CSCE 715: Network Systems Security

1
CSCE 715Network Systems Security

• Chin-Tser Huang
• huangct_at_cse.sc.edu
• University of South Carolina

2
Key Management

• Asymmetric encryption helps address key
  distribution problems
• Two aspects
• distribution of public keys
• use of public-key encryption to distribute secret
  keys

3
Distribution of Public Keys

• Four alternatives of public key distribution
• Public announcement
• Publicly available directory
• Public-key authority
• Public-key certificates

4
Public Announcement

• Users distribute public keys to recipients or
  broadcast to community at large
• E.g. append PGP keys to email messages or post to
  news groups or email list
• Major weakness is forgery
• anyone can create a key claiming to be someone
  else and broadcast it
• can masquerade as claimed user before forgery is
  discovered

5
Publicly Available Directory

• Achieve greater security by registering keys with
  a public directory
• Directory must be trusted with properties
• contains name, public-key entries
• participants register securely with directory
• participants can replace key at any time
• directory is periodically published
• directory can be accessed electronically
• Still vulnerable to tampering or forgery

6
Public-Key Authority

• Improve security by tightening control over
  distribution of keys from directory
• Has properties of directory
• Require users to know public key for the
  directory
• Users can interact with directory to obtain any
  desired public key securely
• require real-time access to directory when keys
  are needed

7
Public-Key Authority
8
Public-Key Certificates

• Certificates allow key exchange without real-time
  access to public-key authority
• A certificate binds identity to public key
• usually with other info such as period of
  validity, authorized rights, etc
• With all contents signed by a trusted Public-Key
  or Certificate Authority (CA)
• Can be verified by anyone who knows the CAs
  public key

9
Public-Key Certificates
10
Distribute Secret KeysUsing Asymmetric Encryption

• Can use previous methods to obtain public key of
  other party
• Although public key can be used for
  confidentiality or authentication, asymmetric
  encryption algorithms are too slow
• So usually want to use symmetric encryption to
  protect message contents
• Can use asymmetric encryption to set up a session
  key

11
Simple Secret Key Distribution

• Proposed by Merkle in 1979
• A generates a new temporary public key pair
• A sends B the public key and As identity
• B generates a session key Ks and sends encrypted
  Ks (using As public key) to A
• A decrypts message to recover Ks and both use

12
Problem with Simple Secret Key Distribution

• An adversary can intercept and impersonate both
  parties of protocol
• A generates a new temporary public key pair KUa,
  KRa and sends KUa IDa to B
• Adversary E intercepts this message and sends KUe
  IDa to B
• B generates a session key Ks and sends encrypted
  Ks (using Es public key)
• E intercepts message, recovers Ks and sends
  encrypted Ks (using As public key) to A
• A decrypts message to recover Ks and both A and B
  unaware of existence of E

13
Distribute Secret KeysUsing Asymmetric Encryption

• if A and B have securely exchanged public-keys

?
14
Problem with Previous Scenario

• Message (4) is not protected by N2
• An adversary can intercept message (4) and replay
  an old message or insert a fabricated message

15
Order of Encryption Matters

• What can be wrong with the following protocol?
• A?B N
• B?A EKUaEKRbKsN
• An adversary sitting between A and B can get a
  copy of secret key Ks without being caught by A
  and B!

16
Diffie-Hellman Key Exchange

• First publicly proposed public-key type scheme
• By Diffie and Hellman in 1976 along with advent
  of public key concepts
• A practical method for public exchange of secret
  key
• Used in a number of commercial products

17
Diffie-Hellman Key Exchange

• Use to set up a secret key that can be used for
  symmetric encryption
• cannot be used to exchange an arbitrary message
• Value of key depends on the participants (and
  their private and public key information)
• Based on exponentiation in a finite (Galois)
  field (modulo a prime or a polynomial) - easy
• Security relies on the difficulty of computing
  discrete logarithms (similar to factoring) hard

18
Primitive Roots

• From Eulers theorem aø(n) mod n1
• Consider am mod n1, GCD(a,n)1
• must exist for m ø(n) but may be smaller
• once powers reach m, cycle will repeat
• If smallest is m ø(n) then a is called a
  primitive root
• if p is prime and a is a primitive root of p,
  then successive powers of a generate the group
  mod p
• Not every integer has primitive roots

19
Primitive Root Example Power of Integers Modulo
19
20
Discrete Logarithms

• Inverse problem to exponentiation is to find the
  discrete logarithm of a number modulo p
• Namely find x where ax b mod p
• Written as xloga b mod p or xinda,p(b)
• If a is a primitive root of p then discrete
  logarithm always exists, otherwise may not
• 3x 4 mod 13 has no answer
• 2x 3 mod 13 has an answer 4
• While exponentiation is relatively easy, finding
  discrete logarithms is generally a hard problem

21
Diffie-Hellman Setup

• All users agree on global parameters
• large prime integer or polynomial q
• a which is a primitive root mod q
• Each user (e.g. A) generates its key
• choose a private key (number) xA lt q
• compute its public key yA axA mod q
• Each user publishes its public key

22
Diffie-Hellman Key Exchange

• Shared session key for users A and B is KAB
• KAB axA.xB mod q
• yAxB mod q (which B can compute)
• yBxA mod q (which A can compute)
• KAB is used as session key in symmetric
  encryption scheme between A and B
• Attacker needs xA or xB, which requires solving
  discrete log

23
Diffie-Hellman Example

• Given Alice and Bob who wish to swap keys
• Agree on prime q353 and a3
• Select random secret keys
• A chooses xA97, B chooses xB233
• Compute public keys
• yA397 mod 353 40 (Alice)
• yB3233 mod 353 248 (Bob)
• Compute shared session key as
• KAB yBxA mod 353 24897 160 (Alice)
• KAB yAxB mod 353 40233 160 (Bob)

24
Elliptic Curve Cryptography

• Majority of public-key crypto (RSA, D-H) use
  either integer or polynomial arithmetic with very
  large numbers/polynomials
• Imposes a significant load in storing and
  processing keys and messages
• An alternative is to use elliptic curves
• Offers same security with smaller bit sizes

25
Real Elliptic Curves

• An elliptic curve is defined by an equation in
  two variables x and y, with coefficients
• Consider a cubic elliptic curve of form
• y2 x3 ax b
• where x, y, a, b are all real numbers
• also define zero point O
• Have addition operation for elliptic curve
• geometrically, sum of PQ is reflection of
  intersection R

26
Real Elliptic Curve Example
27
Finite Elliptic Curves

• Elliptic curve cryptography uses curves whose
  variables and coefficients are finite
• Two families are commonly used
• prime curves Ep(a,b) defined over Zp
• use integers modulo a prime
• best in software
• binary curves E2m(a,b) defined over GF(2m)
• use polynomials with binary coefficients
• best in hardware

28
Elliptic Curve Cryptography

• ECC addition is analog of modulo multiply
• ECC repeated addition is analog of modulo
  exponentiation
• Need a hard problem equivalent to discrete
  logarithm
• QkP, where Q, P belong to a prime curve
• is easy to compute Q given k, P
• but hard to find k given Q, P
• known as the elliptic curve logarithm problem
• Certicom example E23(9,17)

29
ECC Diffie-Hellman

• Can do key exchange analogous to D-H
• Users select a suitable curve Ep(a,b)
• Select base point G(x1, y1) with large order n
  s.t. nGO
• A and B select private keys nAltn, nBltn
• Compute public keys PAnAG, PBnBG
• Compute shared key KnAPB, KnBPA
• same since KnAnBG

30
ECC Encryption/Decryption

• Must first encode any message M as a point on the
  elliptic curve Pm
• Select suitable curve and point G as in D-H
• Each user chooses private key nAltn and computes
  public key PAnAG
• To encrypt Pm
• CmkG, PmkPB, k random
• To decrypt Cm
• PmkPBnB(kG) Pmk(nBG)nB(kG) Pm

31
ECC Security

• Relies on elliptic curve logarithm problem
• Fastest method is Pollard rho method
• Compared to factoring, can use much smaller key
  sizes than with RSA etc
• For equivalent key lengths computations are
  roughly equivalent
• Hence for similar security ECC offers significant
  computational advantages

32
Comparable Key Sizes
1
33
Next Class

• Hashing functions
• Message digests
• Read Chapters 11 and 12