Lehrstuhl für Informatik 4
Kommunikation und verteilte Systeme
Principles of Public Key Cryptography
Chapter 2: Security Techniques Background
• Secret Key Cryptography
• Public Key Cryptography
• Hash Functions
• Authentication
Chapter 3: Security on Network and Transport Layer
Chapter 4: Security on the Application Layer
Chapter 5: Security Concepts for Networks
2.2: Public Key Cryptography
• Principles of public key cryptography
• Number theory and algebraic foundations
• Classical public key cryptography
• Newer public key cryptography
Also called asymmetric cryptography
• Different from secret key cryptography: the algorithms for encoding and decoding differ considerably
• Working with two keys
→ A private key d (known only to the owner)
→ A public key e (known by possibly everyone)
• Public key cryptography principle (e.g. RSA):
[Figure: plaintext → encryption with the public key e → cipher text; cipher text → decryption with the private key d → plaintext]
• More easily configurable than secret key cryptography, but slower
• Often combined with secret key cryptography: authentication and distribution of a secret key (e.g. Diffie-Hellman for the establishment of a shared secret)
Chapter 2.2: Public Key Cryptography
Applications of Public Key Cryptography
Digital signatures (e.g. RSA, ElGamal, DSS)
• Associate a value with a message, like a checksum
• This value can only be generated by using the private key d (= decryption)
• It is readable for everyone knowing the public key e (= encryption)
• Similar to a hand-written signature (authenticity without the chance to forge it)
[Figure: plaintext → signing with the private key d → signed message; signed message → verification with the public key e → plaintext]
Authentication (zero knowledge proof systems)
• A generates a random number and encrypts it with the public key of B
• B decrypts the message with its private key and sends back the random number to A
• If A gets back the original random number, B is authenticated
Security in Public Key Algorithms
Security in many public key algorithms is based on the difficulty to factorise and to compute discrete logarithms
Factorising
→ Find the prime factors for a given number
→ One of the oldest problems in number theory, very time consuming
→ Most popular method: Quadratic Sieve
Discrete logarithm
→ Problem to find the inverse to modular exponentiation: find an x with a^x = b mod n for given a and b
→ Not all discrete logarithms have solutions
→ Very time consuming process to find solutions for big numbers
→ Frequently used method: Index-Calculus method
Basics for Public Key Cryptography: Number Theory / Modular Arithmetic
Number theory provides the basic knowledge to understand how and why public key algorithms work
→ Necessary concepts for understanding public key algorithms
→ Most public key algorithms are based on modular arithmetic
Modular arithmetic
→ Operates on a ring (Zn, +, ⋅), where
Zn is the set of non-negative integers smaller than some positive integer n
+: Zn × Zn → Zn is a function that
• is associative and commutative
• has a neutral element 0 ∈ Zn
• has an inverse element x^-1 to each x ∈ Zn, i.e. x + x^-1 = 0
⋅: Zn × Zn → Zn is an associative function (in a general ring it is not necessarily commutative)
⋅ is distributive over + from the left and from the right
→ Needed for public key cryptography: addition, multiplication, exponentiation
→ Computations of these functions are performed modulo n
Arithmetic Operations modulo n
Arithmetic computing modulo n
• Arithmetic operations are performed as usual, but the result is replaced by its remainder when divided by n (e.g. 3 + 9 = 12 ≡ 2 mod 10)
Modular addition
• Given: c = x + k mod n, with c, x, k ∈ Zn
→ if x + k < n: c = x + k
→ if x + k ≥ n: c = j, where x + k = i ⋅ n + j and j < n
• Can be used to encrypt digits: each number x out of a range of numbers is unambiguously mapped onto another number c from this range
• Caesar Cipher: add a constant k to each number
• Decryption needs subtraction. This can be replaced by an addition of the inverse value
Addition table modulo 10 (row x, column k, entry x + k mod 10):
+ | 0 1 2 3 4 5 6 7 8 9
--+--------------------
0 | 0 1 2 3 4 5 6 7 8 9
1 | 1 2 3 4 5 6 7 8 9 0
2 | 2 3 4 5 6 7 8 9 0 1
3 | 3 4 5 6 7 8 9 0 1 2
4 | 4 5 6 7 8 9 0 1 2 3
5 | 5 6 7 8 9 0 1 2 3 4
6 | 6 7 8 9 0 1 2 3 4 5
7 | 7 8 9 0 1 2 3 4 5 6
8 | 8 9 0 1 2 3 4 5 6 7
9 | 9 0 1 2 3 4 5 6 7 8
Arithmetic Operations modulo n (continued)
Modular multiplication
• Given: c = x ⋅ k mod n, with c, x, k ∈ Zn
→ if x ⋅ k < n: c = x ⋅ k
→ if x ⋅ k ≥ n: c = j, where x ⋅ k = i ⋅ n + j and j < n
• Encryption only works with special keys k
Example for n = 10: only k ∈ {1, 3, 7, 9} is usable as (simple) cipher key
→ only for these values the mapping is unambiguous
→ for other values of k, an information loss occurs
• Only use keys k relatively prime to n
→ k and n share no other common factor than 1
• Decryption works by multiplication of the cipher text c with the multiplicative inverse k^-1, i.e. k ⋅ k^-1 = 1 mod n (e.g. 7^-1 = 3 mod 10, because 7 ⋅ 3 = 1 mod 10)
→ A multiplicative inverse for n = 10 only exists for 1, 3, 7, and 9
Multiplication table modulo 10 (row x, column k, entry x ⋅ k mod 10):
* | 0 1 2 3 4 5 6 7 8 9
--+--------------------
0 | 0 0 0 0 0 0 0 0 0 0
1 | 0 1 2 3 4 5 6 7 8 9
2 | 0 2 4 6 8 0 2 4 6 8
3 | 0 3 6 9 2 5 8 1 4 7
4 | 0 4 8 2 6 0 4 8 2 6
5 | 0 5 0 5 0 5 0 5 0 5
6 | 0 6 2 8 4 0 6 2 8 4
7 | 0 7 4 1 8 5 2 9 6 3
8 | 0 8 6 4 2 0 8 6 4 2
9 | 0 9 8 7 6 5 4 3 2 1
Modular exponentiation
• Given: c = x^k mod n, with c, x, k ∈ Zn
→ if x^k < n: c = x^k
→ if x^k ≥ n: c = j, where x^k = i ⋅ n + j and j < n
• Note the difference to modular multiplication: x^k mod n ≠ x^(k + n) mod n
• Encryption only works with special keys k
• Decryption needs an inverse k^-1 with x^(k ⋅ k^-1) = x^1 mod n
• But: the inverse k^-1 does not exist in each case
Exponentiation table modulo 10 (row x, column y, entry x^y mod 10):
x^y | 0 1 2 3 4 5 6 7 8 9
----+--------------------
 0  | 1 0 0 0 0 0 0 0 0 0
 1  | 1 1 1 1 1 1 1 1 1 1
 2  | 1 2 4 8 6 2 4 8 6 2
 3  | 1 3 9 7 1 3 9 7 1 3
 4  | 1 4 6 4 6 4 6 4 6 4
 5  | 1 5 5 5 5 5 5 5 5 5
 6  | 1 6 6 6 6 6 6 6 6 6
 7  | 1 7 9 3 1 7 9 3 1 7
 8  | 1 8 4 2 6 8 4 2 6 8
 9  | 1 9 1 9 1 9 1 9 1 9
Finding Modular Inverses
• Finding multiplicative inverses to x is a very time consuming process
• If x has 100 digits, no Brute Force attack is possible
• Useful: x relatively prime to n → a multiplicative inverse x^-1 mod n exists
• Computing the multiplicative inverse by the Euclidean Algorithm
The Euclidean Algorithm
Euclidean algorithm
→ Determines the greatest common divisor (gcd) of x and n
→ Given x and n, it finds a y with x ⋅ y = 1 mod n (if one exists)
→ If x is relatively prime to n: gcd(x, n) = 1
→ Idea: Replace x and n with smaller numbers with the same gcd. If one number becomes zero, the other one is the gcd
→ Faster algorithm: the smaller the numbers are, the faster the computation of the gcd is. Replace the bigger number with its remainder after division by the smaller number
Example: gcd(6, 14)?
→ gcd(6, 14 - 6) = gcd(6, 8)
→ gcd(6, 2)
→ gcd(4, 2)
→ gcd(2, 2)
→ gcd(2, 0)
→ = 2
    int gcd(int x, int y)
    {
        int r2 = x;          /* current dividend (r_{i-2}) */
        int r1 = y;          /* current divisor  (r_{i-1}) */
        int help;
        /* the quotient r2 / r1 is not needed for the gcd itself,
           only for the extended version on the next slides */
        while (r1 > 0) {
            help = r1;
            r1 = r2 % r1;    /* r2 mod r1 */
            r2 = help;
        }
        return r2;           /* last non-zero remainder */
    }
Multiplicative Inverse by Euclidean Algorithm
Computing the Multiplicative Inverse
How to find a multiplicative inverse x^-1 to x mod n, such that x ⋅ x^-1 = 1 mod n, with the Euclidean algorithm?
Multiplicative inverse for x mod n: a u exists with u ⋅ x = 1 mod n
⇒ u ⋅ x differs from 1 by a multiple of n
⇒ There is a v with u ⋅ x + v ⋅ n = 1
Computing gcd(x, n) can compute such a v and a u, if gcd(x, n) = 1
⇒ If gcd(x, n) = 1, u is the multiplicative inverse to x
Could there be more than one u mod n with u ⋅ x = 1 mod n?
→ Suppose: m ⋅ x = 1 mod n
⇒ m ⋅ x ⋅ u = u mod n
But u ⋅ x = 1 mod n
⇒ m ⋅ 1 = u mod n
⇒ m = u mod n
The algorithm
• Note: gcd(0, y) = y
• In general: if d denotes a divisor of x and y
⇒ x = i ⋅ d, y = j ⋅ d
⇒ x - y = i ⋅ d - j ⋅ d = (i - j) ⋅ d
⇒ If x > 0, replace gcd(x, y) with gcd(x - y, y)
• Efficiency: x and y should be as small as possible
• Assume d is the maximum of all divisors (achieved by division x mod y)
⇒ gcd(x, y) = gcd(x mod y, y)
• If y > x, exchange x and y
Extended Euclidean algorithm for x and y
Initialisation:
u_-2 = 1, v_-2 = 0,
u_-1 = 0, v_-1 = 1,
r_-2 = x, r_-1 = y, i = 0
Repeat:
if r_(i-1) = 0 ⇒ gcd(x, y) = r_(i-2)
else divide r_(i-2) by r_(i-1) to get quotient q_i and remainder r_i
Keep track of:
u_i = u_(i-2) - q_i ⋅ u_(i-1),
v_i = v_(i-2) - q_i ⋅ v_(i-1)
Example: x = 407, y = 595
  i | q_i | r_i |  u_i |  v_i
----+-----+-----+------+------
 -2 |     | 407 |    1 |    0
 -1 |     | 595 |    0 |    1
  0 |   0 | 407 |    1 |    0
  1 |   1 | 188 |   -1 |    1
  2 |   2 |  31 |    3 |   -2
  3 |   6 |   2 |  -19 |   13
  4 |  15 |   1 |  288 | -197
  5 |   2 |   0 | -595 |  407
r_5 = 0 ⇒ gcd(407, 595) = r_4 = 1, multiplicative inverse u_4 (= 407^-1 mod 595) = 288
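The extended Euclidean algorithm with the u_i, v_i bookkeeping of the table above, as an added example (not code from the lecture); it also checks the earlier claim that mod 10 only 1, 3, 7 and 9 have a multiplicative inverse.

```python
"""
Added example: extended Euclidean algorithm exactly as on the slide,
returning the (i, q_i, r_i, u_i, v_i) rows, and a modular inverse built on it.
"""


def extended_gcd(x, y):
    """Return (g, u, v, rows) with u*x + v*y = g = gcd(x, y).

    rows lists (i, q_i, r_i, u_i, v_i) like the slide's table, starting
    with the two initialisation rows i = -2 and i = -1.
    """
    r2, r1 = x, y            # r_{i-2}, r_{i-1}
    u2, u1 = 1, 0            # u_{i-2}, u_{i-1}
    v2, v1 = 0, 1            # v_{i-2}, v_{i-1}
    rows = [(-2, None, r2, u2, v2), (-1, None, r1, u1, v1)]
    i = 0
    while r1 != 0:
        q = r2 // r1         # quotient q_i
        r = r2 - q * r1      # remainder r_i = r_{i-2} mod r_{i-1}
        u = u2 - q * u1      # u_i = u_{i-2} - q_i * u_{i-1}
        v = v2 - q * v1      # v_i = v_{i-2} - q_i * v_{i-1}
        rows.append((i, q, r, u, v))
        r2, r1, u2, u1, v2, v1 = r1, r, u1, u, v1, v
        i += 1
    return r2, u2, v2, rows  # r_{i-1} = 0, so r_{i-2} is the gcd


def mod_inverse(x, n):
    """x^-1 mod n via the extended Euclidean algorithm; None if gcd(x, n) != 1."""
    g, u, _, _ = extended_gcd(x, n)
    if g != 1:
        return None
    return u % n             # u*x + v*n = 1, so u*x = 1 mod n


def invertible_mod(n):
    """All k in Z_n that possess a multiplicative inverse (usable cipher keys)."""
    return [k for k in range(n) if mod_inverse(k, n) is not None]


if __name__ == "__main__":
    g, u, v, rows = extended_gcd(407, 595)
    for row in rows:
        print(row)
    print("gcd =", g, "u =", u, "v =", v)   # 288*407 - 197*595 = 1
```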
The Euler Function Φ(n)
Computing Φ(n)
• If n is prime ⇒ all numbers 1, ..., n - 1 are relatively prime to n
⇒ Φ(n) = n - 1
• If n is a product of primes p and q
⇒ There are p ⋅ q candidates {(j ⋅ p + i ⋅ q) | i = 1..q, j = 1..p} for numbers relatively prime to n
⇒ But among them, there are p multiples of q and q multiples of p
⇒ (p + q - 1) numbers are not relatively prime to n
⇒ Φ(n) = p ⋅ q - (p + q - 1) = (p - 1) ⋅ (q - 1)
• If n is a prime or a product of different primes
⇒ x^y mod n = x^(y mod Φ(n)) mod n
• Example for n = 10 (= 5 ⋅ 2)
Relatively prime to n: {1, 3, 7, 9}
⇒ Φ(n) = (5 - 1) ⋅ (2 - 1) = 4
⇒ In the table of x^y mod 10 (see Modular exponentiation), column i + 4 is the same as column i (e.g. i = 2 and i + 4 = 6)
• Important special case: y = 1 mod Φ(n)
⇒ for any x: x^y = x^(y mod Φ(n)) = x mod n
Finding Prime Numbers
Problem with the Euclidean algorithm: how to find x mod n with gcd(x, n) = 1?
Naive method: divide x by all numbers ≤ n
⇒ Takes longer than your lifetime
Practical solution: there is no hundred percent certainty that a large number is prime
But: there are tests for determining that a number is probably prime
→ Use properties
1.) gcd(x, n) = 1, if x and n are relatively prime
(x and n are relatively prime, if there are integers u and v with u ⋅ x + v ⋅ n = 1)
2.) Φ(n), the totient function, denotes the number of integers relatively prime to n
Euler's Theorem and Fermat's Theorem
Euler's Theorem
• For any a relatively prime to n holds: a^Φ(n) = 1 mod n
If n is prime: Φ(n) = n - 1. In this case:
Fermat's Theorem
• If n is a prime and 0 < a < n ⇒ a^(n - 1) = 1 mod n
→ Good rule for determining primes
→ But: what about n with a^(n - 1) = 1 mod n, where n is no prime?
→ Find primes by a simple prime test
• Choose an a with a < n and compute a^(n - 1) mod n
• If the result is not 1, n is no prime
• If the result is 1, n may be a prime
(e.g., if n has 100 digits, the probability for n to be no prime is 10^-13)
Prime Tests
• If the simple prime test fails:
A cryptosystem like RSA might fail, a message cannot be decrypted
An attacker might be able to compute keys more easily
• "Solution": test n with other values for a
Problem: Carmichael numbers (very rare)
No primes, but for all a (relatively prime to n) holds: a^(n - 1) = 1 mod n
Some Carmichael numbers:
561 = 3 ⋅ 11 ⋅ 17
1105 = 5 ⋅ 13 ⋅ 17
41041 = 7 ⋅ 11 ⋅ 13 ⋅ 41
825265 = 5 ⋅ 7 ⋅ 17 ⋅ 19 ⋅ 73
• Enhanced prime test is needed: Miller-Rabin prime test
• Improved method to find prime numbers
• Probabilistic prime test
• Basic foundation: for a prime n holds:
1.) n - 1 can always be expressed as 2^b ⋅ c, where c is an odd number
2.) Each square root (modulo n) of 1 can only be ±1
(e.g. 4 is a square root of 1 mod 15, because 4 ⋅ 4 = 16 = 1 mod 15, thus 15 cannot be a prime)
Miller-Rabin Algorithm
• Use Fermat's theorem: a^(n - 1) = 1 mod n
• Pick a random number n and test if it is prime
• Test n with the division by smaller primes to speed up the process
• If you think a prime has been found: pick an a by random
Miller-Rabin algorithm (with n - 1 = 2^b ⋅ c, c odd):
compute r = a^c mod n               // is the first mod n square root 1?
if r = 1 mod n ⇒ n is prime         // else: a^(n-1) can only become 1 by squaring -1 in one of the b square operations
else for i = 0 to b - 1 do
    if r = -1 mod n ⇒ n is prime    // test on an allowed square root: because the result before was not 1, it can only become 1 by squaring -1. Search for a -1
    else r = r^2 mod n              // prepare testing the next square root
⇒ n is not prime                    // only non-allowed square roots found
Miller-Rabin Algorithm - Example
Choose n = 15 as a possible prime
→ n - 1 = 14 = 2 ⋅ 7
→ b = 1, c = 7
→ Pick randomly a = 5
→ Compute a^c = 5^7 = 78125 = 5 mod 15
(this is not 1 nor -1, and: 5^2 = 25 = 10 mod 15)
→ no prime found
Other variant: pick randomly a = 4
→ Compute 4^7 = 16384 = 4 mod 15
(this is not 1 nor -1, and: 4^2 = 16 = 1 mod 15)
→ This means, 4 is a square root of 1 mod 15
→ no prime found
Choose n = 13 as a possible prime
→ n - 1 = 12 = 2^2 ⋅ 3
→ b = 2, c = 3
→ Pick randomly a = 5
→ Compute 5^3 = 125 = 8 mod 13
→ Compute 8^2 = 64 = -1 mod 13
→ -1 is an allowed square root of 1, thus 13 is (possibly) prime
Other try: pick randomly a = 3
→ compute 3^3 = 27 = 1 mod 13
→ 13 is (possibly) prime
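The slide's Miller-Rabin procedure in runnable form, as an added example (not the lecture's code): one round returns the verdict the worked examples arrive at (n = 15 with a = 5 and a = 4, n = 13 with a = 5 and a = 3), the simple Fermat test is kept for comparison on the Carmichael number 561, and the full routine adds the small-prime prefilter plus several random witnesses; the seed is an assumption made only so the demo is reproducible.

```python
"""
Added example: Fermat test, one Miller-Rabin round as on the slide, and the
complete probabilistic prime test (trial division first, then random witnesses).
"""
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def fermat_test(n, a):
    """Simple prime test: a^(n-1) = 1 mod n is necessary for a prime n."""
    return pow(a, n - 1, n) == 1


def split_n_minus_1(n):
    """Write n - 1 = 2^b * c with c odd; returns (b, c)."""
    b, c = 0, n - 1
    while c % 2 == 0:
        b += 1
        c //= 2
    return b, c


def miller_rabin_round(n, a):
    """One round of the slide's algorithm with witness a: (probably_prime, reason)."""
    b, c = split_n_minus_1(n)
    r = pow(a, c, n)                      # r = a^c mod n
    if r == 1:                            # the first square root of 1 is itself 1
        return True, "a^c = 1 mod n"
    for _ in range(b):
        if r == n - 1:                    # allowed square root -1 found
            return True, "-1 found"
        r = r * r % n                     # prepare testing the next square root
    # a^(n-1) was reached without passing through -1: either it is not 1
    # (Fermat fails) or 1 has a square root other than +-1, so n is composite
    return False, "only non-allowed square roots found"


def passes_trial_division(n):
    """Prefilter from the slide: divide by small primes first."""
    for p in SMALL_PRIMES:
        if p * p > n:
            break
        if n % p == 0:
            return n == p
    return True


def is_probable_prime(n, rounds=20, seed=2024):
    """Full procedure: small primes first, then several random witnesses a."""
    if n < 2:
        return False
    if n in SMALL_PRIMES:
        return True
    if n % 2 == 0 or not passes_trial_division(n):
        return False
    rng = random.Random(seed)             # seeded only to keep the demo reproducible
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if not miller_rabin_round(n, a)[0]:
            return False
    return True                            # "probably prime", error <= 4^-rounds


if __name__ == "__main__":
    for n, a in ((15, 5), (15, 4), (13, 5), (13, 3), (561, 2)):
        print(n, a, miller_rabin_round(n, a))
```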
Classical Public Key Cryptography
• RSA
• Public-key cryptography standard (PKCS)
• Rabin cryptosystem
• Diffie-Hellman cryptosystem
• ElGamal cryptosystem
• Merkle-Hellman cryptosystem
RSA
Developed by Rivest, Shamir, and Adleman
Purpose: encryption and decryption of data
• Variable key length
→ Long key used for high security needs
→ Short key used for efficient encryption processes
→ Common key length: 512 bit
• Variable plaintext length
→ Must be shorter than the key
• Cipher text blocks
→ Length of the key
Much slower than secret key algorithms like DES or IDEA
• Only used for short messages
• Important purpose: transmission of secret keys
RSA Key Generation
Generate a public key and a corresponding private key
1.) Choose two large primes p and q of 256 bit each (p and q must be kept secret!)
2.) Compute n = p ⋅ q (n is public, but the factorisation into p and q is computationally infeasible)
3.) Compute Φ(n) = (p - 1) ⋅ (q - 1)
4.) Choose e relatively prime to Φ(n)
5.) Find d with d ⋅ e = 1 mod Φ(n) (d is the multiplicative inverse to e)
⇒ <e, n> is the public key
⇒ <d, n> is the private key
Why do these keys work?
• We use modular arithmetic (mod n) with p ⋅ q = n
• d and e were chosen such that d ⋅ e = 1 mod Φ(n)
• Because n is a product of distinct primes, for all x:
⇒ x^(d ⋅ e) = x^(d ⋅ e mod Φ(n)) = x^1 = x mod n
Usage Scenarios for RSA
Encryption and decryption
• Encrypt message m using the public key of the receiver: c = m^e mod n
• Decrypt cipher text c with the private key of the receiver: m = c^d mod n
Digital signatures
• Similar to the encryption/decryption process
• Sender encrypts message m with his private key: s = m^d mod n
• Each receiver can read the signed message using the public key of the sender: m = s^e mod n
Why is RSA (relatively) secure?
Breaking RSA means finding d from knowing e and n…
• Attacker only knows: d is the multiplicative inverse to e mod Φ(n)
• Simple approach: knowing p and q you can compute Φ(n) (this is a kind of trapdoor)
• However: an attacker does not know p and q
• Attacker needs to factorise n to obtain p and q
→ Factorising large numbers is difficult
→ The best algorithms are too slow
→ And: a Brute Force attack is less efficient than factorising
But it is possible to misuse RSA!
• Assume that an attacker knows the context of a message from A
• The attacker could encrypt candidate messages with the public key eA and compare them with the cipher text
• If a match is found, the attacker has found the message
How to determine p, q, e and d
1.) Finding big primes p and q
• For a 10-digit number, the chance of finding a prime is 1 in 23
• For a 100-digit number, the chance is only 1 in 230
→ Pick random numbers until you find a prime
→ Use Fermat's theorem and the Rabin-Miller algorithm to test if a random number is prime
2.) Finding d and e for p and q
• Choose e relatively prime to (p - 1) ⋅ (q - 1)
a.) by choosing e at random and testing if it is relatively prime to (p - 1) ⋅ (q - 1)
b.) by choosing e first and then determining matching p and q
→ RSA is not less secure if always the same e is chosen
→ If e is small or its binary representation has few '1's, the operations for encryption and signature verification become much more efficient
→ Use the Euclidean algorithm to determine d with e ⋅ d = 1 mod Φ(n)
Note: do not choose a small d; d is a secret, thus it should be hard to determine
Using small public keys
Let "e" be a small constant
→ Public key operations become faster, while leaving private key operations unchanged
→ Popular values for "e" are 3 and 65537
Case of "e = 3"
→ Maximizes performance
→ Apparently it does not weaken the security of RSA (when some practical constraints on its use are considered)
→ Problems with e = 3
• Small messages m with m^3 mod n = m^3 (i.e. m^3 < n)
→ Problem: it only takes the cubic root to decrypt
→ Solution: pad the message with a random number before encryption
• If a message is sent to 3 or more receivers, m can be derived from the three encrypted values and the public keys of the receivers
• Find p and q so that 3 is relatively prime to (p - 1) ⋅ (q - 1)
(practical problem: there are many numbers which 3 is not relatively prime to)
Case of "e = 65537"
• Is equal to 2^16 + 1, and it is prime
• The binary representation contains only two 1s
→ Only 17 multiplications are necessary to compute any m^e
→ Much faster than the 768 (on average) multiplications necessary for a randomly chosen 512 bit value
• The problems mentioned for e = 3 are avoided
Public Key Cryptography Standard (PKCS)
How could different implementations interwork?
→ Standards for the encoding of information that will be encrypted or signed
Public Key Cryptography Standard
→ Set of standards PKCS#1 - PKCS#9
→ Definition of the encoding of RSA public keys, RSA private keys, RSA signatures, short RSA-encrypted messages (typically secret keys), and short RSA-signed messages (typically a message digest)
→ Designed to deal with
• Encrypting guessable messages
• Signing smooth numbers
• Multiple recipients of a message for e = 3
• For e = 3, encrypting messages that are less than a third of the length of n
• For e = 3, signing messages where the information is in the high-order part
Example: PKCS#1
PKCS#1 (encryption)
• Standard format for messages to be encrypted with RSA
Consists of
• Preceding 0: the message remains smaller than the modulus
• 2: denotes a message which is to be encrypted
• Random bytes (padding):
– Each byte is chosen independently to make it harder to guess the message
– Independent padding for each recipient
– Make the message long enough to avoid problems with m^3 < n for e = 3
• Next 0: marks the beginning of the data
Block layout: 0 | 2 | ≥ 8 random non-zero bytes | 0 | data
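The RSA key generation, encryption, decryption and signature operations from the preceding slides together with the PKCS#1 encryption block layout just described, as an added example (not code from the lecture or from the PKCS standard). The two primes are publicly known Mersenne primes chosen only so that the toy modulus (about 150 bits) is large enough to hold a padded block; they are not a secure parameter choice, and they also show the practical problem with e = 3 mentioned earlier (3 divides p - 1 for every Mersenne prime).

```python
"""
Added example: textbook RSA as on the key generation slide, plus the
PKCS#1 encryption block 00 | 02 | >= 8 random non-zero bytes | 00 | data.
"""
import math
import os

# Constructed key material: Mersenne primes 2^61 - 1 and 2^89 - 1 (toy only).
P = (1 << 61) - 1
Q = (1 << 89) - 1


def e_usable(e, p, q):
    """Step 4 of the slide: e must be relatively prime to Phi(n) = (p-1)(q-1)."""
    return math.gcd(e, (p - 1) * (q - 1)) == 1


def rsa_keygen(p, q, e=65537):
    """Steps 2-5: n = p*q, Phi(n), and d = e^-1 mod Phi(n) (extended Euclid)."""
    if not e_usable(e, p, q):
        raise ValueError("e must be relatively prime to Phi(n)")
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # multiplicative inverse, Python >= 3.8
    return (e, n), (d, n)        # <e, n> public key, <d, n> private key


def rsa_encrypt(m, pub):
    e, n = pub
    return pow(m, e, n)          # c = m^e mod n


def rsa_decrypt(c, priv):
    d, n = priv
    return pow(c, d, n)          # m = c^d mod n


def rsa_sign(m, priv):
    d, n = priv
    return pow(m, d, n)          # s = m^d mod n


def rsa_verify(s, pub):
    e, n = pub
    return pow(s, e, n)          # m = s^e mod n


def modulus_bytes(n):
    return (n.bit_length() + 7) // 8


def pkcs1_encrypt_block(data, n):
    """00 02 PS 00 data, as long as the modulus, PS = random non-zero bytes."""
    k = modulus_bytes(n)
    if len(data) > k - 11:                    # leaves at least 8 padding bytes
        raise ValueError("data too long for this modulus")
    ps = b""
    while len(ps) < k - 3 - len(data):
        b = os.urandom(1)
        if b != b"\x00":                      # padding bytes must be non-zero
            ps += b
    return b"\x00\x02" + ps + b"\x00" + data  # leading 00 keeps m < n


def pkcs1_decrypt_block(block):
    """Parse a block back; reject anything without the expected layout."""
    if len(block) < 11 or block[0] != 0 or block[1] != 2:
        raise ValueError("bad block type")
    sep = block.find(b"\x00", 2)
    if sep < 10:                              # fewer than 8 padding bytes
        raise ValueError("padding too short")
    return block[sep + 1:]


def roundtrip(data, pub, priv):
    """Pad, encrypt, decrypt and unpad; returns the recovered data."""
    k = modulus_bytes(pub[1])
    m = int.from_bytes(pkcs1_encrypt_block(data, pub[1]), "big")
    c = rsa_encrypt(m, pub)
    return pkcs1_decrypt_block(rsa_decrypt(c, priv).to_bytes(k, "big"))


if __name__ == "__main__":
    pub, priv = rsa_keygen(P, Q)
    print(roundtrip(b"secret", pub, priv))
```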
Example: PKCS#1
PKCS#1 (signature)
• Standard format for messages to be signed with RSA
• Data are typically a Message Digest of 128 Bit
→ Padding is required
Consists of:
• Preceding 0: the message remains smaller than the modulus
• 1: denotes a message which is to be signed
• Padding bytes: make the data bigger than 128 byte
• Next 0: marks the beginning of the data
• Digest type standardises how to tell another party which digest function was used
Block layout: 0 | 1 | ≥ 8 bytes of ff (hex) | 0 | digest type and message digest
Rabin Cryptosystem
Rabin cryptosystem
• "Secure" because of the difficulty to find square roots modulo a composite number
• Nearly as difficult as factorising large numbers
Rabin algorithm
• Choose primes p and q, both congruent to 3 mod 4
→ p and q form the private key
→ n = p ⋅ q is the public key
• Encryption of message m in the range {0, ..., n - 1}: c = m^2 mod n
Decryption in the Rabin Cryptosystem
Decryption is more complex
• Receiver knows p and q
• Solve the two congruences using the so-called Chinese remainder theorem
• Compute:
t1 = c^((p + 1) / 4) mod p
t2 = p - c^((p + 1) / 4) mod p
t3 = c^((q + 1) / 4) mod q
t4 = q - c^((q + 1) / 4) mod q
• Choose integers a = q ⋅ (q^-1 mod p) and b = p ⋅ (p^-1 mod q)
• Possible solutions are
m1 = (a ⋅ t1 + b ⋅ t3) mod n
m2 = (a ⋅ t1 + b ⋅ t4) mod n
m3 = (a ⋅ t2 + b ⋅ t3) mod n
m4 = (a ⋅ t2 + b ⋅ t4) mod n
• One of these results equals m…
• If m is normal text, it is no problem to find the right mi
• Otherwise, add a known header to m before encryption
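Rabin encryption and the four-root decryption with the t1..t4, a and b values from the slide, as an added example (not the lecture's code); the known-header idea from the last bullet is used to pick the right root. The parameters p = 11, q = 19, the 3-bit header 101 and the 4-bit payload are constructed for illustration only.

```python
"""
Added example: Rabin cryptosystem with CRT-based decryption and a known
header to select the correct one of the four square roots.
"""

P, Q = 11, 19            # both congruent to 3 mod 4 (private key)
N = P * Q                # public key n = 209
HEADER = 0b101           # known header placed above a 4-bit payload


def rabin_encrypt(m, n):
    return m * m % n                      # c = m^2 mod n, m in {0, ..., n-1}


def rabin_roots(c, p, q):
    """The four square roots of c mod p*q, exactly as on the slide."""
    t1 = pow(c, (p + 1) // 4, p)          # square roots of c mod p: t1, p - t1
    t2 = p - t1
    t3 = pow(c, (q + 1) // 4, q)          # square roots of c mod q: t3, q - t3
    t4 = q - t3
    a = q * pow(q, -1, p)                 # a = 1 mod p and a = 0 mod q
    b = p * pow(p, -1, q)                 # b = 0 mod p and b = 1 mod q
    n = p * q
    return {(a * t1 + b * t3) % n, (a * t1 + b * t4) % n,
            (a * t2 + b * t3) % n, (a * t2 + b * t4) % n}


def encrypt_payload(payload, n=N):
    """Prepend the known header to a 4-bit payload, then encrypt."""
    if not 0 <= payload < 16:
        raise ValueError("payload must fit in 4 bits")
    return rabin_encrypt((HEADER << 4) | payload, n)


def decrypt_payload(c, p=P, q=Q):
    """Decrypt and keep the one root whose top bits equal the known header."""
    matches = [m for m in rabin_roots(c, p, q) if m >> 4 == HEADER]
    if len(matches) != 1:
        raise ValueError("header does not single out one root")
    return matches[0] & 0xF


if __name__ == "__main__":
    c = encrypt_payload(5)                # m = 0b1010101 = 85, c = 119
    print(sorted(rabin_roots(c, P, Q)), decrypt_payload(c))
```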
Diffie-Hellman Cryptosystem
Oldest public key cryptosystem
• Offers better performance than RSA
• Less general than RSA (does neither encryption nor signatures)
Purpose: two persons can agree upon a secret number (e.g. a shared key), which cannot be computed by intercepting the publicly exchanged messages
• After the exchange of two public messages both communication partners know a secret number
• Having agreed on a secret number, they can use e.g. DES for communication
→ Diffie-Hellman is actually used for key establishment
→ Remaining problem: no authentication between the partners
Diffie-Hellman Algorithm
Algorithm for key establishment
• Choose a prime p with 512 bit
• Choose a number g < p with some restrictions
→ p and g are public!
• A randomly chooses a 512 bit number Sa and computes Ta = g^Sa mod p
• B randomly chooses a 512 bit number Sb and computes Tb = g^Sb mod p
→ Sa and Sb are secret
• A and B exchange Ta and Tb
• A computes kAB = Tb^Sa mod p = g^(Sa ⋅ Sb) mod p
• B computes kAB = Ta^Sb mod p = g^(Sa ⋅ Sb) mod p
→ A and B both compute the same secret key g^(Sa ⋅ Sb)
Note: It is impossible to compute g^(Sa ⋅ Sb) fast enough knowing only Ta and Tb, due to the difficulty to compute discrete logarithms, i.e. to compute Sa from knowing g^Sa
Bucket-Brigade Attack on Diffie-Hellman
Problem in Diffie-Hellman: no authentication between A and B
→ If A obtains Tb, he cannot know for sure if B has sent it
Bucket-Brigade attack
An attacker O obtains Ta and establishes a common secret with A
Attack method: p and g are known publicly
• A sends g^Sa to O (but believes it is sent to B)
• O computes g^So and sends it to B
• B computes g^Sb and sends it to O
• O sends g^So back to A
• O establishes kAO and kBO
• A and B communicate via O
[Figure, with the slide's example values:
A → O: g^Sa = 8389
O → B: g^So = 5876
B → O: g^Sb = 9267
O → A: g^So = 5876
shared key kAO = 8389^So = 5876^Sa
shared key kBO = 9267^So = 5876^Sb]
→ Diffie-Hellman is only secure against passive attacks (i.e. just watching messages)
→ Protection against active attacks: use a trusted and public location to publish g^Si for all persons i in advance
Diffie-Hellman for Encryption
Encryption algorithm using Diffie-Hellman
• Each participant chooses a private key Si
• Each participant computes a public key <p, g, Ti> with Ti = g^Si mod p
• Publish all public keys at a trusted public place
• Assume, B publishes <p, g, Tb>
• A computes kAB = Tb^Sa mod p
• A uses kAB as secret key with B to compute a cipher text
• A transmits the cipher text and g^Sa mod p to B
• B computes kAB to decrypt the message
→ The secret key is transmitted only together with the message
ElGamal Cryptosystem
• Mainly used for digital signatures
• Secure because of the difficulty to calculate discrete logarithms in a finite field
• Uses the same kind of key as Diffie-Hellman
For better security, p and g should have these properties:
• p should be a strong prime number, i.e. (p - 1) / 2 is prime, too
• It is desirable to have g^x ≠ 1 mod p for x ≠ 0 mod (p - 1) [if p is a strong prime number, this is true for all g ≠ -1 mod p with g^((p - 1) / 2) = -1 mod p]
• But: this is a costly way of choosing p and g!
Additionally provides a scheme for signatures
• Each person has a long-time key
– public key: <g, p, T>
– private key: S with g^S mod p = T
• For each message m to be signed, a new key pair Sm, <g, p, Tm> has to be generated
• For the message m to be signed, compute a message digest dm = MD(m | Tm)
• Compute the signature X = Sm + dm ⋅ S mod (p - 1)
• Transmit m together with X and Tm
• To verify the signature, compute g^X, dm, and Tm ⋅ T^dm mod p
Check: g^X = g^(Sm + dm ⋅ S) = g^Sm ⋅ g^(dm ⋅ S) = Tm ⋅ T^dm mod p
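Diffie-Hellman key establishment with the parameter properties recommended above (p a strong prime, g with g^((p-1)/2) = -1 mod p) and the ElGamal signature scheme exactly as described (X = Sm + dm ⋅ S mod (p - 1), check g^X = Tm ⋅ T^dm mod p), as an added example (not the lecture's code). The toy prime p = 10007, the choice of g as the smallest number with g^((p-1)/2) = -1, and the SHA-256-based digest MD(m | Tm) are assumptions of this example.

```python
"""
Added example: Diffie-Hellman key agreement plus the ElGamal signature
variant from the slide, over a small strong prime (toy parameters).
"""
import hashlib
import random

P = 10007                 # strong prime: (P - 1) / 2 = 5003 is prime too
# smallest g with g^((p-1)/2) = -1 mod p; such a g generates the whole group
G = next(g for g in range(2, P) if pow(g, (P - 1) // 2, P) == P - 1)


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def check_parameters(p, g):
    """Slide's recommendations: (p-1)/2 prime, g != -1, g^((p-1)/2) = -1 mod p."""
    q = (p - 1) // 2
    return is_prime(p) and is_prime(q) and g != p - 1 and pow(g, q, p) == p - 1


def dh_public(secret, p=P, g=G):
    return pow(g, secret, p)                  # T = g^S mod p


def dh_shared(own_secret, other_public, p=P):
    return pow(other_public, own_secret, p)   # k = T_other^S_own = g^(Sa*Sb) mod p


def md(message, t_m, p=P):
    """d_m = MD(m | T_m): SHA-256 over message and T_m, reduced mod (p-1)."""
    h = hashlib.sha256(message + t_m.to_bytes(4, "big")).digest()
    return int.from_bytes(h, "big") % (p - 1)


def elgamal_sign(message, s, s_m=None, p=P, g=G):
    """Per-message key S_m, T_m = g^S_m mod p; signature X = S_m + d_m*S mod (p-1)."""
    if s_m is None:
        s_m = random.randrange(1, p - 1)     # must be fresh for every message
    t_m = pow(g, s_m, p)
    d_m = md(message, t_m, p)
    x = (s_m + d_m * s) % (p - 1)
    return x, t_m                             # transmitted together with m


def elgamal_verify(message, x, t_m, t, p=P, g=G):
    """Check g^X = T_m * T^d_m mod p."""
    d_m = md(message, t_m, p)
    return pow(g, x, p) == t_m * pow(t, d_m, p) % p


if __name__ == "__main__":
    sa, sb = 6, 15                            # toy secrets of A and B
    print(dh_shared(sa, dh_public(sb)) == dh_shared(sb, dh_public(sa)))
    s = 1234                                  # long-term private key S
    x, t_m = elgamal_sign(b"hello", s)
    print(elgamal_verify(b"hello", x, t_m, dh_public(s)))
```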
Digital Signature Standard (DSS)
Digital Signatures with DSS
• The DSS algorithm is called Digital Signature Algorithm (DSA)
• Algorithm to create digital signatures based on ElGamal
• Difference to ElGamal is the speed of operations (3 times faster):
Instead of using a p of 512 bit, for some operations only use a prime q of 160 bit, for which holds: p = k ⋅ q + 1
Note: using ElGamal means generating a key pair <Sm, Tm> for each message m which has to be signed
• If a pair of keys is used for two different messages, it would expose the signer's private key:
→ With only two uses, Sm can be deduced
→ By knowing Sm, the secret key S can easily be computed
Digital Signature Algorithm
• Generate and publish a 512-bit prime p and a 160-bit prime q with p = k ⋅ q + 1
• Generate and publish a g with g^q = 1 mod p (use Fermat's theorem)
Note: g must not be 1
• Generate a long-term public/private key pair <T, S> as in ElGamal
• For each message m generate a separate key pair <Tm, Sm> by choosing Sm and computing Tm = ((g^Sm mod p) mod q)
• For m, compute the message digest dm
• Compute the signature X = Sm^-1 ⋅ (dm + S ⋅ Tm) mod q
• Transmit m, Tm, and X
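DSA signing as listed above and the verification steps from the following slide (X^-1 mod q, x = dm ⋅ X^-1, y = Tm ⋅ X^-1, z = (g^x ⋅ T^y mod p) mod q), as an added example (not the lecture's code). The toy parameters q = 11, p = 2q + 1 = 23, g = 2^((p-1)/q) mod p and the digest reduced mod q are assumptions; the standard uses a 160-bit q and a 512-bit p.

```python
"""
Added example: DSA key generation, signing and verification with toy
parameters, following the two DSS slides step by step.
"""
import hashlib

Q = 11                          # small prime q
P = 23                          # p = k*q + 1 with k = 2
G = pow(2, (P - 1) // Q, P)     # g = 2^k mod p = 4; 4^11 = 1 mod 23 and g != 1


def dsa_params_ok(p, q, g):
    """The three conditions on the slide: q | p - 1, g^q = 1 mod p, g != 1."""
    return (p - 1) % q == 0 and pow(g, q, p) == 1 and g != 1


def digest(message, q=Q):
    """d_m: SHA-256 of the message reduced mod q (constructed for the toy q)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q


def dsa_public(s, p=P, g=G):
    """Long-term pair as in ElGamal: private S, public T = g^S mod p."""
    return pow(g, s, p)


def dsa_sign(d_m, s, s_m, p=P, q=Q, g=G):
    """Per-message S_m; T_m = (g^S_m mod p) mod q; X = S_m^-1 (d_m + S T_m) mod q."""
    t_m = pow(g, s_m, p) % q
    x = pow(s_m, -1, q) * (d_m + s * t_m) % q
    if t_m == 0 or x == 0:                    # degenerate: choose a new S_m
        raise ValueError("unusable per-message key, choose another S_m")
    return t_m, x


def dsa_verify(d_m, t_m, x, t, p=P, q=Q, g=G):
    """x' = d_m X^-1, y = T_m X^-1 mod q; z = (g^x' T^y mod p) mod q; z == T_m?"""
    if not (0 < t_m < q and 0 < x < q):
        return False
    x_inv = pow(x, -1, q)
    u = d_m * x_inv % q
    v = t_m * x_inv % q
    z = pow(g, u, p) * pow(t, v, p) % p % q
    return z == t_m


if __name__ == "__main__":
    s = 7                                     # long-term private key S
    t = dsa_public(s)                         # T = 8
    t_m, x = dsa_sign(5, s, s_m=3)            # d_m = 5 -> (T_m, X) = (7, 7)
    print(t_m, x, dsa_verify(5, t_m, x, t))
```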
Signature verification
• Calculate the mod q inverse of the signature, X^-1
• Calculate the message digest dm
• Calculate x = dm ⋅ X^-1 mod q and y = Tm ⋅ X^-1 mod q
• Calculate z = (g^x ⋅ T^y mod p) mod q
• If z = Tm, the signature is verified
Merkle-Hellman Cryptosystem
Knapsack Problem
• Pack a knapsack optimally with n objects of different weights a1, ..., an and overall size g
• Search for a sequence (ki), ki ∈ {0, 1} for i = 1, ..., n with Σ(i = 1..n) ai ⋅ ki = g
• This is an NP-hard problem
Merkle-Hellman cryptosystem
• Based on the knapsack problem
• Special type of knapsack problem: the sizes of the objects form a fast growing sequence with a(j+1) > Σ(i = 1..j) ai
There is a solution in O(n): start with the biggest object and find a new smaller knapsack with one object less
Merkle-Hellman in Cryptography
Principle:
Use a simple Knapsack problem as private key and transform it into a hard one which is used as public key. A message m = (m1, m2, ..., mn) is seen as a solution for the problem, i.e. if mi = 1, object i is in the knapsack
Example:
• A chooses a Knapsack problem a with a = (ai) = (2, 5, 9, 21, 45, 103, 215, 450, 946) as key
• A chooses a prime p = 2003 and a number k = 1289
• A generates a hard Knapsack problem e = (ei) with ei = k ⋅ ai mod p
→ e = (575, 436, 1586, 1030, 1921, 569, 721, 1183, 1570)
• B encrypts a message m = (1, 0, 1, 1, 0, 0, 1, 1, 1) to A by using e
→ c = 1 ⋅ 575 + 0 ⋅ 436 + 1 ⋅ 1586 + 1 ⋅ 1030 + 0 ⋅ 1921 + 0 ⋅ 569 + 1 ⋅ 721 + 1 ⋅ 1183 + 1 ⋅ 1570 = 6665 (this value is transmitted)
• A computes g = k^-1 ⋅ c mod p = 317 ⋅ 6665 mod 2003 = 1643
• A solves 1643 for (ai) by choosing the biggest fitting number in (ai) till 1643 is reached:
(2, 5, 9, 21, 45, 103, 215, 450, 946)
→ (1, 0, 1, 1, 0, 0, 1, 1, 1)
→ The original message is given by the elements of a that were used
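The Merkle-Hellman steps above run on the slide's own numbers, as an added example (not the lecture's code): the superincreasing check, the public knapsack e_i = k ⋅ a_i mod p, encryption of m = (1, 0, 1, 1, 0, 0, 1, 1, 1), and decryption via g = k^-1 ⋅ c mod p followed by the greedy O(n) solution.

```python
"""
Added example: Merkle-Hellman knapsack cryptosystem with the parameters
a = (2, 5, ..., 946), p = 2003, k = 1289 from the slide.
"""

A = (2, 5, 9, 21, 45, 103, 215, 450, 946)   # private, easy (superincreasing) knapsack
P, K = 2003, 1289                            # modulus and multiplier (private)


def is_superincreasing(a):
    """Each a_{j+1} must exceed the sum of all earlier a_i."""
    total = 0
    for x in a:
        if x <= total:
            return False
        total += x
    return True


def public_knapsack(a, p, k):
    """Hard knapsack e_i = k * a_i mod p, published as the public key."""
    return tuple(k * x % p for x in a)


def encrypt(bits, e):
    """c = sum of e_i over all positions where m_i = 1."""
    if len(bits) != len(e):
        raise ValueError("message length must equal the knapsack size")
    return sum(ei for ei, mi in zip(e, bits) if mi)


def solve_superincreasing(a, g):
    """Greedy: from the biggest object downwards, take it whenever it still fits."""
    bits = [0] * len(a)
    for i in range(len(a) - 1, -1, -1):
        if a[i] <= g:
            bits[i] = 1
            g -= a[i]
    if g != 0:
        raise ValueError("no solution: not a valid cipher text")
    return tuple(bits)


def decrypt(c, a, p, k):
    """g = k^-1 * c mod p turns the hard instance back into the easy one."""
    g = pow(k, -1, p) * c % p
    return solve_superincreasing(a, g)


if __name__ == "__main__":
    e = public_knapsack(A, P, K)
    c = encrypt((1, 0, 1, 1, 0, 0, 1, 1, 1), e)
    print(e, c, decrypt(c, A, P, K))
```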
Modern Public Key Cryptosystems
Classic public key cryptosystems are well analysed
• The performance of classic public-key cryptosystems is acceptable
• Security: classic public key cryptosystems are not perfectly secure, but computationally secure
Modern public key cryptosystems improve the classic ones:
• Performance: modern public key cryptosystems have a better performance than the classic ones
• Security: modern public key cryptosystems also offer better security (with the same key length)
• Example: Elliptic Curve Cryptosystem
→ Provide security equivalent to classical public key schemes
→ Shorter key lengths, resulting in faster computing, less complex chips
Elliptic Curves – Definition
Definition: Let p > 3 be prime. The elliptic curve y^2 = x^3 + ax + b over Zp is the set of solutions (x, y) ∈ Zp × Zp of the congruence
y^2 ≡ x^3 + ax + b (mod p),
where a, b ∈ Zp are constants such that
4a^3 + 27b^2 ≢ 0 (mod p),
together with a special point O called the point at infinity.
Addition Operation
Let E be an elliptic curve over Zp, P = (x1, y1), Q = (x2, y2).
If x2 = x1 and y2 = -y1, then Q = -P and P + Q := O; otherwise P + Q := (x3, y3), with
x3 = λ^2 - x1 - x2
y3 = λ(x1 - x3) - y1
and
λ = (y2 - y1) / (x2 - x1), if P ≠ Q
λ = (3 x1^2 + a) / (2 y1), if P = Q
(all operations, including the divisions, are carried out in Zp).
Finally, P + O = O + P = P.
Elliptic Curve - Example
Points on the elliptic curve E: y^2 = x^3 + x + 6 in Z11
 x | x^3 + x + 6 mod 11 | in QR(11)? | y
---+--------------------+------------+--------------
 0 |                  6 | no         | [no solution]
 1 |                  8 | no         |
 2 |                  5 | yes        | 4, 7
 3 |                  3 | yes        | 5, 6
 4 |                  8 | no         |
 5 |                  4 | yes        | 2, 9
 6 |                  8 | no         |
 7 |                  4 | yes        | 2, 9
 8 |                  9 | yes        | 3, 8
 9 |                  7 | no         |
10 |                  4 | yes        | 2, 9
i.e. (x, y) = (3, 5) and (x, y) = (3, 6) are points on the elliptic curve
→ E = {O, (2,4), (2,7), (3,5), (3,6), (5,2), (5,9), (7,2), (7,9), (8,3), (8,8), (10,2), (10,9)}
Let α = (2,7). Then α is a primitive element:
α = (2,7)
2α = (5,2) = α + α
3α = (8,3)
4α = (10,2)
5α = (3,6)
6α = (7,9)
7α = (7,2)
8α = (3,5)
9α = (10,9)
10α = (8,8)
11α = (5,9)
12α = (2,4)
Example: ElGamal Encryption with Elliptic Curves
Let α = (2,7) and a = 5, so β = 5α = (3,6)
(a is secret and for large numbers cannot be obtained from α and β in reasonable time)
The encryption operation is
ek(x, r) = (rα, x + rβ) = (y1, y2),
ek(x, r) = (r(2,7), x + r(3,6)), where x ∈ E and 0 ≤ r ≤ 12
and the decryption operation is
dk(y1, y2) = y2 - a y1 = y2 - 5 y1
Alice wants to send x = (7,9) to Bob; she chooses the random value r = 7. She then computes
y1 = 7(2,7) = (7,2)
y2 = (7,9) + 7(3,6) = (7,9) + (10,9) = (5,2)
Bob receives y = ((7,2), (5,2)) and obtains
x = (5,2) - 5(7,2) = (5,2) - (10,9) = (5,2) + (10,2) = (7,9)
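The point addition from the "Addition Operation" slide (both λ cases and the point at infinity O) for the curve y^2 = x^3 + x + 6 over Z11, used to rebuild the point table, the multiples of α = (2,7) and the ElGamal encryption/decryption example above, as an added example (not the lecture's code); the scalar multiplication uses double-and-add instead of the slide's repeated addition, which gives the same results.

```python
"""
Added example: elliptic-curve arithmetic over Z_p and the EC-ElGamal
encryption/decryption from the slide (curve y^2 = x^3 + x + 6 over Z_11).
"""

O = None                                  # the point at infinity


class Curve:
    def __init__(self, a, b, p):
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("singular curve")
        self.a, self.b, self.p = a, b, p

    def on_curve(self, pt):
        if pt is O:
            return True
        x, y = pt
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, pt):
        return O if pt is O else (pt[0], -pt[1] % self.p)

    def add(self, pt1, pt2):
        """P + Q with the two lambda cases of the slide; division = inverse mod p."""
        p = self.p
        if pt1 is O:
            return pt2
        if pt2 is O:
            return pt1
        x1, y1 = pt1
        x2, y2 = pt2
        if x1 == x2 and (y1 + y2) % p == 0:
            return O                      # Q = -P (also covers doubling a point with y = 0)
        if pt1 == pt2:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k, pt):
        """k * P by double-and-add."""
        result, addend = O, pt
        while k > 0:
            if k & 1:
                result = self.add(result, addend)
            addend = self.add(addend, addend)
            k >>= 1
        return result

    def points(self):
        """All solutions (x, y) of y^2 = x^3 + ax + b mod p, plus O."""
        pts = [O]
        for x in range(self.p):
            rhs = (x ** 3 + self.a * x + self.b) % self.p
            pts += [(x, y) for y in range(self.p) if y * y % self.p == rhs]
        return pts


E = Curve(1, 6, 11)                       # y^2 = x^3 + x + 6 over Z_11
ALPHA = (2, 7)                            # primitive element from the slide


def multiples(curve, g, count):
    """[1*g, 2*g, ..., count*g]."""
    return [curve.mul(i, g) for i in range(1, count + 1)]


def ec_elgamal_encrypt(x, r, alpha, beta, curve=E):
    """e_k(x, r) = (r*alpha, x + r*beta) = (y1, y2)."""
    return curve.mul(r, alpha), curve.add(x, curve.mul(r, beta))


def ec_elgamal_decrypt(y1, y2, a, curve=E):
    """d_k(y1, y2) = y2 - a*y1."""
    return curve.add(y2, curve.neg(curve.mul(a, y1)))


if __name__ == "__main__":
    beta = E.mul(5, ALPHA)                # a = 5 -> beta = (3, 6)
    y1, y2 = ec_elgamal_encrypt((7, 9), 7, ALPHA, beta)
    print((y1, y2), ec_elgamal_decrypt(y1, y2, 5))
```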