Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg



Similar documents
Introduction to Cryptography CS 355

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Lecture 6 - Cryptography

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Introduction to Computer Security

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Cryptographic Hash Functions Message Authentication Digital Signatures

Signature Schemes. CSG 252 Fall Riccardo Pucella

SECURITY IN NETWORKS

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Authentication requirement Authentication function MAC Hash function Security of

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Digital signatures. Informal properties

Computer Security: Principles and Practice

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Cryptography Lecture 8. Digital signatures, hash functions

Overview of Public-Key Cryptography

CSCE 465 Computer & Network Security

The application of prime numbers to RSA encryption

Computer Science A Cryptography and Data Security. Claude Crépeau

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Principles of Network Security

Digital Signatures. Prof. Zeph Grunschlag

Digital Signature. Raj Jain. Washington University in St. Louis

Practice Questions. CS161 Computer Security, Fall 2008

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Chapter 7: Network security

1 Signatures vs. MACs

CS 758: Cryptography / Network Security

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

CSE/EE 461 Lecture 23

Public Key (asymmetric) Cryptography

Public Key Cryptography Overview

Client Server Registration Protocol

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Chapter 8 Security. IC322 Fall Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Schnorr Signcryption. Combining public key encryption with Schnorr digital signature. Laura Savu, University of Bucharest, Romania

Discrete logarithms within computer and network security Prof Bill Buchanan, Edinburgh Napier

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Table of Contents. Bibliografische Informationen digitalisiert durch

Network Security. HIT Shimrit Tzur-David

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

The Mathematics of the RSA Public-Key Cryptosystem

Cryptography and Network Security Chapter 11. Fourth Edition by William Stallings

Crittografia e sicurezza delle reti. Digital signatures- DSA

Cryptography and Network Security

Hash Functions. Integrity checks

Fundamentals of Computer Security

An Introduction to the RSA Encryption Method

Message authentication and. digital signatures

CRYPTOGRAPHY IN NETWORK SECURITY

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

Communications security

A New Efficient Digital Signature Scheme Algorithm based on Block cipher

DIGITAL SIGNATURES 1/1

MTAT Cryptology II. Digital Signatures. Sven Laur University of Tartu

CIS 5371 Cryptography. 8. Encryption --

2. Cryptography 2.4 Digital Signatures

Authentication, digital signatures, PRNG

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Symmetric Crypto MAC. Pierre-Alain Fouque

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

Module: Applied Cryptography. Professor Patrick McDaniel Fall CSE543 - Introduction to Computer and Network Security

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Message Authentication

CIS433/533 - Computer and Network Security Cryptography

Lukasz Pater CMMS Administrator and Developer

Massachusetts Institute of Technology Handout : Network and Computer Security October 9, 2003 Professor Ronald L. Rivest.

Notes on Network Security Prof. Hemant K. Soni

Digital Signatures. What are Signature Schemes?

Elements of Applied Cryptography Public key encryption

Introduction. Digital Signature

Cryptography: Authentication, Blind Signatures, and Digital Cash

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

CS Computer Security Third topic: Crypto Support Sys

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Advanced Cryptography

Part VII. Digital signatures

Public Key Cryptography and RSA. Review: Number Theory Basics

Cryptography and Network Security Chapter 10

CS 348: Computer Networks. - Security; 30 th - 31 st Oct Instructor: Sridhar Iyer IIT Bombay

Network Security. Security. Security Services. Crytographic algorithms. privacy authenticity Message integrity. Public key (RSA) Message digest (MD5)

7! Cryptographic Techniques! A Brief Introduction

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

RSA Attacks. By Abdulaziz Alrasheed and Fatima

Message Authentication Codes

Chapter 10. Network Security

What is network security?

Cryptography and Network Security

Lecture 3: One-Way Encryption, RSA Example

1 Message Authentication

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

A Proposal for Authenticated Key Recovery System 1

Transcription:

Outline CSc 466/566 Computer Security 8 : Cryptography Digital Signatures Version: 2012/02/27 16:07:05 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg Christian Collberg 1/36 Introduction 2/36 Digital Signatures Digital Signatures... In this lecture we are going to talk about cryptographic hash functions (checksums) and digital signatures. We want to be able to 1 Detect tampering: is the message we received the same as the message that was sent? 2 Authenticate: did the message come from who we think it came from? More specifically, we want to ensure: 1 Nonforgeability: Eve should not be able to create a message that appears to come from Alice. 2 Nonmutability: Eve should not be able to take a valid signature for one message from Alice, and apply it to another one. 3 Nonrepudiation: Alice should not be able to claim she didn t sign a document that she did sign. Introduction 3/36 Introduction 4/36

Digital Signatures... Digital Signatures... This works because for many public key ciphers In the non-digital world, Alice would sign the document. We can do the same with digital signatures. 1 Alice encrypts her document M with her private key S A, thereby creating a signature S Alice (M). 2 Alice sends M and the signature S Alice (M) to Bob. 3 Bob decrypts the document using Alice s public key, thereby verifying her signature. D SB (E PB (M)) = M E PB (D SB (M)) = M i.e. we can reverse the encryption/decryption operations. That is, Bob can apply the decryption function to a message with his private key S B, yielding the signature sig: sig D SB (M) Then, anyone else can apply the encryption function to sig to get the message back. Only Bob (who has his secret key) could have generated the signature: E PB (sig) = M Introduction 5/36 Introduction 6/36 Digital Signatures... Outline Bob Alice M sig D SB (M) M,sig M? = E PB (sig) Bob sent M? S B P B Introduction 7/36 RSA Signature Scheme 8/36

RSA Signature Scheme RSA Encryption: Algorithm 1 Alice encrypts her document M with her private key S A, thereby creating a signature S Alice (M). 2 Alice sends M and the signature S Alice (M) to Bob. 3 Bob decrypts the document using Alice s public key, thereby verifying her signature. Bob (Key generation): 1 Generate two large random primes p and q. 2 Compute n = pq. 3 Select a small odd integer e relatively prime with φ(n). 4 Compute φ(n) = (p 1)(q 1). 5 Compute d = e 1 mod φ(n). P B = (e, n) is Bob s RSA public key. S B = (d, n) is Bob RSA private key. Alice (encrypt and send a message M to Bob): 1 Get Bob s public key P B = (e, n). 2 Compute C = M e mod n. Bob (decrypt a message C received from Alice): 1 Compute M = C d mod n. RSA Signature Scheme 9/36 RSA Signature Scheme 10/36 RSA Signature Scheme: Algorithm RSA Signature Scheme: Correctness Bob (Key generation): As before. P B = (e, n) is Bob s RSA public key. S B = (d, n) is Bob RSA private key. Bob (sign a secret message M): 1 Compute S = M d mod n. 2 Send M, S to Alice. Alice (verify signature S received from Bob): 1 Receive M, S from Alice. 2 Verify that M? = S e mod n. RSA Signature Scheme 11/36 We have: P B = (e, n) is Bob s RSA public key. S B = (d, n) is Bob RSA private key. S = M d mod n. d = e 1 mod φ(n) de = 1 mod φ(n). Theorem (Corollary to Euler s theorem) Let x be any positive integer that s relatively prime to the integer n > 0, and let k be any positive integer, then x k mod n = x k mod φ(n) mod n Alice wants to verify that M? = S e mod n. S e mod n = M de mod n = M de mod φ(n) mod n = M 1 mod n = M RSA Signature Scheme 12/36

RSA signature: Nonforgeability RSA signature: Nonmutability Nonforgeability: Eve should not be able to create a message that appears to come from Alice. To forge a message M from Alice, Eve would have to produce M d mod n without knowing Alice s private key d. This is equivalent to being able to break RSA encryption. RSA Signature Scheme 13/36 Nonmutability: Eve should not be able to take a valid signature for one message from Alice, and apply it to another message. RSA does not achieve nonmutability. Assume Eve has two valid signatures from Alice, on two messages M 1 and M 2 : S 1 S 2 = M d 1 mod n = M d 2 mod n Eve can then produce a new signature S 1 S 2 = (M1 d mod n) (Md 2 mod n) = (M 1 M 2 ) d mod n This is a valid signature for the message M 1 M 2! Not usually a problem since we normally sign hashes. RSA Signature Scheme 14/36 Outline Elgamal: Encryption Algorithm Bob (Key generation): 1 Pick a prime p. 2 Find a generator g for Z p. 3 Pick a random number x between 1 and p 2. 4 Compute y = g x mod p. P B = (p, g, y) is Bob s RSA public key. S B = x is Bob RSA private key. Alice (encrypt and send a message M to Bob): 1 Get Bob s public key P B = (p, g, y). 2 Pick a random number k between 1 and p 2. 3 Compute the ciphertext C = (a, b): a = g k mod p b = My k mod p Bob (decrypt a message C = (a,b) received from Alice): 1 Compute M = b(a x ) 1 mod p. Elgamal Signature Scheme 15/36 Elgamal Signature Scheme 16/36

Elgamal: Signature Algorithm Elgamal Signature Algorithm: Correctness Alice (Key generation): As before. 1 Pick a prime p. 2 Find a generator g for Z p. 3 Pick a random number x between 1 and p 2. 4 Compute y = g x mod p. P A = (p, g, y) is Alice s RSA public key. S A = x is Alice RSA private key. Alice (sign message M and send to Bob): 1 Pick a random number k. 2 Compute the signature S = (a, b): a = g k mod p b = k 1 (M xa) mod (p 1) Bob (verify the signature S = (a,b) received from Alice): 1 Verify y a a b mod p? = g M mod p. Elgamal Signature Scheme 17/36 We have: y = g x mod p a = g k mod p b = k 1 (M xa) mod (p 1) Show that y a a b mod p = g M mod p. y a a b mod p = (g x mod p) a ((g k mod p) ( k 1 (M xa) mod (p 1)) mod = g xa g kk 1 (M xa) mod (p 1) mod p = g xa g (M xa) mod (p 1) mod p = g xa g M xa mod p = g xa+m xa mod p = g M mod p Elgamal Signature Scheme 18/36 Elgamal Signature Algorithm: Security Outline We have: y = g x mod p a = g k mod p b = k 1 (M xa) mod (p 1) k is random b is random! To the adversary, b looks completely random. The adversary must compute k from a = g k mod p compute discrete log! If Alice reuses k The adversary can compute the secret key. Elgamal Signature Scheme 19/36 Cryptographic Hash Functions 20/36

Cryptographic Hash Functions Signature Protocol Public key algorithms are too slow to sign large documents. A better protocol is to use a one way hash function also known as a cryptographic hash function (CHF). CHFs are checksums or compression functions: they take an arbitrary block of data and generate a unique, short, fixed-size, bitstring. > echo h e l l o sha1sum f572d396fae9206628714fb2ce00f72e94f2258f > echo h e l l a sha1sum 1519 ca327399f9d699afb0f8a3b7e1ea9d1edd0c > echo can t b e l i e v e i t s not butter! sha1sum 34 e780e19b07b003b7cf1babba8ef7399b7f81dd 1 Bob computes a one-way hash of his document. 2 Bob encrypts the hash with his private key, thereby signing it. 3 Bob sends the encrypted hash and the document to Alice. 4 Alice decrypts the hash Bob sent him, and compares it against a hash she computes herself of the document. If they are the same, the signature is valid. hash D PB (sig) sig h(m) E SB (hash)? = h(m) Cryptographic Hash Functions 21/36 Cryptographic Hash Functions 22/36 Signature Protocol... Cryptographic Hash Functions... Bob M hash h(m) S E SB (hash) M,S D PB (S)? = h(m) Bob sent M? S B Advantage: the signature is short; defends against MITM attack. P B Alice CHFs should be 1 deterministic 2 one-way 3 collision-resistant i.e., easy to compute, but hard to invert. I.e. given message M, it s easy to compute y h(m); given a value y it s hard to compute an M such that y = h(m). This is what we mean by CHFs being one-way. Cryptographic Hash Functions 23/36 Cryptographic Hash Functions 24/36

Weak vs. Strong Collision Resistance Merkle-Damgøard Construction CHFs also have the property to be collision resistant. Weak collision resistance: Assume you have a message M with hash value h(m). Then it should be hard to find a different message M such that h(m) = h(m ). Strong collision resistance: It should be hard to find two different message M 1 and M 2 such that h(m 1 ) = h(m 2 ). Strong collisions resistance is hard to prove. Hash functions are often built on a compression function C(X,Y ): Y X is (a piece of) the message we re hashing. Y and Y is the hash value we re computing. X C length(x)=m length(y )=length(y )=n Y Cryptographic Hash Functions 25/36 Cryptographic Hash Functions 26/36 Merkle-Damgøard Construction... M 1 M 2 M 3 M 4 M 5 v = d 0 d 1 C C C C C d 2 d 3 d 5 = d d 4 Outline For long messages M we break it into pieces M 1,...,M k, each of size m. Our initial hash value is an initialization vector v. We then compress one M i at a time, chaining it together on the previous hash value. Cryptographic Hash Functions 27/36 Birthday attacks 28/36

The Birthday Problem The Birthday Problem Given a group of n people, what is the probability that two share a birthday? Examine the probability that no two share a birthday: (let B i be person i s birthday) n = 1 : 1 n = 2 : 364/365 n = 3 : probability that B 3 differs from both B 1 and B 2 and that none of the first two share a birthday: 363/365 364/365 n = 4 :, probability that B 4 differs from all of B 1...3 and that none of the first three share a birthday: 362/365 (363/365 364/365) and so on... This generalizes to 365! 365 n (365 n)! It takes only 23 people to give greater than.5 probability that two people share a birthday in a domain with cardinality 365. For a domain with cardinality c,.5 probability is reached with approximately 1.2 c numbers. So what does this have to do with checksums? Birthday attacks 29/36 Birthday attacks 30/36 The Birthday Problem... Birthday Attacks Assume our hash function H has b-bit output. Number of possible hash values is 2 b. Attack: 1 Eve generates large number of messages m 1, m 2,.... 2 She computes their hash values H(m 1 ), H(m 2 ),.... 3 She waits for two messages m i and m j such that H(m i ) = H(m j ). Eve needs to generate 2 b inputs to find a collision, right? Wrong! By the birthday paradox, it is likely that two messages will have the same hash value! Security is 2 b/2 not 2 b. Thus, a hash-function with 256-bit output has 128-bit security. Little Billy wants to be the sole beneficiary of Grandma s will He prepares two message templates, like the one Charlie made, one being a field trip permission slip, and the other being a will in which Grandma bequeaths everything to her sweet grandson. Little Billy finds a pair of messages, one generated from each template, with equal checksums Little Billy has Grandma sign the field trip permission slip Little Billy now has a signature that checks out against the will he created Profit!! Birthday attacks 31/36 Birthday attacks 32/36

Outline Summary Digital signatures make a message tamper-proof and give us authentication and nonrepudiation They only show that it was signed by a specific key, however It s cheaper to sign a checksum of the message rather than the whole message Cryptographic checksums are necessary to do this securely Summary 33/36 Summary 34/36 Readings and References Acknowledgments Chapter 8.1.7, 8.2.1, 8.5.2 in Introduction to Computer Security, by Goodrich and Tamassia. Additional material and exercises have also been collected from these sources: 1 Matthew Landis, 620 Fall 2003 Cryptographic Checksums and Digital Signatures. 2 RFC1321 (MD5), www.ietf.org/rfc/rfc1321.txt Summary 35/36 Summary 36/36

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information