Upload
oswald-benson
View
215
Download
0
Embed Size (px)
DESCRIPTION
RSA To encrypt message M compute – c = M e mod N To decrypt ciphertext c compute – M = c d mod N 3 CS 450/650 Lecture 9: RSA
Citation preview
Lecture 9 Overview
RSA• Invented by Cocks (GCHQ), independently, by
Rivest, Shamir and Adleman (MIT)• Two keys e and d used for Encryption and
Decryption– The keys are interchangeable • M = D(d, E(e, M) ) = D(e, E(d, M) )
– Public key encryption• Based on problem of factoring large numbers– Not in NP-complete– Best known algorithm is exponential
2CS 450/650 Lecture 9: RSA
RSA• To encrypt message M compute– c = Me mod N
• To decrypt ciphertext c compute– M = cd mod N
3CS 450/650 Lecture 9: RSA
• Let p and q be two large prime numbers• Let N = pq
• Choose e relatively prime to (p1)(q1)– a prime number larger than p-1 and q-1
• Find d such that ed mod (p1)(q1) = 1
Key Choice
4CS 450/650 Lecture 9: RSA
RSA• Recall that e and N are public
• If attacker can factor N, he can use e to easily find d – since ed mod (p1)(q1) = 1
• Factoring the modulus breaks RSA• It is not known whether factoring is the only
way to break RSA5CS 450/650 Lecture 9: RSA
Does RSA Really Work?
• Given c = Me mod N we must show – M = cd mod N = Med mod N
• We’ll use Euler’s Theorem– If x is relatively prime to N then x(N) mod N =1• (n): number of positive integers less than n that are
relatively prime to n.• If p is prime then, (p) = p-1
6CS 450/650 Lecture 9: RSA
Does RSA Really Work?• Facts: – ed mod (p 1)(q 1) = 1– ed = k(p 1)(q 1) + 1 by definition of mod– (N) = (p 1)(q 1)– Then ed 1 = k(p 1)(q 1) = k(N)
• Med = M(ed-1)+1 = MMed-1 = MMk(N) = M(M(N)) k mod N = M1 k mod N = M mod N
7CS 450/650 Lecture 9: RSA
More Efficient RSA• Modular exponentiation example– 520 = 95367431640625 = 25 mod 35
• A better way: repeated squaring – Note that 20 = 2 10, 10 = 2 5, 5 = 2 2 + 1, 2 = 1 2– 51= 5 mod 35– 52= (51) 2 = 52 = 25 mod 35– 55= (52) 2 51 = 252 5 = 3125 = 10 mod 35– 510 = (55) 2 = 102 = 100 = 30 mod 35– 520 = (510) 2 = 302 = 900 = 25 mod 35
• No huge numbers and it’s efficient!
CS 450/650 Lecture 9: RSA 8
Symmetric vs AsymmetricSecret Key (Symmetric) Public Key (Asymmetric)
Number of keys 1 2
Protection of key Must be kept secret One key must be kept secret; the other can be freely exposed
Best uses Cryptographic workhorse; secrecy and integrity of datasingle characters to blocks of data, messages, files
Key exchange, authentication
Key distribution Must be out-of-band Public key can be used to distribute other keys
Speed Fast Slow; typically, 10,000 times slower than secret key
CS 450/650 Fundamentals of Integrated Computer Security 9
Lecture 10Cryptographic Hash Functions
CS 450/650
Fundamentals of Integrated Computer Security
Slides are modified from Hesham El-Rewini
Cryptographic Hash Functions• Message Digest Functions – Protect integrity– Create a message digest or fingerprint of a digital
document– MD4, MD5, SHA
• Message Authentication Codes (MACs) – Protect both integrity and authenticity– Produce fingerprints based on both a given
document and a secret key
CS 450/650 Lecture 10: Hash Functions 11
Message Digest Functions• Checksums fingerprint of a message– If message changes, checksum will not match
• Most checksums are good in detecting accidental changes made to a message– They are not designed to prevent an adversary
from intentionally changing a message resulting a message with the same checksum• Message digests are designed to protect against this
possibility
CS 450/650 Lecture 10: Hash Functions 12
One-Way Hash Functions
Example• M = “Elvis”• H(M) = (“E” + “L” + “V” + “I” + “S”) mod 26• H(M) = (5 + 12 + 22 + 9 + 19) mod 26• H(M) = 67 mod 26• H(M) = 15
HHMM H(M) = H(M) = hh
CS 450/650 Lecture 10: Hash Functions 13
Collision
Example• x = “Viva”• Y = “Vegas”• H(x) = H(y) = 2
HHxx H(x)H(x)
HHyy H(y) H(y) ==
CS 450/650 Lecture 10: Hash Functions 14
Collision-resistant, One-way hash fnc.
• Given M, – it is easy to compute h
• Given any h, – it is hard to find any M such that H(M) = h
• Given M1, it is difficult to find M2 – such that H(M1) = H(M2)
• Functions that satisfy these criteria are called message digest – They produce a fixed-length digest (fingerprint)
CS 450/650 Lecture 10: Hash Functions 15
Message Authentication Codes• A message authentication code (MAC) is a
key-dependent message digest function– MAC(M,k) = h
CS 450/650 Lecture 10: Hash Functions 16
A MAC Based on a Block Cipher
M1
Encrypt
k
M1
Encrypt
k
XOR
M1
Encrypt
k
XOR
… MAC
CS 450/650 Lecture 10: Hash Functions 17
Secure Hash Algorithm (SHA)
Secure Hash Algorithm (SHA)
• SHA-0 1993• SHA-1 1995• SHA-2 2002– SHA-224, SHA-256, SHA-384, SHA-512
SHA-1SHA-1A message A message composed of composed of b bitsb bits
160-bit 160-bit message message digestdigest
CS 450/650 Lecture 8: Secure Hash Algorithm 19
Step 1 -- Padding• Padding the total length of a padded
message is multiple of 512– Every message is padded even if its length is already
a multiple of 512• Padding is done by appending to the input– A single bit, 1– Enough additional bits, all 0, to make the final 512
block exactly 448 bits long– A 64-bit integer representing the length of the
original message in bits
CS 450/650 Lecture 8: Secure Hash Algorithm 20
Padding (cont.)
Message Message length1 0…0
64 bits
Multiple of 512
1 bit
CS 450/650 Lecture 8: Secure Hash Algorithm 21
Example• M = 01100010 11001010 1001 (20 bits)
• Padding is done by appending to the input– A single bit, 1– 427 0s– A 64-bit integer representing 20
• Pad(M) = 01100010 11001010 10011000 … 00010100
Example• Length of M = 500 bits
• Padding is done by appending to the input:– A single bit, 1– 459 0s– A 64-bit integer representing 500
• Length of Pad(M) = 1024 bits
Step 2 -- Dividing Pad(M)• Pad (M) = B1, B2, B3, …, Bn
• Each Bi denote a 512-bit block
• Each Bi is divided into 16 32-bit words– W0, W1, …, W15
CS 450/650 Lecture 8: Secure Hash Algorithm 24
Step 3 – Compute W16 – W79
• To Compute word Wj (16<=j<=79)
– Wj-3, Wj-8, Wj-14 , Wj-16 are XORed
– The result is circularly left shifted one bit
CS 450/650 Lecture 8: Secure Hash Algorithm 25
Initialize 32-bit words• A = H0 = 67452301
• B = H1 = EFCDAB89
• C = H2 = 98BADCFE
• D = H3 = 10325476
• E = H4 = C3D2E1F0
• K0 – K19 = 5A827999
• K20 – K39 = 6ED9EBA1
• K40 – K49 = 8F1BBCDC
• K60 – K79 = CA62C1D6
CS 450/650 Lecture 8: Secure Hash Algorithm 26
Step 5 – Loop For j = 0 … 79
TEMP = CircLeShift_5 (A) + fj(B,C,D) + E + Wj + Kj
E = D; D = C; C = CircLeShift_30(B); B = A; A = TEMP
Done
+ addition (ignore overflow)
CS 450/650 Lecture 8: Secure Hash Algorithm 27
Four functions • For j = 0 … 19 – fj(B,C,D) = (B AND C) OR (B AND D) OR (C AND D)
• For j = 20 … 39 – fj(B,C,D) = (B XOR C XOR D)
• For j = 40 … 59 – fj(B,C,D) = (B AND C) OR ((NOT B) AND D)
• For j = 60 … 79 – fj(B,C,D) = (B XOR C XOR D)
CS 450/650 Lecture 8: Secure Hash Algorithm 28
Step 6 – Final • H0 = H0 + A
• H1 = H1 + B
• H2 = H2 + C
• H3 = H3 + D
• H4 = H4 + E
CS 450/650 Lecture 8: Secure Hash Algorithm 29
Done• Once these steps have been performed on
each 512-bit block (B1, B2, …, Bn) of the padded message, – the 160-bit message digest is given by
H0 H1 H2 H3 H4
CS 450/650 Lecture 8: Secure Hash Algorithm 30
SHAOutput
size (bits)
Internal state size
(bits)
Block size
(bits)
Max message size (bits)
Word size
(bits)Rounds Operations Collisions
found
SHA-0 160 160 512 264 − 1 32 80 +, and, or, xor, rot Yes
SHA-1 160 160 512 264 − 1 32 80 +, and, or, xor, rot
None (251 attack)
SHA-2
256/224 256 512 264 − 1 32 64 +, and, or, xor, shr, rot None
512/384 512 1024 2128 − 1 64 80 +, and, or, xor, shr, rot None
CS 450/650 Lecture 8: Secure Hash Algorithm 31