A ROLE OF DIGITAL SIGNATURE TECHNOLOGY USING RSA ALGORITHM

Transcription

1 Proceeding of NCRIET-2015 & Indian J.Sci.Res. 12(1): , 2015 ISSN: (Print) ISSN: (Online) A ROLE OF DIGITAL SIGNATURE TECHNOLOGY USING RSA ALGORITHM BHAGYASHREE a1, ARPITA b, CHANDANA c AND SOUJANYA d abcd Department of ECE NIT, Raichur, India ABSTRACT A Digital Signature is the electronic or digital equivalent of a physical signature. Just as a physical signature on a paper document establishes the origin of that document, a digital signature affixed to a digital document (computer file) establishes the origin of that digital document. Digital Signatures are much more secure and fool-proof compared to physical signatures. Physical signatures are easily replicated or forged. On the other hand, the technology behind Digital Signatures makes it virtually impossible to forge them. Because of the higher security associated with Digital Signatures and the many advantages associated with storing documents electronically (as opposed to paper), governments in many countries have passed laws and regulations encouraging (and in some cases mandating) the usage of digitally signed electronic documents rather than paper documents. For example, in India, Income Tax returns, corporate returns etc are to be digitally signed and uploaded electronically. A Digital Signature is a sequence of bytes or a code that has some special characteristics. A code generated for a particular document by a particular signer is unique. An identical code cannot be generated by another signer for the same document or by the same signer for another document. This means that only the unique combination of that particular document and that particular signer can generate a particular digital signature. It provides the basic definitions of and recommendations for implementing the RSA algorithm for publickey cryptography. It defines the mathematical properties of public and private keys, primitive operations for encryption and signatures, secure cryptographic schemes. KEYWORDS: Digital Signature, Handwritten Signatures A digital signature is a mathematical scheme for demonstrating the authenticity of a digital message or documents. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, that the sender cannot deny having sent the message ( authentication and non-repudiation), and that the message was not altered in transit ( integrity). Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery or tampering. Digital signatures are often used to implement electronic signatures, a broader term that refers to any electronic data that carries the intent of a signature, [ but not all electronic signatures use digital signatures [Ravi Shankar Dhakar, 2012].In some countries, including the United States, India, Brazil, Saudi Arabia and members of the European Union, electronic signatures have legal significance. Digital signatures employ asymmetric cryptography. In many instances they provide a layer of validation and security to messages sent through a nonsecure channel: Properly implemented, a digital signature gives the receiver reason to believe the message was sent by the claimed sender. Digital seals and signatures are equivalent to handwritten signatures and stamped seals. Digital signatures are equivalent to traditional handwritten signatures in many respects, but properly implemented digital signatures are more difficult to forge than the handwritten type [Maryam Savari, 2012]. Digital signature schemes, in the sense used here, are cryptographically based, and must be implemented properly to be effective. Digital signatures can also provide non-repudiation, meaning that the signer cannot successfully claim they did not sign a message, while also claiming their private key remains secret; further, some nonrepudiation schemes offer a time stamp for the digital signature, so that even if the private key is exposed, the signature is valid []. Digitally signed messages may be anything representable as a bitstring: examples include electronic mail, contracts, or a message sent via some other cryptographic protocol. A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time- 1 Corresponding author

2 stamped. A digital signature can be used with any kind of message, whether it is encrypted or plaintext. few bytes. Thus Digital Signatures provide the following three features: Authentication Digital signatures are used to authenticate the source of messages. The ownership of a digital signature key is bound to a specific user and thus a valid signature shows that the message was sent by that user. Integrity In many scenarios, the sender and receiver of a message need assurance that the message has not been altered during transmission. Digital Signatures provide this feature by using cryptographic message digest functions. Non Repudiation Digital signatures ensure that the sender who has signed the information cannot at a later time deny having signed it. DIGITAL SIGNATURE VERSUS HANDWRITTEN SIGNATURES A handwritten signature scanned and digitally attached with a document does not qualify as a Digital Signature. A Digital Signature is a combination of 0 & 1screated using crypto algorithms. An ink signature can be easily replicated from one document to another by copying the image manually or electronically [Suli Wang, 2011]. Digital Signatures cryptographically bind an electronic identity to an electronic document and the digital signature cannot be copied to another document. Further, paper contracts often have the ink signature block on the last page, allowing previous pages to be replaced after the contract has been signed. Digital signatures on the other hand compute the hash or digest of the complete document and a change of even one bit in the previous pages of the document will make the digital signature verification fail. As can be seen in the underlying figure, a Digital Signature is a string of bits appended to a document. The size of a digital signature depends on the Hash function like SHA 1 / SHA2 etc used to create the message digest and the signing key. It is usually a Overview of how Digital Signatures work The Digital Signatures require a key pair (asymmetric key pairs, mathematically related large numbers) called the Public and Private Keys. Just as physical keys are used for locking and unlocking, in cryptography, the equivalent functions are encryption and decryption. The private key is kept confidential with the owner usually on a secure media like crypto smart card or crypto token [Yashpal Kadam, 2011]. The public key is shared with everyone. Information encrypted by a private key can only be decrypted using the corresponding public key. In order to digitally sign an electronic document, the sender uses his/her Private Key. In order to verify the digital signature, the recipient uses the sender s Public Key. Let us understand how the Digital Signatures work based on an example. Assume you are going to send the draft of a contract to your lawyer in another town. You want to give your lawyer the assurance that it was unchanged from what you had sent and that it is really from you. 1. You copy-and-paste the contract into an note. Get electronic form of a document ( eg : - word or pdf file) 2. Using special software, you obtain a message hash (fixed size bit string) of the contract 3. You then use your private key to encrypt the hash. 4. The encrypted hash becomes your digital signature of the contract and is appended to the contract. At the other end, your lawyer receives the message. 1. To make sure the contract is intact and from you, your lawyer generates a hash of the received contract.

3 2. Your lawyer then uses your public key to decrypt the Digital Signature received with the contract. 3. If the hash generated from the Digital Signature matches the one generated in Step 1, the integrity of the received contract is verified. Digital Signature Certificate Verification Digital Signature Certificates are verified using a Chain of trust. The trust anchor for the Digital Certificate is the Root Certifying Authority (CCA in India). A root certificate is the top-most certificate of the hierarchy, the private key of which is used to "sign" other certificates. All certificates immediately below the root certificate inherit the trustworthiness of the root certificate. Certificates further down the tree also depend on the trustworthiness of the intermediates (often known as "subordinate certification authorities"). The Digital Certificate verification process is a recursive process in which the program verifying the end user certificate verifies the validity of the certificate of the issuing authority until it finds a valid certificate of a trusted party. On successful verification of the trusted party Certificate, the Digital Certificate verification stops. In case a trusted party Certificate is not found by the program, the Digital Certificate verification process ends in failure. Implementation of signature using cryptography scheme The Information Technology Act 2000 (IT Act) prescribes digital signatures as a means of authentication of electronic records. In short, a digital signature has the same function as that of a hand written signature. However, understanding how a digital signature is created and how it achieves the same functionality as that of a handwritten signature is by no means an easy task. This is because the technical concepts involved in creating a digital signature seem far removed from the realm of law, although the objective of affixing digital signature to an electronic record is purely legal! Digital signatures are an application of asymmetric key cryptography [Rohit Bhadauria, 2011]. This chapter traces the roots of cryptography, discusses symmetric and asymmetric key cryptography and ends with a detailed discussion on how asymmetric key cryptography can be used to create a digital signature. Cryptography has a long and interesting history 1. Cryptography is primarily used as a tool to protect national secrets and strategies. It is extensively used by the military, the diplomatic services and the banking sector. One of the landmark developments in the history of cryptography was the introduction of the revolutionary concept of public-key cryptography 2. In 1978, Ron Rivest, Adi Shamir and Leonard Adleman discovered the first practical public-key encryption and signature scheme, now referred to as RSA (after the names of its inventors). How cryptography works Cryptography is the science of using mathematics to encrypt and decrypt data. Cryptography enables you to store sensitive information or transmit it across insecure networks (like the Internet) so that it cannot be read by anyone except the intended recipient. While cryptography is the science of securing data, cryptanalysis is the science of analyzing and breaking secure communication (breaching security measures). Classical cryptanalysis involves an interesting combination of analytical reasoning, application of mathematical tools, pattern finding, patience, determination, and luck. Cryptanalysts are also called attackers. Cryptology embraces both cryptography

4 and cryptanalysis. A cryptographic algorithm, or cipher, is a mathematical function used in the encryption and decryption process. This mathematical function works in combination with a key a very large number to encrypt the plaintext (the original message). Data that can be read and understood without any special measures is called plain textor clear text. Data which requires some special function to be performed on it before it can be read and understood, is called cipher text. The same plaintext, encrypted by using different keys, will result in different cipher text. The security of encrypted data is entirely dependent on two things: the strength of the cryptographic algorithm and the secrecy of the key. A cryptographic algorithm, plus all possible keys and all the protocols that make it work comprise a cryptosystem. Encryptions used to ensure that information is hidden from anyone for whom it is not intended, even those who can see the encrypted data. The process of reverting cipher text to its original plaintext is called decryption. Rabin signature algorithm In cryptography the Rabin Signature Scheme is a method of Digital signature originally proposed by Michael O. Rabin in The Rabin Signature Scheme was one of the first digital signature schemes proposed, and it was the first to relate the hardness of forgery directly to the problem of integer factorization. Because of its simplicity and prominent role in early public key cryptography, the Rabin Signature Scheme is covered in most introductory courses on cryptography. The Rabin Signature Scheme is existentially unforgeable in the random oracle model assuming the integer factorization problem is intractable. The Rabin Signature Scheme is also closely related to the Rabin cryptosystem. The RSA algorithm involves three steps: key generation, encryption and decryption. We designed this for an 8-bit input. The Message Digest Function first pads in to 512 bits and then condenses it to 160 bits using the MD5 algorithm. The condensed message is then encrypted using the RSA algorithm and a signature is created. Both the Message and the Signature are transmitted to the receiver. The receiver decrypts the signature (using RSA algorithm) and compares it with the digested message. A digital signature, an asymmetric cryptography is designed using VHDL. The implementation has a Message Digest block and a RSA block. Implemented Digital Signature Algorithm on a Spartan 3 FPGA board. For messages sent through an insecure channel, a properly implemented digital signature gives the receiver reason to believe the message was sent by the claimed sender. Digital signatures are equivalent to traditional handwritten signatures in many respects; properly implemented digital signatures are more difficult to forge than the handwritten type. Digital signature schemes in the sense used here are cryptographically based, and must be implemented properly to be effective. Digital signatures can also provide non-repudiation, meaning that the signer cannot successfully claim they did not sign a message, while also claiming their private key

5 remains secret; further, some non-repudiation schemes offer a time stamp for the digital signature, so that even if the private key is exposed, the signature is valid nonetheless. A digital signature or digital signature scheme is a type of asymmetric cryptography. First described by Whitfield Diffie and Martin Hellman Provide a high level of assurance that the digital signature is genuinely the signer s. HOW IT WORKS One method for creating a digital signature is for the originator of data to create the signature by encrypting all of the data with the originator s private key and enclosing the signature with the original data. Anyone with the originator s public key can decrypt the signature and compare the decrypted message to the original message. Because only someone with the private key can create the signature, the integrity of the message is verified when the decrypted message matches the original. If an intruder alters the original message during transit, the intruder cannot also create a new valid signature. If an intruder alters the signature during transit, the signature does not verify properly and is invalid. Using special software, you obtain a message hash of the message. You then use a private key that you have to encrypt the hash. The encrypted hash becomes your digital signature of the message. At the other end To make sure it s intact and from you, your receiver makes a hash of the received message. Receiver then uses your public key to decrypt the message hash or summary. If the hashes match, the received message is valid. Digital signatures versus ink on paper signatures An ink signature could be replicated from one document to another by copying the image manually or digitally, but to have credible signature copies that can resist some scrutiny is a significant manual or technical skill, and to produce ink signature copies that resist professional scrutiny is very difficult. Digital signatures cryptographically bind an electronic identity to an electronic document and the digital signature cannot be copied to another document. Paper contracts sometimes have the ink signature block on the last page, and the previous pages may be replaced after a signature is applied. Digital signatures can be applied to an entire document, such that the digital signature on the last page will indicate tampering if any data on any of the pages have been altered, but this can also be achieved by signing with ink and numbering all pages of the contract. All digital signature schemes share the following basic prerequisites regardless of cryptographic theory or legal provision: 1. Quality algorithms Some public-key algorithms are known to be insecure, practical attacks against them having been discovered. 2. Quality implementations An implementation of a good algorithm (or protocol) with mistake(s) will not work. 3. The private key must remain private If the private key becomes known to any other party, that party can produce perfect digital signatures of anything whatsoever. 4. The public key owner must be verifiable A public key associated with Bob actually came from Bob. This is commonly done using a public key infrastructure (PKI) and the public key user association is attested by the operator of the PKI (called a certificate authority). For 'open' PKIs in which anyone can request such an attestation (universally embodied in a cryptographically protected identity certificate), the possibility of mistaken attestation is nontrivial. Commercial PKI operators have suffered several publicly known problems. Such mistakes could lead to falsely signed, and thus wrongly attributed, documents. 'Closed' PKI systems are more expensive, but less easily subverted

6 in this way. 5. Users (and their software) must carry out the signature protocol properly. Only if all of these conditions are met will a digital signature actually be any evidence of who sent the message, and therefore of their assent to its contents. Legal enactment cannot change this reality of the existing engineering possibilities, though some such have not reflected this actuality. Using digital signatures only with trusted applications One of the main differences between a digital signature and a written signature is that the user does not "see" what he signs. The user application presents a hash code to be signed by the digital signing algorithm using the private key. An attacker who gains control of the user's PC can possibly replace the user application with a foreign substitute, in effect replacing the user's own communications with those of the attacker. This could allow a malicious application to trick a user into signing any document by displaying the user's original on-screen, but presenting the attacker's own documents to the signing application. ff To protect against this scenario, an authentication system can be set up between the user's application (word processor, client, etc.) and the signing application. The general idea is to provide some means for both the user application and signing application to verify each other's integrity. For example, the signing application may require all requests to come from digitally signed binaries. CONCLUSIONS In this paper a digital signature will work effectively with the help of RSA for both encryption and secure communication purposes, whereas hashing is used for digital signature and hiding key information. This model provides security for the entire cloud computing environment. The specialty of our design approach is that here, each algorithm is executed in different servers which overcomes the problem of slow downing the system. In the proposed system, an intruder cannot easily access or upload the file because the algorithms are executed in different servers at different locations. For implementation purpose we have combined both RSA encryption and Digital Signatures algorithms as a result a powerful security and data integrity service system is obtained. Although RSA encryption algorithm is quite deterministic but algorithm makes the model highly secured. In a nutshell we can say that our proposed model can provide a better approach as compared to other works. REFERENCES Ravi Shankar Dhakar, Amit Kumar Gupta, "Modified RSA Encryption Algorithm (MREA)". Advanced Computing & Communication Technologies (ACCT), Second International Conference, Maryam Savari, Mohammad Montazerolzohour and Yeoh Eng Thiam, "Comparison of ECC and RSA Algorithm in Multipurpose Smart Card Application". Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), International Conference, P.R. Vijayalakshmi, K. Bommanna Raja, "Performance Analysis of RSA and ECC in Identity-Based Authenticated New Multiparty Key Agreement Protocol". Computing, Communication and Applications (ICCCA), International Conference, Suli Wang, Ganlai Liu, "File encryption and decryption system based on RSA algorithm". Computational and Information Sciences (ICCIS), International Conference, Yashpal Kadam, Security Issues in Cloud Computing A Transparent View, International Journal of Computer Science Emerging Technology, Vol-2 No 5 October, 2011, Rohit Bhadauria, Rituparna Chaki, Nabendu Chaki, Sugata Sanyal, A Survey on Security Issues in Cloud Computing, 2011.