CMSC 414 Computer and Network Security Lecture 7

  • Slides: 21
Download presentation
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz

Public-key cryptography

Public-key cryptography

The public-key setting ¨ A party (Alice) generates a public key along with a

The public-key setting ¨ A party (Alice) generates a public key along with a matching secret key (aka private key) ¨ The public key is widely distributed, and is assumed to be known to anyone (Bob) who wants to communicate with Alice – We will discuss later how this can be ensured ¨ Alice’s public key is also known to the attacker! ¨ Alice’s secret key remains secret ¨ Bob may or may not have a public key of his own

The public-key setting pk c = Encpk(m)

The public-key setting pk c = Encpk(m)

Private- vs. public-key I ¨ Disadvantages of private-key cryptography – Need to securely share

Private- vs. public-key I ¨ Disadvantages of private-key cryptography – Need to securely share keys • What if this is not possible? • Difficult to distribute/manage keys in a large organization • Private-key crypto requires private+authenticated channel to share keys; public-key crypto requires authenticated channel – Consider communication in an n-party network: each party must store n-1 secret keys – Inapplicable in open systems (i. e. , e-commerce) • Need to know in advance the parties with whom you will communicate • Not suited for “many-to-one” communication

Private- vs. public-key II ¨ Why study private-key setting at all? – Private-key is

Private- vs. public-key II ¨ Why study private-key setting at all? – Private-key is orders of magnitude more efficient – Private-key still has domains of applicability • Military settings, disk encryption, … • Bidirectional, “one-to-one” authenticated communication – Public-key crypto is “harder” to get right • Need stronger assumptions, easier to attack – Can combine private-key primitives with public-key techniques to get the best of both (for encryption) • So still need to understand the private-key setting! – Can distribute keys using trusted entities (KDCs)

Private- vs. public-key III ¨ Public-key cryptography is not a cure-all – Still requires

Private- vs. public-key III ¨ Public-key cryptography is not a cure-all – Still requires authenticated distribution of public keys • May (sometimes) be just as hard as sharing a key • Technically speaking, requires only an authenticated channel instead of an authenticated + private channel – Not clear with whom you are communicating (unless the sender has a public key) – Can be too inefficient for certain applications

Cryptographic primitives Private-key setting Public-key setting Confidentiality Private-key encryption Public-key encryption Integrity Message authentication

Cryptographic primitives Private-key setting Public-key setting Confidentiality Private-key encryption Public-key encryption Integrity Message authentication codes Digital signature schemes

Public-key encryption ¨ Key-generation algorithm: randomized algorithm that outputs (pk, sk) ¨ Encryption algorithm:

Public-key encryption ¨ Key-generation algorithm: randomized algorithm that outputs (pk, sk) ¨ Encryption algorithm: – Takes a public key and a message (plaintext), and outputs a ciphertext; c Epk(m) ¨ Decryption algorithm: – Takes a private key and a ciphertext, and outputs a message (or perhaps an error); m = Dsk(c) ¨ Correctness: for all (pk, sk), Dsk(Epk(m)) = m

Security? ¨ Just as in the case of private-key encryption, but the attacker gets

Security? ¨ Just as in the case of private-key encryption, but the attacker gets to see the public key pk – For all m 0, m 1, no adversary running in time T, given pk and an encryption of m 0 or m 1, can determine the encrypted message with probability better than 1/2 + ¨ Public-key encryption must be randomized (even to achieve security against ciphertext-only attacks) ¨ In the public-key setting, security against ciphertext-only attacks implies security against chosen-plaintext attacks – And security for encryption of multiple messages

El Gamal encryption ¨ We have already (essentially) seen one encryption scheme: Receiver p,

El Gamal encryption ¨ We have already (essentially) seen one encryption scheme: Receiver p, g Sender p, g, h. A = gx h. A = g. x mod p c = (KBA m) mod p h. B, c h. B = gy mod p KAB = (h. B)x KBA = (h. A)y

El Gamal encryption ¨ (Some aspects of the actual scheme are simplified) ¨ Key

El Gamal encryption ¨ (Some aspects of the actual scheme are simplified) ¨ Key generation – Choose a large prime p, and an element g Zp* – Choose random x {0, …, p-2}, set h=gx – The public key is (p, g, h), and the private key is x ¨ Encryption – View the message m as an element of Zp* – Choose random r {0, …, p-2} – The ciphertext is (gr, hr m) ¨ To decrypt ciphertext (c 1, c 2) output c 2/c 1 x

Security? ¨ Security of El Gamal encryption is equivalent to the decisional Diffie-Hellman assumption

Security? ¨ Security of El Gamal encryption is equivalent to the decisional Diffie-Hellman assumption ¨ Best known algorithm for decisional Diffie- Hellman in Zp* runs in time ≈ exp(log p 1/3) – So if p is a 1024 -bit prime, best current attack on El Gamal encryption requires time ≈ 260 ¨ In other groups, the Diffie-Hellman problem is currently ‘harder’ – E. g. , for elliptic curve groups, best current algorithms require time exp(log |G|/2) – Can use ~120 -bit group elements to get 260 security

RSA background ¨ N=pq, p and q distinct, odd primes ¨ (N) = (p-1)(q-1)

RSA background ¨ N=pq, p and q distinct, odd primes ¨ (N) = (p-1)(q-1) – Easy to compute (N) given the factorization of N – Hard to compute (N) without the factorization of N ¨ Fact: for all x ZN*, it holds that x (N) = 1 mod N – Proof: take CMSC 456! ¨ If ed=1 mod (N), then for all x it holds that (xe)d = x mod N I. e. , given d, we can compute eth roots

We have an asymmetry! ¨ Let e be relatively prime to (N) – Needed

We have an asymmetry! ¨ Let e be relatively prime to (N) – Needed so that ed=1 mod (N) has a solution ¨ Given e and the factors of N, can compute d and hence compute eth roots ¨ Without the factorization of N, no apparent way to compute eth roots ¨ Let’s use this to encrypt…

Hardness of computing eth roots? ¨ The RSA problem: – Given N, e, and

Hardness of computing eth roots? ¨ The RSA problem: – Given N, e, and c, compute c 1/e mod N ¨ If factoring is easy, then the RSA problem is easy ¨ We know of no other way to solve the RSA problem besides factoring N – But we do not know how to prove that the RSA problem is as hard as factoring ¨ The upshot: we believe factoring is hard, and we believe the RSA problem is hard

How hard is factoring? ¨ Best current algorithms for factoring N=pq a product of

How hard is factoring? ¨ Best current algorithms for factoring N=pq a product of two equal-length primes, run in time ≈ exp(log N 1/3) ¨ So need |N| ≈ 1024 for reasonable security ¨ Currently |N| ≈ 2048 recommended for good security margins

RSA key generation ¨ Generate random primes p, q of sufficient length ¨ Compute

RSA key generation ¨ Generate random primes p, q of sufficient length ¨ Compute N=pq and (N) = (p-1)(q-1) ¨ Compute e and d such that ed = 1 mod (N) – e must be relatively prime to (N) – Typical choice: e = 3; other choices possible ¨ Public key = (N, e); private key = (N, d)

“Textbook RSA” encryption ¨ Public key (N, e); private key (N, d) ¨ To

“Textbook RSA” encryption ¨ Public key (N, e); private key (N, d) ¨ To encrypt a message m ZN*, compute c = me mod N ¨ To decrypt a ciphertext c, compute m = cd mod N ¨ Correctness clearly holds… ¨ …what about security?

Textbook RSA is insecure! ¨ It is deterministic! ¨ Furthermore, it can be shown

Textbook RSA is insecure! ¨ It is deterministic! ¨ Furthermore, it can be shown that the ciphertext leaks specific information about the plaintext

Padded RSA ¨ Introduce randomization… ¨ Public key (N, e); private key (N, d)

Padded RSA ¨ Introduce randomization… ¨ Public key (N, e); private key (N, d) – Say |N| = 1024 bits ¨ To encrypt m {0, 1}895, – Choose random r {0, 1}128 – Compute c = (r | m)e mod N ¨ Decryption done in the natural way… ¨ Essentially this is standardized as PKCS #1 v 1. 5 (since superseded)