Public Key Cryptography - PowerPoint PPT Presentation

Slides: 36
Provided by: BEN81
Transcript and Presenter's Notes

1
Public Key Cryptography
2
Public Key Cryptography
  • why we might want to consider an alternative to a
    secret key system using key distribution, and
  • what we're looking for in public key
    cryptography.

3
Problem of Key Distribution
  • there is one difficulty inherent in all KDC
    mechanisms.
  • it seems like you must already have agreed on a
    key in order to securely distribute the next key
  • it won't work after your system has been
    compromised (when you have to start over again)
  • it won't work initially (when you have not yet
    agreed on a key).
  • You move the vulnerability away from "people
    trying to figure out a message" to the KDCs.

4
Problem of Key Distribution
  • However, we can imagine a physical solution to
    the problem
  • "Alice sends a secret to Bob, but they don't
    share a key", which is identical to the two
    problems mentioned above

5
Solution
6
Solution
  • Alice puts a secret in a box, which she locks
    with her own lock. Only Alice has the key to this
    lock.
  • Alice then ships the box to Bob.
  • Bob adds his own lock to this box in parallel, so
    that now the box has two locks
  • Bob then ships the box back to Alice.
  • Alice, knowing that the box is secure with Bob's
    lock, then takes her own lock off the box (with
    her key).
  • Alice sends the box back to Bob
  • Bob then removes his lock and receives the secret
    (which could have been a new shared key).

7
Solution
  • We have successfully shared a secret without
    exposing it
  • We did not possess a shared key initially
  • We don't care who is able to actually lock our
    mechanism
  • We want to make sure that only somebody with a
    key can unlock it
  • It should be cheap to unlock our mechanism with
    the key, but very expensive to try to unlock it
    without the key

8
Solution
  • In a mathematical sense
  • What we're looking for is called a 1-way
    trap-door function
  • To apply this idea to a cryptosystem, we would
    want an encryption mechanism that is a 1-way
    function
  • easy to compute but hard to invert
  • Our decryption of this resulting value should be
    easy if you know about the trap door

9
Solution
  • Diffie - Hellman Key Exchange
  • allows two principals to agree on a shared key
    even though they exchange messages in public
  • In the protocol, there is no authentication
  • either side could be spoofed by an active
    wiretapper
  • The protocol can easily be extended into one that
    does also implement the necessary authentication.

10
Diffie - Hellman Key Exchange
11
Diffie - Hellman Key Exchange
  • The first step is to choose a large prime number
    p (around 512 bits).
  • The second is to choose an integer g where g < p
    (with some other technical restrictions.)
  • At this point, A can compute
  • $(T_B)^{S_A} = (g^{S_B} \bmod p)^{S_A} = (g^{S_B})^{S_A} \bmod p = g^{S_B S_A} \bmod p$.
  • Similarly B can compute
  • $(T_A)^{S_B} = \dots = g^{S_A S_B} \bmod p$.
  • Therefore, $g^{S_A S_B} \bmod p = g^{S_B S_A} \bmod p$ is
    the final shared key.

12
Diffie - Hellman Key Exchange
  • A wiretapper can see all the messages that are
    sent,
  • but can't do anything without having a fast way
    to compute logs in finite fields, which is
    assumed to be hard.
  • One problem with Diffie-Hellman is that it does
    not generalize to send arbitrary messages.
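
The exchange on slides 11 and 12 as runnable Python, added here as an illustration and not part of the original presentation. The prime, the generator, the function names and the range check on received values are assumptions chosen for the demo; the check does not supply the authentication the slides note is missing.

```python
import secrets

# Toy parameters chosen for this example (not from the slides): a 127-bit
# Mersenne prime is far too small for real use.
P = 2**127 - 1
G = 3

def keypair(p=P, g=G):
    """Pick a secret exponent S and compute the public value T = g^S mod p."""
    s = secrets.randbelow(p - 3) + 2          # S in [2, p-2]
    return s, pow(g, s, p)

def shared_key(their_t, my_s, p=P):
    """Compute (T_other)^S_mine mod p, rejecting degenerate public values."""
    if not 2 <= their_t <= p - 2:
        # 0, 1 and p-1 would force the key into a tiny, guessable set
        raise ValueError("public value out of range")
    return pow(their_t, my_s, p)

def run_exchange():
    """Both sides of the protocol plus everything a passive wiretapper sees."""
    s_a, t_a = keypair()                      # A keeps S_A, sends T_A
    s_b, t_b = keypair()                      # B keeps S_B, sends T_B
    wire = {"p": P, "g": G, "T_A": t_a, "T_B": t_b}
    key_a = shared_key(t_b, s_a)              # (T_B)^S_A mod p
    key_b = shared_key(t_a, s_b)              # (T_A)^S_B mod p
    return key_a, key_b, wire

if __name__ == "__main__":
    key_a, key_b, wire = run_exchange()
    print("keys match:", key_a == key_b)
    print("visible on the wire:", sorted(wire))
```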

13
Physical Analogy for Diffie-Hellman Key Exchange
  • We have two principals, A and B, each with a
    3-liter paint pot that contains 1 liter of yellow
    paint. We will use E to denote a passive
    wiretapper. We can assume that mixed paint cannot
    be deconstructed into original colors.
  • A adds to her 1 liter of yellow paint a secret
    color $S_A$. B also adds to his 1 liter of yellow
    paint a secret color $S_B$.
  • A and B swap pots. E is able to observe the two
    2-liter mixtures being exchanged, but E cannot
    deduce what color was added to either mixture. E
    can only deduce the relative color balance in the
    combined 4-liter mixture: 2 yellow : $S_A$ : $S_B$
    ($Y + Y + S_A + S_B$).
  • A adds $S_A$ to B's pot. The result ($Y + S_A + S_B$) is the
    key. B adds $S_B$ to A's pot. The result ($Y + S_B + S_A$)
    is the key.
  • Notice A and B have computed the same key, but E
    gets a different one.

14
Public Key Cryptography
  • In public key cryptography, some keys are known
    to everyone, so it would seem that the key
    distribution problem vanishes
  • The basic idea of a public key cryptosystem is to
    have two keys
  • a private (secret) key and
  • a public key.
  • Anyone can know the public key

15
Public Key Cryptography
  • Plaintext to a principal B is encrypted using B's
    public key.
  • B decrypts the enciphered text using its private
    key.
  • As long as B is the only one who knows the
    private key, then only B can decrypt messages
    encrypted under B's public key.

16
Public Key Cryptography
  • Some public key cryptography schemes also allow
    plaintext to be run through the decryption
    algorithm (using the private key).
  • What is produced is referred to as signed text
    and it can be "deciphered" using the public key
  • Only the possessor of a private key can create
    text that is decipherable using the public key.
  • The functionality of signed text cannot be
    replicated using secret key/symmetric
    cryptography.

17
Public Key Cryptography
  • Public key cryptography is usually much slower
    than secret key cryptography
  • it is rarely used to encrypt an entire message.
  • a message is encrypted using shared key
    cryptography (with a secret key).
  • That secret key is then encrypted using public
    key cryptography
  • the encrypted message and key are sent.
  • This is called hybrid encryption
  • can allow for complex structures in implementing
    our secrecy requirements

18
History of Public Key Cryptography
  • (United States)
  • 1975 Diffie imagines asymmetric cryptography
    (Diffie Hellman)
  • 1976 Diffie-Hellman key exchange
  • April 1977 RSA (Rivest, Shamir, Adleman)
  • (United Kingdom)
  • 1969 Government Communications Headquarters
    (GCHQ) - successor to Bletchley Park - asks James
    Ellis to look into the key distribution problem.
    Ellis recalls a Bell Labs report about adding
    noise to a signal, transmitting it, and then
    removing the noise.
  • 1973 Clifford Cocks (recent Cambridge Math Ph.D)
    joins GCHQ. He hears about Ellis's idea and
    searches for a suitable function, and he thinks
    of RSA. GCHQ now could do public key encryption.
  • January 1974 Malcolm Williamson, in an effort to
    try to break Cocks's work, discovers
    Diffie-Hellman.

19
Uses of Public-Key Cryptography
  • secrecy,
  • authentication, and
  • digital signatures

20
Uses of Public-Key Cryptography
  • Secrecy is obtained when principal A encrypts a
    message m using B's public key. Thereafter, the
    only way to decrypt m is to know the private key
    of B. (see Figure below)

21
Uses of Public-Key Cryptography
  • In secret key cryptography, doing authentication
    requires having a different key for each pair of
    principals; in public key cryptography, each
    principal needs to know just its own private key.
    An example of a public-key authentication
    protocol is

22
Uses of Public-Key Cryptography
  • Digital signatures are used to prove that a
    message was generated by a particular principal.
  • Assume that the cryptosystem has the additional
    property wherein a message m "decrypted" under a
    private key, and then "encrypted" using the
    corresponding public key produces m.
  • To create a signed message, A will encrypt a
    message using its own private key and send that
    encrypted message to B.
  • B looks up A's public key and uses it to decrypt
    the message.
  • This is not completely practical since it
    requires running the decryption on an entire
    message, which can be expensive.
  • A solution is to compute a hash of the message
    and sign that.

23
Uses of Public-Key Cryptography
  • A hash is a function that digests information. It
    takes a message as input and outputs a short bit
    string (say, 128 bits).
  • An example of a 1-bit hash would be a function
    that returns the parity of the message.

24
Uses of Public-Key Cryptography
  • Think of a hash as a succinct summary of a message
    that has four properties
  • It is computationally infeasible to determine the
    input message m based on the digest of that
    message hash(m), which means the digest must
    convey no information about the original message
  • It is infeasible to find any message with a given
    digest value, which means we can't attack by
    replacing a message m1 with another message m2
    with the same hash value

25
Uses of Public-Key Cryptography
  • Think of a hash as a succinct summary of a message
    that has four properties
  • It is infeasible to find 2 messages with a given
    hash. If we don't have this property, then it is
    possible a person could sign a message, then the
    signature could be cut and pasted on to another
    message with the same hash.
  • And finally, changing even 1-bit of the input
    gets completely different output, so that
    syntactically similar messages generate very
    different outputs and it is not likely that two
    bit-strings with the same hash value could be
    mistaken for each other.

26
Uses of Public-Key Cryptography
  • These properties make a message-text substitution
    attack difficult given a hash.
  • Suppose that message m is sent along with a
    signed hash value for m.
  • The properties of the hash function would make it
    difficult for an attacker to substitute another
    meaningful message that has the same hash value
    as the original.

27
Uses of Public-Key Cryptography
  • We can easily have multiple signatures as well as
    build up a chain of signatures which establishes
    a valid history. This chaining of signatures can
    be used to prove such a claim as "Alice had
    signed the message when I got it.".

28
Examples of Public-Key Cryptosystems
  • Merkle's Puzzles
  • one of the first public key cryptographic systems
    to be described
  • It allows A and B to agree on a secret key
  • Principal A invents a million keys and a million
    puzzles, where each puzzle encodes a different
    one of the keys
  • Each puzzle is assumed to take at least two
    minutes to solve and fit into 96 bits
  • A sends these puzzles to B
  • B then picks a puzzle at random and solves it
  • B encrypts a pre-arranged string (say 0000) with
    the key from the puzzle it solved
  • B sends this encrypted string back to A. A tries
    each of the million keys on the message it
    receives from B
  • The one that decrypts the message and obtains the
    pre-arranged string is the secret key that A will
    use henceforth to communicate with B.

29
Examples of Public-Key Cryptosystems
  • Merkle's Puzzles
  • A wiretapper C could steal the million puzzles.
  • However, C would need to crack all million of the
    puzzles in order to discover the secret key.
  • If the wiretapper didn't know the pre-arranged
    string, then it can't even use a known-plaintext
    attack.
  • Since cracking each puzzle requires at least 2
    minutes, the wiretapper would need on average 330
    days to find the key.
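
A scaled-down run of the Merkle's Puzzles protocol from slides 28 and 29, added here as an illustration and not part of the original presentation. The hash-based XOR cipher, the 10-bit puzzle strength, the use of the pre-arranged string as a marker inside each puzzle, and all function names are assumptions for the demo.

```python
import hashlib
import secrets

MARKER = b"0000"     # pre-arranged string; also marks a solved puzzle (assumption)
WEAK_BITS = 10       # toy puzzle strength (assumption): at most 1024 guesses each

def xor_stream(key, data):
    """Toy cipher for this demo: XOR with a SHA-256-derived pad (data <= 32 bytes)."""
    pad = hashlib.sha256(key).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def make_puzzles(count):
    """A: invent `count` session keys, each locked inside a weakly keyed puzzle."""
    keys = [secrets.token_bytes(16) for _ in range(count)]
    puzzles = []
    for k in keys:
        weak = secrets.randbelow(1 << WEAK_BITS).to_bytes(2, "big")
        puzzles.append(xor_stream(weak, MARKER + k))
    return keys, puzzles

def solve(puzzle):
    """Brute-force the weak key until the marker shows up in the plaintext."""
    for guess in range(1 << WEAK_BITS):
        plain = xor_stream(guess.to_bytes(2, "big"), puzzle)
        if plain.startswith(MARKER):
            return plain[len(MARKER):]
    raise ValueError("puzzle not solvable")

def b_respond(puzzles):
    """B: solve one random puzzle, then encrypt the pre-arranged string with its key."""
    key = solve(secrets.choice(puzzles))
    return key, xor_stream(key, MARKER)

def a_identify(keys, reply):
    """A: try every key it invented until one decrypts B's reply to the marker."""
    for k in keys:
        if xor_stream(k, reply) == MARKER:
            return k
    raise ValueError("no key matches")

if __name__ == "__main__":
    keys, puzzles = make_puzzles(200)
    key_b, reply = b_respond(puzzles)
    print("A and B agree:", a_identify(keys, reply) == key_b)
```

B pays for one puzzle while a wiretapper holding only the puzzles and the reply has to keep solving puzzles until it hits the one B picked, which is the work gap the slides rely on.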

30
Examples of Public-Key Cryptosystems
  • RSA
  • RSA (Rivest Shamir Adleman)
  • RSA is usually used to encrypt a private key and
    then send that along with a message
    encrypted by the private key.
  • It uses a variable key length (usually 512 bits)
    and a variable block size that is not greater
    than the key length.

31
Examples of Public-Key Cryptosystems
  • RSA works as follows
  • Choose two large primes (say, 256 bits each) p
    and q. These must be kept secret.
  • Compute $n = pq$. The number n is not secret. This
    system works under the assumption that factoring
    n is computationally intractable.
  • Choose e such that e is relatively prime to (has
    no common factors other than 1 with) (p-1)(q-1).
    The number e is usually chosen to be small. 3 and
    64437 are popular.
  • The public key is the pair (e, n). Note that e
    doesn't have to be secret. The private key is (d,
    n) where d is the multiplicative inverse of e mod
    (p-1)(q-1).

32
Examples of Public-Key Cryptosystems: RSA
  • To encrypt a message m, compute $m^e \bmod n$ and send
    the result as ciphertext.
  • To decrypt ciphertext c: $m = c^d \bmod n$.
  • RSA can also be used for digital signatures.
  • To sign a message m: $s = m^d \bmod n$. To check a
    signature: $m = s^e \bmod n$.
  • A lot of number theory is needed to prove that
    this technique works.
  • One necessary theorem is $m = (m^e \bmod n)^d \bmod n$.
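
Slides 31 and 32, together with the hash-then-sign idea from slide 22, as an added Python example that is not part of the original presentation. The two primes, the exponent e = 65537, the use of SHA-256 and all function names are assumptions for the demo; this is unpadded textbook RSA with a toy key size.

```python
import hashlib
from math import gcd

# Toy key built from two small known primes (constructed for this example).
P, Q = 2**61 - 1, 2**89 - 1
E = 65537                                  # public exponent assumed here

def make_keys(p=P, q=Q, e=E):
    """Return ((e, n), (d, n)) with d the inverse of e mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    return (e, n), (pow(e, -1, phi), n)

def encrypt(m, pub):
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than n")
    return pow(m, e, n)                    # c = m^e mod n

def decrypt(c, priv):
    d, n = priv
    return pow(c, d, n)                    # m = c^d mod n

def digest(message, n):
    """Hash the message and reduce it into the range the toy modulus allows."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, priv):
    d, n = priv
    return pow(digest(message, n), d, n)   # s = hash(m)^d mod n

def verify(message, s, pub):
    e, n = pub
    return pow(s, e, n) == digest(message, n)   # s^e mod n == hash(m)?

if __name__ == "__main__":
    pub, priv = make_keys()
    print("round trip:", decrypt(encrypt(42, pub), priv) == 42)
    sig = sign(b"pay Bob 10", priv)
    print("genuine:", verify(b"pay Bob 10", sig, pub))
    print("altered:", verify(b"pay Bob 1000", sig, pub))
```

Signing the digest instead of the message keeps the private-key operation to one modular exponentiation whatever the message length, and a changed message fails verification because its digest no longer matches.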

33
Examples of Public-Key Cryptosystems
  • Certification Authorities (Public Key
    Infrastructure)
  • KDC is no longer necessary
  • How can one principal learn the public key of
    another?
  • How does one principal know they have the right
    public key and haven't been spoofed by an
    intruder?
  • It turns out that some sort of server is still
    needed to certify which public keys belong to
    whom.

34
Examples of Public-Key Cryptosystems
  • A certification authority (CA) is a trusted
    server that generates certificates of the form
    $\{\text{name}, \text{public key}\}_{CA}$ where CA is the
    certification authority's signature (private) key
  • All hosts are preconfigured with the
    certification authority's public key
  • any host can check the signature on these
    certificates
  • CA is more attractive than a KDC because a CA
    doesn't need to be on-line.
  • Certificates can be stored anyplace and forwarded
    anywhere as they are needed.

35
Examples of Public-Key Cryptosystems
  • One problem is that if a principal's private key
    is compromised, then all those certificates
    (wherever they are) will cause the wrong public
    key to be used.
  • Since there isn't a single authority that
    everyone trusts, updating all those certificates
    is not feasible.
  • A solution is to require that certificates have
    expiration dates.
  • This will limit damage but not rule it out
    entirely.