<W>>W<<X>>X<<A>> Each user only needs to contact one CA (A contacts X, B contacts Z), and unwraps the certificates signed by other CAs through the chain of trusts Tsinghua Summer Course 2010 2-54

Certificate Revocation certificates have a period of validity may need to revoke before expiry, eg: 1.user's private key is compromised 2.user is no longer certified by this CA 3.CA's certificate is compromised CA s maintain list of revoked certificates the Certificate Revocation List (CRL) users should check certificates with CA s CRL Tsinghua Summer Course 2010 2-55

References Kaufman et al., Ch. 5, 6, 7 Stallings, Ch. 8 14 Kurose & Ross, Ch. 8 Tsinghua Summer Course 2010 2-56

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback