truong tuan anhanhtt/slidesss/st172/l4_public_key.pdf · 7 cryptography: classical model secret,...
TRANSCRIPT
7
Cryptography: Classical Model
Secret, common key K
ek and dk for each key K:
dk is either the same as ek or easily derived from ek
Disclosing dk or ek makes the system insecure
→ Symmetric-key Cryptosystem
Requires prior communication of the key K (using a secure channel)
→ Difficult to achieve in practice
Public-key cryptosystem
8
Public-key Cryptosystem
Was put forward by Diffie and Hellman in 1976
The most important cryptosystems: RSA and ElGamal
Computationally infeasible to determine dk given ek
ek is public
Alice sends to Bob an encrypted message using ek of Bob
Bob is the only one who can decrypt the message using his dk (private key)
10
Public-key Cryptosystem (cont.)
Encryption function is easy to compute
The inverse function (i.e., the decryption function) should be hard to compute (except for Bob)
→ one-way function
Example: suppose n is the product of two large
primes p and q; b is a positive integer
11
Trapdoor One-way Functions
From Bob’s view, he does not want ek to be one-way
→ provide Bob a trapdoor, which consists of secret information for the inversion of ek
Trapdoor one-way function: a one-way function that is easy to invert with the knowledge of a certain trapdoor
12
Trapdoor One-way Functions (cont.)
Usually, we need to specify a family of trapdoor one-way functions F
A function f is chosen from F randomly and used as the public encryption function
Its inverse function is the private decryption function
13
Exercise
Implement a very simple public key cryptosystem as follows:
P = C = Z256
K = 0, 1, 2, …, 255
Where public key + private key = 256
Encryption rule: for each public key k
Ek(x) = (ASCII_value_of_x + k) mod 256
Decryption rule: for each private key k
Dk(y) = (ASCII_value_of_y + k) mod 256
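One way to work this exercise, as an added example that is not part of the original slides; the function names, the sample key and the sample message are assumptions. It also shows why the scheme is only an exercise: dk follows from ek in one subtraction, so the requirement that dk be infeasible to determine from ek does not hold.

```python
# Exercise scheme: P = C = Z256, public key + private key = 256.
# All names and sample values below are constructed for illustration.

MODULUS = 256


def private_from_public(public_key: int) -> int:
    """Relation stated in the exercise: public + private = 256 (taken mod 256)."""
    return (MODULUS - public_key) % MODULUS


def encrypt(plaintext: str, public_key: int) -> bytes:
    """Ek(x) = (ASCII_value_of_x + k) mod 256, applied to each character."""
    data = plaintext.encode("latin-1")  # one byte per character, values 0..255
    return bytes((b + public_key) % MODULUS for b in data)


def decrypt(ciphertext: bytes, private_key: int) -> str:
    """Dk(y) = (ASCII_value_of_y + k) mod 256, using the private key."""
    return bytes((b + private_key) % MODULUS for b in ciphertext).decode("latin-1")


def read_with_public_key_only(ciphertext: bytes, public_key: int) -> str:
    """Anyone who knows the public key can derive the private key and decrypt.

    There is no trapdoor here: inverting Ek needs no secret information,
    so this is not a public-key cryptosystem in the sense of the slides.
    """
    return decrypt(ciphertext, private_from_public(public_key))


if __name__ == "__main__":
    bob_public = 100                                  # constructed sample key
    bob_private = private_from_public(bob_public)     # 156
    c = encrypt("Meet at noon", bob_public)
    print("ciphertext:", c.hex())
    print("Bob decrypts:", decrypt(c, bob_private))
    print("observer decrypts:", read_with_public_key_only(c, bob_public))
```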
16
Data Integrity
Data is usually transferred over an insecure channel
Many factors can affect the data
Example: Alice sends Bob a message. Bob needs to know whether the message has been changed over the channel.
→ Need to assure data integrity
17
Hash Functions
Provide assurance of data integrity
Compute a short “fingerprint” of some data
▪ If the data is changed, the fingerprint will no longer be valid
▪ Check the data integrity by re-computing the fingerprint and verifying that the fingerprint has not changed
The fingerprint = message digest
18
Hash Functions
Let x be some data; its message digest is h(x), where h is a hash function
The message digest should be short, commonly 160 bits
Keyed and unkeyed hash functions
▪ Keyed hash functions are often used as message authentication codes (MACs)
19
Hash Function: Keyed and Unkeyed
Example: Alice wants to send to Bob message x
Unkeyed hash function:
▪ Alice computes y = h(x), then sends x over the channel and stores y in a secure channel
▪ Bob receives x and reads y and verifies if y = h(x); if yes, Bob is confident that x is originated from Alice
Keyed hash function: Alice and Bob share a secret key K which determines function hK:
▪ Compute y = hK(x), then send (x, y) over the channel
▪ Bob receives (x, y) and verifies if y = hK(x); if yes, Bob is confident that neither x nor y was modified by attackers
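The two checks on this slide, as an added example that is not part of the original slides. SHA-256 for h, HMAC-SHA-256 for hK, the key and the messages are assumptions chosen for illustration. It includes the failure case where an unkeyed digest travels next to the message instead of being kept out of the adversary's reach.

```python
import hashlib
import hmac


def h(x: bytes) -> bytes:
    """Unkeyed hash h(x); SHA-256 is an assumption, the slides name no function."""
    return hashlib.sha256(x).digest()


def h_K(key: bytes, x: bytes) -> bytes:
    """Keyed hash hK(x); HMAC-SHA-256 is an assumption, the slides name no function."""
    return hmac.new(key, x, hashlib.sha256).digest()


def bob_verifies_unkeyed(x: bytes, y: bytes) -> bool:
    return hmac.compare_digest(h(x), y)       # constant-time comparison


def bob_verifies_keyed(key: bytes, x: bytes, y: bytes) -> bool:
    return hmac.compare_digest(h_K(key, x), y)


def run_scenarios() -> dict:
    key = b"constructed shared key K"         # sample value known to Alice and Bob only
    x = b"pay Bob 10"                         # Alice's message (constructed)
    x_mod = b"pay Bob 99"                     # the same message, modified in transit
    y_protected = h(x)                        # unkeyed digest stored securely
    y_tag = h_K(key, x)                       # keyed digest sent with x
    return {
        # Unkeyed, y protected: the change to x is detected.
        "unkeyed_protected_y_detects": not bob_verifies_unkeyed(x_mod, y_protected),
        # Unkeyed, y sent beside x: h is public, so y can be recomputed for x_mod.
        "unkeyed_exposed_y_detects": not bob_verifies_unkeyed(x_mod, h(x_mod)),
        # Keyed, (x, y) both on the channel: without K no matching y can be produced.
        "keyed_detects_old_tag": not bob_verifies_keyed(key, x_mod, y_tag),
        "keyed_detects_unkeyed_tag": not bob_verifies_keyed(key, x_mod, h(x_mod)),
        "keyed_accepts_untouched": bob_verifies_keyed(key, x, y_tag),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```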
21
Hash Family
Unkeyed hash function:
▪ Also a hash family in which there is only one possible key
All we want is to prevent the construction of certain types of valid pairs by an adversary
22
Security of Hash Function
It is desirable that the only way to produce a valid pair (x, y) is to first choose x and then compute y = h(x) by applying the function h to x
Other security requirements depend on the particular application
Usually, a hash function is considered to be secure if the following problems are difficult to solve
Exercises
1. Suppose a.equals(b). What can you conclude about a.hashCode() and b.hashCode()? (Assume hashCode() is properly implemented)
2. Suppose a.hashCode() == b.hashCode(). What can you conclude about a.equals(b)? (Assume equals() is properly implemented)
26
Exercises: a Simple Hash Function
3. Implement a hash function
int HashMe(string orgString, int tableSize) {
    // return the hash value of orgString in tableSize
}
Note: The hash value of a string in a hash table is calculated by summing the ASCII values of the letters in the string, then taking the sum modulo the size of the table
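The rule in the note, written out in Python as an added example that is not part of the original slides; the helper names and sample strings are assumptions. It shows that different strings with the same hash value can be built by hand, which is acceptable for a hash table but rules the function out as a message digest.

```python
import hashlib
from collections import defaultdict


def hash_me(org_string: str, table_size: int) -> int:
    """Sum of the ASCII values of the characters, modulo the table size."""
    return sum(org_string.encode("ascii")) % table_size


def same_sum_variant(org_string: str) -> str:
    """Return a different string with the same character sum.

    Moves one unit from the first character to the second, so the sum (and
    therefore hash_me for every table size) is unchanged. Assumes at least
    two characters with room to shift inside the ASCII range.
    """
    first, second = org_string[0], org_string[1]
    return chr(ord(first) - 1) + chr(ord(second) + 1) + org_string[2:]


def buckets(words, table_size: int) -> dict:
    """Group words by hash value to show which ones share a table slot."""
    table = defaultdict(list)
    for word in words:
        table[hash_me(word, table_size)].append(word)
    return dict(table)


def sha256_hex(text: str) -> str:
    """A cryptographic digest of the same input, for contrast."""
    return hashlib.sha256(text.encode("ascii")).hexdigest()


if __name__ == "__main__":
    words = ["listen", "silent", "enlist", "pay Bob 10"]   # constructed samples
    print(buckets(words, 101))                              # anagrams share a slot
    original = "pay Bob 10"
    variant = same_sum_variant(original)
    print(variant, hash_me(original, 101) == hash_me(variant, 101))
    print(sha256_hex(original) == sha256_hex(variant))      # digests differ
```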
27
30
Context
A “conventional” handwritten signature
▪ Attached to a document
▪ Specify the person responsible for the document
▪ Used in everyday situations: writing a letter, withdrawing money, signing a contract, …
Electronic document?
→ Digital Signatures = Signature Schemes
A method of signing a message stored in electronic form and can be transmitted over a computer network
31
Digital vs. Conventional Signatures
Signing a document
▪ Conventional Signatures: a part of the physical document being signed
▪ Digital Signatures: not attached physically to the message being signed; there is an algorithm to “bind” the signature to the message
Verification
▪ Conventional Signatures: compare to authentic signatures; not a very secure method
▪ Digital Signatures: can be verified by a public verification algorithm; prevent the possibility of forgeries
32
Signature Schemes
A signature scheme consists of two components
A signing algorithm
A verification algorithm
Alice signs a message using the private signing algorithm
Bob verifies the signature using Alice’s corresponding public verification algorithm
35
Signature Schemes: Notes
The functions sigK and verK should be polynomial-time functions
sigK is the private function and verK is the public function
It should be computationally infeasible for anyone other than Alice to compute a signature y such that verK(x,y) = true
If Oscar can compute y such that verK(x,y) = true, then y is a forgery
36
Signature Schemes: An Example
The RSA cryptosystem can be used to provide digital signatures
→ RSA signature scheme
Alice signs a message using the RSA decryption rule dK = sigK
Anyone can verify the signature using the RSA encryption rule eK = verK
Anyone can forge Alice’s RSA signature by randomly choosing y and computing x = eK(y)
38
RSA Signature Scheme: How it works
Alice wishes to send an encrypted, signed message to Bob (given the plaintext is x)
1. Alice computes her signature y = sigAlice(x)
2. Alice encrypts both x and y using eBob, then z = eBob(x, y)
3. Alice sends z to Bob
4. Bob receives z
5. Bob decrypts z using dBob to get x, y
6. Bob uses Alice’s public verification function to check that verAlice(x, y) = true
39
RSA Signature Scheme: How it works
Alice wishes to send an encrypted, signed message to Bob (given the plaintext is x)
1. Alice encrypts x using eBob, then z = eBob(x)
2. Alice computes her signature y = sigAlice(z)
3. Alice sends (z, y) to Bob
4. Bob receives (z, y)
5. Bob decrypts z using dBob to get x
6. Bob uses Alice’s public verification function to check that verAlice(z, y) = true
What is the problem?
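The forgery remark on the “Signature Schemes: An Example” slide and the question above about signing the ciphertext, worked with textbook RSA as an added example that is not part of the original slides. The primes, the exponent 17, the sample values and all function names are assumptions; no padding or hashing is used. When Alice signs z rather than x, anyone on the channel can replace her signature with their own on the same z, so Bob may attribute x to the wrong sender.

```python
import math


def make_key(p: int, q: int, e: int = 17) -> dict:
    """Textbook RSA key from two primes; d is the trapdoor."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1
    return {"n": n, "e": e, "d": pow(e, -1, phi)}


# Constructed keys. Bob's modulus is the smallest so z = eBob(x) fits
# below both signers' moduli.
BOB = make_key(61, 53)        # n = 3233
ALICE = make_key(89, 97)      # n = 8633
OSCAR = make_key(107, 109)    # n = 11663


def e_K(key: dict, x: int) -> int:      # public rule, uses only n and e
    return pow(x, key["e"], key["n"])


def d_K(key: dict, y: int) -> int:      # private rule, needs d
    return pow(y, key["d"], key["n"])


def sig(key: dict, x: int) -> int:      # sigK = dK
    return d_K(key, x)


def ver(key: dict, x: int, y: int) -> bool:   # verK(x, y) = true iff x = eK(y)
    return x == e_K(key, y)


def pair_from_public_key(key: dict, y: int):
    """Choose y first, then x = eK(y): a valid pair made without d."""
    return e_K(key, y), y


def encrypt_then_sign(sender: dict, receiver: dict, x: int):
    z = e_K(receiver, x)
    return z, sig(sender, z)


def demo() -> dict:
    x = 65                                        # constructed plaintext
    fx, fy = pair_from_public_key(ALICE, 1234)    # x is not chosen by the forger
    z, y = encrypt_then_sign(ALICE, BOB, x)
    y_swapped = sig(OSCAR, z)                     # y dropped, same z re-signed
    return {"random_pair_verifies": ver(ALICE, fx, fy),
            "alice_signature_verifies": ver(ALICE, z, y),
            "swapped_signature_verifies_as_oscar": ver(OSCAR, z, y_swapped),
            "bob_still_recovers_x": d_K(BOB, z) == x}
```

In the order on the previous slide the signature y travels inside the ciphertext, so it cannot be swapped without dBob.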