public key cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/css322...public key crypto...
TRANSCRIPT
![Page 1: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/1.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Public Key Cryptography
CSS322: Security and Cryptography
Sirindhorn International Institute of TechnologyThammasat University
Prepared by Steven Gordon on 31 October 2012CSS322Y12S2L07, Steve/Courses/2012/s2/css322/lectures/rsa.tex, r2531
![Page 2: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/2.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Contents
Principles of Public-Key Cryptosystems
The RSA Algorithm
Diffie-Hellman Key Exchange
Other Public-Key Cryptosystems
![Page 3: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/3.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Birth of Public-Key Cryptosystems
I Beginning to 1960’s: permutations and substitutions(Caesar, rotor machines, DES, . . . )
I 1960’s: NSA secretly discovered public-keycryptography
I 1970: first known (secret) report on public-keycryptography by CESG, UK
I 1976: Diffie and Hellman public introduction topublic-key cryptography
I Avoid reliance on third-parties for key distributionI Allow digital signatures
![Page 4: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/4.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Principles of Public-Key Cryptosystems
I Symmetric algorithms used same secret key forencryption and decryption
I Asymmetric algorithms in public-key cryptography useone key for encryption and different but related key fordecryption
I Characteristics of asymmetric algorithms:I Require: Computationally infeasible to determine
decryption key given only algorithm and encryption keyI Optional: Either of two related keys can be used for
encryption, with other used for decryption
![Page 5: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/5.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Public and Private Keys
Public Key
I For secrecy: used in encryption
I For authentication: used in decryption
I Available to anyone
Private Key
I For secrecy: used in decryption
I For authentication: used in decryption
I Secrect, known only by owner
Public-Private Key Pair
I User A has pair of related keys, public and private:(PUa, PRa)
![Page 6: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/6.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Encryption with Public Key
![Page 7: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/7.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Encryption with Private Key
![Page 8: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/8.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Conventional vs Public-Key Encryption
![Page 9: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/9.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Secrecy in a Public Key Cryptosystem
![Page 10: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/10.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Authentication in a Public Key Cryptosystem
![Page 11: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/11.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Secrecy and Authentication in a Public KeyCryptosystem
![Page 12: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/12.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Applications of Public Key Cryptosystems
I Secrecy, encryption/decryption of messages
I Digital signature, sign message with private key
I Key exchange, share secret session keys
![Page 13: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/13.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Requirements of Public-Key Cryptography
1. Computationally easy for B to generate pair (PUb,PRb)
2. Computationally easy for A, knowing PUb and messageM, to generate ciphertext:
C = E(PUb,M)
3. Computationally easy for B to decrypt ciphertext usingPRb:
M = D(PRb,C ) = D[PRb,E(PUb,M)]
4. Computationally infeasible for attacker, knowing PUb
and C , to determine PRb
5. Computationally infeasible for attacher, knowing PUb
and C , to determine M
6. (Optional) Two keys can be applied in either order:
M = D[PUb,E(PRb,M)] = D[PRb,E(PUb,M)]
![Page 14: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/14.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Requirements of Public-Key Cryptography
6 requirements lead to need for trap-door one-way function
I Every function value has unique inverse
I Calculation of function is easy
I Calculation of inverse is infeasible, unless certaininformation is known
Y = fk(X ) easy, if k and Y are known
X = f −1k (Y ) easy, if k and Y are known
X = f −1k (Y ) infeasible, if Y is known but k is not
I What is easy? What is infeasible?I Computational complexity of algorithm gives an
indicationI Easy if can be solved in polynomial time as function of
input
![Page 15: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/15.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Public-Key Cryptanalysis
Brute Force Attacks
I Use large key to avoid brute force attacks
I Public key algorithms less efficient with larger keys
I Public-key cryptography mainly used for keymanagement and signatures
Compute Private Key from Public Key
I No known feasible methods using standard computing
Probable-Message Attack
I Encrypt all possible M ′ using PUb—for the C ′ thatmatches C , attacker knows M
I Only feasible of M is short
I Solution for short messages: append random bits tomake it longer
![Page 16: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/16.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Contents
Principles of Public-Key Cryptosystems
The RSA Algorithm
Diffie-Hellman Key Exchange
Other Public-Key Cryptosystems
![Page 17: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/17.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
RSA
I Ron Rivest, Adi Shamir and Len Adleman
I Created in 1978; RSA Security sells related products
I Most widely used public-key algorithm
I Block cipher: plaintext and ciphertext are integers
![Page 18: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/18.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
The RSA Algorithm
I Plaintext encrypted in blocks, each block binary valueless than n
I In practice, block size i bits where 2i < n ≤ 2i+1; n is1024 bits
I Encryption of plaintext M:
C = Me mod n
I Decryption of ciphertext C :
M = Cd mod n= (Me)d mod n = Med mod n
I Sender A and receiver B know n; Sender A knows e;Receiver B knows d
I PUb = {e, n}, PRb = {d , n}
![Page 19: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/19.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Requirements of the RSA Algorithm
1. Possible to find values of e, d , n such thatMed mod n = M for all M < n
2. Easy to calculate Me mod n and Cd mod n for allvalues of M < n
3. Infeasible to determine d given e and n
I Requirement 1 met if e and d are relatively prime
I Choose primes p and q, and calculate:
n = pq1 < e < φ(n)ed ≡ 1 (mod φ(n)) or d ≡ e−1 (mod φ(n))
I n and e are public; p, q and d are private
![Page 20: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/20.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
The RSA Algorithm
![Page 21: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/21.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Example of RSA Algorithm
![Page 22: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/22.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
RSA Processing of Multiple Blocks
![Page 23: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/23.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Example of RSA Processing of Multiple Blocks
![Page 24: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/24.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Computational Efficiency of RSA
I Encryption and decryption require exponentiationI Very large numbers; using properties of modular
arithmetic makes it easier:
[(a mod n)× (b mod n)] mod n = (a× b) mod n
I Choosing eI Values such as 3, 17 and 65537 are popular: make
exponentiation fasterI Small e vulnerable to attack: add random padding to
each M
I Choosing dI Small d vulnerable to attackI Decryption using large d made faster using Chinese
Remainder Theorem and Fermat’s Theorem
I Choosing p and qI p and q must be very large primesI Choose random odd number and test if its prime
(probabilistic test)
![Page 25: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/25.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Security of RSA
I Brute-Force attack: choose large d (but makesalgorithm slower)
I Mathematical attacks:
1. Factor n into its two prime factors2. Determine φ(n) directly, without determining p or q3. Determine d directly, without determining φ(n)
I Factoring n is considered fastest approach; hence usedas measure of RSA security
I Timing attacks: practical, but countermeasures easy toadd (e.g. random delay). 2 to 10% performance penalty
I Chosen ciphertext attack: countermeasure is to usepadding (Optimal Asymmetric Encryption Padding)
![Page 26: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/26.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
MIPS-Years Needed To Factor
![Page 27: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/27.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Progress in Factorization
See http://www.rsa.com/rsalabs/node.asp?id=2092
for update. RSA-768 has been solved.
![Page 28: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/28.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Contents
Principles of Public-Key Cryptosystems
The RSA Algorithm
Diffie-Hellman Key Exchange
Other Public-Key Cryptosystems
![Page 29: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/29.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Diffie-Hellman Key Exchange
I Diffie and Hellman proposed public key cryptosystem in1976
I Algorithm for exchanging secret key (not for secrecy ofdata)
I Based on discrete logarithms
I Easy to calculate exponentials modulo a prime
I Infeasible to calculate inverse, i.e. discrete logarithm
![Page 30: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/30.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Diffie-Hellman Key Exchange Algorithm
![Page 31: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/31.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Diffie-Hellman Key Exchange
![Page 32: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/32.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Security of Diffie-Hellman Key Exchange
I Insecure against man-in-the-middle-attack
I Countermeasure is to use digital signatures andpublic-key certificates
![Page 33: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/33.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Contents
Principles of Public-Key Cryptosystems
The RSA Algorithm
Diffie-Hellman Key Exchange
Other Public-Key Cryptosystems
![Page 34: Public Key Cryptographyict.siit.tu.ac.th/~steven/css322y12s2/unprotected/CSS322...Public Key Crypto Principles RSA Di e-Hellman Others Security of Di e-Hellman Key Exchange I Insecure](https://reader034.vdocuments.us/reader034/viewer/2022042910/5f3f69c635b80c19792cc750/html5/thumbnails/34.jpg)
CSS322
Public Key Crypto
Principles
RSA
Diffie-Hellman
Others
Other Public-Key Cryptosystems
ElGamal Cryptosystem
I Similar concepts to Diffie-Hellman
I Used in Digital Signature Standard and secure email
Elliptic Curve Cryptography
I Uses elliptic curve arithmetic (instead of modulararithmetic in RSA)
I Equivalent security to RSA with smaller keys (betterperformance)
I Used for key exchange and digital signatures