1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.
-
Upload
kellie-fisher -
Category
Documents
-
view
221 -
download
0
description
Transcript of 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.
![Page 1: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/1.jpg)
1
COSC 350: Codes and Ciphers
Public-Key Cryptography
March 26, 2002
Prof. Dorothy E. Denning
![Page 2: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/2.jpg)
2
Public-Key Cryptography
Each user has a unique public-private key pairAlice - KApriv, KApub
Bob - KBpriv, KBpub
The public key can be given to anyoneThe private key is not shared with anyone, including a trusted
third party (authentication server)The public key is a one-way function of the private-key (hard
to compute private key from public one)Used for key distribution/agreement, message encryption, and
digital signatures
![Page 3: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/3.jpg)
3
Origins of Public Key
Concept credited to Diffie and Hellman, 1976“New Directions in Cryptography”
Motivation - They wanted a scheme whereby Alice could send a message to Bob without the need for Alice and Bob to share a secret or for a Trusted Third Party -- called “public-key” because Alice & Bob need only exchange public keys to set up a secret channel
Invented earlier by British at CESGhttp://www.cesg.gov.uk/about/nsecret.htm
![Page 4: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/4.jpg)
4
![Page 5: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/5.jpg)
5
Public-Key Agreement
Method whereby Alice and Bob can agree on a secret key to use with DES, AES, or some other symmetric encryption algorithm
They do this after exchanging only public keysThey each compute a secret session key K from their
own private key and the other’s public key. They both arrive at the same K independently
![Page 6: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/6.jpg)
6
Diffie-Hellman Method
Shared prime p and generator gAlice: private xa and public ya = gxa mod p
xa = logg ya mod p (hard to compute)
Bob: private xb and public yb = gxb mod pThey swap public keysAlice computes: K = ybxa mod p = gxb xa mod pBob computes: K = yaxb mod p = gxa xb mod p
![Page 7: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/7.jpg)
7
Math Strength
Depends on difficulty of computing the discrete logarithm
The best known methods are exponentially hard - same as factoring
e.g., given n, find p, q where n = p * qNeed to use numbers on the order of 768 bits (230
digits) or biggerImplementations typically use 512 (155), 1024 (310)
or 2048 (621) bits (digits).
![Page 8: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/8.jpg)
8
On The Fly Approach
Alice and Bob generate xa, xb, ya, yb on the flyThey exchange ya and yb and compute KWhat are drawbacks?What applications are appropriate?
![Page 9: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/9.jpg)
9
Permanent
Alice and Bob generate permanent keys and deposit ya and yb in public database (key center)
Alice gets yb from database (or from Bob)Alice computes K = ybxa mod p = gxb xa mod p Alice -> Bob: ya, C = EK(M)
(or Bob could get ya from database)Bob computes K = yaxb mod p = gxa xb mod p Bob decrypts C with K to get MWhat are drawbacks?
![Page 10: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/10.jpg)
10
Hybrid Approach
Alice & Bob generate xa, xb and deposit public keys ya, yb
Alice gets yb from database (or from Bob)Alice generates temporary pair xt, yt Alice computes K = ybxt mod p = gxb xt mod p Alice -> Bob: yt, EK(M)
Bob computes K = ytxb mod p = gxt xb mod p and decrypts M
![Page 11: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/11.jpg)
11
Public-Key Encryption
The public and private keys are used for message encryption and decryption for purpose of secrecy
Alice encrypts message to Bob with Bob’s public key
Bob decrypts messages to him with his private keyIn practice, public-key encryption is used to encrypt
and decrypt messages that contain symmetric keys (e.g., for DES/AES), and the symmetric keys are used to encrypt/decrypt the data
![Page 12: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/12.jpg)
12
Sending Messages
To send message M to Bob, only Bob’s keys usedAlice -> Bob: C = EBpub(M)Bob decrypts: M = DBpriv(C)
In practice, use to distribute symmetric key KAlice -> Bob: CK = EBpub(K), CM = EK(M) Bob decrypts: K = DBpriv(CK), M = DK(CM)Alice and Bob then use K to encrypt/decrypt messages
![Page 13: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/13.jpg)
13
RSA Method
Ron Rivest, Adi Shamir, Leonard Adleman1977 -- all at MIT at the time
Basic idea: an exponentiation cipher where the modulus is the product of two large primes
Mathematical strength is derived from the difficulty of factoring a number into its primes
![Page 14: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/14.jpg)
14
![Page 15: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/15.jpg)
15
At Crypto 82
![Page 16: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/16.jpg)
16
RSA
Pick primes p and q and compute n = p * qPick e, d such that e * d = 1 mod (n)
(n) = (p-1) * (q-1)(e, n) is public key(d, n) is private key - (p, q) also part of private key, but not
used after computation of d and eEncrypt: C = Me mod nDecrypt: M = Cd mod n
![Page 17: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/17.jpg)
17
Example
p = 53, q = 61, n = 53 * 61 = 3233pick e = 71compute d such that
71 * d = 1 mod (52 * 60) get d = 791
Let M = 1704C = 170471 mod 3233 = 3106.M = 3106791 mod 3233 = 1704.
![Page 18: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/18.jpg)
18
Theory
Proof sketch for (n) = (p-1) * (q-1)(n) = # primes < n relatively prime to nconsider the n=pq numbers 0, 1, ..., pq-1all are relatively prime to n except for 0 and
p-1 elements: q, 2q, 3q, ..., (p-1)qq-1 elements: p, 2p, 3p, ..., (q-1)p
so (n) = pq - [(p-1) + (q-1) + 1]= pq - p - q + 1 = (p-1)(q-1)
![Page 19: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/19.jpg)
19
Factoring
Given a number n, find primes p1, p2, ..., pk such that n = p1 * p2 * ... * pk
For RSA, there are known to be only 2 factors:n = p * q
Factoring arbitrary numbers is harder than factoring special types of numbers, e.g., numbers of the form n = 2s - 1 (Mersenne number)
Breaking RSA can be no harder than factoring, but could be easier
![Page 20: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/20.jpg)
20
History of FactoringYear # Digits Method1970 41 Continued Fraction - Morrison-Brillhart1980 501982 551983 621984 721991 100 Quadratic Sieve1993 120 Quadratic Sieve1994 129 Quadratic Sieve (RSA predicted 40 quadrilllion years!)1996 130 Number Field Sieve (1000 MIPS yrs)1999 140 Number Field Sieve (2000 MIPS yrs, 8.9 CPU yrs)2000 155 Number Field Sieve (35.7 CPU yrs) (512 bits)???? 174 RSA challenge not yet factored (576 bits)
![Page 21: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/21.jpg)
21
Proposed Advances
• The Weizmann Institute Key Locating Engine (TWINKLE)– code breaking machine design by Adi Shamir– 6-by-6-inch electro-optical computer– measures light from diodes to perform calculations to break keys
• Daniel Bernstein proposal to NSF– special purpose hardware to facilitate sieving and matrix reduction– trades time for memory– would allow factorization of numbers with 3 times as many bits
for large n• might need 3,072-bit key instead of 1,024-bit key
![Page 22: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/22.jpg)
22
Quadratic Sievefastest algorithm for numbers up to 110 digitsAug. 93 - Mar. 94 - 129-digit number factored in effort led
by Arjen LenstraUsed double large prime variation of the multiple
polynomial QS600 people, 1,600 machines on the Internet using e-mail to
communicateEquivalent to about 5,000 MIPS years
1 MIPS year is computation over 1 year at rate of 1 M instructions/sec
![Page 23: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/23.jpg)
23
Number Field Sieve
fastest method for numbers > 110 digits1996 - 130-digit number factored on the Internet --
again led by LenstraTook only 500 MIPS years!Lenstra estimated that 50,000 Pentium PCs could
break a 155 digit (512-bit key) in a few daysT = exp((1.923 + O(1))(ln(n)1/3(ln(ln(n)))2/3)
![Page 24: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/24.jpg)
24
RSA-512 Factored
Factored August 22, 1999Used General Number Field Sieve
line sieving and lattice sieving35.7 CPU years; 8000 MIPS yearsElapsed time: 7.4 months
Polynomial selection: 9 weeksSieving: 3.7 months produced over 124 million relations
11 sites participatedMatrix solution: 224 CPU hours and 3.2 GB memory on Cray C916 to solve matrix with about 6.7 million rows and columns
![Page 25: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/25.jpg)
25
QS and NFS
Use random square factoringFind x and y such that x2 = y2 mod nThen
x2 - y2 = 0 mod n => (x-y)(x+y) = 0 mod nIf x y mod n then
gcd(x-y, n) yields a prime factor of n probability of this is at least 1/2
So trick is generating numbers that are squares
![Page 26: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/26.jpg)
26
Random Square Factoring
• Two-phase process– 1) Sieving/collection
• Find number to put into a matrix• Takes gobs of time for large numbers• Effort can be distributed
– 2) Matrix reduction/solution• Find entries in matrix that, when combined, give pairs (x, y) of
squares• Takes reasonable time, but not distributable• Uses gobs of memory
![Page 27: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/27.jpg)
27
factor n = 24961factor base = {-1,2, 3, 5, 13, 23}compute m = sqrt n = 157
i z b factorization of b a v1 0 -312 -1 * 23 * 3 * 13 157 1 1 1 0 1 02 1 3 3 158 0 0 1 0 0 03 -1 -625 -1 * 54 156 1 0 0 0 0 04 2 320 26 * 5 159 0 0 0 1 0 05 -2 -936 -1 * 23 * 32 * 13 155 1 1 0 0 1 06 4 960 26 * 3 * 5 161 0 0 1 1 0 07 -6 -2160 -1 * 24 * 33 * 5 151 1 0 1 1 0 0
a = z + mb = a2 - n so b = a2 mod n
want x, y such that x2 = y2 mod n
b3 * b6 * b7 = a32 * a62 * a72 = (a3 * a6 * a7)2 mod n
x = a3 * a6 * a7 mod n = 156 * 161 * 151 mod n = 23405
y2 = b3 * b6 * b7 mod n = 210 * 34 * 56 mod ny = - 25 * 32 * 53 mod n = 13922
gcd (x-y, n) = gcd (9483, 24961) = 109 = first factor
compute n/109 = 229 = second factor
![Page 28: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/28.jpg)
28
Generating Primes
• For RSA, need to generate primes p, q• Other ciphers also require prime numbers• Guaranteed - prove the number has no factors
– must attempt to factor, which is not feasible for very large numbers
• Probabilistic - no guarantee– but can say with some very high probability that
number is prime– much faster - practical even for very large numbers
![Page 29: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/29.jpg)
29
Sieve of Eratosthenes
Invented around 200 B.C.Finds all primes less than NWrite down all numbers 2, 3, 4, 5, ..., NDelete multiples of 2 greater than 2Delete multiples of 3 greater than 3Continue up to sqrt(N)When done, have all primes < NTotally impractical for 200 digit numbers!
![Page 30: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/30.jpg)
30
Practical Method
Prick random n-bit number pSet low-order and high-order bit to 1Is p divisible by small primes 3, 5, 7, 11, …?
go up to primes < 256 or 20003, 5, 7 - eliminates 54% of odd numbersall primes < 256 eliminates 76%
Do Rabin-Miller test 5 times. If pass all 5 tests, consider p to be prime
![Page 31: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/31.jpg)
31
Rabin-Miller TestProbabilistic testDetails in SchneierSuppose p passes the test.The probability that p is prime is at least 3/4. Thus,
the probability that p is not prime is at most 1/4.Do test t times. If p passes all t times, then the
probability that p is not prime is at most (1/4)t. for t = 5, this is 1/1024
![Page 32: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/32.jpg)
32
Odds of SuccessPick p at random - what are the chances that it is prime?Let z = # primes between 1 and NPrime Number Theorem:
z approaches N/ln(N) as z gets largeFor N = 10,000,000 N/ln(N) = 620,421 and z = 664,579
So odds are about 7/100For 100 digit numbers, odds are 1/115
![Page 33: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/33.jpg)
33
Strong Primes
Defeat certain factoring methodsProperties
(p-1)/2 and (q-1)/2 should be primegcd(p-1, q-1) should be small both p-1 and q-1 should have large prime
factors, denoted p’ and q’both p’-1 and q’-1 should have large prime factors
Schneier recommends against using strong primes
![Page 34: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/34.jpg)
34
Practical Considerationsfor Exponentiation Ciphers
Block messages according to the modulus sizeUse method of fast exponentiation
repeated squaring and multiplication for each 0 bit, square (multiply by itself)for each 1 bit, multiply and then square
(no square on last bit)if exponent has t bits, # of multiplies is T where
t <= T <= 2t - 1
![Page 35: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/35.jpg)
35
Example
25 = 1 1 0 0 1a25 mod n = a16 * a8 * a mod nhow many multiplies?
89 = 1 0 1 1 0 0 1a89 mod n = a64 * a16 * a8 * a mod nhow many multiplies?
![Page 36: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/36.jpg)
36
Fast Exponentiationfunction fastexp(a, z, n) - “return az mod n”a1 := a; z1 := z; x:= 1;while z1 != 0 do begin while z1 mod 2 = 0 do begin “square a1 while z1 is even” z1 := z1 div 2; a1 := (a1 * a1) mod n end; z1 := z1 - 1; x := (a1 * x) mod n “multiply”end;fastexp := x;end
![Page 37: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/37.jpg)
37
Digital Signatures: Objectives
Message integrity and authenticitydetect tampering and bogus messages
Source/sender authenticitydetect forgeries
Non-repudiationsender cannot disavow signing a messagea third party -- court -- can resolve dispute
![Page 38: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/38.jpg)
38
Public-Key Signatures
Signer has a public-private key pairThe signature is produced with the private key
only signer can do thisThe signature is validated with the public key
anyone can do this, including the intended recipient and a third party judge
No keys of the receiver are used
![Page 39: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/39.jpg)
39
Sending a Signed Message
Alice sends a signed message to Bob using her private key. Bob validates with her public key
Alice -> Bob: (M, S) where S = signApriv(h(M)) for hashing function h
Bob checks: validateApub(M, S)
Hashing function h is public and not keyedS is function of entire message M
![Page 40: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/40.jpg)
40
RSA Signatures
Let (e, n) be Alice’s public key and (d, n) her private key
Alice -> Bob: (M, S) where S = signApriv(h(M)) = (h(M))d mod n
Bob checks: validateApub(M, S):
h1 = h(M)h2 = Se mod n [ = (h(M))d e mod n = h(M) ]if h1 = h2 then accept else reject
![Page 41: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/41.jpg)
41
Why Hashing
Reduces time to sign and space for signatureAlso important for securitySuppose don’t hash: what happens if you ask Alice
to sign a message sent to her?C = EApub(M) = Me mod n
S = signApriv(M) = Md mod n
![Page 42: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/42.jpg)
42
Digital Signature Standard (DSS)
FIPS PUB 186, adopted 1994Uses variant of methods invented by ElGamal and
Schnorr, which in turn were based on Diffie-Hellman
Uses exponentiations in modular arithmetic where security is based on difficulty of computing the discrete log (as for DH)
Uses SHA for hashing
![Page 43: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/43.jpg)
43
DSSpublic values shared by group
p - prime number - 512-1024 bitsq - 160-bit value (most computation mod q)g = h(p-1)/q mod p where h < (p-1) and g > 1
user private keyx - any number less than q
user public keyy = gx mod p
![Page 44: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/44.jpg)
44
![Page 45: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/45.jpg)
45
Notes
Verification is slower than with RSABoth RSA and DSS are used extensively -- many
products support bothDSS not designed for encryption -- use with Diffie-
Hellman key exchange
![Page 46: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/46.jpg)
46
Encrypt & Sign With RSA
Alice generates K & computes CK = EBpub(K)CM = EK(M) S = signApriv(M)
Alice -> Bob: CK, CM, S Bob computes
K = DBpriv(CK) M = DK(CM) validateApub(M, S)
![Page 47: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/47.jpg)
47
ciphertextkey
ciphertextmessage
signature
Dear Bob …
Love,Alice
hash sign
enc
enc dec
dec
ok?
random K
KBobpub
KSAlicepriv
Dear Bob …
KK
Alice Bob
sent to Bob
KBobpriv
KSAlicepub
certificate
password
password
![Page 48: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/48.jpg)
48
E-Mail In PracticeAlice composes message M to Bob and clicks button “send
signed and encrypted”Alice’s system prompts Alice for password, which unlocks her
private signature keyAlice’s system looks up Bob’s public key-encrypting key. It
generates K, and computes CK, CM, and SWhen Bob gets message, he clicks on button “decrypt and
validate”Bob’s system prompts him for a password, which unlocks his
private key-encrypting key. It decrypts CK and then CMBob’s system looks up Alice’s public signature key and
validates S. It displays M and whether S was OK
![Page 49: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/49.jpg)
49
Login AuthenticationChallenge-Response
Alice logs onto serverServer sends Alice a challenge MAlice returns M and her signature S of itServer validates S and knows it is Alice
![Page 50: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/50.jpg)
50
Elliptic Curve Cryptography
Can implement schemes analogous to Diffie-Hellman and DSA using elliptic curves mod p instead of the integers mod p
Computing discrete logs is thought to be much harder in elliptic curve than integers mod p
Comparable security with shorter keys160 bits comparable to 1024 RSA/DH108 bits broken in 4 months using 9,500 computers
So less storage needed for keysOrder of magnitude speedup
![Page 51: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/51.jpg)
51
Elliptic Curves
An elliptic curve is a set of points (x,y) that solve an equation of a particular form, e.g.,
y2 mod p = x3 + ax + b mod p where a, b < p and
4a3 + 27b2 != 0 mod p (then a group)Can compute over the numbers on an elliptic curve -
there is a group operationTutorial at
<http://www.certicom.com/research/online.html>
![Page 52: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/52.jpg)
52
EC Arithmetic Rules
1. infinity + infinity = infinity2. (x, y) + infinity = (x, y)3. (x, y) + (x, -y) = infinity4. (x1, y1) + (x2, y2)5. 2 (x, y)
scalar multiplication by doubling and adding
![Page 53: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/53.jpg)
53
<http://www.certicom.com/research/online.html>
Elliptic curve over real numbers
![Page 54: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/54.jpg)
54
<http://www.certicom.com/research/online.html>
![Page 55: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/55.jpg)
55
<http://www.certicom.com/research/online.html>
![Page 56: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/56.jpg)
56
Elliptic curve overfinite field Fp
(integers mod p)where p = 23
<http://www.certicom.com/research/online.html>
![Page 57: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/57.jpg)
57
EC Diffie-Hellman
Global values: p, a, b, P - P is (x, y) point on curveAlice’s private key dA (integer), public key QA = dA PBob’s private key dB, public key QB = dB PAlice and Bob exchange QA and QB
Alice computes secret value (also point on curve)S = dA QB = dA dB P
Bob computes secret valueS = dB QA = dB dA P
Alice and Bob compute symmetric key K from Se.g., K = x where S = (x, y)
![Page 58: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/58.jpg)
58
Key Lengths
Symmetric RSA,DH/DSA
ECC,Hash
Breakable 56 512 112
Adequate 80 1,024 161
StrongNear term
128 3,072 256
Long term 256 15,360 512
Don B. Johnson, “ECC, Future Resiliency and High Security Systems”
![Page 59: 1 COSC 350: Codes and Ciphers Public-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning.](https://reader036.fdocuments.net/reader036/viewer/2022062413/5a4d1b447f8b9ab0599a2a8f/html5/thumbnails/59.jpg)
59
Public Key Cryptography StandardsPKCS #1: RSA Cryptography Standard PKCS #2: incorporated into PKCS #1 PKCS #3: Diffie-Hellman Key Agreement Standard PKCS #4: incorporated into PKCS #1 PKCS #5: Password-Based Cryptography Standard PKCS #6: Extended-Certificate Syntax Standard PKCS #7: Cryptographic Message Syntax Standard PKCS #8: Private-Key Information Syntax Standard PKCS #9: Selected Attribute Types PKCS #10: Certification Request Syntax Standard PKCS #11: Cryptographic Token Interface Standard PKCS #12: Personal Information Exchange Syntax Standard PKCS #13: Elliptic Curve Cryptography Standard PKCS #15: Cryptographic Token Information Format Standard
http://www.rsasecurity.com/rsalabs/pkcs/