cryptography and network security chapter 10 · 09/08/10 1 cryptography and network security...
TRANSCRIPT
09/08/10 1
Cryptography and Cryptography and
Network SecurityNetwork Security
Chapter 10Chapter 10
Fifth EditionFifth Edition
by William Stallingsby William Stallings
Lecture slides by Lawrie BrownLecture slides by Lawrie Brown
09/08/10 2
Chapter 10 � Chapter 10 � Other Public Key Other Public Key
CryptosystemsCryptosystems
Amongst the tribes of Central Australia every man, woman, Amongst the tribes of Central Australia every man, woman,
and child has a secret or sacred name which is bestowed and child has a secret or sacred name which is bestowed
by the older men upon him or her soon after birth, and by the older men upon him or her soon after birth, and
which is known to none but the fully initiated members of which is known to none but the fully initiated members of
the group. This secret name is never mentioned except the group. This secret name is never mentioned except
upon the most solemn occasions; to utter it in the hearing of upon the most solemn occasions; to utter it in the hearing of
men of another group would be a most serious breach of men of another group would be a most serious breach of
tribal custom. When mentioned at all, the name is spoken tribal custom. When mentioned at all, the name is spoken
only in a whisper, and not until the most elaborate only in a whisper, and not until the most elaborate
precautions have been taken that it shall be heard by no precautions have been taken that it shall be heard by no
one but members of the group. The native thinks that a one but members of the group. The native thinks that a
stranger knowing his secret name would have special stranger knowing his secret name would have special
power to work him ill by means of magic.power to work him ill by means of magic.
��The Golden Bough, The Golden Bough, Sir James George FrazerSir James George Frazer
09/08/10 3
Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange
� first public-key type scheme proposed first public-key type scheme proposed
� by Diffie & Hellman in 1976 along with the by Diffie & Hellman in 1976 along with the
exposition of public key conceptsexposition of public key concepts� note: now know that note: now know that WilliamsonWilliamson (UK CESG) (UK CESG)
secretly proposed the concept in 1970 secretly proposed the concept in 1970
� is a practical method for public exchange is a practical method for public exchange
of a secret keyof a secret key
� used in a number of commercial productsused in a number of commercial products
09/08/10 4
Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange
� a public-key distribution scheme a public-key distribution scheme � cannot be used to exchange an arbitrary message cannot be used to exchange an arbitrary message � rather it can establish a common key rather it can establish a common key � known only to the two participants known only to the two participants
� value of key depends on the participants (and value of key depends on the participants (and their private and public key information) their private and public key information)
� based on exponentiation in a finite (Galois) field based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy(modulo a prime or a polynomial) - easy
� security relies on the difficulty of computing security relies on the difficulty of computing discrete logarithms (similar to factoring) � harddiscrete logarithms (similar to factoring) � hard
09/08/10 5
Diffie-Hellman SetupDiffie-Hellman Setup
� all users agree on global parameters:all users agree on global parameters:� large prime integer or polynomial large prime integer or polynomial qq
� aa being a primitive root mod being a primitive root mod qq
� each user (eg. A) generates their keyeach user (eg. A) generates their key
� chooses a secret key (number): chooses a secret key (number): xxAA < q < q
� compute their compute their public keypublic key: : yyAA = = aaxxAA mod q mod q
� each user makes public that key each user makes public that key yyAA
09/08/10 6
Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange
� shared session key for users A & B is Kshared session key for users A & B is KABAB: :
KKABAB = = aaxxA.A.xxBB
mod q mod q
= y= yAA
xxBB mod q (which mod q (which BB can compute) can compute)
= y= yBB
xxAA mod q (which mod q (which AA can compute) can compute)
� KKABAB is used as session key in private-key is used as session key in private-key
encryption scheme between Alice and Bobencryption scheme between Alice and Bob� if Alice and Bob subsequently communicate, if Alice and Bob subsequently communicate,
they will have the they will have the samesame key as before, unless key as before, unless they choose new public-keys they choose new public-keys
� attacker needs an x, must solve discrete logattacker needs an x, must solve discrete log
09/08/10 7
Diffie-Hellman Example Diffie-Hellman Example
� users Alice & Bob who wish to swap keys:users Alice & Bob who wish to swap keys:� agree on prime agree on prime q=353q=353 and and aa=3=3� select random secret keys:select random secret keys:
� A chooses A chooses xxAA=97, =97, B chooses B chooses xxBB=233=233
� compute respective public keys:compute respective public keys:� yyAA==33
97 97
mod 353 = 40 mod 353 = 40 (Alice)(Alice)
� yyBB==33233233
mod 353 = 248 mod 353 = 248 (Bob)(Bob)
� compute shared session key as:compute shared session key as:� KKABAB= y= y
BB
xxAA mod 353 = mod 353 = 248248
9797
= 160= 160 (Alice)(Alice)
� KKABAB= y= yAA
xxBB mod 353 = mod 353 = 4040
233233
= 160 = 160 (Bob)(Bob)
09/08/10 8
Key Exchange ProtocolsKey Exchange Protocols
� users could create random private/public users could create random private/public D-H keys each time they communicateD-H keys each time they communicate
� users could create a known private/public users could create a known private/public D-H key and publish in a directory, then D-H key and publish in a directory, then consulted and used to securely consulted and used to securely communicate with themcommunicate with them
� both of these are vulnerable to a meet-in-both of these are vulnerable to a meet-in-the-Middle Attackthe-Middle Attack
� authentication of the keys is neededauthentication of the keys is needed
09/08/10 9
Man-in-the-Middle AttackMan-in-the-Middle Attack
1.1. Darth prepares by creating two private / public keys Darth prepares by creating two private / public keys
2.2. Alice transmits her public key to BobAlice transmits her public key to Bob
3.3. Darth intercepts this and transmits his first public key to Darth intercepts this and transmits his first public key to
Bob. Darth also calculates a shared key with AliceBob. Darth also calculates a shared key with Alice
4.4. Bob receives the public key and calculates the shared key Bob receives the public key and calculates the shared key
(with Darth instead of Alice) (with Darth instead of Alice)
5.5. Bob transmits his public key to Alice Bob transmits his public key to Alice
6.6. Darth intercepts this and transmits his second public key Darth intercepts this and transmits his second public key
to Alice. Darth calculates a shared key with Bobto Alice. Darth calculates a shared key with Bob
7.7. Alice receives the key and calculates the shared key (with Alice receives the key and calculates the shared key (with
Darth instead of Bob)Darth instead of Bob)
� Darth can then intercept, decrypt, re-encrypt, forward all Darth can then intercept, decrypt, re-encrypt, forward all
messages between Alice & Bobmessages between Alice & Bob
09/08/10 10
ElGamal CryptographyElGamal Cryptography
� public-key cryptosystem related to D-Hpublic-key cryptosystem related to D-H� so uses exponentiation in a finite (Galois)so uses exponentiation in a finite (Galois)� with security based difficulty of computing with security based difficulty of computing
discrete logarithms, as in D-Hdiscrete logarithms, as in D-H
� each user (eg. A) generates their keyeach user (eg. A) generates their key
� chooses a secret key (number): chooses a secret key (number): 1 < 1 < xxAA < q-1 < q-1
� compute their compute their public keypublic key: : yyAA = = aaxxAA mod q mod q
09/08/10 11
ElGamal Message ExchangeElGamal Message Exchange
� Bob encrypt a message to send to A computingBob encrypt a message to send to A computing� represent message represent message MM in range in range 0 <= M <= q-10 <= M <= q-1
� longer messages must be sent as blockslonger messages must be sent as blocks
� chose random integer chose random integer k k with with 1 <= k <= q-11 <= k <= q-1
� compute one-time key compute one-time key K = yK = yAA
kk
mod q mod q
� encrypt M as a pair of integers encrypt M as a pair of integers (C(C11,C,C22) ) wherewhere
� CC1 1 = = aakk
mod q ; mod q ; CC22 = KM mod q = KM mod q
� A then recovers message byA then recovers message by� recovering key K as recovering key K as K = K = CC11
xxAA mod q mod q
� computing M as computing M as M = CM = C22 K K
-1-1 mod q mod q
� a unique k must be used each timea unique k must be used each time� otherwise result is insecureotherwise result is insecure
09/08/10 12
ElGamal Example ElGamal Example � use field GF(19) use field GF(19) q=19 q=19 and and aa=10=10
� Alice computes her key:Alice computes her key:� A chooses A chooses xxAA=5 & =5 & computes computes yyAA==1010
5 5
mod 19 = 3mod 19 = 3
� Bob send message Bob send message m=17m=17 as as (11,5) (11,5) byby� chosing random chosing random k=6k=6
� computing computing K = yK = yAA
kk
mod q = 3 mod q = 366
mod 19 = 7 mod 19 = 7
� computing computing CC1 1 = = aakk
mod q = 10 mod q = 1066
mod 19 = 11; mod 19 = 11;
CC22 = KM mod q = 7.17 mod 19 = 5 = KM mod q = 7.17 mod 19 = 5
� Alice recovers original message by computing:Alice recovers original message by computing:� recover recover K = K = CC11
xxAA mod q = mod q = 11115 5
mod 19 = 7mod 19 = 7
� compute inverse compute inverse KK-1-1 = 7 = 7-1-1 = 11 = 11
� recover recover M = CM = C22 K K
-1-1 mod q = 5.11 mod 19 = 17 mod q = 5.11 mod 19 = 17
09/08/10 13
Elliptic Curve CryptographyElliptic Curve Cryptography
� majority of public-key crypto (RSA, D-H) majority of public-key crypto (RSA, D-H)
use either integer or polynomial arithmetic use either integer or polynomial arithmetic
with very large numbers/polynomialswith very large numbers/polynomials
� imposes a significant load in storing and imposes a significant load in storing and
processing keys and messagesprocessing keys and messages
� an alternative is to use elliptic curvesan alternative is to use elliptic curves
� offers same security with smaller bit sizesoffers same security with smaller bit sizes
� newer, but not as well analysednewer, but not as well analysed
09/08/10 14
Real Elliptic CurvesReal Elliptic Curves� an an elliptic curve is defined by an elliptic curve is defined by an
equation in two variables x & y, with equation in two variables x & y, with coefficientscoefficients
� consider a cubic elliptic curve of formconsider a cubic elliptic curve of form� yy22 = = xx33 + + ax ax + + bb� where x,y,a,b are all real numberswhere x,y,a,b are all real numbers� also define zero point Oalso define zero point O
� consider set of points E(a,b) that satisfyconsider set of points E(a,b) that satisfy� have addition operation for elliptic curvehave addition operation for elliptic curve
� geometrically sum of P+Q is reflection of geometrically sum of P+Q is reflection of the intersection Rthe intersection R
09/08/10 16
Finite Elliptic CurvesFinite Elliptic Curves
� Elliptic curve cryptography uses curves Elliptic curve cryptography uses curves
whose variables & coefficients are finitewhose variables & coefficients are finite
� have two families commonly used:have two families commonly used:
� prime curves prime curves EEpp(a,b)(a,b) defined over Z defined over Zpp
� use integers modulo a primeuse integers modulo a prime
� best in softwarebest in software
� binary curves binary curves EE22mm(a,b)(a,b) defined over GF(2 defined over GF(2nn))
� use polynomials with binary coefficientsuse polynomials with binary coefficients
� best in hardwarebest in hardware
09/08/10 17
Elliptic Curve CryptographyElliptic Curve Cryptography
� ECC addition is analog of modulo multiplyECC addition is analog of modulo multiply� ECC repeated addition is analog of ECC repeated addition is analog of
modulo exponentiationmodulo exponentiation� need �hard� problem equiv to discrete logneed �hard� problem equiv to discrete log
� Q=kPQ=kP, where Q,P belong to a prime curve, where Q,P belong to a prime curve� is �easy� to compute Q given k,Pis �easy� to compute Q given k,P� but �hard� to find k given Q,Pbut �hard� to find k given Q,P� known as the elliptic curve logarithm problemknown as the elliptic curve logarithm problem
� Certicom example: Certicom example: EE2323(9,17)(9,17)
09/08/10 18
ECC Diffie-HellmanECC Diffie-Hellman
� can do key exchange analogous to D-Hcan do key exchange analogous to D-H� users select a suitable curve users select a suitable curve EEqq(a,b)(a,b)
� select base point select base point G=(xG=(x11,y,y11))
� with large order with large order nn s.t. s.t. nG=OnG=O
� A & B select private keys A & B select private keys nnAA<n, n<n, nBB<n<n
� compute public keys: compute public keys: PPAA=n=nAAG, G, PPBB=n=nBBGG
� compute shared key: compute shared key: KK=n=nAAPPBB,, KK=n=nBBPPAA
� same since same since KK=n=nAAnnBBGG
� attacker would need to find attacker would need to find kk, hard, hard
09/08/10 19
ECC Encryption/DecryptionECC Encryption/Decryption
� several alternatives, will consider simplestseveral alternatives, will consider simplest
� must first encode any message M as a point on must first encode any message M as a point on
the elliptic curve Pthe elliptic curve Pmm
� select suitable curve & point G as in D-Hselect suitable curve & point G as in D-H
� each user chooses private key each user chooses private key nnAA<n<n
� and computes public key and computes public key PPAA=n=nAAGG
� to encrypt Pto encrypt Pmm : : CCmm={kG, P={kG, Pmm+kP+kP
bb}}, , kk random random
� decrypt Cdecrypt Cmm compute: compute:
PPmm++kkPPbb��nnBB((kGkG) = ) = PPmm++kk((nnBBGG)�)�nnBB((kGkG) = ) = PPmm
09/08/10 20
ECC SecurityECC Security
� relies on elliptic curve logarithm problemrelies on elliptic curve logarithm problem
� fastest method is �Pollard rho method�fastest method is �Pollard rho method�
� compared to factoring, can use much compared to factoring, can use much
smaller key sizes than with RSA etcsmaller key sizes than with RSA etc
� for equivalent key lengths computations for equivalent key lengths computations
are roughly equivalentare roughly equivalent
� hence for similar security ECC offers hence for similar security ECC offers
significant computational advantagessignificant computational advantages
09/08/10 21
Comparable Key Sizes for Comparable Key Sizes for
Equivalent SecurityEquivalent SecuritySymmetric
scheme
(key size in bits)
ECC-based
scheme
(size of n in bits)
RSA/DSA
(modulus size in
bits)
56 112 512
80 160 1024
112 224 2048
128 256 3072
192 384 7680
256 512 15360
09/08/10 22
Pseudorandom Number Pseudorandom Number
Generation (PRNG) based on Generation (PRNG) based on
Asymmetric CiphersAsymmetric Ciphers� asymmetric encryption algorithm produce asymmetric encryption algorithm produce
apparently random output apparently random output
� hence can be used to build a hence can be used to build a
pseudorandom number generator pseudorandom number generator
(PRNG)(PRNG)
� much slower than symmetric algorithmsmuch slower than symmetric algorithms
� hence only use to generate a short hence only use to generate a short
pseudorandom bit sequence (eg. key)pseudorandom bit sequence (eg. key)
09/08/10 24
PRNG based on ECCPRNG based on ECC
� dual elliptic curve PRNGdual elliptic curve PRNG� NIST SP 800-9, ANSI X9.82 and ISO 18031NIST SP 800-9, ANSI X9.82 and ISO 18031
� some controversy on security /inefficiencysome controversy on security /inefficiency
� algorithmalgorithmfor i = 1 to k do for i = 1 to k do
set sset sii = x(s = x(s
i-1 i-1 P ) P )
set rset rii = lsb = lsb
240240 (x(s (x(sii Q)) Q))
end for end for
return rreturn r11 , . . . , r , . . . , r
kk
� only use if just have ECConly use if just have ECC
09/08/10 25
SummarySummary
� have considered:have considered:� Diffie-Hellman key exchangeDiffie-Hellman key exchange
� ElGamal cryptographyElGamal cryptography
� Elliptic Curve cryptographyElliptic Curve cryptography
� Pseudorandom Number Generation (PRNG) Pseudorandom Number Generation (PRNG)
based on Asymmetric Ciphers (RSA & ECC)based on Asymmetric Ciphers (RSA & ECC)