slides

advertisement
Public Key
Encryption
Dan Fleck
CS 469: Security Engineering
1
Coming up: Public Key Encryption
These slides are modified with permission from Bill Young (Univ of Texas)
Public Key Encryption
• In 1976, Whitfield Diffie and Martin Hellman proposed public
key encryption (asymmetric encryption) in which different
keys are used for encryption and decryption.
• In 1997, it was disclosed that asymmetric key algorithms had
been developed in the early 1970’s by the British
Government’s Communication Headquarters (GCHQ). They
referred to the technique as non-secret encryption.
2
Coming up: Public Key Encryption
Public Key Encryption
Use a publicly disclosed key to encrypt and a secret key to
decrypt.
The requisite relationship is:
P = {{P}K pub }K priv
We’ll denote the public key for principal A by Ka and the private
key will be denoted Ka−1
3
Coming up: Public Key Systems
Public Key Systems
Also, for some public key systems, RSA in particular, encryption
and decryption commute and either key can be used in either
function. That is:
{{P}K }K -1 = P = {{P}K -1 }K
This is crucial in some uses of RSA. But is not true for most public
key cryptosystems.
4
Coming up: Public Key Systems
Public Key Systems
The basis of any public key system is the identification of a oneway function: easily computed, but difficult to invert without
additional information.
Example: It is easy to multiply two large primes p1 and p2.
However, it is very difficult to factor p1p2 to recover p1 and p2.
But, given p1p2 and either of p1 or p2, it is straightforward to
recover the other, simply by dividing.
5
Coming up: Efficiency of Encryption
Efficiency of Encryption
Public key systems largely solve the key distribution problem.
Why?
A public key encryption may take 10,000 times as long to
perform as a symmetric encryption; the computation depends
on more complex operations, not on simple bit-wise operations.
Symmetric encryption remains the work horse of commercial
cryptography, with asymmetric encryption playing some
important special functions.
6
Coming up: Lessons
Lessons
• Devising an asymmetric encryption algorithm depends on
identifying a one-way function, easy to compute but hard to
invert.
• Public key systems largely solve the key distribution problem.
• Asymmetric algorithms are generally much less efficient than
symmetric algorithms.
7
Coming up: RSA Algorithm
RSA Algorithm
The Rivest-Shamir-Adelman (RSA) algorithm relies on the
difficulty of factoring large numbers.
Two keys, e and d, are used for encryption and decryption. The
algorithm is such that:
{{P}d }e = P = {{P}e }d
A plaintext block P is encrypted as (Pe mod n). d is chosen so
that:
e d
(P ) mod n = P
An interceptor would have to factor Pe to recover the plaintext.
The legitimate receiver knows d and merely computes,
(P e )d mod n = P
which is much easier.
Coming up: Other Public Key Algorithms
8
Other Public Key Algorithms
A public key system can be based on any one-way function. A
rich source is the set of NP-complete problems. These are
infeasible to solve, but a solution can be checked in polynomial
time.
Merkle and Hellman proposed a public key system based on the
knapsack problem: given a set of integers and a target sum, find
a subset of the integers that sum to the target.
The algorithm is theoretically very secure, but has practical
weaknesses.
9
Coming up: Elliptic Curve Cryptography
Elliptic Curve Cryptography
• Elliptical Curve Cryptography (ECC) is
a newer public key encryption system
(1985) using elliptic curves instead of
prime numbers
• Some say 164 bit key is equivalent to
other systems 1024 bit key (another
say 256 bit = 3076 RSA bits)
• 112-bit key ECC broken using 200
Playstation 3s running continuously
for 3.5 months.
• G=start point per curve
• k=random private key, public key=kG
Source:http://en.wikipedia.org/wiki/Elliptic_curve_cryptography#Cryptographic_schemes
Coming up: Authentication with Public Keys
10
Authentication with Public Keys
Assume Ka is A’s public key. Suppose B sends the following
message to A: {M}Ka . What assurances does A have?
1. No-one intercepting the message could read it. Why?
2. He can’t be sure it actually came from B. Why not?
Thus, encryption with the public key is a privacy transformation,
but not an authenticity transformation.
11
10
Coming up: Authentication with Public Keys
Authentication with Public Keys
Using RSA, B send {M}Kb-1 to A. If A can decrypt it using Kb, what
assurance is gained?
1. A is sure it originated with B. Why?
2. But someone intercepting the message might read it. Why?
Thus, encryption with private key is an authenticity transformation,
not a privacy transformation.
Note this only works in RSA, because:
{{P}d }e = P = {{P}e }d
In other public key systems, you typically need two pairs of keys: one
pair for privacy and the other pair for “signing” (authenticity).
Coming up: Lessons
12
11
Lessons
• RSA is the most widely used public key cryptosystem.
• RSA is symmetric in the use of keys; most public key schemes
are not.
• A public key encryption can be used for authenticity or for
privacy but not both at once.
13
12
Coming up: Cryptographic Hash Functions
Cryptographic Hash
Functions
Dan Fleck
CS 469: Security Engineering
14
13
Coming up: Hash Functions
These slides are modified with permission from Bill Young (Univ of Texas)
Hash Functions
• A hash function is a function that converts variable-sized text
into a small datum, usually a fixed size integer.
A cryptographic hash function has the additional qualities:
• it is difficult to construct a text that has a given hash,
• it is difficult to modify a given text without changing its hash,
• it is unlikely that two different messages will have the same
hash.
The hash value is sometimes called a message digest.
Cryptographic hash functions are used to protect integrity.
Coming up: Vocabulary
15
14
Vocabulary
A function f is preimage resistant if, given h, it is hard to find any
m such that h = f (m).
A function f is second preimage resistant if, given an input m1, it
is hard to find m2 ≠ m1 such that f (m1) = f (m2). This is
sometimes called weak collision resistance.
A function f is (strong) collision resistant if it is hard to find two
messages m1 and m2 such that f (m1) = f (m2).
16
15
Coming up: Birthday Attacks
Birthday Attacks
If a function f(x) yields any of H different outputs with equal
probability and H is sufficiently large, then we expect to obtain a
pair of different arguments x1 and x2 with f (x1) = f (x2) after
evaluating the function for about 1.25* H different arguments
on average.
What does this mean for a hash value of 128 bits? for 160 bits?
17
16
Coming up: Cryptographic Hash Functions
Cryptographic Hash Functions
Hash functions usually are used for integrity, not confidentiality.
• In a document retrieval system containing legal records, it may
be important to know that the copy retrieved is identical to
that stored.
• In a secure communications system, the correct transmission
of messages may override confidentiality concerns.
A cryptographic hash function “binds” the bytes of a file
together in a way that makes seal any alterations to the file
apparent. We say that we the file to make it tamper-proof
(actually tamper-resistant).
Coming up: Using a Hash Function
18
17
Using a Hash Function
The process is as follows:
• Given a sensitive file f , compute the hash function h(f ) and
store the result securely.
• Each time the file is used or accessed, recompute the hash.
• Compare it to the stored value.
If the two values match, it is likely that no changes have
occurred to the file.
19
18
Coming up: Common Hash Algorithms
Common Hash Algorithms
Two widely used cryptographic hash functions are:
MD5: (Message Digest 5) invented by Ron Rivest and RSA Labs;
SHA-1/SHA-2/SHS: (Secure Hash Algorithm or Standard) similar
to MD5.
MD5 hashes a message of any size to a 128-bit digest. SHA/SHS
produce a 160-bit digest.
20
19
Coming up: Lessons
Lessons
• A cryptographic hash function takes an arbitrary text and
produces a fixed size bit string that depends on each value of
the text.
• It should be difficult to find collisions—values that hash to the
same result.
• A hash can be used to show with high probability that a text
has not changed.
21
20
Coming up: Key Exchange
Key Exchange
Dan Fleck
CS 469: Security Engineering
22
21
Coming up: The Key Exchange Problem
These slides are modified with permission from Bill Young (Univ of Texas)
The Key Exchange Problem
Suppose you want to establish a secure communication channel
with someone you don’t know. We call this a situation of mutual
suspicion. This is extremely common.
• You submit your income tax on-line.
• You send your credit card information to a shopping website.
• You wish to exchange encrypted email with another party.
Once you agree on a shared secret (key) the communication can
proceed. But how do you exchange the key? This is the key
exchange problem.
Coming up: Key Exchange: Attempt 1
23
22
Key Exchange: Attempt 1
Suppose both parties S and R have a public / private RSA key pair
for asymmetric communication. Say S chooses a new symmetric
key K and sends to R the following message:
R can decrypt the message using S’s public key to retrieve K.
What is wrong with this scheme?
{K}K -1
s
Answer: Any eavesdropper can intercept the message and
decrypt it using S’s public key to retrieve K.
Coming up: Key Exchange: Attempt 2
24
23
Key Exchange: Attempt 2
Instead, suppose S sends to R the following message:
{K}K R
Since only R can decrypt this message, confidentiality is assured.
What’s wrong this time?
Now R doesn’t have any assurance that the message actually
came from S. An intruder may be “spoofing” (pretending to be
S) to obtain information that R intends only for S.
Can we preserve both confidentiality and authentication with
one transaction?
Coming up: Key Exchange (Cont.)
25
26
Key Exchange (Cont.)
A third attempt is for S to send R the following:
{{K}K -1 }KR
S
How does R extract K? What assurances does this provide?
1. Since, no one but R can decrypt the message, confidentiality
is assured.
2. No one but S could have performed the inner encryption, so
authentication is accomplished.
This notion of nested encryptions is very useful in a variety of
cryptographic protocols. Could you have done the encryptions in
the other order?
Coming up: Lessons
26
24
Lessons
• Public key cryptosystems can be used for key exchange, but
you have to do it carefully.
• Key exchange requires both confidentiality and authentication.
27
25
Coming up: Diffie-Hellman Key Exchange
Diffie-Hellman Key
Exchange
Dan Fleck
CS 469: Security Engineering
28
27
Coming up: Diffie-Hellman Key Exchange
These slides are modified with permission from Bill Young (Univ of Texas)
Diffie-Hellman Key Exchange
• The question of key exchange was one of the first problems
addressed by a cryptographic protocol. This was prior to the
invention of public key cryptography.
• The Diffie-Hellman key agreement protocol (1976) was the
first practical method for establishing a shared secret over an
unsecured communication channel.
• The point is to agree on a key that two parties can use for a
symmetric encryption, in such a way that an eavesdropper
cannot obtain the key.
29
28
Coming up: Diffie-Hellman Algorithm
Diffie-Hellman Algorithm
Steps in the algorithm:
1. Alice and Bob agree on a prime number p and a base g.
2. Alice chooses a secret number a, and sends Bob (ga mod p).
3. Bob chooses a secret number b, and sends Alice (gb mod p).
4. Alice computes ((gb mod p)a mod p).
5. Bob computes ((ga mod p)b mod p).
Both Alice and Bob can use this number as their key. Notice that
p and g need not be protected.
Coming up: Diffie-Hellman Example
30
29
Diffie-Hellman Example
1.
2.
3.
4.
5.
Alice and Bob agree on p = 23 and g = 5.
Alice chooses a = 6 and sends 56 mod 23 = 8.
Bob chooses b = 15 and sends 515 mod 23 = 19.
Alice computes 196 mod 23 = 2.
Bob computes 815 mod 23 = 2.
Then 2 is the shared secret
Clearly, much larger values of a, b, and p are required. An
eavesdropper cannot discover this value even if she knows p
and g and can obtain each of the messages.
Coming up: Diffie-Hellman Security
31
30
Diffie-Hellman Security
Suppose p is a prime of around 300 digits, and a and b at least
100 digits each.
Discovering the shared secret given g, p, ga mod p and gb mod p
would take longer than the lifetime of the universe, using the
best known algorithm. This is called the discrete logarithm
problem.
32
31
Coming up: Lessons
Lessons
• How can two parties agree on a secret value when all of their
messages might be overheard by an eavesdropper?
• The Diffie-Hellman algorithm accomplishes this, and is still
widely used.
• With sufficiently large inputs, Diffie-Hellman is very secure.
33
32
End of presentation
Download