Lecture 6: Key Exchange

The era of “electronic mail” [Potter1977] may soon be upon us; we must ensure that two important properties of the current “paper mail” system are preserved: (a) messages are private, and (b) messages can be signed.

R. Rivest, A. Shamir and L. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, January 1978. (The original RSA paper.)

CS551: Security and Privacy
University of Virginia Computer Science
David Evans
http://www.cs.virginia.edu/~evans

Menu
• PS1
• RC6 Proof Challenge (Vic Ludwig)
• Key Distribution (Greg Lamm)
• Diffie-Hellman Key Agreement
• Intro to Public-Key Cryptosystems
• Return PS1

30 Aug 2000 University of Virginia CS 551

PS1
• Problem 2
  – Process more interesting than answer
• Problem 4
  – Even a “provably perfect” scheme breaks in practice
  – Bonus question:
    • any 98 agents obtain no information
    • any 99 agents can determine message
    • key data O(100 * n)

RC6 Proof
Vic Ludwig

U.S. Army Key Distribution
Greg Lamm

U.S. Army Distribution
• Two Distribution Schemes
  – Physically
  – OTAR
• Three Types of Distributions
  – Initial (Staging Area)
  – Operating Procedures
  – Compromise (Equipment or Keys)
• A tactical network (voice/data) can have over 20 keys.
  – Key Types
    • Transmission Encryption Key (TEK) - 128 bit
    • Key Encryption Key (KEK) - 128 bit
• Key Distribution is Technology + People

Staging Area Key Distribution
[Diagram labels: DREAR 2BDE 1-62 ADA BSA 45 CSB DMAIN DTAC]
• Close Connectivity
• Static Environment
• Data/Voice Network
• Key Distributed – Physically
• Test OTAR

Tactical Network Key Distribution
[Diagram labels: DREAR 2BDE 1-62 ADA BSA 45 CSB DMAIN DTAC]
• Dispersed Connectivity
• Dynamic Environment
• Data/Voice Network
• Key Distributed – OTAR

FM Key Distribution
[Diagram labels: AVN TOC AVN FARP 1-14 TOC 2d BDE ALT NCS 1-14 SCOUTS DTAC 1-27 TOC NCS 2d BDE TOC 1-27 SCOUTS DREAR 45 CSG MAIN 45 CSG FWD]
• Dispersed Connectivity
• NCS issues key distribution by SOP

Key Distribution Problems
[Diagram labels: NCS TEK 1 damaged TEK 1 1 ALT NCS TEK 2 2 3 4 5 6]
• Multiple Key Distributors
• Issuing a second key at the staging area
• Good for compromise
• Bad if it is not the same (only testing TEK 1)
• Labeling Keys with name rather than code
• Key Training, Handling and Protection

Public-Key Cryptosystems

Public-Key Cryptosystems
• Distributing secret keys is hard and expensive
• Can two people communicate securely without having to meet first and establish a key?

Trust a Third Party
[Diagram: Keys “R” Us, Alice, Bob]
• Keys “R” Us knows KA, KB ...
• Generates random KAB
• Messages shown: E (“Alice” || KAB, KB); E (“Bob”, KA); E (KAB, KA); E (KAB, KB); E (M, KAB)

Merkle’s Puzzles
• Ralph Merkle [1974]
• Alice generates 2^20 messages: “This is puzzle x. The secret is y.” (x and y are random numbers)
• Encrypts each message using symmetric cipher with a different key.
• Sends all encrypted messages to Bob

Merkle’s Puzzles, cont.
• Bob chooses random message, performs brute-force attack to recover plaintext and key k
• Bob sends x (clear) to Alice
• Alice and Bob use k to encrypt messages

Is this secure?
• Alice: symmetric cipher DES, ~2^55 expected brute force work to break DES
• Eve: has to break the 2^20 to find which one matches x. ~2^19 * 2^55 expected work
• Alice and Bob change keys frequently enough since it is less work to agree to a new key

Birth of Public Key Cryptosystems
• 1969 – ARPANet born: 4 sites
  – Whitfield Diffie starts thinking about strangers sending messages securely
• 1974 – Whitfield Diffie gives talk at IBM lab
  – Audience member mentions that Martin Hellman (Stanford prof) had spoken about key distribution
• That night – Diffie starts driving 5000km to Palo Alto
• Diffie, Hellman and Ralph Merkle work on key distribution problem

We stand today on the brink of a revolution in cryptography.
Diffie and Hellman, “New Directions in Cryptography”, IEEE Transactions on Information Theory, November 1976.

Secret Paint Mixing
Analogy due to Simon Singh, The Code Book.
[Diagram: Alice, Bob, Eve]
• Yellow paint (public)
• Alice’s Secret Color, Bob’s Secret Color
• CA = Yellow + Purple
• CB = Yellow + Red
• K = Yellow + Red + Purple
• K = Yellow + Purple + Red

Diffie-Hellman Key Agreement
1. Choose public numbers: q (large prime number), (generator mod q)
2. A generates random XA and sends B: YA = XA mod q.
3. B generates random XB and sends A: YB = XB mod q.
4. A calculates secret key: K = (YB)^XA mod q.
5. B calculates secret key: K = (YA)^XB mod q.

What’s a generator?
• is a generator mod q if for all 0 n < q, there is some 1 m < q such that m = n mod q
• Is m unique?
  – Yes: Proof by counting.
• Discrete logarithm: given , n, and q find 0 m < q such that m = n mod q.

Example
• What is a generator for q = 11?
  2^1 mod 11 = 2
  2^2 mod 11 = 4
  2^3 mod 11 = 8
  2^4 mod 11 = 16 mod 11 = 5
  2^5 mod 11 = 32 mod 11 = 10
  2^6 mod 11 = 64 mod 11 = 9
  2^7 mod 11 = 128 mod 11 = 7
  2^8 mod 11 = 256 mod 11 = 3
  2^9 mod 11 = 512 mod 11 = 6
  2^10 mod 11 = 1024 mod 11 = 1
If q is prime, there must be a generator.

Diffie-Hellman Example
1. Choose public numbers: q (large prime number), (generator mod q):
   q = 11, = 2
2. A generates random XA and sends B: YA = XA mod q.
   XA = 4, YA = 2^4 mod 11 = 16 mod 11 = 5
3. B generates random XB and sends A: YB = XB mod q.
   XB = 6, YB = 2^6 mod 11 = 64 mod 11 = 9
Example from Tom Dunigan’s notes: http://www.cs.utk.edu/~dunigan/cs594-cns00/class14.html

Diffie-Hellman Example, cont.
q = 11, = 2
XA = 4, YA = 5
XB = 6, YB = 9
4. A calculates secret key: K = (YB)^XA mod q.
   K = 9^4 mod 11 = 6561 mod 11 = 5.
5. B calculates secret key: K = (YA)^XB mod q.
   K = 5^6 mod 11 = 15625 mod 11 = 5.

Is it magic?
Things to Prove:
1. They generate the same keys: K = (YB)^XA mod q = (YA)^XB mod q
2. An eavesdropper cannot find K from any transmitted value: q, , YA, YB

1. Keys Agree
• Prove K = (YB)^XA mod q = (YA)^XB mod q.
  (YB)XA mod q = (XB mod q)XA mod q = (XB)XA mod q = XBXA mod q
  (YA)XB mod q = (XA mod q)XB mod q = (XA)XB mod q = XAXB mod q
  QED.
Stallings: “by the rules of modular arithmetic”

Modular Exponentiation
(a mod q)^b mod q = a^b mod q
(7 mod 6)^2 mod 6 = 7^2 mod 6
1^2 mod 6 = 49 mod 6
Proof by example?

Modular Exponentiation
• First prove: (a * b) mod q = (a mod q) * (b mod q) mod q
• Then, by induction, (a mod q)^b mod q = a^b mod q since a^b = a * a^(b-1) and a^1 = a.
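The five key agreement steps and the q = 11 example above, as an added Python example that is not part of the original lecture. The name `g` for the generator is an assumption (its symbol is missing from this text), as are all function names; `discrete_log` shows why the lecture asks for a large prime q.

```python
import secrets

def is_generator(g, q):
    """True if g^1 .. g^(q-1) mod q covers every value 1 .. q-1."""
    return {pow(g, m, q) for m in range(1, q)} == set(range(1, q))

def public_value(g, x, q):
    """Steps 2 and 3: the value Y sent in the clear for private value X."""
    return pow(g, x, q)

def shared_key(y_peer, x_own, q):
    """Steps 4 and 5: K = (Y_peer)^X_own mod q."""
    return pow(y_peer, x_own, q)

def discrete_log(g, y, q):
    """Exhaustive search for m with g^m mod q == y; feasible only for toy q."""
    for m in range(1, q):
        if pow(g, m, q) == y:
            return m
    raise ValueError("y is not a power of g mod q")

def exchange(g, q, xa=None, xb=None):
    """One key agreement; private values are random unless the caller fixes them."""
    xa = xa if xa is not None else 1 + secrets.randbelow(q - 2)
    xb = xb if xb is not None else 1 + secrets.randbelow(q - 2)
    ya, yb = public_value(g, xa, q), public_value(g, xb, q)
    return ya, yb, shared_key(yb, xa, q), shared_key(ya, xb, q)

if __name__ == "__main__":
    q, g = 11, 2  # the lecture's example values
    print("generators mod 11:", [a for a in range(2, q) if is_generator(a, q)])
    ya, yb, k_a, k_b = exchange(g, q, xa=4, xb=6)
    print("YA, YB, K at A, K at B:", ya, yb, k_a, k_b)
    # With q this small, the transmitted YA gives away XA, and with it K.
    xa_found = discrete_log(g, ya, q)
    print("XA recovered from YA:", xa_found, "so K =", shared_key(yb, xa_found, q))
```
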
Modular Arithmetic
(a * b) mod n = x
  x + (n * d0) = a * b
  x = a * b – (n * d0)
a mod n = y
  y = a – (n * d1)
b mod n = z
  z = b – (n * d2)
(a mod n) * (b mod n) mod n
  = (a – (n * d1)) * (b – (n * d2)) mod n
  = (a * b – a * (n * d2) – b * (n * d1) + (n * d1) * (n * d2)) mod n
  = a * b mod n (all terms with n * are 0 mod n)

2. Secure from Eavesdropper
• An eavesdropper cannot find K from any transmitted value: q, , YA, YB
• K = (YB)^XA mod q = (YA)^XB mod q
• To find K without XA or XB we need to find x and y such that (YB)^x mod q = (YA)^y mod q
Finding discrete logarithms is (probably) hard! (More on this later...)

Diffie-Hellman Use
• SSL
• Cisco encrypting routers
• Sun secure RPC
• etc...

Public-Key Cryptography
• Same paper introduced concept of Public-Key Cryptography
• Private algorithm: E
• Public algorithm: D
• Identity: E (D (m)) = D (E (m)) = m
• Secure: cannot determine E from D
• But didn’t know how to find suitable E and D

Who really invented public-key cryptography?
• General Communications Headquarters, Cheltenham (formed from Bletchley Park after WWII)
• 1969 – James Ellis asked to work on key distribution problem
• Secure telephone conversations by adding “noise” to line
• Late 1969 – idea for PK, but function

RSA & Diffie-Hellman
• Asks Clifford Cocks, Cambridge mathematics graduate, for help
• He discovers RSA (four years early)
• Then (with Malcolm Williamson) discovered Diffie-Hellman
• Kept secret until 1997!
• NSA claims they had it even earlier

Charge
• Next time:
  – Rivest, Shamir, Adleman: First solution to finding suitable E and D
    • Identity: E (D (m)) = D (E (m)) = m
    • Secure: cannot determine E from D
• Read the paper!
  – Go somewhere appropriate
  – Identify 2 questionable statements in the paper
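Merkle's Puzzles and the "Is this secure?" work comparison from earlier in the lecture, as an added Python simulation that is not part of the original slides. It assumes a toy XOR cipher keyed through SHAKE-256 in place of DES, 10-bit keys and 32 puzzles in place of 2^20, and hypothetical function names, so that both Bob's and Eve's searches finish instantly.

```python
import hashlib
import re
import secrets

KEY_BITS = 10  # toy key space; the lecture's DES keys need ~2^55 work
PATTERN = re.compile(rb"This is puzzle (\d+)\. The secret is (\d+)\.")

def xor_cipher(key, data):
    """Toy stand-in for DES: XOR data with a SHAKE-256 keystream from key."""
    stream = hashlib.shake_256(key.to_bytes(4, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def alice_make_puzzles(n):
    """Return (ciphertexts sent to Bob, Alice's private table x -> k)."""
    puzzles, table = [], {}
    while len(puzzles) < n:
        x, y = secrets.randbits(32), secrets.randbits(32)
        k = secrets.randbits(KEY_BITS)
        if x in table:
            continue  # puzzle numbers must be unique
        table[x] = k
        text = b"This is puzzle %d. The secret is %d." % (x, y)
        puzzles.append(xor_cipher(k, text))
    return puzzles, table

def solve(puzzle):
    """Brute-force one puzzle; return (x, k, trial decryptions used)."""
    for k in range(2 ** KEY_BITS):
        m = PATTERN.fullmatch(xor_cipher(k, puzzle))
        if m:
            return int(m.group(1)), k, k + 1
    raise ValueError("no key in the toy key space decrypts this puzzle")

def eve_recover(puzzles, x_seen):
    """Eve sees all puzzles and x, so she solves puzzles until one matches x."""
    work = 0
    for p in puzzles:
        x, k, trials = solve(p)
        work += trials
        if x == x_seen:
            return k, work
    raise ValueError("x does not match any puzzle")

def run(n=32):
    puzzles, table = alice_make_puzzles(n)
    x, k_bob, bob_work = solve(secrets.choice(puzzles))  # Bob picks one puzzle
    k_alice = table[x]                                   # Alice looks up x
    k_eve, eve_work = eve_recover(puzzles, x)
    return k_alice, k_bob, k_eve, bob_work, eve_work
```

Eve's advantage over Bob is only a factor of about half the number of puzzles, which is why the lecture has Alice and Bob agree on new keys frequently.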