CSCE 465 Computer & Network Security: Public Key Cryptography
Roadmap
- Introduction
- RSA
- Diffie-Hellman Key Exchange
- Digital Signature Standard
- Public key and Certification Authorities (CA)
Introduction
Private key
- Also known as asymmetric cryptography
- Much slower to compute than secret key cryptography
[Figure: Plaintext -> Alice Signs]
Applications (Contd)
- The digital signature is verifiable by anybody
- Only one person can sign the message: non-repudiation
  - Non-repudiation is only achievable with public key cryptography
Applications (Contd)
2. Communicating securely over an insecure channel
- Alice encrypts plaintext using Bob's public key, and Bob decrypts ciphertext using his private key
- No one else can decrypt the message (because they don't have Bob's private key)
[Figure: Plaintext -> Alice Encrypts -> Ciphertext -> Bob Decrypts -> Plaintext]
Applications (Contd)
3. Secure storage on insecure medium
- Alice encrypts data using her public key
- Alice can decrypt later using her private key
4. User Authentication
- Bob proves his identity to Alice by using his private key to perform an operation (without divulging his private key)
- Alice verifies result using Bob's public key
Applications (Contd)
5. Key exchange for secret key crypto
Alice and Bob use public key crypto to negotiate a shared secret key between them
Public-Key Requirements
It must be computationally
- easy to generate a public / private key pair
- hard to determine the private key, given the public key
It must be computationally
- easy to encrypt using the public key
- easy to decrypt using the private key
- hard to recover the plaintext message from just the ciphertext and the public key
- Basis: factorization of large numbers is hard
- Variable key length (1024 bits or greater)
- Variable plaintext block size
  - plaintext block size must be smaller than key size
  - ciphertext block size is same as key size
RSA Operations
For plaintext message m and ciphertext c
Encryption: Decryption:
Signing:
Verification:
Example (Contd)
Suppose plaintext m = 80
- Encryption: $c = 80^{39} \bmod 253 =$ ____ ($c = m^e \bmod n$)
- Decryption: $m =$ ____$^{79} \bmod 253 = 80$ ($c^d \bmod n$)
- Signing (in this case, for entire message m): $s = 80^{79} \bmod 253 =$ ____ ($s = m^d \bmod n$)
- Verification: $m =$ ____$^{39} \bmod 253 = 80$ ($s^e \bmod n$)
Example (Contd)
Suppose plaintext m = 80
- Encryption: $c = 80^{39} \bmod 253 = 37$ ($c = m^e \bmod n$)
- Decryption: $m = 37^{79} \bmod 253 = 80$ ($c^d \bmod n$)
- Signing (in this case, for entire message m): $s = 80^{79} \bmod 253 = 224$ ($s = m^d \bmod n$)
- Verification: $m = 224^{39} \bmod 253 = 80$ ($s^e \bmod n$)
Another Example
- Choose p = 17, q = 11 (both primes)
- $n = p \cdot q = 187$
- $\phi(n) = (p-1)(q-1) = 160$
Example (Contd)
Suppose plaintext m = 88
- Encryption: $c = 88^{7} \bmod 187 = 11$ ($c = m^e \bmod n$)
- Decryption: $m = 11^{23} \bmod 187 = 88$
- Signing: $s = 88^{23} \bmod 187 = 11$
  - why the same???!
Is RSA Secure?
- <e,n> is public information
- If you could factor n into p*q, then
  - could compute $\phi(n) = (p-1)(q-1)$
  - could compute $d = e^{-1} \bmod \phi(n)$
  - would know the private key <d,n>!
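The chain of steps above, carried out on the slides' toy modulus n = 253 with e = 39. This is an added example, not part of the original slides; the function names are chosen here, and trial division only works because n is tiny.

```python
from math import gcd

def factor(n):
    """Trial division; returns (p, q). Only feasible because n is tiny."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("no nontrivial factor: n is prime")

def private_exponent(e, p, q):
    """d = e^-1 mod phi(n), with phi(n) = (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e has no inverse mod phi(n)")
    return pow(e, -1, phi)            # modular inverse, Python 3.8+

def recover_private_key(e, n):
    """Once n is factored, everything else needed is public."""
    p, q = factor(n)
    return private_exponent(e, p, q), n

def slide_example():
    e, n, m = 39, 253, 80             # values from the slides
    d, _ = recover_private_key(e, n)
    c, s = pow(m, e, n), pow(m, d, n)
    return {"d": d, "c": c, "decrypted": pow(c, d, n),
            "s": s, "verified": pow(s, e, n) == m}

if __name__ == "__main__":
    print(slide_example())
    print(recover_private_key(7, 187))   # second slide example: n = 187
```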
Security (Contd)
- At present, key sizes of 1024 bits are considered to be secure, but 2048 bits is better
- Tips for making n difficult to factor
  1. p and q lengths should be similar (ex.: ~500 bits each if key is 1024 bits)
  2. both (p-1) and (q-1) should contain a large prime factor
  3. gcd(p-1, q-1) should be small
  4. d should be larger than $n^{1/4}$
- Mathematical attacks
  1. factor n (possible for special cases of n)
  2. determine d directly from e, without computing $\phi(n)$
     - at least as difficult as factoring n
Attacks (Contd)
Probable-message attack (using <e,n>)
- encrypt all possible plaintext messages
- try to find a match between the ciphertext and one of the encrypted messages
- only works for small plaintext message sizes
Solution: pad plaintext message with random text before encryption
PKCS #1 v1 specifies this padding format:
00 02 R1 R2 R3 R4 R5 R6 R7 R8 00 data
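Why the random padding matters, as an added example that is not part of the original slides. Assumptions: a toy key built from the Mersenne primes 2^61-1 and 2^89-1 with e = 65537 (far too small for real use), and a constructed list of candidate messages.

```python
import secrets

P, Q = 2**61 - 1, 2**89 - 1            # assumed toy primes for this example
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (19 here)

def encrypt_raw(data: bytes) -> int:
    """Unpadded RSA: the same plaintext always gives the same ciphertext."""
    return pow(int.from_bytes(data, "big"), E, N)

def pad(data: bytes) -> bytes:
    """Builds 00 02 R1..Rk 00 data with at least 8 random nonzero bytes."""
    n_rand = K - 3 - len(data)
    if n_rand < 8:
        raise ValueError("data too long for this modulus")
    rand = bytes(secrets.randbelow(255) + 1 for _ in range(n_rand))
    return b"\x00\x02" + rand + b"\x00" + data

def encrypt_padded(data: bytes) -> int:
    return pow(int.from_bytes(pad(data), "big"), E, N)

def decrypt_padded(c: int) -> bytes:
    block = pow(c, D, N).to_bytes(K, "big")
    sep = block.index(b"\x00", 2)      # first zero byte after the random run
    if block[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("bad padding")
    return block[sep + 1:]

def guess(ciphertext: int, candidates):
    """Probable-message check: encrypt every candidate with the public key
    and look for a match. Returns the matching plaintext or None."""
    table = {encrypt_raw(m): m for m in candidates}
    return table.get(ciphertext)

CANDIDATES = [b"YES", b"NO", b"HOLD"]  # constructed small message space
```

Current practice for new designs is RSA-OAEP rather than this older padding format.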
squaring algorithm:
  m = 1;
  for i = k-1 downto 1
    m = m*m mod n;
    if d_i == 1 then m = m*c mod n;
  return m;
Timing Attacks (Contd)
- The attack proceeds bit by bit
- Attacker assumed to know c, m
- Attacker is able to determine bit i of d because for some c and m, the highlighted step is extremely slow if $d_i = 1$
- Attacker will not know what the bits of c are
- Performance penalty: < 10% slowdown in decryption speed
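The key-dependent multiply step and the countermeasure, as an added example that is not part of the original slides. It assumes the countermeasure the bullets above describe is the one usually called blinding (exponentiate c * r^e for a random r, then divide r back out); the function names are chosen here, and the loop covers every bit of d.

```python
import secrets
from math import gcd

def modexp_counting(c, d, n):
    """Left-to-right square-and-multiply. Also returns how many times the
    conditional multiply ran, which is one per 1-bit of the exponent d."""
    m, multiplies = 1, 0
    for bit in bin(d)[2:]:             # most significant bit first
        m = m * m % n                  # always executed
        if bit == "1":
            m = m * c % n              # executed only when the key bit is 1
            multiplies += 1
    return m, multiplies

def blinded_decrypt(c, d, e, n):
    """Decrypts c without ever exponentiating a value the sender chose."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:             # r must be invertible mod n
            break
    blinded = c * pow(r, e, n) % n     # (c * r^e)^d = m * r  (mod n)
    m_times_r, _ = modexp_counting(blinded, d, n)
    return m_times_r * pow(r, -1, n) % n

if __name__ == "__main__":
    # Slide key: n = 253, e = 39, d = 79 (binary 1001111, five 1-bits)
    print(modexp_counting(37, 79, 253))
    print(blinded_decrypt(37, 79, 39, 253))
```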
Diffie-Hellman Protocol
- For negotiating a shared secret key using only public communication
- Does not provide authentication of communicating parties
- What's involved?
  - p is a large prime number (about 512 bits)
  - g is a primitive root of p, and g < p
  - p and g are publicly known
Alice
- Reads g and p
- Picks random number $S_A$ (and keeps private)
- Computes public key $T_A = g^{S_A} \bmod p$
- Sends $T_A$ to Bob, reads $T_B$ from Bob
- Computes $T_B^{S_A} \bmod p$
Bob
- Reads g and p
- Picks random number $S_B$ (and keeps private)
- Computes public key $T_B = g^{S_B} \bmod p$
- Sends $T_B$ to Alice, reads $T_A$ from Alice
D-H Example
- Let p = 353, g = 3
- Let random numbers be $S_A = 97$, $S_B = 233$
- Alice computes $T_A$ = ___ mod __ = 40 = $g^{S_A} \bmod p$
- Bob computes $T_B$ = ___ mod ___ = 248 = $g^{S_B} \bmod p$
- They exchange $T_A$ and $T_B$
- Alice computes K = __ mod __ = 160 = $T_B^{S_A} \bmod p$
- Bob computes K = __ mod ___ = 160 = $T_A^{S_B} \bmod p$
D-H Example
- Let p = 353, g = 3
- Let random numbers be $S_A = 97$, $S_B = 233$
- Alice computes $T_A = 3^{97} \bmod 353 = 40 = g^{S_A} \bmod p$
- Bob computes $T_B = 3^{233} \bmod 353 = 248 = g^{S_B} \bmod p$
- They exchange $T_A$ and $T_B$
- Alice computes $K = 248^{97} \bmod 353 = 160 = T_B^{S_A} \bmod p$
- Bob computes $K = 40^{233} \bmod 353 = 160 = T_A^{S_B} \bmod p$
D-H Limitations
Expensive exponential operation is required
possible timing attacks??
Man-In-The-Middle Attack
Trudy impersonates Alice to Bob, and also impersonates Bob to Alice
[Figure: Alice, Trudy, Bob; $K_2 = (g^{S_B})^{S_A}$]
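Why the missing authentication matters, using the slides' toy parameters p = 353, g = 3. This is an added example, not part of the original slides; Trudy's secret 55 and the function names are constructed here, and the last function assumes the defender has a reliably published copy of the peer's public value to compare against.

```python
P, G = 353, 3                          # toy parameters from the slides

def public_value(secret):
    return pow(G, secret, P)

def shared_key(their_public, my_secret):
    return pow(their_public, my_secret, P)

def honest_exchange(sa, sb):
    """Both sides derive the same key from each other's public value."""
    ta, tb = public_value(sa), public_value(sb)
    return shared_key(tb, sa), shared_key(ta, sb)

def intercepted_exchange(sa, sb, st):
    """Trudy substitutes her own public value in both directions, so Alice
    and Bob each end up sharing a key with Trudy rather than each other."""
    ta, tb, tt = public_value(sa), public_value(sb), public_value(st)
    alice_key = shared_key(tt, sa)     # Alice believes tt is Bob's value
    bob_key = shared_key(tt, sb)       # Bob believes tt is Alice's value
    trudy_keys = (shared_key(ta, st), shared_key(tb, st))
    return alice_key, bob_key, trudy_keys

def key_if_authentic(my_secret, received, published):
    """Defence: derive a key only if the received public value matches the
    copy obtained from a source that cannot be substituted."""
    if received != published:
        raise ValueError("public value does not match the published value")
    return shared_key(received, my_secret)

if __name__ == "__main__":
    print(honest_exchange(97, 233))
    print(intercepted_exchange(97, 233, 55))
```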
Solution???
Essential requirement: reliability of the published values (no one can substitute false values)
how accomplished???
Encryption (Contd)
For Bob to decipher the encrypted message from Alice
1. Bob computes $K_{AB} = (g_B^{S_A})^{S_B} \bmod p_B$
2. Bob decrypts message using $K_{AB}$
Example
Bob publishes $<p_B, g_B, T_B> = <401, 5, 51>$ and keeps secret $S_B = 58$
Steps
1. Alice picks a random secret $S_A = 17$
2. Alice computes $g_B^{S_A} \bmod p_B$ = ___ mod ___ = 173
3. Alice uses $K_{AB} = T_B^{S_A} \bmod p_B$ = ___ mod ___ = 360 to encrypt message M
4. Alice sends encrypted message along with (unencrypted) $g_B^{S_A} \bmod p_B = 173$
5. Bob computes $K_{AB} = (g_B^{S_A})^{S_B} \bmod p_B$ = ___ mod ___ = 360
6. Bob decrypts message M using $K_{AB}$
Example
Bob publishes $<p_B, g_B, T_B> = <401, 5, 51>$ and keeps secret $S_B = 58$
Steps
1. Alice picks a random secret $S_A = 17$
2. Alice computes $g_B^{S_A} \bmod p_B = 5^{17} \bmod 401 = 173$
3. Alice uses $K_{AB} = T_B^{S_A} \bmod p_B = 51^{17} \bmod 401 = 360$ to encrypt message M
4. Alice sends encrypted message along with (unencrypted) $g_B^{S_A} \bmod p_B = 173$
5. Bob computes $K_{AB} = (g_B^{S_A})^{S_B} \bmod p_B = 173^{58} \bmod 401 = 360$
6. Bob decrypts message M using $K_{AB}$
Picking g and p
- Advisable to change g and p periodically
  - the longer they are used, the more info available to an attacker
- Advisable not to use same g and p for everybody
- For obscure mathematical reasons
  - (p-1)/2 should be prime
  - $g^{(p-1)/2}$ should be -1 mod p
- choose $g = h^{(p-1)/q} \bmod p$, where $1 < h < (p-1)$, such that $g > 1$
  - ex.: if h = 2, $g = 2^{6} \bmod 103 = 64$
  - note: g is of order q mod p
  - ex.: powers of 64 mod 103 = 64, 79, 9, 61, 93, 81, 34, 13, 8, 100, 14, 72, 76, 23, 30, 66, 1 (17 values)
DSA (Contd)
2. User Alice generates a long-term private key $x_M$
   - random integer with $0 < x_M < q$
   - ex.: $x_M = 13$
DSA (Contd)
4. Alice randomly picks a private key k such that 0 < k < q, and generates $k^{-1} \bmod q$
   - ex.: k = 12, $12^{-1} \bmod 17 = 10$
5. Signing message M
   - public key $r = (g^{k} \bmod p) \bmod q$
ex.: H(M) = 75
transmitted info = M, r, s
ex.: M, 4, 12
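The slides' toy DSA numbers (p = 103, q = 17, g = 64, private key 13, k = 12, H(M) = 75) run end to end, as an added example that is not part of the original slides. The formula for s and the verification steps do not survive on this page; the code uses the standard DSA equations, and the function names are chosen here.

```python
P, Q, G = 103, 17, 64      # toy domain parameters: q divides p-1, g has order q

def public_key(x):
    """Long-term public key y = g^x mod p for private key 0 < x < q."""
    if not 0 < x < Q:
        raise ValueError("private key out of range")
    return pow(G, x, P)

def sign(h, x, k):
    """Returns (r, s) for message hash h, private key x, per-message secret k."""
    if not 0 < k < Q:
        raise ValueError("k out of range")
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h + x * r) % Q      # standard DSA: s = k^-1 (H(M) + x r) mod q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick a different k")
    return r, s

def verify(h, r, s, y):
    """Standard DSA verification: recompute r from public values only."""
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = h * w % Q, r * w % Q
    v = pow(G, u1, P) * pow(y, u2, P) % P % Q
    return v == r

if __name__ == "__main__":
    y = public_key(13)
    r, s = sign(75, 13, 12)
    print(y, (r, s), verify(75, r, s, y))    # (r, s) is the slide's "M, 4, 12"
```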
Is it Secure?
- Given $y_M$, it is difficult to compute $x_M$
  - $x_M$ is the discrete log of $y_M$ to the base g, mod p
- Likewise, given r, it is difficult to compute k
- Cannot forge a signature without $x_M$
- Signatures are not repeated (only used once per message) and cannot be replayed
Assessment of DSA
- Slower to verify than RSA, but faster signing than RSA
- Key lengths of 2048 bits and greater are also allowed
CA
If a new node is inserted in the network, only that new node and the CA need to be configured with the public key for that node
Certificates
- A CA is involved in authenticating users' public keys by generating certificates
- A certificate is a signed message vouching that a particular name goes with a particular public key
- Example:
  1. [Alice's public key is 876234]carol
  2. [Carol's public key is 676554]Ted & [Alice's public key is 876234]carol
- Knowing the CA's public key, users can verify the certificate and authenticate Alice's public key
Certificates
- Certificates can hold expiration date and time
- Alice keeps the same certificate as long as she has the same public key and the certificate does not expire
- Alice can append the certificate to her messages so that others know for sure her public key
CA and PKI
PKI: Public Key Infrastructure
Informally, PKI is the infrastructure supporting the use of public key cryptography
- CA is one of the most important components of PKI
- More details discussed later (when introducing authentication protocols)