1

Information System SecurityAABFS-Jordan

Summer 2006

Digital Signature and Hashing Functions

Prepared by: Maher Abu Hamdeh & Adel Hamdan

Supervised by: Dr. Lo’ai Tawallbeh

2

Digital signature and Hashing

• 11.1 Message authentication• 11.2 Hash function• 11.3 Message Authentication Code MAC• 12.1 Secure hash algorithm

– SHA-512

• 13.1 Digital signature– Direct digital signature– Arbitrated digital signature

• 13.3 Digital signature standard DSS

3

Message authentication (ch11)

• Message authentication is a mechanism or service used to verify the integrity of a message. Message authentication assures that data received exactly as sent.

• The two most common cryptography techniques for message authentication are a message authentication code (MAC) and a secure hash function.

• A hash function maps a variable-length message into a fixed hash value, or message digest. For message authentication, a secure hash function must be combined in some fashion with a secret key.

4

Hash Functions (ch11)

• A hash function accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code.

• Unlike MAC, a hash code does not use a key but a function only of the input message.

• The hash code is also referred to as a message digest or hash value.

5

Hash Functions & Digital Signatures (ch11)

Only the hash code is encrypted, using public key encryption and using the sender’s private key. This provide authentication. It also provides a digital signature, because only the sender could have produced the encrypted hash code. In fact, this is the essence of the digital signature technique

• turns variable-length message M into fixed-size block H(M)

• produces “fingerprint” of a file, “message digest”

• hash function is “one way”, does not use secret key

• various uses, e.g., integrity, digital signature

6

Hash function (ch11)

• The hash function takes an input message and partitions it into L fixed-sized blocks of b bits each.

• If necessary, the final block is padded to b bits.• The final block also includes the value of the total length

of the input to the hash function.• The hash algorithm involves repeated use of a

compression function, f, that takes two inputs( an n-bit input from the previous step, called the chaining variable, and a b-bit block) and produces an n-bit output.

• At the start of hashing, the chaining variable has an initial value that is specified as part of the algorithm

7

11.3 Message Authentication Code MAC

• Use of secret key to generate a small fixed size block of data, known as a cryptographic checksum or MAC that is appended to the message.

• This technique assumes that the two communicating parties, say A and B, share a common secret key K.

• When A has a message to send to B, it calculates the MAC as a function of the message and the key, where the message plus MAC are transmitted to the intended recipient.

• The recipient performs the same calculation on the received message, using the same secret key, to generate a new MAC.

• The received MAC is compared to the calculated MAC.

8

Message Authentication Code

MAC=C(K,M)

M: input message

C: MAC Functionn

K: shared secret key

MAC: Message Authentication Code

9

12.1 secure hash algorithm SHA

• The Secure Hash Algorithm (SHA) was developed by the national institute of standards and technology (NIST)

• SHA- 512 logic– The algorithm takes as input a message with

a maximum length of less than 2128 bits and produces as output a 512-bit message digest.

– The input is processed in 1024-bit blocks

10

12.1 secure hash algorithm SHA

Table 12.1. Comparison of SHA Parameters

  SHA-1 SHA-256 SHA-384 SHA-512

Message digest size 160 256 384 512

Message size <264 <264 <2128 <2128

Block size 512 512 1024 1024

Word size 32 32 64 64

Number of steps 80 64 80 80

11

SHA-512 Overview1. pad message so its length is 896 mod 1024

2. A block of 128 bits is appended to the message. This block is treated as an unsigned 128-bit integer (most significant byte first) and contain the length of the original message (before the padding)

3. initialize 512-bit buffer (see textbook for values)

Intermediate hash value

a = 6A09E667F3BCC908 b = BB67AE8584CAA73B

c = 3C6EF372FE94F82B c = A54FF53A5F1D36F1

e = 510E527FADE682D1 f = 9B05688C2B3E6C1F

g = 1F83D9ABFB41BD6B h = 5BE0CDI9137E2179

These values are stored in big-endian format, which is the most significant byte of a word in the low address byte position.

12

SHA-512 Overview

4- process message in 1024-bit blocks (128-word):– The heart of the algorithm is a module that consists of 80

rounds– Each round takes as input the 512-bit buffer value abcefgh,

and updates the content of the buffer– At input to the first round, the buffer has the value of the

intermediate hash value , Hi-1

– expand 1024-bit block into 80 round, 64-bit blocks by mixing & shifting

– use 80 rounds of 64-bit operations on message block & buffer – add output to input to form new buffer value

5- output hash value is the final buffer value

13

SHA-512 Overview

14

SHA-512 Compression Function

15

SHA-512 Single Round

see textbook for details

16

17

13.1 Digital Signatures

• A digital signature is an authentication mechanism that enables the creator of a message to attach a code that acts as a signature.

• The signature is formed by taking the hash of the message and encrypting the message with the creator’s private key. The signature guarantees the source and integrity of the message

18

Direct Digital Signatures

• The direct digital signature involve only sender & receiver (source & destination)

• It is assumed that receiver has sender’s public-key

• digital signature may be formed by encrypting the entire message with the sender’s private key. or by encrypting a hash code of the message with the sender’s private key.

• security depends on sender’s private-key

19

Direct Digital Signatures

20

Direct Digital Signatures

• Weakness– The validity of the scheme depends on the security of

the sender’s private key. If a sender later wishes to deny sending a particular message, the sender can claim that the private key lost or stolen.

– Another threat is that some private key might actually be stolen from X at time T. the opponent can then send a message signed with X’s signature and stamped with a time before or equal to T.

21

Arbitrated Digital Signatures

• The problem associated with direct digital signature can be addressed by using an arbiter.

• Every signed message from a sender X to a receiver Y goes first to an arbiter A. who subjects the message and its signature to a number of tests to check its origin and content. The message is then dated and sent to Y with an indication that it has been verified to the satisfaction of the arbiter.

• The presence of A solves the problem faced by direct signature schemes: that X might disown the message

• requires suitable level of trust in arbiter• can be implemented with either private or public-key

algorithms• arbiter may or may not see message

22

Arbitrated Digital Signatures

• Conventional encryption (table13.1)• X A : M || E ( Kxa ,[ IDx || H (M) ] )• A Y : E( Kay ,[ IDx || M || E (Kxa ,[ IDx ||H(M))] ) || T ])

– It is assumed that the sender X and the arbiter A share a secret key Kxa and that A and Y share secret key Kay. X constructs a message M and computes its hash value H(m) . Then X transmits the message plus a signature to A. the signature consists of an identifier IDx of X plus the hash value, all encrypted using Kxa.

– A decrypts the signature and checks the hash value to validate the message. Then A transmits a message to Y, encrypted with Kay. The message includes IDx, the original message from X, the signature, and a timestamp.

– Arbiter sees message– Problem : the arbiter could form an alliance with sender to deny a

signed message, or with the receiver to forge the sender’s signature.

23

Arbitrated Digital Signatures

• Public Key encryption (table 13.1)• X A : IDx ||E( PRx,[ IDx|| E ( PUy, E( PRx, M))])• A Y : E( PRa, [ IDx ||E (PUy, E (PRx, M))|| T] )

– X double encrypts a message M first with X’s private key,PRx, and then with Y’s public key,PUy. This is a signed, secret version of the message. This signed message, together with X’s identifier , is encrypted again with PRx and, together with IDx, is sent t A. the inner, double encrypted message is secure from the arbiter ( and everyone else except Y)

– A can decrypt the outer encryption to assure that the message must have come from X( because only X has PRx). Then A transmits a message to Y, encrypted with PRa. The message includes IDx , the double encrypted message, and a timestamp.

– Arbiter does not see message

24

13.3 Digital signature standard DSS

• The DSS makes use of the secure hash algorithm (SHA) .

• The DSS uses an algorithm that is designed to provide only the digital signature function.– RSA approach– DSS approach

25

RSA Approach ...

26

RSA Approach

• The message to be signed is input to a hash function that produce a secure hash code of fixed length. This hash code is then encrypted using the sender’s private key to form the signature

• Both the message and the signature are then transmitted.

• The recipient takes the message and produces a hash code.

• If the calculated hash code matches the decrypted signature, the signature is accepted as valid.

27

DSS Approach

PRa sender’s private key

PUG global public key

Signing

r= (gk mod p) mod q

s= [k-1 (H(M) + xr)] mod q

Signature = (r, s) See algorithm 3 page 391

28

DSS Approach

• The DSS approach make use of a hash function. The hash code is provided as input to a signature function along with a random number k generated for this particular signature.

• The signature function also depends on the sender’s private key (PRa) and a set of parameters known to a group of communicating principals. We can consider this set to constitute a global public key (PuG).

• have shared global public key values (p,q,g):• The result is a signature consisting of two

components, labeled s and r.

29

DSS Approach

• At the receiving end, the hash code of the incoming message is generated. This plus the signature is input to a verification function.

• The verification function also depends on the global public key as well the sender’s public key (PUa), which is paired with sender’s private key.

• The output of the verification function is a value that is equal to the signature component r if the signature is valid

30

DSA Key Generation

• Global public key component:• have shared global public key values (p,q,g):

– p prime number where 2 L-1 < P < 2L

• where L= 512 to 1024 bits and is a multiple of 64

– q prime divisor of p-1 where 2159 < q < 2160

– g = h (p-1) /q mod p• where h is any integer with 1 < h < (p-1)• Such that h (p-1)/q mod p > 1

31

DSA Signature Verification

• having received M & signature (r,s)

• to verify a signature, recipient computes: w = s’-1(mod q)

u1= [H(M’).w]mod q

u2= (r’.w)mod q

v = [gu1.yu2(mod p)] mod q

• if v=r then signature is verified

• see book web site for details.