Introduction to Cryptography

Similar documents
CSCE 465 Computer & Network Security

Universal Padding Schemes for RSA

Overview of Public-Key Cryptography

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Digital Signatures. Prof. Zeph Grunschlag

Introduction. Digital Signature

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Computer Security: Principles and Practice

Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Cryptography and Network Security Chapter 9

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Public Key Cryptography and RSA. Review: Number Theory Basics

Lecture 15 - Digital Signatures

Lukasz Pater CMMS Administrator and Developer

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Advanced Cryptography

Digital signatures. Informal properties

Index Calculation Attacks on RSA Signature and Encryption

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

SECURITY IN NETWORKS

7! Cryptographic Techniques! A Brief Introduction

Public Key Cryptography: RSA and Lots of Number Theory

Introduction to Cryptography CS 355

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Cryptographic Hash Functions Message Authentication Digital Signatures

Cryptography and Network Security

CS 758: Cryptography / Network Security

Public Key (asymmetric) Cryptography

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Cryptography & Network Security

1 Signatures vs. MACs

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Chapter 10. Network Security

Cryptography. Jonathan Katz, University of Maryland, College Park, MD

Notes on Network Security Prof. Hemant K. Soni

Public-Key Cryptanalysis

Chapter 7: Network security

RSA Attacks. By Abdulaziz Alrasheed and Fatima

Network Security. Omer Rana

Network Security. HIT Shimrit Tzur-David

1 Domain Extension for MACs

IT Networks & Security CERT Luncheon Series: Cryptography

Network Security. Chapter 2 Basics 2.2 Public Key Cryptography. Public Key Cryptography. Public Key Cryptography

Symmetric Key cryptosystem

CRYPTOGRAPHY IN NETWORK SECURITY

CSCI-E46: Applied Network Security. Class 1: Introduction Cryptography Primer 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Elements of Applied Cryptography Public key encryption

Digital Signatures. What are Signature Schemes?

Digital signatures are one of the most important inventions/applications of modern cryptography.

Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

Principles of Network Security

Privacy-Providing Signatures and Their Applications. PhD Thesis. Author: Somayeh Heidarvand. Advisor: Jorge L. Villar

Software Tool for Implementing RSA Algorithm

Public Key Cryptography Overview


CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July The OWASP Foundation

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

CPSC 467b: Cryptography and Computer Security

DIGITAL SIGNATURES 1/1

Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1

Lecture 9: Application of Cryptography

Symmetric Mechanisms for Authentication in IDRP

The Exact Security of Digital Signatures How to Sign with RSA and Rabin

Digital Signature. Raj Jain. Washington University in St. Louis

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

SFWR ENG 4C03 - Computer Networks & Computer Security

What is network security?

The Mathematics of the RSA Public-Key Cryptosystem

Advanced Topics in Cryptography and Network Security

Lecture 6 - Cryptography

Signature Schemes. CSG 252 Fall Riccardo Pucella

AN IMPLEMENTATION OF HYBRID ENCRYPTION-DECRYPTION (RSA WITH AES AND SHA256) FOR USE IN DATA EXCHANGE BETWEEN CLIENT APPLICATIONS AND WEB SERVICES

Cryptography and Network Security

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

Mathematical Model Based Total Security System with Qualitative and Quantitative Data of Human

Capture Resilient ElGamal Signature Protocols

CIS 5371 Cryptography. 8. Encryption --

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Applied Cryptography Public Key Algorithms

Fully homomorphic encryption equating to cloud security: An approach

EXAM questions for the course TTM Information Security May Part 1

8th ACM Conference on Computer and Communications Security November 2001 Philadelphia - Pennsylvania - USA

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Cryptography and Network Security

Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information

Transcription:

Introduction to Cryptography Part 2: public-key cryptography Jean-Sébastien Coron January 2007

Public-key cryptography Invented by Diffie and Hellman in 1976. Revolutionized the field. Each user now has two keys A public key A private key Should be hard to compute the private key from the public key. Enables: Asymmetric encryption Digital signatures Key exchange Identification, and many other functionalities Alice s Public key Keygen function Alice s Private key

Public-key encryption Solves the key distribution issue BOB ALICE Insecure M E C C D channel M Alice s public-key Alice s private-key

RSA Invented by Rivest, Shamir and Adleman in 1977. Still the most widely used PK algorithm. Public key: n=p.q and e Primes p and q remain secret. Privatekey: d such that e.d=1 mod (p-1)(q-1)

RSA Encryption using public n,e: c=m e mod n Decryption using private d: m=c d mod n Decryption works because: m=c d =(m e ) d =m e.d =m because: e.d=1 mod f

RSA: trapdoor one-way permutation Trapdoor unknown: x easy f(x) hard Trapdoor known: x easy f(x) Asymmetric encryption: Everybody can encrypt to Alice using Only Alice can decrypt using easy

Implementation of RSA Required: computing with large integers more than 1024 bits. In software big integer library: GMP, NTL In hardware Cryptoprocessor for smart-card Hardware accelerator for PC.

Speed of RSA RSA much slower than AES and other secret key algorithms. to encrypt long messages, encrypt a symmetric key K with RSA, and encrypt the long message with K. M E K BOB RSA (C 1,C 2 ) Insecure channel (C 1,C 2 ) ALICE RSA E K M Alice s public-key Alice s private-key

Security of RSA Security of RSA is based on the hardness of factorization Given n=p.q, no known efficient algorithm to recover p and q. Factorization record: 663 bits (2005) Public modulus n must be large enough At least 1024 bits. 2048 bits is better. Factoring is just one line of attack not necessarily the most practical more attacks to take into account

Attacks against RSA Dictionary attack If only two possible messages m 0 and m 1, then only two ciphertexts c 0 =m 0e [n] and c 1 =m 1e [n]. Encryption must be probabilistic (or nonstatic). Coppersmith s attack (1996) Applies for RSA with small e, when some part of the message is known

Attacks against RSA Chosen-ciphertext attack: Given ciphertext c to be decrypted Generate a random r Ask for the decryption of the random looking ciphertext c =c * (r e )[n] One gets m =c d =c d *(r e ) d =c d *r=m * r[n] This enables to compute m=m /r [n]

Attacks against RSA One cannot use plain RSA encryption one must add some randomness one must apply some preformatting to the message Example: PKCS#1 v1.5 Encryption: m(m)=0002 r 00 m, then c=m(m) d [n] Decryption: recover m(m), check redundancy. Bleichenbacher s attack against PKCS#1 v1.5 Appeared in 1998. Could be use against web-servers using SSL protocol.

Security of RSA (and other cryptosystems) To be rigorous when speaking about security, one must specify the attacker s goal: does he need to recover the key or only decrypt a particular ciphertext or less? the attacker s power: does he get only the user s public-key, or more?

Attacker s goal One may think that the adversary s goal is always to recover the private key. complete break may be too ambitious in practice BOB ALICE Insecure M E C C D channel M EVE? Alice s public-key Alice s private-key

Attacker s goal More modest goal: being able to decrypt one ciphertext. or recover some information about a plaintext (for example, the first character) BOB ALICE Insecure M E C C D «hello» channel M Alice s public-key EVE M=«h????» Alice s private-key

Attack models Specify the power of the attacker Public-key only the attacker gets only the public-key Weakest adversary BOB ALICE Insecure M E C C D channel M EVE Alice s public-key Alice s private-key

Attack models Ciphertext-only attack the attacker gets only a set of ciphertexts primitive ciphers (Ceasar s cipher, monoalphabetic substitution cipher) were vulnerable. BOB ALICE Insecure M E C C D channel M EVE

Attack models Known-plaintext attack Attack has access to plaintext/ciphertext pairs. In practice, attacker may have some hint on some plaintexts. Used during WW2 to break Enigma cipher. BOB ALICE Insecure M E C C D channel M EVE

Attack models Chosen plaintext attack Attacker can obtain encryption of plaintexts of his choice. For PK encryption, equivalent to PK only attack. BOB ALICE Insecure M E C C D channel M EVE

Chosen-ciphertext attack Most powerful attack The attacker can obtain decryption of messages of his choice May be realistic in practice attacker gets access to a decryption machine encryption algorithm used in a more complex protocol in which users can obtain decryption of chosen ciphertexts. BOB ALICE Insecure M E C C D channel M EVE

Attack scenario One must specify the attacker s goal (total break, partial decryption ) The attack model (chosen plaintext, chosen ciphertext ) Strongest security model: combines weakest goal: obtaining only one bit of information about a plaintext strongest adversary: chosen ciphertext attack

Strongest security notion Indistinguishability under adaptive chosen ciphertext attack (IND-CCA2) Formalized in 1991 by Rackoff et Simon A ciphertext should give no information about the corresponding plaintext, even under an adaptive chosen-ciphertext attack. Has become standard security notion for encryption.

IND-CCA2 schemes OAEP Designed by Bellare and Rogaway in 1994. Appears in PKCS#1 v2.1 standard. Cramer-Shoup (1998) Based on discrete-log. Proven secure without the random oracle model.

OAEP Ciphertext is c=(s t) e [n] M 0 r s G H t

Digital signature A bit string that depends on the message m and the user s public-key Only Alice can sign a message using her private-key ALICE Anybody can verify Alice s signature of m given her public-key BOB m m s S V s Alice s private-key yes/no Alice s public-key

Digital signature A digital signature provides: Authenticity: only Alice can produce a signature of a message valid under her public-key. Integrity: the signed message cannot be modified. Non-repudiation: Alice cannot later claim that she did not sign the message

Signing with RSA Public key: n=p.q and e Private key: d such that e.d=1 mod (p-1)(q-1) Signing using private d: s=m d mod n Verifying using public n,e: check that m=s e mod n ISO 9796-2, PKCS#1 v2.1

Attacks against RSA signatures Givens 1 =m 1d mod n and s 2 =m 2d mod n one can compute the signature of m 1 *m 2 without knowing d s = s 1 *s 2 =(m 1d )*(m 2d ) mod n =(m 1 *m 2 ) d mod n One cannot use plain RSA signature One must apply some pre-formatting to the message to cancel the mathematical structure.

RSA signature To prevent these attacks, one uses a hash function - PKCS#1 v1.5 : m(m)=0001 FF FF00 c H(m) - ISO 9796-2: m(m)=6a m[1] H(m) BC

Attack scenario for signature We must specify schemes the adversary s goal the adversary s power Adversary s goal Controlled forgery: the adversary produces the signature of a message of his choice Existential forgery: the adversary produces the signature of a (possibly meaningless) message

Adversary s power No-message attack The adversary gets only the public-key Known message attack The adversary obtains a set of pairs message/signatures Chosen message attack The adversary can obtain the signature of any message of his choice, adaptively.

Strongest security notion Combines weakest goal with strongest adversary Existential unforgeability under an adaptive chosen message attack Defined by Goldwasser, Micali and Rivest in 1988 It must be infeasible for an attacker to forge the signature of a message, even if he can obtain signature of messages of his choice.

PSS Example of secure signature schemes Designed by Bellare and Rogaway in 1996 IEEE P1363a standard and PKCS#1 v2.1 2 variants: PSS and PSS-R that provides message recovery. M r H G s=(w s) d mod n w s

Conclusion What is cryptography? Cryptography s aim it to construct protocols that achieve some goal despite the presence of an adversary Scientific approach: To be rigorous, one must define what it means to be secure Then one tries to construct schemes that satisfies the definition, in a provable way.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information