Introduction to Public-Key Cryptography

Similar documents
Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Public Key Algorithms

Public-Key Cryptography

Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7

Public-Key Cryptanalysis

CS408 Cryptography & Internet Security

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Post-Quantum Cryptography A Collective Challenge

Chapter 9 Public Key Cryptography. WANG YANG

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

POST-QUANTUM CRYPTOGRAPHY VIENNA CYBER SECURITY WEEK DR. DANIEL SLAMANIG

E-th roots and static Diffie-Hellman using index calculus

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

Asymmetric Primitives. (public key encryptions and digital signatures)

Lecture 20 Public key Crypto. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Bailey s ECE 422

CSC 474/574 Information Systems Security

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Lecture 2 Applied Cryptography (Part 2)

Advanced Security for Systems Engineering VO 09: Applied Cryptography

Introduction to Cryptography Lecture 7

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

CSE 127: Computer Security Cryptography. Kirill Levchenko

Key Exchange. Secure Software Systems

Introduction to Cryptography Lecture 7

Outline. From last time. Feistel cipher. Some DES history DES. Block ciphers and modes of operation

The transition to post-quantum cryptography. Peter Schwabe February 19, 2018

Cryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44

Implementation and Benchmarking of Elliptic Curve Cryptography Algorithms

RSA. Public Key CryptoSystem

Crypto CS 485/ECE 440/CS 585 Fall 2017

Applied Cryptography and Computer Security CSE 664 Spring 2018

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who

The Application of Elliptic Curves Cryptography in Embedded Systems

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Lecture 3.4: Public Key Cryptography IV

Cryptography V: Digital Signatures

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

Encryption. INST 346, Section 0201 April 3, 2018

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Abhijith Chandrashekar and Dushyant Maheshwary

Public Key Encryption

RSA (algorithm) History

CS 395T. Formal Model for Secure Key Exchange

Cryptography and Network Security. Sixth Edition by William Stallings

Lecture 9: Public-Key Cryptography CS /05/2018

Securely Combining Public-Key Cryptosystems

Outline. Block cipher, basic idea. From last time. Pseudorandom permutation. Confusion and diffusion. Block ciphers and modes of operation

Introduction to Cryptography. Vasil Slavov William Jewell College

What did we talk about last time? Public key cryptography A little number theory

NIST Post- Quantum Cryptography Standardiza9on

Introduction to Post-Quantum Cryptography

Introduction to Post-Quantum Cryptography

Cryptography V: Digital Signatures

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

8/30/17. Introduction to Post-Quantum Cryptography. Features Required from Today s Ciphers. Secret-key (Symmetric) Ciphers

Cryptographic protocols

Understanding Cryptography by Christof Paar and Jan Pelzl. Chapter 9 Elliptic Curve Cryptography

Public Key Algorithms

Public Key Cryptography

RSA Cryptography in the Textbook and in the Field. Gregory Quenell

RSA (material drawn from Avi Kak Lecture 12, Lecture Notes on "Computer and Network Security" Used in asymmetric crypto.

PUBLIC KEY CRYPTO. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

Diffie-Hellman, discrete logs, the NSA, and you. J. Alex Halderman University of Michigan

Post-Quantum Cryptography

UNCLASSIFIED INFORMATION TECHNOLOGY SECURITY GUIDANCE

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security

Overview. Public Key Algorithms I

Analysis, demands, and properties of pseudorandom number generators

Introduction to Cryptography Lecture 11

Cryptography: More Primitives

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 6 Introduction to Public-Key Cryptography

Public Key Cryptography, OpenPGP, and Enigmail. 31/5/ Geek Girls Carrffots GVA

ECC Elliptic Curve Cryptography. Foundations of Cryptography - ECC pp. 1 / 31

Public Key Cryptography

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 6 Introduction to Public-Key Cryptography

Public Key Encryption. Modified by: Dr. Ramzi Saifan

Practical Attacks on Implementations

New Public Key Cryptosystems Based on the Dependent RSA Problems

Cryptography and Network Security Chapter 13. Digital Signatures & Authentication Protocols

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

Public Key Cryptography 2. c Eli Biham - December 19, Public Key Cryptography 2

Notes for Lecture 14

Cryptography. Lecture 12. Arpita Patra

Chapter 9. Public Key Cryptography, RSA And Key Management

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Kurose & Ross, Chapters (5 th ed.)

Workshop Challenges Startup code in PyCharm Projects

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Cryptography and Network Security. Sixth Edition by William Stallings

Computer Security: Principles and Practice

Chapter 7 Public Key Cryptography and Digital Signatures

Transcription:

Introduction to Public-Key Cryptography Nadia Heninger University of Pennsylvania June 11, 2018

We stand today on the brink of a revolution in cryptography. Diffie and Hellman, 1976

Symmetric cryptography AES k (m) * Toy protocol for illustration purposes only; not secure.

Public key crypto idea # 1: Key exchange Solving key distribution without trusted third parties Key Exchange AES k (m) k = KDF(kex) k = KDF(kex) * Toy protocol for illustration purposes only; not secure.

Textbook Diffie-Hellman [Diffie Hellman 1976] Public Parameters G a cyclic group (e.g. F p, or an elliptic curve) g group generator Key Exchange g a g b a g ab g ab b

Finite-Field Diffie-Hellman Public Parameters p a prime q a subgroup order; q (p 1) g a generator of multiplicative group of order q F p Key Exchange g a mod p g b mod p g ab mod p g ab mod p

The Discrete Log Problem Problem: Given g a mod p, compute a. Solving this problem permits attacker to compute shared key by computing a and raising (g b ) a. Discrete log is in NP and conp not NP-complete (unless P=NP or similar). Shor s algorithm solves discrete log with a quantum computer in polynomial time.

The Computational Diffie-Hellman problem Problem: Given g a mod p, g b mod p, compute g ab mod p. Exactly problem of computing shared key from public information. Reduces to discrete log in some cases: Diffie-Hellman is as strong as discrete log for certain primes [den Boer 1988] both problems are (probabilistically) polynomial-time equivalent if the totient of p 1 has only small prime factors Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms [Maurer 1994] if... an elliptic curve with smooth order can be construted efficiently, then... [the discrete log] can be reduced efficiently to breakingthe Diffie-Hellman protocol Computational Diffie-Hellman Assumption: No efficient algorithm to solve this problem.

Decisional Diffie-Hellman problem Problem: Given g a mod p, g b mod p, distinguish g ab mod p from random. Decisional Diffie-Hellman Assumption: No efficient algorithm has better than negligible advantage. Required for most security proofs.

Selecting parameters for finite-field Diffie-Hellman For 128-bit security: Choose 256-bit q. Pollard rho/baby step-giant step algorithm: O( q)

Selecting parameters for finite-field Diffie-Hellman For 128-bit security: Choose 256-bit q. Pollard rho/baby step-giant step algorithm: O( q) Choose prime group order q. (Pohlig-Hellman algorithm: as secure as largest factor of q.)

Selecting parameters for finite-field Diffie-Hellman For 128-bit security: Choose 256-bit q. Pollard rho/baby step-giant step algorithm: O( q) Choose prime group order q. (Pohlig-Hellman algorithm: as secure as largest factor of q.) Choose 256-bit exponents a, b. Pollard lambda algorithm: O( a)

Selecting parameters for finite-field Diffie-Hellman For 128-bit security: Choose 256-bit q. Pollard rho/baby step-giant step algorithm: O( q) Choose prime group order q. (Pohlig-Hellman algorithm: as secure as largest factor of q.) Choose 256-bit exponents a, b. Pollard lambda algorithm: O( a) Choose 2048-bit prime modulus p. Number field sieve algorithm: O(exp(1.92 ln p 1/3 (ln ln p) 2/3 ))

Selecting parameters for finite-field Diffie-Hellman For 128-bit security: Choose 256-bit q. Pollard rho/baby step-giant step algorithm: O( q) Choose prime group order q. (Pohlig-Hellman algorithm: as secure as largest factor of q.) Choose 256-bit exponents a, b. Pollard lambda algorithm: O( a) Choose 2048-bit prime modulus p. Number field sieve algorithm: O(exp(1.92 ln p 1/3 (ln ln p) 2/3 )) Choose nothing-up-my-sleeve p (e.g. digits of π, e) Special number field sieve: O(exp(1.53 ln p 1/3 (ln ln p) 2/3 ))

Real-world finite field DH implementation choices 1024-bit primes remain common in practice. Many standardized, hard-coded primes. 1024-bit primes baked into SSH, IPsec, but have been deprecated by some implementations. NIST recommends working within smaller order subgroup (e.g. 160 bits for 1024-bit prime) Many implementations use short exponents (e.g. 256 bits) DDH often false in practice: many implementations generate full group mod p. Support for FF-DH has dropped rapidly in TLS in favor of ECDH.

My personal recommendation Don t use prime-field Diffie-Hellman at all. Too many implementation vulnerabilities. ECDH is more secure (classically) as far as we know.

Elliptic-Curve Diffie-Hellman Public Parameters E an elliptic curve g a group generator ga gb gab gab

Selecting parameters for elliptic-curve Diffie-Hellman For 128-bit security: Choose a 256-bit curve. (ECDH keys are shorter because fewer strong attacks.) See Craig s talk later today! Real-world implementation choices for ECDH ECDH rapidly becoming more common than FF-DH. NIST p256 most common curve.

Post-quantum Diffie-Hellman Promising Candidate: Supersingular Isogeny Diffie-Hellman See Craig s talk on Friday for more! Diffie-Hellman from lattices: situation is complex. See Douglas s talk later today for more!

Idea # 2: Key encapsulation/public-key encryption Solving key distribution without trusted third parties c = KEM(k) AES k (m) k = DEC(c) * Toy protocol for illustration purposes only; not secure.

Textbook RSA Encryption [Rivest Shamir Adleman 1977] Public Key N = pq modulus e encryption exponent Private Key p, q primes d decryption exponent (d = e 1 mod (p 1)(q 1)) public key = (N, e) ciphertext = message e mod N message = ciphertext d mod N

Factoring Problem: Given N, compute its prime factors. Computationally equivalent to computing private key d. Factoring is in NP and conp not NP-complete (unless P=NP or similar). Shor s algorithm factors integers on a quantum computer in polynomial time.

eth roots mod N Problem: Given N, e, and c, compute x such that x e c mod N. Equivalent to decrypting an RSA-encrypted ciphertext. Not known whether it reduces to factoring: Breaking RSA may not be equivalent to factoring [Boneh Venkatesan 1998] an algebraic reduction from factoring to breaking low-exponent RSA can be converted into an efficient factoring algorithm Breaking RSA generically is equivalent to factoring [Aggarwal Maurer 2009] a generic ring algorithm for breaking RSA in Z N can be converted into an algorithm for factoring RSA assumption : This problem is hard.

A garden of attacks on textbook RSA Unpadded RSA encryption is homomorphic under multiplication. Let s have some fun! Attack: Malleability Given a ciphertext c = Enc(m) = m e mod N, attacker can forge ciphertext Enc(ma) = ca e mod N for any a. Attack: Chosen ciphertext attack Given a ciphertext c = Enc(m) for unknown m, attacker asks for Dec(ca e mod N) = d and computes m = da 1 mod N. So in practice always use padding on messages.

RSA PKCS #1 v1.5 padding m = 00 02 [random padding string] 00 [data] Encrypter pads message, then encrypts padded message using RSA public key. Decrypter decrypts using RSA private key, strips off padding to recover original data. Q: What happens if a decrypter decrypts a message and the padding isn t in correct format? A: Throw an error?

RSA PKCS #1 v1.5 padding m = 00 02 [random padding string] 00 [data] Encrypter pads message, then encrypts padded message using RSA public key. Decrypter decrypts using RSA private key, strips off padding to recover original data. Q: What happens if a decrypter decrypts a message and the padding isn t in correct format? A: Throw an error? Bleichenbacher padding oracle attack. OAEP and variants are CCA-secure padding, but nobody uses them.

Selecting parameters for RSA encryption Choose 2048-bit modulus N. Number field sieve factoring: O(exp(1.92 ln p 1/3 (ln ln p) 2/3 )) Choose e 65537. Avoids Coppersmith-type small exponent attacks. If you can, use Shoup RSA-KEM or similar. Send r e mod N, derive k = KDF(r). My personal recommendation: Just don t use RSA. (ECDH is probably better for key agreement.)

Real-world implementation choices for RSA Most of the internet has moved to at least 2048-bit keys. Nearly everyone uses e = 65537. Almost nobody uses e > 32 bits. RSA key exchange supported by default for TLS. PKCS#1v1.5 is universally used. Padding oracle protection: if padding error, generate random secret and continue handshake with random secret. Many implementations use safe primes (p 1 = 2q) or have special form (p 1 = hq) for prime q.

Other PKE/KEM systems ElGamal: Public-key encryption from discrete log. Weirdly only used by PGP. Post-Quantum KEMs: Ring-LWE, etc. See Douglas s talk later today.

Idea #3: Digital Signatures Solving the authentication problem. g a g b s = Sign(g a, g b ) AES k (m) k = KDF(g ab ) Verify(s) k = KDF(g ab ) * Toy protocol for illustration purposes only; not secure.

Textbook RSA Signatures [Rivest Shamir Adleman 1977] Public Key N = pq modulus e encryption exponent Private Key p, q primes d decryption exponent (d = e 1 mod (p 1)(q 1)) public key = (N, e) signature = message d mod N message = signature e mod N

eth roots mod N Problem: Given N, e, and c, compute x such that x e c mod N. Equivalent to selective forgery of RSA signatures.

Attacking textbook RSA signatures Attack: Signature forgery 1. Attacker wants Sign(x). 2. Attacker computes z = xy e mod N for some y. 3. Attacker asks signer for s = Sign(z) = z d mod N. 4. Attacker computes Sign(x) = sy 1 mod N. Countermeasures: Always use padding with RSA. Hash-and-sign paradigm. Positive viewpoint: Signature blinding.

RSA PKCS #1 v1.5 signature padding m = 00 01 [FF FF FF... FF FF] 00 [data H(m)] Signer hashes and pads message, then signs padded message using RSA private key. Verifier verifies using RSA public key, strips off padding to recover hash of message. Q: What happens if a decrypter doesn t correctly check padding length?

RSA PKCS #1 v1.5 signature padding m = 00 01 [FF FF FF... FF FF] 00 [data H(m)] Signer hashes and pads message, then signs padded message using RSA private key. Verifier verifies using RSA public key, strips off padding to recover hash of message. Q: What happens if a decrypter doesn t correctly check padding length? A: Bleichenbacher low exponent signature forgery attack.

Setting parameters for RSA signatures Same guidance as RSA encryption. Use ECDSA instead.

Real-world implementation choices for RSA signatures RSA remains default signature scheme for most protocols. Some highly important keys remain 1024-bit. (DNSSEC root was 1024 bits until 2016, long-lived TLS certs, etc.) Nearly everyone uses exponent e = 65537. PKCS#1v.1.5 padding used everywhere. Same RSA keys used for encryption and signatures in TLS.

DSA (Digital Signature Algorithm) Public Key p prime q prime, divides (p 1) g generator of subgroup of order q mod p y = g x mod p Private Key x private key Verify u 1 = H(m)s 1 mod q u 2 = rs 1 mod q r? = g u 1 y u 2 mod p mod q Sign Generate random k. r = g k mod p mod q s = k 1 (H(m) + xr) mod q

DSA Security Assumptions Discrete Log Breaking DSA is equivalent to computing discrete logs in the random oracle model. [Pointcheval, Vaudenay 96]

A garden of attacks on DSA nonces Public Key p, q, g domain parameters Private Key x private key y = g x mod p Signature: (r, s 1 ) r = g k mod p mod q s 1 = k 1 (H(m 1 ) + xr) mod q DSA nonce known easily compute private key.

A garden of attacks on DSA nonces Public Key p, q, g domain parameters Private Key x private key y = g x mod p Signature: (r, s 1 ) r = g k mod p mod q s 1 = k 1 (H(m 1 ) + xr) mod q Signature: (r, s 2 ) r = g k mod p mod q s 2 = k 1 (H(m 2 ) + xr) mod q DSA nonce known easily compute private key. s 1 s 2 = k 1 (H(m 1 ) H(m 2 )) mod q DSA nonce reused easily compute nonce.

A garden of attacks on DSA nonces Public Key p, q, g domain parameters Private Key x private key y = g x mod p Signature: (r, s 1 ) r = g k mod p mod q s 1 = k 1 (H(m 1 ) + xr) mod q Signature: (r, s 2 ) r = g k mod p mod q s 2 = k 1 (H(m 2 ) + xr) mod q DSA nonce known easily compute private key. DSA nonce reused easily compute nonce. Biased DSA nonces compute nonces. (Hidden number problem and variants.)

Setting parameters for (EC)DSA Same security considerations as Diffie-Hellman. Prefer ECDSA over DSA for classical adversaries. Generate k deterministically. RFC 6979: k = HMAC x (m)

Real-world implementation choices for (EC)DSA. FF-DSA widely supported in SSH, but not other protocols (TLS or IPsec). ECDSA is rapidly becoming more common. NIST p256 most common curve. Nonce generation remains a common source of implementation vulnerabilities.

Post-quantum signatures Many candidates: Hash-based signatures. Lattice-based signatures.... Future cryptographic best practices TBD. See Douglas s talk later today.

TLS cipher suite statistics from the ICSI notary

Summary of Public Key Algorithms in Practice Old and Current Future busted practice hotness Key exchange FF-DH ECDH SIDH Key encapsulation RSA Ring-LWE Signatures RSA ECDSA Hashes? Lattices?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback