CSE

5636 Network Security

CYB 5290 Secure Data Communica=ons and Networks

Public Key Cryptography I

Dr. Marco Carvalho

Associate Professor
Harris Institute for Assured Information
Florida Institute of Technology
Melbourne, FL

Public key concept

Alices public key

Alices private key

Alices public key

Everybody knows Alices public key

Only Alice knows the corresponding private key
Infrastructure to certify the association between Alice and her public key
Example
Alice wants to send a secret message to Bob
Bob wants to authenticate the message is from Alice
CSE 5636 / CYB 5290

ApplicaAons of Public-Key Crypto

Encryption for confidentiality

Anyone can encrypt a message using Alices public key
With symmetric crypto, one must know shared secret key to encrypt
Only Alice, who knows private key, can decrypt
Digital signatures for authentication
Alice can sign a message using her private key
Non-repudiation
Integrity
Session key establishment to overcome the symmetrical crypto limitation
Exchange messages to create a secret session key, which is for
symmetric cipher
A user can use Amazons public key to encrypt a secret for shopping
at Amazon
Then switch to symmetric cryptography
Faster using symmetric key crypto

CSE 5636 / CYB 5290

Enable unknown parAes secure

communicaAons
Amazons private key

Amazons public key

Public Key
Infrastructure

Amazons public key

CSE 5636 / CYB 5290

Key establishment (1)

Key establishment: A function in the lifecycle of keying material
The process by which cryptographic keys (e.g. AES keys) are
securely established among cryptographic modules using
Manual transport methods (e.g., key loaders in home WLAN
network)
Automated methods: key transport and/or key agreement
protocols (e.g. SSL protocol)
A combination of automated and manual methods (consists
of key transport plus key agreement)
Two types of key establishment are defined:
Key transport and key agreement
Approved key establishment schemes are provided in SP800-56

CSE 5636 / CYB 5290

Key establishment (2)

Key agreement : A key establishment procedure, e.g. DH
Resultant keying material is a function of the information
contributed by two or more participants, so that no party
can predetermine the value of the keying material
independent of the other partys contribution
Key agreement schemes are used to set up keys to be
used between communicating entities
Key transport
A key establishment procedure whereby one party (the
sender) selects a value for the secret keying material and
then securely distributes that value to another party (the
receiver)
Contrast with key agreement.
E.g. shared secret keying material between different
parties using a key transport scheme
CSE 5636 / CYB 5290

Key-transport Scheme
A symmetric key-wrapping algorithm wraps
(i.e., encrypts and integrity-protects) keying
material using a symmetric key-wrapping key
The wrapping operation is specified as:
C = KWA.WRAP(KWK, K, A) ,
And the unwrapping operation is specified as:
K = KWA.UNWRAP(KWK, C, A) ,
Where KWK is the key-wrapping key, K
is the plaintext keying material, A is
additional input, and C is the ciphertext
CSE 5636 / CYB 5290

Die-Hellman Protocol

Invented by Diffie and Hellman in 1976

RFC 2631

Alice and Bob have never met and share no secrets but need a shared key
Public info: p and g
p is a large prime number, g is a generator of Zp*
Zp* = {1, 2, , p-1}; x Zp*, a such that x = ga mod p
g can be generated using the methods specified in RFC 2631 and NIST SP 186-3

MODULAR ARITHMETIC: numbers wrap around after they reach p

x mod p = y x = j*p + y x = y (mod p)

Pick secret, random a

Pick secret, random b

ga mod p, p, g and l
gb mod p
Shared key k
a mod p)b = gab mod p
Compute
k

=

(
g

b mod p)a = gab mod p

Compute
k
=
(
g

CSE 5636 / CYB 5290

Shared Key DerivaAon in

Die-Hellman Protocol
One-time generation of an appropriate prime p and generator g
of Zp* and 2 g p 2
Perform the following steps each time a shared key is needed
between Alice (A) and Bob (B)
Alice (A) chooses a random secret a, 1 a p 2, and sends B
the message ga mod p, p, g and l
The private-value length in bits, satisfies 2l-1 p
Bob (B) chooses a random secret b, 1 b p 2, and sends A
the message gb mod p
B receives ga mod p and computes the shared key as k = (ga
mod p)b mod p
A receives gb mod p and computes the shared key as k = (gb
mod p)a mod p
k = (ga mod p)b mod p = gab mod p = (gb mod p)a mod p

CSE 5636 / CYB 5290

Example for DH

Zp* is a special group, known as a cyclic group

All elements of Zp* can be written as powers of a single element g,
called a primitive element of the group or a generator
In Z7*, if g = 3 and use modulo 7 arithmetic:
31 mod 7 = 3 32 mod 7 = 2 33 mod 7 = 6
34 mod 7 = 4 35 mod 7 = 5 36 mod 7 = 1
Thus, generator g = 3 is a primitive element
The order of an element a Zp* is the least positive integer t such that at = 1
When a = 3, the order of 3 is 6
Is also known as the period of wrapping around in modulo 7 arithmetic
DH key agreement example:
Alices private key = 5, Bobs private key = 4
Alices public key = 35 mod 7 = 5, Bobs public key = 34 mod 7 = 4
Alices shared key = 45 mod 7 = 2, Bobs shared key = 54 mod 7 = 2

CSE 5636 / CYB 5290

Die-Hellman key agreement

Alice and Bob each select a secret random number, a and b,
respectively as private keys (or values)
The private-value length in bits, satisfies 2l-1 p
The private value, should be generated privately and
randomly
The length of the prime p in octets is the integer j satisfying
28(j-1) p < 28j; for example, when 8j = 1024, p < 21024
g satisfies 0 < g < p and can be generated using the methods
specified in RFC 2631 [3] and NIST SP 186-3 [4]
For the element x (0 < x < p), contained in this set, there
exists a (0 < a < p-1) such that x = ga mod p
Bob generates public key using the received p, g and l
For IPsec, p and g is specified in RFCs

CSE 5636 / CYB 5290

Man-in-the-middle aUack

The Diffie-Hellman key exchange is vulnerable to a man-in-the-middle

attack
An opponent Eve intercepts Alice's public key and sends her own public key to
Bob
When Bob transmits his public key, Eve substitutes it with her own and sends it to Alice
Eve and Alice thus agree on one shared key and Eve and Bob agree on another shared
key
After this exchange, Eve simply decrypts any messages sent out by Alice or Bob, and
then reads and modifies them before re-encrypting with the appropriate key and
transmitting them to the other party

This vulnerability is present because Diffie-Hellman key exchange does not

authenticate the parties

The Station-to-Station (STS) protocol was developed by Diffie, van

Oorschot, and Wiener in 1992 to defeat the man-in-the-middle attack
Add digital signatures, signed by the private key, for both ga mod p and gb mod p
in the exchange messages
Eve cannot forge signatures without compromising both Alice's private key and
Bob's private key

CSE 5636 / CYB 5290

Example for p, g and l

Prime: 256 hex digits or 1024 bits
9A0BEBDAE1AB4444D4F3181B5480973D12FD19957911D
0143FB5FB8DC0632927BBCB1B78D07094B5CD8FAC8E35
77033154B575F910CDEB69FCED7018429560CE3FD475B
29FD3C87FDEB9D5D41EB6D1804DFB38B1DE48E22CF95
469A5C1A44D0536EED23E1051EEC772AE9D9EE1742881
851D2BB53A961F55CBAFC5EDB8F549D7
Prime: in decimals
1081751785331286386951566521253715054391267500853
6188229148363229651415227771138735283369061943984
3009484699616572997722517361319857400134067549432
1357399445592305633119127938962045160647700907852
3240961978802446867775579113771055130324332441822
5301539875580868657909202523451560333978089107447
279438288734679
CSE 5636 / CYB 5290

Generator g
G : 256 hex digits or 1024 bits
1EA4748FCCB6EA00C20E8B58DD31BFDB45761F4AAD1693145
1317A0FD68DB89FA7D3C9C78966FC65815228323F87AC2C5B
B796C504FB1EFE5BDA24C7950214B8F50A41E14608BDA4A62
272483D6D88C3A82DD88A78EEB046695882FA38DAEAF7BB07
DBFCD3D272A7B9CFD42536D53CE325A17AD83BFBF40FC325
CAD69F25EF36
Generator g: in decimals
21517827566643959654712506169933867278799151500861664
71302013269299239763240750528525518766444586454021369
51357836625109998539894817291915868585512905817214775
72011739753867405902376527168121378707507894136914243
30800114409872561249704632585164484785869308940580496
8619243420583551652929775203283262478085942
l: 1023

CSE 5636 / CYB 5290

a
Example a and g mod p
Private Key a: 1024 bits

10421657F1FAA5C6F4DC3C908E6CBC792B7DFE9D267
F2D5214ED1CC6C351C4228C003989AB8682C241A5CD
F466D975F27FAC6D2C6B458D66BD699D52F752A6FD4
3E26A5B648BDBEFDB1A4B3EC724CEE027AC37C6CB5
72F7677E006C64FD0E40EA52B972B91EAA557F7474F2
96CEA8AB86F26CA80B791CF66AD5C9CDE396CAD99
PublicKey ga mod p : 1024 bits

3BBBAF40F8989F0C5DD66F9F2817E309D5AE263C089
7BFA1EFB45746ED7D991C1F1054B83BB911CCEEAC4
8D24D66A5EE4F24F9858950E1AE3088C815DB67F66E
97005501856C62B9C6A92252C8668786ED66E416A615
AEC39517ECE57FA0C5D1D3156A44F5FD6E9D364236E
B67B802E3A98EDF6DFBAFC43B9102F8E5CF76E347
CSE 5636 / CYB 5290

Die-Hellman Security
Discrete Logarithm (DL) problem (DLP):
given gx mod p, it is mathematically hard to extract x
There is no known efficient algorithm for doing this
Computational Diffie-Hellman (CDH) problem:
given gxmod p and gymod p, it is mathematically hard to compute gxy mod p
Unless x or y are given
DECISIONAL DIFFIE-HELLMAN (DDH) problem:
Given gxmod p and gymod p, it is mathematically hard to
distinguish the difference between gxy mod p and gr mod p where r is
random

CSE 5636 / CYB 5290

ProperAes of Die-Hellman
Assuming the DDH problem is hard, the Diffie-Hellman
protocol is a secure key establishment protocol against
passive attackers
Eavesdropper cannot tell the difference between the
established key and a random value
Use gab mod p as the key for symmetric cryptography
Symmetric Crypto is approximately 1000 times
faster than modular exponentiation
Diffie-Hellman protocol does not provide authentication
Alices identity cannot be associated with ga mod p
IPsec uses the encrypted tunnel established by gab
mod p for exchanging certificates or passwords
CSE 5636 / CYB 5290

DH Ephemeral Key and StaAc Key

Ephemeral key (DHE): A key that is intended for a very short period
of use
A cryptographic key that is generated for each execution of a key
establishment process and meets other requirements of the key
type (e.g., unique to each message or session)
The key is ordinarily used in exactly one transaction of a
cryptographic scheme
An exception to this occurs when the ephemeral key is used
in multiple transactions for a key transport broadcast
For an ephemeral key pair, the owner is the entity that generated
the key pair
Static key (DH): A key that is intended for use for a relatively long
period of time
Typically intended for use in many instances of a cryptographic
key establishment scheme
Contrast with an ephemeral key
CSE 5636 / CYB 5290

DH Ephemeral Key and StaAc Key

DH Ephemeral key
Each entity that requires the other entitys
ephemeral public key for use in the key
establishment scheme obtains that public
key and obtains assurance of its validity
The ephemeral private key is not provided
to the other entity
DH Static Key
Using a fresh nonce
CSE 5636 / CYB 5290

Use of DH

RFC 2409 and RFC 4306 for The Internet Key Exchange (IKE)
To negotiate and provide authenticated keying material for security associations
in a protected manner

NIST SP 800-57
Recommendation for Key Management Part 1: General

SP 800-56A
Recommendation for pair-wise key establishment schemes using discrete
logarithm cryptography
Finite Field Cryptography (FFC) is DH using MODP

SP 800-77
The Diffie-Hellman (DH) group used to establish the secret keying material for
IKE and IPsec should be consistent with current security requirements
DH group 2 (1024-bit MODP) should be used for Triple DES and for AES with a 128-bit
key
For greater security, DH group 5 (1536-bit MODP) or DH group 14 (2048-bit MODP)
may be used for AES with 192 and 256-bit key

CSE 5636 / CYB 5290

QuesAons?
Marco Carvalho
Associate Professor
[email protected]
(321) 674-8767

CSE 5636 / CYB 5290