## Public Key Cryptography


**Public Key Cryptography**
David Brumley, dbrumley@cmu.edu, Carnegie Mellon University
Credits: Many slides from Dan Boneh's June 2012 Coursera crypto class, which is awesome!

**Key management**
Problem: Communicating among n users. Total: O(n) keys per user.
[Diagram: four users U1, U2, U3, U4 with a separate pairwise key k_{i,j} for every pair]

**One Solution: Trusted Third Party (TTP)**
Everyone needs only one key.
[Diagram: users U1, U2, U3, U4 each hold a single key k_{i,TTP} shared with the TTP]
Can we remove the TTP as a communication and privacy bottleneck?

**Session Keys and Removing TTP Privacy Concerns**
Alice (k_a), Bob (k_b), TTP (k_t)
1. Alice ⟶ TTP: E(k_t, "talk to bob")
2. TTP chooses random K_AB
3. TTP ⟶ Alice: E(k_a, "A,B" || K_AB), ticket = E(k_b, "A,B" || K_AB)
4. Alice ⟶ Bob: ticket = E(k_b, "A,B" || K_AB), E(K_AB, "Hi.")
5. Bob: D(k_b, ticket) = "A,B" || K_AB, then D(K_AB, "Hi.")
Basis for Kerberos.

**Security Analysis**
Suppose (E,D) is secure (i.e., semantically secure).
✓ Eve sees messages, but learns nothing about K_AB
✗ TTP needed to set up every session
✗ TTP can decrypt everything
[Diagram: Alice (k_a), Bob (k_b), TTP (k_t); Eve sees all traffic]

**Key question**
Can we generate shared keys without an online trusted 3rd party?
Answer: yes!
Starting point of public-key cryptography:
• Merkle (1974), Diffie-Hellman (1976), RSA (1977)
• More recently: ID-based enc. (BF 2001), Functional enc. (BSW 2011)

**The Diffie-Hellman Protocol**
Whitfield Diffie, Martin Hellman
Goal: establish a shared key for security against eavesdroppers without a TTP.
[Diagram: Alice and Bob on a public channel, Eve listening]

**Discrete Log: A Review**
Recall: Logarithms are the inverse of exponentiation. b^y = x is equivalent to log_b(x) = y.
Consider arithmetic mod p, where p is a prime. The discrete log to the base b of x is an integer y such that b^y mod p = x.
Example. Let p = 17. Then 3^4 mod 17 = 81 mod 17 = 13. So 3^4 = 13 (mod p), and the discrete log_3(13) = 4.

**Discrete Log Example**
Fix a prime p > 2 and g in (Z_p)* of order q. Consider the function f(x) = g^x in Z_p.
Now consider the inverse function: Dlog_g(g^x) = x where x in {0, …, q-2}.
Example: Let g = 2 in Z_11. Dlog_2(2^x) = y s.t. y = 2^x mod 11.

**Easy: Given b, y, and p, compute b^y mod p**
• See "Handbook of Applied Cryptography", available free online
Believed Hard: Given b, p, x, compute y such that b^y mod p = x. The "Discrete Log" problem: a candidate one-way function.

**Key Exchange with Discrete Log**
Setup: Fix a public large prime p (~600 digits ≈ 2048 bits) and a public number g between 0 and p.
1. Alice picks a from [0, p-1)
2. Bob picks b from [0, p-1)
3. Alice ⟶ Bob: g^a mod p
4. Bob ⟶ Alice: g^b mod p
5. Alice computes k = (g^b)^a mod p; Bob computes k = (g^a)^b mod p
6. Use k for symmetric (authenticated) encryption.

Same exchange with Eve listening: Eve observes g, g^a, g^b. Goal: compute a (or b) (i.e., calculate the discrete log) or compute g^{ab}.

**How hard is the DH function mod p?**
Suppose prime p is n bits long. Best known algorithm (GNFS)*:
Can we do DH another way that is faster? Slow transition to elliptic curves.
* Ô ("O-hat") means lots of lower-order terms are left off.

**MITM Adversary**
As described, Diffie-Hellman is insecure against active Man In The Middle (MITM) attacks.
[Diagram: Alice sends g^a mod p and the MITM forwards g^m mod p to Bob; Bob sends g^b mod p and the MITM forwards g^m mod p to Alice; Alice ends up with g^{ma} mod p, Bob with g^{mb} mod p, and the MITM knows both]

**Last few slides: establish shared key (only) without TTP.**
What about actual encryption?
[Diagram: Alice runs E to produce c, c crosses the public channel, Bob runs D; Eve sees c]

**Public Key Encryption**
[Diagram: Alice encrypts with Public Key_Bob, c crosses the public channel, Bob decrypts with Private Key_Bob; Eve sees c]

**Public Key Encryption**
Def: a public-key encryption system is a triple of algorithms (G, E, D)
• G(): randomized alg. that outputs a key pair (pk, sk)
• E(pk, m): randomized alg. that takes m ∈ M and outputs c ∈ C
• D(sk, c): deterministic alg. that takes c ∈ C and outputs m ∈ M or ⊥
Consistency: ∀(pk, sk) output by G: ∀m ∈ M: D(sk, E(pk, m)) = m
Note: Without randomization, an attacker can determine E(pk, m1) = E(pk, m2) when m1 = m2.

**Semantic Security**
For b = 0,1 define experiments EXP(b) (i.e., EXP(0) and EXP(1)):
[Diagram of EXP(b): Chal. runs (pk, sk) ⟵ G() and sends pk to Adv. A; A sends m0, m1 ∈ M with |m0| = |m1|; Chal. returns c ⟵ E(pk, m_b); A outputs b' ∈ {0,1}]
Def: Enc = (G,E,D) is sem. secure (a.k.a. IND-CPA) if for all efficient A: Adv_SS[A,Enc] = |Pr[EXP(0)=1] – Pr[EXP(1)=1]| < negligible
No encryption queries for chosen messages. Why?

**Establishing a shared secret**
Alice: (pk, sk) ⟵ G(); sends "Alice", pk
Bob: chooses random x ∈ {0,1}^128; sends "Bob", c = E(pk, x)
Alice: D(sk, c) = x
x is the shared key.

**Security (eavesdropping)**
Adversary sees pk, E(pk, x) and wants x ∈ M.
Semantic security means the adversary cannot distinguish {pk, E(pk, x), x} from {pk, E(pk, x), rand ∈ M}.
Note: protocol is also vulnerable to MITM attack.

**Public key encryption: constructions**
Constructions generally rely on hard problems from number theory and algebra.

**Notation**
Let N denote an n-bit positive integer.
Notation: (In PowerPoint, we will sometimes use Zn since it doesn't have fancy LaTeX fonts.)
Can do addition and multiplication modulo N.

**Intractable problems with composites**
Suppose N = pq is a 1024-bit number where |p| = |q|. Let ϕ(N) = (p-1)(q-1).
Easy Problems:
• Computing x^y mod N
• Inverting elements. If z = x mod N, finding x^{-1}
Hard Problems:
• Factor N
• Given x^y mod N, compute the y'th root (when gcd(y, ϕ(N)) = 1)

**The factoring problem**
Gauss (1805): "The problem of distinguishing prime numbers from composite numbers and of resolving the latter into their prime factors is known to be one of the most important and useful in arithmetic."
Current world record: RSA-768 (232 digits)
• Work: two years on hundreds of machines
• Factoring a 1024-bit integer: about 1000 times harder ⇒ likely possible this decade

**Trapdoor functions (TDF)**
Def: a trapdoor func. X ⟶ Y is a triple of efficient algs. (G, F, F^{-1})
• G(): randomized alg. that outputs a key pair (pk, sk)
• F(pk, ⋅): det. alg. that defines a function X ⟶ Y
• F^{-1}(sk, ⋅): a function Y ⟶ X that inverts F(pk, ⋅)
∀(pk, sk) output by G, ∀x ∈ X: F^{-1}(sk, F(pk, x)) = x

**Arithmetic Mod Composites**
Let N = pq where p, q are prime.
Z_N = {0, 1, 2, …, N-1}; (Z_N)* = {invertible elements in Z_N}
Facts:
• x ∈ Z_N is invertible ⟺ gcd(x, N) = 1
• Number of elements in (Z_N)* is ϕ(N) = (p-1)(q-1) = N-p-q+1
Euler's thm: ∀x ∈ (Z_N)*: x^{ϕ(N)} = 1

**The RSA trapdoor permutation**
First published in Scientific American, Aug. 1977
Very widely used:
• SSL/TLS: certificates and key exchange
• Secure e-mail and file systems
… many others

**The RSA trapdoor permutation**
G(): choose random primes p, q (1024 bits). Set N = pq. Choose integers e, d s.t. e⋅d = 1 mod (p-1)(q-1). Output pk = (N, e), sk = (N, d).
F(pk, x): RSA(x) = x^e (in Z_N)
F^{-1}(sk, y) = y^d; y^d = RSA(x)^d = x^{ed} = x^{kϕ(N)+1} = (x^{ϕ(N)})^k ⋅ x = x

**The RSA assumption**
RSA is assumed to be a one-way permutation. For all efficient algs. A:
Pr[A(N, e, y) = y^{1/e}] < negligible, where p, q are n-bit primes, N ⟵ pq, y ⟵ Z_N*

**Textbook RSA is insecure**
Textbook RSA encryption:
• public key: (N, e). Encrypt: c ⟵ m^e (in Z_N)
• secret key: (N, d). Decrypt: c^d ⟶ m
Insecure cryptosystem!!
• Is not semantically secure and many attacks exist
⇒ The RSA trapdoor permutation is not an encryption scheme!

**RSA encryption in practice**
Never use textbook RSA. RSA in practice:
[Diagram: msg ⟶ Preprocessing ⟶ int. msg ⟶ RSA (with key) ⟶ ciphertext]
Main questions:
• How should the preprocessing be done?
• Can we argue about security of the resulting system?

**PKCS1 v2.0: OAEP**
[Diagram: msg || 01 || 00..0 is mixed with a random value rand through the hash functions G and H (two XOR rounds), giving the plaintext to encrypt with RSA]
Preprocessing function: OAEP [BR94]
Thm [FOPS'01]: If RSA is a trap-door permutation, then RSA-OAEP is secure when H, G are perfect hash functions (technically, random oracles).
In practice: use SHA-256 for H and G. Check the pad on decryption; reject the CT if invalid.

**Is RSA a one-way permutation?**
To invert the RSA one-way func. (without d) the attacker must compute x from c = x^e (mod N).
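The RSA trapdoor permutation (G, F, F^{-1}) from the slides at toy size, as an added example that is not from the lecture: it checks the consistency property over all of Z_N and shows why the deterministic textbook scheme lets an eavesdropper detect repeated messages. The primes 61, 53 and e = 17 are constructed toy values, and Python's built-in pow(e, -1, phi) stands in for the extended Euclidean algorithm.

```python
"""Toy RSA trapdoor permutation (G, F, F^-1) as defined on the slides.
Added example, not from the lecture; primes are constructed toy values
(a real key uses ~1024-bit p and q)."""
from math import gcd

# Constructed toy primes; far too small for any real use.
P, Q = 61, 53


def rsa_keygen(p: int, q: int, e: int = 17):
    """G(): N = pq, phi(N) = (p-1)(q-1), d = e^-1 mod phi(N)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible mod phi(N)")
    d = pow(e, -1, phi)          # Python 3.8+: modular inverse via pow
    assert (e * d) % phi == 1    # e*d = 1 mod (p-1)(q-1)
    return (n, e), (n, d)        # pk, sk


def rsa_forward(pk, x: int) -> int:
    """F(pk, x) = x^e in Z_N."""
    n, e = pk
    return pow(x, e, n)


def rsa_inverse(sk, y: int) -> int:
    """F^-1(sk, y) = y^d; y^d = x^(ed) = x^(k*phi(N)+1) = x by Euler."""
    n, d = sk
    return pow(y, d, n)


def consistency_holds(pk, sk) -> bool:
    """F^-1(sk, F(pk, x)) = x for every x in Z_N (feasible for toy N)."""
    n = pk[0]
    return all(rsa_inverse(sk, rsa_forward(pk, x)) == x for x in range(n))


def ciphertexts_reveal_equality(pk, m1: int, m2: int) -> bool:
    """Textbook RSA has no randomness, so E(pk, m1) == E(pk, m2) exactly
    when m1 == m2: an eavesdropper learns message equality from the
    ciphertexts alone, which is why F alone is not an encryption scheme."""
    return rsa_forward(pk, m1) == rsa_forward(pk, m2)


if __name__ == "__main__":
    pk, sk = rsa_keygen(P, Q)
    print("pk =", pk, "sk =", sk)
    print("consistency over all of Z_N:", consistency_holds(pk, sk))
    print("repeat detectable:", ciphertexts_reveal_equality(pk, 42, 42))
```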
How hard is computing e'th roots modulo N?
Best known algorithm:
• Step 1: factor N (hard)
• Step 2: compute e'th roots modulo p and q (easy)

**Implementation attacks**
Timing attack [Kocher et al. 1997], [BB'04]: The time it takes to compute c^d (mod N) can expose d.
Power attack [Kocher et al. 1999]: The power consumption of a smartcard while it is computing c^d (mod N) can expose d.
Faults attack [BDL'97]: A computer error during c^d (mod N) can expose d. (Common defense: check the output, at a 10% slowdown.)

**RSA Key Generation Trouble [Heninger et al./Lenstra et al.]**
OpenSSL RSA key generation (abstract):

```
prng.seed(seed)
p = prng.generate_random_prime()
prng.add_randomness(bits)
q = prng.generate_random_prime()
N = p*q
```

Suppose poor entropy at startup:
• The same p will be generated by multiple devices, but different q
• N1, N2: RSA keys from different devices ⇒ gcd(N1, N2) = p

**RSA Key Generation Trouble [Heninger et al./Lenstra et al.]**
Experiment: factors 0.4% of public HTTPS keys!
Lesson: Make sure the random number generator is properly seeded when generating keys.

**Background**
We will use a bit of number theory to construct:
• Key exchange protocols
• Digital signatures
• Public-key encryption
More info: http://shoup.net/ntb/ntb-v2.pdf, http://cseweb.ucsd.edu/~mihir/cse107/ and other places across the web.

**Modular Arithmetic**
Defn: a = b mod N iff a - b = kN
Addition and multiplication work as expected, e.g., x(y+z) = x*y + x*z
Examples:
• 9 + 8 = 5 in Z_12 because 9 + 8 = 17 and 17 - 5 = 12
• 5 × 7 = 11 in Z_12 because 5 * 7 = 35 and 35 - 11 = 2 × 12
• 5 - 7 = 10 in Z_12 because 5 - 7 = -2 and -2 - 10 = -1 × 12

**Greatest Common Divisor**
Def: for integers x, y, gcd(x, y) is the greatest common divisor of x and y.
Fact: for all integers x, y there exist integers a, b such that a*x + b*y = gcd(x, y), and a, b can be found efficiently with the extended Euclidean algorithm.
Example: gcd(12, 18) = 6; 2*12 + (-1)*18 = 6
Def: If gcd(x, y) = 1, then we say x and y are relatively prime.

**Modular Inversion**
Over the rationals the inverse of 2 is ½. What about modulo N?
Def: The inverse of an integer x is an integer y such that x*y = 1 mod N, and is denoted x^{-1}.
Example: Let N be an odd integer. Then the inverse of 2 is (N+1)/2.
Proof:

**Which Elements Have Inverses?**
Thm: an element x has an inverse mod N iff gcd(x, N) = 1
Computing: Calculate gcd(x, N) using the extended Euclidean algorithm to come up with ax + bN = 1. Then a*x = 1 mod N, so a is the inverse of x.
Example: For N = 12, we have the following invertible elements:
gcd(0, 12) = 0; gcd(1, 12) = 1; gcd(2, 12) = 2; gcd(3, 12) = 3
gcd(4, 12) = 4; gcd(5, 12) = 1; gcd(6, 12) = 6; gcd(7, 12) = 1
gcd(8, 12) = 4; gcd(9, 12) = 3; gcd(10, 12) = 2; gcd(11, 12) = 1

**Twinkle Twinkle Little Star**
Def: Let Z_N* be the set of invertible elements (i.e., the set {x in Z_N | gcd(x, N) = 1})
Example: Z_p* = {1, 2, 3, ..., p-1} for all primes p; Z_12* = {1, 5, 7, 11}
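The gcd machinery of the last slides (extended Euclid, modular inversion, Z_N*) together with the gcd check behind the RSA key-generation slide above, as an added example that is not from the lecture: the same gcd that finds inverses also exposes two moduli that share a prime. The moduli in TOY_MODULI are constructed values where two "devices" reused the prime 1009; the function names are this example's own.

```python
"""Extended Euclid, modular inverses, Z_N*, and the pairwise-gcd audit
behind the Heninger et al./Lenstra et al. shared-factor result.
Added example, not from the lecture; all key values are constructed toys."""
from math import gcd
from itertools import combinations


def ext_gcd(x: int, y: int):
    """Return (g, a, b) with a*x + b*y = g = gcd(x, y) (extended Euclid).
    Many (a, b) pairs work; this returns one of them."""
    a0, b0, a1, b1 = 1, 0, 0, 1      # track how x, y are built from the inputs
    while y:
        q, r = divmod(x, y)
        x, y = y, r
        a0, a1 = a1, a0 - q * a1
        b0, b1 = b1, b0 - q * b1
    return x, a0, b0


def mod_inverse(x: int, n: int):
    """x^-1 mod N from a*x + b*N = 1, or None when gcd(x, N) != 1."""
    g, a, _ = ext_gcd(x, n)
    return a % n if g == 1 else None


def units(n: int):
    """Z_N* = {x in Z_N | gcd(x, N) = 1}; units(12) == [1, 5, 7, 11]."""
    return [x for x in range(n) if gcd(x, n) == 1]


def shared_factor_audit(moduli):
    """Pairwise gcd over RSA moduli. A gcd strictly between 1 and the moduli
    is a prime shared by two keys (the poor-entropy failure on the slides):
    both keys are then factored and must be revoked. Returns {(i, j): p}."""
    found = {}
    for (i, n1), (j, n2) in combinations(enumerate(moduli), 2):
        g = gcd(n1, n2)
        if 1 < g < min(n1, n2):
            found[(i, j)] = g
    return found


# Constructed toy moduli: "device" 0 and "device" 2 both generated p = 1009.
TOY_MODULI = [1009 * 1013, 1019 * 1021, 1009 * 1031]

if __name__ == "__main__":
    print(ext_gcd(12, 18))                 # one Bezout pair for gcd 6
    print(mod_inverse(5, 12), mod_inverse(4, 12))
    print(units(12))
    print(shared_factor_audit(TOY_MODULI))
```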