Christian Collberg, collberg@gmail.com
Copyright © 2012 Christian Collberg
Introduction
Outline:
  Introduction
  RSA: Algorithm, Example, Correctness, Security
  GPG
  Elgamal: Algorithm, Example, Correctness, Security
  Diffie-Hellman Key Exchange: Diffie-Hellman Key Exchange, Example, Correctness, Security
  Summary
Public-key Algorithms
Public-key cryptographic algorithms use different keys for encryption and decryption.
Bob's public key: $P_B$
Bob's secret key: $S_B$
$E_{P_B}(M) = C$
$D_{S_B}(C) = M$
$D_{S_B}(E_{P_B}(M)) = M$
Key management is the main problem with symmetric algorithms: Bob and Alice have to somehow agree on a key to use. In public-key cryptosystems there are two keys, a public one used for encryption and a private one for decryption.
1. Alice and Bob agree on a public key cryptosystem.
2. Bob sends Alice his public key, or Alice gets it from a public database.
3. Alice encrypts her plaintext using Bob's public key and sends it to Bob.
4. Bob decrypts the message using his private key.

[Figure: Alice encrypts the plaintext with $P_B$; the ciphertext travels to Bob, with Eve on the channel between them; Bob decrypts it with $S_B$ to recover the plaintext.]
[Figure: Alice ($S_A, P_A$), Bob, Carol ($S_C, P_C$) and Dave ($S_D, P_D$) each hold their own key pair; the edge between each two parties is labelled with their two public keys ($P_A, P_B$; $P_A, P_C$; $P_B, P_C$; $P_A, P_D$; $P_B, P_D$; $P_C, P_D$).]

Advantages: n key pairs to communicate between n parties.
Disadvantages: Ciphers (RSA, ...) are slow; keys are large.

A Hybrid Protocol

In practice, public key cryptosystems are not used to encrypt messages; they are simply too slow. Instead, public key cryptosystems are used to encrypt keys for symmetric cryptosystems. These are called session keys, and are discarded once the communication session is over.

1. Bob sends Alice his public key.
2. Alice generates a session key $K$, encrypts it with Bob's public key, and sends it to Bob.
3. Bob decrypts the message using his private key to get the session key $K$.
4. Both Alice and Bob communicate by encrypting their messages using $K$.

[Figure: Alice encrypts $K$ with $P_B$ and sends $E_{P_B}(K)$, which Bob decrypts with $S_B$; messages are then encrypted with $K$, sent as $E_K(M)$, and decrypted with $K$.]
RSA: Algorithm
RSA is the best known public-key cryptosystem. Its security is based on the (believed) difficulty of factoring large numbers. Plaintexts and ciphertexts are large numbers (1000s of bits). Encryption and decryption are done using modular exponentiation.
$n$ is referred to as the modulus, since it's the $n$ of mod $n$.
You can only encrypt messages $M < n$. Thus, to encrypt larger messages you need to break them into pieces, each $< n$.
Throw away $p$, $q$, and $\phi(n)$ after the key generation stage.
Encrypting and decrypting requires a single modular exponentiation.

1. Select two primes: $p = 47$ and $q = 71$.
2. Compute $n = pq = 3337$.
3. Compute $\phi(n) = (p - 1)(q - 1) = 3220$.
4. Select $e = 79$.
5. Compute $d = e^{-1} \bmod \phi(n) = 79^{-1} \bmod 3220 = 1019$.
6. $P = (79, 3337)$ is the RSA public key.
7. $S = (1019, 3337)$ is the RSA private key.
Encrypt $M = 6882326879666683$.
Break up $M$ into 3-digit blocks: $m = 688, 232, 687, 966, 668, 003$
For the first block: $688^{79} \bmod 3337 = 1570$
We get: $c = 1570, 2756, 2091, 2276, 2423, 158$
Show the result of encrypting $M = 4$ using the public key $(e, n) = (3, 77)$ in the RSA cryptosystem.

Alice is telling Bob that he should use a pair of the form $(3, n)$ or $(16385, n)$ as his RSA public key if he wants people to encrypt messages for him from their cell phones. As usual, $n = pq$, for two large primes, $p$ and $q$. What is the justification for Alice's advice?

1. Generate an RSA key-pair using $p = 17$, $q = 11$, $e = 7$.
2. Encrypt $M = 88$.
3. Decrypt the result from 2.

RSA Correctness

We have
$C = M^e \bmod n$
$M = C^d \bmod n.$
To show correctness we have to show that decryption of the ciphertext actually gets the plaintext back, i.e. that, for all $M < n$,
$C^d \bmod n = (M^e)^d \bmod n = M^{ed} \bmod n = M$
$M^{\phi(n)} \bmod n = 1$ follows from Euler's theorem.

Theorem (Euler): Let $x$ be any positive integer that's relatively prime to the integer $n > 0$, then
$x^{\phi(n)} \bmod n = 1$

Assume that $M$ is not relatively prime to $n$, i.e. $M$ has some factor in common with $n$, since $M < n$. There are two cases:

$M^{k\phi(n)} \bmod q = M^{k\phi(p)\phi(q)} \bmod q = (M^{k\phi(p)})^{\phi(q)} \bmod q = 1$
Thus, for some integer $h$,
$M^{k\phi(n)} = 1 + hq$
Multiply both sides by $M$:
$M \cdot M^{k\phi(n)} = M(1 + hq)$
$M^{k\phi(n)+1} = M + Mhq$

$M^{ed} \bmod n = M^{k\phi(n)+1} \bmod n$
$= (M + Mhq) \bmod n$
$= (M + (ip)hq) \bmod n$
$= (M + (ih)pq) \bmod n$
$= (M + (ih)n) \bmod n$
$= (M \bmod n) + ((ih)n \bmod n)$
$= M \bmod n$
$= M$

RSA Security

Summary:
1. Compute $n = pq$, $p$ and $q$ prime.
2. Select a small odd integer $e$ relatively prime with $\phi(n)$.
3. Compute $\phi(n) = (p - 1)(q - 1)$.
4. Compute $d = e^{-1} \bmod \phi(n)$.
5. $P_B = (e, n)$ is Bob's RSA public key.
6. $S_B = (d, n)$ is Bob's RSA private key.

Since Alice knows Bob's $P_B$, she knows $e$ and $n$. If she can compute $d$ from $e$ and $n$, she has Bob's private key. If she knew $\phi(n) = (p - 1)(q - 1)$ she could compute $d = e^{-1} \bmod \phi(n)$ using Euclid's algorithm. If she could factor $n$, she'd get $p$ and $q$!
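The key generation, block encryption, correctness claim and factoring argument above, worked through with the slides' toy numbers as an added Python example (not code from the original slides). Function names are hypothetical, and this is unpadded textbook RSA exactly as the slides describe it, so it is suitable for study only.

```python
# Added example: textbook RSA with the slides' toy parameters (no padding).
from math import gcd

def rsa_keygen(p, q, e):
    """Return ((e, n), (d, n)) for primes p, q and public exponent e."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return (e, n), (pow(e, -1, phi), n)  # d = e^-1 mod phi(n), Python 3.8+

def rsa_apply(key, blocks):
    """Encrypt with the public key, or decrypt with the private key."""
    exp, n = key
    if any(not 0 <= b < n for b in blocks):
        raise ValueError("every block must be smaller than the modulus")
    return [pow(b, exp, n) for b in blocks]

def split_digits(message, width=3):
    """Split a decimal string into width-digit blocks, as the slide does."""
    return [int(message[i:i + width]) for i in range(0, len(message), width)]

def correct_for_every_message(pub, priv):
    """Check M^(ed) mod n == M for all M < n, multiples of p or q included."""
    (e, n), (d, _) = pub, priv
    return all(pow(pow(m, e, n), d, n) == m for m in range(n))

def private_exponent_from_factoring(pub):
    """Recover d from (e, n) by trial division; feasible only for a toy n."""
    e, n = pub
    p = next(f for f in range(2, n) if n % f == 0)
    return pow(e, -1, (p - 1) * (n // p - 1))

PUB, PRIV = rsa_keygen(47, 71, 79)
BLOCKS = split_digits("6882326879666683")
CIPHER = rsa_apply(PUB, BLOCKS)

if __name__ == "__main__":
    print("public", PUB, "private", PRIV)
    print("blocks", BLOCKS)
    print("cipher", CIPHER)
    print("decrypted", rsa_apply(PRIV, CIPHER))
    print("correct for all M < n:", correct_for_every_message(PUB, PRIV))
    print("d from factoring n:", private_exponent_from_factoring(PUB))
```

The exhaustive check covers the case in the proof where $M$ shares a factor with $n$; the last function succeeds here only because a 12-bit modulus falls to trial division.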
RSA Security. . .
If we can factor $n$, we can find $p$ and $q$ and the scheme is broken.
As far as we know, factoring is hard.
We need $n$ to be large enough, 2,048 bits.

1. Propose a cryptographic scheme.
2. If an attack is found, patch the scheme. GOTO 2.
3. If enough time has passed, the scheme is secure!

How long is enough?
1. It took 5 years to break the Merkle-Hellman cryptosystem.
2. It took 10 years to break the Chor-Rivest cryptosystem.
On December 3, 2003, a team of researchers in Germany and several other countries reported a successful factorization of the challenge number RSA-576. The factors are
The factoring research team of F. Bahr, M. Boehm, J. Franke, T. Kleinjung continued its productivity with a successful factorization of the challenge number RSA-640, reported on November 2, 2005. The factors are:
The effort took approximately 30 2.2GHz-Opteron-CPU years according to the submitters, over five months of calendar time.
RSA challenge numbers: RSA704 (212 digits), RSA768 (232 digits), RSA896 (270 digits), RSA1024 (309 digits).
Two plaintexts $M_1$ and $M_2$ are encrypted into ciphertexts $C_1$ and $C_2$. But, RSA is deterministic! If $C_1 = C_2$ then we know that $M_1 = M_2$! Also, side-channel attacks are possible against RSA, for example by measuring the time taken to encrypt.
Software GPG
gpg is a public domain implementation of pgp.
Supported algorithms:
  Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
  Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
  Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
  Compression: Uncompressed, ZIP, ZLIB, BZIP2
http://www.gnupg.org
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
What keysize do you want? (2048)
Key is valid for? (0)
Key does not expire at all
Real name: Bobby
Email address: bobby@gmail.com
Comment: recipient
You need a Passphrase to protect your secret key.
Enter passphrase: Bob rocks
Repeat passphrase: Bob rocks
> gpg --armor --export Bobby
-----BEGIN GPG PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (Darwin)

mQENBE83U28BCADTVOkHpNjWzk7yEzMhiNJcmOtmUYfn4hzgYTDsP2otI0UhfJ4q
EZCuPoxECIZ479k3YpBvZM2JC48Ht9j1kVnDPLCrongyRdSko0AwG7OYAyHWa7/U
SeGwjZ+0MUuM3SwqHdo1/0XS3P8LABTQNXtrQf9kF8UNLIaHr1IvBcae1K44MPL6
................................................................
EBHmAM7iiWgWI6/6qEmN46ZQEmoR86vWhQL3LQ6p/FUaBA==
=FZ78
-----END GPG PUBLIC KEY BLOCK-----
Encryption
We can encrypt a message using Bobby's key:
> cat message
Attack at dawn
> gpg --recipient bobby --armor --encrypt message
> cat message.asc
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.11 (Darwin)

hQEMA97v9lbZUpHvAQf/a9QklXMiMzBWy5yyZBtNrg7FcrIqx+gXVVUXNN86tZtE
RF42elwU6QwamDzfcOHqp+3zeor4Y5xN+/pL91xti6uwFOhgGrCGJq//AfUKgQyk
MH2e4gR8Y1BuPm9b1c7uzXxRMMOUBBt75KquYGOBLybsP29ttD9iL/ZJl1zSPjSj
El7O0Gp7PqEBotStVOtuknYW/fX0zXndU8XNllKnsnZn21Xm0rMQcFMu8Do/tF5I
lRfTEcL4S9tV4vshgXhNSpTg9sZs1UZynvU2cJqyYkCtgT7TdtrK3fTa8UN+CYQv
U2QRnaNtFhYwBMonFqhefNzDqeZb+P0RqOuoDllYuNJRAViJ3CLjT7kwgBgRtNfY
RkGArQQmgrknW2jq/Y2GZTE8CC7pNXY8U3KYMl9hRA6U5fMp08ndFp8vowBbB2sw
zjxjSY7ZeIR2uwxdLYydtW4m
=B+JA
-----END PGP MESSAGE-----
Decryption
Bobby can now decrypt the message using his private key:
> gpg --decrypt message.asc
You need a passphrase to unlock the secret key for
user: "Bobby (recipient) <bobby@gmail.com>"
2048-bit RSA key, ID D95291EF, created 2012-02-12 (main key ID 9974031B)

Enter passphrase: Bob rocks
gpg: encrypted with 2048-bit RSA key, ID D95291EF, created 2012-02-12
      "Bobby (recipient) <bobby@gmail.com>"
Attack at dawn
The keyring

> gpg --list-keys
/Users/collberg/.gnupg/pubring.gpg
----------------------------------
pub   2048R/9974031B 2012-02-12
uid                  Bobby (recipient) <bobby@gmail.com>
sub   2048R/D95291EF 2012-02-12

pub   2048R/4EC8A0CB 2012-02-12
uid                  Alice (sender) <alice@gmail.com>
sub   2048R/B901E082 2012-02-12

The keyring. . .

> gpg --list-secret-keys
/Users/collberg/.gnupg/secring.gpg
----------------------------------
sec   2048R/9974031B 2012-02-12
uid                  Bobby (recipient) <bobby@gmail.com>
ssb   2048R/D95291EF 2012-02-12

sec   2048R/4EC8A0CB 2012-02-12
uid                  Alice (sender) <alice@gmail.com>
ssb   2048R/B901E082 2012-02-12
You need a passphrase to unlock the secret key for
user: "Bobby (recipient) <bobby@gmail.com>"
2048-bit RSA key, ID 9974031B, created 2012-02-12

Enter passphrase: Bob rocks
> cat message.asc
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.11 (Darwin)

hQEMA7osp1S5AeCCAQgAsSqSs+Urf0f3KHTtP7cqTwugpcJ9oUAGkw/KQ0DHIE0v
................................................................
8XEAaCwZ8aZK1lXhqBSd/9hCm9Mup2NECihO8crVyff7NTWFyaTBeGAm10q3y46o
QpIgPbcdYZqIt8e/8wPU6xlMZUStzxBKLB+Rj/Zg35ZVioYL
=oiv8
-----END PGP MESSAGE-----

You need a passphrase to unlock the secret key for
user: "Alice (sender) <alice@gmail.com>"
2048-bit RSA key, ID B901E082, created 2012-02-12 (main key ID 4EC8A0CB)

Enter passphrase: Alice is cute
gpg: encrypted with 2048-bit RSA key, ID B901E082, created 2012-02-12
      "Alice (sender) <alice@gmail.com>"
Attack at dawn
gpg: Signature made Sat Feb 11 23:10:59 2012 MST using RSA key ID 9974031B
gpg: Good signature from "Bobby (recipient) <bobby@gmail.com>"
Deleting Keys
> gpg --delete-secret-keys bobby
sec  2048R/9974031B 2012-02-12 Bobby (recipient) <bobby@gmail.com>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
> gpg --delete-keys bobby
pub  2048R/9974031B 2012-02-12 Bobby (recipient) <bobby@gmail.com>
Delete this key from the keyring? (y/N) y
Generating Primes
> gpg --print-mds message
MD5 = 36 D1 A5 12 17 CD 34 FC 04 F5 6C C4 91 39 C7 59
SHA1 = 6DA4 473A 00CE 7AB6 7B6F 884D 1E75 6633 C21A 56DB
RMD160 = D1DE 4194 C0CD 3AED 30F3 38CD 68F3 800F CCF0 3B87
SHA224 = B4E94780 1AA1A9C3 418F72D8 651BA995 83284003 EBEE183A 589702EE
SHA256 = B83EF405 07696578 9D4BBDA7 D7932700 5F2AE6CB A2696FDE 69694D12 AFE70E4A
SHA384 = 7AC39A0C 945844F1 1316BB46 C9FC7EEA E892A178 2D20E4CA E7BE686C 1A091C8C F1BBDFD1 3D42BEA2 88AF5A4F E3705474
SHA512 = 9CA1EB88 F064CB0D 536254B2 5755919F 45564276 96CA27A0 389E4817 53F81DC2 3222488D 7D11F3DD C066B9E8 027F3870 395A2561 157DDC38 BD679D37 C2E361CC

1. Decrypt the message itself (OR)
2. Determine symmetric key used to encrypt the message by other means (OR)
3. Get recipient to help decrypt message (OR)
4. Obtain private key of recipient.
http://www.schneier.com/paper-attacktrees-fig7.html
Brute force break asymmetric encryption (OR)
Mathematically break asymmetric encryption (OR)
  1. Break RSA (OR)
  2. Factor RSA modulus/calculate Elgamal discrete log

Have the recipient sign the encrypted public key (OR)
Monitor the sender's computer memory (OR)
Monitor the receiver's computer memory (OR)
Determine key from pseudo-random number generator (OR)
  1. Determine state of randseed during encryption (OR)
  2. Implant virus that alters the state of randseed. (OR)
  3. Implant software that affects the choice of symmetric key.
In the scheme of things, the choice of algorithm and the key length is probably the least important thing that affects PGP's overall security. PGP not only has to be secure, but it has to be used in an environment that leverages that security without creating any new insecurities.
http://www.schneier.com/paper-attacktrees-fig7.html
Elgamal
The Elgamal cryptosystem relies on the inherent difficulty of calculating discrete logarithms.
It is a probabilistic scheme:
  a particular plaintext can be encrypted into multiple different ciphertexts;
  ciphertexts become twice the length of the plaintext.
Elgamal: Algorithm
Bob (Key generation):
1. Pick a prime $p$.
2. Find a generator $g$ for $Z_p$.
3. Pick a random number $x$ between 1 and $p - 2$.
4. Compute $y = g^x \bmod p$.
$P_B = (p, g, y)$ is Bob's public key.
$S_B = x$ is Bob's private key.

$a = g^k \bmod p$
$b = M y^k \bmod p$

Alice must choose a different random number $k$ for every message, or she'll leak information.
Bob doesn't need to know the random value $k$ to decrypt.
Each message has $p - 1$ possible different encryptions.
The division in the decryption can be avoided by use of Lagrange's theorem:
$M = b (a^x)^{-1} \bmod p = b\,a^{p-1-x} \bmod p$

Computing the generator is, in general, hard. We can make it easier by choosing a prime number with the property that we can factor $p - 1$. Then we can test that, for each prime factor $p_i$ of $p - 1$:
$g^{(p-1)/p_i} \bmod p \neq 1$

1. Pick a prime $p = 13$.
2. Find a generator $g = 2$ for $Z_{13}$ (see next slide).
3. Pick a random number $x = 7$.
4. Compute $y = g^x \bmod p = 2^7 \bmod 13 = 11$.
$P_B = (p, g, y) = (13, 2, 11)$ is Bob's public key.
$S_B = x = 7$ is Bob's private key.
Encrypt the plaintext message $M = 3$. Alice gets Bob's public key $P_B = (p, g, y) = (13, 2, 11)$. To encrypt:
Powers modulo 13:

a      1   2   3   4   5   6   7   8   9  10  11  12
a^2    1   4   9   3  12  10  10  12   3   9   4   1
a^3    1   8   1  12   8   8   5   5   1  12   5  12
a^4    1   3   3   9   1   9   9   1   9   3   3   1
a^5    1   6   9  10   5   2  11   8   3   4   7  12
a^6    1  12   1   1  12  12  12  12   1   1  12   1
a^7    1  11   3   4   8   7   6   5   9  10   2  12
a^8    1   9   9   3   1   3   3   1   3   9   9   1
a^9    1   5   1  12   5   5   8   8   1  12   8  12
a^10   1  10   3   9  12   4   4  12   9   3  10   1
a^11   1   7   9  10   8  11   2   5   3   4   6  12
a^12   1   1   1   1   1   1   1   1   1   1   1   1
Bob's private key is $S_B = x = 7$.
Bob receives the ciphertext $C = (a, b) = (6, 8)$ from Alice.
Bob computes the plaintext $M$:
$M = b (a^x)^{-1} \bmod p = b\,a^{p-1-x} \bmod p = 8 \cdot 6^{13-1-7} \bmod 13 = 8 \cdot 6^5 \bmod 13 = 3$

In-Class Exercise

Pick the prime $p = 13$. Find the generator $g = 2$ for $Z_{13}$. Pick a random number $x = 9$. Compute $y = g^x \bmod p = 2^9 \bmod 13 = 5$.
$P_B = (p, g, y) = (13, 2, 5)$ is Bob's public key. $S_B = x = 9$ is Bob's private key.
1. Encrypt the message $M = 11$ using the random number $k = 10$.
2. Decrypt the ciphertext from 1.
Elgamal Correctness
Show that $M = b (a^x)^{-1} \bmod p$ decrypts.
We have that
$a = g^k \bmod p$
$b = M y^k \bmod p$
$y = g^x \bmod p$
We get
$b (a^x)^{-1} \bmod p$
$= (M y^k)((g^k)^x)^{-1} \bmod p$
$= (M y^k)(g^{kx})^{-1} \bmod p$
$= (M (g^x)^k)(g^{kx})^{-1} \bmod p$
$= M g^{kx} (g^{kx})^{-1} \bmod p$
$= M g^{kx} g^{-kx} \bmod p$
$= M \bmod p$
$= M$

Elgamal Security

The security of the scheme depends on the hardness of solving the discrete logarithm problem. Generally believed to be hard.
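The generator test, key generation, encryption and division-free decryption from the Elgamal slides, plus the reason a repeated $k$ leaks information, as an added Python example (not code from the original slides). Function names are hypothetical; $k = 5$ is an assumption chosen because it reproduces the slide's ciphertext $(6, 8)$, and the second plaintext 9 is constructed.

```python
# Added example: Elgamal over the slides' toy prime p = 13 (illustration only).

def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for small n)."""
    factors, f = set(), 2
    while f * f <= n:
        while n % f == 0:
            factors.add(f)
            n //= f
        f += 1
    if n > 1:
        factors.add(n)
    return factors

def is_generator(g, p):
    """g generates Z_p iff g^((p-1)/p_i) mod p != 1 for each prime p_i | p-1."""
    return all(pow(g, (p - 1) // f, p) != 1 for f in prime_factors(p - 1))

def keygen(p, g, x):
    if not is_generator(g, p) or not 1 <= x <= p - 2:
        raise ValueError("g must be a generator and 1 <= x <= p - 2")
    return (p, g, pow(g, x, p)), x               # public (p, g, y), private x

def encrypt(pub, m, k):
    p, g, y = pub
    return pow(g, k, p), m * pow(y, k, p) % p    # ciphertext (a, b)

def decrypt(pub, x, ct):
    p = pub[0]
    a, b = ct
    return b * pow(a, p - 1 - x, p) % p          # b * a^(p-1-x), no division

def plaintext_from_reused_k(pub, known_m, known_ct, other_ct):
    """With the same k, a repeats and b2/b1 = M2/M1 (mod p), so one known
    plaintext exposes the other message without the private key."""
    p = pub[0]
    if known_ct[0] != other_ct[0]:
        return None                              # different k: no such relation
    return other_ct[1] * pow(known_ct[1], -1, p) * known_m % p

PUB, X = keygen(13, 2, 7)
CT = encrypt(PUB, 3, 5)                          # k = 5 is an assumed value

if __name__ == "__main__":
    print("public key", PUB, "ciphertext", CT, "decrypts to", decrypt(PUB, X, CT))
    print("distinct encryptions of M = 3:",
          len({encrypt(PUB, 3, k) for k in range(1, 13)}))
    reused = encrypt(PUB, 9, 5)                  # constructed second message, same k
    print("recovered from reused k:", plaintext_from_reused_k(PUB, 3, CT, reused))
```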
Key Exchange
A key exchange protocol (or key agreement protocol) is a way for parties to share a secret (such as a symmetric key) over an insecure channel. With an active adversary (who can modify messages) we can't reliably share a secret. With a passive adversary (who can only eavesdrop on messages) we can share a secret. A passive adversary is said to be honest but curious.
Diffie-Hellman Key Exchange

A classic key exchange protocol.
Based on modular exponentiation.
The secret $K_1 = K_2$ shared by Alice and Bob at the end of the protocol would typically be a shared symmetric key.

Diffie-Hellman: Algorithm

1. Pick $p$, a prime number. Pick $g$, a generator for $Z_p$.
2. Alice:
   1. Pick a random $x \in Z_p$, $x > 0$.
   2. Compute $X = g^x \bmod p$.
   3. Send $X$ to Bob.
3. Bob:
   1. Pick a random $y \in Z_p$, $y > 0$.
   2. Compute $Y = g^y \bmod p$.
   3. Send $Y$ to Alice.
4. Alice computes the secret: $K_1 = Y^x \bmod p$.
5. Bob computes the secret: $K_2 = X^y \bmod p$.
Example

$Y^x \bmod p = 11^3 \bmod 13 = 5.$
$X^y \bmod p = 8^7 \bmod 13 = 5.$

In-Class Exercise

Let $p = 19$.
Let $g = 10$.
Let Alice's secret $x = 7$.
Let Bob's secret $y = 15$.
Compute $K_1$.
Compute $K_2$.
Diffie-Hellman Correctness

$K_1 = Y^x \bmod p.$
$K_2 = X^y \bmod p.$

Diffie-Hellman Correctness. . .

Alice has
$K_1 = Y^x \bmod p = (g^y)^x \bmod p = (g^x)^y \bmod p = X^y \bmod p$
Bob has
$K_2 = X^y \bmod p = (g^x)^y \bmod p = X^y \bmod p$
$K_1 = K_2.$
Diffie-Hellman Security

The security of the scheme depends on the hardness of solving the discrete logarithm problem. Generally believed to be hard.
Diffie-Hellman Property: Given $p$, $X = g^x$, $Y = g^y$, computing $K = g^{xy} \bmod p$ is thought to be hard.

Alice:
Eve:
  1. Intercept $X = g^x \bmod p$ from Alice.
  2. Pick a number $t$ in $Z_p$.
  3. Send $T = g^t \bmod p$ to Bob.
Bob:
Eve:
  1. Intercept $Y = g^y \bmod p$ from Bob.
  2. Pick a number $s$ in $Z_p$.
  3. Send $S = g^s \bmod p$ to Alice.
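The honest exchange and the interception steps listed above, with both sides' messages, as an added Python example (not code from the original slides). The values $p = 13$, $g = 2$, $x = 3$, $y = 7$ are assumptions consistent with the $11^3$ and $8^7$ in the slides' example; $t = 4$ and $s = 5$ are constructed, and the view comparison is an added check that presumes Alice and Bob can compare the exchanged values over an authenticated channel.

```python
# Added example: Diffie-Hellman with toy numbers, honest run and intercepted run.

def public_value(g, secret, p):
    return pow(g, secret, p)

def shared_secret(received, secret, p):
    return pow(received, secret, p)

def honest_exchange(p, g, x, y):
    """Alice sends X, Bob sends Y, nothing is modified in transit."""
    X, Y = public_value(g, x, p), public_value(g, y, p)
    return {"alice_key": shared_secret(Y, x, p),
            "bob_key": shared_secret(X, y, p),
            "alice_view": (X, Y),     # (value Alice sent, value she received)
            "bob_view": (X, Y)}       # (value Bob received, value he sent)

def intercepted_exchange(p, g, x, y, t, s):
    """Eve replaces X with T = g^t on the way to Bob and Y with S = g^s
    on the way to Alice, as in the steps listed on the slide."""
    X, Y = public_value(g, x, p), public_value(g, y, p)
    T, S = public_value(g, t, p), public_value(g, s, p)
    return {"alice_key": shared_secret(S, x, p),      # Alice believes S is Bob's
            "bob_key": shared_secret(T, y, p),        # Bob believes T is Alice's
            "eve_alice_key": shared_secret(X, s, p),  # equals Alice's key
            "eve_bob_key": shared_secret(Y, t, p),    # equals Bob's key
            "alice_view": (X, S),
            "bob_view": (T, Y)}

def views_agree(run):
    """Added check: if the two parties compare the exchanged public values
    over an authenticated channel, any substitution shows up as a mismatch."""
    return run["alice_view"] == run["bob_view"]

HONEST = honest_exchange(13, 2, 3, 7)
TAMPERED = intercepted_exchange(13, 2, 3, 7, t=4, s=5)

if __name__ == "__main__":
    print("honest run:  ", HONEST, "views agree:", views_agree(HONEST))
    print("tampered run:", TAMPERED, "views agree:", views_agree(TAMPERED))
```

In the tampered run Alice and Bob hold different keys, each shared with Eve instead of with each other, which is why the exchanged values need authentication.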
Summary
Acknowledgments
Additional material and exercises have also been collected from these sources:
1. Igor Crk and Scott Baker, 620 - Fall 2003 - Basic Cryptography.
2. Bruce Schneier, Applied Cryptography.
3. Pfleeger and Pfleeger, Security in Computing.
4. William Stallings, Cryptography and Network Security.
5. Bruce Schneier, Attack Trees, Dr. Dobb's Journal, December 1999, http://www.schneier.com/paper-attacktrees-ddj-ft.html .
6. Barthe, Grégoire, Beguelin, Hedin, Heraud, Olmedo, Verifiable Security of Cryptographic Schemes, http://www.irisa.fr/celtique/blazy/seminar/20110204.pdf .
7. http://homes.cerias.purdue.edu/~crisn/courses/cs355_Fall_2008/lect18.pdf