EE 418 Network Security and Cryptography Lecture #10

Transcription

1 EE 418 Network Security and Cryptography Lecture #10 November 1, 2016 RSA and ElGamal Public Key Cryptosystems. Introduction to Key Distribution. Diffie-Hellman Key Distribution. Lecture notes prepared by Professor Radha Poovendran. Tamara Bonaci Department of Electrical Engineering University of Washington, Seattle Outline: 1. Review: Public Key Cryptography The Discrete logarithm problem ElGamal cryptosystem 2. Introduction to Key Distribution Problem 3. Diffie-Hellman Key Distribution 1 Review: Public Key Cryptography and RSA Cryptosystem Last lecture, we continued our discussion about public key cryptography. In a public key cryptosystem, there are two keys: a public encryption key, i.e., a key known to everyone and a private decryption key that is kept private and known only to a person whom a ciphertext was intended for. Under a public key cryptosystem, anyone can encrypt a message to send to Alice using her public key, P K A, but only Alice can decrypt the message using her private key SK A. The figure below presents a block diagram of a secure communication using public key cryptosystem. Plaintext ENC Ciphertext CHANNEL Ciphertext DEC Plaintext Bob Public key PK A Private key SK A Alice Fig. 1. Schematic of public key-based encryption and decryption. In this lecture, we will continue our discussion about the ElGamal cryptosystem. In doing so, let s first recall the definition of the discrete logarithm problem. 1.1 The Discrete Logarithm Problem Let s consider the set of integers modulo p, denoted as Z p. The set of integers in Z p that are relatively prime to p is denoted as Z p. As an example, when p = 13, Z 13 = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}. Theorem 1. There exists an element α Z p, denoted as a primitive element, such that for every y Z p and for some x it holds that: y = α x (mod p) (1) 1

2 We omit the proof for this theorem, put let s consider the following example. Example 2: When p = 13, one of the primitive elements is equal to α = 2, leading to the elements {2, 2 2 = 4, 2 3 = 8, 2 4 = 3 (mod 13), 2 5 = 6, 2 6 = 12, 2 7 = 2 (mod 13) = 11 (mod 13), 2 8 = 4 (mod 13) = 9 (mod 13), 2 9 = 8 (mod 13) = 5 (mod 13), 2 10 = 10, 2 11 = 7, 2 12 = 1} = Z 13. Definition 1 (Discrete Logarithm Problem). Let s assume p is a prime number, and α and β are two nonzero integers (mod p). Let s now consider the equality: β α x (mod p) (2) The problem of finding x that satisfies equation (2) is known as the discrete logarithm problem. To date, no efficient algorithm for computing the discrete logarithm has been found. The assumption that the discrete logarithm problem is difficult is the basis for the ElGamal cryptosystem. For small primes p, of course, one can hand compute the set of elements, and do trial and error. For example, when p = 13, given α = 2 and β = 8,one can find that 2 3 = 8, and solve for a = 3. Therefore, typically the value of p needs to be very large (100 digit primes). 2 ElGamal Cryptosystem The ElGamal cryptosystem was developed by Taher ElGamal in The basic idea of ElGamal is as follows: 1. To encrypt, Bob generates a random number r and multiplies it by the plaintext x to obtain ciphertext Y = xr. Bob then transmits the ciphertext to Alice. 2. To decrypt, Alice follows an algorithm to remove the random number r, and retrieve the original plaintext. Since Bob generates a different random number during each instance of the encryption algorithm, a different ciphertext is generated even when the same plaintext is encrypted multiple times. Unlike RSA, whose security is based on the difficulty of factoring large integers, ElGamal bases its security on the difficulty of the Discrete Logarithm Problem. ElGamal has not been patented, which along with its randomized nature has contributed to its wide adoption. Ideas underlying the ElGamal cryptosystem have been incorporated into digital signature schemes and the Elliptic Curve Cryptography. We now describe the key generation, encryption, and decryption algorithms for ElGamal. 2.1 Key Generation Key generation consists of the following steps: 1. Choosing a large prime number p and an integer α satisfying 1 α (p 1). Number α must be a primitive root, i.e., every integer z with 1 z (p 1) can be written as z = α w mod p for some w. 2. Picking an integer a satisfying 1 a (p 1), and then computing β = α a mod p. 3. The public key is defined by P K = (α, β, p) and the private key is defined by SK = a. As usual, public key P K is published, while the private key SK is kept secret. As an example of typical ElGamal key lengths, the GNU Privacy Guard (an open-source package from encrypting ) uses a key length of 2048 bits. 2.2 Encryption ElGamal encryption consists of the following steps: 1. Generate a random integer k satisfying 1 k (p 2). 2

3 2. Compute Y 1 and Y 2 as Y 1 = α k mod p Y 2 = xβ k mod p 3. The ciphertext is given by (Y 1, Y 2 ) and is transmitted to Alice. Note that Bob chooses a different random integer k for each encrypted message that is sent. Hence, the same plaintext will yield a different ciphertext if it is encrypted twice using the ElGamal cryptosystem. 2.3 Decryption Alice decrypts a received ciphertext (Y 1, Y 2 ) as x = Y 2 (Y a 1 ) 1 mod p. Here (Y a 1 ) 1 denotes the inverse of Y a 1, defined as the unique integer satisfying (Y a 1 ) 1 (Y a 1 ) = 1 mod p. A schematic illustration of ElGamal is given in Figure 2. Key Generation: Generate prime p, integer α Generate a, compute β = α a mod p P K A = (α, β, p), SK A = a Alice Alice publishes P K A = (α, β, p) Bob knows: P K A = (α, β, p) Decryption: x = Y 2(Y a 1 ) 1 mod p Y 1 = α k mod p Y 2 = xβ k mod p Bob Encryption: Generate random integer k Compute ciphertext (Y 1, Y 2): Y 1 = α k mod p, Y 2 = xβ k mod p Fig. 2. Schematic illustration of ElGamal key generation, encryption, and decryption. Theorem 2. ElGamal cryptosystem is a well-defined cryptosystem. Proof. In order to prove that a cryptosystem is a well-defined cryptosystem, we need to prove that: Let s start from the following ElGamal decryption equation: Using ElGamal encryption equations: d(y, a) = d(e(x, α, β, p)) = x (3) x = Y 2 (Y a 1 ) 1 (mod p) (4) Y 1 = α k (mod p) Y 2 = xβ k (mod p) (5) 3

4 we can rewrite equation (4) as: x = xβ k [(α k ) a ] 1 = xβ k ( }{{} α a β ) k = xβ k β k (6) 2.4 Example of ElGamal Key Generation, Encryption, and Decryption An example of ElGamal key generation by Alice is: 1. Generate prime p = 2579 and α = Choose secret a = 765, and compute β = α a mod p = mod 2579 = Publish P K A = (α, β, p) = (2, 949, 2579). In order to encrypt the plaintext x = 1299, Bob carries out the following steps: 1. Generate a random number k = Compute Y 1 = α k mod p = mod 2579 = 435 mod 2579 Y 2 = xβ k mod p = 1299(949) 853 mod 2579 = 2396 mod The ciphertext is given by (Y 1, Y 2 ) = (435, 2396). Alice decrypts the received ciphertext (Y 1, Y 2 ) = (435, 2396) as x = Y 2 (Y a 1 ) 1 mod 2579 = 2396( ) 1 mod 2579 = 1299 mod Security of ElGamal Cryptosystem In order to decrypt an ElGamal ciphertext, the private key a is needed. The public key (α, β, p) and private key a are related by β = α a mod p. This resembles the problem of taking a logarithm of a real number, i.e., finding x such that y = e x, and is referred to as the Discrete Logarithm Problem (DLP). Analogous to RSA and factorization, known attacks on ElGamal require solving the DLP. Since there are currently no efficient algorithms for solving DLP, ElGamal is believed to be secure. 3 Introduction to Key Distribution Cryptographic primitives including encryption/decryption, message authentication, and digital signatures require the communicating parties Alice and Bob to agree on a shared secret key, or to obtain one another s valid public keys. Ensuring that Alice and Bob have valid cryptographic keys is the goal of key management, and today we focus on agreeing on a shared secret key over a public (insecure) channel. 4 Diffie-Hellman Key Exchange One efficient and secure method to agree on a shared secret key over an insecure channel relies on public key cryptography, and it is referred to as the Diffie-Hellman key exchange. The Diffie-Hellman key exchange was proposed by Witfield Diffie and Martin Hellman in 1976, and it was covered by U.S. patent 4,200,770, which has expired. The advantage of this approach is that symmetric key cryptosystems are typically much more efficient than public key cryptosystems. 4

5 The Diffie-Hellman protocol consists of the following steps, which are illustrated in Figure 3: 1. Alice and Bob agree on a prime number p and an integer α, with 1 α (p 1), such that α is a primitive root of the set Z p = {1, 2,..., p 1}, i.e., any integer z Z p can be expressed as z = α w ( mod p) for some integer w. Since (α, p) do not need to be secret, Alice and Bob can agree upon them in the clear. For example, Alice can post (α, p) in some public register, such as IETF RFC 5114, which provides several 1024-bit primes p, and corresponding integers α. 2. Alice generates an integer u A with 1 u A (p 1). Alice computes β A = α u A (mod p) and transmits β A to Bob. 3. Bob computes an integer u B with 1 u B (p 1). Bob computes β B = α u B (mod p) and transmits β B to Bob. 4. Alice computes K AB = (β B ) u A = α u Au B (mod p). Bob computes K AB = (β A ) u B = α u Au B (mod p). Alice and Bob communicate using key K AB. Alice α a (mod p) Bob α b (mod p) K A = α ab (mod p) K B = α ab (mod p) Fig. 3. The Diffie-Hellman key exchange. The main idea of the Diffie-Hellman protocol is that K AB compute the same key K = K AB = K BA : = K BA = α ab, i.e., Alice and Bob can both K A = (β B ) u A (α u B ) u A α u Au B (α u A ) u B (β A ) u B = K B (mod p). Example: Let p = , α = Suppose that Alice selects u A = 357 and computes: β A = α u A (mod p) = (mod ) = Now, suppose that Bob selects u B = 199 and computes β B = α u B compute a common key as: (mod p) = Alice and Bob then K = β u B A (mod p) = βu A B (mod p) = Two Types of Diffie-Hellman Problems We typically distinguish between two types of Diffie-Hellman problems: The computational Diffie-Hellman problem (CDH), and The decision Diffie-Hellman problem (DCH) 5

6 Computational Diffie-Hellman Problem (CDH): Let p be a prime and let α be a corresponding primitive root (generator) of the set of integers coprime to p, Z p. Given two elements: β a = α a (mod p) β b = α b (mod p) find an element X such that: X = α ab (mod p) (7) Decision Diffie-Hellman Problem (DDH): Let p be a prime, and let α be a corresponding primitive root (generator) of the set of integers coprime to p, Z p. Given three elements, β a = α a (mod p), β b = α b (mod p), and X, determine if: X = α ab (mod p) (8) Observe that if we can solve the CDH problem, then we can solve the DDH problem. Suppose that we are given β a, β b, and X. Suppose further that we have an algorithm that solves the CDH problem, so that given βa = α a mod p and βb = α b mod p,the algorithm returns Z = α ab mod p.then to solve DDH, we run the CDH algorithm, and then check to see if Z = X. We say that (solving) the DDH problem reduces to (solving) the CDH problem. Furthermore, if we can solve the discrete logarithm problem (DLP), then we can readily solve CDH (and hence DDH). Suppose that we are given β a and β b. Given an algorithm for solving DLP, we run the algorithm on β a and β b to obtain a and b satisfying β a = α a mod p and β b = α b mod p. We then compute ab and set X = α ab mod p. We say that (solving) the DDH reduces to (solving) DLP. Hence, solving the DDH problem implies that one can solve the CDH problem, which in turn implies that one can solve the DLP problem. 4.2 Security of Diffie-Hellman Key Exchange The security of the Diffie-Hellman key exchange is based on the computational difficulty of solving the Diffie-Hellman problem: let s assume that an attacker Eve wants to compute K = α ab, based on knowing β a and β b, but without knowing a or b. This is the definition of the CDH problem. Currently, which with the right choices of (α, p), no efficient algorithm for solving this problem is known, and hence the Diffie-Hellman key exchange is believed to be secure. Man-in-the-Middle Attack against the Diffie-Hellman Key Exchange: The difficulty of solving CDH implies that a passive eavesdropper cannot compute the secret key determined by the Diffie-Hellman key distribution scheme. Note, however, that the Diffie-Hellman scheme alone does not give Alice a method for verifying that she is agreeing on a key with Bob, instead of a third party pretending to be Bob (and, similarly, Bob has no way to verify that he is talking to Alice). This leaves the Diffie-Hellman key agreement scheme vulnerable to a man-in-the-middle attack by an active attacker who is capable of exchanging messages with Alice and Bob. The man-in-the-middle attack is shown in Figure 4, where Eve initiates two runs of the DH key agreement protocol, one with Alice and another with Bob. Alice and Bob then complete the respective protocol runs by returning their shares to Eve, thus establishing shared keys with Eve. The result of the man-in-the-middle attack is that both Alice and Bob think that they have agreed on keys with each other, but in fact both have agreed on keys with Eve. Any message that is encrypted using the shared keys will then be readable by Eve. If we can build authentication mechanism so that Alice and Bob can be sure that they are indeed talking to Bob and Alice respectively, then man-in-the-middle attack can be thwarted. Sources for Today s Lecture: 1. Douglas R. Stinson, Cryptography, Theory and Practice, 3rd edition. CRC Press, 2005, p and Wade Trappe and Lawrence C. Washington Introduction to Cryptography with Coding Theory. Prentice Hall, 2002, p and Charlie Kaufman, Radia Perlman, and Mike Speciner Network Security: Private Communication in Public World, 2nd Edition. Prentice Hall, 2002, p and and

7 Handout # Man in the Middle Attack on Di e-hellman The di culty of solving CDH implies that a passive eavesdropper cannot compute the secret key determined by the Di e-hellman key distribution scheme. Note, however, that the Di e-hellman scheme alone does not give Alice a method for verifying that she is agreeing on a key with Bob instead of a third party pretending to be Bob (and, similarly, Bob has no way to verify that he is talking to Alice). This leaves the Di e-hellman key agreement scheme vulnerable to a man in the middle attack by an active adversary who is capable of exchanging messages with Alice and Bob. The man in the middle attack is shown in Figure 2, where Eve initiates two runs of the DH key agreement protocol, one with Alice and another with Bob. Alice and Bob then complete the respective protocol runs by returning their shares to Eve, thus establishing shared keys with Eve. Alice Eve Bob b' (mod p) a' (mod p) a (mod p) b (mod p) K A = ab (mod p) K B = a b (mod p) Fig. 2. Man in the middle attack against the Di e-hellman key distribution scheme. Fig. 4. The man-in-the-middle attack against the Diffie-Hellman key exchange. The result of the man in the middle attack is that both Alice and Bob think that they have agreed on keys with each other, but in fact both have agreed on keys with Eve. Any message that is encrypted using the shared keys will then be readable by Eve. If we can build authentication mechanism so that Alice and Bob can be sure that they are indeed talking to Bob and Alice respectively, then Man in the Middle attack will be thwarted. 7