key management and elliptic curves
TRANSCRIPT
Key Management and Elliptic Curves• Key Management
– Distribution of Public Keys– Public-key Distribution of Secret Keys– Diffie-Hellman Key Exchange
• Elliptic Curves– Mathematical foundations– Elliptic curves over real numbers, Zp, and GF(2m)– Key exchange using Elliptic Curve Cryptography– Elliptic Curve Encryption/Decryption– Security of Elliptic Curve Cryptography
Public Announcement of Public Keys• Announcing your key to the world
– This is what is done by PGP (pretty good privacy)– Weakness: someone can pretend to be you, announce a
public key (knowing the private key), and then receive all encrypted email sent by others and intended for you
– We need to look at other approaches with more security
Publicly Available Directory• Steps in the process
– Register your name and public key with the directory– Authentication occurs at this time– The user can replace the public key at any time– The entire directory is published periodically– Access to the directory can be done electronically
• This is more secure, but improvements are possible
Public-Key Authority - 1• Steps in the process
1. Send a request to the public key authority for the current public key of user B
2. The authority sends a response using its private key; the user is able to decrypt using the authority’s public key; the response will include B’s public key, the original request and the original timestamp
3. Store B’s public key and send an encrypted message that includes your identifier and a “nonce”
4. User B gets your public key using steps 1 and 25. B replies by sending A’s nonce as well as a new
nonce6. Return B’s nonce to ensure the channel is secure
Public-Key Authority - 2
Public-Key Certificates - 1• Using an authority is time consuming; an
alternative approach is to use certificates• We now have a certificate authority
1. Any participant can read a certificate determining the name and public key of the owner
2. Any participant can determine the info originated from the certificate authority
3. Only the certificate authority can update certificates4. Any participant can determine the currency of the
certificate• Users can simply exchange certificates to share
their public keys
Public-Key Certificates - 2
Try to Answer the Questions Asked• How can any participant determine the information
originated from the certificate authority?
• How does the timestamp help eliminate forgery?
Simple Secret Key Distribution - 1• Suppose users A and B want to exchange a secret key
– User A generates a public key and private key and contacts B– User B generates a secret key and transmits it to A, encrypted
with A’s public key– A decrypts the message to recover the secret key– All public/private keys are discarded and communications
proceeds using the secret key and symmetric encryption
• The risk seems minimal since the exchange of a secret key happens quickly
Simple Secret Key Distribution - 2• If there is an active attack by an eavesdropper E,
the following sequence may occur– User A generates a public key and private key and contacts B– User E intercepts this message, creates another public key and
private key and transmits the public key and A’s identity to B– User B generates a secret key and transmits it to A, encrypted
with A’s public key– User E intercepts this message and learns the secret key– E transmits the secret key to A and proceeds to listen in on all
subsequent messages
• What is lacking here is authentication that messages really come from the expected source and not an eavesdropper
Distribution with Confidentiality & Authentication• We assume that A and B have exchanged public
keys by one of the schemes outlined earlier– A uses B’s public key to encrypt and transmit A’s
identifier and a nonce N1 that is used to identify this transmission
– B sends A a message encrypted with A’s public key that contains N1 and a new nonce N2 generated by B
– A returns N2 encrypted to assure B that the message came from A
– A sends B a secret key encrypted using B’s public key, so only B can read it, and A’s private key so B can insure the message came from A
– B can apply decryption to recover the secret key
A Pictorial View• The information exchange to insure
confidentiality and authenticity is shown below
A Hybrid Scheme• How it works
– A public key distribution center (KDC) shares a secret master key with each user
– Secret session keys are shared encrypted with the master key
• Advantages of this approach– Performance is improved in applications that require
frequent session key exchanges– Public key encryption is only used occasionally to
update the master key– This approach is easily overlaid on an existing KDC
scheme
The Diffie-Hellman Key Exchange• This is the first published public key algorithm
– This approach is only used to exchange a secret key– Security is based on the difficulty of computing
discrete logarithms• Here is some mathematical background
– For prime p we find a primitive root, we call it a– For an integer b we find the exponent i such that
b ≡ ai mod p where 0 <= i <= (p-1)– i is the index, namely inda,p(b)
Steps in the Calculation- A prime q and α, a primitive root of q, are known- User A selects a random integer XA < q and computes
YA = αXA mod q; similarly user B selects a random integer XB < q and computes YB = αXB mod q
- Each side keeps its X value private and make the Y value public
- User A computes K = (YB)XA mod q- User B computes K = (YA)XB mod q- These calculations produce the same secret key- Attacking the secret of user B, the opponent must
compute XB = indα,q(YB) - Security lies in the difficulty in calculating discrete
logarithms
The Algorithm
A Sample Calculation• Suppose q = 353 and primitive root α = 3. A and
B select secret keys XA = 97 and XB = 233.• Each computes a public key
– YA = 397 mod 353 = 40– YB = 3233 mod 353 = 248
• After exchanging public keys, A and B each computes the secret key for symmetric encryption– K = (YB)XA mod 353 = 24897 mod 353 = 160– K = (YA)XB mod 353 = 40233 mod 353 = 160
• The attacker knows q = 353, α = 3, YA = 40 and YB = 248 and must solve 3a mod 353 = 40 or 3b = mod 353 = 248; for large values this is very hard
Steps in the Process• Here is a communications protocol
• Of course, this protocol is symmetric, B could initiate the exchange
Group Work• Given q = 71 and primitive root α = 7• Suppose XA = 5, what is A’s public key?
• Suppose XB = 12, what is B’s public key?
• What is the shared private key?
Elliptic Curve Arithmetic• Use of RSA and problems with RSA
– RSA is very widely used so codebreakers have concentrated on breaking this scheme
– To insure security keys have become larger and larger making it more computationally intensive
• Elliptic Curve Cryptography (ECC)– Beginning to challenge the dominance of RSA– ECC offers equal security to RSA with smaller keys– Confidence in ECC is not as high as RSA since
codebreakers have not probed its weaknesses– Security in ECC depends on the difficulty of solving
the discrete logarithm problem
Abelian Groups• Remember of definition of abelian groups
– What is closure?– What is associativity?– What is an identity element?– What are inverse elements?– What is commutativity?
• In Diffie-Hellman keys are generated by exponentiation (repeated multiplication)
• In ECC keys are generated by multiplication (repeated addition)
Elliptic Curves over Real Numbers• Elliptic curve equations
– In general, y2 + axy + by = x3 + cx2 + dx + e– We consider, y2 = x3 + ax + b, to plot this curve we
need to compute y = √x3 + ax + b• On the next two slides we show two sample
elliptical curves where we specify curves by E(a,b)– We also have to include the element O, the point at
infinity (also known as the zero point)– The first curve is E(-1,0), namely y2 = x3 – x– The second curve is E(1,1), namely y2 = x3 + x + 1
An Example
Curve
E(-1,0)
AnotherCurve
E(1,1)
Geometric Description of Addition• E(a,b) defines a group provided there are no
repeated factors, this requires 4a3 + 27b2 ≠ 0• Addition of points P and Q
– O, the infinity point, is the additive identity– If P has coordinates (x,y) then –P is at (x,-y)– To add P and Q, connect them with a line, the third
point of intersection is R = –(P+Q)– This is true for Q itself, Q + -Q = O– To add a point to itself, Q + Q = 2Q is the point where
the tangent line intersects the curve
Algebraic Description of Addition∆ is the slope of the line connecting P and Q
∆ = (yP – yQ)/(xP – xQ)xR = ∆2 - xP – xQ
yR = - yP + ∆ (xP – xR)Suppose that P + P = R
PP
PR x
yaxx 2
23
22
−⎟⎟⎠
⎞⎜⎜⎝
⎛ +=
PRPP
PR yxx
yaxy −−⎟⎟⎠
⎞⎜⎜⎝
⎛ += )(
23 2
Group Work• Consider the curve y2 = x3 – 36x over real numbers
– Let P = (-3.5, 9.5) and Q = (-2.5, 8.5), find P + Q
– Find 2P
Elliptic Curves over Zp• Our sample curve
– y2 mod p = (x3 + ax + b) mod p– one solution: a = 1, b = 1, x = 9, y = 7, p = 23
• Finding more points– If p = 23, a = 1, b = 1, the curve is E23(1,1)– The next slide shows the points that satisfy the
equation, including the (9,7) above– A plot of these points is also shown– Notice that the points (except for one) are symmetric
about the line y = 11.5
Elliptic Curve
E23(1,1)
Group Work - 1• Given E11(1,6) defined by y2 = x3 + x + 6• Find all points by calculating the right hand side
for all values of x
A Sample Calculation - 1• Additive inverse
– P + -P = O, let P = (13,7), -P = (13,-7) = (13,16) why?• Addition
⎜⎜⎜⎜⎜
⎝
⎛
=⎟⎟⎠
⎞⎜⎜⎝
⎛ +
≠⎟⎟⎠
⎞⎜⎜⎝
⎛
−
−
=
−−=−−=
QPifpy
ax
QPifpxxyy
pyxxypxxx
P
P
PQ
PQ
PRPR
QPR
mod2
3
mod
mod))((mod)(
2
2
λ
λλ
A Sample Calculation - 2• Multiplication: 4P = P + P + P + P• An example of simple addition
2023mod16423mod)10)173(11(1723mod10923mod)9311(
1123mod6323mod
39107
)7,9()10,3(
2
=−=−−===−−=
=⎟⎠⎞
⎜⎝⎛ −=⎟
⎠⎞
⎜⎝⎛
−−
=
==
R
R
yx
QandP
λ
Group Work - 2• Given E11(1,6) defined by y2 = x3 + x + 6• Give G = (2, 7) find multiples 2G to 13G
Elliptic curves over GF(2m)• The basic equation is y2 + xy = x3 + ax2 + b• if P is (xP, yP) then –P is (xP, xP + yP)• if Q is (xQ, yQ) and
P ≠ ±Q then if R = 2P then
⎟⎟⎠
⎞⎜⎜⎝
⎛
+
+=
++−=++++=
PQ
PQ
PRRPR
QPR
xxyy
yxxxyaxxx
λ
λλλ
)(
2
P
PP
PRR
R
xyx
xxyax
+=
++=++=
λ
λλλ
2
2
)1(
Elliptic Curve Cryptography• An Overview
– Given Q = kP where Q, P are in Ep(a,b) and k < p– It is relatively easy to calculate Q given k and P– It is difficult to determine k given Q and P– This is the discrete log problem for elliptic curves
• An example calculation– Let P = (16,5) and Q = (4,5) in E23(9,7) defined by the
equation y2 mod 23 = (x3 + 9x + 17) mod 23– To find k we can use a brute force approach: 2P =
(20,20), 3P = (14, 14), …, 9P = (4, 5) so k = 9– For large numbers this approach is impractical
Key Exchange using Elliptic Curves• Steps of the key exchange
– Select a large integer q to define Eq(a, b)– The order n of a point G is the smallest positive integer
n such that nG = O.– Pick a base point G in Eq(a, b) with a very large order– G and Eq(a, b) are parameters known to all participants– A selects nA < n its private key; A calculates public key
PA = nA x G in Eq(a, b) – In a similar manner B selects nB and generates PB
– A generates secret key K = nA x PB and B generates secret key K = nB x PA ; these values are equal
ECC Key Exchange
A Numeric Example• The values and calculations
– P = 211 in Ep(0, -4) and G = (2, 2)– One calculates 240 G = O– A sets nA = 121 and PA = 121(2, 2) = (115, 48)– B sets nB = 203 and PA = 203(2, 2) = (130, 203)– The shared key is 121(130, 203) = 203(115, 48) =
(161, 69)
Group Work• Suppose we are using E11(1,6)• Let G = (10,2)• Suppose A selects nA = 5, find A’s public key
• Suppose B selects nB = 7, find B’s public key
• Show how both A and B find the secret key
Elliptic Curve Encryption/Decryption• The initial calculations are similar to the key
exchange– Select a large integer q to define Eq(a, b) and a base
point G in Eq(a, b) with a very large order– A selects nA, its private key, and calculates public key
PA = nA x G in Eq(a, b); B selects nB and calculates PB
– To encrypt Pm and send to B, A selects a random positive integer k and generates the pair Cm
Cm = (kG, Pm + kPB)– B decrypts by multiplying the first point by B’s secret
key and subtracting the result from the second pointPm + kPB – nB(kG) = Pm
An Example Calculation• Give p = 751 and Ep(-1, 188)
– The curve is y2 = x3 – x + 188– Let G be (0, 376)– Suppose the message Pm = (562, 201)– A selects k = 386 and uses PB = (201, 5)– Calculating 386(0, 376) = (676, 558)– And (562, 201) + 386(201, 5) = (385, 328)– So A sends [(676, 558), (385, 328)]
Group Work• Given E11(1,6), G = (2, 7) and nB = 7
– Find B’s public key PB
– A wants to send Pm = (10, 9) and k = 3; find Cm
– Show the calculations that let B recover Pm
Security of Elliptic Curve Cryptography• Pollard rho is the fastest method known to find
discrete algorithms• ECC can have the same level of security as RSA
with smaller key sizes