254542 networks management and security lecture 3


Upload: veronica-quinn

Post on 01-Jan-2016


254542 Networks Management and Security

Lecture 3


Public-Key Cryptography

• Each party will have a public key for encryption and a private key for decryption

• No key transmission

• High scalability

• Either key can be used first (for encryption)!

m → E_p(m) → M = D_s(E_p(m))

Public key, p; private key, s


Symmetric vs. Asymmetric

Symmetric:

• Fast (In software, DES is 100 times as fast as RSA)
• L(c) usually ≤ L(m)
• Key management is difficult
• No. of keys is approximately = (No. of participants)^2

Asymmetric:

• Slower
• L(c) ≥ L(m)
• No problem in managing keys
• No. of keys = No. of participants
• Non-repudiation check


RSA: basic ideas

• Ron Rivest, Adi Shamir, and Len Adleman from MIT developed RSA in 1978

• Keys are based on large prime numbers
  – easy to find
  – extremely hard to factor their products

• Selection and generation of public and private keys?


RSA: algorithm

• Use 2 large prime numbers, P and Q

• N = P x Q

• Find small E (public exponent) such that it is relatively prime to (P-1) x (Q-1)

• Find D (private exponent) such that (DxE) mod (P-1)(Q-1) = 1

• For encryption C = M^E mod N

• For decryption M = C^D mod N


RSA: example

• Let P = 7 and Q = 17

• N = P x Q = 119 and (P-1)(Q-1) = 96

• 96 = 2 x 2 x 2 x 2 x 2 x 3, therefore E can be 5 (it has neither 2 nor 3 as a factor)

• D = 77 since (5x77) mod 96 = 1

• Set M = 6, therefore C = 6^5 mod 119 = 41

• Decrypting C, M = 41^77 mod 119 = 6


Cracking RSA

• Factoring N to find P, Q (and finally D)
  – complex and time-consuming if N is sufficiently large

• Find the E-th root mod N (since C = M^E mod N)
  – No general methods are known
  – Related messages encrypted with the same E may give away some clues

• M can be guessed if it is sent to multiple parties
  – Prevented by random padding
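The steps from the RSA algorithm and example slides, together with the factoring point above, as an added Python example (not part of the original slides). Function names are chosen here; the numbers are the slides' P = 7, Q = 17 and M = 6.

```python
from math import gcd

def make_keys(p, q):
    """Textbook RSA key generation following the slide's steps."""
    n = p * q
    phi = (p - 1) * (q - 1)
    # Smallest E > 1 that is relatively prime to (P-1)(Q-1)
    e = next(k for k in range(2, phi) if gcd(k, phi) == 1)
    # D such that (D x E) mod (P-1)(Q-1) = 1
    d = pow(e, -1, phi)
    return n, e, d

def encrypt(m, e, n):
    return pow(m, e, n)          # C = M^E mod N

def decrypt(c, d, n):
    return pow(c, d, n)          # M = C^D mod N

def factor(n):
    """Trial division; it finishes instantly only because this N is tiny."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("n is prime")

def recover_private_exponent(n, e):
    """Whoever factors N can rebuild D from the public values (N, E) alone."""
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    n, e, d = make_keys(7, 17)
    c = encrypt(6, e, n)
    print("N, E, D =", n, e, d)
    print("C =", c, "decrypts to", decrypt(c, d, n))
    print("D recovered by factoring N:", recover_private_exponent(n, e))
```

The last function is why the key-size guidance matters: the private exponent is protected only by the cost of factoring N.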


RSA Key Size

• Larger N, higher security, slower process

• P and Q should be roughly of equal length

• In 1999, a 512-bit RSA key was factored in 7 months

• Recommended 1024 bits for corporate use (2048 bits for extremely valuable keys)


RSA in Practice

• Built into current OS by Microsoft, Apple, SUN, Novell

• On Ethernet cards, smart cards, secure telephones

• In protocols such as S/MIME, SSL, and S/WAN

• It’s the most widely used cryptosystem in the world


Elliptic Curve Algorithm

• Let E be an elliptic curve
• P is a point in E
• A random number d is generated
• Let Q = d x P
• Then E, P, Q are public values
• And d is a private key
• If the curve is big enough, it’s almost impossible to find d


Hybrid Scheme: Digital Envelope

• A encrypts m using K1, a one-time secret key
• A encrypts K1 with B’s public key, K2 (Key wrapping)
• A puts c and encrypted symmetric key in a digital envelope, which is then sent to B
• B uses its private key, K3, to decrypt and get K1
• B uses K1 to decrypt m

A → B: E_k1(m) + E_k2(K1)

1. D_k3(E_k2(K1)) = K1

2. D_k1(E_k1(m)) = m
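The envelope exchange above as an added Python example (not part of the original slides). The key pair is constructed for the demo, the symmetric cipher is a toy SHA-256 keystream standing in for a real cipher such as DES, and the function names are chosen here.

```python
import hashlib
import secrets

# Constructed demo key pair for B. Mersenne primes are used only so the key
# can be written inline; real keys use random primes and padded RSA.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q
E = 65537                                   # K2: B's public key is (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))           # K3: B's private exponent

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with SHA-256(key || counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(m: bytes, n: int, e: int):
    """A's side: returns the envelope (c, wrapped K1)."""
    k1 = secrets.token_bytes(16)                     # one-time secret key K1
    c = keystream_xor(k1, m)                         # c = E_k1(m)
    wrapped = pow(int.from_bytes(k1, "big"), e, n)   # E_k2(K1), key wrapping
    return c, wrapped

def open_envelope(c: bytes, wrapped: int, n: int, d: int) -> bytes:
    """B's side: unwrap K1 with the private key, then decrypt c."""
    k1 = pow(wrapped, d, n).to_bytes(16, "big")      # D_k3(E_k2(K1)) = K1
    return keystream_xor(k1, c)                      # D_k1(E_k1(m)) = m

if __name__ == "__main__":
    message = b"constructed sample message for the envelope demo"
    c, wrapped = seal(message, N, E)
    print(len(message), len(c), open_envelope(c, wrapped, N, D))
```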


Advantages of Digital Envelope

• Using a symmetric key to encrypt a long m is fast

• c is the same size as m

• Using a public key for K1 encryption is relatively fast (since K1 is smaller than m)

• No problem in key exchange


Digital Signature

• For authentication and non-repudiation purposes
• A encrypts h(m) with its private key
  – E_SA(h(m)) = digital signature (DS) of A

• B decrypts A’s DS with A’s public key
• B computes h(m) and compares with the hash value from A’s message. If matched, …
  – The sender is really A
  – Message is not altered in transit


Well-known Hashing Functions

• MD5, designed by Ron Rivest
  – 128-bit output
  – No known attacks have been proved to break MD5 (yet)

• SHA-1 (Secure Hash Algorithm)
  – A modified version of MD5 by NIST and NSA
  – 160-bit output
  – Slower but more secure


Problem in Public-key Exchange: Man-in-the-middle Attack

Diagram (A and B with M in the middle): one party sends ‘my E=3’ and the other sends ‘my E=7’; M intercepts each message and sends ‘my E=5’ instead.

• How to know the DS is really from A (or B)?

• Timestamp to bind DS to a particular time

• Need someone who is trusted by everyone


RSA-based Digital Signature in Practice

• If a third party is needed to check m’s integrity, MD can be computed from c

• Since E is much smaller than D, signature verification is faster than signing

• Certificate(s) may accompany DS to prevent impersonation


Digital Certificate

• A signed document that binds the public key to the identity of a party

• The certifier’s public key is widely trusted
• Contains the user name, the user’s public key, and
• The validity date range
• Issuer name and its digital signature

• X.509 defines the structure of a digital certificate
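The Digital Signature, man-in-the-middle and Digital Certificate slides tied together in one added Python example (not part of the original slides): A signs h(m), a CA signs the binding of A's name to A's public key, and B checks both. The keys, the JSON certificate layout, the field names and the "Demo CA" issuer are constructed for illustration and are not X.509; SHA-256 stands in for h.

```python
import hashlib
import json

E = 65537   # public exponent shared by both demo keys

def keypair(p, q):
    """Textbook RSA: returns (n, d) for the two primes p and q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed demo keys: Mersenne primes only so they can be written inline.
CA_N, CA_D = keypair(2**521 - 1, 2**607 - 1)
A_N, A_D = keypair(2**607 - 1, 2**1279 - 1)

def h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, d: int, n: int) -> int:
    return pow(h(data), d, n)          # DS = E_S(h(m)), signer's private key

def verify(data: bytes, ds: int, n: int) -> bool:
    return pow(ds, E, n) == h(data)    # decrypt DS with public key, compare

def issue_cert(subject, subject_n, not_before, not_after):
    """CA binds a name to a public key and signs the binding."""
    body = {"subject": subject, "public_n": subject_n, "issuer": "Demo CA",
            "not_before": not_before, "not_after": not_after}
    tbs = json.dumps(body, sort_keys=True).encode()
    return {**body, "signature": sign(tbs, CA_D, CA_N)}

def check_message(m, ds, cert, claimed_sender, today):
    """B's checks: CA signature, identity, validity dates, then the DS."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    tbs = json.dumps(body, sort_keys=True).encode()
    if not verify(tbs, cert["signature"], CA_N):
        return "bad certificate"       # e.g. public key swapped in transit
    if cert["subject"] != claimed_sender:
        return "wrong subject"
    if not cert["not_before"] <= today <= cert["not_after"]:
        return "certificate not valid today"
    if not verify(m, ds, cert["public_n"]):
        return "bad signature"         # message altered or not signed by A
    return "ok"
```

A certificate whose public key was replaced in transit fails the first check, which is the protection the plain ‘my E=…’ exchange lacks.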


Certification Authority (CA)

• A trusted agency that issues digital certificates

• Can issue digital certificates to individuals or organizations

• May be assisted by RA (registration authority) in interaction activities between CA and users


Certificate Creation

• Key generation (by users or by RA)

• Registration by using Certificate Signing Request (CSR) or PKCS #10 (Public key Cryptography Standard)

• User’s credential verification
  – Checks paper-based evidence (e.g. passport)
  – Checks Proof of Possession (POP) of D

• CA signs certificates with its private key


CA’s certificate verification

• Alice can verify neither B4’s nor A2’s certificates
• Both Alice and Bob can verify root CA
• Who signs root CA’s certificate?

Diagram: tree with Root CA at the top, two 2nd level CAs, four 3rd level CAs, and the labels A1, A2, B1, B4, Alice and Bob below them.


Cross-certification

• Alice and Bob live in different countries = different root CAs

• Bob’s root CA is certified by Alice’s root CA

• Alice’s root CA can also be certified by Bob’s root CA


Certificate Revocation

• In case a private key is compromised or lost

• The user must immediately notify CA

• The public key is then added to Certificate Revocation List (CRL)

• The user may need to use a new private key to re-sign documents


Well-known CAs

• Baltimore (http://www.baltimore.com/)

• Entrust Technologies (http://www.entrust.com/)

• RSA Security (http://www.rsasecurity.com/)

• VeriSign (http://www.verisign.com/)


Attacks on CAs

• Cryptanalytic attack on CA’s key pair
  – CAs use long keys that change regularly
  – Top-level CAs must use especially long keys

• What if a CA’s key is broken after it expires?
  – E.g. forged will or other legal documents etc.

• Impersonated CSR by
  – Forged evidence
  – Bribery


Key Agreement Protocol

• A.k.a. Key exchange protocol

• Used by multiple parties to agree on a secret key

• Allows secure key sharing over an insecure medium

• e.g. Diffie-Hellman algorithm

• Public-key cryptography or digital envelope can also be used for key exchange


Diffie-Hellman Key Exchange: initial setup

• A.k.a. exponential key exchange

• Public values p and g (generator) where
  – p is prime and g ≤ p
  – For every n between 1 and p-1, there are g and k such that n = g^k mod p


Diffie-Hellman Key Exchange: Algorithm

• Alice and Bob generate random private values a and b (both are integers)

• A’s public value = g^a mod p

• B’s public value = g^b mod p

• Public values exchanged

• A computes g^(ab) = (g^b)^a mod p = k

• B computes g^(ab) = (g^a)^b mod p = k


Attacks on Diffie-Hellman Algorithm

• Man-in-the-middle !!

• Solution:
  – digital signature
  – authenticated Diffie-Hellman (STS: Station to Station protocol)
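The setup, algorithm and man-in-the-middle slides as one added Python example (not part of the original slides). The parameters p = 23, g = 5 and the private values a, b, m are small constructed numbers so every result can be checked by hand; real exchanges use large random values, and the function names are chosen here.

```python
def is_generator(g, p):
    """Setup-slide condition: every n in 1..p-1 equals g^k mod p for some k."""
    return {pow(g, k, p) for k in range(1, p)} == set(range(1, p))

def public_value(g, priv, p):
    return pow(g, priv, p)                # g^a mod p

def shared_key(their_public, priv, p):
    return pow(their_public, priv, p)     # (g^b)^a mod p = k

def honest_exchange(p, g, a, b):
    """Alice and Bob swap public values and derive the same k."""
    A, B = public_value(g, a, p), public_value(g, b, p)
    return shared_key(B, a, p), shared_key(A, b, p)

def intercepted_exchange(p, g, a, b, m):
    """Both public values are replaced in transit by M's own g^m mod p.

    Returns (Alice's key, Bob's key, M's key with Alice, M's key with Bob).
    """
    A, B, M = (public_value(g, x, p) for x in (a, b, m))
    k_alice = shared_key(M, a, p)         # Alice believes M's value is Bob's
    k_bob = shared_key(M, b, p)           # Bob believes M's value is Alice's
    return k_alice, k_bob, shared_key(A, m, p), shared_key(B, m, p)

if __name__ == "__main__":
    p, g = 23, 5
    print("g is a generator:", is_generator(g, p))
    print("honest:", honest_exchange(p, g, a=4, b=3))
    print("intercepted:", intercepted_exchange(p, g, a=4, b=3, m=6))
```

In the intercepted run Alice and Bob end up with different keys, each shared with M, and nothing in the exchange itself reveals it; that is the gap signed public values or STS close.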