2. Cryptography 2.4 Digital Signatures

Similar documents
Digital Signature. Raj Jain. Washington University in St. Louis

Authentication requirement Authentication function MAC Hash function Security of

Public Key (asymmetric) Cryptography

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Table of Contents. Bibliografische Informationen digitalisiert durch

Communications security

Public Key Cryptography Overview

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Overview of Public-Key Cryptography

CRYPTOGRAPHY IN NETWORK SECURITY

Introduction to Cryptography CS 355

Cryptography and Network Security

Computer Security: Principles and Practice

Cryptography Lecture 8. Digital signatures, hash functions

Cryptography and Network Security Chapter 9

Signature Schemes. CSG 252 Fall Riccardo Pucella

CSCE 465 Computer & Network Security

Lecture 9: Application of Cryptography

Cryptography and Network Security Digital Signature

Hash Functions. Integrity checks

Network Security. Chapter 2 Basics 2.2 Public Key Cryptography. Public Key Cryptography. Public Key Cryptography

CS549: Cryptography and Network Security

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Cryptography and Network Security Chapter 10

Software Implementation of Gong-Harn Public-key Cryptosystem and Analysis

Authentication, digital signatures, PRNG

Digital Signatures. Meka N.L.Sneha. Indiana State University. October 2015

Message authentication and. digital signatures

Message Authentication

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Notes on Network Security Prof. Hemant K. Soni

An Introduction to Cryptography as Applied to the Smart Grid

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Evaluation of Digital Signature Process

Cryptographic Hash Functions Message Authentication Digital Signatures

DIGITAL SIGNATURES 1/1

Digital signatures. Informal properties

Crittografia e sicurezza delle reti. Digital signatures- DSA

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

The Mathematics of the RSA Public-Key Cryptosystem

Practice Questions. CS161 Computer Security, Fall 2008

Digital Signature Standard (DSS)

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

SECURITY IN NETWORKS

ARCHIVED PUBLICATION

Computer Science A Cryptography and Data Security. Claude Crépeau

Elements of Applied Cryptography Public key encryption

Randomized Hashing for Digital Signatures

AC76/AT76 CRYPTOGRAPHY & NETWORK SECURITY DEC 2014

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Cryptography and Network Security

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Lukasz Pater CMMS Administrator and Developer

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

CS 348: Computer Networks. - Security; 30 th - 31 st Oct Instructor: Sridhar Iyer IIT Bombay

Lecture 6 - Cryptography

Part VII. Digital signatures

A New Efficient Digital Signature Scheme Algorithm based on Block cipher

EXAM questions for the course TTM Information Security May Part 1

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

2. Securing Transactions

A Proposal for Authenticated Key Recovery System 1

Cryptography and Network Security Chapter 15

Public Key Cryptography and RSA. Review: Number Theory Basics

Public Key Cryptography. Performance Comparison and Benchmarking

Introduction to Computer Security

CS 758: Cryptography / Network Security

1 Signatures vs. MACs

IT Networks & Security CERT Luncheon Series: Cryptography

Recommendation for Cryptographic Key Generation

Implementation of Elliptic Curve Digital Signature Algorithm

Introduction to Cryptography

Study of algorithms for factoring integers and computing discrete logarithms

RSA Attacks. By Abdulaziz Alrasheed and Fatima

Secure File Transfer Using USB

Chapter 10. Network Security

A New Generic Digital Signature Algorithm

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised)

Introduction. Digital Signature

Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths

Cryptography and Key Management Basics

Cryptographic Algorithms and Key Size Issues. Çetin Kaya Koç Oregon State University, Professor

Programming with cryptography

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Public Key Cryptography of Digital Signatures

CS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Capture Resilient ElGamal Signature Protocols

Transcription:

DI-FCT-UNL Computer and Network Systems Security Segurança de Sistemas e Redes de Computadores 2010-2011 2. Cryptography 2.4 Digital Signatures 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 1

Outline Digital Signatures, Authentication and Key-Establishment Protocols Digital Signatures General Requirements and properties Authentication vs. Non-Repudiation Message Authentication with Fast (Light-Weight) Signatures Digital signatures with Public Key Methods Direct and Arbitrated Digital Signatures Public-Key Digital Signatures Digital signature methods RSA ElGammal DSS (or DSA) ECC based signatures 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 2

Outline Digital Signatures, Authentication and Key-Establishment Protocols Digital Signatures General Requirements and properties Authentication vs. Non-Repudiation Message Authentication with Fast (Light-Weight) Signatures Digital signatures with Public Key Methods Direct and Arbitrated Digital Signatures Public-Key Digital Signatures Digital signature methods RSA ElGammal DSS (or DSA) ECC based signatures 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 3

Required properties of digital signatures Digital signature properties Dependence of message (content) signed Unforgeable Must use controlled unique information by the signer Undeniable No new message for existent digital signature No fraudulent signature for a given message The signer can control the <message,signature> association Verifiable by principals or third parties to resolve disputes Direct or arbitrated signatures covering all the data relevance: author, data&time, content, disclaimers, usage policies, etc) Must be relatively easy to produce Must be relatively easy to recognize and verify Practical to store (with or without the signed content) 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 4

Other possible requirements Sometimes (useful for specific protocols): Unique (one-time signatures) Anonymous use (blind signatures) Signature vs. Content unlinkability Content disguised before it is signed Publicly verifiable against the original (unblinded) Signer and message author are different principals Election systems, Digital Cash Schemes, 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 5

Generic requirements Requirements for digital signatures Message authentication (proof of origin) Originality of contents (ownership proofs) Authentication of principals in authentication protocols (unilateral vs. mutual authentication) Authenticity proofs for non-repudiation protocols Practical issues: MACs as Light-weight (or inexpensive ) signatures Message flows in session-oriented protocols MACs in protocols for constrained devices Datagram protocols and large amounts (load) of message processing Public-Key signatures as more robust and expensive authentication proofs Authentication of principals in handshake protocolos and session-establishment 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 6

Approaches to Message Authentication Authentication Using Conventional Encryption sender and receiver should share a secret key Message Authentication without Message Encryption Authentication tag (shared secret computation and verification, based on a shared secret key value) generated and appended to each message Message Authentication Code MAC computation as a function of the message and the key. MAC = F(K, M) 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 7

Secure hash functions are appropriate for MAC Algorithms Henric Johnson 8 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 8

MAC with a secure HASH function Secret value is added before the hash and removed before transmission. 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 9

Remembering secure HASH Functions Purpose of the HASH: production of secure fingerprints. Properties : 1. H can be applied to a block of data at any size 2. H produces a fixed length output 3. H(x) is easy to compute for any given x. 4. For any given block x, it is computationally infeasible to find x such that H(x) = h - Irreversibility, One-Way 5. For any given block x, it is computationally infeasible to find with H(y) = H(x). - Weak collision resistance 1. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y) - Strong collision resistance 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 10

HMACs (flexible combination of secure hash functions) MAC derived from a cryptographic hash code, such as SHA-1, SHA-2 and SHA-3 in the future Motivations: Cryptographic hash functions executes faster in software than encryptoin algorithms such as DES Library code for cryptographic hash functions is widely available No export restrictions Different hash functions easily combined for security, maintaining good efficiency HMAC structure 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 11

Henric Johnson 12 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 12

Outline Digital Signatures, Authentication and Key-Establishment Protocols Digital Signatures General Requirements and properties Authentication vs. Non-Repudiation Message Authentication with Fast (Light-Weight) Signatures Digital signatures with Public Key Methods Direct and Arbitrated Digital Signatures Public-Key Digital Signatures Digital signature methods RSA ElGammal DSS (or DSA) ECC based signatures 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 13

Direct Digital Signatures Only sender & receiver involved With public-key signatures: assumed receiver has sender s public-key digital signature made by sender signing entire message or hash with private-key can encrypt using receivers public-key important that sign first then encrypt message & signature security depends on sender s private-key 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 14

Arbitrated Digital Signatures Involve sender, receiver and one or more third parties With public-key signatures: assumed third parties have all sender s public-keys digital signature made by sender signing entire message or hash with private-key, verified (and possibly logged) by the third parties, and resigned by the third parties Notarization The receivers recognize the sender signature by verifying the third party signature encryption using third-party public-key important that sign first then encrypt message & signature security depends on sender s private-key 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 15

Outline Digital Signatures, Authentication and Key-Establishment Protocols Digital Signatures General Requirements and properties Authentication vs. Non-Repudiation Message Authentication with Fast (Light-Weight) Signatures Digital signatures with Public Key Methods Direct and Arbitrated Digital Signatures Public-Key Digital Signatures Digital signature methods RSA ElGammal DSS (or DSA) ECC based signatures 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 16

RSA Signatures (from the algorithm RSA) Correct (undeniable) Key pair (Kpriv, Kpub) Principal P Private Key: Kpriv, N Principal P Public Key: Kpub, N Signature(M) = S M = H(M) Kpriv mod N Verification: Given M and computing H(M) S M Kpub mod N 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 17

Relevant issues from RSA (1) Remembering the RSA key-pair generation process and encryption/decryption algorithm Messages hashed before signing (not the original message) Security issue when preserving confidentiality Controlled size, comparing with the key size Size of modulus and public and private exponents:» The N value (modulus) determines the key sizes M < N Any value M greater than N will be reduced to M mod N Key pair generation: Value for public exponent so that the encryption step will be computationally cheap to perform and then generate the private exponent accordingly - Encryption cheap, decryption expensive - Signature expensive, Verification cheap 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 18

Relevant issues from RSA (2) Key-Generation process Public exponents, fixed (standardized) by security specifications for RSA implementation use Ex., X509v3: public exponents 0x10001 (F4) Default in the Bouncy Castle Implementation Problem: how to speed-up the decryption and the signature process in current implementations CRT theorem (and ex., Garner s Algorithm) Keep the original P and Q primes used to generate the Keys Pre-compute and keep other values in the CRT computation (dp, dq, qinv), once only Store (dp, dq, P, Q, qinv) 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 19

Implementation in JAVA-JCE Optimizations are included (differently) in each crypto provider (subjacent implementation of RSA) Ex. BC uses a multi-prime remainder theorem approach To generate keys with 2048 bits, rather than having to primes P and Q of 1024 bits, it can be used 4 primes of 512 bits Note: observe the behavior of time consuming (processing) in the examples provided. 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 20

RSA Padding mechanisms Operations in RSA are ober big integers What if the representation begins with 0 bits (MSBits)? See practical examples What happens if you change the value of the public exponent to a low value? See practical examples Is it secure for encryption? You need Padding! 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 21

Padding in RSA PKCS#1 Implementation (ex., BC) See also the practical examples Type 1: Mp= 0x00 0x01 F 0x00 M with F = string of 0xFF bytes, at least 8 bytes Then: M <= Keysize in bytes 11 - This is used when using the private key (signatures) Type 2: Mp= 0x00 0x02 R 0x00 M with R = Random bytes, at least 8 bytes Then: M <= Keysize in bytes 11 - This is used when using the public key (encryption) 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 22

Strongest padding for RSA Ex., OAEP Padding Used with parameters: P, and random seed S OAEP Optimal Asymmetric Encryption Padding M1 = Mask [ ( H(P) PZ 0x01 M), S ] M2 = Mask (S, M1) Mp=0x00 M2 M1 Note: MaxLen for the message will be klen 2hLen 2 Note: for a certain message length usable in PKCS#1, you may need a more long key if you use OAEP, but this is not an issue why? See practical examples: Suite: RSA/None/OAEPWithSHA1and MGF1Padding 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 23

RSA Signatures in the JAVA-JCE See practical examples Practical class examples and verifications Signature class Steps: - Initialization of the signature object for signing - signature.update() is then used to feed data into the signature object - When all the data has been fed in, signature.sign() is called - Signature can be: - Returned as a byte array - Or load it into a passed in byte-array 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 24

Use of RSA in the Java JCE Example (see practical examples) After the keypair generation process initialization byte[] message = new byte[] {..}; KeyPair KeyPair = KeyGen.generateKeyPair(); Signature signature = Signature.getInstance ( RSA, BC ); // to generate a signature signature.initsign(keypair.getprivate(), random); signature.update (message); byte[] sigbytes= signature.sign(); //verification signature.initverify(keypair.getpublic()); signature.update(message); if (signature.verify(sigbytes)) { ok } else { not ok } 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 25

ElGammal public key scheme (asymetric) A variant of Diffie-Hellman Same math. principles Widely used (ex., OpenPGP implementations, standardized in RFC 2440) How does it works? Bob has a public key g y mod P (well known by Alice) Alice creates a temporary public key K puba = g x mod P Encryption: C = {M} KpubB = M g xy mod P Alice sends to Bob: C, K puba Note: makes the cipher text twice the key size 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 26

ElGamal Digital Signatures Signature variant of ElGamal, related to D-H Uses exponentiation in a finite (Galois) Security based difficulty of computing discrete logarithms, as in D-H Private key for encryption (signing) Public key for decryption (verification) each user (eg. A) generates their key chooses a secret key (number): 1 < x A < q-1 compute their public key: y A = a x A mod q 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 27

ElGamal Digital Signature Alice signs a message M to Bob by computing the hash m = H(M), 0 <= m <= (q-1) chose random integer K with 1 <= K <= (q-1) and gcd(k,q-1)=1 compute temporary key: S 1 = a k mod q compute K -1 the inverse of K mod (q-1) compute the value: S 2 = K -1 (m-x A S 1 ) mod (q-1) The signature is the tuple:(s 1,S 2 ) any user B can verify the signature by computing V 1 = a m mod q V 2 = y A S1 S 1 S2 mod q signature is valid if V 1 = V 2 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 28

ElGamal Signature Example use field GF(19) q=19 and a=10 Alice computes her key: A chooses x A =16 & computes y A =10 16 mod 19 = 4 Alice signs message with hash m=14 as (3,4): choosing random K=5 which has gcd(18,5)=1 computing S 1 = 10 5 mod 19 = 3 finding K -1 mod (q-1) = 5-1 mod 18 = 11 computing S 2 = 11(14-16.3) mod 18 = 4 any user B can verify the signature by computing V 1 = 10 14 mod 19 = 16 V 2 = 4 3.3 4 mod 19 = 5184 mod 19 = 16 since V1 = V2, the signature is valid 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 29

Schnorr Digital Signatures also uses exponentiation in a finite (Galois) security based on discrete logarithms, as in D-H minimizes message dependent computation multiplying a 2n-bit integer with an n-bit integer main work can be done in idle time have using a prime modulus p p 1 has a prime factor q of appropriate size typically p 1024-bit and q 160-bit numbers 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 30

Schnorr Key Setup choose suitable primes p, q choose a such that a q = 1 mod p (a,p,q) are global parameters for all each user (eg. A) generates a key chooses a secret key (number): 0 < s A < q compute their public key: v A = a -sa mod q 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 31

Schnorr Signature user signs message by choosing random r with 0<r<q and computing x = a r mod p concatenate message with x and hash result to computing: e = H(M x) computing: y = (r + se) mod q signature is pair (e, y) any other user can verify the signature as follows: computing: x' = a y v e mod p verifying that: e = H(M x ) 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 32

Digital Signature Standard (DSS) Public-Key digital signature technique Like D-H, security from the discrete logarithm problem DSA is digital signature only unlike RSA US Govt approved signature scheme designed by NIST & NSA in early 90's published as FIPS-186 in 1991 revised in 1993, 1996 & then 2000 Uses the SHA hash algorithm DSS is the standard, DSA is the algorithm FIPS 186-2 (2000) includes: Alternative RSA Elliptic curve signature variants 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 33

DSS vs RSA Signatures 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 34

Use of DSA in the Java JCE Example (see practical examples) After the keypair generation process initialization byte[] message = new byte[] {..}; KeyPair KeyPair = KeyGen.generateKeyPair(); Signature signature = Signature.getInstance ( DSA, BC ); // to generate a signature signature.initsign(keypair.getprivate(), random); signature.update (message); byte[] sigbytes= signature.sign(); //verification signature.initverify(keypair.getpublic()); signature.update(message); if (signature.verify(sigbytes)) { ok } else { not ok } 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 35

Digital Signature Algorithm (DSA) creates a 320 bit signature with 512-1024 bit security smaller and faster than RSA a digital signature scheme only security depends on difficulty of computing discrete logarithms A standard based in fact in a variant of ElGamal & Schnorr schemes 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 36

DSA Key Generation have shared global public key values (p,q,g): choose 160-bit prime number q: 2 159 < q < 2 160 choose a large prime p with 2 L-1 < p < 2 L where L= 512 to 1024 bits and is a multiple of 64 such that q is a 160 bit prime divisor of (p-1) choose g = h (p-1)/q where 1<h<p-1 and h (p-1)/q mod p > 1 users choose private & compute public key: choose random private key: x<q compute public key: y = g x mod p 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 37

DSA Signature Creation to sign a message M the sender: generates a random signature key k, k<q nb. k must be random, be destroyed after use, and never be reused then computes signature pair: r = (g k mod p)mod q s = [k -1 (H(M)+ xr)] mod q sends signature (r,s) with message M 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 38

DSA Signature Verification having received M & signature (r,s) to verify a signature, recipient computes: w = s -1 mod q u1= [H(M)w ]mod q u2= (rw)mod q v = [(g u1 y u2 )mod p ]mod q if v=r then signature is verified 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 39

DSS Overview 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures - Slide 40

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information