Cryptography and Network Security Chapter 10
30
Cryptography and Cryptography and Network Security Network Security Chapter 10 Chapter 10 Fifth Edition Fifth Edition by William Stallings by William Stallings
description
Cryptography and Network Security Chapter 10. Fifth Edition by William Stallings. Chapter 10 – Other Public Key Cryptosystems. - PowerPoint PPT Presentation
Transcript of Cryptography and Network Security Chapter 10
Cryptography and Cryptography and Network SecurityNetwork Security
Chapter 10Chapter 10
Fifth EditionFifth Edition
by William Stallingsby William Stallings
Chapter 10 – Chapter 10 – Other Public Key Other Public Key CryptosystemsCryptosystems
No Singhalese, whether man or woman, would No Singhalese, whether man or woman, would venture out of the house without a bunch of keys venture out of the house without a bunch of keys in his hand, for without such a talisman he would in his hand, for without such a talisman he would fear that some devil might take advantage of his fear that some devil might take advantage of his weak state to slip into his body.weak state to slip into his body.
——The Golden Bough, The Golden Bough, Sir James George FrazerSir James George Frazer
Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange
first public-key type scheme proposed first public-key type scheme proposed by Diffie & Hellman in 1976 along with the by Diffie & Hellman in 1976 along with the
exposition of public key conceptsexposition of public key concepts is a practical method for public exchange is a practical method for public exchange
of a secret keyof a secret key used in a number of commercial productsused in a number of commercial products
Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange
a public-key distribution scheme a public-key distribution scheme cannot be used to exchange an arbitrary message cannot be used to exchange an arbitrary message rather it can establish a common key rather it can establish a common key known only to the two participants known only to the two participants
value of key depends on the participants (and value of key depends on the participants (and their private and public key information) their private and public key information)
based on exponentiation in a finite (Galois) field based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy(modulo a prime or a polynomial) - easy
security relies on the difficulty of computing security relies on the difficulty of computing discrete logarithms (similar to factoring) – harddiscrete logarithms (similar to factoring) – hard
Discrete LogsDiscrete Logs
))(mod( qbLogx a
Find x
We denote this as
Why is this hard?
Given )(modqab x
Diffie-Hellman SetupDiffie-Hellman Setup
all users agree on global parameters:all users agree on global parameters: large prime integer or polynomial large prime integer or polynomial qq aa being a primitive root mod being a primitive root mod qq
each user (eg. A) generates their keyeach user (eg. A) generates their key chooses a secret key (number): chooses a secret key (number): xxAA < q < q
compute their compute their public keypublic key: : yyAA = = aaxxAA mod q mod q
each user makes public that key each user makes public that key yyAA
Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange
shared session key for users A & B is Kshared session key for users A & B is KABAB: :
KKABAB = = aaxxA.A.xxBB mod q mod q
= y= yAA
xxBB mod q (which mod q (which BB can compute) can compute)
= y= yBB
xxAA mod q (which mod q (which AA can compute) can compute)
KKABAB is used as session key in private-key is used as session key in private-key encryption scheme between Alice and Bobencryption scheme between Alice and Bob
if Alice and Bob subsequently communicate, they if Alice and Bob subsequently communicate, they will have the will have the samesame key as before, unless they key as before, unless they choose new public-keys choose new public-keys
attacker needs an x, must solve discrete logattacker needs an x, must solve discrete log
Diffie-Hellman Example Diffie-Hellman Example
users Alice & Bob who wish to swap keys:users Alice & Bob who wish to swap keys: agree on prime agree on prime q=353q=353 and and aa=3=3 select random secret keys:select random secret keys:
A chooses A chooses xxAA=97, =97, B chooses B chooses xxBB=233=233 compute respective public keys:compute respective public keys:
yyAA==3397 97 mod 353 = 40 mod 353 = 40 (Alice)(Alice)
yyBB==33233233 mod 353 = 248 mod 353 = 248 (Bob)(Bob)
compute shared session key as:compute shared session key as: KKABAB= y= yBB
xxAA mod 353 = mod 353 = 2482489797 = 160 = 160 (Alice)(Alice)
KKABAB= y= yAAxxBB mod 353 = mod 353 = 4040
233233 = 160 = 160 (Bob)(Bob)
Key Exchange ProtocolsKey Exchange Protocols users could create random private/public users could create random private/public
D-H keys each time they communicateD-H keys each time they communicate users could create a known private/public users could create a known private/public
D-H key and publish in a directory, then D-H key and publish in a directory, then consulted and used to securely consulted and used to securely communicate with themcommunicate with them
both of these are vulnerable to a meet-in-both of these are vulnerable to a meet-in-the-Middle Attackthe-Middle Attack
authentication of the keys is neededauthentication of the keys is needed
Man-i-the-middle attack on Man-i-the-middle attack on Diffie-HellmanDiffie-Hellman
1.1. Darth prepares for the attack by generating two random private keys Darth prepares for the attack by generating two random private keys XXD1D1 and X and XD2D2 and then computing the corresponding and then computing the corresponding public keys public keys YYD1D1=a =a XX
D1D1 mod q and Y mod q and YD2D2 =a =a XXD2D2 mod q mod q
2.2. Alice Alice transmitstransmits YYAA to Bob. to Bob.
3.3. Darth intercepts Darth intercepts YYAA but transmits Y but transmits YD1D1 to Bob. Darth also calculates to Bob. Darth also calculates
K2 = (YK2 = (YAA) ) XXD2D2 mod q. mod q.
4.4. Bob receives Bob receives YYD1D1 and calculates K1 = (Y and calculates K1 = (YD1D1))XXBB mod q. mod q.
5.5. Bob transmits Bob transmits YYBB to Alice. to Alice.
6.6. Darth intercepts Darth intercepts YYBB but transmits Y but transmits YD2D2 to Alice. Darth calculates K1 to Alice. Darth calculates K1
= (Y= (YBB) ) XXD1D1 mod q. mod q.
7.7. Alice receives Alice receives YYD2D2 and calculates K2 = (Y and calculates K2 = (YD2D2))XXAA mod q. mod q.
Allice and Bob think they share a secret key, but actually Bob and Allice and Bob think they share a secret key, but actually Bob and Darth share K1, and Alice and Darth share K2.Darth share K1, and Alice and Darth share K2.
ElGamal CryptosystemElGamal Cryptosystem
Another public-key cryptosystem like RSA. Another public-key cryptosystem like RSA. Bob publishes (Bob publishes (, p, , p, ), where 1 < m < p ), where 1 < m < p
and and ==aa
Alice chooses secret k, computes and Alice chooses secret k, computes and sends to Bob the pair (r,t) wheresends to Bob the pair (r,t) where r=r=kk (mod p) (mod p) t = t = kkm (mod p)m (mod p)
Bob calculates: trBob calculates: tr-a-a=m (mod p)=m (mod p) Why does this decrypt?Why does this decrypt?
ElGamal CryptosystemElGamal CryptosystemBob publishes (Bob publishes (, p, , p, ), where 1 ), where 1
< m < p and < m < p and ==aa
Alice chooses secret k, Alice chooses secret k, computes and sends to Bob computes and sends to Bob the pair (r,t) wherethe pair (r,t) where
r=r=kk (mod p) (mod p) t = t = kkm (mod p)m (mod p)
Bob finds: Bob finds: trtr-a-a=m (mod p)=m (mod p) Why does this work?Why does this work?
Multiplying m by Multiplying m by kk scrambles it. scrambles it.
Eve sees Eve sees , p, , p, , r, t. If she only , r, t. If she only knew a or k!knew a or k!
Knowing a allows decryption.Knowing a allows decryption.
Knowing k also allows decryption. Knowing k also allows decryption. Why?Why?
Can’t find k from r or t.Can’t find k from r or t. Why?Why?
Elliptic Curve CryptographyElliptic Curve Cryptography
majority of public-key crypto (RSA, D-H) majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic use either integer or polynomial arithmetic with very large numbers/polynomialswith very large numbers/polynomials
imposes a significant load in storing and imposes a significant load in storing and processing keys and messagesprocessing keys and messages
an alternative is to use elliptic curvesan alternative is to use elliptic curves offers same security with smaller bit sizesoffers same security with smaller bit sizes newer, but not as well analysednewer, but not as well analysed
Elliptic Curve CryptographyElliptic Curve CryptographyAbelian GroupAbelian Group
A set of elements G and operation * A set of elements G and operation * among elements (G,among elements (G,**) with some ) with some
Axioms:Axioms: (A1) Closure: (A1) Closure: a,ba,b G, G, a*ba*b G G (A2) associative law:(A2) associative law:(a*b)*c = a*(b*c)(a*b)*c = a*(b*c) (A3) has identity (A3) has identity ee: : e*a = a*e = ae*a = a*e = a (A4) has inverses (A4) has inverses aa-1-1:: a*aa*a-1-1 = e = e (A5) commutative law (A5) commutative law a*b = b*aa*b = b*a
Elliptic Curve CryptographyElliptic Curve CryptographyOperationsOperations
If the operation If the operation ** is x, and we perform all is x, and we perform all operations mod q, operations mod q,
a x a x ... x a = aa x a x ... x a = akk mod q mod q
If the operation If the operation ** is +, is +,a + a + ... + a = k aa + a + ... + a = k a
k
k
Real Elliptic CurvesReal Elliptic Curves an an elliptic curve is defined by an equation in elliptic curve is defined by an equation in
two variables x & y, with coefficientstwo variables x & y, with coefficients consider a cubic elliptic curve of formconsider a cubic elliptic curve of form
yy22 = = xx33 + + ax ax + + bb where x,y,a,b are all real numberswhere x,y,a,b are all real numbers also define zero point Oalso define zero point O Note: More general form of the elliptical curve Note: More general form of the elliptical curve
(Weierstrass equation):(Weierstrass equation):yy22 + axy + by = x + axy + by = x33 + cx + cx22 + dx + e + dx + e
can be transformed to the form: can be transformed to the form: yy22 = = xx33 + + ax ax + + bb have addition operation for elliptic curvehave addition operation for elliptic curve
geometrically sum of Q+R is reflection of geometrically sum of Q+R is reflection of intersection Rintersection R
Real Elliptic Curve ExampleReal Elliptic Curve Example
-
-
- -
-
),( pp yxP
R=
Elliptic Curve CryptographyElliptic Curve Cryptography),( ),,( QQPP yxQyxP QPR
),( RR yxR
PQ
PQ
xx
yy
Slope of the line between Slope of the line between PP and and QQ
)(
2
RPPR
QPR
xxyy
xxx
0 ,2 PyPPPR
),( RR yxR
PRPP
PR
PP
PR
yxxy
axy
xy
axx
)(2
3
22
3
2
22
Elliptic Curve CryptographyElliptic Curve Cryptography
ECC addition is analog of modulo multiplyECC addition is analog of modulo multiply ECC repeated addition is analog of ECC repeated addition is analog of
modulo exponentiationmodulo exponentiation need “hard” problem equiv to discrete logneed “hard” problem equiv to discrete log
Q= kP = P+P+…+PQ= kP = P+P+…+P, where , where Q,PQ,P belong to a belong to a prime curveprime curve
is “easy” to compute is “easy” to compute QQ given given k, Pk, P but “hard” to find but “hard” to find kk given given Q, PQ, P known as the elliptic curve logarithm problemknown as the elliptic curve logarithm problem
Finite Elliptic CurvesFinite Elliptic Curves
Elliptic curve cryptography uses curves Elliptic curve cryptography uses curves whose variables & coefficients are finitewhose variables & coefficients are finite
have two families commonly used:have two families commonly used: prime curves prime curves EEpp(a,b)(a,b) defined over Z defined over Zpp
• use integers modulo a primeuse integers modulo a prime• best in softwarebest in software
binary curves binary curves EE22mm(a,b)(a,b) defined over GF(2 defined over GF(2nn))• use polynomials with binary coefficientsuse polynomials with binary coefficients• best in hardwarebest in hardware
Certicom example: E23(1,1)
All operations work mod 23.
Not all values for x and y satisfy y2 = x3 + x + 1
For x=9, only y=7 and y=16
ECC Diffie-HellmanECC Diffie-Hellman
can do key exchange analogous to D-Hcan do key exchange analogous to D-H users select a suitable curve users select a suitable curve EEpp(a,b)(a,b) select base point select base point G=(xG=(x11,y,y11))
with large order n s.t. with large order n s.t. nG=OnG=O A & B select private keys A & B select private keys nnAA<n, n<n, nBB<n<n compute public keys: compute public keys: PPAA=n=nAAG, G, PPBB=n=nBBGG compute shared key: compute shared key: KK=n=nAAPPBB,, KK=n=nBBPPAA
same since same since KK=n=nAAnnBBGG
ECC Encryption/DecryptionECC Encryption/Decryption
several alternatives, will consider simplestseveral alternatives, will consider simplest must first encode any message M as a point on must first encode any message M as a point on
the elliptic curve Pthe elliptic curve Pmm
select suitable curve & point G as in D-Hselect suitable curve & point G as in D-H each user chooses private key each user chooses private key nnAA<n<n
and computes public key and computes public key PPAA=n=nAAGG
to encrypt Pto encrypt Pmm : : CCmm={kG, P={kG, Pmm+kP+kPbb}}, k random, k random
decrypt Cdecrypt Cmm compute: compute:
PPmm++kkPPbb––nnBB((kGkG) = ) = PPmm++kk((nnBBGG)–)–nnBB((kGkG) = ) = PPmm
ECC SecurityECC Security
relies on elliptic curve logarithm problemrelies on elliptic curve logarithm problem fastest method is “Pollard rho method”fastest method is “Pollard rho method” compared to factoring, can use much compared to factoring, can use much
smaller key sizes than with RSA etcsmaller key sizes than with RSA etc for equivalent key lengths computations for equivalent key lengths computations
are roughly equivalentare roughly equivalent hence for similar security ECC offers hence for similar security ECC offers
significant computational advantagessignificant computational advantages
Comparable Key Sizes for Comparable Key Sizes for Equivalent SecurityEquivalent Security
Symmetric scheme
(key size in bits)
ECC-based scheme
(size of n in bits)
RSA/DSARSA/DSA
(modulus size in bits)
5656 112 512
80 160 1024
112 224 2048
128 256 3072
192 384 7680
256 512 15360
Legal use of ECCLegal use of ECC
A lot of ECC techniques are patented by A lot of ECC techniques are patented by the company Certicomthe company Certicom
NSA bought some patents from them and NSA bought some patents from them and made the royalty free via NIST made the royalty free via NIST standardisationstandardisation
BUT …BUT …
SummarySummary
have considered:have considered: distribution of public keysdistribution of public keys public-key distribution of secret keyspublic-key distribution of secret keys Diffie-Hellman key exchangeDiffie-Hellman key exchange EllGamal encryptionEllGamal encryption Elliptic Curve cryptographyElliptic Curve cryptography
