CMSC 414 Computer and Network Security Lecture 7 - PowerPoint PPT Presentation

1 / 21
About This Presentation
Title:

CMSC 414 Computer and Network Security Lecture 7

Description:

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz – PowerPoint PPT presentation

Number of Views:138
Avg rating:3.0/5.0
Slides: 22
Provided by: jka58
Learn more at: http://www.cs.umd.edu
Category:

less

Transcript and Presenter's Notes

Title: CMSC 414 Computer and Network Security Lecture 7


1
CMSC 414Computer and Network SecurityLecture 7
  • Jonathan Katz

2
Review El Gamal encryption
  • (Some aspects of the actual scheme are
    simplified)
  • Key generation
  • Choose a large prime p, and an element g ? Zp
  • Choose random x ? 0, , p-2, set hgx
  • The public key is (p, g, h), and the private key
    is x
  • Encryption
  • View the message m as an element of Zp
  • Choose random r ? 0, , p-2
  • The ciphertext is (gr, hr? m)
  • To decrypt ciphertext (c1, c2) output c2/c1x
  • Correctness?

3
Security?
  • Security of El Gamal encryption is based on the
    decisional Diffie-Hellman assumption
  • Best current algorithm for the decisional
    Diffie-Hellman problem in Zp runs in time
    exp(p1/3)
  • So if p is a 1024-bit prime, best current attack
    on El Gamal encryption requires time 260
  • In other groups, the Diffie-Hellman problem is
    currently harder
  • E.g., for elliptic curve groups, best current
    algorithms require time exp(p/2)
  • Can use 120-bit primes to get 260 security

4
RSA background
  • Npq, p and q distinct, odd primes
  • ?(N) (p-1)(q-1) ZN
  • Easy to compute ?(N) given the factorization of N
  • Hard to compute ?(N) without the factorization of
    N
  • For all x ? ZN, it holds that x?(N) 1 mod N
  • If ed1 mod ?(N), then for all m

    (me)d m mod NI.e., given d, we can compute eth
    roots

5
We have an asymmetry!
  • Let e be relatively prime to ?(N)
  • Needed so that ed1 mod ?(N) has a solution
  • Given e and the factors of N, can compute d and
    hence compute eth roots
  • Without the factorization of N, no apparent way
    to compute eth roots

6
Hardness of computing eth roots?
  • The RSA problem
  • Given N, e, and c, compute c1/e mod N
  • If factoring is easy, then the RSA problem is
    easy
  • We know of no other way to solve the RSA problem
    besides factoring N
  • But we do not know how to prove that the RSA
    problem is as hard as factoring
  • The upshot we believe factoring is hard, and we
    believe the RSA problem is hard

7
How hard is factoring?
  • Best current algorithms for factoring Npq a
    product of two equal-length primes, run in time
    exp(N1/3)
  • So need N 1024 for reasonable security
  • Currently N 2048 recommended for good
    security margins

8
We have an asymmetry!
  • Given d (which can be computed from e and the
    factorization of N), possible to compute eth
    roots
  • Without the factorization of N, no apparent way
    to compute eth roots
  • Lets use this to encrypt

9
RSA key generation
  • Generate random p, q of sufficient length
  • Compute Npq and ?(N) (p-1)(q-1)
  • Compute e and d such that ed 1 mod ?(N)
  • e must be relatively prime to ?(N)
  • Typical choice e 3 other choices possible
  • Public key (N, e) private key (N, d)

10
Textbook RSA encryption
  • Public key (N, e) private key (N, d)
  • To encrypt a message m ? ZN, compute
    c me mod N
  • To decrypt a ciphertext c, compute m cd mod N
  • Correctness
  • what about security?

11
Textbook RSA is insecure!
  • It is deterministic!
  • Furthermore, it can be shown that the ciphertext
    leaks specific information about the plaintext

12
Padded RSA
  • Introduce randomization
  • Public key (N, e) private key (N, d)
  • Say N 1024 bits
  • To encrypt m ? 0,1895,
  • Choose random r ? 0,1128
  • Compute c (r m)e mod N
  • Decryption done in the natural way
  • Essentially this is standardized as PKCS 1 v1.5

13
Hybrid encryption
  • Public-key encryption is slow
  • Encrypting block-by-block would be inefficient
    for long messages
  • Hybrid encryption gives the functionality of
    public-key encryption at the (asymptotic)
    efficiency of private-key encryption!

14
Hybrid encryption
message
pk
encrypted message
ciphertext
encapsulated key
k
random!
Enc public-key encryption scheme Enc
private-key encryption scheme
15
Security
  • If public-key component and private-key component
    are secure against chosen-plaintext attacks, then
    hybrid encryption is secure against
    chosen-plaintext attacks

16
Extension
  • How should hybrid encryption be done when sending
    the same message to multiple recipients (e.g.,
    email encryption)?

17
Malleability
  • All the public-key encryption schemes we have
    seen so far are malleable
  • Given ciphertext c that encrypts (unknown)
    message m, possible to generate a ciphertext c
    that encrypts a related message m
  • In the public-key setting, security against
    chosen-ciphertext attacks implies
    non-malleability
  • In many scenarios, malleability/chosen-ciphertext
    attacks are problematic
  • E.g., auction example password example
    Bleichenbacher attack

18
Bleichenbachers attack
  • RSA PKCS 1 v1.5 is actually defined as
    c (00 02 r 0 m)e mod N
  • When decrypting, return an error if formatting is
    not obeyed
  • This enables a chosen-ciphertext attack that
    relies only on the ability to detect errors upon
    decryption

19
Bleichenbachers attack
c Encpk(m)

20
Malleability
  • All the public-key encryption schemes we have
    seen so far are malleable
  • Given a ciphertext c that encrypts an (unknown)
    message m, possible to generate a ciphertext c
    that encrypts a related message m
  • Note the problem is not integrity (there is no
    integrity in public-key encryption, anyway), but
    malleability and/or the ability to conduct a
    chosen-ciphertext attack

21
Malleability in private-key setting
  • Malleability is an issue in the private-key
    setting as well
  • Recall that CBC, OFB, CTR mode are all vulnerable
    to chosen-ciphertext attacks, and are all
    malleable
  • Authenticated encryption schemes (e.g.,
    encrypt-then-authenticate) are secure against
    chosen-ciphertext attacks (and non-malleable)
Write a Comment
User Comments (0)
About PowerShow.com