public-key protocols
DESCRIPTION
Session 3 of a 3-day course in Engineering Cryptographic Applications held at ACM Theater Tyson's Corner for Microstrategy, Inc. Topics: Key Agreement, Asymmetric Cryptography, RSA, Public Key Protocols, TLS.
TRANSCRIPT
Microstrategy Course, 18 October 2013
David Evans, University of Virginia, www.cs.virginia.edu/evans
Day 3: Public Key Protocols
Engineering Cryptographic Applications
Engineering Crypto Applications 2
Recap: Symmetric Encryption
[Diagram: Alice encrypts plaintext with AES under a shared key, the ciphertext crosses an insecure channel, Bob decrypts it with the same key.]
Assuming we generate strong keys, use an appropriate cipher mode, and correctly implement a secure symmetric encryption primitive, we can securely encrypt long messages so even an adversary with $Quadrillions cannot learn anything interesting.
Assumes a secret already shared between Alice and Bob. Amplifies that secret to send more data later.
Plan for Today
1. Key Agreement Protocols
2. Solving the remote authentication problem
Asymmetric Encryption, Public-Key Protocols
[Diagram: TJ and petitions.gov; an insecure channel versus a secure channel.]
Asymmetric Key Agreement
Ralph Merkle (born 1952): Merkle’s Puzzles (1974)
Merkle’s Puzzles: Key Agreement
Alice:
1. Generate N random keys: k_0, …, k_(N-1).
2. For each, send E_ki(“key #” + i) in random order: E_k37(“key #” + 37), E_k82(“key #” + 82), E_k22(“key #” + 22), …
Bob:
3. Randomly select one of the received messages.
4. Try all possible keys until finding the k_x that decrypts the message to “key #x”.
5. Send x (in the clear) to Alice.
Shared secret: k_x.
Security
Suppose each key is 56 bits:
Alice has to generate N keys and do N encryptions.
Bob has to do at most 2^56 work to brute force one puzzle.
Eve has to do ½N × 2^55 expected work.
So, if 2^96 is infeasible, N = 2^42 could work.
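A small runnable simulation of the puzzle protocol above, added here as an example (not from the slides). It shrinks the key size to 12 bits and N to 64 so Bob's brute force finishes instantly, and stands in for the cipher E with a toy SHA-256 keystream XOR so the script runs offline; eve_expected_work is the slide's ½N × 2^55 estimate generalised to any key size.

```python
import hashlib
import random

KEY_BITS = 12      # toy puzzle key size (the slide uses 56 bits)
N_PUZZLES = 64     # toy number of puzzles (the slide suggests N = 2^42)


def toy_encrypt(key: int, plaintext: bytes) -> bytes:
    """Toy stand-in for E_k: XOR with keystream SHA-256(key || 0x00)."""
    stream = hashlib.sha256(key.to_bytes(8, "big") + b"\x00").digest()
    return bytes(p ^ s for p, s in zip(plaintext, stream))


def toy_decrypt(key: int, ciphertext: bytes) -> bytes:
    return toy_encrypt(key, ciphertext)   # XOR stream cipher is its own inverse


def alice_make_puzzles(n: int, rng: random.Random):
    """Steps 1-2: N distinct random keys; send E_ki("key #i") in random order."""
    keys = rng.sample(range(2 ** KEY_BITS), n)
    puzzles = [toy_encrypt(k, f"key #{i}".encode()) for i, k in enumerate(keys)]
    rng.shuffle(puzzles)              # Bob cannot tell which puzzle is which
    return keys, puzzles


def bob_solve_one(puzzles, rng: random.Random):
    """Steps 3-5: pick one puzzle, try every key (at most 2^KEY_BITS work),
    return the index x found in the plaintext and the key k_x."""
    puzzle = rng.choice(puzzles)
    for candidate in range(2 ** KEY_BITS):
        pt = toy_decrypt(candidate, puzzle)
        if pt.startswith(b"key #") and pt[5:].isdigit():
            return int(pt[5:]), candidate
    raise ValueError("no key decrypts this puzzle")


def run_protocol(seed: int = 1):
    """Returns (True, x) when Alice's k_x equals the key Bob brute-forced."""
    rng = random.Random(seed)         # seeded only so the demo is repeatable
    keys, puzzles = alice_make_puzzles(N_PUZZLES, rng)
    x, bob_key = bob_solve_one(puzzles, rng)
    alice_key = keys[x]               # x travels in the clear; k_x does not
    return alice_key == bob_key, x


def eve_expected_work(n: int, key_bits: int) -> int:
    """Eve must solve about half the puzzles: (N/2) * 2^(key_bits - 1)."""
    return (n // 2) * 2 ** (key_bits - 1)
```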
Can we do better?
CRYPTO 2009: it is actually impossible to do better!
Any scheme like this, even with perfect primitives, can be broken by an adversary who can do N² encryptions (where Alice and Bob do N encryptions).
To do better, we need some magic math!
Time for a Revolution!
“We stand today on the brink of a revolution in cryptography. The development of cheap digital hardware has freed it from the design limitations of mechanical computing and brought the cost of high grade cryptographic devices down to where they can be used in such commercial applications as remote cash dispensers and computer terminals. In turn, such applications create a need for new types of cryptographic systems which minimize the necessity of secure key distribution channels and supply the equivalent of a written signature. At the same time, theoretical developments in information theory and computer science show promise of providing provably secure cryptosystems, changing this ancient art into a science.”
Whit Diffie and Martin Hellman, November 1976.
Padlocked Boxes
[Diagram sequence: a box carried by Shady Sammy’s Slimy Shipping Service. Alice and Bob each have their own padlock and padlock key.]
1. Alice locks the message M in the box with her padlock: E_A(M). She sends it to Bob and keeps her padlock key.
2. Bob adds his own padlock: E_B(E_A(M)). He sends the box back and keeps his padlock key.
3. Alice removes her padlock: D_A(E_B(E_A(M))) = E_B(M). She sends the box to Bob.
4. Bob removes his padlock with his key and reads M.
“Padlocks” Key Agreement
• We relied on: D_A(E_B(E_A(M))) = E_B(M)
• Is this true for AES? No way! AES (and any strong symmetric primitive) must involve non-linear transformations that are not commutative.
• What operations is it true for? Multiplication.
Diffie-Hellman(-Merkle) Key Agreement
[Photos: Martin Hellman, Whit Diffie]
Diffie-Hellman Key Agreement (Alice and Bob)
1. Choose and publish: q (a large prime number) and a primitive root of q.
2. Alice generates random X_A.
3. Alice sends Y_A = (primitive root)^X_A mod q.
4. Bob generates random X_B.
5. Bob sends Y_B = (primitive root)^X_B mod q.
Alice computes K = (Y_B)^X_A mod q. Bob computes K = (Y_A)^X_B mod q.
Key Agreement Requirements
Correctness: Both participants get the same key
Security: An eavesdropper cannot find K from all intercepted values
Key Agreement Correctness
Correctness: Both participants get the same key
Y_A = (primitive root)^X_A mod q, Y_B = (primitive root)^X_B mod q
Alice: K = (Y_B)^X_A mod q
  = ((primitive root)^X_B mod q)^X_A mod q
  = ((primitive root)^(X_B·X_A) mod q) mod q
  = (primitive root)^(X_B·X_A) mod q
Bob: K = (Y_A)^X_B mod q
  = ((primitive root)^X_A mod q)^X_B mod q
  = ((primitive root)^(X_A·X_B) mod q) mod q
  = (primitive root)^(X_A·X_B) mod q
Multiplication commutes (just like the padlocks)!
Security
Security: An eavesdropper cannot find K from all intercepted values: q, the primitive root, Y_A, Y_B.
Primitive Roots
A number is a primitive root of q if for all n with 1 ≤ n < q, there is some m, 1 ≤ m < q, such that (primitive root)^m = n mod q.
All prime numbers have primitive roots.
Discrete logarithm problem: given the primitive root, n, and q, find the one m, 0 ≤ m < q, such that (primitive root)^m = n mod q. For good choices of q, this is believed to be hard.
Security of Diffie-Hellman
Discrete logarithm problem: given the primitive root, n, and q, find the one m, 0 ≤ m < q, such that (primitive root)^m = n mod q. For good choices of q, this is believed to be hard.
An eavesdropper cannot find K from the intercepted values q, the primitive root, Y_A, Y_B. If they could, they could solve the discrete log problem, which is hard: given Y_A = (primitive root)^X_A mod q, find X_A.
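A worked Diffie-Hellman exchange over the toy prime q = 23, added as an example (not from the slides): the primitive-root test as defined on the slide, the correctness check that both sides derive the same K, and an eavesdropper who can only reach K by brute-forcing the discrete log, which works here only because q is tiny. The published primitive root is named g in this code.

```python
import secrets


def is_primitive_root(g: int, q: int) -> bool:
    """Slide definition: g is a primitive root of prime q if for every
    1 <= n < q there is some m, 1 <= m < q, with g^m mod q == n."""
    return {pow(g, m, q) for m in range(1, q)} == set(range(1, q))


def random_exponent(q: int) -> int:
    """Steps 2 and 4: a private exponent from 1..q-2, drawn with a CSPRNG."""
    return 1 + secrets.randbelow(q - 2)


def alice_bob_agree(q: int, g: int, x_a: int, x_b: int):
    """Steps 3-5: Alice sends Y_A, Bob sends Y_B, each derives K."""
    y_a = pow(g, x_a, q)            # Y_A = g^X_A mod q (sent in the clear)
    y_b = pow(g, x_b, q)            # Y_B = g^X_B mod q (sent in the clear)
    k_alice = pow(y_b, x_a, q)      # K = (Y_B)^X_A mod q
    k_bob = pow(y_a, x_b, q)        # K = (Y_A)^X_B mod q
    return y_a, y_b, k_alice, k_bob


def discrete_log(g: int, n: int, q: int) -> int:
    """Find the m, 0 <= m < q, with g^m mod q == n by exhaustive search.
    Cost grows with q, which is why a real q is hundreds of digits long."""
    for m in range(q):
        if pow(g, m, q) == n:
            return m
    raise ValueError("no discrete log; is g a primitive root of q?")


def eve_recovers_key(q: int, g: int, y_a: int, y_b: int) -> int:
    """Eve sees q, g, Y_A, Y_B. Solving Y_A = g^X_A mod q for X_A yields K,
    so DH security rests entirely on discrete_log being infeasible."""
    x_a = discrete_log(g, y_a, q)
    return pow(y_b, x_a, q)
```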
What about Mallory?
[Diagram: Alice encrypts plaintext to ciphertext and Bob decrypts it, over an insecure channel (e.g., the Internet); Mallory is an active attacker on the channel.]
Secure from Active Eavesdropper?
Public: q and the primitive root.
Alice holds X_A and sends Y_A = (primitive root)^X_A mod q. Bob holds X_B and sends Y_B = (primitive root)^X_B mod q.
Mallory (active attacker) holds X_M, intercepts both messages, and sends Y_M = (primitive root)^X_M mod q to each side in their place.
Alice computes K_AM = (Y_M)^X_A mod q. Bob computes K_BM = (Y_M)^X_B mod q.
Mallory computes K_AM = (Y_A)^X_M mod q and K_BM = (Y_B)^X_M mod q, so Mallory shares a key with each of them.
Does D-H Solve This?
[Diagram: TJ and petitions.gov over an insecure channel.]
How does TJ know he’s really talking to petitions.gov? How can he establish a secure channel to transmit his password?
Asymmetry Required
Messages: everyone should be able to send Alice a message that only Alice can read.
Signatures: Bob should be able to verify Alice signed a message, but not impersonate Alice.
Asymmetric Cryptosystem
[Diagram: Alice applies E to the plaintext, the ciphertext crosses an insecure channel, Bob applies D to recover the plaintext.]
Correctness: D(E(m)) = m
Security: given E(m) and E, cannot learn anything interesting about m or D.
Asymmetric Cryptosystem (with Kerckhoffs’ Principle)
[Diagram: same as above; Alice uses KR_A with E, Bob uses KU_A with D.]
Correctness: D_KUA(E_KRA(m)) = m
Security: given E_KRA(m), E, KU_A, and D, cannot learn anything interesting about m or KR_A.
Providing Asymmetry
Need a function f that is:
Easy to compute: given x, easy to compute f(x).
Hard to invert: given f(x), hard to compute x.
Has a trap-door: given f(x) and t, easy to compute x.
No function (publicly) known with these properties until 1977…
[Photos: Ron Rivest, Len Adleman, Adi Shamir]
RSA Cryptosystem
E_e(M) = M^e mod n
D_d(C) = C^d mod n
n = pq, where p, q are primes
d is relatively prime to (p – 1)(q – 1)
ed ≡ 1 mod (p – 1)(q – 1)
Correctness of RSA
E_e(M) = M^e mod n, D_d(C) = C^d mod n
D_d(E_e(M)) = (M^e mod n)^d mod n = M^(ed) mod n = M
The last step depends on choosing e and d to have this property: it uses Fermat’s little theorem and Euler’s totient theorem.
Bonus: Works in Both Orders
E_e(M) = M^e mod n, D_d(C) = C^d mod n
E_e(D_d(M)) = (M^d mod n)^e mod n = M^(de) mod n = M
Providing Asymmetry
Need a function f that is:
Easy to compute: given x, easy to compute f(x).
Hard to invert: given f(x), hard to compute x.
Has a trap-door: given f(x) and t, easy to compute x.
Does RSA satisfy these?
Easy (Enough) to Compute
Easy to compute: given x, easy to compute f(x).
E_e(M) = M^e mod n
a^(m+n) = a^m × a^n
a^(2b) = a^b × a^b
So M^e can be computed in about log2 e multiplications.
Be careful not to have a timing side channel though!
Hard to Invert
Given E_e(M), e and n, it is hard to compute M. If the attacker can factor n = pq, it is easy to find d: d = e^-1 mod (p – 1)(q – 1). All other attacks are equivalent to factoring n.
No one seems to know a fast way to factor, except with a quantum computer (and no one seems to yet know how to build a large one).
For reasonable security, n should be 2048 bits (comparable to a 112-bit symmetric key) – believed sufficient until 2030.
Easy to Invert with Trapdoor
E_e(M) = M^e mod n
D_d(C) = C^d mod n
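Textbook RSA in the slides' notation, added as an example (not from the slides): key generation from the constructed primes p = 61, q = 53, modular exponentiation by square-and-multiply (about log2 e steps), encryption and decryption, the both-orders property that gives signatures, and the observation that factoring n yields d. Unpadded RSA is shown only to illustrate the math.

```python
from math import gcd


def square_and_multiply(base: int, exp: int, mod: int) -> int:
    """base^exp mod mod in about log2(exp) squarings, using the slide's
    identities a^(m+n) = a^m * a^n and a^(2b) = a^b * a^b. The per-bit branch
    is exactly the timing side channel the slide warns about; real
    implementations use constant-time code."""
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:                       # this exponent bit is set: multiply
            result = (result * base) % mod
        base = (base * base) % mod        # square for the next bit
        exp >>= 1
    return result


def rsa_keygen(p: int, q: int, e: int = 17):
    """n = pq; e relatively prime to (p-1)(q-1); e*d = 1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)                   # d = e^-1 mod (p-1)(q-1), Python 3.8+
    return (n, e), d                      # public key KU = (n, e), private KR = d


def encrypt(public, m: int) -> int:       # E_e(M) = M^e mod n
    n, e = public
    return square_and_multiply(m, e, n)


def decrypt(public, d: int, c: int) -> int:   # D_d(C) = C^d mod n
    return square_and_multiply(c, d, public[0])


def sign(public, d: int, m: int) -> int:  # "both orders": apply D_d first
    return square_and_multiply(m, d, public[0])


def verify(public, m: int, sig: int) -> bool:   # E_e(D_d(M)) = M^(de) mod n = M
    return encrypt(public, sig) == m % public[0]


def recover_d_from_factors(public, p: int, q: int) -> int:
    """Slide: anyone who can factor n = pq finds d = e^-1 mod (p-1)(q-1),
    which is why n must be large (2048 bits)."""
    return pow(public[1], -1, (p - 1) * (q - 1))
```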
Using RSA: Confidentiality
[Diagram: Alice encrypts with E under KU_B, the ciphertext crosses the insecure channel, Bob decrypts with D under KR_B.]
Bob: selects two large primes p, q; computes ed ≡ 1 mod (p – 1)(q – 1); publishes n = pq and e, keeps d secret.
Bob’s Public Key: KU_B = (n, e) (modulus, public exponent)
Private Key: KR_B = d (private exponent)
Alice: sends confidential messages to Bob using his public key.
Over 1000x slower than AES! Only use when asymmetry is needed.
Using RSA: Signatures
[Diagram: Bob signs a message with E under KR_B, the signed message crosses the insecure channel, Alice verifies it with D under KU_B to get the verified message.]
Bob: selects two large primes p, q; computes ed ≡ 1 mod (p – 1)(q – 1); publishes n = pq and e, keeps d secret.
Bob’s Public Key: KU_B = (n, e) (modulus, public exponent)
Private Key: KR_B = d (private exponent)
Alice: verifies the message is from Bob using his public key.
Over 1000x slower than AES! Only use when asymmetry is needed.
Elliptic Curve Asymmetric Cryptosystems
Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP (unless you know the trapdoor).
Example curve: y² = x³ – 7 (mod p)
RSA vs. ECC
Discovery: RSA 1977 (previously discovered in 1969 by GCHQ and perhaps earlier by NSA); ECC 1985 (adoption limited until ~2005).
“Hard” problem: RSA factoring; ECC discrete log on an elliptic curve.
Key size (~112-bit security): RSA 2048 bits (768 bits broken); ECC 224 bits (112 bits broken).
Backdoor risk: RSA none; ECC curves selected by NSA.
Quantum computing risk: RSA known fast factoring algorithms (Shor’s); ECC similar (a variation of Shor’s algorithm solves discrete log).
Implementation challenges: RSA avoiding weak keys, timing side channels; ECC fast operations on elliptic curves, leaks on invalid inputs.
RSA vs. ECC vs. Lattice Ciphers
Discovery: RSA 1977; ECC 1985 (adoption limited until ~2005); Lattice 1996.
“Hard” problem: RSA factoring; ECC discrete log on an elliptic curve; Lattice lattice problems (e.g., closest vector).
Key size (~112-bit security): RSA 2048 bits (768 bits broken); ECC 224 bits (112 bits broken); Lattice 1,000,000 bits.
Backdoor risk: RSA none; ECC curves selected by NSA; Lattice little.
Quantum computing risk: RSA known fast factoring algorithms (Shor’s); ECC similar (a variation of Shor’s algorithm solves discrete log); Lattice only if P = NP.
Implementation challenges: RSA avoiding weak keys, timing side channels; ECC fast operations on elliptic curves, leaks on invalid inputs; Lattice only simple arithmetic (but 10Ks of them).
Using Asymmetry: Signatures
[Diagram: Bob signs a message with E under KR_B, the signed message crosses the insecure channel, Alice verifies it with D under KU_B to get the verified message.]
Bob: generates KU_B and KR_B; publishes KU_B.
Alice: verifies the message is from Bob using his public key.
Over 1000x slower than AES! (with both RSA and ECC)
What if we need to sign long messages (bigger than n ~ 2048 bits)?
Message Digests
[Diagram: Bob computes the digest H(Message) and signs the digest with KR_B; the signed message crosses to Alice, who verifies with KU_B and compares against H of the received message to get the verified message.]
H is a cryptographic hash function:
one-way: given H(x), cannot find a preimage x.
strong collision-resistant: hard to find a pair x and y where H(x) = H(y).
Authentication
[Diagram: TJ and petitions.gov over an insecure channel.]
How does TJ know he’s really talking to petitions.gov? How can he establish a secure channel to transmit his password?
Simple Login Protocol
TJ → petitions.gov: c = E_KUpetitions(“tj” + password)
petitions.gov: D_KRpetitions(c)
Eve can’t decrypt without KR_petitions.
Getting Public Keys
• Public keys are only useful if you know you have the right one!
• Secure on-line directory?
[Diagram: TJ asks keys.gov “What is petitions.gov’s public key?” and receives KU_petitions.]
Moving Directory Off-Line
[Diagram: TrustMe.com, TJ, Petitions.]
Petitions registers petitions.gov, KU_Petitions with TrustMe.com.
TrustMe.com issues the certificate C_P = KR_TrustMe[“petitions.gov”, KU_Petitions].
Petitions sends C_P to TJ, who verifies it using KU_TrustMe.
SSL (Secure Sockets Layer): Simplified TLS Handshake Protocol
Client → Server: Hello
Server → Client: KR_CA[Server Identity, KU_S]
Client: verifies the certificate using KU_CA; checks the identity matches the URL; generates random K; sends E_KUS(K).
Server: decrypts K using KR_S.
Secure channel using K.
SSL (Secure Sockets Layer): Simplified TLS Handshake Protocol (same steps as above)
How did the client get KU_CA?
Certificates
[Diagram: VarySign.com, TJ, Petitions.]
Petitions requests a certificate for petitions.gov, KU_Petitions.
VarySign issues C_P = KR_VarySign[“petitions.gov”, KU_Petitions]; TJ verifies it using KU_VarySign.
How does VarySign decide if it should give a certificate to the requester?
[Slide: certificate pricing screenshots, $1500 for 1 year; $399.]
Limiting Damage
[Diagram: VarySign.com, TJ, Petitions.]
Petitions requests a certificate for petitions.gov, KU_Petitions.
VarySign issues C_P = KR_VarySign[“petitions.gov”, cert ID, Expiration, KU_Petitions]; TJ verifies it using KU_VarySign.
Certificate Revocation
[Diagram: VarySign.com, Client, Petitions.]
Petitions requests a certificate for petitions.gov, KU_Petitions.
VarySign issues C_P = KR_VarySign[“petitions.gov”, cert ID, Expiration, KU_Petitions]; the client verifies it using KU_VarySign.
VarySign also publishes a Certificate Revocation List (CRL): <cert ID, date>, …
CRL Checking
[Screenshots: Mozilla Firefox and Google Chrome revocation-checking settings.]
On-line checking is expensive and may fail. An attacker-in-the-middle can make it fail.
SSL (Secure Sockets Layer): Simplified TLS Handshake Protocol
Client → Server: Hello
Server → Client: KR_CA[Server Identity, KU_S]
Client: verifies the certificate using KU_CA; checks the identity matches the URL; generates random K; sends E_KUS(K).
Server: decrypts K using KR_S.
Secure channel using K.
Actual TLS has some extra steps:
- Negotiate versions
- Agree on which ciphers to use (many options, but beware!)
- Can authenticate the client also
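The client-side certificate checks and key transport of the simplified handshake, added as an example (not from the slides): the CA's signature over the certificate fields (hash-then-sign, as on the message digest slide), identity matches the URL host, expiration, CRL lookup, and only then E_KUS(K). The RSA keys are constructed toy values (p = 61, q = 53 for the CA; p = 89, q = 97 for the server) far too small for real use, and the digest is SHA-256 reduced mod n so the toy RSA can sign it.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Constructed toy RSA keys, (n, e) public and d private: CA from p=61, q=53;
# server from p=89, q=97. Real keys are 2048 bits.
KU_CA, KR_CA = (3233, 17), pow(17, -1, 60 * 52)
KU_S, KR_S = (8633, 5), pow(5, -1, 88 * 96)


@dataclass(frozen=True)
class Certificate:
    identity: str        # the server's name, e.g. "petitions.gov"
    cert_id: int         # referenced by the CRL
    expiration: int      # constructed: a day number
    public_key: tuple    # the subject's KU = (n, e)
    signature: int       # KR_CA[hash of the fields above]


def digest(fields: tuple, n: int) -> int:
    """Hash-then-sign: SHA-256 of the fields, reduced mod n for the toy RSA."""
    h = hashlib.sha256(repr(fields).encode()).digest()
    return int.from_bytes(h, "big") % n


def ca_issue(identity: str, cert_id: int, expiration: int, subject_key: tuple):
    fields = (identity, cert_id, expiration, subject_key)
    sig = pow(digest(fields, KU_CA[0]), KR_CA, KU_CA[0])    # sign with KR_CA
    return Certificate(identity, cert_id, expiration, subject_key, sig)


def client_verify(cert: Certificate, url_host: str, today: int, crl: set) -> str:
    """The client's checks; returns 'ok' or the reason for rejection."""
    n, e = KU_CA                       # the client must already hold KU_CA
    fields = (cert.identity, cert.cert_id, cert.expiration, cert.public_key)
    if pow(cert.signature, e, n) != digest(fields, n):
        return "bad signature"         # not issued (or altered) under KR_CA
    if cert.identity != url_host:
        return "identity mismatch"     # valid cert, but for another host
    if today > cert.expiration:
        return "expired"
    if cert.cert_id in crl:
        return "revoked"               # listed on the CRL <cert ID, date>
    return "ok"


def handshake(cert: Certificate, url_host: str, today: int, crl: set):
    """Client verifies the cert, picks random K, sends E_KUS(K); the server
    (which holds KR_S) decrypts it. Returns (status, client K, server K)."""
    status = client_verify(cert, url_host, today, crl)
    if status != "ok":
        return status, None, None      # abort: no key is sent
    n, e = cert.public_key
    k = 2 + secrets.randbelow(n - 2)   # toy session key, 2 <= K < n
    c = pow(k, e, n)                   # E_KUS(K)
    return status, k, pow(c, KR_S, n)  # server: D_KRS(c)
```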
Summary
• Many useful applications require asymmetry
  – Confidentiality without a shared key, signatures
  – Others we will cover next week
• Asymmetric cryptosystems can be built using hard problems in number theory with trapdoors: RSA (factoring), ECC (discrete log)
• Asymmetric ciphers are very expensive: need to combine with hashes and symmetric crypto
[email protected]/crypto
Plan for Final Meeting: Applications of Asymmetric Crypto
Secure Computation
Future of Cryptosystems
Open to requests!