Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas...
-
Upload
lorraine-owens -
Category
Documents
-
view
214 -
download
1
Transcript of Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas...
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 1
Internet Security 1 (IntSi1)
Prof. Dr. Andreas Steffen
Institute for Internet Technologies and Applications (ITA)
4 Public KeyCryptography
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 2
Cryptographical Building Blocks
BlockCipher
s
Stream
Ciphers
Symmetric KeyCryptography
Authentication
Confidentiality
Encryption
HashFunction
s
Challenge
Response
IVs
MACsMICs
MessageDigests
Nonces
PseudoRandom
Random
Sources
Secret Keys
SmartCards
DHRSA
Public KeyCryptography
EllipticCurve
s
Digital Signatures
DataIntegrity
Secure Network Protocols
Non-Repudiatio
n
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 3
The Secure Key Distribution Problem
Alice
Bob
Carol
Dave
Edna
Fred
KAB, KAC, KAD, KAE, KAF
KAC, KBC, KCD,
KCE, KCF
KAB, KBC, KBD,
KBE, KBF
KAF, KBF, KCF,
KDF, KEF
KAE, KBE, KCE,
KDE, KEF
KAD, KBD, KCD, KDE, KDFsecure
distributionof n2/2 keys
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 4
Public Key Distribution System
Alice
Bob
Carol
Dave
Edna
Fred
KA
KB
KC
KD
KE
KE
public distribution of n keys
PublicDirectory
Alice : KA
Bob : KB
Carol : KC
Dave : KD
Edna : KE
Fred : KF
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 5
Public Key Cryptography
• The Inventors• Whitfield Diffie and Martin Hellman 1976• Ralph Merkle 1978
C = fKB(P)
Encryption withone-way function
P = f-1KB(C,TB)
Joe
P = f-1KB(C)
Alice Bob
KBComputation of inverse function is extremely expensive
Trap Door
One-way functionsare often based on well-known hard problems
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 6
Internet Security 1 (IntSi1)
4.1 RSA Public KeyCryptosystem
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 7
RSA Public Key Cryptosystem
• The Inventors• R - Ron Rivest• S - Adi Shamir• A - Leonard Adleman
• The One-Way Function• The exponentiation function y = f(x) = xe mod n
can be computed with reasonable effort.
• Its inverse x = f -1(y) is extremely difficult to compute.
• The Hard Problem Securing the Trap Door• The RSA public key algorithm is based on the well-known
hard problem of factoring a large number into its prime factors that has been studied over many centuries.
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 8
RSA Public Key CryptosystemKey Generation Algorithm
• Step 1: Choose two random large prime numbers p and q• For maximum security, choose p and q of about equal length,
e.g. 1024 … 1536 bits each.
• Step 2: Compute the product n = p·q
• Step 3: Choose a random integer e < (p-1)(q-1)• The numbers e and (p-1)(q-1) must be relatively prime, i.e.
they should not share common prime factors.
• Step 4: Compute the unique inverse d = e-1 mod (p-1)(q-1)• The equation d·e mod (p-1)(q-1) = 1
can be solved using the Euclidian algorithm.
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 9
RSA Public Key CryptosystemHow to find large random prime numbers
• There are 10305 primes 1024 bits in length or less.
• There are only 1077 atoms in the universe.
• The chance that two people choose the same prime factors for key generation is therefore near to nil !
• To prove that a randomly chosen number is really prime you would have to factor it. Try small factors (3, 5, 7, 11, ...)
• Probabilistic Primality Tests (e.g. Miller–Rabin)
• After passing 5 tests, assume a random number to be prime
is prime
composite number
0 %
100 % 0.1 %
not prime
prime number99.9 %
random number is aResultof
PrimalityTest
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 10
• (p-1)·(q-1) = 2 · 10 = 2 · 2 · 5 = 20
RSA Public Key CryptosystemKey Generation Example
• p = 3, q = 11: n = p·q = 33
• the public exponent e must be relatively prime to (p-1)·(q-1) , i.e. it cannot contain any factors of 2 and 5 e d e·d e·d mod 20
3 7 21 1 7 3 21 1 9 9 81 111 11 121 113 17 221 117 13 221 119 19 361 1
all possible choices forthe exponents e and d
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 11
RSA Public Key CryptosystemPublic and Private Keys
• Public Key: modulus n and public exponent e• Publish n and e in a public directory, so that anybody wanting
to send you a confidential message can retrieve it.
• Private Key: modulus n and private exponent d• The private exponent d is your secret. It should be protected
either by storing it in a tamper-proof smart card or when stored on a disk by encrypting it with a symmetric cipher secured by a secret passphrase of your choice.
• The primes p and q that were used for key generation are often kept as part of the private key, because their smaller size (i.e. half the length of the modulus n) allow an efficient implementation of the private key operations (Montgomery multiplication).
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 12
RSA Public Key CryptosystemEncryption and Decryption
• Encryption of a plaintext block x: y = xe mod n• The sender uses the public key
of the recipient to encrypt x < n.• Decryption of a ciphertext block y: x = yd mod
n• The recipient uses her private key
to recover the plaintext block x
yd = (xe)d = xe·d = xm·(p-1)·(q-1) + 1 = x1 = x (mod n)yd = (xe)d = xe·d = xm·(p-1)·(q-1) + 1 = x1 = x (mod n)
• Without proof:
• Encryption and Decryption are symmetric operations• The order of the exponentiation with the public exponent
e and the private exponent d can be exchanged.
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 13
e = 1·23 + 1·22 + 0·21 + 1·20
e = 1·8 + 1·4 + 0·2 + 1·1 y = xe =(x8)1 ·(x4)1·(x2)0·(x)1 mod n y = x8·x4·x mod n x2 = x·x mod n, x4 = x2·x2 mod n, x8 = x4·x4 mod n
d = 1·24 + 0·23 + 0·22 + 0·21 + 1·20
d = 1·16 + 0·8 + 0·4 + 0·2 + 1·1 x = yd =(y16)1 ·(y8)0 ·(y4)0·(y2)0·(y)1 mod n x = y16·y mod n y2 = y·y mod n, y4 = y2·y2 mod n, y8 = y4·y4 mod n,
y16 = y8·y8 mod n
RSA Public Key CryptosystemFast Exponentiation Example
• Encryption with Public Key n = 33, e = 13
• Decryption with Private Key n = 33, d = 17
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 14
RSA Public Key CryptosystemPlaintext to Ciphertext Mapping
• n = 33, e = 13, d = 17 y = xe mod n
x y x y x y x y x y
0 0 8 17 16 4 24 30 32 32 1 1 9 3 17 29 25 16 2 8 10 10 18 24 26 20 3 27 11 11 19 28 27 15 4 31 12 12 20 14 28 7 5 26 13 19 21 21 29 2 6 18 14 5 22 22 30 6 7 13 15 9 23 23 31 25
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 15
The RSA–768 Challenge
• The Effort• 768 bit number (232 digits) factored in December 2009• Sieving step took 2 years on a cluster of several hundred
computers. • Sieving on a single core 2.2 GHz Opteron processor with 2 GB
of RAM would have taken 1500 years.• 1024 modulus is about 1000 times harder to factor.
1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413
= ?=33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489
*
36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 16
• Assumed effort: 40 million dollardays = 40M x 1 day = 100k x 400 days
• 56 bits in 1982 RSA: 366 … 527 bits • 64 bits in 1994 RSA: 639 … 746 bits• 72 bits in 2006 RSA: 1007 … 1012 bits• 76 bits in 2012 RSA: 1164 … 1229 bits• 80 bits in 2018 RSA: 1329 … 1478 bits • 88 bits in 2030 RSA: 1698 … 2063 bits • 96 bits in 2042 RSA: 2124 … 2770 bits• 104 bits in 2054 RSA: 2608 … 3607 bits• 112 bits in 2066 RSA: 3154 … 4582 bits• 120 bits in 2078 RSA: 3764 … 5701 bits• 128 bits in 2090 RSA: 4440 … 6974 bits
Cryptographics Strength of RSA Keys
www.keylength.com
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 17
Internet Security 1 (IntSi1)
4.2 Diffie HellmanKey Exchange Algorithm
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 18
The Diffie–Hellman Key-Exchange AlgorithmGenerating a Common Secret Key
• Alice and Bob agree on a large prime modulus n, a primitive element g and the one-way function y = f(x) = gx mod n.
• The integers n and g are not secret and can be published.
• Alice chooses a large random integer a and sends BobA = ga mod n
• Bob chooses a large random integer b and sends AliceB = gb mod n
• Alice computess = Ba mod n = gba mod n
• Bob computess = Ab mod n = gab mod n
• Alice and Bob share now the secret key s = gab mod n• Since computing the inverse x = f-1(y) is extremely
difficult, no one listening to the key-exchange can compute the secret key s from the values A, B, n and g.
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 19
The Diffie–Hellman Key-Exchange AlgorithmPractical Example
y = gx mod nPrime modulus: n = 31Primitive element: g = 3
y 1 3 9 27 19 26 16 17 20 29 25 13 8 24 10 30
x 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
y 28 22 4 12 5 15 14 11 2 6 18 23 7 21 1
x 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
A: a = 8 A = 38 mod 31 = 20
B: b = 6 B = 36 mod 31 = 16 s = 206 mod 31 = 4
s = 168 mod 31 = 4