Cryptography and Network Security Chapter 10 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Cryptography and Network SecurityNetwork Security

Chapter 10Chapter 10

Fifth EditionFifth Edition

by William Stallingsby William Stallings

Lecture slides by Lawrie BrownLecture slides by Lawrie Brown

Chapter 10 – Chapter 10 – Other Public Key Other Public Key CryptosystemsCryptosystems

Amongst the tribes of Central Australia every man, woman, Amongst the tribes of Central Australia every man, woman, and child has a secret or sacred name which is bestowed and child has a secret or sacred name which is bestowed by the older men upon him or her soon after birth, and by the older men upon him or her soon after birth, and which is known to none but the fully initiated members of which is known to none but the fully initiated members of the group. This secret name is never mentioned except the group. This secret name is never mentioned except upon the most solemn occasions; to utter it in the hearing of upon the most solemn occasions; to utter it in the hearing of men of another group would be a most serious breach of men of another group would be a most serious breach of tribal custom. When mentioned at all, the name is spoken tribal custom. When mentioned at all, the name is spoken only in a whisper, and not until the most elaborate only in a whisper, and not until the most elaborate precautions have been taken that it shall be heard by no precautions have been taken that it shall be heard by no one but members of the group. The native thinks that a one but members of the group. The native thinks that a stranger knowing his secret name would have special stranger knowing his secret name would have special power to work him ill by means of magic.power to work him ill by means of magic.

——The Golden Bough, The Golden Bough, Sir James George FrazerSir James George Frazer

Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange

first public-key type scheme proposed first public-key type scheme proposed by Diffie & Hellman in 1976 along with the by Diffie & Hellman in 1976 along with the

exposition of public key conceptsexposition of public key concepts note: now know that note: now know that WilliamsonWilliamson (UK CESG) (UK CESG)

secretly proposed the concept in 1970 secretly proposed the concept in 1970 is a practical method for public exchange is a practical method for public exchange

of a secret keyof a secret key used in a number of commercial productsused in a number of commercial products

Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange

a public-key distribution scheme a public-key distribution scheme cannot be used to exchange an arbitrary message cannot be used to exchange an arbitrary message rather it can establish a common key rather it can establish a common key known only to the two participants known only to the two participants

value of key depends on the participants (and value of key depends on the participants (and their private and public key information) their private and public key information)

based on exponentiation in a finite (Galois) field based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy(modulo a prime or a polynomial) - easy

security relies on the difficulty of computing security relies on the difficulty of computing discrete logarithms (similar to factoring) – harddiscrete logarithms (similar to factoring) – hard

Diffie-Hellman SetupDiffie-Hellman Setup

all users agree on global parameters:all users agree on global parameters: large prime integer or polynomial large prime integer or polynomial qq aa being a primitive root mod being a primitive root mod qq

each user (eg. A) generates their keyeach user (eg. A) generates their key chooses a secret key (number): chooses a secret key (number): xxAA < q < q

compute their compute their public keypublic key: : yyAA = = aaxxAA mod q mod q

each user makes public that key each user makes public that key yyAA

Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange

shared session key for users A & B is Kshared session key for users A & B is KABAB: :

KKABAB = = aaxxA.A.xxBB mod q mod q

= y= yAA

xxBB mod q (which mod q (which BB can compute) can compute)

= y= yBB

xxAA mod q (which mod q (which AA can compute) can compute)

KKABAB is used as session key in private-key is used as session key in private-key encryption scheme between Alice and Bobencryption scheme between Alice and Bob

if Alice and Bob subsequently communicate, if Alice and Bob subsequently communicate, they will have the they will have the samesame key as before, unless key as before, unless they choose new public-keys they choose new public-keys

attacker needs an x, must solve discrete logattacker needs an x, must solve discrete log

Diffie-Hellman Example Diffie-Hellman Example

users Alice & Bob who wish to swap keys:users Alice & Bob who wish to swap keys: agree on prime agree on prime q=353q=353 and and aa=3=3 select random secret keys:select random secret keys:

A chooses A chooses xxAA=97, =97, B chooses B chooses xxBB=233=233 compute respective public keys:compute respective public keys:

yyAA==3397 97 mod 353 = 40 mod 353 = 40 (Alice)(Alice)

yyBB==33233233 mod 353 = 248 mod 353 = 248 (Bob)(Bob)

compute shared session key as:compute shared session key as: KKABAB= y= yBB

xxAA mod 353 = mod 353 = 2482489797 = 160= 160 (Alice)(Alice)

KKABAB= y= yAA

xxBB mod 353 = mod 353 = 4040233233 = 160 = 160 (Bob)(Bob)

Key Exchange ProtocolsKey Exchange Protocols users could create random private/public users could create random private/public

D-H keys each time they communicateD-H keys each time they communicate users could create a known private/public users could create a known private/public

D-H key and publish in a directory, then D-H key and publish in a directory, then consulted and used to securely consulted and used to securely communicate with themcommunicate with them

both of these are vulnerable to a Man-in-both of these are vulnerable to a Man-in-the-Middle Attackthe-Middle Attack

authentication of the keys is neededauthentication of the keys is needed

Man-in-the-Middle AttackMan-in-the-Middle Attack1.1. Darth prepares by creating two private / public keys Darth prepares by creating two private / public keys

2.2. Alice transmits her public key to BobAlice transmits her public key to Bob

3.3. Darth intercepts this and transmits his first public key to Darth intercepts this and transmits his first public key to Bob. Darth also calculates a shared key with AliceBob. Darth also calculates a shared key with Alice

4.4. Bob receives the public key and calculates the shared key Bob receives the public key and calculates the shared key (with Darth instead of Alice) (with Darth instead of Alice)

5.5. Bob transmits his public key to Alice Bob transmits his public key to Alice

6.6. Darth intercepts this and transmits his second public key Darth intercepts this and transmits his second public key to Alice. Darth calculates a shared key with Bobto Alice. Darth calculates a shared key with Bob

7.7. Alice receives the key and calculates the shared key (with Alice receives the key and calculates the shared key (with Darth instead of Bob)Darth instead of Bob)

Darth can then intercept, decrypt, re-encrypt, forward all Darth can then intercept, decrypt, re-encrypt, forward all messages between Alice & Bobmessages between Alice & Bob

ElGamal CryptographyElGamal Cryptography

public-key cryptosystem related to D-Hpublic-key cryptosystem related to D-H uses exponentiation in a finite fielduses exponentiation in a finite field with security based difficulty of computing with security based difficulty of computing

discrete logarithms, as in D-Hdiscrete logarithms, as in D-H each user (eg. A) generates their keyeach user (eg. A) generates their key

chooses a secret key (number): chooses a secret key (number): 1 < 1 < xxAA < q-1 < q-1

compute their compute their public keypublic key: : yyAA = = aaxxAA mod q mod q

ElGamal Message ExchangeElGamal Message Exchange

Bob encrypts a message to send to A computingBob encrypts a message to send to A computing represent message represent message MM in range in range 0 <= M <= q-10 <= M <= q-1

• longer messages must be sent as blockslonger messages must be sent as blocks chose random integer chose random integer k k with with 1 <= k <= q-11 <= k <= q-1 compute one-time key compute one-time key K = yK = yAA

kk mod q mod q

encrypt M as a pair of integers encrypt M as a pair of integers (C(C11,C,C22) ) wherewhere• CC1 1 = = aa

kk mod q ; mod q ; CC22 = KM mod q = KM mod q

A then recovers message byA then recovers message by recovering key K as recovering key K as K = K = CC11

xxAA mod q mod q computing M as computing M as M = CM = C22 K K-1-1 mod q mod q

a unique k must be used each timea unique k must be used each time otherwise result is insecureotherwise result is insecure

ElGamal Example ElGamal Example use field GF(19) use field GF(19) q=19 q=19 and and aa=10=10 Alice computes her key:Alice computes her key:

A chooses A chooses xxAA=5 & =5 & computes computes yyAA==10105 5 mod 19 = 3mod 19 = 3

Bob send message Bob send message m=17m=17 as as (11,5) (11,5) byby chosing random chosing random k=6k=6 computing computing K = yK = yAA

kk mod q = 3 mod q = 3

66 mod 19 = 7 mod 19 = 7

computing computing CC1 1 = = aakk mod q = 10 mod q = 10

66 mod 19 = 11; mod 19 = 11;

CC22 = KM mod q = 7.17 mod 19 = 5 = KM mod q = 7.17 mod 19 = 5

Alice recovers original message by computing:Alice recovers original message by computing: recover recover K = K = CC11

xxAA mod q = mod q = 11115 5 mod 19 = 7mod 19 = 7

compute inverse compute inverse KK-1-1 = 7 = 7-1-1 = 11 = 11 recover recover M = CM = C22 K K-1-1 mod q = 5.11 mod 19 = 17 mod q = 5.11 mod 19 = 17

Elliptic Curve CryptographyElliptic Curve Cryptography

majority of public-key crypto (RSA, D-H) majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic use either integer or polynomial arithmetic with very large numbers/polynomialswith very large numbers/polynomials

imposes a significant load in storing and imposes a significant load in storing and processing keys and messagesprocessing keys and messages

an alternative is to use elliptic curvesan alternative is to use elliptic curves offers same security with smaller bit sizesoffers same security with smaller bit sizes newer, but not as well analysednewer, but not as well analysed

Real Elliptic CurvesReal Elliptic Curves an an elliptic curve is defined by an elliptic curve is defined by an

equation in two variables x & y, with equation in two variables x & y, with coefficientscoefficients

consider a cubic elliptic curve of formconsider a cubic elliptic curve of form yy22 = = xx33 + + ax ax + + bb where x,y,a,b are all real numberswhere x,y,a,b are all real numbers also define zero point Oalso define zero point O

consider set of points E(a,b) that satisfyconsider set of points E(a,b) that satisfy have addition operation for elliptic curvehave addition operation for elliptic curve

geometrically sum of P+Q is reflection of the geometrically sum of P+Q is reflection of the intersection Rintersection R

Real Elliptic Curve ExampleReal Elliptic Curve Example

Finite Elliptic CurvesFinite Elliptic Curves

Elliptic curve cryptography uses curves Elliptic curve cryptography uses curves whose variables & coefficients are finitewhose variables & coefficients are finite

have two families commonly used:have two families commonly used: prime curves prime curves EEpp(a,b)(a,b) defined over Z defined over Zpp

• use integers modulo a primeuse integers modulo a prime• best in softwarebest in software

binary curves binary curves EE22mm(a,b)(a,b) defined over GF(2 defined over GF(2nn))• use polynomials with binary coefficientsuse polynomials with binary coefficients• best in hardwarebest in hardware

Elliptic Curve CryptographyElliptic Curve Cryptography

ECC addition is analog of modulo multiplyECC addition is analog of modulo multiply ECC repeated addition is analog of ECC repeated addition is analog of

modulo exponentiationmodulo exponentiation need “hard” problem equiv to discrete logneed “hard” problem equiv to discrete log

Q=kPQ=kP, where Q,P belong to a prime curve, where Q,P belong to a prime curve is “easy” to compute Q given k,Pis “easy” to compute Q given k,P but “hard” to find k given Q,Pbut “hard” to find k given Q,P known as the elliptic curve logarithm problemknown as the elliptic curve logarithm problem

Certicom example: Certicom example: EE2323(9,17)(9,17)

ECC Diffie-HellmanECC Diffie-Hellman

can do key exchange analogous to D-Hcan do key exchange analogous to D-H users select a suitable curve users select a suitable curve EEqq(a,b)(a,b) select base point select base point G=(xG=(x11,y,y11))

with large order with large order nn s.t. s.t. nG=OnG=O A & B select private keys A & B select private keys nnAA<n, n<n, nBB<n<n compute public keys: compute public keys: PPAA=n=nAAG, G, PPBB=n=nBBGG compute shared key: compute shared key: KK=n=nAAPPBB,, KK=n=nBBPPAA

same since same since KK=n=nAAnnBBGG attacker would need to find attacker would need to find kk, hard, hard

ECC Encryption/DecryptionECC Encryption/Decryption

several alternatives, will consider simplestseveral alternatives, will consider simplest must first encode any message M as a point on must first encode any message M as a point on

the elliptic curve Pthe elliptic curve Pmm

select suitable curve & point G as in D-Hselect suitable curve & point G as in D-H each user chooses private key each user chooses private key nnAA<n<n

and computes public key and computes public key PPAA=n=nAAGG

to encrypt Pto encrypt Pmm : : CCmm={kG, P={kG, Pmm+kP+kPbb}}, , kk random random

decrypt Cdecrypt Cmm compute: compute:

PPmm++kkPPbb––nnBB((kGkG) = ) = PPmm++kk((nnBBGG)–)–nnBB((kGkG) = ) = PPmm

ECC SecurityECC Security

relies on elliptic curve logarithm problemrelies on elliptic curve logarithm problem fastest method is “Pollard rho method”fastest method is “Pollard rho method” compared to factoring, can use much compared to factoring, can use much

smaller key sizes than with RSA etcsmaller key sizes than with RSA etc for equivalent key lengths computations for equivalent key lengths computations

are roughly equivalentare roughly equivalent hence for similar security ECC offers hence for similar security ECC offers

significant computational advantagessignificant computational advantages

Comparable Key Sizes for Comparable Key Sizes for Equivalent SecurityEquivalent Security

Symmetric scheme

(key size in bits)

ECC-based scheme

(size of n in bits)

RSA/DSA(modulus size in

bits)

56 112 512

80 160 1024

112 224 2048

128 256 3072

192 384 7680

256 512 15360

Pseudorandom Number Pseudorandom Number Generation (PRNG) based on Generation (PRNG) based on

Asymmetric CiphersAsymmetric Ciphers asymmetric encryption algorithm produce asymmetric encryption algorithm produce

apparently random output apparently random output hence can be used to build a hence can be used to build a

pseudorandom number generator (PRNG)pseudorandom number generator (PRNG) much slower than symmetric algorithmsmuch slower than symmetric algorithms hence only use to generate a short hence only use to generate a short

pseudorandom bit sequence (eg. key)pseudorandom bit sequence (eg. key)

PRNG based on RSAPRNG based on RSA

have Micali-Schnorr PRNG using RSAhave Micali-Schnorr PRNG using RSA in ANSI X9.82 and ISO 18031in ANSI X9.82 and ISO 18031

SummarySummary

have considered:have considered: Diffie-Hellman key exchangeDiffie-Hellman key exchange ElGamal cryptographyElGamal cryptography Elliptic Curve cryptographyElliptic Curve cryptography Pseudorandom Number Generation (PRNG) Pseudorandom Number Generation (PRNG)

based on Asymmetric Ciphers (RSA & ECC)based on Asymmetric Ciphers (RSA & ECC)