PDM CSE
1/335
Syllabus
Encryption and Decryption. Terminology and background: cryptosystem, plaintext and ciphertext, encryption, cryptanalysis. Introduction to ciphers: monoalphabetic and polyalphabetic substitution. Secure encryption systems. Hard problems: complexity, NP-complete problems, characteristics of NP-complete problems, the meaning of completeness, NP-completeness and cryptography. Properties of arithmetic operations: inverses, primes, GCD. Modular arithmetic, properties of modular arithmetic, computing the inverse, Fermat's theorem, algorithms for computing inverses, random number generation. Public-key encryption systems: concept and characteristics, introduction to Merkle-Hellman knapsacks, RSA, digital signatures, DSS. Hash algorithms: hash concept, description of hash algorithms, MD4, MD5, SHA-1, SHA-2. Secure secret-key systems: DES, AES. Applied cryptography: protocols, practices, key management protocols. Operating system, database and program security. Network security.
References
Security in Computing (Second Edition), Charles P. Pfleeger, 1996, Prentice-Hall International, Inc.
Applied Cryptography: Protocols, Algorithms and Source Code in C (Second Edition), Bruce Schneier, 1995, John Wiley.
Security Technologies for the World Wide Web, Rolf Oppliger, Artech House, Inc.
Digital Certificates: Applied Internet Security, Jalal Feghhi, Jalil Feghhi and Peter Williams, Addison Wesley Longman.
The World Wide Web Security FAQ, Lincoln D. Stein, World Wide Web Consortium (online), available at http://www.w3.org/Security/Faq/www-securityfaq.html
Cryptographic Message Syntax Standard, Public-Key Cryptography Standards, RSA Laboratories (online), available at http://www.rsasecurity.com/rsalabs/pkcs7/index.html
Security
In general, security is the quality or state of being secure to be free from danger. It means to be protected from adversaries, from those who would do harm, intentionally or otherwise.
The 1960s
Advanced Research Projects Agency (ARPA) began to examine the feasibility of redundant networked communications
Larry Roberts developed ARPANET from its inception
Development of the ARPANET Program Plan Source: Courtesy of Dr. Lawrence Roberts
MULTICS
Early focus of computer security research was a system called Multiplexed Information and Computing Service (MULTICS)
First operating system created with security as its primary goal
Mainframe, time-sharing OS developed in the mid-1960s by General Electric (GE), Bell Labs, and Massachusetts Institute of Technology (MIT)
Several MULTICS key players created UNIX
Primary purpose of UNIX was text processing
The 1990s
Networks of computers became more common; so too did the need to interconnect networks
Internet became the first manifestation of a global network of networks
Initially based on de facto standards
In early Internet deployments, security was treated as a low priority
2000 to Present
The Internet brings millions of computer networks into communication with each other, many of them unsecured
Ability to secure a computer's data is influenced by the security of every computer to which it is connected
Growing threat of cyber attacks has increased the need for improved security
Communications security: to protect an organization's communications media, technology, and content
Network security: to protect networking components, connections, and contents
Information security: to protect information assets
Information Security
Information security, therefore, is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
Security as Art
No hard and fast rules, nor many universally accepted complete solutions. No manual for implementing security through the entire system.
Security as Science
Dealing with technology designed to operate at high levels of performance. Specific conditions cause virtually all actions that occur in computer systems. Nearly every fault, security hole, and system malfunction is a result of the interaction of specific hardware and software. If developers had sufficient time, they could resolve and eliminate faults.
Social science examines the behaviour of individuals interacting with systems
Security begins and ends with the people that interact with the system
Security administrators can greatly reduce levels of risk caused by end users, and create more acceptable and supportable security profiles
Investigation
What problem is the system being developed to solve?
Objectives, constraints, and scope of the project are specified
Preliminary cost-benefit analysis is developed
At the end, a feasibility analysis is performed to assess the economic, technical, and behavioural feasibility of the process
Analysis
Consists of assessments of: the organization, current systems, and the capability to support proposed systems
Analysts determine what the new system is expected to do and how it will interact with existing systems
Ends with documentation of findings and an update of the feasibility analysis
Logical Design
Main factor is business need
Applications capable of providing needed services are selected
Data support and structures capable of providing the needed inputs are identified
Technologies to implement the physical solution are determined
Feasibility analysis performed at the end
Physical Design
Technologies to support the alternatives identified and evaluated in the logical design are selected
Components evaluated on a make-or-buy decision
Feasibility analysis performed
Entire solution presented to end-user representatives for approval
Implementation
Needed software created
Components ordered, received, and tested
Users trained and documentation created
Feasibility analysis prepared
Users presented with the system for performance review and acceptance test
Investigation
Identifies process, outcomes, goals, and constraints of the project
Begins with the Enterprise Information Security Policy (EISP)
Organizational feasibility analysis is performed
Analysis
Documents from the investigation phase are studied
Analysis of existing security policies or programs, along with documented current threats and associated controls
Includes analysis of relevant legal issues that could impact the design of the security solution
Risk management task begins
Logical Design
Creates and develops blueprints for information security
Incident response actions planned: continuity planning, incident response, disaster recovery
Feasibility analysis to determine whether the project should be continued or outsourced
Physical Design
Needed security technology is evaluated, alternatives are generated, and the final design is selected
At the end of the phase, a feasibility study determines the readiness of the organization for the project
Implementation
Security solutions are acquired, tested, implemented, and tested again
Personnel issues evaluated; specific training and education programs conducted
Entire tested package is presented to management for final approval
Senior Management
Chief Information Officer (CIO): senior technology officer, primarily responsible for advising senior executives on strategic planning
Chief Information Security Officer (CISO): primarily responsible for assessment, management, and implementation of information security in the organization; usually reports directly to the CIO
Data Responsibilities
Data owner: responsible for the security and use of a particular set of information
Data custodian: responsible for storage, maintenance, and protection of information
Data users: end users who work with information to perform their daily jobs supporting the mission of the organization
Security Attack
Security attack: any action that compromises the security of information owned by an organization
Information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems
Often "threat" and "attack" are used to mean the same thing. According to RFC 2828:
Threat: a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm
Attack: an assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system
There is a wide range of attacks; we can focus on the generic types: passive and active
Passive Attacks
Active Attacks
Security Service
A communication service that enhances the security of data processing systems and information transfers of an organization
Intended to counter security attacks, using one or more security mechanisms
Often replicates functions normally associated with physical documents, which, for example, have signatures and dates; need protection from disclosure, tampering, or destruction; may be notarized or witnessed; may be recorded or licensed
Security Services
X.800: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers
RFC 2828: a processing or communication service provided by a system to give a specific kind of protection to system resources
Security Mechanism
Feature designed to detect, prevent, or recover from a security attack
No single mechanism will support all services required
However, one particular element underlies many of the security mechanisms in use: cryptographic techniques, hence our focus on this topic
Symmetric Encryption
Conventional / private-key / single-key
Sender and recipient share a common key
All classical encryption algorithms are private-key, as this was the only type prior to the invention of public-key cryptography in the 1970s
Requirements
Two requirements for secure use of symmetric encryption:
a strong encryption algorithm
a secret key known only to sender / receiver
Mathematically we have:
Y = E_K(X), X = D_K(Y)
Cryptography
Characterize cryptographic system by:
Type of encryption operations used
substitution / transposition / product
Cryptanalysis
Objective is to recover the key, not just the message
General approaches: cryptanalytic attack, brute-force attack
Cryptanalytic Attacks
ciphertext only: only know algorithm & ciphertext; is statistical; know or can identify plaintext
known plaintext: know/suspect plaintext & ciphertext
chosen plaintext: select plaintext and obtain ciphertext
chosen ciphertext: select ciphertext and obtain plaintext
chosen text: select plaintext or ciphertext to en/decrypt
More Definitions
Unconditional security: no matter how much computer power or time is available, the cipher cannot be broken, since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext
Computational security: given limited computing resources (e.g. the time needed for calculations is greater than the age of the universe), the cipher cannot be broken
Table (brute-force key search; partly lost in extraction): key sizes of 128 bits, 168 bits and a 26-character permutation, with exhaustive search times of 2^127 and 2^167 for the 128- and 168-bit keys (the time unit was lost in extraction)
Caesar Cipher
Earliest known substitution cipher, given by Julius Caesar
First attested use in military affairs
Replaces each letter by the 3rd letter on, for example:
meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB
Caesar Cipher
Can define the transformation as:
plain:  abcdefghijklmnopqrstuvwxyz
cipher: DEFGHIJKLMNOPQRSTUVWXYZABC
Monoalphabetic Cipher
Rather than just shifting the alphabet, could shuffle (jumble) the letters arbitrarily
Each plaintext letter maps to a different random ciphertext letter, hence the key is 26 letters long
Plain:      abcdefghijklmnopqrstuvwxyz
Cipher:     DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext:  ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
Other letters like Z, J, K, Q, X are fairly rare
Have tables of single, double & triple letter frequencies for various languages
Use in Cryptanalysis
Key concept: monoalphabetic substitution ciphers do not change relative letter frequencies
Discovered by Arabian scientists in the 9th century
Calculate letter frequencies for the ciphertext, then compare counts/plots against known values
Example Cryptanalysis
Given ciphertext:
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
Count relative letter frequencies (see text)
Guess P & Z are e and t
Guess ZW is th and hence ZWP is the
Proceeding with trial and error finally get:
it was disclosed yesterday that several informal but direct contacts have been made with political representatives of the viet cong in moscow
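Added example (not code from the lecture): the Caesar and monoalphabetic substitutions above, plus the frequency-counting step of the cryptanalysis, run on the lecture's own ciphertext. The only assumption is that letters outside a-z (spaces) are passed through unchanged.

```python
import string
from collections import Counter

ALPHA = string.ascii_lowercase

def caesar(text, shift=3):
    """Caesar cipher: replace each letter by the one `shift` places on;
    non-letters (spaces) are passed through unchanged (assumption)."""
    out = []
    for ch in text.lower():
        if ch in ALPHA:
            out.append(ALPHA[(ALPHA.index(ch) + shift) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)

def mono_encrypt(plaintext, key):
    """General monoalphabetic substitution; `key` is the 26-letter cipher
    alphabet written under abcdefghijklmnopqrstuvwxyz."""
    table = dict(zip(ALPHA, key.upper()))
    return "".join(table[ch] for ch in plaintext.lower() if ch in table)

def mono_decrypt(ciphertext, key):
    table = dict(zip(key.upper(), ALPHA))
    return "".join(table[ch] for ch in ciphertext.upper() if ch in table)

def letter_frequencies(ciphertext):
    """Relative frequency (percent) of each letter, most common first.
    A monoalphabetic cipher only relabels letters, so the ciphertext
    distribution is the plaintext's English distribution in disguise."""
    letters = [ch for ch in ciphertext.upper() if ch.isalpha()]
    counts = Counter(letters)
    total = len(letters)
    return [(ch, round(100.0 * n / total, 2)) for ch, n in counts.most_common()]

def ngram_counts(ciphertext, n):
    """Digram/trigram counts (n = 2 or 3), used to confirm guesses such as
    ZW = th and ZWP = the."""
    letters = "".join(ch for ch in ciphertext.upper() if ch.isalpha())
    return Counter(letters[i:i + n] for i in range(len(letters) - n + 1))

# The ciphertext from the lecture's cryptanalysis example (120 letters).
SAMPLE = ("UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ"
          "VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX"
          "EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ")

if __name__ == "__main__":
    print(caesar("meet me after the toga party"))
    key = "DKVQFIBJWPESCXHTMYAUOLRGZN"
    print(mono_encrypt("ifwewishtoreplaceletters", key))
    print(letter_frequencies(SAMPLE)[:6])      # P and Z lead, as the lecture guesses
    print(ngram_counts(SAMPLE, 2).most_common(3))
```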
Playfair Cipher
Not even the large number of keys in a monoalphabetic cipher provides security
One approach to improving security was to encrypt multiple letters; the Playfair cipher is an example
Invented by Charles Wheatstone in 1854, but named after his friend Baron Playfair
Figure: Playfair 5x5 key matrix (only the last two columns, A B I/J S X and R D K T Z, survived extraction)
It can be broken, given a few hundred letters, since it still has much of the plaintext structure
Polyalphabetic Ciphers
Polyalphabetic substitution ciphers improve security by using multiple cipher alphabets
Make cryptanalysis harder, with more alphabets to guess and a flatter frequency distribution
Use a key to select which alphabet is used for each letter of the message
Use each alphabet in turn; repeat from the start after the end of the key is reached
Vigenère Cipher
Simplest polyalphabetic substitution cipher: effectively multiple Caesar ciphers
Key is multiple letters long: K = k1 k2 ... kd
The i-th letter specifies the i-th alphabet to use
Use each alphabet in turn; repeat from the start after d letters in the message
Decryption simply works in reverse
Aids
Simple aids can assist with en/decryption; a Saint-Cyr Slide is a simple manual aid
A slide with a repeated alphabet: line up plaintext 'A' with the key letter, e.g. 'C', then read off any mapping for that key letter
Can bend round into a cipher disk or expand into a Vigenère Tableau
If not, then need to determine the number of alphabets, since then can attack each
Kasiski Method
Method developed by Babbage / Kasiski
Repetitions in ciphertext give clues to the period, so find the same plaintext an exact period apart, which results in the same ciphertext
Of course, could also be a random fluke
E.g. repeated VTW in the previous example suggests a size of 3 or 9
Then attack each monoalphabetic cipher individually using the same techniques as before
Autokey Cipher
Ideally want a key as long as the message
Vigenère proposed the autokey cipher, with the keyword prefixed to the message as the key
Knowing the keyword can recover the first few letters; use these in turn on the rest of the message
But still has frequency characteristics to attack
E.g. given key deceptive:
key:        deceptivewearediscoveredsav
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGKZEIIGASXSTSLVVWLA
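Added example (not code from the lecture) covering the Vigenère, Kasiski and autokey slides above: both ciphers with the lecture's key "deceptive" and plaintext "wearediscoveredsaveyourself", and a Kasiski repeat finder that recovers the period 9 from the repeated VTW. Assumed: non-letters are dropped and ciphertext is written in capitals, as in the slides.

```python
import string
from collections import defaultdict
from functools import reduce
from math import gcd

A = string.ascii_lowercase

def _clean(text):
    """Keep only letters, lower-cased (assumption: punctuation is dropped)."""
    return "".join(ch for ch in text.lower() if ch in A)

def vigenere(text, key, decrypt=False):
    """Vigenère: letter i is shifted by key letter (i mod d); d = len(key).
    Decryption subtracts the same shifts."""
    text, key = _clean(text), _clean(key)
    out = []
    for i, ch in enumerate(text):
        k = A.index(key[i % len(key)])
        if decrypt:
            k = -k
        out.append(A[(A.index(ch) + k) % 26])
    result = "".join(out)
    return result if decrypt else result.upper()

def autokey_encrypt(plaintext, keyword):
    """Autokey: the key stream is the keyword followed by the plaintext itself."""
    plaintext = _clean(plaintext)
    stream = _clean(keyword) + plaintext
    return "".join(A[(A.index(p) + A.index(k)) % 26]
                   for p, k in zip(plaintext, stream)).upper()

def autokey_decrypt(ciphertext, keyword):
    """Each recovered plaintext letter extends the key stream for later letters."""
    ciphertext = _clean(ciphertext)
    stream = list(_clean(keyword))
    out = []
    for i, c in enumerate(ciphertext):
        p = A[(A.index(c) - A.index(stream[i])) % 26]
        out.append(p)
        stream.append(p)
    return "".join(out)

def kasiski(ciphertext, n=3):
    """Distances between repeated n-grams; the period divides most of them."""
    text = _clean(ciphertext)
    positions = defaultdict(list)
    for i in range(len(text) - n + 1):
        positions[text[i:i + n]].append(i)
    return {g: [b - a for a, b in zip(pos, pos[1:])]
            for g, pos in positions.items() if len(pos) > 1}

def likely_period(ciphertext, n=3):
    """gcd of all repeat distances (a random-fluke repeat would spoil it)."""
    distances = [d for ds in kasiski(ciphertext, n).values() for d in ds]
    return reduce(gcd, distances) if distances else None

if __name__ == "__main__":
    c = vigenere("wearediscoveredsaveyourself", "deceptive")
    print(c, kasiski(c), likely_period(c))
    print(autokey_encrypt("wearediscoveredsaveyourself", "deceptive"))
```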
One-Time Pad
If a truly random key as long as the message is used, the cipher will be secure; called a One-Time Pad
Is unbreakable, since the ciphertext bears no statistical relationship to the plaintext
Since for any plaintext & any ciphertext there exists a key mapping one to the other
Can only use the key once though
Problems in generation & safe distribution of the key
Transposition Ciphers
Now consider classical transposition or permutation ciphers
These hide the message by rearranging the letter order without altering the actual letters used
Can recognise these since they have the same frequency distribution as the original text
giving ciphertext
MEMATRHTGPRYETEFETEOAAT
Product Ciphers
Ciphers using only substitutions or transpositions are not secure because of language characteristics; hence consider using several ciphers in succession to make it harder, but:
two substitutions make a more complex substitution
two transpositions make a more complex transposition
but a substitution followed by a transposition makes a new, much harder cipher
Rotor Machines
Before modern ciphers, rotor machines were the most common complex ciphers in use; widely used in WW2
German Enigma, Allied Hagelin, Japanese Purple
Implemented a very complex, varying substitution cipher
Used a series of cylinders, each giving one substitution, which rotated and changed after each letter was encrypted
With 3 cylinders have 26^3 = 17576 alphabets
Steganography
An alternative to encryption; hides the existence of the message
using only a subset of letters/words in a longer message, marked in some way
using invisible ink
hiding in the LSB of a graphic image or sound file
Has drawbacks: high overhead to hide relatively few information bits
Computational Complexity
Recall from our sorting examples at the start of class that we could prove that any sort would have to do at least some minimal amount of work (lower bound)
We proved this using decision trees
// Sorts an array of 3 items (indexed 1..3 as in the text) with a fixed
// tree of comparisons; each leaf writes the sorted order back into s.
void sortthree(int s[]) {
    int a = s[1], b = s[2], c = s[3];
    if (a < b) {
        if (b < c)      { s[1] = a; s[2] = b; s[3] = c; }   // a,b,c
        else if (a < c) { s[1] = a; s[2] = c; s[3] = b; }   // a,c,b
        else            { s[1] = c; s[2] = a; s[3] = b; }   // c,a,b
    } else if (b < c) {
        if (a < c)      { s[1] = b; s[2] = a; s[3] = c; }   // b,a,c
        else            { s[1] = b; s[2] = c; s[3] = a; }   // b,c,a
    } else              { s[1] = c; s[2] = b; s[3] = a; }   // c,b,a
}
Figure: decision tree for sortthree (internal nodes a<b, b<c, a<c; leaves a,b,c / a,c,b / c,a,b / b,a,c / b,c,a / c,b,a)
Decision Trees
A decision tree can be created for every comparison-based sorting algorithm
The following is a decision tree for a 3 element Exchange sort
Note that c < b means that the Exchange sort compares the array item whose current value is c with the one whose current value is b not that it compares s[3] to s[2].
Figure: decision tree for the 3-element Exchange sort (internal nodes b<a, c<a, a<b, c<b; leaves c,b,a / b,c,a / b,a,c / c,a,b / a,c,b / a,b,c)
Decision Trees
So what does this tell us
Note that there are 6 leaves in each of the examples given (each N=3)
In general there will be N! leaves in a decision tree corresponding to the N! permutations of the array
The number of comparisons (work) is equal to the depth of the tree (from root to leaf)
Worst case behavior is the path from the root to the deepest leaf
Decision Trees
Thus, to get a lower bound on the worst case behavior we need to find the shortest tree possible that can still hold N! leaves
No comparison-based sort could do better
Decision Trees
According to Lemma 7.4 (p. 291):
log2(n!) >= n log2(n) - 1.45n
Applying Big-O
d must be at least O(n log2(n))
No comparison-based sorting algorithm can have a running time better than O(n log2(n))
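Added example (not code from the lecture): the decision tree of a comparison sort built empirically. Every permutation of n distinct keys is sorted with a comparator that records each comparison's outcome; the distinct outcome sequences are the tree's leaves (n! of them) and the longest sequence is the worst-case depth, which is checked against the ceil(log2(n!)) bound. Both the lecture's sortthree and the Exchange sort are included; the names are mine.

```python
from itertools import permutations
from math import ceil, factorial, log2

def exchange_sort(s, less):
    """Exchange sort: compare s[j] with s[i] and swap when s[j] < s[i].
    Always performs n(n-1)/2 comparisons."""
    s = list(s)
    n = len(s)
    for i in range(n - 1):
        for j in range(i + 1, n):
            if less(s[j], s[i]):
                s[i], s[j] = s[j], s[i]
    return s

def sort_three(s, less):
    """The lecture's sortthree as a fixed comparison tree (2 or 3 compares)."""
    a, b, c = s
    if less(a, b):
        if less(b, c):
            return [a, b, c]
        return [a, c, b] if less(a, c) else [c, a, b]
    if less(b, c):
        return [b, a, c] if less(a, c) else [b, c, a]
    return [c, b, a]

def decision_tree(sort, n):
    """Map each root-to-leaf path (tuple of comparison outcomes) to the
    input permutation that follows it. For a correct sort no two inputs
    share a path, so the tree has exactly n! leaves."""
    leaves = {}
    for perm in permutations(range(n)):
        trace = []
        def less(x, y):
            trace.append(x < y)      # record the outcome at this node
            return x < y
        result = sort(perm, less)
        assert result == sorted(perm), "sort must be correct on every input"
        leaves[tuple(trace)] = perm
    return leaves

def worst_case_depth(sort, n):
    """Length of the longest path = comparisons on the worst input."""
    return max(len(path) for path in decision_tree(sort, n))

def lower_bound(n):
    """A binary tree with n! leaves has depth at least ceil(log2(n!))."""
    return ceil(log2(factorial(n)))

if __name__ == "__main__":
    for n in (3, 4, 5):
        print(n, len(decision_tree(exchange_sort, n)), factorial(n),
              worst_case_depth(exchange_sort, n), lower_bound(n))
```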
Polynomial-Time Algorithms
A polynomial-time algorithm is one whose worst-case running time is bounded above by a polynomial function
Poly-time examples: 2n, 3n, n^5, n log(n), n^100000
Non-poly-time examples: 2^n, 2^(0.000001n), n!
Poly-time is important because for large problem sizes, all non-poly-time algorithms will take forever to execute
Intractability
In Computer Science, a problem is called intractable if it is impossible to solve it with a polynomial-time algorithm
Let me stress that intractability is a property of the problem, not just of any one algorithm to solve the problem
There can be no poly-time algorithm that solves the problem if the problem is to be considered intractable
And just because one non-poly-time algorithm exists for the problem does not make it intractable
Problems that have not been proven to be intractable, but for which poly-time algorithms have never been found
No one has found a poly-time algorithm, but no one has proven that one doesn't exist either
The interesting thing is that tons of problems fall into the 3rd category and almost none into the second
Poly-time Category
Any problem for which we have found a poly-time algorithm
Sorting, searching, matrix multiplication, chained matrix multiplication, shortest paths, minimal spanning tree, etc.
Intractable Category
Two types of problems:
Those that require a non-polynomial amount of output, e.g. determining all Hamiltonian circuits: (n-1)! circuits in the worst case
Those that produce a reasonable amount of output, but the processing time is just too long
These are called undecidable problems; very few of these, but one classic is the Halting Problem
Takes as input any algorithm and any input and will tell you if the algorithm halts when run on the input
Unknown Category
Many problems belong in this category
0-1 Knapsack, Traveling Salesperson, m-coloring, Hamiltonian Circuits, etc.
In general, any problem that we had to solve using backtracking or bounded backtracking falls into this category
The Theory of NP
In the following slides we will show a close and interesting relationship among many of the problems in the Unknown Category
It will be more convenient to develop this theory restricting ourselves to decision problems: problems that have a yes/no answer
We can always convert non-decision problems into decision problems
In 0/1 Knapsack, instead of just asking for the optimal profit, we can instead ask if the optimal profit exceeds some number
In graph coloring, instead of just asking for the minimal number of colors, we can instead ask if the minimal number is less than m
The Set P
The set P is the set of all decision problems that can be solved by polynomial-time algorithms
What problems are in P? Obviously all the ones we have found poly-time solutions for (sorting, etc.)
What about problems like Traveling Salesperson?
The Set NP
The set NP is the set of all decision problems that can be solved by a polynomial-time nondeterministic algorithm
A poly-time non-deterministic algorithm is an algorithm that is broken into 2 stages:
Guessing (non-deterministic) stage Verification (deterministic) stage
Non-deterministic Algorithms
For Traveling Salesperson:
The guessing stage simply guesses possible tours
The verification stage takes a tour from the guessing stage and decides yes/no: is it a tour that has a total weight of no greater than x?
Note that the purpose of this type of algorithm is for theory and classification; there are usually much better ways to actually implement the algorithm
NP
There are thousands of problems that have been proven to be in NP
Further note that all problems in P are also in NP: the guessing stage can do anything it wants, and the verification stage can just run the algorithm
P and NP
Here is the way the picture of the sets is usually drawn. That is, we know that P is a subset of NP; however, we don't know if it is a proper subset
P and NP
That is, no one has ever proven that there exists a problem in NP that is not in P
So, NP - P could be an empty set; if it is, then we say that P = NP
The question of whether P = NP is one of the more intriguing and important questions in all of Computer Science
P = NP?
To prove that P ≠ NP we would have to find a single problem in NP that is not in P
To prove P = NP we would have to find a poly-time algorithm for each problem in NP
This route sounds much harder, but over the next few slides we will show a way to simplify this proof
If you prove either you get an A in the class, not to mention famous
And if you prove P = NP then you also become rich!
NP-Complete Problems
Over the next few slides we develop the background for a new set called NP-Complete
This set will help us in attempting to prove that P = NP
Reducibility
If there exists a poly-time transformation algorithm from decision problem A to decision problem B, then we say A is poly-time reducible to B (or A reduces to B), written:
A ∝ B
NP-Complete Problems
A problem B is called NP-complete if:
it is in NP, and
for every other problem A in NP, A ∝ B
By the previous theorem, if we could show that any NP-complete problem is in P then we could conclude that P = NP
So, Cook basically proved that CNF-Satisfiability is NP-complete
Cook did not reduce all other NP problems to CNF-Satisfiability; instead he did it by exploiting common properties of all NP problems
NP-Complete Problems
Now we can use transitivity to get: a problem C is NP-complete if:
it is in NP, and
for some other NP-complete problem B, B ∝ C
Researchers have spent the last 30 years creating transformations for these problems, and we now have a list of hundreds of NP-complete problems
If any of these NP-complete problems can be proven to be in P then P = NP
And, additionally, we would also have a way to solve all the NP problems (poly-time transformations to the poly-time problem)
Even if an encryption algorithm uses a hard problem, the interceptor does not always have to solve it to crack the encryption.
There may always be a secret, easy solution. An interceptor may look for the easy solution instead of trying to solve the hard problem. This type of exposure can happen with the Merkle-Hellman Knapsack algorithm. (will talk about it later on)
Modular Arithmetic
Can do modular arithmetic with any group of integers: Z_n = {0, 1, ..., n-1}
Form a commutative ring for addition with a multiplicative identity
Note some peculiarities:
if (a+b) = (a+c) mod n then b = c mod n
but if (a·b) = (a·c) mod n then b = c mod n only if a is relatively prime to n
Addition modulo 8:
+ | 0 1 2 3 4 5 6 7
--+----------------
0 | 0 1 2 3 4 5 6 7
1 | 1 2 3 4 5 6 7 0
2 | 2 3 4 5 6 7 0 1
3 | 3 4 5 6 7 0 1 2
4 | 4 5 6 7 0 1 2 3
5 | 5 6 7 0 1 2 3 4
6 | 6 7 0 1 2 3 4 5
7 | 7 0 1 2 3 4 5 6
Often want no common factors (except 1), and hence numbers are relatively prime
e.g. GCD(8,15) = 1, hence 8 & 15 are relatively prime
Euclidean Algorithm
an efficient way to find the GCD(a,b) uses theorem that:
GCD(a,b) = GCD(b, a mod b)
Example GCD(1970,1066)
1970 = 1 x 1066 + 904   gcd(1066, 904)
1066 = 1 x 904 + 162    gcd(904, 162)
904 = 5 x 162 + 94      gcd(162, 94)
162 = 1 x 94 + 68       gcd(94, 68)
94 = 1 x 68 + 26        gcd(68, 26)
68 = 2 x 26 + 16        gcd(26, 16)
26 = 1 x 16 + 10        gcd(16, 10)
16 = 1 x 10 + 6         gcd(10, 6)
10 = 1 x 6 + 4          gcd(6, 4)
6 = 1 x 4 + 2           gcd(4, 2)
4 = 2 x 2 + 0           gcd(2, 0)
Finding Inverses
EXTENDED EUCLID(m, b)
1. (A1, A2, A3) = (1, 0, m); (B1, B2, B3) = (0, 1, b)
2. if B3 = 0 return A3 = gcd(m, b); no inverse
3. if B3 = 1 return B3 = gcd(m, b); B2 = b^-1 mod m
4. Q = A3 div B3
5. (T1, T2, T3) = (A1 - Q·B1, A2 - Q·B2, A3 - Q·B3)
6. (A1, A2, A3) = (B1, B2, B3)
7. (B1, B2, B3) = (T1, T2, T3)
8. goto 2
Example: EXTENDED EUCLID(1759, 550), one row per iteration (invariant: A3 = A1·m + A2·b and B3 = B1·m + B2·b):
Q   | A1    A2    A3   | B1    B2    B3
--  | 1     0     1759 | 0     1     550
3   | 0     1     550  | 1     -3    109
5   | 1     -3    109  | -5    16    5
21  | -5    16    5    | 106   -339  4
1   | 106   -339  4    | -111  355   1
Hence 550^-1 mod 1759 = 355 (check: 550 x 355 = 195250 = 111 x 1759 + 1)
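Added example (not code from the lecture), serving the modular-arithmetic peculiarity, the Euclid GCD(1970,1066) trace and the EXTENDED EUCLID(m, b) algorithm above: the algorithm is implemented with the same (A1,A2,A3)/(B1,B2,B3) rows so its trace can be compared with the table, and a search for a cancellation counterexample shows why the multiplicative rule needs gcd(a, n) = 1. Function names are mine.

```python
from math import gcd

def gcd_trace(a, b):
    """Euclid's algorithm, gcd(a, b) = gcd(b, a mod b). Returns the gcd and
    each step as (a, q, b, r), meaning a = q*b + r."""
    steps = []
    while b:
        q, r = divmod(a, b)
        steps.append((a, q, b, r))
        a, b = b, r
    return a, steps

def extended_euclid(m, b):
    """The lecture's EXTENDED EUCLID(m, b). Invariant: A3 = A1*m + A2*b and
    B3 = B1*m + B2*b, so when B3 reaches 1, B2 is the inverse of b mod m.
    Returns (gcd, inverse or None, rows of (Q, A, B))."""
    A = [1, 0, m]
    B = [0, 1, b]
    rows = [(None, tuple(A), tuple(B))]
    while True:
        if B[2] == 0:
            return A[2], None, rows           # step 2: gcd = A3, no inverse
        if B[2] == 1:
            return 1, B[1] % m, rows          # step 3: gcd = 1, B2 = b^-1 mod m
        Q = A[2] // B[2]                      # step 4
        T = [A[i] - Q * B[i] for i in range(3)]   # step 5
        A, B = B, T                           # steps 6-7
        rows.append((Q, tuple(A), tuple(B)))

def mod_inverse(b, m):
    """b^-1 mod m, or None when gcd(b, m) != 1."""
    return extended_euclid(m, b)[1]

def cancel_counterexample(n):
    """Smallest (a, b, c) with a*b = a*c (mod n) but b != c (mod n).
    None is returned when every non-zero a is a unit (n prime), since then
    cancellation always holds; otherwise gcd(a, n) > 1 for the a found."""
    for a in range(1, n):
        for b in range(n):
            for c in range(b + 1, n):
                if (a * b) % n == (a * c) % n:
                    return a, b, c
    return None

if __name__ == "__main__":
    print(gcd_trace(1970, 1066))
    g, inv, rows = extended_euclid(1759, 550)
    for row in rows:
        print(row)
    print("inverse of 550 mod 1759 =", inv)
    print("mod 8 counterexample:", cancel_counterexample(8))
```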
Polynomial Arithmetic
Can compute using polynomials:
f(x) = a_n x^n + a_(n-1) x^(n-1) + ... + a_1 x + a_0 = Σ a_i x^i
N.B. not interested in any specific value of x, which is known as the indeterminate
Polynomial Division
can write any polynomial in the form:
f(x) = q(x) g(x) + r(x)
Can interpret r(x) as being a remainder: r(x) = f(x) mod g(x)
If have no remainder, say g(x) divides f(x)
If g(x) has no divisors other than itself & 1, say it is irreducible (or prime)
Polynomial arithmetic modulo an irreducible polynomial forms a field
Polynomial GCD
can find greatest common divisor for polys
c(x) = GCD(a(x), b(x)) if c(x) is the poly of greatest degree which divides both a(x), b(x)
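Added example (not code from the lecture) for the polynomial division, irreducibility and GCD slides above, specialised to polynomials with coefficients in GF(2) (an assumption; the slides leave the coefficient field open). A polynomial is held as an integer whose bit i is the coefficient of x^i, so addition is XOR; the names are mine.

```python
def poly_degree(p):
    return p.bit_length() - 1          # degree of the zero polynomial is -1

def poly_mul(a, b):
    """Multiply two GF(2) polynomials (no reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_divmod(f, g):
    """Long division f = q*g + r with deg(r) < deg(g); r = f mod g."""
    if g == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r = 0, f
    dg = poly_degree(g)
    while r and poly_degree(r) >= dg:
        shift = poly_degree(r) - dg      # leading term of r divided by x^dg
        q ^= 1 << shift
        r ^= g << shift                  # subtract (= add) x^shift * g
    return q, r

def poly_gcd(a, b):
    """Euclid's algorithm on polynomials: gcd(a, b) = gcd(b, a mod b)."""
    while b:
        a, b = b, poly_divmod(a, b)[1]
    return a

def is_irreducible(p):
    """Trial division by every polynomial of degree 1 .. deg(p)//2; a
    reducible polynomial must have a factor of at most half its degree."""
    d = poly_degree(p)
    if d < 1:
        return False
    for g in range(2, 1 << (d // 2 + 1)):
        if poly_divmod(p, g)[1] == 0:
            return False
    return True

def poly_str(p):
    """Render the bit pattern as x^k terms for display."""
    if p == 0:
        return "0"
    terms = []
    for i in range(poly_degree(p), -1, -1):
        if p >> i & 1:
            terms.append("x^%d" % i if i > 1 else ("x" if i == 1 else "1"))
    return " + ".join(terms)

if __name__ == "__main__":
    f, g = 0b1010011, 0b1011            # x^6+x^4+x+1 and x^3+x+1
    q, r = poly_divmod(f, g)
    print(poly_str(f), "=", "(%s)(%s) + %s" % (poly_str(q), poly_str(g), poly_str(r)))
    print("x^4 mod (x^3+x+1) =", poly_str(poly_divmod(0b10000, g)[1]))
    print("x^3+x+1 irreducible:", is_irreducible(g), "; x^3+1:", is_irreducible(0b1001))
```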
Prime Numbers
Prime numbers only have divisors of 1 and themselves
They cannot be written as a product of other numbers
Note: 1 is prime, but is generally not of interest
e.g. 2, 3, 5, 7 are prime; 4, 6, 8, 9, 10 are not
Prime numbers are central to number theory
List of prime numbers less than 200 is:
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199
Prime Factorisation
To factor a number n is to write it as a product of other numbers: n = a x b x c
Note that factoring a number is relatively hard compared to multiplying the factors together to generate the number
The prime factorisation of a number n is when it is written as a product of primes
e.g. 91 = 7 x 13; 3600 = 2^4 x 3^2 x 5^2
Conversely can determine the greatest common divisor by comparing their prime factorizations and using the least powers
e.g. 300 = 2^2 x 3^1 x 5^2, 18 = 2^1 x 3^2, hence GCD(18,300) = 2^1 x 3^1 x 5^0 = 6
Fermat's Theorem
a^(p-1) = 1 (mod p)
where p is prime and gcd(a, p) = 1
Primality Testing
Often need to find large prime numbers
Traditionally sieve using trial division, i.e. divide by all numbers (primes) in turn less than the square root of the number
Only works for small numbers
Probabilistic Considerations
If Miller-Rabin returns composite, the number is definitely not prime
Otherwise it is a prime or a pseudo-prime
Chance it detects a pseudo-prime is < 1/4, hence if repeat the test with different random a, then the chance n is prime after t tests is:
Pr(n prime after t tests) = 1 - 4^(-t)
e.g. for t = 10 this probability is > 0.99999
Prime Distribution
Prime number theorem states that primes occur roughly every (ln n) integers
But can immediately ignore evens, so in practice need only test 0.5 ln(n) numbers of size n to locate a prime
Note this is only the average; sometimes primes are close together, other times quite far apart
Random Numbers
Many uses of random numbers in cryptography:
nonces in authentication protocols to prevent replay
session keys
public key generation
keystream for a one-time pad
Note that an attacker can reconstruct the sequence given a small number of values; there are possibilities for making this harder
Unpredictable, passes the next-bit test
Security rests on the difficulty of factoring N
Is unpredictable given any run of bits
Slow, since very large numbers must be used; too slow for cipher use, good for key generation
Starting to see such h/w in new CPUs
Problems of bias or uneven distribution in the signal; have to compensate for this when sampling and using it
Best to only use the few noisiest bits from each sample
Private-Key Cryptography
Traditional private/secret/single-key cryptography uses one key, shared by both sender and receiver
If this key is disclosed, communications are compromised
Also, in symmetric cryptography the parties are equal, hence it does not protect the sender from the receiver forging a message & claiming it was sent by the sender
Public-Key Cryptography
Probably the most significant advance in the 3000-year history of cryptography
Uses two keys: a public & a private key
Asymmetric since the parties are not equal
Uses clever application of number-theoretic concepts to function
Complements rather than replaces private-key cryptography
Public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976
known earlier in classified community
Public-Key Cryptography
Public-key/two-key/asymmetric cryptography involves the use of two keys:
A public key, which may be known by anybody, and can be used to encrypt messages and verify signatures
A private key, known only to the recipient, used to decrypt messages and sign (create) signatures
Is asymmetric because those who encrypt messages or verify signatures cannot decrypt messages or create signatures
Public-Key Cryptography
Public-Key Characteristics
Public-key algorithms rely on two keys where:
It is computationally infeasible to find the decryption key knowing only the algorithm & encryption key
It is computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known
Either of the two related keys can be used for encryption, with the other used for decryption (for some algorithms)
PDM CSE
173/335
Public-Key Cryptosystems
PDM CSE
174/335
Public-Key Applications
- Can classify uses into 3 categories:
  - Encryption/Decryption (provide secrecy)
  - Digital signatures (provide authentication)
  - Key exchange (of session keys)
- Some algorithms are suitable for all uses, others are specific to one
RSA ALGORITHM
RSA
- By Rivest, Shamir & Adleman of MIT in 1977
- Best known & widely used public-key scheme
- Based on exponentiation in a finite (Galois) field over integers modulo a prime
  - Exponentiation takes O((log n)^3) operations (easy)
- Uses large integers (eg. 1024 bits)
- Security due to cost of factoring large numbers
  - Factorization takes O(e^(log n log log n)) operations (hard)
- Publish their public encryption key: PU = {e, n}
- Keep secret private decryption key: PR = {d, n}
RSA Use
- To encrypt a message M the sender:
  - obtains public key of recipient PU = {e, n}
  - computes: C = M^e mod n, where 0 <= M < n
- Note that the message M must be smaller than the modulus n (block if needed)
- In RSA have:
  - n = p.q
  - φ(n) = (p-1)(q-1)
  - carefully chose e & d to be inverses mod φ(n)
  - hence e.d = 1 + k.φ(n) for some k
- decryption:
  M = 11^23 mod 187 = 88
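A worked implementation of the RSA key setup and use described above, added here as an example (it is not code from the lecture). It takes p = 11 and q = 17, which are the factors of the slide's modulus 187, recovers e = 7 as the inverse of the slide's d = 23 modulo φ(n) = 160, and reproduces the decryption 11^23 mod 187 = 88. The CRT routine implements the "compute mod p & q separately, then combine" speed-up from the Efficient Decryption slide. This is textbook RSA on bare integers, exactly as the slides present it; real systems add a padding scheme before exponentiation.

```python
from math import gcd


def rsa_keygen(p, q, e):
    """Return ((e, n), (d, n)) for primes p, q and a public exponent e coprime to phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)          # phi(n) = (p-1)(q-1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # d = e^-1 mod phi(n), so e*d = 1 + k*phi(n)
    return (e, n), (d, n)


def rsa_encrypt(pub, m):
    """C = M^e mod n; the message must be an integer block with 0 <= M < n."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message block must satisfy 0 <= M < n")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    """M = C^d mod n, computed directly."""
    d, n = priv
    return pow(c, d, n)


def rsa_decrypt_crt(p, q, d, c):
    """Decrypt with the Chinese Remainder Theorem: exponentiate mod p and mod q
    separately, using the smaller exponents d mod (p-1) and d mod (q-1), then
    recombine. Only the private-key owner, who knows p and q, can do this."""
    dp, dq = d % (p - 1), d % (q - 1)
    mp = pow(c, dp, p)
    mq = pow(c, dq, q)
    q_inv = pow(q, -1, p)            # Garner's recombination step
    h = (q_inv * (mp - mq)) % p
    return mq + h * q


def rsa_example():
    """The slide's numbers: n = 187 = 11 * 17 and d = 23, so phi(n) = 160 and e = 7."""
    p, q = 11, 17
    d = 23
    e = pow(d, -1, (p - 1) * (q - 1))
    pub, priv = rsa_keygen(p, q, e)
    m = 88
    c = rsa_encrypt(pub, m)
    return {
        "e": e, "n": pub[1], "d": priv[0],
        "ciphertext": c,
        "direct": rsa_decrypt(priv, c),
        "crt": rsa_decrypt_crt(p, q, d, c),
    }


if __name__ == "__main__":
    print(rsa_example())
```

`rsa_example()` returns ciphertext 11 for the plaintext 88, and both the direct and the CRT decryption recover 88; the CRT path does the two exponentiations with 3-bit and 7-bit exponents instead of one 23-bit exponent, which is where the roughly fourfold speed-up at real key sizes comes from.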
Exponentiation
- Can use the Square and Multiply Algorithm
- A fast, efficient algorithm for exponentiation
- Concept is based on repeatedly squaring base
- And multiplying in the ones that are needed to compute the result
- Look at binary representation of exponent
- Only takes O(log2 n) multiples for number n
  - eg. 7^5 = 7^4 . 7^1 = 3 . 7 = 10 mod 11
  - eg. 3^129 = 3^128 . 3^1 = 5 . 3 = 4 mod 11
Exponentiation
  c = 0; f = 1
  for i = k downto 0 do
      c = 2 x c
      f = (f x f) mod n
      if b_i == 1 then
          c = c + 1
          f = (f x a) mod n
  return f
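The pseudocode above, implemented in Python as an added example (not code from the lecture). It scans the exponent's bits from the most significant b_k down to b_0, squares on every bit and multiplies in the base only where the bit is set, and also returns the running value c, which the pseudocode rebuilds bit by bit and which equals the exponent on exit, plus a count of modular multiplications to make the O(log2 n) cost visible.

```python
def square_and_multiply(a, b, n):
    """Compute a^b mod n exactly as the slide's algorithm does.

    Returns (result, c, ops): c is the exponent reassembled from its bits and
    equals b when the loop ends; ops counts modular multiplications, which is
    at most 2 * (number of bits of b) rather than b."""
    c, f, ops = 0, 1, 0
    for bit in bin(b)[2:]:           # characters '1'/'0', most significant bit first
        c = 2 * c
        f = (f * f) % n              # squaring step, done for every bit
        ops += 1
        if bit == "1":
            c = c + 1
            f = (f * a) % n          # multiply in the base only where the bit is set
            ops += 1
    return f, c, ops


if __name__ == "__main__":
    # The two examples from the slide: 7^5 mod 11 and 3^129 mod 11
    print(square_and_multiply(7, 5, 11))      # (10, 5, 5)
    print(square_and_multiply(3, 129, 11))    # (4, 129, 10)
```

For 3^129 the loop runs eight squarings and two multiplications, where a naive product would need 128 multiplications; at RSA sizes (1024-bit exponents) the gap is what makes the scheme usable at all.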
Efficient Encryption
- Encryption uses exponentiation to power e
- Hence if e small, this will be faster
  - often choose e = 65537 (2^16 + 1)
  - also see choices of e = 3 or e = 17

Efficient Decryption
- Decryption uses exponentiation to power d
  - this is likely large, insecure if not
- Can use the Chinese Remainder Theorem (CRT) to compute mod p & q separately, then combine to get desired answer
  - approx 4 times faster than doing directly
- Only owner of private key who knows values of p & q can use this technique
RSA Security
- Possible approaches to attacking RSA are:
  - Brute force key search (infeasible given size of numbers)
  - Mathematical attacks (based on difficulty of computing φ(n), by factoring modulus n)
  - Timing attacks (on running of decryption)
  - Chosen ciphertext attacks (given properties of RSA)
Factoring Problem
- Mathematical approach takes 3 forms:
  - factor n = p.q, hence compute φ(n) and then d
  - determine φ(n) directly and compute d
  - find d directly

Timing Attacks
- Developed by Paul Kocher in mid-1990s
- Exploit timing variations in operations
  - eg. multiplying by small vs large number
  - or IF's varying which instructions executed
- Infer operand size based on time taken
- RSA exploits time taken in exponentiation
- Countermeasures
  - use constant exponentiation time
  - add random delays
  - blind values used in calculations
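The blinding countermeasure listed above, as an added example that is not from the lecture. Before exponentiating, the decryptor multiplies the ciphertext by r^e for a fresh random r coprime to n, so the value whose exponentiation an observer could time is a random element of Z_n rather than the attacker-chosen ciphertext; multiplying the result by r^-1 strips the blinding, because (c.r^e)^d = m.r^(e.d) = m.r mod n. The keys are the slide's example values (n = 187, e = 7, d = 23).

```python
import secrets
from math import gcd


def blinded_decrypt(pub, priv, c, r=None):
    """RSA decryption with blinding: ((c * r^e)^d) * r^-1 = m mod n.

    The modular exponentiation runs on c * r^e, a value the party measuring
    timing can neither choose nor predict. r defaults to a fresh random value
    coprime to n; a fixed r is only accepted here so the steps can be checked.
    Returns (plaintext, blinded_ciphertext) so callers can see that the value
    actually exponentiated differs from c."""
    e, n = pub
    d, _ = priv
    if r is None:
        while True:
            r = secrets.randbelow(n - 2) + 2        # 2 <= r < n
            if gcd(r, n) == 1:
                break
    elif gcd(r, n) != 1:
        raise ValueError("blinding factor must be coprime to n")
    blinded_c = (c * pow(r, e, n)) % n              # c * r^e
    blinded_m = pow(blinded_c, d, n)                # (c * r^e)^d = m * r (mod n)
    return (blinded_m * pow(r, -1, n)) % n, blinded_c


def plain_decrypt(priv, c):
    """Unblinded reference: the exponentiation operates directly on c."""
    d, n = priv
    return pow(c, d, n)


if __name__ == "__main__":
    pub, priv = (7, 187), (23, 187)
    for _ in range(3):
        m, seen = blinded_decrypt(pub, priv, 11)
        print(m, seen)     # plaintext 88 every time; the blinded value changes per call
```

Blinding changes what the exponentiation sees, not how long it takes, so it is usually combined with a constant-time exponentiation routine rather than used instead of one.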
- must be relatively easy to produce
- must be relatively easy to recognize & verify
- be computationally infeasible to forge
  - with new message for existing digital signature
  - with fraudulent digital signature for given message

- requires suitable level of trust in arbiter
- can be implemented with either private or public-key algorithms
- arbiter may or may not see message
Authentication Protocols
- used to convince parties of each other's identity and to exchange session keys
- may be one-way or mutual
- key issues are
  - confidentiality to protect session keys
  - timeliness to prevent replay attacks
- published protocols are often found to have flaws and need to be modified
Replay Attacks
- where a valid signed message is copied and later resent
  - simple replay
  - repetition that can be logged
  - repetition that cannot be detected
  - backward replay without modification
- countermeasures include
  - use of sequence numbers (generally impractical)
  - timestamps (needs synchronized clocks)
  - challenge/response (using unique nonce)
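A receiver-side implementation of the three countermeasures above, added as an example (not from the lecture). Each message carries a timestamp, a per-sender sequence number and a unique nonce, all bound to the body by an HMAC under a key the receiver is assumed to share with legitimate senders; the receiver rejects a bad tag first, then anything outside its clock window, then a nonce it has already accepted, then a sequence number that does not increase. The sample messages and the shared key are constructed for the example.

```python
import hashlib
import hmac
import os


class ReplayGuard:
    """Receiver state for replay detection: a nonce cache plus the highest
    sequence number accepted from each sender, checked inside a timestamp window."""

    def __init__(self, key, window_seconds=30.0):
        self.key = key                  # assumed pre-shared with legitimate senders
        self.window = window_seconds    # tolerance for clock skew and delivery delay
        self.seen_nonces = set()        # in practice pruned once older than the window
        self.last_seq = {}              # sender -> highest accepted sequence number

    def mac(self, sender, seq, ts, nonce, body):
        """Bind identity, counter, time, nonce and body together under one tag."""
        header = f"{sender}|{seq}|{ts:.3f}|".encode()
        return hmac.new(self.key, header + nonce + b"|" + body, hashlib.sha256).digest()

    def accept(self, msg, now):
        """Return (accepted, reason); `now` is the receiver's own clock reading."""
        expected = self.mac(msg["sender"], msg["seq"], msg["ts"], msg["nonce"], msg["body"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad MAC"                        # forged or modified in transit
        if abs(now - msg["ts"]) > self.window:
            return False, "timestamp outside window"       # stale message (or clock skew)
        if msg["nonce"] in self.seen_nonces:
            return False, "nonce already seen"             # exact replay of an accepted message
        if msg["seq"] <= self.last_seq.get(msg["sender"], -1):
            return False, "sequence number not increasing"  # backward replay or reordering
        self.seen_nonces.add(msg["nonce"])
        self.last_seq[msg["sender"]] = msg["seq"]
        return True, "ok"


def build_message(guard, sender, seq, body, ts, nonce=None):
    """Sender side: attach timestamp, sequence number, a fresh nonce and the MAC."""
    nonce = os.urandom(16) if nonce is None else nonce
    msg = {"sender": sender, "seq": seq, "ts": ts, "nonce": nonce, "body": body}
    msg["tag"] = guard.mac(sender, seq, ts, nonce, body)
    return msg


if __name__ == "__main__":
    guard = ReplayGuard(b"constructed-shared-key")
    first = build_message(guard, "alice", 1, b"transfer 10", ts=1000.0)
    print(guard.accept(first, now=1000.5))   # (True, 'ok')
    print(guard.accept(first, now=1001.0))   # (False, 'nonce already seen')
```

The order of the checks matters: the MAC is verified before any state is consulted, so an unauthenticated sender cannot poison the nonce cache or advance a sequence counter.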
Needham-Schroeder Protocol
- original third-party key distribution protocol
- for session between A B mediated by KDC
- protocol overview is:
  1. A -> KDC: ID_A || ID_B || N1
  2. KDC -> A: E_Ka[Ks || ID_B || N1 || E_Kb[Ks || ID_A]]
  3. A -> B: E_Kb[Ks || ID_A]
  4. B -> A: E_Ks[N2]
  5. A -> B: E_Ks[f(N2)]
Needham-Schroeder Protocol
- used to securely distribute a new session key for communications between A & B
- but is vulnerable to a replay attack if an old session key has been compromised
  - then message 3 can be resent, convincing B that it is communicating with A

Denning AS Protocol
- Denning 81 presented the following:
  1. A -> AS: ID_A || ID_B
  2. AS -> A: E_PRas[ID_A || PUa || T] || E_PRas[ID_B || PUb || T]
  3. A -> B: E_PRas[ID_A || PUa || T] || E_PRas[ID_B || PUb || T] || E_PUb[E_PRas[Ks || T]]
- note session key is chosen by A, hence AS need not be trusted to protect it
- timestamps prevent replay but require synchronized clocks
One-Way Authentication
- required when sender & receiver are not in communications at same time (eg. email)
- have header in clear so can be delivered by email system
- may want contents of body protected & sender authenticated

Public-Key Approaches
- have seen some public-key approaches
- if confidentiality is major concern, can use:
  - A -> B: E_PUb[Ks] || E_Ks[M]
  - has encrypted session key, encrypted message
- choose g = h^((p-1)/q)
  - where h < p-1, h^((p-1)/q) (mod p) > 1

Hash Algorithms
Message Authentication
- message authentication is concerned with:
  - protecting the integrity of a message
  - validating identity of originator
  - non-repudiation of origin (dispute resolution)
- will consider the security requirements
- then three alternative functions used:
  - message encryption
  - message authentication code (MAC)
  - hash function
Security Requirements
- Disclosure
- Traffic analysis
- Masquerade
- Content modification
- Sequence modification
- Timing modification
- Source repudiation
- Destination repudiation
Message Encryption
- Message encryption by itself also provides a measure of authentication
- If symmetric encryption is used then:
  - receiver knows sender must have created it, since only sender and receiver know the key used
  - knows content cannot have been altered, if message has suitable structure, redundancy or a checksum to detect any changes

Message Encryption
- If public-key encryption is used:
  - encryption provides no confidence of sender, since anyone potentially knows the public-key
  - however if sender signs message using their private-key, then encrypts with recipient's public key, have both secrecy and authentication
  - again need to recognize corrupted messages
  - but at cost of two public-key uses on message
- Appended to message as a signature
- Receiver performs same computation on message and checks it matches the MAC
- Provides assurance that message is unaltered and comes from sender
MAC Properties
- A MAC is a cryptographic checksum
  MAC = C_K(M)
  - condenses a variable-length message M using a secret key K to a fixed-sized authenticator
- Is a many-to-one function
  - potentially many messages have same MAC
  - but finding these needs to be very difficult
Hash Functions
- Condenses arbitrary message to fixed size
  h = H(M)
- Usually assume that the hash function is public and not keyed
  - cf. MAC which is keyed
- Hash used to detect changes to message
- Can use in various ways with message
- Most often to create a digital signature
1. Can be applied to any sized message M
2. Produces fixed-length output h
3. Is easy to compute h = H(M) for any message M
4. Given h is infeasible to find x s.t. H(x) = h
   - one-way property
5. Given x is infeasible to find y s.t. H(y) = H(x)
   - weak collision resistance
6. Is infeasible to find any x, y s.t. H(y) = H(x)
   - strong collision resistance
Birthday Attacks
- might think a 64-bit hash is secure
- but by Birthday Paradox is not
- birthday attack works thus:
  - opponent generates 2^(m/2) variations of a valid message all with essentially the same meaning
  - opponent also generates 2^(m/2) variations of a desired fraudulent message
  - two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox)
  - have user sign the valid message, then substitute the forgery which will have a valid signature
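The birthday bound behind the slide, measured rather than stated, as an added example (not from the lecture). It models an m-bit hash by truncating SHA-256, hashes random inputs until two collide, and compares the count with the birthday estimate of about sqrt(pi/2 . 2^m) hashes for a 50% collision chance. At m = 32 the collision arrives after tens of thousands of hashes, not billions, which is the point the slide makes about 64-bit digests (2^32 work instead of 2^64). The inputs are constructed from a seeded generator so the run is repeatable.

```python
import hashlib
import random
from math import pi, sqrt


def truncated_hash(data, bits):
    """Leading `bits` bits of SHA-256, standing in for a short m-bit hash."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def trials_until_collision(bits, seed=1, max_trials=1 << 22):
    """Hash fresh random inputs until two distinct inputs share a truncated hash.

    Returns the number of hashes computed when the first collision appears,
    or None if max_trials is exhausted (which the birthday bound makes
    astronomically unlikely for the defaults)."""
    rng = random.Random(seed)            # seeded so the measurement is repeatable
    seen = {}                            # truncated hash -> first input that produced it
    for trials in range(1, max_trials + 1):
        x = rng.getrandbits(64).to_bytes(8, "big")
        h = truncated_hash(x, bits)
        if h in seen and seen[h] != x:
            return trials
        seen[h] = x
    return None


def expected_trials(bits):
    """Birthday estimate: roughly sqrt(pi/2 * 2^bits) hashes for a 50% chance of a collision."""
    return sqrt(pi / 2 * 2 ** bits)


if __name__ == "__main__":
    for m in (16, 24, 32):
        print(m, trials_until_collision(m), round(expected_trials(m)))
    print(64, round(expected_trials(64)))   # about 5.4e9, i.e. 2^32 scale, not 2^64
```

`expected_trials(64)` is about 5.4 billion; that is why a hash meant to resist collision search needs a digest twice as long as the work factor it is expected to impose.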
- based on design of MD4 with key differences
- produces 160-bit hash values
- recent 2005 results on security of SHA-1 have raised concerns on its use in future applications

- designed for compatibility with increased security provided by the AES cipher
- structure & detail is similar to SHA-1
  - hence analysis should be similar
  - but security levels are rather higher

SHA-512 Overview
Whirlpool
- now examine the Whirlpool hash function
- endorsed by European NESSIE project
- uses modified AES internals as compression function
- addressing concerns on use of block ciphers seen previously
- with performance comparable to dedicated algorithms like SHA

Whirlpool Overview
HMAC
- specified as Internet standard RFC2104
- uses hash function on the message:
  HMAC_K = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
- where K+ is the key padded out to size
- and opad, ipad are specified padding constants
- overhead is just 3 more hash calculations than the message needs alone
- any hash function can be used
  - eg. MD5, SHA-1, RIPEMD-160, Whirlpool

HMAC Overview
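The HMAC formula above written out directly, as an added example (not from the lecture): the key is padded with zeros to the hash's block size to give K+, XORed with the ipad and opad constants (0x36 and 0x5C repeated, from RFC 2104), and the outer hash is taken over the short inner digest, so the message is hashed once and the overhead is two more hash computations over one block each. The standard library's `hmac` module is used only to cross-check the manual version, and tags are compared in constant time.

```python
import hashlib
import hmac


def hmac_manual(key, msg, hashmod=hashlib.sha256):
    """HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]], built from the definition."""
    block_size = hashmod().block_size          # 64 bytes for MD5/SHA-1/SHA-256, 128 for SHA-512
    if len(key) > block_size:
        key = hashmod(key).digest()            # RFC 2104: keys longer than a block are hashed first
    k_plus = key.ljust(block_size, b"\x00")    # K+: key padded with zeros to the block size
    ipad = bytes(b ^ 0x36 for b in k_plus)
    opad = bytes(b ^ 0x5C for b in k_plus)
    inner = hashmod(ipad + msg).digest()       # inner hash covers the whole message
    return hashmod(opad + inner).digest()      # outer hash covers only the inner digest


def reference_hmac(key, msg, name="sha256"):
    """The same computation via the standard library, for cross-checking."""
    return hmac.new(key, msg, name).digest()


def verify_tag(key, msg, tag, hashmod=hashlib.sha256):
    """Constant-time comparison so a forger cannot learn the tag byte by byte."""
    return hmac.compare_digest(hmac_manual(key, msg, hashmod), tag)


# Hash functions the slide lists that are available in hashlib (Whirlpool and RIPEMD-160 are not)
HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


if __name__ == "__main__":
    key, msg = b"constructed-key", b"The quick brown fox jumps over the lazy dog"
    for name, mod in HASHES.items():
        print(name, hmac_manual(key, msg, mod).hex() == reference_hmac(key, msg, name).hex())
```

The structure also explains the HMAC Security slide: because the key enters both the inner and the outer hash, an attacker who sees only tags cannot run a birthday search on the inner hash's inputs without the key.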
HMAC Security
- proved security of HMAC relates to that of the underlying hash algorithm
- attacking HMAC requires either:
  - brute force attack on key used
  - birthday attack (but since keyed would need to observe a very large number of messages)

CMAC
- previously saw the DAA (CBC-MAC)
- widely used in govt & industry
- but has message size limitation
- can overcome using 2 keys & padding
- thus forming the Cipher-based Message Authentication Code (CMAC)
- adopted by NIST SP800-38B

CMAC Overview
- Stream ciphers process messages a bit or byte at a time when en/decrypting
- Many current ciphers are block ciphers
- Block ciphers have broader range of applications
- Encrypts 64-bit data using 56-bit key
- Has widespread use
- Has been considerable controversy over its security
DES History
- IBM developed Lucifer cipher
  - by team led by Feistel in late 60s
  - used 64-bit data blocks with 128-bit key
- Then redeveloped as a commercial cipher with input from NSA and others
- In 1973 NBS issued request for proposals for a national cipher standard
- IBM submitted their revised Lucifer which was eventually accepted as the DES

- Subsequent events and public analysis show in fact design was appropriate
- Use of DES has flourished
  - especially in financial applications
  - still standardised for legacy application use
Initial Permutation IP
- First step of the data computation
- IP reorders the input data bits
- Even bits to LH half, odd bits to RH half
- Quite regular in structure (easy in h/w)
Substitution Boxes S
- Have eight S-boxes which map 6 to 4 bits
- Each S-box is actually 4 little 4 bit boxes
  - outer bits 1 & 6 (row bits) select one row of 4
  - inner bits 2-5 (col bits) are substituted
  - result is 8 lots of 4 bits, or 32 bits
- Example:
  S(18 09 12 3d 11 17 38 39) = 5fd25e03
DES Decryption
- Decrypt must unwind steps of data computation
- With Feistel design, do encryption steps again using sub-keys in reverse order (SK16 ... SK1)
  - IP undoes final FP step of encryption
  - 1st round with SK16 undoes 16th encrypt round
  - ...
  - 16th round with SK1 undoes 1st encrypt round
  - then final FP undoes initial encryption IP
  - thus recovering original data value
Avalanche Effect
- Key desirable property of encryption algo.
- Where a change of one input or key bit results in changing approx half output bits
- Making attempts to home-in by guessing keys impossible
- DES exhibits strong avalanche

- Still must be able to recognize plaintext
- Must now consider alternatives to DES
Differential Cryptanalysis
- One of the most significant recent (public) advances in cryptanalysis
- Known by NSA in 70's cf DES design
- Murphy, Biham & Shamir published in 90s
- Powerful method to analyse block ciphers
- Used to analyse most current block ciphers with varying degrees of success
- DES reasonably resistant to it, cf Lucifer

Differential Cryptanalysis
- A statistical attack against Feistel ciphers
- Uses cipher structure not previously used
- Design of S-P networks has output of function f influenced by both input & key
- Hence cannot trace values back through cipher without knowing value of the key
- Differential cryptanalysis compares two related pairs of encryptions
  - With a known difference in the input
  - Searching for a known difference in output
  - When same subkeys are used
Differential Cryptanalysis
- Have some input difference giving some output difference with probability p
- If find instances of some higher probability input / output difference pairs occurring
- Can infer sub-key that was used in round
- Then must iterate process over many rounds (with decreasing probabilities)
Differential Cryptanalysis
- Perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR
- When found
  - if intermediate rounds match required XOR have a right pair
  - if not then have a wrong pair, relative ratio is S/N for attack
- For large numbers of rounds, probability is so low that more pairs are required than exist with 64-bit inputs
- Biham and Shamir have shown how a 13-round iterated characteristic can break the full 16-round DES
Linear Cryptanalysis
- Another recent development
- Also a statistical method
- Must be iterated over rounds, with decreasing probabilities
- Developed by Matsui et al in early 90's
- Based on finding linear approximations
- Can attack DES with 2^43 known plaintexts, easier but still in practice infeasible

Linear Cryptanalysis
- Find linear approximations with prob p != 1/2
  P[i1,i2,...,ia] ⊕ C[j1,j2,...,jb] = K[k1,k2,...,kc]
  - where ia, jb, kc are bit locations in P, C, K
- Gives linear equation for key bits
- Get one key bit using max likelihood alg
- Using a large number of trial encryptions
- Effectiveness given by: |p - 1/2|
- Function f:
  - provides confusion, is nonlinear, avalanche
  - have issues of how S-boxes are selected
- Key schedule
  - complex sub-key creation, key avalanche
Origins
- Clear a replacement for DES was needed
  - have theoretical attacks that can break it
  - have demonstrated exhaustive key search attacks
- Can use Triple-DES but slow, has small blocks
- US NIST issued call for ciphers in 1997
- 15 candidates accepted in Jun 98
- 5 were shortlisted in Aug-99
- Rijndael was selected as the AES in Oct-2000
- Issued as FIPS PUB 197 standard in Nov-2001
AES Requirements
- Private key symmetric block cipher
- 128-bit data, 128/192/256-bit keys
- Stronger & faster than Triple-DES
- Active life of 20-30 years (+ archival use)
- Provide full specification & design details
- Both C & Java implementations
- NIST have released all submissions & unclassified analysis

Final criteria
- general security
- ease of software & hardware implementation
- implementation attacks
- flexibility (in en/decrypt, keying, other factors)
AES Shortlist
- After testing and evaluation, shortlist in Aug-99:
  - MARS (IBM) - complex, fast, high security margin
  - RC6 (USA) - v. simple, v. fast, low security margin
  - Rijndael (Belgium) - clean, fast, good security margin
  - Serpent (Euro) - slow, clean, v. high security margin
  - Twofish (USA) - complex, v. fast, high security margin
- Then subject to further analysis & comment
- Saw contrast between algorithms with
  - few complex rounds versus many simple rounds
  - which refined existing ciphers versus new proposals

- Designed to be:
  - resistant against known attacks
  - speed and code compactness on many CPUs
  - design simplicity
Rijndael
- Data block of 4 columns of 4 bytes is state
- Key is expanded to array of words
- Has 9/11/13 rounds in which state undergoes:
  - byte substitution (1 S-box used on every byte)
  - shift rows (permute bytes between groups/columns)
  - mix columns (subs using matrix multiply of groups)
  - add round key (XOR state with key material)
  - view as alternating XOR key & scramble data bytes
- Initial XOR key material & incomplete last round
- With fast XOR & table lookup implementation
Byte Substitution
- A simple substitution of each byte
- Uses one table of 16x16 bytes containing a permutation of all 256 8-bit values
- Each byte of state is replaced by byte indexed by row (left 4-bits) & column (right 4-bits)
  - eg. byte {95} is replaced by byte in row 9 column 5
  - which has value {2A}
- S-box constructed using defined transformation of values in GF(2^8)
- Designed to be resistant to all known attacks
Shift Rows
- A circular byte shift in each row
  - 1st row is unchanged
  - 2nd row does 1 byte circular shift to left
  - 3rd row does 2 byte circular shift to left
  - 4th row does 3 byte circular shift to left
- Decrypt inverts using shifts to right
- Since state is processed by columns, this step permutes bytes between the columns
Mix Columns
- Each column is processed separately
- Each byte is replaced by a value dependent on all 4 bytes in the column
- Effectively a matrix multiplication in GF(2^8) using prime poly m(x) = x^8 + x^4 + x^3 + x + 1
- Can express each col as 4 equations
  - to derive each new byte in col
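The three data-scrambling steps of the round (Byte Substitution, Shift Rows and Mix Columns from the slides above) built from the GF(2^8) arithmetic the slides describe, as an added example that is not the lecture's or the AES designers' code. Instead of storing the 256-entry S-box, the block computes an entry the way the slide says it is constructed: multiplicative inverse in GF(2^8) followed by the fixed affine transform, which reproduces the slide's lookup {95} -> {2A}. Mix Columns multiplies each column by the matrix with coefficients 2, 3, 1, 1 modulo m(x) = x^8 + x^4 + x^3 + x + 1, and its inverse matrix (coefficients 0E, 0B, 0D, 09) is included to show that decryption undoes it. The state is a 4x4 list of rows, so `state[r][c]` is the byte in row r, column c.

```python
AES_POLY = 0x11B   # m(x) = x^8 + x^4 + x^3 + x + 1, the reduction polynomial of GF(2^8)


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8): shift-and-add with reduction by m(x)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:          # degree 8 term appeared: reduce by m(x)
            a ^= AES_POLY
        b >>= 1
    return result & 0xFF


def gf_inv(a):
    """Multiplicative inverse as a^254 (the nonzero elements form a group of order 255)."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result if a else 0   # the S-box construction maps 0 to 0 before the affine step


def sbox(x):
    """Rijndael S-box entry: inverse in GF(2^8), then the affine transform
    b' = b XOR rotl(b,1) XOR rotl(b,2) XOR rotl(b,3) XOR rotl(b,4) XOR 0x63."""
    s = gf_inv(x)
    out = s
    for k in range(1, 5):
        out ^= ((s << k) | (s >> (8 - k))) & 0xFF
    return out ^ 0x63


def sub_bytes(state):
    return [[sbox(b) for b in row] for row in state]


def shift_rows(state):
    """Row r is rotated left by r bytes (row 0 unchanged); decryption rotates right."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def mix_column(col, matrix=MIX):
    """Each new byte is a GF(2^8) combination of all four bytes of the column."""
    out = []
    for row in matrix:
        value = 0
        for coef, byte in zip(row, col):
            value ^= gf_mul(coef, byte)
        out.append(value)
    return out


def mix_columns(state, matrix=MIX):
    """Apply mix_column to every column of a row-major 4x4 state."""
    cols = [[state[r][c] for r in range(4)] for c in range(4)]
    mixed = [mix_column(col, matrix) for col in cols]
    return [[mixed[c][r] for c in range(4)] for r in range(4)]


if __name__ == "__main__":
    print(hex(sbox(0x95)))                                   # 0x2a, the slide's example
    print([hex(v) for v in mix_column([0xDB, 0x13, 0x53, 0x45])])   # FIPS-197 test column
```

Using `gf_inv` in `sbox` costs a few dozen multiplications per byte, which is why real implementations precompute the 256-entry table the slide describes; the computed form is useful for checking such a table rather than for encrypting with it.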
AES Round

AES Decryption
- AES decryption is not identical to encryption since steps done in reverse
- But can define an equivalent inverse cipher with steps as for encryption
  - but using inverses of each step
  - with a different key schedule
Implementation Aspects
- Can efficiently implement on 8-bit CPU
  - byte substitution works on bytes using a table of 256 entries
  - shift rows is simple byte shift
  - add round key works on byte XORs
  - mix columns requires matrix multiply in GF(2^8) which works on byte values, can be simplified to use table lookups & byte XORs

Implementation Aspects
- Can efficiently implement on 32-bit CPU
  - redefine steps to use 32-bit words
  - can precompute 4 tables of 256-words
  - then each column in each round can be computed using 4 table lookups + 4 XORs
  - at a cost of 4Kb to store tables
- Designers believe this very efficient implementation was a key factor in its selection as the AES cipher
Key Management
- Public-key encryption helps address key distribution problems
- Have two aspects of this:
  - distribution of public keys
  - use of public-key encryption to distribute secret keys
Public Announcement
- Users distribute public keys to recipients or broadcast to community at large
  - eg.&nbsp;append PGP (pretty good privacy) keys to email messages or post to news groups or email list

Public-Key Authority
- Improve security by tightening control over distribution of keys from directory
- Has properties of directory
- Requires users to know public key for the directory
- Then users interact with directory to obtain any desired public key securely
  - does require real-time access to directory when keys are needed (the technique is known as catching)
Public-Key Certificates
- Certificates allow key exchange without realtime access to public-key authority
- A certificate binds identity to public key
  - usually with other info such as period of validity, rights of use etc
- With all contents signed by a trusted Public-Key or Certificate Authority (CA)
- Can be verified by anyone who knows the public-key authority's public-key

- Problem is that an opponent can intercept and impersonate both halves of protocol
Rationale
- performance
- backward compatibility

- It is a practical method for public exchange of a secret key
- Used in a number of commercial products
- Value of key depends on the participants (and their private and public key information)
- Based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy
- Security relies on the difficulty of computing discrete logarithms (similar to factoring) - hard
Diffie-Hellman Setup
- All users agree on global parameters:
  - large prime integer or polynomial q
  - a being a primitive root mod q
- K_AB is used as session key in private-key encryption scheme between Alice and Bob
- If Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys
- Attacker needs an x, must solve discrete log

Diffie-Hellman Example
- Users Alice & Bob who wish to swap keys:
- Agree on prime q = 353 and a = 3
- Select random secret keys:
  - A chooses xA = 97, B chooses xB = 233
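The example above carried through in code, added here (it is not the lecture's code): with the slide's parameters q = 353, a = 3, xA = 97 and xB = 233 it computes the public values each side sends and checks that both arrive at the same session key. The public values and the key are computed by the block, not stated on the slide. It also confirms that 3 is a primitive root of 353, as the setup requires, and includes a brute-force discrete-log search to make concrete what "attacker needs an x, must solve discrete log" costs: trivial at q = 353, and the reason real q has hundreds of digits. Note that nothing here authenticates the two parties, which is the interception problem the slides raise.

```python
def dh_public(q, a, x):
    """Y = a^x mod q: the value a party publishes (x stays private)."""
    return pow(a, x, q)


def dh_shared(q, peer_public, x):
    """K = (peer's Y)^x mod q; both parties obtain a^(xA*xB) mod q."""
    return pow(peer_public, x, q)


def is_primitive_root(a, q):
    """True if the powers of a run through all of Z_q^* (q prime); fine for tiny q."""
    seen, value = set(), 1
    for _ in range(q - 1):
        value = (value * a) % q
        seen.add(value)
    return len(seen) == q - 1


def brute_force_dlog(q, a, y):
    """Recover x with a^x = y mod q by trying every exponent: the attacker's task,
    feasible only because q is tiny."""
    value = 1
    for x in range(q - 1):
        if value == y:
            return x
        value = (value * a) % q
    return None


def dh_example(q=353, a=3, x_alice=97, x_bob=233):
    """The slide's parameters; returns what each side sends and what each side derives."""
    y_alice = dh_public(q, a, x_alice)
    y_bob = dh_public(q, a, x_bob)
    return {
        "y_alice": y_alice,
        "y_bob": y_bob,
        "k_alice": dh_shared(q, y_bob, x_alice),
        "k_bob": dh_shared(q, y_alice, x_bob),
    }


if __name__ == "__main__":
    r = dh_example()
    print(r)                                  # both k values agree
    print(brute_force_dlog(353, 3, r["y_alice"]))   # recovers Alice's 97 from her public value
```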
ECC Diffie-Hellman
- can do key exchange analogous to D-H
- users select a suitable curve E_p(a,b)
- select base point G = (x1, y1)
  - with large order n s.t. nG = O
- A & B select private keys nA < n, nB < n
- compute public keys: PA = nA.G, PB = nB.G
- compute shared key: K = nA.PB, K = nB.PA
  - same since K = nA.nB.G

ECC Encryption/Decryption
- several alternatives, will consider simplest
- must first encode any message M as a point on the elliptic curve Pm
- select suitable curve & point G as in D-H
- each user chooses private key nA < n
- and computes public key PA = nA.G
- to encrypt Pm: Cm = {kG, Pm + k.Pb}, k random
- decrypt Cm compute:
  Pm + k.Pb - nB(kG) = Pm + k(nB.G) - nB(kG) = Pm
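Both the ECC key exchange and the encryption scheme above, implemented over a toy prime-field curve as an added example (not the lecture's code). The curve E_211(0, -4), the base point G = (2, 2), the private keys nA = 121 and nB = 203, the message point and the random k = 41 are constructed for the example, not taken from the slides. Point addition and doubling use the standard affine formulas, scalar multiplication is double-and-add (the curve analogue of square-and-multiply), the order n of G is found by repeated addition, and the decryption follows the identity on the slide: subtracting nB(kG) from Pm + k.Pb recovers Pm because nB(kG) = k(nB.G) = k.Pb.

```python
O = None   # the point at infinity, identity of the group


class Curve:
    """y^2 = x^3 + a*x + b over GF(p), p an odd prime, with affine formulas."""

    def __init__(self, p, a, b):
        self.p, self.a, self.b = p, a % p, b % p

    def contains(self, P):
        if P is O:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P):
        return O if P is O else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        if P is O:
            return Q
        if Q is O:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return O                                  # P + (-P) = O, also doubling a point with y = 0
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)   # tangent slope
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)              # chord slope
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k, P):
        """k*P by double-and-add."""
        result, addend = O, P
        while k > 0:
            if k & 1:
                result = self.add(result, addend)
            addend = self.add(addend, addend)
            k >>= 1
        return result

    def order(self, G):
        """Smallest n with n*G = O, by repeated addition (only sensible for toy curves)."""
        n, Q = 1, G
        while Q is not O:
            Q = self.add(Q, G)
            n += 1
        return n


def ecdh(curve, G, n_a, n_b):
    """Returns (P_A, P_B, K as A computes it, K as B computes it)."""
    p_a, p_b = curve.mul(n_a, G), curve.mul(n_b, G)
    return p_a, p_b, curve.mul(n_a, p_b), curve.mul(n_b, p_a)


def ec_encrypt(curve, G, pub_b, pm, k):
    """Cm = {k*G, Pm + k*P_B}; k must be fresh and random for every message."""
    return curve.mul(k, G), curve.add(pm, curve.mul(k, pub_b))


def ec_decrypt(curve, n_b, cm):
    """Pm = (Pm + k*P_B) - n_B*(k*G)."""
    c1, c2 = cm
    return curve.add(c2, curve.neg(curve.mul(n_b, c1)))


# Constructed toy parameters: E_211(0, -4) with base point G = (2, 2)
TOY_CURVE = Curve(211, 0, -4)
TOY_G = (2, 2)


if __name__ == "__main__":
    curve, G = TOY_CURVE, TOY_G
    print("order of G:", curve.order(G))
    p_a, p_b, k_a, k_b = ecdh(curve, G, 121, 203)
    print("shared:", k_a, k_b)
    pm = curve.mul(5, G)                      # a message already encoded as a curve point
    print(ec_decrypt(curve, 203, ec_encrypt(curve, G, p_b, pm, 41)) == pm)
```

Encoding an arbitrary message as a point Pm, which the slide lists as the first step, is a separate problem that this block sidesteps by using a multiple of G as the message point.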
ECC Security
- relies on elliptic curve logarithm problem
- fastest method is Pollard rho method
- compared to factoring, can use much smaller key sizes than with RSA etc
- for equivalent key lengths computations are roughly equivalent
- hence for similar security ECC offers significant computational advantages