Demonstration
Outline
• Some�Math�Essentials�&�History • Asymmetric�signatures�and�key�exchange ISA�662 • Asymmetric�encryption� Internet�Security�Protocols • Symmetric�MACs
Lecture�2
ISA�662 1 2
Beauty�of�Mathematics Prime�Numbers�(I)
x Percentage Percentage x/(ln x - 1) Percentage Demonstration 1,000 168 16.8% 169 16.9% 10,000 1,229 12.3% 1,218 12.2% Pick�a�number�from�10�to�99 100,000 9,592 9.6% 9,512 9.5% At�the�2�digits,�for�example: 1,000,000 78,498 7.8% 78,030 7.8% 10,000,000 664,579 6.6% 661,459 6.6% If�you�chose�51,�you�would�add�5+1=6 100,000,000 5,761,455 5.8% 5,740,304 5.7% Then�subtract�the�result�from�the�original�number 1,000,000,000 50,847,534 5.1% 50,701,542 5.1% 10,000,000,000 455,052,511 4.6% 454,011,971 4.5% So�51�6=45 • Prime�numbers�“thin�out” as�the�numbers�get�larger (Demonstration�shown�in�class) • There�are�25�primes�<100,�so�density�is�1�in�4. • Ten�digit�number,�density�is�1�in�23. • Hundred�digit�number,�density�is�1�in�230.
3 4
Division�(I) Division�(II)
(also�called�counting�numbers)
5 6
1 Division�(III) Common�Divisors�(I)
7 8
Common�Divisors�(II) Euler’s�Totient Function�(I)
• Leonhard�Euler� – Swiss�mathematician�and�physicist – First�to�use�the�term�function. – Lived�in�the�1700’s
in�Z
* • Totient function�ø(n):�|Zn | – number�of�integers�less�than� n and�relatively�prime�to� n – If� n is�prime,�ø(n)= n�1 – If� n=p∗q,�and� p, q are�primes,�ø(n)=( p�1)( q�1)� – If� p is�prime�and� k>0,�ø(pk)�=( p�1)� pk�1
9 10
Euler’s�Totient Function�(II) Motivation�1� Key�Distribution�Problem� • Examples: • In�a�secret�key�cryptosystem,�the�secret�key�must�be� ø(7)=�7*(1�(1/7))=6��{1,2,3,4,5,6} transmitted�via�a�secure�channel Or�ø(7)�=7�1=6,�because�7�is�prime • Inconvenient – n�parties�want�to�communicate�with�each�other,�how�many�keys� total�keys�are�needed�and�how�many�other�keys�must�each�n� ø(10)=�10*(1�(1/2)*(1�(1/5))=4��{1,3,7,9} store?� n�entities�– There�will�be�n(n�1)�/�2�keys�total ø(18)=�18*(1�(1/2)*(1�(1/3))=6��{1,5,7,11,13,17} Each�entity�has�to�store�n�1�keys • Insecure ø(21)=�21*(1�(1/3)*(1�(1/7))=12� – Is�the�secure�channel�really�secure?� {1,2,4,5,8,10,11,13,16,17,19,20} Or�ø(21)=�ø(3.7)=�ø(3).�ø(7)=��2.6�=�12 • Public�key�cryptosystem�solves�the�problem – Public�key�known�by�everyone�– telephone�directory – Privacy�key�is�never�transmitted 11 12
2 How�many�Symmetric�Keys�needed? Motivation�2� Digital�Signature
Administration�Problems: Total Keys n Keys Stored • In�a�secret�key�cryptosystem,�authentication�and� – Adding�new�entities 2 2 1 non�repudiation�may�be�difficult – Removing�existing�entities 3 3 2 4 6 3
– Changing�keys 5 10 4 • Authentication 6 15 5 – You�must�share�a�secret�key�with�someone�in�order�to� 7 21 6
8 28 7 verify�his�signature
9 36 8
10 45 9 • Non�repudiation 11 55 10 – “I�didn’t�sign�it.�You�did�since�you�also�have�the�key” 12 66 11 13 78 12 • Public�key�cryptosystem�solves�the�problem 14 91 13 15 105 14 – Verification�of�signature�needs�only�the�public�key – One�is�solely�responsible�for�his�private�key
13 14
Public�Key�Algorithms Requirements�for�Public�Key�Algorithms
• Public�key�algorithms�covered�in�this�class • It�is�computationally�easy�to� – RSA:�encryption�and�digital�signature – generate�a�(public,�private)�key�pair. – to�generate�a�ciphertext�using�the�public�key. – Diffie�Hellman:�key�exchange – to�decrypt�the�ciphertext�using�the�private�key. – DSA:�digital�signature – to�sign�with�the�private�key. • Number�theory�underlies�most�of�public�key� – to�verify�the�signature�with�the�public�key. algorithms. • It�is�computationally�infeasible�to� – determine�the�private�key�from�the�public�key. – recover�the�message�from�the�ciphertext�and�the�public�key. – forge�a�signature.
15 16
The�Big�Picture The�Basic�Idea • Confidentiality: encipher�using�public�key,� decipher�using�private�key Plain- Plain- • Integrity/authentication: encipher�using�private� text Encryption Ciphertext Decryption text key,�decipher�using�public�key Algorithm INSECURE CHANNEL Algorithm A B Plain- Plain- A B text Encryption Ciphertext Decryption text B's Public Key B's Private Key Algorithm Algorithm RE ‘Signature’ LIA BL E C HA NN EL B's Public Key B's Private Key B's Public Key B 17 AA B18
3 Public�Key�Model Public�Key�Encryption�
19 20
Public�Key�Signatures Use�of�Public�Key�Cryptosystems
• Encryption/decryption – The�sender�encrypts�a�message�with�the�receiver’s�public�key – Only�the�receiver�can�decrypt�the�message. • Digital�signature – The�sender�signs�a�message�with�its�private�key. – Authentication�and�non�repudiation • Key�exchange – Two�sides�cooperate�to�exchange�a�session�key. – Secret�key�cryptosystems�are�often�used�with�the�session�key.
21 22
Goals�of�Public�Key�Cryptanalysis� Public�Key�Cryptanalysis�
• Given�the�public�key,�cipher�text,�signature,�to • Brute�force�attack – Try�all�possible�keys – find�out�the�private�key • Derivation�of�private�key�from�public�key – find�out�the�message�encrypted – Try�to�find�the�relationship�between�the�public�key�and�the� private�key�and�compute�the�private�key�from�the�public�one. – forge�the�signature • Probable�message�attack – The�public�key�is�known. – Encrypt�all�possible�messages – Try�to�find�a�match�between�the�ciphertext�and�one�of�the�above� encrypted�messages. – Example:�Prof.�sends�encrypted�messages�of�letter�grades�to�his� students�based�on�their�public�key.
23 24
4 History�of�Public�Key�Schemes� Revolution�in�Cryptography
• 1976�– Diffie &�Hellman�suggested�the�public�key�model� • Diffie &�Hellman�sought�to�solve�2�problems� for�encryption�and�signatures – Find�a�secure�way�to�distribute�keys�in�the�public • 1976�– Diffie &�Hellman�developed�public�key�protocol� for�key�exchange�based�on�Discrete�Log�Problem – Provide�digital�signature�for�document • 1977� Rivest,�Shamir,�Adelman developed�RSA�public� • Public�key�cryptography�is�based�on�rigorous� key�scheme�for�encryption�and�signatures�based�on�the� mathematical�theory,�rather�than�substitutions�and� Number�Factoring�Problem permutations. • 1980’s� El�Gamal developed�public�key�protocols�for� encryption�and�signatures�based�on�Discrete�Log�Problem • It�is�asymmetric�– requires�two�different�keys:� private�key�&�public�key
25 26
Diffie�Hellman�Key�Exchange�(I) Diffie�Hellman�Key�Exchange�(II)
• Published�in – W.�Diffie and�ME�Hellman,�" New�Directions�in�Cryptography ",� in�IEEE�Transactions�on�Information�Theory,�IT�22�no�6� (November�1976)�p.�644�654� • The�first�public�key�algorithm • Allows�two�users�to�agree�on�a�secret�key�over�public� channel • No�encryption,�decryption,�nor�authentication • What’s�involved? – p is�a�large�prime�number�(about�512�bits),� g < p and� g is�a� primitive�root�of� p. – p and g are�publicly�known
27 28
Diffie�Hellman�Key�Exchange�(III) Diffie�Hellman�Man�in�the�middle
29 30
5 Diffie�Hellman�Example Hard�Number�Theory�Problems
Alice�and�Bob�want�to�establish�a�shared�secret�key • T = gs mod� p • Have�agree�on�the�value� n=353�(prime)�and� g=3 – Given� T, g, p ,�it�is�computationally�infeasible�to�compute�the� • Select�the�random�secret�values: value�of� s (discrete�logarithm)
– Alice�chooses�Xa=97,�Bob�chooses�Xb=233 – This�is�the�basis�of�the�Diffie�Hellman,�El�Gamal,�and�DSS� • Derive�the�public�keys: Public�Key�Schemes. Xa 97 –Ta=� g mod� n =�3 mod�353�=�40�����(Alice’s) • Another�difficult�number�theory�problem,�it�is�to�compute� Xb 233 –Tb=� g mod� n =�3 mod�353�=�248��(Bob’s) the�product�of�two�primes� p and� q to�obtain�n=pq.��But�it�is� • Derive�the�shared�secret�key difficult�to�factor�the�composite�number�n�into�its�two� Xa 97 – K�=�Tb mod� n =�248 mod�353�=�160���(Alice’s) prime�factors�p�and�q. Xb 233 – K�=�Ta mod� n =�40 mod�353�=�160���(Bob’s) – This�is�the�basis�of�the�RSA�Public�Key�scheme
31 32
Diffie�Hellman�Scheme Diffie�Hellman�in�Phone�Book�Mode
• Security�factors • DH�is�subject�to�active�man�in�the�middle�attack� – Discrete�logarithm�very�difficult. because�their�public�key�component�may�be�intercepted� and�substituted – Shared�key�(the�secret)�itself�never�transmitted. • Phone�book�mode�allows�everyone�to�generate�the� • Disadvantages: public�key�component�in�advance�and�publish�them� – Expensive�exponential�operation through�other�reliable�means – Cannot�be�used�to�encrypt�anything. • All�communicating�parties�agree�on�their�common�< g,� – No�authentication,�so�you�can�not�sign�anything. p> • Essential�requirement :�authenticity�of�the�public�key.
33 34
RSA�(Rivest,�Shamir,�Adleman) Number�Factoring
• Published�in – R.�Rivest,�A.�Shamir,�and�L.�Adleman,�" A�Method�for�Obtaining� Digital�Signatures�and�Public�Key�Cryptosystems ",�CACM�21,� pp.�120��126,�Feb.�1978� – The�first�public�key�encryption�and�signature�system • Support�both�public�key�encryption�and�digital�signature. • Assumption/theoretical�basis: – Factorization�of�large�primes�is�hard. • Variable�key�length�(usually�1024�bits). • Variable�plaintext�block�size. – Plaintext�must�be�“smaller” than�the�key. – Ciphertext�block�size�is�the�same�as�the�key�length. How�about�Tomorrow’s�computers?��
35 36
6 Quantum�Computing The�RSA�Algorithm
• A�classical�computer�has�a�memory�made�up�of�bits,�where�each�bit�holds�either� a�one�or�a�zero.�The�device�computes�by�manipulating�those�bits, i.e.�by� • To�generate�key�pair: transporting�these�bits�from�memory�to�(possibly�a�suite�of)�logic�gates�and� back.�A�quantum�computer�maintains�a�set�of�qubits.� – Pick�large�primes� p and� q
• A�qubit can�hold�a�one,�or�a�zero,�or�a�superposition�of�these.�A�quantum� – Let� n =� p*q,�keep� p and� q to�yourself! computer�operates�by�manipulating�those�qubits,�i.e.�by�transporting�these�bits� from�memory�to�(possibly�a�suite�of)�quantum�logic�gates�and�back. – For�public�key,��choose� e that�is�relatively�prime�to� ø(n) =(p-1)(q-1). • Qubits for�a�quantum�computer�can�be�implemented�using�particles�with�two� spin�states:�"up"�and�"down";�in�fact�any�system,�possessing�an�observable� public�key�=�< e,n > quantity�A�which�is�conserved�under�time�evolution�and�such�that A�has�at�least� two�discrete�and�sufficiently�spaced�consecutive�eigenvalues,�is�a�suitable� – For�private�key,�find� d that�is�the�multiplicative�inverse� candidate�for�implementing�a�qubit. of� e mod� ø(n), i.e.,� e*d =�1�mod� ø(n) Information�Source:�Wikipedia – Private�key�=�< d,n>.
37 38
How�Does�RSA�Work? An�Example
• Given�pubKey =�< e, n >�and�privKey =�< d, n > • Choose� p =�7�and� q =�17. • Message�=�m • Compute� n =� p*q= 119 . • Compute� φ(n)=( p�1)( q�1)=96. – encryption:� c =� me mod� n,� m < n • Select� e =�5,�which�is�relatively�prime�to� φ(n). d – decryption:� m =� c mod� n • Compute� d =�_77_ such�that� e*d=1�mod� φ(n). d – signature:� s =� m mod� n,� m <� n • Public�key:�<5,119> – verification:� m =� se mod� n • Private�key:�<77,119> • Message�=�19 • Encryption:�19 5 mod�119�=�66 • Decryption:�66 77 mod�119�=�19.
39 40
Example:�Encryption Example:�Decryption
• p =�7,� q =�11,� n =�77 • Alice�receives� 28 16 44 44 42 • Alice�chooses� e =�17,�making� d =�53 • Alice�uses�private�key,� d = 53 ,�to�decrypt� • Bob�wants�to�send�Alice�secret�message� HELLO message: (07 04 11 11 14) – 28 53 mod�77�=�07 – 07 17 mod�77�=�28 – 16 53 mod�77�=�04 – 04 17 mod�77�=�16 – 44 53 mod�77�=�11 – 11 17 mod�77�=�44 – 44 53 mod�77�=�11 – 11 17 mod�77�=�44 – 42 53 mod�77�=�14 – 14 17 mod�77�=�42 • Alice�translates� 07 04 11 11 14 to� HELLO • Bob�sends� 28 16 44 44 42 – No�one�else�could�read�it,�as�only�Alice�knows�her� private�key�and�that�is�needed�for�decryption 41 42
7 Digital�Signatures�in�RSA Digital�Signatures�in�RSA
• RSA�has�an�important�property,�not�shared�by� Plaintext M’ other�public�key�systems Plaintext ? M Plaintext • Encryption�and�decryption�are�symmetric M M d mod n C e mod n – Encryption�followed�by�decryption�yields�the�original� Ciphertext C message (signature) – (M e mod n) d mod n = M – Decryption�followed�by�encryption� also yields�the� original�message A's Private Key d A's Public Key e – (Md mod n) e mod n = M – Because e and d are�symmetric�in AA RELIABLE CHANNEL BB e*d = 1 mod (p-1)*(q-1) 43 44
Compared�To�Encryption�in�RSA Signature�and�Encryption A B A Encrypted B Plaintext Plaintext Signed Signed Signed M M Plaintext Plaintext Plaintext M e mod n C d mod n Plain- Plain- Ciphertext C text text D E D E AA BB
B's Public Key e B's Private Key d
A's Private B's Public B's Private A's Public RELIABLE CHANNEL Key Key Key Key
45 46
Example:�Sign Example:�Verify
• Take� p =�7,� q =�11,� n =�77� • Bob�receives�35�09�44�44�49 • Alice�chooses� e =�17,�making� d =�53 • Bob�uses�Alice’s�public�key,� e =�17,� n =�77,�to�decrypt� • Alice�wants�to�send�Bob�message�HELLO�(07�04� message: 11�11�14)�so�Bob�knows�it�is�from�Alice,�and�it� – 35 17 mod�77�=�07 has�not�been�modified�in�transit – 09 17 mod�77�=�04 17 – 07 53 mod�77�=�35 – 44 mod�77�=�11 17 – 04 53 mod�77�=�09 – 44 mod�77�=�11 – 49 17 mod�77�=�14 – 11 53 mod�77�=�44 – 11 53 mod�77�=�44 • Bob�translates� 07 04 11 11 14 to� HELLO – 14 53 mod�77�=�49 – (Assume)�only�Alice�has�her�private�key,�so�no�one�else�could� have�been�able�to�create�a�correct�signature • Alice�sends�35�09�44�44�49 – The�(deciphered)�signature�matches�the�transmitted�plaintext,�so
47 the�plaintext�is�not�altered 48
8 Example:�Both Class�Exercise
• Alice�wants�to�send�Bob�message�HELLO�both� 1. Find�primes�p�and�q�so�that�12�bit�plaintext� enciphered�and�signed blocks�could�be�encrypted�with�RSA. – Alice’s�keys:�public�(17,�77);�private:�53 – Bob’s�keys:�public:�(37,�77);�private:�13 2. Decrypt�the�ciphertext C=4�using�RSA�with�the� • Alice�does�(does�she�encipher�first�or�sign�first?) private�key�{d=7,�p=3,�q=7} – (07 53 mod�77) 37 mod�77�=�07 – (04 53 mod�77) 37 mod�77�=�37 – (11 53 mod�77) 37 mod�77�=�44 – (11 53 mod�77) 37 mod�77�=�44 – (14 53 mod�77) 37 mod�77�=�14 • Alice�sends�07�37�44�44�14 • What�would�Bob�do�upon�receiving�the�message?
49 50
Class�Exercise RSA�KEY�SIZE
1. Find�primes�p�and�q�so�that�12�bit�plaintext� • In�August�1999�a�group�using�300�workstations�and�PCs� blocks�could�be�encrypted�with�RSA. was�able�to�factor�512�bit�number�in�7�months. – The�primes�P*Q�must�be�>�or�=�to�2 12 =4096. • RSA�Laboratories�currently�recommends�key�sizes�of� – So�let� P=67 and� Q=71 so�P�x�Q�=� 4,757 1024�bits�for�corporate�use�and�2048�bits�for�extremely� 2. Decrypt�the�ciphertext C=4�using�RSA�with�the� valuable�keys�like�the�root�key�pair�used�by�a�certifying� private�key�{d=7,�p=3,�q=7} authority�(rsasecurity.com) – N=p*q • What�does�an�RSA�155�number�look�like? – N=7*3=21 – M=C^d mod�n�� – M=4^7�mod�21 – M=4�
51 52
RSA�155�Number Finding�Large�Prime�Numbers
10263959282974110577205419657399759007165678080380668 • Good�news 334193352190711307779� – Infinite�number�of�prime�numbers� ☺ * 1066034883801684548209272203600187867920795857598929 • Bad�news 22270608237193062808643.� – The�prime�number�ratio�decreases�as�the�prime�number�gets� = big� � 10941738641570527421809707322040357612003732945449 • Brute�force 20599091384213147634998428893478471799725789126733 1/2 24976257528997818337970765372440271467435315933543 – Try�to�divide�n�by�2,…,n 33897� – Impractical�for�large�number!!! • No�known�practical�method�to�determine�if�a�given�large� number�is�prime� � • However�fast�probabilistic�primality test�exists. That�is,�determine�if�a�larger�number�is�likely�to�be�a�prime.
53 54
9 Finding�Large�Prime�Numbers�(Cont’d) The�Security�of�RSA
• Primality test • Attacks�against�RSA – Randomly�pick�0< a 55 56 The�Security�of�RSA�(Cont’d) RSA�Versus�DES • Factoring�large�integer�is�very�hard! • Fastest�implementations�of�RSA�can�encrypt� • But�if�you�can�factor�big�number� n then�given�public�key� 57 58 Digital�Signature�Standard�(DSS) Efficiency�of�signature�schemes • By�NIST • Related�to�El�Gamal • Use�SHA�(SHA�1)�to�generate�the�hash�value�and� Digital�Signature�Algorithm�(DSA)�to�generate� the�digital�signature. • Faster�for�the�signer,�but�not�for�the�verifier:� Potential�application:�smart�cards 59 60 10 Summary�Key�required�lengths One�way�Hash�Functions • Also�known�as�message�digest� • A�function� H(M) = m satisfies – (Fixed�length): M can�be�of�any�length,�whereas� m is�of� fixed�length – (One�way):�computing� H(M)=m is�easy,�but� computing� H-1(m)=M is�computationally�infeasible – (Collision�free):�in�two�forms • Weak�collision�freedom: given�any� M,�difficult�to�find� another� M’ such�that� H(M)=H(M’) • Strong�collision�freedom: difficult�to�find�any� M and� M’ such�that� H(M)=H(M’) 61 62 Why�Those�Requirements? “Hash�Functions�Broken” ? • Many�applications�store� H(p) instead�of�a�password� • Crypto�2004�Rump�session�reported�attacks�on� p MD4,�MD5�and�SHA�0 – Fixed�length: cannot�guess�the�length�of� p from� H(p) (and – MD4’s�attacks�are�done�by�hands H(p) is�easier�to�store) • Crypto�2005�reported�attacks�on�full�SHA�1 – One�way: the�administrator�cannot�learn� p of�others • Should�we�panic? – Collision�free: cannot�submit�incorrect� p matching� H(p) • Most�applications�sign� H(M) instead�of� M 63 Xiaoyun Wang ’s webpage: http://www.infosec.sdu.edu.cn/people/wangxiaoyun.htm 64 “Hash�Functions�Broken” ?�(Cont’d) MESSAGE�AUTHENTICATION�CODES • Nature�of�the�results – Algorithm�that�finds�collision�faster�than�theoretic�bound� INSECURE CHANNEL • MD5�about�one�hour;�SHA�1�2 63 vs 280� (theoretically) Plaintext + MAC Plain- Yes/No – Yes,�the�results�disprove�those�functions�to�be�strong� text collision�free MAC Verification Algorithm M Algorithm V – No,�they�do�not�give�you�a�password�from�its�hash • Brute�force�attacks�do�(refer�to� http://passcracking.com/) A B • Whether�you�should�panic�or�not�depends�on�what� A B you�use�the�hash�functions�for K K MAC = MD of plaintext + K Xiaoyun Wang ’s webpage: http://www.infosec.sdu.edu.cn/people/wangxiaoyun.htm 65 66 11 Hash�Functions�Vs�MAC HMAC • Send�a�message�M�together�with�its�hash� h=H(M) ,� • HMAC�is�a�keyed�hash�message�authentication�code,�which� so�the�recipient�can�verify�M�by�comparing� H(M) is�a�type�of�message�authentication�code�(MAC) with�the�received� h • As�with�any�MAC,�it�may�be�used�to�simultaneously�verify� – Attack: If�anyone�in�the�middle�can�replace� M with� M’ both�the�data�integrity�and�the�authenticity�of�a�message. and� h with�h’=H(M’),�the�recipient�won’t�detect�this • Keyed�hash�functions • h : hash�function� – Also�known�as�message�authentication�codes�(MAC) • K :�a�secret�key� k padded�with�extra�0’s�to�the�block�size�of� the�hash�function – Example: DES�in�CBC�mode:�use�a�key�to�encipher� message�in�CBC�mode�and�use�last� n bits�as�the�MAC� • opad =0x5c5c..5c5c�(outer�padding�)and value. • ipad =0x3636..3636�( inner padding) are two one-block– long hexadecimal constants. 67 • ⊕ exclusive�or,�||�concatenation 68 Example�of�HMAC�use Key�Points • A�pizza�restaurant�that�suffers�from�attackers�that� • Public�key�cryptosystems�has�two�keys place�bogus�Internet�orders�may�insist�that�all�its� • Diffie�Hellman�exchanges�secret�key�via�insecure� customers�deposit�a�secret�key�with�the�restaurant.� channel Along�with�an�order,�a�customer�must�supply�the� • RSA�can�be�used�for�confidentiality�and�integrity order's�HMAC�digest,�computed�using�the� customer's�secret�key.�The�restaurant,�knowing�the� • Cryptographic�Checksums�are�keyed�hash�functions customer's�secret�key,�can�then�verify�that�the�order� originated�from�the�stated�customer�and�has�not� been�tampered�with.� (wiki example) 69 70 12