CSCE 715: Network Systems Security

CSCE 715:Network Systems Security

Chin-Tser [email protected]

University of South Carolina

09/09/2010 2

Insufficiencies with Symmetric Encryption

Symmetric encryption is not enough to address two key issues key distribution – how to have

secure communications in general without having to trust a KDC with your key?

digital signatures – how to verify that a received message really comes from the claimed sender?

09/09/2010 3

Thoughts about KDC

What good would it do after all to develop

impenetrable cryptosystems, if their users were forced to

share their keys with a KDC that could be

compromised by either burglary or subpoena?

- Whitfield Diffie

09/09/2010 4

Advent of Asymmetric Encryption

Probably most significant advance in the 3000 year history of cryptography

Use two keys: a public key and a private key

Asymmetric since parties are not equal

Clever application of number theory concepts instead of merely substitution and permutation

09/09/2010 5

How Asymmetric Encryption Works

Asymmetric encryption uses two keys that are related to each other a public key, which may be known to

anybody, is used to encrypt messages, and verify signatures

a private key, known only to the owner, is used to decrypt messages encrypted by the matching public key, and create signatures

the key used to encrypt messages or verify signatures cannot decrypt messages or create signatures

09/09/2010 6

Asymmetric Encryptionfor Confidentiality

09/09/2010 7

Asymmetric Encryptionfor Authentication

09/09/2010 8

Public-Key Cryptosystems

09/09/2010 9

Public-Key Characteristics Public-Key algorithms rely on two keys

where: it is computationally infeasible to find

decryption key knowing only algorithm & encryption key

it is computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known

either of the two related keys can be used for encryption, with the other used for decryption (for some algorithms)

09/09/2010 10

Applications for Asymmetric Encryption

Three categories Encryption/decryption: sender

encrypts a message with receiver’s public key

Digital signature: sender “signs” a message with its private key

Key exchange: two sides exchange a session key

09/09/2010 11

Security of Asymmetric Encryption

Like symmetric schemes brute-force exhaustive search attack is always theoretically possible, but keys used are too large (>512bits)

Not more secure than symmetric encryption, dependent on size of key

Security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problems

Generally the hard problem is known, just that it is made too hard to do in practice

Require using very large numbers, so is slow compared to symmetric schemes

09/09/2010 12

RSA Invented by Rivest, Shamir & Adleman of MIT in

1977 Best known and widely used public-key scheme Based on exponentiation in a finite (Galois)

field over integers modulo a prime exponentiation takes O((log n)3) operations

(easy) Use large integers (e.g. 1024 bits) Security due to cost of factoring large numbers

factorization takes O(e log n log log n) operations (hard)

09/09/2010 13

RSA Key Setup Each user generates a public/private key pair

by select two large primes at random: p, q compute their system modulus n=p·q

note ø(n)=(p-1)(q-1) select at random the encryption key e

where 1<e<ø(n), gcd(e,ø(n))=1 solve following equation to find decryption key d

e·d=1 mod ø(n) and 0≤d≤n publish their public encryption key: KU= {e,n} keep secret private decryption key: KR= {d,n}

09/09/2010 14

RSA Usage To encrypt a message M:

sender obtains public key of receiver KU={e,n}

computes: C=Me mod n, where 0≤M<n To decrypt the ciphertext C:

receiver uses its private key KR={d,n} computes: M=Cd mod n

Message M must be smaller than the modulus n (cut into blocks if needed)

09/09/2010 15

Why RSA Works Euler's Theorem:aø(n) mod n = 1 where gcd(a,n)=1

In RSA, we have n=p·q ø(n)=(p-1)(q-1) carefully chosen e and d to be inverses mod ø(n) hence e·d=1+k·ø(n) for some k

Hence :Cd = (Me)d = M1+k·ø(n) = M1 = M mod n

09/09/2010 16

RSA Example: Computing Keys

1. Select primes: p=17, q=112. Compute n=pq=17×11=1873. Compute ø(n)=(p–1)(q-1)=16×10=1604. Select e: gcd(e,160)=1 and e<160

choose e=7

5. Determine d: de=1 mod 160 and d<160 d=23 since 23×7=161=1×160+1

6. Publish public key KU={7,187}7. Keep secret private key KR={23,187}

09/09/2010 17

RSA Example: Encryption and Decryption

Given message M = 88 (88<187) Encryption:

C = 887 mod 187 = 11 Decryption:

M = 1123 mod 187 = 88

RSA Example:Processing of Multiple Blocks

09/09/2010 18

09/09/2010 19

Exponentiation Use a property of modular arithmetic[(a mod n)(b mod n)]mod n = (ab)mod n

Use the Square and Multiply Algorithm to multiply the ones that are needed to compute the result

Look at binary representation of exponent Only take O(log2 n) multiples for number n

e.g. 75 = 74·71 = 3·7 = 10 (mod 11) e.g. 3129 = 3128·31 = 5·3 = 4 (mod 11)

09/09/2010 20

RSA Key Generation Users of RSA must:

determine two primes at random - p,q select either e or d and compute the other

Primes p,q must not be easily derived from modulus n=p·q means p,q must be sufficiently large typically guess and use probabilistic test

Exponents e, d are multiplicative inverses, so use Inverse algorithm to compute the other

09/09/2010 21

Security of RSA

Four approaches to attacking RSA brute force key search (infeasible given

size of numbers) mathematical attacks (based on

difficulty of computing ø(n), by factoring modulus n)

timing attacks (on running of decryption) chosen ciphertext attacks (given

properties of RSA)

09/09/2010 22

Factoring Problem Mathematical approach takes 3 forms:

factor n=p·q, hence find ø(n) and then d determine ø(n) directly and find d find d directly

Currently believe all equivalent to factoring have seen slow improvements over the years

as of May-05 best is 200 decimal digits (663 bits) with LS biggest improvement comes from improved algorithm

cf “Quadratic Sieve” to “Generalized Number Field Sieve” to “Lattice Sieve”

1024+ bit RSA is secure barring dramatic breakthrough ensure p, q of similar size and matching other constraints

09/09/2010 23

Timing Attacks Developed in mid-1990’s Exploit timing variations in operations

e.g. multiplying by small vs large number Infer operand size based on time taken RSA exploits time taken in

exponentiation Countermeasures

use constant exponentiation time add random delays blind values used in calculations

09/09/2010 24

Chosen Ciphertext Attacks RSA is vulnerable to a Chosen Ciphertext

Attack (CCA) attackers chooses ciphertexts and gets

decrypted plaintext back choose ciphertext to exploit properties of

RSA to provide info to help cryptanalysis can counter with random pad of plaintext or use Optimal Asymmetric Encryption

Padding (OAEP)

09/09/2010 25

Next Class

Key management Key exchange Diffie-Hellman key exchange

protocol Elliptic curve cryptography Read Chapters 11 and 12