Public key cryptography - Villanova...

11/13/14
1
Chapter 22

Outline
❀ Public key cryptography
  • Confidentiality
  • Authentication
  • Integrity
  • Non-repudiation
❀ Key Generation
  • DH (Diffie-Hellman)
  • RSA (Rivest-Shamir-Adleman)
❀ Public Key Certificates and PKI

Public key concept
❀ Sender and receiver do not share a secret key
❀ Each uses a pair of related keys (private, public)
❀ The private decryption key is known only to the receiver
❀ The public encryption key is known to all
[Figure: Alice's private key stays with Alice; copies of Alice's public key are held by everyone else]
❀ Confidentiality without a shared secret
  • With symmetric crypto, two parties must share a secret before they can exchange secret messages

Public Key Confidentiality
❀ Example
  • Alice wants to send a secret message to Bob
[Figure: Alice encrypts "The quick brown fox" with K_Bob,public (0110111010010001) to obtain the ciphertext 4f60ce544b43c13f1d; Bob decrypts 4f60ce544b43c13f1d with K_Bob,private (1001001100111010) and recovers "The quick brown fox"]

Public Key Authentication
❀ Example
  • Bob wants to authenticate the message as coming from Alice
❀ In reality, the hash of the message is encrypted with the private key to provide a digital signature
[Figure: Alice encrypts "The quick brown fox" with K_Alice,private (0110111010010001) to obtain 4f60ce544b43c13f1d; Bob decrypts 4f60ce544b43c13f1d with K_Alice,public (1001001100111010) and recovers "The quick brown fox"]

Digital Signatures
[Figure: Alice hashes "The quick brown fox..." to the digest 85d013f4, encrypts the digest with K_Alice,private to produce the signature a3ff369b, and sends the message together with a3ff369b to Bob. Bob extracts the signature, decrypts a3ff369b with K_Alice,public to recover the digest 85d013f4, hashes the received message himself and compares: "The quick brown fox..." hashes to 85d013f4 (OK); a modified "The quick red fox..." hashes to ad917c7f (Bad!)]
❀ Properties provided by the signature: Integrity, Authentication, Non-Repudiation

Public Key Infrastructure
❀ Enables secure communication between parties that have never met
[Figure: Amazon's private key stays with Amazon; customers hold copies of Amazon's public key]
❀ Exchange messages to create a secret session key
  • Use Amazon's public key to encrypt a secret key
  • Then switch to symmetric cryptography
  • Faster using symmetric key crypto
Outline
❀ Public key cryptography
  • Confidentiality
  • Authentication
  • Integrity
  • Non-repudiation
❀ Key Generation
  • DH (Diffie-Hellman)
  • RSA (Rivest-Shamir-Adleman)
❀ Public Key Certificates and PKI

Diffie-Hellman Protocol
❀ Invented by Diffie and Hellman in 1976
❀ Alice and Bob have never met and share no secrets, but need a shared key
❀ Public info: p and g
  • p is a large prime number; g is a power generator for the set Z_p = {1, 2, ..., p-1}
    ◦ For any x in Z_p there is an a such that x = g^a mod p
[Figure: Alice picks a secret random a and sends Bob g^a mod p together with p and g; Bob picks a secret random b and sends Alice g^b mod p. Bob computes k = (g^a mod p)^b = g^ab mod p; Alice computes k = (g^b mod p)^a = g^ab mod p]
❀ Shared key k = g^ab mod p
❀ THE FOLLOWING IS AN ASSUMPTION (BELIEF)
  • Given g^x mod p it is mathematically hard to extract x

Shared Key in Diffie-Hellman Protocol
❀ One-time generation of an appropriate prime p and power generator g, 2 ≤ g ≤ p − 2
❀ Perform the following steps each time Alice (A) and Bob (B) need a shared key
  • Alice (A) chooses a random secret a, 1 ≤ a ≤ p − 2, and sends B the message g^a mod p, along with p and g
  • Bob (B) chooses a random secret b (as his private key), 1 ≤ b ≤ p − 2, and sends A the message g^b mod p
  • B receives g^a mod p and computes the shared key as k = (g^a mod p)^b mod p
  • A receives g^b mod p and computes the shared key as k = (g^b mod p)^a mod p
  • k = (g^a mod p)^b mod p = g^ab mod p = (g^b mod p)^a mod p
❀ Example with p = 7 and g = 3:
  • Alice's private key = 5, Bob's private key = 4
  • Alice's public key = 3^5 mod 7 = 5, Bob's public key = 3^4 mod 7 = 4
  • Alice's shared key = 4^5 mod 7 = 2, Bob's shared key = 5^4 mod 7 = 2

Man-in-the-middle attack
❀ The Diffie-Hellman key exchange is vulnerable to a man-in-the-middle attack
  • An opponent Eve intercepts Alice's public key and sends her own public key to Bob
    ◦ When Bob transmits his public key B, Eve substitutes it with her own E and sends it to Alice
    ◦ Eve and Alice thus agree on one shared key, and Eve and Bob agree on another shared key
    ◦ After this exchange, Eve simply decrypts any messages sent out by Alice or Bob, reads and modifies them before re-encrypting with her other key and sending them to the other party

Solution to man-in-the-middle attack
❀ The man-in-the-middle vulnerability is present because Diffie-Hellman key exchange does not authenticate the parties
❀ The Station-to-Station (STS) protocol was developed by Diffie, van Oorschot, and Wiener in 1992 to defeat the man-in-the-middle attack
  • Add digital signatures, signed by the private key, for both g^a mod p and g^b mod p in the exchange messages
  • Eve cannot forge signatures without compromising both Alice's private key and Bob's private key
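The exchange from the two Diffie-Hellman slides, and the reason the man-in-the-middle slide gives for needing STS signatures, worked in code. This is an added example, not the deck's own code: p = 7, g = 3, a = 5, b = 4 are the slides' values; p = 23, g = 5 and the secrets passed to mitm_simulation are constructed for illustration.

```python
# Toy Diffie-Hellman following the slides, plus a simulation of the unauthenticated
# exchange the man-in-the-middle slide describes. Added example, not the deck's code.
# p = 7, g = 3, a = 5, b = 4 come from the slides; p = 23, g = 5 are constructed.

def dh_public(g: int, secret: int, p: int) -> int:
    """Public value g^secret mod p (the message each party sends)."""
    return pow(g, secret, p)

def dh_shared(peer_public: int, secret: int, p: int) -> int:
    """Shared key k = (g^x mod p)^secret mod p = g^(x*secret) mod p."""
    return pow(peer_public, secret, p)

def is_generator(g: int, p: int) -> bool:
    """Brute-force check (fine for a toy p) that g generates all of Z_p = {1, ..., p-1}."""
    return len({pow(g, i, p) for i in range(1, p)}) == p - 1

def slide_example() -> dict:
    """Reproduce the slide: p = 7, g = 3, Alice's a = 5, Bob's b = 4."""
    p, g, a, b = 7, 3, 5, 4
    assert is_generator(g, p)
    A, B = dh_public(g, a, p), dh_public(g, b, p)       # 3^5 mod 7 = 5, 3^4 mod 7 = 4
    return {"A": A, "B": B,
            "k_alice": dh_shared(B, a, p),              # 4^5 mod 7 = 2
            "k_bob": dh_shared(A, b, p)}                # 5^4 mod 7 = 2

def mitm_simulation(p: int, g: int, a: int, b: int, e: int) -> dict:
    """Eve (secret e) replaces each party's public value with her own g^e mod p.
    Alice and Bob then hold different keys, each shared with Eve, and nothing in
    the exchanged numbers reveals the substitution: the values are unauthenticated.
    Signing g^a mod p and g^b mod p (STS) is what lets the endpoints detect it."""
    E = dh_public(g, e, p)
    k_alice = dh_shared(E, a, p)     # Alice believes this key is shared with Bob
    k_bob = dh_shared(E, b, p)       # Bob believes this key is shared with Alice
    return {"alice_and_bob_agree": k_alice == k_bob,
            "eve_has_alice_key": dh_shared(dh_public(g, a, p), e, p) == k_alice,
            "eve_has_bob_key": dh_shared(dh_public(g, b, p), e, p) == k_bob}

if __name__ == "__main__":
    print(slide_example())                       # {'A': 5, 'B': 4, 'k_alice': 2, 'k_bob': 2}
    assert is_generator(5, 23)                   # constructed demo parameters
    print(mitm_simulation(23, 5, 6, 15, 7))      # agree: False, Eve holds both keys
```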

Outline
❀ Public key cryptography
  • Confidentiality
  • Authentication
  • Integrity
  • Non-repudiation
❀ Key Generation
  • DH (Diffie-Hellman)
  • RSA (Rivest-Shamir-Adleman)
❀ Public Key Certificates and PKI
RSA Public Key Crypto
❀ Invented by Rivest, Shamir, Adleman in 1977
❀ Key generation:
  • Generate large primes p, q
    ◦ typically 1024 bits or more in length
  • Compute n = pq and ϕ(n) = (p-1)(q-1); n is about 2048 bits in length
  • Choose small e, relatively prime to ϕ(n), with 1 < e < ϕ(n)
    ◦ Typically, e = 2^16 + 1 = 65537 or larger
  • Compute the unique d such that ed = 1 mod ϕ(n) and 1 < d < ϕ(n)
  • Public key = (e, n); private key = (d, n)
❀ Encryption of m (m < n): c = m^e mod n
❀ Decryption of c: c^d mod n = (m^e)^d mod n = m

RSA Example
❀ Select primes: p = 5, q = 7
❀ Calculate n = pq = 5 x 7 = 35
❀ Calculate ϕ(n) = (p-1)(q-1) = 4 x 6 = 24
❀ Select e: gcd(e, 24) = 1; choose e = 5
❀ Determine d: de = 1 mod 24 and d < 24 → d = 5 since 5 x 5 = 25 = 4 x 6 + 1
❀ Public key = (5, 35) and private key = (5, 35)
❀ Given message m = 9 (9 < 35)
  • Encryption:
    ◦ c = 9^5 mod 35 = 59049 mod 35 = 4
  • Decryption:
    ◦ m = 4^5 mod 35 = 1024 mod 35 = 9
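The key-generation steps and the p = 5, q = 7 example above, together with the hash-then-sign construction from the Digital Signatures slide, as an added example that is not the deck's code. It is unpadded "schoolbook" RSA for understanding the arithmetic only; the Mersenne primes used in signature_example are constructed so that a SHA-256 digest reduced mod n keeps most of its bits.

```python
import hashlib
import math

# Textbook RSA following the slides' key-generation steps: added example, not the
# deck's code. Unpadded schoolbook RSA, for understanding the arithmetic only.

def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Return ((e, n), (d, n)) from primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if e <= 1 or e >= phi or math.gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)          # modular inverse: e*d = 1 mod phi(n) (Python 3.8+)
    return (e, n), (d, n)

def rsa_encrypt(m: int, public: tuple) -> int:
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)          # c = m^e mod n

def rsa_decrypt(c: int, private: tuple) -> int:
    d, n = private
    return pow(c, d, n)          # m = c^d mod n

def digest_int(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced into Z_n (the 'digest' of the signature slide)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def rsa_sign(message: bytes, private: tuple) -> int:
    """Signature = digest 'encrypted' with the private key, as in the slides."""
    d, n = private
    return pow(digest_int(message, n), d, n)

def rsa_verify(message: bytes, signature: int, public: tuple) -> bool:
    """Bob recovers the digest with the public key and compares with his own hash."""
    e, n = public
    return pow(signature, e, n) == digest_int(message, n)

def slide_example() -> dict:
    """p = 5, q = 7, e = 5 gives n = 35, phi = 24, d = 5; m = 9 encrypts to 4."""
    public, private = rsa_keygen(5, 7, 5)
    c = rsa_encrypt(9, public)
    return {"public": public, "private": private, "c": c, "m": rsa_decrypt(c, private)}

def signature_example() -> tuple:
    """Constructed Mersenne primes 2^61-1 and 2^89-1 (gcd(65537, phi) = 1 holds)."""
    public, private = rsa_keygen(2**61 - 1, 2**89 - 1, 65537)
    sig = rsa_sign(b"The quick brown fox...", private)
    return (rsa_verify(b"The quick brown fox...", sig, public),   # True: OK
            rsa_verify(b"The quick red fox...", sig, public))     # False: Bad!
```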
Public-Key Encryption
❀ Key generation:
  • Computationally feasible to generate a pair of (public key PK, private key SK)
  • Computationally infeasible to determine the private key SK from the public key PK
❀ The size of a key in the RSA algorithm typically refers to the size of the modulus n
  • The two primes p and q, which compose the modulus, should be of roughly equal length
    ◦ This makes the modulus harder to factor than if one of the primes is much smaller than the other
    ◦ If one chooses to use a 2048-bit modulus, the primes should each have length approximately 1024 bits

Disadvantages of RSA Public-Key Crypto
❀ Public key crypto computation is 3 orders of magnitude slower than symmetric crypto
  • Modular exponentiation is an expensive computation
  • Typical usage: use public-key cryptography to establish a shared secret, then switch to symmetric crypto
    ◦ IPsec, SSL, PGP, etc.
❀ Keys are longer for the same strength
  • 2048 bits (RSA) rather than 128 bits (AES)
❀ Relies on the unproven assumption that factoring n into p and q is computationally infeasible
RSA Challenge
❀ Sponsored by RSA Security
❀ Let n be an RSA Number
❀ There are prime numbers p and q such that n = pq
❀ The problem is to find these two primes, given only n
❀ Use a massively parallel supercomputer to solve the problem

RSA Number   Binary digits   Cash prize     Date               Factored by
RSA-100      330             (none)         April 1991         A. K. Lenstra
RSA-110      364             (none)         April 1992         A. K. Lenstra and M. S. Manasse
RSA-120      397             (none)         June 1993          T. Denny et al.
RSA-129      426             $100 USD       April 1994         A. K. Lenstra et al.
RSA-130      430             (none)         April 1996         A. K. Lenstra et al.
RSA-140      463             (none)         February 1999      Herman J. J. te Riele et al.
RSA-150      496             (none)         April 2004         Kazumaro Aoki et al.
RSA-155      512             (none)         August 1999        Herman J. J. te Riele et al.
RSA-160      530             (none)         April 2003         Jens Franke et al., University of Bonn
RSA-576      576             $10,000 USD    December 2003      Jens Franke et al., University of Bonn
RSA-640      640             $20,000 USD    November 2005      Jens Franke et al., University of Bonn
RSA-200      663             (none)         May 2005           Jens Franke et al., University of Bonn
RSA-704      704             $30,000 USD    open
RSA-768      768             $50,000 USD    January 24, 2010   T. Kleinjung et al., EPFL IC LACAL
RSA-1536     1536            $150,000 USD   open
RSA-2048     2048            $200,000 USD   open

RSA vs. DH
❀ RSA:
  • Generates a pair of (public, private) keys
  • Provides encryption and decryption
  • For key agreement
  • For signature
❀ DH:
  • Generates one shared key
  • Does not provide encryption and decryption (use with DES or AES)
  • For key agreement
  • Not for signature

Elliptic Curve Cryptography (ECC)
❀ Elliptic curve (EC) cryptography is the next generation of public key cryptography
❀ Uses elliptic curves over finite fields (variables and coefficients are finite)
  • E.g. y^2 = x^3 + ax + b
❀ Given an elliptic curve and points G and Q on the curve, Q = d*G
  • Q: public key
  • d: private key
❀ It is feasible to compute Q given d and G
  • But it is infeasible to find d given Q and G

ECC Applications
❀ Key Agreement
  • ECDH: Elliptic Curve Diffie-Hellman
    ◦ Allows two parties, each having an elliptic curve public-private key pair, to establish a shared secret over an insecure channel
      ▪ The shared secret may be used directly as a key, or to derive another key which will be used to encrypt subsequent communication using a symmetric key cipher
❀ Digital Signatures
  • ECDSA: Elliptic Curve Digital Signature Algorithm
❀ Benefits
  • The primary benefit is a smaller key size; for example, a 256-bit ECC public key should provide comparable security to a 3072-bit RSA public key
  • Requires less computing power
    ◦ Good for mobile devices
  • Better security
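The two ECC slides above in working arithmetic: the group law on y^2 = x^3 + ax + b over a prime field, Q = d*G by double-and-add, and ECDH agreement, as an added example that is not the deck's code. The curve y^2 = x^3 + 2x + 2 over F_17 with G = (5, 1) is a constructed textbook-size curve (19 points), chosen so that the brute-force recovery of d, which shows what "infeasible" means at real sizes, still finishes instantly here.

```python
# Toy elliptic-curve arithmetic over a prime field: added illustration of Q = d*G
# and of ECDH, not the deck's code. The curve and base point are constructed
# textbook-size values, not a real-world curve.

P, A, B = 17, 2, 2          # field prime and curve coefficients: y^2 = x^3 + 2x + 2 over F_17
G = (5, 1)                  # base point (assumed; it lies on the curve and has order 19)
INF = None                  # point at infinity (group identity)

def on_curve(pt) -> bool:
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def point_add(p1, p2):
    """Chord-and-tangent group law on the curve over F_P."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                          # p1 == -p2
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P      # tangent slope
    else:
        s = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P       # chord slope
    x3 = (s * s - x1 - x2) % P
    y3 = (s * (x1 - x3) - y1) % P
    return (x3, y3)

def scalar_mult(d: int, pt):
    """Compute d*pt by double-and-add: feasible even for huge d (this is Q = d*G)."""
    result, addend = INF, pt
    while d > 0:
        if d & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        d >>= 1
    return result

def ecdh(d_alice: int, d_bob: int) -> tuple:
    """Each side multiplies the other's public point by its own secret; both get d_a*d_b*G."""
    q_alice, q_bob = scalar_mult(d_alice, G), scalar_mult(d_bob, G)
    return scalar_mult(d_alice, q_bob), scalar_mult(d_bob, q_alice)

def recover_secret(q) -> int:
    """Find d with Q = d*G by trying every multiple: only possible because this curve is tiny."""
    d, pt = 1, G
    while pt != q:
        pt, d = point_add(pt, G), d + 1
    return d
```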
Outline
❀ Public key cryptography
  • Confidentiality
  • Authentication
  • Integrity
  • Non-repudiation
❀ Key Generation
  • DH (Diffie-Hellman)
  • RSA (Rivest-Shamir-Adleman)
❀ Public Key Certificates and PKI

Root of Internet security: Public-Key Crypto
❀ Confidentiality without a shared secret
  • With symmetric crypto, two parties must share a secret before they can exchange secret messages
❀ Make sure that Alice's public key is AUTHENTIC
  • Need a PUBLIC KEY INFRASTRUCTURE for authentication of public keys
    ◦ Certificate authority (CA)
    ◦ A certificate contains the public key and a signature signed by a CA
[Figure: Alice's private key stays with Alice; copies of Alice's public key are held by others]

Distribution of Public Keys
❀ Public-key certificate
  • Signed statement specifying the key and identity
❀ PUBLIC KEY INFRASTRUCTURE
  • Certificate authority (CA)
    ◦ Responsible for certifying the public key for Alice
    ◦ Re-issuance of certificates when they expire
  • After Alice generates a private/public key pair, she proves her identity and knowledge of the private key to obtain the CA's certificate for the public key (offline or online)
  • Certificate: sig_CA("Alice", PK_Alice) + "Alice" + PK_Alice
  • Every host is pre-configured with the CA's public key in a certificate
    ◦ Root CA certificate
  • Every router/switch can be equipped with the CA's public key in a certificate as well

Public-Key Infrastructure and Certificate
❀ Authenticity of public keys depends on the authenticity of the CA's public key, PK_verisign
[Figure: the CA (Verisign) passes "Amazon.com (subject ID) and public key" through a hash function and a signature function keyed with Verisign's private key; the resulting certificate is sent to an online customer, who verifies Amazon's certificate using PK_verisign. CA certificates are installed by Microsoft, Apple, Firefox, etc. Browser screenshot: "Click here for security info"]

[Figure: browser screenshots of an unencrypted connection and an encrypted connection]

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
❀ Amazon HTTPS servers use ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS (Transport Layer Security) is used to transfer data between client and server
  • ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) is used to derive the secret key (128 bits long) for data encryption
  • RSA is used to verify the server's identity. The server's public key is then used to exchange the shared ECDHE key
  • Client and server use the ECDHE shared key to encrypt data using AES-128 (Advanced Encryption Standard) in GCM (Galois/Counter Mode)
  • SHA256 is not needed for integrity here (AES-GCM provides integrity and confidentiality), but it may be used to provide integrity of the TLS handshake process.
[Figure: certificate summary as shown by the browser]

X.509 Certificate format
  Certificate
    Version
    Serial Number
    Algorithm ID
    Issuer
    Validity
      Not Before
      Not After
    Subject
    Subject Public Key Info
      Public Key Algorithm
      Subject Public Key
    Issuer Unique Identifier (Optional)
    Subject Unique Identifier (Optional)
    Extensions (Optional)
    ...
  Certificate Signature Algorithm
  Certificate Signature
[Figure: certificate viewer screenshot showing the fields Version, Serial No., Signature Algorithm, Issuer, Valid period, Subject, Subject Public Key Info, Extensions, Signature Algo., Signature Value]

Certificate details
[Figure: certificate details screenshot showing the same fields]

Certificate details
[Figure: certificate details screenshot showing Version, Serial No., Signature Algorithm, Issuer, Valid period, Subject, Subject Public Key Info, Extensions, Signature Algo., Signature Value; signed by Verisign]

Certificate Classes
❀ VeriSign introduced the concept of classes of digital certificates:
  • Class 1: for individuals
    ◦ For email
  • Class 2: for organizations
    ◦ For proof of identity
  • Class 3: for server identity and software signing
    ◦ Verification of identity and authority is done by the issuing certificate authority (CA)
  • Class 4: for online business transactions between companies
  • Class 5: for government security

Hierarchical Approach
❀ Trusted root authority
  • For example, Verisign
  • Every host must know the public key for verifying the root authority's signatures
    ◦ The root CA's certificate is installed by the OS when the OS is installed
    ◦ The root CA's certificate is installed by Firefox when Firefox is installed
  • Multiple trusted root CAs
❀ The root authority signs certificates for lower-level authorities, lower-level authorities sign certificates for individual users, and so on
  • Instead of a single root CA certificate, use a certificate chain
    ◦ sig_Verisign("Auburn.edu", PK_AU), sig_AU("Alice", PK_Alice)
    ◦ The certificate chain, also known as the certification path, is a list of certificates used to authenticate an entity

Certificate chain, aka certification path
❀ Before a certificate is trusted, it must be verified that it comes from a trusted source
  • This verification process is called path validation
    ◦ Path validation involves processing public key certificates and their issuer certificates in a hierarchical fashion until the certification path terminates at a trusted, self-signed certificate
      ▪ Typically, this is a root CA certificate

Certificate Revocation
❀ Reasons to revoke a certificate
  • The private key corresponding to the certified public key has been compromised
  • Host/user/organization changes
❀ Certificate revocation list (CRL)
  • The CA periodically issues a signed list of revoked certificates
    ◦ Credit card companies used to issue thick books of canceled credit card numbers
  • The CA issues a "delta CRL" containing only updates
  • The certificate's unique serial number is used to check the CRL
❀ A host/router/switch can be configured to check against the CRL
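Path validation along the Verisign → Auburn.edu → Alice chain from the Hierarchical Approach slides, with the validity-period and CRL serial checks from the revocation slide, as an added example that is not the deck's code. It is a toy model, not X.509 parsing: a certificate is a dict, signatures are schoolbook RSA on a SHA-256 digest with constructed Mersenne-prime keys, the trust store is a set of root public keys, and the CRL is a set of (issuer, serial) pairs.

```python
import hashlib
from datetime import date

# Toy model of path validation and CRL checking as the slides describe them.
# Added illustration, not the deck's code and not real X.509: certificates are
# dicts, signatures are schoolbook RSA (digest^d mod n) with constructed keys.

def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def pub(key):
    return (key["n"], key["e"])

def tbs_digest(cert, n) -> int:
    """Hash of the to-be-signed fields, reduced into Z_n of the issuer's key."""
    fields = (cert["serial"], cert["subject"], cert["issuer"], cert["pk"],
              cert["not_before"], cert["not_after"])
    return int.from_bytes(hashlib.sha256(repr(fields).encode()).digest(), "big") % n

def issue(serial, subject, pk, issuer_name, issuer_key, not_before, not_after):
    cert = {"serial": serial, "subject": subject, "issuer": issuer_name, "pk": pk,
            "not_before": not_before, "not_after": not_after}
    cert["sig"] = pow(tbs_digest(cert, issuer_key["n"]), issuer_key["d"], issuer_key["n"])
    return cert

def sig_ok(cert, issuer_pk) -> bool:
    n, e = issuer_pk
    return pow(cert["sig"], e, n) == tbs_digest(cert, n)

def validate_path(chain, trust_anchors, crl, today):
    """chain = [end entity, ..., root]. Walk toward the root checking the validity
    period, revocation by (issuer, serial) and each signature against the next
    certificate's key; succeed only when the path ends at a trusted self-signed root."""
    for i, cert in enumerate(chain):
        if not cert["not_before"] <= today <= cert["not_after"]:
            return False, f"{cert['subject']}: outside validity period"
        if (cert["issuer"], cert["serial"]) in crl:
            return False, f"{cert['subject']}: serial {cert['serial']} revoked"
        issuer = cert if i == len(chain) - 1 else chain[i + 1]
        if issuer["subject"] != cert["issuer"] or not sig_ok(cert, issuer["pk"]):
            return False, f"{cert['subject']}: signature by {cert['issuer']} does not verify"
        if issuer is cert:
            ok = cert["pk"] in trust_anchors
            return ok, "terminates at a trusted root" if ok else "self-signed but untrusted"
    return False, "empty chain"

def demo(today=date(2014, 11, 13)) -> dict:
    """Build the slides' chain Verisign -> Auburn.edu -> Alice and validate it four ways."""
    root = make_key(2**89 - 1, 2**107 - 1)        # constructed Mersenne-prime keys
    au = make_key(2**61 - 1, 2**127 - 1)
    alice = make_key(2**31 - 1, 2**19 - 1)
    c_root = issue(1, "Verisign", pub(root), "Verisign", root, date(2010, 1, 1), date(2030, 1, 1))
    c_au = issue(2, "Auburn.edu", pub(au), "Verisign", root, date(2013, 1, 1), date(2016, 1, 1))
    c_alice = issue(3, "Alice", pub(alice), "Auburn.edu", au, date(2014, 1, 1), date(2015, 1, 1))
    chain, anchors = [c_alice, c_au, c_root], {pub(root)}
    return {"valid": validate_path(chain, anchors, set(), today)[0],
            "revoked": validate_path(chain, anchors, {("Auburn.edu", 3)}, today)[0],
            "expired": validate_path(chain, anchors, set(), date(2015, 6, 1))[0],
            "untrusted_root": validate_path(chain, set(), set(), today)[0]}
```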
PKCS Standards
❀ The Public-Key Cryptography Standards (PKCS) are a set of standards for public-key cryptography, developed by RSA Laboratories in cooperation with an informal consortium, originally including Apple, Microsoft, DEC, Lotus, Sun and MIT

Name (version): Comments
PKCS #1 (2.1), RSA Cryptography Standard: Also defined in RFC 3447. Defines the format of RSA encryption keys, public and private, and the encryption and signature schemes.
PKCS #3 (1.4), Diffie-Hellman Key Agreement Standard: Also defined in RFC 2631. A cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel.
PKCS #6 (1.5), Extended-Certificate Syntax Standard: Defines extensions to the old v1 X.509 certificate specification and is obsoleted by v3 X.509. This standard describes syntax for extended certificates, consisting of a certificate and a set of attributes, collectively signed by the issuer of the certificate. The intended application of this standard is to extend the certification process beyond just the public key to certify other information about the given entity.
PKCS #7 (1.5), Cryptographic Message Syntax Standard: Also defined in RFC 2315. This standard describes general syntax for data that may have cryptography applied to it, such as digital signatures, encryption and digital envelopes. It can also be used for certificate dissemination (for instance as a response to a PKCS #10 message).
PKCS #8 (1.2), Private-Key Information Syntax Standard: This standard describes syntax for private-key information, including a private key for some public-key algorithm and a set of attributes. The standard also describes syntax for encrypted private keys.
PKCS #9 (2.0), Selected Attribute Types: Defines selected attribute types for use in PKCS #6 extended certificates, PKCS #7 digitally signed messages, PKCS #8 private-key information, and PKCS #10 certificate-signing requests.
PKCS #10 (1.7), Certification Request Standard: Also defined in RFC 2986. This standard describes syntax for a request for certification of a public key, a name, and possibly a set of attributes.
PKCS #12 (1.0), Exchange of public and private objects: PKCS #12 evolved from the PFX (Personal inFormation eXchange) standard and is used to define a portable file format commonly used to store private keys with accompanying public key certificates, protected with a password-based symmetric key.
PKCS #13 (under development), Elliptic Curve Cryptography Standard: Public-key techniques based on elliptic curve cryptography.