CSIS 0327 Computer & Network Security -...

transcript

CSIS 0327 Computer & Network Security

September 2006

Public Key CryptoSystems:RSA and Others

Dr Lucas Hui(CYC307, 28592190, hui@cs.hku.hk)

Problem of Symmetric Encryption• A key is owned by more than one person• No ‘nonrepudiation’ property

– A third party cannot determine whether a message is generated by the message sender or receiver

• Key management problem is complicate– N persons needs N(N1) pair of keys– E.g. 5 persons (15), Ki,j is the key for communication of i and j

• Person 1 keeps K1,2 , K1,3 , K1,4 and K1,5

– Complicate procedures exist for • A new coming subject, • An exiting subject• Subjects renewing their keys

Symmetric Encryption CryptoSystem

Secure channel

• Y = EK(X), X = DK(Y)

Decryption Algo D

Cryptanalyst

Encryption Algo E

Key source

Mesg source

Mesg DestinationY

X’ , K’

Both A and B have K, and so either one alone can generate X !!

Person BPerson A

Public key system• A.k.a. asymmetric key system • Each party X has two keys, one private key Xprv, one public key

Xpub (E.g. A has private key Aprv and public key Apub)• The private key and public key together forms a key pair

– You cannot generate a random private key V, and a random public key U, and just call them a key pair

– You have to use a sophisticated ‘keygeneration’ procedure to generate a keypair

• Private key is secret to the owner, public key is open to public• Xpub(Xprv(M)) = Xprv(Xpub(M)) = M• Mathematically, given the public key, it is extremely difficult to find

the private key• Mathematically, given the private key, it is extremely difficult to find

the public key• Security strength always depends on key length• Can be used in digital signature, encryption, and other advanced

• Data Encryption : A sends a confidential message M to B– A sends Bpub(M) to B, B decrypts with Bprv

• Digital Signature: A sends a signed message M to B– A sends Aprv(M) to B, B decrypts with Apub

• The ‘encryption’ and ‘signature’ functions can be used together, or just use one function.

• Often combined with hash functions and symmetric key systems

• Public Key Cryptosystem examples:– RSA– DSA (for digital signature only)– Elliptic curves

Public Key Cryptosystem• A has public key Apub, & private key Aprv• From Apub, almost impossible to find Aprv• From Aprv, almost impossible to find Apub• Apub is known to all; Aprv is secret to A

A : Aprv

M M C’

Apub Aprv

M C” M

Data Encryption using Public Key Cryptosystems

• A sends a confidential message M to B– A sends Bpub(M) to B, B decrypts with Bprv– No other subjects can read M

• Provide no authenticity– Any other subject can pretend to be A, to send

Bpub(M) to B

A : M B C

M C B :

Confidentiality in Public Key Cryptosystem

Decryption Algo D

Cryptanalyst

Encryption Algo E

Key Pair source

Mesg source

Mesg DestinationY

X’ , Bprv’

Secret Channel

Symmetric Key Vs Pub Key SystemSymmetric Key Encryption• Needed to work

– Sender & receiver use same algo & same key for encryption & decryption

• Needed for security– Key must be kept secret– Practically impossible to

decipher a message– Knowledge of algo +

samples of ciphers must be insufficient to determine the key

Public Key Encryption• Needed to work

– One algo, a pair of keys, 1 for encryption, 1 for decryption. Sender & receiver must have a matched pair of keys

• Needed for security– One of the two keys must

be kept secret– Practically impossible to

decipher a message – Knowledge of algo + one

of the keys + samples of ciphers must be insufficient to determine the key

Digital Signature using Public Key Cryptosystems

• A sends a signed message M to B– A sends Aprv(M) to B, B decrypts with Apub– Only A has Aprv, so Aprv(M) must be generated

by A• No confidentiality

– Any one tapping Aprv(M) can decrypt it with Apub

A : M B C

M C B :

Authenticity in Public Key Cryptosystem

Decryption Algo D

Cryptanalyst

Encryption Algo E

Key Pair source

Mesg source

Mesg DestinationY

X’ , Aprv’

Secret Channel

Confidentiality & Authenticity in Public Key Cryptosystem

Dec Alg

Cryptanalyst

Enc Alg

Key Pair source

Mesg source

Mesg Destination

X’ , Aprv’, Bprv’

Secret Channel

Enc Alg

Dec Alg

Key Pair source

BprvBpub

Requirement of PKC• Practical publickey cryptosystem depends on

discovery of a suitable trapdoor oneway function fk

– Y = fk(X) computationally easy, if k and X are known

– X = fk1(Y) computationally easy, if k and Y are

known– X = fk

1(Y) computationally infeasible, if Y is known, k is unknown

– E.g. fk is using the public key, and fk1 is using the

private key

Modular Arithmetic I

• modular arithmetic is 'clock arithmetic' • a congruence a = b mod n says when divided by n

that a and b have the same remainder – 100 = 34 mod 11

• Note: the above expression is a common, but a bit relaxed way of writing “100 mod 11 = 34 mod 11”, or “100 =mod 11 34”

– usually have 0 <= b <= n1 – 12 mod 7 = 5 mod 7 = 2 mod 7 = 9 mod 7 – b is called the residue of a mod n

• can do arithmetic with integers modulo n with all results from 0 to n – 1

Modular Arithmetic II

• Addition– a+b mod n

• Subtraction – ab mod n = a+(b) mod n

• Multiplication – a . b mod n, derived from repeated addition, can get

a.b=0 where neither a,b=0 – Eg. 2 . 5 mod 10

• Division– a/b mod n, is multiplication by inverse of b: a/b = a .

b1 mod n. (If n is prime, b1 mod n exists s.t b.b1 = 1 mod n)

– Eg. 2 . 3=1 mod 5 hence 4/2 = 4 . 3 = 2 mod 5

Modular Arithmetic III• Integers modulo n with addition and multiplication

form a commutative ring with the laws of – Associative: (a+b)+c = a+(b+c) mod n – Commutative: a+b = b+a mod n – Distributive: (a+b).c = (a.c)+(b.c) mod n

• also can chose whether to do an operation and then reduce modulo n, or reduce then do the operation, since reduction is a homomorphism from the ring of integers to the ring of integers modulo n– a +/ b mod n = [ a mod n +/ b mod n] mod n – (the above laws also hold for multiplication)

• if n is constrained to be a prime number p then this forms a Galois Field modulo p denoted GF(p) and all the normal laws associated with integer arithmetic work

Exponentiation in GF(p)

• many encryption algorithms use exponentiation raising a number a (base) to some power b (exponent) mod p – b = ae mod p

• exponentiation is basically repeated multiplication, which take s O(n) multiples for a number n

• A better method is the squareandmultiply algorithm, only takes O(log2 n) multiples for a number n

Square & Multiply Exponentiation

• b = me mod p• Represents e in binary form (e.g. m20 be m10100)• Let e = ek e k1 e k2 … e1 (ek is the most significant bit, e1

is the least significant bit)– d = 1 – for j = k downto 1 do {– d = d * d mod p– if ej == 1 then {d = d * m mod p}– }– Return d

• E.g. compute m10100 (mod p), then – We have d = 1, 1, m1, m10, m100, m101, m1010, m10100.

• Need (n1) ‘squaring’ (n is number of bits in e) & (k – 1) ‘multiplication’ (k is number of ‘1bit’ in e)

Square & Multiply Exponentiation Examples(sq): squaring, (X): multiplying by m

To compute m10000 :

To compute m11111 :

m10 m100 m1000 m10000

m1 m10 m100 m1000 m10000

m10 m100 m1010 m10100

m1 m10 m101 m1010 m10100

(sq)(X)

To compute m10100 :

m10 m110 m1110 m11110

m1 m11 m111 m1111 m11111

(sq)(X) (X) (X) (X)

1 0 1 0 0

Two Important Theorems∀ ϕ(n) is the Euler totient function (no. of positive numbers

< n and relatively prime to n)• Note that 1 is relatively prime to every other integer• Theorem (Euler's Generalization, Euler Totient Thm)

– let gcd(a,n)=1 then – aϕ(n) mod n = 1

• Fermat's Theorem – let p be a prime and gcd(a,p)=1 then – ap1 mod p = 1

Discrete Logarithm Problem

• The inverse problem to exponentiation is that of finding the discrete logarithm of a number modulo p – find x where ax = b mod p

• While exponentiation is relatively easy, finding discrete logarithms is generally a hard problem, with no easy way

• Note that talking logarithm in real number is very easy, so the modulo arithmetic plays an important role here

RSA• Invented by Ron Rivest, Adi Shamir, and Len

Adleman in MIT (1978)• reversible publickey system (can be used in both

encryption and digital signature)• security based on factorization• RSA key generation

– Generate large primes p, q.– Compute n (the modulus) = p * q– Compute ϕ(n) = (p1)(q1)– Generate e relatively prime to (p1)*(q1) (I.e. gcd(ϕ(n) ,

e)=1 )– Compute d = e1 mod ((p1)*(q1))– Public key is (e,n), Private key is (d,n)– 1024bit RSA means n has 1024 bits– the data must have value < n (since taking mod n).

RSA• Public key is (e,n), Private key is (d,n)• RSA Encryption basic scheme

– m (< n) is the message– use public key (e,n) to encrypt, compute c = m e

mod n– use private key (d,n) to decrypt, compute m = c d

mod n• Digital signature

– m (< n) is the message– use private key (d,n) to sign (“encrypt”), compute s

= m d mod n– use public key (d,n) to verify (“decrypt”), check

whether m ?= s e mod n

RSA• execution slower than block ciphers• Tricks to speed up RSA

– Mathematical technique : addition chain, Chinese Remainder Theorem

– Encryption hardware : cryptocard– Assembly code, microcode implementation for

software systems– Short exponent (for public key only) : e.g. 3, 216+1

• security based on factorization• Attack on RSA mainly on factorization• Patent issued Sep 29, 1983. Expired at 2000

Attack on RSA• Given (d,n), find e• by factorization

– Factor n into p and q– Compute e = d1 mod ((p1)*(q1))– prevent by using large n (standard in 1999 : more than 700

bit modulus, therefore using 1024bit RSA is popular)• Special mathematical attack on special cases, e.g.:

– if m e < n, then we can solve the equation directly– if p and q has some special property, the RSA system is

easier to break– usually prevented by checking in the key generation time

(when generating p and q)• Timing attack: depends on running time of decryption• Remark (by Shamir) : Cryptography is not broken,

only bypassed!!

Timing Attack on RSA• Find the private key (bit by bit) by the running time of decryption (only

need ciphertexts)• Square&multiply exponentiation : 1 square operation per key bit, and 1

multiply operations per key bit which is “1” (d = d * m)• [Simplified illustration] : for certain d & a, the operation “d = d * m” takes

a long time. So long that we can distinguish whether “d=d*m” is executed or not (use this to determine a “1” bit or a “0” bit in the exponent)

• Determine the private key bit by bit by above, from leftmost bit.• In real case, not that easy to achieve, but still a threat.• Countermeasures exists• Inspire other approaches like power consumption, sound generated by

machine (announced by Shamir, Dec 2004) etc.

Countermeasures of Timing Attack on RSA

• Constant exponentiation time : compute x=d*m in all cases

• Random delay• Blinding : transforming the message m to another

value before performing exponentiationBlinding example (compute m = cd mod n)5. Generate a secret random number r between 0 and

n16. Compute c’ = c * re mod n (e is the public key)7. Compute m’ = c’d mod n by exponentiation ( = cd rde

mod n = cd r mod n, since red mod n = r mod n)8. Compute m = m’ r 1 mod n

(= cd rde r –1 mod n = cd r r –1 mod n) = cd mod n

RSA Example (with small p,q)• RSA key generation

– Generate primes p, q. (say p = 7, q = 13)– Compute n (the modulus) = p * q ( n = 91)– Compute ϕ(n) = (p1)(q1) (ϕ(n)= 6*12 = 72)– Generate e relatively prime to (p1)*(q1) (say e = 5) – Compute d = e1 mod ((p1)*(q1)) (d = 29, since 5*29 = 145 =

2*72+1)– Public key is (e,n), Private key is (d,n) (public key is (5,91), private

key is (29, 91)– This is a 7bit RSA (and can only handle data up to 6bits, so nbit

RSA can only handle (n1)bit data objects)• RSA usage

– Let the message m = 5, for digital signature usage, the signed value is 5 29 mod 91 = 31. For verificaiton purpose, 31 5 mod 91 = 5

– Let the message m = 5, for data encryption usage, the cipher is 5 5 mod 91 = 31. For decryption, 31 29 mod 91 = 5

– Let the message be 14, for data encryption usage, the cipher is 14 5 mod 91 = 14. For decryption, 14 29 mod 91 = 14

Calculation of inverse • ‘Primitive’ method : try and error

– E.g. Inverse of 20 mod 33– Try : 33*1 + 1 , 33* 2 + 1 , 33* 3 + 1, etc– We get : 34, 67, 100, 133, ….– We knows that 20 * 5 = 100– So 20 –1 mod 33 = 5– Only work for small numbers

• Extended Euclid’s Algorithm– The General Solution

Euclid’s Algorithm • To find GCD (Greatest Common Divisor)• Divide C0 by C1, let Quotient = Q2, Rem = C2

1612914517441193

5501769C (Remainder)Q (Quotient)

Euclid’s Algorithm• To find GCD of d and f (i.e. ? = gcd(d,f) )• Set up the table of Q and C• Initialize

– C0 = f– C1 = d

• Iterate– Divide Ci1 by Ci, let Quotient = Qi+1,

Remainder = Ci+1

• Until Ci is 0 • Answer is Ci1.

Extended Euclid’s Algorithm• To find multiplicative inverse (i.e. find d –1 (mod) f )• Principle : Try to set up equation of the form

– Ai f + Bi d = Ci (**)• Initially :

– A0 = 1, B0 = 0, C0 = f– A1 = 0, B1 = 1, C1 = d

• Iteratively :– Find A i+1, B i+1, C i+1 from A i, B i, C i (and C i1 ),

preserving condition (**)• Finally :

– Cn = 1, so An f + Bn d = 1– Which means (Bn) d = 1 + ( An) f,– Or B n = d 1 (mod f)

Calculation of inverse• To find multiplicative inverse (of 550 mod 1769)

? (Ans)

????55010

176901CBAQ

One Step• How to find A i+1, B i+1, C i+1 from A i, B i, C i ,C i

1?• E.g.

– A0 f + B0 d = Co

– A1 f + B1 d = C1

– To find : A2 f + B2 d = C2

– Divide C 0 by C 1, let Quotient = Q 2, Rem = C 2– Now C1 Q2 + C2 = C0

– So C2 = C0 (C1) (Q2)– Now, by ‘design’, let

• B2 = B0 – (B1 ) (Q2 )• A2 = A0 – (A1 ) (Q2 )

– We satisfy (**) : A2 f + B2 d = C2

Why satisfy (**) : A2 f + B2 d = C2

Since: A2 f + B2 d

= (A0 – A1 Q2) f + (B0 – B1 Q2) d

= A0 f + B0 d – A1 Q2 f – B1 Q2 d

= (A0 f + B2 d) – Q2 (A1 f + B1 d)

= C0 – C1 Q2

Calculation of inverse• Find inverse of 550 mod 1769

? (Ans)

119??355010

176901CBAQ

? (Ans)

1193 = 0 3*11 = (13*0)355010

176901CBAQ

? (Ans)

7413 = 1 4*(3)4 = 0 – 4*14

119313

176901

E.g. Calculation of inverse• Completed table (550 1 mod 1769 = 550)

1550 (Ans)1714

311937113742311645141292991

45165174134411931355010

176901CBAQ

Summary of Extended Euclid’s Algorithm

• To find the inverse of d mod f• Set up the table of Q,A,B,C• Initialize

– A0 = 1, B0 = 0, C0 = f– A1 = 0, B1 = 1, C1 = d

• Iterate– Divide Ci1 by Ci, let Quotient = Qi+1, Rem = Ci+1

– Compute Bi+1 = Bi1 – (Bi) (Qi+1)– Compute Ai+1 = Ai1 – (A1) (Qi+1)

• Until Ci is 1 (if Ci goes to 0 without equal to1, that means GCD(d,f) is not 1, and there is no answer)

• Answer is Bi.

Why RSA works?Proof of med = m (mod n) in RSA

• Known facts: n = p * q where p, q are primes d = e 1 mod (p1)(q1) or: e d = k(p1)(q1) + 1 for integer k

• Proof 1: (a simple and incomplete proof)For message m, m ed (mod n)= m k(p1)(q1)+ 1 (mod n)= ( m (p1)(q1) ) k * m 1 (mod n)= ( 1 ) k * m (mod n) (if gcd(m,n) =1)= m (mod n)

(This proof does not cover cases where m is a multiple of p or q)

Why RSA works? : Proof of med = m (mod n) in RSA (2)

• Proof 2: (a complete proof)Step 1: Try to prove: for message m, m ed = m (mod p)Observe p is a prime, so gcd (m,p) = 1 or p[Case 1.1:] If gcd(m,p) = 1, we have m ed (mod p) = m k(p1)(q1)+ 1 (mod p) = ( m (p1) ) (q1)k * m 1 (mod p) = ( 1 ) (q1)k * m (mod p) = m (mod p)[Case 1.2:] gcd(m,p) = p, so m is a multiple of p, thus m ed (mod p) = 0 = m (mod p)In both cases, we have proven that m ed = m (mod p).

Why RSA works? : Proof of med = m (mod n) in RSA (3)

• Proof 2: (a complete proof cont’d)Step 1: we have proven: for message m, m ed = m (mod p).Step 2: by similar arguments, we can prove m ed = m (mod q).Step 3: Try to prove: m ed = m (mod n):From step 1: m ed – m = 0 (mod p), so m ed – m is a multiple of p.From step 2: m ed – m = 0 (mod q), so m ed – m is a multiple of q.Since p and q are different primes, so m ed – m must be a multiple of

p*q = n.So we have proven m ed – m = 0 (mod n), or m ed = m (mod n).

Blind Signature : achieve anonymity• In ecash systems, let the customer to generate an e

cash note number, without letting the bank to know the number. But the bank can still sign on it.

• To establish the secret identity of a spy• To protect RSA from timing attack, etc.

Anonymity of Ecash

• Usually achieved by cryptographic techniques.• Idea : Bank (B) does not know the Customer’s (C)

identification, when an ecash token is issued.• Example :

– C receives a “ecash request software” from B– C uses the software to generate a ‘note number’ X

(can have more details)– C sends a request to B, asking B to sign on X– B, after authenticating the request, knowing that the

request is generated from a valid software, sign on X, the result is a valid ecash token (with number X)

– B issue the token to C, and deduce C’s money– But B does not know X!!! How?

Idea of Blind Signature

This is a document

Normal Signing This is a document

James Ho

‘Blinding’

This is a document

James Ho

Blind Signing

‘Unblinding’

“blind signer”

Using ‘blindsignature’ in Ecash• Example :

– C receives a “ecash request software” from B– C uses the software to generate a ‘note number’ X (can

have more details)– C transforms X into another number Y– C sends a request to B, asking B to sign on Y– B, after authenticating the request, knowing that the

request is generated from a valid software, sign on Y, the result is a transformed valid ecash token

– B issue the transformed token to C, & deduce C’s money– C extract the valid token (with note number X) from the

transformed token– In some “notso anonymous’ schemes, C’s identification

can be opened. The scheme is very complicated.

Blind Signature Scheme Eg.Customer C wants B to sign on a ‘note number’ X• RSA scheme is used, (d,n) is B’s private key, (e,n) is B’s

public key• C generates a ‘blinding factor’ R• C computes Y = (X Re) mod n, and sends to B• B signs on Y : compute Z =

Yd mod n = (XRe)d mod n = (Xd Red) mod n.

(Since R ed = R mod n, so Z = (Xd R) mod n.)• B sends Z = (Xd R) mod n to C, C multiplies Z by R1

(mod n), and obtain Xd mod n, which is the signed ‘note number’ by B.

• Problem how can B knows that C are not presenting meaningful message (like ‘B owes C one million’) for B to sign?

Reference: “Frontiers of Electronic Commerce”, Kalakota & Winston, 1996, AddisonWesley.

Blind Signature Scheme: Secret ID establishment

• C is a spy, B is head of the government treasury department

• C wants to use a secret ID (say “Little sparrow”)• C wants B to sign a message like

– “The government agrees to pay Little sparrow 1 million dollars”

• But, C does not want B to know the fact that Little Sparrow is his secret identity

• Solution 1: use a blind signature scheme.• Problem of solution 1: B wants to know that the

document to be signed is of the correct content.

Blind Signature Scheme: Secret ID establishment (2)

• Solution 2: To protect the blind signer B, and C as well.• C generates 10 different secret IDs, each one make the

message “The government agrees to pay XXX 1 million dollars” where XXX is the secret ID.

• C blinds every message with different blinding factor, and send to B for blind signatures

• B randomly chooses 9 messages, and asks C to supply the blinding factors.

• C gives the 9 blinding factors.• B retrieves the plain text of the 9 message by the 9 blinding

factors received from C. If all 9 messages are normal request of the correct format, then B can believe (with high probability) that the remaining unopened message is a normal request

• B blindly sign on the unopened message, and send it to C.• Key idea: C does not know B’s choices!!

El Gamal Signature Scheme• Key generation:

– Generate a prime p, a random number g (often known as ‘generator’), and a random number x

– Private key is x– Compute y = gx mod p, the public key is (y,g,p)

• To sign a message m:– Choose a random number k such that gcd (k, p1) = 1– Compute a = gk mod p– Find k1 mod p1, and compute b = (m – x*a) k1 mod p1.

This means find b such that m = x*a + k*b (mod p1)– The signer keeps k in secret– The signature is (a,b)– Note: the signature size is double as the message size

El Gamal Signature Scheme (2)• To sign a message m:

– Choose a random number k such that gcd (k, p1) = 1– Compute a = gk mod p– Find k1 mod p1, and compute b = (m – x*a) k1 mod

p1. The signature is (a,b)• To verify a signature (a,b):

– Check whether ya * ab = gm (mod p). Iff yes, the signature is correct.

• The El Gamal Encryption scheme is different from the El Gamal signature scheme

DSA (Digital Signature Algorithm)• Designed by NIST and NSA, and is the US federal

standard signature scheme (used with SHA hash alg.)• Based on variant on the El Gamal and Schnorr

algoirthm• Have to work together with a hash function (designed to

be SHA)• A ‘signature only’ algorithm, cannot be used as an

encryption engine.• The DSA routine can be used to perform RSA and El

Gamal encryption! (Most likely not intended by the designer)

Elliptic Curve Cryptography (simplified illustration)

• Elliptic Curve (E.C.):– y2 + axy + by = x3 + cx2 + dx + e

• Consider an E.C. over a finite field (e.g. “mod p” where p is prime)• Consider operations of points on an E.C. + O (a point of “infinity”)• Two points P(x,y) & Q(x,y) can be added together: R = P + Q• P + O = P• P(x,y), then –P = (x, y)• For “mod p” finite field, R(x3,y3) = P(x1,y1) + Q(x2,y2) is given by

– x3 = L2 – x1 – x2 (mod p)– y3 = L(x1x3) – y1 (mod p)– where L = (y2y1)/(x2x1) (mod p) if P != Q,– or L = (3(x1)2 + a)/(2 y1) (mod p) if P == Q.

• Scalar Multiplication– Repeated addition of the same point– 4P = P + P + P + P

Elliptic Curve Cryptography• ECDLP

– Elliptic Curve DL• Given P and G, and for some n: P = nG. n is called the elliptic

curve discrete logarithm of P. – Known P, G and P = nG, to find n is difficult.

• ECC– A publickey cryptosystem based on the structure of the group

of points of an elliptic curve– Suppose that the base point G on E has prime order r,

• The private key s is a integer modulo r.• The corresponding public key W is a point on E defined by W = sG

• Advantages– More complex math structure, so that the key is much shorter

than other public key cryptosystems’ such as RSA to achieve the same security level.

CSIS 0327 Computer & Network Security -...

Documents