Cryptography and Cryptography and Network SecurityNetwork Security

Chapter 10Chapter 10

Fourth EditionFourth Edition

by William Stallingsby William Stallings

Chapter 10 – Chapter 10 – Key Management; Key Management; Other Public Key CryptosystemsOther Public Key Cryptosystems

No Singhalese, whether man or woman, would No Singhalese, whether man or woman, would venture out of the house without a bunch of keys venture out of the house without a bunch of keys in his hand, for without such a talisman he would in his hand, for without such a talisman he would fear that some devil might take advantage of his fear that some devil might take advantage of his weak state to slip into his body.weak state to slip into his body.

——The Golden Bough, The Golden Bough, Sir James George FrazerSir James George Frazer

Key ManagementKey Management

public-key encryption helps address public-key encryption helps address key key distribution problemsdistribution problems

have two aspects of this:have two aspects of this: distribution of public keysdistribution of public keys use of public-key encryption to use of public-key encryption to distribute distribute

secret keyssecret keys

Distribution of Public KeysDistribution of Public Keys

can be considered as using one of:can be considered as using one of: public announcementpublic announcement publicly available directorypublicly available directory public-key authoritypublic-key authority public-key certificatespublic-key certificates

Public AnnouncementPublic Announcement

users distribute public keys to recipients or users distribute public keys to recipients or broadcast to community at largebroadcast to community at large eg. append PGP keys to email messages or eg. append PGP keys to email messages or

post to news groups or email listpost to news groups or email list major weakness is forgerymajor weakness is forgery

anyone can create a key claiming to be anyone can create a key claiming to be someone else and broadcast itsomeone else and broadcast it

until forgery is discovered can masquerade as until forgery is discovered can masquerade as claimed userclaimed user

Publicly Available DirectoryPublicly Available Directory

can obtain greater security by registering can obtain greater security by registering keys with a public directorykeys with a public directory

directory must be trusted with properties:directory must be trusted with properties: contains {name,public-key} entriescontains {name,public-key} entries participants register securely with directoryparticipants register securely with directory participants can replace key at any timeparticipants can replace key at any time directory is periodically publisheddirectory is periodically published directory can be accessed electronicallydirectory can be accessed electronically

still vulnerable to tampering or forgerystill vulnerable to tampering or forgery

Public-Key AuthorityPublic-Key Authority

improve security by tightening control over improve security by tightening control over distribution of keys from directorydistribution of keys from directory

has properties of directoryhas properties of directory and requires users to know public key for and requires users to know public key for

the directorythe directory then users interact with directory to obtain then users interact with directory to obtain

any desired public key securelyany desired public key securely does require real-time access to directory does require real-time access to directory

when keys are neededwhen keys are needed

Public-Key AuthorityPublic-Key Authority

Public-Key CertificatesPublic-Key Certificates

certificates allow key exchange without certificates allow key exchange without real-time access to real-time access to public-key authoritypublic-key authority

a certificate a certificate binds binds identityidentity to to public keypublic key usually with other info such as period of usually with other info such as period of

validity, rights of use etcvalidity, rights of use etc with all contents with all contents signedsigned by a trusted by a trusted

Public-Key or Certificate Authority (CA)Public-Key or Certificate Authority (CA) can be verified by anyone who knows the can be verified by anyone who knows the

public-key authorities public-key public-key authorities public-key

Public-Key CertificatesPublic-Key Certificates

Public-Key DPublic-Key Distribution of Secret istribution of Secret KeysKeys

use previous methods to obtain public-keyuse previous methods to obtain public-key can use for secrecy or authenticationcan use for secrecy or authentication but public-key algorithms are slowbut public-key algorithms are slow so usually want to use private-key so usually want to use private-key

encryption to protect message contentsencryption to protect message contents hence need a session keyhence need a session key have several alternatives for negotiating a have several alternatives for negotiating a

suitable sessionsuitable session

Simple Secret Key Simple Secret Key DistributionDistribution

proposed by Merkle in 1979proposed by Merkle in 1979 A generates a new temporary public key pairA generates a new temporary public key pair A sends B the public key and their identityA sends B the public key and their identity B generates a session key K sends it to A B generates a session key K sends it to A

encrypted using the supplied public keyencrypted using the supplied public key A decrypts the session key and both useA decrypts the session key and both use

problem is that an opponent can intercept problem is that an opponent can intercept and impersonate both halves of protocoland impersonate both halves of protocol

Public-Key Distribution of Secret Public-Key Distribution of Secret KeysKeys

if have securely exchanged public-keys:if have securely exchanged public-keys:

Hybrid Key DistributionHybrid Key Distribution

retain use of private-key KDCretain use of private-key KDC shares secret master key with each usershares secret master key with each user distributes session key using master keydistributes session key using master key public-key used to distribute master keyspublic-key used to distribute master keys

especially useful with widely distributed usersespecially useful with widely distributed users rationalerationale

performanceperformance backward compatibilitybackward compatibility

Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange

first public-key type scheme proposed first public-key type scheme proposed by Diffie & Hellman in 1976 along with the by Diffie & Hellman in 1976 along with the

exposition of public key conceptsexposition of public key concepts note: now know that note: now know that WilliamsonWilliamson (UK CESG) (UK CESG)

secretly proposed the concept in 1970 secretly proposed the concept in 1970 is a practical method for public exchange is a practical method for public exchange

of a secret keyof a secret key used in a number of commercial productsused in a number of commercial products

Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange

a public-key distribution scheme a public-key distribution scheme cannot be used to exchange an arbitrary message cannot be used to exchange an arbitrary message rather it can establish a common key rather it can establish a common key known only to the two participants known only to the two participants

value of key depends on the participants (and value of key depends on the participants (and their private and public key information) their private and public key information)

based on exponentiation in a finite (Galois) field based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy(modulo a prime or a polynomial) - easy

security relies on the difficulty of computing security relies on the difficulty of computing discrete logarithms (similar to factoring) – harddiscrete logarithms (similar to factoring) – hard

Diffie-Hellman SetupDiffie-Hellman Setup

all users agree on global parameters:all users agree on global parameters: large prime integer or polynomial large prime integer or polynomial qq aa being a primitive root mod being a primitive root mod qq

each user (eg. A) generates their keyeach user (eg. A) generates their key chooses a secret key (number): chooses a secret key (number): xxAA < q < q

compute their compute their public keypublic key: : yyAA = = aaxxAA mod q mod q

each user makes public that key each user makes public that key yyAA

Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange

shared session key for users A & B is Kshared session key for users A & B is KABAB: :

KKABAB = = aaxxA.A.xxBB mod q mod q

= y= yAA

xxBB mod q (which mod q (which BB can compute) can compute)

= y= yBB

xxAA mod q (which mod q (which AA can compute) can compute)

KKABAB is used as session key in private-key is used as session key in private-key encryption scheme between Alice and Bobencryption scheme between Alice and Bob

if Alice and Bob subsequently communicate, they if Alice and Bob subsequently communicate, they will have the will have the samesame key as before, unless they key as before, unless they choose new public-keys choose new public-keys

attacker needs an x, must solve discrete logattacker needs an x, must solve discrete log

Diffie-Hellman Example Diffie-Hellman Example

users Alice & Bob who wish to swap keys:users Alice & Bob who wish to swap keys: agree on prime agree on prime q=353q=353 and and aa=3=3 select random secret keys:select random secret keys:

A chooses A chooses xxAA=97, =97, B chooses B chooses xxBB=233=233 compute respective public keys:compute respective public keys:

yyAA==3397 97 mod 353 = 40 mod 353 = 40 (Alice)(Alice)

yyBB==33233233 mod 353 = 248 mod 353 = 248 (Bob)(Bob)

compute shared session key as:compute shared session key as: KKABAB= y= yBB

xxAA mod 353 = mod 353 = 2482489797 = 160 = 160 (Alice)(Alice)

KKABAB= y= yAAxxBB mod 353 = mod 353 = 4040

233233 = 160 = 160 (Bob)(Bob)

Key Exchange ProtocolsKey Exchange Protocols users could create random private/public users could create random private/public

D-H keys each time they communicateD-H keys each time they communicate users could create a known private/public users could create a known private/public

D-H key and publish in a directory, then D-H key and publish in a directory, then consulted and used to securely consulted and used to securely communicate with themcommunicate with them

both of these are vulnerable to a meet-in-both of these are vulnerable to a meet-in-the-Middle Attackthe-Middle Attack

authentication of the keys is neededauthentication of the keys is needed

Elliptic Curve CryptographyElliptic Curve Cryptography

majority of public-key crypto (RSA, D-H) majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic use either integer or polynomial arithmetic with very large numbers/polynomialswith very large numbers/polynomials

imposes a significant load in storing and imposes a significant load in storing and processing keys and messagesprocessing keys and messages

an alternative is to use elliptic curvesan alternative is to use elliptic curves offers same security with smaller bit sizesoffers same security with smaller bit sizes newer, but not as well analysednewer, but not as well analysed

Real Elliptic CurvesReal Elliptic Curves an an elliptic curve is defined by an elliptic curve is defined by an

equation in two variables x & y, with equation in two variables x & y, with coefficientscoefficients

consider a cubic elliptic curve of formconsider a cubic elliptic curve of form yy22 = = xx33 + + ax ax + + bb where x,y,a,b are all real numberswhere x,y,a,b are all real numbers also define zero point Oalso define zero point O

have addition operation for elliptic curvehave addition operation for elliptic curve geometrically sum of Q+R is reflection of geometrically sum of Q+R is reflection of

intersection Rintersection R

Real Elliptic Curve ExampleReal Elliptic Curve Example

Finite Elliptic CurvesFinite Elliptic Curves

Elliptic curve cryptography uses curves Elliptic curve cryptography uses curves whose variables & coefficients are finitewhose variables & coefficients are finite

have two families commonly used:have two families commonly used: prime curves prime curves EEpp(a,b)(a,b) defined over Z defined over Zpp

• use integers modulo a primeuse integers modulo a prime• best in softwarebest in software

binary curves binary curves EE22mm(a,b)(a,b) defined over GF(2 defined over GF(2nn))• use polynomials with binary coefficientsuse polynomials with binary coefficients• best in hardwarebest in hardware

Elliptic Curve CryptographyElliptic Curve Cryptography

ECC addition is analog of modulo multiplyECC addition is analog of modulo multiply ECC repeated addition is analog of ECC repeated addition is analog of

modulo exponentiationmodulo exponentiation need “hard” problem equiv to discrete logneed “hard” problem equiv to discrete log

Q=kPQ=kP, where Q,P belong to a prime curve, where Q,P belong to a prime curve is “easy” to compute Q given k,Pis “easy” to compute Q given k,P but “hard” to find k given Q,Pbut “hard” to find k given Q,P known as the elliptic curve logarithm problemknown as the elliptic curve logarithm problem

Certicom example: Certicom example: EE2323(9,17)(9,17)

ECC Diffie-HellmanECC Diffie-Hellman

can do key exchange analogous to D-Hcan do key exchange analogous to D-H users select a suitable curve users select a suitable curve EEpp(a,b)(a,b) select base point select base point G=(xG=(x11,y,y11))

with large order n s.t. with large order n s.t. nG=OnG=O A & B select private keys A & B select private keys nnAA<n, n<n, nBB<n<n compute public keys: compute public keys: PPAA=n=nAAG, G, PPBB=n=nBBGG compute shared key: compute shared key: KK=n=nAAPPBB,, KK=n=nBBPPAA

same since same since KK=n=nAAnnBBGG

ECC Encryption/DecryptionECC Encryption/Decryption

several alternatives, will consider simplestseveral alternatives, will consider simplest must first encode any message M as a point on must first encode any message M as a point on

the elliptic curve Pthe elliptic curve Pmm

select suitable curve & point G as in D-Hselect suitable curve & point G as in D-H each user chooses private key each user chooses private key nnAA<n<n

and computes public key and computes public key PPAA=n=nAAGG

to encrypt Pto encrypt Pmm : : CCmm={kG, P={kG, Pmm+kP+kPbb}}, k random, k random

decrypt Cdecrypt Cmm compute: compute:

PPmm++kkPPbb––nnBB((kGkG) = ) = PPmm++kk((nnBBGG)–)–nnBB((kGkG) = ) = PPmm

ECC SecurityECC Security

relies on elliptic curve logarithm problemrelies on elliptic curve logarithm problem fastest method is “Pollard rho method”fastest method is “Pollard rho method” compared to factoring, can use much compared to factoring, can use much

smaller key sizes than with RSA etcsmaller key sizes than with RSA etc for equivalent key lengths computations for equivalent key lengths computations

are roughly equivalentare roughly equivalent hence for similar security ECC offers hence for similar security ECC offers

significant computational advantagessignificant computational advantages

Comparable Key Sizes for Comparable Key Sizes for Equivalent SecurityEquivalent Security

Symmetric scheme

(key size in bits)

ECC-based scheme

(size of n in bits)

RSA/DSARSA/DSA

(modulus size in bits)

5656 112 512

80 160 1024

112 224 2048

128 256 3072

192 384 7680

256 512 15360

SummarySummary

have considered:have considered: distribution of public keysdistribution of public keys public-key distribution of secret keyspublic-key distribution of secret keys Diffie-Hellman key exchangeDiffie-Hellman key exchange Elliptic Curve cryptographyElliptic Curve cryptography