NetworkSecurity_Chapter3
Download
Report
Transcript NetworkSecurity_Chapter3
Chapter 3
Public Key Cryptography
MSc. NGUYEN CAO DAT
Dr. TRAN VAN HOAI
BK
TP.HCM
Outline
Finite Fields
Number Theory
Public Key Cryptography
▫ Diffie Helman
▫ RSA
▫ El Gamal
2
BK
TP.HCM
Finite Fields
• Concept of groups, rings, fields
• Modular arithmetic with integers
• Euclid’s algorithm for GCD
• Finite fields GF(p)
3
BK
TP.HCM
Group
a set of elements or “numbers”
with some operation whose result is also in the
set (closure)
obeys:
▫ associative law:
(a.b).c = a.(b.c)
▫ has identity e:e.a = a.e = a
▫ has inverses a-1:
a.a-1 = e
if commutative
a.b = b.a
▫ then forms an abelian group
BK
TP.HCM
Cyclic Group
define exponentiation as repeated application
of operator
▫ example:
a3 = a.a.a
and let identity be: e=a0
a group is cyclic if every element is a power of
some fixed element
▫ ie b = ak
for some a and every b in group
a is said to be a generator of the group
BK
TP.HCM
Ring
a set of “numbers”
with two operations (addition and multiplication)
which form:
an abelian group with addition operation
and multiplication:
▫ has closure
▫ is associative
▫ distributive over addition:
a(b+c) = ab + ac
if multiplication operation is commutative, it
forms a commutative ring
if multiplication operation has an identity and no
zero divisors, it forms an integral domain
BK
TP.HCM
Field
a set of numbers
with two operations which form:
▫ abelian group for addition
▫ abelian group for multiplication (ignoring 0)
▫ ring
have hierarchy with more axioms/laws
▫ group -> ring -> field
BK
TP.HCM
Modular Arithmetic
define modulo operator “a mod n” to be
remainder when a is divided by n
use the term congruence for: a = b mod n
▫ when divided by n, a & b have same remainder
▫ eg. 100 = 34 mod 11
b is called a residue of a mod n
▫ since with integers can always write: a = qn + b
▫ usually chose smallest positive remainder as residue
ie. 0 <= b <= n-1
▫ process is known as modulo reduction
eg. -12 mod 7 = -5 mod 7 = 2 mod 7 = 9 mod 7
BK
TP.HCM
Divisors
say a non-zero number b divides a if for some
m have a=mb (a,b,m all integers)
that is b divides into a with no remainder
denote this b|a
and say that b is a divisor of a
eg. all of 1,2,3,4,6,8,12,24 divide 24
BK
TP.HCM
Modular Arithmetic Operations
is 'clock arithmetic'
uses a finite number of values, and loops back
from either end
modular arithmetic is when do addition &
multiplication and modulo reduce answer
can do reduction at any point, ie
▫ a+b mod n = [a mod n + b mod n] mod n
BK
TP.HCM
Modular Arithmetic
can do modular arithmetic with any group of
integers:
Zn = {0, 1, … , n-1}
form a commutative ring for addition
with a multiplicative identity
note some peculiarities
▫ if (a+b)=(a+c) mod n
then b=c mod n
▫ but if (a.b)=(a.c) mod n
then b=c mod n only if a is relatively prime to n
BK
TP.HCM
Modulo 8 Addition Example
+
0
1
2
3
4
5
6
7
0
0
1
2
3
4
5
6
7
1
1
2
3
4
5
6
7
0
2
2
3
4
5
6
7
0
1
3
3
4
5
6
7
0
1
2
4
4
5
6
7
0
1
2
3
5
5
6
7
0
1
2
3
4
6
6
7
0
1
2
3
4
5
7
7
0
1
2
3
4
5
6
BK
TP.HCM
Greatest Common Divisor (GCD)
a common problem in number theory
GCD (a,b) of a and b is the largest number that
divides evenly into both a and b
▫ eg GCD(60,24) = 12
often want no common factors (except 1) and
hence numbers are relatively prime
▫ eg GCD(8,15) = 1
▫ hence 8 & 15 are relatively prime
BK
TP.HCM
Euclidean Algorithm
an efficient way to find the GCD(a,b)
uses theorem that:
▫ GCD(a,b) = GCD(b, a mod b)
Euclidean Algorithm to compute GCD(a,b) is:
EUCLID(a,b)
1.
2.
3.
4.
5.
6.
A = a; B = b
if B = 0 return
R = A mod B
A = B
B = R
goto 2
A = gcd(a, b)
BK
TP.HCM
Example GCD(1970,1066)
1970 = 1 x 1066 + 904
1066 = 1 x 904 + 162
904 = 5 x 162 + 94
162 = 1 x 94 + 68
94 = 1 x 68 + 26
68 = 2 x 26 + 16
26 = 1 x 16 + 10
16 = 1 x 10 + 6
10 = 1 x 6 + 4
6 = 1 x 4 + 2
4 = 2 x 2 + 0
gcd(1066, 904)
gcd(904, 162)
gcd(162, 94)
gcd(94, 68)
gcd(68, 26)
gcd(26, 16)
gcd(16, 10)
gcd(10, 6)
gcd(6, 4)
gcd(4, 2)
gcd(2, 0)
BK
TP.HCM
Galois Fields
finite fields play a key role in cryptography
can show number of elements in a finite field
must be a power of a prime pn
known as Galois fields
denoted GF(pn)
in particular often use the fields:
▫ GF(p)
▫ GF(2n)
BK
TP.HCM
Galois Fields GF(p)
GF(p) is the set of integers {0,1, … , p-1} with
arithmetic operations modulo prime p
these form a finite field
▫ since have multiplicative inverses
hence arithmetic is “well-behaved” and can do
addition, subtraction, multiplication, and division
without leaving the field GF(p)
BK
TP.HCM
GF(7) Multiplication Example
0 1 2 3 4 5 6
0 0 0 0 0 0 0 0
1 0 1 2 3 4 5 6
2 0 2 4 6 1 3 5
3 0 3 6 2 5 1 4
4 0 4 1 5 2 6 3
5 0 5 3 1 6 4 2
6 0 6 5 4 3 2 1
BK
TP.HCM
Finding Inverses
EXTENDED EUCLID(m, b)
1. (A1, A2, A3)=(1, 0, m);
(B1, B2, B3)=(0, 1, b)
2. if B3 = 0
return A3 = gcd(m, b); no inverse
3. if B3 = 1
return B3 = gcd(m, b); B2 = b–1 mod m
4. Q = A3 div B3
5. (T1, T2, T3)=(A1 – Q B1, A2 – Q B2, A3 – Q B3)
6. (A1, A2, A3)=(B1, B2, B3)
7. (B1, B2, B3)=(T1, T2, T3)
8. goto 2
BK
TP.HCM
Inverse of 550 in GF(1759)
Q
A1
A2
A3
B1
B2
B3
—
1
0
1759
0
1
550
3
0
1
550
1
–3
109
5
1
–3
109
–5
16
5
21
–5
16
5
106
–339
4
1
106
–339
4
–111
355
1
BK
TP.HCM
Modular Polynomial Arithmetic
can compute in field GF(2n)
▫ polynomials with coefficients modulo 2
▫ whose degree is less than n
▫ hence must reduce modulo an irreducible poly of
degree n (for multiplication only)
form a finite field
can always find an inverse
▫ can extend Euclid’s Inverse algorithm to find
BK
TP.HCM
Number Theory
Prime Numbers and Prime Factorisation
Basic theorem of arithmetic (every number can
be expressed as a product of prime powers),
LCM, GCD.
Computing GCD using the Euclidean Algorithm
(Chapter 4.3)
Modular arithmetic operations (Chapter 4.2)
Computing modular multiplicative inverse using
extended Euclidean Algorithm (Chapter 4.4)
22
BK
TP.HCM
Prime Numbers
prime numbers only have divisors of 1 and self
▫ they cannot be written as a product of other numbers
▫ note: 1 is prime, but is generally not of interest
eg. 2,3,5,7 are prime, 4,6,8,9,10 are not
prime numbers are central to number theory
list of prime number less than 200 is:
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59
61 67 71 73 79 83 89 97 101 103 107 109 113 127
131 137 139 149 151 157 163 167 173 179 181 191
193 197 199
23
BK
TP.HCM
Prime Factorisation
to factor a number n is to write it as a product
of other numbers: n=a x b x c
note that factoring a number is relatively hard
compared to multiplying the factors together to
generate the number
the prime factorisation of a number n is when
its written as a product of primes
▫ eg. 91=7x13 ; 3600=24x32x52
24
BK
TP.HCM
Relatively Prime Numbers & GCD
two numbers a, b are relatively prime if have
no common divisors apart from 1
▫ eg. 8 & 15 are relatively prime since factors of 8 are
1,2,4,8 and of 15 are 1,3,5,15 and 1 is the only
common factor
conversely can determine the greatest common
divisor by comparing their prime factorizations
and using least powers
▫ eg. 300=21x31x52 18=21x32 hence
GCD(18,300)=21x31x50=6
25
BK
TP.HCM
Notations
26
BK
TP.HCM
Ring vs. Field
Consider the two equations
2x + 2y ≡ 22 mod 56
2x + 2y ≡ 22 mod 31
We cannot reduce the first equation to x + y ≡ 11 mod
56.
We can reduce the second equation to x + y ≡ 11 mod
31.
Why? (need to multiply by the multiplicative inverse of 2)
As all numbers have multiplicative inverses we can
easily solve systems of linear equations in a field. Not so
simple in rings.
27
BK
TP.HCM
Euclidean Algorithm
28
BK
TP.HCM
Extended Euclidean Algorithm
29
BK
TP.HCM
Square and Multiply Algorithm(1/2)
See Figures 9.7 in the text book.
Compute y = ax mod n. Large a; x; n (say 300
digits long).
Let b(r ) … b(0) be the binary representation of
the exponent x (an r + 1 bit number)
Square and multiply algorithm requires r + 1 to
2(r + 1)
multiplications (1000 to 2000 multiplications for
300 digit exponents)
30
BK
TP.HCM
Square and Multiply Algorithm(2/2)
z=1;
for i=r downto 0
z=z*z mod n
if (b(i) = 1)
z = z*a mod n
endif;
endfor;
31
BK
TP.HCM
Fermat's Little Theorem
ap-1 ≡ 1 mod p
▫ where p is prime and gcd(a,p)=1
also ap ≡ a mod p
useful in public key and primality testing
32
BK
TP.HCM
Euler Phi Function
when doing arithmetic modulo n
complete set of residues is: 0..n-1
reduced set of residues is those numbers
(residues) which are relatively prime to n
▫ eg for n=10,
▫ complete set of residues is {0,1,2,3,4,5,6,7,8,9}
▫ reduced set of residues is {1,3,7,9}
number of elements in reduced set of residues
is called the Euler Phi Function ø(n)
33
BK
TP.HCM
Euler Phi Function
to compute ø(n) need to count number of
residues to be excluded
in general need prime factorization, but
▫ for p (p prime)
ø(p)
▫ for p.q (p,q prime; p ≠ q)
ø(pq)
= p-1
=(p-1)x(q-1)
eg.
ø(37) = 36
ø(21) = (3–1)x(7–1) = 2x6 = 12
34
BK
TP.HCM
Euler's Theorem
a generalisation of Fermat's Theorem
aø(n) ≡ 1 mod n
▫ for any a,n where gcd(a,n)=1
eg.
a=3;n=10; ø(10)=4;
hence 34 = 81 = 1 mod 10
a=2;n=11; ø(11)=10;
hence 210 = 1024 = 1 mod 11
35
BK
TP.HCM
Public-Key Cryptography
developed to address two key issues:
▫ key distribution – how to have secure
communications in general without having to trust
a KDC with your key
▫ digital signatures – how to verify a message
comes intact from the claimed sender
public invention due to Whitfield Diffie & Martin
Hellman at Stanford Uni in 1976
▫ known earlier in classified community
36
BK
TP.HCM
Public-Key Cryptography
public-key/two-key/asymmetric cryptography
involves the use of two keys:
▫ a public-key, which may be known by anybody, and
can be used to encrypt messages, and verify
signatures
▫ a private-key, known only to the recipient, used to
decrypt messages, and sign (create) signatures
is asymmetric because
▫ those who encrypt messages or verify signatures
cannot decrypt messages or create signatures
37
BK
TP.HCM
Public-Key Cryptography
38
BK
TP.HCM
Public-Key Characteristics
Public-Key algorithms rely on two keys where:
▫ it is computationally infeasible to find decryption key
knowing only algorithm & encryption key
▫ it is computationally easy to en/decrypt messages
when the relevant (en/decrypt) key is known
▫ either of the two related keys can be used for
encryption, with the other used for decryption (for
some algorithms)
39
BK
TP.HCM
Inverse Problems
Most PKC algorithms rely on difficult inverse
problems.
Factorization Problem: Given large p and q it is
easy to compute n = p*q. But given n it is
impractical to factorize n into the constituent
primes.
Discrete Logarithm Problem: Let α = ga mod p.
Given a; g; p computing α is trivial. However
given α ; g and p it is impractical to compute a
40
BK
TP.HCM
Factoring Problem
For a large n with large prime factors, factoring
is a hard problem
have seen slow improvements over the years
▫ as of May-05 best is 200 decimal digits (663) bit with
LS
biggest improvement comes from improved
algorithm
▫ cf QS to GNFS to LS
41
BK
TP.HCM
Factoring Problem
For a large n with large prime factors, factoring
is a hard problem
See Table 9.4
▫ have seen slow improvements over the years
as of May-05 best is 200 decimal digits (663) bit with LS
▫ biggest improvement comes from improved
algorithm
▫ QS(Quadratic Sieve) to GNFS(Generalized Number
Field Sieve) to LS(Lattice Sieve)
42
BK
TP.HCM
Discrete Logarithm Problem
the inverse problem to exponentiation is to find
the discrete logarithm of a number modulo p
that is to find x such that y = gx (mod p)
this is written as x = dlogg y (mod p)
whilst exponentiation is relatively easy, finding
discrete logarithms is generally a hard problem
BK
TP.HCM
Public-Key Cryptosystems
Authentication and Secrecy
44
BK
TP.HCM
Public-Key Applications
can classify uses into 3 categories:
▫ encryption/decryption (provide secrecy)
▫ digital signatures (provide authentication)
▫ key exchange (of session keys)
some algorithms are suitable for all uses, others
are specific to one
45
BK
TP.HCM
Diffie Helman Key Exchange
46
BK
TP.HCM
DH Example
47
BK
TP.HCM
RSA
by Rivest, Shamir & Adleman of MIT in 1977
best known & widely used public-key scheme
RSA scheme is a block cipher
Plaintext and ciphertext are integers between 0
and (n-1)
A typical size for n is 1024 bits, or 309 decimal
digits
48
BK
TP.HCM
RSA Key Setup
each user generates a public/private key pair
by:
selecting two large primes at random - p, q
computing their system modulus n=p.q
▫ note ø(n)=(p-1)(q-1)
selecting at random the encryption key e
where 1<e<ø(n), gcd(e,ø(n))=1
solve following equation to find decryption key d
▫ e.d=1 mod ø(n) and 0≤d≤n
publish their public encryption key: PU={e,n}
keep secret private decryption key: PR={d,n}
49
BK
TP.HCM
RSA Use
to encrypt a message M the sender:
▫ obtains public key of recipient PU={e,n}
▫ computes: C = Me mod n, where 0≤M<n
to decrypt the ciphertext C the owner:
▫ uses their private key PR={d,n}
▫ computes: M = Cd mod n
note that the message M must be smaller than
the modulus n (block if needed)
50
BK
TP.HCM
Why RSA Works
because of Euler's Theorem:
▫ aø(n)mod n = 1 where gcd(a,n)=1
in RSA have:
▫
▫
▫
▫
n=p.q
ø(n)=(p-1)(q-1)
carefully chose e & d to be inverses mod ø(n)
hence e.d=1+k.ø(n) for some k
hence :
Cd = Me.d = M1+k.ø(n) = M1.(Mø(n))k
= M1.(1)k = M1 = M mod n
51
BK
TP.HCM
RSA Example - Key Setup
Select primes: p=17 & q=11
Compute n = pq =17 x 11=187
Compute ø(n)=(p–1)(q-1)=16 x 10=160
Select e: gcd(e,160)=1; choose e=7
Determine d: de=1 mod 160 and d < 160
Value is d=23 since 23x7=161= 160+1
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}
1.
2.
3.
4.
5.
52
BK
TP.HCM
RSA Example - En/Decryption
sample RSA encryption/decryption is:
given message M = 88 (nb. 88<187)
encryption:
C = 887 mod 187 = 11
decryption:
M = 1123 mod 187 = 88
53
BK
TP.HCM
Efficient Encryption
encryption uses exponentiation to power e
hence if e small, this will be faster
▫ often choose e=65537 (216-1)
▫ also see choices of e=3 or e=17
but if e too small (eg e=3) can attack
▫ using Chinese remainder theorem
if e fixed must ensure gcd(e,ø(n))=1
▫ ie reject any p or q not relatively prime to e
54
BK
TP.HCM
Efficient Decryption
decryption uses exponentiation to power d
▫ this is likely large, insecure if not
can use the Chinese Remainder Theorem
(CRT) to compute mod p & q separately. then
combine to get desired answer
▫ approx 4 times faster than doing directly
only owner of private key who knows values of
p & q can use this technique
55
BK
TP.HCM
RSA Key Generation
users of RSA must:
▫ determine two primes at random - p, q
▫ select either e or d and compute the other
primes p,q must not be easily derived from
modulus n=p.q
▫ means must be sufficiently large
▫ typically guess and use probabilistic test
exponents e, d are inverses, so use Inverse
algorithm to compute the other
56
BK
TP.HCM
Generating Large Primes
Say we need to generate a 150 digit prime
Generate a random odd number with 150 digits
Check if it is a prime
If not increment number by two and check again
till we \stumble upon" a prime
57
BK
TP.HCM
Prime Distribution
prime number theorem states that primes occur
roughly every (ln n) integers
but can immediately ignore evens
so in practice need only test 0.5 ln(n)
numbers of size n to locate a prime
▫ note this is only the “average”
▫ sometimes primes are close together
▫ other times are quite far apart
58
BK
TP.HCM
Primality Testing
Traditionally sieve using trial division
▫ ie. divide by all numbers (primes) in turn less than the
square root of the number
▫ only works for small numbers
Alternatively can use statistical primality tests
based on properties of primes
▫ for which all primes numbers satisfy property
▫ but some composite numbers, called pseudo-primes,
also satisfy the property
Can use a slower deterministic primality test
59
BK
TP.HCM
Miller Rabin Algorithm
a test based on Fermat’s Theorem
algorithm is:
TEST (n) is:
1. Find integers k, q, k > 0, q odd, so that (n–1)=2kq
2. Select a random integer a, 1<a<n–1
3. if aq mod n = 1 then return (“maybe prime");
4. for j = 0 to k – 1 do
j
5. if (a2 q mod n = n-1)
then return(" maybe prime ")
6. return ("composite")
60
BK
TP.HCM
Probabilistic Considerations
if Miller-Rabin returns “composite” the number is
definitely not prime
otherwise is a prime or a pseudo-prime
chance it detects a pseudo-prime is < 1/4
hence if repeat test with different random a then
chance n is prime after t tests is:
▫ Pr(n prime after t tests) = 1-4-t
▫ eg. for t=10 this probability is > 0.99999
61
BK
TP.HCM
RSA Security
possible approaches to attacking RSA are:
▫ brute force key search (infeasible given size of
numbers)
▫ mathematical attacks (based on difficulty of
computing ø(n), by factoring modulus n)
▫ timing attacks (on running of decryption)
▫ chosen ciphertext attacks (given properties of
RSA)
62
BK
TP.HCM
Timing Attacks
developed by Paul Kocher in mid-1990’s
exploit timing variations in operations
▫ eg. multiplying by small vs large number
▫ or IF's varying which instructions executed
infer operand size based on time taken
RSA exploits time taken in exponentiation
countermeasures
▫ use constant exponentiation time
▫ add random delays
▫ blind values used in calculations
63
BK
TP.HCM
Chosen Ciphertext Attacks
• RSA is vulnerable to a Chosen Ciphertext
Attack (CCA)
• attackers chooses ciphertexts & gets decrypted
plaintext back
• choose ciphertext to exploit properties of RSA to
provide info to help cryptanalysis
• can counter with random pad of plaintext
• or use Optimal Asymmetric Encryption Padding
(OASP)
64
BK
TP.HCM
El Gamal
Based on the difficulty of discrete log problem
(like DH)
All entities agree on a prime p (say 200 digits
long) and a generator g
Alice chooses a random value a as her private
key (a < p also has typically the same number of
digits as p)
Alice compute α = ga mod p as her public key.
65
BK
TP.HCM
El Gamal
66
BK
TP.HCM
El Gamal Example
67