crypto Digital Signature Diffie Hell man.ppt

1
Computer Security
Modern Cryptography:
Public Key Cryptosystems

2
What Problems are We Solving?
• Public key cryptography came about as a solution to two
problems:
– Key Distribution
• With private key cryptosystems, a major problem is how keys are
distributed to a set of message senders and recipients.
– Digital Signatures
• Could a method be found that would guarantee, to the satisfaction of all
parties, that a digital message had been sent by a particular person?

3
Secret Key Distribution
• Assume that we have n people,
each of whom needs to
communicate with all the others
privately.
• We therefore need a separate
secret key for each pair of
people.
• How many keys do we need to
distribute, in total?
2
)
1
( 
n
n
• How does this value change,
as we increase n?
Number of Secret Keys Required
0
5
10
15
20
25
30
35
40
45
50
1 2 3 4 5 6 7 8 9 10
Number of People
Number
of
Keys
It increases very rapidly!

4
Diffie/Hellman
• In 1976, Whitfield Diffie and Martin Hellman, then at
Stanford University, came up with a method that addressed
both problems.
– Their method was radically different from all previous methods
used in cryptography -- it is a Public Key Cryptosytem
• It uses two different keys:
– One key for encryption, and
– A different key for decryption

5
• Public Key cryptography relies on the following:
– It is computationally infeasible to determine the decryption key,
given only knowledge of the cryptographic algorithm and the
encryption key (and vice versa)
• In some public key algorithms (including RSA):
– Either of the two keys can be used for encryption, with the other
being used for decryption.

6
• The components of a public key encryption scheme are:
– Plaintext, P
– An Encryption Algorithm, E
– A Public Key, KU and a Private key, KR
• A pair of keys which have been selected so that if one is used for
encryption, the other is used for decryption
– Ciphertext, C
– A Decryption Algorithm, D

7
• A public key cryptosystem can be used to provide confidentiality:
– Each user generates a pair of keys
– Each user makes one of the two keys public; the matching key is kept
private
– If Bob wishes to send a secret message to Alice, he encrypts the
message using Alice's public key
– When Alice receives the message, she decrypts it using her private
key. Only Alice knows her private key.
)
(P
E
C Alice
KU

)
(C
D
P Alice
KR


8
• However, a public key cryptosystem can also be used to
provide authentication:
– Bob encrypts a message with his private key (which only he knows),
and sends it to Alice:
– Alice decrypts the received message using Bob's public key:
)
(P
E
C Bob
KR

)
(P
E
C Bob
KU


9
Digital Signatures
• In this case, Bob is said to have digitally signed the
message; the message constitutes a digital signature.
– Because it is impossible to alter the message without access to Bob's
private key, the message is authenticated in terms of:
• Its source (it really came from Bob)
• Its data integrity (it is the same message that Bob sent)

10
Digital Signatures
• Normally, a digital signature is not an encryption of the entire
message. This approach is not terribly efficient.
• A more efficient method is to encrypt a small block of bits, called
an authenticator, that is a function of the document.
– It must be infeasible to change the document without changing the
authenticator
– If the authenticator is encrypted with Bob's (the sender's) private
key, it functions as a signature that verifies:
• Origin
• Content
• Sequencing
• The message (in plaintext) is accompanied by its authenticator.

11
Digital Signatures
• Note that digital signatures provide authentication, but not
confidentiality.
– Since the public key is known to all, anyone can decrypt the
message.

12
Digital Signatures
• However, it is possible to provide both, using a double use of the
public key scheme:
– The first encryption provides the digital signature.
– The second provides the confidentiality.
))
(
(
))
(
(
C
D
D
P
P
E
E
C
Alice
Bob
Bob
Alice
KR
KU
KR
KU



13
Public Key Cryptography Requirements
• Diffie and Hellman laid out the following requirements:
– It is computationally easy for a party (Bob) to generate a key pair KUBob and
KRBob
– It is computationally easy for a sender (Alice), knowing the public key,
KUBob, and the message to be encrypted, P, to generate the corresponding
ciphertext
– It is computationally easy for the receiver (Bob) to decrypt the resulting
ciphertext using the private key, KRBob, to recover the original message
– It is computationally infeasible for an attacker, knowing the public key,
KUBob, to determine the private key, KRBob.
• One useful, but not strictly necessary, additional requirement:
– The encryption and decryption functions can be applied in either order:
))
(
(
))
(
( P
E
D
P
D
E
P Bob
Bob
Bob
Bob KR
KU
KR
KU 


14
RSA
• Diffie and Hellman demonstrated the possibility of public key
cryptography, but did not immediately come up with a practical
implementation.
• However, they did challenge their colleagues to come up with
one.
• The challenge was answered in 1977 by Ron Rivest, Adi Shamir,
and Leonard Adleman, at MIT.
– They came up with the RSA algorithm
– Since its inception, RSA has dominated as the most widely accepted
and implemented public key algorithm.

15
The Mathematics of RSA
• RSA achieves its security from the difficulty of factoring
large numbers.
– The public and private keys are functions of a pair of large
(on the order of hundreds or even thousands of binary
digits) prime numbers.
– Based on a One-Way Trapdoor Function:
• Given the publicly known values n and e, it is easy to compute
me
mod n
from m, but not the other way around.
• If you know the factorization of n, then it is easy to do the inverse
calculation; the factorization of n is the trapdoor information.

16
• To generate the two keys:
– Choose two random large prime numbers, p and q. (For maximum
security, make them of equal length).
– Compute the product of the two: n = pq
– Then, randomly choose the encryption key, e, such that
e and ( = (p - 1)(q - 1) ) *
are relatively prime.
– Use the extended Euclidean algorithm to compute the decryption
key, d, the multiplicative inverse of , such that:
(Note that d and n are also relatively prime.)
)
1
)(
1
(
mod
:
or
)
1
)(
1
(
mod
1
1







q
p
e
d
q
p
ed
)
(
mod n
e 
)
(n

*Remember Euler's totient function?

17
• The pair of numbers (e, n) is the public key
• The number d is the private key
• The prime numbers p and q are no longer needed, and can
be discarded (but never divulged!)

18
• To encrypt a block of plaintext, P, the encryption formula is:
• Decryption is:
Why does Ped
= P?
n
P
C e
mod

  )
mod
all
(
:
since
mod
n
P
P
P
C
n
C
P
ed
d
e
d
d





19
 
 
 
 
 
n
m
n
m
n
m
m
m
m
p
n
m
kcn
m
kcpq
m
m
cp
m
cp
m
p
m
q
m
m
q
m
n
a
n
a
k
k
n
q
p
k
n
k
n
n
p
q
q
n
mod
theorem
s
Euler'
by
,
mod
1
mod
:
is
this
of
form
e
alternativ
An
.
for
Similarly,
mod
:
by
sides
both
g
multiplyin
and,
,
then
,
of
multiple
a
is
If
mod
1
:
and
mod
1
:
so
mod
1
:
prime
relatively
are
that
and
every
for
that,
says
Theorem
s
Euler'
)
(
1
)
1
)(
1
(
1
)
(
1
)
(
)
(
)
(
)
(
)
(
)
(































20
• So, to satisfy all the above math requirements:
– We choose p, q, two prime numbers
– We calculate n = pq
– We choose e, with
– We calculate
and so:
)
(
1
;
1
)
),
(
gcd( n
e
e
n 
 


)
(
mod
1
n
e
d 


)
(
mod
)
(
mod
1
:
ly
equivalent
or
1
)
(
1
n
e
d
n
ed
n
k
ed









21
Exponentiating with Big Numbers
• Remember how we talked about exponentiation mod n?
– The numbers we're talking about (n, p, q, e, d) are thousands of
binary digits long, so if we tried to raise something which is
thousands of binary digits to the power of something that is also
thousands of binary digits long:
"Raising a 150-digit number to a 150-digit power by this method
[conventional computer arithmetic] would exhaust the capacity of all
existing computers for more than the expected lifetime of the universe,
and this would not be cost-effective." (Textbook, p. 154)
– However, if you use modular reduction after each multiplication,
exponentiation mod n remains within reasonable bounds.

22
Finding Large Prime Numbers
• We learned earlier now to come up with a set of small prime
numbers (Sieve of Eratosthenes), but this is not a practical
algorithm for very large primes.
• It turns out that there is no known practical method for absolutely
determining that a number of this size is prime.
• However, there is a test for whether a number is probably prime;
the more time we spend testing a number the more sure we are
that the number is prime.

23
• We can use Euler's Theorem:
– For any a relatively prime to n,
– In the case where n is prime, , and the theorem takes on
a different form and name: Fermat's Theorem:
n
a n
mod
1
)
(


1
)
( 
n
n

p
a
p
a
p
p
mod
1
,
0
and
prime
is
If
1





24
• Does hold even when n is not prime?
• The fact that it usually does not can be used to provide a
primality test:
– Pick a number a < n
– Compute an-1
mod n, and see if the result is 1
– If it is not 1, n is clearly not prime.
– If it is 1, n may or may not be prime, with a certain probability
• If n is a randomly generated number of about a hundred digits, the
probability that n is not prime, but an-1
mod n = 1, is about 1 in 1013
• We can improve on this by trying multiple values of a
n
an
mod
1
1



25
• The method of choice for testing whether a number is prime is the
Rabin-Miller test:
– Choose a random number, p, to test.
– Calculate b, where b is the number of times 2 divides p – 1
• That is, 2b
is the largest power of 2 that divides p – 1
– Then, calculate m, such that :
1. Choose a random number, a, such that a < p
2. Set j = 0 and z = am
mod p
3. If z = 1, or if z = p – 1, then p passes the test and may be prime
4. If j > 0 and z = 1, then p is not prime
5. Set j = j + 1. If j < b and , then set z = z2
mod p, and go back to step 4.
If z = p – 1, then p passes the test and may be prime.
6. If j = b and , then p is not prime.
m
p b


 2
1
1

p
z
1

p
z

26
• Here's an algorithm for generating a large prime number
given by Schneier*:
1.Generate a random n-bit number p
2.Set the high- and low-order bits to 1
– Ensures that the prime is odd, and of the required length
3.Check that p is not divisible by small primes (say, less than 2000)
4.Perform the Rabin-Miller test for some random a.
– If a passes, generate another random a, and repeat
– Do five such tests
– If p fails one of the tests, generate another p and try again.
*Advanced Cryptography, Second Edition, by Bruce Schneier, Wiley

27
Key Management
• With public keys, we still have to worry about how the keys are distributed.
• There are a number of approaches:
– Public announcement
• Subject to forgery
– Publicly available directory of public keys
• Responsibility of some trusted entity or organization (Key Distribution Center)
• Subject to tampering
– Public Key Authority
• Directory with public/private key for PKA
• Could be a bottleneck
– Public Key Certificates
• Removes need to always go through a PKA to get a key
• The PKA becomes a Certification Authority (CA)
• CA issues certificate which contains public key and other information for a person or
organization.

28
Diffie-Hellman Key Exchange
• Diffie and Hellman published the first public key algorithm
– Referred to as Diffie-Hellman Key Exchange
– Used in a number of commercial products.
– Oldest public key system still in use
– Less general than RSA
• It does neither encryption nor signatures
• Diffie-Hellman allows two individuals to agree on a shared
private key, by exchanging public messages.

29
• Diffie-Hellman key exchange depends for its effectiveness on the
difficulty of computing discrete logarithms:
– We define a generator or primitive or primitive root of a prime number p as
one whose powers generate all the integers from 1 to p - 1. So, if a is a
primitive root of p, then the numbers:
a mod p, a2
mod p, a3
mod p, ... ap-1
mod p
are distinct and consist of the integers from 1 through p - 1 (in some
permutation)
– For any integer b and a generator a of p, we can find a unique exponent i
such that:
– The exponent i is referred to as the discrete logarithm (or index) of b for
the base a, mod p. It is the inverse of modular exponentiation, and finding
the discrete logarithm i, given b, is known to be a hard problem.
1)
-
(
0
where
mod p
i
p
a
b i




30
• Here is what Diffie-Hellman key exchange involves:
– First, Alice and Bob agree on a large prime, p, and g, such that g is a
generator mod p. The numbers don't have to be secret.
– Then the protocol goes as follows:
1) Alice chooses a random large integer x and sends Bob
X = gx
mod n
2) Bob chooses a random large integer y and sends Alice
Y = gy
mod n
3) Alice computes
k = Yx
mod n
4) Bob computes
k' = Xy
mod n
'
mod
mod
mod
k
n
X
n
g
n
Y
k
y
xy
x





31
1) Alice chooses a random large
integer x and sends Bob
X = gx
mod n
2) Bob chooses a random large integer
y and sends Carol
Y = gy
mod n
3) Carol chooses a random large
integer z and sends Alice
Z = gz
mod n
4) Alice sends Bob
Z' = Zx
mod n
5) Bob sends Carol
X' = Xy
mod n
6) Carol sends Alice
Y' = Yz
mod n
7) Alice computes
k = Y'x
mod n
8) Bob computes
k = Z'y
mod n
9) Carol computes
k = X'z
mod n
• This protocol can also be extended to work with three or more people:

32
Man-in-the-Middle Attack
• One problem with Diffie-Hellman is that there is no
authentication, and so the protocol is subject to a man-in-
the-middle attack:
– Alice generates gx
and sends it to "Bob"
– Eve intercepts the message:
• Generates gv
, and sends it to Bob in place of Alice's message
– Bob receives gv
, generates gy
, and sends it to "Alice"
– Eve intercepts the message:
• Generates gw
, and sends it to Alice in place of Bob's message
– Alice computes k = (gw
)x
– Bob computes k' = (gv
)y
– Eve computes k = (gx
)w
and k' = (gy
)v

33
Man-in-the-Middle Attack
• There are a number of techniques to defend against such an
attack:
– Each person can have a "somewhat permanent" public and secret
number, instead of creating one for each message exchange. This
can be considered to be a kind of Digital Phonebook.
– If Alice and Bob share some kind of secret which then can use to
authenticate each other, then they can use this secret to verify each
other's messages indeed came from the person they expected.

34
Encryption with Diffie-Hellman
• Another disadvantage with Diffie-Hellman is that, in order for Alice and
Bob to communicate, they first have to have an active exchange, where
they both have to be present.
– We can solve this as follows:
• Alice computes a personal public key, consisting of (pA, gA, TA), where:
for her private key SA.
• Bob does likewise, to produce (pB, gB, TB)
• These public keys are displayed in a reliable public place.
• If Alice wants to send Bob an encrypted message, she picks a random number SA,
• She uses KAB to encrypt the message using any secret key cipher
• Bob eventually computes the same expressions with A and B reversed, to calculate
the value of KAB, which allows him to decrypt the message
p
g
T A
S
A
A mod

B
S
B
AB
B
S
B
p
T
K
p
g
A
A
mod
:
computes
then
and
,
mod
computes


35
Diffie-Hellman and Safe Primes
• Diffie-Hellman works with any prime p and any number g
• However, it it less secure if p and g don't have additional mathematical
properties
– It turns out that things work better if (p – 1)/2 is also a prime.
• Such a prime is called a Safe Prime
– It's also better if :
numbers)
mod
all
of
half
almost
for
(true
mod
1
for which
,
mod
1 2
/
)
1
(
p
p
g
p
g p



 

36
Digital Signature Standard (DSS)
• NIST has proposed an algorithm for digital signatures:
– Based on ElGamal, an alternative signature scheme, which is harder to
understand than RSA.
• NIST published DSS in 1991, as a proposed standard for digital
signatures.
– Generated lots of debate; still continues
– Why ElGamal, and not RSA?
– Mandated 512-bit (p) /160-bit (q) moduli ?
– If an attacker breaks DSS for (p, q, g), breaks all keys for that triple.
With RSA, the attacker would only have broken a single key.
– Trapdoor primes require you have to trust the source
– Performance vs RSA
– Secret numbers required (problematic)
– Patent issues

37
Elliptic Curve Cryptography (ECC)
• There are known subexponential (but superpolynomial)
algorithms for breaking RSA and Diffie-Hellman
• Mathematicians do not (yet) have subexponential
algorithms for breaking ciphers based on the mathematics
of Elliptic Curves.
– As a result, it is believed that Elliptic Curve Cryptography (ECC) is
more secure for a given key size than other forms of cryptography.
– For some cryptographic schemes, it is possible to replace modular
multiplication with elliptic curve multiplication directly:
• ECC Diffie-Hellman
• ECC ElGamal
• etc.

38
• An Elliptic Curve is a set of points in a coordinate plane
which satisfy an equation of the form:
• We need some mathematical operation on 2 points in the
set which will always produce a point also in the set.
– Called "multiplication"
– Must be associative (to allow repeated squaring for exponentiation)
(gx
)y
= gxy
= (gy
)x
– Determining discrete logs must also be hard to do:
• Knowing g and gx
, it is disproportionately difficult to compute x.
e
dx
cx
x
by
axy
y 




 2
3
2

39
• In ECC, there are at least two types of arithmetic that
satisfy these requirements:
– Zp arithmetic (modular arithmetic with a large prime p as the
modulus)
– GF(2n
) arithmetic, which can be done with shifts and XORs.
(Modular arithmetic of polynomials with coefficients mod 2)
• ECC can be faster, because it is computationally no more
difficult, and because it can use shorter keys to accomplish
the same level of security.

40
Summary
• We've covered a number of topics:
– Key Distribution
– RSA
– Diffie-Hellman
– Authentication
– Digital Signatures and Certificates
– Elliptic Curve Cryptography

crypto Digital Signature Diffie Hell man.ppt

More Related Content

Similar to crypto Digital Signature Diffie Hell man.ppt (20)

More from SuryaBasnet3 (20)

Recently uploaded (20)

crypto Digital Signature Diffie Hell man.ppt