CS 494/594 Computer and Network Security
web.eecs.utk.edu/~jysun/files/Lec6.pdf

Dr. Jinyuan (Stella) Sun
Dept. of Electrical Engineering and Computer Science
University of Tennessee
Fall 2010

Microsoft PowerPoint - Lec6.pptx. Author: jysun. Created Date: 9/20/2010 1:19:42 PM

Public Key Cryptography

• Modular Arithmetic
• RSA
• Diffie-Hellman
• Elliptic Curve Cryptography

Public Key Cryptography

• Also known as asymmetric cryptography; invented in the 1970s
• Uses two keys: a public key known to everyone, and a private key kept secret by the owner
• Encryption/decryption: encryption can be done by everyone using the recipient’s public key, decryption can be done only by the recipient with his/her private key
• Digital signature: signing is done with the signer’s private key, and verification is done with the signer’s public key
• Key exchange: establish a shared session key with public key cryptography (PKC); secret key cryptography (SKC) is used afterwards

Modular Arithmetic

• Fundamental to PKC
• Modulo n or mod n: non-negative integers < some integer n, sometimes “mod n” is omitted
• Modular addition
• Modular multiplication
• Modular exponentiation

Modular Addition

• Example: mod 10
  5 + 5 = 0
  3 + 9 = ?
  2 + 2 = ?
  9 + 9 = ?
• Additive inverse: the additive inverse of x is the number we need to add to x to get 0, e.g., what’s the additive inverse of 4 mod 10?

Modular Multiplication

• Example: 3 × 7 = 1 mod 10
• Multiplicative inverse: if xy = 1 mod n, then x and y are each other’s multiplicative inverse mod n
• Relatively prime: no common factors other than 1
• Existence of multiplicative inverse: x has a multiplicative inverse mod n iff x is relatively prime to n
• Euclid’s algorithm: provides an efficient method to find multiplicative inverses mod n

Modular Multiplication (Cont’d)

φ(n): totient function
• number of integers < n and relatively prime to n
• φ(n) = n – 1 if n is prime
• φ(pq) = pq – (p + q – 1) = (p – 1)(q – 1), if p and q are prime

Modular Exponentiation

• Example: $4^6 = 4096 = 6 \bmod 10$
• $x^y \bmod n = x^{(y \bmod \varphi(n))} \bmod n$
• If $y = 1 \bmod \varphi(n)$, then $x^y \bmod n = x \bmod n$
• For the mod 10 example, φ(n) = 4

RSA

• Named after Rivest, Shamir, and Adleman
• Public key / private key, use one to encrypt and the other to decrypt
• Key length: variable, most commonly 512 bits
• Plaintext block: smaller than the key length
• Ciphertext block: same as key length
• Advantage: easy key management
• Disadvantage: much slower than secret key algorithms

RSA Algorithm

• Choose two large primes, p and q, >100 bits each
• n = pq, φ(n) = (p – 1)(q – 1)
• Choose e that is relatively prime to φ(n)
• By Euclid’s algorithm, find d that is the multiplicative inverse of e mod φ(n), i.e., ed = 1 mod φ(n)
• Let <e, n> be the public key, <d, n> the private key

Encryption and Decryption

• Encryption with public key <e, n>: $c = m^e \bmod n$
• Decryption with private key <d, n>: $m = c^d \bmod n$

$c^d \bmod n = (m^e \bmod n)^d \bmod n = (m^e)^d \bmod n = m \bmod n = m$

Why is RSA Secure?

• Given n, it is hard to factor it to get p and q
• RSA misuse: Alice uses Bob’s public key to encrypt a message sent to Bob. If Frank knows the message is one of many possible messages, he can use the same public key to compute and compare the ciphertexts to find the message (Solution?)

Efficiency of RSA Operations

• Exponentiation of large numbers of several hundreds of bits
• Find big primes, p and q
• Find e and d

Exponentiating With Big Numbers

• Page 154 – 155

Finding Big Primes p and q

• The probability that a randomly chosen number n is prime is 1 / ln n, which is about one in 230 for a hundred-digit n
• Test whether a random number n is a prime
  - Fermat’s Theorem: if p is a prime and 0 < a < p, then $a^{p-1} = 1 \bmod p$
  - For a non-prime n of a hundred bits, the chance of $a^{n-1} = 1 \bmod n$ is about 1 in $10^{13}$
  - Miller-Rabin algorithm
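
The Fermat check and the Miller-Rabin algorithm named above, as an added Python example that is not part of the original slides. The function names, the 20-round default and the small-prime trial division are assumptions of this sketch; 561 is a composite (3 · 11 · 17) used to show where the plain Fermat check is fooled.

```python
import secrets

_RNG = secrets.SystemRandom()   # OS randomness, suitable for key generation

def fermat_passes(n, a):
    """Fermat check from the slide: a^(n-1) = 1 mod n holds for every prime n."""
    return pow(a, n - 1, n) == 1

def miller_rabin_witness(n, a):
    """Return True if base a proves that odd n > 2 is composite."""
    d, r = n - 1, 0
    while d % 2 == 0:            # write n - 1 = 2^r * d with d odd
        d //= 2
        r += 1
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return False
    for _ in range(r - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return False
    return True                  # the squaring chain never reached -1

def is_probable_prime(n, rounds=20, rng=_RNG):
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if miller_rabin_witness(n, a):
            return False
    return True

def random_prime(bits, rng=_RNG):
    """Draw random odd candidates with the top bit set until one passes."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng=rng):
            return candidate
```

Base 2 satisfies the Fermat check for 561 yet is a Miller-Rabin witness against it, which is why the stronger test is used when searching for p and q.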

Finding e and d

• e: can be randomly chosen, relatively prime to φ(n)
• d: calculated by Euclid’s algorithm, s.t. ed = 1 mod φ(n)
• If e is chosen to be small such as 3, the encryption and signature verification will be faster, while the decryption and digital signature remain the same
• d should not be small

Popular Values of e

• 3 and 65537 ($2^{16} + 1$)
• Advantage: computationally efficient
  - 3: 2 multiplies
  - 65537: 17 multiplies
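
Where the counts of 2 and 17 multiplies come from, as an added Python example that is not part of the original slides. It uses left-to-right square-and-multiply, one common way to exponentiate with big numbers; the function name modexp_counted is hypothetical.

```python
def modexp_counted(x, e, n):
    """Left-to-right square-and-multiply.

    Returns (x^e mod n, number of modular multiplications performed).
    """
    if e < 1:
        raise ValueError("exponent must be positive")
    result = x % n                       # accounts for the leading 1 bit of e
    multiplies = 0
    for bit in bin(e)[3:]:               # remaining bits, most significant first
        result = (result * result) % n   # one squaring per remaining bit
        multiplies += 1
        if bit == "1":
            result = (result * x) % n    # extra multiply only when the bit is set
            multiplies += 1
    return result, multiplies

if __name__ == "__main__":
    for e in (3, 65537):
        print(e, modexp_counted(2, e, 10**9 + 7)[1])
```

The extra multiply happens only for set bits, so the work depends on the exponent itself; for a private exponent d this is the running-time variation that the timing-attack countermeasures later in the lecture are meant to hide.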

Problems of e=3

• Problem 1: $c = m^e \bmod n$; if e is 3 and m is less than $n^{1/3}$, then $m^3 < n$ and thus $c = m^3 \bmod n = m^3 \Rightarrow m = c^{1/3}$
  Solution: pad m to be larger than $n^{1/3}$
• Problem 2: If a message is encrypted for three recipients using their public keys, $<3, n_1>$, $<3, n_2>$, $<3, n_3>$, to get three ciphertexts, $c_1 = m^3 \bmod n_1$, $c_2 = m^3 \bmod n_2$, $c_3 = m^3 \bmod n_3$, an attacker can compute $c = m^3 \bmod n_1 n_2 n_3$ by the Chinese Remainder Theorem. Since m is smaller than $n_1$, $n_2$, and $n_3$, $c = m^3 \Rightarrow m = c^{1/3}$
  Solution: pad m with different numbers for $c_1$, $c_2$, $c_3$
• Problem 3: Need to choose p and q s.t. 3 is relatively prime to (p-1)(q-1). It is easier to choose eligible p and q for 65537.
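
A check of Problems 1 and 2 and of their padding solutions, as an added Python example that is not part of the original slides. The three toy moduli, the decimal "pad" values and all function names are constructed for illustration; each modulus is built from primes chosen so that 3 is relatively prime to φ(n), as Problem 3 requires.

```python
MODULI = [11 * 17, 23 * 29, 41 * 47]   # constructed toy n1, n2, n3 for e = 3

def icbrt(x):
    """Integer cube root: the largest r with r^3 <= x."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo

def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise relatively prime moduli."""
    product = 1
    for n in moduli:
        product *= n
    total = 0
    for c, n in zip(residues, moduli):
        partial = product // n
        total += c * partial * pow(partial, -1, n)
    return total % product

def broadcast(messages):
    """Encrypt one (possibly padded) message per recipient with e = 3."""
    return [pow(m, 3, n) for m, n in zip(messages, MODULI)]

def recover_unpadded(ciphertexts, moduli):
    """Return m when the combined ciphertext is an exact cube, else None."""
    c = crt(ciphertexts, moduli)
    root = icbrt(c)
    return root if root ** 3 == c else None

if __name__ == "__main__":
    print(recover_unpadded([pow(5, 3, 187)], [187]))              # Problem 1
    print(recover_unpadded(broadcast([42, 42, 42]), MODULI))      # Problem 2
    print(recover_unpadded(broadcast([142, 542, 1742]), MODULI))  # padded
```

In the last call the message 42 carries a different constructed prefix for each recipient, so the combined value is no longer the cube of any single number and the cube root step returns nothing.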

Attacks on RSA

• Brute-force attacks: trying all possible private keys
• Mathematical attacks: trying to factor the product of two primes
• Timing attacks: depend on the running time of the decryption algorithm
• Chosen ciphertext attacks: exploit properties of the RSA algorithm

Countermeasures

• Brute-force attacks: use a large key space
• Mathematical attacks: use large enough n (1024-2048 bits), select p and q with constraints
• Timing attacks: constant exponentiation time, random delay, blinding the ciphertext
• Chosen ciphertext attacks: randomly pad the plaintext before encryption, e.g., optimal asymmetric encryption padding (OAEP)

Diffie-Hellman

• The first public key cryptosystem
• But it does neither encryption nor signatures
• Used for key exchange: Alice and Bob negotiate a shared secret key over a public communication channel

Diffie-Hellman Key Exchange

Why Is Diffie-Hellman Secure?

• It is difficult to compute discrete logarithm: knowing g and $g^x$, it is difficult to compute x

Man-in-the-Middle Attack

Normal exchange:
• Alice holds A, $g^A$; Bob holds B, $g^B$
• Alice → Bob: $g^A$
• Bob → Alice: $g^B$
• $K_{AB} = g^{AB}$

With Frank in the middle:
• Alice holds A, $g^A$; Frank holds F, $g^F$; Bob holds B, $g^B$
• Alice → Frank: $g^A$
• Frank → Alice: $g^F$
• Frank → Bob: $g^F$
• Bob → Frank: $g^B$
• $K_{AF} = g^{AF}$, $K_{FB} = g^{FB}$

Countermeasures

Publish public numbers:
• Alice keeps x private, but publishes $X = g^x \bmod p$ through a reliable, trusted service such as PKI
• Bob keeps y private, but publishes $Y = g^y \bmod p$
• Alice retrieves Y from the trusted service
• Bob retrieves X from the trusted service
• No place for Frank to get in the middle. The key between Alice and Bob is in fact pre-determined.

Countermeasures (Cont’d)

Authenticated Diffie-Hellman:
• Encrypt the Diffie-Hellman exchange with the pre-shared secret
• Encrypt the Diffie-Hellman public number with the other side’s public key
• Sign the Diffie-Hellman public number with your private key
• Following the Diffie-Hellman exchange, transmit a hash of the agreed key and the pre-shared secret
• Following the Diffie-Hellman exchange, transmit a hash of the pre-shared secret and your public number
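
How the fourth option above (a hash of the agreed key and the pre-shared secret) exposes the man-in-the-middle exchange, as an added Python example that is not part of the original slides. The toy 127-bit prime, the base 3, the class and function names, and the use of HMAC-SHA256 as the hash are assumptions; the sender name mixed into the hash is an addition of this sketch so that a confirmation cannot simply be reflected back to the party that produced it.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1   # constructed toy prime modulus; real groups use 2048 bits or more
G = 3            # base chosen for the demo (assumption)

class Party:
    def __init__(self, name, psk):
        self.name, self.psk = name, psk
        self.private = secrets.randbelow(P - 3) + 2      # x, kept private
        self.public = pow(G, self.private, P)            # X = g^x mod p
        self.key = None

    def agree(self, peer_public):
        if not 1 < peer_public < P - 1:
            raise ValueError("public number out of range")
        self.key = pow(peer_public, self.private, P)     # g^(xy) mod p

    def tag(self, sender):
        """Keyed hash of the agreed key under the pre-shared secret."""
        data = sender + b"|" + self.key.to_bytes(16, "big")
        return hmac.new(self.psk, data, hashlib.sha256).digest()

    def accepts(self, peer_name, peer_tag):
        return hmac.compare_digest(self.tag(peer_name), peer_tag)

def run_exchange(psk, interceptor=None):
    """Return (alice_accepts, bob_accepts, reflection_accepted)."""
    alice, bob = Party(b"alice", psk), Party(b"bob", psk)
    # With an interceptor, each side receives Frank's public number instead.
    alice.agree(interceptor.public if interceptor else bob.public)
    bob.agree(interceptor.public if interceptor else alice.public)
    # Frank lacks the pre-shared secret, so he can only relay or replay tags.
    return (alice.accepts(b"bob", bob.tag(b"bob")),
            bob.accepts(b"alice", alice.tag(b"alice")),
            alice.accepts(b"bob", alice.tag(b"alice")))

if __name__ == "__main__":
    print(run_exchange(b"constructed pre-shared secret"))
    frank = Party(b"frank", b"frank does not know the secret")
    print(run_exchange(b"constructed pre-shared secret", frank))
```

In the honest run both confirmations verify; with Frank's public number substituted, Alice and Bob hold different keys and neither confirmation verifies, so the session is rejected.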

Encryption with Diffie-Hellman

• Use Diffie-Hellman to establish a shared secret key, $g^{AB}$, between Alice and Bob
• Encryption: use any secret key encryption scheme with the above secret key

Elliptic Curve Cryptography

• There are known subexponential algorithms for breaking RSA and Diffie-Hellman (a brute-force attack requires an exponential amount of computation), so the required key size is large
• No known subexponential algorithm for breaking ECC
• ECC offers the same security with much smaller key size

[Table: Comparable key sizes in terms of computational effort for cryptanalysis]

Assignments

• Read [Kaufman] Chapter 6
• Homework #1