Lecture 9: Public-Key Cryptography CS /05/2018

Similar documents
Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Public Key Algorithms

Cryptography V: Digital Signatures

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

Cryptography V: Digital Signatures

Chapter 9 Public Key Cryptography. WANG YANG

Applied Cryptography and Computer Security CSE 664 Spring 2018

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CSC 474/574 Information Systems Security

Network Security Technology Project

Introduction to Public-Key Cryptography

Secure Multiparty Computation

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 7, 2013

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack

Chapter 11 : Private-Key Encryption

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

RSA (material drawn from Avi Kak Lecture 12, Lecture Notes on "Computer and Network Security" Used in asymmetric crypto.

CSE 127: Computer Security Cryptography. Kirill Levchenko

1.264 Lecture 28. Cryptography: Asymmetric keys

Overview. Public Key Algorithms I

CS408 Cryptography & Internet Security

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Lecture 3.4: Public Key Cryptography IV

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Lecture 15: Cryptographic algorithms

Key Exchange. Secure Software Systems

Public Key Cryptography

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Technological foundation

CS Protocol Design. Prof. Clarkson Spring 2017

CS 161 Computer Security

ASYMMETRIC CRYPTOGRAPHY

Introduction to Cryptography. Vasil Slavov William Jewell College

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

Cryptography and Network Security. Sixth Edition by William Stallings

Hash Functions, Public-Key Encryption CMSC 23200/33250, Autumn 2018, Lecture 6

Lecture 19: cryptographic algorithms

Lecture 07: Private-key Encryption. Private-key Encryption

Computer Security 3/23/18

LECTURE NOTES ON PUBLIC- KEY CRYPTOGRAPHY. (One-Way Functions and ElGamal System)

PUBLIC KEY CRYPTO. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

Lecture 6: Overview of Public-Key Cryptography and RSA

Remote E-Voting System

Public Key Encryption. Modified by: Dr. Ramzi Saifan

Security. Communication security. System Security

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Public-Key Cryptography

APNIC elearning: Cryptography Basics

Computer Security CS 526

Encryption. INST 346, Section 0201 April 3, 2018

Public-Key Cryptanalysis

CS Protocols. Prof. Clarkson Spring 2016

Public-key Cryptography: Theory and Practice

Cryptography and Network Security. Sixth Edition by William Stallings

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

RSA Cryptography in the Textbook and in the Field. Gregory Quenell

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

Chapter 3 Public Key Cryptography

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

Encryption Details COMP620

Public-key encipherment concept

CPSC 467: Cryptography and Computer Security

Cryptography (DES+RSA) by Amit Konar Dept. of Math and CS, UMSL

Computer Security: Principles and Practice

Cryptography Symmetric Cryptography Asymmetric Cryptography Internet Communication. Telling Secrets. Secret Writing Through the Ages.

Cryptography (Overview)

Cryptology Part 1. Terminology. Basic Approaches to Cryptography. Basic Approaches to Cryptography: (1) Transposition (continued)

Using Cryptography CMSC 414. October 16, 2017

Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7

Public Key Cryptography

Security: Cryptography

Lecture III : Communication Security Mechanisms

More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017

CPSC 467: Cryptography and Computer Security

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Study Guide for the Final Exam

CS 161 Computer Security

Lecture 2 Applied Cryptography (Part 2)

Kurose & Ross, Chapters (5 th ed.)

Applied Cryptography Protocol Building Blocks

T Cryptography and Data Security

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Asymmetric Primitives. (public key encryptions and digital signatures)

CS 161 Computer Security

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

LECTURE 4: Cryptography

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 6 Introduction to Public-Key Cryptography

Transcription:

Lecture 9: Public-Key Cryptography CS 5430 3/05/2018

Crypto Thus Far

Key pairs Instead of sharing a key between pairs of principals......every principal has a pair of keys public key: published for the world to see private key: kept secret and never shared

Protocol to exchange encrypted message 1. A: c = Enc(m; K_B) 2. A -> B: c 3. B: m = Dec(c; k_b) key pair: (K_B, k_b) public key written with uppercase letter private key written with lowercase letter

Public keys 0. B: (K_B, k_b) = Gen(len) 1.... All public keys published in "phonebook" So A can lookup B's key to send message Length of phonebook is O(n) So quadratic problem reduced to linear! Eliminates key distribution problem!

RSA [Rivest, Shamir, Adleman 1977] Shared Turing Award in 2002: ingenious contribution to making public-key crypto Pick primes p, q Choose e, d such that ed = 1 mod (p 1)(q 1) PK = (n, e) SK = (p, q, d) c = m 5 mod n m = c 6 mod n

Textbook RSA is insecure Deterministic: given same plaintext and key, always produces the same ciphertext Several other attacks, too Solution: incorporate a nonce in the message before encrypting Called padding but encoding might be a better term Don t implement yourself; use OAEP implementation in your crypto library (Optimal Asymmetric Encryption Padding)

Problems of length Asymmetric encryption uses big integers, not byte arrays all messages must be encoded as integers modulus dictates maximum integer that can be encrypted big integer operations are slow say, 1 to 3 orders of magnitude slower than block ciphers So the problems we had before crop up again... what if message length is too short? actually that's okay: a small integer is still an integer what if message length is too long? in theory could use block modes like with symmetric encryption in practice, that's too inefficient...

HYBRID ENCRYPTION

Hybrid encryption Assume: Symmetric encryption scheme (Gen_S, Enc_S, Dec_S) Asymmetric encryption scheme (Gen_A, Enc_A, Dec_A) Use asymmetric encryption to establish a shared session key Avoids quadratic problem, assuming existence of phonebook Session key will be short, so avoids inefficiency Use symmetric encryption to exchange long plaintext encrypted under session key Gain efficiency of block cipher and mode

Protocol to exchange encrypted message 0. B: (K_B, k_b) = Gen_A(len_A) 1. A: k_s = Gen_S(len_S) c1 = Enc_A(k_s; K_B) c2 = Enc_S(m; k_s) //mode 2. A -> B: c1, c2 3. B: k_s = Dec_A(c1; k_b) m = Dec_S(c2; k_s)

Session keys If key compromised, only those messages encrypted under it are disclosed Used for a brief period then discarded cryptoperiod: length of time for which key is valid in this case, for a single (long) message not intended for reuse in future messages only intended for unidirectional usage: A->B, not B->A why? A chose the key, not B

Encryption We can now protect confidentiality of messages against Dolev-Yao attacker efficiently, thanks to hybrid of symmetric and asymmetric encryptionhonebook of public keys But what about integrity...?

DIGITAL SIGNATURES

Recall: Key pairs Instead of sharing a key between pairs of principals......every principal has a pair of keys public key: published for the world to see private key: kept secret and never shared

Key pair terminology Public key Private key Encryption Digital signatures Encryption key Verification key Decryption key Signing key

Digital signature scheme Sign(m; k): sign message m with key k, producing signature s as output Ver(m; s; K): verify signature s on message m with key K Gen(len): generate a key pair (K,k) of length len Sign

Protocol to exchange signed message 0. A: (K_A,k_A) = Gen(len) 1. A: s = Sign(m; k_a) 2. A -> B: m, s 3. B: accept if Ver(m; s; K_A) Message is sent in plaintext: no protection of confidentiality Goal is to detect modification not prevent...what if message is too long for asymmetric algorithms?

Security of digital signatures Must be hard to forge signature for a message without knowledge of key...like handwritten signatures Even if in possession of multiple (message, signature) pairs for that key...unlike handwritten signatures

RSA Core ideas are the same as RSA encryption Common mistake: RSA sign = encrypt with private key Truth (in real world, outside of textbooks): there's a core RSA function R that works with either K or k RSA encrypt = do some prep work on m then call R with K RSA sign = do different prep work on m then call R with k Prep work: recall textbook RSA is insecure (For encryption: OAEP) For signatures: PSS (probabilistic signature scheme) Also need to handle long messages

Signatures with hashing 1. A: s = Sign(H(m); k_a) 2. A -> B: m, s 3. B: accept if Ver(H(m); s; K_A) So common a practice that I won't bother to write the hashing from now on

DSA DSA: Digital Signature Algorithm [Kravitz 1991] Standardized by NIST and made available royalty-free in 1991/1993 Used for decades without any serious attacks Closely related to Elgamal encryption

Blind signatures [Chaum 1983] Purpose: signer doesn t know what they are signing Two additional algorithms: Blind and Unblind Unblind(Sign(Blind(m); k)) = Sign(m; k) Uses: e-cash, e-voting

Group signatures [Chaum and van Heyst 1991] Purpose: one member of group signs anonymously on behalf of group Introduces a group manager who controls membership Two new protocols: Join and Revoke, to manage membership One new algorithm: Open, which manager can run to reveal who signed a message

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback