Ti Secured communications

Transcription

1 Ti Secured communications Pekka Jäppinen September 20, 2007 Pekka Jäppinen, Lappeenranta University of Technology: September 20, 2007

2 Relies on use of two keys: Public and private Sometimes called Public key systems Idea of publickey cryptosystem was first publicly suggested by Whitfield Diffie and Martin Hellman Encryption is conducted with the recipients public key, decryption with corresponding private key (secret key) After encryption only the recipient (or who ever knows the secret key) may decrypt the message Some algorithms can be used also for digital signatures Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

3 encryption with the signers secret key. (more on digital signatures lecture) Different kind of mathematical approaches have been developed to accomplish the result every approach relies on modular algebra e.g. calulcating in fields RSA, ElGamal, DSA (only for signing), ECC Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

4 RSA DEveloped by Ron Rivest, Adi Shamir, Leonard Adleman Key generation for RSA 1. Generate two big primes p and q, which are roughly the same size. (Has same amount of digits) 2. Calculate n = pq and φ = (p 1)(q 1) 3. Select random key e, 1 < e < φ so that gcd(e,φ) = 1. (Thus e and φ are relatively prime) 4. Calculate key d, 1 < d < φ, so that ed φ 1 i.e. d = e 1 mod(φ) (for example using extended euclidean algorithm on formulaed φk = 1) Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

5 5. Public key is (n,e), private key is d. p,q and φ should be kept secret. Encrypting and decrypting a message Divide message M in blocks that are smaller than n (i.e. is size of n is 2 65 the block size should be 64 bits on maximum. Encrypt the blocks using formula, where i is the block number Decryption is done with formula c i = M e i mod n M i = c d i mod n Proof: c d i = (M e i )d = M ed i = M k φ+1 i = M i M kφ i = M i 1 (mod n) Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

6 from key generation: ed φk = 1 ed = 1 + φk Remember the Euler s theorem a φ(p) p 1 if gcd (a,p) = 1 RSA works both ways > Encryption can be done with either public or private key. Decryption is thus done with the key not used in encryption. Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

7 Example p = 47 q = 71 n = p q = 3337 e cannot have common divisor with (p 1)(q 1) = = 3220 kanssa. Choose e = 79 ; gcd(79,3220) = 1 Calculate d = 79 1 mod 3220 = 1019 Let the message be which is same as integer 688 Encryption: mod 3337 = 1570, which in binary form is the encrypted message Decryption: mod 3337 = 688 Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

8 Speeding up RSA Choosing e cleverly can speed up the RSA calculations, Common choices are 3, 17 ja = ,has only two 1 bits in binary form (first and last bit), which speeds up calculations. For example X.509 recommends for e Algorithm for speed up can be found for example at: alg.html There are risks on using small e (see RSA security If p and q has been stored it is possible to speed up operations done with private key by using chinese remainder theorem Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

9 Roughly 4 times faster than plain exponentation Algorithm for this can be found for example at: alg.html Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

10 RSA security The security is presumed to rely on the hardness of factoring Try to factor n in order to find p and q, to be able to calculate d Current factorization methods base on quadratic sieve method. In 1994 a number with 129 digits (~428 bits) was factorized with Quadratic sieve. In 2005 number with 200 digits was factorized (663 bits), with lattice sieve algortihm There is no mathematical proof that n has to be factored in order to find out decryotion key d and message m. (no-one just don t know any other way.) Attack against value φ is not easier than factoring n. (φ is about the size of n, factoring is as hard) Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

11 Trying all possible d s has also the same complexity. Brute force attack Try all possible decryption keys d to find message when d is big enough this is at least as slow as factoring n Timing attacks measuring the time how long it takes to decrypt a message to determine the private key counter measure: Blinding e.g. multiple the cipher text with random number that is also encrypted before decrypting the message Attacks against RSA implementation or use. Common modulus attack Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

12 The implementation of RSA gives same modulus to all users. Same message is encrypted with two different keys that has same modulus (due to bad RSA implementation) c 1 = m e 1 mod n c 2 = m e 2 mod n Cryptoanalyst now knows values n,e 1,e 2,c 1,c 2 If gcd(e 1,e 2 ) = 1, which is very likely, the analyst can use extended euclidean algorithm to calculate r and s so thatre 1 +se 2 = 1 Let s presume r is in this case negative (one of the values has to be) Using extended euclideaan algorithm calculate c 1 1, after which you can calculate the original message (c 1 1 ) r c s 2 = m mod n Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

13 Several attacks when RSA is used for both encrypting and making digital signatures (these will be discussed on signatures lectures). Notes on using small encryption exponent If e(e+1) 2 linearly dependant messages are encrypted with different public keys, which have same e there is an attack against the system. If the messages are identical it is enough to have e messages to make the attack. Menezes et al. p.288 for more details to those interested. It is good idea to pad messages with random characters, to prevent such attacks (more about padding in block cipher lesson) Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

14 ElGamal Taher Elgamal, 1985 Creation of keys: Choose prime p and two random numbeers g and x which both are smaller than p Calculate y = g x mod p Public key is {y,g, p} Private key is x Signing message M with ElGamal Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

15 Choose random number k so that gcd(k, p 1) = 1 Calculate a = g k mod p Solve b from equation M = (xa + xb) mod (p 1) Signature pair is {a,b}, random number k stays secret To verify signature calculate that y a a b mod p = g M mod p (verifier do not know private key x) Every new signature requires new random k If k is revealed it is possible to solve the secret key DSA (Digital signature algorithm) is based on ElGamal algorithm Encryption with ElGamal Choose random number k so that gcd(k, p 1) = 1 Calculate a = g k mod p b = y k M mod p Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

16 Secret message is pair {a,b}, which is twice as long as original message Decryption Calculate M = b a xmod p Proof: a x p g kx and b a x p y k M a x p g xk M g xk p M ElGamal is just slighly modified diffie-hellman key-exchange protocol Security relies on the hardness of computing Discrete logarithms instead of factoring big integer like in RSA. In order to find secret key x by knowing public key {y,g, p} attacker has to solev discrete logarithm y = g x mod p Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

17 Knapsacks Idea is to gather different weights in the sack and inform the total weight Merkle-Hellman knapsack (first knapsack problem based cipher 1978) Super-Increasing set. Esim: A{1,3,7,12,30} Choose pair {n,m}, where m > SUM(A) and has no common factors with m e.g. their gcd is 1. For example: {13,55} gcd(13,55) = 1 and SUM(A) = 53 Public key is A i n mod m J{13,39,36,46,5} Encryption with public key Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

18 Divide the message in blocks which size in bits are same as the terms in sack (in this case 5) Add the values in sack on the position of 1-bits of message together For example if block is 01101: = = 80 To decrypt the key owner calculates n 1 mod m 13 1 mod 55 = 17 The cipher text is then multiplied with inverse of n with modulus m. During the decryption of the message the encrypted message is multiplied with the inverse of n and modulus m is taken from result. From the result, bit values are found out by using the secret key A. J = A n mod m A = J n 1 mod m A{1,3,7,12,30} mod 55 = = 10,12 > 10,10 7 = 3,3 3 = 0,1 > Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

19 Security of knapsacks: All known knapsack problem based algorithms have been broken. Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

20 Elliptic curves Elliptic curve is y 2 = x 3 + ax + b, where x, y, a and b are real numbers. Figure 1: Sample elliptic curves from wolfram.mathworld.com if x 3 + ax + b has no repeated factors (or if 4a b 2 0) the curve can be used to form a group for elliptic curve cryptography (ECC) Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

21 Adding points in elliptic curve group. Draw a line between points and calculate the 3rd point in curve that the line crosses. Then take reflection in the x axis of this point to get the result. If there is no third point crossed, the result is called point of infinity. Let s calculate P + Q = R where P = (xp,yp) and Q = (xq,yq) and P,Q are not negative of each other e.g. R 0 s = P y Q y P x Q x e.g. (slope of the line through P and Q) R x = s 2 P x Q x and R y = P y + s(p x R x ) Adding point to itself (e.g. P+P=2P) Draw a tangent for the selected point P in curve, calculate where the tangent crosses the curve. Then take reflection in the x axis of this point to get the result i.e. 2P to calculate with higher multipliers: 3P=2P+P, 4P=2(2P) and so on. Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

22 Calculate R when 2P = R 0 s = 3P2 x +a 2P Y R X = s 2 2P x and R y = s(p x R x ) P y Elliptic curve mod p Reducing the area on which the points may be on some field p let s assume curve: y 2 5 x 3 + 4x + 4 in mod 5 the values for x can be 0,1,2,3,4 and point of infinity x 5 0 y = 4 y 2, 2 y 5 2,3 (5-2=3)(2 2 = 4and 3 2 = 9 9mod 5 = 4) x 5 1 y y 5 2,3 x 5 2 y y 5 0 x 5 3 y 2 5 3No solution x 5 4 y y 5 2,3 x = y = Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

23 Thus the points for curve in mod 5 are (0,2),(0,3),(1,2),(1,3),(2,0),(4,2),(4,3 and (, ) Adding points is done as normal though remember a b = a b 1 adding points (1,2) and (4,3) in above curve together 3 2 slope m , ( ) x 3 5 m 2 x 1 x y 3 5 m(x 1 x 3 ) y 1 5 2(1 4) Thus: (1,2) + (4,3) = (4,2) Elliptic curve discrete logarithm problem(ecdlp): Given two points G and Y on an elliptic curve such that Y = kg (that is, Y is G added to itself k times), find the integer k. In discrete logratihm we have to try all possible powers, in elliptic curve we have to try all k Like in discrete logartihms the calculations can be done much Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

24 faster when the multiplier k is known Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

25 Elliptic curve cryptography (ECC) Let s first define the curve y 2 5 x 3 + ax + b mod p e.g.e p (a,b) Generation of keys: First select base point B in the curve Pick random integer k, which is the secret key Compute point K by scalar multiplication K=k*B Public key is [K,B,a,b,p] secret key [k,b,a,b,p] Encryption First Message is described as point M on curve Select randon integer r and compute C 0 = r B and C 1 = M + r K Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

26 The cipher text is point pair [C 0 C 1 ] Decryption calculate: C 1 k C 2 = M Proof: C 1 = M + rk, C 0 = r B and K=k*B thus: M + rk k(r B) M + r(k B) k(r B) = M ECDSA (Elliptic curve digital signature algorithm) Signatures with Elliptic curves can be done in similar fashion than ElGamal Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

27 Diffie-hellman type key exchange with elliptic curves First decide elliptic curve and choose point P A chooses random number k and calculates multiplied P i.e. kp and sends this to B B chooses random number l and calculates multiplied P i.e. lp and sends this to A Now A can calculate shared key by multiplying the received lp with k i.e. k(lp). B gets the same point by multiplying the gained results from a with his own secret i.e. l(kp) Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

28 The shared key is point lkp==klp Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28

29 Elliptic curve efficiency Elliptic curves can have smaller key size than RSA or other discrete logarithm based asymmetric systems. (224 bit ECC key is equivalent to 2048 bit RSA key from security point of view) ECC is overall a bit faster than RSA (ECC with 160 bit key vs RSA 1024 bit key) ECC is faster in decryption (and signing) while slower in encryption (and verifying) than RSA. Elliptic curves have several patent issues, which has slowed down their use Pekka Jäppinen, Lappeenranta University of Technology: September 20, /28