CN-4.ppt

(1)

Cryptography and

Network Security

Chapter 10

Fourth Edition Fourth Edition by William Stallings by William Stallings

(2)

Chapter 10 –

Key Management;

Other Public Key Cryptosystems

No Singhalese, whether man or woman, would No Singhalese, whether man or woman, would

venture out of the house without a bunch of keys venture out of the house without a bunch of keys in his hand, for without such a talisman he would in his hand, for without such a talisman he would fear that some devil might take advantage of his fear that some devil might take advantage of his

weak state to slip into his body. weak state to slip into his body.

—

(3)

Key Management

 public-key encryption helps address _{public-key encryption helps address}key _key

distribution problems distribution problems

 have two aspects of this:_{have two aspects of this:}

 distribution of public keysdistribution of public keys

 use of public-key encryption to use of public-key encryption to distribute distribute secret keys

(4)

Distribution of Public Keys

 can be considered as using one of:_{can be considered as using one of:}

 public announcementpublic announcement

 publicly available directorypublicly available directory

 public-key authoritypublic-key authority

(5)

Public Announcement

 users distribute public keys to recipients or _{users distribute public keys to recipients or}

broadcast to community at large broadcast to community at large

 eg. append PGP keys to email messages or eg. append PGP keys to email messages or post to news groups or email list

post to news groups or email list  major weakness is forgery_{major weakness is forgery}

 anyone can create a key claiming to be anyone can create a key claiming to be someone else and broadcast it

someone else and broadcast it

 until forgery is discovered can masquerade as until forgery is discovered can masquerade as claimed user

(6)

Publicly Available Directory

 can obtain greater security by registering _{can obtain greater security by registering}

keys with a public directory keys with a public directory

 directory must be trusted with properties:_{directory must be trusted with properties:}  contains {name,public-key} entriescontains {name,public-key} entries

 participants register securely with directoryparticipants register securely with directory

 participants can replace key at any timeparticipants can replace key at any time

 directory is periodically publisheddirectory is periodically published

 directory can be accessed electronicallydirectory can be accessed electronically

(7)

Public-Key Authority

 improve security by tightening control over _{improve security by tightening control over}

distribution of keys from directory distribution of keys from directory

 has properties of directory_{has properties of directory}

 and requires users to know public key for _{and requires users to know public key for}

the directory the directory

 then users interact with directory to obtain _{then users interact with directory to obtain}

any desired public key securely any desired public key securely

 does require real-time access to directory does require real-time access to directory when keys are needed

(8)

(9)

Public-Key Certificates

 certificates allow key exchange without _{certificates allow key exchange without}

real-time access to

real-time access to public-key authoritypublic-key authority

 a certificate _{a certificate}binds _bindsidentity_identity to _topublic key_{public key}  usually with other info such as period of usually with other info such as period of

validity, rights of use etc validity, rights of use etc

 with all contents _{with all contents}signed_signed by a trusted _{by a trusted}

Public-Key or Certificate Authority (CA) Public-Key or Certificate Authority (CA)

 can be verified by anyone who knows the _{can be verified by anyone who knows the}

(10)

(11)

Public-Key D

istribution of Secret

Keys

 use previous methods to obtain public-key_{use previous methods to obtain public-key}  can use for secrecy or authentication_{can use for secrecy or authentication}

 but public-key algorithms are slow_{but public-key algorithms are slow}  so usually want to use private-key _{so usually want to use private-key}

encryption to protect message contents encryption to protect message contents

 hence need a session key_{hence need a session key}

 have several alternatives for negotiating a _{have several alternatives for negotiating a}

(12)

Simple Secret Key

Distribution

 proposed by Merkle in 1979_{proposed by Merkle in 1979}

 A generates a new temporary public key pairA generates a new temporary public key pair

 A sends B the public key and their identityA sends B the public key and their identity

 B generates a session key K sends it to A B generates a session key K sends it to A encrypted using the supplied public key

encrypted using the supplied public key  A decrypts the session key and both useA decrypts the session key and both use

 problem is that an opponent can intercept _{problem is that an opponent can intercept}

(13)

Public-Key Distribution of Secret

Keys

(14)

Hybrid Key Distribution

 retain use of private-key KDC_{retain use of private-key KDC}

 shares secret master key with each user_{shares secret master key with each user}  _{distributes session key using master key}_{distributes session key using master key}

 public-key used to distribute master keys_{public-key used to distribute master keys}

 especially useful with widely distributed usersespecially useful with widely distributed users

 rationale_rationale

 performanceperformance

(15)

Diffie-Hellman Key Exchange

 first public-key type scheme proposed _{first public-key type scheme proposed}

 by Diffie & Hellman in 1976 along with the _{by Diffie & Hellman in 1976 along with the}

exposition of public key concepts exposition of public key concepts

 note: now know that note: now know that WilliamsonWilliamson (UK CESG) (UK CESG) secretly proposed the concept in 1970

secretly proposed the concept in 1970

 is a practical method for public exchange _{is a practical method for public exchange}

of a secret key of a secret key

(16)

Diffie-Hellman Key Exchange

 a public-key distribution scheme _{a public-key distribution scheme}

 cannot be used to exchange an arbitrary message cannot be used to exchange an arbitrary message  rather it can establish a common key rather it can establish a common key

 known only to the two participants known only to the two participants

 value of key depends on the participants (and _{value of key depends on the participants (and} their private and public key information)

their private and public key information)

 based on exponentiation in a finite (Galois) field _{based on exponentiation in a finite (Galois) field} (modulo a prime or a polynomial) - easy

(modulo a prime or a polynomial) - easy

 security relies on the difficulty of computing _{security relies on the difficulty of computing}

(17)

Diffie-Hellman Setup

 all users agree on global parameters:_{all users agree on global parameters:}

 large prime integer or polynomial large prime integer or polynomial qq  aa being a primitive root mod being a primitive root mod qq

 each user (eg. A) generates their key_{each user (eg. A) generates their key}

 chooses a secret key (number): chooses a secret key (number): xx

A

A < q < q

 compute their compute their public keypublic key: : yy

A

A = = aa

x

x_A_A

mod q

(18)

Diffie-Hellman Key Exchange

 _{shared session key for users A & B is K}_{shared session key for users A & B is K}

AB

AB: : K

K_AB_AB = = aaxxA.A.xxBB_{mod q}_{mod q}

= y

= y_A_AxxBB_{mod q (which}_{mod q (which}_B_B_{can compute)}_{can compute)}

= y

= y_B_BxxAA_{mod q (which}_{mod q (which}_A_A_{can compute)}_{can compute)}

 _K_K

AB

AB is used as session key in private-key is used as session key in private-key

encryption scheme between Alice and Bob

 if Alice and Bob subsequently communicate, they _{if Alice and Bob subsequently communicate, they} will have the

will have the samesame key as before, unless they key as before, unless they choose new public-keys

choose new public-keys

(19)

Diffie-Hellman Example

 users Alice & Bob who wish to swap keys:_{users Alice & Bob who wish to swap keys:}  agree on prime _{agree on prime}_q=353_q=353 and _and_a_a₌₃₌₃

 select random secret keys:_{select random secret keys:}

 A chooses A chooses xx

A

A=97, =97, B chooses B chooses xxBB=233=233

 compute respective public keys:_{compute respective public keys:}

 _y_y

A

A==33

97

mod 353 = 40

mod 353 = 40 (Alice)(Alice) 

y

y_B_B==33233233_{mod 353 = 248}_{mod 353 = 248} (Bob)(Bob)

 compute shared session key as:_{compute shared session key as:}



K

K_AB_AB= y= y_B_BxxAA_{mod 353 =}_{mod 353 =}₂₄₈₂₄₈9797_{= 160}_{= 160} _(Alice)_(Alice)



K

(20)

Key Exchange Protocols

 users could create random private/public _{users could create random private/public}

D-H keys each time they communicate D-H keys each time they communicate

 users could create a known private/public _{users could create a known private/public}

D-H key and publish in a directory, then D-H key and publish in a directory, then

consulted and used to securely consulted and used to securely

communicate with them communicate with them

 both of these are vulnerable to a meet-in-_{both of these are vulnerable to a}

meet-in-the-Middle Attack the-Middle Attack

(21)

Elliptic Curve Cryptography

 majority of public-key crypto (RSA, D-H) _{majority of public-key crypto (RSA, D-H)}

use either integer or polynomial arithmetic use either integer or polynomial arithmetic

with very large numbers/polynomials with very large numbers/polynomials

 imposes a significant load in storing and _{imposes a significant load in storing and}

processing keys and messages processing keys and messages

 an alternative is to use elliptic curves_{an alternative is to use elliptic curves}

(22)

Real Elliptic Curves

 an _anelliptic curve is defined by an _{elliptic curve is defined by an}

equation in two variables x & y, with equation in two variables x & y, with

coefficients coefficients

 consider a cubic elliptic curve of form_{consider a cubic elliptic curve of form}  yy22 = = xx33 + + ax ax + + bb

 where x,y,a,b are all real numberswhere x,y,a,b are all real numbers

 also define zero point Oalso define zero point O

 have addition operation for elliptic curve_{have addition operation for elliptic curve}  geometrically sum of Q+R is reflection of geometrically sum of Q+R is reflection of

(23)

(24)

Finite Elliptic Curves

 Elliptic curve cryptography uses curves _{Elliptic curve cryptography uses curves}

whose variables & coefficients are finite whose variables & coefficients are finite

 have two families commonly used:_{have two families commonly used:}

 prime curves prime curves EE

p

p(a,b)(a,b) defined over Z defined over Zpp

• use integers modulo a prime_{use integers modulo a prime}

• best in software_{best in software}

 binary curves binary curves EE

2

2mm(a,b)(a,b) defined over GF(2 defined over GF(2nn))

• use polynomials with binary coefficients_{use polynomials with binary coefficients}

(25)

Elliptic Curve Cryptography

 ECC addition is analog of modulo multiply_{ECC addition is analog of modulo multiply}  ECC repeated addition is analog of modulo _{ECC repeated addition is analog of modulo}

exponentiation exponentiation

 need “hard” problem equiv to discrete log_{need “hard” problem equiv to discrete log}

 Q=kPQ=kP, where Q,P belong to a prime curve, where Q,P belong to a prime curve

 is “easy” to compute Q given k,Pis “easy” to compute Q given k,P

 but “hard” to find k given Q,Pbut “hard” to find k given Q,P

 known as the elliptic curve logarithm problemknown as the elliptic curve logarithm problem

 _{Certicom example:}_{Certicom example:}_E_E

23

(26)

ECC Diffie-Hellman

 can do key exchange analogous to D-H_{can do key exchange analogous to D-H}  _{users select a suitable curve}_{users select a suitable curve}_E_E

p

p(a,b)(a,b)

 _{select base point}_{select base point}_G=(x_G=(x

1

1,y,y11))

 with large order n s.t. with large order n s.t. nG=OnG=O  _{A & B select private keys}_{A & B select private keys}_n_n

A

A<n, n<n, nBB<n<n

 _{compute public keys:}_{compute public keys:}_P_P

A

A=n=nAAG, G, PPBB=n=nBBGG

 _{compute shared key:}_{compute shared key:}_K_K_=n_=n

A

APPBB,, KK=n=nBBPPAA

 same since same since KK=n=n

A

(27)

ECC Encryption/Decryption

 several alternatives, will consider simplest_{several alternatives, will consider simplest}

 must first encode any message M as a point on _{must first encode any message M as a point on} the elliptic curve P

the elliptic curve P_m_m

 select suitable curve & point G as in D-H_{select suitable curve & point G as in D-H}

 each user chooses private key each user chooses private key n_n_A_A<n_<n  and computes public key and computes public key _P_P

A

A=n=nAAGG

 to encrypt Pto encrypt P_m_m : : C_C_m_m={kG, P_{={kG, P}_m_m+kP_+kP_b_b}_}, k random, k random  decrypt Cdecrypt C_m_m compute: compute:

P

(28)

ECC Security

 relies on elliptic curve logarithm problem_{relies on elliptic curve logarithm problem}

 fastest method is “Pollard rho method”_{fastest method is “Pollard rho method”}  compared to factoring, can use much _{compared to factoring, can use much}

smaller key sizes than with RSA etc smaller key sizes than with RSA etc

 for equivalent key lengths computations _{for equivalent key lengths computations}

are roughly equivalent are roughly equivalent

 hence for similar security ECC offers _{hence for similar security ECC offers}

(29)

Comparable Key Sizes for

Equivalent Security

Symmetric scheme

(key size in bits)

ECC-based scheme

(size of n in bits)

RSA/DSA

RSA/DSA

(modulus size in bits)

56

56 112 512

80 160 1024

112 224 2048

128 256 3072

192 384 7680

(30)

Summary

 have considered:_{have considered:}

 distribution of public keysdistribution of public keys

 public-key distribution of secret keyspublic-key distribution of secret keys

 Diffie-Hellman key exchangeDiffie-Hellman key exchange