cns2010handout 9 :: asymmetric crypto1 computer and network security matt barrie

CNS2010 handout 9 :: asymmetric crypto

1

computer and network securitymatt barrie

<[email protected]>


2

origins of public key cryptography

• A tale of cryptoarchaeology…

1976: Diffie and Hellman & Merkle (Stanford) invented the concept separately

1976: RSA invented (Rivest, Shamir, Adelman)1973: Clifford Cocks wrote a varient of RSA (GCHQ)1967: James Ellis (GCHQ) proved public key possible

Even Earlier:• NSA claims they invented public key cryptography earlier

– Jim Frazer (NSA - retired) claims a 1962 NSA memo on command & control of nuclear weapons was the basis for it’s invention.

– Side note: the STU-III secure telephone used PKI in the mid 1970’s, well before certificates were in the civilian world.

• Black sector (esp. the NSA) is way ahead of civilian crypto– Many claim at least 20 years


3

NSA memo 160 :: June 1962


4

public key cryptography

• Sometimes known as asymmetric cryptography.

• Each entity has a public key e and a private key d.

• The public key is associated with the encryption algorithm, and the private key the decryption algorithm.

• The public key and the encryption algorithm need not be a secret and are often published (e.g. in a directory).

• Public key encryption alone provides confidentiality, not data origin authentication nor integrity (since the encryption key and algorithm is known).

• Public key decryption can be used to provide authentication guarantees.


5

example

Alice

Bob

Looks up Bob’s public key e

Sends c = Ee(m)

(e.g. keyserver, directory, email footer, web page)

Decrypts message m’ = Dd(c)

Directory

Alice e

Bob f

...


6

public key cryptography

Problems:• Based on known algorithms, public key crypto is much

slower than private key crypto– Public key crypto often used to negotiate keys used for bulk data

encryption by symmetric algorithms (commonly known as session keys).

– Public key crypto is also used to encrypt small things (e.g. credit card transactions, PIN numbers, etc.)

• Unless the public keys are verified, public key systems are vulnerable to an impersonation attack– How do we know this is really Alice’s public key?

• Since an attacker knows the encryption algorithm and key, they can always perform a chosen plaintext attack– Anyone can send messages to a receiver; there is no

authentication of message source


7

el gamal cryptosystem

• Taher El Gamal (Stanford)• Security is based upon the discrete log problem.

• Key generation:– Alice generates random g, a and prime p.– Alice calculates ga (mod p).– Alice’s public key is p, g and ga (which she can publish).– The variable a is the private key used to decrypt.

Public DirectoryAlice p, g, ga

Bob q, h, hb

…


8

el gamal cryptosystem

• Message encryption:– retrieve p, g, ga from directory– choose a random k relatively prime to (p-1)

– compute y1 = gk

– for message m є Zp* compute y2 = (ga)k m (mod p)

– send (y1 , y2) to Alice

• Message decryption:– compute y1

a = gak (mod p)

– compute g-ak

– compute y2g-ak = m to retrieve the message

• The security of the algorithm relies on not being able to calculate the discrete logarithm of y1 (mod p).


9

RSA

• Rivest, Shamir, Adelman (MIT) (1976)• Most widely used public key cryptosystem• Patent expired in 2000• Security relies on the difficulty of factoring of large

composites

• Key Generation:– Generate two large random (and distinct) large primes (p, q > 1024 bits),

each roughly the same size.– Compute n = pq and Φ(n) = | Zn

* | = (p-1)(q-1)

– From Euler’s theorem

aΦ(n) = 1 (mod n)

so chose encyphering exponent e and decyphering exponent d such that

ed ≡ 1 mod Φ(n)

• The public key is (e, n) and the private key is d• p, q and Φ(n) are secret (only used during key generation)


10

RSA

• Message encryption:– Obtain Alice’s public key (n, e)– Represent the message as an integer [0 .. n-1]– Compute c = me mod n– Send cyphertext c to Alice.

• Message decryption:– Alice computes cd mod n ≡ (me)d mod n

≡ med mod n ≡ m1 + kΦ(n) mod n ≡ m(mΦ(n))k mod n

Using Euler’s theorem mΦ(n) ≡ 1 (mod n) so :

cd mod n ≡ m


11

chinese remainder theorem

• If you know the factorisation of n (where n = pq), then you can use the Chinese Remainder Theorem to solve a system of equations:

x = a1 (mod m1)

x = a2 (mod m2)

x = a3 (mod m3)

where gcd(mi, mj) = 1 (i.e. relatively prime)

• The CRT states that there exists a simultaneous solution to these equations where any two such solutions are congruent to each other mod M (M = m1m2 m3 m4…)


12

chinese remainder theorem

• For each i, define

Mi = M/mi = Πi≠jmj

• By the Euclidean Algorithm, calculate Ni such that

NiMi = 1 mod mi

• The solution to the system of simultaneous equations is

x = Σi=1..r ai Mi Ni


13

CRT example

• Solve the following system of equations:

x = a1 (mod 7)x = a2 (mod 11) x = a3 (mod 13)

• Now M = m1m2 m3 = 7 x 11 x 13 = 1001• To find N’s (e.g. N1): NiMi = 1 mod mi

N1 x M1 = 1 (mod 7) [M1 = 11 x 13]-> N1 x 11 x 13 = 1 (mod 7) [11 x 13 = 3 mod 7]-> N1 x 3 = 1 (mod 7)

• Using Euler’s generalisation:

mΦ(n) ≡ 1 (mod n)Φ(m1) = 7 - 1 = 6

So N1 = 3Φ-1 mod 7 = 35 mod 7 = 5 mod 7


14

CRT example

• Solving for the other N’s:

M1 = 143, N1 = 5 [11x13]

M2 = 91, N2 = 4 [7x13]

M3 = 77, N3 = 12 [11x7]

• So

x = Σi=1..r ai Mi Ni

x = 715 a1 + 364 a2 + 924 a3 (mod 1001)


15

attacks on RSA

1. Factoring attack2. Small encryption exponent attack3. Small decryption exponent attack4. Forward search attack5. Homomorphic attack6. Common modulus attack7. Cycling attack8. Message concealing9. Size of modulus10. Selection of primes


16

factoring attack on RSA

• The RSA problem is to recover m from c ≡ me mod n, knowing only n and e.

• Suppose n can be factored into p and q. • Then Φ(n) = (p-1)(q-1) can be computed.• Therefore d can be computed as ed ≡ 1 mod Φ(n)• Therefore we can recover the message m

Fact: • The problem of computing the RSA decryption exponent

from the public key (n,e) and the problem of factoring n are computationally equivalent.

• When performing key generation, it is imperative that the primes p and q are selected to make factoring n=pq difficult– e.g. by picking p and q roughly equal size


17

small encryption exponent attack on RSA

• In order to improve the speed of RSA, often a small encryption exponent is used (e.g. 216+1 is often used).

• If a group of entities all use the same encryption exponent, it is clear that they must have their own distinct modulus. If they are the same, then other users can obviously calculate other’s private keys d.

• Say Alice wishes to send messages to three parties, all with a small encryption exponent (e = 3):

c1 = m3 (mod n1)

c2 = m3 (mod n2)

c3 = m3 (mod n3)


18

small encryption exponent attack on RSA

• Observing c1, c2, c3 and knowing n1, n2, n3 we use the CRT:

x = m3 mod n1n3n3

• Since m < ni for n (or information is lost during encryption)

x = m3

m = x1/3

• Thus a small encryption exponent should not be used to send the same message (or the same message with variations) to several entities.

• Salting the plaintext (padding with random bits) can help avoid this attack.


19

other attacks on RSA

Small decryption exponent: • Similarly, a small decryption exponent should also be

avoided.

Forward search attack: • Note since the encryption key is public, if the message

space is small or predictable, an attacker can try brute force on the message space. – Salting the plaintext may help to prevent this attack

• Example: a stock trading system– Message format: “{BUY, SELL} DDDD TICKER” where there are

1000 tickers– |M| = 2 x 10000 x 1000 = 20,000,000 possible messages– At 1M guesses / second 20 seconds to guess transmitted message


20

homomorphic properties of RSA

• Suppose

c1 = m1e mod n

c2 = m2e mod n

• Then

c1 c2 = (m1m2)e mod n

• Using this property we can attack RSA

• Suppose we want Alice to reveal the decryption of

c = me mod n


21

homomorphic properties of RSA

• Bob sends to Alice for random x (blinding factor)

(c’) = cxe mod n

• Alice computes

(c’)d = (cxe)d mod n = cdxed mod n = mxed mod n = mx mod n

• If Alice reveals this information, Bob can unblind the message

m = (mx)x-1 mod n


22

size of modulus in RSA

• Powerful attacks on RSA include using a quadratic sieve and number field sieve factoring algorithms to factor the modulus n=pq.

• In 1999, a team led by de Riele factored a 512 bit number.

• In 2001, Dan Bernstein wrote a paper proposing a circuit-based machine with active processing units (with the same density as RAM) that could factor keys roughly 3 times as long with the same computational cost (1536 bits insecure??)– The premise is that algorithms exist where if you increase the number

of processors by n, you decrease the running time by a factor greater than n (!)

– Exploits massive parallelism of small circuit level processing units

• In 2005, a 200 digits (RSA200) was factored in 18 months.


23

size of modulus in RSA

• In 2007, a 1039-bit number (21039-1) (307 digits) was factored in 11 months of computation (a special case) using a “special number field sieve”.– “Unthinkable” in 1990.– “We have more powerful computers, we have come up with

better ways to map the algorithm onto the architecture, and we take better advantage of cache behaviour”.

– Lenstra: Is the writing on the wall for 1024-bit encryption? The answer to that is an unqualified yes”.

• It is recommended today that 4096 bit keys be used and p and q should be about the same bit length (but not too close to each other)

• Advances in factoring are leaps and bounds over advances in brute force of classical cyphers..


24

rabin public key cryptosystem

Public key: n = pqPrivate key: p, q (roughly the same size)Encryption: c = m2 mod n

Decryption:– Calculate the four square roots m1, m2, m3, m4 of c

– The message sent was one of these roots

• Security based on the fact that finding of square roots mod n without knowing the prime factorisation of n is computationally equivalent to factoring.


25

square and multiply

• In RSA and Discrete Log, a common operation is exponentiation– i.e. calculating ge where g, e are large numbers (~300 digits)

• A simple approach to this is to use square-and-multiply

g23 = g16 . g4 . g2 . g1

• In this example we take 7 multiplication (assuming squaring is computationally equivalent to multiplying).

Algorithm:z ← 1, y ← g

for i = 0 .. n-1

if e[i] = 1 then z ← zy # check bit position

y ← y2


26

addition chains

• Using addition chains, we can be a little more efficient:

g, g2, g3, g5, g10, g20, g23 [g2 * g3 = g5, etc]

• This takes only 6 multiplications (versus 7).

• An addition chain is used to minimise the number of multiplications required.

• The addition chain of length s for exponent e is a sequence of positive integers {u0 .. us} and associated sequence {w0 .. ws} of pairs of integers wi = (i1, i2) with the property that:

(1) u0 = 1, us = e

(2) ui = ui1 + ui2


27

addition chains - example

• Take e = 15 (i.e. calculate g15):

i : 0 1 2 3 4 5 wi : (0,0) (0,1) (2,2) (3,3) (2,4)

gi : g g2 g3 g6 g12 g15

Algorithm:g0 ← g

for i = 0 .. s

gi ← gi1gi2

• Finding the shortest addition chain is computationally hard (NP-hard). It is akin to solving the traveling salesman problem.


28

definitions in complexity theory

• A polynomial time algorithm is one where the worst case running time of the algorithm is O(nk) where n is the input size and k is some constant.

• Polynomial time algorithms are said to be good or efficient.

• Any algorithm which cannot be bounded as such is said to be an exponential-time algorithm.

• The complexity class P is the set of all decision problems which are solvable in polynomial time.

• The complexity class NP is the set of all decision problems which an answer can be verified in polynomial time, given some extra information called a certificate.


29

complexity theory

• Fact: P NP • Unknown: Is P = NP?

• Example of a problem in NP:– Given a positive integer n, is n composite?– That is, are there integers a, b > 1 such that n = ab?

• If L1 and L2 are two decision problems, L1 is said to polynomial reduce to L2 (L1 ≤P L2) if there is an algorithm that solves L1 which uses as a subroutine an algorithm that solves L2, and runs in polynomial time.

• Two problems are said to be computationally equivalent if

L1 ≤P L2 and L2 ≤P L1


30

summary: symmetric crypto

• Advantages of symmetric-key crypto:– Can be designed to have high throughput rates– Keys are relatively short (128 bits .. 256 bits)– Symmetric cyphers can be used as primitives to construct other

constructs such as pseudo random number generators (PRNGs).– Symmetric cyphers can be used to construct stronger cyphers

• e.g. simple substitutions and permutations can be used to create stronger cyphers

– All known attacks involve “exhaustive” key search.

• Disadvantages of symmetric-key crypto:– In a two party network, the key must remain secret at both ends

• Sound practice dictates the key needs to be changed frequently (e.g. each session).

– In a large network, n! keys are required which creates a massive problem for key management.


31

summary: asymmetric crypto

• Advantages of asymmetric-key crypto:– Only the private key needs to remain secret– The administration of keys on a network requires the presence of

only a functionally trusted (honest and fair) TTP.– Depending on the mode of usage, the public and private key pairs

may be used for long periods of time (upper bound: Moore’s Law).– In large networks, n keys are required instead of n!

• Disadvantages of asymmetric-key crypto:– Throughput rates are typically very slow (all known algorithms)– Key sizes are typically much larger (1024 .. 4096 bits)– Security is based upon the presumed difficulty of a small set of

number-theoretic problems and all known are subject to short-cut attacks (e.g. knowing the prime factorisation of n)

– Public key crypto does not have an extensive history in the public world.


32

combining cryptosystems

• Symmetric and asymmetric crypto are complementary

• Public key crypto can be used to establish a key for fast symmetric crypto (e.g. a session key)

• Alice and Bob take advantage of the long term benefits of public key crypto and publish their public keys in a directory

• Public key crypto is good for key management and signatures

• Private key crypto is good for encryption and some data integrity applications


33

symmetric crypto key length

• Security of a symmetric cypher is based on– strength of the algorithm– length of the key

• Assuming the strength of the algorithm is perfect (impossible in practice) then brute force is the best attack.

Hardware attack estimates (2005)Cost (USD) 40-bit 56-bit 64-bit 128-bit$100k 0.06s 1.1hrs 11.5d 1018 yrs$1M 6.25ms 6.5min 1.2d 1017 yrs$100M 0.06ms 3.75min 17min 1015 yrs$1G 6.25us 0.4s 1.9min 1014 yrs

• What does Howson’s work impact on these numbers?


34

interesting ways to break symmetric cyphers

• Virus / Worms– What if a worm brute forced a cypher?– Melissa infected ~800k machines– Cracking DES @ 280kkeys/s

([email protected]) Melissa-DES would brute force the key space in 30 hours.

– In 2000 a worm did just that:http://www.distributed.net/trojans.html.en

• Chinese Lottery– Say a 1Mkey/s chip was built into

every radio and TV sold in China.– Each chip is designed to brute force

when a signal is received over the air.– If 10% of the people in China have a

radio or TV, the 56-bit DES key space can be exhausted in 12 minutes.


35

asymmetric crypto key length

• The security of all current, known public key algorithms is based upon the presumed difficulty of a small set of number-theoretic problems.

• All known are subject to short-cut attacks (e.g. knowing the prime factorisation of n). Tomorrow we might figure out how do to this factorisation easily (DNA? Quantum?).

• In 1977, Ron Rivest said that factoring a 125-digit number would take 40 quadrillion years.

• In 2003, a 576-bit (177 digit) number was factored.• In 2007, a 1039-bit (307 digit) number was factored.

Year # digits 512-bit complexity1983 71 > 20,000,000 times1985 80 > 2,000,0001988 90 > 250,0001989 100 > 30,0001993 120 > 500 times1994 129 > 1001999 140 41999 155 1 (300 workstation computing years in 1999)2003 177 .2005 200 (18 months)2007 307 (special case, 11 months)

• Designs are being drawn out for optical / quantum sieving machines that could lead to massive optimisations on these numbers in the near future


36

how long should a key be?

Type of Traffic Lifetime Min. Key Length

Tactical Military Information minutes / hours 64 bitsProduct Announcements / M&A days / weeks 64 bits (too small??)Long Term Business Plans years 64 bits (too small??)Trade Secrets (Recipe for Coke) decades 112 bitsH-bomb Secrets > 40 years 128 bitsIdentities of Spies > 50 years 128 bitsPersonal Affairs > 50 years 128 bitsDiplomatic Embarrassments > 65 years 192 bitsU.S. Census Data 100 years 192 bits

Symmetric versus Asymmetric (as of 1999… way incorrect in 2008!)56 bits vs > 384 bits (56-bit broken in 1997)64 bits vs > 512 bits (1024-bit broken in 2007)80 bits vs > 768 bits128 bits vs > 2304 bits

In 2007, 1024-bit crypto was said to be broken.. Perhaps 64-bits ~= 1024?

Compare with hardware based results for cryptanalysis………..


37

references

• Stallings– §6, §7

• Handbook of Applied Cryptography– read §1– read §3.1, – skim §3.2 - §3.2.3, – read §3.6 - §3.6.2, – skim §3.6.3, – read §8-8.2, 8.4

• For historical interest:– Prehistory of Public Key Cryptography– http://www.research.att.com/~smb/nsam-160/

cns2010handout 9 :: asymmetric crypto1 computer and network security matt barrie

Documents

public key encryption

encryption key

public key decryption

alices public key

public key systems

public key possibleeven

key generation

public keys