290 likes | 455 Views
CS461/ECE422 Spring 2012. Public Key Encryption. Reading Material. Text Chapters 2 and 21 Handbook of Applied Cryptography, Chapter 8 http://www.cacr.math.uwaterloo.ca/hac/. Symmetric keys & Distribution. Every pair of people must share a secret key E.g.: Alice, Bob, Carol, David:
E N D
CS461/ECE422 Spring 2012 Public Key Encryption Nikita Borisov — UIUC
Reading Material • Text Chapters 2 and 21 • Handbook of Applied Cryptography, Chapter 8 • http://www.cacr.math.uwaterloo.ca/hac/ Nikita Borisov — UIUC
Symmetric keys & Distribution • Every pair of people must share a secret key • E.g.: Alice, Bob, Carol, David: KAB, KAC, KAD,KBC, KBD, KCD • How do you keep track of them all? • O(N2) keys for N people • How do you exchange them? • Must use a secure, out-of-band channel Nikita Borisov — UIUC
Public Key Cryptography • Cryptographers to the rescue! • Two keys: • Private key known only to owner • Public key available to anyone • One key pair per person • O(N) keys Merkle, Hellman, Diffie Nikita Borisov — UIUC
Public Cryptography Functionality • Public key encryption • Use public key to encrypt, private key to decrypt • RSA, ElGamal, ECIES • Public key signatures (similar to MAC) • Use private key to sign, public key to verify • RSA, DSA, ECDSA • Symmetric key distribution • Agree on a secret symmetric key over a public channel • Diffie-Hellman, ECDH, MQV, ECMQV Nikita Borisov — UIUC
Public-Key Cryptography Slide #9-6 Nikita Borisov — UIUC
General Facts about Public Key Systems • Public Key Systems are much slower than Symmetric Key Systems • RSA 100 to 1000 times slower than DES. 10,000 times slower than AES? • Generally used in conjunction with a symmetric system for bulk encryption • Public Key Systems are based on “hard” problems • Factoring large composites of primes, discrete logarithms, elliptic curves • Only a handful of public key systems perform both encryption and signatures Slide #9-7 Nikita Borisov — UIUC
Diffie-Hellman • The first public key algorithm • A key exchange algorithm, not for encryption or decryption • Set up: p prime, g is coprime with p • Alice -> Bob: gx (mod p), x random • Bob -> Alice: gy (mod p), y random • Alice and Bob compute: • (gx)y = (gy)x • Establish a secret key over a public channel Nikita Borisov — UIUC
Example: • p=23, g=5 • Alice picks x=6, sends Bob • 56 mod 23 = 8 • Bob picks y=15, sends Bob • 515 mod 23 = 19 • Alice computes: • 196 mod 23 = 2 • Bob computes: • 815 mod 23 = 2 Nikita Borisov — UIUC
Diffie-Hellman Security • Charlie has gx, gy needs to find gxy • Called “Diffie-Hellman Problem” • Fastest way: find x given gx • I.e. take logggx(mod p) • Discrete Logarithm Problem • Fastest known way is super-polynomial Nikita Borisov — UIUC
Real public DH values • For IPSec and SSL, there are a small set of g's and p's published that all standard implementations support. • Group 1 and 2 • http://tools.ietf.org/html/rfc2409 • Group 5 and newer proposed values • http://tools.ietf.org/html/draft-ietf-ipsec-ike-modp-groups-00 Nikita Borisov — UIUC
Diffie-Hellman and Man-in-the-Middle Bob Alice Eve Nikita Borisov — UIUC
RSA • by Rivest, Shamir& Adleman of MIT in 1977 • best known & widely used public-key scheme • based on exponentiation in a finite (Galois) field over integers modulo a prime • nb. exponentiation takes O((log n)3) operations (easy) • uses large integers (eg. 1024 bits) • security due to cost of factoring large numbers • nb. factorization takes O(elog n log log n) operations (hard) Slide #9-13 Nikita Borisov — UIUC
Modular Arithmetic • a mod b = x if for some k >= 0, bk + x = a • Associativity, Commutativity, and Distributivity hold in Modular Arithmetic • Inverses also exist in modular arithmetic • a + (-a) mod n = 0 • a * a-1 mod n = 1 Nikita Borisov — UIUC
Modular Arithmetic • Reducibility also holds • (a + b) mod n = (a mod n + b mod n) mod n • a * b mod n = ((a mod n) * b mod n) mod n • Fermat’s Thm: if p is any prime integer and a is an integer, then ap mod p = a • Corollary: ap-1 mod p = 1 if a != 0 and a is relatively prime to p Nikita Borisov — UIUC
Background • Totient function (n) • Number of positive integers less than n and relatively prime to n • Relatively prime means with no factors in common with n • Example: (10) = ? • 4 because 1, 3, 7, 9 are relatively prime to 10 • Example: (p) = ? where p is a prime • p-1 because all lower numbers are relatively prime • (pq) = (p-1)(q-1) when p, q are both prime Slide #9-16 Nikita Borisov — UIUC
Background • Euler generalized Fermat’s Theorem for composite numbers. • Fermat's Thmap-1=1 mod p if a != 0 • Euler’s Thm: x(n)=1 mod n • Works for any n Nikita Borisov — UIUC
RSA Algorithm • Choose two large prime numbers p, q • Let n = pq; then (n) = (p–1)(q–1) • Choose e < n such that e is relatively prime to (n). • Compute d such that ed mod (n) = 1 • Public key: (e, n); private key: d • Encipher: C = Me mod n • Decipher: M = Cd mod n • Generically: F(V, x) = Vx mod n Slide #9-18 Nikita Borisov — UIUC
Working through the equations • C = RSA(M, e) = Me mod n • M’ = RSA-1(C, d) • M’ = (Me mod n)d mod n • M’ = Med mod n • ed mod (n) = 1 • ed = k* (n) + 1 • M’ = (M mod n * Mk (n) mod n) mod n • By Euler’s theorem (Mk)(n) mod n = 1 • M’ = M mod n Nikita Borisov — UIUC
Example • p = 11, q = 17 • n = 187, (n) = 10*16 = 160 • Let e = 3, then d = 107 (107 * 3 = 321) • (can find this using Euclidian algorithm) • M = 29 • C = 293 = 24389 = 79 (mod 187) • M’ = 79107 = 111198458817782001560345203757362612455385730171461711652460776161878666503078037332114481897840666397054046667342677228042126488058019906317675811153792810865237482705174079886893643689363009468423234159 = 29 (mod 187) Nikita Borisov — UIUC
Modular Exponentiation • Don’t need to compute huge numbers • 293 (mod 187) = (292 mod 187) * 29 mod 187 = (841 mod 187) * 29 mod 187 = 93*29 mod 187 = 2697 mod 187 = 79 • Even better: square/multiply • M11 = ((M2)2*M)2*M • This is reasonably fast • Only 1000 or so times slower than DES Nikita Borisov — UIUC
RSA security • Charlie knows e, n, and receives Me (mod n) • How to find M? • Best known way is to factor n • Find p and q, find (n), find d • No proof that there isn’t a faster way • Factoring n is believed to be hard • Best algorithm is GNFS • Complexity is sub-exponential but superpolynomial • Largest factored number had 768 bits • (About 2000-CPU years on an 2.2 GHz Opteron) • Current recommendations are to use 1500-2000 bits Nikita Borisov — UIUC
RSA Security • Note: RSA as described is insecure! • Why? • Deterministic encryption: Me = M’eif and only if M=M’ • Even worse than in the symmetric case because Charlie can try many possibilities for M • Semantic security • Adversary picks m1 and m2 and is provided with Encrypt(mi), must guess i • Requires randomized encryption Nikita Borisov — UIUC
Padding • Introduce randomness to message • P = r || M, where r is random • Encryption: Pe • Decryption: (Pe)d, discard random prefix • (Actually, still not quite secure, see RSA-OAEP for proper usage) Nikita Borisov — UIUC
Hybrid Encryption • How do we encrypt messages longer than 1024 bits? • Break into blocks, use RSA on each block (slow, potentially insecure) • Use a hybrid between RSA and AES • Pick random key K • Send: RSAEncrypt(K), AES-CBC-Encrypt(K, M) • Must ensure K is random! Nikita Borisov — UIUC
RSA Signatures • RSA is symmetric • RSADec(RSAEnc(M)) = RSAEnc(RSADec(M)) = Med (mod n) = M • To “sign” a message, Alice computes S = Md(mod n) • Bob verifies that Se = Med = M (mod n) • No one other than Alice could have generated S • Not even Bob • Bob can show S to third parties (non-repudiation) Nikita Borisov — UIUC
Hash functions • How do we sign messages longer than 1024 bits? • Use a hash function Nikita Borisov — UIUC
Hash functions in signatures • Alice sends RSASign(h(M)) • Bob computes h(M), verifies signature • Security: • Bob cannot generate a signature because: • He can’t produce a signature on a chosen message • He can’t solve h(M) = S’efor M because h is one way • Alice is nevertheless committed to her signature • Cannot find M1, M2 such that h(M1) = h(M2) Nikita Borisov — UIUC
Key Points • Public Key systems enable multiple operations • Confidentiality (key encryption) • Integrity and nonrepudiation • Symmetric key exchange • Slower than symmetric crypto, but still practical • Especially in hybrid modes • Must be careful how they are used • Padding, hash functions Nikita Borisov — UIUC