Public Key Cryptography
Alice and Bob agree on a key, without meeting!
The Problem Remains: How to Get the Key from Alice to Bob?
[Figure: SENDER Alice (you) encrypts her credit card number 1324-5465-2255-9988 with AES under a key and sends the ciphertext across the Internet to RECEIVER Bob (an on-line store), who holds the same key; ATTACKER Eve (an identity thief) listens on the Internet.]
Public-Key Cryptography
Whit Diffie and Marty Hellman, New Directions in Cryptography, 1976
Clifford Cocks and Malcolm Williamson, secret work in the British GCHQ, 1973-74, revealed only in 1997
A Way for Alice and Bob to agree on a secret key through messages that are completely public
The basic idea of Diffie-Hellman key agreement
Arrange things so that
• Alice has a secret number that only Alice knows
• Bob has a secret number that only Bob knows
• Alice and Bob then communicate something publicly
• They somehow compute the same number
• Only they know the shared number -- that’s the key!
• No one else can compute this number without knowing Alice’s secret or Bob’s secret
• But Alice’s secret number is still hers alone, and Bob’s is Bob’s alone
• Sounds impossible …
One-Way Computation
Easy to compute, hard to “uncompute”
• What is 28487532223 ✕ 72342452989? Not hard -- easy on a computer -- about 100 digit-by-digit multiplications
• What are the factors of 206085796112139733547? Seems to require vast numbers of trial divisions
Modular arithmetic
• Let’s do arithmetic modulo 100
• That is, drop everything but the last 2 digits
• 12 ✕ 12 = 144, which reduces to 44
• 28487532223 ✕ 72342452989 = 206085796112139733547, which reduces to 47
• But you can save yourself a lot of work and get the right answer anyway by doing the reduction ahead of time
• 23 ✕ 89 = 2047, which reduces to 47
Repeated squaring
• You can compute huge modular powers quickly by repeated squaring
• Suppose you wanted to compute $17^{65}$ (modulo 100)
• $17^2 = 89$, $17^4 = 21$
• $17^8 = 41$, $17^{16} = 81$
• $17^{32} = 61$, $17^{64} = 21$, and $17^{65} = 21 \times 17 = 57$
• 7 multiplications instead of 64
There’s no shortcut for computing logarithms modulo p
• Problem: Given x and z, find y such that $x^y = z$ (where everything is modular arithmetic)
• As far as anyone knows, there are no shortcuts. The only way to do this is essentially by brute-force search among all possibilities for y.
• Example: If the modulus is not 100 but a 500-digit number, finding y so that $x^y = z$ requires about $10^{500}$ steps.
“Discrete logarithm” problem
• It is easy to compute modular powers but seems to be hard to reverse that operation
• For what value of n does $54321^n = 18789$ (modulo 70707)?
• Try n = 1, 2, 3, 4, …
• Get $54321^n$ = 54321, 26517, 57660, 40881, …
• n = 43210 works, but no known quick way to discover that
Given an equation of the form $x^y = z$
Then it is exponentially harder to compute y given x and z, than it is to compute z given x and y.
For 500-digit numbers, we’re talking about a computing effort of 1700 steps vs. $10^{500}$ steps.
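The two directions described in the slides above, as an added example that is not part of the original deck: repeated squaring with a multiplication counter, next to the try-every-n search for the exponent. The function names are assumptions; the numbers 17, 65, 100, 54321, 43210 and 70707 are the slides' own.

```python
def mod_pow(x, y, m):
    """Return (x**y mod m, multiplications used) via repeated squaring."""
    result = None          # no factor collected yet
    square = x % m         # holds x^(2^i) mod m for the current bit i
    mults = 0
    while y > 0:
        if y & 1:          # this power of two is part of the exponent
            if result is None:
                result = square
            else:
                result = result * square % m
                mults += 1
        y >>= 1
        if y:              # square only if higher bits remain
            square = square * square % m
            mults += 1
    return (1 % m if result is None else result), mults


def discrete_log_by_search(x, z, m):
    """Try n = 1, 2, 3, ... and return the first n with x**n = z (mod m).

    The number of candidates tried equals the returned n.
    Returns None when no n <= m works.
    """
    power = x % m
    for n in range(1, m + 1):
        if power == z % m:
            return n
        power = power * x % m
    return None


def compare(x, y, m):
    """Work for the easy direction vs. the search on the same equation."""
    z, forward_cost = mod_pow(x, y, m)
    n = discrete_log_by_search(x, z, m)
    return {"z": z, "forward": forward_cost, "found_n": n}


if __name__ == "__main__":
    print(mod_pow(17, 65, 100))           # the repeated-squaring slide
    print(compare(54321, 43210, 70707))   # the discrete-logarithm slide
```

The search returns the smallest exponent that works, which can be smaller than the one originally used.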
The math behind Diffie-Hellman key agreement
Discrete logarithm seems to be a one-way function
• Fix numbers g and p (big numbers, g < p)
• Let $g * a = g^a \pmod{p}$
• Given a, computing g * a = A is easy
• But it is impossibly hard, given A, to find an a such that g * a = A.
Another useful fact
Note that, for any three numbers x, y, z,
(x * y) * z = (x * z) * y
since
$(x^y)^z = x^{yz} = (x^z)^y$
Diffie-Hellman Key Agreement
Alice:
• Pick a secret number a
• Compute A = g * a
• Shout out A
• Compute B * a
Bob:
• Pick a secret number b
• Compute B = g * b
• Shout out B
• Compute A * b
Main point: Alice and Bob have computed the same number
Use this number as the encryption key!
Diffie-Hellman Key Agreement
Let K = a * B = b * A
Alice and Bob can now use this number as a shared key for encrypted communication
Eve the eavesdropper knows A and B
And (per Kerckhoffs) she also knows the value of p and how to compute *. But going from these back to a or b requires reversing a one-way computation.
Secure Internet Communication
• https://www99.americanexpress.com/
• https (with an “s”) indicates a secure, encrypted communication is going on
• We are all cryptographers now
• So is Al Qaeda(?)
• Internet security depends on difficulty of factoring numbers -- doing that quickly would require a deep advance in mathematics
Confidential email from anyone
• Bob picks secret key b and computes his public key B
• Bob publishes B in a public directory!
• Now anyone can send Bob secret email:
  • Pick secret key a and compute public key A
  • Compute encryption key K using a and B
  • Send encrypted message and also include public key A in the same email!
• Bob computes K using A and b and decrypts the message!
But there’s a problem …
How can Alice know that the listing in the directory is really Bob’s?
Maybe it is Eve pretending to be Bob!
Certificates and certifying authorities provide solution to authentication problem
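The key agreement and the "confidential email" procedure from the slides above, run end to end, followed by the directory problem: the same sender code is run once with Bob's real number in the directory and once with Eve's number listed under Bob's name. This is an added example, not part of the original deck; the prime, the base, the XOR keystream (standing in for AES) and all function names are assumptions chosen so that it runs with the standard library only.

```python
import hashlib
import secrets

# Constructed toy parameters (assumptions, not from the slides): p is the
# Mersenne prime 2**127 - 1, far too small for real use but enough to run.
P = 2**127 - 1
G = 3

def star(x, y):
    """The slides' operation x * y = x^y (mod p)."""
    return pow(x, y, P)

def keygen():
    """Pick a secret number and compute the matching public number."""
    secret = secrets.randbelow(P - 3) + 2      # 2 <= secret <= P - 2
    return secret, star(G, secret)

def keystream_xor(shared, data):
    """Toy cipher: XOR data with a SHA-256 counter keystream derived from K."""
    seed = shared.to_bytes(16, "big")
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))

def send_mail(directory, recipient, message):
    """Sender: look up B, pick a fresh a, send (A, ciphertext)."""
    a, A = keygen()
    K = star(directory[recipient], a)          # K = B^a mod p
    return A, keystream_xor(K, message)

def read_mail(secret, mail):
    """Recipient: K = A^b mod p, then undo the XOR."""
    A, ciphertext = mail
    return keystream_xor(star(A, secret), ciphertext)

def demo():
    b, B = keygen()                            # Bob's secret and public number
    e, E = keygen()                            # Eve's secret and public number
    msg = b"card 1324-5465-2255-9988"          # constructed sample message
    honest = read_mail(b, send_mail({"bob": B}, "bob", msg))
    # Same sender code, but the entry listed for "bob" is Eve's number.
    mail = send_mail({"bob": E}, "bob", msg)
    return honest, read_mail(e, mail), read_mail(b, mail)

if __name__ == "__main__":
    honest, eve_reads, bob_reads = demo()
    print(honest, eve_reads, bob_reads != honest)
```

Nothing in `send_mail` can tell the two directories apart, which is why the sender needs an authenticated copy of B before encrypting to it.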
Two more problems solved by digital signatures
Integrity: When Bob receives a message, he can be sure that it was not modified en route after Alice sent it.
Non-repudiation: Alice cannot later deny that the message was sent. Bob cannot later deny that the message was received.
Digital signatures are a variant on public-key encryption technology
Cryptography and National Security
There is a very real and critical danger that unrestrained public discussion of cryptologic matters will seriously damage the ability of this government to conduct signals intelligence and the ability of this government to carry out its mission of protecting national security information from hostile exploitation.
-- Admiral Bobby Ray Inman (Director of the NSA, 1979)
CALEA, October 1994
… a telecommunications carrier … shall ensure that its equipment, facilities, or services … are capable of … expeditiously isolating and enabling the government, pursuant to a court order or other lawful authorization, to intercept … all wire and electronic communications carried by the carrier within a service area to or from equipment, facilities, or services of a subscriber of such carrier concurrently with their transmission to or from the subscriber's equipment, facility, or service, or at such later time as may be acceptable to the government …
Government’s big hammer: Crypto export controls
• Pre-1995: Encryption technology classified by State Department as a munition
  • Illegal to export hardware, software, technical information, unless you register as an arms dealer and adhere to stringent regulations
  • Illegal to provide material or technical assistance to non-US citizens (even within the US)
• 1996: Jurisdiction for crypto exports transferred to Commerce Department, but restrictions remain.
The basic proposal: escrowed encryption
• Require encryption products to have a back door controlled by a set of keys (“escrowed keys”) that are held by the government or by its licensed agents
• Might require this for products that can be exported, or maybe all encryption products
• Proposal first unveiled for telephones in 1994 (the “Clipper phone”)
• Modified in various ways throughout 1994-1998
The crypto wars, 1994-1998
Dramatis Personae
• Industry
• Law enforcement
• National security
• Civil libertarian groups
Industry claims and issues
Customers want security for electronic commerce, for protecting remote access, for confidentiality of business information.
Export restrictions are a pain in the butt.
Providing encryption is cheap, but providing an escrow infrastructure is not, and there’s no commercial demand for it.
Law enforcement claims and issues
Wiretapping is a critical law-enforcement tool.
Wiretaps are conducted on specific, identified targets under lawful authority.
Many criminals are often sloppy and/or stupid: They won’t use encryption unless it becomes ubiquitous. Some criminals are far from sloppy or stupid: They will use encryption if it is available.
Civil libertarian claims and issues
• As computer communication technology becomes more pervasive, allowing government access to communications becomes much more than traditional wiretapping of phone conversations.
• How do we guard against abuse of the system?
• If we make wiretapping easy, then what are the checks on its increasing use?
• There are other tools (bugging, data mining, DNA matching) that can assist law enforcement.
• People have less privacy than previously, even without wiretapping.
National security establishment claims and issues
• We can’t tell you, but they are really serious.
Legislation, 1997
Bills introduced in Congress all over the map, ranging from elimination of export controls to bills that would mandate key escrow, even for domestic use.
More recently …
1998-2000: Crypto export regulations modified and relaxed, but still exist (e.g., can’t export to the C/I/NK/S/S countries)
Sept. 13, 2001: Sen. Judd Gregg (New Hampshire) calls for encryption regulations, saying encryption makers “have as much at risk as we have at risk as a nation, and they should understand that as a matter of citizenship, they have an obligation” to include decryption methods for government agents.
By October, Gregg had changed his mind about introducing legislation.
Why Aren’t Emails Encrypted?
• Email is more like postcards than letters!
• Standard email software doesn’t make it easy
• But encrypted-email software is freely available (PGP)
• Regulations require some businesses to know what their employees are doing
December 1, 2006