2. Cryptography 2.4 Digital Signatures

Transcription

1 DI-FCT-UNL Computer and Network Systems Security Segurança de Sistemas e Redes de Computadores Cryptography 2.4 Digital Signatures 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 1

2 Outline Digital Signatures, Authentication and Key-Establishment Protocols Digital Signatures General Requirements and properties Authentication vs. Non-Repudiation Message Authentication with Fast (Light-Weight) Signatures Digital signatures with Public Key Methods Direct and Arbitrated Digital Signatures Public-Key Digital Signatures Digital signature methods RSA ElGammal DSS (or DSA) ECC based signatures 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 2

3 Outline Digital Signatures, Authentication and Key-Establishment Protocols Digital Signatures General Requirements and properties Authentication vs. Non-Repudiation Message Authentication with Fast (Light-Weight) Signatures Digital signatures with Public Key Methods Direct and Arbitrated Digital Signatures Public-Key Digital Signatures Digital signature methods RSA ElGammal DSS (or DSA) ECC based signatures 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 3

4 Required properties of digital signatures Digital signature properties Dependence of message (content) signed Unforgeable Must use controlled unique information by the signer Undeniable No new message for existent digital signature No fraudulent signature for a given message The signer can control the <message,signature> association Verifiable by principals or third parties to resolve disputes Direct or arbitrated signatures covering all the data relevance: author, data&time, content, disclaimers, usage policies, etc) Must be relatively easy to produce Must be relatively easy to recognize and verify Practical to store (with or without the signed content) 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 4

5 Other possible requirements Sometimes (useful for specific protocols): Unique (one-time signatures) Anonymous use (blind signatures) Signature vs. Content unlinkability Content disguised before it is signed Publicly verifiable against the original (unblinded) Signer and message author are different principals Election systems, Digital Cash Schemes, 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 5

6 Generic requirements Requirements for digital signatures Message authentication (proof of origin) Originality of contents (ownership proofs) Authentication of principals in authentication protocols (unilateral vs. mutual authentication) Authenticity proofs for non-repudiation protocols Practical issues: MACs as Light-weight (or inexpensive ) signatures Message flows in session-oriented protocols MACs in protocols for constrained devices Datagram protocols and large amounts (load) of message processing Public-Key signatures as more robust and expensive authentication proofs Authentication of principals in handshake protocolos and session-establishment 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 6

7 Approaches to Message Authentication Authentication Using Conventional Encryption sender and receiver should share a secret key Message Authentication without Message Encryption Authentication tag (shared secret computation and verification, based on a shared secret key value) generated and appended to each message Message Authentication Code MAC computation as a function of the message and the key. MAC = F(K, M) 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 7

8 Secure hash functions are appropriate for MAC Algorithms Henric Johnson , Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 8

9 MAC with a secure HASH function Secret value is added before the hash and removed before transmission. 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 9

10 Remembering secure HASH Functions Purpose of the HASH: production of secure fingerprints. Properties : 1. H can be applied to a block of data at any size 2. H produces a fixed length output 3. H(x) is easy to compute for any given x. 4. For any given block x, it is computationally infeasible to find x such that H(x) = h - Irreversibility, One-Way 5. For any given block x, it is computationally infeasible to find with H(y) = H(x). - Weak collision resistance 1. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y) - Strong collision resistance 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 10

11 HMACs (flexible combination of secure hash functions) MAC derived from a cryptographic hash code, such as SHA-1, SHA-2 and SHA-3 in the future Motivations: Cryptographic hash functions executes faster in software than encryptoin algorithms such as DES Library code for cryptographic hash functions is widely available No export restrictions Different hash functions easily combined for security, maintaining good efficiency HMAC structure 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 11

12 Henric Johnson , Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 12

13 Outline Digital Signatures, Authentication and Key-Establishment Protocols Digital Signatures General Requirements and properties Authentication vs. Non-Repudiation Message Authentication with Fast (Light-Weight) Signatures Digital signatures with Public Key Methods Direct and Arbitrated Digital Signatures Public-Key Digital Signatures Digital signature methods RSA ElGammal DSS (or DSA) ECC based signatures 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 13

14 Direct Digital Signatures Only sender & receiver involved With public-key signatures: assumed receiver has sender s public-key digital signature made by sender signing entire message or hash with private-key can encrypt using receivers public-key important that sign first then encrypt message & signature security depends on sender s private-key 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 14

15 Arbitrated Digital Signatures Involve sender, receiver and one or more third parties With public-key signatures: assumed third parties have all sender s public-keys digital signature made by sender signing entire message or hash with private-key, verified (and possibly logged) by the third parties, and resigned by the third parties Notarization The receivers recognize the sender signature by verifying the third party signature encryption using third-party public-key important that sign first then encrypt message & signature security depends on sender s private-key 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 15

16 Outline Digital Signatures, Authentication and Key-Establishment Protocols Digital Signatures General Requirements and properties Authentication vs. Non-Repudiation Message Authentication with Fast (Light-Weight) Signatures Digital signatures with Public Key Methods Direct and Arbitrated Digital Signatures Public-Key Digital Signatures Digital signature methods RSA ElGammal DSS (or DSA) ECC based signatures 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 16

17 RSA Signatures (from the algorithm RSA) Correct (undeniable) Key pair (Kpriv, Kpub) Principal P Private Key: Kpriv, N Principal P Public Key: Kpub, N Signature(M) = S M = H(M) Kpriv mod N Verification: Given M and computing H(M) S M Kpub mod N 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 17

18 Relevant issues from RSA (1) Remembering the RSA key-pair generation process and encryption/decryption algorithm Messages hashed before signing (not the original message) Security issue when preserving confidentiality Controlled size, comparing with the key size Size of modulus and public and private exponents:» The N value (modulus) determines the key sizes M < N Any value M greater than N will be reduced to M mod N Key pair generation: Value for public exponent so that the encryption step will be computationally cheap to perform and then generate the private exponent accordingly - Encryption cheap, decryption expensive - Signature expensive, Verification cheap 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 18

19 Relevant issues from RSA (2) Key-Generation process Public exponents, fixed (standardized) by security specifications for RSA implementation use Ex., X509v3: public exponents 0x10001 (F4) Default in the Bouncy Castle Implementation Problem: how to speed-up the decryption and the signature process in current implementations CRT theorem (and ex., Garner s Algorithm) Keep the original P and Q primes used to generate the Keys Pre-compute and keep other values in the CRT computation (dp, dq, qinv), once only Store (dp, dq, P, Q, qinv) 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 19

20 Implementation in JAVA-JCE Optimizations are included (differently) in each crypto provider (subjacent implementation of RSA) Ex. BC uses a multi-prime remainder theorem approach To generate keys with 2048 bits, rather than having to primes P and Q of 1024 bits, it can be used 4 primes of 512 bits Note: observe the behavior of time consuming (processing) in the examples provided. 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 20

21 RSA Padding mechanisms Operations in RSA are ober big integers What if the representation begins with 0 bits (MSBits)? See practical examples What happens if you change the value of the public exponent to a low value? See practical examples Is it secure for encryption? You need Padding! 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 21

22 Padding in RSA PKCS#1 Implementation (ex., BC) See also the practical examples Type 1: Mp= 0x00 0x01 F 0x00 M with F = string of 0xFF bytes, at least 8 bytes Then: M <= Keysize in bytes 11 - This is used when using the private key (signatures) Type 2: Mp= 0x00 0x02 R 0x00 M with R = Random bytes, at least 8 bytes Then: M <= Keysize in bytes 11 - This is used when using the public key (encryption) 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 22

23 Strongest padding for RSA Ex., OAEP Padding Used with parameters: P, and random seed S OAEP Optimal Asymmetric Encryption Padding M1 = Mask [ ( H(P) PZ 0x01 M), S ] M2 = Mask (S, M1) Mp=0x00 M2 M1 Note: MaxLen for the message will be klen 2hLen 2 Note: for a certain message length usable in PKCS#1, you may need a more long key if you use OAEP, but this is not an issue why? See practical examples: Suite: RSA/None/OAEPWithSHA1and MGF1Padding 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 23

24 RSA Signatures in the JAVA-JCE See practical examples Practical class examples and verifications Signature class Steps: - Initialization of the signature object for signing - signature.update() is then used to feed data into the signature object - When all the data has been fed in, signature.sign() is called - Signature can be: - Returned as a byte array - Or load it into a passed in byte-array 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 24

25 Use of RSA in the Java JCE Example (see practical examples) After the keypair generation process initialization byte[] message = new byte[] {..}; KeyPair KeyPair = KeyGen.generateKeyPair(); Signature signature = Signature.getInstance ( RSA, BC ); // to generate a signature signature.initsign(keypair.getprivate(), random); signature.update (message); byte[] sigbytes= signature.sign(); //verification signature.initverify(keypair.getpublic()); signature.update(message); if (signature.verify(sigbytes)) { ok } else { not ok } 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 25

26 ElGammal public key scheme (asymetric) A variant of Diffie-Hellman Same math. principles Widely used (ex., OpenPGP implementations, standardized in RFC 2440) How does it works? Bob has a public key g y mod P (well known by Alice) Alice creates a temporary public key K puba = g x mod P Encryption: C = {M} KpubB = M g xy mod P Alice sends to Bob: C, K puba Note: makes the cipher text twice the key size 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 26

27 ElGamal Digital Signatures Signature variant of ElGamal, related to D-H Uses exponentiation in a finite (Galois) Security based difficulty of computing discrete logarithms, as in D-H Private key for encryption (signing) Public key for decryption (verification) each user (eg. A) generates their key chooses a secret key (number): 1 < x A < q-1 compute their public key: y A = a x A mod q 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 27

28 ElGamal Digital Signature Alice signs a message M to Bob by computing the hash m = H(M), 0 <= m <= (q-1) chose random integer K with 1 <= K <= (q-1) and gcd(k,q-1)=1 compute temporary key: S 1 = a k mod q compute K -1 the inverse of K mod (q-1) compute the value: S 2 = K -1 (m-x A S 1 ) mod (q-1) The signature is the tuple:(s 1,S 2 ) any user B can verify the signature by computing V 1 = a m mod q V 2 = y A S1 S 1 S2 mod q signature is valid if V 1 = V , Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 28

29 ElGamal Signature Example use field GF(19) q=19 and a=10 Alice computes her key: A chooses x A =16 & computes y A =10 16 mod 19 = 4 Alice signs message with hash m=14 as (3,4): choosing random K=5 which has gcd(18,5)=1 computing S 1 = 10 5 mod 19 = 3 finding K -1 mod (q-1) = 5-1 mod 18 = 11 computing S 2 = 11( ) mod 18 = 4 any user B can verify the signature by computing V 1 = mod 19 = 16 V 2 = mod 19 = 5184 mod 19 = 16 since V1 = V2, the signature is valid 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 29

30 Schnorr Digital Signatures also uses exponentiation in a finite (Galois) security based on discrete logarithms, as in D-H minimizes message dependent computation multiplying a 2n-bit integer with an n-bit integer main work can be done in idle time have using a prime modulus p p 1 has a prime factor q of appropriate size typically p 1024-bit and q 160-bit numbers 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 30

31 Schnorr Key Setup choose suitable primes p, q choose a such that a q = 1 mod p (a,p,q) are global parameters for all each user (eg. A) generates a key chooses a secret key (number): 0 < s A < q compute their public key: v A = a -sa mod q 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 31

32 Schnorr Signature user signs message by choosing random r with 0<r<q and computing x = a r mod p concatenate message with x and hash result to computing: e = H(M x) computing: y = (r + se) mod q signature is pair (e, y) any other user can verify the signature as follows: computing: x' = a y v e mod p verifying that: e = H(M x ) 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 32

33 Digital Signature Standard (DSS) Public-Key digital signature technique Like D-H, security from the discrete logarithm problem DSA is digital signature only unlike RSA US Govt approved signature scheme designed by NIST & NSA in early 90's published as FIPS-186 in 1991 revised in 1993, 1996 & then 2000 Uses the SHA hash algorithm DSS is the standard, DSA is the algorithm FIPS (2000) includes: Alternative RSA Elliptic curve signature variants 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 33

34 DSS vs RSA Signatures 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 34

35 Use of DSA in the Java JCE Example (see practical examples) After the keypair generation process initialization byte[] message = new byte[] {..}; KeyPair KeyPair = KeyGen.generateKeyPair(); Signature signature = Signature.getInstance ( DSA, BC ); // to generate a signature signature.initsign(keypair.getprivate(), random); signature.update (message); byte[] sigbytes= signature.sign(); //verification signature.initverify(keypair.getpublic()); signature.update(message); if (signature.verify(sigbytes)) { ok } else { not ok } 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 35

36 Digital Signature Algorithm (DSA) creates a 320 bit signature with bit security smaller and faster than RSA a digital signature scheme only security depends on difficulty of computing discrete logarithms A standard based in fact in a variant of ElGamal & Schnorr schemes 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 36

37 DSA Key Generation have shared global public key values (p,q,g): choose 160-bit prime number q: < q < choose a large prime p with 2 L-1 < p < 2 L where L= 512 to 1024 bits and is a multiple of 64 such that q is a 160 bit prime divisor of (p-1) choose g = h (p-1)/q where 1<h<p-1 and h (p-1)/q mod p > 1 users choose private & compute public key: choose random private key: x<q compute public key: y = g x mod p 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 37

38 DSA Signature Creation to sign a message M the sender: generates a random signature key k, k<q nb. k must be random, be destroyed after use, and never be reused then computes signature pair: r = (g k mod p)mod q s = [k -1 (H(M)+ xr)] mod q sends signature (r,s) with message M 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 38

39 DSA Signature Verification having received M & signature (r,s) to verify a signature, recipient computes: w = s -1 mod q u1= [H(M)w ]mod q u2= (rw)mod q v = [(g u1 y u2 )mod p ]mod q if v=r then signature is verified 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 39

40 DSS Overview 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 40