CS 134 Fall 2016 Midterm Review 1 - PowerPoint PPT Presentation



CS 134 Fall 2016 Midterm Review

Computer Security: The Cast of Characters

  • Your Computer/Phone/Tablet
  • Attacker or Adversary: can be individuals, organizations, nations …
  • Your data: financial, health records, intellectual property …

Network Security: The Cast of Characters

  • Alice and Bob, talking over a communication channel
  • Eve(sdropper), listening on that channel

Terminology (Cryptography)

  • Cryptology, Cryptography, Cryptanalysis
  • Cipher, Cryptosystem, Encryption scheme
  • Encryption/Decryption, Encipher/Decipher
  • Privacy/Confidentiality, Authentication, Identification
  • Integrity
  • Non-repudiation
  • Freshness, Timeliness, Causality
  • Intruder, Adversary, Interloper, Attacker
  • Anonymity, Unlinkability/Untraceability
Terminology (Security)

  • Access Control & Authorization
  • Accountability
  • Intrusion Detection
  • Physical Security
  • Tamper-Resistance
  • Certification & Revocation
Attacks, Services and Mechanisms

  • Security Attack: Any action (or event) that aims to compromise (undermine) the security of information
  • Security Mechanism: A measure (technique or method) designed to detect, prevent, or recover from, a security attack
  • Security Service: something that enhances the security of data processing systems and information transfers. A “security service” makes use of one or more “security mechanisms”
  • Example:

– Security Attack: Eavesdropping (Interception)
– Security Mechanism: Encryption
– Security Service: Confidentiality

Security Attacks

  • Interruption: attack on availability
  • Interception: attack on confidentiality
  • Modification: attack on integrity
  • Fabrication: attack on authenticity
Main Security Goals

Integrity, Confidentiality, Availability, Authenticity

Security Threats: Threat vs Attack?

By Injection / By Deletion

Example Security Services

  • Confidentiality: to assure information privacy and secrecy
  • Authentication: to assert who created or sent data
  • Integrity: to show that data has not been altered
  • Access control: to prevent misuse of resources
  • Availability: to offer access to resources, permanence, non-erasure

Examples of attacks on Availability:

– Denial of Service (DoS) Attacks, e.g., against a name server
– Malware that deletes or encrypts files

Some Methods of Defense

  • Cryptography → confidentiality, authentication, identification, integrity, etc.
  • Software Controls (e.g., in databases, operating systems) → protect users from each other
  • Hardware Controls (e.g., smartcards, badges) → authenticate holders (users)
  • Policies (e.g., frequent password changes, separations of duty) → prevent insider attacks
  • Physical Controls (doors, guards, etc.) → control physical access

Cryptography can be used at different levels

  • Algorithms: encryption, signatures, hashing, Random Number Generator (RNG)
  • Protocols (2 or more parties): key distribution, authentication, identification, login, payment, etc.
  • Systems: electronic cash, secure filesystems, smartcards, VPNs, e-voting, etc.
  • Attacks: on all the above
Types of Attainable Security

  • Perfect, unconditional or “information theoretic”: the security is evident, free of any (computational/hardness) assumptions
  • Reducible or “provable”: security can be shown to be based on some common (often unproven) assumptions, e.g., the conjectured difficulty of factoring large integers
  • Ad hoc: the security seems good, often -> “snake oil”…

Take a look at:

http://www.ciphersbyritter.com/GLOSSARY.HTM

Some Applications of Cryptography

  • Network, operating system security
  • Protect Internet, phone, space communication
  • Electronic payments (e-commerce)
  • Database security
  • Software/content piracy protection
  • Pay TV (e.g., satellite)
  • Military communications
  • Voting
Historical (Primitive) Ciphers

  • Shift (e.g., Caesar): Enc_k(x) = x + k mod 26
  • Affine: Enc_{k1,k2}(x) = k1·x + k2 mod 26
  • Substitution: Enc_perm(x) = perm(x)
  • Vigenere: Enc_K(X) = ( X[0]+K[0], X[1]+K[1], … )
  • Vernam: One-Time Pad (OTP)
VERNAM One-Time Pad (OTP): World’s Best Cipher

  • Plaintext: {p_1, …, p_n}
  • One-time pad stream: {t_1, …, t_n}
  • Ciphertext: {c_1, …, c_n}, where c_i = p_i ⊕ t_i for 1 ≤ i ≤ n
  • Decryption: p_i = c_i ⊕ t_i, because A ⊕ B = C implies C ⊕ B = A

VERNAM One-Time Pad (OTP): World’s Best Cipher

  • Vernam offers perfect information-theoretic security, but:
  • How long does the OTP keystream need to be?
  • How do Alice and Bob exchange the keystream?
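The historical ciphers listed above and the Vernam OTP, as an added Python example (not code from the course). The A=0..Z=25 letter mapping, the byte-wise XOR for the pad, and the pad-reuse check are assumptions of this example, not from the slides:

```python
"""Historical ciphers from the review slides, plus the one-time pad.
Assumptions: letters map to 0..25 (A=0), non-letters are dropped, and the
OTP works on bytes with XOR as the slide's c_i = p_i XOR t_i."""
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def _nums(text):
    # Map letters to 0..25, ignoring anything that is not a letter.
    return [ALPHABET.index(ch) for ch in text.upper() if ch in ALPHABET]

def _text(nums):
    return "".join(ALPHABET[n % 26] for n in nums)

def shift_encrypt(x, k):
    # Shift (Caesar): Enc_k(x) = x + k mod 26
    return _text(n + k for n in _nums(x))

def shift_decrypt(y, k):
    return _text(n - k for n in _nums(y))

def affine_encrypt(x, k1, k2):
    # Affine: Enc_{k1,k2}(x) = k1*x + k2 mod 26. k1 must be invertible mod 26,
    # otherwise two plaintext letters collide and decryption is impossible.
    _ = pow(k1, -1, 26)          # raises ValueError if gcd(k1, 26) != 1
    return _text(k1 * n + k2 for n in _nums(x))

def affine_decrypt(y, k1, k2):
    inv = pow(k1, -1, 26)
    return _text(inv * (n - k2) for n in _nums(y))

def substitution_encrypt(x, perm):
    # Substitution: Enc_perm(x) = perm(x); perm is a 26-letter permutation string.
    assert sorted(perm) == list(ALPHABET), "perm must be a permutation of A..Z"
    return "".join(perm[n] for n in _nums(x))

def substitution_decrypt(y, perm):
    return _text(perm.index(ch) for ch in y.upper() if ch in ALPHABET)

def vigenere_encrypt(x, key):
    # Vigenere: Enc_K(X) = (X[0]+K[0], X[1]+K[1], ...), the key repeats.
    k = _nums(key)
    return _text(n + k[i % len(k)] for i, n in enumerate(_nums(x)))

def vigenere_decrypt(y, key):
    k = _nums(key)
    return _text(n - k[i % len(k)] for i, n in enumerate(_nums(y)))

def otp_keystream(nbytes):
    # One-time pad stream {t_1..t_n}: as long as the message, truly random, used once.
    return secrets.token_bytes(nbytes)

def otp_xor(data, pad):
    # c_i = p_i XOR t_i, and p_i = c_i XOR t_i (A XOR B = C, C XOR B = A).
    if len(pad) < len(data):
        raise ValueError("pad shorter than message: keystream must be at least as long")
    return bytes(d ^ t for d, t in zip(data, pad))

def otp_reuse_leak(c1, c2):
    # Why the pad is one-time: XOR of two ciphertexts under the same pad cancels
    # the pad and leaves p1 XOR p2, which depends only on the two plaintexts.
    return bytes(a ^ b for a, b in zip(c1, c2))
```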
Cryptosystems

Classified along three dimensions:

  • Type of operations used for transforming plaintext into ciphertext
– Binary arithmetic: shifts, XORs, ANDs, etc. (typical for conventional encryption)
– Integer arithmetic (typical for public key encryption)
  • Number of keys used
– Symmetric or conventional (single key used)
– Asymmetric or public-key (2 keys: 1 to encrypt, 1 to decrypt)
  • How plaintext is processed:
– One bit at a time
– A string of any length
– A block of bits

Conventional (Symmetric) Cryptography

  • Alice and Bob share a key K_AB which they somehow agree upon (how?)
  • key distribution / key management problem
  • ciphertext is roughly as long as plaintext
  • examples: Substitution, Vernam OTP, DES, AES

Figure: plaintext m → encryption algorithm (key K_AB) → ciphertext K_AB(m) → decryption algorithm (key K_AB) → plaintext m = K_AB(K_AB(m))

Uses of Conventional Cryptography

  • Message transmission (confidentiality):
– Communication over insecure channels
  • Secure storage: crypt on Unix
  • Strong authentication: proving knowledge of a secret without revealing it:
– See next slide
– Eve can obtain chosen <plaintext, ciphertext> pair
– Challenge should be chosen from a large pool
  • Integrity checking: fixed-length checksum for message via secret key cryptography
– Send MAC along with the message: MAC = H(m, K)

Challenge-Response Authentication Example

Alice and Bob share K_AB.

  • Alice → Bob: challenge r_a
  • Bob → Alice: reply K_AB(r_a), together with challenge r_b
  • Alice → Bob: reply K_AB(r_b)

Conventional Cryptography

  • Advantages
– high data throughput
– relatively short key size
– primitives to construct various cryptographic mechanisms
  • Disadvantages
– key must remain secret at both ends
– key must be distributed securely and efficiently
– relatively short key lifetime
Generic Example of Block Encryption

(figure)

Classic Feistel Network

“Round Keys” are generated from the original key via a subkey generation algorithm

Feistel Cipher Structure

  • Block Size: larger block sizes mean greater security
  • Key Size: larger key size means greater security
  • Number of Rounds: multiple rounds offer increasing security
  • Subkey Generation Algorithm: greater complexity will lead to greater difficulty of cryptanalysis
  • Fast Software En/De-cryption: speed of execution of the algorithm becomes a concern

Block Ciphers

  • Originated with early 1970's IBM effort to develop banking security systems
  • First result was Lucifer, most common variant has 128-bit key and block size
  • Was not secure in any of its variants
  • Called a Feistel or product cipher
  • F()-function is a simple transformation, does not have to be reversible
  • Each step is called a round; the more rounds, the greater the security (to a point)
  • Most famous example of this design is DES
Conventional Encryption Standard

  • Data Encryption Standard (DES)
  • Most widely used encryption method (AES is probably taking over by now)
  • Block cipher (in native ECB mode)
  • Plaintext processed in 64-bit blocks
  • Key is 56 bits

Data Encryption Standard (DES) Summary

  • Permutation/substitution block cipher
  • 64-bit data blocks
  • 56-bit keys (8 parity bits)
  • 16 rounds (shifts, XORs)
  • Key schedule
  • S-box selection secret …
  • DES “aging”
  • 2-DES: rendezvous attack
  • 3-DES: 112-bit security
  • DESx : 118-bit security

Basic Structure of DES

(figure)

Encryption vs Decryption in DES

(figure)

DES System

Encryption Process (figure): 64-bit plaintext → Initial Permutation → 32-bit L0 and 32-bit R0 → round 1: F(R0, K1), XOR → L1, R1 → … → L15, R15 → round 16: F(R15, K16), XOR → L16, R16 → Final Permutation → 64-bit ciphertext

Key Schedule (figure): 64-bit key → Permuted Choice 1 → 56-bit key as 28-bit C0 and 28-bit D0 → shifts (left shift for encryption, right shift for decryption) give C1, D1, …, C16, D16 → Permuted Choice 2 → round keys K1, …, K16 (48 bits each)

Breaking DES (Cryptanalysis)

DES Key size = 56 bits

  • Brute force = 2^55 attempts on avg
  • Differential cryptanalysis → 2^47 chosen plaintexts
  • Linear cryptanalysis → 2^47 known plaintexts
  • Longer than 56 bit keys do not make it any stronger
  • More than 16 rounds do not make it any stronger
  • DES Key Problems:
– Weak keys (all 0s, all 1s, a few others)
– Key size = 56 bits = 8 * 7-bit ASCII
– Alphanumeric-only password converted to uppercase: 8 * ~5-bit chars = 40 bits

Breaking DES (Cryptanalysis)

Differential Cryptanalysis

  • Looks for correlations in F()-function input and output

Linear Cryptanalysis

  • Looks for correlations between key and cipher input and output

Related-key Cryptanalysis

  • Looks for correlations between key changes and cipher input/output

Differential cryptanalysis discovered in 1990; virtually all block ciphers from before that time are vulnerable... ... except DES. IBM (and the NSA) knew about it 15 years earlier

Modes of Operation (not just for DES, for any block cipher)

Figure: ENCRYPTION of plaintext blocks P1, P2, …, Pi, Pi+1, …, Pn-1, Pn into ciphertext blocks C1, C2, …, Ci, Ci+1, …, Cn-1, Cn

http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

"Native” ECB Mode

Electronic Code-Book (ECB) Mode

  • Input to encryption algorithm is current plaintext block:

C_i = E(K, P_i)    P_i = D(K, C_i)

  • Duplicate plaintext blocks (patterns) visible in ciphertext
  • What if Alice encrypts one word per plaintext block?
  • Ciphertext block rearrangement is possible
  • To detect it, need explicit block numbering in plaintext
  • Parallel encryption and decryption (random access)
  • Error in one ciphertext block → one-block loss
  • One-block loss in ciphertext?

CBC Mode

Cipher-Block Chaining (CBC) Mode

  • Input to encryption algorithm is the XOR of current plaintext block and preceding ciphertext block:

C_i = E(K, P_i XOR C_{i-1}),  C_0 = IV    P_i = D(K, C_i) XOR C_{i-1}

  • Duplicate plaintext blocks (patterns) NOT exposed
  • Block rearrangement is detectable
  • No parallel encryption
  • How about parallel decryption?
  • Error in one ciphertext block → two-block loss
  • One-block ciphertext loss?

OFB Mode

Output Feedback (OFB) Mode

  • Key-stream is produced by repeated encryption of V_0, i.e., V_i = E(K, V_{i-1}):

C_i = E(K, V_{i-1}) XOR P_i,  V_0 = IV    P_i = E(K, V_{i-1}) XOR C_i

  • Duplicate plaintext blocks (patterns) NOT exposed
  • Block rearrangement is detectable
  • Key-stream is independent of plaintext
  • How does that affect speed of encryption? Parallelism?
  • Bit error in one ciphertext block → one-bit error in plaintext
  • One-block ciphertext loss → big mess
  • Can encrypt less than block size

CFB Mode

Cipher Feedback (CFB) Mode

  • Key-stream is produced by re-encryption of preceding ciphertext C_{i-1}:

C_i = P_i XOR E(K, C_{i-1}),  C_0 = IV    P_i = E(K, C_{i-1}) XOR C_i

  • Duplicate plaintext blocks (patterns) NOT exposed
  • Block rearrangement is detectable
  • Key-stream is dependent on plaintext
  • How does that affect speed of encryption? Parallelism?
  • Bit error in one ciphertext block → one-bit + one-block loss in plaintext
  • Adversary can still selectively flip/change bits
  • One-block ciphertext loss → 1-extra-block loss
  • Can encrypt less than block size

CTR Mode

Counter (CTR) Mode

  • Key-stream is produced by encrypting an increasing counter:

C_i = E(K, CTR_i) XOR P_i,  CTR_i = CTR_{i-1} + 1    P_i = E(K, CTR_i) XOR C_i

  • Duplicate plaintext blocks (patterns) NOT exposed, unless?
  • Block rearrangement is detectable
  • Key-stream is independent of plaintext
  • Parallel encryption and decryption (random access)
  • Bit error in one ciphertext block → one-bit error in plaintext
  • One-block ciphertext loss → big mess
  • Can encrypt less than block size

MAC Mode

Message Authentication Code (MAC) Mode

  • Encryption is the same as in CBC mode, but, ciphertext is NOT sent!

C_i = E(K, P_i XOR C_{i-1}),  C_0 = IV

What is sent or stored: P_1, …, P_n, C_n = MAC. Receiver recomputes C_n with K and compares.

  • Any change in plaintext results in unpredictable changes in MAC
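The Feistel structure (slides 24-26) and the ECB, CBC, CTR and MAC modes above, as one added Python example (not code from the course). The cipher is a constructed toy: 64-bit blocks, SHA-256 as the non-invertible round function, a hash-derived key schedule, no padding; it is not DES and is only here to make the modes' properties observable:

```python
"""Toy Feistel block cipher plus ECB, CBC, CTR and CBC-MAC, with checks for the
properties the slides list (ECB pattern leak, CBC two-block error, CTR one-bit error).
Assumptions: 8-byte blocks, 16 rounds, SHA-256 as F, inputs a multiple of 8 bytes
for ECB/CBC (no padding). Not a real cipher."""
import hashlib

BLOCK = 8          # 64-bit blocks, like DES
ROUNDS = 16

def round_keys(key: bytes):
    # Subkey generation: 16 round keys derived from the master key (assumed construction).
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(ROUNDS)]

def F(half: bytes, k: bytes) -> bytes:
    # Round function: need not be reversible (the slides' point), so a hash is fine.
    return hashlib.sha256(k + half).digest()[:4]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block: bytes, keys) -> bytes:
    # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i). The final swap makes the
    # same routine decrypt when fed the round keys in reverse order.
    L, R = block[:4], block[4:]
    for k in keys:
        L, R = R, _xor(L, F(R, k))
    return R + L

def E(key, block):
    return feistel(block, round_keys(key))

def D(key, block):
    return feistel(block, round_keys(key)[::-1])

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):          # C_i = E(K, P_i)
    return b"".join(E(key, p) for p in _blocks(pt))

def ecb_decrypt(key, ct):          # P_i = D(K, C_i)
    return b"".join(D(key, c) for c in _blocks(ct))

def cbc_encrypt(key, iv, pt):      # C_i = E(K, P_i XOR C_{i-1}), C_0 = IV
    out, prev = [], iv
    for p in _blocks(pt):
        prev = E(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):      # P_i = D(K, C_i) XOR C_{i-1}
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(D(key, c), prev))
        prev = c
    return b"".join(out)

def ctr_crypt(key, nonce_ctr, data):
    # C_i = E(K, CTR_i) XOR P_i with CTR_i = CTR_{i-1} + 1; same call decrypts,
    # and a short final block is fine because only len(P_i) keystream bytes are used.
    start = int.from_bytes(nonce_ctr, "big")
    out = []
    for i, p in enumerate(_blocks(data)):
        ks = E(key, ((start + i) % 2**64).to_bytes(8, "big"))
        out.append(_xor(p, ks))
    return b"".join(out)

def cbc_mac(key, pt):
    # MAC mode: CBC with a fixed all-zero IV; only the last block C_n is kept.
    return cbc_encrypt(key, bytes(BLOCK), pt)[-BLOCK:]

def ecb_pattern_leak(key, pt):
    # True if equal plaintext blocks produced equal ciphertext blocks.
    cs = _blocks(ecb_encrypt(key, pt))
    return len(cs) != len(set(cs))

def cbc_error_propagation(key, iv, pt, flip_block):
    # Flip one bit in ciphertext block i; count plaintext blocks that changed.
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[flip_block * BLOCK] ^= 0x01
    dec = cbc_decrypt(key, iv, bytes(ct))
    return sum(1 for a, b in zip(_blocks(dec), _blocks(pt)) if a != b)

def ctr_error_propagation(key, nonce, pt, flip_block):
    # Same experiment for CTR; returns the number of plaintext bits that changed.
    ct = bytearray(ctr_crypt(key, nonce, pt))
    ct[flip_block * BLOCK] ^= 0x01
    dec = ctr_crypt(key, nonce, bytes(ct))
    return sum(bin(a ^ b).count("1") for a, b in zip(dec, pt))
```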

How to Strengthen DES: The Case of Double DES

  • 2DES: C = DES(K1, DES(K2, P))
  • Seems to be hard to break by “brute force”, approx. 2^111 trials
  • Assume Eve is trying to break 2DES and has a single (P, C) pair

Meet-in-the-middle (or Rendezvous) ATTACK:

I. For each possible K’_i (where 0 < i < 2^56)
  1. Compute C’_i = DES(K’_i, P)
  2. Store [K’_i, C’_i] in table T (sorted by C’_i)
II. For each possible K”_i (where 0 < i < 2^56)
  1. Compute C”_i = DES^-1(K”_i, C)
  2. Lookup C”_i in T ← not expensive!
  3. If lookup succeeds, output: K1 = K’_i, K2 = K”_i

TOTAL COST: O(2^56) operations + O(2^56) storage

DES Variants

  • 3-DES (Triple DES)
– C = E(K1, D(K2, E(K1, P))) → 112 effective key bits
– C = E(K3, D(K2, E(K1, P))) → 168 effective key bits
  • DESx
– C = K3 XOR E(K2, (K1 XOR P)) → seems like 184 key bits
– Effective key bits → approx. 118
  • 2-DES:
– C = E(K2, E(K1, P)) → rendezvous (meet-in-the-middle attack)
  • Another simple variation:
– C = K1 XOR E(K1’, P) → weak!

NOTE: The same variants can be constructed out of any cipher

Public Key Cryptography

  • Asymmetric cryptography
  • Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir-Adleman)
  • Two keys: private (SK), public (PK)
– Encryption: with public key; Decryption: with private key
  • Digital Signatures: Signing by private key; Verification by public key, i.e., “encrypt” message digest/hash -- h(m) -- with private key
– Authorship (authentication)
– Integrity: Similar to MAC
– Non-repudiation: can’t do with secret key cryptography
  • Much slower than conventional cryptography
  • Often used together with conventional cryptography, e.g., to encrypt session keys

Public Key Cryptography

Figure: plaintext message m → encryption algorithm (with Bob’s public key PK_B) → ciphertext PK_B(m) → decryption algorithm (with Bob’s private key SK_B) → plaintext message m = SK_B(PK_B(m))

Uses of Public Key Cryptography

  • Data transmission (confidentiality):
– Alice encrypts m_a using PK_B, Bob decrypts it to obtain m_a using SK_B.
  • Secure Storage: encrypt with own public key, later decrypt with own private key
  • Authentication:
– No need to store secrets, only need public keys.
– Secret key cryptography: need to share secret key for every person one communicates with
  • Digital Signatures (authentication, integrity, non-repudiation)

Public Key Cryptography

  • Advantages
– only the private key must be kept secret
– relatively long life time of the key
– more security services
– relatively efficient digital signatures mechanisms
  • Disadvantages
– low data throughput
– much larger key sizes
– distribution/revocation of public keys
– security based on conjectured hardness of certain computational problems

Key Pre-distribution: Diffie-Hellman

“New Directions in Cryptography” 1976

System-wide parameters: p − large prime, a − generator in Z*_p

Alice's secret: v, public: y_a = a^v mod p
Bob's secret: w, public: y_b = a^w mod p

Alice has: K_ab = (y_b)^v mod p = a^{wv} mod p
Bob has: K_ba = (y_a)^w mod p = a^{vw} mod p

Public Key Pre-distribution: Diffie-Hellman

p − large prime, a − generator in Z*_p

Diffie Hellman Problem: Given y_a = a^v mod p and y_b = a^w mod p, FIND a^{vw} mod p

Discrete Log Problem: Given y_a = a^v mod p, FIND v

Public Key Pre-distribution: Diffie-Hellman

p − large prime, a − generator

Decision DH Problem: Given y_a = a^v mod p, y_b = a^w mod p, distinguish K_ab = a^{vw} mod p from a random number!

  • DH Assumption: DH problem is HARD (not P)
  • DL Assumption: DL problem is HARD (not P)
  • DDH Assumption: solving DDH problem is HARD (not P)
Interactive (Public) Key Exchange: Diffie-Hellman

Eve is passive …

  • Alice: choose random v; send y_a = a^v mod p to Bob
  • Bob: choose random w; send y_b = a^w mod p to Alice; compute K_ba = (y_a)^w mod p
  • Alice: compute K_ab = (y_b)^v mod p
  • Secure communication with K_ab

The Man-in-the-Middle (MitM) Attack

(assume Eve is an active adversary!)

Figure: the same exchange as on the previous slide (Alice: random v, y_a = a^v mod p; Bob: random w, y_b = a^w mod p, K_ba = (y_a)^w mod p; Alice: K_ab = (y_b)^v mod p), now with Eve active on the channel between them
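The Diffie-Hellman exchange of slides 47-50, as an added Python example (not code from the course). The parameters P and A are constructed toy values (2^31 - 1 is prime and 7 generates Z*_P); the generator test and the brute-force discrete-log routine are assumptions added to show why p must be large:

```python
"""Diffie-Hellman key exchange with the slides' notation:
Alice v, y_a = a^v mod p; Bob w, y_b = a^w mod p; K = a^(vw) mod p.
Toy parameters only; real deployments use p of at least 2048 bits."""
import secrets

P = 2_147_483_647                     # 2^31 - 1, prime (constructed toy modulus)
A = 7                                 # generator of Z*_P
P_MINUS_1_FACTORS = [2, 3, 7, 11, 31, 151, 331]   # prime factors of P - 1

def is_generator(a, p, factors):
    # a generates Z*_p iff a^((p-1)/f) != 1 mod p for every prime factor f of p-1.
    return all(pow(a, (p - 1) // f, p) != 1 for f in factors)

class Party:
    def __init__(self, name, p=P, a=A):
        self.name, self.p, self.a = name, p, a
        self.secret = secrets.randbelow(p - 2) + 1   # v (or w): never leaves the party
        self.public = pow(a, self.secret, p)         # y = a^secret mod p: sent in clear
        self.key = None

    def compute_key(self, other_public):
        # K = (other party's public value)^secret mod p = a^(vw) mod p on both sides.
        self.key = pow(other_public, self.secret, self.p)
        return self.key

def exchange(p=P, a=A):
    # Runs the two-message exchange; the transcript is everything a passive Eve sees.
    alice, bob = Party("Alice", p, a), Party("Bob", p, a)
    transcript = {"y_a": alice.public, "y_b": bob.public}
    k_ab = alice.compute_key(bob.public)
    k_ba = bob.compute_key(alice.public)
    return k_ab, k_ba, transcript

def shared_key(p, a, v, w):
    # Deterministic version with chosen secrets: returns (y_a, y_b, K_ab, K_ba).
    y_a, y_b = pow(a, v, p), pow(a, w, p)
    return y_a, y_b, pow(y_b, v, p), pow(y_a, w, p)

def brute_force_dlog(y, a, p, limit=2**20):
    # Eve's generic route from y_a = a^v to v: try exponents one by one.
    # Feasible only for tiny p, which is exactly what the DL assumption rules out.
    x = 1
    for v in range(limit):
        if x == y:
            return v
        x = x * a % p
    return None
```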

RSA (1976-8)

Let n = pq where p, q − large primes
e, d ∈_R Z*_n and e·d ≡ 1 mod Φ(n), where Φ(n) = (p − 1)(q − 1) = pq − p − q + 1
Secrets: p, q, d
Publics: n, e
Encryption: message m < n, E(m) = y = m^e mod n
Decryption: ciphertext y, D(y) = x' = y^d mod n

Why does it all work?

For x ∈ Z*_n:

x^{ed} = x^{1 mod Φ(n)} mod n = x^{c·Φ(n) + 1} mod n = x

But, recall that: g^{Φ(n)} = 1 mod n (Lagrange)

Why is it Secure?

Why: n has unique factors p, q. Given p and q, computing Φ(n) = (p − 1)(q − 1) is easy, and d then follows from e·d ≡ 1 mod Φ(n): use the extended Euclidean algorithm! Conjecture: breaking RSA is polynomially equivalent to factoring n. Recall that n is very, very large!

Speeding up RSA Decryption

C − RSA ciphertext

Let d_p = d mod (p − 1), d_q = d mod (q − 1)

compute: M_p = C^{d_p} mod p, M_q = C^{d_q} mod q

and solve: M = M_p mod p, M = M_q mod q

M = [ M_p · q · (q^{-1} mod p) + M_q · p · (p^{-1} mod q) ] mod pq

More on RSA

  • Modulus n is unique per user → cannot share n
  • What happens if Alice and Bob share the same modulus?
– Alice has (e’, d’, n) and Bob – (e”, d”, n)
– Alice wants to compute d” (Bob’s private key)
– She knows that: e’ · d’ = 1 mod phi(n)
– So: e’ · d’ = k · phi(n) + 1 and: e’ · d’ − 1 = k · phi(n)
– Alice just needs to compute the inverse of e” mod X, where X = e’ · d’ − 1 = k · phi(n)
– let’s call this inverse d”’
– and remember that: d”’ · e” = k’ · k · phi(n) + 1
– can we be sure that: d”’ = d” ?
– Is it possible that e” has no inverse mod X?
– Yes, if e” = phi(n) or gcd(e”, k) > 1, but this is very, very UNLIKELY!
– For all decryption purposes, d”’ is EQUIVALENT to d”
  • Suppose Eve encrypted for Bob: C = m^{e”} mod n
  • Alice computes:

C^{d”’} mod n = m^{e”·d”’} mod n = m^{k’·k·phi(n) + 1} mod n = m
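Textbook RSA as defined on slides 52-55, with the CRT speed-up and the shared-modulus computation from “More on RSA”, as one added Python example (not code from the course). The primes and exponents in the test are small constructed values, and there is no padding, exactly as in the slides:

```python
"""RSA as on the slides: n = pq, phi = (p-1)(q-1), e*d = 1 mod phi, E(m) = m^e mod n,
D(c) = c^d mod n, CRT decryption, and the 'shared modulus' equivalent exponent.
Textbook RSA only (small constructed primes, no padding)."""

def egcd(a, b):
    # Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b).
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t

def modinv(a, m):
    g, s, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return s % m

def keygen(p, q, e):
    # Secrets: p, q, d.  Publics: n, e.  d is e^-1 mod phi(n) via extended Euclid.
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": modinv(e, phi), "p": p, "q": q}

def encrypt(m, pub):
    # E(m) = m^e mod n; the message must satisfy m < n.
    if not 0 <= m < pub["n"]:
        raise ValueError("message must be smaller than n")
    return pow(m, pub["e"], pub["n"])

def decrypt(c, key):
    # D(c) = c^d mod n
    return pow(c, key["d"], key["n"])

def decrypt_crt(c, key):
    # Speed-up: two half-size exponentiations (mod p and mod q), then recombine:
    # M = [ M_p * q * (q^-1 mod p) + M_q * p * (p^-1 mod q) ] mod pq
    p, q, d = key["p"], key["q"], key["d"]
    d_p, d_q = d % (p - 1), d % (q - 1)
    m_p, m_q = pow(c, d_p, p), pow(c, d_q, q)
    return (m_p * q * modinv(q, p) + m_q * p * modinv(p, q)) % (p * q)

def equivalent_private_exponent(e1, d1, e2):
    # 'More on RSA': Alice (e1, d1, n) and Bob (e2, ?, n) share n.
    # X = e1*d1 - 1 = k*phi(n); d''' = e2^-1 mod X satisfies e2*d''' = k'*k*phi(n) + 1,
    # so d''' decrypts anything encrypted under e2 even though Alice never learns phi(n).
    X = e1 * d1 - 1
    return modinv(e2, X)       # ValueError only in the unlikely gcd(e2, k) > 1 case
```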

El Gamal PK Cryptosystem (83)

p − large prime
b − base, primitive element (generator)
x − private exponent
y − public residue; y ≡ b^x mod p
P = Z*_p, C = Z*_p × Z*_p
publics: p, b, y
secrets: x

Encryption:
  1. generate random r ∈ Z*_{p−1}
  2. compute k = b^r mod p
  3. compute c = m · y^r mod p = m · b^{xr} mod p
  4. ciphertext = {k, c}

Decryption:
  1. compute k^x mod p
  2. compute (k^x)^{-1} mod p
  3. m' = c · (k^x)^{-1} mod p = m · b^{xr} · b^{−rx} mod p = m

Digital Signatures

A signature scheme: (P, A, K, Sign, Verify)
P - plaintext (msgs)
A - signatures
K - keys
Sign - signing function: (P × K) → A
Verify - verification function: (P × A × K) → {0, 1}

Usually message hash

  • Integrity
  • Authentication
  • Non-Repudiation
  • Time-Stamping
  • Causality
  • Authorization
RSA Signature Scheme

Let n = pq where p and q are two (large) primes
e, d ∈ Z*_{Φ(n)} and e·d ≡ 1 mod Φ(n), where Φ(n) = (p − 1)(q − 1)
Secrets: p, q, d
Publics: n, e
Signing: message m, signature y = Sign(m) = m^d mod n
Verification: Verify(m, y): y^e mod n = m ???

Use the fact that, in RSA, encryption reverses “decryption”

RSA Signature Scheme (contd)

  • The Good:
– Verification can be cheap (like RSA encryption)
– Mechanically same as RSA decryption function
– Security based on RSA encryption
– Signing is harder but #verify-s > 1 …
– Deterministic
  • The Bad:
– Recall that RSA is malleable: signatures can be “massaged”
– Phony “random” signatures: compute Y = RSA(e, X) = X^e mod n; X is a signature of Y because Y^d = X mod n
  • The Ugly:
– Signing requires integrity!
– How to sign multiple blocks?
– Deterministic – needs additional randomization!
El Gamal Signature Scheme

p − large prime
b − base, generator
x − private exponent
y − public residue; y ≡ b^x mod p
P = Z*_p, A = Z*_p × Z*_{p−1}
publics: p, b, y
secrets: x

Signing:
  1. generate random r ∈ Z*_{p−1}
  2. compute k = b^r mod p
  3. compute c = (m − x·k) · r^{−1} mod (p − 1)
  4. signature = {k, c}

Verifying: y^k · k^c mod p = b^m mod p ???
notice that: y^k · k^c = b^{xk} · b^{r·(m − xk)/r} = b^{xk + m − xk} = b^m


El Gamal Signature Scheme (contd)

The good:

  • Signing is cheap(er)
  • Designed as a signature function
  • Non-deterministic (randomized)

The bad:

  • Need GOOD source of random numbers
  • Randomizers cannot be revealed (trace)
  • Randomizers cannot be reused
The Digital Signature Standard (DSS)

  • Why DSS?
  • RSA issues: patents, malleability, etc.
  • A variant of El Gamal
  • Originally for |p| = 512 bits, now up to 1024
  • Optimized for signature size (320- vs. 1024-bit)
  • Signing - 1 exp, verification - 2 exps
  • No attacks thus far
DSS (contd)

p − 512-bit prime
q − 160-bit prime, (p − 1) % q = 0
b − base, b^q ≡ 1 mod p (b = δ^{(p−1)/q})
x − private exponent
y − public residue; y ≡ b^x mod p
P = Z*_p, A = Z_q × Z_q
publics: p, q, b, y
secrets: x

Signing:
  1. generate random r ∈ Z*_q
  2. compute: k = (b^r mod p) mod q
  3. compute: c = (m + x·k) · r^{−1} mod q
  4. signature = {k, c}

Verifying: (b^{m·c^{−1}} · y^{k·c^{−1}} mod p) mod q = k ???
notice that: b^{m·c^{−1}} · y^{k·c^{−1}} = b^{mr/(m + xk)} · (b^x)^{kr/(m + xk)} = b^{(mr + xkr)/(m + xk)} = b^r

Comparison Summary

  • Public key
– encryption, signatures (esp., non-repudiation) and key management
  • Conventional
– encryption and some data integrity applications
  • Key sizes
– Keys in public key crypto must be larger (e.g., 2048 bits for RSA) than those in conventional crypto (e.g., 112 bits for 3-DES or 256 bits for AES)
– most attacks on “good” conventional cryptosystems are exhaustive key search (brute force)
– public key cryptosystems are subject to “short-cut” attacks (e.g., factoring large numbers in RSA)

Identification

  • Public key cryptography can be also used for IDENTIFICATION
  • Identification is an interactive protocol whereby one party, the “prover” (who claims to be, say, Alice), convinces the other party, the “verifier” (Bob), that she is indeed Alice
  • Identification can be accomplished with public key digital signatures
  • However, signatures reveal information …
  • Also, signatures are “transferable”, i.e., anyone can verify them

Fiat-Shamir Identification Scheme

  • In Fiat-Shamir, prover has an RSA modulus n = pq (factorization is secret).
  • Factors themselves are not used in the protocol.
  • Unlike RSA, a trusted center can generate a global n, used by everyone, as long as nobody knows its factorization. Trusted center can “forget” the factorization after computing n.

Fiat-Shamir Identification Scheme

  • Secret Key: Prover (P) chooses a random value 1 < S < n (to serve as the key) such that gcd(S, n) = 1
  • Public Key: P computes I = S^2 mod n, publishes (I, n) as his public key.
  • Purpose of the protocol: P has to convince verifier (V) that he knows the secret S corresponding to the public key (I, n), i.e., to prove that he knows a square root of I mod n, without revealing S or any portion thereof

Fiat-Shamir Identification Scheme

Prover (Alice) holds n, I, S; Verifier (Bob) holds n.

  • Alice: pick random R; set x = R^2 mod n; send I, x to Bob
  • Bob: send query = 0 or 1
  • Alice: reply R (query 0) or R · S mod n (query 1)
  • Bob: check that R^2 = x mod n (query 0) or (RS)^2 = xI mod n (query 1)

Fiat-Shamir Identification Scheme

V wants to authenticate identity of P, who claims to have a public key I. Thus, V asks P to convince him that P knows the secret key S corresponding to I.

1. P chooses at random 1 < R < n and computes: X = R^2 mod n
2. P sends X to V
3. V randomly requests from P one of two things (0 or 1):
   (a) R
   or
   (b) RS mod n
4. P sends requested information

Fiat-Shamir Identification Scheme

5. V checks the correct answer:
   a) R^2 ?= X (mod n)
   or
   b) (R·S)^2 ?= X·I (mod n)
6. If verification fails, V concludes that P does not know S
7. Protocol is repeated t (usually 20, 30, or log n) times, and, if each one succeeds, V concludes that P is the claimed party.

Fiat-Shamir ZK Identification Scheme

CLAIM: Protocol does not reveal ANY information about S, or: Protocol is ZERO-KNOWLEDGE

Proof: We show that no information on S is revealed:

  • Clearly, when P sends X or R, he does not reveal any information on S.
  • When P sends RS mod n:
– RS mod n is random, since R is random and gcd(S, n) = 1.
– If adversary can compute any information on S from I, n, X and RS mod n, he can also compute the same information on S from I and n, since he can choose a random T = R’S mod n and compute:

X’ = T^2 · I^{-1} = (R’)^2 · S^2 · I^{-1} = (R’)^2

Security

Clearly, if P knows S, then V is convinced of his identity. If P does not know S, he can either:

1. know R, but not RS mod n. Since he is choosing R, he cannot multiply it by the unknown value S
   or
2. choose RS mod n, and thus can answer the second question: RS mod n. But, in this case, he cannot answer the first question R, since he needs to divide by the unknown S.

Security

  • In any case, adversary cannot answer both questions, since otherwise he can compute S as the ratio between the two answers.
  • But, we assumed that computing S is hard, equivalent to factoring n.
  • Since P does not know in advance (when choosing R or RS mod n) which question V will ask, he cannot foresee the required choice. He can succeed in guessing V’s question with probability 1/2 for each question.
  • The probability that V fails to catch P in all runs is thus: 2^-t (e.g., 1 in 1,000,000,000 for t=20)
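The Fiat-Shamir protocol of slides 69-75, as an added Python example (not code from the course): an honest prover, the prover of slide 74 who lacks S and can prepare for only one of the two questions, and the transcript simulation of slide 73. The modulus in the test is a small constructed n = 61 · 53; a real n is a full-size RSA modulus:

```python
"""Fiat-Shamir identification in the slides' notation: secret S, public I = S^2 mod n,
commitment X = R^2 mod n, query 0 -> answer R, query 1 -> answer R*S mod n,
checks R^2 = X and (RS)^2 = X*I mod n, repeated t times."""
import math
import secrets

def keygen(n, s=None):
    # Secret 1 < S < n with gcd(S, n) = 1; public I = S^2 mod n.
    while s is None or math.gcd(s, n) != 1:
        s = secrets.randbelow(n - 2) + 2
    return s, pow(s, 2, n)

class HonestProver:
    def __init__(self, n, s):
        self.n, self.s = n, s

    def commit(self):
        # 1. pick random R; 2. send X = R^2 mod n
        self.r = secrets.randbelow(self.n - 2) + 2
        return pow(self.r, 2, self.n)

    def respond(self, query):
        # 4. answer R (query 0) or R*S mod n (query 1)
        return self.r if query == 0 else self.r * self.s % self.n

class CheatingProver:
    """Knows I and n but not S (slide 74). Guesses the query in advance:
    guess 0 -> commit T^2 and can answer only T (as 'R');
    guess 1 -> commit X = T^2 * I^-1 and can answer only T (as 'RS')."""
    def __init__(self, n, I, guess=None):
        self.n, self.I, self.fixed_guess = n, I, guess

    def commit(self):
        self.guess = secrets.randbelow(2) if self.fixed_guess is None else self.fixed_guess
        self.t = secrets.randbelow(self.n - 2) + 2
        x = pow(self.t, 2, self.n)
        return x if self.guess == 0 else x * pow(self.I, -1, self.n) % self.n

    def respond(self, query):
        return self.t          # correct only when query == self.guess

def verify_round(n, I, prover, query):
    x = prover.commit()
    answer = prover.respond(query)
    # 5. check R^2 = X mod n (query 0) or (RS)^2 = X*I mod n (query 1)
    expected = x if query == 0 else x * I % n
    return pow(answer, 2, n) == expected

def identify(n, I, prover, t=20, queries=None):
    # 7. repeat t times with random queries; accept only if every round succeeds.
    # A cheating prover passes a round with probability 1/2, all t rounds with 2^-t.
    for i in range(t):
        q = secrets.randbelow(2) if queries is None else queries[i]
        if not verify_round(n, I, prover, q):
            return False
    return True

def simulate_transcript(n, I):
    # Slide 73: without S, choose T (playing the role of R'S) and set
    # X' = T^2 * I^-1 = (R')^2; the pair (X', T) passes the query-1 check,
    # so transcripts of that form carry no information about S.
    t = secrets.randbelow(n - 2) + 2
    return t * t * pow(I, -1, n) % n, t
```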