Download Understanding Public Key Cryptography & Key Agreement with Diffie-Hellman Protocol and more Study notes Computer Science in PDF only on Docsity!
CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger
CSE 543 - Computer Security
Lecture 5 - Public Key Cryptosystems
September 11, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/
1
CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page Key Distribution/Agreement
- Key Distribution is the process where we assign and transfer keys to a participant - Out of band (e.g., passwords, simple) - During authentication (e.g., Kerberos) - As part of communication (e.g., skip-encryption)
- Key Agreement is the process whereby two parties negotiate a key - 2 or more participants
- Typically, key distribution/agreement this occurs in conjunction with or after authentication. - However, many applications can pre-load keys
CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page Diffie-Hellman Protocol
- For two participants p 1 and p 2
- Setup: We pick a prime number p and a base g (< p )
- This information is public
- E.g., p=13 , g=
- Step 1: Each principal picks a private value x (< p-1 )
- Step 2: Each principal generates and communicates a new value y = g x mod p
- Step 3: Each principal generates the secret shared key z z = y x mod p
- Perform a neighbor exchange.
CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page Attacks on Diffie-Hellman
- This is key agreement, not authentication.
- You really don’t know anything about who you have exchanged keys with
- The man in the middle …
- Alice and Bob think they are talking directly to each other, but Mallory is actually performing two separate exchanges
- You need to have an authenticated DH exchange
- The parties sign the exchanges (more or less)
- See Schneier for a intuitive description
A B
CSE543 Computer (and Network) Security - Fall 2005 - Professor McDanielCSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger RSA (Rivest, Shamir, Adelman)
- A dominant public key algorithm
- The algorithm itself is conceptually simple
- Why it is secure is very deep (number theory)
- Use properties of exponentiation modulo a product of large primes "A method for obtaining Digital Signatures and Public Key Cryptosystems“, Communications of the ACM, Feb., 1978 21(2) pages 120-126.
CSE543 Computer (and Network) Security - Fall 2005 - Professor McDanielCSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger RSA Key Generation
- Pick two large primes p and q
- Calculate n = pq
- Pick e such that it is relatively prime to phi(n) = (q-1)(p-1) - “Euler’s Totient Function”
d ~= e
mod phi(n) or
de mod phi(n) = 1
- p=3, q=
- n = 3*11 = 33
- phi(n) = (2*10) = 20
- e = 7 | GCD(20,7) = 1
- “Euclid’s Algorithm” d = 7-1 mod 20 d = 7 mod 20 = 1 d = 3
CSE543 Computer (and Network) Security - Fall 2005 - Professor McDanielCSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Encryption using private key …
- Encryption and Decryption E(k - ,P) : ciphertext = plaintext d mod n D(k
,C) : plaintext = ciphertext e mod n
- E.g.,
- E({3,45},4) = 4 3 mod 33 = 64 mod 33 = 31
- D({7,45},19) = 31 7 mod 33 = 27,512,614,111 mod 33 = 4
- Q: Why encrypt with private key?
CSE543 Computer (and Network) Security - Fall 2005 - Professor McDanielCSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Digital Signatures
- Models physical signatures in digital world
- Association between private key and document
- … and indirectly identity and document.
- Asserts that document is authentic and non- reputable
- To sign a document
- Given document d, private key k-
- Signature S(d) = E( k -, h(d) )
- Validation
- Given document d, signature S(d), public key k+
- Validate D(k +, S(d)) = H(d)
CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page Needham-Schroeder Public Key
- Does It Still Look OK?
- Message a.1: A --> B : A,B, {NA, A}PKB
- A initiates protocol with fresh value for B
- Message a.2: B --> A : B,A, {NA, NB}PKA
- B demonstrates knowledge of NA and challenges A
- Message a.3: A --> B : A,B, {NB}PKB
- A demonstrates knowledge of NB
- A and B are the only ones who can read NA and NB
CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page Gavin Lowe’s Attack on N-S Public Key
- An active intruder X participates...
- Message a.1: A --> X : A,X, {NA, A}PKX
- Message b.1: X(A) --> B : A,B, {NA, A}PKB
- X as A initiates protocol with fresh value for B
- Message b.2: B --> X(A) : B,A, {NA, NB}PKA
- Message a.2: X --> A : X,A, {NA, NB}PKA
- X asks A to demonstrates knowledge of NB
- Message a.3: A --> X : A,X, {NB}PKX
- Message b.3: X(A) --> B : A,B, {NB}PKB
- X completes the protocol as A
CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page The Fix
- It’s Trivial
- Message a.1: A --> B : A,B, {NA, A}PKB
- A initiates protocol with fresh value for B
- Message a.2: B --> A : B,A, {NA, NB, B }PKA
- B demonstrates knowledge of NA and challenges A
- Message a.3: A --> B : A,B, {NB}PKB
- A demonstrates knowledge of NB
CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page Impact on Protocol Analysis
- Protocol Analysis Took a Black Eye
- BAN Logic Is Insufficient
- BAN Logic Is Misleading
- Protocol Analysis Became a Hot Topic
- Lowe’s FDR
- Meadow’s NRL Analyzer
- Millen’s Interrogator
- Rubin’s Non-monotonic protocols
- ....
- In the end, could find known flaws, but...
- attacker model is too complex
CSE543 Computer (and Network) Security - Fall 2005 - Professor McDanielCSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Review: secret vs. public key crypto.
- Secret key cryptography
- Symmetric keys, where A single key (k) is used is used for E and D
- D( E( p, k ), k ) = p
- All (intended) receivers
have access to key
determines who has access
to encrypted data
- E.g., password encrypted email
- Also known as symmetric
key cryptography
- Public key cryptography
- Each key pair consists of a public and private component: k+ (public key), k- (private key) D( E(p, k+), k- ) = p D( E(p, k-), k+ ) = p
- Public keys are distributed (typically) through public key certificates
- Anyone can communicate secretly with you if they have your certificate
- E.g., SSL-based web commerce
CSE543 Computer (and Network) Security - Fall 2005 - Professor McDanielCSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger The symmetric/asymmetric key tradeoff
- Symmetric (shared) key systems
- Efficient (Many MB/sec throughput)
- Difficult key management
- Kerberos
- Key agreement protocols
- Asymmetric (public) key systems
- Slow algorithms (so far …)
- Easy (easier) key management
- PKI - public key infrastructures
- Webs of trust (PGP)