Outline Public-key crypto basics CSci 5271 Introduction to Computer Security Announcements Day 15: Cryptography part 2: public-key Stephen McCamant Public key encryption and signatures University of Minnesota, Computer Science & Engineering Pre-history of public-key crypto Box and locks analogy Alice wants to send Bob a gift in a First invented in secret at GCHQ locked box Proposed by Ralph Merkle for UC They don’t share a key Berkeley grad. security class project Can’t send key separately, don’t trust UPS First attempt only barely practical Box locked by Alice can’t be opened by Professor didn’t like it Bob, or vice-versa Merkle then found more sympathetic Stanford collaborators named Diffie and Hellman Box and locks analogy Protocol with clip art Alice wants to send Bob a gift in a locked box They don’t share a key Can’t send key separately, don’t trust UPS Box locked by Alice can’t be opened by Bob, or vice-versa Math perspective: physical locks commute
Protocol with clip art Protocol with clip art Protocol with clip art Public key primitives Public-key encryption (generalizes block cipher) Separate encryption key EK (public) and decryption key DK (secret) Signature scheme (generalizes MAC) Separate signing key SK (secret) and verification key VK (public) Modular arithmetic Generators and discrete log Fix modulus ♥ , keep only remainders Modulo a prime ♣ , non-zero values and mod ♥ ✂ have a nice (“group”) structure mod 12: clock face; mod ✷ ✸✷ : ✉♥s✐❣♥❡❞ ❣ is a generator if ❣ ✵ ❀ ❣❀ ❣ ✷ ❀ ❣ ✸ ❀ ✿ ✿ ✿ ✐♥t cover all elements ✰ , ✲ , and ✂ work mostly the same Easy to compute ① ✼ ✦ ❣ ① Division: see Exercise Set 1 Inverse, discrete logarithm , hard for Exponentiation: efficient by square and large ♣ multiply
Diffie-Hellman key exchange Relationship to a hard problem Goal: anonymous key exchange We’re not sure discrete log is hard Public parameters ♣ , ❣ ; Alice and Bob (likely not even NP-complete), but it’s have resp. secrets ❛ , ❜ been unsolved for a long time Alice ✦ Bob: ❆ ❂ ❣ ❛ ✭ mod ♣ ✮ If discrete log is easy (e.g., in P), DH is Bob ✦ Alice: ❇ ❂ ❣ ❜ ✭ mod ♣ ✮ insecure Alice computes ❇ ❛ ❂ ❣ ❜❛ ❂ ❦ Converse might not be true: DH might Bob computes ❆ ❜ ❂ ❣ ❛❜ ❂ ❦ have other problems Categorizing assumptions Key size, elliptic curves Need key sizes ✘ 10 times larger then Math assumptions unavoidable, but can security level categorize Attacks shown up to about 768 bits E.g., build more complex scheme, Elliptic curves: objects from higher math shows it’s “as secure” as DH because it with analogous group structure has the same underlying assumption (Only tenuously connected to ellipses) Commonly “decisional” (DDH) and Elliptic curve algorithms have smaller “computational” (CDH) variants keys, about 2 ✂ security level Outline Note to early readers Public-key crypto basics This is the section of the slides most likely to change in the final version Announcements If class has already happened, make sure you have the latest slides for Public key encryption and signatures announcements
Outline General description Public-key encryption (generalizes Public-key crypto basics block cipher) Separate encryption key EK (public) and Announcements decryption key DK (secret) Signature scheme (generalizes MAC) Public key encryption and signatures Separate signing key SK (secret) and verification key VK (public) RSA setup RSA encryption Choose ♥ ❂ ♣q , product of two large Public key is ✭ ♥❀ ❡ ✮ primes, as modulus Encryption of ▼ is ❈ ❂ ▼ ❡ ✭ mod ♥ ✮ ♥ is public, but ♣ and q are secret Private key is ✭ ♥❀ ❞ ✮ Compute encryption and decryption Decryption of ❈ is ❈ ❞ ❂ ▼ ❡❞ ❂ ▼ exponents ❡ and ❞ such that ✭ mod ♥ ✮ ▼ ❡❞ ❂ ▼ ✭ mod ♥ ✮ RSA signature RSA and factoring Signing key is ✭ ♥❀ ❞ ✮ We’re not sure factoring is hard (likely Signature of ▼ is ❙ ❂ ▼ ❞ ✭ mod ♥ ✮ not even NP-complete), but it’s been unsolved for a long time Verification key is ✭ ♥❀ ❡ ✮ Check signature by ❙ ❡ ❂ ▼ ❞❡ ❂ ▼ If factoring is easy (e.g., in P), RSA is insecure ✭ mod ♥ ✮ Converse might not be true: RSA might Note: symmetry is a nice feature of have other problems RSA, not shared by other systems
Homomorphism Problems with vanilla RSA Multiply RSA ciphertexts ✮ multiply Homomorphism leads to plaintexts chosen-ciphertext attacks This homomorphism is useful for some If message and ❡ are both small interesting applications compared to ♥ , can compute ▼ ✶❂❡ Even more powerful: fully homomorphic over the integers encryption (e.g., both ✰ and ✂ ) Many more complex attacks too First demonstrated in 2009; still very inefficient Hybrid encryption Padding, try #1 Need to expand message (e.g., AES Public-key operations are slow key) size to match modulus In practice, use them just to set up PKCS#1 v. 1.5 scheme: prepend 00 01 symmetric session keys FF FF .. FF ✰ Only pay RSA costs at setup time Surprising discovery ✲ Breaks at either level are fatal (Bleichenbacher’98): allows adaptive chosen ciphertext attacks on SSL Modern “padding” Simpler padding alternative “Key encapsulation mechanism” (KEM) Much more complicated encoding For common case of public-key crypto schemes using hashing, random salts, used for symmetric-key setup Feistel-like structures, etc. Also applies to DH Common examples: OAEP for Choose RSA message r at random encryption, PSS for signing mod ♥ , symmetric key is ❍ ✭ r ✮ Progress driven largely by improvement ✲ Hard to retrofit, RSA-KEM insecure if ❡ in random oracle proofs and r reused with different ♥
Box and locks revisited Next time Alice and Bob’s box scheme fails if an intermediary can set up two sets of boxes Building crypto into more complex Man-in-the-middle (or middleperson) protocols attack Real world analogue: challenges of protocol design and public key distribution
Recommend
More recommend
