Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Cryptography: Helping Number Theorists Bring Home the Bacon Since 1977 Dan Shumow SDE Windows Core Security [email protected] Windows Core Security 1 © 2006 Microsoft Corp Outline • Introduction • Symmetric Key Encryption • Key Distribution: Diffie-Hellman Key Generation • Elliptic Curve Cryptography Windows Core Security 2 © 2006 Microsoft Corp Introduction • Cryptography, what is it and why should we care? – Cryptography is the science of communicating secretly. – Today so much communication is done over the internet and radio waves, and these media are very prone to eavesdropping. Cryptography allows people to communicate securely across these media. Windows Core Security 3 © 2006 Microsoft Corp Cryptography Allows Alice to communicate with Bob without being overheard by Eavesdropper Eve. Eve Bob Alice Windows Core Security 4 © 2006 Microsoft Corp Symmetric Key Encryption • • • • • Alice and Bob share a key K. They use an encryption function c=Ek(p). p is the plaintext and c is the ciphertext. It has to be reversible: p=Dk(c). If Alice wants to send Bob a message m she computes c = EK(m) and sends Bob c. • Bob computes m = DK(c). Windows Core Security 5 © 2006 Microsoft Corp Symmetric Key Encryption • Want it to be hard to compute p given c. So if Eve doesn’t know K it is hard for her to compute m even if she intercepts c. • Want Ek and Dk to be easy to compute. So there is little overhead to communication • Want K to be hard to calculate given p and c. Otherwise if Eve can guess parts of the message she can recover the key. Windows Core Security 6 © 2006 Microsoft Corp Symmetric Key Encryption Examples: – Substitution Ciphers: Substitute each letter in the alphabet for another one. – One Time Pads: A key that is the same length as the message, used only once. – Modern Ciphers • Stream Ciphers: RC4 • Block Ciphers: DES, AES Windows Core Security 7 © 2006 Microsoft Corp Symmetric Key Encryption Attacks on Encryption Algorithms: – Substitution Ciphers: Frequency Attacks – One Time Pads are provably secure. – Modern Attacks: • Linear Cryptanalysis looks for a linear relationship between plaintext and ciphertext. (Known Plaintext Attack.) • Differential Cryptanalysis looks at how differences in plaintext cause differences in ciphertext. (Chosen Plaintext Attack.) Windows Core Security 8 © 2006 Microsoft Corp Symmetric Key Encryption Modern Encryption Algorithm Design Techniques – Confusion and Diffusion • Diffusion means many bits of the plaintext (possibly all) affect each bit of the ciphertext. • Confusion means there is a low statistical bias of bits in the ciphertext. – Non-Linearity: The encryption function is not linear (represented by a small matrix) • Prevents Linear Cryptanalysis. Windows Core Security 9 © 2006 Microsoft Corp Symmetric Key Encryption Problem: Key Distribution – Can’t keep using same key, Eve will eventually recover K. – Need to establish shared secret key: • Could agree to physically meet and establish keys. • But what if you want to communicate with someone on the other side of the world? Key distribution is a big problem. Windows Core Security 10 © 2006 Microsoft Corp Diffie-Hellman Key Generation Basic Idea: 1. Alice and Bob agree on an integer g. 2. (a) Alice secretly chooses integer x, computes X = gx and sends it to Bob. (b) Bob secretly chooses integer y, computes Y = gy and sends it to Alice. 3. (a) Alice computes Yx=(gy)x=gxy. (b) Bob computes Xy=(gx)y=gxy. 4. Alice and Bob both share gxy which they can use to create a secret key. Windows Core Security 11 © 2006 Microsoft Corp Diffie-Hellman Key Generation Wait!! It’s not secure. If Eve overhears what g, X, and Y are she can compute: x = loggX and y = loggY And use this information to calculate gxy. To make this secure Alice and Bob pick a large prime number P and reduce everything mod P (take the remainder after division by P) Windows Core Security 12 © 2006 Microsoft Corp Diffie-Hellman Key Generation New and Improved Idea: 1. Alice and Bob agree on an integer g and prime P. 2. (a) Alice secretly chooses integer x, computes X = gx mod P and sends it to Bob. (b) Bob secretly chooses integer y, computes Y = gy mod P and sends it to Alice. 3. (a) Alice computes Yx mod P =(gy)x mod P =gxy mod P. (b) Bob computes Xy mod P =(gx)y mod P =gxy mod P . 4. Alice and Bob both share the value gxy mod P which they can use to create a secret key. Windows Core Security 13 © 2006 Microsoft Corp Diffie-Hellman Key Generation By adding the prime P into the equation we now need to make sure that g is a “generator” of P. This means that for every integer x in {1,2,3,…,P-1} there exists an integer d such that: x = gd mod P. d is called the “discrete log” of g mod P. Windows Core Security 14 © 2006 Microsoft Corp Diffie-Hellman Key Generation Why Does This Work? 1. Because the positive integers less than P form a multiplicative, cyclic group with generator g. 2. It is hard to compute the discrete log of a generator mod P. Given these two things: 1. This algorithm works. 2. It is hard for Eve to calculate gxy mod P. Windows Core Security 15 © 2006 Microsoft Corp Groups • A group is a set G with a binary operation ·:G×G→G with the following properties: 1. Associativity: a(bc)=(ab)c 2. Identity Element: there exists e in G, such that for all a in G ea=ae=a. 3. Inverses: for all a in G there exists an element a-1 in G such that aa-1 = a-1a = e Windows Core Security 16 © 2006 Microsoft Corp Special Groups • Abelian Groups are groups that have a fourth axiom 4. Commutative: for all a and b in G ab = ba • Cyclic Groups are groups that have a generator g. Where g is an element of G such that for all a in G: a = gx where x is a positive integer. Note that all Cyclic groups are Abelian. Can you see why? Windows Core Security 17 © 2006 Microsoft Corp Special Groups • • Multiplicative Groups are groups where the operation is called multiplication. Example: the group of n×n invertible matrices. Additive Groups are groups where the operation is called addition. Additive Groups are abelian. Example: the integers. Windows Core Security 18 © 2006 Microsoft Corp Diffie-Hellman Key Generation What does this all mean for Diffie-Hellman Key Generation? Answer: It means that Diffie-Hellman will work as a key exchange algorithm in any cyclic group where computing discrete logarithms is hard. Windows Core Security 19 © 2006 Microsoft Corp Elliptic Curve Cryptography • Elliptic Curves are a way of modifying existing crypto systems like DH to make them “stronger.” • “Stronger” means the expected time of an attack is longer with equal key sizes. • This allows us to use smaller key sizes and therefore speed up the whole process. • This makes ECC very useful for small devices like phones or other embedded systems. Windows Core Security 20 © 2006 Microsoft Corp Elliptic Curves • An Elliptic Curve is such an alternate cyclic group. The group consists of all points of the form: y2 = x3 + ax + b. Where x, y, a, and b are all elements of a field F. Windows Core Security 21 © 2006 Microsoft Corp Fields • A field is a set that has mathematical operations multiplication and addition that behave in nice ways. • Basically a field is any set that you can do everything from your high school algebra class in. Windows Core Security 22 © 2006 Microsoft Corp Fields A field F is a set S along with two binary operations (+,·) that have the following properties: 1. S contains two distinct elements 0 and 1 2. (S-{0},·) is a multiplicative group, with identity 1. 3. (S,+) is an additive group, with identity 0. 4. Multiplication is distributive on the left and the right: a·(b+c) = a·b+a·c (a+b)·c = a·c+b·c Windows Core Security 23 © 2006 Microsoft Corp Elliptic Curves Group operation: Let P = (xP,yP) and Q = (xQ,yQ) be points on the an Elliptic Curve E. Then: R = P + Q = (xR,yR) is defined by: xR= s2-xP-xQ yR=-yP+s(xP-xR) where: s = (yP-yQ)/(xP-xQ) if xP≠xQ or s = (3xP2+a)/(2yP2) if xP=xQ Identity: A “point at infinity” is added to the set of points on the curve. This point is infinitely far along the y access. Windows Core Security 24 © 2006 Microsoft Corp Elliptic Curves Intuition: If you have 2 points on this curve, they define a line that intersects the curve at 1 other point. Addition is derived from this. Inverses are reflections about the x access. Windows Core Security 25 © 2006 Microsoft Corp Elliptic Curve Cryptography Newer and more Improved Idea: 1. Alice and Bob agree on an Elliptic Curve E (specified by the field F and parameters a, b) and a base point g on E. 2. (a) Alice secretly chooses integer x, computes X = xg and sends it to Bob. (b) Bob secretly chooses integer y, computes Y = yg and sends it to Alice. 3. (a) Alice computes: xY = x(yg) =xyg. (b) Bob computes: yX = y(xg) =yxg=xyg. 4. Alice and Bob both share the point xyg which they can use to create a secret key. Windows Core Security 26 © 2006 Microsoft Corp Elliptic Curve Cryptography • In the preceding example all math is done in the group defined by E. Exponentiation is taken to be iterative addition. • Because Elliptic Curves are groups we are guaranteed that we can perform all these operations. • Computing logarithms in elliptic curves is difficult, so Eve can not recover the secret values and determine the shared value xyg. Windows Core Security 27 © 2006 Microsoft Corp References • Eric W. Weisstein. "Elliptic Curve." From MathWorld--A Wolfram Web Resource. http://mathworld.wolfram.com/EllipticCurve.html • Eric W. Weisstein et al. "Group." From MathWorld--A Wolfram Web Resource. http://mathworld.wolfram.com/Group.html • Eric W. Weisstein. "Field." From MathWorld--A Wolfram Web Resource. http://mathworld.wolfram.com/Field.html • http://en.wikipedia.org/wiki/Group_%28mathematics%29 • http://en.wikipedia.org/wiki/Field_(mathematics) • http://en.wikipedia.org/wiki/Elliptic_curves Windows Core Security 28 © 2006 Microsoft Corp