B. Tech.
Information Technology
By
Dr. G.N. Vivekananda
Associate Professor
SCORE, VIT, Vellore
Text Books:
• William Stallings, “Cryptography and Network Security: Principles and Practice”, 2020, 8th Edition, Pearson Publishers.
• Michael E. Whitman and Herbert J. Mattord, “Principles of Information Security”, 2017, 6th Edition, Course Technology Inc.
BITE401L Network and Information Security
Module 2
Module II: Public Key Cryptography
Contents
● Need and Principles of Public Key Cryptosystems
● RSA Algorithm
● El Gamal Cryptographic System
● Elliptic Curve Cryptography
● Public Key Distribution and Management
● Diffie-Hellman Key Exchange
Need and Principles of Public Key Cryptosystems
• Public-Key Cryptosystems
• Applications for Public-Key Cryptosystems
• Requirements for Public-Key Cryptography
• Public-Key Cryptanalysis
Figure: Symmetric key encryption. Plaintext input X is encrypted with an encryption algorithm (e.g. AES) under a secret key K shared by sender and recipient, giving the transmitted ciphertext Y = E(K, X); the decryption algorithm (the reverse of the encryption algorithm) recovers the plaintext output X from Y using the same K.

Figure: Asymmetric key encryption with public key (Bob sends to Alice). Bob’s public key ring holds the public keys of Alice, Ted, Mike and Joy. Bob encrypts plaintext X with Alice’s public key PUa using an encryption algorithm (e.g. RSA), giving the transmitted ciphertext Y = E(PUa, X); Alice decrypts with her private key PRa to recover X.
• The entire encrypted message provides confidentiality.

Figure: Asymmetric key encryption with private key (Bob sends to Alice). Alice’s public key ring holds the public keys of Bob, Ted, Mike and Joy. Bob encrypts plaintext X with his private key PRb, giving the transmitted ciphertext Y = E(PRb, X); Alice decrypts with Bob’s public key PUb to recover X.
• The entire encrypted message serves as a digital signature.

Figure: Authentication and confidentiality. Source A encrypts message X first with its private key PRa (giving Y) and then with B’s public key PUb (giving Z); destination B decrypts Z with its private key PRb (giving Y) and then with A’s public key PUa to recover X. Each side’s keys come from its own key pair source.
Z = E(PUb, E(PRa, X))
X = D(PUa, D(PRb, Z))
Principles of public-key cryptosystems
Symmetric encryption has two difficult problems.
• Key distribution problem
  • Symmetric encryption requires either
    • that two communicants already share a key, or
    • the use of a key distribution center (KDC).
  • If the KDC is compromised, …
• Hard to use for “digital signatures”
Public-Key Cryptosystems
Public-key algorithms use two separate keys.
• Public key and private key
• It is computationally infeasible to determine the private key given only knowledge of the cryptographic algorithm and the public key.
• Normally, the public key is used for encryption and the private key is used for decryption.
• In some algorithms such as RSA, either of the two keys can be used for encryption, with the other used for decryption.
Public-Key Cryptosystems
A public-key encryption scheme has six ingredients.
• Plaintext
• Encryption algorithm
• Ciphertext
• Decryption algorithm
• Public and private key
  • One is for encryption and the other is for decryption.
Public-Key Cryptosystems
The use of public-key encryption
• Each user generates his/her public and private keys.
• Each user places the public key in a public register and keeps the private key secret.
• If Bob wants to send a message to Alice, Bob encrypts the message using Alice’s public key.
• Alice decrypts the ciphertext using her private key.
Public-Key Cryptosystems
Figure: The use of public-key encryption. (Bob sends a message to Alice.)
Figure: A public-key encryption scheme: secrecy
Figure: The use of public-key encryption to provide authentication.
Figure: A public-key encryption scheme: authentication
Figure: A public-key encryption scheme: secrecy and authentication
Applications for Public-Key Cryptosystems
The use of public-key cryptosystems
• Encryption/decryption (provides secrecy)
• Digital signatures (provide authentication)
• Key exchange (of session keys)
Some algorithms are suitable for all applications; others can be used only for one or two.
Requirements for Public-Key Cryptography
Diffie and Hellman laid out the conditions that such algorithms must fulfill when A sends a message to B.
1. It is easy for B to generate his/her public and private key.
2. It is easy for A to encrypt a message M using B’s public key.
   C = E_{KUb}(M)
3. It is easy for B to decrypt the ciphertext using B’s private key.
   M = D_{KRb}(C) = D_{KRb}[E_{KUb}(M)]
Requirements for Public-Key Cryptography
4. It is infeasible for an opponent, knowing the public key, KUb, to determine the private key, KRb.
5. It is infeasible for an opponent, knowing the public key, KUb, and a ciphertext, C, to recover the original message, M.
6. (Optional) The encryption and decryption functions can be applied in either order.
   M = D_{KUb}[E_{KRb}(M)] = D_{KRb}[E_{KUb}(M)]
Requirements for Public-Key Cryptography
These requirements are hard to achieve, so only two algorithms (RSA, elliptic curve cryptography) have received widespread acceptance.
Why are the requirements so formidable?
• The requirements need a trap-door one-way function.
Requirements for Public-Key Cryptography
One-way function
• A one-to-one function such that
  • the calculation of the function is easy,
  • but the calculation of the inverse is infeasible.
Easy
• A problem can be solved in polynomial time.
Infeasible
• It is hard to invert the function for virtually all inputs, not just for the worst case or even the average case.
Y = f(X)        easy
X = f^(-1)(Y)   infeasible
Requirements for Public-Key Cryptography
Trap-door one-way function
• Easy to calculate in one direction and infeasible to calculate in the other direction unless certain additional information is known.
• Thus, the development of a practical public-key scheme depends on the discovery of a suitable trap-door one-way function.
Y = f_k(X)          easy, if k and X are known
X = f_k^(-1)(Y)     easy, if k and Y are known
X = f_k^(-1)(Y)     infeasible, if Y is known but k is not known
Public-Key Cryptanalysis
Brute-force attacks for private keys
• Countermeasure: use large keys
  • The key size must be large enough to make a brute-force attack impractical but small enough for practical encryption and decryption.
Computing the private key given the public key
• No algorithms are proven safe from this attack.
Public-Key Cryptanalysis
A probable-message attack
• Suppose that a message were a 56-bit DES key.
  • An opponent could encrypt all possible keys using the public key.
  • He could then recover any such message by matching the results against the transmitted ciphertext.
• Countermeasure
  • Large key size (?)
  • Append some random bits to messages.
Applications for Public-Key Cryptosystems
• Encryption/decryption: The sender encrypts a message with the recipient’s public key.
• Digital signature: The sender “signs” a message with its private key. Signing is achieved by a cryptographic algorithm applied to the message or to a small block of data that is a function of the message.
• Key exchange: Two sides cooperate to exchange a session key. Several different approaches are possible, involving the private key(s) of one or both parties.
RSA Algorithm
• Description of the Algorithm
• The Security of RSA
The RSA Algorithm
Developed in 1977 by Rivest, Shamir, and Adleman at MIT.
The RSA scheme is a block cipher in which the plaintext / ciphertext are integers between 0 and n – 1 for some n.
A typical size for n is 1024 bits, or 309 decimal digits.
• n = pq
Description of the RSA Algorithm
Plaintext is encrypted in blocks.
• Each block has a binary value less than some number n.
• That is, the block size must be less than or equal to log2(n).
• The block size is k bits, where 2^k < n ≤ 2^(k+1).
Description of the RSA Algorithm
Encryption/Decryption
• M : plaintext block
• C : ciphertext block
• public key: {e, n}
• private key: {d, n}
C = M^e mod n
M = C^d mod n = (M^e)^d mod n = M^(ed) mod n
Requirements for Public-Key Cryptography
Diffie and Hellman’s requirements
1. It is easy for B to generate his/her public and private key.
   • It should be easy for B to find values of e, d, and n.
2. It is easy for A to encrypt a message M using B’s public key.
   • It should be easy to calculate M^e mod n.
3. It is easy for B to decrypt the ciphertext using B’s private key.
   • It should be easy to calculate C^d mod n.
4. It is infeasible for an opponent, knowing the public key, KUb, to determine the private key, KRb.
   • It is infeasible to determine d given e and n.
5. It is infeasible for an opponent, knowing the public key, KUb, and a ciphertext, C, to recover the original message, M.
6. (Optional) The encryption and decryption functions can be applied in either order.
Description of the RSA Algorithm
First requirement
• It should be easy to find values of e, d, n such that
  M^(ed) mod n = M   for all M < n.
Description of the RSA Algorithm
A corollary to Euler’s theorem
• Given two prime numbers, p and q, and two integers, n and m, such that n = pq and 0 < m < n, and an arbitrary integer k,
  m^(kΦ(n)+1) = m^(k(p–1)(q–1)+1) ≡ m (mod n)
  where Φ(n) is the Euler totient function, which is the number of positive integers less than n and relatively prime to n.
Description of the RSA Algorithm
If we select e and d such that
  ed = kΦ(n) + 1
they satisfy
  M^(ed) mod n = M.
The condition
  ed ≡ 1 (mod Φ(n))
is equivalent to saying
  d ≡ e^(–1) (mod Φ(n))
According to the rules of modular arithmetic, this is true only if e (and therefore d) is relatively prime to Φ(n):
  gcd(Φ(n), e) = 1
Description of the RSA Algorithm
RSA’s ingredients
The public key consists of {e, n} and the private key consists of {d, n}.
p, q, two prime numbers                   (private, chosen)
n = pq                                    (public, calculated)
e, with gcd(Φ(n), e) = 1, 1 < e < Φ(n)    (public, chosen)
d ≡ e^(–1) (mod Φ(n))                     (private, calculated)
Description of the RSA Algorithm
RSA’s scheme
• Suppose user B wishes to send the message M to A.
• User A has published its public key, KU = {e, n}.
• B calculates C = M^e (mod n) and transmits C.
• Then, user A decrypts by calculating M = C^d (mod n), using KR = {d, n}.
Description of the RSA Algorithm
RSA algorithm (example): generating the keys
• Select two prime numbers, p = 17 and q = 11.
• Calculate n = pq = 17 × 11 = 187.
• Calculate Φ(n) = (p – 1)(q – 1) = 16 × 10 = 160.
• Select e = 7 (e is relatively prime to Φ(n)).
• Determine d such that de ≡ 1 (mod 160) (using the extended Euclidean algorithm).
  • d = 23
Description of the RSA Algorithm
RSA algorithm (example): encryption and decryption with PU = {7, 187}, PR = {23, 187} and plaintext M = 88
Encryption: 88^7 mod 187 = 11
  88^7 mod 187 = [(88^4 mod 187) × (88^2 mod 187) × (88^1 mod 187)] mod 187
  88^1 mod 187 = 88
  88^2 mod 187 = 7744 mod 187 = 77
  88^4 mod 187 = 59,969,536 mod 187 = 132
  88^7 mod 187 = (88 × 77 × 132) mod 187 = 894,432 mod 187 = 11
Decryption: 11^23 mod 187 = 88
  11^23 mod 187 = [(11^1 mod 187) × (11^2 mod 187) × (11^4 mod 187) × (11^8 mod 187) × (11^8 mod 187)] mod 187
  11^1 mod 187 = 11
  11^2 mod 187 = 121
  11^4 mod 187 = 14,641 mod 187 = 55
  11^8 mod 187 = 214,358,881 mod 187 = 33
  11^23 mod 187 = (11 × 121 × 55 × 33 × 33) mod 187 = 79,720,245 mod 187 = 88
The Security of RSA
Three possible approaches to attacking RSA.
• Brute force
• Mathematical attacks
• Timing attacks
Brute force
• trying all possible private keys
• Countermeasure: use a large key space.
The Security of RSA
Mathematical attacks
• Factor n into its two prime factors. This enables calculation of Φ(n) and determination of d.
• Determine Φ(n) directly, without first determining p and q. This enables determination of d.
  • This is equivalent to factoring n.
• Determine d directly, without first determining Φ(n).
  • With presently known algorithms, this appears to be at least as time-consuming as the factoring problem.
The Security of RSA
• Cryptanalysis of RSA has focused on the task of factoring n into its two prime factors.
The Security of RSA
To avoid values of n that may be factored more easily, the algorithm’s inventors suggest constraints on p and q.
• p and q should differ in length by only a few digits.
• Both (p – 1) and (q – 1) should contain a large prime factor.
• gcd(p – 1, q – 1) should be small.
In addition, it has been demonstrated that if e < n and d < n^(1/4), then d can be easily determined.
RSA Algorithm
• RSA is a block cipher in which the plaintext and ciphertext are represented as integers between 0 and n-1 for some n.
• Large messages can be broken up into a number of blocks.
• Each block would then be represented by an integer.
Step-1: Generate Public key and Private key
Step-2: Encrypt message using Public key
Step-3: Decrypt message using Private key
Step-1: Generate Public key and Private key
• Select two large prime numbers: p and q
• Calculate modulus: n = p * q
• Calculate Euler’s totient function: φ(n) = (p-1) * (q-1)
• Select e such that e is relatively prime to φ(n) and 1 < e < φ(n)
• Determine d such that d * e ≡ 1 (mod φ(n))
• Public key: PU = { e, n }
• Private key: PR = { d, n }
Two numbers are relatively prime if they have no common factors other than 1.
Step-1: Generate Public key and Private key
• Select two large prime numbers: p = 3 and q = 11
• Calculate modulus: n = p * q, n = 33
• Calculate Euler’s totient function: φ(n) = (p-1) * (q-1)
  φ(n) = (3 – 1) * (11 – 1) = 20
• Select e such that e is relatively prime to φ(n) and 1 < e < φ(n)
  • We have several choices for e: 7, 11, 13, 17, 19. Let’s take e = 7
• Determine d such that d * e ≡ 1 (mod φ(n))
  • ? * 7 ≡ 1 (mod 20), 3 * 7 ≡ 1 (mod 20)
• Public key: PU = { e, n }, PU = { 7, 33 }
• Private key: PR = { d, n }, PR = { 3, 33 }
• This is equivalent to finding d which satisfies de = 1 + j.φ(n) where j is any integer.
• We can rewrite this as d = (1 + j.φ(n)) / e
Step-2: Encrypt Message
• Encryption using public key: C = M^e mod n
Figure: the ciphertext is computed from the input message and the public key PU = { e, n } = { 7, 33 }.
For message M = 14
  C = 14^7 mod 33
  C = [(14^1 mod 33) × (14^2 mod 33) × (14^4 mod 33)] mod 33
  C = (14 × 31 × 4) mod 33 = 1736 mod 33
  C = 20
Step-3: Decrypt Message
• Decryption using private key: M = C^d mod n
Figure: the plaintext message is recovered from the cipher message and the private key PR = { d, n } = { 3, 33 }.
For ciphertext C = 20
  M = 20^3 mod 33
  M = [(20^1 mod 33) × (20^2 mod 33)] mod 33
  M = (20 × 4) mod 33 = 80 mod 33
  M = 14
Example RSA Algorithm
Figure: plaintext 14 is encrypted with PU = {7, 33} as 14^7 mod 33 = 20; the ciphertext 20 is decrypted with PR = {3, 33} as 20^3 mod 33 = 14.
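The three steps above, as an added example written for this page (it is not code from the slides or the textbooks). It implements key generation with the extended Euclidean algorithm, and encryption and decryption with square-and-multiply, which is the decomposition 14^7 = 14^4 × 14^2 × 14^1 used in the worked example. The only inputs it assumes are the tiny primes from the slides (p = 17, q = 11 and p = 3, q = 11); real keys use primes of 1024 bits or more and a padding scheme, both deliberately omitted here.

```python
# Added example: textbook RSA following Step-1/2/3 above. Tiny primes from the
# slides only; no padding, so this is teaching code, not a usable cipher.
from math import gcd


def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x1, y1 = egcd(b, a % b)
    return g, y1, x1 - (a // b) * y1


def modinv(e, phi):
    """d such that d*e ≡ 1 (mod phi); raises if e is not relatively prime to phi."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError(f"{e} is not relatively prime to {phi}")
    return x % phi


def modexp(base, exp, n):
    """Square-and-multiply: multiplies together base^(2^i) for the set bits of exp,
    exactly the 88^7 = 88^4 * 88^2 * 88^1 decomposition in the slide example."""
    result = 1
    base %= n
    while exp:
        if exp & 1:               # this bit of the exponent is set: multiply in base^(2^i)
            result = (result * base) % n
        base = (base * base) % n  # next power: base^(2^(i+1))
        exp >>= 1
    return result


def generate_keys(p, q, e):
    """Step-1: returns (PU, PR) = ((e, n), (d, n)). p and q are assumed prime."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = modinv(e, phi)
    return (e, n), (d, n)


def encrypt(pu, m):
    """Step-2: C = M^e mod n. The block M must be an integer in 0 .. n-1."""
    e, n = pu
    if not 0 <= m < n:
        raise ValueError("plaintext block must be in range 0 .. n-1")
    return modexp(m, e, n)


def decrypt(pr, c):
    """Step-3: M = C^d mod n."""
    d, n = pr
    return modexp(c, d, n)


if __name__ == "__main__":
    pu, pr = generate_keys(17, 11, 7)      # slides: n = 187, phi = 160, d = 23
    c = encrypt(pu, 88)
    print(pu, pr, c, decrypt(pr, c))       # (7, 187) (23, 187) 11 88
```

Running it with the other key sets from the slides (p = 3, q = 11, e = 7; p = 7, q = 19, e = 5; p = 7, q = 17, e = 5) reproduces d = 3, 65 and 77 and the ciphertexts 20, 62 and 40 shown in the examples. Note that `encrypt` is deterministic: the same block always gives the same ciphertext, which is why the probable-message attack discussed earlier applies to textbook RSA and why real schemes append random bits before encrypting.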
RSA Example
• Find n, φ(n), e, d for p = 7 and q = 19, then demonstrate encryption and decryption for M = 6
n = p * q = 7 * 19 = 133
φ(n) = (p – 1) * (q – 1) = 108
Finding e relatively prime to 108
  e = 2 => GCD(2, 108) = 2 (no)
  e = 3 => GCD(3, 108) = 3 (no)
  e = 5 => GCD(5, 108) = 1 (yes)
• Finding d such that (d * e) mod φ(n) = 1
• We can rewrite this as d = (1 + j.φ(n)) / e
  j = 0 => d = 1 / 5 = 0.2 → integer? (no)
  j = 1 => d = 109 / 5 = 21.8 → integer? (no)
  j = 2 => d = 217 / 5 = 43.4 → integer? (no)
  j = 3 => d = 325 / 5 = 65 → integer? (yes)
Public key: PU = { e, n } = {5, 133}
Private key: PR = { d, n } = {65, 133}
RSA Example – cont…
• Encryption: C = M^e mod n
  For message M = 6
  C = 6^5 mod 133
  C = 7776 mod 133
  C = 62
  PU = { e, n }, PU = { 5, 133 }
• Decryption: M = C^d mod n
  For C = 62
  M = 62^65 mod 133
  M = 6
  PR = { d, n }, PR = { 65, 133 }
RSA Example
• P and Q are two prime numbers, P = 7 and Q = 17. Take public key E = 5. If the plaintext value is 10, then what will be the ciphertext value according to the RSA algorithm?
  • n = 119
  • φ(n) = 96
  • e = 5
  • d = 77
  • PU = { 5, 119 }
  • PR = { 77, 119 }
  • C = 10^5 mod 119 => C = 40
ElGamal Cryptographic System
• public-key cryptosystem related to D-H
• so uses exponentiation in a finite (Galois) field
• with security based on the difficulty of computing discrete logarithms, as in D-H
• each user (e.g. A) generates their key
  • chooses a secret key (number): 1 < xA < q-1
  • computes their public key: yA = a^xA mod q
ElGamal Message Exchange
• Bob encrypts a message to send to A by computing
  • represent message M in range 0 <= M <= q-1
    • longer messages must be sent as blocks
  • choose random integer k with 1 <= k <= q-1
  • compute one-time key K = yA^k mod q
  • encrypt M as a pair of integers (C1, C2) where
    • C1 = a^k mod q ; C2 = KM mod q
• A then recovers the message by
  • recovering key K as K = C1^xA mod q
  • computing M as M = C2 K^-1 mod q
• a unique k must be used each time
  • otherwise the result is insecure
ElGamal Example
• use field GF(19): q = 19 and a = 10
• Alice computes her key:
  • A chooses xA = 5 & computes yA = 10^5 mod 19 = 3
• Bob sends message m = 17 as (11, 5) by
  • choosing random k = 6
  • computing K = yA^k mod q = 3^6 mod 19 = 7
  • computing C1 = a^k mod q = 10^6 mod 19 = 11;
    C2 = KM mod q = 7.17 mod 19 = 5
• Alice recovers the original message by computing:
  • recover K = C1^xA mod q = 11^5 mod 19 = 7
  • compute inverse K^-1 = 7^-1 = 11
  • recover M = C2 K^-1 mod q = 5.11 mod 19 = 17
Elliptic Curve Cryptography
• the majority of public-key crypto (RSA, D-H) uses either integer or polynomial arithmetic with very large numbers/polynomials
  • imposes a significant load in storing and processing keys and messages
• an alternative is to use elliptic curves
• offers the same security with smaller bit sizes
• newer, but not as well analysed
Real Elliptic Curves
• an elliptic curve is defined by an equation in two variables x & y, with coefficients
• consider a cubic elliptic curve of the form
  • y^2 = x^3 + ax + b
  • where x, y, a, b are all real numbers
  • also define the zero point O
• consider the set of points E(a, b) that satisfy the equation
• there is an addition operation for the elliptic curve
  • geometrically, the sum P + Q is the reflection of the intersection point R
Real Elliptic Curve Example
Figure: plot of a real elliptic curve (image not reproduced).
Finite Elliptic Curves
• Elliptic curve cryptography uses curves whose variables & coefficients are finite
• there are two families commonly used:
  • prime curves Ep(a, b) defined over Zp
    • use integers modulo a prime
    • best in software
  • binary curves E2m(a, b) defined over GF(2^m)
    • use polynomials with binary coefficients
    • best in hardware
Elliptic Curve Cryptography
• ECC addition is the analog of modulo multiply
• ECC repeated addition is the analog of modulo exponentiation
• need a “hard” problem equivalent to discrete log
  • Q = kP, where Q, P belong to a prime curve
  • it is “easy” to compute Q given k, P
  • but “hard” to find k given Q, P
  • known as the elliptic curve logarithm problem
• Certicom example: E23(9, 17)
ECC Diffie-Hellman
• can do key exchange analogous to D-H
• users select a suitable curve Eq(a, b)
• select base point G = (x1, y1)
  • with large order n s.t. nG = O
• A & B select private keys nA < n, nB < n
• compute public keys: PA = nA·G, PB = nB·G
• compute shared key: K = nA·PB, K = nB·PA
  • same since K = nA·nB·G
• an attacker would need to find k, which is hard
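Point addition, repeated addition Q = kP and the ECDH exchange above, as an added example for this page (not code from the slides or their sources). It works on the prime curve E23(9, 17) named in the Certicom example, i.e. y^2 = x^3 + 9x + 17 over Z23. The base point G = (16, 5) and the private keys nA = 3, nB = 5 are assumptions chosen for illustration; the curve is far too small for real use, and `pow(x, -1, p)` is the modular inverse (Python 3.8+).

```python
# Added example: arithmetic on the prime curve E23(9, 17) and ECDH on it.

P_MOD, A_COEF, B_COEF = 23, 9, 17   # the Certicom example curve from the slides
INF = None                          # the point at infinity O (identity element)


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + ax + b (mod p), or is O."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P_MOD == 0


def point_add(p1, p2):
    """Chord-and-tangent addition over Z_p (the ECC analog of modular multiplication)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                                     # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD             # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """Q = kP by double-and-add (the ECC analog of modular exponentiation)."""
    result = INF
    addend = pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdh(n_a, n_b, g):
    """PA = nA*G, PB = nB*G; both sides derive K = nA*PB = nB*PA = nA*nB*G.
    Returns (PA, PB, K computed by A, K computed by B)."""
    pa, pb = scalar_mult(n_a, g), scalar_mult(n_b, g)
    k_a, k_b = scalar_mult(n_a, pb), scalar_mult(n_b, pa)
    return pa, pb, k_a, k_b


if __name__ == "__main__":
    G = (16, 5)                     # assumed base point; on_curve(G) is True
    print(scalar_mult(9, G))        # (4, 5)
    print(ecdh(3, 5, G))
```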
ECC Encryption/Decryption
• several alternatives; we consider the simplest
• must first encode any message M as a point Pm on the elliptic curve
• select a suitable curve & point G as in D-H
• each user chooses a private key nA < n
• and computes public key PA = nA·G
• to encrypt Pm: Cm = {kG, Pm + k·PB}, k random
• to decrypt Cm, compute:
  Pm + k·PB – nB(kG) = Pm + k(nB·G) – nB(kG) = Pm
ECC Security
• relies on the elliptic curve logarithm problem
• the fastest known method is the “Pollard rho method”
• compared to factoring, can use much smaller key sizes than with RSA etc
• for equivalent key lengths, computations are roughly equivalent
• hence for similar security ECC offers significant computational advantages
Comparable Key Sizes for Equivalent Security
Symmetric scheme     ECC-based scheme      RSA/DSA
(key size in bits)   (size of n in bits)   (modulus size in bits)
56                   112                   512
80                   160                   1024
112                  224                   2048
128                  256                   3072
192                  384                   7680
256                  512                   15360
Public Key Distribution and Management
• Key management and distribution
• Symmetric key distribution using symmetric encryption
• Symmetric key distribution using asymmetric encryption
• Distribution of public keys
• X.509 certificates
• Public key infrastructure (PKI)
INS is very Interesting Subject
Key Distribution
• Key distribution is the function that delivers a key to two parties who wish to exchange secure encrypted data.
• Some sort of mechanism or protocol is needed to provide for the secure distribution of keys.
• Key distribution often involves the use of master keys, which are infrequently used and are long lasting, and session keys, which are generated and distributed for temporary use between two parties.
Key Hierarchy
• Communication between end systems is encrypted using a temporary key, often referred to as a session key.
• Session keys are transmitted in encrypted form, using a master key that is shared by the key distribution center and an end system or user.
Simple Secret Key Distribution
1. A generates a public/private key pair {PUa, PRa} and transmits a message to B consisting of PUa and an identifier of A, IDA.
2. B generates a secret key, Ks, and transmits it to A, encrypted with A's public key.
3. A computes D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can decrypt the message, only A and B will know the identity of Ks.
4. A discards PUa and PRa and B discards PUa.
Figure: messages between initiator A and B:
(1) A → B: PUa || IDA
(2) B → A: E(PUa, Ks)
Secret Key Distribution with Confidentiality & Authentication
1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely.
2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (1), the presence of N1 in message (2) assures A that the correspondent is B.
3. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.
4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption with B's public key ensures that only B can read it; encryption with A's private key ensures that only A could have sent it.
5. B computes D(PUa, D(PRb, M)) to recover the secret key.
Figure: messages between initiator A and B:
(1) A → B: E(PUb, [N1 || IDA])
(2) B → A: E(PUa, [N1 || N2])
(3) A → B: E(PUb, N2)
(4) A → B: E(PUb, E(PRa, Ks))
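The five-step exchange above simulated end to end, as an added example for this page (not code from the slides or their sources). Public-key operations are textbook RSA applied to each integer field separately, using the small key pairs worked out in the RSA examples: A holds PU = {5, 133} / PR = {65, 133} and B holds PU = {7, 187} / PR = {23, 187}. Assigning the smaller modulus to A is deliberate: E(PRa, Ks) is then always below B's modulus, so E(PUb, E(PRa, Ks)) round-trips. The identifier, nonces and Ks are constructed values, and the two boolean results show where each party gains its assurance about the other.

```python
# Added example: the confidentiality-and-authentication key distribution protocol
# with toy RSA keys from the slides. Field values must be below the modulus in use.

PU_A, PR_A = (5, 133), (65, 133)   # A's key pair (slides' p = 7, q = 19 example)
PU_B, PR_B = (7, 187), (23, 187)   # B's key pair (slides' p = 17, q = 11 example)


def E(key, fields):
    """Encrypt a list of small integers field-by-field with an RSA key (exponent, n)."""
    exp, n = key
    return [pow(f, exp, n) for f in fields]


D = E   # textbook RSA: decryption is the same operation with the other key


def run_protocol(id_a, n1, n2, ks):
    """Runs the exchange; returns (Ks as recovered by B, A authenticated B, B authenticated A)."""
    # (1) A -> B: E(PUb, [N1 || IDA])
    msg1 = E(PU_B, [n1, id_a])
    n1_seen_by_b, _ = D(PR_B, msg1)

    # (2) B -> A: E(PUa, [N1 || N2]); only a holder of PRb could have read N1 from msg1
    msg2 = E(PU_A, [n1_seen_by_b, n2])
    n1_echo, n2_seen_by_a = D(PR_A, msg2)
    a_authenticated_b = (n1_echo == n1)

    # (3) A -> B: E(PUb, N2); only a holder of PRa could have read N2 from msg2
    msg3 = E(PU_B, [n2_seen_by_a])
    b_authenticated_a = (D(PR_B, msg3)[0] == n2)

    # (4) A -> B: E(PUb, E(PRa, Ks)); signed by A, readable only by B
    msg4 = E(PU_B, E(PR_A, [ks]))

    # (5) B computes D(PUa, D(PRb, M)) to recover Ks
    ks_recovered = D(PU_A, D(PR_B, msg4))[0]
    return ks_recovered, a_authenticated_b, b_authenticated_a


if __name__ == "__main__":
    print(run_protocol(id_a=7, n1=42, n2=99, ks=101))   # (101, True, True)
```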
Symmetric key distribution using symmetric encryption
• For two parties A and B, key distribution can be achieved in a number of ways, as follows:
1. A can select a key and physically deliver the key to B.
2. A third party can select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key.
4. If A and B each have an encrypted connection to a third party C,
Key Distribution Scenario
Figure: messages among initiator A, B and the Key Distribution Center (KDC):
(1) A → KDC: IDA || IDB || N1
(2) KDC → A: E(Ka, [Ks || IDA || IDB || N1]) || E(Kb, [Ks || IDA])
(3) A → B: E(Kb, [Ks || IDA])
(4) B → A: E(Ks, N2)
(5) A → B: E(Ks, f(N2))
Key Distribution Scenario
1. A requests from the KDC a session key to protect a logical connection to B. The message includes the identity of A and B and a unique nonce N1.
2. The KDC responds with a message encrypted using Ka that includes a one-time session key Ks to be used for the session, the original request message to enable A to match the response with the appropriate request, and information for B.
3. A stores the session key for use in the upcoming session and forwards to B the information from the KDC for B, namely, E(Kb, [Ks || IDA]).
4. At this point, a session key has been securely delivered to A and B, and they may begin their protected exchange.
5. Using the new session key for encryption, B sends a nonce N2 to A.
6. Also using Ks, A responds with f(N2). These steps assure B that the original message it received (step 3) was not a replay. Note that the actual key distribution involves only steps 1 through 3 but that steps 4 and 5, as well as 3, perform an authentication function.
Distribution of Public Keys
1. Public announcement
2. Publicly available directory
3. Public-key authority
4. Public-key certificates
1. Public Announcement
• Some user could pretend to be user A and send a public key to another participant or broadcast such a public key.
• Until such time as user A discovers the forgery and alerts other participants, the forger is able to read all encrypted messages intended for A and can use the forged keys for authentication.
2. Publicly Available Directory
1. The authority maintains a directory with a {name, public key} entry for each participant.
2. Each participant registers a public key with the directory authority.
3. A participant may replace the existing key with a new one at any time.
4. Participants could also access the directory electronically. For this purpose, secure, authenticated communication from the authority to the participant is mandatory.
3. Public-Key Authority
Figure: messages among initiator A, B and the Public-Key Authority:
(1) A → Authority: Request || T1
(2) Authority → A: E(PRauth, [PUb || Request || T1])
(3) A → B: E(PUb, [IDa, N1])
(4) B → Authority: Request || T2
(5) Authority → B: E(PRauth, [PUa || Request || T2])
(6) B → A: E(PUa, [N1 || N2])
(7) A → B: E(PUb, N2)
3. Public-Key Authority – Cont…
1. A sends a timestamped message to the public-key authority containing a request for the current public key of B.
2. The authority responds with a message that is encrypted using the authority’s private key. The message contains PUb, the original request and the original timestamp T1.
3. A stores B’s public key and also uses it to encrypt a message to B containing an identifier of A (IDa) and a nonce (N1), which is used to identify this transaction uniquely.
4, 5. B retrieves A’s public key from the authority in the same manner as A retrieved B’s public key.
6. B sends a message to A encrypted with PUa and containing A’s nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (3), the presence of N1 in message (6) assures A that the correspondent is B.
7. A returns N2, which is encrypted using B’s public key, to assure B that its correspondent is A.
4. Public-Key Certificates
• Any participant can read a certificate to determine the name and public key of the certificate’s owner.
• Any participant can verify that the certificate originated from the certificate authority and is not counterfeit.
• Only the certificate authority can create and update certificates.
• Any participant can verify the currency of the certificate.
4. Public-Key Certificates – Cont…
Figure: A and B each send their public key (PUa, PUb) to the Certificate Authority and receive a certificate, which they then exchange with each other ((1) A → B: CA; (2) B → A: CA):
CA = E(PRauth, [T1 || IDa || PUa])
CA = E(PRauth, [T2 || IDb || PUb])
4. Public-Key Certificates – Cont…
• Each participant applies to the certificate authority, supplying a public key and requesting a certificate.
• For participant A, the authority provides a certificate of the form
  CA = E(PRauth, [T || IDa || PUa])
• A may then pass this certificate on to any other participant, who reads and verifies the certificate as follows:
  D(PUauth, CA)
  = D(PUauth, E(PRauth, [T || IDa || PUa]))
  = (T || IDa || PUa)
X.509 Certificates
• X.509 defines the format for public-key certificates used in a variety of applications.
• X.509 defines a framework for the provision of authentication services by the X.500 directory to its users.
• The directory may serve as a repository of public-key certificates.
• Each certificate contains the public key of a user and is signed with the private key of a trusted certification authority.
X.509 Formats
Figure: X.509 certificate layout. Fields present in all versions: Version; Certificate serial number; Signature algorithm identifier (Algorithm, Parameters); Issuer name; Period of validity (Not before, Not after); Subject name; Subject’s public key info (Algorithms, Parameters, Key); Signature (Algorithms, Parameters, Encrypted hash). Version 2 adds the Issuer Unique identifier and Subject Unique identifier; Version 3 adds Extensions.
X.509 Format – Cont…
• Version: Differentiates among successive versions of the certificate format; the default is version 1.
• Serial number: An integer value unique within the issuing CA that is unambiguously associated with this certificate.
• Signature algorithm identifier: The algorithm used to sign the certificate together with any associated parameters.
• Issuer name: X.500 name of the CA that created and signed this certificate.
• Period of validity: Consists of two dates: the first and last on which the certificate is valid.
• Subject name: The name of the user to whom this certificate refers.
X.509 Format – Cont…
• Subject’s public-key information: The public key of the subject, plus an identifier of the algorithm for which this key is to be used, together with any associated parameters.
• Issuer unique identifier: An optional bit-string field used to identify uniquely the issuing CA in the event the X.500 name has been reused for different entities.
• Subject unique identifier: An optional bit-string field used to identify uniquely the subject in the event the X.500 name has been reused for different entities.
• Extensions: A set of one or more extension fields.
Public-Key Certificate Use
Figure: Unsigned certificate (contains user ID, user's public key) → H: generate hash code of the unsigned certificate → E: encrypt the hash code with the CA's private key to form the signature → Signed Certificate (CA information, Bob’s public key, Bob’s ID information, signature). Recipient: D: decrypt the signature with the CA's public key to recover the hash code, recompute H over the certificate, and verify the signature by comparing the hash code values.
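The certificate signing and verification flow in the figure above, as an added example for this page (not code from the slides or their sources). The CA hashes the unsigned certificate with SHA-256 (hashlib), "encrypts" the hash code with its private key to form the signature, and a recipient decrypts the signature with the CA public key and compares hash codes. The CA key pair is the slides' tiny RSA pair {7, 187} / {23, 187}, so the hash is reduced mod n before signing; that reduction is a toy stand-in for a real signature scheme, chosen only so the example runs offline. The certificate contents are constructed values.

```python
# Added example: sign and verify a certificate the way the slide figure describes.
import hashlib
import json

CA_PUBLIC, CA_PRIVATE = (7, 187), (23, 187)   # toy CA key pair from the RSA example


def unsigned_certificate(subject_id, subject_public_key, validity):
    """The unsigned certificate of the figure: user ID, user's public key, validity period."""
    return {"subject": subject_id, "public_key": subject_public_key, "validity": validity}


def hash_code(cert_fields):
    """H: hash of the unsigned certificate over a canonical encoding, reduced into the
    toy key's range 0 .. n-1 (a real scheme would not truncate like this)."""
    canonical = json.dumps(cert_fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big") % CA_PRIVATE[1]


def sign_certificate(cert_fields, ca_private=CA_PRIVATE):
    """E: the CA encrypts the hash code with its private key to form the signature."""
    d, n = ca_private
    return {**cert_fields, "signature": pow(hash_code(cert_fields), d, n)}


def verify_certificate(signed_cert, ca_public=CA_PUBLIC):
    """D: the recipient decrypts the signature with the CA public key and compares
    the recovered hash code with the one it recomputes over the certificate."""
    e, n = ca_public
    fields = {k: v for k, v in signed_cert.items() if k != "signature"}
    recovered = pow(signed_cert["signature"], e, n)
    return recovered == hash_code(fields)


if __name__ == "__main__":
    cert = sign_certificate(unsigned_certificate("Bob", [5, 133], "2024-01-01/2025-01-01"))
    print(verify_certificate(cert))                                   # True
    forged = {**cert, "signature": (cert["signature"] + 1) % 187}     # altered signature
    print(verify_certificate(forged))                                 # False
```

Altering any signature value is always detected because exponentiation by e is a permutation of Z_n; altering the certificate fields is detected unless the truncated hash collides, which with n = 187 happens about once in 187 attempts and is exactly why real certificates sign a full-length hash under a large modulus.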
Public key Infrastructure (PKI)
• A public-key infrastructure (PKI) is defined as the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography.
• The principal objective for developing a PKI is to enable secure, convenient, and efficient acquisition of public keys.
Public key Infrastructure (PKI)
Figure: PKI architectural model (image not reproduced).
Public key Infrastructure (PKI) – Cont…
• End entity: A generic term used to denote end users, devices (e.g., servers, routers), or any other entity that can be identified in the subject field of a public-key certificate.
• Certification authority (CA): The issuer of certificates and (usually) certificate revocation lists (CRLs).
• Registration authority (RA): An optional component that can assume a number of administrative functions from the CA.
• CRL issuer: An optional component that a CA can delegate to publish CRLs.
• Repository: A generic term used to denote any method for storing certificates and CRLs so that they can be retrieved by end entities.
Diffie-Hellman Key Exchange
• The purpose of the Diffie-Hellman algorithm is to enable two users to securely exchange a key that can be used for subsequent encryption of messages.
• This algorithm depends for its effectiveness on the difficulty of computing discrete logarithms.
Primitive root
• Let be a prime number
• Then is a primitive root for , if the powers of modulo generate all integers from 1 to – 1 in some permutation.
• Example: p = 7, then a primitive root is 3 because the powers of 3 mod 7 generate all the integers from 1 to 6
  a mod p, a^2 mod p, …, a^(p−1) mod p
Discrete Logarithm
• For any integer and a primitive root of prime number , we can find a unique exponent such that
  b = a^i (mod p) where 0 ≤ i ≤ (p−1)
• The exponent is referred to as the discrete logarithm of for the base , mod . It is expressed as below.
  i = dlog_{a,p}(b)
• User A and User B agree on two large prime numbers q and α. User A and User B can use an insecure channel to agree on them.
• User A selects a random integer and calculates
Diffie-Hellman Key Exchange – Cont…
Global Public Elements
prime number
< and is primitive root of
User A Key Generation
Select private
Calculate public
User B Key Generation
Select private
Calculate public
Diffie-Hellman Key Exchange – Cont…
User A Key Generation
Select private
Calculate public
User B Key Generation
Select private
Calculate public
Calculation of Secret Key by User A
Calculation of Secret Key by User B
Diffie-Hellman Key Exchange – Cont…
User A Key Generation
Private , Public
User B Key Generation
Private , Public
Secret Key by User A :
Secret Key by User B :
Diffie-Hellman Key Exchange Example
• Alice and Bob agree on a prime number
• as primitive root of
• Alice selects a private integer
• Alice computes =>
• Bob selects a private integer
• Bob computes =>
• Alice sends to Bob and Bob sends to Alice
• Alice computes key =>
• Bob computes key =>
Diffie-Hellman Key Exchange Illustration
Diffie-Hellman Key Exchange
• first public-key type scheme proposed
• by Diffie & Hellman in 1976 along with the exposition of public key concepts
  - note: now know that Williamson (UK CESG) secretly proposed the concept in 1970
• is a practical method for public exchange of a secret key
• used in a number of commercial products
Diffie-Hellman Key Exchange
• a public-key distribution scheme
  - cannot be used to exchange an arbitrary message
  - rather it can establish a common key
  - known only to the two participants
• value of key depends on the participants (and their private and public key information)
• based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy
• security relies on the difficulty of computing discrete logarithms (similar to factoring) - hard
Diffie-Hellman Setup
• all users agree on global parameters:
  - large prime integer or polynomial q
  - a being a primitive root mod q
• each user (eg. A) generates their key
  - chooses a secret key (number): xA < q
  - computes their public key: yA = a^xA mod q
• each user makes public that key yA
Diffie-Hellman Key Exchange
• shared session key for users A & B is KAB:
  KAB = a^(xA·xB) mod q
      = yA^xB mod q (which B can compute)
      = yB^xA mod q (which A can compute)
• KAB is used as session key in private-key encryption scheme between Alice and Bob
• if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys
• attacker needs an x, must solve discrete log
Diffie-Hellman Example
• users Alice & Bob who wish to swap keys:
• agree on prime q=353 and a=3
• select random secret keys:
  - A chooses xA=97, B chooses xB=233
• compute respective public keys:
  - yA = 3^97 mod 353 = 40 (Alice)
  - yB = 3^233 mod 353 = 248 (Bob)
• compute shared session key as:
  - KAB = yB^xA mod 353 = 248^97 mod 353 = 160 (Alice)
  - KAB = yA^xB mod 353 = 40^233 mod 353 = 160 (Bob)
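The exchange above carried through in code, as an added example that is not part of the slides. It uses the slide's values q = 353, a = 3, xA = 97, xB = 233 and checks that both sides arrive at KAB = 160 and that this equals the closed form a^(xA·xB) mod q; a second function runs the same steps with fresh random private keys, as the "new keys each time" protocol on the next slide suggests. Function names are this example's own.

```python
# Added example (not from the lecture slides): the Diffie-Hellman exchange
# with the slide's parameters q = 353, a = 3, xA = 97, xB = 233, and the same
# functions driven by fresh random private keys.
import secrets


def dh_public(private: int, q: int, a: int) -> int:
    """y = a^x mod q, the value a party publishes."""
    return pow(a, private, q)


def dh_shared(their_public: int, my_private: int, q: int) -> int:
    """K = y_other^x_mine mod q, computed independently by each side."""
    return pow(their_public, my_private, q)


def dh_private(q: int) -> int:
    """Random private exponent 1 <= x <= q-2 (x = 0 or x = q-1 gives y = 1)."""
    return 1 + secrets.randbelow(q - 2)


def exchange(q: int, a: int, x_a: int, x_b: int) -> dict:
    """Run both sides, check they agree, and return the public values, the
    shared key and the closed form a^(xA*xB) mod q for comparison."""
    y_a = dh_public(x_a, q, a)
    y_b = dh_public(x_b, q, a)
    k_a = dh_shared(y_b, x_a, q)   # Alice computes yB^xA mod q
    k_b = dh_shared(y_a, x_b, q)   # Bob computes   yA^xB mod q
    if k_a != k_b:
        raise RuntimeError("sides disagree; parameters do not form a valid group")
    return {"yA": y_a, "yB": y_b, "K": k_a, "a^(xA*xB)": pow(a, x_a * x_b, q)}


def textbook_exchange() -> dict:
    """The slide's numbers: expect yA = 40, yB = 248, K = 160."""
    return exchange(q=353, a=3, x_a=97, x_b=233)


def random_exchange(q: int = 353, a: int = 3) -> bool:
    """Fresh private keys on every run; only yA and yB would cross the
    network.  Returns True when K matches the closed form."""
    result = exchange(q, a, dh_private(q), dh_private(q))
    return result["K"] == result["a^(xA*xB)"]


if __name__ == "__main__":
    print(textbook_exchange())   # {'yA': 40, 'yB': 248, 'K': 160, 'a^(xA*xB)': 160}
    print(random_exchange())     # True
```

The toy modulus is there only to match the slide: 353 can be brute-forced by the exhaustive discrete-log search shown earlier in these notes, so real deployments use the large primes the setup slide calls for, and `pow(base, exp, mod)` handles those sizes without change.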
Key Exchange Protocols
• users could create random private/public D-H keys each time they communicate
• users could create a known private/public D-H key and publish in a directory, then consulted and used to securely communicate with them
• both of these are vulnerable to a man-in-the-middle attack
• authentication of the keys is needed
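One way to add the key authentication the slide calls for, as an added example that is not part of the slides: each party tags its public value with an HMAC under a pre-shared authentication key, and the receiver verifies the tag before using the value in any exponentiation. The parameters q = 353, a = 3 are the slide's; the authentication key, the party names and the tampering scenario are constructed for this example.

```python
# Added example (not from the lecture slides): Diffie-Hellman in which each
# exchanged public value carries an HMAC tag under a pre-shared authentication
# key, so a receiver rejects a value that did not come from the claimed party.
# q = 353, a = 3 are the slide's toy parameters; the authentication key, the
# party names and the tampering scenario are constructed for this example.
import hashlib
import hmac
import secrets

Q, A = 353, 3


def keypair(q: int = Q, a: int = A) -> tuple:
    """(private x, public y) with 1 < y < q-1.  y = 1 or y = q-1 would make
    the shared secret trivial, so such keys are regenerated."""
    while True:
        x = 1 + secrets.randbelow(q - 2)
        y = pow(a, x, q)
        if 1 < y < q - 1:
            return x, y


def tag(auth_key: bytes, sender: str, y: int, q: int = Q) -> bytes:
    """HMAC-SHA256 over (sender, q, y).  Binding the sender name and the group
    means a value cannot be passed off as coming from someone else."""
    return hmac.new(auth_key, f"{sender}|{q}|{y}".encode(), hashlib.sha256).digest()


def accept(auth_key: bytes, sender: str, y: int, t: bytes, q: int = Q) -> int:
    """Receiver-side check, run before y is used in any exponentiation."""
    if not hmac.compare_digest(tag(auth_key, sender, y, q), t):
        raise ValueError(f"public value claimed from {sender} failed authentication")
    if not 1 < y < q - 1:
        raise ValueError("public value outside the valid range")
    return y


def session_key(shared: int, q: int = Q) -> bytes:
    """Derive a fixed-size key from the DH secret instead of using the raw
    integer (a design choice for this example, not from the slides)."""
    width = (q.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()


def exchange(auth_key: bytes, tamper: bool = False) -> bool:
    """Both sides authenticate what they receive; returns True when both
    derive the same session key.  With tamper=True the value Bob receives is
    not the one Alice tagged, and accept() raises ValueError."""
    x_a, y_a = keypair()
    x_b, y_b = keypair()
    from_alice = ("Alice", y_a, tag(auth_key, "Alice", y_a))
    from_bob = ("Bob", y_b, tag(auth_key, "Bob", y_b))
    if tamper:
        substituted = 2 if y_a != 2 else 3           # any value other than y_a
        from_alice = ("Alice", substituted, from_alice[2])
    k_b = session_key(pow(accept(auth_key, *from_alice), x_b, Q))
    k_a = session_key(pow(accept(auth_key, *from_bob), x_a, Q))
    return k_a == k_b


def tampered_value_rejected(auth_key: bytes) -> bool:
    """True when a substituted public value is caught by accept()."""
    try:
        exchange(auth_key, tamper=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = b"constructed pre-shared authentication key"
    print(exchange(key))                  # True
    print(tampered_value_rejected(key))   # True
```

A pre-shared authentication key is the simplest option and fits two parties that already share a long-term secret; with the PKI described earlier in these notes the same check would instead be a digital signature over (sender, q, y) verified against the sender's certificate, which removes the need for any pre-shared secret.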
Dr. G.N. Vivekananda
Associate Professor
School of Computer Science Engineering & Information Systems
Vellore Institute of Technology, Vellore
BITE401L Network and Information Security
  • 1. B. Tech. Information Technology By Dr. G.N. Vivekananda Associate Professor SCORE, VIT, Vellore Text Books:  William Stallings, “Cryptography and Network Security- Principles and Practice”, 2020, 8th Edition, Pearson Publishers.  Michael E Whitman and Herbert J Mattord, “Principles of Information Security”, 2017, 6th Edition, Course Technology Inc. BITE401L Network and Information Security Module 2
  • 2. 2 Module II: Public Key Cryptography ●Need and Principles of Public Key Cryptosystems ●RSA Algorithm ●El Gamal Cryptographic System ●Elliptic Curve Cryptography ●Public Key Distribution and Management ●Diffie-Hellman Key Exchange Contents
  • 3. 3 Need and Principles of Public Key Cryptosystems • Public-Key Cryptosystems • Applications for Public-Key Cryptosystems • Requirements for Public-Key Cryptography • Public-Key Cryptanalysis
  • 4. Symmetric key Encryption Plaintext input Plaintext output Encryption Algorithm (e.g. AES) Decryption Algorithm (reverse of encryption algorithm) Secret key shared by sender and recipient X Secret key shared by sender and recipient K Transmitted cipher text Y = E(K, X) K X
  • 5. Plaintext input Plaintext output Encryption Algorithm (e.g. RSA) Decryption Algorithm X Transmitted cipher text Y = E(PUa, X) X Bob’s Public key ring Alice Ted Mike Joy Alice’s public key PUa Alice’s private key PRa Asymmetric key Encryption with Public Key Bob Alice  The entire encrypted message serves as a confidentiality.
  • 6. Plaintext input Plaintext output Encryption Algorithm (e.g. RSA) Decryption Algorithm X Transmitted cipher text Y = E(PRb, X) X Alice’s Public key ring Bob Ted Mike Joy Bob’s public key PUb Bob’s private key PRb Asymmetric key Encryption with Private Key Bob Alice  The entire encrypted message serves as a digital signature.
  • 7. Authentication and Confidentiality Message source Encryption Algorithm Encryption Algorithm Decryption Algorithm Decryption Algorithm Message Dest. X Y Y X Z Key pair source Key pair source PRa PUa PRb PUb Source A Source B Z = E(PUb, E(PRa, X)) X = D(PUa, D(PRB, Z))
  • 8. 8 Principles of public-key cryptosystems Symmetric encryption has two difficult problems.  Key distribution problem  Symmetric encryption requires either  that two communicants already share a key or  the use of key distribution center (KDC).  If the KDC is compromised, …  Hard to be used for “digital signatures”
  • 9. 9 Public-Key Cryptosystems Public-key algorithms use two separate key.  Public key and private key  It is computationally infeasible to determine the private key given only knowledge of the cryptographic algorithm and the public key.  Normally, public key is used for encryption and private key is used for decryption.  In some algorithms such as RSA, either of the two keys can be used for encryption, with the other used for decryption.
  • 10. 10 Public-Key Cryptosystems A public-key encryption scheme has six ingredients.  Plaintext  Encryption algorithm  Ciphertext  Decryption algorithm  Public and private key  One is for encryption and the other is for decryption.
  • 11. 11 Public-Key Cryptosystems The use of public-key encryption  Each user generate his/her public and private keys.  Each user places the public key in a public register and keeps the private key secret.  If Bob wants to send a message to Alice, Bog encrypts the message using Alice’s public key.  Alice decrypts the ciphertext using her private key.
  • 12. 12 Public-Key Cryptosystems The use of public-key encryption. (Bob sends a message to Alice.)
  • 13. 13 Public-Key Cryptosystems A public-key encryption scheme : Secrecy
  • 14. 14 Public-Key Cryptosystems The use of public-key encryption to provide authentication.
  • 15. 15 Public-Key Cryptosystems A public-key encryption scheme : Authentication
  • 16. 16 Public-Key Cryptosystems A public-key encryption scheme : Secrecy and authentication
  • 17. 17 Applications for Public-Key Cryptosystems The use of public-key cryptosystems  Encryption/decryption (provide secrecy)  Digital signatures (provide authentication)  Key exchange (of session keys) Some algorithms are suitable for all applications, others can be used only for one or two.
  • 18. 18 Requirements for Public-Key Cryptography Diffie and Hellman did lay out the conditions that such algorithms must fulfill when A sends a message to B. 1. It is easy for B to generate his/her public and private key. 2. It is easy for A to encrypt a message M using B’s public key. 3. It is easy for B to decrypt the ciphertext using B’s private key. ) (M E C b KU  )] ( [ ) ( M E D C D M b b b KU KR KR  
  • 19. 19 Requirements for Public-Key Cryptography 4. It is infeasible for an opponent, knowing the public key, KUb , to determine the private key, KRb . 5. It is infeasible for an opponent, knowing the public key, KUb , and a ciphertext, C, to recover the original message, M. 6. (Optional) The encryption and decryption functions can be applied in either order. )] ( [ )] ( [ M E D M D E M b b b b KR KU KR KU  
  • 20. 20 Requirements for Public-Key Cryptography These requirements are hard to achieve so only two algorithms (RSA, elliptic curve cryptography) have received widespread acceptance. Why the requirements are so formidable?  The requirements needs a trap-door one-way function.
  • 21. 21 Requirements for Public-Key Cryptography One-way function  A one-to-one function such that  The calculation of the function is easy  but the calculation of the inverse is infeasible. Easy  A problem can be solved in polynomial time. Infeasible  It is hard to invert a function for virtually all inputs, not for the worst case or even average case. Y = f(X) easy X = f-1 (Y) infeasible
  • 22. 22 Requirements for Public-Key Cryptography Trap-door one-way function  Easy to calculate in one direction and infeasible to calculate in the other direction unless certain additional information is known.  Thus, the development of a practical public-key scheme depends on discovery of a suitable trap-door one-way function. Y = fk(X) easy, if k and X are known X = fk -1 (Y) easy, if k and Y are known X = fk -1 (Y) infeasible, if Y is known but k is not known
  • 23. 23 Public-Key Cryptanalysis Brute-force attacks for private keys  Countermeasure: use large keys  The key size must be large enough to make brute-force attack impractical but small enough for practical encryption and decryption. Computing the private key given the public key  No algorithms are proven safe from this attack.
  • 24. 24 Public-Key Cryptanalysis A probable-message attack  Suppose that a message were a 56-bit DES key.  An opponent could encrypt all possible keys using the public key.  He could decipher any message by matching the transmitted ciphertext.  Countermeasure  Large key size (?)  Append some random bits to messages.
  • 25. Applications for Public-Key Cryptosystems  Encryption/decryption: The sender encrypts a message with the recipient’s public key.  Digital signature: The sender “signs” a message with its private key. Signing is achieved by a cryptographic algorithm applied to the message or to a small block of data that is a function of the message.  Key exchange: Two sides cooperate to exchange a session key. Several different approaches are possible, involving the private key(s) of one or both parties.
  • 26. 26 RSA Algorithm • Description of the Algorithm • The Security of RSA
  • 27. 27 The RSA Algorithm Developed in 1977 by Rivest, Shamir, and Adleman at MIT. The RSA scheme is a block cipher in which the plaintext / ciphertext are integers between 0 and n – 1 for some n. A typical size for n is 1024 bits, or 309 decimal digits.  n = pq
  • 28. 28 Description of the RSA Algorithm Plaintext is encrypted in blocks.  Each block have a binary value less than some number n.  That is, the block size must be less than or equal to log2(n).  The block size is k bits, where 2k < n ≤ 2k+1 .
  • 29. 29 Description of the RSA Algorithm Encryption/Decryption  M : plaintext block  C : ciphertext block  public key: {e, n}  private key: {d, n}. n M n M n C M n M C ed d e d e mod mod ) ( mod mod    
  • 30. 30 Requirements for Public-Key Cryptography Diffie and Hellman’s requirements 1. It is easy for B to generate his/her public and private key.  It should be easy for B to find values of e, d, and n. 2. It is easy for A to encrypt a message M using B’s public key.  It should be easy to calculate Me . 3. It is easy for B to decrypt the ciphertext using B’s private key.  It should be easy to calculate Cd . 4. It is infeasible for an opponent, knowing the public key, KUb , to determine the private key, KRb .  It is infeasible to determine d given e and n. 5. It is infeasible for an opponent, knowing the public key, KUb , and a ciphertext, C, to recover the original message, M. 6. (Optional) The encryption and decryption functions can be applied in either order.
  • 31. 31 Description of the RSA Algorithm First requirement  It should be easy to find values of e, d, n such that for all M < n. n M M ed mod 
  • 32. 32 Description of the RSA Algorithm A corollary to Euler’s theorem  Given two prime numbers, p and q, and two integer, n and m, such that n = pq and 0 < m < n, and arbitrary integer k, n m m n m m q p k n k mod mod 1 ) 1 )( 1 ( 1 ) (        where Φ(n) is the Euler totient function, which is the number of positive integers less than n and relatively prime to n.
  • 33. 33 Description of the RSA Algorithm If we select e and d such that they satisfy . is equivalent to saying According to the rules of modular arithmetic, this is true only if e (and therefore d) is relatively prime to Φ(n). 1 ) (   n k ed  ) ( mod ) ( mod 1 1 n e d n ed      1 ) ), ( gcd(  e n  n M M ed mod  1 ) (   n k ed 
  • 34. 34 Description of the RSA Algorithm RSA’s ingredient. Public key consist of {e, n} and a private key consist of {d, n} p, q, two prime numbers (private, chosen) n = pq (public, calculated) e, with gcd(Φ(n), e) = 1 1 < e < Φ(n) (public, chosen) (private, calculated) ) ( mod 1 n e d   
  • 35. 35 Description of the RSA Algorithm RSA’s scheme  Suppose user B wishes to send the message M to A.  User A has published its public key, KU={e, n}.  B calculates C = Me (mod n) and transmits C.  Then, user A decrypts by calculating M = Cd (mod n). (use KR={d, n})
  • 36. 36 Description of the RSA Algorithm RSA algorithm (example) : the keys generating  Select two prime number, p = 17 and q = 11.  Calculate n = pq = 17 X 11 = 187.  Calculate Φ(n) = (p – 1)(q – 1) = 16 X 10 = 160.  Select e = 7 (e is relatively prime to Φ(n)).  Determine d, de = 1 mod 160 (Using extended Euclid’s algorithm).  d = 23
  • 37. 37 Description of the RSA Algorithm 11 187 mod 432 , 894 187 mod ) 132 77 88 ( 187 mod 88 132 187 mod ) 77 77 ( 187 mod 536 , 969 , 59 187 mod 88 77 187 mod ) 88 88 ( 187 mod 7744 187 mod 88 88 187 mod 88 187 mod )] 187 mod 88 ( ) 187 mod 88 ( ) 187 mod 88 [( 187 mod 88 7 4 2 1 1 2 4 7                  88 187 mod 243 , 720 , 79 187 mod ) 33 33 55 121 11 ( 187 mod 11 33 187 mod ) 55 55 ( 881 , 358 , 214 187 mod 11 55 187 mod ) 121 121 ( 187 mod 641 , 14 187 mod 11 121 187 mod ) 11 11 ( 187 mod 11 11 187 mod 11 187 mod )] 187 mod 11 ( ) 187 mod 11 ( ) 187 mod 11 ( ) 187 mod 11 ( ) 187 mod 11 [( 187 mod 11 23 8 4 2 1 8 8 4 2 1 23                         Encryption Decryption
  • 38. 38 The Security of RSA Three possible approaches to attacking the RSA.  Brute force  Mathematical attacks  Timing attacks Brute force  trying all possible private keys  Countermeasures: Use a large key space.
  • 39. 39 The Security of RSA Mathematical attacks  Factor n into its two prime factors. This enables calculation of Φ(n) and determination of d.  Determine Φ(n) directly, without first determining p and q. This enable determination of d.  This is equivalent to factoring n.  Determine d directly, without first determining Φ(n).  With presently known algorithms, this appears to be at least as time-consuming as the factoring problem.
  • 40. 40 The Security of RSA  Focused on the task of factoring n into its two prime factors.
  • 41. 41 The Security of RSA To avoid values of n that may be factored more easily, the algorithm’s inventors suggest constraints on p and q.  p and q should differ in length by only a few digits.  Both (p – 1) and (q – 1) should contain a large prime factor.  gcd (p – 1, q – 1) should be small. In addition, it has been demonstrated that if e < n and d < n1/4 , then d can be easily determined.
  • 42. RSA Algorithm  RSA is a block cipher in which the Plaintext and Ciphertext are represented as integers between 0 and n-1 for some n.  Large messages can be broken up into a number of blocks.  Each block would then be represented by an integer. Step-1: Generate Public key and Private key Step-2: Encrypt message using Public key Step-3: Decrypt message using Private key
  • 43. Step-1: Generate Public key and Private key  Select two large prime numbers: p and q  Calculate modulus : n = p * q  Calculate Euler’s totient function : φ(n) = (p-1) * (q-1)  Select e such that e is relatively prime to φ(n) and 1 < e < φ(n)  Determine d such that d * e ≡ 1 (mod φ(n))  Publickey : PU = { e, n }  Privatekey : PR = { d, n } Two numbers are relatively prime if they have no common factors other than 1.
  • 44. Step-1: Generate Public key and Private key  Select two large prime numbers: p = 3 and q = 11  Calculate modulus : n = p * q, n = 33  Calculate Euler’s totient function : φ(n) = (p-1) * (q-1) φ(n) = ( 3 – 1 ) * ( 11 – 1 ) = 20  Select e such that e is relatively prime to φ(n) and 1 < e < φ(n)  We have several choices for e : 7, 11, 13, 17, 19 Let’s take e = 7  Determine d such that d * e ≡ 1 (mod φ(n))  ? * 7 ≡ 1 (mod 20), 3 * 7 ≡ 1 (mod 20)  Public key : PU = { e, n } , PU = { 7, 33 }  Private key : PR = { d, n }, PR = { 3, 33 } • This is equivalent to finding d which satisfies de = 1 + j.φ(n) where j is any integer. • We can rewrite this as d = (1 + j. φ(n)) / e
  • 45. Step-2 : Encrypt Message  Encryption Using Public key: C = Me mod n Ciphertext Input Message Publickey For message M = 14 C = 147 mod 33 C = [(141 mod 33) X (142 mod 33) X (144 mod 33)] mod 33 C = (14 X 31 X 4) mod 33 = 1736 mod 33 C = 20 PU = { e, n } , PU = { 7, 33 }
  • 46. Step-3 : Decrypt Message  Encryption Using Public key: M = Cd mod n Plaintext Message Cipher Message Privatekey For Ciphertext C = 20 M = 203 mod 33 M = [(201 mod 33) X (202 mod 33)] mod 33 M = (20 X 4) mod 33 = 80 mod 33 M = 14 PR = { d, n } , PR = { 3, 33 }
  • 47. Example RSA Algorithm 14 7 mod 33 = 20 Plaintext 14 Plaintext 14 20 3 mod 33 = 14 Ciphertext 20 PU = 7, 33 PR = 3, 33 Encryption Decryption
  • 48. RSA Example  Find n, φ(n), e, d for p=7 and q= 19 then demonstrate encryption and decryption for M = 6 n = p * q = 7 * 19 = 133 φ(n) = ( p – 1 ) * ( q – 1) = 108 Finding e relatively prime to 108 e = 2 => GCD( 2, 108 ) = 2 (no) e = 3 => GCD( 3, 108 ) = 3 (no) e = 5 => GCD( 5, 108 ) = 1 (Yes) • Finding d such that (d * e ) mod φ(n) = 1 • We can rewrite this as d = (1 + j . φ(n)) / e j = 0 => d = 1 / 5 = 0.2  integer ? (no) j = 1 => d = 109 / 5 = 21.8  integer ? (no) j = 2 => d = 217 / 5 = 43.4  integer ? (no) j = 3 => d = 325 / 5 = 65 integer ? (yes) Public key : PU = { e, n } = {5, 133} Private key : PR = { d, n } = {65, 133}
  • 49. RSA Example – cont…  Encryption: C = Me mod n For message M = 6 C = 65 mod 133 C = 7776 mod 33 C = 62 PU = { e, n } , PU = { 5, 133 }  Decryption: M = Cd mod n For C = 62 M = 6265 mod 133 M = 2666 mod 33 M = 6 PR = { d, n } , PU = { 65, 133 }
  • 50. RSA Example  P and Q are two prime numbers. P=7, and Q=17. Take public key E=5. If plain text value is 10, then what will be cipher text value according to RSA algorithm?  n = 119  φ(n) = 96  e = 5  d = 77  PU = { 5, 119 }  PR = {77, 119}  C = 105 mod 119 => C = 40
  • 51. ElGamal Cryptographic System  public-key cryptosystem related to D-H  so uses exponentiation in a finite (Galois)  with security based difficulty of computing discrete logarithms, as in D-H  each user (eg. A) generates their key  chooses a secret key (number): 1 < xA < q-1  compute their public key: yA = a xA mod q
  • 52. ElGamal Message Exchange  Bob encrypt a message to send to A computing  represent message M in range 0 <= M <= q-1 • longer messages must be sent as blocks  chose random integer k with 1 <= k <= q-1  compute one-time key K = yA k mod q  encrypt M as a pair of integers (C1,C2) where • C1 = a k mod q ; C2 = KM mod q  A then recovers message by  recovering key K as K = C1 xA mod q  computing M as M = C2 K-1 mod q  a unique k must be used each time  otherwise result is insecure
  • 53. ElGamal Example  use field GF(19) q=19 and a=10  Alice computes her key:  A chooses xA=5 & computes yA=10 5 mod 19 = 3  Bob send message m=17 as (11,5) by  chosing random k=6  computing K = yA k mod q = 3 6 mod 19 = 7  computing C1 = a k mod q = 10 6 mod 19 = 11; C2 = KM mod q = 7.17 mod 19 = 5  Alice recovers original message by computing:  recover K = C1 xA mod q = 11 5 mod 19 = 7  compute inverse K-1 = 7-1 = 11  recover M = C2 K-1 mod q = 5.11 mod 19 = 17
  • 54. Elliptic Curve Cryptography  majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very large numbers/polynomials  imposes a significant load in storing and processing keys and messages  an alternative is to use elliptic curves  offers same security with smaller bit sizes  newer, but not as well analysed
  • 55. Real Elliptic Curves  an elliptic curve is defined by an equation in two variables x & y, with coefficients  consider a cubic elliptic curve of form  y2 = x3 + ax + b  where x,y,a,b are all real numbers  also define zero point O  consider set of points E(a,b) that satisfy  have addition operation for elliptic curve  geometrically sum of P+Q is reflection of the intersection R
  • 57. Finite Elliptic Curves  Elliptic curve cryptography uses curves whose variables & coefficients are finite  have two families commonly used:  prime curves Ep(a,b) defined over Zp • use integers modulo a prime • best in software  binary curves E2m(a,b) defined over GF(2n ) • use polynomials with binary coefficients • best in hardware
  • 58. Elliptic Curve Cryptography  ECC addition is analog of modulo multiply  ECC repeated addition is analog of modulo exponentiation  need “hard” problem equiv to discrete log  Q=kP, where Q,P belong to a prime curve  is “easy” to compute Q given k,P  but “hard” to find k given Q,P  known as the elliptic curve logarithm problem  Certicom example: E23(9,17)
  • 59. ECC Diffie-Hellman  can do key exchange analogous to D-H  users select a suitable curve Eq(a,b)  select base point G=(x1,y1)  with large order n s.t. nG=O  A & B select private keys nA<n, nB<n  compute public keys: PA=nAG, PB=nBG  compute shared key: K=nAPB, K=nBPA  same since K=nAnBG  attacker would need to find k, hard
  • 60. ECC Encryption/Decryption  several alternatives, will consider simplest  must first encode any message M as a point on the elliptic curve Pm  select suitable curve & point G as in D-H  each user chooses private key nA<n  and computes public key PA=nAG  to encrypt Pm : Cm={kG, Pm+kPb}, k random  decrypt Cm compute: Pm+kPb–nB(kG) = Pm+k(nBG)–nB(kG) = Pm
  • 61. ECC Security  relies on elliptic curve logarithm problem  fastest method is “Pollard rho method”  compared to factoring, can use much smaller key sizes than with RSA etc  for equivalent key lengths computations are roughly equivalent  hence for similar security ECC offers significant computational advantages
  • 62. Comparable Key Sizes for Equivalent Security Symmetric scheme (key size in bits) ECC-based scheme (size of n in bits) RSA/DSA (modulus size in bits) 56 112 512 80 160 1024 112 224 2048 128 256 3072 192 384 7680 256 512 15360
  • 63. 63 Public Key Distribution and Management • Key management and distribution • Symmetric key distribution using symmetric encryption • Symmetric key distribution asymmetric encryption • Distribution of public keys • X.509 certificates • Public key infrastructure (PKI)
  • 64. INS is very Interesting Subject Key Distribution  Key distribution is the function that delivers a key to two parties who wish to exchange secure encrypted data.  Some sort of mechanism or protocol is needed to provide for the secure distribution of keys.  Key distribution often involves the use of master keys, which are infrequently used and are long lasting, and session keys, which are generated and distributed for temporary use between two parties.
  • 65. INS is very Interesting Subject Key Hierarchy  Communication between end systems is encrypted using a temporary key, often referred to as a session key.  Session keys are transmitted in encrypted form, using a master key that is shared by the key distribution center and an end system or user
  • 66. Simple Secret Key Distribution 1. A generates a public/private key pair {PUa, PRa} and transmits a message to B consisting of PUa and an identifier of A, IDA. 2. B generates a secret key, Ks, and transmits it to A, encrypted with A's public key. 3. A computes D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can decrypt the message, only A and B will know the identity of Ks. 4. A discards PUa and PRa and B discards PUa. Initiator A Initiator B (2) E(PUa , Ks) (1) PUa || IDA
  • 67. Secret Key Distribution with Confidentiality & Authentication 1. A uses B's public key to encrypt a message to B containing an identifier of A (IA) and a nonce (N1), which is used to identify this transaction uniquely. 2. B sends a message to A encrypted with PUa and containing A's (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (1), the presence of N1 in message (2) assures A that the correspondent is B. Initiator A Initiator B (1) E(PUb,[N1||IDA]) (2) E(PUa,[N1|| N2]) (3) E(PUb,N2]) (4) E(Pub,E(PRa,Ks))
  • 68. Secret Key Distribution with Confidentiality & Authentication 3. A returns N2, encrypted using B's public key, to assure B that its correspondent is A. 4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption with B's public key ensures that only B can read it; encryption with A's private key ensures that only A could have sent it. 5. B computes D(PUa, D(PRb, M)) to recover the secret key. Initiator A Initiator B (1) E(PUb,[N1||IDA]) (2) E(PUa,[N1|| N2]) (3) E(PUb,N2]) (4) E(Pub,E(PRa,Ks))
  • 69. Symmetric key distribution using symmetric encryption  For two parties A and B, key distribution can be achieved in a number of ways, as follows: 1. A can select a key and physically deliver it to B. 2. A third party can select the key and physically deliver it to A and B. 3. If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key. 4. If A and B each has an encrypted connection to a third party C,
  • 70. Key Distribution Scenario Message flow (figure, with the Key Distribution Center as the third party): (1) A → KDC: IDA || IDB || N1; (2) KDC → A: E(Ka, [Ks || IDA || IDB || N1]) || E(Kb, [Ks || IDA]); (3) A → B: E(Kb, [Ks || IDA]); (4) B → A: E(Ks, N2); (5) A → B: E(Ks, f(N2)).
  • 71. Key Distribution Scenario 1. A requests from the KDC a session key to protect a logical connection to B. The message includes the identities of A and B and a unique nonce N1. 2. The KDC responds with a message encrypted using Ka that includes a one-time session key Ks to be used for the session, the original request message (to enable A to match the response with the appropriate request), and information for B. 3. A stores the session key for use in the upcoming session and forwards to B the information from the KDC for B, namely, E(Kb, [Ks || IDA]). 4. At this point, a session key has been securely delivered to A and B, and they may begin their protected exchange. 5. Using the new session key for encryption, B sends a nonce N2 to A. 6. Also using Ks, A responds with f(N2). These steps assure B that the original message it received (step 3) was not a replay. Note that the actual key distribution involves only steps 1 through 3, but that steps 4 and 5, as well as 3, perform an authentication function.
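The following Python program is an added example, not part of the slides, that runs the KDC scenario above end to end: the request with nonce N1, the KDC reply under the master key Ka carrying the ticket for B under Kb, B's challenge N2 under the session key Ks, and A's answer f(N2). A SHA-256 counter-mode keystream with an HMAC tag stands in for a real symmetric cipher such as AES-GCM, and the master keys, identities and nonces are constructed for the demo. It also shows the check that makes step 2 useful: A refuses a KDC reply whose echoed request does not match the one it sent.

```python
"""Toy run of the KDC key-distribution scenario (steps 1-6 above).

Added example, not part of the slides. The symmetric cipher is a stand-in
(SHA-256 keystream + HMAC); DEMO_KA / DEMO_KB are constructed master keys.
"""
import hashlib
import hmac
import json
import os

TAG_LEN = 32
DEMO_KA = b"\x01" * 32   # constructed master key shared by A and the KDC
DEMO_KB = b"\x02" * 32   # constructed master key shared by B and the KDC


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def kdc_respond(Ka: bytes, Kb: bytes, request: dict) -> bytes:
    """Step 2: E(Ka, [Ks || IDA || IDB || N1 || E(Kb, [Ks || IDA])])."""
    Ks = os.urandom(32)                      # fresh one-time session key
    ticket = encrypt(Kb, json.dumps({"Ks": Ks.hex(), "IDA": request["IDA"]}).encode())
    body = dict(request, Ks=Ks.hex(), ticket=ticket.hex())
    return encrypt(Ka, json.dumps(body).encode())


def a_process_reply(Ka: bytes, reply: bytes, sent_request: dict):
    """A matches the echoed request before trusting Ks; a stale reply is refused."""
    body = json.loads(decrypt(Ka, reply))
    for field in ("IDA", "IDB", "N1"):
        if body[field] != sent_request[field]:
            raise ValueError(f"KDC reply does not match our request ({field})")
    return bytes.fromhex(body["Ks"]), bytes.fromhex(body["ticket"])  # Ks, message (3)


def b_process_ticket(Kb: bytes, ticket: bytes):
    body = json.loads(decrypt(Kb, ticket))
    return bytes.fromhex(body["Ks"]), body["IDA"]


def f(n2: int) -> int:
    """Agreed transformation of B's nonce; incrementing is enough here."""
    return n2 + 1


def run_scenario(Ka: bytes, Kb: bytes) -> dict:
    request = {"IDA": "alice", "IDB": "bob", "N1": os.urandom(8).hex()}  # (1) A -> KDC
    reply = kdc_respond(Ka, Kb, request)                                # (2) KDC -> A
    Ks_a, ticket = a_process_reply(Ka, reply, request)
    Ks_b, peer = b_process_ticket(Kb, ticket)                           # (3) A -> B
    n2 = int.from_bytes(os.urandom(4), "big")
    msg4 = encrypt(Ks_b, str(n2).encode())                              # (4) B -> A: E(Ks, N2)
    answer = f(int(decrypt(Ks_a, msg4).decode()))
    msg5 = encrypt(Ks_a, str(answer).encode())                          # (5) A -> B: E(Ks, f(N2))
    b_accepts = int(decrypt(Ks_b, msg5).decode()) == f(n2)
    return {"same_key": Ks_a == Ks_b, "peer_seen_by_B": peer, "b_accepts": b_accepts}


def stale_reply_rejected(Ka: bytes, Kb: bytes) -> bool:
    """A replayed KDC reply (carrying an old N1) must be refused by A."""
    old = {"IDA": "alice", "IDB": "bob", "N1": "00" * 8}
    replayed = kdc_respond(Ka, Kb, old)
    fresh = dict(old, N1="ff" * 8)
    try:
        a_process_reply(Ka, replayed, fresh)
    except ValueError:
        return True
    return False
```

Run `run_scenario(DEMO_KA, DEMO_KB)`: both sides end with the same Ks, B learns the peer identity only from the ticket the KDC sealed under Kb, and the N2 / f(N2) round trip is what tells B that message (3) was not replayed.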
  • 72. Distribution of Public Keys 1. Public announcement 2. Publicly available directory 3. Public-key authority 4. Public-key certificates
  • 73. 1. Public Announcement  Some user could pretend to be user A and send a public key to another participant or broadcast such a public key.  Until such time as user A discovers the forgery and alerts other participants, the forger is able to read all encrypted messages intended for A and can use the forged keys for authentication.
  • 74. 2. Publicly Available Directory 1. The authority maintains a directory with a {name, public key} entry for each participant. 2. Each participant registers a public key with the directory authority. 3. A participant may replace the existing key with a new one at any time. 4. Participants could also access the directory electronically. For this purpose, secure, authenticated communication from the authority to the participant is mandatory.
  • 75. 3. Public-Key Authority Message flow (figure): (1) A → Authority: Request || T1; (2) Authority → A: E(PRauth, [PUb || Request || T1]); (3) A → B: E(PUb, [IDa || N1]); (4) B → Authority: Request || T2; (5) Authority → B: E(PRauth, [PUa || Request || T2]); (6) B → A: E(PUa, [N1 || N2]); (7) A → B: E(PUb, N2).
  • 76. 3. Public-Key Authority – Cont… 1. A sends a timestamped message to the public-key authority containing a request for the current public key of B. 2. The authority responds with a message that is encrypted using the authority's private key. 3. The message contains PUb, the original request and the original timestamp T1. A stores B's public key and also uses it to encrypt a message to B containing an identifier of A (IDa) and a nonce (N1), which is used to identify this transaction uniquely. 4, 5. B retrieves A's public key from the authority in the same manner as A retrieved B's public key. 6. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (3), the presence of N1 in message (6) assures A that the correspondent is B. 7. A returns N2, which is encrypted using B's public key, to assure B that its correspondent is A.
  • 77. 4. Public-Key Certificates  Any participant can read a certificate to determine the name and public key of the certificate's owner.  Any participant can verify that the certificate originated from the certificate authority and is not counterfeit.  Only the certificate authority can create and update certificates.  Any participant can verify the currency of the certificate.
  • 78. 4. Public-Key Certificates – Cont… Message flow (figure): each participant obtains its certificate from the Certificate Authority, and A and B then exchange them, (1) C_A and (2) C_B, where C_A = E(PRauth, [T1 || IDa || PUa]) and C_B = E(PRauth, [T2 || IDb || PUb]).
  • 79. 4. Public-Key Certificates – Cont…  Each participant applies to the certificate authority, supplying a public key and requesting a certificate.  For participant A, the authority provides a certificate of the form CA = E(PRauth, [T || IDa || PUa]).  A may then pass this certificate on to any other participant, who reads and verifies the certificate as follows: D(PUauth, CA) = D(PUauth, E(PRauth, [T || IDa || PUa])) = (T || IDa || PUa).
  • 80. X.509 Certificates  X.509 defines the format for public-key certificates used in a variety of applications.  X.509 defines a framework for the provision of authentication services by the X.500 directory to its users.  The directory may serve as a repository of public-key certificates.  Each certificate contains the public key of a user and is signed with the private key of a trusted certification authority.
  • 81. X.509 Formats Certificate fields (figure): Version; Certificate serial number; Signature algorithm identifier (algorithm, parameters); Issuer name; Period of validity (not before, not after); Subject name; Subject's public key info (algorithms, parameters, key); Issuer unique identifier; Subject unique identifier; Extensions; Signature (algorithms, parameters, encrypted hash). The figure marks which fields belong to version 1, version 2, version 3 and to all versions.
  • 82. X.509 Format – Cont…  Version: Differentiates among successive versions of the certificate format; the default is version 1.  Serial number: An integer value unique within the issuing CA that is unambiguously associated with this certificate.  Signature algorithm identifier: The algorithm used to sign the certificate together with any associated parameters.  Issuer name: X.500 name of the CA that created and signed this certificate.  Period of validity: Consists of two dates: the first and last on which the certificate is valid.  Subject name: The name of the user to whom this certificate refers.
  • 83. X.509 Format – Cont…  Subject's public-key information: The public key of the subject, plus an identifier of the algorithm for which this key is to be used, together with any associated parameters.  Issuer unique identifier: An optional bit string field used to identify uniquely the issuing CA in the event the X.500 name has been reused for different entities.  Subject unique identifier: An optional bit string field used to identify uniquely the subject in the event the X.500 name has been reused for different entities.  Extensions: A set of one or more extension fields.
  • 84. Public-Key Certificate Use (figure): the unsigned certificate contains the user ID, the user's public key and CA information (here Bob's ID information, Bob's public key and CA information). Signing: generate the hash code H of the unsigned certificate, then encrypt the hash code with the CA's private key to form the signature; the result is the signed certificate. Verification: the recipient hashes the unsigned part, decrypts the signature with the CA's public key to recover the hash code, and verifies the signature by comparing the two hash code values.
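As an added example (not code from the slides), the Python program below implements the flow of slides 79 and 84: hash the unsigned certificate, "encrypt" the hash with the CA's private key to form the signature, and let any recipient recover the hash with the CA's public key and compare. Textbook RSA on freshly generated 512-bit keys is used without any padding scheme, which is adequate for illustration but is not how production signatures (PKCS#1 v1.5 or PSS) are built; the subject and issuer names are constructed, and the canonical JSON encoding of the certificate fields is my own choice, not an X.509 structure.

```python
"""Certificate signing and verification as in slide 84 (hash, sign with the
CA private key, verify with the CA public key).

Added example, not part of the slides. Toy RSA, no padding; names constructed.
"""
import hashlib
import json
import random
from math import gcd


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test; a composite survives one round with probability <= 1/4."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # full size, odd
        if is_probable_prime(cand):
            return cand


def rsa_keypair(bits: int = 512):
    """Returns (public (n, e), private (n, d))."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def unsigned_certificate(subject: str, subject_pub, issuer: str, not_after: str) -> bytes:
    """Canonical encoding: signer and verifier must hash exactly the same bytes."""
    fields = {"subject": subject, "subject_pub": list(subject_pub),
              "issuer": issuer, "not_after": not_after}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def hash_to_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")   # < 2^256 < n


def sign_certificate(unsigned: bytes, ca_private) -> int:
    n, d = ca_private
    return pow(hash_to_int(unsigned), d, n)          # H(cert)^d mod n


def verify_certificate(unsigned: bytes, signature: int, ca_public) -> bool:
    n, e = ca_public
    return pow(signature, e, n) == hash_to_int(unsigned)   # recover hash and compare


def demo() -> dict:
    random.seed(20240101)                   # reproducible keys for the demo run
    ca_pub, ca_priv = rsa_keypair()
    bob_pub, _bob_priv = rsa_keypair()
    other_pub, other_priv = rsa_keypair()   # a second issuer the relying party does not trust
    cert = unsigned_certificate("bob", bob_pub, "Example CA", "2030-01-01")
    sig = sign_certificate(cert, ca_priv)
    # same signature, but the subject key field altered: the hashes no longer match
    altered = unsigned_certificate("bob", other_pub, "Example CA", "2030-01-01")
    return {
        "genuine": verify_certificate(cert, sig, ca_pub),
        "key_altered": verify_certificate(altered, sig, ca_pub),
        "wrong_issuer": verify_certificate(cert, sign_certificate(cert, other_priv), ca_pub),
    }
```

`demo()` returns `genuine` True and the two tampered cases False: any change to a field after signing, or a signature from a key other than the trusted CA's, fails the hash comparison of slide 84.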
  • 85. Public key Infrastructure (PKI)  A public-key infrastructure (PKI) is defined as the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography.  The principal objective for developing a PKI is to enable secure, convenient, and efficient acquisition of public keys.
  • 86. Public key Infrastructure (PKI)
  • 87. Public key Infrastructure (PKI) – Cont…  End entity: A generic term used to denote end users, devices (e.g., servers, routers), or any other entity that can be identified in the subject field of a public-key certificate.  Certification authority (CA): The issuer of certificates and (usually) certificate revocation lists (CRLs).  Registration authority (RA): An optional component that can assume a number of administrative functions from the CA.  CRL issuer: An optional component that a CA can delegate to publish CRLs.  Repository: A generic term used to denote any method for storing certificates and CRLs so that they can be retrieved by end entities.
  • 88. Diffie-Hellman Key Exchange  The purpose of the Diffie-Hellman algorithm is to enable two users to securely exchange a key that can be used for subsequent encryption of messages.  This algorithm depends for its effectiveness on the difficulty of computing discrete logarithms. Primitive root  Let be a prime number.  Then is a primitive root for , if the powers of modulo generate all the integers from 1 to – 1 in some permutation: a mod p, a^2 mod p, …, a^(p−1) mod p.  Example: for p = 7, 3 is a primitive root because the powers of 3 mod 7 generate all the integers from 1 to 6.
  • 89. Discrete Logarithm  For any integer and a primitive root of prime number , we can find a unique exponent such that  The exponent is referred to as the discrete logarithm of for the base , mod . It is expressed as below: b = a^i (mod p), where 0 ≤ i ≤ (p − 1), and i = dlog_{a,p}(b).  User A and User B agree on two large prime numbers q and α. User A and User B can use an insecure channel to agree on them.  User A selects a random integer and calculates
  • 90. Diffie-Hellman Key Exchange – Cont… Global Public Elements prime number < and is primitive root of User A Key Generation Select private Calculate public User B Key Generation Select private Calculate public
  • 91. Diffie-Hellman Key Exchange – Cont… User A Key Generation Select private Calculate public User B Key Generation Select private Calculate public Calculation of Secret Key by User A Calculation of Secret Key by User B
  • 92. Diffie-Hellman Key Exchange – Cont… User A Key Generation Private , Public User B Key Generation Private , Public Secret Key by User A : Secret Key by User B :
  • 94. Diffie-Hellman Key Exchange Example  Alice and Bob agree on a prime number  as primitive root of  Alice selects a private integer  Alice computes =>  Bob selects a private integer  Bob computes =>  Alice sends to Bob and Bob sends to Alice  Alice computes key =>  Bob computes key =>
  • 96. Diffie-Hellman Key Exchange  first public-key type scheme proposed  by Diffie & Hellman in 1976 along with the exposition of public key concepts  note: it is now known that Williamson (UK CESG) secretly proposed the concept in 1970  is a practical method for public exchange of a secret key  used in a number of commercial products
  • 97. Diffie-Hellman Key Exchange  a public-key distribution scheme  cannot be used to exchange an arbitrary message  rather it can establish a common key  known only to the two participants  value of key depends on the participants (and their private and public key information)  based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy  security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard
  • 98. Diffie-Hellman Setup  all users agree on global parameters:  large prime integer or polynomial q  a being a primitive root mod q  each user (eg. A) generates their key  chooses a secret key (number): xA < q  computes their public key: yA = a^xA mod q  each user makes public that key yA
  • 99. Diffie-Hellman Key Exchange  shared session key for users A & B is KAB: KAB = a^(xA·xB) mod q = yA^xB mod q (which B can compute) = yB^xA mod q (which A can compute)  KAB is used as session key in private-key encryption scheme between Alice and Bob  if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys  attacker needs an x, must solve discrete log
  • 100. Diffie-Hellman Example  users Alice & Bob who wish to swap keys:  agree on prime q=353 and a=3  select random secret keys:  A chooses xA=97, B chooses xB=233  compute respective public keys:  yA = 3^97 mod 353 = 40 (Alice)  yB = 3^233 mod 353 = 248 (Bob)  compute shared session key as:  KAB = yB^xA mod 353 = 248^97 mod 353 = 160 (Alice)  KAB = yA^xB mod 353 = 40^233 mod 353 = 160 (Bob)
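The exchange above carried out in Python, as an added example that is not part of the slides: the primitive-root test from slide 88 (p = 7, and the primitive roots of 19 used later in the ElGamal notes), the key generation and shared-key computation of slides 98 and 99, and the brute-force discrete-log search that the notes for slide 100 describe, all with the deck's numbers (q = 353, a = 3, xA = 97, xB = 233). Function names are my own.

```python
"""Diffie-Hellman with the deck's numbers, plus the primitive-root test from
slide 88 and the brute-force discrete log described for slide 100.

Added example, not part of the slides; function names are my own.
"""


def is_primitive_root(a: int, p: int) -> bool:
    """a is a primitive root of prime p if a^1..a^(p-1) mod p are 1..p-1 in some order."""
    return sorted(pow(a, i, p) for i in range(1, p)) == list(range(1, p))


def primitive_roots(p: int) -> list:
    """All primitive roots of p; for p = 7 this is [3, 5]."""
    return [a for a in range(1, p) if is_primitive_root(a, p)]


def dh_public(a: int, q: int, x: int) -> int:
    """y = a^x mod q, the value a party can publish."""
    return pow(a, x, q)


def dh_shared(y_other: int, x_own: int, q: int) -> int:
    """K = y_other^x_own mod q; both sides reach a^(xA*xB) mod q."""
    return pow(y_other, x_own, q)


def brute_force_dlog(a: int, q: int, y: int) -> int:
    """Smallest x with a^x mod q == y, trying exponents in order.
    This is the eavesdropper's problem; it only finishes because q is tiny."""
    value = 1
    for x in range(q - 1):
        if value == y:
            return x
        value = (value * a) % q
    raise ValueError("no discrete log found")


def dh_example() -> dict:
    """Slide 100 values: q = 353, a = 3, xA = 97, xB = 233."""
    q, a = 353, 3
    x_a, x_b = 97, 233
    y_a, y_b = dh_public(a, q, x_a), dh_public(a, q, x_b)        # 40, 248
    k_a, k_b = dh_shared(y_b, x_a, q), dh_shared(y_a, x_b, q)    # 160, 160
    # an observer sees only q, a, y_a, y_b; with q this small it can solve
    # 3^x mod 353 = 40 by enumeration and then derive the same key
    x_a_recovered = brute_force_dlog(a, q, y_a)                  # 97
    return {"y_a": y_a, "y_b": y_b, "k_a": k_a, "k_b": k_b,
            "x_a_recovered": x_a_recovered,
            "k_recovered": dh_shared(y_b, x_a_recovered, q)}
```

`dh_example()` reproduces 40, 248 and 160, and `brute_force_dlog` stops at exponent 97 exactly as the notes say; with a 2048-bit q the same loop is what becomes infeasible, which is the whole security argument of slide 99.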
  • 101. Key Exchange Protocols  users could create random private/public D-H keys each time they communicate  users could create a known private/public D-H key and publish in a directory, then consulted and used to securely communicate with them  both of these are vulnerable to a meet-in-the-Middle Attack  authentication of the keys is needed
  • 102. Dr. G.N. Vivekananda Associate Professor School of Computer Science Engineering & Information Systems Vellore Institute of Technology, Vellore BITE401L Network and Information Security

Editor's Notes

  • #13: provision of data confidentiality
  • #20: boil down to: to come down to (something) in the end. The requirements ultimately boil down to needing a trap-door one-way function.
  • #21: boil down to: to come down to (something) in the end. The requirements ultimately boil down to needing a trap-door one-way function.
  • #31: phi(n) is the number of positive integers that are less than n and relatively prime to n.
  • #32: It has a form similar to the previous slide, where ed is the same as K*phi(n)+1
  • #33: A field has multiplicative inverses. For this to have an inverse in Z_phi_n, e or d must be relatively prime.
  • #51: In 1984, T. Elgamal announced a public-key scheme based on discrete logarithms, closely related to the Diffie-Hellman technique [ELGA84, ELGA85]. The ElGamal cryptosystem is used in some form in a number of standards including the digital signature standard (DSS) and the S/MIME email standard. As with Diffie-Hellman, the global elements of ElGamal are a prime number q and a, which is a primitive root of q. User A generates a private/public key pair as shown. The security of ElGamal is based on the difficulty of computing discrete logarithms, to recover either x given y, or k given K (next slide).
  • #52: Any user B that has access to A's public key can encrypt a message as shown. These steps correspond to Figure 9.1a in that Alice generates a public/private key pair; Bob encrypts using Alice's public key; and Alice decrypts using her private key. See text for details of why these steps result in M being recovered. Note that K functions as a one-time key, used to encrypt and decrypt the message. If a message must be broken up into blocks and sent as a sequence of encrypted blocks, a unique value of k should be used for each block. If k is used for more than one block, knowledge of one block m of the message enables the user to compute other blocks as shown in the text. The basic idea with El Gamal encryption is to choose a random key, protect it, then use it to scramble the message by multiplying the message with it. Two bits of info have to be sent: the first to recover this temporary key, the second the actual scrambled message. See that El Gamal encryption involves 1 modulo exponentiation and a multiplication (vs 1 exponentiation for RSA).
  • #53: Here is an example of ElGamal from the text using the prime field GF(19); that is, q = 19. It has primitive roots {2, 3, 10, 13, 14, 15}, as shown in Table 8.3. We choose a = 10. Alice generates a key pair as shown. Suppose Bob wants to send the message with the value M = 17. Then he computes the ciphertext pair (11, 5) and sends this to Alice. Alice recovers the message by first recovering K, then computing its inverse (using the Extended Euclid's Algorithm – see Ch 4), and finally recovering M.
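The notes for slides 51 to 53 carried out in Python, as an added example that is not code from the slides or the textbook. The parameters q = 19, a = 10 and M = 17 and the ciphertext (11, 5) are the page's; Alice's private exponent x = 5 and Bob's per-message k = 6 are not stated on this page and are taken as assumptions (they are the values that yield that ciphertext). The last function shows the point made for slide 52: if k is reused across blocks, knowing one plaintext block lets anyone recover the others without the private key, which is why a unique k per block is required.

```python
"""ElGamal over GF(19) with the notes' parameters q = 19, a = 10, M = 17.

Added example, not from the slides. x = 5 and k = 6 are assumed values that
reproduce the ciphertext (11, 5) quoted in the notes.
"""


def elgamal_keygen(q: int, a: int, x: int) -> int:
    """Public key Y = a^x mod q for private x, 1 < x < q - 1."""
    return pow(a, x, q)


def elgamal_encrypt(q: int, a: int, y: int, m: int, k: int):
    """Returns (C1, C2) = (a^k mod q, K*M mod q) with one-time key K = Y^k mod q."""
    K = pow(y, k, q)
    return pow(a, k, q), (K * m) % q


def elgamal_decrypt(q: int, x: int, c1: int, c2: int) -> int:
    K = pow(c1, x, q)                  # recover the one-time key from C1
    return (c2 * pow(K, -1, q)) % q    # multiply by K^-1 (extended Euclid, via pow)


def recover_other_block(q: int, c2_known: int, m_known: int, c2_other: int) -> int:
    """k reused for two blocks => same K. From one known block K = C2 * M^-1,
    and then any other block is M' = C2' * K^-1. No private key involved."""
    K = (c2_known * pow(m_known, -1, q)) % q
    return (c2_other * pow(K, -1, q)) % q


def demo() -> dict:
    q, a, x = 19, 10, 5                          # x = 5 is an assumed value
    y = elgamal_keygen(q, a, x)                  # 3
    c1, c2 = elgamal_encrypt(q, a, y, 17, 6)     # (11, 5); k = 6 is assumed
    m = elgamal_decrypt(q, x, c1, c2)            # 17
    _, c2_second = elgamal_encrypt(q, a, y, 9, 6)          # second block, same k
    leaked = recover_other_block(q, c2, 17, c2_second)      # 9, recovered without x
    return {"y": y, "cipher": (c1, c2), "m": m, "leaked": leaked}
```

`demo()` returns Y = 3, the ciphertext (11, 5), the recovered M = 17, and the second block's plaintext 9 obtained only from the two ciphertexts and the first plaintext.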
  • #54: A major issue with the use of Public-Key Cryptography, is the size of numbers used, and hence keys being stored. Recently, an alternate approach has emerged, elliptic curve cryptography (ECC), which performs the computations using elliptic curve arithmetic instead of integer or polynomial arithmetic. Already, ECC is showing up in standardization efforts, including the IEEE P1363 Standard for Public-Key Cryptography. The principal attraction of ECC, compared to RSA, is that it appears to offer equal security for a far smaller key size, thereby reducing processing overhead. Although the theory of ECC has been around for some time, it is only recently that products have begun to appear and that there has been sustained cryptanalytic interest in probing for weaknesses. Accordingly, the confidence level in ECC is not yet as high as that in RSA.
  • #55: An elliptic curve is defined by an equation in two variables, with coefficients. For cryptography, the variables and coefficients are restricted to elements in a finite field, which results in the definition of a finite abelian group (see Ch 4 for details of an abelian group). Before looking at this, we first look at elliptic curves in which the variables and coefficients are real numbers. This case is perhaps easier to visualize. Elliptic curves are not ellipses. They are so named because they are described by cubic equations, similar to those used for calculating the circumference of an ellipse. For our purpose, we can consider cubic equations for elliptic curves of the form shown here. Also included in the definition of an elliptic curve is a single element denoted O and called the point at infinity or the zero point. Now, consider the set of points E(a, b) consisting of all of the points (x, y) that satisfy this equation together with the element O. Using a different value of the pair (a, b) results in a different set E(a, b). See text for detailed rules of addition and relation to zero point O. Can derive an algebraic interpretation of addition, based on computing gradient of tangent and then solving for intersection with curve. There is also an algebraic description of additions over elliptic curves, see text.
  • #56: Stallings Figure 10.4b “Example of Elliptic Curves”, illustrates the geometric interpretation of elliptic curve addition, as follows: If three points on an elliptic curve lie on a straight line, their sum is O. Hence define addition as: O serves as the additive identity. Thus O = –O; for any point P on the elliptic curve, P + O = P. In what follows, we assume P <> O and Q <> O. The negative of a point P is the point with the same x coordinate but the negative of the y coordinate; that is, if P = (x, y), then –P = (x, –y). These two points can be joined by a vertical line, and P + (–P) = P – P = O. To add two points P and Q with different x coordinates, draw a straight line between them and find the third point of intersection R. There is a unique point R that is the point of intersection (unless the line is tangent to the curve at either P or Q, in which case we take R = P or R = Q, respectively). To form a group structure, we need to define addition on these three points as follows: P + Q = –R, i.e. P + Q is the mirror image (with respect to the x axis) of the third point of intersection, as shown on the slide. The geometric interpretation of the preceding item also applies to two points, P and –P, with the same x coordinate. The points are joined by a vertical line, which can be viewed as also intersecting the curve at the infinity point. We therefore have P + (–P) = O, consistent with item (2). To double a point Q, draw the tangent line and find the other point of intersection S. Then Q + Q = 2Q = –S. With the preceding list of rules, it can be shown that the set E(a, b) is an abelian group.
  • #57: Elliptic curve cryptography makes use of elliptic curves in which the variables and coefficients are all restricted to elements of a finite field. Two families of elliptic curves are used in cryptographic applications: prime curves over Z_p (best for software use), and binary curves over GF(2^m) (best for hardware use). There is no obvious geometric interpretation of elliptic curve arithmetic over finite fields. The algebraic interpretation used for elliptic curve arithmetic over does readily carry over. See text for detailed discussion.
  • #58: Elliptic Curve Cryptography uses addition as an analog of modulo multiply, and repeated addition as an analog of modulo exponentiation. The “hard” problem is the elliptic curve logarithm problem. We give an example taken from the Certicom Web site (www.certicom.com). Consider the group E23(9, 17). This is the group defined by the equation y^2 mod 23 = (x^3 + 9x + 17) mod 23. What is the discrete logarithm k of Q = (4, 5) to the base P = (16, 5)? The brute-force method is to compute multiples of P until Q is found. Thus P = (16, 5); 2P = (20, 20); 3P = (14, 14); 4P = (19, 20); 5P = (13, 10); 6P = (7, 3); 7P = (8, 7); 8P = (12, 17); 9P = (4, 5). Because 9P = (4, 5) = Q, the discrete logarithm of Q = (4, 5) to the base P = (16, 5) is k = 9. In a real application, k would be so large as to make the brute-force approach infeasible.
  • #59: Illustrate here the elliptic curve analog of Diffie-Hellman key exchange, which is a close analogy given elliptic curve multiplication equates to modulo exponentiation. Key exchange using elliptic curves can be done in the following manner. First pick a large integer q, which is either a prime number p or an integer of the form 2^m, and elliptic curve parameters a and b for Equation (10.5) or Equation (10.7). This defines the elliptic group of points Eq(a, b). Next, pick a base point G = (x1, y1) in Eq(a, b) whose order is a very large value n. The order n of a point G on an elliptic curve is the smallest positive integer n such that nG = O. So Eq(a, b) and G are parameters of the cryptosystem known to all participants. A key exchange between users A and B can then be accomplished as shown. To break this scheme, an attacker would need to be able to compute k given G and kG, which is assumed hard.
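The arithmetic behind the notes for slides 56 to 59, as an added example (not code from the slides or the textbook): point addition and doubling over Z_p using the slope formulas described for slide 56, the brute-force elliptic curve logarithm from slide 58 on E23(9, 17) with P = (16, 5) and Q = (4, 5), and the EC Diffie-Hellman exchange of slide 59 on the same toy curve. The curve, P, Q and the expected k = 9 come from the page; the base point G = (16, 5) and the private multipliers nA = 3 and nB = 7 used for the exchange are constructed for the demo (a real deployment needs a G of very large order n, as the note says).

```python
"""Elliptic-curve arithmetic over Z_p, the brute-force EC logarithm for
E23(9, 17), and EC Diffie-Hellman on the same curve.

Added example, not part of the slides. G = (16, 5), nA = 3, nB = 7 are
constructed demo values; the curve, P, Q and k = 9 are from the notes.
"""
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None stands for the point at infinity O


class CurveZp:
    """y^2 = x^3 + a*x + b over the prime field Z_p."""

    def __init__(self, p: int, a: int, b: int):
        self.p, self.a, self.b = p, a, b

    def on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P: Point) -> Point:
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P: Point, Q: Point) -> Point:
        p = self.p
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None                                  # P + (-P) = O
        if P == Q:                                       # tangent slope (doubling)
            lam = (3 * x1 * x1 + self.a) * pow((2 * y1) % p, -1, p) % p
        else:                                            # chord slope
            lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p                  # mirror of the third intersection
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """k*P by double-and-add (the EC analogue of modular exponentiation)."""
        result, addend = None, P
        while k > 0:
            if k & 1:
                result = self.add(result, addend)
            addend = self.add(addend, addend)
            k >>= 1
        return result


def brute_force_ec_log(curve: CurveZp, P: Point, Q: Point, limit: int = 10_000) -> int:
    """Smallest k with k*P == Q by repeated addition; feasible only for toy sizes."""
    R = P
    for k in range(1, limit + 1):
        if R == Q:
            return k
        R = curve.add(R, P)
    raise ValueError("not found within limit")


E23 = CurveZp(23, 9, 17)   # the curve from the notes for slide 58


def ecdh_demo(curve: CurveZp = E23, G: Point = (16, 5), n_a: int = 3, n_b: int = 7) -> dict:
    """Each side publishes n*G; the shared point is n_own * (n_other * G)."""
    pub_a, pub_b = curve.mul(n_a, G), curve.mul(n_b, G)
    shared_a = curve.mul(n_a, pub_b)       # nA * (nB * G)
    shared_b = curve.mul(n_b, pub_a)       # nB * (nA * G), the same point
    return {"pub_a": pub_a, "pub_b": pub_b, "shared_a": shared_a, "shared_b": shared_b}
```

`E23.mul(9, (16, 5))` gives (4, 5) and `brute_force_ec_log(E23, (16, 5), (4, 5))` returns 9, matching the note; the intermediate multiples 2P = (20, 20), 3P = (14, 14) and so on come out as listed. In `ecdh_demo` both parties arrive at 21G from the other side's public point alone, and an observer holding only G, 3G and 7G faces the same logarithm problem.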
  • #60: Several approaches to encryption/decryption using elliptic curves have been analyzed in the literature. This one is an analog of the ElGamal public-key encryption algorithm. The sender must first encode any message M as a point on the elliptic curve Pm (there are relatively straightforward techniques for this). Note that the ciphertext is a pair of points on the elliptic curve. The sender masks the message using random k, but also sends along a “clue” allowing the receiver who knows the private key to recover k and hence the message. For an attacker to recover the message, the attacker would have to compute k given G and kG, which is assumed hard.
  • #61: The security of ECC depends on how difficult it is to determine k given kP and P. This is referred to as the elliptic curve logarithm problem. The fastest known technique for taking the elliptic curve logarithm is known as the Pollard rho method. Compared to factoring integers or polynomials, can use much smaller numbers for equivalent levels of security.
  • #62: Stallings Table 10.3, “Comparable Key Sizes in Terms of Computational Effort for Cryptanalysis”, compares various algorithms by showing comparable key sizes in terms of computational effort for cryptanalysis. As can be seen, a considerably smaller key size can be used for ECC compared to RSA. Furthermore, for equal key lengths, the computational effort required for ECC and RSA is comparable. Thus, there is a computational advantage to using ECC with a shorter key length than a comparably secure RSA.
  • #96: This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest PKCS, Diffie-Hellman key exchange. This first published public-key algorithm appeared in the seminal paper by Diffie and Hellman that defined public-key cryptography [DIFF76b] and is generally referred to as Diffie-Hellman key exchange. The concept had been previously described in a classified report in 1970 by Williamson (UK CESG) - and subsequently declassified in 1987, see [ELLI99]. The purpose of the algorithm is to enable two users to securely exchange a key that can then be used for subsequent encryption of messages. The algorithm itself is limited to the exchange of secret values. A number of commercial products employ this key exchange technique.
  • #97: The purpose of the algorithm is to enable two users to securely exchange a key that can then be used for subsequent encryption of messages. The algorithm itself is limited to the exchange of secret values, which depends on the value of the public/private keys of the participants. The Diffie-Hellman algorithm uses exponentiation in a finite (Galois) field (modulo a prime or a polynomial), and depends for its effectiveness on the difficulty of computing discrete logarithms.
  • #98: In the Diffie-Hellman key exchange algorithm, there are two publicly known numbers: a prime number q and an integer a that is a primitive root of q. The prime q and primitive root a can be common to all using some instance of the D-H scheme. Note that the primitive root a is a number whose powers successively generate all the elements mod q. Users Alice and Bob choose random secrets x's, and then "protect" them using exponentiation to create their public y's. For an attacker monitoring the exchange of the y's to recover either of the x's, they'd need to solve the discrete logarithm problem, which is hard.
  • #99: The actual key exchange for either party consists of raising the other's "public key" to the power of their private key. The resulting number (or as much of it as is necessary) is used as the key for a block cipher or other private key scheme. For an attacker to obtain the same value they need at least one of the secret numbers, which means solving a discrete log, which is computationally infeasible given large enough numbers. Note that if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys.
  • #100: Here is an example of Diffie-Hellman from the text using prime q=353, showing how each computes its public key, and then how after they exchange public keys, each can compute the common secret key. In this simple example, it would be possible by brute force to determine the secret key 160. In particular, an attacker E can determine the common key by discovering a solution to the equation 3^a mod 353 = 40 or the equation 3^b mod 353 = 248. The brute-force approach is to calculate powers of 3 modulo 353, stopping when the result equals either 40 or 248. The desired answer is reached with the exponent value of 97, which provides 3^97 mod 353 = 40. With larger numbers, the problem becomes impractical.
  • #101: Now consider a simple protocol that makes use of the Diffie-Hellman calculation. Suppose that user A wishes to set up a connection with user B and use a secret key to encrypt messages on that connection. User A can generate a one-time private key XA, calculate YA, and send that to user B. User B responds by generating a private value XB, calculating YB, and sending YB to user A. Both users can now calculate the key. The necessary public values q and a would need to be known ahead of time. Alternatively, user A could pick values for q and a and include those in the first message.