Public Key Cryptography

Similar documents
Overview of Public-Key Cryptography

Public Key Cryptography and RSA. Review: Number Theory Basics

RSA Encryption. Tom Davis October 10, 2003

Cryptography and Network Security Chapter 9

Public Key Cryptography: RSA and Lots of Number Theory

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

SECURITY IN NETWORKS

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Notes on Network Security Prof. Hemant K. Soni

Cryptography and Network Security

Software Tool for Implementing RSA Algorithm

Public Key (asymmetric) Cryptography

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Elements of Applied Cryptography Public key encryption

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

The application of prime numbers to RSA encryption

Cryptography and Network Security

Advanced Cryptography

Lukasz Pater CMMS Administrator and Developer

CSCE 465 Computer & Network Security

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CRYPTOGRAPHY IN NETWORK SECURITY

Network Security. HIT Shimrit Tzur-David

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Symmetric Key cryptosystem

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

RSA Attacks. By Abdulaziz Alrasheed and Fatima

The Mathematics of the RSA Public-Key Cryptosystem

Introduction to Cryptography CS 355

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

An Introduction to the RSA Encryption Method

1 Domain Extension for MACs

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

CIS 5371 Cryptography. 8. Encryption --

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

7! Cryptographic Techniques! A Brief Introduction

CS 758: Cryptography / Network Security

Applied Cryptography Public Key Algorithms

Shor s algorithm and secret sharing

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

SFWR ENG 4C03 - Computer Networks & Computer Security

Introduction to Computer Security

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Introduction. Digital Signature

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Authentication, digital signatures, PRNG

Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information

Chapter 7: Network security

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

Computer Security: Principles and Practice

1 Signatures vs. MACs

Network Security. Chapter 2 Basics 2.2 Public Key Cryptography. Public Key Cryptography. Public Key Cryptography

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

Symmetric Mechanisms for Authentication in IDRP

Lecture 9: Application of Cryptography

Table of Contents. Bibliografische Informationen digitalisiert durch

Computing exponents modulo a number: Repeated squaring

Digital Signatures. Meka N.L.Sneha. Indiana State University. October 2015

Basic Algorithms In Computer Algebra

Message Authentication Codes

A Proposal for Authenticated Key Recovery System 1

How To Know If A Message Is From A Person Or A Machine

RSA and Primality Testing

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

Improved Online/Offline Signature Schemes

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

Lecture 3: One-Way Encryption, RSA Example

The science of encryption: prime numbers and mod n arithmetic

Mathematical Model Based Total Security System with Qualitative and Quantitative Data of Human

Lecture 6 - Cryptography

Cryptographic Hash Functions Message Authentication Digital Signatures

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Digital Signature

Module: Applied Cryptography. Professor Patrick McDaniel Fall CSE543 - Introduction to Computer and Network Security

What is network security?

Network Security. Omer Rana

Digital signatures. Informal properties

Digital Signatures. Prof. Zeph Grunschlag

Getting the most from Apple Mail

CSCI-E46: Applied Network Security. Class 1: Introduction Cryptography Primer 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING

CS549: Cryptography and Network Security

Practice Questions. CS161 Computer Security, Fall 2008

CS 348: Computer Networks. - Security; 30 th - 31 st Oct Instructor: Sridhar Iyer IIT Bombay

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

Outline. Digital signature. Symmetric-key Cryptography. Caesar cipher. Cryptography basics Digital signature

Index Calculation Attacks on RSA Signature and Encryption

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc Theoretical Computer Science Konstantinos Vamvourellis

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Strong Encryption for Public Key Management through SSL

Schnorr Signcryption. Combining public key encryption with Schnorr digital signature. Laura Savu, University of Bucharest, Romania

Cryptography: Motivation. Data Structures and Algorithms Cryptography. Secret Writing Methods. Many areas have sensitive information, e.g.

Computer and Network Security. Alberto Marchetti Spaccamela

Transcription:

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Public Key Cryptography EECE 412 1 EECE_412-05-public_crypto.key - October 2, 2014

What is it? Two keys Sender uses recipient s public key to encrypt Receiver uses his private key to decrypt Based on trap door, one way function Easy to compute in one direction Hard to compute in other direction Trap door used to create keys Example: Given p and q, product N=pq is easy to compute, but given N, it is hard to find p and q 2 EECE_412-05-public_crypto.key - October 2, 2014

How is it used? Encryption Suppose we encrypt M with Bob s public key Only Bob s private key can decrypt to find M Digital Signature Sign by encrypting with private key Anyone can verify signature by decrypting with public key But only private key holder could have signed Like a handwritten signature 3 EECE_412-05-public_crypto.key - October 2, 2014

Topic Outline The Random Oracle model for Public Key Cryptosystems Public key encryption and trapdoor oneway permutations Digital signatures Looking under the hood Knapsack RSA Uses of Public Crypto The order of sign and encrypt 4 EECE_412-05-public_crypto.key - October 2, 2014

Public Key Encryption and Trap-door One-Way Permutation as Random Oracle Public Key Encryption Scheme: Key pair (KR, KR -1 ) generation function from random string R KR KR -1 is infeasible C = {M} KR M = {C} KR -1!! Queries Responses H(K 1 ) K 1 H(K 2 ) K2 In: fixed size short string (plaintext) M, Key KR Out: fixed size short string (ciphertext) C 5 EECE_412-05-public_crypto.key - October 2, 2014

Digital Signature as Random Oracle Public Key Signature Scheme: Key pair (σr, VR) generation function VR σr is infeasible S = Sig σr (M) {True, False} = Ver VR (S) Signing Queries Responses Verifying H(K 1 ) K 1 H(K 2 ) K2 Input Any string M + σr S + VR Output S = hash(m) cipher block True or False 6 EECE_412-05-public_crypto.key - October 2, 2014

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Looking Under the Hood 7 EECE_412-05-public_crypto.key - October 2, 2014

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Knapsack Cryptosystem 8 EECE_412-05-public_crypto.key - October 2, 2014

Knapsack Problem Given a set of n weights W 0,W 1,...,W n-1 possible to find a i {0,1} so that and a sum S, is it S = a 0 W 0 +a 1 W 1 +...+ a n-1 W n-1 (technically, this is subset sum problem) Example Weights (62,93,26,52,166,48,91,141) Problem: Find subset that sums to S=302 Answer: 62+26+166+48=302 The (general) knapsack is NP-complete 9 EECE_412-05-public_crypto.key - October 2, 2014

Knapsack Problem General knapsack (GK) is hard to solve But super-increasing knapsack (SIK) is easy SIK: each weight greater than the sum of all previous weights SIK Example Weights (2,3,7,14,30,57,120,251) Problem: Find subset that sums to S=186 Work from largest to smallest weight Answer: 120+57+7+2=186 10 EECE_412-05-public_crypto.key - October 2, 2014

Knapsack Cryptosystem 1. Generate super-increasing knapsack (SIK) 2. Convert SIK into general knapsack (GK) 3. Public Key: GK 4. Private Key: SIK plus conversion factors Easy to encrypt with GK With private key, easy to decrypt (convert ciphertext to SIK) Without private key, must solve GK (???) 11 EECE_412-05-public_crypto.key - October 2, 2014

Knapsack Cryptosystem Let (2,3,7,14,30,57,120,251) be the SIK Choose m = 41 and n = 491 with m, n relatively prime and n greater than sum of elements of SIK General knapsack (2 41) mod 491 = 82 3 41 mod 491 = 123 7 41 mod 491 = 287 14 41 mod 491 = 83 30 41 mod 491 = 248 57 41 mod 491 = 373 120 41 mod 491 = 10 251 41 mod 491 = 471 General knapsack: (82,123,287,83,248,373,10,471) 12 EECE_412-05-public_crypto.key - October 2, 2014

Knapsack Example Private key: (2,3,7,14,30,57,120,251), n = 491, m -1 =12 m 1 mod n = 41 1 mod 491 = 12 (x 1 x) mod n = 1 mod n Public key: (82,123,287,83,248,373,10,471) Throw away: m = 41 Example: Encrypt 150 = 10010110 82 + 83 + 373 + 10 = 548 = C To decrypt, (C m 1 ) mod n = (548 12) mod 491 = 193 mod 491 Solve (easy) SIK with S = 193 Obtain plaintext 10010110 = 150 13 EECE_412-05-public_crypto.key - October 2, 2014

Knapsack Weakness Trapdoor: Convert SIK into general knapsack using modular arithmetic One-way: General knapsack easy to encrypt, hard to solve; SIK easy to solve This knapsack cryptosystem is insecure Broken by Shamir in 1983 with Apple II computer The attack uses lattice reduction General knapsack is not general enough! This special knapsack is easy to solve! 14 EECE_412-05-public_crypto.key - October 2, 2014

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A RSA Cocks (GCHQ), independently, by Rivest, Shamir and Adleman (MIT)! 15 EECE_412-05-public_crypto.key - October 2, 2014

Rivest, Shamir, and Adleman 1978 2003 16 EECE_412-05-public_crypto.key - October 2, 2014

basics Let p and q be two large (e.g., 200 digits) prime numbers use probabilistic primality tests to find p & q quickly Let n = p q be the modulus Factoring n is supposed to be hard (i.e., billions of years) e relatively prime to (p-1)(q-1) -- encryption exponent d = e -1 mod (p-1)(q-1) -- decryption exponent Throw Away: p, q Public key: (n, e) Private key: d Notation: public is in cyan, secret is in red 17 EECE_412-05-public_crypto.key - October 2, 2014

encrypting & decrypting To encrypt message M compute C = M e mod n -- fast with modular exponentiation To decrypt C compute M = C d mod n Recall that e and n are public If attacker can factor n, he can use e to easily find d since ed = 1 mod (p 1)(q 1) Factoring the modulus breaks RSA It is not known whether factoring is the only way to break RSA 18 EECE_412-05-public_crypto.key - October 2, 2014

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A RSA in the works 19 EECE_412-05-public_crypto.key - October 2, 2014

simple RSA example: initialization Select large primes p = 43, q = 59 Then n = p q = 2537 and (p 1)(q 1) = 2436 Choose e = 13 (relatively prime to 2436) Find d such that ed = 1 mod (p 1)(q 1), we find that d = 937 works note: d exists because gcd(e, (p-1)(q-1)) = 1 Public key: (N, e) = (2537, 13) Private key: d = 937 20 EECE_412-05-public_crypto.key - October 2, 2014

simple RSA example: encryption plain text: M = STOP = (18 19, 14 15) ciphertext: C = M e mod n = (1819 13 mod 2537, 1415 13 mod 2537) = 20 81 21 82 = UDVE fast modular exponentiation 21 EECE_412-05-public_crypto.key - October 2, 2014

simple RSA example: decryption ed = 1 mod (p 1)(q 1) k s.t. ed = k(p-1)(q-1)+1 C d (M e ) d = M de = M 1+ k(p-1)(q-1) (mod n) M p-1 1 mod p and M q-1 1 mod q by Fermat s Little Theorem: If p is prime and a is an integer not divisible by p, then a p-1 1 mod p. Furthermore a p a mod p C d M ((M p-1 ) k(q-1) ) mod p M 1 mod p M mod p C d M ((M q-1 ) k(p-1) ) mod p M 1 mod p M mod q Because gcd(p,q) =1, C d M mod p q by Chinese Remainder Theorem 22 EECE_412-05-public_crypto.key - October 2, 2014

simple RSA example: decryption Decrypt message 0981 0461 M C d mod p q 0981 937 mod 2537 = 0704 = HE 0461 937 mod 2537 = 1115 = LP HELP 23 EECE_412-05-public_crypto.key - October 2, 2014

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Uses for Public Key Crypto 24 EECE_412-05-public_crypto.key - October 2, 2014

Uses for Public Key Crypto Confidentiality Transmitting data over insecure channel Secure storage on insecure media Authentication Digital signature provides integrity and nonrepudiation No non-repudiation with symmetric keys 25 EECE_412-05-public_crypto.key - October 2, 2014

Non-non-repudiation Alice orders 100 shares of stock from Bob Alice computes MAC using symmetric key Stock drops, Alice claims she did not order Can Bob prove that Alice placed the order? No! Since Bob also knows symmetric key, he could have forged message Problem: Bob knows Alice placed the order, but he can t prove it 26 EECE_412-05-public_crypto.key - October 2, 2014

Non-repudiation Alice orders 100 shares of stock from Bob Alice signs order with her private key Stock drops, Alice claims she did not order Can Bob prove that Alice placed the order? Yes! Only someone with Alice s private key could have signed the order This assumes Alice s private key is not stolen (revocation problem) 27 EECE_412-05-public_crypto.key - October 2, 2014

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Sign and Encrypt vs Encrypt and Sign 28 EECE_412-05-public_crypto.key - October 2, 2014

Public Key Notation Sign message M with Alice s private key: [M] Alice Encrypt message M with Alice s public key: {M} Alice Then {[M] Alice } Alice = M [{M} Alice ] Alice = M 29 EECE_412-05-public_crypto.key - October 2, 2014

Confidentiality and Non-repudiation Suppose that we want confidentiality and nonrepudiation Can public key crypto achieve both? Alice sends message to Bob Sign and encrypt {[M] Alice } Bob Encrypt and sign [{M} Bob ] Alice Can the order possibly matter? (see Stamp) 30 EECE_412-05-public_crypto.key - October 2, 2014

Sign and Encrypt M = I love you {[M] Alice } Bob {[M] Alice } Charlie Alice Bob Q: What is the problem? A: Charlie misunderstands crypto! Charlie 31 EECE_412-05-public_crypto.key - October 2, 2014

Encrypt and Sign M = My theory, which is mine, is this:. [{M} Bob ] Alice [{M} Bob ] Charlie Alice Charlie Note that Charlie cannot decrypt M Q: What is the problem? A: Bob misunderstands crypto! Bob 32 32 EECE_412-05-public_crypto.key - October 2, 2014

Summary The Random Oracle model for Public Key Cryptosystems Public key encryption and trapdoor one-way permutations Digital signatures Looking under the hood Knapsack RSA Uses of Public Crypto The order of sign and encrypt 33 EECE_412-05-public_crypto.key - October 2, 2014

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information