Cryptography and Network Security Chapter 9 doc

Cryptography and Network Security
Chapter 9
Fourth Edition
by William Stallings
Lecture slides by Lawrie Brown

Chapter 9 – Public Key Cryptography and RSA

Every Egyptian received two names, which were known respectively as the true name and the good name, or the great name and the little name; and while the good or little name was made public, the true or great name appears to have been carefully concealed.

The Golden Bough,

Private-Key Cryptography

Public-Key Cryptography

Why Public-Key Cryptography?

key distribution – how to have secure communications in general without having to trust a KDC with your key
digital signatures – how to verify a message comes intact from the claimed sender

known earlier in classified community

Public-Key Cryptography

a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures
a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures

those who encrypt messages or verify signatures cannot decrypt messages or create signatures

Public-Key Cryptography

Public-Key Characteristics

it is computationally infeasible to find decryption key knowing only algorithm & encryption key
it is computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known
either of the two related keys can be used for encryption, with the other used for decryption (for some algorithms)

Public-Key Cryptosystems

Public-Key Applications

encryption/decryption (provide secrecy)
digital signatures (provide authentication)
key exchange (of session keys)

Security of Public Key Schemes

RSA

nb. exponentiation takes O((log n)^3) operations (easy)
nb. factorization takes O(e^(log n log log n)) operations (hard)

RSA Key Setup

p, q
n=p.q
note ø(n)=(p-1)(q-1)
e where 1<e<ø(n), gcd(e,ø(n))=1
d
e.d=1 mod ø(n) and 0 d n

RSA Use

obtains public key of recipient PU={e,n}
computes: C = M^e mod n, where 0 M < n

uses their private key PR={d,n}
computes: M = C^d mod n

Why RSA Works

a^ø(n) mod n = 1 where gcd(a,n)=1

n=p.q
ø(n)=(p-1)(q-1)
carefully chose e & d to be inverses mod ø(n)
hence e.d=1+k.ø(n) for some k

C^d = M^(e.d) = M^(1+k.ø(n)) = M^1.(M^ø(n))^k
    = M^1.(1)^k = M^1 = M mod n

RSA Example - Key Setup

p=17 & q=11
n = pq = 17 x 11 = 187
ø(n)=(p-1)(q-1)=16 x 10=160
e: gcd(e,160)=1; e=7
d: de=1 mod 160, d < 160; d=23, 23 x 7=161= 10 x 160+1
PU={7,187}
PR={23,187}

RSA Example - En/Decryption

M = 88 (88<187)
C = 88^7 mod 187 = 11
M = 11^23 mod 187 = 88

Exponentiation

eg. 7^5 = 7^4.7^1 = 3.7 = 10 mod 11
eg. 3^129 = 3^128.3^1 = 5.3 = 4 mod 11

Exponentiation

c = 0; f = 1
for i = k downto 0
    do c = 2 x c
       f = (f x f) mod n
    if b_i == 1
       then c = c + 1
            f = (f x a) mod n
return f
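
The square-and-multiply loop above, combined with the key setup and en/decryption from the RSA example slides, as an added Python example that is not part of the original slides. The function names are chosen here; the values p=17, q=11, e=7 and M=88 are the slides' own.

```python
def mod_exp(a, b, n):
    """Left-to-right square-and-multiply, following the slide's pseudocode.
    c is kept only to show the invariant f == a**c mod n."""
    c, f = 0, 1
    for i in range(b.bit_length() - 1, -1, -1):    # i = k downto 0
        c = 2 * c
        f = (f * f) % n
        # Data-dependent branch on a key bit: the kind of "IF" the
        # Timing Attacks slide refers to.
        if (b >> i) & 1:                            # bit b_i of the exponent
            c = c + 1
            f = (f * a) % n
    assert c == b                                   # all exponent bits consumed
    return f


def ext_gcd(x, y):
    """Return (g, s, t) with g = gcd(x, y) = s*x + t*y (extended Euclid)."""
    if y == 0:
        return x, 1, 0
    g, s, t = ext_gcd(y, x % y)
    return g, t, s - (x // y) * t


def rsa_key_setup(p, q, e):
    """Derive PU={e,n} and PR={d,n} from primes p, q and a chosen e."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, s, _ = ext_gcd(e, phi)
    if not 1 < e < phi or g != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    return (e, n), (s % phi, n)                     # d = e^-1 mod phi(n)


def rsa_encrypt(m, public):
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < n")
    return mod_exp(m, e, n)


def rsa_decrypt(c, private):
    d, n = private
    return mod_exp(c, d, n)


if __name__ == "__main__":
    PU, PR = rsa_key_setup(17, 11, 7)               # the slides' toy parameters
    C = rsa_encrypt(88, PU)
    print(PU, PR, C, rsa_decrypt(C, PR))
```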



Efficient Encryption

often choose e=65537 (2^16-1)
also see choices of e=3 or e=17
using Chinese remainder theorem & 3 messages with different moduli
gcd(e,ø(n))=1
ie reject any p or q not relatively prime to e

Efficient Decryption

this is likely large, insecure if not
approx 4 times faster than doing directly

RSA Key Generation

determine two primes at random - p, q
select either e or d and compute the other
p,q
n=p.q
means must be sufficiently large
typically guess and use probabilistic test

4
4
e
e


d
d
=
=



RSA Security

brute force key search (infeasible given size of numbers)
mathematical attacks (based on difficulty of computing ø(n), by factoring modulus n)
timing attacks (on running of decryption)
chosen ciphertext attacks (given properties of RSA)

Factoring Problem

factor n=p.q, hence compute ø(n) and then d
determine ø(n) directly and compute d
find d directly

have seen slow improvements over the years
as of May-05 best is 200 decimal digits (663 bit) with LS
biggest improvement comes from improved algorithm
cf QS to GNFS to LS
currently assume 1024-2048 bit RSA is secure
ensure p, q of similar size and matching other constraints

Timing Attacks

eg. multiplying by small vs large number
or IF's varying which instructions executed

use constant exponentiation time
add random delays
blind values used in calculations
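
The last countermeasure, blinding, as an added Python example that is not from the original slides, exercised with the toy key PU={7,187}, PR={23,187} from the RSA example. The function names are chosen here, and the example assumes Python 3.8+ for the modular inverse; Python integers are not constant-time, so this shows the arithmetic of blinding only.

```python
import math
import secrets


def blind(c, e, n):
    """Return (c * r^e mod n, r^-1 mod n) for a fresh random r coprime to n."""
    while True:
        r = secrets.randbelow(n - 2) + 2           # r in [2, n-1]
        if math.gcd(r, n) == 1:                     # r must be invertible mod n
            break
    return (c * pow(r, e, n)) % n, pow(r, -1, n)


def unblind(m_blind, r_inv, n):
    """Strip the blinding factor: m = (m * r) * r^-1 mod n."""
    return (m_blind * r_inv) % n


def blinded_decrypt(c, d, e, n):
    """Compute c^d mod n without exponentiating the caller-supplied c itself.

    The private-key exponentiation runs on c' = c * r^e, and
    (c')^d = c^d * r^(e.d) = m * r mod n, so its input (and therefore its
    running time) cannot be correlated with the submitted ciphertext.
    """
    c_blind, r_inv = blind(c, e, n)
    m_blind = pow(c_blind, d, n)
    return unblind(m_blind, r_inv, n)


def distinct_blinded_inputs(c, e, n, trials=50):
    """Count how many different values reach the private-key operation when
    the same ciphertext c is submitted `trials` times."""
    return len({blind(c, e, n)[0] for _ in range(trials)})


if __name__ == "__main__":
    e, d, n = 7, 23, 187                            # the slides' toy key
    print(blinded_decrypt(11, d, e, n))             # same result as 11^23 mod 187
    print(distinct_blinded_inputs(11, e, n))
```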
