public-key protocols

Microstrategy Course18 October 2013

David EvansUniversity of Virginiawww.cs.virginia.edu/evans

Day 3: Public Key Protocols

Engineering Cryptographic Applications

Engineering Crypto Applications 2

Recap: Symmetric Encryption

[email protected]

AES AESPlaintextCiphertext

PlaintextInsecure Channel

Key Key

Assuming we generate strong keys, use an appropriate cipher mode, and correctly implement a secure symmetric encryption primitive, we can securely encrypt long messages so even an adversary with $Quadrillions cannot learn anything interesting.

Alice Bob

Assumes a secret already shared between Alice and Bob.Amplifies that secret to send more data later.


Plan for Today

1. Key Agreement Protocols2. Solving the remote authentication problem

Asymmetric Encryption, Public-Key Protocols

[email protected]

petitions.govInsecure ChannelSecure Channel


Key [email protected]

Engineering Crypto Applications [email protected]

Asymmetric Key Agreement

Ralph Merkle (born 1952)

Merkle’s Puzzles

(1974)


Merkle’s Puzzles: Key Agreement

[email protected]

Alice

1. Generate N random keys: k0, …, kn-12. For each, send Eki(“key #” + i) in random order

Ek37(“key #” + 37) Ek82(“key #” + 82) Ek22(“key #” + 22) …


Alice



Merkle’s Puzzles: Key Agreement


Alice



Bob

3. Randomly select one of the received messages.

4. Try all possible keys until finding kx that decrypts the message to “key #x”

5. Send x (in clear) to AlicexShared secret kx


Security

[email protected]

Alice


Bob



5. Send x (in clear) to Alicex

Shared secret kx


Security

[email protected]

Alice


Bob



5. Send x (in clear) to Alicex

Shared secret kx

Suppose each key is 56 bits:Alice has to generate N keys and do N encryptionsBob has to do 256 max work to brute forceEve has to do ½N × 255 expected workSo, if 296 is infeasible, N = 242 could work


Can we do better?

[email protected]

CRYPTO 2009: Actually is impossible to do better!

Any scheme like this, even with perfect primitives, can be broken by an adversary who can do N 2 encryptions (where Alice and Bob do N encryptions).

To do better, we need some magic math!


Time for a Revolution!

[email protected]

“We stand today on the brink of a revolution in cryptography. The development of cheap digital hardware has freed it from the design limitations of mechanical computing and brought the cost of high grade cryptographic devices down to where they can be used in such commercial applications as remote cash dispensers and computer terminals. In turn, such applications create a need for new types of cryptographic systems which minimize the necessity of secure key distribution channels and supply the equivalent of a written signature. At the same time, theoretical developments in information theory and computer science show promise of providing provably secure cryptosystems, changing this ancient art into a science.”

Whit Diffie and Martin Hellman, November 1976.


Padlocked Boxes

Alice

MSTR


Padlocked Boxes

MST

RAlice’s Padlock

Alice’s Padlock Key

EA(M)Alice


Padlocked Boxes

Shady Sammy’s Slimy Shipping Service


Alice


Padlocked Boxes

Alice

MST

R

Bob

Bob’s Padlock

Bob’s Padlock Key


EB( )EA(M)


Padlocked Boxes

Alice MST

R

BobAlice’s Padlock Key

EB(EA(M))

Bob’s Padlock Key


Padlocked Boxes

MST

R


DA(EB(EA(M))) = EB(M)Alice

Bob

Bob’s Padlock Key


Padlocked Boxes

MST

R

EB(M)Alice

Bob

Bob’s Padlock Key


Padlocked Boxes

MST

R

MSTR

Alice

Bob

Bob’s Padlock Key


“Padlocks” Key Agreement

• We relied on: DA(EB(EA(M))) = EB(M)• Is this true for AES?

• What operations is it true for?

[email protected]

No way! AES (and any strong symmetric primitive) must involve non-linear transformations that are not commutative.

Multiplication


Diffie-Hellman(-Merkle) Key Agreement

[email protected]

Martin HellmanWhit Diffie


Diffie-Hellman Key AgreementAlice Bob

1. Choose and publish: q (large prime number)

(primitive root of q)2. Generate random XA3. Send YA= XA mod q. 4. Generate random XB.

5. Send YB= XB mod q.K = (YB) XA mod q K = (YA)XB mod q


Key Agreement Requirements

Correctness: Both participants get the same key

Security: An eavesdropper cannot find K from all intercepted values

[email protected]


Key Agreement Correctness


[email protected]

K = (YB) XA mod q K = (YA)XB mod qYA= XA mod q YB= XB mod q


Key Agreement Correctness


[email protected]

K = (YB) XA mod q K = (YA)XB mod qYA= XA mod q YB= XB mod q= (XB mod q)XA mod q= (XBXA mod q) mod q= XBXA mod q

= (XA mod q)XB mod q= (XAXB mod q) mod q= XAXB mod qMultiplication commutes (just like the padlocks)!


SecurityAlice Bob

1. Choose and publish: q (large prime number)

(primitive root of q)2. Generate random XA3. Send YA= XA mod q. 4. Generate random XB.

5. Send YB= XB mod q.K = (YB) XA mod q K = (YA)XB mod qAn eavesdropper cannot find K from all intercepted values: q, , YA, YB


Primitive RootsAlice Bob

1. Choose and publish: q (large prime number) (primitive root of q)

2. Generate random XA3. Send YA= XA mod q. 4. Generate random XB.

5. Send YB= XB mod q.K = (YB) XA mod q K = (YA)XB mod q

is a primitive root of q if for all 1 n < q, there is some m, 1 m < q such that m = n mod q

All prime numbers have primitive roots.

Discrete logarithm problem: given , n, and q find the one 0 m < q such that

m = n mod qFor good choices of q, this is believed to be hard.


Security of Diffie-HellmanAlice Bob

1. Choose and publish: q (large prime number) (primitive root of q)

2. Generate random XA3. Send YA= XA mod q. 4. Generate random XB.

5. Send YB= XB mod q.K = (YB) XA mod q

Discrete logarithm problem: given , n, and q find the one 0 m < q such that

m = n mod qFor good choices of q, this is believed to be hard.

Eavesdropper cannot find K from intercepted values: q, , YA, YB If they could, could solve discrete log problem which is hard:

given YA= XA mod q find XA


What about Mallory?

Encrypt DecryptPlaintextCiphertext

Plaintext

Alice Bob

Mallory(active attacker)

Insecure Channel (e.g., the Internet)

[email protected]


Secure from Active Eavesdropper?Alice

Public: q,

XA

YA= XA mod qBob

XBYB= XB mod qK = (YB) XA mod q K = (YA)XB mod q


Alice

Public: q,

XA

YA= XA mod qBob

XBYB= XB mod qKAM = (YM) XA mod q KBM = (YM)XB mod q

Mallory(active attacker)YM= XM mod q

XM

YM= XM mod q


Alice

Public: q,

XA

YA= XA mod qBob

XBYB= XB mod qKAM = (YM) XA mod q KBM = (YM)XB mod q

Mallory(active attacker)YM= XM mod q

XM

YM= XM mod q

KAM = (YA) XM mod qKBM = (YB) XM mod q


Does D-H Solve This?

[email protected]

petitions.govInsecure Channel

How does TJ know he’s really talking to petitions.gov?How can he establish a secure channel to transmit password?


Asymmetric Cryptography

[email protected]


Asymmetry Required

[email protected]

Messages: everyone should be able to send Alice a message that only Alice can readSignatures: Bob should be able to verify Alice signed a message, but not impersonate Alice


Asymmetric Cryptosystem

[email protected]

E DPlaintextCiphertext


Alice Bob

Correctness: D(E(m)) = mSecurity: given E(m) and E , cannot learn anything interesting about m or D


Asymmetric Cryptosystem(with Kerckhoffs’ Principle)

[email protected]



Alice Bob

Correctness: DKUA(EKRA (m)) = mSecurity: given EKRA(m), E, KUA, and D,

cannot learn anything interesting about m or KRA.

KRA KUA


Providing AsymmetryNeed a function f that is:Easy to compute:

given x, easy to compute f (x)Hard to invert:

given f (x), hard to compute xHas a trap-door:

given f (x) and t, easy to compute x

[email protected]

No function (publicly) known with these properties until 1977…


Ron RivestLen Adleman Adi Shamir


RSA Cryptosystem

Ee(M ) = Me mod nDd(C ) = Cd mod n n = pq p, q are primed is relatively prime to (p – 1)(q – 1)ed 1 mod (p – 1)(q – 1)

[email protected]


Correctness of RSAEe(M ) = Me mod nDd(C ) = Cd mod n

[email protected]


Correctness of RSAEe(M ) = Me mod nDd(C ) = Cd mod n

[email protected]

Dd(Ee(M )) = (Me mod n)d mod n = Med mod n = MThis step depends on choosing e and d to have this property: uses Fermat’s little theorem and Euler’s Totient theorem


Bonus: Works in Both OrdersEe(M ) = Me mod nDd(C ) = Cd mod n

[email protected]

Ee (Dd(M )) = (Md mod n)e mod n = Mde mod n = M


Providing AsymmetryNeed a function f that is:Easy to compute:

given x, easy to compute f (x)Hard to invert:

given f (x), hard to compute xHas a trap-door:

given f (x) and t, easy to compute x

[email protected]

Does RSA satisfy these?


Easy (Enough) to ComputeEasy to compute:

given x, easy to compute f (x)

[email protected]

Ee(M ) = Me mod n


Easy (Enough) to Compute

[email protected]

Ee(M ) = Me mod nam +n = am × ana2b = ab × abCompute Me in about log2e multiplications

Be careful not to have a timing side channel though!


Hard to Invert

[email protected]

Given Ee(M ) and e and n, hard to compute M. If attacker can factor n = pq, easy to find d:d = e-1 mod (p – 1)(q – 1)All other attacks are equivalent to factoring n.

No one seems to know a fast way to factor, except with a quantum computer (and no one seems to yet know how to build a large one).

For reasonable security, n should be 2048 bits (comparable to 112-bit symmetric key) – believed sufficient until 2030.


Easy to Invert with Trapdoor

[email protected]

Ee(M ) = Me mod nDd(C ) = Cd mod n


Using RSA: Confidentiality

[email protected]



Alice Bob

KUBKRB

Private Key: KRB = d (private exponent)Bob’s Public Key: KUB = (n, e)

(modulus, public exponent)

Selects two large primes p, q Computes ed 1 mod (p – 1)(q – 1)Publishes n = pq and e, keeps d secret

Sends confidential messages to Bob using his public key

Over 1000x slower than AES! Only use when asymmetry is needed.


Using RSA: Signatures

[email protected]



Alice Bob

KUBKRB




Sends confidential messages to Bob using his public key



Using RSA: Signatures

[email protected]

E DVerified Message

Signed MessageMessage

Insecure Channel

Alice Bob

KUBKRB




Verifies message is from Bob using his public key



Elliptic Curve Asymmetric Cryptosystems

Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP (unless you know trapdoor).

[email protected]

y2 = x3 – 7 (mod p)

https://www.wolframalpha.com/input/?i=y%5E2+=+x%5E3+++7


RSA ECC

Discovery1977

(previously discovered in 1969 by GHCQ and perhaps earlier

by NSA)

1985(adoption limited until ~2005)

“Hard” Problem Factoring Discrete Log on Elliptic Curve

Key Size (~112-bit) 2048 bits (768 bits broken) 224 bits (112 bits broken)

Backdoor Risk None Curves selected by NSA

Quantum Computing Risk

Known fast factoring algorithms (Shor’s)

Similar (variation of Shor’s algorithm solves Discrete Log)

Implementation Challenges

Avoiding weak keys, timing side channels

Fast operations on elliptic curves, leaks on invalid inputs


RSA ECC Lattice Ciphers

Discovery 1977 1985

(adoption limited until ~2005)

1996

“Hard” Problem Factoring Discrete Log on

Elliptic CurveLattice Problems

(e.g., closest vector)Key Size

(~112-bit)2048 bits

(768 bits broken)224 bits

(112 bits broken) 1,000,000 bitsBackdoor

Risk None Curves selected by NSA Little

Quantum Computing

Risk

Known fast factoring

algorithms (Shor’s)

Similar (variation of Shor’s algorithm

solves Discrete Log)Only if P = NP

Implementation Challenges

Avoiding weak keys, timing side

channels

Fast operations on elliptic curves, leaks

on invalid inputsOnly simple arithmetic

(but 10Ks of them)


Applications of Asymmetric Cryptosystems

[email protected]


Using Asymmetry: Signatures

[email protected]

E DVerified Message

Signed MessageMessage

Insecure Channel

Alice Bob

KUBKRB

Generates KUB and KRB

Publishes KUBVerifies message is from Bob using his public key

Over 1000x slower than AES! (with both RSA and ECC)

What if we need to sign long (bigger than n ~ 2048 bits) messages?


Verified Message Message

Message Digests

[email protected]

E DVerified Message

Digest

Message

Alice Bob

KUBKRB

H

Mes

sage

Dig

est

H=

Sign

ed M

essa

ge

H is a cryptographic hash function:one-way: given H(x) cannot find preimage xstrong collision-resistant:

hard to find pair x and y where H(x) = H(y)


Authentication

[email protected]

petitions.govInsecure Channel

How does TJ know he’s really talking to petitions.gov?How can he establish a secure channel to transmit password?


Simple Login Protocol

[email protected]

petitions.gov

EKUpetitions(“tj” + password) DKRpetitions(c)

Eve can’t decrypt without KRpetitions.


Getting Public Keys

• Public keys only useful if you know you have the right one!• Secure on-line directory?

[email protected]

keys.gov

What is petitions.gov public key?

KUpetitions


Moving Directory Off-Line

[email protected]

TrustMe.com

TJ

Petitions

petitions.gov, KUPetitions

CP = KRTrustMe[“petitions.gov”, KUPetitions]

CPVerifies using KUTrustMe


Anyone use this?

[email protected]


SSL (Secure Sockets Layer)Simplified TLS Handshake Protocol

Client ServerHello

KRCA[Server Identity, KUS]Verify Certificate using KUCA

Check identity matches URL

Generate random K EKUS (K)

Decryptusing KRS

Secure channel using K

[email protected]



Client ServerHello



Generate random K

Decryptusing KRS


[email protected]

How did client get KUCA?

EKUS (K)


Certificates

[email protected]

VarySign.com

TJ

Petitions


CPVerifies using KUVarySign

How does VarySign decide if it should give certificate to requester?

CP = KRVarySign[“petitions.gov”, KUPetitions]


$1500 for 1 year $399


Limiting Damage

[email protected]

VarySign.com

TJ

Petitions


CP = KRVarySign [“petitions.gov”, cert ID, Expiration, KUPetitions]



Certificate Revocation

[email protected]

VarySign.com

Client

Petitions


CP = KRVarySign[“petitions.gov”, cert ID, Expiration, KUPetitions]


Certificate Revocation List (CRL)

<cert ID, date>…


CRL Checking

[email protected]

Mozilla Firefox

Google Chrome On-line checking is expensive and may fail

Attacker-in-the-middle can make it fail



Client ServerHello



Generate random K KUS [K]

Decryptusing KRS


[email protected]

EKUS (K)

Actual TLS has some extra steps:- Negotiate versions- Agree on which ciphers to use (many

options, but beware!)- Can authenticate client also


Summary

• Many useful applications require asymmetry– Confidentiality without shared key, signatures– Others we will cover next week

• Asymmetric cryptosystems can be built using hard problems in number theory with trapdoors: RSA (factoring), ECC (discrete log)

• Asymmetric ciphers are very expensive: need to combine with hashes and symmetric crypto

[email protected]


SSL Test

[email protected]


[email protected]/crypto

Plan for Final Meeting:Applications of Asym Crypto

Secure ComputationFuture of Cryptosystems

open to requests!

[email protected]

public-key protocols

Technology

crypto applications14

crypto applications13

crypto applications18

crypto applications19

crypto applications16

crypto applications17

crypto applications15

crypto applications8