Public Key Cryptography
Kurose & Ross, Chapters 8.2-8.3 (5th ed.)
Slides adapted from: J. Kurose & K. Ross, Computer Networking: A Top Down Approach (5th ed.), Addison-Wesley, April 2009. Copyright 1996-2010, J.F Kurose and K.W. Ross, All Rights Reserved.

symmetric key crypto
- requires sender, receiver know shared secret key
- Q: how to agree on key in first place (particularly if never "met")?

public key cryptography
- radically different approach [Diffie-Hellman76, RSA78]
- sender, receiver do not share secret key
- public encryption key known to all
- private decryption key known only to receiver

Public key cryptography
[Figure: plaintext message, m -> encryption algorithm (Bob's public key) -> ciphertext K_B(m) -> decryption algorithm (Bob's private key) -> plaintext message m = K (K (m))]

Public key encryption algorithms
Requirements:
1. need K ( ) and K ( ) such that K (K (m)) = m
2. given public key K_B, it should be impossible to compute private key
RSA: Rivest, Shamir, Adleman algorithm

Prerequisite: modular arithmetic
x mod n = remainder of x when divided by n
Facts:
[(a mod n) (b mod n)] mod n = (ab) mod n
[(a mod n) (b mod n)] mod n = (ab) mod n
[(a mod n) * (b mod n)] mod n = (a*b) mod n
Thus (a mod n)^d mod n = a^d mod n
Example: x=14, n=10, d=2:
(x mod n)^d mod n = 4^2 mod 10 = 6
x^d = 14^2 = 196
x^d mod 10 = 6

RSA: getting ready
- A message is a bit pattern.
- A bit pattern can be uniquely represented by an integer number.
- Thus encrypting a message is equivalent to encrypting a number.
Example: m = 10010001. This message is uniquely represented by the decimal number 145. To encrypt m, we encrypt the corresponding number, which gives a new number (the ciphertext).
RSA: Creating public/private key pair
1. Choose two large prime numbers p, q (e.g., 1024 bits each).
2. Compute n = pq, z = (p-1)(q-1).
3. Choose e (with e < n) that has no common factors with z (e, z are "relatively prime").
4. Choose d such that ed-1 is exactly divisible by z (in other words: ed mod z = 1).
5. Public key is (n,e). Private key is (n,d).

RSA: Encryption, decryption
0. Given (n,e) and (n,d) as computed above
1. To encrypt message m (<n), compute c = m^e mod n
2. To decrypt received bit pattern, c, compute m = c^d mod n
Magic happens! m = (m^e mod n)^d mod n, where the inner term m^e mod n is c.

RSA example:
Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z).
Encrypting 8-bit messages.

encrypt:   bit pattern   m    m^e     c = m^e mod n
           00001000      12   24832   17

decrypt:   c    c^d                                    m = c^d mod n
           17   481968572106750915091411825223071697   12

Why does RSA work?
Must show that c^d mod n = m where c = m^e mod n
Fact: for any x and y: x^y mod n = x^(y mod z) mod n, where n = pq and z = (p-1)(q-1)
Thus,
c^d mod n = (m^e mod n)^d mod n
          = m^(ed) mod n
          = m^(ed mod z) mod n
          = m^1 mod n
          = m

RSA: another important property
The following property will be very useful later:
K (K (m)) = m = K (K (m))
left side: use public key first, followed by private key
right side: use private key first, followed by public key
Result is the same!

Why K (K (m)) = m = K (K (m))?
Follows directly from modular arithmetic:
(m^e mod n)^d mod n = m^(ed) mod n
                    = m^(de) mod n
                    = (m^d mod n)^e mod n
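The key-creation steps, the p=5, q=7 example and the "either order" property above, worked through in Python. This is an added example, not code from the slides; the function names are hypothetical, and it assumes p and q are already known to be prime.

```python
from math import gcd

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def make_keypair(p, q, e, d=None):
    """Steps 1-5 of the slide; p and q are assumed to be prime."""
    n, z = p * q, (p - 1) * (q - 1)
    if not 1 < e < n or gcd(e, z) != 1:
        raise ValueError("e must be < n and relatively prime to z")
    if d is None:
        d = egcd(e, z)[1] % z          # smallest d with e*d mod z == 1
    elif (e * d - 1) % z != 0:
        raise ValueError("e*d - 1 must be exactly divisible by z")
    return (n, e), (n, d)

def apply_key(m, key):
    """m^exponent mod n: the same operation serves the public and the private key."""
    n, exponent = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, exponent, n)         # modular exponentiation, no huge intermediate

def both_orders_agree(public, private):
    """Public-then-private and private-then-public both return m, for every m < n."""
    n = public[0]
    return all(apply_key(apply_key(m, public), private) == m ==
               apply_key(apply_key(m, private), public) for m in range(n))

if __name__ == "__main__":
    public, private = make_keypair(5, 7, e=5, d=29)   # the slide's numbers
    c = apply_key(12, public)
    print("n, e, d:", public[0], public[1], private[1])
    print("12 encrypts to", c, "and decrypts to", apply_key(c, private))
    print("both orders agree:", both_orders_agree(public, private))
    # d only matters modulo z, so the smallest valid d (here 5) decrypts as well
    print("smallest d:", make_keypair(5, 7, e=5)[1][1])
```

With n = 35 every message can be recovered by trying all 35 values, which is why step 1 asks for primes of about 1024 bits each.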
Why is RSA Secure?
- suppose you know public key (n,e). How hard is it to determine d?
- essentially need to find factors of n without knowing the two factors p and q.
- fact: factoring a big number is hard.

Generating RSA keys
- have to find big primes p and q
- approach: make good guess then apply testing rules (see Kaufman)

Session keys
- Exponentiation is computationally intensive
- DES is at least 100 times faster than RSA

Session key, K_S
- Bob and Alice use RSA to exchange a symmetric key K_S
- Once both have K_S, they use symmetric key cryptography

Chapter 8 roadmap
8.1 What is network security?
8.2 Principles of cryptography
8.3 Message integrity
8.4 Securing email
8.5 Securing TCP connections: SSL
8.6 Network layer security: IPsec
8.7 Securing wireless LANs
8.8 Operational security: firewalls and IDS

Message Integrity
- allows communicating parties to verify that received messages are authentic.
  - Content of message has not been altered
  - Source of message is who/what you think it is
  - Message has not been replayed
  - Sequence of messages is maintained
- let's first talk about message digests

Message Digests
- function H( ) that takes as input an arbitrary length message and outputs a fixed-length string
- note that H( ) is a many-to-1 function
- H( ) is often called a "hash function"
[Figure: large message m -> H: Hash Function]
desirable properties:
- easy to calculate
- irreversibility: Can't determine m from
- collision resistance: computationally difficult to produce m and m such that = H(m )
- seemingly random output

Internet checksum: poor message digest
Internet checksum has some properties of hash function:
- produces fixed length digest (16-bit sum) of input
- is many-to-one
but given message with given hash value, it is easy to find another message with same hash value.
e.g.,: simplified checksum: add 4-byte chunks at a time:

message    ASCII format
I O U 1    49 4F 55 31
0 0 . 9    30 30 2E 39
9 B O B    39 42 D2 42
           B2 C1 D2 AC

message    ASCII format
I O U 9    49 4F 55 39
0 0 . 1    30 30 2E 31
9 B O B    39 42 D2 42
           B2 C1 D2 AC

different messages but identical checksums!
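The simplified checksum above, as an added Python example (not from the slides; the function names are hypothetical). It is computed from the actual ASCII bytes of the two strings, where 'O' is 0x4F, and goes one step beyond the slide by showing the general rule behind the collision: moving a value between two bytes in the same column leaves the sum unchanged, while a cryptographic hash (SHA-256 here) separates the two messages.

```python
import hashlib

def simplified_checksum(message: bytes) -> int:
    """Sum the message as 32-bit big-endian words, keeping the low 32 bits."""
    padded = message + b"\x00" * (-len(message) % 4)   # zero-pad last chunk (assumption)
    total = 0
    for i in range(0, len(padded), 4):
        total = (total + int.from_bytes(padded[i:i + 4], "big")) & 0xFFFFFFFF
    return total

def colliding_variant(message: bytes, i: int, j: int, delta: int) -> bytes:
    """Move `delta` from byte j to byte i. Both bytes must sit in the same
    column (i % 4 == j % 4), so the column sum, and the checksum, is unchanged."""
    if i % 4 != j % 4:
        raise ValueError("bytes must be in the same 4-byte column")
    out = bytearray(message)
    if not (0 <= out[i] + delta <= 255 and 0 <= out[j] - delta <= 255):
        raise ValueError("delta would take a byte out of range")
    out[i] += delta
    out[j] -= delta
    return bytes(out)

def sha256_hex(message: bytes) -> str:
    return hashlib.sha256(message).hexdigest()

if __name__ == "__main__":
    original = b"IOU100.99BOB"
    altered = colliding_variant(original, 3, 7, 8)     # '1' -> '9' and '9' -> '1'
    for msg in (original, altered):
        print(msg.decode(), f"{simplified_checksum(msg):08X}", sha256_hex(msg)[:16])
```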
Hash Function Algorithms
- MD5 hash function widely used (RFC 1321)
  - computes 128-bit message digest in 4-step process.
- SHA-1 is also used.
  - US standard [NIST, FIPS PUB 180-1]
  - 160-bit message digest

Message Authentication Code (MAC)
[Figure: message and shared secret s go through H( ) at the sender; the receiver recomputes H( ) with s and compares]
s = shared secret
- Authenticates sender
- Verifies message integrity
- No encryption!
- Also called "keyed hash"
- Notation: MD_m = H(s m); send m MD_m

Endpoint authentication
- want to be sure of the originator of the message: endpoint authentication
- assuming Alice and Bob have a shared secret, will MAC provide endpoint authentication?
  - we do know that Alice created message.
  - but did she send it?

Playback attack
MAC = f(msg,s)
[Figure: "Transfer $1M from Bill to Trudy" + MAC is sent, and the same message + MAC is sent again]

Defending against playback attack: nonce
MAC = f(msg,s,r)
[Figure: "I am Alice"; R; "Transfer $1M from Bill to Susan" + MAC]

Digital Signatures
cryptographic technique analogous to handwritten signatures.
- sender (Bob) digitally signs document, establishing he is document owner/creator.
- goal is similar to that of MAC, except now use public key cryptography
- verifiable, nonforgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed document
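The difference between MAC = f(msg,s) and MAC = f(msg,s,r) from the playback slides above, as an added Python example that is not part of the slides. HMAC-SHA256 is swapped in for the slide's hash-based MAC, and the Receiver class, its method names and the sample secret are hypothetical.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # fixed length keeps the nonce/message boundary unambiguous

def mac(secret: bytes, msg: bytes, nonce: bytes = b"") -> bytes:
    """MAC = f(msg, s, r); HMAC-SHA256 stands in for the slide's keyed hash."""
    return hmac.new(secret, nonce + msg, hashlib.sha256).digest()

def accept_without_nonce(secret, msg, tag):
    """MAC = f(msg, s): shows who created msg, not that it is fresh."""
    return hmac.compare_digest(mac(secret, msg), tag)

class Receiver:
    """Issues a nonce R per request and accepts each nonce at most once."""
    def __init__(self, secret):
        self._secret = secret
        self._pending = set()

    def challenge(self):
        r = secrets.token_bytes(NONCE_LEN)
        self._pending.add(r)
        return r

    def accept(self, msg, nonce, tag):
        if nonce not in self._pending:
            return False                    # unknown or already-used nonce: playback
        self._pending.discard(nonce)        # single use, even if the MAC is wrong
        return hmac.compare_digest(mac(self._secret, msg, nonce), tag)

def demo():
    secret = b"constructed shared secret"   # constructed sample value
    msg = b"Transfer $1M from Bill to Susan"
    bob = Receiver(secret)
    recorded = (msg, mac(secret, msg))      # message + MAC as seen on the wire
    r = bob.challenge()
    fresh = (msg, r, mac(secret, msg, r))
    return {
        "no nonce, first time": accept_without_nonce(secret, *recorded),
        "no nonce, played back": accept_without_nonce(secret, *recorded),
        "nonce, first time": bob.accept(*fresh),
        "nonce, played back": bob.accept(*fresh),
        "old MAC, new nonce": bob.accept(msg, bob.challenge(), fresh[2]),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```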
Digital Signatures
simple digital signature for message m:
- Bob signs m by encrypting with his private key, creating "signed" message, (m)
[Figure: Bob's message, m ("Dear Alice, Oh, how I have missed you. I think of you all the time! ... (blah blah blah) Bob") -> public key encryption algorithm with Bob's private key K_B -> (m): Bob's message, m, signed (encrypted) with his private key]

Digital signature = signed message digest
Bob sends digitally signed message:
[Figure: large message m -> H: Hash function -> digital signature (encrypt) with Bob's private key -> encrypted msg digest, sent along with m]
Alice verifies signature and integrity of digitally signed message:
[Figure: large message m -> H: Hash function; encrypted msg digest -> digital signature (decrypt) with Bob's public key; equal?]

Digital Signatures (more)
- suppose Alice receives msg m, digital signature (m)
- Alice verifies m signed by Bob by applying Bob's public key to (m) then checks ( (m) ) = m.
- if ( (m) ) = m, whoever signed m must have used Bob's private key.
Alice thus verifies that:
- Bob signed m.
- no one else signed m.
- Bob signed m and not m.
Non-repudiation:
- Alice can take m, and signature (m) to court and prove that Bob signed m.

Public key certification
motivation: Trudy plays pizza prank on Bob
- Trudy creates email order: Dear Pizza Store, Please deliver to me four pepperoni pizzas. Thank you, Bob
- Trudy signs order with her private key
- Trudy sends order to Pizza Store
- Trudy sends to Pizza Store her public key, but says it's Bob's public key.
- Pizza Store verifies signature; then delivers four pizzas to Bob.
- Bob doesn't even like Pepperoni

Certification Authorities
- Certification authority (CA): binds public key to particular entity, E.
- E (person, router) registers its public key with CA.
  - E provides "proof of identity" to CA.
  - CA creates certificate binding E to its public key.
  - certificate containing E's public key digitally signed by CA: CA says "this is E's public key"
[Figure: Bob's public key and Bob's identifying information -> digital signature (encrypt) with CA private key K_CA -> certificate for Bob's public key, signed by CA]

Certification Authorities
- when Alice wants Bob's public key:
  - gets Bob's certificate (Bob or elsewhere).
  - apply CA's public key to Bob's certificate, get Bob's public key
[Figure: Bob's certificate -> digital signature (decrypt) with CA public key K_CA -> Bob's public key K_B]
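The signed-digest scheme and the certificate check that stops the pizza prank above, as an added Python example that is not part of the slides. It uses textbook RSA on a SHA-256 digest reduced mod n; the key sizes, the certificate layout (a dict with name, public key and CA signature) and all function names are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys below

def keypair(p, q):
    """Toy RSA key pair from two given primes: ((n, e), (n, d))."""
    n, z = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, z))      # d = e^-1 mod z (Python 3.8+)

def digest(data, n):
    """SHA-256 of data, reduced mod n so the toy key can sign it."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    n, d = private
    return pow(digest(data, n), d, n)      # "encrypt" the digest with the private key

def verify(data, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(data, n)

def binding(name, public):
    """Bytes the CA signs: the entity name bound to its public key."""
    return f"{name}|{public[0]}|{public[1]}".encode()

def issue_certificate(name, public, ca_private):
    return {"name": name, "public": public, "sig": sign(binding(name, public), ca_private)}

def accepts(order, signature, cert, claimed_name, ca_public):
    """Pizza Store check: the CA vouches for this name/key pair, then the order verifies."""
    vouched = (cert["name"] == claimed_name and
               verify(binding(cert["name"], cert["public"]), cert["sig"], ca_public))
    return vouched and verify(order, signature, cert["public"])

# Constructed toy keys built from Mersenne primes; far too small and structured for real use.
CA_PUB, CA_PRIV = keypair(2**127 - 1, 2**107 - 1)
BOB_PUB, BOB_PRIV = keypair(2**89 - 1, 2**61 - 1)
TRUDY_PUB, TRUDY_PRIV = keypair(2**61 - 1, 2**31 - 1)
ORDER = b"Dear Pizza Store, Please deliver to me four pepperoni pizzas. Thank you, Bob"

def scenarios():
    bob_cert = issue_certificate("Bob", BOB_PUB, CA_PRIV)
    trudy_cert = issue_certificate("Trudy", TRUDY_PUB, CA_PRIV)
    forged = issue_certificate("Bob", TRUDY_PUB, TRUDY_PRIV)   # signed by Trudy, not the CA
    trudy_sig = sign(ORDER, TRUDY_PRIV)
    return {
        "no certificate check": verify(ORDER, trudy_sig, TRUDY_PUB),
        "forged certificate": accepts(ORDER, trudy_sig, forged, "Bob", CA_PUB),
        "Trudy's own certificate": accepts(ORDER, trudy_sig, trudy_cert, "Bob", CA_PUB),
        "Bob's certificate": accepts(ORDER, sign(ORDER, BOB_PRIV), bob_cert, "Bob", CA_PUB),
    }

if __name__ == "__main__":
    for case, accepted in scenarios().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the first and last cases are accepted: without a certificate the store has no way to tell whose key verified the order, and with one the order is accepted only when the CA-signed binding names Bob.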
Certificates: summary
- primary standard X.509 (RFC 2459)
- certificate contains:
  - issuer name
  - entity name, address, domain name, etc.
  - entity's public key
  - digital signature (signed with issuer's private key)
- Public-Key Infrastructure (PKI)
  - certificates, certification authorities
  - often considered "heavy"

Why study computer networks?
- An interface between theory (algorithms, mathematics) and practice
- Understanding the design principles of a truly complex system
- Industry-relevant knowledge
- Fun!

Challenges in teaching computer networks
Students' feedback