Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key...
-
Upload
lillian-perkins -
Category
Documents
-
view
222 -
download
0
Transcript of Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key...
1
Digital SignaturesA primer
2
Why public key cryptography?
• With secret key algorithms• Number of key pairs to be generated is extremely large• If there is a conflict between Alice and Bob, it is hard to
resolve it• Non-repudiation
• Why not public key algorithms?• Slow, computationally intensive
3
Public key encryption revisited
• What security services does it provide?• Confidentiality/Privacy• Authentication• Integrity• Non-repudiation
Encrypt DecryptInsecure channelAlice Bobyx x
kubobkrbob
4
What happens if we use the keys of both sender and receiver?
Alice Bob
e e
KRA KUB
d d
KRB KUA
x u y y u x
What security services does this provide?Can Oscar generate u?Can Bob generate u?
5
Digital Signatures
• Recap• Message authentication provides security services of
authentication and integrity• It does not provide non-repudiation
• Digital signatures• Should provide us the same functionality as regular
signatures• Must depend on the message
• “Binding” the signature to the message• Must be information unique to the signer that cannot be
forged
Digital Signature• Anyone can “verify” the signature with the public key
• No one else can “generate” a signature since the private key is known only to the owner
6
Alice Bob
x Sig(x)
Sig
KRA
x
Compare
xKUA
Ver
Sig(x)
7
How does a signature differ from a MAC or simple encryption?
• A MAC is used to ensure message authentication• The attack is to successfully change the message or create a
false message without detection
• A signature is used to “sign” a digital document• Goals of a successful attack
• Total Break• Oscar can determine Alice’s private key
• Selective Forgery• With some probability, create a forged signature for a
message that Alice has not previously signed• Existential Forgery
• Change the document but enable the signature to be verified
• Create a false document and signature pair such that the signature is verified
8
Attacks against Digital Signatures
• Key only attack• Similar to ciphertext-only attack, but Oscar knows the
public key
• Known message attack• Similar to known plaintext attack• Oscar has pairs of messages and signatures
• Chosen message attack• Oscar can choose the messages that Alice will sign
9
RSA Digital Signature
• Setup:• Public key: KU ={n, b}• Private key: KR = {p, q, a}• Here a b = 1 mod (n)• (n) = (p – 1)(q – 1)
AliceBob
x eKRA(x)x
Compare
xKUA
d
Sig(x)
e
KRA
Sig(x)
10
RSA Signature Protocol• Alice computes sigKRA(x) = xa mod n = u
• Alice sends Bob x || u
• Bob verifies the signature as follows:• He decrypts the signature first
• Compute verKUA(u) = ub mod n = x*
• Compare x and x*
• Remarks:• Only Alice can sign her documents• Anyone can verify it• Bob is assured the message is from Alice• If the message is altered, the signature will
reveal this• Signature provides authentication, integrity, and non-
repudiation
11
Drawbacks
• Long message => long signature• Solution: Hash the message before signing it
• Oscar can “choose” a signature and compute a plaintext from it• Choose signature u• Compute plaintext x = eKUA(u) = ub mod n• Send x||u to Bob• The message may be meaningless, but it will appear to
have come from Alice
• RSA signature is used in the ISO/IEC 9796 standard
12
How Digital Signatures are generated using Hash functions
Alice
Bob
x x
hHashOr MAC
e d
eKR[ h(x) ]
h
Verify
y
x || eKR[ h(x) ]
x
kABkAB
e
krA
dkuA
13
ElGamal Signature Scheme
• Different from ElGamal Encryption Scheme
• Published in 1985
• A variation of this forms the Digital Signature Standard (DSS)
• Not useful for encryption, but only for signatures
14
Setup
• Choose a large prime number p
• Choose a generator Zp*
• Choose a private key KR = a {2,3,4,…,p – 2}
• Compute the public key KU = b = a mod p
• Keys:• Public: KU ={p, , b}• Private: KR = {a}
15
Signing with private key
• Choose a random number k Zp-1*• This means
• k < p-1• GCD(k, p-1) = 1
• Compute the signature of the message x as
sigKR(x) = (,) whereg = k mod p
= (x - a )k-1 mod (p-1)
Make use of private key here
16
Public Verification
• The verification function is:
VerKU(x, (,) )
Check if b = x mod p
If true, the signature is valid
If false, the signature is invalid
17
Why does it work?
• What is b ?• What is b?
• b = a • b = a
• What is ?•
• Verification gives• a x - a = x
18
Example
• Parameters• p = 467, = 2, a = 127• Compute b = a mod p
• Alice wants to sign the plaintext message x = 108
• She chooses a random quantity k = 211
• Compute signature
• Verify signature
19
Security of ElGamal Signature Scheme
• What is an attack on signatures?• Oscar can generate a fake signature• Oscar can break the signing scheme to get a
knowledge of the private key
• Oscar can choose and then try to find • DL Problem
• Oscar can choose and try to find • Generally considered infeasible
• Oscar can choose and and try to come up with a random plaintext x as with the RSA signature scheme• DL Problem
20
Drawbacks
• Long message => long signature
• If the value of k is used repeatedly, the signature scheme becomes insecure
21
The Digital Signature Standard
• Based on the Digital Signature Algorithm (DSA)• A variation of the ElGamal signature scheme• See Textbook, page 294-297
• Sign the hash value of a signature to keep it small
• The 160 bit SHA based hash value is signed with a 320 bit signature
• The value of p is around 2512 to 21024
• Published in 1993 as a NIST FIPS PUBS 186 standard
22
Modular Roots• Definition
• Let m,n be natural numbers, c be an integer and gcd(c,n) = 1
• Let xm = c mod n for some integer x• Then x is called the m-th root of c modulo n• And c is called an m-th power residue modulo n
• Example: x2 = c mod n• x is called a square root mod n• c is called a quadratic residue mod n
• If the prime factors of n are known, then• We can use CRT to find the m-th roots modulo n• Otherwise, it is considered to be a hard problem, as
hard as integer factorization for large nYou can also have the m-th root modulo a prime number
23
Schnorr Signature Scheme
• Setup• Choose a large prime number p• Choose a prime number q that divides p -1• Choose a number Zp* that is the q-th root of 1 mod p
• What is the order of ? • Choose a private key KR = a {2,3,4,…,q – 1}• Compute the public key KU = b = a mod p• Keys:
• Public: KU ={p, q, , b}• Private: KR = {a}
• Let h(.) be a secure hash function (e.g., SHA-1 or RIPE-MD)
24
Signing with private key
• Choose a random number k Zq*• This means
• 0 < k < q
• Compute the signature of the message x as
sigKR(x, k) = (,) where
= h (x || k )
= k + a mod q
Make use of private key here
g is 160 bits is log2q bits
25
Public Verification
• The verification function is:
VerKU(x, (,) )Check if
h(x || b- ) = If true, the signature is valid
If false, the signature is invalid
• Why does this work?• What is b- mod p ?
26
Digital Signature Algorithm
• Setup• Choose a prime number p that is L bits long where L is a
multiple of 64 bits, larger than 512 bits and smaller than 1024 bits
• Choose a prime number q that divides p -1 and is 160 bits long
• Choose a number Zp* that is the q-th root of 1 mod p• What is the order of ?
• Choose a private key KR = a {2,3,4,…,q – 1}• Compute the public key KU = b = a mod p• Keys:
• Public: KU ={p, q, , b}• Private: KR = {a}
• Let h(.) be the secure hash algorithm (SHA-1)
27
Signing with private key
• Choose a random number k Zq*• This means
• 0 < k < q
• Compute the signature of the message x as
sigKR(x, k) = (,) where
= (k mod p) mod q
= (SHA-1(x) + a)k-1 mod q
Make use of private key
here
g is 160 bitsd is log2q bits They CANNOT
be zero
28
Public Verification
• The verification function is: VerKU(x, (,) )Compute
e1 = SHA-1(x) -1 mod q
e2 = -1 mod q
Check if: (e1 be2 mod p) mod q = If true, the signature is valid
If false, the signature is invalid
• Why does this work?
29
ECDSA
• ECDSA = Elliptic Curve Digital Signature Algorithm
• It is identical to DSA, but uses Elliptic Curves instead
• The notation is a little bit different, but the procedure is identical
30
Blind Signatures
• Two party protocol between Alice and Bob• Alice sends Bob a piece of information• Bob signs the information and sends it
back to Alice• Alice can now compute Bob’s signature
over another message m of her choice• After this is done, Bob does not know
either the message m or the signature associated with it
31
Other signature schemes
• Undeniable signatures• Requires the cooperation of the signer to verify the
signature
• One-time signature• A new public key is required for verification for each
signature
32
Other References
• http://www.epic.org/crypto/dss/
• http://www.itl.nist.gov/fipspubs/fip186.htm