CS469_669_Chap3_F09


  • 8/3/2019 CS469_669_Chap3_F09

    Chapter 3: Public-Key Cryptography and Message Authentication

    Dr. Sameer Abufardeh

    Dept. of Computer Science
    North Dakota State University

    S.A.1


    Slide 1

    S.A.1 saSameer, 10/2/2009


    CS 469/669 Network Security Chap 3 - Dr. S. Abufardeh 2

    OUTLINE

    Approaches to Message Authentication

    Secure Hash Functions and HMAC

    Public-Key Cryptography Principles

    Public-Key Cryptography Algorithms

    Digital Signatures

    Key Management

    Recall Security Services

    Confidentiality: protection from passive attacks
    Authentication: you are who you say you are
    Integrity: received as sent, no modifications, insertions, shuffling or replays

    Security Attacks

    Passive threats (eavesdropping, monitoring transmissions):
        Release of message contents
        Traffic analysis
    Conventional encryption helped here.

    Security Attacks

    Active threats:
        Masquerade
        Replay
        Modification of message contents
        Denial of service
    Message authentication helps prevent these!

    What Is Message Authentication?

    It's all about the source, of course!
    Procedure that allows communicating parties to verify that received messages are authentic
    Protection against active attack (falsification of data and transactions)

    Authentication

    Requirements - must be able to verify that:
    1. Message source is authentic - masquerading
    2. Contents unaltered - message modification
    3. Sometimes, timely sequencing - replay (message timeliness: not artificially delayed or replayed)

    Approaches to Message Authentication

    Authentication Using Conventional Encryption
        Only the sender and receiver should know the shared key
        Include a time stamp
        Include error detection code and sequence number
    Message Authentication without Message Encryption
        An authentication tag is generated and appended to each message, e.g., hash without encryption
        Message read independent of authentication function
        No message confidentiality
    Message Authentication Code (MAC)
        Use a secret key to generate a small block of data that is appended to the message
        Assume: A and B share a common secret key K_AB
        MAC_M = F(K_AB, M)


    One Way Hash Function

    Hash function accepts a variable size message M as input and produces a fixed-size message digest H(M) as output
    No secret key as input
    Message digest is sent with the message for authentication
    Produces a fingerprint of the message

    One-way HASH function (Using Encryption) (slide 11)

    Shared key
    Authenticity is assured
    Message digest H(M)

    One-way HASH function (Using Encryption) (slide 12)

    Digital signature
    No key distribution
    Less computation since message does not have to be encrypted

    One-way HASH function

    Ideally We Would Like To Avoid Encryption
        Encryption software is slow
        Encryption hardware costs aren't cheap
        Hardware optimized toward large data sizes
        Algorithms covered by patents
        Algorithms subject to export control

    One-way HASH function (Without Encryption) (slide 14)

    A & B should share a secret value (e.g., a random #).
    Secret value is added before the hash and removed before transmission.
    No encryption for message authentication
    Secret value never sent; can't modify the message
    Important technique for Digital Signatures
    Assumes secret value S_AB
    MD_M || M
    MD_M = H(S_AB || M)

    Secure HASH Functions

    Purpose of a HASH function is to produce a fingerprint.
    Properties of a HASH function H:
    1. H can be applied to a block of data at any size
    2. H produces a fixed length output


    Secure HASH Functions

    Properties of a HASH function H:
    4. For any given h, it is computationally infeasible to find x such that H(x) = h (one way property - hard to invert).
        - given a hash code h, find an input x which has the same hash code h
        It's easy to generate a hash code given a message, but virtually impossible to generate a message given a hash code.
        This property is important when the authentication technique uses a secret value (see slide 14).

    Secure HASH Functions

    Properties of a HASH function H:
    5. For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x) (weak collision property).
        Guarantees that it is impossible to find an alternative message with the same hash value as the given message.
        given: x, H(x); find another y where H(y) = H(x)
        Prevents forgery when an encrypted hash code is used (see slides 11 & 12)

    Secure HASH Functions

    Properties of a HASH function H:
    6. It is computationally infeasible to find any pair (x, y) of two distinct inputs such that H(x) = H(y) (strong collision property).
        - collision resistance
        Protects against a class of sophisticated attack known as the birthday attack
        Birthday attacks (time complexity 2^(n/2))
        Reduce the strength of an n-bit hash function from 2^n to 2^(n/2)

    Attacks on hash functions

    Birthday attacks (time complexity 2^(n/2))
        Probability of collision is > 1/2
        We need n >= 128 up to 160
    Pseudo-collision and compression function attacks
    Chaining attacks
    Attacks based on properties of underlying cipher.

    Simple Hash Function

    The input is divided into a sequence of n-bit blocks.
    The input is processed one block at a time in an iterative fashion to produce an n-bit hash function.
        C_i = b_i1 ⊕ b_i2 ⊕ ... ⊕ b_im
    Problem: Eliminate predictability of data
    One-bit circular shift for each block is used to randomize the input
        Rotate current hash value to the left by one bit
        XOR the block into the hash value
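
    The two simple hashes on this slide, as an added example that is not part of the original slides. The 16-bit block width, the function names and the sample messages are constructed for illustration; the last function shows that even the rotated variant fails the weak collision property listed earlier.

```python
# Added illustration of the slide's "simple hash function"; all names and
# sample messages below are constructed, not taken from the slides.

def _blocks(data: bytes, n_bytes: int):
    """Split data into n_bytes-wide integers, zero-padding the last block."""
    if len(data) % n_bytes:
        data += b"\x00" * (n_bytes - len(data) % n_bytes)
    return [int.from_bytes(data[i:i + n_bytes], "big")
            for i in range(0, len(data), n_bytes)]


def _rotl1(value: int, n_bits: int) -> int:
    """One-bit circular left shift of an n_bits-wide value."""
    mask = (1 << n_bits) - 1
    return ((value << 1) | (value >> (n_bits - 1))) & mask


def xor_hash(data: bytes, n_bits: int = 16) -> int:
    """Plain column-wise XOR of all blocks: C_i = b_i1 xor ... xor b_im."""
    h = 0
    for block in _blocks(data, n_bits // 8):
        h ^= block
    return h


def rotated_xor_hash(data: bytes, n_bits: int = 16) -> int:
    """Rotate the running hash left by one bit, then XOR in the next block."""
    h = 0
    for block in _blocks(data, n_bits // 8):
        h = _rotl1(h, n_bits) ^ block
    return h


def matching_final_block(prefix: bytes, target: int, n_bits: int = 16) -> bytes:
    """Final block that forces rotated_xor_hash(prefix + block) == target.

    Every step of the rotated XOR is invertible and keyless, so a second
    message with a chosen hash value can be computed directly.
    """
    n_bytes = n_bits // 8
    if len(prefix) % n_bytes:
        raise ValueError("prefix must be a whole number of blocks")
    state = _rotl1(rotated_xor_hash(prefix, n_bits), n_bits)
    return (state ^ target).to_bytes(n_bytes, "big")


# Constructed sample messages (16 bytes = eight 16-bit blocks each).
ORIGINAL = b"PAY 0100 TO BOB."
REORDERED = ORIGINAL[2:4] + ORIGINAL[0:2] + ORIGINAL[4:]   # first two blocks swapped
ALTERED = b"PAY 9900 TO EVE."

if __name__ == "__main__":
    print("plain XOR, original :", hex(xor_hash(ORIGINAL)))
    print("plain XOR, reordered:", hex(xor_hash(REORDERED)))      # identical
    print("rotated,  original  :", hex(rotated_xor_hash(ORIGINAL)))
    print("rotated,  reordered :", hex(rotated_xor_hash(REORDERED)))  # differs
    block = matching_final_block(ALTERED, rotated_xor_hash(ORIGINAL))
    print("altered + block     :", hex(rotated_xor_hash(ALTERED + block)))
```

    The rotation makes the hash sensitive to block order, but the result is still only a checksum: it becomes an authenticator only when combined with a secret, as the MAC and HMAC slides describe.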

    Secure Hash Algorithm SHA-1

    SHA was developed by NIST in 1993 and revised in 1995.
    The revised version is called SHA-1.
    The input is less than 2^64 bits.
    The output is a fixed 160 bit message digest (MD).
    Steps of SHA-1: see next slide

    Secure Hash Algorithm SHA-1

    Step 1: Append padding bits. The message is padded so its length is congruent to 448 modulo 512.
    Step 2: Append length. A block of 64 bits is appended to the message. This block is an unsigned integer equal to the length of the message before padding.
    Step 3: Initialize MD buffer. A 160 bit buffer is used to hold intermediate and final results of the hash function. The buffer is represented as five 32-bit registers (A, B, C, D, E), which are initialized to some constants (32-bit integers).
    Step 4: Process message in 512 bit (16-word) blocks. The heart of the algorithm is a compression function module that consists of four rounds of processing of 20 steps each. The four rounds have similar structure, but each uses a different primitive logical function, referred to as f1, f2, f3 and f4.
    Step 5: Output. After all L 512-bit blocks have been processed, the output from the Lth stage is the 160-bit message digest.

    Message Digest Generation Using SHA-1

    Every bit of the hash code is a function of every bit of the input!

    SHA-1 Compression Function

    each round has 20 steps which replace the 5 buffer words thus:
    (A,B,C,D,E)

    SHA-1: Processing of single 512-Bit Block

    f: a logical function, different for each round.
    K: a constant, different for each round.
    Each round updates the contents of the 160-bit buffer, i.e., the 5 registers ABCDE.
    Following a certain rule, the 512 bit message block is used to create a 5x512 bit chunk, which is then divided into eighty 32-bit words W_0, W_1, ..., W_79.

    SHA-1: Processing of single 512-Bit Block

    Update of the 160-bit vector ABCDE:
        B = old A
        C = old B (left shift 30 bits)
        D = old C
        E = old D
        A = E + A (left shift 5 bits) + W_t + K + f(t,B,C,D)
    where t is the step #.
    f_2(t,B,C,D) = B ⊕ C ⊕ D
    CV_(q+1) = CV_q + the output of the 4th round
    The addition is done for each of the five words (32-bit), using modulo 2^32.

    Revised Secure Hash Standard

    NIST issued revision FIPS 180-2 in 2002
    adds 3 additional versions of SHA: SHA-256, SHA-384, SHA-512
    designed for compatibility with increased security provided by the AES cipher
    structure & detail is similar to SHA-1
    hence analysis should be similar
    but security levels are rather higher

    SHA-512 Overview

    SHA-512 Process

    Step 1: Append padding bits
    Step 2: Append length
    Step 3: Initialize hash buffer
    Step 4: Process the message in 1024-bit (128-word) blocks, which forms the heart of the algorithm
    Step 5: Output the final state value as the resulting hash

    SHA-512 Compression Function

    heart of the algorithm
    processing message in 1024-bit blocks
    consists of 80 rounds
        updating a 512-bit buffer
        using a 64-bit value W_t derived from the current message block
        and a round constant based on cube root of first 80 prime numbers

    SHA-512 Round Function

    The elements are:
    Ch(e,f,g) = (e AND f) XOR (NOT e AND g)
    Maj(a,b,c) = (a AND b) XOR (a AND c) XOR (b AND c)
    Σ(a) = ROTR(a,28) XOR ROTR(a,34) XOR ROTR(a,39)
    Σ(e) = ROTR(e,14) XOR ROTR(e,18) XOR ROTR(e,41)
    + = addition modulo 2^64
    K_t = a 64-bit additive constant
    W_t = a 64-bit word derived from the current 512-bit input block.


    02/27/06 Hofstra University Network Security Course, CSC290A 33

    MD5 Message Digest

    Ron Rivest - 1992
    specified as Internet standard RFC1321
    Input: arbitrary
    Output: 128-bit digest
    Was the most widely used secure hash algorithm until recently
    in recent times have both brute-force & cryptanalytic concerns
    Security of 128-bit hash code has become questionable (1996, 2004)

    MD5 Overview

    1. Pad message so its length is 448 mod 512
    2. Append a 64-bit original length value to message
    3. Initialise 4-word (128-bit) MD buffer (A,B,C,D)
    4. Process message in 16-word (512-bit) blocks:
        Using 4 rounds of 16 bit operations on message block & buffer
        Add output to buffer input to form new buffer value
    5. Output hash value is the final buffer value

    MD5 Compression Function

    Functions and Random Numbers

    F(x,y,z) == (x ∧ y) ∨ (~x ∧ z)    (selection function)
    G(x,y,z) == (x ∧ z) ∨ (y ∧ ~z)
    H(x,y,z) == x ⊕ y ⊕ z
    I(x,y,z) == y ⊕ (x ∨ ~z)

    SHA-1 vs. MD5

    brute force attack on SHA-1 is harder (160 vs 128 bits for MD5)
    SHA-1 not vulnerable to any known attacks (compared to MD4/5)
    SHA-1 a little slower than MD5 (80 vs 64 steps)
    both designed as simple and compact
    SHA-1 optimised for big endian CPUs (vs MD5 which is optimised for little endian CPUs)

    Whirlpool

    Based on the use of block cipher for compression
    endorsed by European NESSIE project
    uses modified AES internals as compression function
    with performance comparable to dedicated algorithms like SHA

    Whirlpool Overview

    Whirlpool Block Cipher

    designed specifically for hash function use
    with security and efficiency of AES
    but with message length < 2^512 bits as input and a 512-bit message digest
    similar structure & functions as AES but
        input is mapped row wise
        has 10 rounds
        uses different S-box design & values

    Whirlpool Block Cipher W

    Whirlpool Performance & Security

    Whirlpool is a very new proposal
    hence little experience with use
    but many AES findings should apply
    does seem to need more h/w than SHA, but with better resulting performance

    HMAC (HASH MAC)

    Instead of using encryption algorithms, one may develop a MAC derived from a hash function, such as SHA-1.
    Motivations:
        Hash functions execute faster in software than encryption algorithms such as DES.
        Library code for hash functions is widely available.
        No export restrictions on hash functions from the US.
    A hash function (e.g., SHA-1) was not designed for use as a MAC and cannot be used directly to create a MAC, since it does not rely on a secret key.
        E.g., D could create a hash code and claim it is B.
    HMAC was proposed, which can create a MAC using a hash function and a secret key.
    HMAC has been used in IP-security, SSL/TLS, etc.

    HMAC Structure

    HMAC Design Objectives:
        To use available hash functions.
        To allow for easy replaceability of the embedded hash function.
        To preserve the original performance of the hash function
        To use and handle keys in a simple way
        To have a well-understood cryptographic analysis of the strength of the auth. mechanism.

    K+: K padded with zeros on the left so it is b bits
    ipad: 00110110 repeated b/8 times
    opad: 01011100 repeated b/8 times

    HMAC_K(M) = H[(K+ ⊕ opad) || H[(K+ ⊕ ipad) || M]]
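
    The HMAC formula above built directly from a hash function, together with the previous slide's point that a bare hash is not a MAC, as an added example that is not part of the original slides. It follows RFC 2104, where the zero bytes are appended after the key bytes; the key, messages and function names are constructed for illustration.

```python
# Added illustration: HMAC assembled from its definition and checked against
# Python's hmac module. Keys and messages are constructed samples.
import hashlib
import hmac


def _xor(left: bytes, right: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(left, right))


def hmac_from_definition(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """H[(K+ xor opad) || H[(K+ xor ipad) || M]] for the named hash function."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    block_bytes = hashlib.new(hash_name).block_size   # b/8: 64 for SHA-1
    if len(key) > block_bytes:                        # RFC 2104: hash long keys first
        key = h(key)
    k_plus = key.ljust(block_bytes, b"\x00")          # K+: K zero-padded to b bits
    ipad = bytes([0b00110110]) * block_bytes
    opad = bytes([0b01011100]) * block_bytes
    inner = h(_xor(k_plus, ipad) + message)
    return h(_xor(k_plus, opad) + inner)


def verify_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_from_definition(key, message), tag)


def verify_plain_hash(message: bytes, tag: bytes) -> bool:
    """A keyless 'tag' that anyone, including D, can recompute."""
    return hmac.compare_digest(hashlib.sha1(message).digest(), tag)


SHARED_KEY = b"constructed-shared-key-K_AB"            # constructed sample key
GENUINE = b"transfer 100 to account 17"                # constructed sample message
MODIFIED = b"transfer 900 to account 42"               # what D would like to send

if __name__ == "__main__":
    # Without a key, D simply recomputes the hash for the modified message.
    d_hash = hashlib.sha1(MODIFIED).digest()
    print("plain hash accepts modified message:", verify_plain_hash(MODIFIED, d_hash))

    # With HMAC, D lacks K_AB; a tag made with a guessed key does not verify.
    d_tag = hmac_from_definition(b"guessed-key", MODIFIED)
    print("HMAC accepts modified message      :", verify_hmac(SHARED_KEY, MODIFIED, d_tag))

    good_tag = hmac_from_definition(SHARED_KEY, GENUINE)
    print("HMAC accepts genuine message       :", verify_hmac(SHARED_KEY, GENUINE, good_tag))
```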

    HMAC Security

    proved security of HMAC relates to that of the underlying hash algorithm
    attacking HMAC requires either:
        brute force attack on key used
        birthday attack (but since keyed would need to observe a very large number of messages)
    choose hash function used based on speed versus security constraints

    Public-Key Cryptography Principles

    The use of two keys has consequences in: key distribution, confidentiality and authentication.
    The scheme has six ingredients:
        Plaintext
        Encryption algorithm
        Public key
        Private key
        Ciphertext
        Decryption algorithm

    Encryption using Public-Key system

    [Figure: Encryption]

    Authentication using Public-Key System

    [Figure: Authentication]

    Applications for Public-Key Cryptosystems

    Three categories:
        Encryption/decryption: The sender encrypts a message with the recipient's public key.
        Digital signature: The sender signs a message with its private key.
        Key exchange: Two sides cooperate to exchange a session key.

    Requirements for Public-Key Cryptography

    1. Computationally easy for a party B to generate a pair (public key KUb, private key KRb)
    2. Computationally easy for a sender A, knowing the public key and the message M, to generate a ciphertext:
           C = E_KUb(M)
    3. Easy for the receiver B to decrypt ciphertext using its private key:
           M = D_KRb(C) = D_KRb[E_KUb(M)]
    4. Computationally infeasible for an opponent to determine private key (KRb) knowing public key (KUb)
    5. Computationally infeasible for an opponent to recover message M, knowing KUb and ciphertext C
    6. Either of the two keys can be used for encryption, with the other used for decryption:
           M = D_KRb[E_KUb(M)] = D_KUb[E_KRb(M)]

    Public-Key Cryptographic Algorithms

    The most widely used are RSA and Diffie-Hellman
    RSA - Ron Rivest, Adi Shamir and Len Adleman at MIT, in 1977.
        ACM Turing award in 2002.
        RSA is a block cipher
        Applications: Encryption/decryption, Digital signature, and Key exchange
    Diffie-Hellman
        Applications: Exchange a secret key securely
        Based on the difficulty of computing discrete logarithms

    Prime Numbers

    A prime number can be divided, without a remainder, only by itself and by 1. For example, 17 can be divided only by 17 and by 1.
    Some facts:
        The only even prime number is 2. All other even numbers can be divided by 2.
        If the sum of a number's digits is a multiple of 3, that number can be divided by 3.
        No prime number greater than 5 ends in a 5. Any number greater than 5 that ends in a 5 can be divided by 5.
        Zero and 1 are not considered prime numbers.
        Except for 0 and 1, a number is either a prime number or a composite number. A composite number is defined as any number, greater than 1, that is not prime.

    Primality Test

    Deterministic: tests determine with absolute certainty whether a number is prime.
    Probabilistic: tests can potentially (although with very small probability) falsely identify a composite number as prime (although not vice versa).

    Relatively Prime Numbers & GCD

    Two numbers are called relatively prime or co-prime if they have no common divisors greater than 1.
    Using the notation GCD(m,n) to denote the greatest common divisor, two integers m and n are relatively prime if GCD(m,n) = 1
    Example 1: 26 and 51 are relative primes.
    Example 2: 81 and 343 are relative primes.

    The Euler Phi (φ) or Totient function

    Totient function φ(n) is defined as the number of positive integers ≤ n that are relatively prime to (i.e., do not contain any factor in common with) n, where 1 is counted as being relatively prime to all numbers.
    If n is a product of two prime numbers, p and q, then φ(n) = (p-1)(q-1).
    That is, there are (p-1)(q-1) numbers in R which are relatively prime to n.
    Example: p = 3, q = 5, n = 15
        φ(15) = (3-1)(5-1) = 2 * 4 = 8
    φ(n) is always even for n ≥ 3. By convention, φ(0) = 1

    The RSA Algorithm - Key Generation

    The RSA Algorithm - Enc./Dec.

    Encryption:
        Plaintext: M < n
        Ciphertext: C = M^e (mod n)
    Decryption:
        Ciphertext: C
        Plaintext: M = C^d (mod n) = M^(ed) (mod n)
    The plaintext and ciphertext are integers between 0 ~ n-1 for some large integer n.
    Both sender and receiver must know n and e, and only receiver knows d.
    The security of RSA comes from the computational difficulty of factoring large numbers.
        For large p & q, if n is known, it is hard to find p & q.
    The size of a key in RSA typically refers to the size of n.
        E.g., length of n - 1024 bits or about 300 decimal digits.

    RSA Requirements

    It is possible to find values of e, d, n such that M^(ed) = M mod n for all M

    An example of RSA Algorithm

    1. p = 17; q = 11.
    2. n = p x q = 187
    3.
    4. Select e that is relatively prime to , and e
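
    Key generation and Enc./Dec. carried through for the slide's p = 17 and q = 11, as an added example that is not part of the original slides. The public exponent is picked by the code as the smallest odd value coprime to φ(n), an assumption made here because the slide's own choice is cut off; M = 88 and all function names are constructed.

```python
# Added illustration: textbook RSA with the slide's primes p = 17, q = 11.
# The exponent choice and the sample plaintext are assumptions of this example.
from math import gcd


def egcd(a: int, b: int):
    """Extended Euclid: (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a: int, m: int) -> int:
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("a and m are not relatively prime")
    return x % m


def totient_by_counting(n: int) -> int:
    """phi(n) straight from its definition (only sensible for tiny n)."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def generate_keypair(p: int, q: int):
    n = p * q
    phi = (p - 1) * (q - 1)
    e = next(c for c in range(3, phi, 2) if gcd(c, phi) == 1)  # assumption
    d = modinv(e, phi)                        # e*d = 1 (mod phi)
    return (e, n), (d, n)


def encrypt(public, m: int) -> int:
    e, n = public
    if not 0 <= m < n:
        raise ValueError("plaintext must satisfy 0 <= M < n")
    return pow(m, e, n)                       # C = M^e mod n


def decrypt(private, c: int) -> int:
    d, n = private
    return pow(c, d, n)                       # M = C^d mod n


def private_key_from_small_n(public):
    """Why n must be large: a 187-sized n factors by trial division."""
    e, n = public
    p = next(f for f in range(2, n) if n % f == 0)
    return modinv(e, (p - 1) * (n // p - 1)), n


if __name__ == "__main__":
    public, private = generate_keypair(17, 11)
    print("public key (e, n):", public, " private key (d, n):", private)
    print("phi(187) by counting:", totient_by_counting(187))
    c = encrypt(public, 88)                   # 88 is a constructed sample M
    print("C =", c, " decrypted M =", decrypt(private, c))
    print("d recovered from n alone:", private_key_from_small_n(public)[0])
```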

    Diffie-Hellman Key Exchange

    Diffie-Hellman algorithm enables two users to exchange a secret key securely.
    For a given prime number p, a is called a primitive root of p if:
        The numbers

        are distinct and consist of the integers from 1~p in some permutation.
        For any b

    Diffie-Hellman Key Exchange

    Users A and B
    A selects a random integer X_A
    B independently selects a random integer X_B
    Both A and B make its public value (Y_A / Y_B) available to the other side.
    An attacker D could know q, α, Y_A & Y_B, but not X_A & X_B
    To find out X_B (and then K), D must compute a discrete log: X_B = dlog_α,q(Y_B), which has been proved very difficult.
    2^3 = 8 = 1 (mod 7)

    Diffie-Hellman Key Exchange - Algorithm

    K = (Y_B)^X_A mod q
      = (α^X_B mod q)^X_A mod q
      = (α^X_B)^X_A mod q          (by the property of mod)
      = α^(X_B X_A) mod q
      = (α^X_A)^X_B mod q
      = (α^X_A mod q)^X_B mod q    (by the property of mod)
      = (Y_A)^X_B mod q

    At the end, user A and B will share a secret key K, which is not known to others.

    Example

    A & B wish to exchange a key.
    Prime number q = 71, and its primitive root α = 7
    Generate X_A = 5 and X_B = 12, random integers < q
    A computes his public key Y_A = 7^5 mod 71 = 51
    B computes his public key Y_B = 7^12 mod 71 = 4
    After they exchange the public keys, each can compute the shared secret key K:
        A computes K = 4^5 mod 71 = 30
        B computes K = 51^12 mod 71 = 30

    Breaking of Diffie-Hellman

    The Diffie-Hellman key exchange is vulnerable to a man-in-the-middle attack.
    Alice & Bob wish to exchange keys, and Carol is the opponent
    In this attack, an opponent Carol intercepts Alice's public value and sends her own public value to Bob.
    When Bob transmits his public value, Carol substitutes it with her own and sends it to Alice.
    Carol and Alice thus agree on one shared key and Carol and Bob agree on another shared key.
    After this exchange, Carol simply decrypts any messages sent out by Alice or Bob, and then reads and possibly modifies them before re-encrypting with the appropriate key and transmitting them to the other party.
    This vulnerability is present because Diffie-Hellman key exchange does not authenticate the participants. Possible solutions include the use of digital signatures and other protocol variants.

    Defeating the man-in-the-middle attack

    Prior to execution of the protocol, the two parties Alice and Bob each obtain a public/private key pair and a certificate for the public key.
    Prime number p, and its primitive root α
    During the protocol, Alice computes a signature on certain messages, covering the public value α^X_A mod p. Bob proceeds in a similar way.
    Even though Carol is still able to intercept messages between Alice and Bob, she cannot forge signatures without Alice's private key and Bob's private key. Hence, the enhanced protocol defeats the man-in-the-middle attack. (see slide 70 for more details)
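
    The Diffie-Hellman example numbers (q = 71, α = 7, X_A = 5, X_B = 12), the substitution described two slides back, and the signature check from this slide, as an added example that is not part of the original slides. Carol's private value, the toy textbook-RSA signing keys (tiny constructed primes standing in for certificate-backed keys) and the signed-message encoding are assumptions of this example.

```python
# Added illustration: unauthenticated vs. signed Diffie-Hellman.
# Carol's value, the toy signing keys and the message encoding are constructed.
import hashlib

Q, ALPHA = 71, 7          # prime and primitive root from the slide example
X_A, X_B = 5, 12          # private values from the slide example


def dh_public(x: int) -> int:
    return pow(ALPHA, x, Q)


def dh_shared(their_public: int, my_private: int) -> int:
    return pow(their_public, my_private, Q)


def toy_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA signing key from tiny primes (illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))       # (public, private)


def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message: bytes) -> int:
    n, d = private
    return pow(_digest(message, n), d, n)


def verify(public, message: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == _digest(message, n)


def signed_value(sender: str, y: int) -> bytes:
    """What gets signed: the sender's name bound to its DH public value."""
    return f"{sender}|dh-public|{y}".encode()


def accept_public_value(sender: str, certified_key, y: int, signature: int) -> int:
    """Receiver side of the enhanced protocol: verify before using y."""
    if not verify(certified_key, signed_value(sender, y), signature):
        raise ValueError(f"signature on {sender}'s public value does not verify")
    return y


ALICE_PUB, ALICE_PRIV = toy_keypair(10007, 10009)
CAROL_PUB, CAROL_PRIV = toy_keypair(10037, 10039)


def plain_exchange_with_substitution(x_c: int = 9):
    """Unauthenticated DH: both ends accept the substituted value silently."""
    y_c = dh_public(x_c)
    k_alice = dh_shared(y_c, X_A)             # Alice believes Bob holds this key
    k_bob = dh_shared(y_c, X_B)               # Bob believes Alice holds this key
    carol_keys = (dh_shared(dh_public(X_A), x_c), dh_shared(dh_public(X_B), x_c))
    return k_alice, k_bob, carol_keys


def signed_exchange_detects_substitution(x_c: int = 9) -> dict:
    """Bob checks Alice's signature; substituted values are rejected."""
    y_a, y_c = dh_public(X_A), dh_public(x_c)
    sig_a = sign(ALICE_PRIV, signed_value("alice", y_a))
    outcome = {"genuine": accept_public_value("alice", ALICE_PUB, y_a, sig_a)}
    attempts = {
        "reused_signature": (y_c, sig_a),
        "carol_own_key": (y_c, sign(CAROL_PRIV, signed_value("alice", y_c))),
    }
    for name, (y, sig) in attempts.items():
        try:
            accept_public_value("alice", ALICE_PUB, y, sig)
            outcome[name] = "accepted"
        except ValueError:
            outcome[name] = "rejected"
    return outcome


if __name__ == "__main__":
    print("Y_A, Y_B:", dh_public(X_A), dh_public(X_B))
    print("K:", dh_shared(dh_public(X_B), X_A), dh_shared(dh_public(X_A), X_B))
    print("substitution, no signatures:", plain_exchange_with_substitution())
    print("substitution, signed values:", signed_exchange_detects_substitution())
```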

    Other Public-Key Cryptographic Algorithms

    Digital Signature Standard (DSS)
        Makes use of the SHA-1
        Not for encryption or key exchange
        Only for digital signature
    Elliptic-Curve Cryptography (ECC)
        Good security for a small key size (compared with RSA, 1024-bit key), e.g., sensor nodes.
        Low confidence level (only being deployed in product for a few years), compared with RSA (tested for 30 years).
        Very complex

    RSA & Diffie-Hellman

    RSA depends on the difficulty of factoring large prime numbers.
    Diffie-Hellman depends on the difficulty of computing discrete logarithms.

    Key Management

    Two aspects:
        The distribution of Public-Key
        The use of Public-Key encryption to distribute secret keys.

    Henric Johnson 70

    Key Management: Public-Key Certificate Use

    Distributing Shared Secret Keys by using Public-Key Algorithms

    How to distribute shared secret key?
    Using Diffie-Hellman key exchange.
        No authentication of the two parties.
    Using public-key certificate. Bob → Alice (public key KUa; private key KRa)
        If Bob obtained Alice's public key KUa by public-key certificate, then Bob is assured that KUa is a valid key.
        Bob prepares a message.
        Encrypt that message using conventional encryption (e.g., DES) with a one-time conventional session key K (a new key).
        Encrypt the session key K using public-key encryption with Alice's public key KUa.
        Attach the encrypted session key K to the message and send it to Alice.
        Only Alice can decrypt the session key K (by her private key KRa) and recover the original message.
        E_K[message] + E_KUa[K]