Public-Key Protocols
Description: Session 3 of a 3-day course in Engineering Cryptographic Applications held at ACM Theater Tyson's Corner for Microstrategy, Inc. Topics: key agreement, asymmetric cryptography, RSA, public-key protocols, TLS.
Engineering Cryptographic Applications
Day 3: Public Key Protocols
Microstrategy Course, 18 October 2013
David Evans, University of Virginia, www.cs.virginia.edu/evans
Engineering Crypto Applications 2
Recap: Symmetric Encryption
[Figure: Alice encrypts plaintext with AES under a shared key, sends the ciphertext over an insecure channel, and Bob decrypts it with the same key.]
Assuming we generate strong keys, use an appropriate cipher mode, and correctly implement a secure symmetric encryption primitive, we can securely encrypt long messages so even an adversary with quadrillions of dollars cannot learn anything interesting.
Assumes a secret already shared between Alice and Bob. Amplifies that secret to send more data later.
Plan for Today
1. Key Agreement Protocols
2. Solving the remote authentication problem
Asymmetric Encryption, Public-Key Protocols
[Figure: a client and petitions.gov connected over an insecure channel; the goal is a secure channel.]
Asymmetric Key Agreement
Merkle’s Puzzles (1974), Ralph Merkle (born 1952)
Merkle’s Puzzles: Key Agreement
Alice:
1. Generate N random keys: $k_0, \ldots, k_{N-1}$
2. For each i, send $E_{k_i}(\text{“key #”} + i)$, in random order
   (e.g., $E_{k_{37}}(\text{“key #”} + 37)$, $E_{k_{82}}(\text{“key #”} + 82)$, $E_{k_{22}}(\text{“key #”} + 22)$, …)
Bob:
3. Randomly select one of the received messages.
4. Try all possible keys until finding $k_x$ that decrypts the message to “key #x”.
5. Send x (in the clear) to Alice.
Shared secret: $k_x$
Security
(Alice performs steps 1–2 and Bob steps 3–5 as above; the shared secret is $k_x$.)
Suppose each key is 56 bits:
- Alice has to generate N keys and do N encryptions
- Bob has to do $2^{56}$ max work to brute force
- Eve has to do $\tfrac{1}{2}N \times 2^{55}$ expected work
So, if $2^{96}$ is infeasible, $N = 2^{42}$ could work
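The puzzle protocol above, as an added simulation that is not part of the slides: Alice builds N puzzles, Bob brute-forces one of them, and a helper reports the work each party does. The 16-bit keys, 32 puzzles, SHA-256-based toy cipher and seeded randomness are assumptions made so the demo runs in a moment; the slide's own numbers (56-bit keys, $N = 2^{42}$) are fed to the work-factor function to reproduce the $2^{96}$ figure.

```python
import hashlib
import random

# Constructed toy parameters (the slides use 56-bit keys and N = 2^42; those are
# far too large to simulate, so this demo shrinks both).
KEY_BITS = 16
N_PUZZLES = 32


def toy_encrypt(key: int, plaintext: bytes) -> bytes:
    """Stand-in for E_k: XOR with a SHA-256-derived keystream (assumption: not a
    real cipher, just enough for Bob to recognise a correct decryption)."""
    stream = hashlib.sha256(key.to_bytes(8, "big")).digest()
    return bytes(p ^ s for p, s in zip(plaintext, stream))


toy_decrypt = toy_encrypt  # XOR with the same keystream inverts it


def alice_make_puzzles(rng: random.Random):
    """Steps 1-2: N random keys, each wrapped in a puzzle E_{k_i}("key #" + i), shuffled."""
    keys = [rng.getrandbits(KEY_BITS) for _ in range(N_PUZZLES)]
    puzzles = [toy_encrypt(k, f"key #{i}".encode()) for i, k in enumerate(keys)]
    rng.shuffle(puzzles)  # send in random order
    return keys, puzzles


def bob_solve_one(puzzles, rng: random.Random):
    """Steps 3-5: pick one puzzle, brute-force its key, learn (x, k_x).
    Returns (x, k_x, trials) so the work can be compared with the slide."""
    target = rng.choice(puzzles)
    for trials, candidate in enumerate(range(1 << KEY_BITS), start=1):
        plaintext = toy_decrypt(candidate, target)
        if plaintext.startswith(b"key #") and plaintext[5:].isdigit():
            return int(plaintext[5:]), candidate, trials
    raise ValueError("no key decrypts the puzzle")


def alice_lookup(keys, x: int) -> int:
    """Alice receives x in the clear and picks k_x as the shared secret."""
    return keys[x]


def work_factors(n_puzzles: int, key_bits: int) -> dict:
    """Trial encryptions per party, matching the slide's 56-bit analysis."""
    return {
        "alice_encryptions": n_puzzles,
        "bob_max_trials": 1 << key_bits,
        "eve_expected_trials": (n_puzzles // 2) * (1 << (key_bits - 1)),
    }


def run_protocol(seed: int = 1) -> dict:
    """One complete run; seeded only so the demo is reproducible."""
    rng = random.Random(seed)
    keys, puzzles = alice_make_puzzles(rng)
    x, k_bob, trials = bob_solve_one(puzzles, rng)
    return {"x": x, "k_bob": k_bob, "k_alice": alice_lookup(keys, x), "bob_trials": trials}


if __name__ == "__main__":
    print(run_protocol())
    print(work_factors(1 << 42, 56))
```

The point the numbers make: Bob's cost is bounded by the key space, Eve's by the key space times half the number of puzzles, so the gap between honest and dishonest work is only a factor of N, not the exponential gap that Diffie-Hellman and RSA later provide.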
![Page 11: Public-Key Protocols](https://reader037.vdocuments.mx/reader037/viewer/2022103114/554fb106b4c9057b298b50e0/html5/thumbnails/11.jpg)
Engineering Crypto Applications 11
Can we do better?
CRYPTO 2009: Actually is impossible to do better!
Any scheme like this, even with perfect primitives, can be broken by an adversary who can do $N^2$ encryptions (where Alice and Bob do N encryptions).
To do better, we need some magic math!
Time for a Revolution!
“We stand today on the brink of a revolution in cryptography. The development of cheap digital hardware has freed it from the design limitations of mechanical computing and brought the cost of high grade cryptographic devices down to where they can be used in such commercial applications as remote cash dispensers and computer terminals. In turn, such applications create a need for new types of cryptographic systems which minimize the necessity of secure key distribution channels and supply the equivalent of a written signature. At the same time, theoretical developments in information theory and computer science show promise of providing provably secure cryptosystems, changing this ancient art into a science.”
Whit Diffie and Martin Hellman, November 1976.
Padlocked Boxes
[Figure sequence: Alice puts message M in a box locked with her padlock, $E_A(M)$, and ships it through Shady Sammy’s Slimy Shipping Service. Bob adds his own padlock, giving $E_B(E_A(M))$, and ships it back. Alice removes her padlock with her key: $D_A(E_B(E_A(M))) = E_B(M)$, and ships it again. Bob removes his padlock with his key and reads M.]
“Padlocks” Key Agreement
• We relied on: $D_A(E_B(E_A(M))) = E_B(M)$
• Is this true for AES?
No way! AES (and any strong symmetric primitive) must involve non-linear transformations that are not commutative.
• What operations is it true for?
Multiplication
Diffie-Hellman(-Merkle) Key Agreement
[Photos: Martin Hellman, Whit Diffie]
Diffie-Hellman Key Agreement
Alice and Bob:
1. Choose and publish: q (large prime number), $\alpha$ (primitive root of q)
Alice:
2. Generate random $X_A$
3. Send $Y_A = \alpha^{X_A} \bmod q$
Bob:
4. Generate random $X_B$
5. Send $Y_B = \alpha^{X_B} \bmod q$
Alice computes $K = (Y_B)^{X_A} \bmod q$; Bob computes $K = (Y_A)^{X_B} \bmod q$.
Key Agreement Requirements
Correctness: Both participants get the same key
Security: An eavesdropper cannot find K from all intercepted values
Key Agreement Correctness
Correctness: Both participants get the same key
$Y_A = \alpha^{X_A} \bmod q$, $Y_B = \alpha^{X_B} \bmod q$
Alice: $K = (Y_B)^{X_A} \bmod q = (\alpha^{X_B} \bmod q)^{X_A} \bmod q = (\alpha^{X_B X_A} \bmod q) \bmod q = \alpha^{X_B X_A} \bmod q$
Bob: $K = (Y_A)^{X_B} \bmod q = (\alpha^{X_A} \bmod q)^{X_B} \bmod q = (\alpha^{X_A X_B} \bmod q) \bmod q = \alpha^{X_A X_B} \bmod q$
Multiplication commutes (just like the padlocks)!
Security
(Protocol as above.)
An eavesdropper cannot find K from all intercepted values: q, $\alpha$, $Y_A$, $Y_B$.
Primitive Roots
$\alpha$ is a primitive root of q if for all $1 \le n < q$, there is some m, $1 \le m < q$, such that $\alpha^m = n \bmod q$.
All prime numbers have primitive roots.
Discrete logarithm problem: given $\alpha$, n, and q, find the one $0 \le m < q$ such that $\alpha^m = n \bmod q$. For good choices of q, this is believed to be hard.
Security of Diffie-Hellman
(Protocol as above.) Discrete logarithm problem: given $\alpha$, n, and q, find the one $0 \le m < q$ such that $\alpha^m = n \bmod q$. For good choices of q, this is believed to be hard.
Eavesdropper cannot find K from intercepted values: q, $\alpha$, $Y_A$, $Y_B$. If they could, they could solve the discrete log problem, which is hard: given $Y_A = \alpha^{X_A} \bmod q$, find $X_A$.
What about Mallory?
[Figure: Alice encrypts and Bob decrypts over an insecure channel (e.g., the Internet); Mallory, an active attacker, sits on the channel.]
Secure from Active Eavesdropper?
Public: q, $\alpha$. Alice: $X_A$, sends $Y_A = \alpha^{X_A} \bmod q$. Bob: $X_B$, sends $Y_B = \alpha^{X_B} \bmod q$. $K = (Y_B)^{X_A} \bmod q = (Y_A)^{X_B} \bmod q$.
Public: q, $\alpha$
Alice: $X_A$, sends $Y_A = \alpha^{X_A} \bmod q$. Bob: $X_B$, sends $Y_B = \alpha^{X_B} \bmod q$.
Mallory (active attacker): $X_M$; intercepts both messages and sends $Y_M = \alpha^{X_M} \bmod q$ to each side in their place.
Alice computes $K_{AM} = (Y_M)^{X_A} \bmod q$; Bob computes $K_{BM} = (Y_M)^{X_B} \bmod q$.
Mallory computes $K_{AM} = (Y_A)^{X_M} \bmod q$ and $K_{BM} = (Y_B)^{X_M} \bmod q$.
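The Diffie-Hellman slides above (correctness, the primitive-root condition, the discrete-log assumption and the Mallory scenario), as an added worked example that is not part of the course material. The parameters $q = 23$, $\alpha = 5$ and the exponents are constructed toy values chosen so that the brute-force discrete log finishes instantly; the function names are my own. The last function reproduces the unauthenticated exchange with Mallory substituting $Y_M$, which is what motivates the authentication slides that follow.

```python
def is_primitive_root(alpha: int, q: int) -> bool:
    """alpha is a primitive root of the prime q if alpha^m mod q, for 1 <= m < q,
    takes every value 1 <= n < q (feasible to check exhaustively only for a toy q)."""
    return len({pow(alpha, m, q) for m in range(1, q)}) == q - 1


def dh_public(alpha: int, q: int, x: int) -> int:
    return pow(alpha, x, q)  # Y = alpha^X mod q


def dh_shared(y_other: int, x: int, q: int) -> int:
    return pow(y_other, x, q)  # K = (Y_other)^X mod q


def honest_exchange(alpha, q, x_a, x_b):
    """Alice and Bob each compute K; correctness means the two values agree
    because alpha^(X_B X_A) = alpha^(X_A X_B) mod q."""
    y_a, y_b = dh_public(alpha, q, x_a), dh_public(alpha, q, x_b)
    return dh_shared(y_b, x_a, q), dh_shared(y_a, x_b, q)


def discrete_log_brute(alpha, n, q):
    """Eve's route from Y = alpha^X mod q back to X: try every exponent.
    Instant here because q is tiny; for good choices of q it is believed hard."""
    for m in range(q):
        if pow(alpha, m, q) == n:
            return m
    return None


def mallory_exchange(alpha, q, x_a, x_b, x_m):
    """Unauthenticated D-H with an active attacker: Mallory substitutes Y_M for
    both public values, so Alice ends up sharing K_AM with Mallory and Bob K_BM,
    while each believes the key is shared with the other honest party."""
    y_a, y_b, y_m = (dh_public(alpha, q, x) for x in (x_a, x_b, x_m))
    return {
        "alice_thinks_shared_with_bob": dh_shared(y_m, x_a, q),   # K_AM at Alice
        "bob_thinks_shared_with_alice": dh_shared(y_m, x_b, q),   # K_BM at Bob
        "mallory_with_alice": dh_shared(y_a, x_m, q),             # K_AM at Mallory
        "mallory_with_bob": dh_shared(y_b, x_m, q),               # K_BM at Mallory
    }


# Constructed toy parameters: q = 23 with primitive root 5. Real deployments use
# a large prime q; this one only exists so the brute-force log above is instant.
Q, ALPHA = 23, 5

if __name__ == "__main__":
    print("5 is a primitive root of 23:", is_primitive_root(ALPHA, Q))
    print("honest K (Alice, Bob):", honest_exchange(ALPHA, Q, 6, 15))
    print("X_A recovered from Y_A = 8:", discrete_log_brute(ALPHA, 8, Q))
    print("with Mallory:", mallory_exchange(ALPHA, Q, 6, 15, 10))
```

Two things to notice when running it: nothing in the transcript (q, $\alpha$, $Y_A$, $Y_B$) lets Eve compute K without a discrete log, and nothing in the transcript lets Alice tell $Y_B$ from Mallory's $Y_M$, which is why the slides go on to signatures and certificates.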
Does D-H Solve This?
[Figure: TJ and petitions.gov connected over an insecure channel.]
How does TJ know he’s really talking to petitions.gov? How can he establish a secure channel to transmit a password?
Asymmetry Required
Messages: everyone should be able to send Alice a message that only Alice can read
Signatures: Bob should be able to verify Alice signed a message, but not impersonate Alice
Asymmetric Cryptosystem
[Figure: Alice applies E to the plaintext, sends the ciphertext over an insecure channel, and Bob applies D to recover the plaintext.]
Correctness: $D(E(m)) = m$
Security: given $E(m)$ and E, cannot learn anything interesting about m or D
Asymmetric Cryptosystem (with Kerckhoffs’ Principle)
[Figure: same picture, with Alice’s key $KR_A$ at E and $KU_A$ at D.]
Correctness: $D_{KU_A}(E_{KR_A}(m)) = m$
Security: given $E_{KR_A}(m)$, E, $KU_A$, and D, cannot learn anything interesting about m or $KR_A$.
Providing Asymmetry
Need a function f that is:
- Easy to compute: given x, easy to compute f(x)
- Hard to invert: given f(x), hard to compute x
- Has a trap-door: given f(x) and t, easy to compute x
No function (publicly) known with these properties until 1977…
RSA Cryptosystem
$E_e(M) = M^e \bmod n$
$D_d(C) = C^d \bmod n$
$n = pq$, where p, q are prime
d is relatively prime to $(p-1)(q-1)$
$ed \equiv 1 \pmod{(p-1)(q-1)}$
Correctness of RSA
$E_e(M) = M^e \bmod n$, $D_d(C) = C^d \bmod n$
$D_d(E_e(M)) = (M^e \bmod n)^d \bmod n = M^{ed} \bmod n = M$
The last step depends on choosing e and d to have this property: it uses Fermat’s little theorem and Euler’s totient theorem.
Bonus: Works in Both Orders
$E_e(D_d(M)) = (M^d \bmod n)^e \bmod n = M^{de} \bmod n = M$
Providing Asymmetry
Need a function f that is: easy to compute (given x, easy to compute f(x)); hard to invert (given f(x), hard to compute x); and has a trap-door (given f(x) and t, easy to compute x).
Does RSA satisfy these?
Easy (Enough) to Compute
Easy to compute: given x, easy to compute f(x)
$E_e(M) = M^e \bmod n$
$a^{m+n} = a^m \times a^n$, $a^{2b} = a^b \times a^b$
Compute $M^e$ in about $\log_2 e$ multiplications.
Be careful not to have a timing side channel though!
Hard to Invert
Given $E_e(M)$ and e and n, hard to compute M. If the attacker can factor $n = pq$, it is easy to find d: $d = e^{-1} \bmod (p-1)(q-1)$. All other attacks are equivalent to factoring n.
No one seems to know a fast way to factor, except with a quantum computer (and no one seems to yet know how to build a large one).
For reasonable security, n should be 2048 bits (comparable to 112-bit symmetric key) – believed sufficient until 2030.
Easy to Invert with Trapdoor
$E_e(M) = M^e \bmod n$, $D_d(C) = C^d \bmod n$
Using RSA: Confidentiality
[Figure: Alice encrypts with $KU_B$, sends the ciphertext over an insecure channel, and Bob decrypts with $KR_B$.]
Bob: selects two large primes p, q; computes $ed \equiv 1 \pmod{(p-1)(q-1)}$; publishes $n = pq$ and e, keeps d secret.
Bob’s Public Key: $KU_B = (n, e)$ (modulus, public exponent). Private Key: $KR_B = d$ (private exponent).
Alice: sends confidential messages to Bob using his public key.
Over 1000x slower than AES! Only use when asymmetry is needed.
Using RSA: Signatures
[Figure: Bob produces a signed message with $KR_B$ (E), sends it over an insecure channel, and Alice recovers the verified message with $KU_B$ (D).]
Bob: selects two large primes p, q; computes $ed \equiv 1 \pmod{(p-1)(q-1)}$; publishes $n = pq$ and e, keeps d secret. Public Key $KU_B = (n, e)$, Private Key $KR_B = d$.
Alice: verifies the message is from Bob using his public key.
Over 1000x slower than AES! Only use when asymmetry is needed.
Elliptic Curve Asymmetric Cryptosystems
Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP (unless you know trapdoor).
$y^2 = x^3 - 7 \pmod p$
| | RSA | ECC | Lattice Ciphers |
|---|---|---|---|
| Discovery | 1977 (previously discovered in 1969 by GCHQ and perhaps earlier by NSA) | 1985 (adoption limited until ~2005) | 1996 |
| “Hard” Problem | Factoring | Discrete Log on Elliptic Curve | Lattice Problems (e.g., closest vector) |
| Key Size (~112-bit) | 2048 bits (768 bits broken) | 224 bits (112 bits broken) | 1,000,000 bits |
| Backdoor Risk | None | Curves selected by NSA | Little |
| Quantum Computing Risk | Known fast factoring algorithms (Shor’s) | Similar (variation of Shor’s algorithm solves Discrete Log) | Only if P = NP |
| Implementation Challenges | Avoiding weak keys, timing side channels | Fast operations on elliptic curves, leaks on invalid inputs | Only simple arithmetic (but 10Ks of them) |
Using Asymmetry: Signatures
[Figure: Bob signs a message with $KR_B$ (E), sends it over an insecure channel, and Alice verifies it with $KU_B$ (D).]
Bob generates $KU_B$ and $KR_B$ and publishes $KU_B$. Alice verifies the message is from Bob using his public key.
Over 1000x slower than AES! (with both RSA and ECC)
What if we need to sign long (bigger than n ~ 2048 bits) messages?
Message Digests
[Figure: Bob computes Digest = H(Message) and signs the digest with $KR_B$; Alice recomputes H(Message) and checks it against the signed digest using $KU_B$ to obtain the verified message.]
H is a cryptographic hash function:
- one-way: given H(x), cannot find preimage x
- strong collision-resistant: hard to find a pair x and y where H(x) = H(y)
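The RSA slides (key setup, $E_e$ and $D_d$, the square-and-multiply cost, and signing in the other order) together with the message-digest slide, as one added worked example that is not from the course. The primes are constructed: the 61/53 pair reproduces a standard small textbook example, and the two Mersenne primes give a modulus large enough that hashing a long message and signing the digest is meaningful. Reducing the SHA-256 digest modulo n is a toy shortcut and labelled as such in the code; real RSA signatures use a padding scheme, and `modexp_counting` is deliberately the non-constant-time form the timing-side-channel warning is about.

```python
import hashlib


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA from two given primes: n = pq, e*d = 1 mod (p-1)(q-1).
    Returns public (n, e) and private (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    return (n, e), (n, x % phi)


def modexp_counting(base: int, exp: int, mod: int):
    """Square-and-multiply, using a^(2b) = a^b * a^b and a^(m+1) = a^m * a.
    Returns (base^exp mod mod, multiplications) to show the ~log2(exp) cost.
    The branch on each exponent bit is the timing side channel the slide warns
    about: a real implementation uses a constant-time exponentiation instead."""
    if exp == 0:
        return 1 % mod, 0
    bits = bin(exp)[2:]
    result, mults = base % mod, 0          # leading bit is always 1
    for bit in bits[1:]:
        result, mults = (result * result) % mod, mults + 1
        if bit == "1":
            result, mults = (result * base) % mod, mults + 1
    return result, mults


def encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)  # E_e(M) = M^e mod n


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)  # D_d(C) = C^d mod n


def digest_mod_n(message: bytes, n: int) -> int:
    """H(message) as an integer below n. Toy shortcut: real RSA signatures wrap
    the digest in a padding scheme (PSS or PKCS#1 v1.5) rather than reducing mod n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv, message: bytes) -> int:
    """Sign a message of any length: hash first, then apply the private exponent."""
    n, d = priv
    return pow(digest_mod_n(message, n), d, n)


def verify(pub, message: bytes, signature: int) -> bool:
    """Apply the public exponent and compare with a fresh hash of the message."""
    n, e = pub
    return pow(signature, e, n) == digest_mod_n(message, n)


# Constructed key material: a classic small textbook pair, and a ~216-bit modulus
# from two Mersenne primes (real keys use ~1024-bit primes, giving a 2048-bit n).
SMALL_PUB, SMALL_PRIV = rsa_keygen(61, 53, e=17)
PUB, PRIV = rsa_keygen((1 << 127) - 1, (1 << 89) - 1)

if __name__ == "__main__":
    c = encrypt(SMALL_PUB, 65)
    print("small key:", SMALL_PUB, SMALL_PRIV, "E(65) =", c, "D =", decrypt(SMALL_PRIV, c))
    print("65^17 mod 3233 with multiplication count:", modexp_counting(65, 17, 3233))
    long_message = b"petition text " * 1000   # far longer than n
    s = sign(PRIV, long_message)
    print("signature verifies:", verify(PUB, long_message, s))
    print("tampered message verifies:", verify(PUB, long_message + b"!", s))
```

The multiplication count for e = 17 (binary 10001) is 4 squarings plus 1 multiply, and for 65537 it is 17; both match the slide's "about $\log_2 e$".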
Authentication
[Figure: TJ and petitions.gov connected over an insecure channel.]
How does TJ know he’s really talking to petitions.gov? How can he establish a secure channel to transmit a password?
Simple Login Protocol
TJ → petitions.gov: $c = E_{KU_{petitions}}(\text{“tj”} + \text{password})$; petitions.gov computes $D_{KR_{petitions}}(c)$.
Eve can’t decrypt without $KR_{petitions}$.
Getting Public Keys
• Public keys only useful if you know you have the right one!
• Secure on-line directory?
[Figure: TJ asks keys.gov “What is petitions.gov public key?” and keys.gov answers $KU_{petitions}$.]
Moving Directory Off-Line
[Figure: Petitions registers (petitions.gov, $KU_{Petitions}$) with TrustMe.com, which issues $C_P = KR_{TrustMe}[\text{“petitions.gov”}, KU_{Petitions}]$. Petitions sends $C_P$ to TJ, who verifies it using $KU_{TrustMe}$.]
SSL (Secure Sockets Layer): Simplified TLS Handshake Protocol
Client → Server: Hello
Server → Client: $KR_{CA}[\text{Server Identity}, KU_S]$
Client: verify certificate using $KU_{CA}$; check identity matches URL; generate random K
Client → Server: $E_{KU_S}(K)$
Server: decrypt using $KR_S$
Secure channel using K
(Same handshake as above.) How did the client get $KU_{CA}$?
Certificates
[Figure: Petitions registers (petitions.gov, $KU_{Petitions}$) with VarySign.com, which issues $C_P = KR_{VarySign}[\text{“petitions.gov”}, KU_{Petitions}]$; TJ verifies $C_P$ using $KU_{VarySign}$.]
How does VarySign decide if it should give a certificate to the requester?
Limiting Damage
[Figure: same picture; the certificate now carries an ID and an expiration date.]
$C_P = KR_{VarySign}[\text{“petitions.gov”}, \text{cert ID}, \text{Expiration}, KU_{Petitions}]$; TJ verifies using $KU_{VarySign}$.
Certificate Revocation
$C_P = KR_{VarySign}[\text{“petitions.gov”}, \text{cert ID}, \text{Expiration}, KU_{Petitions}]$; the client verifies using $KU_{VarySign}$.
VarySign.com also publishes a Certificate Revocation List (CRL): <cert ID, date>, …
CRL Checking
[Screenshots: revocation-checking settings in Mozilla Firefox and Google Chrome.]
On-line checking is expensive and may fail. An attacker-in-the-middle can make it fail.
SSL (Secure Sockets Layer): Simplified TLS Handshake Protocol (as above)
Actual TLS has some extra steps:
- Negotiate versions
- Agree on which ciphers to use (many options, but beware!)
- Can authenticate client also
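The certificate slides (Moving Directory Off-Line through Certificate Revocation) and the simplified handshake, as one added end-to-end example that is not from the course and not how any real TLS library is written. It issues a certificate of the form $KR_{CA}[\text{subject}, \text{cert ID}, \text{Expiration}, KU_S]$ with textbook RSA, then runs the client's checks in order (signature under the pinned $KU_{CA}$, identity against the URL host, expiration, CRL) before encrypting a session key under $KU_S$. The CA name, server name, cert ID, dates, CRL contents and Mersenne-prime keys are all constructed; the hash-reduction shortcut is a toy and marked as such in the code.

```python
import hashlib
import json
import secrets


def rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA from given primes (constructed; real certificates carry 2048-bit moduli)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # public (n, e), private (n, d)


def digest_mod_n(data: bytes, n: int) -> int:
    # Toy: real signatures pad the digest (PSS / PKCS#1 v1.5) instead of reducing mod n.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest_mod_n(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest_mod_n(data, n)


def encode(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()  # canonical bytes to sign


def issue_certificate(ca_priv, subject: str, subject_pub, cert_id: int, expires: int) -> dict:
    """C_P = KR_CA[subject, cert ID, expiration, KU_subject]."""
    n, e = subject_pub
    body = {"subject": subject, "cert_id": cert_id, "expires": expires, "n": n, "e": e}
    return {"body": body, "sig": sign(ca_priv, encode(body))}


def client_validate(cert: dict, ca_pub, url_host: str, today: int, crl: set) -> str:
    """The client's checks from the handshake slides, in order; returns "ok" or
    the first failure. Each check closes a different hole: a valid signature on
    the wrong name is still the wrong server, an unexpired cert may be revoked."""
    body = cert["body"]
    if not verify(ca_pub, encode(body), cert["sig"]):
        return "bad signature"            # not issued by the CA whose KU_CA we hold
    if body["subject"] != url_host:
        return "identity mismatch"        # certificate belongs to some other site
    if today > body["expires"]:
        return "expired"                  # damage limitation: certs do not last forever
    if body["cert_id"] in crl:
        return "revoked"                  # CRL lookup by cert ID
    return "ok"


def simplified_handshake(cert, ca_pub, url_host, today, crl, server_priv) -> dict:
    """Client: validate cert, generate K, send E_KUS(K). Server: decrypt with KR_S.
    Returns the validation status and whether both ends now hold the same K."""
    status = client_validate(cert, ca_pub, url_host, today, crl)
    if status != "ok":
        return {"status": status, "keys_agree": False}
    k = secrets.randbits(128)                            # client's random session key
    n_s, e_s = cert["body"]["n"], cert["body"]["e"]      # KU_S taken from the certificate
    c = pow(k, e_s, n_s)                                  # E_KUS(K)
    n_srv, d_srv = server_priv
    k_server = pow(c, d_srv, n_srv)                       # server: decrypt using KR_S
    return {"status": status, "keys_agree": k == k_server}


# Constructed scenario (dates are YYYYMMDD integers). Mersenne primes keep the toy
# moduli large enough that the digest reduction above is not degenerate.
CA_PUB, CA_PRIV = rsa_keypair((1 << 127) - 1, (1 << 89) - 1)          # "VarySign"
SERVER_PUB, SERVER_PRIV = rsa_keypair((1 << 107) - 1, (1 << 61) - 1)  # petitions.gov
CERT = issue_certificate(CA_PRIV, "petitions.gov", SERVER_PUB, cert_id=4242, expires=20141018)
TODAY = 20131018
CRL = {1001, 1002}  # cert IDs the CA has revoked


def tampered_cert() -> dict:
    """A certificate whose body was edited after signing, as a tester would use
    to confirm the signature check actually fires."""
    forged = {"body": dict(CERT["body"]), "sig": CERT["sig"]}
    forged["body"]["subject"] = "other.example"
    return forged


if __name__ == "__main__":
    print(simplified_handshake(CERT, CA_PUB, "petitions.gov", TODAY, CRL, SERVER_PRIV))
    print(client_validate(tampered_cert(), CA_PUB, "other.example", TODAY, CRL))
```

The question the slides raise about where $KU_{CA}$ comes from is visible here as the `ca_pub` argument: the whole chain of checks rests on the client already holding the right CA key, which in practice ships with the browser or operating system.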
Summary
• Many useful applications require asymmetry
  – Confidentiality without shared key, signatures
  – Others we will cover next week
• Asymmetric cryptosystems can be built using hard problems in number theory with trapdoors: RSA (factoring), ECC (discrete log)
• Asymmetric ciphers are very expensive: need to combine with hashes and symmetric crypto
Plan for Final Meeting: Applications of Asymmetric Crypto, Secure Computation, Future of Cryptosystems (open to requests!)