ee579t/3 #1 spring 2003 © 2000-2003, richard a. stanley ee579t / cs525t network security 3:...
Post on 21-Dec-2015
217 Views
Preview:
TRANSCRIPT
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #1
EE579T / CS525TNetwork Security
3: Asymmetric Cryptography
Prof. Richard A. Stanley
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #2
Overview of Tonight’s Class
• Review of last week’s class
• Class projects overview
• Security in the news
• Asymmetric cryptography
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #3
Last Week -1
• Symmetric key cryptography uses one key, shared by all users of the cipher
• There are many weaknesses to basic crypto algorithms like the Vernam cipher
• Feistel ciphers provide a more complex algorithm that permits iterative encryption
• Feistel cipher decryption uses same process as encryption, making process simpler
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #4
Last Week - 2
• Block ciphers are widely used• Most commonly used block cipher today is
TDEA, operating in one of 4 modes• TDEA is limited by 64-bit block and key
size, provides poor software implementation• AES chosen to replace TDEA• Should be several years of coexistence
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #5
Network Security in the News
• Saturday, January 25th, Internet traffic slows dramatically due to a worm
• We’ll study worms more later in the course, but this particular worm exploited a fault in the Microsoft SQL Server software
• Patch for this fault has been around for some time, but many systems unpatched
• This is the story line for many security issues
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #6
Course Projects• Teams or individuals?
• Identify, through research, a meaningful network security problem (reported on as historical or one you can hypothesize)
• Analyze the problem– Why did it occur?– How could you have prevented or mitigated it?
• Prepare report and present to the class
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #8
DES Decryption• As DES is a Feistel cipher, decryption uses the
same engine as does encryption
• For decryption:– The DES engine is precisely the same as the
encryption engine -- it is not run in reverse (e.g. with the input coming in the “bottom”)
– Instead, the key schedule is run in reverse; i.e. the first subkey used is K16, then K15, etc., finishing with K1
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #10
DES Mathematics
• Only two functions used– XOR– Data permutation or shifting
• At the heart of the DES engine, inside the f-box, is a Vernam cipher machine!
• Vernam, by itself, is insecure. What makes DES secure?
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #11
Symmetric Crypto Keys
• Ideally, are purely random numbers• This is possible because:
– The keys are prepositioned at each end
– Random numbers can be generated by capturing stellar noise, diode shot noise, etc.
– The parties need only agree on where in the key stream to start
– The key does not have to obey any mathematical function other than randomness
• Many implementations use pseudo-random
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #12
Key Types
• Permanent – Used for a fixed, prearranged period of time– Typically used for applications such as key
distribution, government communications, etc.
• Session– Valid only for current communications session– Destroyed after session terminates
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #13
Key Distribution Problem
• Secret keys must be prepositioned at all locations before secure communications can occur.
• How to do this?– Secure physical transport– Secure electronic transport
• The search for a way to accomplish this led to the development of public key cryptography, which we will study next class
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #14
Asymmetric Cryptography• Also known as public key cryptography• Until Diffie-Hellman in 1976, this concept was
heretical. It is still counterintuitive.– NSA, British Secret Service claim to have invented
years before, but kept secret
• Key has two parts– Public: everybody knows or can know– Private: only holder knows critical!!!
• Based on large prime numbers
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #15
The Original Goal
• Diffie and Hellman did not set out to invent a new kind of cryptography
• The goal was to find a way to establish symmetrical session keys without prior placement of the keys by some other means– i.e. to solve the key distribution problem
• This is still the primary use of the D-H exchange
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #16
But then...
• Diffie-Hellman key exchanges proved immensely useful
• Others found that there other uses for this general crypto principle and algorithms were developed for encrypting data– RSA– El Gamal– etc.
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #17
Asymmetric CryptographyAlice
Bob’s public key
Bob
Bob’s private key
Alice’s message
Crypto algorithm-NOT the same as
for symmetric crypto
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #18
Something Different
• Clearly, asymmetric crypto differs in a basic way from symmetric crypto– The keys are mathematically related, and
cannot be purely random numbers– The algorithms are quite different from the
universe of Feistel ciphers and S-boxes
• Is this a replacement for symmetric crypto, or a complement to it?
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #19
Asymmetric Crypto Properties
• The encryption function is one-way• The encryption process is fungible
– Can encrypt with public key and decrypt with private key, and vice versa
• So what?– Could this approach be used to sign documents?– Can a signed document be used for authentication?
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #20
Modulus Arithmetic• In modulus arithmetic, the “value” of a
number is the remainder when the number is divided by the modulus– e.g. 11 mod 5 = 1
• Clearly, there are many numbers that have the same modular representation– e.g. 21 mod 5 = 1 , 41 mod 5 = 1, etc.
• For a modulus of n, the maximum value is n-1
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #21
So What?
• Asymmetric cryptography is based on modulus arithmetic
• Modulus arithmetic makes it computation-ally infeasible to recover the number whose modulus is stated, provided certain conditions are met
• You can cheat: the Windows calculator has a modulus arithmetic mode
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #22
Diffie-Hellman Key Exchange-1
• Alice and Bob agree on a large prime, n, and an integer g, where g is primitive mod n. These need not be kept secret
• Alice chooses a large random integer x and sends to Bob: X=gx mod n
• Bob chooses a large random integer y and sends to Alice: Y=gy mod n
• NB: x and y are never transmitted
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #23
Diffie-Hellman Key Exchange-2• Alice computes k=Yx mod n• Bob computes k’=Xy mod n• But k = k’ = gxy mod n • Therefore, Bob and Alice now have a secret
key, k, that they can share for communications
• Eavesdroppers know only n, g, X, and Y, not x or y, which are required to compute k
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #24
Diffie-Hellman Security
• D-H security depends on the difficulty of factoring large numbers (size of n)
• It is computationally infeasible to recover x and y from the data known to an eavesdropper by any means other than exhaustive key search
• Caveats– n must be large
– ((n-1)/2) should also be prime
– g can be small -- even one digit
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #25
Diffie-Hellman Drawbacks
• Slow!– Computationally intensive– Requires several communications exchanges
• Example:– Using D-H to set up a session key in a cellular
telephone could take nearly one minute!
• So, other key exchange protocols have been established that are more efficient
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #26
Why Do We Want to Do This?
• Symmetric cryptography is fast
• Asymmetric cryptography is slow – As much as 1000X slower than symmetric
• Therefore, we want to use the slow asymmetric crypto -- which does not require prepositioning of keys -- to create and/or exchange symmetric session keys so that data can be exchanged quickly
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #27
Crypto Weaknesses
• All cryptosystems depend on the security of the key for their security– If a symmetric system, he who has the key
reads the mail– Asymmetric systems rely on the private key
remaining private. Is this a good assumption?
• Attacks on assumptions work better than attacks on the front door
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #28
Cryptosystems Compared
• Symmetric key– Same key both ends
– Key management a problem; requires secure side channel
– Fast
– Message length < key length
• Asymmetric key– Two keys
• Public key, known to all
• Private key, known to owner alone
– Key management less of a problem
– Computationally intensive, so it is slow
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #29
Asymmetric Crypto Uses?
• Only good for key exchange?
• As it turns out, NO– Other algorithms useful for providing data
secrecy, like symmetric cryptography– Can be used to provide
• confidentiality
• integrity
• authenticity
Next time!
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #30
RSA Encryption Algorithm
• Ron Rivest, Adi Shamir, Len Adelman– First published 1978, from MIT– Block cipher, asymmetric key– Plain and cipher texts are integers between 0
and n-1, for some n that is part of the keys
• Like all asymmetric key systems, RSA depends for security on the difficulty of factoring large numbers
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #31
RSA Mechanics
• C = ciphertext– C = Me mod n
• M = plaintext– M = Cd mod n = (Me)d mod n = Med mod n
• Both parties know n, e
• Only the receiving party knows d
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #32
Therefore...
• Public key: KU = {e,n}
• Private key: KR = {d,n}
• Requirements for this to work:– e, d, n exist such that Med = M mod n for all
M<n– Easy to calculate Me and C for M<n– Infeasible to calculate d given e, n
• Computationally secure if e, n sufficiently large
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #33
Important Definitions
• Euler’s totient function, (n) – Defined as the number of positive integers < n
and relatively prime to n– Can show that if n=pq, (n) = (p-1)(q-1)
• Relatively prime numbers– a and b (integers) are relatively prime if they
have no prime factors in common• i.e. only common prime factor is unity
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #34
RSA Example
• Select two primes: p = 7, q = 17
• Calculate n = pq = 7 x 17 = 119
• Calculate (n) = (p-1)(q-1) = 6 x 16 = 96
• Select e relatively prime to & less than (n) – In this example e = 5
• Calculate d = e-1 mod (n) = 77
• KU = {5, 119} KR = {77, 119}Public key Private key
This bit is perhaps unclear
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #35
Another View
• d = e-1 mod (n) looks difficult, as e-1 < 1
• Multiply both sides by e, which gives– de = 1 mod (n), where (n) = 96 in this case
• e has been selected as being 5, therefore we must now find the value for d that satisfies the above equation
• 77 is that value, as 5 x 77 = 1 mod 96– 77 x 5 = 385 = 4 x 96 + 1
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #36
RSA Encrypt/Decrypt
• Using KU, KR we have calculated, let M=19 (plaintext)– KU = {5, 119} KR = {77, 119}
• Encryption:– Me mod n = 195 mod 119 = 66 = C (ciphertext)
• Decryption– Cd mod n = 6677 mod 119 = 19 = M (plaintext)
• Q.E.D.
Public key e , n Private key d, n
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #37
RSA Importance
• With Diffie-Hellman, RSA is the most widely used asymmetric key algorithm
• RSA was patented by its inventors, but the patents expired in 2000
• RSA is now freely usable by anyone, and is widely incorporated into common products, such as web browsers, VPN devices, etc.
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #38
Breaking RSA
• Discover the private key, d– Easy to do if p and q, factors of n, are known– Hard part is factoring n– Factoring 129-digit n has been done
• Find eth roots mod n– Not known to be equivalent to factoring– No general methods known
• Brute force key search
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #39
Practical RSA Security• Choose sufficiently large n
– 129 digits 428 bits, which has been factored– Too close to 512 bits for comfort– So, choose n > 1000 bits (1024, 2048, 4096)
• Not all implementations allow key > 2048
– Evaluate how long security is required, as longer keys require more computation, and are therefore slower to encrypt/decrypt
• Guard the private key carefully!
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #40
Hashing: the Final Tool
• Encryption seeks to obscure plaintext with a key, so that the plaintext can be recovered
• Hash functions produce fixed-length output given variable-length input, such that the hash output will change substantially if even a single bit of the input is changed– Similar to checksum or CRC for data integrity– Depends on hash function being one-way
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #41
Hash Function Uses / Benefits
• Verify the integrity of a block of data– e.g. a message
• Faster to compute than encrypted version of input
• Always produces an output of known and fixed length– Useful in many applications
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #42
Hash Function Requirements
• Hash value h = H(x), where H is the hash function of some input x– Input x can be of any length
– Output H(x) has fixed length
– H(x) relatively easy to compute for any x
– H(x) is one-way
– H(x) is collision-free
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #43
Hashing Terms
• One way– H(x) is one way if it is computationally infeasible to
find x such that H(x) = h
– i.e. H(x) is hard to invert
• Collisions– weakly collision-free: given x, computationally
infeasible to find y x such that H(x) = H(y)
– strongly collision-free: computationally infeasible to find any two messages x and y such that H(x) = H(y)
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #44
Hash Function Example
Source: RSA Laboratories, Inc.
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #45
Common Hash Functions
Algorithm MD2 MD4 MD5 SHA-1
Output length 128 bits 128 bits 128 bits 160 bits
Block size 128 bits 512 bits 512 bits 512 bits
Specification RFC 1319 RFC 1320 RFC 1321 FIPS 180-1
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #46
Types of Hash
• “Standard”– Message is input to the hash function– Hash calculated according to the standard– Same message always produces same hash
• Keyed, or secure, hash– Message is one input to the hash function– Secret key is another input (cf. next slide)– Output depends on both key and message
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #47
Hash Function Example
Source: RSA Laboratories, Inc.
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #48
So What?
• Hash functions can be used to provide– Fast integrity check on data
• Asymmetric key cryptography can provide– Session key negotiation– User authentication (with some help)
• We now have all the cryptographic tools needed to provide confidentiality, integrity, and authentication
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #49
Summary• Both symmetric and asymmetric crypto have their uses
in communications
• Symmetric keys can be purely random, but asymmetric keys are mathematically related
• Symmetric crypto is much faster than asymmetric, which leads to combining the types in practical applications
• Combining symmetric, asymmetric, and hash functions can go a long ways towards mitigating network security problems.
Spring 2003© 2000-2003, Richard A. Stanley
EE579T/3 #50
Homework
• Read Stallings, remainder of Chapter 3
• Read Stallings, Chapter 4
• Do problems 3.2, 3.5a, 3.5d, 3.6, 3.10, 3.12
• If you have not already done so, finalize your project team, and select a candidate research topic. This information is due next week at the latest.
top related