EE 418 Network Security and Cryptography Lecture #10


November 1, 2016

RSA and ElGamal Public Key Cryptosystems. Introduction to Key Distribution. Diffie-Hellman Key Distribution.

Lecture notes prepared by Professor Radha Poovendran. Tamara Bonaci, Department of Electrical Engineering, University of Washington, Seattle

Outline:
1. Review: Public Key Cryptography
   - The Discrete logarithm problem
   - ElGamal cryptosystem
2. Introduction to Key Distribution Problem
3. Diffie-Hellman Key Distribution

1 Review: Public Key Cryptography and RSA Cryptosystem

Last lecture, we continued our discussion about public key cryptography. In a public key cryptosystem, there are two keys: a public encryption key, i.e., a key known to everyone, and a private decryption key that is kept private and known only to the person for whom a ciphertext is intended. Under a public key cryptosystem, anyone can encrypt a message to send to Alice using her public key, $PK_A$, but only Alice can decrypt the message using her private key $SK_A$. The figure below presents a block diagram of a secure communication using a public key cryptosystem.

[Figure: Bob passes the plaintext through ENC using Alice's public key $PK_A$; the ciphertext crosses the channel; Alice passes it through DEC using her private key $SK_A$ to recover the plaintext.]
Fig. 1. Schematic of public key-based encryption and decryption.

In this lecture, we will continue our discussion about the ElGamal cryptosystem. In doing so, let's first recall the definition of the discrete logarithm problem.

1.1 The Discrete Logarithm Problem

Let's consider the set of integers modulo $p$, denoted as $\mathbb{Z}_p$. The set of integers in $\mathbb{Z}_p$ that are relatively prime to $p$ is denoted as $\mathbb{Z}_p^*$. As an example, when $p = 13$, $\mathbb{Z}_{13}^* = \{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12\}$.

Theorem 1. There exists an element $\alpha \in \mathbb{Z}_p^*$, denoted as a primitive element, such that for every $y \in \mathbb{Z}_p^*$ and for some $x$ it holds that:

$$y = \alpha^x \pmod p \tag{1}$$

We omit the proof for this theorem, but let's consider the following example.

Example 2: When $p = 13$, one of the primitive elements is equal to $\alpha = 2$, leading to the elements $\{2,\ 2^2 = 4,\ 2^3 = 8,\ 2^4 = 3 \pmod{13},\ 2^5 = 6,\ 2^6 = 12,\ 2^7 = 11 \pmod{13},\ 2^8 = 9 \pmod{13},\ 2^9 = 5 \pmod{13},\ 2^{10} = 10,\ 2^{11} = 7,\ 2^{12} = 1\} = \mathbb{Z}_{13}^*$.

Definition 1 (Discrete Logarithm Problem). Let's assume $p$ is a prime number, and $\alpha$ and $\beta$ are two nonzero integers (mod $p$). Let's now consider the equality:

$$\beta \equiv \alpha^x \pmod p \tag{2}$$

The problem of finding $x$ that satisfies equation (2) is known as the discrete logarithm problem.

To date, no efficient algorithm for computing the discrete logarithm has been found. The assumption that the discrete logarithm problem is difficult is the basis for the ElGamal cryptosystem. For small primes $p$, of course, one can hand compute the set of elements, and do trial and error. For example, when $p = 13$, given $\alpha = 2$ and $\beta = 8$, one can find that $2^3 = 8$, and solve for $x = 3$. Therefore, typically the value of $p$ needs to be very large (100 digit primes).

2 ElGamal Cryptosystem

The ElGamal cryptosystem was developed by Taher ElGamal in 1985. The basic idea of ElGamal is as follows:

1. To encrypt, Bob generates a random number $r$ and multiplies it by the plaintext $x$ to obtain ciphertext $Y = xr$. Bob then transmits the ciphertext to Alice.
2. To decrypt, Alice follows an algorithm to remove the random number $r$, and retrieve the original plaintext.

Since Bob generates a different random number during each instance of the encryption algorithm, a different ciphertext is generated even when the same plaintext is encrypted multiple times. Unlike RSA, whose security is based on the difficulty of factoring large integers, ElGamal bases its security on the difficulty of the Discrete Logarithm Problem. ElGamal has not been patented, which along with its randomized nature has contributed to its wide adoption. Ideas underlying the ElGamal cryptosystem have been incorporated into digital signature schemes and Elliptic Curve Cryptography. We now describe the key generation, encryption, and decryption algorithms for ElGamal.

2.1 Key Generation

Key generation consists of the following steps:

1. Choosing a large prime number $p$ and an integer $\alpha$ satisfying $1 \le \alpha \le (p - 1)$. Number $\alpha$ must be a primitive root, i.e., every integer $z$ with $1 \le z \le (p - 1)$ can be written as $z = \alpha^w \bmod p$ for some $w$.
2. Picking an integer $a$ satisfying $1 \le a \le (p - 1)$, and then computing $\beta = \alpha^a \bmod p$.
3. The public key is defined by $PK = (\alpha, \beta, p)$ and the private key is defined by $SK = a$.

As usual, public key $PK$ is published, while the private key $SK$ is kept secret. As an example of typical ElGamal key lengths, the GNU Privacy Guard (an open-source package for encrypting email) uses a key length of 2048 bits.

2.2 Encryption

ElGamal encryption consists of the following steps:

1. Generate a random integer $k$ satisfying $1 \le k \le (p - 2)$.

2. Compute $Y_1$ and $Y_2$ as

$$Y_1 = \alpha^k \bmod p, \qquad Y_2 = x\beta^k \bmod p$$

3. The ciphertext is given by $(Y_1, Y_2)$ and is transmitted to Alice.

Note that Bob chooses a different random integer $k$ for each encrypted message that is sent. Hence, the same plaintext will yield a different ciphertext if it is encrypted twice using the ElGamal cryptosystem.

2.3 Decryption

Alice decrypts a received ciphertext $(Y_1, Y_2)$ as $x = Y_2 (Y_1^a)^{-1} \bmod p$. Here $(Y_1^a)^{-1}$ denotes the inverse of $Y_1^a$, defined as the unique integer satisfying $(Y_1^a)^{-1}(Y_1^a) = 1 \bmod p$. A schematic illustration of ElGamal is given in Figure 2.

[Figure: Alice generates prime $p$, integer $\alpha$ and secret $a$, computes $\beta = \alpha^a \bmod p$, and publishes $PK_A = (\alpha, \beta, p)$; Bob generates a random integer $k$ and sends $Y_1 = \alpha^k \bmod p$, $Y_2 = x\beta^k \bmod p$; Alice decrypts with $x = Y_2 (Y_1^a)^{-1} \bmod p$.]
Fig. 2. Schematic illustration of ElGamal key generation, encryption, and decryption.

Theorem 2. ElGamal cryptosystem is a well-defined cryptosystem.

Proof. In order to prove that a cryptosystem is a well-defined cryptosystem, we need to prove that:

$$d(y, a) = d(e(x, \alpha, \beta, p)) = x \tag{3}$$

Let's start from the following ElGamal decryption equation:

$$x = Y_2 (Y_1^a)^{-1} \pmod p \tag{4}$$

Using ElGamal encryption equations:

$$Y_1 = \alpha^k \pmod p, \qquad Y_2 = x\beta^k \pmod p \tag{5}$$

we can rewrite equation (4) as:

$$x = x\beta^k \left[(\alpha^k)^a\right]^{-1} = x\beta^k (\underbrace{\alpha^a}_{\beta})^{-k} = x\beta^k \beta^{-k} \tag{6}$$

2.4 Example of ElGamal Key Generation, Encryption, and Decryption

An example of ElGamal key generation by Alice is:

1. Generate prime $p = 2579$ and $\alpha = 2$.
2. Choose secret $a = 765$, and compute $\beta = \alpha^a \bmod p = 2^{765} \bmod 2579 = 949$.
3. Publish $PK_A = (\alpha, \beta, p) = (2, 949, 2579)$.

In order to encrypt the plaintext $x = 1299$, Bob carries out the following steps:

1. Generate a random number $k = 853$.
2. Compute

$$Y_1 = \alpha^k \bmod p = 2^{853} \bmod 2579 = 435 \bmod 2579$$
$$Y_2 = x\beta^k \bmod p = 1299 (949)^{853} \bmod 2579 = 2396 \bmod 2579$$

3. The ciphertext is given by $(Y_1, Y_2) = (435, 2396)$.

Alice decrypts the received ciphertext $(Y_1, Y_2) = (435, 2396)$ as

$$x = Y_2 (Y_1^a)^{-1} \bmod 2579 = 2396 (435^{765})^{-1} \bmod 2579 = 1299 \bmod 2579.$$

2.5 Security of ElGamal Cryptosystem

In order to decrypt an ElGamal ciphertext, the private key $a$ is needed. The public key $(\alpha, \beta, p)$ and private key $a$ are related by $\beta = \alpha^a \bmod p$. This resembles the problem of taking a logarithm of a real number, i.e., finding $x$ such that $y = e^x$, and is referred to as the Discrete Logarithm Problem (DLP). Analogous to RSA and factorization, known attacks on ElGamal require solving the DLP. Since there are currently no efficient algorithms for solving DLP, ElGamal is believed to be secure.

3 Introduction to Key Distribution

Cryptographic primitives including encryption/decryption, message authentication, and digital signatures require the communicating parties Alice and Bob to agree on a shared secret key, or to obtain one another's valid public keys. Ensuring that Alice and Bob have valid cryptographic keys is the goal of key management, and today we focus on agreeing on a shared secret key over a public (insecure) channel.

4 Diffie-Hellman Key Exchange

One efficient and secure method to agree on a shared secret key over an insecure channel relies on public key cryptography, and it is referred to as the Diffie-Hellman key exchange. The Diffie-Hellman key exchange was proposed by Whitfield Diffie and Martin Hellman in 1976, and it was covered by U.S. patent 4,200,770, which has expired. The advantage of this approach is that symmetric key cryptosystems are typically much more efficient than public key cryptosystems.
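The key generation, encryption and decryption steps of Section 2, run on the numbers of Section 2.4, as an added example that is not part of the original lecture notes. The function names and the trial-division primitive-root test are choices made for this example, and the last function goes one step beyond the text to show why Bob needs a fresh $k$ per message: two ciphertexts that share $k$ let anyone who knows one plaintext compute the other.

```python
import secrets

def prime_factors(n):
    """Distinct prime factors of n by trial division (adequate for toy sizes)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def is_primitive_root(alpha, p):
    """alpha generates Z_p^* iff alpha^((p-1)/q) != 1 (mod p) for each prime q | p-1."""
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def keygen(p, alpha, a=None):
    """Return (PK, SK) = ((alpha, beta, p), a) with beta = alpha^a mod p."""
    if not is_primitive_root(alpha, p):
        raise ValueError("alpha is not a primitive root modulo p")
    if a is None:
        a = secrets.randbelow(p - 1) + 1          # 1 <= a <= p-1, as in Section 2.1
    return (alpha, pow(alpha, a, p), p), a

def encrypt(pk, x, k=None):
    """Return (Y1, Y2); k is drawn fresh unless fixed to reproduce an example."""
    alpha, beta, p = pk
    if not 1 <= x <= p - 1:
        raise ValueError("plaintext must lie in Z_p^*")
    if k is None:
        k = secrets.randbelow(p - 2) + 1          # 1 <= k <= p-2, as in Section 2.2
    return pow(alpha, k, p), (x * pow(beta, k, p)) % p

def decrypt(a, p, y1, y2):
    """x = Y2 * (Y1^a)^(-1) mod p; pow(v, -1, p) is the modular inverse (Python 3.8+)."""
    return (y2 * pow(pow(y1, a, p), -1, p)) % p

def plaintext_from_reused_k(p, known_ct, known_x, other_ct):
    """If two ciphertexts share Y1 they share k, so Y2'/Y2 = x'/x (mod p)."""
    (y1, y2), (z1, z2) = known_ct, other_ct
    if y1 != z1:
        return None                               # different k: nothing leaks this way
    return (z2 * pow(y2, -1, p) * known_x) % p

if __name__ == "__main__":
    pk, sk = keygen(2579, 2, a=765)               # Section 2.4 values
    ct = encrypt(pk, 1299, k=853)
    print(pk, ct, decrypt(sk, 2579, *ct))
    ct2 = encrypt(pk, 2000, k=853)                # constructed second message, same k
    print(plaintext_from_reused_k(2579, ct, 1299, ct2))
```
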

The Diffie-Hellman protocol consists of the following steps, which are illustrated in Figure 3:

1. Alice and Bob agree on a prime number $p$ and an integer $\alpha$, with $1 \le \alpha \le (p - 1)$, such that $\alpha$ is a primitive root of the set $\mathbb{Z}_p^* = \{1, 2, \ldots, p - 1\}$, i.e., any integer $z \in \mathbb{Z}_p^*$ can be expressed as $z = \alpha^w \pmod p$ for some integer $w$. Since $(\alpha, p)$ do not need to be secret, Alice and Bob can agree upon them in the clear. For example, Alice can post $(\alpha, p)$ in some public register, such as IETF RFC 5114, which provides several 1024-bit primes $p$, and corresponding integers $\alpha$.
2. Alice generates an integer $u_A$ with $1 \le u_A \le (p - 1)$. Alice computes $\beta_A = \alpha^{u_A} \pmod p$ and transmits $\beta_A$ to Bob.
3. Bob generates an integer $u_B$ with $1 \le u_B \le (p - 1)$. Bob computes $\beta_B = \alpha^{u_B} \pmod p$ and transmits $\beta_B$ to Alice.
4. Alice computes $K_{AB} = (\beta_B)^{u_A} = \alpha^{u_A u_B} \pmod p$. Bob computes $K_{AB} = (\beta_A)^{u_B} = \alpha^{u_A u_B} \pmod p$. Alice and Bob communicate using key $K_{AB}$.

[Figure: Alice sends $\alpha^a \pmod p$; Bob sends $\alpha^b \pmod p$; Alice holds $K_A = \alpha^{ab} \pmod p$ and Bob holds $K_B = \alpha^{ab} \pmod p$.]
Fig. 3. The Diffie-Hellman key exchange.

The main idea of the Diffie-Hellman protocol is that $K_{AB} = K_{BA} = \alpha^{ab}$, i.e., Alice and Bob can both compute the same key $K = K_{AB} = K_{BA}$:

$$K_A = (\beta_B)^{u_A} \equiv (\alpha^{u_B})^{u_A} \equiv \alpha^{u_A u_B} \equiv (\alpha^{u_A})^{u_B} \equiv (\beta_A)^{u_B} = K_B \pmod p.$$

Example: Let $p = 12987461$, $\alpha = 3606738$. Suppose that Alice selects $u_A = 357$ and computes:

$$\beta_A = \alpha^{u_A} \pmod p = 3606728^{357} \pmod{12987461} = 7317197.$$

Now, suppose that Bob selects $u_B = 199$ and computes $\beta_B = \alpha^{u_B} \pmod p = 138432$. Alice and Bob then compute a common key as:

$$K = \beta_A^{u_B} \pmod p = \beta_B^{u_A} \pmod p = 11829605.$$

4.1 Two Types of Diffie-Hellman Problems

We typically distinguish between two types of Diffie-Hellman problems:

- The computational Diffie-Hellman problem (CDH), and
- The decision Diffie-Hellman problem (DDH)

Computational Diffie-Hellman Problem (CDH): Let $p$ be a prime and let $\alpha$ be a corresponding primitive root (generator) of the set of integers coprime to $p$, $\mathbb{Z}_p^*$. Given two elements:

$$\beta_a = \alpha^a \pmod p, \qquad \beta_b = \alpha^b \pmod p$$

find an element $X$ such that:

$$X = \alpha^{ab} \pmod p \tag{7}$$

Decision Diffie-Hellman Problem (DDH): Let $p$ be a prime, and let $\alpha$ be a corresponding primitive root (generator) of the set of integers coprime to $p$, $\mathbb{Z}_p^*$. Given three elements, $\beta_a = \alpha^a \pmod p$, $\beta_b = \alpha^b \pmod p$, and $X$, determine if:

$$X = \alpha^{ab} \pmod p \tag{8}$$

Observe that if we can solve the CDH problem, then we can solve the DDH problem. Suppose that we are given $\beta_a$, $\beta_b$, and $X$. Suppose further that we have an algorithm that solves the CDH problem, so that given $\beta_a = \alpha^a \bmod p$ and $\beta_b = \alpha^b \bmod p$, the algorithm returns $Z = \alpha^{ab} \bmod p$. Then to solve DDH, we run the CDH algorithm, and then check to see if $Z = X$. We say that (solving) the DDH problem reduces to (solving) the CDH problem.

Furthermore, if we can solve the discrete logarithm problem (DLP), then we can readily solve CDH (and hence DDH). Suppose that we are given $\beta_a$ and $\beta_b$. Given an algorithm for solving DLP, we run the algorithm on $\beta_a$ and $\beta_b$ to obtain $a$ and $b$ satisfying $\beta_a = \alpha^a \bmod p$ and $\beta_b = \alpha^b \bmod p$. We then compute $ab$ and set $X = \alpha^{ab} \bmod p$. We say that (solving) the DDH reduces to (solving) DLP. Hence, solving the DDH problem implies that one can solve the CDH problem, which in turn implies that one can solve the DLP problem.

4.2 Security of Diffie-Hellman Key Exchange

The security of the Diffie-Hellman key exchange is based on the computational difficulty of solving the Diffie-Hellman problem: let's assume that an attacker Eve wants to compute $K = \alpha^{ab}$, based on knowing $\beta_a$ and $\beta_b$, but without knowing $a$ or $b$. This is the definition of the CDH problem. Currently, with the right choices of $(\alpha, p)$, no efficient algorithm for solving this problem is known, and hence the Diffie-Hellman key exchange is believed to be secure.
Man-in-the-Middle Attack against the Diffie-Hellman Key Exchange: The difficulty of solving CDH implies that a passive eavesdropper cannot compute the secret key determined by the Diffie-Hellman key distribution scheme. Note, however, that the Diffie-Hellman scheme alone does not give Alice a method for verifying that she is agreeing on a key with Bob, instead of a third party pretending to be Bob (and, similarly, Bob has no way to verify that he is talking to Alice). This leaves the Diffie-Hellman key agreement scheme vulnerable to a man-in-the-middle attack by an active attacker who is capable of exchanging messages with Alice and Bob.

The man-in-the-middle attack is shown in Figure 4, where Eve initiates two runs of the DH key agreement protocol, one with Alice and another with Bob. Alice and Bob then complete the respective protocol runs by returning their shares to Eve, thus establishing shared keys with Eve.

The result of the man-in-the-middle attack is that both Alice and Bob think that they have agreed on keys with each other, but in fact both have agreed on keys with Eve. Any message that is encrypted using the shared keys will then be readable by Eve. If we can build an authentication mechanism so that Alice and Bob can be sure that they are indeed talking to Bob and Alice respectively, then the man-in-the-middle attack can be thwarted.

Sources for Today's Lecture:

1. Douglas R. Stinson, Cryptography, Theory and Practice, 3rd edition. CRC Press, 2005, p. 233-246 and 393-453.
2. Wade Trappe and Lawrence C. Washington, Introduction to Cryptography with Coding Theory. Prentice Hall, 2002, p. 165-175 and 236-246.
3. Charlie Kaufman, Radia Perlman, and Mike Speciner, Network Security: Private Communication in Public World, 2nd Edition. Prentice Hall, 2002, p. 147-165 and 307-365 and 371-401.

[Figure: Alice, Eve and Bob; Eve runs one exchange with Alice and another with Bob.]
Fig. 4. The man-in-the-middle attack against the Diffie-Hellman key exchange.
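The exchange of Fig. 4 and the closing remark of Section 4.2 about authentication, as an added example that is not part of the original lecture notes. It reuses the toy group $p = 2579$, $\alpha = 2$ from Section 2.4 and assumes, as the authentication mechanism, an HMAC under a key Alice and Bob already share, standing in for the signatures or certificates a deployed protocol would use; all function names and the sample key are constructed for this example.

```python
import hashlib
import hmac

P, ALPHA = 2579, 2      # toy group; deployed groups use primes of thousands of bits

def share(u):
    """beta = alpha^u mod p, the value sent over the insecure channel."""
    return pow(ALPHA, u, P)

def session_key(peer_share, u):
    """K = (peer's beta)^u mod p."""
    return pow(peer_share, u, P)

def tag(auth_key, sender, beta):
    """Bind a share to its sender's name (assumed mechanism: HMAC-SHA256)."""
    return hmac.new(auth_key, f"{sender}|{beta}".encode(), hashlib.sha256).digest()

def accept(auth_key, sender, beta, t):
    """Constant-time check that the tag matches this sender and this share."""
    return hmac.compare_digest(t, tag(auth_key, sender, beta))

def exchange(u_a, u_b, auth_key, eve=None, verify=True):
    """One protocol run; returns (K held by Alice, K held by Bob).

    eve=(a', b') replaces both shares in transit as in Fig. 4. Eve lacks
    auth_key, so the original tags travel on with her substituted shares.
    A side that rejects its peer's share derives no key (None).
    """
    to_bob = (share(u_a), tag(auth_key, "alice", share(u_a)))
    to_alice = (share(u_b), tag(auth_key, "bob", share(u_b)))
    if eve is not None:
        a_prime, b_prime = eve
        to_bob = (share(a_prime), to_bob[1])
        to_alice = (share(b_prime), to_alice[1])
    alice_ok = not verify or accept(auth_key, "bob", *to_alice)
    bob_ok = not verify or accept(auth_key, "alice", *to_bob)
    k_alice = session_key(to_alice[0], u_a) if alice_ok else None
    k_bob = session_key(to_bob[0], u_b) if bob_ok else None
    return k_alice, k_bob

if __name__ == "__main__":
    psk = b"constructed-demo-key"                 # constructed sample value
    print("honest, no auth:     ", exchange(765, 853, psk, verify=False))
    print("intercepted, no auth:", exchange(765, 853, psk, eve=(2, 4), verify=False))
    print("intercepted, auth:   ", exchange(765, 853, psk, eve=(2, 4)))
    print("honest, auth:        ", exchange(765, 853, psk))
```

Without verification the intercepted run leaves Alice and Bob holding two different keys, each shared with Eve rather than with each other; with verification both sides reject the substituted shares and derive nothing.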