Digital signatures. Informal properties

Transcription

1 Digital signatures Informal properties Definition. A digital signature is a number dependent on some secret known only to the signer and, additionally, on the content of the message being signed Property. A digital signature must be verifiable If a dispute arises an unbiased third party must be able to solve the dispute equitably, without requiring access to the signer's secret A.A Digital signatures 2

2 Classification Digital signatures with appendix require the original message as input to the verification algorithm; use hash functions Examples: ElGamal, DSA, DSS, Schnorr Digital signatures with message recovery do not require the original message as input to the verification algorithm; the original message is recovered from the signature itself; Examples: RSA, Rabin, Nyberg-Rueppel A.A Digital signatures 3 Definitions Digital signatures with appendix M is the message space h is a hash function with domain M M h is the image of h S is the signature space Key generation Alice selects a private key d A which defines a signing algorithm S A which is a one-to-one mapping S A : M h S Alice defines the corresponding public key e A defining the verification algorithm V A such that V A (m*, s) = true if S A (m*) = s and false otherwise, for all m* M h and s S, where m* = h(m) for m M. A.A Digital signatures 4

3 Digital signatures with appendix The signing process M M h S h S A m m* s Signature generation process Compute m* = h(m), s = S A (m*) Send (m, s) A.A Digital signatures 5 Digital signature with appendix Verification process Obtain A s public key V A Compute m* = h(m), u = V A (m*, s) Accept the signature iff u = true A.A Digital signatures 6

4 Digital Signature with appendix Properties of S A and V A (efficiency) S A should be efficient to compute (efficiency) V A should be efficient to compute (security) It should be computationally infeasible for an entity other than A to find an m M and an s S such that V A (m*, s) = true, where m* = h(m) A.A Digital signatures 7 Digital Signature with message recovery Definitions M is the message space M S is the signing space S is the signature space Key generation A selects a private key d A defining a signing algorithm S A which is a one-to-one mapping S A : M S S A defines the corresponding public key defining the verification algorithm V A such that V A S A is identity map on M S. A.A Digital signatures 8

5 Digital signature with message recovery M The signing process M R S R S A m m* s M S Compute m* = R(m), R is a redundancy function (invertible) Compute s = S A (m*) A.A Digital signatures 9 Digital signature with message recovery The signing process M M R S R S A m m* s Obtain authentic public key V A Compute m* = V(s) M S Verify if m* M S (if not, reject the signature) Recover the message m = R -1 (m*) A.A Digital signatures 10

6 Digital signatures with message recovery Properties of S A and V A (efficiency) S A should be efficient to compute (efficiency) V A should be efficient to compute (security) It should be computationally infeasible for an entity other than A to find an s S such that V A (s) M S A.A Digital signatures 11 Dig sig with message recovery The redundancy function R and R -1 are publicly known Selecting an appropriate R is critical to the security of the system A bad redundancy function may lead to existential forgery Let us suppose that MR MS R and SA are bijections, therefore M and S have the same number of elements Therefore, for all s S, VA(s) MR. Hence, it is easy to find an m for which s is the signature, m = R -1 (VA(s)) s is a valid signature for m (existential forgery) A.A Digital signatures 12

7 Digital signatures with message recovery A good redundancy function although too redundant Example M = {m : m {0, 1} n }, M S = {m : m {0, 1} 2n } R: M M S, R(m) = m m (concatenation) M R M S When n is large, M R / M S = (1/2) n is small. Therefore, for an adversary it is unlikely to choose an s that yields V A (s) M R ISO/IEC 9776 is an international standard that defines a redundancy function for RSA and Rabin A.A Digital signatures 13 Dig sig with appendix from message recovery Signature generation Compute m* = R(h(m)), s = S A (m*) A s digital signature for m is s m, s are made available to anyone who may wish to verify the signature Signature verification Obtain A s public key VA Compute m* = R(h(m)), m = V A (s), and u = (m == m*) Accept the signature iff u = true Comment R is not security critical anymore and can be any one-toone mapping A.A Digital signatures 14

8 Types of attacks BREAKING A SIGNATURE Total break adversary is able to compute the signer s private key Selective forgery adversary controls the messages whose signature is forged Existential forgery adversary has no control on the messages whose signature is forged A.A Digital signatures 15 Types of attacks KEY-ONLY ATTACKS Adversary knows only the signer s public key MESSAGE ATTACKS known-message attack An adversary has signatures for a set of messages which are known by the adversary but not chosen by him chosen-message attack In this case messages are chosen by the adversary adaptive chosen-message attack In this case messages are adaptively chosen by the adversary A.A Digital signatures 16

9 Attacks a few considerations Adaptive chosen-message attack It is the most difficult attack to prevent Although an adaptive chosen-message attack may be infeasible to mount in practice, a well-designed signature scheme should nonetheless be designed to protect against the possibility The level of security may vary according to the application Example 1. When an adversary is only capable of mounting a key-only attack, it may suffice to design the scheme to prevent the adversary from being successful at selective forgery. Example 2. When the adversary is capable of a message attack, it is likely necessary to guard against the possibility of existential forgery. A.A Digital signatures 17 Attacks a few considerations Hash functions and digital signature processes When a hash function h is used in a digital signature scheme (as is often the case), h should be a fixed part of the signature process so that an adversary is unable to take a valid signature, replace h with a weak hash function, and then mount a selective forgery attack. Example. Let m, s where s = S A (h(m)). Let adversary be able to replace h with a weaker hash function g that is vulnerable to selective forgery. Then the adversary can determine m such that g(m ) = h(m); and replace m with m A.A Digital signatures 18

10 Digital signatures RSA-BASED DIG SIG A.A Digital signatures 19 RSA Key generation (see public key encryption) Signing operation: exponentiation by priv key Verification opeartion: exponentiation by pub key A.A Digital signatures 20

11 Types of RSA-based dig sig Digital signature with message recovery Redundancy function A suitable redundancy function is necessary in order to avoid existential forgery IOS/IEC 9796 (1991) defines a mapping that takes a k-bit integer and maps it into a 2k-bits integer Digital signature scheme with appendix MD5 (128 bit) PKCS#1 specifies a redundancy function mapping 128-bit integer to a k-bit integer, where k is the modulus size (k>512, k = 768, 1024) A.A Digital signatures 21 Attacks Same attacks as the cipher Multiplicative property of RSA Requirement on R: a necessary condition for avoiding existential forgery is that R must not satisfy the multiplicative property. A.A Digital signatures 22

12 The re-blocking problem The problem. If Alice wants to send a secret and signed message to Bob then it must be n A < n B Possible solutions Reordering: the operation with the smaller modulus is performed first CONS: The preferred order is always to sign first and encrypt later Two moduli for entity Each entity has two moduli Moduli for signing (e.g., t-bits) are always smaller of all possible moduli for encryption (e.g., t+1-bits) A.A Digital signatures 23 Probabilistic Signature Standard (PSS) Schoolbook RSA is subject to existential forgery The attack can be prevented by allowing only certain message formats (padding) Probabilistic Signature Standard s = EM d mod n Alternative to PKCS#1 PROS Verifiable secure Salting makes EM probabilistic A.A Digital signatures 24

13 Digital Signature DIGITAL SIGNATURES BASED ON EL GAMAL A.A Digital signatures 25 Discrete Logarithm Systems Discrete Logarithm Systems! Let p be a prime, q a prime divisor of p 1 and g [1, p 1] has order q! Let x be the private key selected at random from [1, q 1]! Let y be the corresponding public key y = g x mod p Discrete Logarithm Problem (DLP)! Given (p, q, g) and y, determine x A.A Digital signatures 26

14 El Gamal digital signature Signature Randomly select k Z* p 1 r = g k mod p, s = (h(m) xr)k 1 mod (p 1) The pair (r, s) is the digital signature for m Verification Verify that 1 r p 1; if not reject the signature Compute v1 = y r r s mod p Compute h(m) and v2 = g h(m) mod p Accept the signature only if v1 = v2 A.A Digital signatures 27 ElGamal consistency! If the digital signature (r, s) has been produced by Alice then s = (h(m) xr)k 1 mod (p 1).! Multiplying both sides by k gives ks = (h(m) xr) mod (p 1). Rearranging yields h(m)=ks+xr mod (p 1).! This implies that g h(m) = g xr+ks = (g x ) r r s mod p! Thus v 1 = v 2 as required. A.A Digital signatures 28

15 ElGamal security In order to forge a signature, an adversary can select k at random, compute r = gk mod p. Than he has to compute s = (h(m) xr)k 1 mod (p 1). If the DLP is computationally infeasible, the adversary can do no better than to choose an s at random; the success probability is 1/p which is negligible for large p. A different k must be selected for different messages otherwise the secret key x can be revealed If no hash function h is used, an adversary can easily mount an existential forgery attack. If the check on r is not done, an adversary can sign messages of its choice provided it has one valid signature produced by Alice A.A Digital signatures 29 Digital Signatures HASH FUNCTIONS A.A Digital signatures 30

16 Properties Hash functions properties Pre-image resistance Second pre-image resistance Collision resistance These properties are crucial for digital signatures security A.A Digital signatures 31 Pre-image resistance Digital signature scheme based on (school-book) RSA (n, d) is a Alice s private key; (n, e) is a Alice s public key s = (h(m)) d (mod n) If h is not pre-image resistant " existential forgery Adversary selects z < n, computes y = z e (mod n) and finds m' such that h(m') = y The the adversary claims that z is the digital signature of m' A.A Digital signatures 32

17 2nd preimage resistance Digital signature with appendix Let s = S(h(m)) be the digital signature for m A trusted third party chooses a message x that Alice signs producing s = S(d A, h(m)) If h is not 2nd-preimage resistant, an adversary (e.g. Alice herself) can claim that Alice has signed m instead of m Adversary determines a 2nd-preimage m' of m Adversary claims that Alice has signed m' instead of m A.A Digital signatures 33 Collision resistance Digital signature with appendix s = S(h(m)) is the digital signature for m If h() is not collision resistant, Alice (an untrusted party) can choose m and m' so that h(m) = h(m') compute s = S(d A, h(m)) issue <m, s> to Bob later claim that she actually issued <m', s> A.A Digital signatures 34

18 Digital signatures NON-REPUDIATION VS AUTHENTICATION A.A Digital signatures 35 Non-repudiation vs authentication DEFINITION. Non-repudiation prevents a signer from signing a document and subsequently being able to successfully deny having done so. Non-repudiation vs authentication of origin Authentication (based on symmetric cyptography) allows a party to convince itself or a mutually trusted party of the integrity/authenticity of a given message at a given time t0 Non-repudiation (based on public-key cyptography) allows a party to convince others at any time t1 t0 of the integrity/authenticity of a given message at time t0 A.A Digital signatures 36

19 Dig sig vs non-repudiation Alice s digital signature for a given message depends on the message and a secret known to Alice only (the private key) Bob verifies the digital signature by means of another, different value: the public key A.A Digital signatures 37 Dig sig vs non-repudiation Data origin authentication as provided by a digital signature is valid only while the secrecy of the signer s private key is maintained A threat that must be addressed is a signer who intentionally discloses his private key, and thereafter claims that a previously valid signature was forged This threat may be addressed by preventing direct access to the key use of a trusted timestamp agent use of a trusted notary agent A.A Digital signatures 38

20 Bob Trusted timestamping service s = S B (m) Trent <m, s> s S T (s t 0 ) Alice! Trent certifies that digital signature s exists at time t 0! If Bob s priv-key is compromised at t 1 > t 0, then s is valid A.A Digital signatures 39 Trusted Notary Service TNS generalize the TTS Trent certifies that a certain statement σ on the digital signatire s is true at t 0 s exists at t 0 s is valid at t 0 Trent is trusted to verify the statement before issuing it A.A Digital signatures 40