CSCE 790 Lecture 6 PublicKey Cryptosystems

1
CSCE 790 Lecture 6Public-Key Cryptosystems
2
Reading assignment

• Reading assignments for January 31
• Required
• Oppliger Ch 5.4, 5.5, 5.6,5.7,5.8
• Reading assignments for Febr. 5 7
• Required
• Oppliger Ch 5.4, 5.5, 5.6,5.7,5.8
• Oppliger Ch 6

3
Conventional (Secret Key) Cryptosystem
Plaintext M
Ciphertext C
Plaintext M
Encryption
Decryption
Sender
Recipient
K
K
Secure channel
CE(K,M) MD(K,C)
Key source
4
Secret-Key Encryption

• Single, secret key
• Key distribution problem of secret key systems
• Establish key before communication
• Need n(n-1)/2 keys with n different parties
• Do NOT provide electronic signatures
• Faster than public-key encryption

5
Key Distribution

• Both parties must have the same key
• Key must be protected from access by others
• Frequent key changes are desirable ? limit
  disclosure threat
• ?
• Strength of cryptosystem depends on
• KEY DISTRIBUTION

6
Key Distribution Scenarios

• Communicating parties Sender and Recipient
• A selects key K and physically delivers it to R
• Third party selects K and physically delivers it
  to S and R
• If S and R had a previous key K, they use K to
  encrypt and send new key
• If S and R has an encrypted connection to a third
  party KDC, KDC can deliver K to S and R through
  the encrypted link

7
Key Distribution Scenarios

• Options 1 and 2 (physical delivery) difficult
  for geographically distributed environment
• Option 3 (use old key to send new key) if a
  previous key is compromised, then all subsequent
  keys are compromised too
• Option 4 (Key Distribution Center) widely used,
  if KDC is trusted and protected it is secure.
  Each party must be registered with KDC

8
Key Distribution Center
KDC
Request N1
EK-SKsessionRequestN1EK-R(KsessionID-S)
EK-R(KsessionID-S)
EKsession(N2)
Sender
Recipient
EKsession(f(N2))
9
(public) (private)
10
Public-Key Encryption

• Two keys one is private one is public
• Solves the key distribution problem (but need
  reliable channel)
• Provides electronic signatures
• Slower than secret-key encryption

11
Public-Key Encryption

• Security requirement
• One of the keys must be kept secret
• Impossible (at least impractical) to decipher
  message if no other information is available
• Knowledge of algorithm, one of the keys, and
  samples of ciphertext must be insufficient to
  determine the other key

12
Public Key Cryptosystem

• Concept conceived by Diffie and Hellman in 1976
• Rivest, Shamir, and Adleman (RSA) describe a
  public key system in 1978
• Many proposals have been broken
• e.g., Merkle-Hellman proposal broken by Shamir
• Serious candidates (public domain)
• RSA
• El Gamal

13
Modular Arithmetic

• Results stay in the underlying range of numbers
• ,-, can be applied before or after the modulus
  is taken with similar results
• Modulus remainder after division, that is
  if b a mod n then acnb
• Examples
• 0 9 mod 3
• 2 12 mod 5
• 2 12 mod 10

14
Notation

• Sender S, recipient R
• C E(KE-R, M)
• M D(KD-R,C)
• KE-R public key of R
• KD-R private key of R
• E encryption alg.
• D decryption alg.
• M plaintext
• C ciphertext

15
RSA

• Public key (n,e)
• Secret key (n,d)
• n is a 200 digit number
• C Me mod n
• M Cd mod n (Me)d mod n Med mod n M
  mod n

16
RSA

• Sender and receiver know n
• Sender knows e
• Only receiver knows d
• Need
• Find values e,d,n such that Med mod n M mod n
• Easy to calculate Me mod n, Cd mod n for all M lt
  n
• Infeasible to determine d give e

17
1. Generate RSA Keys

• Generation of public and private keys
• Choose 2 large (100 digit) numbers p and q
• Compute n pq
• Choose e relatively prime to ?(n) (p-1)(q-1)
• Compute d such that ed 1 mod (p-1)(q-1)
• Publish (n,e)
• Secret (n,d), p, q

18
1. Generate RSA Keys

• Determine two prime numbers p and q
• Need to prevent discovery of p and q by
  exhaustive method ? p and q must be large
• Finding p and q must be efficient ? no useful
  technique to find arbitrary large primes (methods
  to test primality)
• Select either e or d and calculate the other
• Euclids Algorithm
• Calculates the greates common divisor of two
  integers and
• If gcd1 determines the inverse of one of the
  integers, modulo the other

19
Example Key Generation
Choose 2 large numbers p7, q17 Compute
npq 717119 Choose relative prime to
(p-1)(q-1) 61696, e5 Compute d 51 mod
9677 Publish (5,119) Keep (77,119), 7, 17
20
2. Encryption/Decryption

• Both involves raising an integer to an integer
  power, mod n
• If exponentiation is done on integers, then
  reduced ? huge intermediate results
• Use properties of modular arithmetic
• (a mod n)(b mod n) mod n (ab) mod n

21
Example - Encryption

• Let M 19, e5, d77
• Encrypt
• 195 mod 119 2,476,099 mod 119 66
• Decrypt
• 6677 mod 119 19 mod 119

22
Cryptanalytic Considerations

• Attacks on RSA
• Brute force try all keys
• Factor n into its two prime factors, calculate
• ?(n) (p-1)(q-1), determine d of
• ed 1 mod (p-1)(q-1)
• Determine ?(n) directly without p and q, then
  calculate d
• Determine d directly

23
Security of RSA

• How hard is it to compute d given (n,e)?
• Compute d such that ed 1 mod (p-1)(q-1)
• If factorization of n into pq is known Easy
• Otherwise Hard
• Security of RSA is no better than the complexity
  of the factoring problem

24
RSA versus DES

• RSA kilobits/second
• DES megabits/second
• ?
• DES is about 100 times faster than RSA

25
RSA versus DES

• Key size
• RSA selected by user
• DES 64 bits (56 effective)

26
Digital Signatures in RSA

• RSA Property encryption and decryption are
  commutative
• Encryption followed by decryption yields the
  original message
• (Me mod n)d mod n M
• Decryption followed by encryption yields the
  original message
• (Md mod n)e mod n M
• Cryptosystems that preserve message length have
  this property

27
(No Transcript)
28
Signature and Encryption
R
Encrypted Signed Plaintext
S
Signed Plaintext
Signed Plaintext
Plaintext
Plaintext
D
E
D
E
KD-A
KE-R
KD-R
KE-A
29
Signature and Encryption

• We could do the encryption first, followed by the
  signature.
• Adv. signature first parties, other than B can
  verify the signature
• DES can be used for encryption

30
Public-Key Distribution

• Public announcement
• Publicly available directory
• Public-key authority
• Public-key certificates

31
Public announcement
KE-J.S.
KE-J.S.
KE-J.S.
KE-J.S.
John Smith
KE-J.S.
KE-J.S.
Bad Uncontrolled distribution ? easy to
forge
32
Publicly available directory
Better but not Good enough ? Directory could Be
compromised
Public Key Directory
KE-J.S.
KE-M.R..
John Smith
Mary Rose
33
Public-key authority
Public-Key Authority
1. Request Time1
4. Request Time2
2. EKD-AuthKE-RRequestTime1
5. EKD-AuthKE-SRequestTime2
3. EKE-R(ID-AN1)
Sender
Recipient
6. EKE-S(N1N2)
7. EKE-R(N2)
34
Public-key certificates
Certificate Authority
KE-R
KE-S
C-SEKD-CAuthTime1,ID-S,KE-S
CREKD-CAuthTime2,ID-R,KE-R
1. C-S
Sender
Recipient
2. C-R
35
Public-key distribution of Secret keys

• Simple secret key distribution
• Secret key distribution with confidentiality and
  authentication
• Diffie-Hellman Key Exchange

36
Simple secret key distribution

• KE-S ID-S
• 2. E KE-S(Ksession)

Sender
Recipient
Vulnerable to active attack!
37
With confidentiality and authentication

• E KE-RN1ID-A
• 2. E KE-SN1N2
• 3. E KE-RN2
• 4. E KE-R E KD-S(Ksession)

Sender
Recipient
38
Diffie-Hellman Key Exchange

• Proposed in 1976
• First public key algorithm
• Allows group of users to agree on secret key over
  insecure channel
• Cannot be used to encrypt and decrypt messages

39
Diffie-Hellman Key Exchange

• Example
• A and B want to agree on shared secret key
• They agree on two large numbers n and g, such
  that 1ltgltn
• A choose random x and computes Xgx mod n and
  sends X to B
• B chooses random y and computes Ygy mod n and
  sends Y
• A computes k Yx mod n
• B computer k Xy mod n
• Note k k gyx mod n

40
Diffie-Hellman Key Exchange

• Requires no prior communication between A and B
• Security depends on difficulty of computing x
  given Xgx mod n
• Choices for g and n are critical both n and
  (n-1)/2 should be prime, n should be large
• Susceptible to intruder in the middle attack
  (active intruder)