emerging key-recovery-service
© RSA 1998
Why Standards?
• Many reasons:
– interoperability
– stability
– assurance
• De facto or de jure?
RSA Data Security, Inc.
Emerging Standards for Public-Key Cryptography
Introduction
• As research matures, it can be made “standard”
– ’70s and ’80s research in public-key cryptography leads to standards in ’90s
• This talk is a snapshot of some of the standards efforts — and the interesting issues they raise
Part I:
Survey of Standards Efforts
Outline
I. Survey of Standards Efforts
II. A General Model for Public-Key Standards
III. Strong Primes: A Recurring Technical Debate
IV. Some Research Motivated by Standards
Some Public-Key Standards Efforts
• ANSI X9F1
• IEEE P1363
• ISO/IEC JTC1 SC27
• US NIST
ANSI X9F1 Efforts
• Some ANSI documents (drafts)
– X9.30 DSA signatures
– X9.31 RSA/RW signatures (rDSA)
– X9.42 DH/MQV key agreement
– X9.44 RSA key transport
– X9.62 elliptic curve signatures
– X9.63 EC key agreement / transport
– X9.79 prime generation
ANSI X9F1
• Financial Services / Data and Information Security / Cryptographic Tools
• Corporate membership
• Quarterly meetings in North America
• www.x9.org
IEEE P1363
• Standard Specifications for Public-Key Cryptography
• Sponsored by IEEE Microprocessor Standards Committee
• Individual participation
• Meetings mostly in North America
• grouper.ieee.org/groups/1363
IEEE P1363 Coverage
• Three types of technique:
– key agreement, signature, encryption
• From three families:
– DL: discrete logarithm
– EC: elliptic curve
– IF: integer factorization
• Also, number theory background, security considerations
IEEE P1363a
• Standard Specifications for Public-Key Cryptography: Additional Techniques
• In preparation
• More techniques, probably same families
– identification likely to be added
ISO/IEC JTC1 SC27
• International Organization for Standardization / International Electrotechnical Commission / Information Technology / IT Security Techniques
• National representation, with experts
• Meetings throughout the world
• www.iso.ch
SC27 Efforts
• Some ISO/IEC documents
– 9796 Signatures with message recovery
– 9798 Entity authentication
– 11770 Key management
– 13888 Nonrepudiation
– 14888 Signatures with appendix
• Symmetric and public-key techniques
U.S. NIST FIPS
• National Institute of Standards and Technology
– part of U.S. Department of Commerce
• Federal Information Processing Standards (FIPS)
• Computer Security Act (1987) gives charter for government cryptography standards
• www.nist.gov
NIST Efforts
• Some FIPS:
– 186 Digital Signature Standard
– 196 Entity Authentication
– new Key Exchange / Agreement
• Others of interest:
– 46-2 Data Encryption Standard
– 180-1 Secure Hash Standard
– new Advanced Encryption Standard
Comparing the Efforts
• Different goals:
– ISO, IEEE: general building blocks
– ANSI: US banking requirements
– NIST: US government, commercial
• Coordination:
– IEEE, ANSI technical convergence
– NIST will accept ANSI signature standards for government purposes
– ISO TC68 adopts ANSI X9F1
Application Standards of Interest
• S/MIME: messaging
• SSL / TLS: communications
• SET: bank card payments
• PKIX: public-key infrastructure
RSA Laboratories’ PKCS
• Public-Key Cryptography Standards
• Informal, intervendor effort coordinated by RSA Laboratories
• Periodic workshops
• www.rsa.com/rsalabs/pubs/PKCS/
PKCS Efforts
• Revisions and new documents:
– PKCS #1 RSA Cryptography
• v2.0 draft in review, includes Bellare-Rogaway OAEP
– PKCS #5 Password-Based Encryption
– PKCS #13 Elliptic Curve Cryptography
– PKCS #14 Pseudorandom Generation
– PKCS #15(?) Smart Card File Formats
Part II:
A General Model for Public-Key Standards
A General Model
• Framework with abstraction, generally following P1363
• Three levels:
– primitives
– schemes
– protocols
• … plus key management
P1363 Naming Convention
• General form:
– family type - instance
• where
– family is DL, EC, IF
– type is one of:
• SP: Signature Primitive
• SSA: Signature Scheme with Appendix
• etc.
– instance is a particular algorithm, e.g., DSA, DH, RSA
Primitives
• Basic mathematical operations
• Low-level implementation
– e.g., crypto-accelerator, software module
• Computational security
– enhanced when combined with additional techniques in a scheme
Types of Primitive
• Secret value derivation
– shared secret value from public key(s), party’s private key(s)
• Signature and verification
• Encryption and decryption
Example: DLSP-DSA / DLVP-DSA
• DSA signature / verification primitives
• DLSP-DSA ((p, q, g, x), m):
– r = (g^k mod p) mod q, k random
– s = k^(-1) (m + xr) mod q
• DLVP-DSA ((p, q, g, y), m, (r, s)):
– r =? (g^(m/s) y^(r/s) mod p) mod q
Primitives in P1363
• Secret Value Derivation
– DH, MQV in DL, EC families
• Signature / Verification:
– DSA, Nyberg-Rueppel in DL, EC families
– RSA with and w/o absolute value
– Rabin-Williams
• Encryption / Decryption:
– RSA
Schemes
• Related operations combining primitives, additional techniques
– a framework with options
• Medium-level implementation
– e.g., cryptographic service library
• Complexity-theoretic security (ideally)
– completed when appropriately applied in a protocol
Types of Scheme
• Key agreement
• Signature
– with appendix
– with message recovery
• Encryption
• Identification (in P1363a)
Additional Techniques
• Encoding method
– maps between message, data to be processed by primitive
– for signatures, encryption schemes
• Key derivation function
– maps from shared secret value to key
– for key agreement schemes
Example: DL/ECSSA
• DL/EC signature scheme
– options: SP / VP / encoding method
• Signature operation (privKey, M):
– S = SP (privKey, Encode (M))
• Verification operation (pubKey, M, S):
– VP (pubKey, Encode (M), S) [DSA]
– Encode (M) =? VP (pubKey, S) [NR]
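The DLSP-DSA / DLVP-DSA primitives from the earlier slide, wrapped in the DL/ECSSA signature and verification operations above, as an added example that is not part of the original talk. The domain parameters (p, q, g) = (23, 11, 4) are constructed toy values, and Encode(M) is taken to be SHA-256 of M reduced into Z_q, a simplification of the standard's truncation of Hash(M).

```python
import hashlib
import secrets

# Constructed toy DSA domain parameters, far too small for real use:
# q = 11 divides p - 1 = 22, and g = 4 has order q modulo p.
P, Q, G = 23, 11, 4


def dlsp_dsa(priv_key, m, k=None):
    """DLSP-DSA: DSA signature primitive on a message representative m in [0, q)."""
    p, q, g, x = priv_key
    while True:
        k = secrets.randbelow(q - 1) + 1 if k is None else k
        r = pow(g, k, p) % q                       # r = (g^k mod p) mod q
        s = (pow(k, -1, q) * (m + x * r)) % q      # s = k^-1 (m + xr) mod q
        if r != 0 and s != 0:                      # degenerate values: redraw k
            return r, s
        k = None


def dlvp_dsa(pub_key, m, sig):
    """DLVP-DSA: checks r == (g^(m/s) y^(r/s) mod p) mod q, with /s meaning * s^-1 mod q."""
    p, q, g, y = pub_key
    r, s = sig
    if not (0 < r < q and 0 < s < q):              # range check before any arithmetic
        return False
    w = pow(s, -1, q)
    u1, u2 = (m * w) % q, (r * w) % q
    return r == (pow(g, u1, p) * pow(y, u2, p) % p) % q


def encode(message, q):
    """Encoding method for DL/EC signatures: Hash(M), reduced into Z_q (toy simplification)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q


def dlssa_sign(priv_key, message):
    """DL/ECSSA signature operation: S = SP(privKey, Encode(M))."""
    return dlsp_dsa(priv_key, encode(message, priv_key[1]))


def dlssa_verify(pub_key, message, sig):
    """DL/ECSSA verification operation, DSA option: VP(pubKey, Encode(M), S)."""
    return dlvp_dsa(pub_key, encode(message, pub_key[1]), sig)


def keygen(p=P, q=Q, g=G):
    """Key pair generation: private x in [1, q-1], public y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return (p, q, g, x), (p, q, g, pow(g, x, p))


if __name__ == "__main__":
    priv, pub = keygen()
    sig = dlssa_sign(priv, b"wire transfer 100")
    print(sig, dlssa_verify(pub, b"wire transfer 100", sig))
```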
Encoding Methods for Signatures
• DL/EC signatures
– Hash (M)
• IF signatures with appendix
– Pad || HashID || Hash (M)
• IF signatures with message recovery
– ISO9796-1 (M)
Related Scheme Operations
• Domain parameter generation
• Domain parameter validation
• Key pair generation
• Public key validation
• Private key validation
Schemes in P1363
• Key agreement
– three DL/EC generic: DH1, DH2, MQV
• Signature with appendix
– DL/EC generic
– IF generic
• Signature with message recovery
– IF generic
• Encryption
– IF generic
Protocols
• Sequence of operations to be performed by parties to achieve some security goal
• High-level implementation
– applications, services
• “Real” security
– but depends on implementation considerations
• (No protocols in P1363)
Types of Protocol
• Key establishment
– key agreement
– key transport
• Entity authentication
• Data origin authentication
• Data confidentiality
Part III: “Strong” Primes: A Recurring Technical Debate
What is a “Strong” Prime?
• RSA key pair consists of
– public key (n, e)
– private key (n, d)
– where n = pq, p and q are large primes, and ed ≡ 1 mod (p-1)(q-1)
• A prime p is strong if p’, the largest factor of p-1, is large
• Are strong primes necessary?
Early ’80s: Yes
• Pollard’s p-1 method (1974) can factor n in about p’ operations, so p’ should be large
• Gordon (1984) gives method for generating RSA keys efficiently with strong prime factors
– X.509 (1988) also mentions conditions
• Related conditions on p+1, p’-1, etc.
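To make the p-1 argument concrete, here is an added example (not from the original talk) of the strong-prime check alongside Pollard's p-1 method on constructed toy moduli: the method succeeds when p' is small and stalls when both factors are safe primes. The moduli 1009·1013 and 1019·1187 and the threshold values are constructed for illustration only.

```python
from math import gcd


def pollard_p_minus_1(n, bound):
    """Pollard's p-1 method: returns a nontrivial factor of n if some prime p | n
    has p' (the largest prime factor of p-1) at most `bound`, else None."""
    a = 2
    for j in range(2, bound + 1):
        a = pow(a, j, n)              # a = 2^(j!) mod n; once (p-1) | j!, a = 1 mod p
        d = gcd(a - 1, n)
        if 1 < d < n:
            return d
    return None


def largest_prime_factor(m):
    """Trial division; adequate for the toy sizes used here."""
    f, largest = 2, 1
    while f * f <= m:
        while m % f == 0:
            largest, m = f, m // f
        f += 1
    return max(largest, m) if m > 1 else largest


def is_strong(p, threshold):
    """A prime p is strong in the slide's sense if p', the largest factor of p-1, is large;
    `threshold` is the (constructed) notion of 'large' for these toy values."""
    return largest_prime_factor(p - 1) >= threshold


# Constructed toy RSA moduli: 1009 and 1013 have smooth p-1 (largest factors 7 and 23),
# while 1019 and 1187 are safe primes (p-1 = 2*509 and 2*593).
WEAK_N = 1009 * 1013
STRONG_N = 1019 * 1187

if __name__ == "__main__":
    print("weak modulus, bound 7:", pollard_p_minus_1(WEAK_N, 7))
    print("strong modulus, bound 100:", pollard_p_minus_1(STRONG_N, 100))
```

The second call returns None because the method needs about p' operations, and p' = 509 exceeds the bound; this is the "p' should be large" condition from the slide, and a key-validation routine can check it directly with `is_strong`.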
Late ’80s / Early ’90s: No
• Lenstra’s ECM (1987) can factor n in O(exp ((2 ln p ln ln p)^(1/2))) operations, so p should be large
• … but if p is large and random, then p’ will be large with high probability
• Rivest (unpublished) argues that strong primes don’t help
– but don’t hurt either
Late ’90s: Maybe
• What about signature repudiation?
– Dishonest user chooses n with weak prime
– Later, disavows signature, claiming that someone factored n by p-1 method
• ANSI X9.31 (1998) standardizes on strong primes for banking
– also, generates primes as one-way function of seed
• Still, are strong primes necessary?
Part IV: Some Research Motivated By Standards
Standards and Research
• Just as mature research is standardized, so standards efforts promote additional research
• Areas of research:
– efficient implementation
– cryptanalysis
– components in the “framework”
Authenticated Encryption Schemes
• Problem:
– Construct authenticated encryption schemes for DL, EC, IF families with similar properties to OAEP, but with variable message length
• Several solutions proposed for P1363a
Model
• C = Encrypt (pubKey, M, P)
• M = Decrypt (privKey, C, P)
– M message
– C ciphertext
– P encoding parameters
• M, C, P arbitrary length
Desired Properties
• One application of underlying primitive
• Plaintext-aware encryption
– no partial information about M
– cannot generate C without M
• hence, cannot modify M
• Binding of P to M
– cannot modify P
• Weaker assumptions
– i.e., not just random oracle model
OAEP for RSA
• As in P1363 (and PKCS #1 v2.0 draft):
• Encrypt (pubKey, M, P):
– EM = Encode (M, P)
– C = EP (pubKey, EM)
• Decrypt (privKey, C, P):
– EM = DP (privKey, C)
– M = Decode (EM, P)
• M, C bounded, P arbitrary length
OAEP Encoding
• Encode (M, P)
– EM = maskedSeed || maskedDB where
• maskedSeed = seed ⊕ G (maskedDB)
• maskedDB = DB ⊕ G (seed)
• DB = H (P) || pad || M
• seed random
• H hash function, G mask generation function
• Decode (C, P): an exercise
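The OAEP encoding above, with the "exercise" decoder worked out, as an added example that is not code from the original talk or from PKCS #1. It assumes H = SHA-256, G = MGF1 built on H, the pad = 00...00 01 separator convention, and an EM one byte shorter than the modulus so that EM < n; all inputs are constructed.

```python
import hashlib
import secrets

H = hashlib.sha256            # H: hash function applied to the encoding parameters P
H_LEN = H().digest_size


def G(seed, length):
    """Mask generation function (MGF1 over H): the G of the slide."""
    out, counter = b"", 0
    while len(out) < length:
        out += H(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message, params, em_len, seed=None):
    """Encode(M, P): EM = maskedSeed || maskedDB, DB = H(P) || pad || M.
    em_len is the byte length of EM (assumed one less than the modulus length)."""
    pad_len = em_len - 2 * H_LEN - 1 - len(message)
    if pad_len < 0:
        raise ValueError("message too long")   # length of M is bounded by the modulus
    db = H(params).digest() + b"\x00" * pad_len + b"\x01" + message
    seed = secrets.token_bytes(H_LEN) if seed is None else seed
    masked_db = xor(db, G(seed, len(db)))      # maskedDB = DB xor G(seed)
    masked_seed = xor(seed, G(masked_db, H_LEN))  # maskedSeed = seed xor G(maskedDB)
    return masked_seed + masked_db


def oaep_decode(em, params):
    """Decode(EM, P): strip the masks, then check H(P), the zero pad and the 01 separator."""
    masked_seed, masked_db = em[:H_LEN], em[H_LEN:]
    seed = xor(masked_seed, G(masked_db, H_LEN))
    db = xor(masked_db, G(seed, len(masked_db)))
    p_hash, rest = db[:H_LEN], db[H_LEN:]
    sep = rest.find(b"\x01")
    # One generic error for every failure mode, so the decoder does not reveal which check failed.
    if (len(em) < 2 * H_LEN + 1 or p_hash != H(params).digest()
            or sep < 0 or any(rest[:sep])):
        raise ValueError("decoding error")
    return rest[sep + 1:]


if __name__ == "__main__":
    em = oaep_encode(b"session key", b"label", 127)   # 127 = 128-byte modulus minus one
    print(oaep_decode(em, b"label"))
```

Decoding with different parameters P, or after flipping a ciphertext-side byte, fails the H(P) check, which is the binding of P to M and the plaintext-awareness the "Desired Properties" slide asks for.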
Limitations
• EM must be shorter than RSA modulus, so length of M is bounded
• Assumes encryption primitive — but DL/EC only has secret value derivation primitive
• Relies on random oracle model for G
IF Encryption Ideas
1. Encrypt only part of EM (various)
– removes bound on length of M
– which part?
2. Construct G only partly from random oracle (Bellare, Rogaway 1996)
3. Add more “rounds” to OAEP (Johnson, Matyas, Peyravian 1996)
– may reduce assumptions, need for seed
DL/EC Encryption Ideas
• General: Generate shared secret value K as in key agreement scheme, combine with M, P
1. Encode M as in OAEP, exclusive-OR K with part of result (various)
2. Combine with MACs, reduced r.o. methods (Bellare, Rogaway 1996)
3. Combine with universal hash functions, mask generation (Zheng 1996)
Some Other Recent Results
• Security of “unified model” of DH key agreement (Blake-Wilson, Johnson, Menezes 1997)
• RSA key validation (Liskov, Silverman 1997)
• Storage-efficient basis conversion (Kaliski, Yin 1998)
Conclusions
• Research in cryptology and data security is leading to standards, and vice versa
• Several standards efforts for different sectors, but coordinated
• General model for public-key standards emerging
• … and some technical debate continues