Communications security

Transcription

1 University of Roma Sapienza DIET Communications security Lecturer: Andrea Baiocchi DIET - University of Roma La Sapienza andrea.baiocchi@uniroma1.it URL: [Sti02], Cap. 7, 1-4 [Sta03], Cap. 13, 1, 3 [KPS02], Cap. 6, 8 Lecture 14 Digital signatures - Part I Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A About beliefs and reality People believe willingly what they wish to be true. [Caio Giulio Cesare] Reality is that which, when you stop believing in it, doesn't go away. [Philip K. Dick] For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled. [Richard P. Feynman] Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

2 Digital signatures! A digital signature is a function of a message and a secret known only to the signer Alice s signature on a message requires her private key Anyone with the corresponding (authentic) public key can verify that the message has been signed by Alice! Digital signatures are a useful tool for authentication and data integrity services Entity authentication: Alice signs a challenge sent by Bob Message authentication: Alice signs a documents and posts it or she sends it to Bob! Symmetric-key MACs provide message authentication, but do not address lack of trust: non-repudiation is added to message authentication by digital signatures However, signatures are actually generated by a device (PC, smart card) Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A Digital signature schemes! A digital signature scheme is a five-tuple (P,A,K,S,V), where the following conditions are satisfied: P is a set of all possible messages A is a finite set of all possible signatures K, the keyspace, is a finite set of possible keys For each K!K there is a (private) signing function sig K!S and a corresponding (public) verification function ver K!V. For each sig K : P"A and ver K : P"A"{true, false} the following equations are satisfied for every message x!p and for every signature y!a. ver K (x, y) = true ver K (x, y) = false if y = sig K (x) if y! sig K (x) A pair (x, y) with x!p and y!a is called a signed message Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

3 Digital signature requirements! A digital signature must Depend on the message signed Use information unique to signer to prevent both forgery and denial Use time information to prevent misuse Be relatively easy both to generate & verify Be practical to save in storage Be difficult to forge, i.e. the generation of any new message for an existing digital signature fraudulent digital signature for a given/chosen message must be computationally infeasible Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A Forgery! A valid signature is a pair (x, y)! P"A such that ver K (x, y) = true! A forged signature is a valid signature produced by someone who is not the intended part (Alice)! The most common digital signature schemes rely on asymmetric cryptography The signing function sig K is private (only Alice can perform it) It must be computationally unfeasible to determine sig K given the verification function ver K, which is public! Digital signature schemes can never provide unconditional security (given x in P, at least one y in A such that ver K (x, y) = true exists) Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

4 Types of forgery! Existential forgery The opponent (Oscar) is able to create a valid signature y for at least one message x not previously signed by Alice Oscar has no control on x! Selective forgery Oscar is able (with some non-negligible probability) to create a valid signature y for at least one given message x not previously signed by Alice! Total break Oscar is able to determine Alice s private key, i.e., the signing function sig K Therefore Oscar can forge a valid signature for any message Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A Types of attack! (Public) Key only Oscar only knows Alice s public key, i.e., the verification function ver K! Known message Oscar knows a list of messages previously signed by Alice (x i, y i ) (i =1 n)! Chosen message Oscar obtains Alice s signatures on a list of selected messages (x i, y i ) (i =1 n)! In any scenario, the goal is to obtain some degree of forgery Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

5 Naïve RSA signature! Let P=A=Z n and define Then for x,y! Z n K={(n,p,q,b,a) : b!1, ab #1 mod $(n)} y= sig K (x)=x a mod n ver K (x, y) = true ver K (x, y) = false if x=y b mod n if x! y b mod n (n,b) is the public key; a is the private key! Signature can be verified at any time by anyone who knows the couple (x,y) and (n,b), without intervention of Alice.! Note that x as a binary string must have length "size(n) Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A RSA multiplicative property! Given two pairs (x 1, y 1 ) and (x 2, y 2 ) such that y i = x i a mod n (i =1,2) and setting x=x 1 x 2 mod n and y=y 1 y 2 mod n, it holds that y= x a mod n thanks to elementary properties of modular product.! Therefore ver K (x 1 x 2 mod n, y 1 y 2 mod n) = true! This is but a consequence of the strong mathematical structure underlying naive RSA signature Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

6 Attacks on naive RSA signature! Key only attack - Knowing (n,b), Fred can choose a signature y and obtain the corresponding (unpredictable) message x=y b mod n (existential forgery)! Known message attack - If Fred captures two valid couples (x 1,y 1 ) and (x 2,y 2 ), he can forge the new valid couple (x 1 x 2 modn, y 1 y 2 modn) (existential forgery)! Chosen message attack - Fred selects messages m and x 1! {1,..,n 1}, with gcd(x 1,n)=1; he computes x 2 =m x 1 1 modn and obtains valid signatures for x 1 and x 2 from Alice, i.e. y 1 and y 2. Then (m, y 1 y 2 modn) is a valid couple, hence a forgery (selective forgery) Last two attacks are enabled by multiplicative property of naïve RSA. Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A Preventing attacks on RSA! To prevent the exploit of the multiplicative property of RSA it is necessary to replace the message x within the signature function with some transformation of x.! Redundancy function Let w!{0,1}* be the binary string to be signed Define R: {0,1}* > {0,1}* as R(w)=w w. The integer x corresponding to R(w) can be used to sign w.! Use of hash functions The signature is computed on h(x) for a document x, where h is a collision resistant hash function: h: {0.1}*" {0,..,n 1} This is the preferred approach in practice Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

7 Use of a hash function! The digital signature schemes most commonly used in practice rely on cryptographic hash functions. The term digital signature schemes with appendix also denotes them! To sign x, Alice evaluates First z=h(x) where h : P"H is a hash function with H%P Then y = sig K (z)! To verify the signed message (x, y) anyone has to First evaluate z=h(x) Then check whether ver K (z, y) = true! It is necessary for security of the scheme that h, whose output is signed, is a secure hash function (Pmg/Spmg/Cls resistant) Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A Signatures with appendix Other info and padding k bit + Binary representation of z MSB LSB y = z a mod n Message m s bit Hash h(m) s < k = size(n) k bit Binary representation of y MSB LSB Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

8 Forgery of signatures with hash! Existential forgery by key only attack Oscar finds z!h and y!a such that ver K (z, y) = true If he finds also x!p such that h(x)=z, then (x, y) is a valid signature Reduces to Preimage (Pmg) problem! Existential forgery by known message attack Oscar knows a valid signature (x, y)!p"a with h(x)=z If he finds x!p such that x! x and h(x )=z, then (x, y) is a valid signature Reduces to Second Preimage (SPmg) problem! Existential forgery by chosen message attack Oscar finds x!p and x!p such that x! x and h(x )=h(x) He obtain from Alice the signature (x, y). Then (x, y) is a valid signature Reduces to Collision (Cls) problem Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A Secured RSA signature! Reconsider the original RSA signature and replace the message x with its hash h(x)=z. Note that If h is Pmg/SPmg/Cls resistant, existential forgeries as detailed above are forbidden Secure hash functions cannot have any multiplicative property. Attacks to RSA signature based on this property are therefore defeated by hashing! Generating RSA signatures using a hash function also involves some secure formatting A function F: H"Z n is needed to map the hash output into an RSA input Formatting (that is, accurate definition of F) is critical for security, since new ways of attack may open, e.g. cube root attack. Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

9 The cube root problem (crp)! A (1,1)-forger of an RSA signature based on knowledge of public key only, b=3.! Let F(h(x)) be so defined: h(x) is padded on the right with random bits to form a binary string of length n, then this is converted to the size(n) integer z, to be signed by RSA. Padding is the real problem here!! Fred computes h(x), pads it on the right with 0s and converts it to integer u; he computes the ordinary cube root u 1/3, and rounds the result up to the nearest integer y; y is the forged signature of x.! When checking y, Bob computes y 3 mod n = (h(x) padded on the right with seemingly random bits). Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A Details of the crp! Let the modulus n and the hash h( ) have k and s bit respectively. Let v be the s bit integer corresponding to h(x).! Then u=2 k s v and y=ceil(u 1/3 )=[2 k s v] 1/3 +&, 0"&<1, and it is y 3 = 2 k s v+3&[2 k s v] 2/3 +3& 2 [2 k s v] 1/3 +& 3 = 2 k s v+w, where w is an integer of no more than 2+2k/3 bit; it suffices that s+2+2k/3 " k, i.e. s " k/3 2.! Then, the s most significant bits of y 3 mod n are just h(x). Example: k=1024, s=160; then the right padding has in the order of 6 to 7 hundreds bits. A refinement is to set u=2 k s v+a, with a an integer of less than (k s)/2 3 bits; then the padding takes essentially all k s bits on the right of the hash value. Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

10 RSA signature in practice! Summing up, RSA signatures is so computed: Given a message x!{0,1}*, compute h(x)!h = {0,1} m Map m bit binary string h(x) into an integer z!z n, z=f(h(x)) (m<n) Compute y=z a mod n; this is the RSA signature.! Verification Given message x and signature y, check that y b mod n=f(h(x)) Preliminary check that z=y b mod n is well formatted.! Details in PKCS #1 RSA encryption standard PKCS (Public-Key Cryptography Standards) is a suite of de facto standards published by RSA Laboratories Most recent version - PKCS #1 v2.1 (2002) Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A Digital Signature Standard (DSS)! US Govt approved (1994) signature scheme (FIPS 186)! Uses the SHA-1 hash algorithm! Designed by NIST & NSA in early 90's (proposed in 1991)! DSS is the standard, DSA is the algorithm! A variant on ElGamal signature scheme (based on ElGamal cryptosystem) with improved efficiency Other variants of ElGamal scheme exist (e.g., Schnorr)! Creates a 320-bit signature (vs RSA 1024-bit)! Much of the computation is mod a 160-bit prime (vs RSA bit modulus)! Security depends on difficulty of computing discrete logarithms Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

11 DSA key generation! Shared global public values (p, q,!) A prime p whose length in bits is L L= 512 to 1024 and multiple of 64 (NIST recently recommended L= 1024) A 160-bit prime q factor of p 1 (in practice q is generated before p) An element!!z p * of order q generated as follows Select an element g!z p * and compute! = g (p-1)/q mod p, so! q = 1 mod p If! =1, repeat previous step; since q is prime,! k = 1 mod p is possible only if k=1 or q! Each user generates his/her private key a and public key " Select a random integer a with 1 < a < q 1 Compute " =! a mod p Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A DSA signature creation! Let P={0, 1}*, A= Z q * "Z q *, with q a 160-bit integer, and define K={(p, q,!, a, " ) : " =! a mod p }! To create the signature y = sig K (x) of a message x, the sender Selects a random integer k with 1 < k < q 1 NOTE - k must be destroyed after use and never reused Then computes signature pair (r, s) r = (! k mod p) mod q s = (SHA-1(x) + ar)k 1 mod q If r=0 or s=0, repeats the previous steps! The signature y=(r, s) is sent with the message x Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

12 DSA signature verification! To verify the signature y=(r, s) received with the message x, the recipient checks that 1"r,s"q 1 and computes u = s 1 SHA-1(x) mod q t = s 1 r mod q v = (' u ( t mod p) mod q! If v=r then ver K (x, y) = true (signature is verified) Proof v = (' u+at mod p) mod q = r since u + at # s 1 (SHA-1(x)+ ar) # s --1 ks # k (mod q)! If v!r then ver K (x, y) = false Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A Remarks on DSA! The checks r!0 and s!0 in signature creation are made for different reasons If r=0, s=sha-1(x)k 1 mod q - Not depending on a (Oscar can forge such a signature for any x) If s=0, s 1 mod q (necessary for verification) cannot be computed Anyway, both events should be very unlikely (probability # )! On both sides, nearly all the operations are performed mod q Only one calculation mod p is required For r in signing (it does not depend on x and can be pre-computed) For v in verifying Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

13 DSA security: parameters! The DSA security relies on two distinct but related discrete logarithm (DL) problems One is the DL in Z p *, where the powerful index-calculus methods apply With the choice L = 1024, this problem should have unfeasible complexity The other is the DL in the cyclic subgroup of order q, where the best current methods run in square-root time! Validation of global values (p, q,!) - Users should test that p is actually a prime of the required size q is actually a prime factor of p 1 of the required size The element!!z p * has actually order q Otherwise, efficient attacks may exist (e.g., small subgroup) Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A DSA security: k handling! k must be destroyed since its knowledge permits DSA break Oscar knows a valid DSA signature (x, r, s) and the k value used in generating it Oscar computes Alice s private key a = (ks SHA-1(x)) r 1 mod q! k must be a nonce since its reuse permits DSA total break Oscar knows two valid DSA signatures (x, r, s) and (x, r, s ) generated with the same unknown k and therefore the same r (but different s and s ) Oscar computes Alice s private key a by obtaining first k = (SHA-1(x) SHA-1(x ))(s s ) 1 mod q and then a as above (or using the equation for s in the same way) Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A

14 DSA security: hashing! A collision resistant hash function is needed to prevent existential forgery With no hash the verification reduces to r = (' s 1 x mod q ( s 1 r mod q mod p) mod q; this can be satisfied be choosing u and v with 1"u,v"q 1 and letting r = (' u ( v mod p) mod q; s = r v 1 mod q; x = s u mod q. The condition 1"r"q 1 must be verified or Oscar can forge a signature for a given message x from a valid pair x and (r,s). Let u = h(x ) h(x) 1 mod q and s = s u mod q. Then, r can be computed by the Chinese remainder theorem from r =r!u mod q and r =r mod p. It can be verified that (r,s ) checks for x, but it is r $q. Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A DSS controversy! DSS has been issued by NIST on August 30, 1991; since then a long lived debate arose about DSS security and practicality.! DSS is much slower in signature verification with respect to RSA with b=3, much faster as to key generation.! DSS requires choosing a random number fo each signature.! DSS is apparently not covered by patents so it could be used royalty free. Andrea Baiocchi, DIET, Università di Roma Sapienza - Sicurezza nelle Comunicazioni - A.A