Session 3 of 3-day course in Engineering Cryptographic Applications held at ACM Theater Tyson's Corner for Microstrategy, Inc.
Key Agreement
Asymmetric Cryptography
RSA
Public Key Protocols
TLS
2. Recap: Symmetric Encryption
Alice
Bob
Ciphertext
Plaintext
AES
AES
Plaintext
Insecure Channel
Key
Key
Assuming we generate strong keys, use an appropriate cipher
mode, and correctly implement a secure symmetric encryption
primitive, we can securely encrypt long messages so even an
adversary with $Quadrillions cannot learn anything interesting.
Assumes a secret already shared between Alice and Bob.
Amplifies that secret to send more data later.
evans@virginia.edu
Engineering Crypto Applications
1
3. Plan for Today
Insecure Channel
Secure Channel
petitions.gov
1. Key Agreement Protocols
2. Solving the remote authentication problem
Asymmetric Encryption, Public-Key Protocols
evans@virginia.edu
Engineering Crypto Applications
2
6. Merkle’s Puzzles: Key Agreement
Alice
1. Generate N random keys:
k0, …, kn-1
2. For each, send
Eki(“key #” + i)
EE37(“key #” ++37)
in random order
k
(“key #” 82)
k
E82 (“key #” + 22)
k22
…
evans@virginia.edu
Engineering Crypto Applications
5
7. Merkle’s Puzzles: Key Agreement
Alice
1. Generate N random keys:
k0, …, kn-1
2. For each, send
Eki(“key #” + i)
EE37(“key #” ++37)
in random order
k
(“key #” 82)
k
E82 (“key #” + 22)
k22
…
evans@virginia.edu
Engineering Crypto Applications
6
8. Alice
1. Generate N random keys:
k0, …, kn-1
2. For each, send
Eki(“key #” + i)
EE37(“key #” ++37)
in random order
k
(“key #” 82)
Bob
k
E82 (“key #” + 22)
k22
…
x
3. Randomly select one of the
received messages.
4. Try all possible keys until finding
kx that decrypts the message to
“key #x”
5. Send x (in clear) to Alice
Shared secret kx
evans@virginia.edu
Engineering Crypto Applications
7
9. Bob
Alice
Security
Generate N random keys:
k0, …, kn-1
2. For each, send
Eki(“key #” + i)
in random order
1.
3.
4.
x
5.
Randomly select one of the
received messages.
Try all possible keys until
finding kx that decrypts the
message to “key #x”
Send x (in clear) to Alice
Shared secret kx
evans@virginia.edu
Engineering Crypto Applications
8
10. Bob
Alice
Security
Generate N random keys:
k0, …, kn-1
2. For each, send
Eki(“key #” + i)
in random order
1.
3.
4.
x
5.
Randomly select one of the
received messages.
Try all possible keys until
finding kx that decrypts the
message to “key #x”
Send x (in clear) to Alice
Shared secret kx
Suppose each key is 56 bits:
Alice has to generate N keys and do N encryptions
Bob has to do 256 max work to brute force
Eve has to do ½N × 255 expected work
So, if 296 is infeasible, N = 242 could work
evans@virginia.edu
Engineering Crypto Applications
9
11. Can we do better?
CRYPTO 2009: Actually is impossible to do better!
Any scheme like this, even with perfect
primitives, can be broken by an adversary
who can do N 2 encryptions (where Alice
and Bob do N encryptions).
To do better, we need some magic math!
evans@virginia.edu
Engineering Crypto Applications
10
12. Time for a Revolution!
“We stand today on the brink of a revolution in cryptography.
The development of cheap digital hardware has freed it from
the design limitations of mechanical computing and brought the
cost of high grade cryptographic devices down to where they can
be used in such commercial applications as remote cash
dispensers and computer terminals. In turn, such applications
create a need for new types of cryptographic systems which
minimize the necessity of secure key distribution channels and
supply the equivalent of a written signature. At the same
time, theoretical developments in information theory and
computer science show promise of providing provably secure
cryptosystems, changing this ancient art into a science.”
Whit Diffie and Martin Hellman, November 1976.
evans@virginia.edu
Engineering Crypto Applications
11
21. “Padlocks” Key Agreement
• We relied on: DA(EB(EA(M))) = EB(M)
• Is this true for AES?
No way! AES (and any strong
symmetric primitive) must involve
non-linear transformations that are
not commutative.
• What operations is it true for?
Multiplication
evans@virginia.edu
Engineering Crypto Applications
20
23. Diffie-Hellman Key Agreement
Alice
Bob
1. Choose and publish:
q (large prime number)
(primitive root of q)
2. Generate random XA
4. Generate random XB.
XA mod q.
3. Send YA=
5. Send YB= XB mod q.
K = (YB) XA mod q
evans@virginia.edu
K = (YA)XB mod q
Engineering Crypto Applications
22
24. Key Agreement Requirements
Correctness: Both participants get the same key
Security: An eavesdropper cannot find K from
all intercepted values
evans@virginia.edu
Engineering Crypto Applications
23
25. Key Agreement Correctness
Correctness: Both participants get the same key
YA= XA mod q
K = (YB) XA mod q
evans@virginia.edu
YB= XB mod q
K = (YA)XB mod q
Engineering Crypto Applications
24
26. Key Agreement Correctness
Correctness: Both participants get the same key
YA =
XA mod
q
K = (YB) XA mod q
YB=
XB mod
q
K = (YA)XB mod q
= ( XB mod q)XA mod q = ( XA mod q)XB mod q
= ( XBXA mod q) mod q = ( XAXB mod q) mod q
= XBXA mod q
= XAXB mod q
Multiplication commutes (just like the padlocks)!
evans@virginia.edu
Engineering Crypto Applications
25
27. Security
Alice
Bob
1. Choose and publish:
q (large prime number)
(primitive root of q)
2. Generate random XA
4. Generate random XB.
XA mod q.
3. Send YA=
5. Send YB= XB mod q.
K = (YB) XA mod q
K = (YA)XB mod q
An eavesdropper cannot find K from all intercepted values:
q, , YA, YB
evans@virginia.edu
Engineering Crypto Applications
26
28. Primitive Roots
is a primitive root of Bob for all
q if
1 n < q, there is some m,
1. Choose and publish:
1 m < q such that
q (large prime number)
m = n mod q
(primitive root of q) prime numbers have primitive
All
2. Generate random XA roots.
Alice
3. Send YA=
XA mod
q.
4. Generate random XB.
5. Send YB= XB mod q.
Discrete logarithm problem: given , n, and q find
the one 0 XA m < q such that
K = mYB) mod q
(
K = (YA)XB mod q
= n mod q
For good choices of q, this is believed to be hard.
evans@virginia.edu
Engineering Crypto Applications
27
29. Security of Diffie-Hellman
DiscreteAlice
logarithm problem: given , n, andBobfind
q
the one 0 m < q such
1. Choose and publish: that
m = n mod q
q (large prime number)
For good choices of q, this is believed to be hard.
(primitive root of q)
2. Generate random XA
4. Generate random XB.
XA mod q.
3. Send YA=
5. Send Y = XB mod q.
K = (YB) XA mod q
B
Eavesdropper cannot find K from intercepted values: q, , YA, YB
If they could, could solve discrete log problem which is hard:
given YA= XA mod q find XA
evans@virginia.edu
Engineering Crypto Applications
28
30. What about Mallory?
Insecure Channel
(e.g., the Internet)
Ciphertext
Plaintext
Encrypt
Decrypt
Alice
Plaintext
Bob
Mallory
(active attacker)
evans@virginia.edu
Engineering Crypto Applications
29
31. Secure from Active Eavesdropper?
Bob
Alice
Public: q,
XB
XA
K = (YB)
evans@virginia.edu
XA mod
K = (YA)XB mod q
q
Engineering Crypto Applications
30
35. Does D-H Solve This?
Insecure Channel
petitions.gov
How does TJ know he’s really talking to petitions.gov?
How can he establish a secure channel to transmit password?
evans@virginia.edu
Engineering Crypto Applications
34
37. Asymmetry
Required
Messages: everyone
should be able to send
Alice a message that only
Alice can read
Signatures: Bob should be
able to verify Alice signed
a message, but not
impersonate Alice
evans@virginia.edu
Engineering Crypto Applications
36
39. Asymmetric Cryptosystem
(with Kerckhoffs’ Principle)
Alice
Plaintext
Bob
Ciphertext
E
D
Plaintext
Insecure Channel
KUA
KRA
Correctness: DKU (EKR (m)) = m
A
A
Security: given EKR (m), E, KUA, and D, cannot
A
learn anything interesting about m or KRA.
evans@virginia.edu
Engineering Crypto Applications
38
40. Providing Asymmetry
Need a function f that is:
Easy to compute:
given x, easy to compute f (x)
Hard to invert:
given f (x), hard to compute x
Has a trap-door:
given f (x) and t,
easy to compute x
No function (publicly) known with these properties until 1977…
evans@virginia.edu
Engineering Crypto Applications
39
43. RSA Cryptosystem
Ee(M ) = Me mod n
Dd(C ) = Cd mod n
n = pq
p, q are prime
d is relatively prime to (p – 1)(q – 1)
ed 1 mod (p – 1)(q – 1)
evans@virginia.edu
Engineering Crypto Applications
42
44. Correctness of RSA
Ee(M ) = Me mod n
Dd(C ) = Cd mod n
evans@virginia.edu
Engineering Crypto Applications
43
45. Correctness of RSA
Ee(M ) = Me mod n
Dd(C ) = Cd mod n
Dd(Ee(M )) = (Me mod n)d mod n
= Med mod n
= M This step depends on choosing e and d to
have this property: uses Fermat’s little
theorem and Euler’s Totient theorem
evans@virginia.edu
Engineering Crypto Applications
44
46. Bonus: Works in Both Orders
Ee(M ) = Me mod n
Dd(C ) = Cd mod n
Ee (Dd(M )) = (Md mod n)e mod n
= Mde mod n
=M
evans@virginia.edu
Engineering Crypto Applications
45
47. Providing Asymmetry
Need a function f that is:
Easy to compute:
given x, easy to compute f (x)
Hard to invert:
given f (x), hard to compute x
Has a trap-door:
given f (x) and t,
easy to compute x
evans@virginia.edu
Does RSA satisfy these?
Engineering Crypto Applications
46
48. Easy (Enough) to Compute
Easy to compute:
given x, easy to compute f (x)
Ee(M ) =
evans@virginia.edu
e mod
M
Engineering Crypto Applications
n
47
49. Easy (Enough) to Compute
Ee(M ) = Me mod n
a m +n = a m × a n
a2b = ab × ab
Compute Me in about log2e multiplications
Be careful not to have a timing side channel though!
evans@virginia.edu
Engineering Crypto Applications
48
50. Hard to Invert
Given Ee(M ) and e and n, hard to compute M.
If attacker can factor n = pq, easy to find d:
d = e-1 mod (p – 1)(q – 1)
All other attacks are equivalent to factoring n.
No one seems to know a fast way to factor, except
with a quantum computer (and no one seems to yet
know how to build a large one).
For reasonable security, n should be 2048 bits (comparable to
112-bit symmetric key) – believed sufficient until 2030.
evans@virginia.edu
Engineering Crypto Applications
49
51. Easy to Invert with Trapdoor
e mod
M
Ee(M ) =
n
Dd(C ) = Cd mod n
evans@virginia.edu
Engineering Crypto Applications
50
52. Using RSA: Confidentiality
Alice
Sends confidential
messages to Bob using
his public key
Plaintext
E
Bob
Selects two large primes p, q
Computes ed 1 mod (p – 1)(q – 1)
Publishes n = pq and e, keeps d secret
Ciphertext
D
Plaintext
Insecure Channel
KRB
KUB
Private Key: KRB = d
Bob’s Public Key: KUB = (n, e)
(private exponent)
(modulus, public exponent)
Over 1000x slower than AES! Only use when asymmetry is needed.
evans@virginia.edu
Engineering Crypto Applications
51
53. Using RSA: Signatures
Alice
Sends confidential
messages to Bob using
his public key
Plaintext
E
Bob
Selects two large primes p, q
Computes ed 1 mod (p – 1)(q – 1)
Publishes n = pq and e, keeps d secret
Ciphertext
D
Plaintext
Insecure Channel
KRB
KUB
Private Key: KRB = d
Bob’s Public Key: KUB = (n, e)
(private exponent)
(modulus, public exponent)
Over 1000x slower than AES! Only use when asymmetry is needed.
evans@virginia.edu
Engineering Crypto Applications
52
54. Using RSA: Signatures
Alice
Verifies message is
from Bob using his
public key
Verified
Message
E
Bob
Selects two large primes p, q
Computes ed 1 mod (p – 1)(q – 1)
Publishes n = pq and e, keeps d secret
Signed Message
D
Message
Insecure Channel
KRB
KUB
Private Key: KRB = d
Bob’s Public Key: KUB = (n, e)
(private exponent)
(modulus, public exponent)
Over 1000x slower than AES! Only use when asymmetry is needed.
evans@virginia.edu
Engineering Crypto Applications
53
55. Elliptic Curve
Asymmetric Cryptosystems
Elliptic curve discrete
logarithm problem: given
points P and Q on an
elliptic curve, it is hard to
find an integer k such that
Q = kP (unless you know
trapdoor).
evans@virginia.edu
y2 = x3 – 7 (mod p)
Engineering Crypto Applications
54
56. RSA
1977
ECC
1985
Discovery
(previously discovered in 1969
by GHCQ and perhaps earlier
by NSA)
(adoption limited until ~2005)
“Hard” Problem
Factoring
Discrete Log on Elliptic
Curve
Key Size (~112-bit)
2048 bits (768 bits broken)
224 bits (112 bits broken)
Backdoor Risk
None
Curves selected by NSA
Quantum
Computing Risk
Known fast factoring
algorithms (Shor’s)
Similar (variation of Shor’s
algorithm solves Discrete Log)
Implementation
Challenges
Avoiding weak keys, timing
side channels
Fast operations on elliptic
curves, leaks on invalid inputs
evans@virginia.edu
Engineering Crypto Applications
55
57. RSA
ECC
1985
Lattice Ciphers
(adoption limited
until ~2005)
1996
Factoring
Discrete Log on
Elliptic Curve
Lattice Problems
(e.g., closest vector)
Key Size
(~112-bit)
2048 bits
(768 bits broken)
224 bits
(112 bits broken)
1,000,000 bits
Backdoor Risk
None
Curves selected by NSA
Little
Quantum
Computing
Risk
Known fast
factoring
algorithms
(Shor’s)
Similar (variation of
Shor’s algorithm
solves Discrete Log)
Only if P = NP
Discovery
1977
“Hard”
Problem
Implementation
Challenges
evans@virginia.edu
Avoiding weak
Fast operations on
keys, timing side elliptic curves, leaks
channels Engineering Crypto Applications
on invalid inputs
Only simple arithmetic
(but 10Ks of them)
56
59. Using Asymmetry: Signatures
Alice
Bob
Verifies message is from
Bob using his public key
Verified
Message
E
Generates KUB and KRB
Publishes KUB
Signed Message
D
Message
Insecure Channel
KRB
KUB
Over 1000x slower than AES! (with both RSA and ECC)
What if we need to sign long (bigger than n ~ 2048 bits) messages?
evans@virginia.edu
Engineering Crypto Applications
58
62. Simple Login Protocol
Eve can’t decrypt
without KRpetitions.
petitions.gov
EKUpetitions(“tj” + password)
evans@virginia.edu
Engineering Crypto Applications
DKRpetitions(c)
61
63. Getting Public Keys
• Public keys only useful if you know
you have the right one!
• Secure on-line directory?
What is petitions.gov public key?
keys.gov
KUpetitions
evans@virginia.edu
Engineering Crypto Applications
62
71. SSL (Secure Sockets Layer)
Simplified TLS Handshake Protocol
Client
Verify Certificate
using KUCA
Check identity
matches URL
Generate
random K
Server
Hello
KRCA[Server Identity, KUS]
How did client get KUCA?
EKUS (K)
Decrypt
using
KRS
Secure channel using K
evans@virginia.edu
Engineering Crypto Applications
70
73. How does
VarySign decide
if it should give
certificate to
requester?
Certificates
VarySign.com
petitions.gov, KUPetitions
CP = KRVarySign*“petitions.gov”, KUPetitions]
TJ
CP
Verifies using KUVarySign
evans@virginia.edu
Petitions
Engineering Crypto Applications
72
74. $1500 for 1 year
evans@virginia.edu
Engineering Crypto Applications
$399
73
78. CRL Checking
Mozilla Firefox
Google Chrome
On-line checking is
expensive and may fail
Attacker-in-the-middle
can make it fail
evans@virginia.edu
Engineering Crypto Applications
77
79. SSL (Secure Sockets Layer)
Simplified TLS Handshake Protocol
Client
Server
Hello
some extra steps:
Verify Actual TLS hasKRCA[Server Identity, KUS]
Certificate
using KUCA
- Negotiate versions
CheckAgree
- identity
matches URL
on which ciphers to use (many
options, but beware!)
Generate
Decrypt
-randomauthenticate client also
Can K
KU (K)
E [K]
KUS
S
using
KRS
Secure channel using K
evans@virginia.edu
Engineering Crypto Applications
78
80. Summary
• Many useful applications require asymmetry
– Confidentiality without shared key, signatures
– Others we will cover next week
• Asymmetric cryptosystems can be built using
hard problems in number theory with
trapdoors: RSA (factoring), ECC (discrete log)
• Asymmetric ciphers are very expensive: need
to combine with hashes and symmetric crypto
evans@virginia.edu
Engineering Crypto Applications
79
83. Plan for Final Meeting:
Applications of Asym Crypto
Secure Computation
Future of Cryptosystems
open to
requests!
evans@virginia.edu
MightBeEvil.com/crypto
evans@virginia.edu
Engineering Crypto Applications
82