cryptography and network security chapter 909/08/10 1 cryptography and network security chapter 9...
TRANSCRIPT
![Page 1: Cryptography and Network Security Chapter 909/08/10 1 Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown 09/08/10 2 Chapter](https://reader035.vdocuments.mx/reader035/viewer/2022081515/5ee159ffad6a402d666c4403/html5/thumbnails/1.jpg)
09/08/10 1
Cryptography and Cryptography and
Network SecurityNetwork Security
Chapter 9Chapter 9
Fifth EditionFifth Edition
by William Stallingsby William Stallings
Lecture slides by Lawrie BrownLecture slides by Lawrie Brown
09/08/10 2
Chapter 9 � Chapter 9 � Public Key Public Key
Cryptography and RSACryptography and RSA
Every Egyptian received two names, which were Every Egyptian received two names, which were
known respectively as the true name and the known respectively as the true name and the
good name, or the great name and the little good name, or the great name and the little
name; and while the good or little name was name; and while the good or little name was
made public, the true or great name appears to made public, the true or great name appears to
have been carefully concealed.have been carefully concealed.
��The Golden Bough, The Golden Bough, Sir James George FrazerSir James George Frazer
![Page 2: Cryptography and Network Security Chapter 909/08/10 1 Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown 09/08/10 2 Chapter](https://reader035.vdocuments.mx/reader035/viewer/2022081515/5ee159ffad6a402d666c4403/html5/thumbnails/2.jpg)
09/08/10 3
Private-Key CryptographyPrivate-Key Cryptography
� traditional traditional private/secret/single keyprivate/secret/single key cryptography uses cryptography uses oneone key key
� shared by both sender and receiver shared by both sender and receiver � if this key is disclosed communications if this key is disclosed communications
are compromised are compromised � also is also is symmetricsymmetric, parties are equal , parties are equal � hence does not protect sender from hence does not protect sender from
receiver forging a message & claiming is receiver forging a message & claiming is sent by sender sent by sender
09/08/10 4
Public-Key CryptographyPublic-Key Cryptography
� probably most significant advance in the probably most significant advance in the
3000 year history of cryptography 3000 year history of cryptography
� uses uses twotwo keys � a public & a private key keys � a public & a private key
� asymmetricasymmetric since parties are since parties are notnot equal equal
� uses clever application of number uses clever application of number
theoretic concepts to functiontheoretic concepts to function
� complements complements rather thanrather than replaces replaces
private key cryptoprivate key crypto
![Page 3: Cryptography and Network Security Chapter 909/08/10 1 Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown 09/08/10 2 Chapter](https://reader035.vdocuments.mx/reader035/viewer/2022081515/5ee159ffad6a402d666c4403/html5/thumbnails/3.jpg)
09/08/10 5
Why Public-Key Cryptography?Why Public-Key Cryptography?
� developed to address two key issues:developed to address two key issues:� key distributionkey distribution � how to have secure � how to have secure
communications in general without having to communications in general without having to trust a KDC with your keytrust a KDC with your key
� digital signaturesdigital signatures � how to verify a message � how to verify a message comes intact from the claimed sendercomes intact from the claimed sender
� public invention due to Whitfield Diffie & public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976Martin Hellman at Stanford Uni in 1976� known earlier in classified communityknown earlier in classified community
09/08/10 6
Public-Key CryptographyPublic-Key Cryptography
� public-key/two-key/asymmetricpublic-key/two-key/asymmetric cryptography cryptography involves the use of involves the use of twotwo keys: keys: � a a public-keypublic-key, which may be known by anybody, and , which may be known by anybody, and
can be used to can be used to encrypt messagesencrypt messages, and , and verify verify signaturessignatures
� a related a related private-keyprivate-key, known only to the recipient, used , known only to the recipient, used to to decrypt messagesdecrypt messages, and , and signsign (create) (create) signatures signatures
� infeasible to determine private key from publicinfeasible to determine private key from public� is is asymmetricasymmetric because because
� those who encrypt messages or verify signatures those who encrypt messages or verify signatures cannotcannot decrypt messages or create signatures decrypt messages or create signatures
![Page 4: Cryptography and Network Security Chapter 909/08/10 1 Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown 09/08/10 2 Chapter](https://reader035.vdocuments.mx/reader035/viewer/2022081515/5ee159ffad6a402d666c4403/html5/thumbnails/4.jpg)
09/08/10 7
Public-Key CryptographyPublic-Key Cryptography
![Page 5: Cryptography and Network Security Chapter 909/08/10 1 Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown 09/08/10 2 Chapter](https://reader035.vdocuments.mx/reader035/viewer/2022081515/5ee159ffad6a402d666c4403/html5/thumbnails/5.jpg)
09/08/10 9
Public-Key CryptosystemsPublic-Key Cryptosystems
![Page 6: Cryptography and Network Security Chapter 909/08/10 1 Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown 09/08/10 2 Chapter](https://reader035.vdocuments.mx/reader035/viewer/2022081515/5ee159ffad6a402d666c4403/html5/thumbnails/6.jpg)
09/08/10 11
Public-Key RequirementsPublic-Key Requirements
� Public-Key algorithms rely on two keys where:Public-Key algorithms rely on two keys where:� it is computationally infeasible to find decryption key it is computationally infeasible to find decryption key
knowing only algorithm & encryption keyknowing only algorithm & encryption key
� it is computationally easy to en/decrypt messages it is computationally easy to en/decrypt messages
when the relevant (en/decrypt) key is knownwhen the relevant (en/decrypt) key is known
� either of the two related keys can be used for either of the two related keys can be used for
encryption, with the other used for decryption (for encryption, with the other used for decryption (for
some algorithms)some algorithms)
� these these are formidable requirements which are formidable requirements which
only a few algorithms have satisfiedonly a few algorithms have satisfied
09/08/10 12
Public-Key RequirementsPublic-Key Requirements� need a trapdoor one-way functionneed a trapdoor one-way function
� one-way function hasone-way function has� Y = f(X) easy Y = f(X) easy
� X = fX = f�1�1(Y) infeasible(Y) infeasible
� a trap-door one-way function hasa trap-door one-way function has� Y = fY = f
kk(X) easy, if k and X are known(X) easy, if k and X are known
� X = fX = fkk�1�1(Y) easy, if k and Y are known(Y) easy, if k and Y are known
� X = fX = fkk�1�1(Y) infeasible, if Y known but k not known(Y) infeasible, if Y known but k not known
� a practical public-key scheme depends on a practical public-key scheme depends on
a suitable trap-door one-way functiona suitable trap-door one-way function
![Page 7: Cryptography and Network Security Chapter 909/08/10 1 Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown 09/08/10 2 Chapter](https://reader035.vdocuments.mx/reader035/viewer/2022081515/5ee159ffad6a402d666c4403/html5/thumbnails/7.jpg)
09/08/10 13
Security of Public Key SchemesSecurity of Public Key Schemes� like private key schemes brute force like private key schemes brute force
exhaustive searchexhaustive search attack is always attack is always theoretically possible theoretically possible
� but keys used are too large (>512bits) but keys used are too large (>512bits) � security relies on a security relies on a large enoughlarge enough difference in difference in
difficulty between difficulty between easyeasy (en/decrypt) and (en/decrypt) and hardhard (cryptanalyse) problems(cryptanalyse) problems
� more generally the more generally the hardhard problem is known, but problem is known, but is made hard enough to be impractical to break is made hard enough to be impractical to break
� requires the use of requires the use of very large numbersvery large numbers� hence is hence is slowslow compared to private key compared to private key
schemesschemes
09/08/10 14
RSARSA
� by Rivest, Shamir & Adleman of MIT in 1977 by Rivest, Shamir & Adleman of MIT in 1977
� best known & widely used public-key scheme best known & widely used public-key scheme
� based on exponentiation in a finite (Galois) field based on exponentiation in a finite (Galois) field
over integers modulo a prime over integers modulo a prime � nb. exponentiation takes O((log n)nb. exponentiation takes O((log n)33) operations (easy) ) operations (easy)
� uses large integers (eg. 1024 bits)uses large integers (eg. 1024 bits)
� security due to cost of factoring large numbers security due to cost of factoring large numbers � nb. factorization takes O(e nb. factorization takes O(e log n log log nlog n log log n) operations (hard) ) operations (hard)
![Page 8: Cryptography and Network Security Chapter 909/08/10 1 Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown 09/08/10 2 Chapter](https://reader035.vdocuments.mx/reader035/viewer/2022081515/5ee159ffad6a402d666c4403/html5/thumbnails/8.jpg)
09/08/10 15
RSA En/decryptionRSA En/decryption
� to encrypt a message M the sender:to encrypt a message M the sender:� obtains obtains public keypublic key of recipient of recipient PU={e,n}PU={e,n}
� computes: computes: C = MC = Mee mod n mod n, where , where 00��MM<<nn
� to decrypt the ciphertext C the owner:to decrypt the ciphertext C the owner:� uses their private key uses their private key PR={d,n}PR={d,n}
� computes: computes: M = CM = Cdd mod n mod n
� note that the message M must be smaller note that the message M must be smaller
than the modulus n (block if needed)than the modulus n (block if needed)
09/08/10 16
RSA Key SetupRSA Key Setup
� each user generates a public/private key pair each user generates a public/private key pair by: by:
� selecting two large primes at random: selecting two large primes at random: p, qp, q � computing their system modulus computing their system modulus n=p.qn=p.q
� note note ø(n)=(p-1)(q-1)ø(n)=(p-1)(q-1)
� selecting at random the encryption key selecting at random the encryption key ee� where where 1<e<ø(n), gcd(e,ø(n))=1 1<e<ø(n), gcd(e,ø(n))=1
� solve following equation to find decryption key solve following equation to find decryption key dd � e.d=1 mod ø(n) and 0e.d=1 mod ø(n) and 0��dd��nn
� publish their public encryption key: PU={e,n} publish their public encryption key: PU={e,n} � keep secret private decryption key: PR={d,n} keep secret private decryption key: PR={d,n}
![Page 9: Cryptography and Network Security Chapter 909/08/10 1 Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown 09/08/10 2 Chapter](https://reader035.vdocuments.mx/reader035/viewer/2022081515/5ee159ffad6a402d666c4403/html5/thumbnails/9.jpg)
09/08/10 17
Why RSA WorksWhy RSA Works
� because of Euler's Theorem:because of Euler's Theorem:� aaø(n)ø(n)mod n = 1 mod n = 1 where where gcd(a,n)=1gcd(a,n)=1
� in RSA have:in RSA have:� n=p.qn=p.q
� ø(n)=(p-1)(q-1)ø(n)=(p-1)(q-1) � carefully chose carefully chose ee & & dd to be inverses to be inverses mod ø(n)mod ø(n) � hence hence e.d=1+k.ø(n)e.d=1+k.ø(n) for some for some kk
� hence :hence :CCdd = M = Me.d e.d = M= M1+k.ø(n)1+k.ø(n) = M = M11.(M.(Mø(n)ø(n)))kk
= M= M11.(1).(1)kk = M = M11 = M mod n = M mod n
09/08/10 18
RSA Example - Key SetupRSA Example - Key Setup
1.1. Select primes: Select primes: pp=17 & =17 & qq=11=11
2.2. CalculateCalculate n n = = pq pq =17=17 x x 11=18711=187
3.3. CalculateCalculate ø(ø(nn)=()=(p�p�1)(1)(q-q-1)=161)=16xx10=16010=160
4.4. Select Select ee:: gcd(e,160)=1; gcd(e,160)=1; choose choose ee=7=7
5.5. Determine Determine dd:: de=de=1 mod 1601 mod 160 and and d d < 160< 160 Value is Value is d=23d=23 since since 2323xx7=161= 107=161= 10xx160+1160+1
6.6. Publish public key Publish public key PU={7,187}PU={7,187}
7.7. Keep secret private key Keep secret private key PR={23,PR={23,187}187}
![Page 10: Cryptography and Network Security Chapter 909/08/10 1 Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown 09/08/10 2 Chapter](https://reader035.vdocuments.mx/reader035/viewer/2022081515/5ee159ffad6a402d666c4403/html5/thumbnails/10.jpg)
09/08/10 19
RSA Example - En/DecryptionRSA Example - En/Decryption
� sample RSA encryption/decryption is: sample RSA encryption/decryption is:
� given message given message M = 88M = 88 (nb. (nb. 88<18788<187))
� encryption:encryption:
C = 88C = 8877 mod 187 = 11 mod 187 = 11
� decryption:decryption:
M = 11M = 112323 mod 187 = 88 mod 187 = 88
09/08/10 20
ExponentiationExponentiation
� can use the Square and Multiply Algorithmcan use the Square and Multiply Algorithm
� a fast, efficient algorithm for exponentiation a fast, efficient algorithm for exponentiation
� concept is based on repeatedly squaring base concept is based on repeatedly squaring base
� and multiplying in the ones that are needed to and multiplying in the ones that are needed to
compute the result compute the result
� look at binary representation of exponent look at binary representation of exponent
� only takes O(logonly takes O(log22 n) multiples for number n n) multiples for number n
� eg. eg. 7755 = 7 = 744.7.711 = 3.7 = 10 mod 11 = 3.7 = 10 mod 11
� eg. eg. 33129129 = 3 = 3128128.3.311 = 5.3 = 4 mod 11 = 5.3 = 4 mod 11
![Page 11: Cryptography and Network Security Chapter 909/08/10 1 Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown 09/08/10 2 Chapter](https://reader035.vdocuments.mx/reader035/viewer/2022081515/5ee159ffad6a402d666c4403/html5/thumbnails/11.jpg)
09/08/10 21
ExponentiationExponentiation
c = 0; f = 1c = 0; f = 1
for i = k downto 0 for i = k downto 0
do c = 2 x cdo c = 2 x c
f = (f x f) mod nf = (f x f) mod n
if bif bii == 1 == 1 then then
c = c + 1c = c + 1
f = (f x a) mod n f = (f x a) mod n
return freturn f
09/08/10 22
Efficient EncryptionEfficient Encryption
� encryption uses exponentiation to power encryption uses exponentiation to power ee
� hence if e small, this will be fasterhence if e small, this will be faster� often choose e=65537 (2often choose e=65537 (21616-1)-1)� also see choices of e=3 or e=17also see choices of e=3 or e=17
� but if e too small (eg e=3) can attackbut if e too small (eg e=3) can attack� using Chinese remainder theorem & 3 using Chinese remainder theorem & 3
messages with different moduliimessages with different modulii
� if e fixed must ensure if e fixed must ensure gcd(e,ø(n))=1gcd(e,ø(n))=1
� ie reject any p or q not relatively prime to eie reject any p or q not relatively prime to e
![Page 12: Cryptography and Network Security Chapter 909/08/10 1 Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown 09/08/10 2 Chapter](https://reader035.vdocuments.mx/reader035/viewer/2022081515/5ee159ffad6a402d666c4403/html5/thumbnails/12.jpg)
09/08/10 23
Efficient DecryptionEfficient Decryption
� decryption uses exponentiation to power decryption uses exponentiation to power dd� this is likely large, insecure if notthis is likely large, insecure if not
� can use the Chinese Remainder Theorem can use the Chinese Remainder Theorem (CRT) to compute mod p & q separately. (CRT) to compute mod p & q separately. then combine to get desired answerthen combine to get desired answer� approx 4 times faster than doing directlyapprox 4 times faster than doing directly
� only owner of private key who knows only owner of private key who knows values of p & q can use this technique values of p & q can use this technique
09/08/10 24
RSA Key GenerationRSA Key Generation
� users of RSA must:users of RSA must:� determine two primes determine two primes at random - at random - p, qp, q � select either select either ee or or dd and compute the other and compute the other
� primes primes p,qp,q must not be easily derived must not be easily derived from modulus from modulus n=p.qn=p.q
� means must be sufficiently largemeans must be sufficiently large� typically guess and use probabilistic testtypically guess and use probabilistic test
� exponents exponents ee, , dd are inverses, so use are inverses, so use Inverse algorithm to compute the otherInverse algorithm to compute the other
![Page 13: Cryptography and Network Security Chapter 909/08/10 1 Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown 09/08/10 2 Chapter](https://reader035.vdocuments.mx/reader035/viewer/2022081515/5ee159ffad6a402d666c4403/html5/thumbnails/13.jpg)
09/08/10 25
RSA SecurityRSA Security
� possible approaches to attacking RSA possible approaches to attacking RSA
are:are:� brute force key search - infeasible given size brute force key search - infeasible given size
of numbersof numbers
� mathematical attacks - based on difficulty of mathematical attacks - based on difficulty of
computing ø(n), by factoring modulus ncomputing ø(n), by factoring modulus n
� timing attacks - on running of decryptiontiming attacks - on running of decryption
� chosen ciphertext attacks - given properties chosen ciphertext attacks - given properties
of RSAof RSA
09/08/10 26
Factoring ProblemFactoring Problem
� mathematical approach takes 3 forms:mathematical approach takes 3 forms:� factor factor n=p.qn=p.q, hence compute , hence compute ø(n)ø(n) and then and then dd� determine determine ø(n)ø(n) directly and directly and compute compute dd� find d directlyfind d directly
� currently believe all equivalent to factoringcurrently believe all equivalent to factoring� have seen slow improvements over the years have seen slow improvements over the years
� as of May-05 best is 200 decimal digits (663) bit with LS as of May-05 best is 200 decimal digits (663) bit with LS
� biggest improvement comes from improved biggest improvement comes from improved algorithmalgorithm
� cf QS to GHFS to LScf QS to GHFS to LS
� currently assume 1024-2048 bit RSA is securecurrently assume 1024-2048 bit RSA is secure� ensure p, q of similar size and matching other constraintsensure p, q of similar size and matching other constraints
![Page 14: Cryptography and Network Security Chapter 909/08/10 1 Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown 09/08/10 2 Chapter](https://reader035.vdocuments.mx/reader035/viewer/2022081515/5ee159ffad6a402d666c4403/html5/thumbnails/14.jpg)
09/08/10 27
Progress in Progress in FactoringFactoring
![Page 15: Cryptography and Network Security Chapter 909/08/10 1 Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown 09/08/10 2 Chapter](https://reader035.vdocuments.mx/reader035/viewer/2022081515/5ee159ffad6a402d666c4403/html5/thumbnails/15.jpg)
09/08/10 29
Timing AttacksTiming Attacks
� developed by Paul Kocher in mid-1990�sdeveloped by Paul Kocher in mid-1990�s� exploit timing variations in operationsexploit timing variations in operations
� eg. multiplying by small vs large number eg. multiplying by small vs large number � or IF's varying which instructions executedor IF's varying which instructions executed
� infer operand size based on time taken infer operand size based on time taken � RSA exploits time taken in exponentiationRSA exploits time taken in exponentiation� countermeasurescountermeasures
� use constant exponentiation timeuse constant exponentiation time� add random delaysadd random delays� blind values used in calculationsblind values used in calculations
09/08/10 30
Chosen Ciphertext AttacksChosen Ciphertext Attacks
� RSA is vulnerable to a Chosen Ciphertext RSA is vulnerable to a Chosen Ciphertext Attack (CCA)Attack (CCA)
� attackers chooses ciphertexts & gets attackers chooses ciphertexts & gets decrypted plaintext backdecrypted plaintext back
� choose ciphertext to exploit properties of choose ciphertext to exploit properties of RSA to provide info to help cryptanalysisRSA to provide info to help cryptanalysis
� can counter with random pad of plaintextcan counter with random pad of plaintext� or use Optimal Asymmetric Encryption or use Optimal Asymmetric Encryption
Padding (OASP)Padding (OASP)
![Page 16: Cryptography and Network Security Chapter 909/08/10 1 Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown 09/08/10 2 Chapter](https://reader035.vdocuments.mx/reader035/viewer/2022081515/5ee159ffad6a402d666c4403/html5/thumbnails/16.jpg)
09/08/10 32
SummarySummary
� have considered:have considered:� principles of public-key cryptographyprinciples of public-key cryptography
� RSA algorithm, implementation, securityRSA algorithm, implementation, security