Public Key Cryptography

advertisement
S. Erfani, ECE Dept., University of Windsor
0688-590-18 Network Security
Public Key Cryptography
5.1 Introduction
Public-key encryption finds use in message authentication and key
distribution. In this chapter, we look at motivation for public-key encryption
and then examine the most important public-key algorithms, namely, RSA
and Diffie–Hellman. We introduce applications such as digital signatures.
Note that if three users, Alice, Bob, and Casey want to exchange
information securely, three keys required; call these keys kAB, kAC, kBC. If
we add a fourth user, Dana, and establish channels with the other three
users, another key is required, one to connect Dana to each of the existing
three users. Each time we add a new user to a system of n users , n
additional keys are needed.
In general, an n-user system requires n x (n-1) / 2 keys. Therefore:
a) As the number of users grows, the number of keys increases
very rapidly.
b) Determining and distributing these keys is a problem.
c) Maintaining security for the keys already distributed and
inventory them is a serious problem.
Definition 1: Asymmetric Encryption System
In this cryptosystem each user has two keys; a public key and a
private key. The user publish the public key freely. The keys operate as
inverse. Let kub be user’s public key, and let KRb be the corresponding
private key. Then,
P = dkRb (ekUb (P))
That is, a user can decrypt with a private key what someone else has
encrypted with the corresponding public key. Futhermore,
P = dkUb (ekRb (P))
The public-key cryptosystem is shown in Figure1 (below). There is a
source Alice, which produces a message in plaintext, X = [X1, X2, ---, Xn].
Cryptanalyst
Oct. 7, 2003
^X
1
S. Erfani, ECE Dept., University of Windsor
0688-590-18 Network Security
Source A
Message Source
X
Destination B
Encryption
Algorithm
Y
Destination
Decryption^KRb X
Algorithm
KRb
KUb
Key Pair Source
Figure1: Public Key Cryptosystem
The M elements of X are letters of alphabet. The message is intended for
destination Bob. Bob generates a related pair of keys: a public key and a
private key, KRb. KRb is known only to Bob, whereas KUb is publicly
available and therefore accessible by Alice. With the message X and the
encryption key KUb as input, Alice forms the ciphertext Y = [ Y1, Y2, -----,
YM]
Y=
eKUb (X)
The intended receiver, i.e., Bob, in procession of the matching private key,
is able to invert the transformation:
X = dKRb ( Y )
An opponent, Oscar, observing Y and having access to KU b but not
having access to KRb or X, tries to recover X and/or KRb. It is also
assumed that Oscar does have knowledge of the encryption and
decryption algorithms. Thus, Oscar attempts to recover X and KR b by
generating estimates X and KRb.
5.2
Authentication Using Public-Key CryptoSystem
We mentioned earlier that either of the two related keys can be used for
encryption, with the other being used for decryption. This enables an
Oct. 7, 2003
2
S. Erfani, ECE Dept., University of Windsor
0688-590-18 Network Security
effective authentication scheme to be implemented as shown in Fig 2 ( on
the next page ).
In this case Alice prepares a message to Bob and encrypt it using Alice’s
private key before transmitting it :
Y=
eKRa (X)
Cryptanalyst
^KRa
Source A
Message Source
Destination B
Encryption
Algorithm
X
Y
Decryption
Algorithm
Destination
X
KUa
KRa
Key Pair Source
Figure2: Authentication using Public-Key Cryptosystem
Bob can decrypt the message using Alice’s public key. Because the
message was encrypted using Alice’s private key, only Alice could have
prepared the message. Therefore, the entire encrypted message serves
as a digital signature. In addition, it is impossible to alter the message
without access to Alice’s private key, so the message is authenticated
both in terms of source and in terms of data integrity.
Oct. 7, 2003
3
S. Erfani, ECE Dept., University of Windsor
0688-590-18 Network Security
Note 1: A more efficient way of achieving the same results is to encrypt a
small block of hits that is a function of the plaintext. Such a block, called
an authentication, must have the property that it is infeasible to change the
plaintext document without changing the authentication. If the
authentication is encrypted with the render’s private key, it serves as a
signature that verifies origin, content and sequencing.
Definition2 – Digital Signature
The render signs a message with its private key. Signing is achieved by a
cryptographic algorithm applied to the message or to a small block of data
that is a function of the message.
Note 2: As noticed, the authentication process just described does not
provide confidentiality. That is, the message being sent is safe from
alteration but not from eavesdropping. It is, however, possible to provide
both the authentication and confidentiality by a double use of the publickey scheme, as described below.
5.3
Secrecy and Authentication Using Public Key Cryptosystem
As shown in figure 3, in this case, we begin as before by encrypting a
message, using the sender’s private key, KRa:
Source A
X
Message
source
Destination B
Y
Encryption
Algorithm
Z
Encryption
Algorithm
Y
Decryption
Algorithm
X
Decryption
Algorithm
Message
Destination
KRb
KUb
KRa
Key Pair
Source
Key Pair
Source
KUa
Figure 3. Secrecy and Authentication
Oct. 7, 2003
4
S. Erfani, ECE Dept., University of Windsor
Y=
0688-590-18 Network Security
eKRa (X)
This provides the digital signature. Next, we encrypt again, using the
receiver’s public key, KUb:
Z = eKUb (Y) = eKUb (eKRa (X))
The final ciphertext, Z, can be decrypted only by the intended receiver,
who has alone the matching private key KRb and public key of the
receiver, KUa:
X = dKUa (Y) = dKUa (dKRb (Z))
Thus, confidentiality is provided. The disadvantage of this approach is that
the public-key algorithm, which is complex, must be exercised four times
than two in each communication.
5.4
Requirements for Public-Key cryptosystem
The cryptosystem shown in figs. 1-3 depends on a cryptographic algorithm
based on two related key, Driffine and Hellman postulated system without
demonstrating that such algorithms exist. However, they did lay out the
conditions that such algorithms must fulfill in their paper published in 1976
as:
(1) It should be computationally easy for a party, Bob, to generate a pair
(Public Key KUb, Private Key KRb).
(2) It should be computationally easy for a sender Alice, knowing the
public key and the message to be encrypted, M, to generate the
corresponding ciphertext:
C=
e
KUb (M)
(3) It is computationally easy for the receiver Bob to decrypt the resulting
ciphertext using the private key to recover the original message:
M=
dKRb (c) = dKRb (eKUb(M))
(4) it should be computationally infeasible for an opponent, Oscar,
knowing the public key, KUb, to determine the private key, KRb.
Oct. 7, 2003
5
S. Erfani, ECE Dept., University of Windsor
0688-590-18 Network Security
(5) It should be computationally infeasible for an opponent, Oscar,
knowing the public key, KUb and a ciphertext, C, to recover the original
message, M.
We added a 6th requirement that, although useful, is not necessary for all
public-key applications:
(6) The encryption and decryption function can be applied in either order:
M=
eKUb(dKRb (M))
Note 1: The requirements boils down to the need for a trap-door one-way
function. A one-way function (not to be confused with one-way hash
function!) is one that maps a domain into a range such that every function
value has a unique inverse, such that the calculation of the function is
infeasible:
Y = f (x)
easy
X = f-1(Y)
infeasible
Note 2: Generally, easy is defined to mean a problem that can be solved
in polynomial time as a function of input length. Such algorithms belong to
the class P.
Note 3: In general, we can say a problem is infeasible if the effort to solve
it grows faster than polynomial time as s function of input size.
Note 4: A trap-door one-way function is a family of invertible function f k(.),
such that:
Y = fk(X)
easy, if k and X are known.
X = fk-1(X)
easy, if k and Y are known.
X = fk-1(X)
infeasible, if Y is known but k is not known.
Note 5: The development of a practical public-key scheme depends on
discovery of a suitable trap-door one-way function.
Oct. 7, 2003
6
Download