Electronic Payment Systems 20-763 Lecture 6 Epayment Security II

20-763 ELECTRONIC PAYMENT SYSTEMS

FALL 2002

COPYRIGHT © 2002 MICHAEL I. SHAMOS

Electronic Payment Systems20-763

Lecture 6Epayment Security II


FALL 2002


Public-Key (Asymmetric) Encryption

1. USERS WANT TO SEND PLAINTEXT TO RECIPIENT WEBSITE

2. SENDERS USE SITE’S PUBLIC KEY FOR ENCRYPTION

3. SITE USES ITS PRIVATE KEY FOR DECRYPTION

4. ONLY WEBSITE CAN DECRYPT THE CIPHERTEXT. NO ONE ELSE KNOWS HOW

SOURCE: STEIN, WEB SECURITY


FALL 2002


Public-Key Encryption• Alice wants to send Bob a secure message M.• Alice uses Bob’s public key to encrypt M.• Bob uses his private key to decrypt M.• Bob is the ONLY ONE who can do this,

so M is secure.• Problem: Anyone could have sent it. Was it really Alice?

ALICE’SCLEARTEXT

ALICE’SCODEDTEXT

ALICE’SCODEDTEXT

ALICE’SCLEARTEXT

TRANSM ISSION

BOB DECRYPTS WITHHIS PRIVATE KEY

ALICE ENCRYPTS WITHBOB’S PUBLIC KEY

BOB’SPUBLIC

KEY

BOB’SPRIVATE

KEY


FALL 2002


Digital Authentication• Alice wants to send Bob a message M so that Bob is sure Alice

is the sender.• Alice uses her own private key to encrypt M.• Bob uses Alice’s public key to decrypt M.• Alice is the ONLY ONE who could have sent it.• Problem 1: Anyone can read it! Problem 2: Replay attack!

ALICE’SCLEARTEXT

ALICE’SCODEDTEXT

ALICE’SCODEDTEXT

ALICE’SCLEARTEXT

TRANSM ISSION

BOB DECRYPTS WITHALICE’S PUBLIC KEY

ALICE ENCRYPTS WITHHER PRIVATE KEY

ALICE’SPRIVATE

KEY

ALICE’SPUBLIC

KEY


FALL 2002


Secure Authenticated Messages• Alice must send Bob a secret & authenticated message M so

Bob is sure it was sent by Alice. Use both encryption and signature.

ALICE’SCODEDTEXT

ALICE’SCODEDTEXT

(AUTHENTICATED)

ALICE’SCLEARTEXT

BOB DECRYPTS WITHALICE’S PUBLIC KEY

ALICE ENCRYPTS WITHHER PRIVATE KEY

ALICE ENCRYPTS WITHBOB’S PUBLIC KEY

ALICE’SCODED AND

SIGNED TEXT

ALICE’SCODED AND

SIGNED TEXT

T R A NSMI

T

ALICE’SCLEAR TEXT

(DECRYPTED ANDAUTHENTICATED)

BOB DECRYPTS WITHHIS PRIVATE KEY

BOB’S PUBLIC

ALICE’S PUBLIC

BOB’S PRIVATE

ALICE’S PRIVATE

4 KEYSNEEDED:


FALL 2002


One-Way Trapdoor Function

• A function that is easy to compute• Computationally difficult to invert without knowing the

secret (the “trapdoor”)• Example: f (x, y) = x•y• Given f (x, y), it is difficult to find either x or y• Given f (x, y) and x (the secret), it is easy to find y• Any one-way trapdoor function can be used in public-

key cryptography.


FALL 2002


Rivest-Shamir-Adelman (RSA)

• It is easy to multiply two numbers but apparently hard to factor a number into a product of two others.

• Given p, q, it is easy to compute n = p • q• Example: p = 5453089; q = 3918067• Easy to find n = 21365568058963• Given n, hard to find two numbers p, q with p • q = n• Now suppose n = 7859112349338149

What are p and q such that p • q = n ?• Multiplication is a one-way function• RSA exploits this fact in public-key encryption


FALL 2002


RSA Encryption

• Select two large prime numbers p, q (e.g. 1024 bits)• Let n = p • q• Choose a small odd integer e that does not divide

m = (p - 1)(q - 1). Then x(p-1)(q-1) = 1 (mod n)• Compute d = e-1(mod m)

– That is, d • e gives remainder 1 when divided by m– Then xe

•d = x (mod n) (by Fermat’s “Little” Theorem)

• Public key is the pair (e, n)• Private key is the pair (d, n)• Knowing (e, n) is of no help in finding d. Still need p

and q, which involves factoring n


FALL 2002


0 1 2 3 4 5 6

0 0 0 0 0 0 0 0

1 0 1 2 3 4 5 6

2 0 2 4 6 1 3 5

3 0 3 6 2 5 1 4

4 0 4 1 5 2 6 3

5 0 5 3 1 6 4 2

6 0 6 5 4 3 2 1

MULTIPLICATIONMOD 7

INVERSE OF 5 IS 3

Multiplicative InversesOver Finite Fields

• The inverse e-1 of a number e satisfies e-1 • e = 1• The inverse of 5 is 1/5• If we only allow numbers from 0 to n-1 (mod n), then for special

values of n, each e has a unique inverse

6 • 2 = 12WHEN DIVIDED BY 7GIVES REMAINDER 5

EACH ROW EXCEPTTHE ZERO ROWHAS EXACTLY ONE 1

EACH ELEMENT HASA UNIQUE INVERSE


FALL 2002


RSA Encryption

• Message M is a number

• To encrypt message M using key (e, n):• Compute C(M) = M

e (mod n)

• To decrypt message C using key (d, n):• Compute P(C) = C

d (mod n)

• Note that P(C(M)) = C(P(M)) = (M e)d (mod n)

= M e•d (mod n) = M

because e • d = 1 and m = (p-1)(q-1) • DEMO


FALL 2002


RSA Example

p = 61; q = 53n = pq = 3233 (modulus, can be given to others)e = 17 (public exponent, can be given to others)d = 2753 (private exponent, kept secret!)PUBLIC KEY = (3233, 17)PRIVATE KEY = (3233, 2753)

To encrypt 123, compute 12317 (mod 3233) = 337587917446653715596592958817679803 mod 3233 = 855

To decrypt 855, compute 8552753 (mod 3233) = 123 (intermediate value has 8072 digits)

SOURCE: FRANCIS LITTERIO

37 digits


FALL 2002


Trapdoor Functions for Cryptogrpahy

• Any one-way trapdoor function f(x) can be used for public-key cryptography

• Alice wants to send message m to Bob• Bob’s public key e is a parameter to the trapdoor

function fe(x) (the inverse fe -1(x) is easy to compute

knowing Bob’s private key d but difficult without d)

• Alice computes fe(m), sends it to Bob

• Bob computes fe -1(fe(m)) = m (easy if d is known)

• Eavesdropper Eve can’t compute m = fe -1(fe(m))

without the trapdoor d to find the inverse fe -1


FALL 2002


Digital Signatures

• A handwritten signature is a function of the signer only, not the message

• Handwritten signatures can be copied and forged• The digital equivalent of a handwritten signature

would be useless in eCommerce• Must be able to

– Compare it with the “real” signature; AND– Must be sure it isn’t copied or forged

• How can A prove his identity over the Internet?


FALL 2002


Digital Signatures

• A digital signature is a function of both the signer and the message

• A digital signature is a digest of the message encrypted with the signer’s private key

MESSAGE M (LONG)

HASH

SIG

USE SECURE HASH ALGORITHM (SHA) TO PRODUCE HASH (MESSAGE DIGEST)

ENCRYPT HASH USING SIGNER’S PRIVATE KEYPRIVATE KEYOF MR. A

THIS IS THE DIGITAL SIGNATUREOF MR. A ON MESSAGE M


FALL 2002


Authentication by Digital Signature

MESSAGE (LONG)

HASHHASH

RECIPIENT USES SHATO COMPUTE HASH

RECIPIENT DECRYPTS SIGWITH SIGNER’S PUBLIC KEY

MESSAGE (LONG)SIG

IF HASHES ARE EQUAL, MESSAGE IS AUTHENTIC.

WHY? IF ANY BIT OF M OR SIG IS ALTERED, HASH CHANGES.

RECIPIENT RECEIVES SIG + MESSAGE

=?


FALL 2002


Digital Signature• Message digest encrypted with signer’s private key

MESSAGE (LONG)SIG

APPEND SIGNATURE TO MESSAGE; SEND BOTH

MESSAGE (LONG)

HASH

SIG

USE SHA TO PRODUCE HASH (MESSAGE DIGEST)

ENCRYPT HASH WITH SIGNER’S PRIVATE KEY

Recipient decrypts SIG with signer’s public key.Recipient computes the message digest.If it matches the SIG, the SIG is genuine AND the message has not been altered!

PRIVATE KEY


FALL 2002


Discrete Logarithms

• If ab = c, we say that logac = b

• Example: 232 = 4294927296 so log2(4294927296) = 32

• Computing ab and logac are both easy for real numbers

• In a finite field, it is easy to calculate c = ab mod p but given c, a and p it is very difficult to find b

• This is the “discrete logarithm” problem

• Analogy: Given x it is easy to find two real numbers y, z such that x = y•z

• Given an integer n it is hard to find two integers p, q such that n = p•q


FALL 2002


Diffie-Hellman Key Exchange• Object: allow Alice and Bob to exchange a secret key• Protocol has two public parameters: a prime p and a

number g < p such that given 0 < n < p there is some k such that gk = n (g is called a generator)

• Alice and Bob generate random private values a, b between 1 and p-2

• Alice’s public value is ga (mod p); Bob’s is gb (mod p)• Alice and Bob share their public values• Alice computes (gb)a (mod p) = gba

• Bob computes (ga)b (mod p) = gab = gba

• Let key = gab. Now both Alice and Bob have it.• No one else can compute it -- they don’t know a or b


FALL 2002


El Gamal Encryption

• Based on the discrete logarithm

• Bob’s public key is (p, q, r)• Bob’s private key is s such that r = qs mod p

• Alice sends Bob the message m by picking a random secret number k and sending

(a, b) = (qk mod p, mrk mod p)• Bob computes

b (as )-1 mod p = mrk (qks)-1 = mqks (qks)-1 = m

• (Bob knows s; nobody else can do this)


FALL 2002


Elliptic Curve Cryptography (ECC)

• An elliptic curve is the set of points (x, y) satisfyingy2 + axy + by = x3 + cx2 + dx + e

x

y

An elliptic curve has the property that aline drawn between two points of the curveintersects the curve at a single point.(Warning: need to include the point at infinity.)

This allows us to define P + Q so that the sumis always another point on the curve.

If the sum P + Q is always on the curve, so arethe points P, P + P, P + P + P, . . . = P, 2P, 3P, 4P, . . .

ONLINE TUTORIAL


FALL 2002


Elliptic Curve Operations

SOURCE: INTEGRITY SCIENCES

The point at infinity Ois an identity elementfor addition


FALL 2002


Elliptic Curves Over Finite Fields

• Select a large prime number p

• Choose two non-negative integers a and b with4a2 + 27b2 0 (mod p)

• The pairs (x, y) with x, y < p that satisfyy2 = x3 + ax + b (mod p) are the elliptic group mod p– addition is closed and associative (x + y) + z = x + (y + z)

– there is an identity element O such that x + O = x

– every element x has an inverse x-1 such that x + x-1 = O

• If y = k x (mod p), then given k and x it is easy to find y but given x and y it is computationally hard to find k

• So elliptic curves can be used for cryptography


FALL 2002


Elliptic Curves for El Gamal

• Multiplication in the elliptic group corresponds to exponentiation of real numbers

• Solving y = k x (mod p) for k in the elliptic group is similar to solving c = ab (mod p) for b in El Gamal (discrete logarithm)

• Choose a special point g of the group (called a generator)

• Bob’s private key is s; Bob’s public key is (g, s g)

• A plaintext message m is transformed to a point x in the group

• Alice encrypts x by picking a random value k and sending(k g, x + k s g)

• Bob decrypts by computing (x + k s g) - (k g) s = x

Alice sent him these Bob knows s (his private key)

g and sg are public; Alice knows x and k

Can’t find sfrom g and sg


FALL 2002


Security of ECC versus RSA

GRAPHIC: RICHARD SOUTHERN

ECC Advantages

1. The elliptic curve logarithmproblem is harder than thediscrete logarithm problem.

2. Key size in ECC is muchsmaller for a given securitylevel.

3. ECC is complicated; fewerpeople understand it.

4. ECC is not patented.


FALL 2002


Birthday Attacks

• Dave’s birthday is Jan. 29. How many people must be in a room for the probability to be > 1/2 that someone else was born on Jan. 29?

• Probability that 1 person was not born on Jan. 29 =364/365.

• Probability that n people were not born on Jan. 29 is p(n) = (364/365)n. Now choose n so that p(n) < 0.5

• log p(n) < n log (364/635)• n > log(1/2)/log(364/365) 253• If n = 183 (half of 366), p(n) = 0.6053. Less then

40% chance that someone else has same birthday


FALL 2002


Birthday Probabilities

• Suppose a year has d days. How many people must be in a room for the probability to be > 1/2 that some pair of people have the same birthday?

• Label the people 1 … n• Probability that person i has no birthday in common with

people 1 … i -1 is (d - i + 1)/d, so

• If d = 365 and n = 23, p(n) 0.4927• If d = 365 and n = 50, p(n) 0.0296• For large d, taking n 1.17 gives p(n) > 1/2

n

d d

idn

2

1)(p

d


FALL 2002


Attacking Hash Algorithms• If two strings M and M* can be found such that

H(M) = H(M*) then a hash algorithm can be compromised• Let M = PO for $100; M* = PO for $100,000• John digitally signs H(M), so it can’t be altered!• If H(M*) = H(M) then we can “prove” in court that John

signed the $100,000 PO• Birthday attack: If the hash length is b bits, then d = 2

b ; = 2

b/2

• Try about 2 b/2 small variations of the message. Prob.

~ 50% we will find one that hashes to the same value• If the digest is 64 bits, try 232 variations. Possible!

d


FALL 2002


Major Ideas• Digital signature = message digest encrypted with signer’s private

key• Dual signature: two people sign a document without being able to

read the other person’s content• Blind signature: one person signs a document without being able

to read it• Any trapdoor function can be used for public-key cryptography• Great care must be used with public-key systems to avoid

protocol failure (allowing cracking through mistakes)• Elliptic-curve cryptography (ECC) is replacing RSA

– Shorter keys for the same level of security


FALL 2002


QA&

Date post:	31-Jan-2016
Category:	Documents
Upload:	alena
View:	22 times
Download:	0 times

Electronic Payment Systems 20-763 Lecture 6 Epayment Security II

Documents