
JooSeok Song

2007. 11. 13. Tue

**Private-Key Cryptography**

traditional private/secret/single key cryptography uses one key

shared by both sender and receiver

if this key is disclosed communications are compromised

also is symmetric, parties are equal

hence does not protect sender from receiver forging a message & claiming is sent by sender

CCLAB

**Public-Key Cryptography**

probably most significant advance in the 3000 year history of cryptography

uses two keys – a public & a private key

asymmetric since parties are not equal

uses clever application of number theoretic concepts to function

complements rather than replaces private key crypto

**Public-Key Cryptography**

public-key/two-key/asymmetric cryptography involves the use of two keys:

– a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures

– a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures

is asymmetric because

– those who encrypt messages or verify signatures cannot decrypt messages or create signatures

**Public-Key Cryptography** [figure]

**Why Public-Key Cryptography?**

developed to address two key issues:

– key distribution – how to have secure communications in general without having to trust a KDC with your key

– digital signatures – how to verify a message comes intact from the claimed sender

public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976

– known earlier in classified community

**Public-Key Characteristics**

Public-Key algorithms rely on two keys with the characteristics that it is:

– computationally infeasible to find decryption key knowing only algorithm & encryption key

– computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known

– either of the two related keys can be used for encryption, with the other used for decryption (in some schemes)

**Public-Key Cryptosystems** [figure]

**Public-Key Applications**

can classify uses into 3 categories:

– encryption/decryption (provide secrecy)

– digital signatures (provide authentication)

– key exchange (of session keys)

some algorithms are suitable for all uses, others are specific to one

**Security of Public Key Schemes**

like private key schemes brute force exhaustive search attack is always theoretically possible

but keys used are too large (>512bits)

security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problems

more generally the hard problem is known, it's just made too hard to do in practice

requires the use of very large numbers

hence is slow compared to private key schemes

**Cryptography Outline**

Introduction: terminology, cryptanalysis, security

Primitives:

– one-way functions

– one-way trapdoor functions

– one-way hash functions

Protocols: digital signatures, key exchange, …

Private-Key Algorithms: Rijndael, DES

Public-Key Algorithms: Knapsack, RSA, ElGamal, …

Case Studies: Kerberos, Digital Cash

**Primitives: One-Way Functions**

(Informally): A function $y = f(x)$ is one-way if it is easy to compute y from x but “hard” to compute x from y

Building block of most cryptographic protocols

And, the security of most protocols rely on their existence.

Unfortunately, not known to exist. This is true even if we assume $P \neq NP$.

**One-way functions: possible definition**

1. $F(x)$ is polynomial time

2. $F^{-1}(x)$ is NP-hard

What is wrong with this definition?

**One-way functions: better definition**

For most x no single PPT (probabilistic polynomial time) algorithm can compute x given y

Roughly: at most a $1/|x|^k$ fraction of instances x are easy for any k and as $|x| \to \infty$

This definition can be used to make the probability of hitting an easy instance arbitrarily small.

**Some examples (conjectures)**

Factoring: $x = (u,v)$, $y = f(u,v) = u \cdot v$

If u and v are prime it is hard to recover them from y.

Discrete Log: $y = g^x \bmod p$ where p is prime and g is a “generator” (i.e., $g^1, g^2, g^3, \ldots$ generates all values < p).

DES with known message m: $y = DES_x(m)$

This would assume a family of DES functions of increasing key size (for asymptotics)

**One-way functions in public-key protocols**

y = ciphertext, m = plaintext, k = public key

Consider: $y = E_k(m)$ (i.e., $f = E_k$)

Everyone knows k and thus f

$E_k(m)$ needs to be easy

$E_k^{-1}(y)$ should be hard

Otherwise eavesdropper could decrypt y.

But what about the intended recipient, who should be able to decrypt y?

**One-way functions in private-key protocols**

y = ciphertext, m = plaintext, k = key

Is $y = E_k(m)$ (i.e., $f = E_k$) a one-way function with respect to y and m?

f is not easy to compute unless k is known

So what do one-way functions have to do with private-key protocols?

**One-way functions in private-key protocols**

y = ciphertext, m = plaintext, k = key

How about $y = E_k(m) = E(k,m) = E_m(k)$ (i.e., $f = E_m$): should this be a one-way function?

In a known-plaintext attack we know a (y,m) pair.

The m along with E defines f

$E_m(k)$ needs to be easy

$E_m^{-1}(y)$ should be hard

Otherwise we could extract the key k.

**One-Way Trapdoor Functions**

A one-way function with a “trapdoor”

The trapdoor is a key that makes it easy to invert the function $y = f(x)$

Example: RSA (conjecture)

$y = x^e \bmod n$, where $n = pq$ (p, q prime, e random)

p or q or d (where $ed = 1 \bmod (p-1)(q-1)$) can be used as trapdoors

In public-key algorithms

f(x) = public key (e.g., e and n in RSA)

Trapdoor = private key (e.g., d in RSA)

**One-way Hash Functions**

$y = h(x)$ where

– y is a fixed length independent of the size of x. In general this means h is not invertible since it is many to one.

– Calculating y from x is easy

– Calculating any x such that $y = h(x)$ given y is hard

Used in digital signatures and other protocols.

**RSA**

by Rivest, Shamir & Adleman of MIT in 1977

best known & widely used public-key scheme

based on exponentiation in a finite (Galois) field over integers modulo a prime

– nb. exponentiation takes $O((\log n)^3)$ operations (easy)

uses large integers (eg. 1024 bits)

security due to cost of factoring large numbers

– nb. factorization takes $O(e^{\log n \log \log n})$ operations (hard)

**RSA Key Setup**

each user generates a public/private key pair by:

selecting two large primes at random - p, q

computing their system modulus $N = p \cdot q$

– note $\phi(N) = (p-1)(q-1)$

selecting at random the encryption key e

– where $1 < e < \phi(N)$, $\gcd(e, \phi(N)) = 1$

solve following equation to find decryption key d

– $e \cdot d = 1 \bmod \phi(N)$ and $0 \le d \le N$

publish their public encryption key: KU={e,N}

keep secret private decryption key: KR={d,p,q}

**RSA Use**

to encrypt a message M the sender:

– obtains public key of recipient KU={e,N}

– computes: $C = M^e \bmod N$, where $0 \le M < N$

to decrypt the ciphertext C the owner:

– uses their private key KR={d,p,q}

– computes: $M = C^d \bmod N$

note that the message M must be smaller than the modulus N (block if needed)

**Prime Numbers**

prime numbers only have divisors of 1 and self

– they cannot be written as a product of other numbers

– note: 1 is prime, but is generally not of interest

eg. 2,3,5,7 are prime, 4,6,8,9,10 are not

prime numbers are central to number theory

list of prime numbers less than 200 is:

2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199

**Prime Factorisation**

to factor a number n is to write it as a product of other numbers: $n = a \times b \times c$

note that factoring a number is relatively hard compared to multiplying the factors together to generate the number

the prime factorisation of a number n is when it's written as a product of primes

– eg. $91 = 7 \times 13$; $3600 = 2^4 \times 3^2 \times 5^2$

**Relatively Prime Numbers & GCD**

two numbers a, b are relatively prime if have no common divisors apart from 1

– eg. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8 and of 15 are 1,3,5,15 and 1 is the only common factor

conversely can determine the greatest common divisor by comparing their prime factorizations and using least powers

– eg. $300 = 2^1 \times 3^1 \times 5^2$, $18 = 2^1 \times 3^2$ hence $GCD(18,300) = 2^1 \times 3^1 \times 5^0 = 6$

**Fermat's Theorem**

$a^{p-1} \bmod p = 1$

– where p is prime and $\gcd(a,p) = 1$

also known as Fermat’s Little Theorem

useful in public key and primality testing

**Euler Totient Function $\phi(n)$**

when doing arithmetic modulo n

complete set of residues is: 0..n-1

reduced set of residues is those numbers (residues) which are relatively prime to n

– eg for n=10,

– complete set of residues is {0,1,2,3,4,5,6,7,8,9}

– reduced set of residues is {1,3,7,9}

number of elements in reduced set of residues is called the Euler Totient Function $\phi(n)$

**Euler Totient Function $\phi(n)$**

to compute $\phi(n)$ need to count number of elements to be excluded

in general need prime factorization, but

– for p (p prime) $\phi(p) = p-1$

– for $p \cdot q$ (p,q prime) $\phi(p \cdot q) = (p-1)(q-1)$

eg.

– $\phi(37) = 36$

– $\phi(21) = (3-1) \times (7-1) = 2 \times 6 = 12$

**Euler's Theorem**

a generalisation of Fermat's Theorem

$a^{\phi(N)} \bmod N = 1$

– where $\gcd(a,N) = 1$

eg.

– a=3; n=10; $\phi(10) = 4$;

– hence $3^4 = 81 = 1 \bmod 10$

– a=2; n=11; $\phi(11) = 10$;

– hence $2^{10} = 1024 = 1 \bmod 11$

**Why RSA Works**

because of Euler's Theorem:

$a^{\phi(N)} \bmod N = 1$

– where $\gcd(a,N) = 1$

in RSA have:

– $N = p \cdot q$

– $\phi(N) = (p-1)(q-1)$

– carefully chosen e & d to be inverses mod $\phi(N)$

– hence $e \cdot d = 1 + k \cdot \phi(N)$ for some k

hence:

$C^d = (M^e)^d = M^{1 + k \cdot \phi(N)} = M^1 \cdot (M^{\phi(N)})^k = M^1 \cdot (1)^k = M^1 = M \bmod N$

**RSA Example**

1. Select primes: p=17 & q=11

2. Compute $n = pq = 17 \times 11 = 187$

3. Compute $\phi(n) = (p-1)(q-1) = 16 \times 10 = 160$

4. Select e: $\gcd(e,160) = 1$; choose e=7

5. Determine d: $de = 1 \bmod 160$ and d < 160. Value is d=23 since $23 \times 7 = 161 = 1 \times 160 + 1$

6. Publish public key KU={7,187}

7. Keep secret private key KR={23,17,11}

**RSA Example cont**

sample RSA encryption/decryption is:

given message M = 88 (nb. 88<187)

encryption: $C = 88^7 \bmod 187 = 11$

decryption: $M = 11^{23} \bmod 187 = 88$

**Exponentiation**

can use the Square and Multiply Algorithm

a fast, efficient algorithm for exponentiation

concept is based on repeatedly squaring base

and multiplying in the ones that are needed to compute the result

look at binary representation of exponent

only takes $O(\log_2 n)$ multiples for number n

– eg. $7^5 = 7^4 \cdot 7^1 = 3 \cdot 7 = 10 \bmod 11$

– eg. $3^{129} = 3^{128} \cdot 3^1 = 5 \cdot 3 = 4 \bmod 11$

**Exponentiation** [figure]

**RSA Key Generation**

users of RSA must:

– determine two primes at random - p, q

– select either e or d and compute the other

primes p, q must not be easily derived from modulus $N = p \cdot q$

– means must be sufficiently large

– typically guess and use probabilistic test

exponents e, d are inverses, so use Inverse algorithm to compute the other

**RSA Security**

three approaches to attacking RSA:

– brute force key search (infeasible given size of numbers)

– mathematical attacks (based on difficulty of computing $\phi(N)$, by factoring modulus N)

– timing attacks (on running of decryption)

**Factoring Problem**

mathematical approach takes 3 forms:

– factor $N = p \cdot q$, hence find $\phi(N)$ and then d

– determine $\phi(N)$ directly and find d

– find d directly

currently believe all equivalent to factoring

– have seen slow improvements over the years

as of Aug-99 best is 130 decimal digits (512) bit with GNFS

– biggest improvement comes from improved algorithm

cf “Quadratic Sieve” to “Generalized Number Field Sieve”

– barring dramatic breakthrough 1024+ bit RSA secure

ensure p, q of similar size and matching other constraints

**Timing Attacks**

developed in mid-1990’s

exploit timing variations in operations

– eg. multiplying by small vs large number

– or IF's varying which instructions executed

infer operand size based on time taken

RSA exploits time taken in exponentiation

countermeasures

– use constant exponentiation time

– add random delays

– blind values used in calculations
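An added example (not from the original slides) tying the Exponentiation and Timing Attacks slides together: square and multiply instrumented to count its modular operations, which makes the exponent-dependent work visible, next to a ladder that does fixed work per bit and the blinding countermeasure. Function names are assumptions; Python integers are not constant-time, so this illustrates operation counts only, not real timing behaviour.

```python
def square_and_multiply(base, exp, mod):
    """Left-to-right square and multiply.

    Returns (result, squarings, multiplies) so the work done is visible.
    """
    result, squarings, multiplies = 1, 0, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod
        squarings += 1
        if bit == "1":
            # Extra multiply only for 1-bits: the count depends on the exponent.
            result = result * base % mod
            multiplies += 1
    return result, squarings, multiplies


def ladder(base, exp, mod, bits):
    """Montgomery ladder over a fixed bit length: one square and one multiply
    per bit, whatever its value. Returns (result, total modular operations)."""
    if exp >> bits:
        raise ValueError("exponent does not fit in the given bit length")
    r0, r1, ops = 1, base % mod, 0
    for i in reversed(range(bits)):
        if (exp >> i) & 1:
            r0, r1 = r0 * r1 % mod, r1 * r1 % mod
        else:
            r0, r1 = r0 * r0 % mod, r0 * r1 % mod
        ops += 2
    return r0, ops


def blinded_decrypt(c, d, e, n, r):
    """Blinding: exponentiate c * r^e instead of c, then divide r back out.
    r must be fresh and random per operation and coprime to n."""
    blinded = c * pow(r, e, n) % n
    return pow(blinded, d, n) * pow(r, -1, n) % n


if __name__ == "__main__":
    # Same 8-bit exponent length, very different multiply counts.
    print(square_and_multiply(3, 129, 11))   # exponent 10000001
    print(square_and_multiply(3, 255, 11))   # exponent 11111111
    # The ladder performs 16 operations for both exponents.
    print(ladder(3, 129, 11, 8), ladder(3, 255, 11, 8))
    # Blinded decryption of the slide example C = 11 under d = 23, N = 187.
    print(blinded_decrypt(11, 23, 7, 187, r=5))
```
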

**Summary**

have considered:

– prime numbers

– Fermat’s and Euler’s Theorems

– Primality Testing

– Chinese Remainder Theorem

– Discrete Logarithms

– principles of public-key cryptography

– RSA algorithm, implementation, security

**Assignments**

1. Perform encryption and decryption using RSA algorithm, as in Figure 1, for the following:

① p = 3; q = 11, e = 7; M = 5

② p = 5; q = 11, e = 3; M = 9

Figure 1. Example of RSA Algorithm

Encryption: Plaintext 88, $88^7 \bmod 187 = 11$, KU = 7, 187

Decryption: Ciphertext 11, $11^{23} \bmod 187 = 88$, KR = 23, 187, Plaintext 88

2. In a public-key system using RSA, you intercept the ciphertext C = 10 sent to a user whose public key is e = 5, n = 35. What is the plaintext M?

**Introduction**

Discovered by Whitfield Diffie and Martin Hellman

– “New Directions in Cryptography”

Diffie-Hellman key agreement protocol

– Exponential key agreement

– Allows two users to exchange a secret key

– Requires no prior secrets

– Real-time over an untrusted network

**Introduction**

Based on the difficulty of computing discrete logarithms of large numbers.

No known successful attack strategies*

Requires two large numbers, one prime (P), and (G), a primitive root of P

**Implementation**

P and G are both publicly available numbers

– P is at least 512 bits

Users pick private values a and b

Compute public values

– $x = g^a \bmod p$

– $y = g^b \bmod p$

Public values x and y are exchanged

**Implementation** [figure]

Copyright, 2001 by NetIP, Inc. and Keith Palmgren, CISSP.

**Implementation**

Compute shared, private key

– $k_a = y^a \bmod p$

– $k_b = x^b \bmod p$

Algebraically it can be shown that $k_a = k_b$

– Users now have a symmetric secret key to encrypt

**Implementation** [figure]

**Example**

Two Internet users, Alice and Bob wish to have a secure conversation.

– They decide to use the Diffie-Hellman protocol

**Example**

Alice and Bob get public numbers

– P = 23, G = 9

Alice and Bob compute public values

– $X = 9^4 \bmod 23 = 6561 \bmod 23 = 6$

– $Y = 9^3 \bmod 23 = 729 \bmod 23 = 16$

Alice and Bob exchange public numbers
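The exchange above carried through to the shared key, as an added example that is not part of the original slides. It uses the slide values P = 23, G = 9 and the private values 4 and 3 implied by the exponents; the helper names and the range check on received public values are assumptions of this example. It also computes the order of G, which shows that 9 generates only 11 of the 22 nonzero residues mod 23.

```python
def element_order(g, p):
    """Order of g in the multiplicative group mod prime p.
    Brute force, so only usable at toy sizes like the slide example."""
    if g % p == 0:
        raise ValueError("g must be nonzero mod p")
    x, k = g % p, 1
    while x != 1:
        x = x * g % p
        k += 1
    return k


def is_primitive_root(g, p):
    """A primitive root of prime p has order p - 1."""
    return element_order(g, p) == p - 1


def public_value(g, private, p):
    return pow(g, private, p)


def validate_public(value, p):
    """Reject received values outside 2..p-2: 0, 1 and p-1 would force the
    shared key into a tiny, predictable set."""
    if not 1 < value < p - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return value


def shared_key(peer_public, private, p):
    return pow(validate_public(peer_public, p), private, p)


if __name__ == "__main__":
    P, G = 23, 9          # public numbers from the slide
    a, b = 4, 3           # private values implied by X = 9^4 and Y = 9^3
    X, Y = public_value(G, a, P), public_value(G, b, P)
    print("X =", X, "Y =", Y)
    print("k_a =", shared_key(Y, a, P), "k_b =", shared_key(X, b, P))
    print("order of G =", element_order(G, P),
          "primitive root:", is_primitive_root(G, P))
```
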

**Applications**

Diffie-Hellman is currently used in many protocols, namely:

– Secure Sockets Layer (SSL)/Transport Layer Security (TLS)

– Secure Shell (SSH)

– Internet Protocol Security (IPSec)

– Public Key Infrastructure (PKI)

**Digital Signature Model** [figure, two slides]

**Digital Signature Requirements**

must depend on the message signed

must use information unique to sender

– to prevent both forgery and denial

must be relatively easy to produce

must be relatively easy to recognize & verify

be computationally infeasible to forge

– with new message for existing digital signature

– with fraudulent digital signature for given message

be practical save digital signature in storage

**Direct Digital Signatures**

involve only sender & receiver

assumed receiver has sender’s public-key

digital signature made by sender signing entire message or hash with private-key

can encrypt using receiver's public-key

important that sign first then encrypt message & signature

security depends on sender’s private-key

**ElGamal Digital Signatures**

signature variant of ElGamal, related to D-H

– so uses exponentiation in a finite (Galois) field

– with security based on difficulty of computing discrete logarithms, as in D-H

use private key for encryption (signing)

uses public key for decryption (verification)

each user (eg. A) generates their key

– chooses a secret key (number): $1 < x_A < q-1$

– compute their public key: $y_A = a^{x_A} \bmod q$

**ElGamal Digital Signature**

Alice signs a message M to Bob by computing

– the hash $m = H(M)$, $0 \le m \le (q-1)$

– choose random integer K with $1 \le K \le (q-1)$ and $\gcd(K, q-1) = 1$

– compute temporary key: $S_1 = a^K \bmod q$

– compute $K^{-1}$ the inverse of K mod (q-1)

– compute the value: $S_2 = K^{-1}(m - x_A S_1) \bmod (q-1)$

– signature is: $(S_1, S_2)$

any user B can verify the signature by computing

– $V_1 = a^m \bmod q$

– $V_2 = y_A^{S_1} S_1^{S_2} \bmod q$

– signature is valid if $V_1 = V_2$

**ElGamal Signature Example**

use field GF(19) q=19 and a=10

Alice computes her key:

– A chooses $x_A = 16$ & computes $y_A = 10^{16} \bmod 19 = 4$

Alice signs message with hash m=14 as (3,4):

– choosing random K=5 which has $\gcd(18,5) = 1$

– computing $S_1 = 10^5 \bmod 19 = 3$

– finding $K^{-1} \bmod (q-1) = 5^{-1} \bmod 18 = 11$

– computing $S_2 = 11(14 - 16 \cdot 3) \bmod 18 = 4$

any user B can verify the signature by computing

– $V_1 = 10^{14} \bmod 19 = 16$

– $V_2 = 4^3 \cdot 3^4 = 5184 = 16 \bmod 19$

– since 16 = 16 signature is valid

**Digital Signature Standard (DSS)**

US Govt approved signature scheme

designed by NIST & NSA in early 90's

published as FIPS-186 in 1991

revised in 1993, 1996 & then 2000

uses the SHA hash algorithm

DSS is the standard, DSA is the algorithm

FIPS 186-2 (2000) includes alternative RSA & elliptic curve signature variants

DSA is digital signature only unlike RSA

is a public-key technique

**DSS vs RSA Signatures** [figure]

**Digital Signature Algorithm (DSA)**

creates a 320 bit signature

with 512-1024 bit security

smaller and faster than RSA

a digital signature scheme only

security depends on difficulty of computing discrete logarithms

variant of ElGamal & Schnorr schemes

**DSA Key Generation**

have shared global public key values (p,q,g):

– choose 160-bit prime number q

– choose a large prime p with $2^{L-1} < p < 2^L$, where L = 512 to 1024 bits and is a multiple of 64, such that q is a 160 bit prime divisor of (p-1)

– choose $g = h^{(p-1)/q}$, where $1 < h < p-1$ and $h^{(p-1)/q} \bmod p > 1$

users choose private & compute public key:

– choose random private key: $x < q$

– compute public key: $y = g^x \bmod p$

**DSA Signature Creation**

to sign a message M the sender:

– generates a random signature key k, $k < q$

– nb. k must be random, be destroyed after use, and never be reused

then computes signature pair:

$r = (g^k \bmod p) \bmod q$

$s = [k^{-1}(H(M) + xr)] \bmod q$

sends signature (r,s) with message M

**DSA Signature Verification**

having received M & signature (r,s)

to verify a signature, recipient computes:

$w = s^{-1} \bmod q$

$u_1 = [H(M)w] \bmod q$

$u_2 = (rw) \bmod q$

$v = [(g^{u_1} y^{u_2}) \bmod p] \bmod q$

if v=r then signature is verified

see Appendix A for details of proof why
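DSA key generation, signing and verification from the three slides above, as an added example that is not part of the original slides. The toy parameters p = 23, q = 11, h = 2 are constructed for this example and far too small for real use, the function names are assumptions, and reducing the SHA-1 digest mod q is a simplification for the toy q.

```python
import hashlib
import secrets

# Constructed toy domain parameters (assumptions of this example):
# q = 11 is a prime divisor of p - 1 = 22, and g = h^((p-1)/q) mod p, h = 2.
P, Q = 23, 11
G = pow(2, (P - 1) // Q, P)            # = 4, which is > 1 as required


def hash_to_int(message):
    """H(M) reduced mod q; real DSA pairs the SHA output with a 160-bit q."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % Q


def dsa_sign_hash(hm, x, k):
    """Signature pair (r, s) for hash value hm, private key x, signature key k."""
    if not 0 < k < Q:
        raise ValueError("need 0 < k < q")
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (hm + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick a fresh k")
    return r, s


def dsa_verify_hash(hm, signature, y):
    r, s = signature
    if not (0 < r < Q and 0 < s < Q):   # reject out-of-range values first
        return False
    w = pow(s, -1, Q)
    u1 = hm * w % Q
    u2 = r * w % Q
    v = pow(G, u1, P) * pow(y, u2, P) % P % Q
    return v == r


def dsa_sign(message, x):
    """Sign with a fresh random k on every call; k is not kept afterwards."""
    hm = hash_to_int(message)
    while True:
        k = secrets.randbelow(Q - 1) + 1        # uniform in 1..q-1
        try:
            return dsa_sign_hash(hm, x, k)
        except ValueError:
            continue                            # s == 0: retry with a new k


def dsa_verify(message, signature, y):
    return dsa_verify_hash(hash_to_int(message), signature, y)


if __name__ == "__main__":
    x = 7                                # private key, x < q
    y = pow(G, x, P)                     # public key y = g^x mod p
    sig = dsa_sign(b"constructed sample message", x)
    print("y =", y, "signature =", sig)
    print("valid:", dsa_verify(b"constructed sample message", sig, y))
```
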

**DSS Overview** [figure]
