4/19/2010

Cryptography and Network Security
Chapter 10
Fifth Edition
by William Stallings
Lecture slides by Lawrie Brown

Chapter 10 – Other Public Key Cryptosystems

Amongst the tribes of Central Australia every man, woman, and child has a secret or sacred name which is bestowed by the older men upon him or her soon after birth, and which is known to none but the fully initiated members of the group. This secret name is never mentioned except upon the most solemn occasions; to utter it in the hearing of men of another group would be a most serious breach of tribal custom. When mentioned at all, the name is spoken only in a whisper, and not until the most elaborate precautions have been taken that it shall be heard by no one but members of the group. The native thinks that a stranger knowing his secret name would have special power to work him ill by means of magic.
— The Golden Bough, Sir James George Frazer

Diffie-Hellman Key Exchange
• first public-key type scheme proposed
• by Diffie & Hellman in 1976 along with the exposition of public key concepts
  – note: now know that Williamson (UK CESG) secretly proposed the concept in 1970
• is a practical method for public exchange of a secret key
• used in a number of commercial products

Diffie-Hellman Key Exchange
• a public-key distribution scheme
  – cannot be used to exchange an arbitrary message
  – rather it can establish a common key
  – known only to the two participants
• value of key depends on the participants (and their private and public key information)
• based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy
• security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard

Diffie-Hellman Setup
• all users agree on global parameters:
  – large prime integer or polynomial $q$
  – $a$ being a primitive root mod $q$
• each user (eg. A) generates their key
  – chooses a secret key (number): $x_A < q$
  – compute their public key: $y_A = a^{x_A} \bmod q$
• each user makes public that key $y_A$

Diffie-Hellman Key Exchange
• shared session key for users A & B is $K_{AB}$:
  $K_{AB} = a^{x_A \cdot x_B} \bmod q$
  $= y_A^{x_B} \bmod q$ (which B can compute)
  $= y_B^{x_A} \bmod q$ (which A can compute)
• $K_{AB}$ is used as session key in private-key encryption scheme between Alice and Bob
• if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys
• attacker needs an x, must solve discrete log
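
The exchange above carries no authentication of the public keys. As an added example (not part of the original slides), this simulation runs the exchange with the toy values q=353, a=3, x_A=97, x_B=233 from the page's worked example, once honestly and once with both public keys replaced in transit, and shows that comparing a key fingerprint detects the substitution. The `fingerprint` helper, the out-of-band comparison channel, and the interceptor keys 5 and 7 are assumptions made for illustration.

```python
import hashlib

Q, A = 353, 3   # toy global parameters q and a (the page's small worked example)

def public_key(x):
    return pow(A, x, Q)              # y = a^x mod q

def shared_key(y_peer, x_own):
    return pow(y_peer, x_own, Q)     # K = y_peer^x_own mod q

def fingerprint(k):
    # Hypothetical helper: short digest of the session key that the two users
    # compare over a channel the interceptor cannot alter.
    return hashlib.sha256(str(k).encode()).hexdigest()[:16]

def exchange(x_a, x_b, interceptor=None):
    """Simulate one exchange; interceptor is None or the pair (x_d1, x_d2)
    of private keys held by a party who replaces both public keys in transit."""
    y_a, y_b = public_key(x_a), public_key(x_b)
    to_bob, to_alice = y_a, y_b
    result = {}
    if interceptor:
        x_d1, x_d2 = interceptor
        to_bob, to_alice = public_key(x_d1), public_key(x_d2)
        result["k_d_alice"] = shared_key(y_a, x_d2)   # key shared with Alice
        result["k_d_bob"] = shared_key(y_b, x_d1)     # key shared with Bob
    result["k_alice"] = shared_key(to_alice, x_a)
    result["k_bob"] = shared_key(to_bob, x_b)
    result["fingerprints_match"] = (
        fingerprint(result["k_alice"]) == fingerprint(result["k_bob"]))
    return result

if __name__ == "__main__":
    print(exchange(97, 233))                       # honest run
    print(exchange(97, 233, interceptor=(5, 7)))   # constructed interceptor keys
```

In the intercepted run Alice and Bob each hold a key, but not the same one, so the fingerprint comparison fails; that mismatch is the signal that the public keys were not the ones the peers sent.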
Diffie-Hellman Example
• users Alice & Bob who wish to swap keys:
• agree on prime $q = 353$ and $a = 3$
• select random secret keys:
  – A chooses $x_A = 97$, B chooses $x_B = 233$
• compute respective public keys:
  – $y_A = 3^{97} \bmod 353 = 40$ (Alice)
  – $y_B = 3^{233} \bmod 353 = 248$ (Bob)
• compute shared session key as:
  – $K_{AB} = y_B^{x_A} \bmod 353 = 248^{97} \bmod 353 = 160$ (Alice)
  – $K_{AB} = y_A^{x_B} \bmod 353 = 40^{233} \bmod 353 = 160$ (Bob)

Key Exchange Protocols
• users could create random private/public D-H keys each time they communicate
• users could create a known private/public D-H key and publish in a directory, then consulted and used to securely communicate with them
• both of these are vulnerable to a man-in-the-middle attack
• authentication of the keys is needed

Man-in-the-Middle Attack
1. Darth prepares by creating two private / public keys
2. Alice transmits her public key to Bob
3. Darth intercepts this and transmits his first public key to Bob. Darth also calculates a shared key with Alice
4. Bob receives the public key and calculates the shared key (with Darth instead of Alice)
5. Bob transmits his public key to Alice
6. Darth intercepts this and transmits his second public key to Alice. Darth calculates a shared key with Bob
7. Alice receives the key and calculates the shared key (with Darth instead of Bob)
• Darth can then intercept, decrypt, re-encrypt, forward all messages between Alice & Bob

ElGamal Cryptography
• public-key cryptosystem related to D-H
• so uses exponentiation in a finite (Galois) field
• with security based on the difficulty of computing discrete logarithms, as in D-H
• each user (eg. A) generates their key
  – chooses a secret key (number): $1 < x_A < q-1$
  – compute their public key: $y_A = a^{x_A} \bmod q$

ElGamal Message Exchange
• Bob encrypts a message to send to A by computing
  – represent message $M$ in range $0 \le M \le q-1$
    • longer messages must be sent as blocks
  – choose random integer $k$ with $1 \le k \le q-1$
  – compute one-time key $K = y_A^{k} \bmod q$
  – encrypt $M$ as a pair of integers $(C_1, C_2)$ where
    • $C_1 = a^{k} \bmod q$ ; $C_2 = KM \bmod q$
• A then recovers message by
  – recovering key $K$ as $K = C_1^{x_A} \bmod q$
  – computing $M$ as $M = C_2 K^{-1} \bmod q$
• a unique $k$ must be used each time
  – otherwise result is insecure

ElGamal Example
• use field GF(19), $q = 19$ and $a = 10$
• Alice computes her key:
  – A chooses $x_A = 5$ & computes $y_A = 10^{5} \bmod 19 = 3$
• Bob sends message $m = 17$ as $(11, 5)$ by
  – choosing random $k = 6$
  – computing $K = y_A^{k} \bmod q = 3^{6} \bmod 19 = 7$
  – computing $C_1 = a^{k} \bmod q = 10^{6} \bmod 19 = 11$; $C_2 = KM \bmod q = 7 \cdot 17 \bmod 19 = 5$
• Alice recovers original message by computing:
  – recover $K = C_1^{x_A} \bmod q = 11^{5} \bmod 19 = 7$
  – compute inverse $K^{-1} = 7^{-1} = 11$
  – recover $M = C_2 K^{-1} \bmod q = 5 \cdot 11 \bmod 19 = 17$
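
The ElGamal slides state that a unique k must be used each time. As an added example (not part of the original slides), the code below reproduces the GF(19) exchange and then shows how a receiver or auditor can spot a repeated k from equal C1 values, and what a repeat exposes. The second and third messages (9 and 2), the value k=4, and the function names `reused_k` and `exposed_by_reuse` are constructed for illustration.

```python
Q, A = 19, 10                        # GF(19) parameters from the page's example

def public_key(x):
    return pow(A, x, Q)              # y_A = a^x_A mod q

def encrypt(m, y, k):
    K = pow(y, k, Q)                 # one-time key K = y_A^k mod q
    return pow(A, k, Q), (K * m) % Q # (C1, C2)

def decrypt(c, x):
    c1, c2 = c
    K = pow(c1, x, Q)                # K = C1^x_A mod q
    return (c2 * pow(K, -1, Q)) % Q  # M = C2 * K^-1 mod q (Python 3.8+)

def reused_k(ciphertexts):
    """Index pairs whose C1 values are equal: with a primitive root a and
    k in 1..q-1, equal C1 means the same k was used twice."""
    first_seen, pairs = {}, []
    for i, (c1, _) in enumerate(ciphertexts):
        if c1 in first_seen:
            pairs.append((first_seen[c1], i))
        first_seen.setdefault(c1, i)
    return pairs

def exposed_by_reuse(c_known, m_known, c_other):
    """With k reused, one known nonzero plaintext gives K = C2 * M^-1 and so
    the other message, without the private key x_A."""
    if m_known % Q == 0:
        raise ValueError("known plaintext must be nonzero mod q")
    K = (c_known[1] * pow(m_known, -1, Q)) % Q
    return (c_other[1] * pow(K, -1, Q)) % Q

if __name__ == "__main__":
    y_a = public_key(5)
    log = [encrypt(17, y_a, 6), encrypt(9, y_a, 6), encrypt(2, y_a, 4)]
    print(log, reused_k(log), exposed_by_reuse(log[0], 17, log[1]))
```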
Elliptic Curve Cryptography
• majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very large numbers/polynomials
• imposes a significant load in storing and processing keys and messages
• an alternative is to use elliptic curves
• offers same security with smaller bit sizes
• newer, but not as well analysed

Real Elliptic Curves
• an elliptic curve is defined by an equation in two variables x & y, with coefficients
• consider a cubic elliptic curve of form
  – $y^2 = x^3 + ax + b$
  – where x, y, a, b are all real numbers
  – also define zero point O
• consider set of points $E(a,b)$ that satisfy
• have addition operation for elliptic curve
  – geometrically sum of P+Q is reflection of the intersection R

Real Elliptic Curve Example

Finite Elliptic Curves
• Elliptic curve cryptography uses curves whose variables & coefficients are finite
• have two families commonly used:
  – prime curves $E_p(a,b)$ defined over $Z_p$
    • use integers modulo a prime
    • best in software
  – binary curves $E_{2^m}(a,b)$ defined over $GF(2^m)$
    • use polynomials with binary coefficients
    • best in hardware

Elliptic Curve Cryptography
• ECC addition is analog of modulo multiply
• ECC repeated addition is analog of modulo exponentiation
• need "hard" problem equiv to discrete log
  – $Q = kP$, where Q, P belong to a prime curve
  – is "easy" to compute Q given k, P
  – but "hard" to find k given Q, P
  – known as the elliptic curve logarithm problem
• Certicom example: $E_{23}(9,17)$

ECC Diffie-Hellman
• can do key exchange analogous to D-H
• users select a suitable curve $E_q(a,b)$
• select base point $G = (x_1, y_1)$
  – with large order n s.t. $nG = O$
• A & B select private keys $n_A < n$, $n_B < n$
• compute public keys: $P_A = n_A G$, $P_B = n_B G$
• compute shared key: $K = n_A P_B$, $K = n_B P_A$
  – same since $K = n_A n_B G$
• attacker would need to find k, hard
ECC Encryption/Decryption
• several alternatives, will consider simplest
• must first encode any message M as a point on the elliptic curve $P_m$
• select suitable curve & point G as in D-H
• each user chooses private key $n_A < n$
• and computes public key $P_A = n_A G$
• to encrypt $P_m$: $C_m = \{kG,\; P_m + kP_B\}$, k random
• decrypt $C_m$ compute:
  $P_m + kP_B - n_B(kG) = P_m + k(n_B G) - n_B(kG) = P_m$

ECC Security
• relies on elliptic curve logarithm problem
• fastest method is "Pollard rho method"
• compared to factoring, can use much smaller key sizes than with RSA etc
• for equivalent key lengths computations are roughly equivalent
• hence for similar security ECC offers significant computational advantages

Comparable Key Sizes for Equivalent Security

Symmetric scheme      ECC-based scheme       RSA/DSA
(key size in bits)    (size of n in bits)    (modulus size in bits)
56                    112                    512
80                    160                    1024
112                   224                    2048
128                   256                    3072
192                   384                    7680
256                   512                    15360

Pseudorandom Number Generation (PRNG) based on Asymmetric Ciphers
• asymmetric encryption algorithms produce apparently random output
• hence can be used to build a pseudorandom number generator (PRNG)
• much slower than symmetric algorithms
• hence only use to generate a short pseudorandom bit sequence (eg. key)

PRNG based on RSA
• have Micali-Schnorr PRNG using RSA
  – in ANSI X9.82 and ISO 18031

PRNG based on ECC
• dual elliptic curve PRNG
  – NIST SP 800-9, ANSI X9.82 and ISO 18031
• some controversy on security / inefficiency
• algorithm
    for i = 1 to k do
        set s_i = x(s_{i-1} P)
        set r_i = lsb_240(x(s_i Q))
    end for
    return r_1, . . . , r_k
• only use if just have ECC
Summary
• have considered:
  – Diffie-Hellman key exchange
  – ElGamal cryptography
  – Elliptic Curve cryptography
  – Pseudorandom Number Generation (PRNG) based on Asymmetric Ciphers (RSA & ECC)