cmsc 414 computer and network security lecture 6
DESCRIPTION
CMSC 414 Computer and Network Security Lecture 6. Jonathan Katz. Administrative announcements. Midterm I March 6 GRACE accounts set up Read the essays and papers linked from the course webpage Will discuss next Tuesday and/or Thursday. Public-key cryptography. The public-key setting. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/1.jpg)
CMSC 414Computer and Network Security
Lecture 6
Jonathan Katz
![Page 2: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/2.jpg)
Administrative announcements
Midterm I– March 6
GRACE accounts set up
Read the essays and papers linked from the course webpage– Will discuss next Tuesday and/or Thursday
![Page 3: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/3.jpg)
Public-key cryptography
![Page 4: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/4.jpg)
The public-key setting A party (Alice) generates a public key along with
a matching secret key (aka private key)
The public key is widely distributed, and is assumed to be known to anyone (Bob) who wants to communicate with Alice– We will discuss later how this can be ensured
Alice’s public key is also known to the attacker!
Alice’s secret key remains secret
Bob may or may not have a public key of his own
![Page 5: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/5.jpg)
The public-key setting
c = Encpk(m)
pk
c = Encpk(m)
pk
![Page 6: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/6.jpg)
Private- vs. public-key I
Disadvantages of private-key cryptography– Need to securely share keys
• What if this is not possible?
• Need to know in advance the parties with whom you will communicate
• Can be difficult to distribute/manage keys in a large organization
– O(n2) keys needed for person-to-person communication in an n-party network
• All these keys need to be stored securely
– Inapplicable in open systems (think: e-commerce)
![Page 7: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/7.jpg)
Private- vs. public-key II
Why study private-key at all?– Private-key is orders of magnitude more efficient
– Private-key still has domains of applicability• Military settings, disk encryption, …
– Public-key crypto is “harder” to get right• Needs stronger assumptions, more math
– Can combine private-key primitives with public-key techniques to get the best of both (for encryption)
• Still need to understand the private-key setting!
– Can distribute keys using trusted entities (KDCs)
![Page 8: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/8.jpg)
Private- vs. public-key III
Public-key cryptography is not a cure-all– Still requires secure distribution of public keys
• May (sometimes) be just as hard as sharing a key
• Technically speaking, requires only an authenticated channel instead of an authenticated + private channel
– Not clear with whom you are communicating (for public-key encryption)
– Can be too inefficient for certain applications
![Page 9: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/9.jpg)
Cryptographic primitives
Private-key setting Public-key setting
ConfidentialityPrivate-key encryption
Public-key encryption
IntegrityMessage
authentication codesDigital signature
schemes
![Page 10: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/10.jpg)
Public-key encryption
![Page 11: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/11.jpg)
Functional definition
Key generation algorithm: randomized algorithm that outputs (pk, sk)
Encryption algorithm:– Takes a public key and a message (plaintext), and
outputs a ciphertext; c Epk(m)
Decryption algorithm:– Takes a private key and a ciphertext, and outputs a
message (or perhaps an error); m = Dsk(c)
Correctness: for all (pk, sk), Dsk(Epk(m)) = m
![Page 12: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/12.jpg)
Security? Just as in the case of private-key encryption, but
the attacker gets to see the public key pk
That is:– For all m0, m1, no adversary running in time T, given pk
and an encryption of m0 or m1 can determine the encrypted message with probability better than 1/2 +
Public-key encryption must be randomized (even to achieve security against ciphertext-only attacks)
Security against ciphertext-only attacks implies security against chosen-plaintext attacks
![Page 13: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/13.jpg)
El Gamal encryption
We have already (essentially) seen one encryption scheme:
p, g
hA = gx mod p
hB = gy mod p
KAB = (hB)x KBA = (hA)y
p, g, hA = gx
Receiver Sender
c = (KBA . m) mod phB, c
![Page 14: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/14.jpg)
Security
If the DDH assumption holds, the El Gamal encryption scheme is secure against chosen-plaintext attacks
![Page 15: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/15.jpg)
RSA: background
N=pq, p and q distinct, odd primes
(N) = (p-1)(q-1)– Easy to compute (N) given the factorization of N
– Hard to compute (N) without the factorization of N
Fact: for all x ZN*, it holds that x(N) = 1 mod N
– Proof: take CMSC 456!
If ed=1 mod (N), then for all x it holds that (xe)d = x mod N
![Page 16: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/16.jpg)
RSA key generation Generate random p, q of sufficient length
Compute N=pq and (N) = (p-1)(q-1)
Compute e and d such that ed = 1 mod (N) – e must be relatively prime to (N) – Typical choice: e = 3; other choices possible
Public key = (N, e); private key = (N, d)
We have an asymmetry!– Given c=xe mod N, receiver can compute x=cd mod N– No apparent way for anyone else to recover x
![Page 17: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/17.jpg)
Hardness of the RSA problem?
The RSA problem:– Compute x given N, e, and xe mod N
If factoring is easy, then the RSA problem is easy
We know of no other way to solve the RSA problem besides factoring N– But we do not know how to prove that the RSA
problem is as hard as factoring
The upshot: we believe factoring is hard, and we believe the RSA problem is hard
![Page 18: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/18.jpg)
“Textbook RSA” encryption
Public key (N, e); private key (N, d)
To encrypt a message m ZN*, compute
c = me mod N
To decrypt a ciphertext c, compute m = cd mod N
Correctness clearly holds…
…what about security?
![Page 19: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/19.jpg)
Textbook RSA is insecure!
It is deterministic!
Furthermore, it can be shown that the ciphertext leaks specific information about the plaintext
![Page 20: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/20.jpg)
Padded RSA Public key (N, e); private key (N, d)
– Say |N| = 1024 bits
To encrypt m {0,1}895, – Choose random r {0,1}128
– Compute c = (r | m)e mod N
Decryption done in the natural way…
Essentially this idea has been standardized as RSA PKCS #1 v1.5
![Page 21: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/21.jpg)
Hybrid encryption
Public-key encryption is “slow”
Encrypting “block-by-block” would be inefficient for long messages
Hybrid encryption gives the functionality of public-key encryption at the (asymptotic) efficiency of private-key encryption!
![Page 22: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/22.jpg)
Hybrid encryption
Enc’
message
Enck
pk
“encapsulated key”
“encrypted message”
ciphertext
Enc = public-key encryption schemeEnc’ = private-key encryption scheme
![Page 23: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/23.jpg)
Security
If public-key component and private-key component are secure against chosen-plaintext attacks, then hybrid encryption is secure against chosen-plaintext attacks
![Page 24: CMSC 414 Computer and Network Security Lecture 6](https://reader036.vdocuments.us/reader036/viewer/2022070404/56813be2550346895da50f78/html5/thumbnails/24.jpg)
Malleability/chosen-ciphertext security All the public-key encryption schemes we have
seen so far are malleable– Given a ciphertext c that encrypts an (unknown)
message m, may be possible to generate a ciphertext c’ that encrypts a related message m’
In many scenarios, this is problematic– E.g., auction example; password example
Note: the problem is not integrity (there is no integrity in public-key encryption, anyway), but malleability