Asymmetric Cryptography

Similar documents
Chapter 4 Asymmetric Cryptography

Network Security. Chapter 4 Asymmetric Cryptography

Chapter 8 Public-key Cryptography and Digital Signatures

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

CIS 551 / TCOM 401 Computer and Network Security

Lecture 1: Introduction to Public key cryptography

10 Public Key Cryptography : RSA

Asymmetric Encryption

Public-Key Cryptosystems CHAPTER 4

Public Key Algorithms

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

CPSC 467b: Cryptography and Computer Security

CRYPTOGRAPHY AND NUMBER THEORY

RSA. Ramki Thurimella

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Cryptography IV: Asymmetric Ciphers

Lecture V : Public Key Cryptography

8.1 Principles of Public-Key Cryptosystems

THE RSA CRYPTOSYSTEM

Mathematics of Cryptography

Lecture Notes, Week 6

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Cryptography. pieces from work by Gordon Royle

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Topics in Cryptography. Lecture 5: Basic Number Theory

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Public Key Cryptography

Number Theory. Modular Arithmetic

Eindhoven University of Technology MASTER. Kleptography cryptography with backdoors. Antheunisse, M. Award date: 2015

Discrete Mathematics GCD, LCM, RSA Algorithm

MATH 158 FINAL EXAM 20 DECEMBER 2016

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Question: Total Points: Score:

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Cryptography. P. Danziger. Transmit...Bob...

An Introduction to Probabilistic Encryption

My brief introduction to cryptography

Introduction to Modern Cryptography. Benny Chor

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Outline. Available public-key technologies. Diffie-Hellman protocol Digital Signature. Elliptic curves and the discrete logarithm problem

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

New Variant of ElGamal Signature Scheme

Encryption: The RSA Public Key Cipher

The security of RSA (part 1) The security of RSA (part 1)

Methods of Public-Key Cryptography. Émilie Wheeler

1 Number Theory Basics

Public Key Cryptography

Algorithmic Number Theory and Public-key Cryptography

Introduction to Cryptography. Lecture 6

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Introduction to Cryptography. Lecture 8

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Other Public-Key Cryptosystems

Number Theory & Modern Cryptography

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Introduction to Modern Cryptography. Benny Chor

CS483 Design and Analysis of Algorithms

Mathematical Foundations of Public-Key Cryptography

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Introduction to Cybersecurity Cryptography (Part 5)

Other Public-Key Cryptosystems

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Introduction to Public-Key Cryptosystems:

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

RSA RSA public key cryptosystem

NUMBER THEORY FOR CRYPTOGRAPHY

The RSA Cipher and its Algorithmic Foundations

Ti Secured communications

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Gurgen Khachatrian Martun Karapetyan

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Polynomial Interpolation in the Elliptic Curve Cryptosystem

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

CPSC 467: Cryptography and Computer Security

Security II: Cryptography exercises

CPSC 467b: Cryptography and Computer Security

and Other Fun Stuff James L. Massey

CS March 17, 2009

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Great Theoretical Ideas in Computer Science

A Knapsack Cryptosystem Based on The Discrete Logarithm Problem

CPSC 467: Cryptography and Computer Security

Discrete Logarithm Problem

Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages

OWO Lecture: Modular Arithmetic with Algorithmic Applications

Digital Signature Scheme Based on a New Hard Problem

Fundamentals of Modern Cryptography

The Elliptic Curve in https

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

A New Knapsack Public-Key Cryptosystem Based on Permutation Combination Algorithm

Introduction to Cybersecurity Cryptography (Part 4)

19. Coding for Secrecy

Lecture 7: ElGamal and Discrete Logarithms

Lecture 14: Hardness Assumptions

Public-Key Encryption: ElGamal, RSA, Rabin

8 Elliptic Curve Cryptography

Transcription:

Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a random ciphertext c = E(+K, m) and +K it should be infeasible to compute m = D(-K, c) = D(-K, E(+K, m)) This implies that it should be infeasible to compute -K when given +K The key -K is only known to one entity A and is called A s private key -K A The key +K can be publicly announced and is called A s public key +K A Applications: Encryption: If B encrypts a message with A s public key +K A, he can be sure that only A can decrypt it using -K A Signing: If A encrypts a message with his own private key -K A, everyone can verify this signature by decrypting it with A s public key +K A Attention: It is crucial, that everyone can verify that he really knows A s public key and not the key of an adversary! [NetSec/SysSec], WS 2008/2009 4.1 [NetSec/SysSec], WS 2008/2009 4.2 Design of Asymmetric Cryptosystems RSA Mathematical Background (Modular Arithmetic) Difficulty: Find an encryption algorithm and a key generating method to construct two keys -K, +K such that it is not possible to decipher E(+K, m) with the knowledge of +K Constraints: The key length should be manageable Encrypted messages should not be arbitrarily longer than unencrypted messages (we would tolerate a small constant factor) Encryption and decryption should not consume too much resources (time, memory) Basic idea: Take a problem in the area of mathematics / computer science, that is hard to solve when knowing only +K, but easy to solve when knowing -K Knapsack problems: basis of first working algorithms, which were unfortunately almost all proven to be insecure Factorization problem: basis of the RSA algorithm Discrete logarithm problem: basis of Diffie-Hellman and ElGamal We say b is congruent a mod n if it has the same remainder like a when divided by n. So, n divides (a-b), and we write b a mod n E.g., 4 11 mod 7, 25 11 mod 7 Greatest common divisor Let a, b Z and d = gcd(a, b). Then there exists m, n Z such that: d = m a + n b Euler totient of n: Φ(n) Let Φ(n) denote the number of positive integers less than n and relatively prime to n Examples: Φ(4) = 2, Φ(15) = 8 If p is prime Φ(p) = p 1 Let n and b be positive and relatively prime integers, i.e. gcd(n, b) = 1 b Φ(n) 1 mod n Euclidean Algorithm The algorithm Euclid given a, b computes gcd(a, b) int Euclid(int a, b) { if (b = 0) { return(a);} return(euclid(b, a MOD b); } Extended Euclidean Algorithm The algorithm ExtEuclid given a, b computes d, m, n such that: d = gcd(a, b) = m a + n b struct{int d, m, n} ExtEuclid(int a, b) { int d, d, m, m, n, n ; if (b = 0) {return(a, 1, 0); } (d, m, n ) = ExtEuclid(b, a MOD b); (d, m, n) = (d, n, m - a / b n ); return(d, m, n); } For more information, please refer to undergraduate CS classes or to the NetSec slides WS 2006/2007 [NetSec/SysSec], WS 2008/2009 4.3 [NetSec/SysSec], WS 2008/2009 4.4

RSA in a Nutshell RSA Encryption / Decryption Invented by R. Rivest, A. Shamir and L. Adleman [RSA78] Key generation Select p, q p and q both prime, p q Calculate n n = p x q Calculate Φ(n) Φ(n) = (p -1)(q -1) Select integer e gcd(φ(n), e) = 1; 1 < e < Φ(n) Calculate d d x e mod Φ(n) = 1 (extended Euclid) Public key +K = {e, n} Private key -K = {d, n} Encryption Plaintext Ciphertext Decryption Ciphertext Plaintext M < n (what about 0, 1,?) C = M e mod n C M = C d mod n Let p, q be distinct large primes and n = p q. Assume, we have also two integers e and d such that d e 1modΦ(n) Let M be an integer that represents the message to be encrypted, with M positive, smaller than and relatively prime to n. Example: Encode with <blank> = 99, A = 10, B = 11,..., Z = 35 So HELLO would be encoded as 1714212124. If necessary, break M into blocks of smaller messages: 17142 12124 To encrypt, compute: C = M e MOD n This can be done efficiently using the square-and-multiply algorithm To decrypt, compute: M = C d MOD n Proof d e 1modΦ(n) k Z: (d e) - 1 = k Φ(n) (d e) = k Φ( n) + 1 we have: M E d M (e d) M (k Φ( n) + 1) 1 k M M mod n [NetSec/SysSec], WS 2008/2009 4.5 [NetSec/SysSec], WS 2008/2009 4.6 RSA Encryption / Decryption RSA Security As (d e) = (e d) the operation also works in the opposite direction, that means you can encrypt with d and decrypt with e The security of the scheme lies in the difficulty of factoring n = p q as it is easy to compute Φ(n) and then d, when p and q are known This property allows to use the same keys d and e for: Receiving messages that have been encrypted with one s public key Sending messages that have been signed with one s private key This class will not teach why it is difficult to factor large n s, as this would require to dive deep into mathematics If p and q fulfill certain properties, the best known algorithms are exponential in the number of digits of n Please be aware that if you choose p and q in an unfortunate way, there might be algorithms that can factor more efficiently and your RSA encryption is not at all secure: Thus, p and q should be about the same bit length and sufficiently large (p - q) should not be too small If you want to choose a small encryption exponent, e.g. 3, there might be additional constraints, e.g. gcd(p - 1, 3) = 1 and gcd(q -1, 3) = 1 The security of RSA also depends on the primes generated being truly random (like every key creation method for any algorithm) Moral: If you are to implement RSA by yourself, ask a mathematician or better a cryptographer to check your design [NetSec/SysSec], WS 2008/2009 4.7 [NetSec/SysSec], WS 2008/2009 4.8

RSA Security Diffie-Hellman Mathematical Background Side channel attacks Finite groups Optimizations for use of RSA in embedded systems depend on the Chinese remainder theorem (CRT) Applications Smart cards (token, banking) Pay-per-view TV and many others Use (and storage) of p and q allows to calculate m e mod p, which can be efficiently manipulated to compute m e mod n Introducing computation errors allows to reveal the prime p p = gcd(s -s,n) with s and s being the bogus and correct signatures Implementation using square and multiply Most RSA implementations rely on the square-and-multiply algorithm for the exponentiations Timing attacks can by used to guess the private key Abelian group (S, ): set S and a binary operation with the following properties: closure, identity, associativity, commutativity and inverse elements Finite group: Abelian group plus finite set of elements, i.e. S < Primitive root, generator Let (S, ) be a group, g S and g a := g g... g (a times with a Z + ) Then g is called a primitive root of (S, ) : {g a 1 a S } = S Examples: 1 is a primitive root of (Z n, + n ) 3 is a primitive root of (Z * 7, 7 ) (Z * n, n ) does have a primitive root n {2, 4, p, 2 p e } where p is an odd prime and e Z + [A. G. Voyiatzis, An Introduction to Side Channel Cryptanalysis of RSA, ACM Crossroads, vol. 11.3, 2004] [NetSec/SysSec], WS 2008/2009 4.9 [NetSec/SysSec], WS 2008/2009 4.10 Diffie-Hellman Mathematical Background Definition: discrete logarithm Let p be prime, g be a primitive root of (Z * p, p ) and c be any element of Z * p. Then there exists z such that: g z c mod p z is called the discrete logarithm of c modulo p to the base g Example: 6 is the discrete logarithm of 1 modulo 7 to the base 3 as 3 6 1 mod 7 The Diffie-Hellman key exchange was first published in the landmark paper [DH76], which also introduced the fundamental idea of asymmetric cryptography The DH exchange in its basic form enables two parties A and B to agree upon a shared secret using a public channel: Public channel means, that a potential attacker E (E stands for eavesdropper) can read all messages exchanged between A and B The calculation of the discrete logarithm z when given g, c, and p is a computationally difficult problem and the asymptotical runtime of the best known algorithms for this problem is exponential in the bit length of p E A B insecure network For more information, please refer to undergraduate CS classes or to the NetSec slides WS 2006/2007 [NetSec/SysSec], WS 2008/2009 4.11 [NetSec/SysSec], WS 2008/2009 4.12

Key Exchange Procedure A chooses a prime p, a primitive root g of Z * p, and a random number q: A and B can agree upon the values p and g prior to any communication, or A can choose p and g and send them with his first message A computes v = g q MOD p and sends to B: {p, g, v} B chooses a random number r: B computes w = g r MOD p and sends to A: {p, g, w} (or just {w}) Both sides compute the common secret: A computes s = w q MOD p B computes s = v r MOD p As g (q r) MOD p = g (r q) MOD p it holds: s = s The mathematical basis for the DH exchange is the problem of finding discrete logarithms in finite fields An attacker Eve (E) who is listening to the public channel can only compute the secret s, if she is able to compute either q or r which are the discrete logarithms of v, w modulo p to the base g It is important, that A and B can be sure, that the attacker is not able to alter messages, as in this case he might launch a man-in-the-middle attack Remark: The DH exchange is not an asymmetric encryption algorithm, but is nevertheless introduced here as it goes well with the mathematical flavor of this lecture... :o) Remark: In practice the number g does not necessarily need to be a primitive root of p, it is sufficient if it generates a large subgroup of Z * p [NetSec/SysSec], WS 2008/2009 4.13 [NetSec/SysSec], WS 2008/2009 4.14 Man-in-the-middle attack Eve generates to random numbers q and r : Eve computes v = g q MOD p and w = g r MOD p When A sends {p, g, v} she intercepts the message Then, E sends to B: {p, g, v } When B sends {p, g, w} she intercepts the message as well E sends to A: {p, g, w } When the supposed shared secret is computed we get: A computes s 1 = w q MOD p = v r MOD p the latter computed by E B computes s 2 = v r MOD p = w q MOD p the latter computed by E So, in fact A and E have agreed upon a shared secret s 1, similarly E and B have agreed upon a shared secret s 2 E can now use the shared secret to intercept all the messages encrypted by this key to forge and re-encrypt the messages without being noticed Two countermeasures against the man-in-the-middle attack: The shared secret is authenticated after it has been agreed upon We will treat this in the section on key management A and B use a so-called interlock protocol after agreeing on a shared secret: For this they have to exchange messages that E has to relay before she can decrypt / re-encrypt them The content of these messages has to be checkable by A and B This forces E to invent messages and she can be detected One technique to prevent E from decrypting the messages is to split them into two parts and to send the second part before the first one. If the encryption algorithm used inhibits certain characteristics E can not encrypt the second part before she receives the first one. As A will only send the first part after he received an answer (the second part of it) from B, E is forced to invent two messages, before she can get the first parts. [NetSec/SysSec], WS 2008/2009 4.15 [NetSec/SysSec], WS 2008/2009 4.16

Conclusion Summary (what do I need to know) Asymmetric cryptography allows to use two different keys for: Encryption / Decryption Signing / Verifying The most practical algorithms that are still considered to be secure are: RSA, based on the difficulty of factoring Diffie-Hellman (not an asymmetric algorithm, but a key agreement protocol) ElGamal, like DH based on the difficulty of computing discrete logarithms As their security is entirely based on the difficulty of certain mathematical problems, algorithmic advances constitute their biggest threat Principles of asymmetric cryptography +K, -K for encryption and signing Mathematical problems that are hard to solve Factorization, discrete logarithm RSA Key generation Encryption / decryption (how?, why does it work?) Practical considerations: Asymmetric cryptographic operations are magnitudes slower than symmetric ones Therefore, they are often not used for encrypting / signing bulk data Symmetric techniques are used to encrypt / compute a cryptographic hash value and asymmetric cryptography is just used to encrypt a key / hash value Diffie-Hellman key exchange Key generation procedure Man-in-the-middle attack [NetSec/SysSec], WS 2008/2009 4.17 [NetSec/SysSec], WS 2008/2009 4.18 Additional References [Bre88a] D. M. Bressoud. Factorization and Primality Testing. Springer, 1988. [Cor90a] T. H. Cormen, C. E. Leiserson, R. L. Rivest. Introduction to Algorithms. The MIT Press, 1990. [DH76] W. Diffie, M. E. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, IT-22, pp. 644-654, 1976. [ElG85a] T. ElGamal. A Public Key Cryptosystem and a Signature Scheme based on Discrete Logarithms. IEEE Transactions on Information Theory, Vol.31, Nr.4, pp. 469-472, July 1985. [Kob87a] N. Koblitz. A Course in Number Theory and Cryptography. Springer, 1987. [Men93a] A. J. Menezes. Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, 1993. [Niv80a] I. Niven, H. Zuckerman. An Introduction to the Theory of Numbers. John Wiley & Sons, 4 th edition, 1980. [RSA78] R. Rivest, A. Shamir und L. Adleman. A Method for Obtaining Digital Signatures and Public Key Cryptosystems. Communications of the ACM, February 1978. [NetSec/SysSec], WS 2008/2009 4.19

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback