ee579t/3 #1 spring 2003 © 2000-2003, richard a. stanley ee579t / cs525t network security 3:...

Spring 2003© 2000-2003, Richard A. Stanley

EE579T/3 #1

EE579T / CS525TNetwork Security

3: Asymmetric Cryptography

Prof. Richard A. Stanley


EE579T/3 #2

Overview of Tonight’s Class

• Review of last week’s class

• Class projects overview

• Security in the news

• Asymmetric cryptography


EE579T/3 #3

Last Week -1

• Symmetric key cryptography uses one key, shared by all users of the cipher

• There are many weaknesses to basic crypto algorithms like the Vernam cipher

• Feistel ciphers provide a more complex algorithm that permits iterative encryption

• Feistel cipher decryption uses same process as encryption, making process simpler


EE579T/3 #4

Last Week - 2

• Block ciphers are widely used• Most commonly used block cipher today is

TDEA, operating in one of 4 modes• TDEA is limited by 64-bit block and key

size, provides poor software implementation• AES chosen to replace TDEA• Should be several years of coexistence


EE579T/3 #5

Network Security in the News

• Saturday, January 25th, Internet traffic slows dramatically due to a worm

• We’ll study worms more later in the course, but this particular worm exploited a fault in the Microsoft SQL Server software

• Patch for this fault has been around for some time, but many systems unpatched

• This is the story line for many security issues


EE579T/3 #6

Course Projects• Teams or individuals?

• Identify, through research, a meaningful network security problem (reported on as historical or one you can hypothesize)

• Analyze the problem– Why did it occur?– How could you have prevented or mitigated it?

• Prepare report and present to the class


EE579T/3 #7

DES Enciphering Computation

Feistel round


EE579T/3 #8

DES Decryption• As DES is a Feistel cipher, decryption uses the

same engine as does encryption

• For decryption:– The DES engine is precisely the same as the

encryption engine -- it is not run in reverse (e.g. with the input coming in the “bottom”)

– Instead, the key schedule is run in reverse; i.e. the first subkey used is K16, then K15, etc., finishing with K1


EE579T/3 #9

Cipher Function, f(Rn,Kn)


EE579T/3 #10

DES Mathematics

• Only two functions used– XOR– Data permutation or shifting

• At the heart of the DES engine, inside the f-box, is a Vernam cipher machine!

• Vernam, by itself, is insecure. What makes DES secure?


EE579T/3 #11

Symmetric Crypto Keys

• Ideally, are purely random numbers• This is possible because:

– The keys are prepositioned at each end

– Random numbers can be generated by capturing stellar noise, diode shot noise, etc.

– The parties need only agree on where in the key stream to start

– The key does not have to obey any mathematical function other than randomness

• Many implementations use pseudo-random


EE579T/3 #12

Key Types

• Permanent – Used for a fixed, prearranged period of time– Typically used for applications such as key

distribution, government communications, etc.

• Session– Valid only for current communications session– Destroyed after session terminates


EE579T/3 #13

Key Distribution Problem

• Secret keys must be prepositioned at all locations before secure communications can occur.

• How to do this?– Secure physical transport– Secure electronic transport

• The search for a way to accomplish this led to the development of public key cryptography, which we will study next class


EE579T/3 #14

Asymmetric Cryptography• Also known as public key cryptography• Until Diffie-Hellman in 1976, this concept was

heretical. It is still counterintuitive.– NSA, British Secret Service claim to have invented

years before, but kept secret

• Key has two parts– Public: everybody knows or can know– Private: only holder knows critical!!!

• Based on large prime numbers


EE579T/3 #15

The Original Goal

• Diffie and Hellman did not set out to invent a new kind of cryptography

• The goal was to find a way to establish symmetrical session keys without prior placement of the keys by some other means– i.e. to solve the key distribution problem

• This is still the primary use of the D-H exchange


EE579T/3 #16

But then...

• Diffie-Hellman key exchanges proved immensely useful

• Others found that there other uses for this general crypto principle and algorithms were developed for encrypting data– RSA– El Gamal– etc.


EE579T/3 #17

Asymmetric CryptographyAlice

Bob’s public key

Bob

Bob’s private key

Alice’s message

Crypto algorithm-NOT the same as

for symmetric crypto


EE579T/3 #18

Something Different

• Clearly, asymmetric crypto differs in a basic way from symmetric crypto– The keys are mathematically related, and

cannot be purely random numbers– The algorithms are quite different from the

universe of Feistel ciphers and S-boxes

• Is this a replacement for symmetric crypto, or a complement to it?


EE579T/3 #19

Asymmetric Crypto Properties

• The encryption function is one-way• The encryption process is fungible

– Can encrypt with public key and decrypt with private key, and vice versa

• So what?– Could this approach be used to sign documents?– Can a signed document be used for authentication?


EE579T/3 #20

Modulus Arithmetic• In modulus arithmetic, the “value” of a

number is the remainder when the number is divided by the modulus– e.g. 11 mod 5 = 1

• Clearly, there are many numbers that have the same modular representation– e.g. 21 mod 5 = 1 , 41 mod 5 = 1, etc.

• For a modulus of n, the maximum value is n-1


EE579T/3 #21

So What?

• Asymmetric cryptography is based on modulus arithmetic

• Modulus arithmetic makes it computation-ally infeasible to recover the number whose modulus is stated, provided certain conditions are met

• You can cheat: the Windows calculator has a modulus arithmetic mode


EE579T/3 #22

Diffie-Hellman Key Exchange-1

• Alice and Bob agree on a large prime, n, and an integer g, where g is primitive mod n. These need not be kept secret

• Alice chooses a large random integer x and sends to Bob: X=gx mod n

• Bob chooses a large random integer y and sends to Alice: Y=gy mod n

• NB: x and y are never transmitted


EE579T/3 #23

Diffie-Hellman Key Exchange-2• Alice computes k=Yx mod n• Bob computes k’=Xy mod n• But k = k’ = gxy mod n • Therefore, Bob and Alice now have a secret

key, k, that they can share for communications

• Eavesdroppers know only n, g, X, and Y, not x or y, which are required to compute k


EE579T/3 #24

Diffie-Hellman Security

• D-H security depends on the difficulty of factoring large numbers (size of n)

• It is computationally infeasible to recover x and y from the data known to an eavesdropper by any means other than exhaustive key search

• Caveats– n must be large

– ((n-1)/2) should also be prime

– g can be small -- even one digit


EE579T/3 #25

Diffie-Hellman Drawbacks

• Slow!– Computationally intensive– Requires several communications exchanges

• Example:– Using D-H to set up a session key in a cellular

telephone could take nearly one minute!

• So, other key exchange protocols have been established that are more efficient


EE579T/3 #26

Why Do We Want to Do This?

• Symmetric cryptography is fast

• Asymmetric cryptography is slow – As much as 1000X slower than symmetric

• Therefore, we want to use the slow asymmetric crypto -- which does not require prepositioning of keys -- to create and/or exchange symmetric session keys so that data can be exchanged quickly


EE579T/3 #27

Crypto Weaknesses

• All cryptosystems depend on the security of the key for their security– If a symmetric system, he who has the key

reads the mail– Asymmetric systems rely on the private key

remaining private. Is this a good assumption?

• Attacks on assumptions work better than attacks on the front door


EE579T/3 #28

Cryptosystems Compared

• Symmetric key– Same key both ends

– Key management a problem; requires secure side channel

– Fast

– Message length < key length

• Asymmetric key– Two keys

• Public key, known to all

• Private key, known to owner alone

– Key management less of a problem

– Computationally intensive, so it is slow


EE579T/3 #29

Asymmetric Crypto Uses?

• Only good for key exchange?

• As it turns out, NO– Other algorithms useful for providing data

secrecy, like symmetric cryptography– Can be used to provide

• confidentiality

• integrity

• authenticity

Next time!


EE579T/3 #30

RSA Encryption Algorithm

• Ron Rivest, Adi Shamir, Len Adelman– First published 1978, from MIT– Block cipher, asymmetric key– Plain and cipher texts are integers between 0

and n-1, for some n that is part of the keys

• Like all asymmetric key systems, RSA depends for security on the difficulty of factoring large numbers


EE579T/3 #31

RSA Mechanics

• C = ciphertext– C = Me mod n

• M = plaintext– M = Cd mod n = (Me)d mod n = Med mod n

• Both parties know n, e

• Only the receiving party knows d


EE579T/3 #32

Therefore...

• Public key: KU = {e,n}

• Private key: KR = {d,n}

• Requirements for this to work:– e, d, n exist such that Med = M mod n for all

M<n– Easy to calculate Me and C for M<n– Infeasible to calculate d given e, n

• Computationally secure if e, n sufficiently large


EE579T/3 #33

Important Definitions

• Euler’s totient function, (n) – Defined as the number of positive integers < n

and relatively prime to n– Can show that if n=pq, (n) = (p-1)(q-1)

• Relatively prime numbers– a and b (integers) are relatively prime if they

have no prime factors in common• i.e. only common prime factor is unity


EE579T/3 #34

RSA Example

• Select two primes: p = 7, q = 17

• Calculate n = pq = 7 x 17 = 119

• Calculate (n) = (p-1)(q-1) = 6 x 16 = 96

• Select e relatively prime to & less than (n) – In this example e = 5

• Calculate d = e-1 mod (n) = 77

• KU = {5, 119} KR = {77, 119}Public key Private key

This bit is perhaps unclear


EE579T/3 #35

Another View

• d = e-1 mod (n) looks difficult, as e-1 < 1

• Multiply both sides by e, which gives– de = 1 mod (n), where (n) = 96 in this case

• e has been selected as being 5, therefore we must now find the value for d that satisfies the above equation

• 77 is that value, as 5 x 77 = 1 mod 96– 77 x 5 = 385 = 4 x 96 + 1


EE579T/3 #36

RSA Encrypt/Decrypt

• Using KU, KR we have calculated, let M=19 (plaintext)– KU = {5, 119} KR = {77, 119}

• Encryption:– Me mod n = 195 mod 119 = 66 = C (ciphertext)

• Decryption– Cd mod n = 6677 mod 119 = 19 = M (plaintext)

• Q.E.D.

Public key e , n Private key d, n


EE579T/3 #37

RSA Importance

• With Diffie-Hellman, RSA is the most widely used asymmetric key algorithm

• RSA was patented by its inventors, but the patents expired in 2000

• RSA is now freely usable by anyone, and is widely incorporated into common products, such as web browsers, VPN devices, etc.


EE579T/3 #38

Breaking RSA

• Discover the private key, d– Easy to do if p and q, factors of n, are known– Hard part is factoring n– Factoring 129-digit n has been done

• Find eth roots mod n– Not known to be equivalent to factoring– No general methods known

• Brute force key search


EE579T/3 #39

Practical RSA Security• Choose sufficiently large n

– 129 digits 428 bits, which has been factored– Too close to 512 bits for comfort– So, choose n > 1000 bits (1024, 2048, 4096)

• Not all implementations allow key > 2048

– Evaluate how long security is required, as longer keys require more computation, and are therefore slower to encrypt/decrypt

• Guard the private key carefully!


EE579T/3 #40

Hashing: the Final Tool

• Encryption seeks to obscure plaintext with a key, so that the plaintext can be recovered

• Hash functions produce fixed-length output given variable-length input, such that the hash output will change substantially if even a single bit of the input is changed– Similar to checksum or CRC for data integrity– Depends on hash function being one-way


EE579T/3 #41

Hash Function Uses / Benefits

• Verify the integrity of a block of data– e.g. a message

• Faster to compute than encrypted version of input

• Always produces an output of known and fixed length– Useful in many applications


EE579T/3 #42

Hash Function Requirements

• Hash value h = H(x), where H is the hash function of some input x– Input x can be of any length

– Output H(x) has fixed length

– H(x) relatively easy to compute for any x

– H(x) is one-way

– H(x) is collision-free


EE579T/3 #43

Hashing Terms

• One way– H(x) is one way if it is computationally infeasible to

find x such that H(x) = h

– i.e. H(x) is hard to invert

• Collisions– weakly collision-free: given x, computationally

infeasible to find y x such that H(x) = H(y)

– strongly collision-free: computationally infeasible to find any two messages x and y such that H(x) = H(y)


EE579T/3 #44

Hash Function Example

Source: RSA Laboratories, Inc.


EE579T/3 #45

Common Hash Functions

Algorithm MD2 MD4 MD5 SHA-1

Output length 128 bits 128 bits 128 bits 160 bits

Block size 128 bits 512 bits 512 bits 512 bits

Specification RFC 1319 RFC 1320 RFC 1321 FIPS 180-1


EE579T/3 #46

Types of Hash

• “Standard”– Message is input to the hash function– Hash calculated according to the standard– Same message always produces same hash

• Keyed, or secure, hash– Message is one input to the hash function– Secret key is another input (cf. next slide)– Output depends on both key and message


EE579T/3 #47

Hash Function Example

Source: RSA Laboratories, Inc.


EE579T/3 #48

So What?

• Hash functions can be used to provide– Fast integrity check on data

• Asymmetric key cryptography can provide– Session key negotiation– User authentication (with some help)

• We now have all the cryptographic tools needed to provide confidentiality, integrity, and authentication


EE579T/3 #49

Summary• Both symmetric and asymmetric crypto have their uses

in communications

• Symmetric keys can be purely random, but asymmetric keys are mathematically related

• Symmetric crypto is much faster than asymmetric, which leads to combining the types in practical applications

• Combining symmetric, asymmetric, and hash functions can go a long ways towards mitigating network security problems.


EE579T/3 #50

Homework

• Read Stallings, remainder of Chapter 3

• Read Stallings, Chapter 4

• Do problems 3.2, 3.5a, 3.5d, 3.6, 3.10, 3.12

• If you have not already done so, finalize your project team, and select a candidate research topic. This information is due next week at the latest.

ee579t/3 #1 spring 2003 © 2000-2003, richard a. stanley ee579t / cs525t network security 3:...

Documents