Fuw-Yi Yang 1
Public Key Cryptography
Department of Computer Science and Information Engineering, Chaoyang University of Technology
Speaker: Fuw-Yi Yang
On the speaker's given name 伏夷: it does not mean "to subdue the barbarians". In the Tao Te Ching, Chapter 58, 伏 means to lie hidden; in Chapter 14, the Tao has no shape or form, and what is looked at but cannot be seen is called 夷.
RSA Public Key Cryptosystem 1/3
A-Mi's public key: $n = 77$, $e = 7$ (private key $d = 43$, kept secret).
Anyone can send data (here $m = 5$) to A-Mi; the ciphertext is
$c = m^e \bmod 77 = 5^7 \bmod 77 = 5 \cdot 5 \cdot 5 \cdot 5 \cdot 5 \cdot 5 \cdot 5 \bmod 77 = 125 \cdot 5 \cdot 125 \bmod 77 = 48 \cdot 5 \cdot 48 \bmod 77 = 9 \cdot 48 \bmod 77 = 47$.
The ciphertext $c = 47$ is sent to A-Mi over the public network.
RSA Public Key Cryptosystem 2/3
A-Mi's public key: $n = 77$, $e = 7$ (private key $d = 43$, kept secret).
When A-Mi receives the ciphertext $c = 47$, she decrypts:
$m = c^d \bmod 77 = 47^{43} \bmod 77 = 47 \cdot 47 \cdots 47 \bmod 77 = 23 \cdot 53 \cdot 47 \bmod 77 = 5$.
Note: $23 = 47^{10} \bmod 77$ and $53 = 47^{32} \bmod 77$, so $47^{43} = 47^{32} \cdot 47^{10} \cdot 47$.
RSA Public Key Cryptosystem 3/3
An attacker who knows A-Mi's public key $n = 77$, $e = 7$ cannot derive the private key $d = 43$ from it, because that requires factoring $n$, one of the hard problems of number theory. (For a toy modulus such as $77 = 7 \cdot 11$ anyone can factor and then compute $d$; the argument only holds for large $n$.)
For example: if $n$ is the product of two large primes and $n \approx 2^{1024}$ (about $10^{308}$), a naive count gives a 10 GHz CPU about $10^{300}$ seconds, or $1.157 \times 10^{295}$ days, to factor it. This is only an order-of-magnitude illustration; the best known factoring algorithms do far better than this estimate, which is why moduli of 2048 bits or more are recommended in practice.
RSA Public Key Cryptosystem 1/2
RSA Public Key Cryptosystem: signatures
A-Mi's public key: $n = 77$, $e = 7$ (private key $d = 43$, kept secret).
A-Mi signs data $m = 5$; the signature is
$s = m^d \bmod 77 = 5^{43} \bmod 77 = 5 \cdots 5 \bmod 77 = 23 \cdot 48 \bmod 77 = 26$
(using $5^3 = 48 \bmod 77$ and $5^{40} = 23 \bmod 77$).
RSA Public Key Cryptosystem 2/2
RSA Public Key Cryptosystem: signatures
A-Mi's public key: $n = 77$, $e = 7$ (private key $d = 43$, kept secret).
Anyone who receives $(s = 26, m = 5)$ can verify it: compute
$v = s^e \bmod 77 = 26^7 \bmod 77 = 26 \cdot 26 \cdot 26 \cdot 26 \cdot 26 \cdot 26 \cdot 26 \bmod 77 = 20 \cdot 20 \cdot 26 \bmod 77 = 5$
(using $26^3 = 20 \bmod 77$), then check whether $m$ and $v$ are equal.
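The four RSA slides above can be reproduced end to end with the same toy key. The following is an added example written for this page, not code from the slides: it derives $d = 43$ from $p = 7$, $q = 11$, $e = 7$, repeats the encryption, decryption, signing and verification with the slides' numbers using square-and-multiply (the way $47^{43} \bmod 77$ is actually computed instead of multiplying 43 times), and then shows the multiplicative property of textbook RSA that the later slides refer to as a "homomorphic attack on the secret token": from signatures on $m_1$ and $m_2$ anyone can produce a valid signature on $m_1 m_2 \bmod n$ without $d$.

```python
"""Textbook RSA with the page's toy parameters (n = 77, e = 7, d = 43).
Constructed example for this page; not code from the original slides."""
from __future__ import annotations

from math import gcd


def square_and_multiply(base: int, exp: int, mod: int) -> int:
    """Right-to-left binary exponentiation; how 47^43 mod 77 is really computed."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def keygen(p: int, q: int, e: int) -> tuple[int, int, int]:
    """Derive (n, e, d) from two primes; e must be invertible modulo phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # e*d = 1 mod phi(n); modular inverse (Python >= 3.8)
    return n, e, d


def encrypt(m: int, n: int, e: int) -> int:
    return square_and_multiply(m, e, n)


def decrypt(c: int, n: int, d: int) -> int:
    return square_and_multiply(c, d, n)


def sign(m: int, n: int, d: int) -> int:
    return square_and_multiply(m, d, n)


def verify(m: int, s: int, n: int, e: int) -> bool:
    return square_and_multiply(s, e, n) == m % n


def forge_product_signature(m1: int, s1: int, m2: int, s2: int, n: int) -> tuple[int, int]:
    """Multiplicative homomorphism of textbook RSA: (s1*s2)^e = m1*m2 mod n,
    so two valid signatures yield a third one on m1*m2 without knowing d.
    Tokens of the form S_i = ID_i^d mod N have the same weakness."""
    return (m1 * m2) % n, (s1 * s2) % n


def factor_toy_modulus(n: int) -> tuple[int, int]:
    """Trial division: instant for 77, hopeless for a 2048-bit modulus."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


if __name__ == "__main__":
    n, e, d = keygen(7, 11, 7)          # (77, 7, 43)
    c = encrypt(5, n, e)                # 47
    s = sign(5, n, d)                   # 26
    print(n, e, d, c, decrypt(c, n, d), s, verify(5, s, n, e))
    m3, s3 = forge_product_signature(5, s, 3, sign(3, n, d), n)
    print(m3, s3, verify(m3, s3, n, e))  # forged signature on 15 verifies
    print(factor_toy_modulus(n))        # (7, 11): why d is not secret here
```

The forged signature is the reason real deployments sign a hash with a padding scheme (RSA-PSS or PKCS#1 v1.5) rather than the raw message, and the reason the anonymous-identification tokens discussed later must not be raw RSA signatures on identities.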
William Stallings, Fuw-Yi Yang 8
The Finite Field – Groups 1/2
Groups: A group $G$, denoted by $\{G, \cdot\}$, is a set of elements with a binary operation $\cdot$ such that:
(A1) Closure: $a, b \in G$ implies that $a \cdot b \in G$
(A2) Associative: $a, b, c \in G$ implies that $a \cdot (b \cdot c) = (a \cdot b) \cdot c$
(A3) Identity: there is an element $e$ in $G$ such that $a = a \cdot e = e \cdot a$ for all $a$ in $G$
(A4) Inverse: for all $a$ in $G$, there exists an element $b$ ($= a^{-1}$) in $G$ such that $e = a \cdot b = b \cdot a$
Abelian group: (A5) Commutative law: $a \cdot b = b \cdot a$ for all $a, b$ in $G$
The Finite Field – Groups 2/2
Example: $\{Z_7^*, \cdot\}$, where $G = Z_7^* = \{1, 2, 3, 4, 5, 6\}$ and $\cdot$ is multiplication modulo 7.
$5 \cdot 3 \bmod 7 = 1$, so $5^{-1} = 3$ and $3^{-1} = 5$.
$2 \cdot 6 \bmod 7 = 5$ and $6 \cdot 2 \bmod 7 = 5$ (Abelian group).
The Finite Field – Rings 1/5
Rings: A ring $R$, denoted by $\{R, +, \cdot\}$, is a set of elements with two binary operations, addition $+$ and multiplication $\cdot$, such that:
(A1)~(A5): $R$ is an abelian group with respect to addition
(M1) Closure under $\cdot$: $a, b \in R$ implies that $a \cdot b \in R$
(M2) Associative: $a, b, c \in R$ implies that $a \cdot (b \cdot c) = (a \cdot b) \cdot c$
(M3) Distributive: $a \cdot (b + c) = a \cdot b + a \cdot c$ and $(a + b) \cdot c = a \cdot c + b \cdot c$ for all $a, b, c$ in $R$
(M4) Commutative law (commutative ring): $a \cdot b = b \cdot a$ for all $a, b$ in $R$
The Finite Field – Rings (integral domain) 2/5
Integral Domain: a commutative ring that also satisfies
(M5) Multiplicative identity: there is an element $1$ in $R$ such that $a = a \cdot 1 = 1 \cdot a$ for all $a$ in $R$
(M6) No zero divisors: if $a, b$ in $R$ and $a \cdot b = 0$, then either $a = 0$ or $b = 0$
The Finite Field – Fields 3/5
Fields: A field $F$, denoted by $\{F, +, \cdot\}$, is a set of elements with two binary operations, addition $+$ and multiplication $\cdot$, such that:
(A1)~(M6): $F$ is an integral domain
(M7) Multiplicative inverse: for each $a$ in $F$ except $0$, there is an element $a^{-1}$ in $F$ such that $a \cdot a^{-1} = a^{-1} \cdot a = 1$
Example: the finite field of order $p^n$, the Galois field $GF(p^n)$.
The Finite Field – GF(7)-addition 4/5
modulo 7
+ 0 1 2 3 4 5 6
0 0 1 2 3 4 5 6
1 1 2 3 4 5 6 0
2 2 3 4 5 6 0 1
3 3 4 5 6 0 1 2
4 4 5 6 0 1 2 3
5 5 6 0 1 2 3 4
6 6 0 1 2 3 4 5
The Finite Field – GF(7)-multiplication 5/5
modulo 7
× 0 1 2 3 4 5 6
0 0 0 0 0 0 0 0
1 0 1 2 3 4 5 6
2 0 2 4 6 1 3 5
3 0 3 6 2 5 1 4
4 0 4 1 5 2 6 3
5 0 5 3 1 6 4 2
6 0 6 5 4 3 2 1
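The two tables above are the whole of $GF(7)$; the axioms on the preceding slides can be checked mechanically from such tables. The following added example (written for this page, not from the slides or Stallings) builds the addition and multiplication tables of $Z_n$, reads the inverses off the multiplication table, lists zero divisors, and uses this to decide whether $Z_n$ is a field. It generalizes the slides' single case: $Z_7$ is a field, $Z_6$ has zero divisors $2, 3, 4$, and the RSA ring $Z_{77}$ is not a field either, but its units $Z_{77}^*$ (the 60 elements coprime to 77) still form a group.

```python
"""Brute-force check of the ring/field axioms for Z_n from its operation tables.
Constructed example for this page; not code from the slides."""
from __future__ import annotations

from math import gcd
from typing import Callable


def add_table(n: int) -> list[list[int]]:
    return [[(a + b) % n for b in range(n)] for a in range(n)]


def mul_table(n: int) -> list[list[int]]:
    return [[(a * b) % n for b in range(n)] for a in range(n)]


def zero_divisors(n: int) -> list[int]:
    """Nonzero a for which some nonzero b gives a*b = 0 mod n (a violation of M6)."""
    t = mul_table(n)
    return [a for a in range(1, n) if any(t[a][b] == 0 for b in range(1, n))]


def inverses(n: int) -> dict[int, int]:
    """a -> a^-1 mod n, read off the multiplication table (M7 for the units only)."""
    t = mul_table(n)
    return {a: t[a].index(1) for a in range(1, n) if 1 in t[a]}


def units(n: int) -> list[int]:
    """Z_n^* = {a : gcd(a, n) = 1}; its size is Euler's phi(n)."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def is_group_table(elems: list[int], op: Callable[[int, int], int], n: int) -> bool:
    """Closure plus every row and column being a permutation of elems gives
    A1, A3 and A4; associativity (A2) is inherited from integer arithmetic."""
    rows = [[op(a, b) % n for b in elems] for a in elems]
    cols = [list(c) for c in zip(*rows)]
    target = sorted(elems)
    return all(sorted(r) == target for r in rows) and all(sorted(c) == target for c in cols)


def classify(n: int) -> str:
    """Z_n is a field exactly when it has no zero divisors and every nonzero
    element is invertible; for finite n that happens iff n is prime."""
    if not zero_divisors(n) and len(inverses(n)) == n - 1:
        return "field"
    return "commutative ring with zero divisors"


if __name__ == "__main__":
    for n in (6, 7, 77):
        print(n, classify(n), "zero divisors:", zero_divisors(n)[:6], "units:", len(units(n)))
    print("GF(7) inverses:", inverses(7))  # {1: 1, 2: 4, 3: 5, 4: 2, 5: 3, 6: 6}
    print(is_group_table(units(77), lambda a, b: a * b, 77))   # True: Z_77^* is a group
    print(is_group_table(list(range(1, 6)), lambda a, b: a * b, 6))  # False: 2*3 = 0
```

The `units(77)` result is the set the anonymous-identification slides later call $Z_N^*$, and its size $\phi(77) = 60$ is the modulus of the exponents in the RSA example ($7 \cdot 43 \equiv 1 \pmod{60}$).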
Anonymous User Identification 1/15
1. T. S. Wu and C. L. Hsu, "Efficient user identification scheme with key distribution preserving anonymity for distributed computer networks," Computers & Security, Vol. 23(2), pp. 120-125, 2004.
2. K. Mangipudi and R. Katti, "A secure identification and key agreement protocol with user anonymity (SIKA)," Computers & Security, Vol. 25, pp. 420-425, 2006.
3. W. B. Lee and C. C. Chang, "User identification and key distribution maintaining anonymity for distributed computer network," Computer Systems Science and Engineering, Vol. 15(4), pp. 113-116, July 2000.
4. Y. Yang, S. Wang, F. Bao, J. Wang and R. H. Deng, "New efficient user identification and key distribution scheme providing enhanced security," Computers & Security, Vol. 23, pp. 697-704, 2004.
5. (not discussed below) C. C. Yang, Y. L. Tang, R. C. Wang and H. L. Yang, "A secure and efficient authentication protocol for anonymous channel in wireless communications," Applied Mathematics and Computation, Vol. ??, pp. ??, 2005.
Anonymous User Identification 2/15
W. B. Lee and C. C. Chang
1. Key generation: the Smart Card Producing Center (SCPC) chooses large primes $p$ and $q$, computes $N = pq$, picks $g \in Z_N^*$, a hash function $f$, and $e, d$ such that $e d \equiv 1 \pmod{\phi(N)}$. Public key: $N, e, g, f$. Secret key: $p, q, d$.
$\phi(N)$ denotes the Euler totient function, i.e. the cardinality of $Z_N^* = \{a \mid a \in Z_N \text{ and } \gcd(a, N) = 1\}$. Example: $Z_{15}^* = \{1, 2, 4, 7, 8, 11, 13, 14\}$.
$H$ is a collision-resistant hash function, $H: \{0, 1\}^* \to \{0, 1\}^l$: given a pre-image it is easy to compute its image, but given an image it is difficult to find a pre-image, and difficult to find two inputs with the same image.
Anonymous User Identification 3/15
W. B. Lee and C. C. Chang
1. Key generation (continued): in a secure way, SCPC sends each user $U_i$ or provider $P_j$ (with identity $ID_i$ or $ID_j$) a secret token $S_i = (ID_i)^d \bmod N$ (resp. $S_j = (ID_j)^d \bmod N$).
2. Anonymous user identification:
Anonymous User Identification 4/15
W. B. Lee and C. C. Chang
Message flow between $U_i$ and $P_j$:
1. $U_i \to P_j$: request
2. $P_j \to U_i$: $z$, where $z = g^k \bmod N$ for a random $k$ chosen by $P_j$
3. $U_i$ picks random $t_1, t_2$ and a timestamp $T$, and computes $x = S_i \, z^{t_1} g^{f(T) t_2} \bmod N$, $y_1 = g^{e t_1} \bmod N$, $y_2 = g^{e t_2} \bmod N$
4. $U_i \to P_j$: $x, y_1, y_2, T$
5. $P_j$ checks $T$, and whether an existing user's ID satisfies $ID_i = x^e / (y_1^k \, y_2^{f(T)}) \bmod N$
Anonymous User Identification 5/15
W. B. Lee and C. C. Chang: why the check works
$U_i$ side:
$z = g^k \bmod N$
$x = S_i \, z^{t_1} g^{f(T) t_2} = (ID_i)^d g^{k t_1} g^{f(T) t_2} \bmod N$
$y_1 = g^{e t_1} \bmod N$, $y_2 = g^{e t_2} \bmod N$
$K_{ij} = z^{e t_1} = g^{e k t_1} \bmod N$
$P_j$ side:
$ID_i = x^e / (y_1^k \, y_2^{f(T)}) = (ID_i)^{de} g^{e k t_1} g^{e f(T) t_2} / (g^{e k t_1} g^{e f(T) t_2}) = (ID_i)^{de} = ID_i \bmod N$
$K_{ij} = y_1^k = g^{e k t_1} \bmod N$
Anonymous User Identification 6/15
Weakness of W. B. Lee and C. C. Chang (reported in [1])
1. No authentication of $P_j$: $z = g^k \bmod N$ involves nothing tied to $P_j$'s token, so anyone can play the provider.
2. Assume the session key $K_{ij}$ is compromised. The public transcript is
$x = S_i \, z^{t_1} g^{f(T) t_2} \bmod N$, $y_1 = g^{e t_1} \bmod N$, $y_2 = g^{e t_2} \bmod N$, $T$
and $P_j$ computes $ID_i = x^e / (y_1^k \, y_2^{f(T)}) \bmod N$ and $K_{ij} = y_1^k = g^{e k t_1} \bmod N$ (equal to $U_i$'s $K_{ij} = z^{e t_1}$).
Since $K_{ij} = y_1^k$, anyone who knows $K_{ij}$ computes $ID_i = x^e / (K_{ij} \, y_2^{f(T)}) \bmod N$ from the transcript without knowing $k$: the user's anonymity is lost.
Anonymous User Identification 7/15
T. S. Wu and C. L. Hsu
1. Key generation: as in Lee and Chang. In a secure way, SCPC sends each user $U_i$ or provider $P_j$ (with identity $ID_i$ or $ID_j$) a secret token $S_i = (ID_i)^d \bmod N$ (resp. $S_j = (ID_j)^d \bmod N$).
2. Anonymous user identification:
Anonymous User Identification 8/15
T. S. Wu and C. L. Hsu
Message flow between $U_i$ and $P_j$:
1. $U_i \to P_j$: request
2. $P_j \to U_i$: $z$, where $z = S_j \, g^k \bmod N$ for a random $k$ chosen by $P_j$
3. $U_i$ computes $a = z^e / ID_j = g^{e k} \bmod N$, picks a random $t$ and a timestamp $T$, and computes $x = S_i \, f(a^t \| T) \bmod N$, $y = g^{e t} \bmod N$
4. $U_i \to P_j$: $x, y, T$
5. $P_j$ checks $T$, and whether an existing user's ID satisfies $ID_i = (x / f(y^k \| T))^e \bmod N$
Anonymous User Identification 9/15
T. S. Wu and C. L. Hsu: why the check works
$U_i$ side:
$z = S_j \, g^k \bmod N$
$a = z^e / ID_j = g^{e k} \bmod N$
$x = S_i \, f(a^t \| T) \bmod N$
$y = g^{e t} \bmod N$
$K_{ij} = a^{t x} = g^{e k t x} \bmod N$
$P_j$ side: check $T$, then
$ID_i = (x / f(y^k \| T))^e = [(ID_i)^d f(a^t \| T) / f(y^k \| T)]^e = [(ID_i)^d f(g^{e k t} \| T) / f(g^{e k t} \| T)]^e = (ID_i)^{de} = ID_i \bmod N$
$K_{ij} = y^{k x} = g^{e k t x} \bmod N$
Anonymous User Identification 10/15
Weakness of T. S. Wu and C. L. Hsu (reported in [4]): disclosure of the user's token $S_i$
$U_i$ computes $a = z^e / ID_j = g^{e k} \bmod N$, $x = S_i \, f(a^t \| T) \bmod N$, $y = g^{e t} \bmod N$, $K_{ij} = a^{t x} = g^{e k t x} \bmod N$.
$P_j$ checks $T$ and $ID_i = (x / f(y^k \| T))^e = [(ID_i)^d f(a^t \| T) / f(y^k \| T)]^e = [(ID_i)^d f(g^{e k t} \| T) / f(g^{e k t} \| T)]^e = ID_i \bmod N$.
The same division, without the final $e$-th power, is the token itself:
$S_i = x / f(y^k \| T) = (ID_i)^d f(a^t \| T) / f(y^k \| T) \bmod N$.
Any provider $P_j$, who knows $k$, therefore learns $U_i$'s long-term secret token from a single run and can impersonate $U_i$ afterwards.
Anonymous User Identification 11/15
Y. Yang et al.
1. Key generation: as in Lee and Chang. In a secure way, SCPC sends each user $U_i$ or provider $P_j$ (with identity $ID_i$ or $ID_j$) a secret token $S_i = (ID_i)^d \bmod N$ (resp. $S_j = (ID_j)^d \bmod N$).
2. Anonymous user identification:
Anonymous User Identification 12/15
Y. Yang et al.
Message flow between $U_i$ and $P_j$:
1. $U_i \to P_j$: request
2. $P_j \to U_i$: $z$, where $z = g^k / S_j \bmod N$ for a random $k$ chosen by $P_j$
3. $U_i$ computes $a = z^e \, ID_j = g^{e k} \bmod N$, picks a random $t$ and a timestamp $T$, and computes $K_{ij} = a^t = g^{e k t} \bmod N$, $x = g^{e t} \bmod N$, $s = g^t (S_i)^{h(x, T)} \bmod N$, $y = E_{K_{ij}}(ID_i)$
4. $U_i \to P_j$: $s, x, y, T$
5. $P_j$ computes $K_{ij} = x^k = g^{e k t} \bmod N$ and $ID_i = D_{K_{ij}}(y)$, checks $ID_i$ against the user list, and checks $x \, (ID_i)^{h(x, T)} = s^e \bmod N$
Anonymous User Identification 13/15
Weakness of Y. Yang et al. (reported in [2])
My comments: compromise of the session key $K_{ij}$ discloses the user's identity, since $ID_i = D_{K_{ij}}(y)$.
[2]'s comment: a denial-of-service attack by a man in the middle, shown below.
Other attacks: homomorphic attack on the secret token.
Man-in-the-middle flow:
1. $P_j \to$ middle man $\to U_i$: $P_j$ sends $z = g^k / S_j \bmod N$; the middle man replaces it with some $z'$
2. $U_i$ computes $a' = (z')^e \, ID_j \bmod N$, $K'_{ij} = (a')^t \bmod N$, $x = g^{e t} \bmod N$, $s = g^t (S_i)^{h(x, T)} \bmod N$, $y' = E_{K'_{ij}}(ID_i)$; $U_i$ believes a valid session key has been derived
3. $U_i \to P_j$: $s, x, y', T$
4. $P_j$ computes $K_{ij} = x^k = g^{e k t} \bmod N$ and $ID_i = D_{K_{ij}}(y')$, which is meaningless because $K_{ij} \ne K'_{ij}$; the check of $ID_i$ against the user list and of $x \, (ID_i)^{h(x, T)} = s^e \bmod N$ fails, so $P_j$ aborts
Yangfy's note: $(ID_i)^{h(x, T)} = s^e / x \bmod N$ involves only public values, so anyone holding the transcript $(s, x, T)$ can test whether a given $ID_i$ participated in the session.
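Both the Lee–Chang key-compromise weakness (slide 6/15 above) and the linkability test in the note just above can be run on toy parameters. The following is an added example written for this page, not code from the slides or from the cited papers. It assumes constructed SCPC parameters ($N = 61 \cdot 53$, $e = 17$, $g = 2$), a SHA-256-based stand-in for the hash functions $f$ and $h$, and an XOR-with-digest stand-in for the symmetric cipher $E_K / D_K$; identities are small integers in $Z_N^*$. The honest runs reproduce the verification equations from the slides; `lee_chang_deanonymize` recovers $ID_i$ from a leaked $K_{ij}$ and the public transcript, and `yang_link` tests candidate identities against $s^e / x$.

```python
"""Toy runs of the Lee-Chang and Yang et al. anonymous identification schemes.
Constructed example with tiny RSA parameters; not the authors' code."""
from __future__ import annotations

import hashlib
import secrets

# SCPC parameters (constructed; a real N would be 2048 bits or more).
p, q = 61, 53
N = p * q                      # 3233
phi = (p - 1) * (q - 1)        # 3120
e = 17
d = pow(e, -1, phi)            # e*d = 1 mod phi(N)
g = 2                          # g in Z_N^*


def f(*parts) -> int:
    """Stand-in for the public hash f / h: SHA-256 reduced to a nonzero exponent."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % phi or 1


def token(identity: int) -> int:
    """SCPC issues S = ID^d mod N, a raw RSA signature on the identity."""
    return pow(identity, d, N)


def inv(x: int) -> int:
    return pow(x, -1, N)


def rand_exp() -> int:
    return secrets.randbelow(phi - 2) + 2


def lee_chang_run(user_id: int, T: int):
    """One honest Lee-Chang exchange. Returns (transcript, ID seen by P_j, K_ij)."""
    S_i = token(user_id)
    k = rand_exp()
    z = pow(g, k, N)                                   # P_j -> U_i
    t1, t2 = rand_exp(), rand_exp()
    fT = f(T)
    x = S_i * pow(z, t1, N) * pow(g, fT * t2, N) % N
    y1 = pow(g, e * t1, N)
    y2 = pow(g, e * t2, N)                             # U_i -> P_j: x, y1, y2, T
    K_user = pow(z, e * t1, N)
    # P_j: ID_i = x^e / (y1^k * y2^f(T)) and K_ij = y1^k.
    seen = pow(x, e, N) * inv(pow(y1, k, N) * pow(y2, fT, N) % N) % N
    K_prov = pow(y1, k, N)
    assert K_user == K_prov
    return {"x": x, "y1": y1, "y2": y2, "T": T}, seen, K_prov


def lee_chang_deanonymize(tr: dict, K_ij: int) -> int:
    """Slide 6/15: K_ij = y1^k, so a leaked session key plus the public
    transcript gives ID_i = x^e / (K_ij * y2^f(T)) with no knowledge of k."""
    return pow(tr["x"], e, N) * inv(K_ij * pow(tr["y2"], f(tr["T"]), N) % N) % N


def toy_xor(key: int, msg: int) -> int:
    """Stand-in for E_K / D_K: XOR with a 32-bit digest of the key (toy only)."""
    pad = hashlib.sha256(str(key).encode()).digest()[:4]
    return msg ^ int.from_bytes(pad, "big")


def yang_run(user_id: int, provider_id: int, T: int):
    """One honest Yang et al. exchange. Returns (transcript, ID seen by P_j, check ok)."""
    S_i, S_j = token(user_id), token(provider_id)
    k = rand_exp()
    z = pow(g, k, N) * inv(S_j) % N                    # P_j -> U_i
    a = pow(z, e, N) * provider_id % N                 # = g^{ek}; needs P_j's token
    t = rand_exp()
    K_user = pow(a, t, N)
    x = pow(g, e * t, N)
    s = pow(g, t, N) * pow(S_i, f(x, T), N) % N
    y = toy_xor(K_user, user_id)                       # U_i -> P_j: s, x, y, T
    K_prov = pow(x, k, N)
    seen = toy_xor(K_prov, y)
    ok = x * pow(seen, f(x, T), N) % N == pow(s, e, N)
    return {"s": s, "x": x, "y": y, "T": T}, seen, ok


def yang_link(tr: dict, candidates) -> list[int]:
    """Yangfy's note: s^e / x = ID_i^{h(x,T)} mod N uses only public values, so
    an eavesdropper with a list of candidate IDs can test who took part."""
    target = pow(tr["s"], e, N) * inv(tr["x"]) % N
    return [c for c in candidates if pow(c, f(tr["x"], tr["T"]), N) == target]
```

The linkability test needs no key material at all, only the list of registered identities, which a provider necessarily has; anonymity in this scheme therefore holds only against an eavesdropper who does not know who the users are.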
Anonymous User Identification 14/15
K. Mangipudi and R. Katti
1. Key generation: in a secure way, SCPC sends each user $U_i$ or provider $P_j$ (with identity $ID_i$ or $ID_j$) a secret token $S_i = (ID_i)^d \bmod N$. In addition the server has an RSA key pair: public key $N_s = p_s q_s$, $e_s$, $g_s \in Z_{N_s}$; secret key $d_s$.
2. Anonymous user identification:
Anonymous User Identification 15/15
K. Mangipudi and R. Katti
Message flow between $U_i$ and $P_j$:
1. $U_i \to P_j$: request
2. $P_j \to U_i$: $z, T, w$, where $z = g^k / S_j \bmod N$ and $w = (g_s)^{H(z, T, ID_s) d_s} \bmod N_s$
3. $U_i$ checks $w^{e_s} = (g_s)^{H(z, T, ID_s)} \bmod N_s$, then computes $a = z^e \, ID_j = g^{e k} \bmod N$, $K_{ij} = a^t = g^{e k t} \bmod N$, $x = g^{e t} \bmod N$, $s = g^t (S_i)^{H(x, T)} \bmod N$, $y = E_{K_{ij}}(ID_i)$
4. $U_i \to P_j$: $s, x, y, T$
5. $P_j$ computes $K_{ij} = x^k = g^{e k t} \bmod N$ and $ID_i = D_{K_{ij}}(y)$, checks $ID_i$ against the user list, and checks $x \, (ID_i)^{H(x, T)} = s^e \bmod N$
Anonymous User Identification
Weakness of K. Mangipudi and R. Katti (comments by yangfy)
Flow (as on the previous slide): $U_i \to P_j$: request. $P_j \to U_i$: $z, T, w$ with $z = g^k / S_j \bmod N$ and $w = (g_s)^{H(z, T, ID_s) d_s} \bmod N_s$. $U_i$ computes $a = z^e \, ID_j = g^{e k} \bmod N$, $K_{ij} = a^t = g^{e k t} \bmod N$, $x = g^{e t} \bmod N$, $s = g^t (S_i)^{H(x, T)} \bmod N$, $y = E_{K_{ij}}(ID_i)$. $U_i \to P_j$: $s, x, y, T$. $P_j$ computes $K_{ij} = x^k = g^{e k t} \bmod N$ and $ID_i = D_{K_{ij}}(y)$, checks $ID_i$ against the user list and checks $x \, (ID_i)^{H(x, T)} = s^e \bmod N$.
My comments:
1. Compromise of the session key $K_{ij}$ discloses the user's identity, exactly as in Yang et al.
2. The server's public key is not required.
3. Other attacks: homomorphic attack on the secret token.
4. The check of $ID_i$ against the user list is not required.
Deniable Authentication protocol 1/15
1. L. Fan, C. X. Xu and J. H. Li, "Deniable authentication protocol based on Diffie-Hellman algorithm," Electronics Letters, Vol. 38(4), pp. 705-706, 2002.
2. C. Dwork, M. Naor and A. Sahai, "Concurrent zero-knowledge," Proceedings of the Thirtieth Annual ACM Symposium on the Theory of Computing (STOC '98), pp. 409-418, 1998.
3. Y. Aumann and M. Rabin, "Efficient deniable authentication of long messages," Int. Conf. on Theoretical Computer Science in Honor of Professor Manuel Blum's 60th Birthday, 1998. (http://www.cs.cityu.edu.hk/dept/video.html)
4. Y. Aumann and M. Rabin, "Authentication, enhanced security and error correcting codes," Advances in Cryptology, CRYPTO '98, LNCS 1462, pp. 299-303, 1998.
5. X. Deng, C. H. Lee and H. Zhu, "Deniable authentication protocols," IEE Proceedings, Computers and Digital Techniques, Vol. 148(2), pp. 101-104, 2001.
Deniable Authentication protocol 2/15
Aumann and Rabin 1/2
Features: 1. the receiver is able to authenticate the source of a received message. 2. the receiver cannot prove the source of the message to a third party.
PD: publicly known directory, containing a set of public data and encoding rules. $N = pq$ (no one knows the values of $p$ and $q$). $R$: receiver. $S$: sender.
$X = x_1 x_2 \ldots x_n$: message sent to $R$ by $S$. $C(X) = y_1 y_2 \ldots y_m$: encoding of message $X$; $C$ is a public encoding rule. $I = i_1 i_2 \ldots i_k$: $k$ different indices between 1 and $m$.
$S$ selects a set of random numbers $g_1^{(0)}, g_1^{(1)}, \ldots, g_m^{(0)}, g_m^{(1)}$ and computes their squares $G_j^{(e)} = (g_j^{(e)})^2 \bmod N$, $j = 1, \ldots, m$, $e = 0, 1$. $S$ publishes $G_j^{(e)}$, $j = 1, \ldots, m$, $e = 0, 1$, at PD.
Deniable Authentication protocol 3/15
Aumann and Rabin 2/2: to deniably authenticate one bit of the encoded message $C(X)$
1. $S \to R$: $A = a^2 \bmod N$ (for a random $a$)
2. $R \to S$: $i$, chosen at random from $I$ (the $i$-th bit)
3. $S$ sets $e = y_i$ and computes $u_i = a \, g_i^{(e)} \bmod N$
4. $S \to R$: $u_i$
5. $R$ checks that $u_i^2 = A \, G_i^{(e)} \bmod N$
$R$ can simulate $S$ as follows:
1. Choose $i$
2. Known $y_i$
3. $u_i \in_R Z_N^*$
4. $A = u_i^2 / G_i^{(e)} \bmod N$
Deniable Authentication protocol 4/15
Deng et al. 1/2
Like the scheme of Aumann and Rabin, except that $C(\cdot)$ is replaced by a collision-resistant hash function.
PD: publicly known directory, containing a set of public data and encoding rules. $N = pq$ (no one knows the values of $p$ and $q$). $R$: receiver. $S$: sender. $X = x_1 x_2 \ldots x_n$: message sent to $R$ by $S$.
$H(X) = z_1 z_2 \ldots z_m$: encoding of message $X$, $|z_i| = s$ (block size); $H$ is a public hash function.
$S$ selects a set of random numbers $g_1, g_2, \ldots, g_m$, computes their squares $G_j = g_j^2 \bmod N$, $j = 1, \ldots, m$, and publishes $G_j$, $j = 1, \ldots, m$, at PD.
$E_{PK_R}(\cdot)$ denotes a public key encryption algorithm (under $R$'s public key) that is secure against chosen-ciphertext attack (CCA).
Deniable Authentication protocol 5/15
Deng et al. 2/2: to deniably authenticate one block of the encoded message $H(X)$
1. $S \to R$: $A = a^2 \bmod N$ (for a random $a$)
2. $R \to S$: $i \in_R \{1, \ldots, m\}$ (the $i$-th block)
3. $S$ computes $u_i = a \, g_i \bmod N$ and $v_i = H^{z_i}(u_i)$ (apply the hash function $z_i$ times, starting with input $u_i$)
4. $S \to R$: $E_{PK_R}(u_i), v_i$
5. $R$ decrypts the ciphertext to obtain the clear message $u_i$, and checks that $v_i = H^{z_i}(u_i)$ and $u_i^2 = A \, G_i \bmod N$
Deniable Authentication protocol 6/15
Deng et al.: deniability
Lemma 1: The protocol described in Section 3.1 is deniable.
Proof: The simulation can be performed by $R$ as follows:
1. Choose $i \in_R \{1, \ldots, m\}$
2. $u_i \in_R Z_N^*$
3. Compute $E_{PK_R}(u_i)$
4. $A = u_i^2 / G_i \bmod N$
5. $v_i = H^{z_i}(u_i)$
Thus $(A, i, E_{PK_R}(u_i), v_i)$ is a simulation of the authenticator for message block $z_i$. Note that the simulation is indistinguishable from the actual message authenticator $(E_{PK_R}(u_i), v_i)$ computed by $S$.
Deniable Authentication protocol 7/15
Deng et al.: authentication
Lemma 2: The protocol described in Section 3.1 authenticates the source of the message.
Proof:
1. If the simulator is not the receiver $R$, the simulation described in Lemma 1 does not work: the simulator must fix $i$ before computing $A$, and in a real run $i$ is chosen by $R$ only after $A$ has been sent.
2. If someone sends $R$ a square root of $A \, G_i \bmod N$, then they either know square roots of both $A$ and $G_i$ (as $S$ does, having chosen $a$ and $g_i$) or they can obtain the two factors of $N$.
Deniable Authentication protocol 8/15
Deng et al. based on DLP 1/2
PD: publicly known directory, containing a set of public data and encoding rules. $p = 2q + 1$ with $p, q$ prime; $g \in Z_p^*$ is of order $q$. $R$: receiver. $S$: sender. $X = x_1 x_2 \ldots x_n$: message sent to $R$ by $S$.
$H(X) = z_1 z_2 \ldots z_m$: encoding of message $X$, $|z_i| = s$ (block size); $H$ is a public hash function.
$S$ selects a set of random numbers $r_1, r_2, \ldots, r_m \in Z_q^*$, computes $G_j = g^{r_j} \bmod p$, $j = 1, \ldots, m$, and publishes $G_j$, $j = 1, \ldots, m$, at PD.
$E_{PK_R}(\cdot)$ denotes a public key encryption algorithm (under $R$'s public key) that is secure against chosen-ciphertext attack (CCA).
Deniable Authentication protocol 9/15
Deng et al. based on DLP 2/2: to deniably authenticate one block of the encoded message $H(X)$
1. $S \to R$: $A = g^a \bmod p$ (for a random $a \in Z_q$)
2. $R \to S$: $i \in_R \{1, \ldots, m\}$ (the $i$-th block)
3. $S$ computes $u_i = a + r_i \bmod q$ and $v_i = H^{z_i}(u_i)$ (apply the hash function $z_i$ times, starting with input $u_i$)
4. $S \to R$: $E_{PK_R}(u_i), v_i$
5. $R$ decrypts the ciphertext to obtain the clear message $u_i$, and checks that $v_i = H^{z_i}(u_i)$ and $g^{u_i} = A \, G_i \bmod p$
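The DLP variant above, together with the receiver's simulation from Lemma 1, can be exercised on toy parameters. The following is an added example written for this page, not the authors' code. It assumes a constructed safe prime $p = 2039 = 2 \cdot 1019 + 1$ with $g = 4$ of order $q = 1019$, SHA-256 as the public hash $H$ (both for $H(X)$, split into 8-bit blocks $z_i$, and for the iterated $H^{z_i}(u_i)$), and hashed ElGamal in the same group as a stand-in for the CCA-secure $E_{PK_R}$ that the paper assumes. `authenticate_block` runs one full exchange for block $i$, and `simulate` shows that $R$ alone can produce a transcript that passes exactly the same `verify` check, which is what makes the authenticator deniable.

```python
"""Toy run of the Deng et al. DLP deniable authentication protocol, including
the receiver's simulation from Lemma 1. Constructed example; not the authors' code."""
from __future__ import annotations

import hashlib
import secrets

# Constructed public parameters: p = 2q + 1, and g = 2^2 has order q in Z_p^*.
p, q, g = 2039, 1019, 4


def H(x: int) -> int:
    """Public hash on integers (SHA-256 of the decimal string)."""
    return int.from_bytes(hashlib.sha256(str(x).encode()).digest(), "big")


def iterated_hash(u: int, times: int) -> int:
    """H^{z_i}(u_i): apply H z_i times, starting from u_i."""
    for _ in range(times):
        u = H(u)
    return u


def encode(message: bytes) -> list[int]:
    """H(X) = z_1 ... z_m with |z_i| = 8 bits: 32 blocks from SHA-256."""
    return list(hashlib.sha256(message).digest())


def rand_zq() -> int:
    return secrets.randbelow(q - 1) + 1


class Receiver:
    """R holds the key pair for E_PK_R. Hashed ElGamal in the same group is a
    stand-in for the CCA-secure encryption the paper assumes."""

    def __init__(self) -> None:
        self.sk = rand_zq()
        self.pk = pow(g, self.sk, p)

    def decrypt(self, c1: int, c2: int) -> int:
        return c2 ^ H(pow(c1, self.sk, p))


def encrypt(pk: int, m: int) -> tuple[int, int]:
    r = rand_zq()
    return pow(g, r, p), m ^ H(pow(pk, r, p))


class Sender:
    """S publishes G_j = g^{r_j} mod p at PD once, then authenticates per block."""

    def __init__(self, m: int) -> None:
        self.r = [rand_zq() for _ in range(m)]
        self.G = [pow(g, rj, p) for rj in self.r]   # public directory entries

    def commit(self) -> int:
        self.a = rand_zq()
        return pow(g, self.a, p)                     # A = g^a mod p

    def respond(self, i: int, z_i: int, pk_R: int) -> tuple[tuple[int, int], int]:
        u = (self.a + self.r[i]) % q                 # u_i = a + r_i mod q
        v = iterated_hash(u, z_i)                    # v_i = H^{z_i}(u_i)
        return encrypt(pk_R, u), v


def verify(A: int, i: int, u: int, v: int, z_i: int, G: list[int]) -> bool:
    """R's two checks: v_i = H^{z_i}(u_i) and g^{u_i} = A * G_i mod p."""
    return v == iterated_hash(u, z_i) and pow(g, u, p) == A * G[i] % p


def authenticate_block(sender: Sender, receiver: Receiver, blocks: list[int], i: int) -> bool:
    """Full exchange for block i (i stands for R's random choice, made after seeing A)."""
    A = sender.commit()
    (c1, c2), v = sender.respond(i, blocks[i], receiver.pk)
    u = receiver.decrypt(c1, c2)
    return verify(A, i, u, v, blocks[i], sender.G)


def simulate(i: int, z_i: int, G: list[int]) -> tuple[int, int, int, int]:
    """Lemma 1: R alone builds (A, i, u_i, v_i) that passes verify(), so a
    transcript proves nothing to a third party."""
    u = secrets.randbelow(q)
    A = pow(g, u, p) * pow(G[i], -1, p) % p          # A = g^{u_i} / G_i
    return A, i, u, iterated_hash(u, z_i)


if __name__ == "__main__":
    blocks = encode(b"constructed message")          # sample input, constructed
    snd, rcv = Sender(len(blocks)), Receiver()
    print(all(authenticate_block(snd, rcv, blocks, i) for i in range(len(blocks))))
    A, i, u, v = simulate(3, blocks[3], snd.G)
    print(verify(A, i, u, v, blocks[3], snd.G))       # True: simulated transcript verifies
```

Note the ordering that Lemma 2 relies on: the honest sender commits to $A$ before learning $i$, whereas the simulator picks $i$ first and derives $A$ from it; only the receiver, who chooses $i$, is in a position to do that.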