public key model


Upload: keelia

Post on 06-Feb-2016



TRANSCRIPT

Page 1: Public Key Model

8. Cryptography part 2 1

Public Key Model

Page 2: Public Key Model


Public Key Encryption

Page 3: Public Key Model


Public Key Signature

Page 4: Public Key Model

Public-Key Cryptanalysis

• Brute-force attack (try all possible keys)
• Derive private key from public key
– Try to find the relationship between the public key and the private key and compute the private key from the public one.
• Probable-message attack
– The public key is known.
– Encrypt all possible messages.
– Try to find a match between the ciphertext and one of the encrypted messages.
– Example: a professor sends letter grades to his students, encrypted under their public keys.
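The letter-grade case above, as an added example that is not part of the original slides. It uses textbook RSA (introduced later in the deck) with a constructed toy key built from two Mersenne primes; all function names are hypothetical, and `encrypt_padded` is a toy stand-in for randomized padding such as OAEP.

```python
import secrets

# Constructed toy key (not from the slides); far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)
GRADES = ["A", "B", "C", "D", "F"]        # the whole message space

def encrypt_plain(grade):
    """Textbook RSA: the same grade always yields the same ciphertext."""
    return pow(ord(grade), E, N)

def encrypt_padded(grade):
    """Toy randomized padding: 24 random nonzero bits above the grade byte."""
    r = 1 + secrets.randbelow(2**24 - 1)
    return pow((r << 8) | ord(grade), E, N)

def decrypt_padded(ciphertext):
    """Holder of D recovers the block and discards the random bits."""
    return chr(pow(ciphertext, D, N) & 0xFF)

def match_ciphertext(ciphertext):
    """What anyone with the public key can compute: encrypt every
    candidate message and look the observed ciphertext up in the table."""
    table = {encrypt_plain(g): g for g in GRADES}
    return table.get(ciphertext)

if __name__ == "__main__":
    print(match_ciphertext(encrypt_plain("B")))    # deterministic: identified
    print(match_ciphertext(encrypt_padded("B")))   # randomized: no match
    print(decrypt_padded(encrypt_padded("B")))     # legitimate receiver
```

Deterministic encryption of a small message space is what makes the match possible; with randomization the table lookup fails while the key holder still decrypts correctly.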

Page 5: Public Key Model

History of Public-Key

1976 – Diffie & Hellman suggested the public-key model for encryption and signatures

1976 – Diffie & Hellman developed a public-key protocol for key exchange based on the Discrete Log Problem

1977 – Rivest, Shamir, Adleman developed the RSA public-key scheme for encryption and signatures based on the Number Factoring Problem

1980s – El-Gamal developed public-key protocols for encryption and signatures based on the Discrete Log Problem

Page 6: Public Key Model

Revolution in Cryptography

• Diffie & Hellman sought to solve 2 problems
– Find a secure way to distribute keys
– Provide digital signature for document
• Public key cryptography is based on rigorous mathematical theory, rather than substitutions and permutations.
• It is asymmetric – requires two different keys: private & public

Page 7: Public Key Model

Diffie-Hellman Key Exchange (I)

• See: W. Diffie and M. E. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, IT-22 no. 6 (November 1976), p. 644-654
– The first public key algorithm
– Allows two users to agree on a secret key over a public channel
– No encryption, decryption, nor authentication
– p is a large prime number (about 512 bits), g < p and g is a primitive root of p.
– p and g are publicly known

Page 8: Public Key Model


Diffie-Hellman Key Exchange (II)

Page 9: Public Key Model


Diffie-Hellman Key Exchange (III)

Page 10: Public Key Model

Diffie-Hellman Example

• Alice and Bob want to establish a shared secret key and have agreed on n = 353 (prime) and g = 3
• They select the random secret values:
– Alice chooses $X_a = 97$, Bob chooses $X_b = 233$
• They derive the public keys:
– $T_a = g^{X_a} \bmod n = 3^{97} \bmod 353 = 40$ (Alice’s)
– $T_b = g^{X_b} \bmod n = 3^{233} \bmod 353 = 248$ (Bob’s)
• They derive the shared secret key:
– $K = T_b^{X_a} \bmod n = 248^{97} \bmod 353 = 160$ (Alice’s)
– $K = T_a^{X_b} \bmod n = 40^{233} \bmod 353 = 160$ (Bob’s)
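The exchange above with the slide's numbers, as an added example that is not part of the original slides. It also checks the stated requirement that g is a primitive root of the prime (called p in the code, n on the example slide); the range check on the received public value and all function names are additions and assumptions, not from the deck.

```python
def prime_factors(n):
    """Distinct prime factors by trial division (fine for toy-sized n)."""
    factors, f = set(), 2
    while f * f <= n:
        while n % f == 0:
            factors.add(f)
            n //= f
        f += 1
    if n > 1:
        factors.add(n)
    return factors

def is_primitive_root(g, p):
    """g generates Z_p^* iff g^((p-1)/q) != 1 mod p for every prime q | p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def public_value(g, secret, p):
    """T = g^X mod p, the value sent over the public channel."""
    return pow(g, secret, p)

def shared_key(peer_public, secret, p):
    """K = T_peer^X mod p, computed locally and never transmitted."""
    # Range check (an addition, not on the slides): 0, 1 and p-1 would
    # force K into a value that anyone on the channel can predict.
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_public, secret, p)

def run_exchange(p, g, xa, xb):
    """Both sides of the exchange; returns (Ta, Tb, K_alice, K_bob)."""
    if not is_primitive_root(g, p):
        raise ValueError("g is not a primitive root of p")
    ta, tb = public_value(g, xa, p), public_value(g, xb, p)
    return ta, tb, shared_key(tb, xa, p), shared_key(ta, xb, p)

if __name__ == "__main__":
    print(run_exchange(353, 3, 97, 233))   # slide values: n = 353, g = 3
```

Neither check authenticates the peer; they only reject malformed parameters.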

Page 11: Public Key Model


Diffie-Hellman Man-in-the-middle

Page 12: Public Key Model

Diffie-Hellman Scheme

• Security factors
– Discrete logarithm very difficult.
– Shared key (the secret) itself never transmitted.
• Disadvantages:
– Expensive exponential operation
– Cannot be used to encrypt anything.
– No authentication, so you cannot sign anything

Page 13: Public Key Model

RSA (Rivest, Shamir, Adleman)

• See: R. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", CACM 21, pp. 120-126, Feb. 1978
• The first public key encryption and signature system
• Supports both public key encryption and digital signature.
• Theoretical basis: Factorization of large numbers is hard.
• Variable key length (usually 1024 bits).
• Variable plaintext block size.
• Plaintext must be “smaller” than the key.
• Ciphertext block size is the same length as the key.

Page 14: Public Key Model

The RSA Algorithm

• To generate a key pair:
– Pick large primes p and q (do not disclose them)
– Let n = p*q
– For the public key, choose e that is relatively prime to ø(n) = (p-1)(q-1). public key = <e,n>
– For private key, find d that is the multiplicative inverse of e mod ø(n), i.e., e*d

Page 15: Public Key Model

Using RSA

• Given pubKey = <e, n> and privKey = <d, n>
• If Message = m
• Then:
– encryption: $c = m^e \bmod n$, m < n
– decryption: $m = c^d \bmod n$
– signature: $s = m^d \bmod n$, m < n
– verification: $m = s^e \bmod n$

Page 16: Public Key Model

Example of RSA (1)

• Choose p = 7 and q = 17.
• Compute n = p*q = 119.
• Compute ø(n) = (p-1)(q-1) = 96.
• Select e = 5 (relatively prime to ø(n)).
• Compute d = 77 such that e*d = 1 mod ø(n).
• Public key: <5,119>
• Private key: <77,119>
• Message = 19
• Encryption: $19^{5} \bmod 119 = 66$
• Decryption: $66^{77} \bmod 119 = 19$

Page 17: Public Key Model

Example of RSA (2)

• p = 7, q = 11, n = 77
• Alice chooses e = 17, making d = 53
• Bob wants to send Alice secret message HELLO (07 04 11 11 14)
– $07^{17} \bmod 77 = 28$; $04^{17} \bmod 77 = 16$
– $11^{17} \bmod 77 = 44$; $11^{17} \bmod 77 = 44$
– $14^{17} \bmod 77 = 42$
• Bob sends 28 16 44 44 42

Page 18: Public Key Model

Example of RSA (3)

• Alice receives 28 16 44 44 42
• Alice uses private key, d = 53, to decrypt message:
– $28^{53} \bmod 77 = 07$; $16^{53} \bmod 77 = 04$
– $44^{53} \bmod 77 = 11$; $44^{53} \bmod 77 = 11$
– $42^{53} \bmod 77 = 14$
• Alice translates 07 04 11 11 14 to HELLO
• No one else could read it, as only Alice knows her private key (needed for decryption)

Page 19: Public Key Model

Digital Signatures in RSA

• RSA has an important property: Encryption and decryption are symmetric
• Encryption followed by decryption yields the original
– $(M^e \bmod n)^d \bmod n = M$
• Decryption followed by encryption yields the original
– $(M^d \bmod n)^e \bmod n = M$
– Because e and d are symmetric in e*d = 1 mod (p-1)*(q-1)

Page 20: Public Key Model

Signature example in RSA

• p = 7, q = 11, n = 77
• Alice chooses e = 17, making d = 53
• Alice wants to send message HELLO (07 04 11 11 14) so that Bob knows it is from Alice, and has not been modified in transit
– $07^{53} \bmod 77 = 35$, $04^{53} \bmod 77 = 09$
– $11^{53} \bmod 77 = 44$, $11^{53} \bmod 77 = 44$
– $14^{53} \bmod 77 = 49$
• Alice sends 35 09 44 44 49

Page 21: Public Key Model

Verify sender

• Bob receives 35 09 44 44 49
• He uses Alice’s public key, e = 17, n = 77, to decrypt it:
– $35^{17} \bmod 77 = 07$, $09^{17} \bmod 77 = 04$
– $44^{17} \bmod 77 = 11$, $44^{17} \bmod 77 = 11$
– $49^{17} \bmod 77 = 14$
• Bob has 07 04 11 11 14 HELLO
• Only Alice has her private key, so no one else could have created a correct signature
• The (deciphered) signature matches the transmitted plaintext, so the plaintext was not altered
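The key generation, encryption and signature slides above, worked end to end as an added example that is not part of the original slides. It generalizes the deck's HELLO example to any upper-case text; the function names are hypothetical, and the letter-per-block encoding (A=00 ... Z=25) is taken from the slides.

```python
from math import gcd

def make_keypair(p, q, e):
    """Return (<e,n>, <d,n>) following the key-generation slide."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return (e, n), (pow(e, -1, phi), n)   # d = e^-1 mod phi(n), Python 3.8+

def apply_key(key, block):
    """One modular exponentiation; all four RSA operations reduce to it."""
    exponent, n = key
    if not 0 <= block < n:
        raise ValueError("block must be smaller than n")
    return pow(block, exponent, n)

def encode(text):
    """Slide encoding: A=00 ... Z=25, so HELLO -> 07 04 11 11 14."""
    return [ord(ch) - ord("A") for ch in text]

def decode(blocks):
    return "".join(chr(b + ord("A")) for b in blocks)

def encrypt(public, text):
    return [apply_key(public, m) for m in encode(text)]

def decrypt(private, blocks):
    return decode(apply_key(private, c) for c in blocks)

def sign(private, text):
    return [apply_key(private, m) for m in encode(text)]

def verify(public, text, signature):
    """Accept only if every recovered block equals the received plaintext."""
    if len(signature) != len(text):
        return False
    return [apply_key(public, s) for s in signature] == encode(text)

if __name__ == "__main__":
    public, private = make_keypair(7, 11, 17)          # slide parameters
    sig = sign(private, "HELLO")
    print(private, encrypt(public, "HELLO"), sig, verify(public, "HELLO", sig))
```

Encrypting one letter per block, as the slides do for illustration, is deterministic and so falls to the probable-message attack described earlier; deployed RSA uses large moduli with randomized padding and signs a hash of the message.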

Page 22: Public Key Model

The Security of RSA

• Attacks against RSA
– Brute force: Try all possible private keys
   • Can be defeated by using a large key space
– Mathematical attacks
   • Factor n into n = p*q.
   • Determine ø(n) directly: equivalent to factoring n.
   • Determine d directly: at least as difficult as factoring n.

Page 23: Public Key Model

The Security of RSA (Cont’d)

• Factoring a large integer is very hard!
• If you can factor the number n then, given public key <e,n>, you can find d, and hence the private key by:
– Knowing factors p, q, such that n = p*q
– Then ø(n) = (p-1)(q-1)
– Then d such that e*d = 1 mod ø(n)
• Ways to make n difficult to factor
– p and q should differ in length by only a few digits
– Both (p-1) and (q-1) should contain a large prime factor
– gcd(p-1, q-1) should be small.
– $d > n^{1/4}$.
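The procedure on this slide applied to the deck's own toy public keys, followed by a parameter check built from the slide's list, as an added example that is not part of the original slides. Function names are hypothetical, the thresholds `max_digit_gap` and `max_gcd` are assumptions (the slide says only "a few digits" and "small"), and the large-prime-factor condition on p-1 and q-1 is not checked.

```python
from math import gcd, isqrt

def factor_semiprime(n):
    """Trial division: feasible only because the deck's moduli are tiny."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no nontrivial factor found")

def recover_private_exponent(e, n):
    """Slide procedure: factor n, form phi(n), then invert e mod phi(n)."""
    p, q = factor_semiprime(n)
    return pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+

def parameter_warnings(p, q, e, max_digit_gap=2, max_gcd=4):
    """Check a candidate key against the slide's list before it is used.
    max_digit_gap and max_gcd are assumed thresholds, not slide values."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    warnings = []
    if abs(len(str(p)) - len(str(q))) > max_digit_gap:
        warnings.append("p and q differ too much in length")
    if gcd(p - 1, q - 1) > max_gcd:
        warnings.append("gcd(p-1, q-1) is not small")
    if d ** 4 <= n:                         # integer form of d <= n^(1/4)
        warnings.append("d is not greater than n^(1/4)")
    return warnings

if __name__ == "__main__":
    print(recover_private_exponent(17, 77))    # key from Example of RSA (2)
    print(recover_private_exponent(5, 119))    # key from Example of RSA (1)
    print(parameter_warnings(7, 11, 17))
```

The recovery succeeds instantly here only because n has two or three digits; the checklist function is the part meant for reuse when reviewing generated parameters.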

Page 24: Public Key Model

RSA versus DES

• Fastest implementations of RSA can encrypt kilobits/second
• Fastest implementations of DES can encrypt megabits/second
• RSA could be used for secure exchange of DES keys
• This 1000-fold difference in speed is likely to remain independent of technology advances