
Cryptography and Network Security Chapter 10


Academic year: 2021


Fifth Edition, by William Stallings

Lecture slides by Lawrie Brown (with edits by RHB)

Chapter 10 – Other Public Key Cryptosystems

Amongst the tribes of Central Australia every man, woman, and child has a secret or sacred name which is bestowed by the older men upon him or her soon after birth, and which is known to none but the fully initiated members of the group. This secret name is never mentioned except upon the most solemn occasions; to utter it in the hearing of men of another group would be a most serious breach of tribal custom. When mentioned at all, the name is spoken only in a whisper, and not until the most elaborate precautions have been taken that it shall be heard by no one but members of the group. The native thinks that a stranger knowing his secret name would have special power to work him ill by means of magic.

—The Golden Bough, Sir James George Frazer

Outline

• will consider:
  – Diffie-Hellman key exchange
  – ElGamal cryptography
  – Elliptic Curve cryptography
  – Pseudorandom Number Generation (PRNG) based on Asymmetric Ciphers (RSA & ECC)

Diffie-Hellman Key Exchange

• first public-key type scheme proposed
• by Diffie & Hellman in 1976 along with the exposition of public key concepts
  – note: now know that Williamson (UK CESG) secretly proposed the concept in 1970
• is a practical method for public exchange (really creation) of a secret key
• used in a number of commercial products

Diffie-Hellman Key Exchange

• a public-key distribution scheme
  – cannot be used to exchange an arbitrary message
  – rather it can establish a common key
  – known only to the two participants
• value of key depends on the participants (and their private and public key information)
• based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) – easy
• security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard

Diffie-Hellman Setup

• all users agree on global parameters:
  – large prime integer or polynomial $q$
  – $a$ being a primitive root mod $q$
• each user (e.g. A) generates their key
  – chooses a secret key (number): $x_A < q$
  – compute their public key: $y_A = a^{x_A} \bmod q$
• each user makes public that key $y_A$

Diffie-Hellman Key Exchange

• shared session key for users A & B is $K_{AB}$:

  $K_{AB} = a^{x_A \cdot x_B} \bmod q$
  $\phantom{K_{AB}} = y_A^{x_B} \bmod q$ (which B can compute)
  $\phantom{K_{AB}} = y_B^{x_A} \bmod q$ (which A can compute)

• $K_{AB}$ is used as session key in private-key encryption scheme between Alice and Bob
• if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys
• attacker needs an $x$, must solve discrete log

Diffie-Hellman Example

• users Alice & Bob who wish to swap keys:
• agree on prime $q = 353$ and $a = 3$
• select random secret keys:
  – A chooses $x_A = 97$, B chooses $x_B = 233$
• compute respective public keys:
  – $y_A = 3^{97} \bmod 353 = 40$ (Alice)
  – $y_B = 3^{233} \bmod 353 = 248$ (Bob)
• compute shared session key as:
  – $K_{AB} = y_B^{x_A} \bmod 353 = 248^{97} = 160$ (Alice)
  – $K_{AB} = y_A^{x_B} \bmod 353 = 40^{233} = 160$ (Bob)

Key Exchange Protocols

• users could create random private/public D-H keys each time they communicate
• users could create a known private/public D-H key and publish in a directory, then consulted and used to securely communicate with them
• both of these are vulnerable to a Man-in-the-Middle Attack
• (so authentication of the keys is needed)

Man-in-the-Middle Attack

1. Darth prepares by creating two private / public keys
2. Alice transmits her public key to Bob
3. Darth intercepts this and transmits his first public key to Bob. Darth also calculates a shared key with Alice
4. Bob receives the public key and calculates the shared key (with Darth instead of Alice)
5. Bob transmits his public key to Alice
6. Darth intercepts this and transmits his second public key to Alice. Darth calculates a shared key with Bob
7. Alice receives the key and calculates the shared key (with Darth instead of Bob)

Darth can then intercept, decrypt, re-encrypt, forward all messages between Alice & Bob
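The exchange and the interception steps above, worked through with the slide's parameters q = 353, a = 3, as an added example that is not part of the original slides. Darth's private keys (5 and 7), the function names and the out-of-band fingerprint check are assumptions made for illustration; the check stands in for the "authentication of the keys" the slides call for.

```python
import hashlib
import hmac

Q, A = 353, 3  # global parameters from the slide example

def public_key(x):
    return pow(A, x, Q)  # y = a^x mod q

def shared_key(their_public, my_private):
    return pow(their_public, my_private, Q)

def honest_exchange(x_a, x_b):
    """Both sides receive the genuine public keys."""
    return shared_key(public_key(x_b), x_a), shared_key(public_key(x_a), x_b)

def intercepted_exchange(x_a, x_b, x_d1, x_d2):
    """Steps 1-7 of the slide: both public keys are replaced in transit."""
    y_a, y_b = public_key(x_a), public_key(x_b)
    y_d1, y_d2 = public_key(x_d1), public_key(x_d2)
    return {
        "bob_received": y_d1, "alice_received": y_d2,
        "bob": shared_key(y_d1, x_b),               # step 4
        "alice": shared_key(y_d2, x_a),             # step 7
        "darth_with_alice": shared_key(y_a, x_d2),  # step 3
        "darth_with_bob": shared_key(y_b, x_d1),    # step 6
    }

def fingerprint(y):
    """Short digest of a public key, assumed to be shared over a trusted channel."""
    return hashlib.sha256(str(y).encode()).hexdigest()[:16]

def key_is_authentic(received_public, trusted_fingerprint):
    """Accept a received public key only if it matches the trusted fingerprint."""
    return hmac.compare_digest(fingerprint(received_public), trusted_fingerprint)
```

With interception, Alice and Bob end up holding different keys, each shared with Darth; comparing the received public key against a trusted fingerprint rejects the substituted value before any session key is derived.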

ElGamal Cryptography

• public-key cryptosystem related to D-H
• uses exponentiation in a finite (Galois) field
• with security based on the difficulty of computing discrete logarithms, as in D-H
• each user (e.g. A) generates their key
  – chooses a secret key (number): $1 < x_A < q-1$
  – compute their public key: $y_A = a^{x_A} \bmod q$

ElGamal Message Exchange

• Bob encrypts a message to send to Alice
  – Bob represents message $M$ in range $0 \le M \le q-1$
    (longer messages must be sent as blocks)
  – Bob chooses random integer $k$ with $1 \le k \le q-1$
  – Bob computes one-time key $K = y_A^{k} \bmod q$
  – Bob encrypts $M$ as a pair of integers $(C_1, C_2)$ where
    $C_1 = a^{k} \bmod q$; $C_2 = KM \bmod q$
• Alice then recovers message by
  – recovering key $K$ as $K = C_1^{x_A} \bmod q$ (cf. D-H)
  – computing $M$ as $M = C_2 K^{-1} \bmod q$
• a unique secret $k$ must be used each time
  – otherwise result is insecure

ElGamal Example

• use field GF(19): $q = 19$ and $a = 10$
• Alice computes her key:
  – chooses $x_A = 5$; computes $y_A = 10^{5} \bmod 19 = 3$
• Bob sends message $m = 17$ as $(11, 5)$ by
  – choosing random $k = 6$
  – computing $K = y_A^{k} \bmod q = 3^{6} \bmod 19 = 7$
  – computing $C_1 = a^{k} \bmod q = 10^{6} \bmod 19 = 11$; $C_2 = KM \bmod q = 7 \cdot 17 \bmod 19 = 5$
• Alice recovers original message by computing:
  – recover $K = C_1^{x_A} \bmod q = 11^{5} \bmod 19 = 7$
  – compute inverse $K^{-1} = 7^{-1} = 11$
  – recover $M = C_2 K^{-1} \bmod q = 5 \cdot 11 \bmod 19 = 17$
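The GF(19) example above in code, together with the reason a unique k is required, as an added example that is not part of the original slides. The function names and the second plaintext (4) are constructed for illustration: when two ciphertexts share the same k they share C1 and K, so C2'/C2 = M'/M and one known plaintext discloses the other.

```python
Q, A = 19, 10  # GF(19) with a = 10, as in the slide example

def keygen(x_a):
    return pow(A, x_a, Q)                   # y_A = a^x_A mod q

def encrypt(m, y_a, k):
    if not 1 <= k <= Q - 1:
        raise ValueError("k must satisfy 1 <= k <= q-1")
    one_time_key = pow(y_a, k, Q)           # K = y_A^k mod q
    return pow(A, k, Q), (one_time_key * m) % Q

def decrypt(c1, c2, x_a):
    one_time_key = pow(c1, x_a, Q)          # K = C1^x_A mod q
    return (c2 * pow(one_time_key, -1, Q)) % Q

def has_reused_k(ciphertexts):
    """Equal C1 values mean the same k (and the same K) was used twice."""
    c1_values = [c1 for c1, _ in ciphertexts]
    return len(c1_values) != len(set(c1_values))

def plaintext_exposed_by_reuse(known_m, known_ct, other_ct):
    """What a repeated k gives away: M' = C2' * C2^-1 * M mod q.

    Returns None when the two ciphertexts do not share C1, or when the
    known pair cannot be inverted (M = 0 gives C2 = 0).
    """
    (c1, c2), (other_c1, other_c2) = known_ct, other_ct
    if c1 != other_c1 or c2 == 0:
        return None
    return (other_c2 * pow(c2, -1, Q) * known_m) % Q
```

`pow(x, -1, q)` computes the modular inverse and needs Python 3.8 or later.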

Elliptic Curve Cryptography

• majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very large numbers/polynomials
• imposes a significant load in storing and processing keys and messages
• an alternative is to use elliptic curves
• offers same security with smaller bit sizes
• newer, not as well analysed (but becoming increasingly accepted)

Real Elliptic Curves

• an elliptic curve is defined by an equation in two variables $x$ and $y$, with real coefficients
• consider a cubic elliptic curve of form

  $y^2 = x^3 + ax + b$

  – where $x, y, a, b$ are all real numbers
  – also define zero point $O$
• consider set of points $E(a,b)$ that satisfy
• have addition operation for elliptic curve
  – geometrically sum of $P+Q$ is reflection of the intersection $R$

Real Elliptic Curve Example

[Figure: real elliptic curve example. Labels: line gives negative of sum; negation; sum]

Finite Elliptic Curves

• Elliptic curve cryptography uses curves whose variables and coefficients are finite
• have two families commonly used:
  – prime curves $E_p(a,b)$ defined over $Z_p$
    • use integers modulo a prime $p$
    • best in software
  – binary curves $E_{2^m}(a,b)$ defined over $GF(2^m)$
    • use polynomials with binary coefficients
    • best in hardware

[Figure: points on $E_{23}(1,1)$]

[Figure: points on $E_{2^4}(g^4,1)$]

Elliptic Curve Cryptography

• ECC addition is analog of modulo multiply
• ECC repeated addition is analog of modulo exponentiation
• need “hard” problem equiv to discrete log
  – $Q = kP$, where $Q, P$ belong to a prime curve
  – is “easy” to compute $Q$ given $k, P$
  – but “hard” to find $k$ given $Q, P$
  – known as the elliptic curve logarithm problem
• Certicom example: $E_{23}(9,17)$

ECC Diffie-Hellman

• can do key exchange analogous to D-H
• users select a suitable curve $E_q(a,b)$
• select base point $G = (x_1, y_1)$
  – with large order $n$ s.t. $nG = O$
• A & B select private keys $n_A < n$, $n_B < n$
• compute public keys: $P_A = n_A G$, $P_B = n_B G$
• compute shared key: $K = n_A P_B$, $K = n_B P_A$
  – same since $K = n_A n_B G$
• attacker would need to find $K$, hard

ECC Encryption/Decryption

• several alternatives, simplest like ElGamal
• must first encode any message $M$ as a point on the elliptic curve $P_m$
• select suitable curve and point $G$ as in D-H
• receiver chooses private key $n_A < n$
• receiver computes public key $P_A = n_A G$
• sender chooses private random key $k$
• sender encrypts $P_m$: $C_m = \{kG,\ P_m + kP_b\}$
• decrypt $C_m$ compute:

  $P_m + kP_b - n_B(kG) = P_m + k(n_B G) - n_B(kG) = P_m$

ECC Security

• relies on elliptic curve logarithm problem
• fastest method is “Pollard rho method”
• compared to factoring, can use much smaller key sizes than with RSA etc
• for equivalent key lengths computations are roughly equivalent
• hence for similar security ECC offers significant computational advantages

Comparable Key Sizes for Equivalent Security

Symmetric scheme      ECC-based scheme       RSA/DSA
(key size in bits)    (size of n in bits)    (modulus size in bits)
56                    112                    512
80                    160                    1024
112                   224                    2048
128                   256                    3072
192                   384                    7680
256                   512                    15360

Pseudorandom Number Generation (PRNG) based on Asymmetric Ciphers

• asymmetric encryption algorithms produce apparently random output
• hence can be used to build a pseudorandom number generator (PRNG)
• much slower than symmetric algorithms
• hence only use to generate a short pseudorandom bit sequence (e.g. key)

PRNG based on RSA

• have Micali-Schnorr PRNG using RSA
  – in ANSI X9.82 and ISO 18031

PRNG based on ECC

• dual elliptic curve PRNG
  – NIST SP 800-9, ANSI X9.82 and ISO 18031
• some controversy on security / inefficiency
• algorithm

    s_0 = random{0 ... #E(GF(p)) - 1}
    for i = 1 to k do
        set s_i = x_coord_of(s_{i-1} P)
        set r_i = lsb_240(x_coord_of(s_i Q))
    end for
    return r_1, ..., r_k

• only use if just have ECC
