
CNS Lecture 9
Security through mathematics
• more public key crypto
  – ECC
• Applied crypto
  – ssh
  – pgp
  – PKI
Assignment 8 due 10/28/06

You are here …
Attacks & Defenses
• Risk assessment
• Viruses
• Unix security
• authentication
• Network security (Firewalls, vpn, IPsec, IDS)
• Forensics
Cryptography
• Random numbers
• Hash functions (MD5, SHA, RIPEMD)
• Classical + stego
• Number theory
• Symmetric key (DES, Rijndael, RC5)
• Public key (RSA, DSA, D-H, ECC)
Applied crypto
• SSH
• PGP
• S/Mime
• SSL
• Kerberos
• IPsec
• Crypto APIs
• Coding securely

Public key crypto
• Diffie-Hellman key establishment
  – Discrete logs, $X = g^x \bmod p$
• RSA
  – Factoring integers, $n = pq$, $c = m^e \bmod n$
• DSS
  – Discrete logs, sign only
• ECC
BIG integers (1000-bit)

OpenSSL
• genrsa, gendh, gendsa -- generate keys
    genrsa -des3 -out ca.key 1024
• rsautl -- encrypt/decrypt sign/verify
• Plus the hash (md5, sha) and encrypt (AES, DES) commands
• API for doing rand, big numbers, find prime, D-H, encrypt/decrypt, sign/verify

ECC – elliptic curve cryptography
• Based on elliptic curve arithmetic (old field of mathematics)
• Form of public key encryption
  – More security per bit than any other public key crypto
  – Efficient hardware implementations
  – Suitable for cryptocards, cell phones, PDAs
  – Free software (few? licensing restrictions)
  – Strength not based on factoring (just in case ☺)
  – Strength/operation similar to Diffie-Hellman
  – Mathematics more complex than RSA/D-H, so smaller keys and faster (10x) in hardware

Stacking balls
• Great moments in elliptic curves
• How many balls do you need to stack in the arrangement 1 on top of 4 on top of 9 on top of 16 …, that is $1^2 + 2^2 + 3^2 + 4^2 + \dots + x^2$, so that they form a perfect square when collapsed?
  The sum is $x(x+1)(2x+1)/6$
  So you want $y^2 = (2x^3 + 3x^2 + x)/6$, an elliptic curve!
  Lots of (x,y) solutions, including negative and fractional tennis balls, but only two solutions in whole tennis balls! ☺
  (1,1) or (24,70): 4900 balls in a pyramid 24 balls high, or 70 by 70 square

Elliptic curves
• Elliptic curves are NOT ellipses
• Described by cubic equations of the form $y^2 = x^3 + ax + b$, written E(a,b)
  P = (x,y) is a point on the curve if (x,y) is in E(a,b)
  -P = (x, -y)
  forms a group over addition if $(4a^3 + 27b^2) \neq 0$
  there is an additive identity O
• Addition over E(a,b) (geometric)
  P + Q where P and Q are points in E(a,b)
  Draw a line through P and Q; where the line intersects the curve at a third point, the result R is the mirror image (reflection) of that point
  Algebraically
    $x_R = \lambda^2 - x_P - x_Q$
    $y_R = -y_P + \lambda(x_P - x_R)$
    where $\lambda = (y_Q - y_P)/(x_Q - x_P)$

Elliptic curve addition
• To double a point, P + P = 2P = R: (geometric) draw a tangent to P, its reflection is R
• Multiplication is defined as repeated additions, nP = P + P + … + P
• Algebraically
    $x_R = \left(\frac{3x_P^2 + a}{2y_P}\right)^2 - 2x_P$
    $y_R = \left(\frac{3x_P^2 + a}{2y_P}\right)(x_P - x_R) - y_P$
(Certicom's ECC tutorial)

Elliptic curves over Zp
Equations of form (prime curves) $y^2 \bmod p = (x^3 + ax + b) \bmod p$, written $E_p(a,b)$
forms a group over addition if $(4a^3 + 27b^2) \bmod p \neq 0$ (p is a BIG prime)
Variables and coefficients are in the set of integers [0 … p-1]
Rules for addition:
    $x_R = (\lambda^2 - x_P - x_Q) \bmod p$
    $y_R = (\lambda(x_P - x_R) - y_P) \bmod p$
    where $\lambda = ((y_Q - y_P)/(x_Q - x_P)) \bmod p$ if P ≠ Q
    or $\lambda = ((3x_P^2 + a)/(2y_P)) \bmod p$ if P = Q
Example: $E_{23}(1,1)$
    $y^2 = x^3 + x + 1 \bmod 23$
For real crypto, BIG integers (160 bits)

ECC encryption
• $E_q(a,b)$ and point G are published
• each user selects random private key $n_a$, public key is $K_a = n_a G$
• encode message as a point M on the curve (tricky but doable, PKCS #13)
• Alice encrypts M to Bob using Bob's public key $K_b$
  generate random r, send the following message to Bob
    $C_m = \{X, Y\}$ where $X = rG$ and $Y = M + rK_b$
• Bob decrypts by calculating
    $Y - n_b X = M + rK_b - n_b rG = M + r n_b G - n_b rG = M$
• Easy to calculate X = rG; attacker has to find r given X and G -- real hard for large 160-bit primes!
  – Sort of discrete logarithm problem for elliptic curves
  – Repeated additions (rather than multiplications as in D-H)
  – Best method to find k given X, use Pollard Rho method, exponential time algorithm with complexity $O(\sqrt{n})$

ECC discrete logs
In the elliptic curve group defined by $y^2 = x^3 + 9x + 17$ over $F_{23}$, what is the discrete logarithm k of Q = (4,5) to the base P = (16,5)?
One (brute force) way to find k is to compute multiples of P until Q is found. The first few multiples of P are:
    P = (16,5)   2P = (20,20)   3P = (14,14)   4P = (19,20)   5P = (13,10)
    6P = (7,3)   7P = (8,7)   8P = (12,17)   9P = (4,5)
Since 9P = (4,5) = Q, the discrete logarithm of Q to the base P is k = 9.
In a real application, k and the modulus would be large enough (e.g. 160 bits) such that it would be infeasible to determine k in this manner.

ECC key establishment
D-H equivalent, though 5 to 10 times faster.
n "additions" rather than n multiplications
The "generator", base point, G, has a high order, nG = 0 (n is large)
Algorithms/encodings:
• PKCS 13
• ANSI X9.62 X9.63
• ECDH in OpenSSL (ssl)

ECC digital signatures
• TLS and OpenSSL ECDSA
• Algorithm like DSA, generate a verifier of the hash of message
• Sign:
  – Given equation info $E_p(a,b)$ and base point G of order n
  – given message hash h
  – Given Alice's private/public key $k_A$ and $Q_A$ (where $Q_A = k_A G$)
  – Generate big random integer z and point on curve Z = zG = (x,y)
  – set $r = x \bmod n$ and $s = z^{-1}(h + rk_A) \bmod n$
  – Send message and verifier pair r and s
• Verify
  – Regenerate hash h', calculate $u_1 = h's^{-1}$ and $u_2 = rs^{-1} \bmod n$
  – Calculate point on curve $Z' = u_1 G + u_2 Q_A$
    Z' == Z if h == h' (verified hash the same)
    $u_1 G + u_2 Q_A = h's^{-1}G + rs^{-1}k_A G = h'z(h + rk_A)^{-1}G + rz(h + rk_A)^{-1}k_A G = zG\,(h + rk_A)^{-1}(h' + rk_A) = zG$
    a point (x', y'); signature valid if x' mod n == r

Elliptic curves over GF(2^m)
polynomial arithmetic (again!), cubic equation where variables and coefficients are all in $GF(2^m)$ (m = 160 for today's crypto)
    $y^2 + xy = x^3 + ax^2 + b$ (group if b is non-zero)
Rules for addition: (uses polynomial arithmetic)
  P ≠ Q:
    $x_R = \lambda^2 + \lambda + x_P + x_Q + a$
    $y_R = \lambda(x_P + x_R) + x_R + y_P$
    where $\lambda = (y_Q + y_P)/(x_Q + x_P)$
  P = Q:
    $x_R = \lambda^2 + \lambda + a$
    $y_R = x_P^2 + (\lambda + 1)x_R$
    where $\lambda = x_P + y_P/x_P$
• Efficient in hardware (add is XOR, multiply is shifts and XORs)
Orthonormal basis is even faster in hardware for squaring (just a rotate).
(Certicom's ECC tutorial)

Poly arithmetic over GF(2^4)
• Mod irreducible polynomial $(x^4 + x + 1)$
• Elements of set are {0000, 0001, 0010, 0011, … 1111}
• Addition and subtraction just XOR
• Multiplication is done mod $x^4 + x + 1$
• generator g (e.g. 0010) is an element whose powers $g^i$ generate the entire set
    g^0 = (0001)   g^1 = (0010)   g^2 = (0100)   g^3 = (1000)
    g^4 = (0011)   g^5 = (0110)   g^6 = (1100)   g^7 = (1011)
    g^8 = (0101)   g^9 = (1010)   g^10 = (0111)  g^11 = (1110)
    g^12 = (1111)  g^13 = (1101)  g^14 = (1001)  g^15 = (0001)
• Multiplicative inverse of $g^i$ is $g^{-i \bmod 15}$
    $g^7 = 1011$, $g^{-7 \bmod 15} = g^8 = 0101$; to check, does 1011 x 0101 = 0001 ?
    $(x^3 + x + 1)(x^2 + 1) \bmod (x^4 + x + 1)$
    $x^5 + x^2 + x + 1$ (divide by $x^4 + x + 1$), get remainder of 1, so $g^7$ is multiplicative inverse of $g^8$

ECC over GF(2^4) -- example
• Irreducible polynomial $x^4 + x + 1$, generator g = (0010), powers of g as in the table above
• Elliptic curve $y^2 + xy = x^3 + g^4x^2 + 1$
Is $(g^5, g^3)$ a point on the curve?
    $(g^3)^2 + g^5 g^3 = (g^5)^3 + g^4 (g^5)^2 + 1$
    $g^6 + g^8 = g^{15} + g^{14} + 1$
    (1100) + (0101) = (0001) + (1001) + (0001)
    (1001) = (1001)

ECC challenge
• Certicom challenge over Zp and/or over GF(2^m)
    Challenge   End Date         Elliptic Curve Operations   Iterations per second   Machine Days
    ECC2-79     Dec. 16, 1997    1.7 x 10^12                 170000                  116
    ECC2-89     Feb. 9, 1998     1.8 x 10^13                 187000                  1114
    ECC2-95     May 21, 1998     2.2 x 10^13                 149000                  1709
    ECC2-109    April 27, 2004   2600 computers, 17 months
    ECCp-79     Dec. 6, 1997     1.4 x 10^12                 314000                  52
    ECCp-89     Jan. 12, 1998    2.4 x 10^13                 388000                  716
    ECCp-97     Mar.

Using ECC
• Excellent for hardware implementations
• OpenSSL supports ECC in the API and at the command level
  – ECDH and ECDSA over either GF(p) or GF(2^m)
  – Lots of different curves with different strengths (160 to 571 bits)
  – API includes routines for encoding/conversion and SSL/TLS support
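An added example, not taken from the lecture slides: the prime-curve addition rules from "Elliptic curves over Zp" written out in Python, used to reproduce the brute-force search from "ECC discrete logs" and the sign/verify steps from "ECC digital signatures". The signature steps need a base point of prime order, so they assume a separately constructed toy curve, $y^2 = x^3 + 2x + 2$ over $F_{17}$ with G = (5,1) and n = 19; all function names and sample values are this example's own.

```python
# Added example: toy parameters only, far too small for real use.
SLIDE = dict(a=9, p=23)  # y^2 = x^3 + 9x + 17 over F23 (from the slides), P = (16, 5)
TOY = dict(a=2, p=17)    # constructed: y^2 = x^3 + 2x + 2 over F17, G = (5, 1), n = 19
O = None                 # point at infinity, the additive identity

def add(P, Q, a, p):
    """P + Q on y^2 = x^3 + ax + b (mod p), following the slides' rules."""
    if P is O or Q is O:
        return Q if P is O else P
    (xp, yp), (xq, yq) = P, Q
    if xp == xq and (yp + yq) % p == 0:
        return O                                   # Q = -P (includes y = 0)
    if P == Q:
        lam = (3 * xp * xp + a) * pow(2 * yp % p, -1, p) % p
    else:
        lam = (yq - yp) * pow((xq - xp) % p, -1, p) % p
    xr = (lam * lam - xp - xq) % p
    return xr, (lam * (xp - xr) - yp) % p

def mul(k, P, a, p):
    """kP as repeated addition, done by double-and-add."""
    R = O
    while k:
        if k & 1:
            R = add(R, P, a, p)
        P, k = add(P, P, a, p), k >> 1
    return R

def dlog(Q, P, a, p):
    """Brute-force k with kP = Q by walking P, 2P, 3P, ..."""
    R, k = P, 1
    while R != Q:
        if R is O:
            raise ValueError("Q is not a multiple of P")
        R, k = add(R, P, a, p), k + 1
    return k

def sign(h, k_a, z, G, n, a, p):
    """Signing step: r = x mod n, s = z^-1 (h + r k_A) mod n, with zG = (x, y)."""
    r = mul(z, G, a, p)[0] % n
    return r, pow(z, -1, n) * (h + r * k_a) % n

def verify(h, r, s, Q_a, G, n, a, p):
    """Accept iff Z' = u1 G + u2 Q_A has x' mod n == r."""
    if not (0 < r < n and 0 < s < n):
        return False
    w = pow(s, -1, n)
    Z = add(mul(h * w % n, G, a, p), mul(r * w % n, Q_a, a, p), a, p)
    return Z is not O and Z[0] % n == r
```

Here z is passed in so the result is reproducible; a real signer draws a fresh random z for every signature and retries if r or s comes out as 0.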
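An added example, not taken from the lecture slides: the GF(2^4) arithmetic from "Poly arithmetic over GF(2^4)" and the binary-curve addition rules from "Elliptic curves over GF(2^m)", applied to the slides' curve $y^2 + xy = x^3 + g^4x^2 + 1$. Field elements are 4-bit integers; the function names are this example's own.

```python
# Added example: GF(2^4) field and binary-curve arithmetic with the slides' parameters.
MOD = 0b10011            # irreducible polynomial x^4 + x + 1
G = 0b0010               # generator g
A, B = 0b0011, 0b0001    # curve y^2 + xy = x^3 + g^4 x^2 + 1 (a = g^4, b = 1)
O = None                 # point at infinity

def gf_mul(a, b):
    """Multiply two 4-bit polynomials: shifts and XORs, reduced mod MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a & 0b10000:
            a ^= MOD
    return r

def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r

def gf_inv(a):
    """Inverse of g^i is g^(-i mod 15), i.e. a^14 for any non-zero a."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    return gf_pow(a, 14)

def on_curve(P):
    x, y = P
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_pow(x, 3) ^ gf_mul(A, gf_mul(x, x)) ^ B

def ec_add(P, Q):
    """Addition rules for y^2 + xy = x^3 + ax^2 + b; add and subtract are XOR."""
    if P is O or Q is O:
        return Q if P is O else P
    (xp, yp), (xq, yq) = P, Q
    if P != Q:
        if xp == xq:
            return O                      # Q = -P = (x, x + y)
        lam = gf_mul(yq ^ yp, gf_inv(xq ^ xp))
        xr = gf_mul(lam, lam) ^ lam ^ xp ^ xq ^ A
        return xr, gf_mul(lam, xp ^ xr) ^ xr ^ yp
    if xp == 0:
        return O                          # doubling a point with x = 0
    lam = xp ^ gf_mul(yp, gf_inv(xp))
    xr = gf_mul(lam, lam) ^ lam ^ A
    return xr, gf_mul(xp, xp) ^ gf_mul(lam ^ 1, xr)
```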