CSCI 172/283 Fall 2010 Public Key Cryptography

CSCI 172/283 Fall 2010 Public Key Cryptography. New paradigm introduced by Diffie and Hellman The mailbox analogy: Bob has a locked mailbox Alice can.

Dec 23, 2015

CSCI 172/283 Fall 2010

Public Key Cryptography

Public Key Cryptography

- New paradigm introduced by Diffie and Hellman
- The mailbox analogy:
  - Bob has a locked mailbox
  - Alice can insert a letter into the box, but can't unlock it to take mail out
  - Bob has the key and can take mail out
- Encrypt messages to Bob with Bob's public key
  - Can freely distribute
- Bob decrypts his messages with his private key
  - Only Bob knows this

Requirements

How should a public key scheme work? Three main conditions:

- It must be computationally easy to encrypt or decrypt a message given the appropriate key
- It must be computationally infeasible to derive the private key from the public key
- It must be computationally infeasible to determine the private key from chosen plaintext attack
  - Attacker can pick any message, have it encrypted, and obtain the ciphertext

Exchanging keys

- Alice and Bob want to communicate using a block cipher to encrypt their messages, but don't have a shared key
- How do Alice and Bob get a shared key?

Solution 1

- Alice sends the key along with her encrypted message
- Eve sees encrypted message and key
  - Uses key to decrypt message

FAIL!

Solution 2

- Alice sends the key at some time prior to sending Bob the encrypted message
- Eve has to wait longer
  - If she saw the key transmission, she has the key
  - Uses key to decrypt message

FAIL!

Solution 3 – Use public key crypto

Diffie Hellman Key Exchange

- All users share common modulus, p, and element g
  - g ≠ 0, g ≠ 1, and g ≠ p-1
- Alice chooses her private key, $k_A$
  - Computes $K_A = g^{k_A} \bmod p$ and sends it to Bob in the clear
- Bob chooses his private key, $k_B$
  - Computes $K_B = g^{k_B} \bmod p$ and sends it to Alice in the clear
- When Alice and Bob want to agree on a shared key, they compute a shared secret S
  - $S_{A,B} = K_B^{k_A} \bmod p$
  - $S_{B,A} = K_A^{k_B} \bmod p$

Why does DH work?

- $S_{A,B} = S_{B,A}$
  - $(g^{k_A})^{k_B} \bmod p = (g^{k_B})^{k_A} \bmod p$
- Eve knows
  - g and p
  - $K_A$ and $K_B$
- Why can't Eve compute the secret?
  - $S_{A,B} = K_B^{k_A} \bmod p$
  - $S_{B,A} = K_A^{k_B} \bmod p$
- This was the first public key cryptography scheme

Hard problems

- Public key cryptosystems are based on hard problems
- DH is based on the Discrete Logarithm Problem (DLP)
- Given:
  - Multiplicative group G
  - Element a in G
  - Output b
- Find:
  - Unique solution to $a^x = b$ in G
  - x is $\log_a b$
- No polynomial time algorithm exists to solve this*

*On classical computers

Could it fail?

- Eve could fool Alice and Bob
  - Man in the middle / bucket brigade

[Diagram: Alice, Eve, Bob]

- Alice sends "My key is $K_A$"; Eve passes on "My key is $K'_A$" to Bob
- Bob sends "My key is $K_B$"; Eve passes on "My key is $K'_B$" to Alice

Alice has no guarantee that the person she's establishing a key with is actually Bob
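
The exchange from the Diffie-Hellman slides, Eve's brute-force discrete log, and the man-in-the-middle substitution, as an added Python example that is not part of the original slides. The parameters p = 23, g = 5, the private keys and the function names are constructed for illustration.

```python
# Added example: toy Diffie-Hellman. P, G and all private keys are constructed
# values; a real deployment uses a modulus of thousands of bits.
P, G = 23, 5  # g != 0, g != 1, g != p-1, as the slides require


def public_value(private_key):
    return pow(G, private_key, P)              # K = g^k mod p, sent in the clear


def shared_secret(their_public, my_private):
    return pow(their_public, my_private, P)    # S = K_other^k_mine mod p


def honest_exchange(k_a, k_b):
    """Both sides derive S from the other's public value; the two must match."""
    K_A, K_B = public_value(k_a), public_value(k_b)
    return shared_secret(K_B, k_a), shared_secret(K_A, k_b)


def brute_force_dlog(target):
    """Solve g^x = target mod p by trying every x (the DLP Eve faces).
    Works only because p is tiny; the search space grows with p."""
    value = 1
    for x in range(P - 1):
        if value == target:
            return x
        value = value * G % P
    raise ValueError("target is not a power of g")


def mitm_exchange(k_a, k_b, k_e):
    """Unauthenticated DH: Eve swaps both public values for her own K'."""
    K_A, K_B, K_E = public_value(k_a), public_value(k_b), public_value(k_e)
    alice_secret = shared_secret(K_E, k_a)     # Alice believes K_E is Bob's key
    bob_secret = shared_secret(K_E, k_b)       # Bob believes K_E is Alice's key
    eve_with_alice = shared_secret(K_A, k_e)   # Eve can read Alice's traffic
    eve_with_bob = shared_secret(K_B, k_e)     # and re-encrypt it for Bob
    return alice_secret, bob_secret, eve_with_alice, eve_with_bob


if __name__ == "__main__":
    print("honest secrets:", honest_exchange(6, 15))
    print("Eve recovers k_A from K_A:", brute_force_dlog(public_value(6)))
    print("MITM secrets (Alice, Bob, Eve-Alice, Eve-Bob):", mitm_exchange(6, 15, 13))
```

In the man-in-the-middle run Alice and Bob each hold a key shared with Eve rather than with each other, which is why the public values need to be authenticated.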

RSA

- Rivest-Shamir-Adleman
- Probably the most well-known public key scheme
- First, some background

Euler's Totient

- Totient function φ(n)
  - Number of positive numbers less than n that are relatively prime to n
  - Two numbers are relatively prime when their greatest common divisor is 1
- Example: φ(10) = 4
  - 1, 3, 7, 9
- Example: φ(7) = 6
  - 1, 2, 3, 4, 5, 6
- If n is prime, φ(n) = n-1

RSA keys

- Choose 2 large primes, p and q
- N = pq
- φ(N) = (p-1)(q-1)
- Choose e < N such that gcd(e, φ(N)) = 1
- d such that ed = 1 mod φ(N)
- Public key: {N, e}
- Private key: {d}
  - p and q must also be kept secret

RSA encryption/decryption

- Alice wants to send Bob message m
  - She knows his public key, {N, e}

[Diagram: Alice, Bob]

- Alice computes $c = m^e \bmod N$
- Alice sends $c$ to Bob
- Bob computes $m = c^d \bmod N$

Toy example

- p=7, q=11
  - N=77
  - φ(N) = (6)(10) = 60
- Bob chooses e=17
  - Uses extended Euclidean algorithm to find inverse of e mod 60
  - Finds d=53
- Bob makes {N, e} public

Toy example (continued)

- Alice wants to send Bob "HELLO WORLD"
- Represent each letter as a number 00(A) to 25(Z)
  - 26 is a space
- Calculates:
  - $07^{17} \bmod 77 = 28$, $04^{17} \bmod 77 = 16$, …, $03^{17} \bmod 77 = 75$
- Sends Bob 28 16 44 44 42 38 22 42 19 44 75
- He decrypts each number with his private key and gets "HELLO WORLD"

What could go wrong?

- What was wrong with the toy example?
  - Eve can easily find the encryption of each letter and use that as a key to Alice's message
  - Even without knowing the public key, can use statistics to find likely messages
    - Like cryptogram puzzles

How it should really happen

- p and q should be at least 512 bits each
  - N at least 1024 bits
- The message "HELLO WORLD" would be converted into one very large integer
  - That integer would be raised to the public/private exponent
- For short messages, pad them with a random string

Is this key yours?

- How to bind a key to an identity?

PK Paradigm

- Genkey(some info)
  - Creates $K_{pub}$ and $K_{priv}$
- Encrypt with $K_{pub}$
- Decrypt with $K_{priv}$
- Certificate binds key to individual

IBE

- Identity-Based Encryption
- $K_{pub}$ is well-known
  - Known to be bound to owner
  - Name, email, SSN, etc.
- Owner requests a private key from CA
- No certificates required

Conclusion by xkcd

http://xkcd.com/538/