15-853: Algorithms in the Real World
Cryptography 3 and 4

Outline
Introduction: terminology, cryptanalysis, security
Primitives: one-way functions, trapdoors, …
Protocols: digital signatures, key exchange, ..
Number Theory: groups, fields, …
Private-Key Algorithms: Rijndael, DES
Public-Key Algorithms:
– Diffie-Hellman
– El-Gamal, RSA, Blum-Goldwasser
– Case Studies: Kerberos, Digital Cash

15-853 Page 1 15-853 Page 2

Public Key

Plaintext M -> Encryption E_K1(M) = C -> Cyphertext C -> Decryption D_K2(C) = M -> Original Plaintext
Public Key systems: K1 = public key, K2 = private key
Digital signatures: K1 = private key, K2 = public key

One-way trapdoor functions

Introduced by Diffie and Hellman in 1976.
Both Public-Key systems and Digital signatures make use of one-way trapdoor functions.
Public Key systems:
– Encode: c = f(m)
– Decode: m = f^-1(c) using trapdoor
Digital Signatures:
– Sign: c = f^-1(m) using trapdoor
– Verify: m = f(c)
Typically used as part of a more complicated protocol.


Example of TLS (previously SSL)

TLS (Transport Layer Security) is the standard for the web (https) and voice over IP.
Protocol (somewhat simplified): Bob -> amazon.com
Handshake:
B->A: client hello: protocol version, acceptable ciphers
A->B: server hello: cipher, session ID, |amazon.com|verisign
B->A: key exchange, {masterkey}amazon's public key
A->B: server finish: ([amazon,prev-messages,masterkey])key1
B->A: client finish: ([bob,prev-messages,masterkey])key2
Data:
A->B: server message: (message1,[message1])key1
B->A: client message: (message2,[message2])key2
Notation:
|h|issuer = Certificate = <h, Issuer>issuer's private key
<…>private key = Digital signature
{…}public key = Public-key encryption
[..] = Secure Hash
(…)key = Private-key encryption
key1 and key2 are derived from masterkey and session ID

Public Key History

Some algorithms
– Diffie-Hellman, 1976, key-exchange based on discrete logs
– Merkle-Hellman, 1978, based on "knapsack problem"
– McEliece, 1978, based on algebraic coding theory
– RSA, 1978, based on factoring
– Rabin, 1979, security can be reduced to factoring
– ElGamal, 1985, based on discrete logs
– Blum-Goldwasser, 1985, based on quadratic residues
– Elliptic curves, 1985, discrete logs over Elliptic curves
– Chor-Rivest, 1988, based on knapsack problem
– NTRU, 1996, based on Lattices
– XTR, 2000, based on discrete logs of a particular field

Diffie-Hellman Key Exchange

A group (G,*) and a primitive element (generator) g is made public.
– Alice picks a, and sends g^a to Bob
– Bob picks b and sends g^b to Alice
– The shared key is g^ab
Note the shared key is easy for Alice or Bob to compute, but assuming discrete logs are hard it is hard for anyone else to compute.
Can someone see a problem with this protocol?

Person-in-the-middle attack

Alice --g^a--> Mallory --g^c--> Bob
Alice <--g^d-- Mallory <--g^b-- Bob
Alice's key = g^ad, Bob's key = g^cb
Mallory gets to listen to everything.
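As an added example (not code from the lecture slides), the exchange above over Z_p^* with a toy prime, followed by the person-in-the-middle run in which Mallory substitutes g^c and g^d. The prime, base and exponents are constructed for illustration; the base is not checked to be a generator.

```python
# Added example (not from the slides): Diffie-Hellman over Z_p^* with a toy
# prime, plus the person-in-the-middle run from the slide, where Mallory
# replaces Alice's and Bob's public values with her own g^c and g^d.
import random
from typing import Dict, Tuple

P = 2**127 - 1          # constructed toy prime (a Mersenne prime)
G = 3                   # constructed toy base; not verified to be a generator


def dh_public(secret: int, p: int = P, g: int = G) -> int:
    """g^secret mod p: the value a party sends in the clear."""
    return pow(g, secret, p)


def dh_shared(their_public: int, my_secret: int, p: int = P) -> int:
    """(g^theirs)^mine mod p: the key a party derives."""
    return pow(their_public, my_secret, p)


def honest_exchange(a: int, b: int) -> Tuple[int, int]:
    """Alice (a) and Bob (b) exchange g^a and g^b; both obtain g^ab."""
    ga, gb = dh_public(a), dh_public(b)
    return dh_shared(gb, a), dh_shared(ga, b)


def person_in_the_middle(a: int, b: int, c: int, d: int) -> Dict[str, int]:
    """Bob receives g^c instead of g^a and Alice receives g^d instead of g^b.
    Alice ends with g^ad, Bob with g^cb, and Mallory can compute both, so
    nothing inside the exchange itself detects the substitution."""
    ga, gb = dh_public(a), dh_public(b)      # genuine values, never delivered
    gc, gd = dh_public(c), dh_public(d)      # Mallory's replacements
    return {
        "alice_key": dh_shared(gd, a),                  # g^ad
        "bob_key": dh_shared(gc, b),                    # g^cb
        "mallory_key_with_alice": dh_shared(ga, d),     # also g^ad
        "mallory_key_with_bob": dh_shared(gb, c),       # also g^cb
    }


if __name__ == "__main__":
    rng = random.SystemRandom()
    a, b, c, d = (rng.randrange(2, P - 1) for _ in range(4))
    ka, kb = honest_exchange(a, b)
    print("honest run, keys agree:", ka == kb)
    r = person_in_the_middle(a, b, c, d)
    print("with Mallory, keys agree:", r["alice_key"] == r["bob_key"])
    print("Mallory holds Alice's key:", r["mallory_key_with_alice"] == r["alice_key"])
```

The honest run yields one key; with Mallory present, Alice and Bob hold different keys that Mallory both knows, which is why protocols built on this exchange authenticate the exchanged values (the TLS handshake above uses a certificate for that purpose).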


ElGamal

Based on the difficulty of the discrete log problem.
Invented in 1985.
Digital signature and Key-exchange variants
– Digital signature is AES standard
– Public Key used by TRW (avoided RSA patent)
Works over various groups
– Zp
– Multiplicative group GF(p^n)
– Elliptic Curves

ElGamal Public-key

(G,*) is a group
• α a generator for G
• a ∈ Z_|G|
• β = α^a
G is selected so that it is hard to solve the discrete log problem.
Public Key: (α, β) and some description of G
Private Key: a
Encode:
Pick random k ∈ Z_|G|
E(m) = (y1, y2) = (α^k, m * β^k)
Decode:
D(y) = y2 * (y1^a)^-1 = (m * β^k) * (α^ka)^-1 = m * β^k * (β^k)^-1 = m
You need to know a to easily decode y!
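As an added example (not code from the slides), the scheme above over G = Z_p^* for a prime p. The default run uses the small parameters of the worked example on the following slide (p = 11, α = 2, a = 8, k = 4, m = 7); the generator check is a brute-force helper for toy sizes only.

```python
# Added example (not from the slides): ElGamal over Z_p^*.  Parameters in
# the demo match the slide's worked example; k is normally drawn at random
# and must be fresh for every message.
import random
from typing import Optional, Tuple

PublicKey = Tuple[int, int, int]   # (p, alpha, beta)


def is_generator(alpha: int, p: int) -> bool:
    """True if alpha generates all of Z_p^* (brute force, toy sizes only)."""
    seen, x = set(), 1
    for _ in range(p - 1):
        x = x * alpha % p
        seen.add(x)
    return len(seen) == p - 1


def keygen(p: int, alpha: int, a: int) -> Tuple[PublicKey, int]:
    """Public key (p, alpha, beta = alpha^a mod p), private key a."""
    assert is_generator(alpha, p), "alpha must generate Z_p^*"
    assert 1 <= a < p - 1
    return (p, alpha, pow(alpha, a, p)), a


def encrypt(pub: PublicKey, m: int, k: Optional[int] = None) -> Tuple[int, int]:
    """E(m) = (alpha^k, m * beta^k) mod p."""
    p, alpha, beta = pub
    assert 1 <= m < p, "message must be an element of Z_p^*"
    if k is None:
        k = random.SystemRandom().randrange(1, p - 1)
    return pow(alpha, k, p), m * pow(beta, k, p) % p


def decrypt(pub: PublicKey, a: int, c: Tuple[int, int]) -> int:
    """D(y1, y2) = y2 * (y1^a)^-1 mod p; requires the private exponent a."""
    p, _, _ = pub
    y1, y2 = c
    return y2 * pow(pow(y1, a, p), -1, p) % p


if __name__ == "__main__":
    pub, a = keygen(11, 2, 8)
    print("public key (p, alpha, beta):", pub)   # (11, 2, 3)
    c = encrypt(pub, 7, k=4)
    print("E(7) with k=4:", c)                    # (5, 6)
    print("D(c):", decrypt(pub, a, c))            # 7
```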


ElGamal: Example

G = Z11*
• α = 2
• a = 8
• β = 2^8 (mod 11) = 3
Public Key: (2, 3), Z11*
Private Key: a = 8
Encode: 7
Pick random k = 4
E(m) = (2^4, 7 * 3^4) = (5, 6)
Decode: (5, 6)
D(y) = 6 * (5^8)^-1 = 6 * 4^-1 = 6 * 3 (mod 11) = 7

Merkle-Hellman

Gets "security" from the Subset Sum (also called knapsack) problem, which is NP-hard to solve in general.
Subset Sum (Knapsack): Given a sequence W = {w0, w1, …, w_{n-1}}, w_i ∈ Z of weights and a sum S, calculate a boolean vector B such that:
∑_{i=0}^{n-1} B_i w_i = S
Even deciding if there is a solution is NP-hard.


Merkle-Hellman

W is superincreasing if: w_i > ∑_{j=1}^{i-1} w_j for every i
It is easy to solve the subset-sum problem for superincreasing W in O(n) time.
Main idea of Merkle-Hellman:
– Hide the easy case by multiplying each w_i by a constant a modulo a prime p
– Knowing a and p allows you to retrieve the superincreasing sequence

Merkle-Hellman

What we need
• w1, …, wn superincreasing
• p > ∑_{i=1}^n w_i and prime
• a, 1 ≤ a ≤ n
• w'_i = a w_i mod p
Public Key: w'_i
Private Key: w_i, p, a
Encode:
y = E(m) = ∑_{i=1}^n m_i w'_i
Decode:
z = a^-1 y mod p
  = a^-1 ∑_{i=1}^n m_i w'_i mod p
  = a^-1 ∑_{i=1}^n m_i a w_i mod p
  = ∑_{i=1}^n m_i w_i
Solve subset sum problem (w1, …, wn, z), obtaining m1, …, mn
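As an added example (not code from the slides), the construction above: the O(n) greedy solver for a superincreasing sequence, the public weights w'_i = a w_i mod p, and decryption via z = a^-1 y mod p. The sequence, p and a are constructed toy values.

```python
# Added example (not from the slides): Merkle-Hellman knapsack with a
# superincreasing private sequence.  Constructed toy parameters; the scheme
# is broken (Shamir, 1984) and is shown only for the trapdoor mechanics.
from math import gcd
from typing import List, Tuple

PrivateKey = Tuple[List[int], int, int]   # (w, p, a)


def is_superincreasing(w: List[int]) -> bool:
    """Each w_i exceeds the sum of all earlier weights."""
    total = 0
    for wi in w:
        if wi <= total:
            return False
        total += wi
    return True


def solve_superincreasing(w: List[int], s: int) -> List[int]:
    """O(n) greedy subset sum: scan from the largest weight down; a weight
    that fits must be in the subset, because all smaller ones sum to less."""
    bits = [0] * len(w)
    for i in range(len(w) - 1, -1, -1):
        if w[i] <= s:
            bits[i], s = 1, s - w[i]
    if s != 0:
        raise ValueError("no subset sums to the target")
    return bits


def keygen(w: List[int], p: int, a: int) -> Tuple[List[int], PrivateKey]:
    """Public key w'_i = a*w_i mod p; private key (w, p, a)."""
    assert is_superincreasing(w) and p > sum(w) and gcd(a, p) == 1
    return [a * wi % p for wi in w], (w, p, a)


def encrypt(pub: List[int], bits: List[int]) -> int:
    """y = sum of m_i * w'_i over the message bits."""
    assert len(bits) == len(pub)
    return sum(m * wi for m, wi in zip(bits, pub))


def decrypt(priv: PrivateKey, y: int) -> List[int]:
    """z = a^-1 y mod p equals sum m_i w_i, which is the easy knapsack."""
    w, p, a = priv
    z = pow(a, -1, p) * y % p
    return solve_superincreasing(w, z)


if __name__ == "__main__":
    w = [2, 3, 7, 14, 30]                  # constructed superincreasing sequence
    pub, priv = keygen(w, p=61, a=17)      # 61 is prime and exceeds sum(w) = 56
    msg = [1, 0, 1, 1, 0]
    y = encrypt(pub, msg)
    print("public weights:", pub, "ciphertext:", y, "decrypted:", decrypt(priv, y))
```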


Merkle-Hellman: Problem

Was broken by Shamir in 1984.
Shamir showed how to use integer programming to solve the particular class of Subset Sum problems in polynomial time.
Lesson: don't leave your trapdoor loose.

RSA

Named after Rivest, Shamir and Adleman (1978) but apparently invented by Clifford Cocks in 1973.
Based on difficulty of factoring.
Used to hide the size of a group Zn* since |Zn*| = φ(n) = (p-1)(q-1).
Factoring has not been reduced to RSA
– an algorithm that generates m from c does not give an efficient algorithm for factoring
On the other hand, factoring has been reduced to finding the private-key.
– there is an efficient algorithm for factoring given one that can find the private key from the public key.


RSA Public-key Cryptosystem

What we need:
• p and q, primes of approximately the same size
• n = pq, φ(n) = (p-1)(q-1)
• e ∈ Z_φ(n)*
• d = e^-1 mod φ(n)
Public Key: (e,n)
Private Key: d
Encode:
m ∈ Zn
E(m) = m^e mod n
Decode:
D(c) = c^d mod n

RSA continued

Why it works:
D(c) = c^d mod n
     = m^ed mod n
     = m^(1 + k(p-1)(q-1)) mod n
     = m^(1 + k φ(n)) mod n
     = m (m^φ(n))^k mod n
     = m
Why is this argument not quite sound?
What if m ∉ Zn*? Then m^φ(n) ≠ 1 mod n.
Answer 1: Not hard to show that it still works.
Answer 2: jackpot – you've factored n
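As an added example (not code from the slides), textbook RSA with constructed toy primes, exercising both answers above: a message that is not in Zn* still decrypts correctly, and its gcd with n yields the factorization. No padding is applied, which the later security slide warns against for real use.

```python
# Added example (not from the slides): textbook RSA on toy primes, plus the
# slide's two answers for a message outside Z_n^*.
from math import gcd
from typing import Optional, Tuple

PublicKey = Tuple[int, int]   # (e, n)


def keygen(p: int, q: int, e: int) -> Tuple[PublicKey, int]:
    """Public key (e, n), private key d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be a unit modulo phi(n)"
    return (e, n), pow(e, -1, phi)


def encrypt(pub: PublicKey, m: int) -> int:
    """E(m) = m^e mod n (unpadded, textbook form)."""
    e, n = pub
    assert 0 <= m < n
    return pow(m, e, n)


def decrypt(pub: PublicKey, d: int, c: int) -> int:
    """D(c) = c^d mod n."""
    _, n = pub
    return pow(c, d, n)


def in_unit_group(m: int, n: int) -> bool:
    """Is m in Z_n^*, i.e. coprime to n?"""
    return gcd(m, n) == 1


def factor_from_message(m: int, n: int) -> Optional[Tuple[int, int]]:
    """Answer 2: a message outside Z_n^* shares a factor with n."""
    g = gcd(m, n)
    if 1 < g < n:
        return g, n // g
    return None


if __name__ == "__main__":
    pub, d = keygen(61, 53, 17)            # constructed toy primes
    e, n = pub
    for m in (65, 122):                    # 122 = 2 * 61 is not in Z_n^*
        c = encrypt(pub, m)
        print(f"m={m} in Z_n^*={in_unit_group(m, n)} c={c} D(c)={decrypt(pub, d, c)}")
    print("factors from m=122:", factor_from_message(122, n))
```

Decryption of m = 122 still returns 122 (Answer 1), and gcd(122, n) = 61 hands over the factorization (Answer 2).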


RSA computations

To generate the keys, we need to
– Find two primes p and q. Generate candidates and use primality testing to filter them.
– Find e^-1 mod (p-1)(q-1). Use Euclid's algorithm. Takes time log^2(n)
To encode and decode
– Take m^e or c^d. Use the power method. Takes time log(e) log^2(n) and log(d) log^2(n).
In practice e is selected to be small so that encoding is fast.

Security of RSA

Warning:
– Do not use this or any other algorithm naively!
Possible security holes:
– Need to use "safe" primes p and q. In particular p-1 and q-1 should have large prime factors.
– p and q should not have the same number of digits. Can use a middle attack starting at sqrt(n).
– e cannot be too small
– Don't use same n for different e's.
– You should always "pad"


Algorithm to factor given d and e

If an attacker has an algorithm that generates d from e, then he/she can factor n in PPT. Variant of the Rabin-Miller primality test.
Function TryFactor(e,d,n)
1. write ed – 1 as 2^s r, r odd
2. choose w at random < n
3. v = w^r mod n
4. if v = 1 then return(fail)
5. while v ≠ 1 mod n
6.   v0 = v
7.   v = v^2 mod n
8. if v0 = n - 1 then return(fail)
9. return(pass, gcd(v0 + 1, n))
LasVegas algorithm. Probability of pass is > .5. Will return p or q if it passes. Try until you pass.

RSA Performance

Performance: (600Mhz PIII) (from: ssh toolkit):
Algorithm      Bits/key   Rate            Mbits/sec
RSA Keygen     1024       .35 sec/key
               2048       2.83 sec/key
RSA Encrypt    1024       1786/sec        3.5
               2048       672/sec         1.2
RSA Decrypt    1024       74/sec          .074
               2048       12/sec          .024
ElGamal Enc.   1024       31/sec          .031
ElGamal Dec.   1024       61/sec          .061
DES-cbc        56                         95
twofish-cbc    128                        140
Rijndael       128                        180
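As an added example (not code from the slides), the TryFactor procedure above run on a constructed toy key. It makes the slide's reduction concrete: whoever holds (e, d, n) recovers p and q, so a leaked private exponent is as serious as a leaked factorization, and the same n must never be reused with a different e.

```python
# Added example (not from the slides): the slide's TryFactor steps 1-9 and
# a wrapper that repeats trials until one passes.  Toy key constructed inline.
import random
from math import gcd
from typing import Optional, Tuple


def try_factor(e: int, d: int, n: int, w: int) -> Optional[int]:
    """One Las Vegas trial with witness w; returns a factor or None (fail)."""
    t, s = e * d - 1, 0
    while t % 2 == 0:                       # step 1: ed - 1 = 2^s r, r odd
        t, s = t // 2, s + 1
    r = t
    v = pow(w, r, n)                         # step 3
    if v == 1:
        return None                          # step 4
    while v != 1:                            # steps 5-7: square until we hit 1
        v0 = v
        v = v * v % n
    if v0 == n - 1:
        return None                          # step 8: only the trivial root -1
    return gcd(v0 + 1, n)                    # step 9: v0 is a nontrivial root of 1


def factor_with_private_key(e: int, d: int, n: int, seed: int = 0) -> Tuple[int, int]:
    """Repeat trials until one passes (each passes with probability > 1/2).
    The RNG is seeded only so the demo is repeatable."""
    rng = random.Random(seed)
    while True:
        w = rng.randrange(2, n - 1)
        g = gcd(w, n)
        if g == 1:
            g = try_factor(e, d, n, w)       # witness coprime to n: run the test
        if g:                                # a witness sharing a factor also factors n
            return min(g, n // g), max(g, n // g)


if __name__ == "__main__":
    p, q, e = 1009, 1013, 65537              # constructed toy key
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    print("recovered factors:", factor_with_private_key(e, d, n))
```

The loop in steps 5-7 always terminates for a witness coprime to n because w^(ed-1) = 1 mod n, so the sequence w^r, w^2r, … reaches 1 within s squarings; the value just before it is a square root of 1, and any root other than ±1 splits n.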

RSA in the "Real World"

Part of many standards: PKCS, ITU X.509, ANSI X9.31, IEEE P1363
Used by: SSL, PEM, PGP, Entrust, …
The standards specify many details on the implementation, e.g.
– e should be selected to be small, but not too small
– "multi prime" versions make use of n = pqr… this makes it cheaper to decode especially in parallel (uses Chinese remainder theorem).

Factoring in the Real World

Quadratic Sieve (QS):
– Used in 1994 to factor a 129 digit (428-bit) number. 1600 Machines, 8 months.
Number field Sieve (NFS):
– Used in 1999 to factor 155 digit (512-bit) number. 35 CPU years. At least 4x faster than QS
– Used in 2003-2005 to factor 200 digits (663 bits). 75 CPU years ($20K prize)


Probabilistic Encryption

For RSA one message goes to one cipher word. This means we might gain information by running E_public(M).
Probabilistic encryption maps every M to many C randomly. Cryptanalysts can't tell whether C = E_public(M).
ElGamal is an example (based on the random k), but it doubles the size of message.

BBS "secure" random bits

BBS (Blum, Blum and Shub, 1984)
– Based on difficulty of factoring, or finding square roots modulo n = pq.
Fixed:
• p and q are primes such that p = q = 3 (mod 4)
• n = pq (is called a Blum integer)
For a particular bit seq.:
• Seed: random x relatively prime to n.
• Initial state: x0 = x^2
• i-th state: x_i = (x_{i-1})^2
• i-th bit: lsb of x_i
Note that x_i = x0^(2^i) mod n, and squaring is a permutation of the quadratic residues modulo a Blum integer whose inverse (the square root that is itself a quadratic residue) is easy to compute when p and q are known.
Therefore knowing p and q allows us to find x0 from x_i.


Blum-Goldwasser: A stream cypher

Public key: n (= pq)
Private key: p or q
Encrypt:
Random x -> x0 = x^2 mod n -> BBS states x_i -> b_i = lsb(x_i)
c_i = m_i xor b_i (0 ≤ i < l)
c_i (l ≤ i < l + log n) = x_l
Decrypt:
Using p and q, find x0 from x_l.
Use this to regenerate the b_i and hence m_i

Quantum Cryptography

In quantum mechanics, there is no way to take a measurement without potentially changing the state. E.g.
– Measuring position, spreads out the momentum
– Measuring spin horizontally, "spreads out" the spin probability vertically
Related to Heisenberg's uncertainty principle
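As an added example (not code from the slides) covering both the BBS generator and the Blum-Goldwasser cipher built on it: encryption xors the message bits with the lsb of x_0 … x_{l-1} and appends x_l; decryption uses p and q to walk x_l back to x_0. The Blum primes are constructed toy values, and the recovery step relies on y^((p+1)/4) being the quadratic-residue square root of y modulo a prime p = 3 (mod 4).

```python
# Added example (not from the slides): BBS states and bits, and the
# Blum-Goldwasser stream cipher on top of them.  Toy Blum primes.
import random
from math import gcd
from typing import List, Tuple

P, Q = 499, 547             # constructed Blum primes: 499 % 4 == 547 % 4 == 3
N = P * Q                   # public key; (P, Q) is the private key


def bbs_states(x0: int, count: int, n: int = N) -> List[int]:
    """x_0, x_1, ..., x_count with x_i = x_{i-1}^2 mod n."""
    states = [x0]
    for _ in range(count):
        states.append(states[-1] * states[-1] % n)
    return states


def bbs_bits(x0: int, length: int, n: int = N) -> List[int]:
    """BBS output: the least significant bit of each state x_0 .. x_{length-1}."""
    return [x & 1 for x in bbs_states(x0, length - 1, n)]


def bg_encrypt(bits: List[int], seed: int, n: int = N) -> Tuple[List[int], int]:
    """c_i = m_i xor b_i for i < l, plus x_l so the receiver can rebuild the
    key stream.  `seed` plays the role of the random x; x_0 = x^2 mod n."""
    assert gcd(seed, n) == 1, "x must be relatively prime to n"
    l = len(bits)
    states = bbs_states(seed * seed % n, l, n)          # x_0 .. x_l
    return [m ^ (x & 1) for m, x in zip(bits, states[:l])], states[l]


def qr_root(y: int, p: int, steps: int) -> int:
    """Apply the QR square root y -> y^((p+1)/4) mod p `steps` times; the
    exponents compose, so reduce ((p+1)/4)^steps modulo p-1 first."""
    return pow(y, pow((p + 1) // 4, steps, p - 1), p)


def crt(rp: int, rq: int, p: int, q: int) -> int:
    """Combine residues mod p and mod q into the unique value mod pq."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)


def bg_decrypt(c: List[int], x_l: int, p: int = P, q: int = Q) -> List[int]:
    """With p and q, take l QR square roots of x_l (mod p and mod q, then
    CRT) to recover x_0, regenerate the b_i and xor them back."""
    l = len(c)
    x0 = crt(qr_root(x_l % p, p, l), qr_root(x_l % q, q, l), p, q)
    return [ci ^ bi for ci, bi in zip(c, bbs_bits(x0, l, p * q))]


if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 0, 1, 0]                     # constructed plaintext bits
    rng = random.SystemRandom()
    x = rng.randrange(2, N)
    while gcd(x, N) != 1:
        x = rng.randrange(2, N)
    c, tail = bg_encrypt(msg, x)
    print("ciphertext bits:", c, "x_l:", tail, "decrypted:", bg_decrypt(c, tail))
```

Every state is a square, hence a quadratic residue, so the QR square root of x_{i+1} is exactly x_i; without p and q that root is as hard to find as factoring n, which is the security claim of the slide.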


Using photon polarization

(Figure: a photon measured in the square basis or the diagonal basis; measuring in the wrong basis destroys the state.)

Quantum Key Exchange

1. Alice sends Bob photon stream randomly polarized in one of 4 polarizations: |, -, / or \ (equal probability)
2. Bob measures photons in random orientations + or x (equal probability) e.g.:
   x + + x x x + x (orientations used)
   \ | - \ / / - \ (measured polarizations)
   and tells Alice in the open what orientations he used, but not what he measured.
3. Alice tells Bob in the open which are correct
4. Bob and Alice keep the correct values
Susceptible to a man-in-the-middle attack
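As an added example (not code from the slides), a classical simulation of steps 1 to 4 above. Photons are the four polarizations |, -, /, \ and Bob's orientations are + (square) and x (diagonal); a wrong-basis measurement returns a random polarization in Bob's basis, standing in for the "destroys state" remark. The bit encoding (| and / are 1, - and \ are 0) and the seeded randomness are assumptions for the demo.

```python
# Added example (not from the slides): sifting in the quantum key exchange,
# simulated classically.  Bit encoding and seeding are assumptions.
import random
from typing import List, Tuple

BASIS_OF = {"|": "+", "-": "+", "/": "x", "\\": "x"}
BIT_OF = {"|": 1, "-": 0, "/": 1, "\\": 0}                  # assumed encoding
SYMBOL = {("+", 0): "-", ("+", 1): "|", ("x", 0): "\\", ("x", 1): "/"}


def alice_prepare(bits: List[int], bases: List[str]) -> List[str]:
    """Step 1: Alice encodes each bit in the basis she chose for that photon."""
    return [SYMBOL[(b, bit)] for b, bit in zip(bases, bits)]


def bob_measure(photons: List[str], orientations: List[str], seed: int = 0) -> List[str]:
    """Step 2: in a matching basis Bob reads the exact polarization; otherwise
    the state collapses to a random polarization in his basis."""
    rng = random.Random(seed)                  # stand-in for quantum randomness
    measured = []
    for photon, basis in zip(photons, orientations):
        if BASIS_OF[photon] == basis:
            measured.append(photon)
        else:
            measured.append(SYMBOL[(basis, rng.randrange(2))])
    return measured


def sift(alice_bases: List[str], bob_bases: List[str], measured: List[str]) -> Tuple[List[int], List[int]]:
    """Steps 3 and 4: keep only the positions where the bases agreed.
    Returns (kept positions, Bob's key bits); Alice's bits at those positions
    equal Bob's because the measurement there was exact."""
    keep = [i for i, (a, b) in enumerate(zip(alice_bases, bob_bases)) if a == b]
    return keep, [BIT_OF[measured[i]] for i in keep]


if __name__ == "__main__":
    rng = random.Random(1)                     # seeded for a repeatable demo
    n = 8
    bits = [rng.randrange(2) for _ in range(n)]
    a_bases = [rng.choice("+x") for _ in range(n)]
    b_bases = list("x++xxx+x")                 # the slide's orientations
    photons = alice_prepare(bits, a_bases)
    measured = bob_measure(photons, b_bases, seed=1)
    keep, key = sift(a_bases, b_bases, measured)
    print("kept positions:", keep, "shared key bits:", key)
```

Roughly half the positions survive sifting. The simulation also shows why the slide calls the protocol susceptible to a man-in-the-middle: nothing in steps 1 to 4 tells Bob that the photons and the open messages came from Alice.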


In the "real world"

Not yet used in practice, but experiments have verified that it works.
IBM has working system over 30cm at 10bits/sec.
More recently, up to 10km of fiber.

Cryptography Outline

Introduction: terminology, cryptanalysis, security
Primitives: one-way functions, trapdoors, …
Protocols: digital signatures, key exchange, ..
Number Theory: groups, fields, …
Private-Key Algorithms: Rijndael, DES
Public-Key Algorithms: Knapsack, RSA, El-Gamal, …
Case Studies:
– Kerberos
– Digital Cash (not this year)


Kerberos

A key-serving system based on Private-Keys (DES).
Assumptions
• Built on top of TCP/IP networks
• Many "clients" (typically users, but perhaps software)
• Many "servers" (e.g. file servers, compute servers, print servers, …)
• machines and servers are potentially insecure without compromising the whole system
• A kerberos server must be secure.

Kerberos

Parties: Client, Kerberos, Ticket Granting Service (TGS), Server
1. Request ticket-granting-ticket (TGT)
2. TGT returned to client
3. Request server-ticket (ST)
4. ST returned to client
5. Request service


Kerberos V Message Formats

C = client, S = server, K = key, T = timestamp, V = time range, TGS = Ticket Granting Service, A = Net Address
Ticket Granting Ticket: T_{C,TGS} = TGS, {C,A,V,K_{C,TGS}}K_TGS
Server Ticket: T_{C,S} = S, {C,A,V,K_{C,S}}K_S
Authenticator: A_{C,S} = {C,T,[K]}K_{C,S}
1. Client to Kerberos: {C,TGS}K_C
2. Kerberos to Client: {K_{C,TGS}}K_C, T_{C,TGS}
3. Client to TGS: A_{C,TGS}, T_{C,TGS}
4. TGS to Client: {K_{C,S}}K_{C,TGS}, T_{C,S}
5. Client to Server: A_{C,S}, T_{C,S}
Steps 3 to 5 possibly repeat.

Kerberos Notes

All machines have to have synchronized clocks
– Must not be able to reuse authenticators
Servers should store all previous and valid tickets
– Help prevent replays
Client keys are typically a one-way hash of the password. Clients do not keep these keys.
Kerberos 5 uses CBC mode for encryption. Kerberos 4 was insecure because it used a nonstandard mode.
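As an added example (not code from the slides), the two server-side checks the notes above call for, applied to an authenticator A_{C,S} after it has been decrypted with K_{C,S}: the timestamp T must sit within a clock-skew window of the server's clock and inside the ticket's validity range V, and a (client, T) pair already accepted must be rejected as a replay. The dict fields, the skew window and the cache are assumptions for the demo, not values from the slides.

```python
# Added example (not from the slides): timestamp and replay checks a Kerberos
# server applies to an incoming authenticator.  Field names and the skew
# window are assumptions; authenticators are plain dicts standing in for
# the decrypted message.
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

MAX_SKEW_SECONDS = 300          # assumed tolerance for clock drift


@dataclass
class ReplayCache:
    """Remembers (client, timestamp) pairs already accepted, so a captured
    authenticator cannot be presented a second time inside the window."""
    seen: Set[Tuple[str, int]] = field(default_factory=set)

    def check_and_record(self, client: str, ts: int) -> bool:
        key = (client, ts)
        if key in self.seen:
            return False
        self.seen.add(key)
        return True

    def expire(self, now: int) -> None:
        """Entries older than the skew window fail the clock check anyway."""
        self.seen = {k for k in self.seen if now - k[1] <= MAX_SKEW_SECONDS}


def accept_authenticator(auth: Dict, ticket: Dict, now: int, cache: ReplayCache) -> Tuple[bool, str]:
    """Checks after decrypting A_{C,S}: client name matches the ticket, `now`
    lies in the ticket's range V, T is close to the server clock, and the
    (C, T) pair has not been seen before."""
    if auth["C"] != ticket["C"]:
        return False, "client name in authenticator does not match ticket"
    start, end = ticket["V"]
    if not start <= now <= end:
        return False, "ticket outside its validity range"
    if abs(now - auth["T"]) > MAX_SKEW_SECONDS:
        return False, "timestamp too far from server clock"
    if not cache.check_and_record(auth["C"], auth["T"]):
        return False, "replayed authenticator"
    return True, "ok"


if __name__ == "__main__":
    cache = ReplayCache()
    ticket = {"C": "bob", "A": "10.0.0.5", "V": (1000, 5000)}     # constructed
    auth = {"C": "bob", "T": 2000}
    print(accept_authenticator(auth, ticket, now=2010, cache=cache))   # accepted
    print(accept_authenticator(auth, ticket, now=2020, cache=cache))   # replay
    print(accept_authenticator({"C": "bob", "T": 900}, ticket, now=2020, cache=cache))
```

The replay cache only needs to hold entries for the skew window: anything older is rejected by the clock check, which is why the notes tie replay protection to synchronized clocks.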
