PKC

Question 1

Public key encryption

Answer 1

• Proposed (in the open literature) by Diffie & Hellman in 1976
• Each party has a public encryption key and a private decryption key
• Computing the private key from the public key should be computationally infeasible
• The public key need not be kept secret but it is also not necessarily known to everyone

Question 2

Public key cryptography

Answer 2

A Public Key Encryption Scheme {eK_p :K_p ∈Κ} and {dK_s :K_s ∈Κ}

has the the following property:

• Knowing eKp and given c ∈ C,it is infeasible to find anm∈M,such thateK_p(m) = c

eK_p can be public information!

Advantage:

• eK_p can be communicated over unsecure channels

Disadvantage

• eK_p and dK_s are computationally more expensive than in symmetric schemes

Question 3

PKI application

Answer 3

Question 4

One way function

Answer 4

A function f: X → Y is called a one-way function if

∀ x ∈ X:

1. Computing f(x) is „easy“,

2. Computing f -1(y) is „hard“ or „infeasible“

Example: modular cube roots

1. Select primes p = 48611 and q = 53993
2. Let n = pq = 2624653723 and X = {1,2,…,n-1}
3. Definef:X→Yby f(x)=x3 modn Example: f(2489991) = 1981394214

It is easy to compute f(x), but computingf -1(y)is infeasible

Question 5

Discrete exponentiation

Answer 5

Discrete exponentiation: h(x):= g^x mod p

• Discrete Logarithm Problem (DLP): givenyfind the logarithm

x so that y = g^x mod p.

For a judicious choices of parameters p and g the DLP is difficult to solve and discrete exponentiation is a one-way function.

Discrete exponentiation is a useful primitive in the construction of cryptographic schemes but it is too slow for many applications.

Question 6

trapdoor functions

Answer 6

A trapdoor one-way function is a one-way function f where, given extra information (the trapdoor information) it is feasible to computef ^-1:

Given y ∈ Img(f), find an x ∈ X such that f(x) = y

Example 1:

- Select primes p = 48611 and q = 53993

• Let n = pq = 2624653723 and X = {1,…,n-1}
• Definef:X→Nasf(x)=x³ mod n
• f(2489991) = 1981394214 (computing f is easy…)

Computing modular cube roots (f-1) is also easy if p and q are known (basic number theory)

Example 2:

• *Factoring of large numbers (RSA):** Every positive integer N has a unique prime factorization, but it is hard to find.
• *(Remark: checking if N is prime is (likely) easier.)**

Question 7

RSA fundamentals

Answer 7

• A prime number is an integer p > 1 whose only factors are 1 and p
• Two natural numbers n and m are relatively prime if n and m have no common factor greater than 1; written: gcd(n,m)=1
• For any natural number n, theEuler functionφ(n), is the number of positive integers less than n that are relatively prime to n

Example: φ(10) = 4 since 1, 3, 7, 9 are relatively prime to 10

1. For p a prime, φ(p) = p^-1

• 2. Forp,qprimes,φ(p⋅q)=φ**(p)**⋅φ**(q*)
• *(see any textbook on number theory for a proof)**

3. φ (p⋅ q)=(p-1) ⋅ (q-1)

Question 8

RSA

Answer 8

1. Choose large primes p and q

2. Let n = p ⋅ q

3. Choose a random encryptionexponent e such that 1 < e < φ(n), and e is relatively prime to φ(n)

φ(n) = (p-1) * (q-1)

4. Derive the decryption exponent d = e^-1modφ(n)dise’s inverse (see Euler)

5. K_p= (n,e) and K_s= (n,d)

Question 9

RSA System:

Answer 9

RSA System:

eKp(x) =xe modn and dKs(c)=cd modn

Consider:

• e* ⋅ d = 1 mod φ(n)
• =* k⋅φ(n)+1 for some k

Then:

x ^ed mod n

= x^{k⋅ φ(n)+1}mod n

= x⋅^xk⋅φ(n) modn

= x ⋅ 1 mod n

= x

Question 10

RSA summary

Answer 10

Public and private keys (e,n) and (d,n) are derived from two secret prime numbers

• Keys are today typically 2048 Bits

Plaintext message is treated as a (large!) binary number

Encryption is exponentiation

• c = xe mod n

To break the encryption, one must be able to factor large numbers

• Hopefully not in P…

Decrpytion uses the trapdoor information d:

• m = cd mod n

Question 11

RSA: examples of real life pitfalls 1

Answer 11

RSA encryption: c = xe mod n

Plaintext: encoded as a natural number x < n

Simple encoding of short plain text as (very) small x

• Possibility of a brute-force search for x
• In case of using a small e (such as e=3): if x^e < n, then invers is simply e√x

Question 12

RSA: examples of real life pitfalls 2

Answer 12

RSA encryption: c = x^e mod n

Assume that x is 64 bit session key: 0 < x < 2⁶⁴

• Attacker sees c
• Assume that x = x₁ * x₂ with x₁,x₂<2³⁴ (prob. approx. 20%)
• This means that c/x₁^e = x₂^e (mod n)

• Build table c/1^e, c/2^e, .. 2/2^{34 e} (2³⁴ operations)
for x₂ = 0, …, 2³⁴ test if x₂e is in table (34 * 2³⁴ operations)

• Total attack time << 2⁶⁴

Answer 13

RSA encryption is homomorphic:

• RSA(m₁ m₂) = RSA(m₁) RSA(m₂) (mod n)

Chosen ciphertext attack to learn cipher text c_m = RSA(m) for some random m

• Assume that oracle decrypts any c ≠ c_m for the attacker
• Attacker may:

1. Encrypt c_r = RSA(r) for some arbitrary r
2. Calculate c = c_mc_r
3. Ask oracle to decrypt c (resulting in value of m*r)
4. Calculate m = m*r * r-1

Question 14

Elliptic curves cryptosystems

Answer 14

• Analogs of existing public-key cryptosystems in which modular arithmetic is replaced by operations defined over elliptic curves
• the security of elliptic curve cryptosystems relies on the underlying hard mathematical problems: Given two points G and Y on an elliptic curve such that

Y = kG (that is, Y is G added k times to itself), find the integer k.

(This problem is known as the elliptic curve discrete logarithm problem)

Question 15

Elliptic curves for cryptography

Answer 15

• Elliptic curve over finite field is a finite set of points
• There is a (complicated) definition of an “addition” operation on these points
• You can define an “integer multiplication” for points (2*P=P+P, 3*P=P+P+P, etc.)
• Elliptic curve discrete logarithm problem: given P and k*P, it is difficult to find k

Cryptographic algorithms based on the discrete logarithm problem can be transformed into elliptic curve algorithms

Question 16

PKI Trade offs

Answer 16

Public Key systems are computationally more expensive than symmetric systems

• Algorithms are harder to implement
• More powerful computers requ’d

There is a formal rationale of security

• based on results of complexity theory

A principal needs one private key and one public key

• n parties need O(n) keys to communicate (compare to symmetric systems…)

Question 17

Digital Signatures

Answer 17

Protect authenticity of documents ‘signed by A’.
More precisely, a cryptographic mechanism for associating

documents with verification keys

A has a public verification key and a private signature key

A procedure is required for B to get an authentic copy of A’s public key

A has to protect the signature key and be sure that the key is only used as intended

Question 18

Encryption with public key

Answer 18

Question 19

Digital Signature

Answer 19

Question 20

Electronic Signature vs Digital Signature

Answer 20

Digital signature: mathematical evidence linking a document to a public key

Electronic signatures: a security service for associating documents with legal persons

• the link between a public key and a person has to be established by procedural means
• This link can be recorded in a certificate

Certificates are not necessary for verifying digital signatures, verification keys are

Question 21

Digital signature misconceptions

Answer 21

Verification is decryption with the public key (as stated in X.509)

• the output of ‘decrypt’ is of type ‘message’, the output of ‘verify’ is of type Boolean, …

A signature binds the signer A to the document

• verification links document and verification key

Digital signatures are legally binding

• even if recognized by law, digital signatures do not guarantee that there is a court with jurisdiction

Question 22

Non-repudiation

Answer 22

Non-repudiation: a technical term introduced to distinguish digital signatures from symmetric key authentication services (MAC), where the verifier has the key for generating the MAC

Calling digital signatures “irrefutable evidence” creates the erroneous impression that they cannot be repudiated in court

The legal system does not have the concept of “irrefutable evidence”

Question 23

Certificates

Answer 23

Today: a certificate is a signed document binding a subject (or “entity”) to other information; subjects can be people, keys, names,…

Question 24

Certification Authorities

Answer 24

• Certificates are signed by an Issuer
• Certification Authority (CA) is just another name for Issuer
• Sometimes CA is used more narrowly for organizations issuing ID certificates
• The application determines the technical and procedural ‘trust’ requirements a CA has to meet
• Sometimes Trusted Third Party (TTP) is used as a synonym for CA

Question 25

Certificate data structure

Answer 25

Certificates are data structures that contain (at least)

• Issuer identification (Distinguished Name – DN)
• Subject identification (Distinguished Name)
• Subject public key
• Issuer digital signature

In order to be interoperable, we need standards that define an exchange format and management rules for certificates

Question 26

Certificate problems

Answer 26

• How do you issue digital certificates?
• Who will issue digital certificates?
• Why should we trust the issuer of the digital certificate?
• How can I revoke a certificate?
• How can I check if a certificate is still valid?
• How do I manage/store/use/protect the corresponding private key?

Question 27

PKI

Answer 27

The protocols, services and standards that facilitate the use of public-key cryptography by allowing the secure distribution of public keys between communicating parties.

PKI standards: X.509, PKCS

Question 27

PKI

Answer 27

The protocols, services and standards that facilitate the use of public-key cryptography by allowing the secure distribution of public keys between communicating parties.

PKI standards: X.509, PKCS

Question 28

X.509 PKI

Answer 28

several possible structures: hierarchical, multi-root, mesh, bridges

Finding verification paths becomes more challenging (may require handling dead ends, loops, etc.)

Question 29

PKI: Overview of Components

Answer 29

• Certificates: Digitally signed data
• Certificate Authority (CA)
• Registration Authority (RA)
• Certificate Revocation Lists (CRL)
• Directory Service (e.g. LDAP)
• Validation Service (VA)
• Policies
• Certificate Policy - CP
  (defines requirements, i.e.: what participants must do)
• Certification Practice Statement - CPS
  (defines procedures and controls to meet these requirements)

Question 30

X.509 certificates

Answer 30

User certificate (public key certificate, certificate): the public key of a user, together with some information, rendered unforgeable by encipherment with the secret key of the certification authority which issued it

Attribute certificate: a set of attributes of a user together with some other information, digitally signed under the private key of the CA

Certification authority: an authority trusted by one or more users to create and assign certificates

Question 31

PKI life cycle

Answer 31

Key and certificate life cycle management

• Note: key ≠ identity!

Phases:

• Initialization: Generation and Issuance
• Active: Usage
• Cancellation

Question 32

PKI life cycle: Initialization 1

Answer 32

Initialization steps:

• Registration via RA
• Identity verification (according to policy)
• Key pair generation
• Certificate creation and delivery

Question 33

PKI life cycle: Initialization 2

Answer 33

Key pair generation: • Where?

• RA
• CA
• Owner
• Other trusted 3rd party
• Only owner-generation provides non-repudiation property
• In the past, simple devices (e.g., smart cards) not powerful enough
• Today, usually no longer a problem
• Dual key-pair model: separate keys for separate purposes e.g., encryption vs. signature

Question 34

PKI life cycle: Initialization 3

Answer 34

Certificate generation and distribution

• Generation by CA
• Distribution
• directly to the user (certificate, private key)
• to some public repository (certificate only)

Question 35

PKI life cycle: cancellation

Answer 35

“Natural cancellation“:
• Expiration of certificate lifetime

“Revocation“:
• Termination of certificate life before lifetime expires

Question 36

Revocation

Answer 36

Certificates may need to be revoked

• if a corresponding private key is compromised
• if a fact the certificate vouches for no longer is valid

Certification Revocation Lists (CRLs):

• distributed in regular intervals or on demand
• make sense if on-line checks are not possible or too expensive

When on-line checks are feasible, certificate status can be queried on-line:

• Online Certificate Status Protocol - OCSP
• positive lists in the German signature infrastructure

Question 37

Online Certificate Status Protocol

Answer 37

1. Alice and Bob have public key certificates issued by Ivan (CA).
2. Alice wishes to perform a transaction with Bob and sends him her public key certificate.
3. Bob creates an ‘OCSP request’ that contains a fingerprint of Alice’s public key and sends it to Ivan.
4. Ivan’s OCSP responder looks up the revocation status of Alice’s certificate (using the fingerprint Bob created) in his own CA database.
5. Ivan’s OCSP responder confirms that Alice’s certificate is still OK, and returns a signed ‘OCSP response’ to Bob.
6. Bob cryptographically verifies the signed response (He has Ivan’s public key) and ensures that it was produced recently.
7. Bob completes the transaction with Alice.

Question 38

Certificate validation

Answer 38

Validation consists of the following steps:

• Check integrity (by checking the signature)
• Check for valid certification path to a trusted CA
• Check if certificate is valid now (time constraints)
• Check if certificate has not been revoked
• Check if use is consistent with the policy
• Check if certificate is issued for the right entity

Question 39

Security issues with PKIs

Answer 39

Who do you have to trust?

• The CA itself
• All entities with certifying authority on the verification path
• Software on your computer
• Might install new CA certificates
• Might manipulate hostname -> IP mapping

Question 40

Security issues with PKIs 2

Answer 40

Mistakes do happen => need mechanism to fix mistakes

• CRLs (Certficate Recovation Lists) Compromised CA
• Wrongly issued certificates
• Leaked private keys

Practical drawbacks:

• CRL check is needed before any verification
• CRL database must be online
• CRL is central point of failure

Question 41

PKI Problems in Real Life

Answer 41

Lack of Applications

• Integrating PKI into applications is difficult

Hierarchical Model of Trust

• Conventional PKI assumes either that there is a single global name-space (i.e. world government, and a single, unique identifier imposed on every citizen of the world)

Question 42

Private Keys

Answer 42

Registration processes involve effort and expense

Underlying digital signatures and PKI is the assumption that the holder of a private key will be able to ensure its security

 There are difficulties in detecting that a private key has been subject to compromise

 There are further difficulties in implementing an effective revocation process. This is especially serious if retrospective revocation is permitted

 How can security-related actions communicated to users?

 Delegation