Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key...
Transcript of Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key...
![Page 1: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/1.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Asymmetric and Public Key Signatures
Ruta Jawale
July 9, 2019
![Page 2: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/2.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Announcements
Homework 1 will be due today! (7/9)
Project 1 due Thursday! (7/11)
Project 1’s VM passwords are releasedIf you have a partner, only one submission per group
Midterm 1 in one week! (7/15)
![Page 3: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/3.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Hash functions constructions
Merkle-Damgard construction (used by SHA1, SHA2):
Let N be the message block size in bits. IV is some fixedvalue, f is some one-way compression function.
![Page 4: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/4.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Length extension attack
Let H be a hash function depending on Merkle-Damgard. LetPAD be the hash function’s internal padding scheme.
An attacker can use the digest H(m1) for some unknownmessage m1 of known length to calculate H(PAD(m1)‖m2) fora message m2 of the attacker’s choosing.
SHA3 is not vulnerable to this form of attack.
![Page 5: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/5.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Symmetric key vs. Public key encryption
Symmetric key encryption
Inconvenient: need to set up a shared, symmetric keysomehow
Efficient: bitwise operations are efficient to implement(xor, shift), also can be parallelized
Quantum resistant: double the key size!
Public key encryption
Convenient: easy to create public/private key pairs foreach person
Inefficient: exponentiation of large integers is very slow
RSA and El Gamal are broken by quantum computers!Shor’s algorithm breaks factorization and discrete logassumptions.
![Page 6: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/6.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Hybrid encryption
Hybrid encryption is where we use public key encryption to setup a shared secret key, then we use symmetric key encryptionto encrypt messages.
![Page 7: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/7.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
The story so far. . .
Alice wants to ask Bob on a date. She now knows that if shewants confidentiality. . .
Alice
−−−−−−−−−−−−−−→
Bob
. . . she needs to encrypt her message!
Alice
−−−−−−−−−−−−−−→
Bob
![Page 8: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/8.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Which encryption?
Alice
−−−−−−−−−−−−−−→
Bob
Let’s say Alice prefers symmetric key encryption, so she usesDiffie-Hellman to set up a symmetric key with Bob (if shedoesn’t have one already), then uses AES-CFB.
![Page 9: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/9.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Reminder: Alice’s security specifications
Confidentiality
only Alice and Bob should know the message
IntegrityBob should be able to verify Alice’s message was notmodified or tampered with
If it was modified, Bob should realize it!
Authentication
Bob should be able to verify Alice sent the message
![Page 10: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/10.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
All about Eve
Excepting Mallory’s brief cameo (see MITM attacks), so far it’sbeen all about Eve.
Eve the Eavesdropper
Likes: Reading messagesDislikes: Confidentiality
Mallory the Manipulator
Likes: Altering messagesDislikes: Integrity/Authenticity
Today let’s talk about Mallory!
![Page 11: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/11.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Achieve integrity/authenticity to upset Mallory
Mallory likes to manipulate messages. How can we ensure thatMallory can’t tamper with Alice’s correspondence? (Another
rhetorical question)
−−−−−−−→, TAG( )
Let’s send a “tag” with Alice’s message!
![Page 12: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/12.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Types of “tags”
Signature key Verification key
Symmetric key “tag” =
same private key for signing and verifying
Asymmetric key “tag” 6=separate public verification key and private signing key
Both types of “tags” achieve integrity/authenticity, necessaryto prevent Mallory’s plans. We’ll see both in today’s lecture.
![Page 13: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/13.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Learning Objectives
Learn a symmetric key integrity/authenticity
MAC (ex: HMAC)
Learn asymmetric key integrity/authenticity
Digital signatures (ex: RSA signature)
![Page 14: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/14.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Message Authentication Codes (MACs)
Gen(1n)→ k :
Input: 1n where n is the security parameterOutput: secret key k
Sign(k,m)→ σ:
Input: secret key k and message mOutput: signature σ
Verify(k,m, σ)→ {0, 1}:Input: secret key k , message m, and signature σOutput: 1 on success, 0 otherwise
Important: We will write MAC (k ,m) or MACk(m) or MIC when we
mean Sign(k ,m) to avoid confusion with digital signatures!
![Page 15: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/15.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
MAC correctness
∀m Verify(k ,m,Sign(k,m)) = 1
![Page 16: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/16.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
MAC security: unforgeability
Phases Challenger Adversary A
setup k ← Gen(1n)
signature query ormi or (mj , σj )←−−−−−−−−−−− for i, j ∈ poly(n)
verification query σi ← Sign(k,mi ) or where (mj , σj ) 6= (mi , σi )
b ← Verify(k,mj , σj )
determine win b = 1,A winsσi or b = 0−−−−−−−−−−−→
![Page 17: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/17.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
MAC security: unforgeability
Phases Challenger Adversary A
setup k ← Gen(1n)
signature query ormi or (mj , σj )←−−−−−−−−−−− for i, j ∈ poly(n)
verification query σi ← Sign(k,mi ) or where (mj , σj ) 6= (mi , σi )
b ← Verify(k,mj , σj )
determine win b = 1,A winsσi or b = 0−−−−−−−−−−−→
What does (mj , σj) 6= (mi , σi ) mean? Cannot submitverification queries on signature queries. In other words, cannotclaim something signed by the challenger is a forgery of thechallenger’s signature.
![Page 18: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/18.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
MAC security: unforgeability
Phases Challenger Adversary A
setup k ← Gen(1n)
signature query ormi or (mj , σj )←−−−−−−−−−−− for i, j ∈ poly(n)
verification query σi ← Sign(k,mi ) or where (mj , σj ) 6= (mi , σi )
b ← Verify(k,mj , σj )
determine win b = 1,A winsσi or b = 0−−−−−−−−−−−→
Pr[A wins game] = negligible.
![Page 19: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/19.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
MAC has integrity/authenticity
Integrity
No one can forge a valid “tag” without knowing the key
So if Mallory changes Alice’s message, Mallory can’t forgea matching “tag”
When Bob goes to verify the “tag”, he can determine ifMallory changed Alice’s message
Authenticity
No one can forge a valid “tag” without knowing the key
So only Alice and Bob can create a correct “tag”
Knowing the key, authenticates Alice and Bob
![Page 20: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/20.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Does MAC provide confidentiality?
Given just the output of a MAC, is the input to the MACconfidential?
No, not in general. We can construct a MAC that leaks theentire message and is still unforgeable.
![Page 21: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/21.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
MAC has plausible deniability
In our scenario, Alice could deny that she sent the message andclaim Bob sent the message to her. A third person cannotdetermine which one of them, Alice or Bob, sent the “tag”,since both Alice and Bob know the same key.
![Page 22: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/22.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
HMAC
Let H : {0, 1}∗ → {0, 1}n be some hash function of our choice.
We want to use this hash function to construct a MAC scheme!
![Page 23: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/23.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Idea # 1
Let H : {0, 1}∗ → {0, 1}n be some hash function of our choice.
Gen(1n)→ k:
k$← {0, 1}n
Sign(k ,m)→ σ:
output H(k‖m)
Verify(k ,m, σ)→ {0, 1}:
check H(k‖m)?= σ
if equal, output 1.else, output 0.
What if the hash function weuse is SHA-256 or SHA-512?
Given a valid signature
σ = H(k‖m1)
adversary could forge thesignature
σ∗ = H(k‖PAD(m1)‖m2)
using length extension attack!
![Page 24: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/24.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Idea # 1: Can easily break unforgeability
Phases Challenger Adversary A
setup k ← Gen(1n)
signature query orverification query
m1←−−−−−−−−−−−
H(k‖m1)← Sign(k,m1) orH(k‖m1)
−−−−−−−−−−−→(m∗, σ∗)
←−−−−−−−−−−− m∗ = PAD(m1)‖m2
compute σ∗ = H(k‖m∗)
using length extension
b ← Verify(k,m∗, σ∗)
determine win b = 1,A wins
Pr[A wins game] = 1.
![Page 25: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/25.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Idea # 2
Let H : {0, 1}∗ → {0, 1}n be some hash function of our choice.
Gen(1n)→ k:
k$← {0, 1}n
Sign(k ,m)→ σ:
output H(k‖H(k‖m))
Verify(k ,m, σ)→ {0, 1}:
check H(k‖H(k‖m))?= σ
if equal, output 1.else, output 0.
Is it unforgeable?
No known length extensionattacks! The outer hashfunction appears to hide theinner hash functions’sinternal state.
However, we shouldn’t usethe same key twice.
![Page 26: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/26.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
HMAC
Let H : {0, 1}∗ → {0, 1}n be some hash function of our choice.
HMAC(K ,m) = H( (K ′ ⊕ opad) ‖ H( (K ′ ⊕ ipad) ‖ m ) )
where opad = n bit block of repeating “0x5c”
ipad = n bit block of repeating “0x36”
K ′ =
K‖“0x00” K is shorter than block size n
H(K ) K is larger than block size n
K otherwise
![Page 27: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/27.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
HMAC
![Page 28: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/28.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
HMAC constructions
HMAC-SHA1
![Page 29: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/29.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
HMAC constructions
HMAC-SHA1
SHA1 is insecure!
HMAC-SHA256
block size: 512 bits or 64 bytes
HMAC-SHA512
block size: 1024 bits or 128 bytes
HMAC-SHA3
No length extension attack!
Could actually use Idea # 1: H(k‖m)
![Page 30: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/30.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Does HMAC provide confidentiality?
Yes. If the underlying hash function has pre-image resistance,then HMAC should not leak much information about its input.
Where’s the reduction proof? Left as exercise to the reader.
![Page 31: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/31.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Break time∼
Stand up, stretch, ask a neighbor how they’re planning tostudy for the midterm.
Coming up next: public key signatures
![Page 32: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/32.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Digital Signatures
Gen(1n)→ (vk , sk):
Input: 1n where n is the security parameterOutput: secret signing key sk and public verification key vk
Sign(sk,m)→ σ:
Input: secret key sk , and message mOutput: signature σ
Verify(vk ,m, σ)→ {0, 1}:Input: verification key vk , message m, and signature σOutput: 1 on success, otherwise 0.
![Page 33: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/33.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Digital Signatures correctness
∀m Verify(vk ,m,Sign(sk,m)) = 1
Reminder: verification key vk is public, signing key sk is private
![Page 34: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/34.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Digital Signatures security: unforgeability
Phases Challenger Adversary A
setup vk, sk ← Gen(1n)vk
−−−−−−−−−−−→
signature query ormi or (mj , σj )←−−−−−−−−−−− for i, j ∈ poly(n)
verification query σi ← Sign(sk,mi ) or where (mj , σj ) 6= (mi , σi )
b ← Verify(vk,mj , σj )
determine win b = 1,A winsσi or b = 0−−−−−−−−−−−→
![Page 35: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/35.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Digital Signatures security: unforgeability
Phases Challenger Adversary A
setup vk, sk ← Gen(1n)vk
−−−−−−−−−−−→
signature query ormi or (mj , σj )←−−−−−−−−−−− for i, j ∈ poly(n)
verification query σi ← Sign(sk,mi ) or where (mj , σj ) 6= (mi , σi )
b ← Verify(vk,mj , σj )
determine win b = 1,A winsσi or b = 0−−−−−−−−−−−→
Adversary A has the verification key vk . They don’t need toask the challenger for verification queries. They only need tosubmit the forged signature.
![Page 36: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/36.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Digital Signatures security: unforgeability
Phases Challenger Adversary A
setup vk, sk ← Gen(1n)vk
−−−−−−−−−−−→
signature querymi
←−−−−−−−−−−− for i ∈ poly(n)
σi ← Sign(sk,mi )σi
−−−−−−−−−−−→
forgerym∗, σ∗
←−−−−−−−−−−− where (m∗, σ∗) 6= (mi , σi )
b ← Verify(vk,m∗, σ∗)
determine win If b = 1,A wins
Pr[A wins game] = negligible.
![Page 37: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/37.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Do Digital Signatures have non-repudiation?
Non-repudiation is the assurance that someone cannot denythe validity of something. The opposite of deniability.
Can we determine whether Alice sent the message to Bob orBob sent the message to Alice?
Yes, depending on who’s public key / private key pairing wasused, so Digital Signatures have non-repudiation.
![Page 38: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/38.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
RSA signatures: key generation
Reminder: verification key vk is public, signing key sk is private
Gen(1n)→ (vk , sk):
choose primes p and q
define N = p · q
choose small prime e ∈ {1, . . . ,N − 1}
compute d to satisfy e · d = 1 (mod (p − 1)(q − 1))
define vk = (N, e) and sk = d
![Page 39: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/39.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
RSA signatures: signature
Let H be a cryptographic hash function.
Sign(sk ,m)→ σ:
compute σ = H(m)d (mod N)
![Page 40: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/40.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
RSA signatures: verification
Let H be our cryptographic hash function.
Verify(vk ,m, σ)→ {0, 1}:
check H(m)?= σe (mod N)
if equal, output 1. else, output 0
![Page 41: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/41.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Is RSA signatures correct?
Gen(1n)→ (vk , sk):
choose primes p and q
define N = p · qe ∈ {1, . . . ,N − 1}compute d s.t. e · d = 1(mod (p − 1)(q − 1))
vk = (N, e), sk = d
Sign(sk ,m)→ σ:
σ = H(m)d (mod N)
Verify(vk ,m, σ)→ {0, 1}:
H(m)?= σe (mod N)
if equal, output 1
Does Verify(vk ,m, σ) return 1?
σe (mod N) = (H(m)d (mod N))e (mod N)
= H(m)e·d (mod N) = H(m) (mod N)
by application of the Chinese Remainder Theorem.
![Page 42: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/42.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Why hash the message?
Gen(1n)→ (vk , sk):
choose primes p and q
define N = p · qe ∈ {1, . . . ,N − 1}compute d s.t. e · d = 1(mod (p − 1)(q − 1))
vk = (N, e), sk = d
Sign(sk ,m)→ σ:
σ = H(m)d (mod N)
Verify(vk ,m, σ)→ {0, 1}:
H(m)?= σe (mod N)
if equal, output 1
You’ll see why during Wednesday’s discussion section.
Reminder: Attend discussion sections!
![Page 43: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/43.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Is RSA signature unforgeable?
Assuming the hash function is secure, the RSA signature willbe unforgeable.
![Page 44: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/44.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Can Alice just use HMAC since it has CIA?
No, remember how a “tag” is used in our scenario when Alicewants to send a message. The message also needs to be sentfor Bob to verify!
Alice
, TAG( )
−−−−−−−−−−−−−−−−−−→
Bob
![Page 45: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/45.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Lucky 7 step plan
Alice still prefers symmetric keys, so she will use Diffie-Hellmanto set up two symmetric keys with Bob (if she doesn’t havetwo already). One for encryption and one for “tag” generation.
Then she follows “encrypt then MAC” strategy: she firstencrypts her message using AES-CFB and then appends a tagof the ciphertext using HMAC-SHA256.
![Page 46: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/46.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Let’s put it together
Alice Bob
![Page 47: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/47.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Step # 1: Diffie-Hellman to share encryption key
Alice
AES-CFB key:
Diffie-Hellman keyexchange
−−−−−−−−−−−−−−→←−−−−−−−−−−−−−−
...←−−−−−−−−−−−−−−
Bob
AES-CFB key:
![Page 48: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/48.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Step # 2: Diffie-Hellman to share MAC key
Alice
AES-CFB key:
HMAC key:
Diffie-Hellman keyexchange
−−−−−−−−−−−−−−→←−−−−−−−−−−−−−−
...←−−−−−−−−−−−−−−
Bob
AES-CFB key:
HMAC key:
![Page 49: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/49.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Step # 3: Encrypt the message using AES-CFB
Alice
Enc( , ) =
Bob
AES-CFB key:
HMAC key:
![Page 50: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/50.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Step # 4: Compute the “tag” using HMAC
Alice
Enc( , ) =
MAC( , )
Bob
AES-CFB key:
HMAC key:
![Page 51: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/51.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Step # 5: Send message via “Encrypt then MAC”
Alice
AES-CFB key:
HMAC key:
, TAG( )−−−−−−−−−−−−−−→
Bob
AES-CFB key:
HMAC key:
![Page 52: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/52.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Step # 6: Bob will verify the “tag”
Alice
AES-CFB key:
HMAC key:
Bob
Verify( , , TAG( ))?= 1
![Page 53: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/53.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Step # 7: Bob will decrypt the message
Alice
AES-CFB key:
HMAC key:
Bob
Dec( , ) =
![Page 54: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/54.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Fin∼
AliceBob
![Page 55: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/55.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Epilogue
Since our symmetric key systems, such as MAC, havedeniability. . .
Many years later, Bob still jokingly insists that he was the onewho asked Alice out first!
Alice
, TAG( )←−−−−−−−−−−−−−−
Bob
![Page 56: Asymmetric and Public Key Signaturescs161/su19/lectures/lec09_mac.pdf · Asymmetric and Public Key Signatures Ruta Jawale July 9, 2019. Announcements Review Objectives MAC HMAC Digital](https://reader036.fdocuments.in/reader036/viewer/2022081515/5f16a2d6bad42f11120fe2d9/html5/thumbnails/56.jpg)
Announcements
Review
Objectives
MACHMAC
Digital SignaturesRSA Signatures
Conclusion
Summary
Alice learned today that . . .
If she wants integrity and authentication,
she can use HMAC or RSA Signatures
How to finally ask Bob on a date!
“Encrypt then MAC”