Lehrstuhl für Informatik 4, Kommunikation und verteilte Systeme (Chair of Computer Science 4: Communication and Distributed Systems)

Chapter 2: Security Techniques Background
• Secret Key Cryptography
• Public Key Cryptography
• Hash Functions
• Authentication
Chapter 3: Security on Network and Transport Layer
Chapter 4: Security on the Application Layer
Chapter 5: Security Concepts for Networks

Chapter 2.2: Public Key Cryptography
• Principles of public key cryptography
• Number theory and algebraic foundations
• Classical public key cryptography
• Newer public key cryptography

Principles of Public Key Cryptography
Also called asymmetric cryptography
• Different from secret key cryptography: the algorithms (and the keys) for encryption and decryption differ considerably
• Works with two keys
  → A private key d (known only to the owner)
  → A public key e (may be known by everyone)
• Public key cryptography principle (e.g. RSA):
  plaintext → encryption with the public key e → cipher text → decryption with the private key d → plaintext
• Easier to set up than secret key cryptography (no secret has to be shared in advance), but slower
• Therefore often combined with secret key cryptography: public key methods are used for authentication and for the distribution of a secret key (e.g. Diffie-Hellman for the establishment of a shared secret), which then encrypts the actual data

Security in Public Key Algorithms / Applications of Public Key Cryptography

Digital signatures (e.g.
RSA, ElGamal, DSS)
• Associate a value with a message, like a checksum
• This value can only be generated with the private key d (the "decryption" operation applied to the message)
• It can be verified by everyone knowing the public key e (the "encryption" operation)
• Similar to a hand-written signature: authenticity, without the chance to forge it
  plaintext → signing with the private key d → signed message → verification with the public key e → plaintext

Authentication (the slides call this a zero knowledge proof system; it is a challenge-response protocol)
• A generates a random number and encrypts it with the public key of B
• B decrypts the message with its private key and sends the random number back to A
• If A gets back the original random number, B is authenticated
  Caveat: B decrypts whatever it is sent, so the challenge must be bound to this protocol run and the same key pair must not be used to encrypt other data; otherwise B serves as a decryption oracle

Security in many public key algorithms is based on the difficulty of factorising and of computing discrete logarithms

Factorising
→ Find the prime factors of a given number
→ One of the oldest problems in number theory, very time consuming
→ Popular method: Quadratic Sieve (for the largest numbers factored today: the General Number Field Sieve)

Discrete logarithm
→ The inverse problem to modular exponentiation: find an x with a^x = b mod n for given a, b and n
→ Not every discrete logarithm has a solution
→ Very time consuming for big numbers
→ Frequently used method: Index-Calculus method

Basics for Public Key Cryptography: Number Theory / Modular Arithmetic

Arithmetic Operations modulo n
Arithmetic computing modulo n
• Arithmetic operations are performed as usual, but the result is replaced by its remainder when divided by n (e.g.
3 + 9 = 12 ≡ 2 mod 10)

Number theory provides the basic knowledge to understand how and why public key algorithms work
→ Necessary concepts for understanding public key algorithms
→ Most public key algorithms are based on modular arithmetic

Modular arithmetic
→ Operates on a ring (Zn, +, ⋅), where Zn is the set of non-negative integers smaller than some positive integer n
  +: Zn × Zn → Zn is a function that
  • is associative and commutative
  • has a neutral element 0 ∈ Zn
  • has an inverse element -x to each x ∈ Zn, i.e. x + (-x) = 0 (in Zn: -x = n - x for x ≠ 0)
  ⋅: Zn × Zn → Zn is an associative function (in a general ring it need not be commutative; in Zn it is)
  + and ⋅ satisfy the left and right distributive laws
→ Needed for public key cryptography: addition, multiplication, exponentiation
→ Computations of these functions are performed modulo n

Modular addition
• Given: c = x + k mod n, with c, x, k ∈ Zn
  → if x + k < n: c = x + k
  → if x + k ≥ n: c = j, where x + k = i ⋅ n + j and j < n
• Can be used to encrypt digits: each number x out of a range of numbers is unambiguously mapped onto another number c from this range
• Caesar Cipher: add a constant k to each number
• Decryption needs subtraction. This can be replaced by an addition of the inverse value n - k

Addition table modulo 10 (row x, column y, entry x + y mod 10):
  +  0 1 2 3 4 5 6 7 8 9
  0  0 1 2 3 4 5 6 7 8 9
  1  1 2 3 4 5 6 7 8 9 0
  2  2 3 4 5 6 7 8 9 0 1
  3  3 4 5 6 7 8 9 0 1 2
  4  4 5 6 7 8 9 0 1 2 3
  5  5 6 7 8 9 0 1 2 3 4
  6  6 7 8 9 0 1 2 3 4 5
  7  7 8 9 0 1 2 3 4 5 6
  8  8 9 0 1 2 3 4 5 6 7
  9  9 0 1 2 3 4 5 6 7 8

Modular multiplication (multiplication table modulo 10: see below)
• Given: c = x ⋅ k mod n, with c, x, k ∈ Zn
  → if x ⋅ k < n: c = x ⋅ k
  → if x ⋅ k ≥ n: c = j, where x ⋅ k = i ⋅ n + j and j < n
• Encryption only
works with special keys k
  Example for n = 10: only k ∈ {1, 3, 7, 9} is usable as (simple) cipher key
  → only for these values the mapping is unambiguous
  → for other values of k, an information loss occurs
• Only use keys k relatively prime to n
  → k and n share no common factor other than 1
• Decryption works by multiplication of the cipher text c with the multiplicative inverse k^-1, i.e. k ⋅ k^-1 = 1 mod n (e.g. 7^-1 = 3 mod 10, because 7 ⋅ 3 = 21 = 1 mod 10)
  → The multiplicative inverse modulo n = 10 only exists for 1, 3, 7, and 9

Multiplication table modulo 10 (row x, column k, entry x ⋅ k mod 10):
  *  0 1 2 3 4 5 6 7 8 9
  0  0 0 0 0 0 0 0 0 0 0
  1  0 1 2 3 4 5 6 7 8 9
  2  0 2 4 6 8 0 2 4 6 8
  3  0 3 6 9 2 5 8 1 4 7
  4  0 4 8 2 6 0 4 8 2 6
  5  0 5 0 5 0 5 0 5 0 5
  6  0 6 2 8 4 0 6 2 8 4
  7  0 7 4 1 8 5 2 9 6 3
  8  0 8 6 4 2 0 8 6 4 2
  9  0 9 8 7 6 5 4 3 2 1
  → Only the rows 1, 3, 7 and 9 contain every digit exactly once

Modular exponentiation
• Given: c = x^k mod n, with c, x, k ∈ Zn
  → if x^k < n: c = x^k
  → if x^k ≥ n: c = j, where x^k = i ⋅ n + j and j < n
• Note the difference to modular multiplication: the exponent is not reduced modulo n, i.e. in general x^k mod n ≠ x^(k + n) mod n (the exponent can be reduced modulo Φ(n), see the Euler function below)
• Encryption only works with special keys k
• Decryption needs an inverse k^-1 with x^(k ⋅ k^-1) = x mod n, i.e. k ⋅ k^-1 = 1 mod Φ(n)
• But: such an inverse k^-1 does not exist in each case

Exponentiation table modulo 10 (row y, column x, entry x^y mod 10):
  x^y  0 1 2 3 4 5 6 7 8 9
  y=0  1 1 1 1 1 1 1 1 1 1
  y=1  0 1 2 3 4 5 6 7 8 9
  y=2  0 1 4 9 6 5 6 9 4 1
  y=3  0 1 8 7 4 5 6 3 2 9
  y=4  0 1 6 1 6 5 6 1 6 1
  y=5  0 1 2 3 4 5 6 7 8 9
  y=6  0 1 4 9 6 5 6 9 4 1
  y=7  0 1 8 7 4 5 6 3 2 9
  y=8  0 1 6 1 6 5 6 1 6 1
  y=9  0 1 2 3 4 5 6 7 8 9

Finding Modular Inverses: The Euclidean Algorithm
• Finding the multiplicative inverse of x by trying all candidates is a very time consuming process
• If x has 100 digits, no brute force attack is possible
• Useful: if x is relatively prime to n, a multiplicative inverse x^-1 mod n exists
• The multiplicative inverse is computed with the Euclidean algorithm

Euclidean algorithm
→ Determines the greatest common divisor (gcd) of x and n
→ Given x and n, it finds a y with x ⋅ y = 1 mod n (if one exists)
→ If x is relatively prime to n: gcd(x, n) = 1
→ Idea: replace x and n with smaller
numbers with the same gcd. If one number becomes zero, the other one is the gcd
→ Faster algorithm: the smaller the numbers are, the faster the computation of the gcd is. Replace the bigger number with its remainder after division by the smaller number

Example: gcd(6, 14)?
→ gcd(6, 14 - 6) → gcd(6, 8) → gcd(6, 2) → gcd(4, 2) → gcd(2, 2) → gcd(2, 0) → = 2

  function int gcd(int x, int y)
  begin
    int r2 = x;        // the larger remainder
    int r1 = y;        // the smaller remainder
    int tmp;
    while (r1 > 0)
    begin
      tmp = r1;
      r1 = r2 % r1;    // r2 mod r1
      r2 = tmp;
    end
    return r2;
  end

Multiplicative Inverse by the Euclidean Algorithm
How to find a multiplicative inverse x^-1 to x mod n, such that x ⋅ x^-1 = 1 mod n, with the Euclidean algorithm?
• Multiplicative inverse for x mod n: a u exists with u ⋅ x = 1 mod n
  ⇒ u ⋅ x differs from 1 by a multiple of n
  ⇒ There is a v with u ⋅ x + v ⋅ n = 1
• Computing gcd(x, n) can compute such a u and v, if gcd(x, n) = 1
  ⇒ If gcd(x, n) = 1, u is the multiplicative inverse to x

Computing the Multiplicative Inverse
Initialisation: u_-2 = 1, v_-2 = 0, u_-1 = 0, v_-1 = 1, r_-2 = x, r_-1 = y, i = 0
Repeat: if r_(i-1) = 0 ⇒ gcd(x, y) = r_(i-2)
        else divide r_(i-2) by r_(i-1) to get the quotient q_i and the remainder r_i
Keep track of: u_i = u_(i-2) - q_i ⋅ u_(i-1), v_i = v_(i-2) - q_i ⋅ v_(i-1)
(Invariant: r_i = u_i ⋅ x + v_i ⋅ y for every i)

Could there be more than one u mod n with u ⋅ x = 1 mod n?
→ Suppose: m ⋅ x = 1 mod n ⇒ m ⋅ x ⋅ u = u mod n
  But u ⋅ x = 1 mod n ⇒ m ⋅ 1 = u mod n ⇒ m = u
  ⇒ The inverse is unique modulo n

The algorithm
• Note: gcd(0, y) = y
• In general: if d denotes a divisor of x and y ⇒ x = i ⋅ d, y = j ⋅ d ⇒ x - y = i ⋅ d - j ⋅ d = (i - j) ⋅ d
  ⇒ If x > 0, replace gcd(x, y) with gcd(x - y, y)
• Efficiency: x and y should become as small as possible
• Repeated subtraction of y from x ends at x mod y and keeps every common divisor d ⇒ gcd(x, y) = gcd(x mod y, y)
• If y > x, exchange x and y

Example: x = 407, y = 595
   i   q_i   r_i   u_i    v_i
  -2    -    407     1      0
  -1    -    595     0      1
   0    0    407     1      0
   1    1    188    -1      1
   2    2     31     3     -2
   3    6      2   -19     13
   4   15      1   288   -197
   5    2      0  -595    407
r_5 = 0 ⇒ gcd(407, 595) = r_4 = 1, multiplicative inverse u_4 = 407^-1 mod 595 = 288
(check: 288 ⋅ 407 - 197 ⋅ 595 = 117216 - 117215 = 1)

Finding Prime Numbers
• Problem (the Euclidean algorithm does not help here): how to find large numbers n with gcd(x, n) = 1 for all 0 < x < n, i.e. large primes?
• Naive method: trial division of n by all smaller numbers (even only up to √n) ⇒ takes longer than your lifetime for numbers of the required size
• Practical solution: in practice one does not prove with one hundred percent certainty that a large number is prime; instead there are tests determining that a number is probably prime (with an error probability that can be made as small as desired)
• Use the properties:
  1.) gcd(x, n) = 1 if x and n are relatively prime (x and n are relatively prime if there are integers u and v with u ⋅ x + v ⋅ n = 1)
  2.) the Euler function Φ(n) (next slide); if n is prime, all numbers 1, ..., n - 1 are relatively prime to n ⇒ Φ(n) = n - 1
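The extended Euclidean algorithm of the preceding slides, carried out in code. This is an added example, not part of the lecture slides: it reproduces the slides' table for x = 407, y = 595 with the same bookkeeping (q_i, r_i, u_i, v_i), derives the multiplicative inverse from it, and, for the multiplicative cipher of the earlier slide, lists which keys k are usable modulo n. Python 3.8 or newer is assumed; the function names are mine.

```python
# Added example (not from the lecture slides): the extended Euclidean algorithm
# with the slides' bookkeeping r_i, u_i, v_i, used to compute multiplicative
# inverses, plus the "which keys are usable" check for the multiplicative cipher.


def egcd_table(x, y):
    """Extended Euclidean algorithm on (x, y) with the slides' recurrences.

    r_-2 = x, r_-1 = y, u_-2 = 1, v_-2 = 0, u_-1 = 0, v_-1 = 1,
    q_i = r_{i-2} // r_{i-1}, r_i = r_{i-2} mod r_{i-1},
    u_i = u_{i-2} - q_i * u_{i-1},  v_i = v_{i-2} - q_i * v_{i-1}.
    Invariant: r_i == u_i * x + v_i * y for every row.
    Returns (g, u, v, rows) with g == gcd(x, y) == u*x + v*y and rows being
    the list of (i, q_i, r_i, u_i, v_i) tuples, exactly the table on the slide.
    """
    rows = [(-2, None, x, 1, 0), (-1, None, y, 0, 1)]
    i = 0
    while rows[-1][2] != 0:                  # stop when the newest remainder is 0
        _, _, r2, u2, v2 = rows[-2]
        _, _, r1, u1, v1 = rows[-1]
        q = r2 // r1
        rows.append((i, q, r2 % r1, u2 - q * u1, v2 - q * v1))
        i += 1
    _, _, g, u, v = rows[-2]                 # the row before the zero remainder holds the gcd
    return g, u, v, rows


def modinv(x, n):
    """Multiplicative inverse of x modulo n, or None if gcd(x, n) != 1."""
    g, u, _, _ = egcd_table(x, n)
    return u % n if g == 1 else None


def multiplicative_cipher_is_lossless(k, n):
    """True iff x -> x*k mod n is a bijection on Z_n (no information loss)."""
    return len({(x * k) % n for x in range(n)}) == n


def usable_keys(n):
    """Keys k in Z_n for which the multiplicative cipher can be decrypted;
    these are exactly the k with an inverse, i.e. gcd(k, n) == 1."""
    return [k for k in range(1, n) if modinv(k, n) is not None]


if __name__ == "__main__":
    g, u, v, rows = egcd_table(407, 595)
    print("   i   q_i    r_i    u_i    v_i")
    for i, q, r, uu, vv in rows:
        print(f"{i:4} {'-' if q is None else q:5} {r:6} {uu:6} {vv:6}")
    print(f"gcd = {g}, 407^-1 mod 595 = {u % 595}")   # 288, as on the slide
    print("usable keys mod 10:", usable_keys(10))     # [1, 3, 7, 9]
```

Running the block prints the slide's table row by row; `usable_keys(10)` is the set {1, 3, 7, 9} from the multiplication-table slide, and `multiplicative_cipher_is_lossless` shows directly why the other keys lose information.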
The Euler Function Φ(n)
• Φ(n), the totient function, denotes the number of integers in {1, ..., n} relatively prime to n
• If n is a prime or a product of different primes, then for all x: x^y mod n = x^(y mod Φ(n)) mod n
• Example for n = 10 (= 5 ⋅ 2)
  Relatively prime to n: {1, 3, 7, 9} ⇒ Φ(n) = (5 - 1) ⋅ (2 - 1) = 4
  ⇒ In the table of x^y mod 10 above, row y + 4 is the same as row y
• Important special case: y = 1 mod Φ(n) ⇒ for any x: x^y = x^(y mod Φ(n)) = x mod n

Euler's Theorem and Fermat's Theorem
Euler's Theorem
• For any a relatively prime to n holds: a^Φ(n) = 1 mod n
• If n is prime: Φ(n) = n - 1. In this case:
Fermat's Theorem
• If n is a prime and 0 < a < n ⇒ a^(n - 1) = 1 mod n
  → Good rule for determining primes
  → But: what about an n with a^(n - 1) = 1 mod n, where n is no prime?
  → Find primes by a simple prime test

Limits of the simple prime test
• If the simple prime test gives a wrong answer (a composite n is accepted): a cryptosystem like RSA might fail, a message cannot be decrypted, and an attacker might be able to compute keys more easily
• "Solution": test n with other values for a
• Problem: Carmichael numbers (very rare): no primes, but for all a relatively prime to n holds: a^(n - 1) = 1 mod n
  Some Carmichael numbers: 561 = 3 ⋅ 11 ⋅ 17, 1105 = 5 ⋅ 13 ⋅ 17, 41041 = 7 ⋅ 11 ⋅ 13 ⋅ 41, 825265 = 5 ⋅ 7 ⋅ 17 ⋅ 19 ⋅ 73
• An enhanced prime test is needed: the Miller-Rabin prime test, an improved method to find prime numbers

Prime Tests
Simple prime test (Fermat test)
• Choose an a with a < n and compute a^(n - 1) mod n.
• If the result is not 1, n is no prime
• If the result is 1, n may be a prime (the slides quote: if n has 100 digits, the probability that such an n is no prime is 10^-13)

Computing Φ(n) for n = p ⋅ q
• If n is a product of two different primes p and q:
  ⇒ The p ⋅ q numbers 0, ..., n - 1 are the candidates for being relatively prime to n
  ⇒ Among them there are q multiples of p and p multiples of q, with 0 counted in both sets
  ⇒ (p + q - 1) numbers are not relatively prime to n
  ⇒ Φ(n) = p ⋅ q - (p + q - 1) = (p - 1) ⋅ (q - 1)

Miller-Rabin prime test
• Probabilistic prime test
• Basic foundation: for a prime n holds:
  1.) n - 1 can always be written as 2^b ⋅ c, where c is an odd number
  2.) Each square root (modulo n) of 1 can only be ±1 (e.g. 4 is a square root of 1 mod 15, because 4 ⋅ 4 = 16 = 1 mod 15, thus 15 cannot be a prime)

Miller-Rabin Algorithm
• Uses Fermat's theorem: a^(n - 1) = 1 mod n
• Pick a random number n and test if it is prime
• Test n by division by small primes first to speed up the process
• If you think a prime has been found: pick an a at random

Miller-Rabin algorithm (n - 1 = 2^b ⋅ c, c odd):
  compute r = a^c mod n                 // is the first square root of 1 mod n (i.e. a^c) already 1?
  if r = 1 mod n ⇒ n is (probably) prime
  else                                  // otherwise a^(n - 1) can only become 1 by squaring -1
    for i = 0 to b - 1 do               //   in one of the b squaring operations
      if r = -1 mod n ⇒ n is (probably) prime   // allowed square root of 1 found
      else r = r^2 mod n                // because the result was not 1, it can only become 1 by squaring -1
    ⇒ n is not prime
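The Fermat test and the Miller-Rabin algorithm of the slides above, in code. This is an added example and not part of the slides: the functions, the small-prime trial division before the random rounds, the seeded `random.Random(1)` (for reproducibility; a key generator uses a cryptographic RNG) and the Carmichael-number check are my additions. It runs the slides' own test cases (n = 15 with a = 5 and a = 4, n = 13 with a = 5 and a = 3) and shows that the Carmichael number 561 passes the Fermat test for every base but is caught by one Miller-Rabin round with a = 2.

```python
# Added example (not from the slides): the Fermat test, the Miller-Rabin test in
# the form given on the slides, and a check that the Carmichael number 561 fools
# the Fermat test for every base but not Miller-Rabin.
import random
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def fermat_test(n, a):
    """The slides' simple prime test: True if a^(n-1) == 1 mod n ('n may be prime')."""
    return pow(a, n - 1, n) == 1


def decompose(n):
    """Write n - 1 = 2^b * c with c odd and return (b, c)."""
    b, c = 0, n - 1
    while c % 2 == 0:
        b += 1
        c //= 2
    return b, c


def miller_rabin_witness(n, a):
    """One round of the slides' Miller-Rabin test with base a (n odd, n > 2).

    Returns True if a proves that n is composite, False if n is 'probably
    prime' with respect to this a.  r runs through a^c, a^(2c), ...; modulo a
    prime the only square roots of 1 are +1 and -1.
    """
    b, c = decompose(n)
    r = pow(a, c, n)
    if r == 1 or r == n - 1:            # first square root already allowed
        return False
    for _ in range(b - 1):
        r = pow(r, 2, n)                # prepare testing the next square root of 1
        if r == n - 1:                  # -1 found: allowed square root
            return False
        if r == 1:                      # 1 reached without passing -1: non-trivial root
            return True
    return True                         # a^(n-1) != 1 or only non-allowed roots found


def is_probable_prime(n, rounds=20, rng=random.Random(1)):
    """Trial division by small primes, then `rounds` Miller-Rabin rounds.

    A composite n survives one round with probability at most 1/4, so 20
    rounds leave an error probability below 2^-40 (assumed parameters).
    """
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if miller_rabin_witness(n, a):
            return False
    return True


def carmichael_fools_fermat(n):
    """True if n is composite but passes the Fermat test for every base coprime to n."""
    return (not is_probable_prime(n)
            and all(fermat_test(n, a) for a in range(2, n) if gcd(a, n) == 1))


if __name__ == "__main__":
    for n, a in ((15, 5), (15, 4), (13, 5), (13, 3)):   # the slides' examples
        print(n, a, "composite" if miller_rabin_witness(n, a) else "probably prime")
    print(561, "fools Fermat:", carmichael_fools_fermat(561),
          "| Miller-Rabin witness a=2:", miller_rabin_witness(561, 2))
```

For n = 561 and a = 2 the sequence r = 2^35, 2^70, 2^140, 2^280 mod 561 is 263, 166, 67, 1: the value 1 is reached from 67, a non-trivial square root of 1, which is exactly the situation the slides' second foundation rules out for primes.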
Comments on the algorithm: the loop searches for a -1; if r is neither 1 nor -1, r is squared to prepare testing the next square root; when the loop ends without finding -1, only non-allowed square roots were found and n is not prime.

Miller-Rabin Algorithm – Example
Choose n = 15 as a possible prime
→ n - 1 = 14 = 2 ⋅ 7 → b = 1, c = 7
→ Pick randomly a = 5
→ Compute a^c = 5^7 = 78125 = 5 mod 15 (this is neither 1 nor -1, and 5^2 = 25 = 10 mod 15) → no prime found
Other try: pick randomly a = 4
→ Compute 4^7 = 16384 = 4 mod 15 (this is neither 1 nor -1, and 4^2 = 16 = 1 mod 15)
→ This means 4 is a non-trivial square root of 1 mod 15 → no prime found

Choose n = 13 as a possible prime
→ n - 1 = 12 = 2^2 ⋅ 3 → b = 2, c = 3
→ Pick randomly a = 5
→ Compute 5^3 = 125 = 8 mod 13
→ Compute 8^2 = 64 = -1 mod 13 → -1 is an allowed square root of 1, thus 13 is (possibly) prime
Other try: pick randomly a = 3
→ Compute 3^3 = 27 = 1 mod 13 → 13 is (possibly) prime

Classical Public Key Cryptography
• RSA
• Public-key cryptography standard (PKCS)
• Rabin cryptosystem
• Diffie-Hellman cryptosystem
• ElGamal cryptosystem
• Merkle-Hellman cryptosystem

RSA
Developed by Rivest, Shamir, and Adleman
Purpose: encryption and decryption of data
• Variable key length
  → Long key used for high security needs
  → Short key used for efficient encryption processes
  → Common key length at the time of these slides: 512 bit (512-bit moduli have been factored since 1999; today at least 2048 bit is used)
• Variable plaintext length
  → Must be shorter than the key (the plaintext, read as a number, must be smaller than the modulus)
• Cipher text blocks
  → Length of the key
Much slower than secret key algorithms like DES or IDEA
• Only used for short messages
• Important purpose: transmission of secret keys

RSA Key Generation
Generate a public key and a corresponding private key
1.)
Choose two large primes p and q (of 256 bit each for a 512-bit n; p and q must be kept secret!)
2.) Compute n = p ⋅ q (n is public, but the factorisation into p and q is computationally infeasible)
3.) Compute Φ(n) = (p - 1) ⋅ (q - 1)
4.) Choose e relatively prime to Φ(n)
5.) Find d with d ⋅ e = 1 mod Φ(n) (d is the multiplicative inverse to e)
⇒ <e, n> is the public key
⇒ <d, n> is the private key

Why do these keys work?
• We use modular arithmetic (mod n) with p ⋅ q = n
• d and e were chosen such that d ⋅ e = 1 mod Φ(n)
• Because n is a product of distinct primes, for all x: x^(d ⋅ e) = x^(1 mod Φ(n)) = x mod n

Usage Scenarios for RSA
Digital signatures
• Similar to the encryption/decryption process
• The sender "encrypts" the message m with his private key: s = m^d mod n
• Each receiver can check the signed message using the public key of the sender: m = s^e mod n

How to determine p, q, e and d
1.) Finding big primes p and q
  • For a random 10-digit number, the chance of being prime is about 1 in 23
  • For a random 100-digit number, the chance is only about 1 in 230
  → Pick random numbers until you find a prime
  → Use Fermat's theorem and the Miller-Rabin algorithm to test if a random number is prime

Why is RSA (relatively) secure?
Breaking RSA means finding d from knowing e and n...
• The attacker only knows: d is the exponential inverse to e mod Φ(n)
• Simple approach: knowing p and q you can compute Φ(n) (this is a kind of trapdoor)
• However: an attacker does not know p and q
• The attacker needs to factorise n to obtain p and q
  → Factorising large numbers is difficult
  → The best algorithms are too slow for large n
  → And: a brute force attack is less efficient than factorising

2.) Finding d and e for p and q
• Choose e relatively prime to (p - 1) ⋅ (q - 1)
  a.) by choosing e at random and testing if it is relatively prime to (p - 1) ⋅ (q - 1)
  b.)
by choosing e first and then determining matching p and q
  → RSA is not less secure if always the same e is chosen
  → If e is small or its binary representation has few '1's, the operations for encryption and signature verification become much more efficient
• Use the Euclidean algorithm to determine d with e ⋅ d = 1 mod Φ(n)
  Note: do not choose a small d; d is a secret, thus it should be hard to determine (a d below about n^(1/4) can be recovered from the public key alone: Wiener's attack)

Encryption and decryption
• Encrypt message m using the public key of the receiver: c = m^e mod n
• Decrypt cipher text c with the private key of the receiver: m = c^d mod n

But it is possible to misuse RSA!
• Assume that an attacker knows the context of a message from A, so that only a few candidate messages are possible
• The attacker can encrypt all candidate messages with the public key e_A and compare the results with the observed cipher text (textbook RSA is deterministic)
• If a match is found, the attacker has found the message
  → Countermeasure: randomised padding before encryption (see PKCS#1)

Using small public keys
Let e be a small constant
→ Public key operations become faster, while private key operations are unchanged
→ Popular values for e are 3 and 65537
Case of e = 3
→ Maximises performance
→ Apparently it does not weaken the security of RSA (when some practical constraints on its use are considered)
→ Problems with e = 3
  • Small messages m with m^3 < n, so that m^3 mod n = m^3.
  → Problem: the attacker only has to take the cube root of the cipher text to decrypt
  → Solution: pad the message with random bytes before encryption
• If the same message is sent to 3 or more receivers (with e = 3 and different moduli), m can be derived from the three encrypted values and the public keys of the receivers (Chinese remainder theorem)
• Find p and q so that 3 is relatively prime to (p - 1) ⋅ (q - 1) (practical problem: for many candidate primes, p - 1 is divisible by 3 and the candidate must be rejected)

Case of e = 65537
• Is equal to 2^16 + 1, and it is prime
• The binary representation contains only two 1s
  → Only 17 multiplications (16 squarings and one multiplication) are necessary to compute any m^e
  → Much faster than the 768 multiplications (on average: 512 squarings plus about 256 multiplications) necessary for a randomly chosen 512-bit e
• The problems mentioned for e = 3 are avoided

Public Key Cryptography Standard (PKCS)
How could different implementations interwork?
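Textbook RSA with the slides' key generation, the two misuses just described (the cube-root attack on a small message with e = 3 and the guessable-message attack on deterministic encryption), and the PKCS#1 v1.5 encryption block 00 02 | ≥ 8 random non-zero bytes | 00 | data that the following PKCS slides describe, showing that the padded message defeats both attacks. This is an added example and not code from the slides or from PKCS itself: the primes P and Q are the NIST P-192 and P-384 field primes, chosen by me only because they are well-known primes with gcd(3, (P-1)(Q-1)) = 1, which makes e = 3 valid; the function names and the padding/unpadding routines are my own. Python 3.8 or newer is assumed.

```python
# Added example (not from the slides): textbook RSA with the slides' key
# generation, the cube-root attack on an unpadded message for e = 3, the
# guessable-message attack on deterministic encryption, and the PKCS#1 v1.5
# encryption block (00 02 | >= 8 random non-zero bytes | 00 | data) that
# defeats both.  The two primes are the NIST P-192 and P-384 field primes,
# used here only as well-known primes with gcd(3, (p-1)(q-1)) = 1.
import os
from math import gcd

P = 2**192 - 2**64 - 1                                   # NIST P-192 field prime
Q = 2**384 - 2**128 - 2**96 + 2**32 - 1                  # NIST P-384 field prime


def rsa_keygen(p, q, e=65537):
    """Steps 1-5 of the slides: n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)                                  # extended Euclid, built in
    return (e, n), (d, n)


def rsa_encrypt(m, pub):
    e, n = pub
    return pow(m, e, n)


def rsa_decrypt(c, priv):
    d, n = priv
    return pow(c, d, n)


def rsa_sign(m, priv):
    d, n = priv
    return pow(m, d, n)


def rsa_verify(s, m, pub):
    e, n = pub
    return pow(s, e, n) == m


def icbrt(x):
    """Floor of the cube root of x >= 0 (integer Newton iteration)."""
    if x < 2:
        return x
    r = 1 << ((x.bit_length() + 2) // 3)                 # start value >= cbrt(x)
    while True:
        s = (2 * r + x // (r * r)) // 3
        if s >= r:
            return r
        r = s


def cube_root_attack(c, pub):
    """For e = 3 and m^3 < n the cipher text is m^3 itself: take the cube root."""
    e, n = pub
    assert e == 3
    m = icbrt(c)
    return m if m ** 3 == c else None                    # None: m^3 wrapped around n


def guessable_message_attack(c, pub, candidates):
    """Textbook RSA is deterministic: encrypt every guess and compare."""
    return next((m for m in candidates if rsa_encrypt(m, pub) == c), None)


def pkcs1_v15_pad(data, n, rng=os.urandom):
    """00 02 | >= 8 random non-zero bytes | 00 | data, returned as an integer < n."""
    k = (n.bit_length() + 7) // 8                        # modulus length in bytes
    if len(data) > k - 11:
        raise ValueError("data too long for PKCS#1 v1.5 padding")
    ps = b""
    while len(ps) < k - 3 - len(data):
        ps += bytes(b for b in rng(1) if b != 0)         # padding bytes must be non-zero
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + data, "big")


def pkcs1_v15_unpad(m, n):
    """Inverse of pkcs1_v15_pad; returns None on any structural error."""
    k = (n.bit_length() + 7) // 8
    block = m.to_bytes(k, "big")
    if block[:2] != b"\x00\x02":
        return None
    sep = block.find(b"\x00", 2)
    if sep < 10:                                         # fewer than 8 padding bytes
        return None
    return block[sep + 1:]


if __name__ == "__main__":
    pub, priv = rsa_keygen(P, Q, e=3)
    m = 12345                                            # a "small message": m^3 < n
    print("cube-root attack on raw m:", cube_root_attack(rsa_encrypt(m, pub), pub))
    padded = pkcs1_v15_pad(b"key material", pub[1])
    c = rsa_encrypt(padded, pub)
    print("cube-root attack on padded m:", cube_root_attack(c, pub))
    print("receiver recovers:", pkcs1_v15_unpad(rsa_decrypt(c, priv), pub[1]))
```

The padded block starts with the bytes 00 02, so as an integer it lies between 2^(8(k-2)+1) and 3·2^(8(k-2)); its cube is far larger than n, the reduction modulo n destroys the cube structure, and `cube_root_attack` returns None. Note that `pkcs1_v15_unpad` answering "valid" or "invalid" to an attacker is exactly the oracle Bleichenbacher's attack on PKCS#1 v1.5 uses; an implementation must not leak that distinction.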
→ Standards for the encoding of information that will be encrypted or signed

Public Key Cryptography Standard
→ Set of standards PKCS#1 - PKCS#9 (at the time of these slides; the series has been extended since)
→ Definition of the encoding of RSA public keys, RSA private keys, RSA signatures, short RSA-encrypted messages (typically secret keys), and short RSA-signed messages (typically a message digest)
→ Designed to deal with
  • Encrypting guessable messages
  • Signing smooth numbers
  • Multiple recipients of a message for e = 3
  • For e = 3, encrypting messages that are shorter than a third of the length of n
  • For e = 3, signing messages where the information is in the high-order part

Example: PKCS#1 (encryption)
• Standard format for messages to be encrypted with RSA
• Consists of:
  0 | 2 | ≥ 8 random non-zero bytes | 0 | data
  • Leading 0: the message remains smaller than the modulus
  • 2: denotes a message which is to be encrypted
  • Random bytes (padding):
    – Each byte is chosen independently to make it harder to guess the message
    – Independent padding for each recipient
    – Makes the message long enough to avoid the problem m^3 < n for e = 3
  • Next 0: marks the beginning of the data
• Caveat: this PKCS#1 v1.5 encryption format is vulnerable to Bleichenbacher's padding oracle attack (1998) if the decrypting side reveals whether the padding was valid; later versions of PKCS#1 specify OAEP for encryption

Example: PKCS#1 (signature)
• Standard format for messages to be signed with RSA
• Data are typically a message digest of 128 bit → padding is required
• Consists of:
  0 | 1 | ≥ 8 bytes of ff (hex) | 0 | digest type and message digest
  • Leading 0: the message remains smaller than the modulus
  • 1: denotes a message which is to be signed
  • Padding bytes ff: fill the block up to the length of the modulus (e.g. 128 bytes for a 1024-bit n)
  • Next 0: marks the beginning of the data
  • The digest type standardises how to tell the other party which digest function was used

Rabin Cryptosystem
Rabin cryptosystem
• "Secure" because of the difficulty of finding square roots modulo a composite number
• Provably as difficult as factorising n (consequently, a party that returns square roots of attacker-chosen values gives away the factorisation; see the decryption slide)

Rabin algorithm
• Choose primes p and
q, both congruent to 3 mod 4
  → p and q form the private key
  → n = p ⋅ q is the public key
• Encryption of a message m in the range {0, ..., n - 1}: c = m^2 mod n

Decryption in the Rabin Cryptosystem
Decryption is more complex
• The receiver knows p and q
• Solve the two congruences m^2 = c mod p and m^2 = c mod q and combine the solutions with the Chinese remainder theorem
• Compute (this uses p = q = 3 mod 4, for which c^((p + 1) / 4) is a square root of c mod p):
  t1 = c^((p + 1) / 4) mod p
  t2 = p - t1
  t3 = c^((q + 1) / 4) mod q
  t4 = q - t3
• Choose the integers a = q ⋅ (q^-1 mod p) and b = p ⋅ (p^-1 mod q)
• Possible solutions are
  m1 = (a ⋅ t1 + b ⋅ t3) mod n
  m2 = (a ⋅ t1 + b ⋅ t4) mod n
  m3 = (a ⋅ t2 + b ⋅ t3) mod n
  m4 = (a ⋅ t2 + b ⋅ t4) mod n
• One of these results equals m...
• If m is normal text, it is no problem to find the right mi
• Otherwise, add a known header to m before encryption

Diffie-Hellman Cryptosystem
Oldest public key cryptosystem (1976)
• Offers better performance than RSA
• Less general than RSA (does neither encryption nor signatures)
Purpose: two persons can agree upon a secret number (e.g. a shared key), which cannot be computed from the publicly exchanged messages
• After the exchange of two public messages both communication partners know a secret number
• Having agreed on a secret number, they can use it as the key of a symmetric cipher, e.g.
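The Rabin cryptosystem of the preceding slides in code. This is an added example, not part of the slides: decryption uses exactly the slides' t1..t4, a, b and m1..m4, the known header that the slides suggest for picking the right root is a constructed marker `RABN`, and the last function shows the flip side of "as hard as factoring": whoever can get square roots of chosen values out of the decrypting party factors n. The key uses the Mersenne primes 2^89 - 1 and 2^107 - 1 (both ≡ 3 mod 4) as a demo only; names are mine, Python 3.8 or newer is assumed.

```python
# Added example (not from the slides): the Rabin cryptosystem with the slides'
# decryption formulas (t1..t4, a, b, m1..m4), a known header to pick the right
# root, and the chosen-ciphertext consequence: anyone who can obtain square
# roots from the decrypting party can factor n.  The primes 2^89-1 and 2^107-1
# are Mersenne primes, both congruent to 3 mod 4, used here only as a demo key.
import random
from math import gcd

HEADER = b"RABN"                 # constructed marker; any fixed non-zero prefix works


def rabin_keygen(p, q):
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must be congruent to 3 mod 4")
    return p * q, (p, q)


def rabin_encrypt(m, n):
    return pow(m, 2, n)


def rabin_decrypt(c, p, q):
    """The four square roots of c modulo n = p*q, exactly as on the slide."""
    n = p * q
    t1 = pow(c, (p + 1) // 4, p)           # square root of c mod p (p = 3 mod 4)
    t2 = (p - t1) % p
    t3 = pow(c, (q + 1) // 4, q)           # square root of c mod q
    t4 = (q - t3) % q
    a = q * pow(q, -1, p)                  # CRT coefficients: a = 1 mod p, a = 0 mod q
    b = p * pow(p, -1, q)                  #                   b = 0 mod p, b = 1 mod q
    return sorted({(a * t1 + b * t3) % n, (a * t1 + b * t4) % n,
                   (a * t2 + b * t3) % n, (a * t2 + b * t4) % n})


def encode(msg, n):
    """Prefix the known header so that the receiver can recognise the right root."""
    m = int.from_bytes(HEADER + msg, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return m


def decode(roots, n):
    k = (n.bit_length() + 7) // 8
    for r in roots:
        raw = r.to_bytes(k, "big").lstrip(b"\x00")
        if raw.startswith(HEADER):
            return raw[len(HEADER):]
    return None


def factor_with_root_oracle(n, oracle, rng, tries=64):
    """Factor n given an oracle that returns *some* square root of c mod n.

    If r^2 == x^2 mod n but r != +-x, then (r - x)(r + x) == 0 mod n while
    neither factor is, so gcd(r - x, n) is a proper divisor.  Each query
    succeeds with probability 1/2.  This is why a Rabin decryptor must never
    return roots of attacker-chosen cipher texts without a redundancy check.
    """
    for _ in range(tries):
        x = rng.randrange(2, n - 1)
        if gcd(x, n) != 1:                 # lucky hit on a factor
            return gcd(x, n), n // gcd(x, n)
        r = oracle(pow(x, 2, n))
        if r not in (x, n - x):
            f = gcd(r - x, n)
            return f, n // f
    return None


if __name__ == "__main__":
    n, (p, q) = rabin_keygen(2**89 - 1, 2**107 - 1)
    c = rabin_encrypt(encode(b"attack at dawn", n), n)
    roots = rabin_decrypt(c, p, q)
    print("roots:", roots)
    print("decoded:", decode(roots, n))
    print("factors from the root oracle:",
          factor_with_root_oracle(n, lambda c: rabin_decrypt(c, p, q)[0], random.Random(3)))
```

With the toy values p = 7, q = 11 and c = 15 the function returns the roots 13, 20, 57 and 64, all of which square to 15 mod 77; only the header (or "normal text", as the slides put it) tells the receiver which one was sent.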
DES, for their communication
→ Diffie-Hellman is actually used for key establishment
→ Remaining problem: no authentication between the partners

Diffie-Hellman Algorithm
Algorithm for key establishment
• Choose a prime p with 512 bit (the size on these slides; today 2048 bit or more)
• Choose a number g < p with some restrictions (see the ElGamal slide below)
  → p and g are public!
• A randomly chooses a 512 bit number Sa and computes Ta = g^Sa mod p
• B randomly chooses a 512 bit number Sb and computes Tb = g^Sb mod p
  → Sa and Sb are secret
• A and B exchange Ta and Tb
• A computes kAB = Tb^Sa mod p = g^(Sa ⋅ Sb) mod p
• B computes kAB = Ta^Sb mod p = g^(Sa ⋅ Sb) mod p
  → A and B both compute the same secret key g^(Sa ⋅ Sb)

Bucket-Brigade Attack on Diffie-Hellman
Problem in Diffie-Hellman: no authentication between A and B
→ If A obtains Tb, he cannot know for sure that B has sent it
Bucket-brigade attack (man in the middle): an attacker O intercepts Ta and establishes a common secret with A (and another one with B)
Attack method (p and g are known publicly; O has its own secret So):
• A sends g^Sa to O (but believes it is sent to B)
• O computes g^So and sends it to B
• (continued on the next slide)

Diffie-Hellman for Encryption
Encryption algorithm using Diffie-Hellman
• Each participant i chooses a private key Si
• Each participant computes a public key <p, g, Ti> with Ti = g^Si mod p
• All public keys are published at a trusted public place
• Assume B publishes <p, g, Tb>
• A computes kAB = Tb^Sa mod p
• A uses kAB as the secret key with B to compute a cipher text
• A transmits the cipher text together with g^Sa mod p to B
• B computes kAB to decrypt the message
  → The secret key is transmitted only together with the message
(This construction is the encryption scheme of the ElGamal cryptosystem, discussed next.)
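The Diffie-Hellman key establishment, the bucket-brigade attack and the "Diffie-Hellman for encryption" construction of the slides, run end to end. This is an added example and not part of the slides: p = 1019 is a safe prime ((p - 1)/2 = 509 is prime) that I chose so that the slides' generator criterion g^((p-1)/2) = -1 mod p can be checked in code; the secrets 123, 456, 789 and the message 777 are constructed toy values, and for the cipher text the example multiplies the message by the shared key modulo p (the ElGamal form) instead of running DES with it. Python 3.8 or newer is assumed.

```python
# Added example (not from the slides): Diffie-Hellman key establishment, the
# bucket-brigade (man-in-the-middle) attack of the slides, the "Diffie-Hellman
# for encryption" construction, and the slides' generator test for a safe
# prime.  p = 1019 is a safe prime ((p-1)/2 = 509 is prime); the secrets and
# the toy message are constructed values, far too small for real use.
from math import isqrt

P = 1019


def is_small_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))


def choose_generator(p):
    """Smallest g with g^((p-1)/2) = -1 mod p.  For a safe prime p this means
    that g generates the whole group (the criterion on the ElGamal slide)."""
    if not (is_small_prime(p) and is_small_prime((p - 1) // 2)):
        raise ValueError("p must be a safe prime for this test to be sufficient")
    return next(g for g in range(2, p - 1) if pow(g, (p - 1) // 2, p) == p - 1)


G = choose_generator(P)


class Party:
    """One participant: secret S, public T = g^S mod p."""

    def __init__(self, name, secret, p=P, g=G):
        self.name, self.p, self.g, self.S = name, p, g, secret
        self.T = pow(g, secret, p)

    def shared_key(self, T_other):
        return pow(T_other, self.S, self.p)              # T_other^S = g^(S_other * S)


def diffie_hellman(a, b):
    """A and B exchange T_a, T_b and both derive g^(S_a S_b) mod p."""
    return a.shared_key(b.T), b.shared_key(a.T)


def bucket_brigade(a, b, o):
    """O intercepts T_a and T_b and substitutes its own T_o in both directions.

    Returns what each side believes the shared key is: A and O agree, B and O
    agree, but A and B hold different keys and O can relay and read traffic.
    """
    k_ao_a = a.shared_key(o.T)          # A thinks o.T came from B
    k_bo_b = b.shared_key(o.T)          # B thinks o.T came from A
    return {"A": k_ao_a, "B": k_bo_b,
            "O_with_A": o.shared_key(a.T), "O_with_B": o.shared_key(b.T)}


def dh_encrypt(sender, T_receiver, m):
    """'Diffie-Hellman for encryption': k = T_b^S_a; the cipher text here is
    m * k mod p (the ElGamal form) instead of a DES encryption under k."""
    k = sender.shared_key(T_receiver)
    return (m * k) % sender.p, sender.T                  # cipher text plus g^S_a


def dh_decrypt(receiver, c, T_sender):
    k = receiver.shared_key(T_sender)
    return (c * pow(k, -1, receiver.p)) % receiver.p


if __name__ == "__main__":
    alice, bob, oscar = Party("A", 123), Party("B", 456), Party("O", 789)
    print("g =", G, "| k_AB as seen by A and B:", diffie_hellman(alice, bob))
    print("bucket brigade:", bucket_brigade(alice, bob, oscar))
    c, T_a = dh_encrypt(alice, bob.T, 777)
    print("cipher text", c, "decrypts to", dh_decrypt(bob, c, T_a))
```

`choose_generator(1019)` returns 2: since 1019 ≡ 3 mod 8, 2 is a quadratic non-residue, so 2^509 ≡ -1 and 2 generates all 1018 elements. The attack function shows the slides' point concretely: O ends up holding both keys while A and B each believe they share a key with the other.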
Bucket-brigade attack (continued)
• B computes g^Sb and sends it to O
• O sends g^So back to A
• O establishes kAO = (g^Sa)^So with A and kBO = (g^Sb)^So with B
• A and B communicate via O, who decrypts and re-encrypts every message
(The figure on the slide labels the exchanged values with the example numbers 5876, 8389 and 9267.)
→ Diffie-Hellman is only secure against passive attacks (i.e. just watching messages)
→ Protection against active attacks: use a trustworthy and public location to publish g^Si for all persons i in advance
Note: it is believed to be infeasible to compute g^(Sa ⋅ Sb) from Ta and Tb alone, because of the difficulty of computing discrete logarithms, i.e. of computing Sa from g^Sa

ElGamal Cryptosystem
• Mainly used for digital signatures
• Secure because of the difficulty of calculating discrete logarithms in a finite field
• Uses the same kind of key as Diffie-Hellman
For better security, p and g should have these properties:
• p should be a safe prime (the slides say "strong prime"), i.e. (p - 1) / 2 is prime, too
• It is desirable to have g^x ≠ 1 mod p for all x ≠ 0 mod (p - 1), i.e. g generates the whole group [if p is a safe prime, this is true for all g ≠ ±1 mod p with g^((p - 1) / 2) = -1 mod p]
• But: this is a costly way of choosing p and g!

Additionally provides a scheme for signatures (the variant shown here)
• Each person has a long-term key
  – public key: <g, p, T>
  – private key: S with g^S mod p = T
• For each message m to be signed, a new key pair Sm, <g, p, Tm> has to be generated (Tm = g^Sm mod p)
• For the message m to be signed, compute a message digest dm = MD(m | Tm)
• Compute the signature X = Sm + dm ⋅ S mod (p - 1)
• Transmit m together with X and Tm
• To verify the signature, compute g^X, dm, and Tm ⋅ T^dm mod p
  Check: g^X = g^(Sm + dm ⋅ S) = g^Sm ⋅ g^(dm ⋅ S) = Tm ⋅ T^dm mod p

Digital Signature Standard (DSS)
Digital Signature Algorithm
• Generate and publish a 512-bit prime p and a 160-bit prime q with p = k ⋅ q + 1 (today: p of at least 2048 bit and q of 224 or 256 bit)
• Generate and publish a g with g^q = 1 mod p (use Fermat's theorem: g = h^((p - 1) / q) mod p for some h)
  Note: g must not be 1
• Generate a long-term public/private key pair <T, S> as in ElGamal (T = g^S mod p)
• For each message m generate a separate key pair <Tm, Sm> by choosing Sm and computing Tm = ((g^Sm mod p) mod q)
• For m, compute the message digest dm
• Compute the signature X = Sm^-1 ⋅ (dm + S ⋅ Tm) mod q
• Transmit m, Tm, and X

Digital Signatures with DSS
• The DSS algorithm is called Digital Signature Algorithm (DSA)
• Algorithm to create digital signatures, based on ElGamal
• Difference to ElGamal is the speed of the operations (about 3 times faster): instead of using a 512-bit p everywhere, some operations only use the 160-bit prime q, for which p = k ⋅ q + 1 holds
Note: using ElGamal (or DSA) means generating a key pair <Sm, Tm> for each message m which has to be signed
• If such a pair of keys is used for two different messages, it exposes the signer's private key:
  → With only two uses, Sm can be deduced
  → By knowing Sm, the secret key S can easily be computed

Merkle-Hellman Cryptosystem
Principle: use a simple knapsack problem as private key and transform it into a hard one, which is used as public key. A message m = (m1, m2, ..., mn) is seen as a solution of the problem, i.e.
if mi = 1, object i is in the knapsack

Knapsack Problem
• Pack a knapsack optimally with n objects of different weights a1, ..., an and overall size g
• Search for a vector (ki), ki ∈ {0, 1} for i = 1, ..., n, with Σ_{i=1}^{n} ai ⋅ ki = g
• This is an NP hard problem (subset sum)

Merkle-Hellman cryptosystem
• Based on the knapsack problem
• Special type of knapsack problem: the sizes of the objects form a fast growing (superincreasing) sequence with a_{j+1} > Σ_{i=1}^{j} ai
• For such a sequence there is a solution in O(n): start with the biggest object that fits and continue with a smaller knapsack with one object less
• Caveat: the basic Merkle-Hellman system was broken by Shamir in 1982; it is shown here for the mechanics only and must not be used

Merkle-Hellman in Cryptography
Example:
• A chooses a knapsack problem a = (ai) = (2, 5, 9, 21, 45, 103, 215, 450, 946) as private key
• A chooses a prime p = 2003 (larger than the sum of all ai) and a number k = 1289 (with k^-1 = 317 mod 2003)
• A generates a hard knapsack problem e = (ei) with ei = k ⋅ ai mod p as public key
  → e = (575, 436, 1586, 1030, 1921, 569, 721, 1183, 1570)
• B encrypts a message m = (1, 0, 1, 1, 0, 0, 1, 1, 1) to A by using e
  → c = 1 ⋅ 575 + 0 ⋅ 436 + 1 ⋅ 1586 + 1 ⋅ 1030 + 0 ⋅ 1921 + 0 ⋅ 569 + 1 ⋅ 721 + 1 ⋅ 1183 + 1 ⋅ 1570 = 6665 (this value is transmitted)
• A computes g = k^-1 ⋅ c mod p = 317 ⋅ 6665 mod 2003 = 1643
• A solves 1643 for (ai) by choosing the biggest fitting number in (ai) until 1643 is reached:
  (2, 5, 9, 21, 45, 103, 215, 450, 946) → 1 0 1 1 0 0 1 1 1
  → The original message is given by the chosen elements of a

Signature verification (DSA)
• Calculate the mod q inverse of the signature, X^-1
• Calculate the message digest dm
• Calculate x = dm ⋅ X^-1 mod q and y = Tm ⋅ X^-1 mod q
• Calculate z = (g^x ⋅ T^y mod p) mod q
• If z = Tm, the signature is verified

Modern Public Key Cryptosystems
Elliptic Curves – Definition
Definition: Let p > 3 be prime.
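DSA in the notation of the DSS slides (long-term pair <T, S>, per-message pair <Tm, Sm>, signature X, verification z = Tm), together with the attack the slides warn about: two signatures made with the same Sm give away Sm and then S. This is an added example, not code from the slides: the parameters p = 607, q = 101, g = 64 (p = 6q + 1, g = 2^6 mod p) are toy values I chose, the digest is SHA-256 reduced mod q where the slides only say "message digest", and the messages are constructed. Python 3.8 or newer is assumed.

```python
# Added example (not from the slides): DSA in the slides' notation (key pair
# <T, S>, per-message pair <Tm, Sm>, signature X, verification z = Tm) and the
# consequence of reusing Sm for two messages: recovering Sm and then S.
# p = 607, q = 101, g = 64 are toy values (p = 6q + 1, g = 2^6 mod p); real
# DSA uses p of 2048 bit or more and q of 224 or 256 bit.
import hashlib

P, Q, G = 607, 101, 64
assert (P - 1) % Q == 0 and pow(G, Q, P) == 1 and G != 1


def digest(m, q=Q):
    """Message digest reduced mod q (SHA-256 here; the slides just say MD)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % q


def dsa_keygen(S, p=P, q=Q, g=G):
    """Long-term key pair <T, S> with T = g^S mod p."""
    return pow(g, S, p), S


def dsa_sign(m, S, Sm, p=P, q=Q, g=G):
    """Signature (Tm, X): Tm = (g^Sm mod p) mod q, X = Sm^-1 (dm + S Tm) mod q.
    Returns None if this Sm gives Tm = 0 or X = 0 (the signer must pick another)."""
    Tm = pow(g, Sm, p) % q
    X = (pow(Sm, -1, q) * (digest(m, q) + S * Tm)) % q
    return None if Tm == 0 or X == 0 else (Tm, X)


def dsa_verify(m, T, Tm, X, p=P, q=Q, g=G):
    """Slides' verification: x = dm X^-1, y = Tm X^-1, z = (g^x T^y mod p) mod q == Tm."""
    if not (0 < Tm < q and 0 < X < q):
        return False
    w = pow(X, -1, q)
    x = (digest(m, q) * w) % q
    y = (Tm * w) % q
    z = (pow(g, x, p) * pow(T, y, p) % p) % q
    return z == Tm


def recover_private_key(m1, sig1, m2, sig2, q=Q):
    """Same Sm used twice (same Tm): X1 - X2 = Sm^-1 (d1 - d2) mod q gives Sm,
    then S = (X1 Sm - d1) Tm^-1 mod q.  Returns (Sm, S), or None if d1 == d2."""
    Tm, X1 = sig1
    Tm2, X2 = sig2
    d1, d2 = digest(m1, q), digest(m2, q)
    if Tm != Tm2 or d1 == d2 or X1 == X2:
        return None
    Sm = ((d1 - d2) * pow(X1 - X2, -1, q)) % q
    S = ((X1 * Sm - d1) * pow(Tm, -1, q)) % q
    return Sm, S


def nonce_reuse_demo(S=42, Sm=17):
    """Sign several messages with the same Sm; return True if S is recovered."""
    T, _ = dsa_keygen(S)
    msgs = [b"transfer 10 EUR", b"transfer 1000 EUR", b"transfer 5 EUR", b"pay rent"]
    sigs = [(m, sig) for m in msgs if (sig := dsa_sign(m, S, Sm)) is not None]
    for i, (m1, s1) in enumerate(sigs):
        if not dsa_verify(m1, T, *s1):
            return False
        for m2, s2 in sigs[i + 1:]:
            found = recover_private_key(m1, s1, m2, s2)
            if found is not None:
                return found == (Sm, S)
    return None


if __name__ == "__main__":
    T, S = dsa_keygen(42)
    sig = dsa_sign(b"hello", S, 17)
    if sig:
        print("valid:", dsa_verify(b"hello", T, *sig),
              "| tampered X:", dsa_verify(b"hello", T, sig[0], (sig[1] + 1) % Q))
    print("private key recovered after nonce reuse:", nonce_reuse_demo())
```

The recovery needs only two signatures with the same Tm and two different digests; the exponentiation modulo p never enters it, which is why a repeated or predictable per-message key is fatal for DSA (and for the ElGamal variant of the previous slide) regardless of the size of p.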
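The Merkle-Hellman example above, executed: the superincreasing private knapsack, the transformation into the public one, encryption of the bit vector, and the greedy O(n) decryption after multiplying by k^-1. This is an added example, not part of the slides; it reuses the slides' numbers and additionally generates random private keys of any length (`mh_keygen`, my addition; its modulus only needs to be coprime to k and larger than the sum of the weights, it need not be prime). Python 3.8 or newer is assumed.

```python
# Added example (not from the slides): Merkle-Hellman with the slides' numbers.
# Private key: superincreasing sequence a, modulus p and multiplier k;
# public key: e_i = k * a_i mod p.  Shown for the mechanics only; the basic
# system was broken by Shamir in 1982 and must not be used.
import random
from math import gcd

A_PRIV = (2, 5, 9, 21, 45, 103, 215, 450, 946)       # the slides' private key
P_MOD, K_MULT = 2003, 1289


def is_superincreasing(a):
    total = 0
    for ai in a:
        if ai <= total:
            return False
        total += ai
    return True


def mh_keygen(n, rng):
    """Random private key: superincreasing a, modulus p > sum(a), k coprime to p."""
    a, total = [], 0
    for _ in range(n):
        ai = total + rng.randrange(1, 2**8)           # strictly larger than the running sum
        a.append(ai)
        total += ai
    p = total + rng.randrange(1, 2**8)
    while True:
        k = rng.randrange(2, p)
        if gcd(k, p) == 1:
            return tuple(a), p, k


def mh_public_key(a, p, k):
    """Transform the easy knapsack into the hard one: e_i = k * a_i mod p."""
    if not is_superincreasing(a) or sum(a) >= p or gcd(k, p) != 1:
        raise ValueError("need a superincreasing a with sum(a) < p and gcd(k, p) = 1")
    return tuple((k * ai) % p for ai in a)


def mh_encrypt(bits, e):
    """c = sum of the public weights selected by the message bits."""
    if len(bits) != len(e):
        raise ValueError("message length must equal the key length")
    return sum(ei for bi, ei in zip(bits, e) if bi)


def solve_superincreasing(a, g):
    """Greedy O(n) knapsack: take the biggest element that still fits."""
    bits = [0] * len(a)
    for i in range(len(a) - 1, -1, -1):
        if a[i] <= g:
            bits[i] = 1
            g -= a[i]
    return tuple(bits) if g == 0 else None            # None: g is not representable


def mh_decrypt(c, a, p, k):
    """g = k^-1 * c mod p turns the hard instance back into the easy one."""
    g = (pow(k, -1, p) * c) % p
    return solve_superincreasing(a, g)


if __name__ == "__main__":
    e = mh_public_key(A_PRIV, P_MOD, K_MULT)
    print("public key:", e)                           # (575, 436, 1586, ...)
    c = mh_encrypt((1, 0, 1, 1, 0, 0, 1, 1, 1), e)
    print("cipher text:", c, "->", mh_decrypt(c, A_PRIV, P_MOD, K_MULT))
    a, p, k = mh_keygen(16, random.Random(5))
    print("random 16-bit key, public weights:", mh_public_key(a, p, k))
```

Decryption works because c is a sum of public weights without reduction, so k^-1 · c mod p equals the corresponding sum of private weights, which is smaller than p and therefore recovered exactly; the greedy solver then reads off the bits.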
The elliptic curve y^2 = x^3 + ax + b over Zp is the set of solutions (x, y) ∈ Zp × Zp of the congruence y^2 ≡ x^3 + ax + b (mod p), where a, b ∈ Zp are constants with 4a^3 + 27b^2 ≢ 0 (mod p), together with a special point O called the point at infinity.

Classic public key cryptosystems are well analysed
• The performance of classic public key cryptosystems is acceptable
• Security: classic public key cryptosystems are not perfectly secure, but computationally secure
Modern public key cryptosystems improve the classic ones:
• Performance: modern public key cryptosystems have a better performance than the classic ones
• Security: modern public key cryptosystems also offer better security (with the same key length)
• Example: Elliptic Curve Cryptosystem
  → Provides security equivalent to classical public key schemes
  → Shorter key lengths, resulting in faster computing and less complex chips

Addition Operation
Let E be an elliptic curve over Zp, P = (x1, y1), Q = (x2, y2).
If x2 = x1 and y2 = -y1, then Q = -P and P + Q := O; otherwise P + Q := (x3, y3) with
  x3 = λ^2 - x1 - x2
  y3 = λ ⋅ (x1 - x3) - y1
and
  λ = (y2 - y1) / (x2 - x1)        if P ≠ Q
  λ = (3 ⋅ x1^2 + a) / (2 ⋅ y1)    if P = Q
(division means multiplication by the inverse modulo p). Finally, P + O = O + P = P.

Elliptic Curve – Example
Points on the elliptic curve E: y^2 = x^3 + x + 6 in Z11
  x    x^3 + x + 6 mod 11   in QR(11)?   y
  0    6                    no           [no solution]
  1    8                    no
  2    5                    yes          4, 7
  3    3                    yes          5, 6
  4    8                    no
  5    4                    yes          2, 9
  6    8                    no
  7    4                    yes          2, 9
  8    9                    yes          3, 8
  9    7                    no
  10   4                    yes          2, 9
→ E = {O, (2,4), (2,7), (3,5), (3,6), (5,2), (5,9), (7,2), (7,9), (8,3), (8,8), (10,2), (10,9)}
Let α = (2,7). Then α is a primitive element (it generates all 13 points):
  α = (2,7)    2α = α + α = (5,2)    3α = (8,3)    4α = (10,2)    5α = (3,6)     6α = (7,9)
  7α = (7,2)   8α = (3,5)            9α = (10,9)   10α = (8,8)    11α = (5,9)    12α = (2,4)
e.g. x = 3: 3^3 + 3 + 6 = 36 = 3 mod 11 is a quadratic residue with the square roots 5 and 6, i.e.
(x,y) = (3,5) and (x,y) = (3,6) are points on the elliptic curve

Example: ElGamal Encryption with Elliptic Curves
Let α = (2,7) and a = 5, so β = 5α = (3,6) (a is secret; for large curves it cannot be obtained from α and β in reasonable time)
The encryption operation is
  e_k(x, r) = (r ⋅ α, x + r ⋅ β) = (y1, y2), here e_k(x, r) = (r ⋅ (2,7), x + r ⋅ (3,6)), where x ∈ E and 0 ≤ r ≤ 12
and the decryption operation is
  d_k(y1, y2) = y2 - a ⋅ y1 = y2 - 5 ⋅ y1
Alice wants to send x = (7,9) to Bob; she chooses the random value r = 7. She then computes
  y1 = 7 ⋅ (2,7) = (7,2)
  y2 = (7,9) + 7 ⋅ (3,6) = (7,9) + (10,9) = (5,2)
Bob receives y = ((7,2), (5,2)) and obtains
  x = (5,2) - 5 ⋅ (7,2) = (5,2) - (10,9) = (5,2) + (10,2) = (7,9)
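The curve y^2 = x^3 + x + 6 over Z11 of the preceding slides, with point addition by the slides' formulas, scalar multiplication by double-and-add, and the ElGamal encryption and decryption of the worked example. This is an added example, not code from the slides: the class and function names are mine, the point at infinity is represented as `None`, and the brute-force `points()` and `order()` helpers only make sense for such a tiny curve (a real system uses a prime field of about 256 bit). Python 3.8 or newer is assumed.

```python
# Added example (not from the slides): the curve y^2 = x^3 + x + 6 over Z_11
# from the slides, point addition with the slides' formulas, scalar
# multiplication, and the ElGamal encryption/decryption of the worked example.
# The curve and the key are toy values; a real system uses a ~256-bit prime field.

O = None                                  # the point at infinity


class Curve:
    def __init__(self, a, b, p):
        if (4 * a**3 + 27 * b**2) % p == 0:
            raise ValueError("singular curve")
        self.a, self.b, self.p = a, b, p

    def contains(self, P):
        if P is O:
            return True
        x, y = P
        return (y * y - (x**3 + self.a * x + self.b)) % self.p == 0

    def points(self):
        """All affine points plus O, by trying every (x, y); fine for tiny p."""
        return [O] + [(x, y) for x in range(self.p) for y in range(self.p)
                      if self.contains((x, y))]

    def neg(self, P):
        return O if P is O else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        """P + Q with the slides' formulas; division is multiplication by an inverse."""
        if P is O:
            return Q
        if Q is O:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:        # Q = -P (covers y1 = 0 too)
            return O
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k, P):
        """k * P by double-and-add."""
        R = O
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def order(self, P):
        """Smallest k > 0 with k * P = O (brute force, tiny curves only)."""
        k, R = 1, P
        while R is not O:
            R = self.add(R, P)
            k += 1
        return k


def ec_elgamal_encrypt(curve, alpha, beta, x, r):
    """e_k(x, r) = (r*alpha, x + r*beta)."""
    return curve.mul(r, alpha), curve.add(x, curve.mul(r, beta))


def ec_elgamal_decrypt(curve, a, y1, y2):
    """d_k(y1, y2) = y2 - a*y1."""
    return curve.add(y2, curve.neg(curve.mul(a, y1)))


if __name__ == "__main__":
    E = Curve(1, 6, 11)
    alpha, a = (2, 7), 5
    beta = E.mul(a, alpha)                                 # (3, 6)
    print("points:", E.points(), "| order of alpha:", E.order(alpha))
    y1, y2 = ec_elgamal_encrypt(E, alpha, beta, (7, 9), 7)
    print("cipher text:", (y1, y2), "decrypts to", ec_elgamal_decrypt(E, a, y1, y2))
```

Running it reproduces the table of multiples of α on the slide (2α = (5,2), ..., 12α = (2,4), 13α = O) and the cipher text ((7,2), (5,2)) that decrypts back to (7,9).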