Your SlideShare is downloading. ×
Public-Key Protocols
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Public-Key Protocols

363

Published on

Session 3 of 3-day course in Engineering Cryptographic Applications held at ACM Theater Tyson's Corner for Microstrategy, Inc. …

Session 3 of 3-day course in Engineering Cryptographic Applications held at ACM Theater Tyson's Corner for Microstrategy, Inc.

Key Agreement
Asymmetric Cryptography
RSA
Public Key Protocols
TLS

Published in: Technology, Education
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
363
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
14
Comments
0
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Engineering Cryptographic Applications Day 3: Public Key Protocols David Evans University of Virginia www.cs.virginia.edu/evans Microstrategy Course 18 October 2013
  • 2. Recap: Symmetric Encryption Alice Bob Ciphertext Plaintext AES AES Plaintext Insecure Channel Key Key Assuming we generate strong keys, use an appropriate cipher mode, and correctly implement a secure symmetric encryption primitive, we can securely encrypt long messages so even an adversary with $Quadrillions cannot learn anything interesting. Assumes a secret already shared between Alice and Bob. Amplifies that secret to send more data later. evans@virginia.edu Engineering Crypto Applications 1
  • 3. Plan for Today Insecure Channel Secure Channel petitions.gov 1. Key Agreement Protocols 2. Solving the remote authentication problem Asymmetric Encryption, Public-Key Protocols evans@virginia.edu Engineering Crypto Applications 2
  • 4. Key Agreement evans@virginia.edu Engineering Crypto Applications 3
  • 5. Merkle’s Puzzles (1974) Asymmetric Key Agreement Ralph Merkle (born 1952) evans@virginia.edu Engineering Crypto Applications 4
  • 6. Merkle’s Puzzles: Key Agreement Alice 1. Generate N random keys: k0, …, kn-1 2. For each, send Eki(“key #” + i) EE37(“key #” ++37) in random order k (“key #” 82) k E82 (“key #” + 22) k22 … evans@virginia.edu Engineering Crypto Applications 5
  • 7. Merkle’s Puzzles: Key Agreement Alice 1. Generate N random keys: k0, …, kn-1 2. For each, send Eki(“key #” + i) EE37(“key #” ++37) in random order k (“key #” 82) k E82 (“key #” + 22) k22 … evans@virginia.edu Engineering Crypto Applications 6
  • 8. Alice 1. Generate N random keys: k0, …, kn-1 2. For each, send Eki(“key #” + i) EE37(“key #” ++37) in random order k (“key #” 82) Bob k E82 (“key #” + 22) k22 … x 3. Randomly select one of the received messages. 4. Try all possible keys until finding kx that decrypts the message to “key #x” 5. Send x (in clear) to Alice Shared secret kx evans@virginia.edu Engineering Crypto Applications 7
  • 9. Bob Alice Security Generate N random keys: k0, …, kn-1 2. For each, send Eki(“key #” + i) in random order 1. 3. 4. x 5. Randomly select one of the received messages. Try all possible keys until finding kx that decrypts the message to “key #x” Send x (in clear) to Alice Shared secret kx evans@virginia.edu Engineering Crypto Applications 8
  • 10. Bob Alice Security Generate N random keys: k0, …, kn-1 2. For each, send Eki(“key #” + i) in random order 1. 3. 4. x 5. Randomly select one of the received messages. Try all possible keys until finding kx that decrypts the message to “key #x” Send x (in clear) to Alice Shared secret kx Suppose each key is 56 bits: Alice has to generate N keys and do N encryptions Bob has to do 256 max work to brute force Eve has to do ½N × 255 expected work So, if 296 is infeasible, N = 242 could work evans@virginia.edu Engineering Crypto Applications 9
  • 11. Can we do better? CRYPTO 2009: Actually is impossible to do better! Any scheme like this, even with perfect primitives, can be broken by an adversary who can do N 2 encryptions (where Alice and Bob do N encryptions). To do better, we need some magic math! evans@virginia.edu Engineering Crypto Applications 10
  • 12. Time for a Revolution! “We stand today on the brink of a revolution in cryptography. The development of cheap digital hardware has freed it from the design limitations of mechanical computing and brought the cost of high grade cryptographic devices down to where they can be used in such commercial applications as remote cash dispensers and computer terminals. In turn, such applications create a need for new types of cryptographic systems which minimize the necessity of secure key distribution channels and supply the equivalent of a written signature. At the same time, theoretical developments in information theory and computer science show promise of providing provably secure cryptosystems, changing this ancient art into a science.” Whit Diffie and Martin Hellman, November 1976. evans@virginia.edu Engineering Crypto Applications 11
  • 13. Padlocked Boxes MSTR Alice evans@virginia.edu Engineering Crypto Applications 12
  • 14. Padlocked Boxes EA(M) Alice’s Padlock Alice Alice’s Padlock Key evans@virginia.edu Engineering Crypto Applications 13
  • 15. Padlocked Boxes Shady Sammy’s Slimy Shipping Service Alice Alice’s Padlock Key evans@virginia.edu Engineering Crypto Applications 14
  • 16. Padlocked Boxes EB( EA(M)) Bob’s Padlock Alice Bob Alice’s Padlock Key Bob’s Padlock Key evans@virginia.edu Engineering Crypto Applications 15
  • 17. Padlocked Boxes EB(EA(M)) Alice Bob Alice’s Padlock Key Bob’s Padlock Key evans@virginia.edu Engineering Crypto Applications 16
  • 18. Padlocked Boxes DA(EB(EA(M))) = EB(M) Alice Bob Alice’s Padlock Key Bob’s Padlock Key evans@virginia.edu Engineering Crypto Applications 17
  • 19. Padlocked Boxes EB(M) Alice Bob Bob’s Padlock Key evans@virginia.edu Engineering Crypto Applications 18
  • 20. Padlocked Boxes MSTR Alice Bob Bob’s Padlock Key evans@virginia.edu Engineering Crypto Applications 19
  • 21. “Padlocks” Key Agreement • We relied on: DA(EB(EA(M))) = EB(M) • Is this true for AES? No way! AES (and any strong symmetric primitive) must involve non-linear transformations that are not commutative. • What operations is it true for? Multiplication evans@virginia.edu Engineering Crypto Applications 20
  • 22. Diffie-Hellman(-Merkle) Key Agreement Whit Diffie evans@virginia.edu Martin Hellman Engineering Crypto Applications 21
  • 23. Diffie-Hellman Key Agreement Alice Bob 1. Choose and publish: q (large prime number) (primitive root of q) 2. Generate random XA 4. Generate random XB. XA mod q. 3. Send YA= 5. Send YB= XB mod q. K = (YB) XA mod q evans@virginia.edu K = (YA)XB mod q Engineering Crypto Applications 22
  • 24. Key Agreement Requirements Correctness: Both participants get the same key Security: An eavesdropper cannot find K from all intercepted values evans@virginia.edu Engineering Crypto Applications 23
  • 25. Key Agreement Correctness Correctness: Both participants get the same key YA= XA mod q K = (YB) XA mod q evans@virginia.edu YB= XB mod q K = (YA)XB mod q Engineering Crypto Applications 24
  • 26. Key Agreement Correctness Correctness: Both participants get the same key YA = XA mod q K = (YB) XA mod q YB= XB mod q K = (YA)XB mod q = ( XB mod q)XA mod q = ( XA mod q)XB mod q = ( XBXA mod q) mod q = ( XAXB mod q) mod q = XBXA mod q = XAXB mod q Multiplication commutes (just like the padlocks)! evans@virginia.edu Engineering Crypto Applications 25
  • 27. Security Alice Bob 1. Choose and publish: q (large prime number) (primitive root of q) 2. Generate random XA 4. Generate random XB. XA mod q. 3. Send YA= 5. Send YB= XB mod q. K = (YB) XA mod q K = (YA)XB mod q An eavesdropper cannot find K from all intercepted values: q, , YA, YB evans@virginia.edu Engineering Crypto Applications 26
  • 28. Primitive Roots is a primitive root of Bob for all q if 1 n < q, there is some m, 1. Choose and publish: 1 m < q such that q (large prime number) m = n mod q (primitive root of q) prime numbers have primitive All 2. Generate random XA roots. Alice 3. Send YA= XA mod q. 4. Generate random XB. 5. Send YB= XB mod q. Discrete logarithm problem: given , n, and q find the one 0 XA m < q such that K = mYB) mod q ( K = (YA)XB mod q = n mod q For good choices of q, this is believed to be hard. evans@virginia.edu Engineering Crypto Applications 27
  • 29. Security of Diffie-Hellman DiscreteAlice logarithm problem: given , n, andBobfind q the one 0 m < q such 1. Choose and publish: that m = n mod q q (large prime number) For good choices of q, this is believed to be hard. (primitive root of q) 2. Generate random XA 4. Generate random XB. XA mod q. 3. Send YA= 5. Send Y = XB mod q. K = (YB) XA mod q B Eavesdropper cannot find K from intercepted values: q, , YA, YB If they could, could solve discrete log problem which is hard: given YA= XA mod q find XA evans@virginia.edu Engineering Crypto Applications 28
  • 30. What about Mallory? Insecure Channel (e.g., the Internet) Ciphertext Plaintext Encrypt Decrypt Alice Plaintext Bob Mallory (active attacker) evans@virginia.edu Engineering Crypto Applications 29
  • 31. Secure from Active Eavesdropper? Bob Alice Public: q, XB XA K = (YB) evans@virginia.edu XA mod K = (YA)XB mod q q Engineering Crypto Applications 30
  • 32. Alice Bob Public: q, XB XA Mallory (active attacker) KAM = (YM) XA mod q evans@virginia.edu XM Engineering Crypto Applications KBM = (YM)XB mod q 31
  • 33. Bob Alice Public: q, XB XA Mallory (active attacker) KAM = (YM) XA mod q XM KBM = (YM)XB mod q KAM = (YA) XM mod q KBM = (YB) XM mod q evans@virginia.edu Engineering Crypto Applications 32
  • 34. Bob Alice Public: q, XB XA Mallory (active attacker) KAM = (YM) XA mod q XM KBM = (YM)XB mod q KAM = (YA) XM mod q KBM = (YB) XM mod q evans@virginia.edu Engineering Crypto Applications 33
  • 35. Does D-H Solve This? Insecure Channel petitions.gov How does TJ know he’s really talking to petitions.gov? How can he establish a secure channel to transmit password? evans@virginia.edu Engineering Crypto Applications 34
  • 36. evans@virginia.edu Engineering Crypto Applications 35
  • 37. Asymmetry Required Messages: everyone should be able to send Alice a message that only Alice can read Signatures: Bob should be able to verify Alice signed a message, but not impersonate Alice evans@virginia.edu Engineering Crypto Applications 36
  • 38. Asymmetric Cryptosystem Alice Plaintext E Bob Ciphertext D Plaintext Insecure Channel Correctness: D(E(m)) = m Security: given E(m) and E , cannot learn anything interesting about m or D evans@virginia.edu Engineering Crypto Applications 37
  • 39. Asymmetric Cryptosystem (with Kerckhoffs’ Principle) Alice Plaintext Bob Ciphertext E D Plaintext Insecure Channel KUA KRA Correctness: DKU (EKR (m)) = m A A Security: given EKR (m), E, KUA, and D, cannot A learn anything interesting about m or KRA. evans@virginia.edu Engineering Crypto Applications 38
  • 40. Providing Asymmetry Need a function f that is: Easy to compute: given x, easy to compute f (x) Hard to invert: given f (x), hard to compute x Has a trap-door: given f (x) and t, easy to compute x No function (publicly) known with these properties until 1977… evans@virginia.edu Engineering Crypto Applications 39
  • 41. Len Adleman evans@virginia.edu Adi Shamir Engineering Crypto Applications Ron Rivest 40
  • 42. evans@virginia.edu Engineering Crypto Applications 41
  • 43. RSA Cryptosystem Ee(M ) = Me mod n Dd(C ) = Cd mod n n = pq p, q are prime d is relatively prime to (p – 1)(q – 1) ed 1 mod (p – 1)(q – 1) evans@virginia.edu Engineering Crypto Applications 42
  • 44. Correctness of RSA Ee(M ) = Me mod n Dd(C ) = Cd mod n evans@virginia.edu Engineering Crypto Applications 43
  • 45. Correctness of RSA Ee(M ) = Me mod n Dd(C ) = Cd mod n Dd(Ee(M )) = (Me mod n)d mod n = Med mod n = M This step depends on choosing e and d to have this property: uses Fermat’s little theorem and Euler’s Totient theorem evans@virginia.edu Engineering Crypto Applications 44
  • 46. Bonus: Works in Both Orders Ee(M ) = Me mod n Dd(C ) = Cd mod n Ee (Dd(M )) = (Md mod n)e mod n = Mde mod n =M evans@virginia.edu Engineering Crypto Applications 45
  • 47. Providing Asymmetry Need a function f that is: Easy to compute: given x, easy to compute f (x) Hard to invert: given f (x), hard to compute x Has a trap-door: given f (x) and t, easy to compute x evans@virginia.edu Does RSA satisfy these? Engineering Crypto Applications 46
  • 48. Easy (Enough) to Compute Easy to compute: given x, easy to compute f (x) Ee(M ) = evans@virginia.edu e mod M Engineering Crypto Applications n 47
  • 49. Easy (Enough) to Compute Ee(M ) = Me mod n a m +n = a m × a n a2b = ab × ab Compute Me in about log2e multiplications Be careful not to have a timing side channel though! evans@virginia.edu Engineering Crypto Applications 48
  • 50. Hard to Invert Given Ee(M ) and e and n, hard to compute M. If attacker can factor n = pq, easy to find d: d = e-1 mod (p – 1)(q – 1) All other attacks are equivalent to factoring n. No one seems to know a fast way to factor, except with a quantum computer (and no one seems to yet know how to build a large one). For reasonable security, n should be 2048 bits (comparable to 112-bit symmetric key) – believed sufficient until 2030. evans@virginia.edu Engineering Crypto Applications 49
  • 51. Easy to Invert with Trapdoor e mod M Ee(M ) = n Dd(C ) = Cd mod n evans@virginia.edu Engineering Crypto Applications 50
  • 52. Using RSA: Confidentiality Alice Sends confidential messages to Bob using his public key Plaintext E Bob Selects two large primes p, q Computes ed 1 mod (p – 1)(q – 1) Publishes n = pq and e, keeps d secret Ciphertext D Plaintext Insecure Channel KRB KUB Private Key: KRB = d Bob’s Public Key: KUB = (n, e) (private exponent) (modulus, public exponent) Over 1000x slower than AES! Only use when asymmetry is needed. evans@virginia.edu Engineering Crypto Applications 51
  • 53. Using RSA: Signatures Alice Sends confidential messages to Bob using his public key Plaintext E Bob Selects two large primes p, q Computes ed 1 mod (p – 1)(q – 1) Publishes n = pq and e, keeps d secret Ciphertext D Plaintext Insecure Channel KRB KUB Private Key: KRB = d Bob’s Public Key: KUB = (n, e) (private exponent) (modulus, public exponent) Over 1000x slower than AES! Only use when asymmetry is needed. evans@virginia.edu Engineering Crypto Applications 52
  • 54. Using RSA: Signatures Alice Verifies message is from Bob using his public key Verified Message E Bob Selects two large primes p, q Computes ed 1 mod (p – 1)(q – 1) Publishes n = pq and e, keeps d secret Signed Message D Message Insecure Channel KRB KUB Private Key: KRB = d Bob’s Public Key: KUB = (n, e) (private exponent) (modulus, public exponent) Over 1000x slower than AES! Only use when asymmetry is needed. evans@virginia.edu Engineering Crypto Applications 53
  • 55. Elliptic Curve Asymmetric Cryptosystems Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP (unless you know trapdoor). evans@virginia.edu y2 = x3 – 7 (mod p) Engineering Crypto Applications 54
  • 56. RSA 1977 ECC 1985 Discovery (previously discovered in 1969 by GHCQ and perhaps earlier by NSA) (adoption limited until ~2005) “Hard” Problem Factoring Discrete Log on Elliptic Curve Key Size (~112-bit) 2048 bits (768 bits broken) 224 bits (112 bits broken) Backdoor Risk None Curves selected by NSA Quantum Computing Risk Known fast factoring algorithms (Shor’s) Similar (variation of Shor’s algorithm solves Discrete Log) Implementation Challenges Avoiding weak keys, timing side channels Fast operations on elliptic curves, leaks on invalid inputs evans@virginia.edu Engineering Crypto Applications 55
  • 57. RSA ECC 1985 Lattice Ciphers (adoption limited until ~2005) 1996 Factoring Discrete Log on Elliptic Curve Lattice Problems (e.g., closest vector) Key Size (~112-bit) 2048 bits (768 bits broken) 224 bits (112 bits broken) 1,000,000 bits Backdoor Risk None Curves selected by NSA Little Quantum Computing Risk Known fast factoring algorithms (Shor’s) Similar (variation of Shor’s algorithm solves Discrete Log) Only if P = NP Discovery 1977 “Hard” Problem Implementation Challenges evans@virginia.edu Avoiding weak Fast operations on keys, timing side elliptic curves, leaks channels Engineering Crypto Applications on invalid inputs Only simple arithmetic (but 10Ks of them) 56
  • 58. Applications of Asymmetric Cryptosystems evans@virginia.edu Engineering Crypto Applications 57
  • 59. Using Asymmetry: Signatures Alice Bob Verifies message is from Bob using his public key Verified Message E Generates KUB and KRB Publishes KUB Signed Message D Message Insecure Channel KRB KUB Over 1000x slower than AES! (with both RSA and ECC) What if we need to sign long (bigger than n ~ 2048 bits) messages? evans@virginia.edu Engineering Crypto Applications 58
  • 60. Message Digests Alice Verified Verified Message Message Digest E Message D KRB KUB Message Digest H Signed Message = Bob Message H H is a cryptographic hash function: one-way: given H(x) cannot find preimage x strong collision-resistant: hard to find pair x and y where H(x) = H(y) evans@virginia.edu Engineering Crypto Applications 59
  • 61. Authentication Insecure Channel petitions.gov How does TJ know he’s really talking to petitions.gov? How can he establish a secure channel to transmit password? evans@virginia.edu Engineering Crypto Applications 60
  • 62. Simple Login Protocol Eve can’t decrypt without KRpetitions. petitions.gov EKUpetitions(“tj” + password) evans@virginia.edu Engineering Crypto Applications DKRpetitions(c) 61
  • 63. Getting Public Keys • Public keys only useful if you know you have the right one! • Secure on-line directory? What is petitions.gov public key? keys.gov KUpetitions evans@virginia.edu Engineering Crypto Applications 62
  • 64. Moving Directory Off-Line TrustMe.com petitions.gov, KUPetitions CP = KRTrustMe*“petitions.gov”, KUPetitions] TJ CP Verifies using KUTrustMe evans@virginia.edu Petitions Engineering Crypto Applications 63
  • 65. Anyone use this? evans@virginia.edu Engineering Crypto Applications 64
  • 66. evans@virginia.edu Engineering Crypto Applications 65
  • 67. evans@virginia.edu Engineering Crypto Applications 66
  • 68. SSL (Secure Sockets Layer) Simplified TLS Handshake Protocol Client Verify Certificate using KUCA Server Hello KRCA[Server Identity, KUS] Check identity matches URL Generate random K EKUS (K) Decrypt using KRS Secure channel using K evans@virginia.edu Engineering Crypto Applications 67
  • 69. evans@virginia.edu Engineering Crypto Applications 68
  • 70. evans@virginia.edu Engineering Crypto Applications 69
  • 71. SSL (Secure Sockets Layer) Simplified TLS Handshake Protocol Client Verify Certificate using KUCA Check identity matches URL Generate random K Server Hello KRCA[Server Identity, KUS] How did client get KUCA? EKUS (K) Decrypt using KRS Secure channel using K evans@virginia.edu Engineering Crypto Applications 70
  • 72. evans@virginia.edu Engineering Crypto Applications 71
  • 73. How does VarySign decide if it should give certificate to requester? Certificates VarySign.com petitions.gov, KUPetitions CP = KRVarySign*“petitions.gov”, KUPetitions] TJ CP Verifies using KUVarySign evans@virginia.edu Petitions Engineering Crypto Applications 72
  • 74. $1500 for 1 year evans@virginia.edu Engineering Crypto Applications $399 73
  • 75. evans@virginia.edu Engineering Crypto Applications 74
  • 76. Limiting Damage VarySign.com petitions.gov, KUPetitions CP = KRVarySign *“petitions.gov”, cert ID, Expiration, KUPetitions] TJ CP Verifies using KUVarySign evans@virginia.edu Petitions Engineering Crypto Applications 75
  • 77. Certificate Revocation Certificate Revocation List (CRL) <cert ID, date> … VarySign.com petitions.gov, KUPetitions CP = KRVarySign*“petitions.gov”, cert ID, Expiration, KUPetitions] Client CP Petitions Verifies using KUVarySign evans@virginia.edu Engineering Crypto Applications 76
  • 78. CRL Checking Mozilla Firefox Google Chrome On-line checking is expensive and may fail Attacker-in-the-middle can make it fail evans@virginia.edu Engineering Crypto Applications 77
  • 79. SSL (Secure Sockets Layer) Simplified TLS Handshake Protocol Client Server Hello some extra steps: Verify Actual TLS hasKRCA[Server Identity, KUS] Certificate using KUCA - Negotiate versions CheckAgree - identity matches URL on which ciphers to use (many options, but beware!) Generate Decrypt -randomauthenticate client also Can K KU (K) E [K] KUS S using KRS Secure channel using K evans@virginia.edu Engineering Crypto Applications 78
  • 80. Summary • Many useful applications require asymmetry – Confidentiality without shared key, signatures – Others we will cover next week • Asymmetric cryptosystems can be built using hard problems in number theory with trapdoors: RSA (factoring), ECC (discrete log) • Asymmetric ciphers are very expensive: need to combine with hashes and symmetric crypto evans@virginia.edu Engineering Crypto Applications 79
  • 81. SSL Test evans@virginia.edu Engineering Crypto Applications 80
  • 82. evans@virginia.edu Engineering Crypto Applications 81
  • 83. Plan for Final Meeting: Applications of Asym Crypto Secure Computation Future of Cryptosystems open to requests! evans@virginia.edu MightBeEvil.com/crypto evans@virginia.edu Engineering Crypto Applications 82
  • 84. evans@virginia.edu Engineering Crypto Applications 83
  • 85. evans@virginia.edu Engineering Crypto Applications 84
  • 86. evans@virginia.edu Engineering Crypto Applications 85
  • 87. evans@virginia.edu Engineering Crypto Applications 86

×