Public Key Encryption
Terminology RSA Hash functions
CSCE 522 - Farkas
Lecture 6
Reading Assignment
Reading assignments for current lecture:
Required: Pfleeger: 2.7, …, 2.12
Recommended: Tom Simonite, MIT Technology Review: NSA Leak Leaves Crypto-math Intact but Highlights Known Workarounds, http://www.dfinews.com/news/2013/09/nsa-leak-leaves-crypto-math-intact-highlights-known-workarounds#.UjdU8X-d6So
Summary of Secret Key Encryption
• Basic methods:
  • Substitution
  • Transposition
• Security: secrecy of the secret key
Compare DES and AES
                     DES                          AES
Date                 1976                         1999
Block size           64 bits                      128 bits
Key length           56 bits                      128, 192, 256 bits
Encryption           Substitution, permutation    Substitution, shift, mixing
Cryptography         Confusion, diffusion         Confusion, diffusion
Design               Open                         Open
Design rationale     Closed                       Open
Selection process    Secret                       Secret with public comments
Source               IBM, enhanced by NSA         Independent Belgian cryptographers (Daemen and Rijmen)
Weakness of Secret Key Encryption
• Secrecy of key
  • How to distribute the keys securely?
• Large number of keys
  • N(N-1) / 2 keys for N parties
• Other issues: no support for
  • Third party verification
  • Non-repudiation
Can we provide other methods for confidentiality?
Public-Key Encryption
Two keys: one is private, one is public
Solves the key distribution problem (but a reliable channel is still needed to distribute the public key)
Provides electronic signatures
Slower than secret-key encryption
Public-Key Encryption
Needed for security:
One of the keys must be kept secret
Impossible (at least impractical) to decipher a message if no other information is available
Knowledge of the algorithm, one of the keys, and samples of ciphertext must be insufficient to determine the other key
Confidentiality (figure)
Sender A runs the encryption algorithm on the plaintext with B's public key; the ciphertext crosses the insecure channel; recipient B runs the decryption algorithm with B's private key to recover the plaintext. A must obtain B's public key over a reliable channel.
Public Key Cryptosystem
Concept conceived by Diffie and Hellman in 1976
Rivest, Shamir, and Adleman (RSA) describe a public key system in 1978
Many proposals have been broken, e.g., the Merkle-Hellman proposal was broken by Shamir
Serious candidates (public domain): RSA, El Gamal
RSA
Notation
C = E(KE-B, M)
M = D(KD-B, C)
KE-B: public key of B
KD-B: private key of B
E: encryption alg.
D: decryption alg.
M: plaintext
C: ciphertext
RSA
Both sender and receiver know n
Sender knows e
Only receiver knows d
Modulus: remainder after division, i.e., if a mod n = b then a = c*n + b for some integer c
Need: find values e, d, n such that
  Easy to calculate M^e mod n and C^d mod n for all M < n
  Infeasible to determine d given (n, e)
  M^(e*d) mod n = M mod n
RSA
Public key: (n, e)
Private key: (n, d)
n is a 200 digit number (the size quoted on the slide; current guidance is a modulus of at least 2048 bits, roughly 617 decimal digits)
C = M^e mod n
M = C^d mod n
RSA Keys
Generation of public and private keys
Choose 2 large (100 digit) prime numbers p and q
Compute n = p*q
Choose e > 1 relatively prime to φ(n) = (p-1)*(q-1)
Compute d such that e*d = 1 mod (p-1)*(q-1)
Publish (n, e)
Secret: (n, d), p, q (p and q must stay secret or be destroyed; anyone who learns them can compute d)
RSA Keys Example 1.
Choose 2 "large" prime numbers: p = 7, q = 17
Compute n = p*q = 7*17 = 119
Choose e relatively prime to (p-1)*(q-1) = 6*16 = 96: e = 5
Compute d = 5^(-1) mod 96 = 77 (check: 5*77 = 385 = 4*96 + 1)
Publish (5, 119)
Keep (77, 119), 7, 17
RSA Key Example 1
Let M = 19
Encrypt: 19^5 mod 119 = 2,476,099 mod 119 = 66
Decrypt: 66^77 mod 119 = 19
RSA Keys
Compute d such that e*d = 1 mod (p-1)*(q-1)
If the factorization of n into p*q is known: easy
Otherwise: hard
How hard is it to compute d given (n, e)? Don't know, BUT not harder than factoring n into p*q
Security of RSA is no better than the complexity of the factorization problem
Digital Signatures in RSA
RSA property: encryption and decryption are commutative
Encryption followed by decryption yields the original message: (M^e mod n)^d mod n = M
Decryption followed by encryption yields the original message: (M^d mod n)^e mod n = M
This holds because M^(e*d) = M^(d*e) mod n, so the order of the two exponentiations does not matter; more generally, cryptosystems whose encryption is a permutation of the message space onto itself (message length is preserved) have this property
Digital Signatures in RSA (figure)
Sign: A applies the decryption algorithm to the plaintext with A's private key, producing the signed plaintext, which crosses the insecure channel.
Verify: B applies the encryption algorithm to the signed plaintext with A's public key and recovers the plaintext. B must obtain A's public key over a reliable channel.
Signature and Encryption (figure)
A: D with A's private key turns the plaintext into the signed plaintext; E with B's public key turns that into the encrypted signed plaintext, which is sent to B.
B: D with B's private key recovers the signed plaintext; E with A's public key recovers the plaintext and thereby verifies the signature.
Signature and Encryption
We could do the encryption first, followed by the signature.
Advantage of signature first: parties other than B can verify the signature (B decrypts and can hand the signed plaintext to anyone, who verifies it with A's public key)
DES (a secret-key cipher) can be used for the encryption step, since it is much faster than RSA
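The following walk-through is an added example, not code from the original slides. It ties together the RSA Keys recipe, Example 1 (p = 7, q = 17, e = 5, M = 19), the commutativity behind RSA signatures, the sign-then-encrypt arrangement above, and the remark that computing d is no harder than factoring n. Assumptions: messages are integers below the modulus, and a second toy key pair (p = 11, q = 13, e = 7) is invented for party B so that A's signed value still fits under B's larger modulus. The helper and variable names are mine.

```python
"""Toy RSA walk-through with the lecture's Example 1 parameters (p=7, q=17).

Added example, not code from the original slides. The numbers are far too
small for real use; they only make every intermediate value checkable by hand.
"""
from math import gcd


def rsa_keygen(p: int, q: int, e: int):
    """Return ((n, e), (n, d)) following the slide recipe.

    n = p*q, phi(n) = (p-1)*(q-1), e must be coprime to phi(n),
    d = e^-1 mod phi(n) so that e*d = 1 (mod phi(n)).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python >= 3.8)
    return (n, e), (n, d)


def encrypt(pub, m):
    n, e = pub
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)          # C = M^e mod n


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)          # M = C^d mod n


def sign(priv, m):
    """'Decrypt' with the private key: S = M^d mod n (textbook RSA, no hash or padding)."""
    n, d = priv
    return pow(m, d, n)


def verify(pub, m, s):
    """Encryption undoes signing because the operations commute: (M^d)^e = M mod n."""
    n, e = pub
    return pow(s, e, n) == m


def recover_private_exponent(pub):
    """Why RSA is no harder than factoring: factor n (trial division, toy sizes
    only), rebuild phi(n), and the private exponent d follows immediately."""
    n, e = pub
    p = next(f for f in range(2, n) if n % f == 0)
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def sign_then_encrypt(a_priv, b_pub, m):
    """Slide 'Signature and Encryption': A signs with its private key, then
    encrypts the signed value with B's public key. Requires n_A < n_B so the
    signed value still fits as a 'message' under B's modulus."""
    s = sign(a_priv, m)
    return encrypt(b_pub, s)


def decrypt_then_verify(b_priv, a_pub, m, c):
    """B's side: decrypt with B's private key, then verify with A's public key."""
    s = decrypt(b_priv, c)
    return verify(a_pub, m, s)


if __name__ == "__main__":
    a_pub, a_priv = rsa_keygen(7, 17, 5)      # (119, 5), (119, 77) as in Example 1
    c = encrypt(a_pub, 19)                    # 66
    print("A keys:", a_pub, a_priv, "C =", c, "M =", decrypt(a_priv, c))
    print("d recovered by factoring n:", recover_private_exponent(a_pub))
    b_pub, b_priv = rsa_keygen(11, 13, 7)     # constructed second key pair for B
    c2 = sign_then_encrypt(a_priv, b_pub, 19)
    print("sign-then-encrypt verifies:", decrypt_then_verify(b_priv, a_pub, 19, c2))
```

Two caveats a practitioner should keep in mind: `recover_private_exponent` only works here because 119 factors by trial division in microseconds, which is exactly the gap between this toy and a 2048-bit modulus; and textbook RSA signatures as written (no hash, no padding) are malleable, so real systems sign a hash of the message under a padding scheme such as RSA-PSS and encrypt under OAEP.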
Non-repudiation
Requires a notarized signature, involving a third party
Large system: hierarchies of notarization
Hash Functions
Lecture 8-9
Hash Functions
Hash function h maps an input x of arbitrary length to a fixed length output h(x) (compression)
Accidental or intentional change to the data will change the hash value (for a good hash, except with negligible probability)
Given h and x, h(x) is easy to compute (ease of computation)
Good Hash Function
1. It is easy to compute the hash value for any given message
2. It is infeasible to find a message that has a given hash (one-way property)
3. It is infeasible to modify a message without changing its hash
4. It is infeasible to find two different messages with the same hash (collision-free property)
Hash functions
Preimage resistant (one-way): for all specified outputs, it is computationally infeasible to find any input that hashes to that output
Second-preimage resistant (weak collision resistant): it is computationally infeasible to find any second input which has the same output as any specified input
Collision resistant (strong collision resistant): it is computationally infeasible to find any two distinct inputs that have the same output
Use of Hash function
• Message integrity
• Message authentication (hash is signed)
• Protect password files
• Support for intrusion detection
• Support for virus detection
Hash Algorithms
Input of arbitrary length
Output size
Block size
Rounds
Bitwise operations: and, or, xor, not
SHA Security (status as of these slides)
SHA-1: in 2005 security flaws were identified; a possible mathematical weakness might exist (a practical collision was later published in 2017, so SHA-1 should not be used for signatures or certificates)
SHA-2: no attacks have yet been reported; SHA-2 variants are algorithmically similar to SHA-1 and so efforts are underway to develop improved alternatives
SHA-3: new hash standard is currently under development (Keccak was selected in 2012 and published as FIPS 202 in 2015)
SHA-2 Family
2001: first published in the draft FIPS PUB 180-2
2002, 2004: FIPS PUB 180-2 modified
SHA-224, SHA-256, SHA-384, and SHA-512
MD5 vs. SHA (SHA-1)
Very similar
Security: SHA's digest is 32 bits longer; absent algorithm flaws, SHA is more secure (both now have practical collision attacks, so neither is acceptable where collision resistance matters)
Speed: SHA has more steps and produces a 160-bit buffer, so SHA is slower
Simplicity and compactness: MD5 has more internal steps with varying buffer modification, so SHA is simpler
Attacks
First preimage attack: given a hash h, find a message m such that hash(m) = h
Second preimage attack: given a fixed message m1, find a different message m2 such that hash(m2) = hash(m1)
Attack complexity: 2^n (considered too high for a typical output size of n = 160 bits)
Practical attacks: collision attack
Collision Attack
Cryptographic attack based on probability theory (the birthday paradox)
Given a function f, the goal of the attack is to find two different inputs x1, x2 such that f(x1) = f(x2) (complexity is 2^(n/2))
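To make the 2^n versus 2^(n/2) cost difference from the two slides above concrete, here is an added example (not part of the original slides) that runs all three attacks against SHA-256 truncated to n bits. Truncating to n = 16 bits is my assumption so that each search finishes in well under a second; the sample message and the candidate-naming scheme are constructed for the demo. The attempt counts come back as return values so they can be compared.

```python
"""Brute-force cost of preimage, second-preimage and collision attacks on a
truncated hash.

Added example, not from the original slides. SHA-256 is truncated to n bits so
the attacks finish quickly; the trial counts illustrate the 2^n (preimage) vs
2^(n/2) (birthday collision) complexities the slides quote.
"""
import hashlib


def truncated_hash(message: bytes, n_bits: int) -> int:
    """First n_bits of SHA-256(message) as an integer (1 <= n_bits <= 256)."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)


def preimage_attack(target: int, n_bits: int, limit: int = 1 << 24):
    """Given only a hash value, find any message hashing to it.
    Expected work: about 2^n_bits trials. Returns (message, trials)."""
    for i in range(limit):
        m = b"candidate-%d" % i
        if truncated_hash(m, n_bits) == target:
            return m, i + 1
    raise RuntimeError("no preimage found within limit")


def second_preimage_attack(m1: bytes, n_bits: int, limit: int = 1 << 24):
    """Given a fixed m1, find a different m2 with the same hash.
    Same 2^n_bits cost as the first-preimage attack. Returns (m2, trials)."""
    target = truncated_hash(m1, n_bits)
    for i in range(limit):
        m2 = b"forgery-%d" % i
        if m2 != m1 and truncated_hash(m2, n_bits) == target:
            return m2, i + 1
    raise RuntimeError("no second preimage found within limit")


def collision_attack(n_bits: int):
    """Find any two distinct messages with equal hashes (birthday attack).
    Expected work: about 2^(n_bits/2) trials; never more than 2^n_bits + 1
    by the pigeonhole principle. Returns (m_a, m_b, trials)."""
    seen = {}                      # hash value -> first message that produced it
    for i in range((1 << n_bits) + 1):
        m = b"birthday-%d" % i
        h = truncated_hash(m, n_bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    raise AssertionError("unreachable: pigeonhole guarantees a collision")


if __name__ == "__main__":
    n = 16
    m1 = b"constructed sample message"       # constructed input for the demo
    _, pre = preimage_attack(truncated_hash(m1, n), n)
    _, sec = second_preimage_attack(m1, n)
    _, _, col = collision_attack(n)
    print(f"n={n}: preimage {pre} trials, second preimage {sec} trials, "
          f"collision {col} trials (expected ~{1 << n} vs ~{1 << (n // 2)})")
```

The preimage searches land near 2^16 = 65536 trials on average while the birthday search usually needs a few hundred, which is why a 160-bit digest (2^80 for collisions) was already considered marginal when these slides were written and why 256-bit outputs are the floor today.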
Hash Functions
Message digest: used for authenticity (sign the hash value of a message) and integrity purposes
Algorithms:
MD2, MD4, MD5 (128), SHA-0 (160) -- insecure
SHA-1 (160) -- theoretical collision attack at the time of the slide; a practical collision was published in 2017
SHA-2, SHA-3 (224, 256, 384, 512) -- OK
MD6
MD6 was submitted to the NIST SHA-3 competition
July 1, 2009: Rivest posted a comment at NIST that MD6 is not yet ready to be a candidate for SHA-3, citing speed issues and the inability to supply a proof of security for a faster reduced-round version
Next Class
Protocol Analysis and hash
How does it work? Chapter 12
Not required for tests
Arithmetic
Identity i: x op i = x
Inverse: b is the inverse of a under op if a op b = i
Prime numbers: p is prime if 1 < p and p is divisible by {1, p} only
Euclidean algorithm: if x divides a and b then x also divides a - (k*b), since with a = x*a1 and b = x*b1:
  a - (k*b) = x*a1 - (k*x*b1) = x*(a1 - (k*b1)) = x*d
Greatest common divisor
Given a > b, the greatest common divisor x = gcd(a, b) can be calculated as follows:
1. Rewrite a as a = m*b + r, where m = floor(a/b) and r is the remainder
2. If x divides a and b, it also divides r, therefore x = gcd(a, b) = gcd(b, r); repeat with b = m'*r + r'
3. Continue until the remainder is zero; the last nonzero remainder is the gcd
Modular Arithmetic
Results stay in the underlying range of numbers
+, -, * can be applied before or after the modulus is taken with the same results
Modulus: remainder after division, that is, if a mod n = b then a = c*n + b
Examples:
9 mod 3 = 0
12 mod 5 = 2
12 mod 10 = 2
Modular Arithmetic
Properties:
Associative: (a + (b + c)) mod n = ((a + b) + c) mod n; (a*(b*c)) mod n = ((a*b)*c) mod n
Commutative: (a + b) mod n = (b + a) mod n; (a*b) mod n = (b*a) mod n
Distributive: (a*(b + c)) mod n = (((a*b) mod n) + ((a*c) mod n)) mod n
Existence of identities: (a + 0) mod n = (0 + a) mod n = a mod n; (a*1) mod n = (1*a) mod n = a mod n
Modular Arithmetic
Properties:
Existence of inverses:
(a + (-a)) mod n = 0
(a*(a^(-1))) mod n = 1 if a ≠ 0 (and gcd(a, n) = 1; see next slide)
Reducibility:
(a + b) mod n = ((a mod n) + (b mod n)) mod n
(a*b) mod n = ((a mod n) * (b mod n)) mod n
a^e mod n = (a mod n)^e mod n, i.e., the product of e copies of (a mod n), reduced mod n
Modular Arithmetic
a^(-1) = x mod n has a unique solution if a and n are relatively prime
Fermat's and Euler's Theorem
Fermat's Theorem: for any prime number p and any element a with 0 < a < p,
a^p mod p = a, or equivalently a^(p-1) mod p = 1
The inverse of a is x such that a*x mod p = 1; since a^(p-1) mod p = 1 we have a*a^(p-2) mod p = 1, so
x = a^(p-2) mod p
Euler's theorem: if a and n are relatively prime, then a^φ(n) mod n = 1, so with x = a^(φ(n)-1) mod n we get a*x mod n = 1
Example: inverse of 4 mod 5: 4^(-1) mod 5 = 4^(5-2) mod 5 = 64 mod 5 = 4; check: 4*4 mod 5 = 16 mod 5 = 1
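The appendix slides above (Euclidean algorithm, gcd, modular inverses, Fermat and Euler) are implemented here as an added example that is not part of the original slides. The Euclidean routine returns its step trace so the a = m*b + r rewriting from the gcd slide can be inspected, and the same inverse is computed three ways: by the extended Euclidean algorithm, by Fermat's shortcut for a prime modulus, and by Euler's shortcut, which needs φ(n) and therefore (my assumption, toy sizes only) a trial-division factorization. Function names are mine; the check values are the slide's 4^(-1) mod 5 = 4 and the RSA Example 1 exponent 5^(-1) mod 96 = 77.

```python
"""Euclid's algorithm, modular inverses, and the Fermat/Euler shortcuts from
the appendix slides. Added example, not from the original slides; the
trial-division factoring in euler_phi limits it to toy-sized moduli."""


def gcd_steps(a: int, b: int):
    """Euclidean algorithm exactly as the slide describes: rewrite a = m*b + r,
    then gcd(a, b) = gcd(b, r), until the remainder is zero.
    Returns (gcd, [(a, m, b, r), ...]) so the trace can be inspected."""
    steps = []
    while b:
        m, r = divmod(a, b)
        steps.append((a, m, b, r))
        a, b = b, r
    return a, steps


def extended_gcd(a: int, b: int):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b) (extended Euclid)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, r = divmod(a, b)
        a, b = b, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(a: int, n: int) -> int:
    """Unique x with a*x = 1 (mod n); exists only when gcd(a, n) = 1."""
    g, x, _ = extended_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n} (gcd = {g})")
    return x % n


def inverse_fermat(a: int, p: int) -> int:
    """Fermat: a^(p-1) = 1 (mod p) for prime p and 0 < a < p,
    so a^(p-2) mod p is the inverse of a."""
    return pow(a, p - 2, p)


def euler_phi(n: int) -> int:
    """phi(n) via trial-division factoring (toy sizes only)."""
    result, m, f = n, n, 2
    while f * f <= m:
        if m % f == 0:
            while m % f == 0:
                m //= f
            result -= result // f
        f += 1
    if m > 1:                      # leftover prime factor
        result -= result // m
    return result


def inverse_euler(a: int, n: int) -> int:
    """Euler: a^phi(n) = 1 (mod n) when gcd(a, n) = 1,
    so a^(phi(n)-1) mod n is the inverse of a."""
    if gcd_steps(a, n)[0] != 1:
        raise ValueError("a and n must be relatively prime")
    return pow(a, euler_phi(n) - 1, n)


if __name__ == "__main__":
    print(gcd_steps(96, 5))        # (1, [(96, 19, 5, 1), (5, 5, 1, 0)])
    print(mod_inverse(5, 96))      # 77: the RSA private exponent of Example 1
    print(inverse_fermat(4, 5))    # 4, matching the slide's example
    print(inverse_euler(5, 96))    # 77 again, via Euler's theorem
```

The extended Euclidean route is the one to use in practice: it needs no factorization of n and costs O(log n) divisions, whereas the Euler route requires φ(n), which for an RSA modulus is exactly the secret that factoring would reveal.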