Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem



Similar documents
Introduction to Cryptography CS 355

Signature Schemes. CSG 252 Fall Riccardo Pucella

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Digital Signature. Raj Jain. Washington University in St. Louis

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Digital signatures. Informal properties

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Communications security

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Crittografia e sicurezza delle reti. Digital signatures- DSA

Digital Signatures. What are Signature Schemes?

Computer Science A Cryptography and Data Security. Claude Crépeau

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

Digital Signature CHAPTER 13. Review Questions. (Solution to Odd-Numbered Problems)

Digital Signatures. Prof. Zeph Grunschlag

Authentication requirement Authentication function MAC Hash function Security of

Cryptographic Hash Functions Message Authentication Digital Signatures

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Public Key Cryptography and RSA. Review: Number Theory Basics

Overview of Public-Key Cryptography

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

1 Signatures vs. MACs

DIGITAL SIGNATURES 1/1

MTAT Cryptology II. Digital Signatures. Sven Laur University of Tartu

2. Cryptography 2.4 Digital Signatures

Introduction to Computer Security

Computer Security: Principles and Practice

Cryptography Lecture 8. Digital signatures, hash functions

Practice Questions. CS161 Computer Security, Fall 2008

Part VII. Digital signatures

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Introduction. Digital Signature

Cryptography and Network Security Digital Signature

Public Key (asymmetric) Cryptography

Digital Signatures. Meka N.L.Sneha. Indiana State University. October 2015

CRC Press has granted the following specific permissions for the electronic version of this book:

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

Message Authentication Codes. Lecture Outline

Lecture 15 - Digital Signatures

CS549: Cryptography and Network Security

Discrete logarithms within computer and network security Prof Bill Buchanan, Edinburgh Napier

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

SECURITY IN NETWORKS

Digital signatures are one of the most important inventions/applications of modern cryptography.

CSCE 465 Computer & Network Security

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

8th ACM Conference on Computer and Communications Security November 2001 Philadelphia - Pennsylvania - USA

CS 758: Cryptography / Network Security

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Table of Contents. Bibliografische Informationen digitalisiert durch

Randomized Hashing for Digital Signatures

Message authentication and. digital signatures

Cryptography and Network Security Chapter 11

Capture Resilient ElGamal Signature Protocols

Hash Functions. Integrity checks

Certificate Authorities and Public Keys. How they work and 10+ ways to hack them.

An Approach to Shorten Digital Signature Length

Secure File Transfer Using USB

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Recommendation for Applications Using Approved Hash Algorithms

Elements of Applied Cryptography Public key encryption

Public Key Cryptography. Performance Comparison and Benchmarking

Authentication, digital signatures, PRNG

Cryptography & Network Security

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Fast Batch Verification for Modular Exponentiation and Digital Signatures

Authentication Protocols Using Hoover-Kausik s Software Token *

Cryptography and Network Security

1 Message Authentication

A novel deniable authentication protocol using generalized ElGamal signature scheme

Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information

Security Arguments for Digital Signatures and Blind Signatures

Lecture 9: Application of Cryptography

Lecture 3: One-Way Encryption, RSA Example

A Digital Signature Scheme in Web-based Negotiation Support System

Digital Signature For Text File

A Factoring and Discrete Logarithm based Cryptosystem

Public Key Cryptography Overview

One-Way Encryption and Message Authentication

9 Digital Signatures: Definition and First Constructions. Hashing.

Schnorr Signcryption. Combining public key encryption with Schnorr digital signature. Laura Savu, University of Bucharest, Romania

Implementation of Elliptic Curve Digital Signature Algorithm

Improved Online/Offline Signature Schemes

Analysis of Software Realized DSA Algorithm for Digital Signature

Evaluation of Digital Signature Process

Digital Signature Standard (DSS)

The Future of Digital Signatures. Johannes Buchmann

Message Authentication

A New Efficient Digital Signature Scheme Algorithm based on Block cipher

An Introduction to the RSA Encryption Method

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

1 Domain Extension for MACs

Chapter 12. Digital signatures Digital signature schemes

Transcription:

Digital Signatures Murat Kantarcioglu Based on Prof. Li s Slides Digital Signatures: The Problem Consider the real-life example where a person pays by credit card and signs a bill; the seller verifies that the signature on the bill is the same with the signature on the card Contracts, they are valid if they are signed. Can we have a similar service in the electronic world? 2 1

Digital Signatures Digital Signature: a data string which associates a message with some originating entity. Digital Signature Scheme: for each key, there is a SECRET signature generation algorithm and a PUBLIC verification algorithm. Services provided: Authentication Data integrity Non-Repudiation (MAC does not provide this.) 3 Adversarial Goals Total break: adversary is able to find the secret for signing, so he can forge then any signature on any message. Selective forgery: adversary is able to create valid signatures on a message chosen by someone else, with a significant probability. Existential forgery: adversary can create a pair (message, signature), s.t. the signature of the message is valid. A signature scheme can not be perfectly secure; it can only be computationally secure. Given enough time and adversary can always forge Alice s signature on any message. 4 2

Attack Models for Digital Signatures Key-only attack: Adversary knows only the verification function (which is supposed to be public). Known message attack: Adversary knows a list of messages previously signed by Alice. Chosen message attack: Adversary can choose what messages wants Alice to sign, and he knows both the messages and the corresponding signatures. 5 Digital Signatures and Hash Very often digital signatures are used with hash functions, hash of a message is signed, instead of the message. Hash function must be: Pre-image resistant Weak collision resistant Strong collision resistant 6 3

RSA Signature Key generation (as in RSA encryption): Select 2 large prime numbers of about the same size, p and q n = pq, and Φ = (q - 1)(p - 1) Select a random integer e, 1 < e < Φ, s.t. gcd(e, Φ) = 1 d, 1 < d < Φ s.t. ed 1 mod Φ Public key: (e, n) Secret key: d, p and q must also remain secret 7 Signing message M M must verify 0 < M < n Use private key (d) compute S = M d mod n RSA Signature (cont.) Verifying signature S Use public key (e, n) S e mod n = (M d mod n) e mod n = M Note: in practice, a hash of the message is signed and not the message itself. 8 4

RSA Signature (cont.) Example of forging Attack based on the multiplicative property of property of RSA. y 1 = sig K (x 1 ) y 2 = sig K (x 2 ), then ver K (x 1 x 2 mod n, y 1 y 2 mod n) = true So adversary can create the valid signature y 1 y 2 mod n on the message x 1 x 2 mod n This is an existential forgery using a known message attack. 9 El Gamal Signature Key Generation (as in ElGamal encryption) Generate a large random prime p such that DLP is infeasible in and a generator α of the multiplicative group of the integers modulo p Select a random integer a, 1a p-2, and compute β = α a mod p Public key is (p, α, β) Private key is a Recommended sizes: 1024 bits for p and 160 bits for a. 10 5

ElGamal Signature (cont.) Signing message M Select random k, 1 k p-1, k Z p-1 * r = α k mod p s = k -1 (M - ar) mod (p-1) Signature is: (r,s) Size of signature is double size of p NOTE: In practice, instead of M, h(m) is used where h is a hash function 11 ElGamal Signature (cont.) Signature is: (r, s) r = α k mod p s = k -1 ( M - ar) mod (p-1) Verification Verify that r is in Z p-1* : 1 r p-1 v 1 = β r r s mod p v 2 = α M mod p Accept iff v 1 =v 2 12 6

ElGamal Signature (cont.) Security of ElGamal signature Weaker than DLP k must be unique for each message signed Hash function h must be used, otherwise easy for an existential forgery attack without h, a signature on M Z p, is (r,s) s.t. β r r s = α M mod p choose u,v s.t. gcd(v,p-1)=1, then let r= α u β v mod p= α u+av mod p, and let s=-rv -1 mod (p-1) then β r r s = α ar (α u+av ) s = α ar g avs g us = α ar α av(-rv^{-1}) α us = α ar α -ar α us = g us i.e., (r,s) is a signature of the message u.s 13 ElGamal Signature (Continued) 0 < r < p must be checked, otherwise easy to forge a signature on any message if an valid signature is available. given M, and r= α k, s=k -1 (M- ar) mod (p-1) for any message M, let u=m /M mod (p-1) computes s =su mod (p-1) and r s.t. r ru (mod (p-1)) AND r r (mod p), then β r r s = β ru r su = (β r r s ) u = (α M ) u = α M 14 7

Digital Signature Algorithm (DSA) Specified as FIPS 186 Key generation Select a prime q of 160-bits Choose 0 t 8 Select 2 511+64t < p < 2 512+64t with q p-1 Let α be a generator of Z p*, and set g = α (p-1)/q mod p Select 1 a q-1 β = g a mod p Public key: (p, q, g, β) Private key: a 15 DSA Signing message M: Select a random integer k, 0 < k < q k -1 mod q r = (g k mod p) mod q s = k -1 ( h(m) + ar) mod q Signature: (r, s) Note: FIPS recommends the use of SHA-1 as hash function. 16 8

DSA Signature: (r, s) r = (g k mod p) mod q s = k -1 ( h(m) + ar) mod q Verification Verify 0 < r < q and 0 < s < q, if not, invalid w = s -1 mod q u 1 = w h(m) mod q, u 2 = r w mod q v = (g u 1 β u 2 mod p) mod q Valid iff v = r 17 Schnorr Signature Key generation (as in DSA, h:{0,1} * Z q ) Select a prime q Select 1 a q-1 β= g a mod p Public key: (p,q,g,β) Private key: a 18 9

Schnorr Signature Signing message M Select random secret k, 1 k q-1 r = g k mod p, e = h(m r) s = ae + k mod q Signature is: (s, e) 19 Schnorr Signature Verification v = g s β -e mod p, Valid iff e = e e = h(m v) 20 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information