Public Key Cryptography

advertisement
Lecture 9 – Asymmetric Cryptography
Page 1
Computer and Network Security
Dahlia Malkhi, Shlomo Kipnis
The Hebrew University of Jerusalem
Lecture 9 - Asymmetric Cryptography
The Public Key Model
Asymmetric Cryptography (also called Public-Key Cryptography) was a real
breakthrough in cryptography. The major change between asymmetric cryptography and
the ‘traditional’ symmetric cryptography is that, in asymmetric cryptography, the key
for the encryption is not the same as the key for the decryption. Each user has 2 keys: a
Public Key, which is known to all, and a Private Key, which is kept secret (private).
Denote Bob’s public key by pub(B), and denote Bob’s private key by prv(B).
The first use of publickey cryptography is for encrypting messages to Bob. Any one
who wishes to send an encrypted message to Bob will use Bob’s public key. To decrypt
the message, Bob’s private key is needed, and only Bob knows it.
pub(B)
Alice
Message
Encryption
prv(B)
Cipher
Decryption
Bob
Message
The second use of public key cryptography is for message signing by Bob. Bob’s
private key is used by Bob to generate a signature. Any one is able to verify Bob’s
signature using Bob’s public key. Denote the signature of the message M by (M).
Alice
Message,
Yes/No
pub(B)
Verification
prv(B)
Message,
(M)
Authentication
Bob
Message
The encryption (or verification) algorithm and the decryption (or authentication)
algorithms may or may not be the same.
A major requirement is that a transformation from the public key to the private key is
difficult (although the keys need to have some kind of a mathematical relationship
between them). Realization requires existence of a trap-door function f , where f(x) is
easy to compute for anyone who knows the public key, but f -1(x) is infeasible to
compute, but easy to compute when the private key is known (the “trapdoor”).
The attacks on public-key cryptosystems are the following:

Brute-force key search attack.

Compute the private key from the public key (believed, but not proved, to be not
feasible in all existing systems).

Chosen plain-text / cipher-text attacks to reveal the private key.
Computer and Network Security
Dahlia Malkhi, Shlomo Kipnis
The Hebrew University of Jerusalem
Lecture 9 – Asymmetric Cryptography
Page 2
History of Public Key Cryptography
1976 – Diffie & Hellman published an article ‘Public Key Cryptography’ that presented
the model. They got a patent but never used it to license the technology. They
also came up with a protocol for a Key Exchange protocol based on their
method.
Merkle invented a public key encryption method based the knapsack problem.
The method was broken since.
1977 – Rivest, Shamir, and Adleman invented the RSA scheme which provides
Encryption, Signature, and Key Exchange. RSA became the most popular
method for public key cryptography.
Since – Many other methods implemented the public key model. For example:
El Gamal – Encryption, Signature, and Key Exchange (developed by El Gamal).
DSS – Digital Signature Standard (developed by NIST).
DH – Key exchange (developed by Diffie and Hellman).
Knapsack Method
This public key method was developed by Merkle, and was broken by Adi Shamir using
chosen plaintext attack.
The method is based on the knapsack problem: a combinatorial question of determining
which objects can fit into a container (such as a knapsack), where the knapsack’s weight
capacity is given and each object has a particular weight. The problem is to find a subset
of the objects that can fit into the knapsack.
The mathematical description of the knapsack problem is as follows:
a = (a1, a2,…,an )
x = (x1, x2,…,xn )
S =  ai xi
weight vector - ai is the weight of object i, and ai is an integer.
selection vector - xi is 1 if object i is in the knapsack, 0 otherwise.
the total weight of the knapsack.
This problem is considered NP-Hard – there are 2n possible subsets to check.
The general approach for encryption and decryption using the knapsack problem:
k = (a1, a2,…,an )
x = (x1, x2,…,xn )
C =  ai xi
the key, ai is an integer.
the plaintext message in bits (message length is n bits).
the corresponding ciphertext.
Note that for a cipher C, there may be more than one decryption (not a single vector x).
This depends on the key k. For example, if k = (1,2,3,5) and C = 5, then both the vector
x = 0110 and the vector x = 0001 are potential decryption values of C.
A superincreasing (SI) vector is a vector a = (a1, a2,…,an ) where (a1+a2+…+ai-1) < ai
(every element is larger than the sum of all the elements before it).
It is easy to see that if k is a SI vector, then there will be only one decryption. The
decryption algorithm, given C and k, will then be the following:
Start with the vector x=(0…0). Repeat this until C is zero: Find the biggest ai such that
ai < C. Subtract ai from C and put ‘1’ at xi.
We would like to use the above knowledge to construct two keys. The private key will
include a SI vector. Using the private key, it will be easy to decrypt a cipher C. The
public key will be a non-SI vector. Using the public key, it will be easy to encrypt the
message M, but it is difficult to decrypt the cipher C of the message M.
The “hard knapsack” scheme is as follows:
Lecture 9 – Asymmetric Cryptography
Page 3
Computer and Network Security
Dahlia Malkhi, Shlomo Kipnis
The Hebrew University of Jerusalem

Choose at random a superincreasing vector kprv of length n.

Choose an integer m, larger than the sum of the elements of kprv.

Choose an integer w, relatively prime to m. Relatively prime means that the Greatest
Common Divisor of the numbers w and m is 1, that is gcd(w, m) = 1.

Calculate a new vector, kpub = w * kprv (mod m). Note that, most probably, this
vector will not be a superincreasing vector.

Calculate w-1 modulo m. Since w and m are relatively prime, there exists a unique
multiplicative inverse w-1, modulo m, such that w-1 * kpub = kprv (mod m).
We will calculate w-1 using Euclid’s Algorithm: if gcd(a,b)=Ω, there exists U and V
such that Ua + Vb = Ω. In our example, since gcd(w, m) = 1, then U*m +V*w = 1.
If we take modulo m, then we get V*w = 1 (mod m). V is the desired w-1.

Send kpub as the public key, and store (kprv , w-1, m) as the private key.
Anyone who wants to send a message x will use the public key to calculate C = kpub  x.
Since finding x (when C is given) is difficult, this becomes a secure transmission.
However, decrypting C is possible using the following equations:
C
=>
=
w-1*C
kpub  x = w kprv x (mod m)
(mod m) =
w-1*w
(since kpub = w kprv)
kprv x (mod m) = kprv  x (mod m)
Calculating the value of S = w-1*C (mod m), leaves the equation:
S = kprv  x (mod m). Now, since the vector kprv is superincreasing, finding x from S is
easy (as was outlined above).
Diffie-Hellman Key-Exchange Protocol
The following protocol by Diffie and Hellman was proposed in 1976 to establish a
shared secret key between two parties, Alice and Bob, who have never seen each other.
A large prime p and a generator g of Z*p are known to all. Each party picks at random a
number in Z*p, as his private key, and computes g to the power of his random number
(mod p) as his public key. Suppose Alice picked a random private key x and Bob picked
a random private key y. The way Alice and Bob generate a shared symmetric secret key
is described in the following diagram:
Alice
Bob
x
g
gy
 
Now Alice (who has x) calculates g y
(who has y)
 
calculates g x
number gxy.
y
x
 g xy , and Bob
 g xy . They have a common secret – the
An eavesdropper E cannot resolve this number from seeing gx and gy. The numbers x
and y are hidden well, being the exponent of the generator g.
A possible attack on the Diffie-Hellman Key-Exchange protocol is the Man-in-theMiddle attack. In this attack, Eve simulates Alice’s actions against Bob and simulates
Bob’s actions against Alice. Both Alice and Bob think that they have a session key with
each other, but they actually speak with Eve. In order to do that, Eve makes up two
private keys: a and b (not necessarily different), and their corresponding public keys.
Computer and Network Security
Dahlia Malkhi, Shlomo Kipnis
The Hebrew University of Jerusalem
Lecture 9 – Asymmetric Cryptography
Page 4
This attack is illustrated in a diagram below.
Bob
Eve
Alice
x
g
ga
Here Eve shares gax with Alice, and Eve shares gby with Bob.
Both Alice and Bob belive the key they are holding is shared
with the other, not with Eve.
Eve is now able to impersonate Alice to Bob and Bob to
Alice, and they both will not have a clue.
gb
gy
There is no way to prevent spoofing. Only if we assume that
Eve is not active, then the Diffie-Hellman protocol is good as is. Otherwise, one needs
to add authentication between A and B. An Authenticated Diffie-Hellman protocol is
used in many systems.
El-Gamal Protocols
Taher El-Gamal developed the algorithms below in the early 1980’s while at Stanford.
El-Gamal algorithms use similar principles to those used in the Diffie-Hellman
protocols. El-Gamal schemes are simple, efficient, and not patented. This is why the
DSS – the US government standard for signatures – is based on El-Gamal.
El-Gamal Encryption
A large prime p and a generator g of Z*p are known to all. Bob picks a  Z*p at random
as his constant private key, and computes b=ga (mod p) as his constant public key.
When Alice wants to encrypt a message M for Bob, she picks k  Zp-1at random. Then,
she computes c1 = gk (mod p), and c2 = M*bk (mod p). She sends (c1,c2) to Bob.
Bob computes:
c2 M  b k
g ak


M

M
c1a
g ka
g ka
The key k is temporary, a different key is chosen for each message. This way, even
when the same message is sent again, te encryption will be different.
El-Gamal Signatures
A large prime p and a generator g of Z*p are known to all. Bob picks a  Z*p at random
as his constant private key, and computes b=ga (mod p) as his constant public key.
When Bob wishes to sign message M, he picks k  Zp-1 such that gcd(k, p-1) = 1. Then,
he computes r = gk (mod p), and s = (M-r*a)/k (mod p-1). He sends (r,s) to Alice.
Alice accepts the message as coming from Bob, if: g m  b r  r s .
This checking verifies the message M, because:
b r  r s  g ar  g ks  g arks (mod p)
M  ar
(mod p  1)
k
Only one who knows the private key can generate r and s that pass the verification.
Then, g M  g ar  ks (mod p)  M  ar  ks(mod p  1)  s 
Computer and Network Security
Dahlia Malkhi, Shlomo Kipnis
The Hebrew University of Jerusalem
Lecture 9 – Asymmetric Cryptography
Page 5
The RSA Algorithm
The pioneering paper by Diffie & Hellman introduced a new approach to cryptography
and challenged cryptographers to come up with a cryptographic algorithm that met the
requirements for public-key systems. One of the first and most popular responses to the
challenge was developed in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at MIT.
The algorithm is called RSA by the first letters of the names of its creators. It was first
published in 1978.
The RSA scheme is based on the difficult problem of factoring a number n that is the
product of two unknown large primes p and q. The difficulty of this problem is not
proved, but it is believed to be so. Note that if we know that one of the two factors is
small then the problem is no longer difficult.
The RSA Algorithm
Suppose you want to generate asymmetric keys, to be used for encrypting messages
destined at you or for signing your own messages.

Choose two large primes p and q (probably around 512 or 1024 bits each). Multiply
them and call the result n. The factors p and q will remain secret. The product n = pq
is made public.

Compute (n). Since you know p and q, you can compute (n) = (p-1)(q-1).

Choose a small odd number e that is relatively prime to (n).


Find the number d such that d = e-1 (mod (n)). Such d always exists because
gcd(e, (n)) = 1. Thus, there exist u and v that: ue + v(n) = gcd(e, (n)) = 1. The
needed ‘d’ is the ‘u’ that was just found.
Publish <e, n> as your public key, and save <d, n> as your private key.
Encrypting a message M (must be smaller than n), can be done by anyone who holds
the public key. The ciphertext is C = Me (mod n). Only you, holding the private key,
can decrypt C, by computing M = Cd (mod n).
Signing a message M (must be smaller than n), can be done only by you. Compute the
signature S = Md (mod n). Anyone that knows the corresponding public key can verify
the signature by checking whether M = Se (mod n).
Correctness
Let us prove that D(E(M)) = Med = M (mod n).
Notice that:
(1) M(n) (mod p) = M(p-1)(q-1) (mod p).
(2) M(p-1) = 1 (mod p) (by Fermat’s Little theorem, and because p is prime)
(3) ed = 1 (mod (n)).
From (1) and (2)  M(n) (mod p) = 1  Mk(n) = 1 (mod p) for all integer k.
 Mk(n)+1 = M (mod p)
From (3)  Med = M (mod p).
Similarly, for the second prime q, we have Med = M (mod q).
Now, using the Chinese Remainders Theorem, we have: Med = M (mod pq).
Lecture 9 – Asymmetric Cryptography
Page 6
Computer and Network Security
Dahlia Malkhi, Shlomo Kipnis
The Hebrew University of Jerusalem
Properties of RSA
It is computationally easy to generate public-private key pairs, to encrypt messages
using public keys and to decrypt cipher-text using private keys. RSA keys must be
sufficiently large to prevent brute-force attacks, and hence, RSA encryption is relatively
slow.
It is believed to be computationally infeasible to decrypt a cipher-text without the
private key, or to find the private key.
The encryption and decryption functions can be applied in any order, that is because
D(E(M)) = Med = Mde = E(D(M)).
Attacks on RSA
Both the authors of the RSA algorithm and the RSA corp. published challenges to
break. The history of the factorization of n to p and q is described in the following table:
Decimal digits
100
110
120
129
130
140
155
Bits
332
365
398
428
431
465
512
Year
1991
1992
1993
1994
1996
1999
?
MIPS years
7
75
830
5000
500
1000
?
Algorithm
Quadratic sieve
Number field sieve
?
It is reasonable to assume that breaking a 512-bit (155 digit) key is within reach.
Timing attacks (Kocher 1996):
This effective attack came from completely unexpected direction – a cipher-text attack
that determines the RSA private-key from the time it takes to decipher a message.
The essential idea is the following. Suppose M d exponentiation is done bit-by-bit from
high to low (other algorithms for modular exponentiation work similarly). Each bit bi in
the secret key determines whether a multiplication d*M is done at the i’th step. Find
values M for which this multiplication dominates the computation time, to determine the
value of bit bi.
It is possible to prevent timing attacks by computing the exponent in constant time or
introducing random delays. Both of these techniques affect the performance.
Another way to prevent timing attacks is called Blinding - instead of computing Md, use
a random value r and compute (M (re))d = Md r. Then, divide the result by r.
Pitfalls of RSA
Message Composition:
Suppose that an eavesdropper intercepts two encrypted messages – C1 = M1e (mod n)
and C2 = M2e (mod n). He can now construct a false “secret” message M that will be
combined from M1 and M2, and he can send its encrypted form. This is because:
C1*C2 = M1e (mod n) * M2e (mod n) = (M1* M2)e (mod n).
To overcome these types of attacks, it is suggested to use a fixed format of messages to
be encrypted. For this purpose, RSA Laboratories has developed a set of standards
known as PKCS (Public Key Cryptography Standard). A fixed format of the message
Computer and Network Security
Dahlia Malkhi, Shlomo Kipnis
The Hebrew University of Jerusalem
Lecture 9 – Asymmetric Cryptography
Page 7
before encryption dramatically reduces the probability that the product of several
messages will have the proper format.
Signing for Decryption / vice-versa:
Since both the Signing operation and the Decryption operation use the same algorithm
and the user’s private key, several problems may arise if the same key is used both for
signing and encryption. A possible attack is that somebody can force you to sign a
message that an adversary cannot sign himself. You may think that you decrypt the
message while in fact you are signing and providing a signature for an adversary.
To overcome this type of attack, it is recommended to use separate keys for Signing and
for Decryption. In addition, one may add extra fields to the messages with a clear
distinction between Signing and Decryption.
Small Encryption Exponent:
The fact that small ‘e’ is chosen can be used to break RSA with repeated messages. In
order to avoid repetition, sequencing can be added.
Small ‘e’ with small messages M < n (1/e) can break the RSA code by computing roots.
Salting the messages, to bring them to a ‘safe’ length, prevents that attach.
Download