security engineering - PowerPoint PPT Presentation

1 / 35

About This Presentation

Title:

security engineering

Description:

elec 5610. handout 8 :: asymmetric crypto. 1. security engineering. matt barrie ... Calculate the four square roots m1, m2, m3, m4 of c (remember quadratic residues) ... – PowerPoint PPT presentation

Number of Views:132

Avg rating:3.0/5.0

Slides: 36

Provided by: mattb7

Category:

more less

Transcript and Presenter's Notes

Title: security engineering

1
security engineering

matt barrie
ltmattb_at_alumni.stanford.orggt

2
origins of public key cryptography

Cryptoarchaeology?
Diffie and Hellman Merkle (Stanford) 1976
invented the concept separately.
RSA invented (Rivest, Shamir, Adelman) 1976.
Clifford Cocks wrote a variant of RSA (GCHQ)
1973
James Ellis (GCHQ) 1967 proved public key
possible.
NSA claims they invented it even earlier ...
Jim Frazer (NSA - retired) says a 1962 NSA memo
on command control of nuclear weapons was the
basis for its invention!
Circumstantial evidence the STU-III secure
telephone used PKI in the mid 1970s, well before
certificates were in the civilian world.
The black sector is far ahead of the civilian
sector.

3
NSA memo 160 June 1962
4
public key cryptography

Otherwise known as asymmetric cryptography.
Each entity has a public key e and a private key
d.
The public key is associated with the encryption
algorithm, and the private key the decryption
algorithm.
The public key and the encryption algorithm need
not be a secret and is often published in a
directory.
Public key encryption alone provides
confidentiality, not data origin authentication
nor integrity (since the encryption key and
algorithm is known).
Public key decryption can be used to provide
authentication guarantees.

5
example
Alice
Bob
Looks up Bobs public key e, sends c Ee(m)
(e.g. directory, email footer, home page)
Decrypts message m Dd(c)
Directory
Alice e Bob f ...
6
public key cryptography

Problems
Asymmetric (public key) crypto is much slower
than symmetric (private key) crypto
Public key crypto often used to transport keys
used for bulk data encryption by symmetric
algorithms (commonly known as session keys).
Public key crypto also used to encrypt small
things (e.g. credit card transactions, PIN
numbers, etc.)
It is imperative to ensure that the public key
from directory, email etc. is correct otherwise
one is vulnerable to an impersonation attack.
Since the attacker knows the encryption algorithm
and key, they can always perform a chosen
plaintext attack.

7
el gamal cryptosystem

El Gamal (Stanford)
Security is based upon the discrete log problem.
Key generation
Alice generates random g, a and prime p.
Alice calculates ga (mod p).
Alices public key is p, g and ga (which she can
publish).
The variable a is the private key used to
decrypt.
Public Directory
Alice p, g, ga
Bob q, h, hb

8
el gamal cryptosystem

To send a message to Alice
retrieve p, g, ga from directory
choose a random k relatively prime to p-1
compute y1 gk
for message m ? Zp compute y2 (ga)k m (mod p)
send (y1 , y2) to Alice
To decypher the message
compute y1a gak (mod p)
compute g-ak
compute y2g-ak m to retrieve the message
The security of the algorithm relies on not being
able to calculate the DL of y1.

9
RSA

Rivest, Shamir, Adelman (MIT) 1976-7
Most widely used public key cryptosystem
Security relies on the factoring of large
composites.
Key Generation
Generate two large random (and distinct)
primes (gt 1024 bits), each roughly the same
size.
Compute n pq and F(n) Zn (p-1)(q-1)
From Eulers theorem, aF(n) 1 (mod n), so
choose encyphering exponent e and decyphering
exponent d such that e.d 1 mod F(n).
The public key is e, n.
The private key is d.
p, q and F(n) are secret (only used during key
generation).

10
RSA

RSA Encryption
Obtain Alices public key n, e
Represent the message as an integer 0, n-1
Compute c me mod n
Send cyphertext c to Alice.
RSA Decryption
Alice computes
cd mod n (me)d mod n
med mod n
m1 kF(n) mod n
m.(mF(n))k mod n
m since mF(n) 1 (mod
n)

11
chinese remainder theorem

If you know the factorisation of n ( pq), then
you can use the Chinese Remainder Theorem to
solve a system of equations
x a1 (mod m1)
x a2 (mod m2) x a3 (mod m3)
where gcd(mi, mj) 1 (i.e. relatively prime)
The CRT states that there exists a simultaneous
solution to these equations where any two such
solutions are congruent to each other mod M (M
m1m2 m3 m4)

12
chinese remainder theorem proof

Proof by direct solution
For each i, define
Mi M/mi ?i?jmj
By the Euclidean Algorithm, calculate Ni such
that
NiMi 1 mod mi
The solution to the system of simultaneous
equations is
x Si1..r ai Mi Ni

13
CRT example

Solve the following system of equations
x a1 (mod 7)
x a2 (mod 11) x a3 (mod 13)
Now M m1m2 m3 1001
To find Ns (e.g. N1)
N1 x M1 1 (mod 7)
N1 x 11 x 13 1 (mod 7)
N1 x 3 1 (mod 7)
Using Eulers generalisation
F(m1) 7 - 1 6
So N1 3F-1 mod 7 35 mod 7 5 mod 7

14
CRT example

Solving for the other Ns
M1 143, N1 5
M2 91, N2 4
M3 77, N3 12
So
x Si1..r ai Mi Ni
x 715 a1 364 a3 924 a3 (mod 1001)

15
factoring attack on RSA

The RSA problem is to recover m from c me mod
n, knowing only n and e.
Suppose n can be factored into p and q.
Then F(n) (p-1)(q-1) can be computed.
Therefore d can be computed as e.d 1 mod F(n)
Therefore we can recover the message m
Fact The problem of computing the RSA decryption
exponent from the public key (n,e) and the
problem of factoring n are computationally
equivalent.
When performing key generation, it is imperative
that the primes p and q are selected to make
factoring npq difficult (e.g. by picking p and q
roughly equal size).

16
small encryption exponent attack on RSA

In order to improve the speed of RSA, often a
small encryption exponent is used (e.g. 2161 is
quite popular).
If a group of entities all use the same
encryption exponent, it is clear that they must
have their own distinct modulus. If they are the
same, then other users can obviously calculate
others private keys d.
But say Alice wishes to send messages to three
parties, all with a small encryption exponent (e
3)
c1 m3 (mod n1)
c2 m3 (mod n2) c3 m3 (mod n3)

17
small encryption exponent attack on RSA

Observing c1, c2, c3 and knowing n1, n2, n3 we
can compute using the CRT
x m3 mod n1n3n3
But since m lt ni for n 1 .. 3 (otherwise
information is lost during encryption)
x m3
i.e. m x1/3
Thus a small encryption exponent should not be
used to send the same message (or the same with
variations) to several entities.
Salting the plaintext (padding with random bits)
can help avoid this attack.

18
other attacks on RSA

Small decryption exponent
In a similar manner, a small decryption exponent
should also be avoided.
Forward search attack
Note since the encryption key is public, if the
message space is small or predictable, an
attacker can try brute force on the message
space.
Salting the plaintext may help to prevent this
attack.

19
homomorphic properties of RSA

Suppose
c1 m1e mod n c2 m2e mod n
Then
c1 c2 (m1m2)e mod n
Using this property we can attack RSA
Suppose we want Alice to reveal the decryption of
c me mod n

20
homomorphic properties of RSA

Bob sends to Alice
(!c) cxe mod n
Alice computes
(!c)d (cxe)d mod n
cdxed mod n
mxed mod n
mx mod n
If Alice reveals this information, Bob can
compute
m (mx)x-1 mod n

21
rabin public key cryptosystem

Public key n pq
Private key p, q (roughly the same size)
Encryption
c m2 mod n
Decryption
Calculate the four square roots m1, m2, m3, m4 of
c (remember quadratic residues).
The message sent was one of these roots.
From before, we note that the finding of square
roots mod n without knowing the prime
factorisation of n is computationally equivalent
to factoring.

22
square and multiply

In RSA and Discrete Log, a common operation is
exponentiation, i.e. calculating ge where g, e
are large numbers (300 digits).
A simple approach to this is to use
square-and-multiply
g23 g16 . g4 . g2 . g1
In this example we take 7 multiplication
(assuming squaring is computationally equivalent
to multiplying).
Algorithm
z ? 1, y ? g
for i 0 .. n-1
if ei 1 then z ? zy check bit position
y ? y2

23
addition chains

Using addition chains, we can be a little more
efficient
e.g. g, g2, g3, g5, g10, g20, g23
This takes only 6 multiplications (versus 7).
An addition chain is used to minimise the number
of multiplications required.
The addition chain of length s for exponent e is
a sequence of positive integers u0 .. us and
associated sequence w0 .. ws of pairs of
integers wi (i1, i2) with the property that
(1) u0 1, us e
(2) ui ui1 ui2

24
addition chains - example

Take e 15 (i.e. calculate g15)
i 0 1 2 3 4
5
wi (0,0) (0,1) (2,2) (3,3) (2,4)
gi g g2 g3 g6
g12 g15
Algorithm
g0 ? g
for i 0 .. s
gi ? gi1gi2
Finding the shortest addition chain is
computationally hard (NP-hard). It is akin to
solving the TSP.

25
definitions in complexity theory

A polynomial time algorithm is one where the
worst case running time of the algorithm is O(nk)
where n is the input size and k is some constant.
Polynomial time algorithms are said to be good or
efficient.
Any algorithm which cannot be bounded as such is
said to be an exponential-time algorithm.
The complexity class P is the set of all decision
problems which are solvable in polynomial time.
The complexity class NP is the set of all
decision problems which an answer can be verified
in polynomial time, given some extra information
called a certificate.

26
complexity theory

Fact P is a subset of NP
Unknown Is P NP?
Example of a problem in NP
Given a positive integer n, is n composite?
That is, are there integers a, b gt 1 such that n
ab?
If L1 and L2 are two decision problems, L1 is
said to polynomial reduce to L2 (L1 P L2) if
there is an algorithm that solves L1 which uses
as a subroutine an algorithm that solves L2, and
runs in polynomial time.
Two problems are said to be computationally
equivalent if L1 P L2 and L2 P L1.

27
summary symmetric crypto

Advantages of symmetric-key crypto
Can be designed to have high throughput rates
Keys are relatively short (128 bits .. 256 bits)
Symmetric cyphers can be used as primitives to
construct other constructs such as pseudo random
number generators (PRNGs).
Symmetric cyphers can be used to construct
stronger cyphers
e.g. simple substitutions and permutations can be
used to create stronger cyphers
All known attacks involve exhaustive key
search.
Disadvantages of symmetric-key crypto
In a two party network, the key must remain
secret at both ends
Sound practice dictates the key needs to be
changed frequently (e.g. each session).
In a large network, n! keys are required which
creates a massive problem for key management.

28
summary asymmetric crypto

Advantages of asymmetric-key crypto
Only the private key needs to remain secret
The administration of keys on a network requires
the presence of only a functionally trusted
(honest and fair) TTP.
Depending on the mode of usage, the public and
private key pairs may be used for long periods of
time (upper bound Moores Law).
In large networks, n keys are required instead of
n!
Disadvantages of asymmetric-key crypto
Throughput rates are typically very slow (all
known algorithms)
Key sizes are typically much larger (1024 .. 4096
bits)
Security is based upon the presumed difficulty of
a small set of number-theoretic problems and all
known are subject to short-cut attacks (e.g.
knowing the prime factorisation of n)
Public key crypto does not have an extensive
history in the public world.

29
combining cryptosystems

Symmetric and asymmetric crypto are complementary
Public key crypto can be used to establish a key
for fast symmetric crypto (e.g. a session key).
Alice and Bob take advantage of the long term
benefits of public key crypto and publish their
public keys in a directory.
Public key crypto is good for key management and
signatures (explained later)
Private key crypto is good for encryption and
some data integrity applications.

30
symmetric crypto key length

Security of a symmetric cypher is based on
strength of the algorithm
length of the key
Assuming the strength of the algorithm is perfect
(impossible in practice) then brute force is the
best attack.
Hardware attack estimates (2001)
Cost (USD) 40-bit 56-bit 64-bit 128-bit
100k 0.25s 4.4hrs 46d 1018 yrs
1M 25ms 26min 4.6d 1017 yrs
100M 0.25ms 15min 67min 1015 yrs
1G 25us 1.6s 7.5min 1014 yrs

31
interesting ways to break symmetric cyphers

Virus / Worms
What if Code Red or Melissa brute forced a
cypher?
Melissa infected 800k machines
Cracking DES _at_ 5Mkeys/s (PIII_at_1GHz) Melissa-DES
would brute force the key space in 5 hours.
In 2000 a worm did just that
http//www.distributed.net/trojans.html.en
Chinese Lottery
Say a 1Mkey/s chip was built into every radio and
TV sold in China.
Each chip is designed to brute force when a
signal is received over the air.
If 10 of the people in China have a radio or TV,
the 56-bit DES keyspace can be exhausted in 12
minutes.

32
asymmetric crypto key length

The security of all current, known public key
algorithms is based upon the presumed difficulty
of a small set of number-theoretic problems.
All known are subject to short-cut attacks (e.g.
knowing the prime factorisation of n). Tomorrow
we might figure out how do to this factorisation
easily (DNA? Quantum?).
In 1977, Ron Rivest said that factoring a
125-digit number would take 40 quadrillion years.
In 1999, a 512-bit (155 digit) number was
factored.
Year digits 512-bit complexity Year
digits 512-bit
1983 71 gt 20,000,000 times 1993 120 gt 500 times
1985 80 gt 2,000,000 1994 129 gt 100
1988 90 gt 250,000 1999 140 4
1989 100 gt 30,000 1999 155 1
(8.4k MIPS years)

33
how long should a key be?

Type of Traffic Lifetime Min. Key Length
Tactical Military Information minutes /
hours 56-64 bits
Product Announcements / MA days / weeks 64 bits
Long Term Business Plans years 64 bits
Trade Secrets (Recipe for Coke) decades 112 bits
H-bomb Secrets gt 40 years 128 bits
Identities of Spies gt 50 years 128 bits
Personal Affairs gt 50 years 128 bits
Diplomatic Embarassments gt 65 years 192 bits
U.S. Census Data 100 years 192 bits
Symmetric versus Asymmetric (as of 1999)
56 bits vs gt 384 bits
64 bits vs gt 512 bits
80 bits vs gt 768 bits
128 bits vs gt 2304 bits
Note with every day that goes by, these
estimates change (theyre already incorrect!)