09/08/10 1

Cryptography and Cryptography and

Network SecurityNetwork Security

Chapter 10Chapter 10

Fifth EditionFifth Edition

by William Stallingsby William Stallings

Lecture slides by Lawrie BrownLecture slides by Lawrie Brown

09/08/10 2

Chapter 10 � Chapter 10 � Other Public Key Other Public Key

CryptosystemsCryptosystems

Amongst the tribes of Central Australia every man, woman, Amongst the tribes of Central Australia every man, woman,

and child has a secret or sacred name which is bestowed and child has a secret or sacred name which is bestowed

by the older men upon him or her soon after birth, and by the older men upon him or her soon after birth, and

which is known to none but the fully initiated members of which is known to none but the fully initiated members of

the group. This secret name is never mentioned except the group. This secret name is never mentioned except

upon the most solemn occasions; to utter it in the hearing of upon the most solemn occasions; to utter it in the hearing of

men of another group would be a most serious breach of men of another group would be a most serious breach of

tribal custom. When mentioned at all, the name is spoken tribal custom. When mentioned at all, the name is spoken

only in a whisper, and not until the most elaborate only in a whisper, and not until the most elaborate

precautions have been taken that it shall be heard by no precautions have been taken that it shall be heard by no

one but members of the group. The native thinks that a one but members of the group. The native thinks that a

stranger knowing his secret name would have special stranger knowing his secret name would have special

power to work him ill by means of magic.power to work him ill by means of magic.

��The Golden Bough, The Golden Bough, Sir James George FrazerSir James George Frazer

09/08/10 3

Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange

� first public-key type scheme proposed first public-key type scheme proposed

� by Diffie & Hellman in 1976 along with the by Diffie & Hellman in 1976 along with the

exposition of public key conceptsexposition of public key concepts� note: now know that note: now know that WilliamsonWilliamson (UK CESG) (UK CESG)

secretly proposed the concept in 1970 secretly proposed the concept in 1970

� is a practical method for public exchange is a practical method for public exchange

of a secret keyof a secret key

� used in a number of commercial productsused in a number of commercial products

09/08/10 4

Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange

� a public-key distribution scheme a public-key distribution scheme � cannot be used to exchange an arbitrary message cannot be used to exchange an arbitrary message � rather it can establish a common key rather it can establish a common key � known only to the two participants known only to the two participants

� value of key depends on the participants (and value of key depends on the participants (and their private and public key information) their private and public key information)

� based on exponentiation in a finite (Galois) field based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy(modulo a prime or a polynomial) - easy

� security relies on the difficulty of computing security relies on the difficulty of computing discrete logarithms (similar to factoring) � harddiscrete logarithms (similar to factoring) � hard

09/08/10 5

Diffie-Hellman SetupDiffie-Hellman Setup

� all users agree on global parameters:all users agree on global parameters:� large prime integer or polynomial large prime integer or polynomial qq

� aa being a primitive root mod being a primitive root mod qq

� each user (eg. A) generates their keyeach user (eg. A) generates their key

� chooses a secret key (number): chooses a secret key (number): xxAA < q < q

� compute their compute their public keypublic key: : yyAA = = aaxxAA mod q mod q

� each user makes public that key each user makes public that key yyAA

09/08/10 6

Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange

� shared session key for users A & B is Kshared session key for users A & B is KABAB: :

KKABAB = = aaxxA.A.xxBB

mod q mod q

= y= yAA

xxBB mod q (which mod q (which BB can compute) can compute)

= y= yBB

xxAA mod q (which mod q (which AA can compute) can compute)

� KKABAB is used as session key in private-key is used as session key in private-key

encryption scheme between Alice and Bobencryption scheme between Alice and Bob� if Alice and Bob subsequently communicate, if Alice and Bob subsequently communicate,

they will have the they will have the samesame key as before, unless key as before, unless they choose new public-keys they choose new public-keys

� attacker needs an x, must solve discrete logattacker needs an x, must solve discrete log

09/08/10 7

Diffie-Hellman Example Diffie-Hellman Example

� users Alice & Bob who wish to swap keys:users Alice & Bob who wish to swap keys:� agree on prime agree on prime q=353q=353 and and aa=3=3� select random secret keys:select random secret keys:

� A chooses A chooses xxAA=97, =97, B chooses B chooses xxBB=233=233

� compute respective public keys:compute respective public keys:� yyAA==33

97 97

mod 353 = 40 mod 353 = 40 (Alice)(Alice)

� yyBB==33233233

mod 353 = 248 mod 353 = 248 (Bob)(Bob)

� compute shared session key as:compute shared session key as:� KKABAB= y= y

BB

xxAA mod 353 = mod 353 = 248248

9797

= 160= 160 (Alice)(Alice)

� KKABAB= y= yAA

xxBB mod 353 = mod 353 = 4040

233233

= 160 = 160 (Bob)(Bob)

09/08/10 8

Key Exchange ProtocolsKey Exchange Protocols

� users could create random private/public users could create random private/public D-H keys each time they communicateD-H keys each time they communicate

� users could create a known private/public users could create a known private/public D-H key and publish in a directory, then D-H key and publish in a directory, then consulted and used to securely consulted and used to securely communicate with themcommunicate with them

� both of these are vulnerable to a meet-in-both of these are vulnerable to a meet-in-the-Middle Attackthe-Middle Attack

� authentication of the keys is neededauthentication of the keys is needed

09/08/10 9

Man-in-the-Middle AttackMan-in-the-Middle Attack

1.1. Darth prepares by creating two private / public keys Darth prepares by creating two private / public keys

2.2. Alice transmits her public key to BobAlice transmits her public key to Bob

3.3. Darth intercepts this and transmits his first public key to Darth intercepts this and transmits his first public key to

Bob. Darth also calculates a shared key with AliceBob. Darth also calculates a shared key with Alice

4.4. Bob receives the public key and calculates the shared key Bob receives the public key and calculates the shared key

(with Darth instead of Alice) (with Darth instead of Alice)

5.5. Bob transmits his public key to Alice Bob transmits his public key to Alice

6.6. Darth intercepts this and transmits his second public key Darth intercepts this and transmits his second public key

to Alice. Darth calculates a shared key with Bobto Alice. Darth calculates a shared key with Bob

7.7. Alice receives the key and calculates the shared key (with Alice receives the key and calculates the shared key (with

Darth instead of Bob)Darth instead of Bob)

� Darth can then intercept, decrypt, re-encrypt, forward all Darth can then intercept, decrypt, re-encrypt, forward all

messages between Alice & Bobmessages between Alice & Bob

09/08/10 10

ElGamal CryptographyElGamal Cryptography

� public-key cryptosystem related to D-Hpublic-key cryptosystem related to D-H� so uses exponentiation in a finite (Galois)so uses exponentiation in a finite (Galois)� with security based difficulty of computing with security based difficulty of computing

discrete logarithms, as in D-Hdiscrete logarithms, as in D-H

� each user (eg. A) generates their keyeach user (eg. A) generates their key

� chooses a secret key (number): chooses a secret key (number): 1 < 1 < xxAA < q-1 < q-1

� compute their compute their public keypublic key: : yyAA = = aaxxAA mod q mod q

09/08/10 11

ElGamal Message ExchangeElGamal Message Exchange

� Bob encrypt a message to send to A computingBob encrypt a message to send to A computing� represent message represent message MM in range in range 0 <= M <= q-10 <= M <= q-1

� longer messages must be sent as blockslonger messages must be sent as blocks

� chose random integer chose random integer k k with with 1 <= k <= q-11 <= k <= q-1

� compute one-time key compute one-time key K = yK = yAA

kk

mod q mod q

� encrypt M as a pair of integers encrypt M as a pair of integers (C(C11,C,C22) ) wherewhere

� CC1 1 = = aakk

mod q ; mod q ; CC22 = KM mod q = KM mod q

� A then recovers message byA then recovers message by� recovering key K as recovering key K as K = K = CC11

xxAA mod q mod q

� computing M as computing M as M = CM = C22 K K

-1-1 mod q mod q

� a unique k must be used each timea unique k must be used each time� otherwise result is insecureotherwise result is insecure

09/08/10 12

ElGamal Example ElGamal Example � use field GF(19) use field GF(19) q=19 q=19 and and aa=10=10

� Alice computes her key:Alice computes her key:� A chooses A chooses xxAA=5 & =5 & computes computes yyAA==1010

5 5

mod 19 = 3mod 19 = 3

� Bob send message Bob send message m=17m=17 as as (11,5) (11,5) byby� chosing random chosing random k=6k=6

� computing computing K = yK = yAA

kk

mod q = 3 mod q = 366

mod 19 = 7 mod 19 = 7

� computing computing CC1 1 = = aakk

mod q = 10 mod q = 1066

mod 19 = 11; mod 19 = 11;

CC22 = KM mod q = 7.17 mod 19 = 5 = KM mod q = 7.17 mod 19 = 5

� Alice recovers original message by computing:Alice recovers original message by computing:� recover recover K = K = CC11

xxAA mod q = mod q = 11115 5

mod 19 = 7mod 19 = 7

� compute inverse compute inverse KK-1-1 = 7 = 7-1-1 = 11 = 11

� recover recover M = CM = C22 K K

-1-1 mod q = 5.11 mod 19 = 17 mod q = 5.11 mod 19 = 17

09/08/10 13

Elliptic Curve CryptographyElliptic Curve Cryptography

� majority of public-key crypto (RSA, D-H) majority of public-key crypto (RSA, D-H)

use either integer or polynomial arithmetic use either integer or polynomial arithmetic

with very large numbers/polynomialswith very large numbers/polynomials

� imposes a significant load in storing and imposes a significant load in storing and

processing keys and messagesprocessing keys and messages

� an alternative is to use elliptic curvesan alternative is to use elliptic curves

� offers same security with smaller bit sizesoffers same security with smaller bit sizes

� newer, but not as well analysednewer, but not as well analysed

09/08/10 14

Real Elliptic CurvesReal Elliptic Curves� an an elliptic curve is defined by an elliptic curve is defined by an

equation in two variables x & y, with equation in two variables x & y, with coefficientscoefficients

� consider a cubic elliptic curve of formconsider a cubic elliptic curve of form� yy22 = = xx33 + + ax ax + + bb� where x,y,a,b are all real numberswhere x,y,a,b are all real numbers� also define zero point Oalso define zero point O

� consider set of points E(a,b) that satisfyconsider set of points E(a,b) that satisfy� have addition operation for elliptic curvehave addition operation for elliptic curve

� geometrically sum of P+Q is reflection of geometrically sum of P+Q is reflection of the intersection Rthe intersection R

09/08/10 16

Finite Elliptic CurvesFinite Elliptic Curves

� Elliptic curve cryptography uses curves Elliptic curve cryptography uses curves

whose variables & coefficients are finitewhose variables & coefficients are finite

� have two families commonly used:have two families commonly used:

� prime curves prime curves EEpp(a,b)(a,b) defined over Z defined over Zpp

� use integers modulo a primeuse integers modulo a prime

� best in softwarebest in software

� binary curves binary curves EE22mm(a,b)(a,b) defined over GF(2 defined over GF(2nn))

� use polynomials with binary coefficientsuse polynomials with binary coefficients

� best in hardwarebest in hardware

09/08/10 17

Elliptic Curve CryptographyElliptic Curve Cryptography

� ECC addition is analog of modulo multiplyECC addition is analog of modulo multiply� ECC repeated addition is analog of ECC repeated addition is analog of

modulo exponentiationmodulo exponentiation� need �hard� problem equiv to discrete logneed �hard� problem equiv to discrete log

� Q=kPQ=kP, where Q,P belong to a prime curve, where Q,P belong to a prime curve� is �easy� to compute Q given k,Pis �easy� to compute Q given k,P� but �hard� to find k given Q,Pbut �hard� to find k given Q,P� known as the elliptic curve logarithm problemknown as the elliptic curve logarithm problem

� Certicom example: Certicom example: EE2323(9,17)(9,17)

09/08/10 18

ECC Diffie-HellmanECC Diffie-Hellman

� can do key exchange analogous to D-Hcan do key exchange analogous to D-H� users select a suitable curve users select a suitable curve EEqq(a,b)(a,b)

� select base point select base point G=(xG=(x11,y,y11))

� with large order with large order nn s.t. s.t. nG=OnG=O

� A & B select private keys A & B select private keys nnAA<n, n<n, nBB<n<n

� compute public keys: compute public keys: PPAA=n=nAAG, G, PPBB=n=nBBGG

� compute shared key: compute shared key: KK=n=nAAPPBB,, KK=n=nBBPPAA

� same since same since KK=n=nAAnnBBGG

� attacker would need to find attacker would need to find kk, hard, hard

09/08/10 19

ECC Encryption/DecryptionECC Encryption/Decryption

� several alternatives, will consider simplestseveral alternatives, will consider simplest

� must first encode any message M as a point on must first encode any message M as a point on

the elliptic curve Pthe elliptic curve Pmm

� select suitable curve & point G as in D-Hselect suitable curve & point G as in D-H

� each user chooses private key each user chooses private key nnAA<n<n

� and computes public key and computes public key PPAA=n=nAAGG

� to encrypt Pto encrypt Pmm : : CCmm={kG, P={kG, Pmm+kP+kP

bb}}, , kk random random

� decrypt Cdecrypt Cmm compute: compute:

PPmm++kkPPbb��nnBB((kGkG) = ) = PPmm++kk((nnBBGG)�)�nnBB((kGkG) = ) = PPmm

09/08/10 20

ECC SecurityECC Security

� relies on elliptic curve logarithm problemrelies on elliptic curve logarithm problem

� fastest method is �Pollard rho method�fastest method is �Pollard rho method�

� compared to factoring, can use much compared to factoring, can use much

smaller key sizes than with RSA etcsmaller key sizes than with RSA etc

� for equivalent key lengths computations for equivalent key lengths computations

are roughly equivalentare roughly equivalent

� hence for similar security ECC offers hence for similar security ECC offers

significant computational advantagessignificant computational advantages

09/08/10 21

Comparable Key Sizes for Comparable Key Sizes for

Equivalent SecurityEquivalent SecuritySymmetric

scheme

(key size in bits)

ECC-based

scheme

(size of n in bits)

RSA/DSA

(modulus size in

bits)

56 112 512

80 160 1024

112 224 2048

128 256 3072

192 384 7680

256 512 15360

09/08/10 22

Pseudorandom Number Pseudorandom Number

Generation (PRNG) based on Generation (PRNG) based on

Asymmetric CiphersAsymmetric Ciphers� asymmetric encryption algorithm produce asymmetric encryption algorithm produce

apparently random output apparently random output

� hence can be used to build a hence can be used to build a

pseudorandom number generator pseudorandom number generator

(PRNG)(PRNG)

� much slower than symmetric algorithmsmuch slower than symmetric algorithms

� hence only use to generate a short hence only use to generate a short

pseudorandom bit sequence (eg. key)pseudorandom bit sequence (eg. key)

09/08/10 24

PRNG based on ECCPRNG based on ECC

� dual elliptic curve PRNGdual elliptic curve PRNG� NIST SP 800-9, ANSI X9.82 and ISO 18031NIST SP 800-9, ANSI X9.82 and ISO 18031

� some controversy on security /inefficiencysome controversy on security /inefficiency

� algorithmalgorithmfor i = 1 to k do for i = 1 to k do

set sset sii = x(s = x(s

i-1 i-1 P ) P )

set rset rii = lsb = lsb

240240 (x(s (x(sii Q)) Q))

end for end for

return rreturn r11 , . . . , r , . . . , r

kk

� only use if just have ECConly use if just have ECC

09/08/10 25

SummarySummary

� have considered:have considered:� Diffie-Hellman key exchangeDiffie-Hellman key exchange

� ElGamal cryptographyElGamal cryptography

� Elliptic Curve cryptographyElliptic Curve cryptography

� Pseudorandom Number Generation (PRNG) Pseudorandom Number Generation (PRNG)

based on Asymmetric Ciphers (RSA & ECC)based on Asymmetric Ciphers (RSA & ECC)