
Homework #4 Solutions

Brian A. LaMacchia
bal@cs.washington.edu
bal@microsoft.com

Portions © 2002-2006, Brian A. LaMacchia. This material is provided without warranty of any kind including, without limitation, warranty of non-infringement or suitability for any purpose. This material is not guaranteed to be error free and is intended for instructional use only.

January 31, 2006, Practical Aspects of Modern Cryptography

Question 1a

- Question 1(a): Compute the relative cost of RSA encryption to RSA decryption in SSL in terms of modular multiplications mod n.
  - The server's public key is (n, e), where n is a 1024-bit composite, n = p*q (p, q 512-bit primes), and e = 2^16 + 1.
  - The server's private decryption exponent is d where ed ≡ 1 mod (p-1)(q-1). Assume for this problem that half the bits in d are 1's and |d| = 1024.

Question 1a

- Recall Josh's description of how to multiply fast
  - Follow the bits in the exponent (high to low, ignoring the high bit since it's always 1): a 0 is a square and a 1 is a square followed by a side multiply.
  - So the cost of exponentiating is determined by the size of the exponent and the number of 1 bits it has.
- The cost of encrypting (exponentiating to e) is thus going to involve 16 squares and 1 side multiply, since |e| = 17 and has only the high & low bit set.
- The cost of decrypting (exponentiating to d) is going to involve 1023 squares and 511 side multiplies (because |d| = 1024 and half the bits in d are 1s).

Question 1b - Rebalanced RSA

- n = pq, |p| = |q| = 512, p, q prime
- Server chooses the decryption exponent d first such that
  - d ≡ r1 mod p-1, d ≡ r2 mod q-1, |r1| = |r2| = 160
  - Assume half the bits in r1 & r2 are 1s
- The server then computes e such that ed ≡ 1 mod (p-1)(q-1).
  - |e| = 1024, assume half the bits in e are 1s
- Encryption E(X) = X^e mod n
- Decryption D(X) is now done by computing X^r1 mod p, X^r2 mod q, and using CRT to construct X^d mod n.

Question 1b

- Question 1(b): Compute the relative cost of RSA encryption to RSA decryption in the Rebalanced RSA case for |n| = 1024, |r1| = |r2| = 160, again in terms of modular multiplications in the exponentiations.
- What's the speedup for a server compared to the "regular" RSA in Question 1(a)?

Question 1b

- We proceed as in 1(a), looking at the sizes and number of 1 bits in the various exponents.
- Encrypting: e is now "full size", so |e| = 1024 and half the bits in e are 1s
  - Computing X^e mod n will involve 1023 squares and 511 side multiplies
- Decrypting: we need to compute X^r1 mod p and X^r2 mod q.
  - |r1| = |r2| = 160 (by definition), and each has 80 1 bits.
  - Each exponentiation will involve 159 squares and 79 side multiplies. So together, the server has to perform 318 squares and 158 side multiplies.

Question 1b

- Just comparing the number of exponentiations, we've reduced the server's workload from 1023 squares & 511 side multiplies to 318 squares and 158 side multiplies, which is about a 3.2X speedup for the server.
  - Plus, the server gets to do these calculations mod p and mod q, which means it's dealing with smaller numbers.
- The client is a lot slower.
  - 1023 squares and 511 side multiplies vs. 16 squares and 1 side multiply in 1(a).
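The square-and-multiply counting used in Questions 1(a) and 1(b), together with rebalanced-RSA decryption via CRT, as an added Python example that is not part of the original slides. The function names, the fixed-seed random generator and the toy key sizes (128-bit primes, 40-bit r1 and r2) are assumptions chosen so the block runs quickly; `page_costs()` uses the exponent sizes from the slides.

```python
import math
import random

rng = random.Random(2006)  # fixed seed: reproducible toy values, never use for real keys

def modexp(base, exp, mod):
    """Left-to-right square-and-multiply; returns (result, squares, side_multiplies)."""
    result, squares, mults = base % mod, 0, 0
    for bit in bin(exp)[3:]:                 # skip "0b" and the leading 1 bit
        result = result * result % mod       # every remaining bit costs a square
        squares += 1
        if bit == "1":                       # a 1 bit adds a side multiply
            result = result * base % mod
            mults += 1
    return result, squares, mults

def exponent(bits, ones):
    """Constructed odd exponent of exactly `bits` bits with exactly `ones` bits set."""
    positions = rng.sample(range(1, bits - 1), ones - 2) + [0, bits - 1]
    return sum(1 << i for i in positions)

def is_prime(n, rounds=24):
    """Miller-Rabin probable-prime test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(candidate):
            return candidate

def rebalanced_keygen(prime_bits, r_bits):
    """Pick r1, r2 first, build d by CRT, then e = d^-1 mod (p-1)(q-1)."""
    while True:
        p, q = random_prime(prime_bits), random_prime(prime_bits)
        r1, r2 = exponent(r_bits, r_bits // 2), exponent(r_bits, r_bits // 2)
        if (p != q and math.gcd(p - 1, q - 1) == 2
                and math.gcd(r1, p - 1) == 1 and math.gcd(r2, q - 1) == 1):
            break
    hp, hq = (p - 1) // 2, (q - 1) // 2      # coprime halves; r1 and r2 are both odd
    d = r1 + (p - 1) * ((r2 - r1) // 2 * pow(hp, -1, hq) % hq)
    return p, q, r1, r2, pow(d, -1, (p - 1) * (q - 1))

def rebalanced_decrypt(c, p, q, r1, r2):
    """X^r1 mod p and X^r2 mod q, recombined with CRT; also returns the total cost."""
    m1, s1, x1 = modexp(c, r1, p)
    m2, s2, x2 = modexp(c, r2, q)
    m = m2 + q * ((m1 - m2) * pow(q, -1, p) % p)
    return m, s1 + s2, x1 + x2

def page_costs():
    """(squares, side multiplies) for the exponent shapes in Questions 1(a) and 1(b)."""
    n = rng.getrandbits(1024) | (1 << 1023) | 1   # constructed modulus; counts ignore its value
    full = modexp(2, exponent(1024, 512), n)[1:]
    half = modexp(2, exponent(160, 80), n)[1:]
    return {"e = 2^16 + 1": modexp(2, 2**16 + 1, n)[1:],
            "1024-bit exponent": full,
            "r1 and r2 together": (2 * half[0], 2 * half[1])}
```

The counts depend only on the length and Hamming weight of the exponent, which is why a constructed modulus is enough for `page_costs()`.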

Question 2 – IPSEC cost

- C sends data to S in packets of varying length; for each packet S and C have to perform an IKE key establishment once to agree on a symmetric encryption key, and then perform repeated symmetric encryptions until the entire packet is encrypted.
- Assume the following performance characteristics for C's encryption capabilities:
  - C can perform IKE key establishment with S in 25,000 µs to derive a symmetric encryption key for the session.
  - C can perform a single symmetric encryption operation on a 16-byte plaintext in 0.25 µs.

Question 2a

- Question 2(a): If the average packet of data sent from C to S is 1KB (1024 bytes) in length, what's the maximum bandwidth that can be achieved between C and S?
- Encrypting each packet requires one IKE key establishment and some number of symmetric encryption operations.
  - Bandwidth = bits/second

Question 2a - Solution

- For a 1K packet, we need one IKE + (1K/16) block encryptions
  - The IKE takes 25000 µs
  - The block encryptions take 64*.25 µs = 16 µs
- The total time is 25016 µs, and we've processed 1K bytes in that time, or about 40933 bytes/sec.

Question 2a - Solution

- But wait, what about the additional bytes ESP adds?
  - No effect on bandwidth limits from encryption, but ESP does add overhead, so it's fair to look at that cost too.
- We don't know the actual wire speed, but we know that ESP adds some bytes to each packet.
  - Assume 56 bytes added to each packet
  - So we have to send 1024+56 = 1080 bytes to actually transmit 1024 data bytes.
  - 1080/1024 = 1024/X, so X = 970.9 bytes
  - 970.9 bytes in 25016 µs = 38811 bytes/sec

Question 2b

- Question 2(b): Now assume the average packet is 100KB; what's the maximum achievable bandwidth?
- What's the maximum bandwidth in the limiting case (i.e. one persistent session with an infinite-length packet to be sent)?

Question 2b - Solution

- For a 100K packet, we need one IKE + (100K/16) block encryptions
  - The IKE takes 25000 µs, 100K = 102400 bytes
  - (100K/16) block encryptions take (100K/16)*.25 µs = 6400*.25 µs = 1600 µs
  - Total time: 26600 µs, or about 3,849,624 bytes/sec.
- Adding in 56 header bytes, we have to send 102456 bytes instead of 102400 bytes.
  - 102456/102400 = 102400/X, so X = 102344 bytes
  - 102344 bytes in 26600 µs = 3,847,518 bytes/sec
- In the limit, the limiting factor is that it takes .25 µs to encrypt 16 bytes, so that's an upper limit of 64,000,000 bytes/sec.

Question 3 – KDC Eavesdropping

- KDC, S and C are members of the same Kerberos realm
- When C obtains a ticket for S, KDC assigns ephemeral key K_{C,S}
  - KDC knows K_{C,S} and can eavesdrop on all traffic protected with K_{C,S}
- Assume KDC is passive (i.e. KDC cannot modify messages it sees on the wire).
- Question 3(a): Show how C and S can establish key K' known only to them

Question 3a

- Key establishment is easy, right? All we have to do is have C and S perform a Diffie-Hellman key exchange.
- But how do C and S know they're talking to each other while doing so?
- One of the benefits of Kerberos is that it gives you mutual authentication "for free"
  - C and S authenticate each other as a side-effect of running the Kerberos protocol.

Question 3a

- So one way to solve the problem is to add mutual authentication to Diffie-Hellman. Here's how:
  - First, have C and S run the Kerberos protocol to obtain shared secret K_{C,S} (known to C, S and the KDC).
  - Now have C and S run ephemeral Diffie-Hellman (using some common set of parameters).
    - Initialization: each party (C and S) chooses a secret exponent (a and b respectively)
    - C computes A = g^a mod p, S computes B = g^b mod p
    - C → S: A, HMAC-SHA1(A, K_{C,S}).
      - S verifies the keyed MAC and knows that A really came from C.
    - S → C: B, HMAC-SHA1(B, K_{C,S}).
      - C verifies the keyed MAC and knows that B really came from S.
    - C computes B^a mod p to get K' = g^(ab) mod p.
    - S computes A^b mod p to get K' = g^(ab) mod p.
  - Now C and S hold a new shared secret, K', which is unknown to the KDC.
  - C and S used K_{C,S} to authenticate a later, public key-based exchange.

Question 3b

- What happens if the KDC is active?
- If the KDC is active then it can intercept messages, rewrite A & B to A' and B' and conduct a man-in-the-middle attack.

Man-in-the-Middle

- An active KDC can play a man-in-the-middle attack.
  - KDC can also defeat the modified D-H in 3(a) because it knows K_{C,S}

[Figure: Client C, KDC in the middle, Server S. C sends g^a mod p, which the KDC replaces with g^a' mod p toward S; S sends g^b mod p, which the KDC replaces with g^b' mod p toward C. Negotiated key between C and the KDC: g^(ab') mod p. Negotiated key between the KDC and S: g^(a'b) mod p.]

Question 3c (Extra Credit)

- Assume C and S are jointly members of two independent Kerberos realms:
  - Realm 1: KDC1, yielding key K_{C,S,1}
  - Realm 2: KDC2, yielding key K_{C,S,2}
- Assuming that KDC1 and KDC2 do not collude with each other, devise a protocol between C and S to create an encrypted channel that is secure against active eavesdropping from both KDC1 and KDC2.

> 3c) With two independent keys, so long as the KDCs don't collude they can't play man-in-the-middle.

Question 3c (Extra Credit)

- With two independent keys shared between C and S, so long as the KDCs don't collude neither can perform a man-in-the-middle attack.
  - "Independent" here means "Neither key is known to both KDC1 and KDC2".
- Solution: as in 3(a) above, but use both keys in the HMAC authenticators
  - Neither KDC1 nor KDC2 knows both, so even if they're active they can't switch messages on C or S

Question 3c

- C and S run Kerberos in both realms, obtaining K_{C,S,1} and K_{C,S,2}
- Now have C and S run ephemeral Diffie-Hellman (using some common set of parameters).
  - Initialization: C computes A = g^a mod p, S computes B = g^b mod p
  - C → S: A, HMAC-SHA1(A, K_{C,S,1}, K_{C,S,2}).
    - S verifies the keyed MAC and knows that A really came from C.
  - S → C: B, HMAC-SHA1(B, K_{C,S,1}, K_{C,S,2}).
    - C verifies the keyed MAC and knows that B really came from S.
  - C computes B^a mod p to get K' = g^(ab) mod p.
  - S computes A^b mod p to get K' = g^(ab) mod p.
- Now C and S hold a new shared secret, K', which is unknown to the KDC.
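The exchanges from Questions 3(a), 3(b) and 3(c) as an added Python example, not code from the original slides: it shows the MAC check accepting an unmodified exchange, accepting substituted values from a middle party that holds K_{C,S}, and rejecting them when the MAC key needs both realm keys. The toy group (p = 2^127 - 1, g = 3), the constructed 16-byte keys, all names, and the choice to form the two-realm MAC key as K_{C,S,1} || K_{C,S,2} are assumptions; the slides do not say how the two keys are combined.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (assumption, chosen for readability; far too small for real use).
P = 2**127 - 1
G = 3

def tag(value, key):
    """HMAC-SHA1(value, key), the authenticator used on the slides."""
    return hmac.new(key, value.to_bytes(16, "big"), hashlib.sha1).digest()

class Party:
    """One Diffie-Hellman endpoint that authenticates its public value with `key`."""

    def __init__(self, key):
        self.key = key
        self.x = secrets.randbelow(P - 3) + 2      # secret exponent
        self.pub = pow(G, self.x, P)               # g^x mod p

    def send(self):
        return self.pub, tag(self.pub, self.key)

    def receive(self, value, mac):
        if not hmac.compare_digest(mac, tag(value, self.key)):
            raise ValueError("MAC check failed")
        return pow(value, self.x, P)               # K' as this side sees it

def exchange(party_key, middle_key=None):
    """Run the 3(a) exchange; with middle_key set, an active middle swaps A and B."""
    c, s = Party(party_key), Party(party_key)
    if middle_key is None:                         # passive KDC: messages arrive unmodified
        k_c, k_s = c.receive(*s.send()), s.receive(*c.send())
        return {"accepted": True, "keys_match": k_c == k_s, "middle_reads_all": False}
    fake_a, fake_b = Party(middle_key), Party(middle_key)   # a' and b'
    try:
        k_c = c.receive(*fake_b.send())            # C is handed B' in place of B
        k_s = s.receive(*fake_a.send())            # S is handed A' in place of A
    except ValueError:
        return {"accepted": False, "keys_match": False, "middle_reads_all": False}
    knows_both = pow(c.pub, fake_b.x, P) == k_c and pow(s.pub, fake_a.x, P) == k_s
    return {"accepted": True, "keys_match": k_c == k_s, "middle_reads_all": knows_both}

# Constructed sample keys (not real Kerberos session keys).
K_CS = bytes(range(16))
K_CS1 = bytes(range(16, 32))
K_CS2 = bytes(range(32, 48))

if __name__ == "__main__":
    print("3(a) passive KDC:      ", exchange(K_CS))
    print("3(b) active KDC:       ", exchange(K_CS, middle_key=K_CS))
    print("3(c) active KDC1 alone:", exchange(K_CS1 + K_CS2, middle_key=K_CS1))
    print("3(c) active KDC2 alone:", exchange(K_CS1 + K_CS2, middle_key=K_CS2))
```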