Birthday Problem
• Strong collision resistant:
– How many tries to find two messages with same digest, if hash results are random?
• Generally, n inputs, k possible outputs
– n(n-1)/2 pairs of inputs
– Each pair has 1/k probability to share same output
– Need about k/2 pairs to have 50% probability for a matching pair, i.e. n >
4
Applications of Hash
• Authentication
• Computing MAC with hash
– Difference between MAC and hash: with and without secret key
• Encryption with message digest
• Using secret key for hash
5
MD2
• Input: an arbitrary number of octets
• Output: 128-bit message digest
• Basic idea:
– Pad message to be a multiple of 16 octets.
– Calculate and append a 16-octet checksum.
– Final pass to calculate digest.
6
MD2 Padding
• Number of padding octets
– 16 octets: if message is a multiple of 16 octets.
– number of octets (1-15) to make the message a multiple of 16 octets: otherwise.
– Each padding octet specifies number of octets padded.
7
MD4 Message Padding
• Message with padding must be a multiple of 16 32-bit words (i.e. 512 bits).
– Adding a 1 bit, followed 0 bits to leave message 64 bits less than a multiple of 512 bits.
– A 64-bit quantity representing number of bits in unpadded message, mod 264, is appended.
8
MD4 Digest Computation
• Digest has 128 bits or 4 32-bit words.
• Message processed in 512-bit (16 32-bit words) blocks.
• Final result as digest.
• Each stage makes three passes over message block.
9
MD4 Digest Computation
• Input to each stage
– 16-word message: m0, m1, m2,...m15
– 4-word digest: d0, d1, d2, d3
– Initialization before first stage: d0 = 6745230116, d1
= efcdab8916, d2 = 98badcfe16, and d3 = 1032547616
– Each pass modifies d0, d1, d2, d3 using m0, m1, m2,...m15
11
MD4 Digest Computation
• Operations
– : floor of number x
– ~x: bitwise complement
– x∧y: bitwise and
– x∨y: bitwise or
– x⊕y: bitwise exclusive or
– x+y: binary sum, with carry out bit discarded
– x y: rotate x to left by y bits
12
MD4 Message Digest Pass 1
• Selection function: F(x,y,z)=(x∧y)∨(~x∧z)
• For each word i of message: d(-i)∧3 = (d(-i)∧3 + F(d(1-i)∧3, d(2-i)∧3, d(3-i)∧3) + mi) S1(i∧3)
• where S1(i) = 3 + 4i so cycling over 3, 7, 11, 15
13
MD4 Message Digest Pass 2
• Majority function: G(x,y,z)=(x∧y)∨(x∧z) ∨(y∧z)
• For each word i of message: d(-i)∧3 = (d(-i)∧3 + G(d(1-i)∧3, d(2-i)∧3, d(3-i)∧3) + mX(i) + c) S2(i∧3)
• where X(i)= 4i – 15 , exchanging low order and high order pairs of bits in 4-bit number i
• c = = 5a82799916
• S2(0) = 3, S2(1) = 5, S2(2) = 9, S2(3) = 13
14
MD4 Message Digest Pass 3
• Function H(x,y,z)=x⊕y⊕z
• For each word i of message: d(-i)∧3 = (d(-i)∧3 + H(d(1-i)∧3, d(2-i)∧3, d(3-i)∧3) + mR(i) + c’) S2(i∧3)
• where R(i) = , i.e. reversing order of bits in 4-bit number i
• c’ = = 6ed9eba116
• S3(0) = 3, S3(1) = 9, S3(2) = 11, S3(3) = 15
15
MD5 Message Digest Computation
• Message padding same as in MD4
• Digest has 128 bits or 4 32-bit words
– Initialized to d0 = 6745230116, d1 = efcdab8916, d2 = 98badcfe16, and d3 = 1032547616
• Message processed in 512-bit (16 32-bit words) blocks
• Each stage takes four passes over message block
– each pass modifies d0, d1, d2, d3 using m0, m1, m2,...m15
16
MD5 Message Digest Pass 1
• F(x,y,z)=(x∧y)∨(~x∧z)
• d(-i)∧3 = d(1-i)∧3 + (d(-i)∧3 + F(d(1-i)∧3, d(2-i)∧3, d(3-i)∧3) + mi + Ti) S1(i∧3)
• where S1(i) = 7 + 5i
• E.g.
17
MD5 Message Digest Pass 2
• G(x,y,z)=(x∧y)∨(x∧z) ∨(y∧z)
• d(-i)∧3 = d(1-i)∧3 + (d(-i)∧3 + G(d(1-i)∧3, d(2-i)∧3, d(3-i)∧3) + m(5i+1)∧15 + Ti+17) S2(i∧3)
• where S2(i) = i(i+7)/2 + 5
• E.g.
18
MD5 Message Digest Pass 3
• H(x,y,z)=x⊕y⊕z
• d(-i)∧3 = d(1-i)∧3 + (d(-i)∧3 + H(d(1-i)∧3, d(2-i)∧3, d(3-i)∧3) + m(3i+5)∧15 + Ti+33) S3(i∧3)
• where S3(0) = 4, S3(1) = 11, S3(2) = 16, S3(3) = 23
• E.g.
19
MD5 Message Digest Pass 4
• I(x,y,z)=y⊕(x∨~z)
• d(-i)∧3 = d(1-i)∧3 + (d(-i)∧3 + I(d(1-i)∧3, d(2-i)∧3, d(3-i)∧3) + m(7i)∧15 + Ti+49) S4(i∧3)
• where S4(i) = (i+3)(i+4)/2
• E.g.
20
SHA-1
• Input: message length at most 264 bits
• Output: 160-bit digest, as 5 32-bit words ABCDE
– Initialized as A = 6745230116, B = efcdab8916, C = 98badcfe16, D = 1032547616, E = c3d2e1f016
21
SHA-1 Operation
• Padding same as MD4 and MD5
• 512-bit message block used to create 5*512-bit chunk
– First 512 bits are original block
– Otherwise, Wn = (Wn-3 ⊕Wn-8 ⊕Wn-14 ⊕Wn-16) 1
– Now 80 words W0, W1, ...W79
22
SHA-1 Operation
• For each word wt t = 0 to 79, update ABCDE
• B = old A
• C = old B 30
• D = old C
• E = old D23
SHA-256
• Message is processed in 512-bit blocks sequentially, just like SHA-1
• Message digest 256 bits instead of SHA-1’s 160 bits
• 64 rounds instead of 80 rounds of compression
• Algorithm structure same as SHA-1– Step 1: Padding bits
– Step 2: Appending length as 64 bit unsigned
– Step 3: Buffer initiation
– Step 4: Processing of message
– Step 5: Output
25
HMAC Operation
• Input: variable-length key, variable-size message
• Output: fixed-size MAC, depending on algorithm
• Idea:
– Prepend key to
message, digest it
– Prepend key to
result, digest it
27
HMAC Operation
• Key processing
– If fewer than 512 bits, pad 0 to 512 bits
– If more than 512 bits, digest key first then pad 0
• Input of first digest
–⊕ padded key with constant of value 3616
– Concatenate key with message
• Input of second digest
–⊕ padded key with constant of value 5c16
– Concatenate key with first digest28
Overview
• Traditional secret/single/private key cryptography uses one key.
– Symmetric, since parties are equal.
• Public key cryptography uses two keys
– Public key: known to everyone
– Private key: known to owner only
– Asymmetric since parties are not equal.
31
Overview
• Different public key algorithms have different functions
– Encryption and digital signatures: RSA, ECC
– Digital signatures: DSS, ElGamal
– Key establishment: Diffie-Hellman
– Authentication: zero knowledge proof systems
32
Modular Arithmetic
• Most public key algorithms are based on modular arithmetic.
• Modular arithmetic uses the non-negative integers less than some positive integer n, performs ordinary arithmetic operations, and then replaces the result with its remainder when divided by n.
– x modulo n or mod n
33
Modular Arithmetic
• Modular addition, example
– 2 + 2 = 4
– 3 + 9 = 2
– Can be used
as a cipher
• Modular subtraction can be done by adding x's additive inverse (-x).
– Since 4 + 6 = 0, -4 = 6
34
Modular Arithmetic
• Modular multiplication
– Multiplication by 1, 3, 7, or 9 works as a cipher.
– Multiplication by any other number will not.
35
Modular Arithmetic
• Modular division can be done by multiplying x's multiplicative inverse (x-1).
– Only the numbers {1, 3, 7, 9} have multiplicative inverses mod 10.
– Since 3 * 7 = 1, 3-1 =7
– Generally, Euclid's Algorithm to find multiplicative inverse.
36
Modular Arithmetic
• What's special about the numbers {1, 3, 7, 9}?
– Relatively prime to 10
– x relatively prime to y: gcd(x, y) = 1
– gcd(3, 10) = 1, gcd(6, 10) = 2
• In general, for mod n, all numbers relatively prime to n will have multiplicative inverses, and none of the other numbers will.
– mod n multiplication by any number x relatively prime to n will work as a cipher.
37
Modular Arithmetic
• How many numbers less than n are relatively prime to n?
• Totient function: φ(n)
– If n is prime, then all the integers {1, 2,...n-1} are relatively prime to n, so φ(n) = n-1.
– If n is a product of two distinct primes, say p and q, then there are (p-1)(q-1) numbers relatively prime to n, so φ(n) = (p-1)(q-1).
38
Modular Arithmetic
• Modular exponentiation is ordinary exponentiation mod n.
– 46 = 6 mod 10, since 46 = 4096 & 4096 = 6 mod 10
39
Modular Arithmetic
• Exponentiation by 3 would work as a cipher.
• Exponentiation by 2 would not.
• How to find exponentiative inverse?
• xy mod n is the same as x(y mod φ(n)) mod n
– Columns 1 and 5 are the same, and 2 and 6 are the same, and 3 and 7 are the same.
• Euler's Theorem: if y = 1 mod φ(n), then for any number x with gcd(x, n) = 1, x y = x mod n.
40
RSA
• Named after inventors: Rivest, Shamir, and Adleman
• Variable key length
– Commonly used key length 512-2048 bits
– Longer key for enhanced security
• Variable block size in RSA
– Plaintext block must be smaller than key length.
– Ciphertext block will be the length of the key.
41
RSA
• Much slower than secret key algorithms like DES and IDEA.
• Not tend to encrypt long messages:
– Encrypt a secret key for key distribution, and then secret key cryptography to encrypt message.
– Encrypt hash of message as digital signature.
42
RSA
• Choose two large primes p and q
– Secret, easy to break if known
• n = p * q
– Hard to factor large numbers
• Public key <e,n>
– e: relatively prime to φ(n) = (p-1)(q-1)
• Private key <d,n>
– d: multiplicative inverse of e mod φ(n)
43
RSA
• Encryption: c = me mod n
• Decryption: m = cd mod n
• Sign message: s = md mod n
• Verify signature: m = se mod n
44
RSA Example - Key Setup
1. Select primes: p=17 & q=11
2. Compute n = pq =17 x 11=187
3. Compute ø(n)=(p–1)(q-1)=16 x 10=160
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160Value is d=23 since 23x7=161= 1x160+1
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}
45
RSA Example - En/Decryption
1. sample RSA encryption/decryption is:
2. given message M = 88 (note 88<187)
3. encryption:
C = 887 mod 187 = 11
4. decryption:
M = 1123 mod 187 = 88
46
Extended Euclidean Algorithm
• Calculate multiplicative inverse: d = e-1 mod n
• Notations:
– # of steps: 0, 1, 2…
– qi: quotient at step i
– pi: p0 = 0, p1 = 1, pi = pi-2 - pi-1 qi-2 (mod n)
47
Extended Euclidean Algorithm
• Algorithm description:
– Start by Dividing greater # by less one
– In each following step, replace greater # by less one, and less # by reminder
– If the last non-zero remainder occurs at step k, then if this remainder is 1, e has an inverse and it is pk+2.
– If the remainder is not 1, then e does not have an inverse.
48
Extended Euclidean Algorithm
• Example: 15-1 mod 26
Step 0: 26 = 15*1 + 11 p0 = 0
Step 1: 15 = 11*1 + 4 p1 = 1
Step 2: 11 = 4*2 + 3 p2 = 0 - 1*1 mod 26 = 25
Step 3: 4 = 3*1 + 1 p3 = 1 - 25*1 mod 26 = -24 mod 26 = 2
Step 4: 3 = 1*3 + 0 p4 = 25 - 2*2 mod 26 = 21
p5 = 2 - 21*1 mod 26 = -19 mod 26 = 7
49
Why Does RSA Work?
• RSA does arithmetic mod n, where n = pq.
• d is multiplicative inverse of e mod φ(n) = (p-1)(q-1)
• de = 1 mod φ(n), and thus xde = x mod n
• Decryption: cd mod n = (me mod n)d mod n
= med mod n
= m mod n
• Signature: se mod n = med mod n = m mod n
50
Why is RSA Secure?
• Factoring a big number is hard.
– To factor a 512-bit number with best known techniques would take about 30,000 MIPS-years.
• If you can factor quickly, you can break RSA.
– Given public key <e,n>
– Factor n to obtain p and q, s.t. n = p * q
– Calculate φ(n) = (p-1)(q-1)
– Calculate d = e-1 mod φ(n)
– Get private key <d,n>
51
Possible Misuse of RSA
• Send Alice a message, which is the name of a person in the class.
• Encrypt the name with Alice’s public key.
• Attacker cannot decrypt the ciphertext.
• But can encrypt every name in the class and compare it with the ciphertext.
– Brute force attack.
• How to improve?
52
Efficiency of RSA
• Encryption, decryption, signing, and verifying signatures all involve
– taking a large number,
– raising it to a large power, and
– finding the remainder mod a large number.
• 12354 mod 678
– Direct calculation: 12354 has about 100 digits
– Fast
53
Efficiency of RSA
• Faster
• If exponent not a power of 2
– 54 is 1101102. Compute 123 raised to a sequence of powers: 12, 112, 1102, 11012, 110112, 1101102.
– Each successive power is either twice the preceding power or one more than.
54
Efficiency of RSA
• Faster
• In other words
– 54 =(((((1)2+1)2)2+1)2+1)2, so
– 12354 = (((((123)2123)2)2123)2123)2 = 87 mod 678
55
Efficiency of RSA
• In general, to perform exponentiation of a base to an exponent, start with your value set to 1.
• As read the exponent in binary bit by bit from high-order bit to low-order bit, square your value, and if the bit is a 1 you then multiply by the base.
• Perform modular reduction after each operation to keep the intermediate results small.
56
Exponentiation
f = 1
for i = k downto 0
do f = (f x f) mod n
if bi == 1 then
f = (f x a) mod n
return f
a: base
b = bk…b0: binary exponent
k: number of bits for power
f: result
57
Generating RSA Keys
• p and q are primes, which thin out as numbers get big.
– probability of random number n being prime: 1/ln n
• Test whether a number is prime.
– Naive method: divide n by all numbers
• Test the probability of a number being prime.
– Euler's Theorem: For any a relatively prime to n, aφ(n) = 1 mod n.
– If n is a prime, φ(n) = n – 1.
– Fermat's Theorem: If p is prime and 0 < a < p, ap-1 = 1 mod p.
58
Generating RSA Keys
• For a number n, pick a number a < n, compute an-1 mod n, and see if the answer is 1.
– If it is not 1, n is certainly not prime.
– If it is 1, n may or may not be prime.
– If n is a randomly generated number of about a hundred digits, the probability that n isn't prime but an-1 mod n = 1 is about 1 in 1013.
59
Generating RSA Keys
• Cost of such a mistake.
– RSA might fail; could not decrypt a message.
– Attacks might compute private key easier.
• If risk of 1 in 1013 is unacceptable, the primality test can be made more reliable.
– By trying many values for a, we can make the probability of falsely identifying n as prime inconceivably small.
60
Generating RSA Keys
• Find e that is relatively prime to (p-1)(q-1)
– After p and q are selected, choose e at random. Test if e is relatively prime to (p-1)(q-1). If not, continue.
– Don't pick p and q first. Instead, first choose e, then select p and q carefully so that (p-1) and (q-1) are guaranteed to be relatively prime to e.
• e can be small or even constant, since d is hard to calculate.
– But d must not be small, why?
61
Generating RSA Keys
• Popular value of e: 3
– Fast encryption
– If m is small, needs to be padded with a random number before encryption; otherwise, m =
– Can choose p or q by selecting an odd number, multiplying by 3 and add 2.
• Popular value of e: 65537
– 216+1, two 1s in binary format, easy encryption
– Large prime number
62
RSA Threats
• x < n is a signature of xe mod n.
• Smooth number: product of small primes.
• If the attacker sees signature on m1 and m2, she can compute signature on m1·m2, and on m1/m2, and m1
j, and on m1j·m2
k.
– (m12)d mod n = (m1
d)2 mod n = (m1d mod n)2 mod n
63
RSA Threats
• If e = 3
– Attacker sees m3 mod n1, m3 mod n2, and m3 mod n3 and knows <3, n1>, <3, n2>, <3, n3>.
– Attacker can compute m3 mod n1n2n3.
– Since m is smaller than each ni, m3 will be smaller
than n1n2n3, so m3 mod n1n2n3 will just be m3.
– Therefore, the bad guy can compute the ordinary cube root of m3, giving m.
64
Example
• Perform encryption and decryption using the RSA algorithm for: p = 11, q = 11, e = 7, M = 5.
65
Public-Key Cryptography Standard (PKCS)
• A set of standards tor recommend encodings for RSA
• Threats that PKCS deals with:
– encrypting guessable messages
– signing smooth numbers
– multiple recipients of a message when e = 3
– encrypting messages that are less than a third the length of n when e = 3
– signing messages where the information is in the high-order part and e = 3
66
Public-Key Cryptography Standard (PKCS)
• Encryption: standard for formatting a message to be encrypted with RSA.
– First octet guarantees message smaller than n
– Second octet: PKCS type for encryption
– Nonzero second octet guarantees to be more than a third the length of n
– Random padding infeasible for attacker to guess
– Different paddings for different recipients
67
Public-Key Cryptography Standard (PKCS)
• Signing: standard for formatting a message to be encrypted with RSA
– First octet of 0 ensures quantity be less than n
– Second octet: PKCS type for signing
– Padding ensures a non-smooth number
– Digest type to indicate digest function
68
Diffie-Hellman
• Oldest public key system.
• Allow two individuals to agree a shared key.
– Start with on secrets.
– Exchange messages only in public.
• Weakness: no authentication
– Will see an attack later.
69
Diffie-Hellman
• Publicly known: p and g
– p is a large prime, g is a number less than p
• Each chooses a 512-bit number at random and keeps it secret, SA and SB.
– TA = mod p
– TB = mod p
– Exchange TA and TB to calculate shared key
70
Diffie-Hellman
• Nobody else can calculate in a reasonable amount of time,
• Even though they know and .
– Discrete logarithms are hard.
71
Diffie-Hellman Example
• users A & B who wish to swap keys:
• agree on prime p=353 and g=3
• select random secret keys:– A chooses SA=97, B chooses SB=233
• compute respective public keys:– TA=3
97 mod 353 = 40 (Alice)
– TB=3233
mod 353 = 248 (Bob)
• compute shared session key as:– KAB= TB
SA mod 353 = 24897
= 160 (A)
– KAB= TASB mod 353 = 40
233= 160 (B)
72
Man-in-the-Middle Attack
• No way for Alice to know TB is from Bob.
• Assume Mr. X in the middle between A and B.
– X intercepts and , and sends instead
73
Defenses Against Man-in-the-Middle Attack
• Diffie-Hellman alone cannot detect the intruder in the middle.
• Published Diffie-Hellman numbers:
– Use permanent public and secret number.
– Every one publishes public number.
– Compute key by own secret number and public number of other party.
• Authenticated Diffie-Hellman.
74
Encryption with Diffie-Hellman
• Communicate without active exchange first.
• Bob publishes <pB, gB, TB>, TB = mod pB
• Alice Selects SA
– Compute mod pB and KAB = mod pB
– Use KAB to encrypt message
• Bob
– Compute KAB = mod pB
– Use KAB to decrypt message
75
ElGamal Signatures
• Each has long-term public/private key pair.
– Public key: <g, p, T>
– Secret key: S, where gS mod p = T
• Different public/private key pair for each msg
– For message m, choose random number Sm and compute gSm mod p = Tm.
– Compute message digest of dm = MD(m|Tm)
– Calculate signature X = Sm + dmS mod (p-1)
76
ElGamal Signatures
• Transmit m, X, and Tm, to verify signature,
– Compute dm
– Check that gX = TmTdm mod p, because
77
Digital Signature Standard (DSS)
• NIST proposed the Digital Signature Algorithm (DSA). As a standard it is known as DSS.
• Based on ElGamal but faster.
• DSS allows the signer to precalculate its inverse before it even has a message.
– Taking inverses is the most computationally expensive part of DSS.
78
Digital Signature Standard (DSS)
• Generate p and q (which will be public).
– q: 160-bit prime, p: 512-bit prime p of the form kq+1
– Expensive operation, but not often.
• Generate g (which will be public).
– gq = 1 mod p
– Done by taking random h, g = h(p-1)/q, gq = hp-1 = 1
• Choose long-term public/private key pair <T, S>.
– Choose random S < q and set T = gS mod p
79
Digital Signature Standard (DSS)
• Choose a per message public/private key pair <Tm, Sm>.
– Choose random Sm and set Tm = ((gSm mod p) mod q)
– Can calculate Sm-1 mod q in advance
• Calculate a message digest dm of the message.
– Hash algorithm SHS (Secure Hash Standard) generates 160-bit digest.
• Compute the signature X = Sm-1(dm + STm) mod q.
80
Digital Signature Standard (DSS)
• Transmit all relevant information:
– message m, per msg public number Tm, signature X.
– T, p, q, and g are publicly known.
• Verify the signature:
– Calculate the mod q inverse of the signature, X-1
– Calculate dm
– Calculate x = dm· X-1 mod q
– Calculate y = Tm· X-1 mod q
– Calculate z = (gx · Ty mod p) mod q
– If z = Tm, then the signature is verified.
81
Why Does the Verification Procedure Work
• Let v = (dm + STm)-1 mod q. Then
– X-1 = (Sm-1(dm + STm))-1 = Sm(dm + STm)-1 = Smv mod q,
– x = dm· X-1 = dmSmv mod q,
– y = Tm· X-1 = TmSmv mod q,
–
82
Why Is This Secure
• Difficulty of discrete logarithms.
• Signing something does not divulge the private key S.
• Nobody should be able to generate a signature for a given message without knowing S.
• Nobody should be able to generate a message that matches a given signature.
• Nobody should be able to modify a signed message in a way that keeps the same signature valid.
83
Per-Message Secret Number
• Unique secret number per message Sm
• If Sm is known
– Xm = Sm-1(dm + STm) mod q
– Tm = gSm mod p mod q
– (XmSm - dm)Tm-1 mod q = S mod q
• If m and m' are signed using the same Sm
– (Xm - Xm')-1(dm - dm') mod q = Sm mod q
84
Elliptic Curve Cryptography (ECC)
• Secure with much smaller key sizes
• Define arithmetic operation based on elliptic curves
– Addition, multiplication, exponentiation
• Two types of arithmetic
– Zp arithmetic (modular arithmetic with large prime p as modulus): for hardware implementation
– GF(2n) arithmetic, which can be done with shifts and ⊕s: for software implementaion
85