Problems with symmetric (private-key) encryption
1) secure distribution of keys
2) large number of keys
Solution to both problems: Public-key (asymmetric) encryption
[Figure: plaintext -> encryption algorithm (keypub) -> ciphertext -> decryption algorithm (keypriv) -> plaintext]
D( E(message, kpub), kpriv) = message
Data transmission via public-key encryption
Every user maintains a unique pair of keys: one private and one public.
Public keys are available for anyone to use.
For Lena to send a message to Ole, she first encrypts using Ole’s public key. This ensures that only Ole will be able to read the message.
Note that this preserves data confidentiality, but does not ensure authenticity.
Public-key Encryption - the Concept
Proposed in 1976 by Whitfield Diffie & Martin Hellman
Necessary Properties
• Computationally easy to generate a pair of keys -- (Kpub, Kpriv)
• Computationally easy to encrypt -- E(plaintext, Kpub) = ciphertext
• Computationally easy to decrypt -- D(ciphertext, Kpriv) = plaintext
• Computationally infeasible to determine Kpriv, even knowing E, D, and Kpub
• Computationally infeasible to decrypt without Kpriv, even knowing E, D, and Kpub
An Additional Useful Property
• Keys can be used in the opposite order for encryption/decryption -- D( E(plaintext, Kpriv), Kpub) = plaintext
Rivest-Shamir-Adleman (1978) is the best known of current public-key encryption methods.
• Begin with two large primes (p and q).
• n = p*q (Note that n should be more than 200 digits - roughly 512 bits.)
• Select e relatively prime to (p-1)*(q-1).
• Select d so that (e*d) mod ((p-1)*(q-1)) = 1.
• public key: (e, n) private key: (d, n)
Encryption Algorithm (apply to each part of the transmission)
E(message, e, n) = (message^e) mod n
Decryption Algorithm (apply to each part of the transmission)
D(message, d, n) = (message^d) mod n
Side note: (p-1)*(q-1) comes from Euler’s definition of totient
(n) = number of positive integers less than n that are relatively prime to n.
more theory: www.di-mgt.com.au/rsa_theory.html
Example (note that numbers are artificially small.)
p = 2 q = 17
Therefore, n = p*q = 34
Select e = 3. Note that (p-1)*(q-1) = 16. (3 and 16 are relatively prime.)
d = 11 because e*d = 3*11 = 33 and 33 mod 16 = 1
Treat alphabet as integers from zero, and include blank:
A B C D E F G H I J K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z  (blank)
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
to encipher H: H = 7, 7^e mod n = 7^3 mod 34 = 3
to encipher I: I = 8, 8^e mod n = 8^3 mod 34 = 2
to decipher 3: 3^d mod n = 3^11 mod 34 = 7 = H
to decipher 2: 2^d mod n = 2^11 mod 34 = 8 = I
Plaintext:   HI MOM SEND
As integers: 7 8 26 12 14 12 26 18 4 13 3
Ciphertext:  3 2 32 28 24 28 32 18 30 21 27
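The key-generation steps and the HI MOM SEND example above, as a runnable sketch. This is an added example, not part of the original slides; the function names are illustrative.

```python
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ "   # blank is 26, as on the slide

def make_keys(p, q, e):
    """Return ((e, n), (d, n)) following the slide's key-generation steps."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)*(q-1)")
    d = pow(e, -1, phi)        # d with (e*d) mod phi == 1 (Python 3.8+)
    return (e, n), (d, n)

def encode(text):
    """Map each character to its integer code (A=0 ... Z=25, blank=26)."""
    return [ALPHABET.index(ch) for ch in text]

def decode(values):
    return "".join(ALPHABET[v] for v in values)

def apply_key(values, key):
    """E and D are the same operation: value^exponent mod n, per value."""
    exponent, n = key
    if any(not 0 <= v < n for v in values):
        raise ValueError("each value must lie in the range 0..n-1")
    return [pow(v, exponent, n) for v in values]

def demo():
    public, private = make_keys(p=2, q=17, e=3)
    plain = encode("HI MOM SEND")
    cipher = apply_key(plain, public)
    recovered = decode(apply_key(cipher, private))
    return public, private, plain, cipher, recovered

if __name__ == "__main__":
    public, private, plain, cipher, recovered = demo()
    print("public key :", public)
    print("private key:", private)
    print("plaintext  :", plain)
    print("ciphertext :", cipher)
    print("recovered  :", recovered)
```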
Issues
1) The values of p, q, and (n) are not divulged.
2) Cryptanalysis of RSA is accomplished by finding the prime factors of a large number.
3) Factoring is not known to be an NP problem, but the best known algorithms are exponential.
4) To date no serious security flaws have been discovered.
Finding p and q
• Verifying that p and q are prime requires testing potential factors.
• A practical alternative (Solovay & Strassen algorithm) tests a number to any desired probability of being prime.
Crack History
Number    dec. digits   bits   Year   MIPS-yrs   Attack/factoring Method
RSA-100   100           332    1991   7          Quadratic Sieve
RSA-129   129           428    1994   5000       Quadratic Sieve
RSA-130   130           431    1996   1000       Generalized num field Sieve
RSA-155   155           512    1999   8000       Generalized num field Sieve
Key Size Effort
[Figure: MIPS-years required for factoring (axis from 10^4 to 10^20) plotted against key size in bits (512, 1024, 1536, 2048), with one curve for the general number field sieve and one for the special number field sieve.]
• Another factoring method (Special Number Field Sieve) is faster.
• Key sizes of 1024 to 2048 appear to be safe for the near future.
Generally, the strength of a public-key algorithm depends upon key size.
Suppose Lena sends a very short message - say one byte.
E( LenasByte, KOlePub ) = encipheredByte
Suppose the man in the middle (Hagar) intercepts encipheredByte.
How can Hagar discover LenasByte?
Note: This particular vulnerability is unique to public-key cryptosystems.
Solution: Append random bits to otherwise short messages, making them longer.
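Why a one-byte message is exposed and what the appended random bits change, as an added example that is not part of the original slides. The demo key (two Mersenne primes, e = 65537), the 64 pad bits and the function names are assumptions chosen for illustration.

```python
import secrets

# Constructed demo key: two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # Ole's private exponent
PAD_BITS = 64

def encrypt_raw(byte):
    """Textbook RSA on a one-byte message: same byte, same ciphertext."""
    return pow(byte, E, N)

def encrypt_padded(byte):
    """Append PAD_BITS fresh random bits to the byte before encrypting."""
    m = (byte << PAD_BITS) | secrets.randbits(PAD_BITS)
    return pow(m, E, N)

def decrypt_padded(cipher):
    """Ole's side: decrypt with the private key, then drop the random bits."""
    return pow(cipher, D, N) >> PAD_BITS

def lookup_byte(cipher):
    """What anyone holding only the public key can compute: encrypt all
    256 candidate bytes and compare. Returns the byte, or None."""
    table = {pow(b, E, N): b for b in range(256)}
    return table.get(cipher)

if __name__ == "__main__":
    lenas_byte = 0x4F
    print("unpadded, recovered from public key:",
          lookup_byte(encrypt_raw(lenas_byte)))
    print("padded, recovered from public key:  ",
          lookup_byte(encrypt_padded(lenas_byte)))
    print("padded, decrypted by Ole:           ",
          decrypt_padded(encrypt_padded(lenas_byte)))
```

Deployed RSA encryption uses a standardized randomized padding scheme such as OAEP rather than simply appended bits.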
Efficient?
• RSA can be as much as 10,00 times slower than symmetric algorithms (Multiplication used in place of bit manipulation and table lookup/indexing).
• to improve computation: (a * b) mod n = [(a mod n) * (b mod n)] mod n
Other Public-key Cryptosystems
Elliptic Curve Cryptography (ECC)
• several different ciphers
• based upon cubic equations of the form: y^2 + axy + by = x^3 + cx^2 + dx + e
• appears to have computational speed advantages over RSA
• “test of time”?
Diffie-Hellman Key Exchange
• not a full system, but a key-exchange technique built on public key concept
Digital Signature Standard (DSS)
• not a full system, but a technique for implementing digital signatures built on public key concept
The additional property of RSA & elliptic curve ciphers:
D(E(plaintext, kpub), kpriv) = plaintext
D(E(plaintext, kpriv), kpub) = plaintext
Confidential transmission
1) Lena encrypts the message using Ole’s public key.
2) The message from (1) is transmitted.
3) Ole decrypts message using his private key.
Confidential & Authenticated transmission
1) Lena encrypts the message (or part of it) using her private key.
2) Lena uses Ole’s public key to encrypt the result of (1).
3) The message from (2) is transmitted.
4) Ole decrypts the message with his private key.
5) Ole decrypts the result of (4) (or appropriate part) with Lena’s public key.
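The five steps above with textbook RSA, as an added example that is not part of the original slides. The demo keys (built from Mersenne primes, e = 65537), the third key pair used to show a message that did not come from Lena, and the function names are assumptions.

```python
def make_keys(p, q, e=65537):
    """Textbook RSA key pair from two primes: ((e, n), (d, n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def rsa(value, key):
    """value^exponent mod n; every step uses this with whichever key applies."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value does not fit under this modulus")
    return pow(value, exponent, n)

# Constructed demo keys from Mersenne primes, far too small for real use.
# Lena's modulus is smaller than Ole's, so the output of step 1 always fits
# under Ole's modulus in step 2; the reverse order of sizes would not work.
LENA_PUB, LENA_PRIV = make_keys(2**31 - 1, 2**61 - 1)
OLE_PUB, OLE_PRIV = make_keys(2**89 - 1, 2**107 - 1)
HAGAR_PUB, HAGAR_PRIV = make_keys(2**17 - 1, 2**19 - 1)   # not Lena's key

def send(message, sender_priv, receiver_pub):
    m = int.from_bytes(message, "big")
    inner = rsa(m, sender_priv)           # step 1: sender's private key
    return rsa(inner, receiver_pub)       # step 2: receiver's public key

def receive(cipher, receiver_priv, sender_pub):
    inner = rsa(cipher, receiver_priv)    # step 4: receiver's private key
    m = rsa(inner, sender_pub)            # step 5: claimed sender's public key
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    genuine = send(b"SEND", LENA_PRIV, OLE_PUB)
    forged = send(b"SEND", HAGAR_PRIV, OLE_PUB)
    # Only a message made with Lena's private key comes out readable when
    # Ole applies Lena's public key in step 5.
    print("from Lena :", receive(genuine, OLE_PRIV, LENA_PUB))
    print("from Hagar:", receive(forged, OLE_PRIV, LENA_PUB))
```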