Hash Function Firewalls in Signature Schemes



Similar documents
Digital Signature. Raj Jain. Washington University in St. Louis

Digital signatures. Informal properties

Digital Signatures. Meka N.L.Sneha. Indiana State University. October 2015

A Security Flaw in the X.509 Standard Santosh Chokhani CygnaCom Solutions, Inc. Abstract

Index Calculation Attacks on RSA Signature and Encryption

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

A New Generic Digital Signature Algorithm

DIGITAL SIGNATURES 1/1

Digital Signature CHAPTER 13. Review Questions. (Solution to Odd-Numbered Problems)

I N F O R M A T I O N S E C U R I T Y

Introduction to Cryptography CS 355

Computer Security: Principles and Practice

I N F O R M A T I O N S E C U R I T Y

Crittografia e sicurezza delle reti. Digital signatures- DSA

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

The Mathematics of the RSA Public-Key Cryptosystem

Authentication requirement Authentication function MAC Hash function Security of

Randomized Hashing for Digital Signatures

Computer Science A Cryptography and Data Security. Claude Crépeau

Cryptanalysis of a Partially Blind Signature Scheme or How to make $100 bills with $1 and $2 ones

Cryptography and Network Security Digital Signature

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

EXAM questions for the course TTM Information Security May Part 1

Digital Signatures. Prof. Zeph Grunschlag

2. Cryptography 2.4 Digital Signatures

Overview of Public-Key Cryptography

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Evaluation of Digital Signature Process

MTAT Cryptology II. Digital Signatures. Sven Laur University of Tartu

Information & Communication Security (SS 15)

CS549: Cryptography and Network Security

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

Table of Contents. Bibliografische Informationen digitalisiert durch

Cryptography Lecture 8. Digital signatures, hash functions

Digital Signatures. What are Signature Schemes?

IMPLEMENTATION AND PERFORMANCE ANALYSIS OF ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM

An Approach to Shorten Digital Signature Length

Public Key (asymmetric) Cryptography

The application of prime numbers to RSA encryption

RSA Encryption. Tom Davis October 10, 2003

Digital Signature Standard (DSS)

ARCHIVED PUBLICATION

Elliptic Curve Hash (and Sign)

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Implementation of Elliptic Curve Digital Signature Algorithm

Capture Resilient ElGamal Signature Protocols

Cryptographic Hash Functions Message Authentication Digital Signatures

= = 3 4, Now assume that P (k) is true for some fixed k 2. This means that

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths

CSCE 465 Computer & Network Security

SEC 2: Recommended Elliptic Curve Domain Parameters

Algorithms and Parameters for Secure Electronic Signatures V.1.44 DRAFT May 4 th., 2001

Software Implementation of Gong-Harn Public-key Cryptosystem and Analysis

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Authentication, digital signatures, PRNG

1 Signatures vs. MACs

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Lukasz Pater CMMS Administrator and Developer

Cryptography and Network Security

Signature Schemes. CSG 252 Fall Riccardo Pucella

Practice Questions. CS161 Computer Security, Fall 2008

A New Efficient Digital Signature Scheme Algorithm based on Block cipher

An Introduction to the RSA Encryption Method

CRC Press has granted the following specific permissions for the electronic version of this book:

Elements of Applied Cryptography Public key encryption

Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised)

Public Key Cryptography. Performance Comparison and Benchmarking

SEC 4: Elliptic Curve Qu-Vanstone Implicit Certificate Scheme (ECQV)

Elliptic Curve Cryptography Methods Debbie Roser Math\CS 4890

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Cryptographic Algorithms and Key Size Issues. Çetin Kaya Koç Oregon State University, Professor

Biometrics, Tokens, & Public Key Certificates

Introduction. Digital Signature

Public-Key Infrastructure

Enhanced Privacy ID (EPID) Ernie Brickell and Jiangtao Li Intel Corporation

Digital signatures are one of the most important inventions/applications of modern cryptography.

Lecture 13 - Basic Number Theory.

ETSI TS V2.0.0 ( ) Technical Specification

CS 758: Cryptography / Network Security

VoteID 2011 Internet Voting System with Cast as Intended Verification

Lecture 3: One-Way Encryption, RSA Example

1 Message Authentication

Transcription:

Outline Hash function flexibility and firewalls Breaking firewalls in signature schemes Hash Function Firewalls in Signature Schemes Conclusions Burt Kaliski, RSA Laboratories IEEE P1363 Working Group Meeting June 2, 2000 (Rev. June 8, 2000) Hash Function Flexibility Weak Hash Function Risks Many signature schemes allow multiple hash functions, to enable improvement over time Signer typically selects from a small set Verifier may accept a larger set, for interoperability with many signers Signer accepts the risk that a hash function in its set may turn out to be weak possibly enabling an attacker to forge signatures However, signer may also be at risk if a hash function in the verifier s set is weak Signer accepts the risk from its own choices, but needs some way to mitigate the risk due to the verifier s choices Mitigating the Risk Hash Function Firewalls One approach is to limit the verifier s set to trusted hash functions only SHA-1 in FIPS 186 only ANSI-approved Another approach is for the signer to indicate acceptable hash functions in its certificate Alternatively, the signature scheme itself might somehow distinguish between different hash functions: a firewall Apparently first suggested by J. Linn in development of Privacy-Enhanced Mail, ca. 1990 RSA signature on message M: 1. Let f = Pad HashID Hash(M) 2. Apply RSA signature primitive to f HashID is a firewall against weak hash functions protected directly by signature primitive existing signatures cannot be reused with a different, weak hash function 1

Does It Work? Summary of Results Hash function firewalls have become a common practice in many signature schemes and standards A firewall prevents an attacker from reusing an existing signature with a different hash function But what about other kinds of signature forgery? Firewalls in several signature schemes do not protect against signature forgery with a weak hash function If attacker can invert a hash function in these schemes, attacker can forge a signature Signer doesn t need to support the weak hash function doesn t even need to be involved! same concept as presented by Brown and Johnson at the March 2000 P1363 meeting w.r.t. PV signatures but extended to address other signature schemes and hash function firewalls Outline of Attacks General Approach ISO/IEC 9796-2 GQ from ISO/IEC 14888-2 may extend to other schemes based on proofs of knowledge DSA with hash ID extends to ECDSA PSS-R from IEEE P1363a D3 Attacker s goal is twofold: 1. Develop a signature that identifies a weak hash function that the verifier accepts 2. Find a message M with the correct hash under the weak hash function Notation: WeakHash: weak hash function WeakHashID: identifier for weak hash function M r : recoverable message part M nr : nonrecoverable message part M: message ISO 9796-2 Scheme ISO 9796-2 with a Firewall Signature scheme with message recovery based on integer factorization problem Recommendations for addressing weak hash function attacks: 1. Require a particular hash function 2. Allow a set of hash functions and explicitly indicate in every signature the hash-function in use by an identifier included as part of the signature calculation HashID is a one-byte ID from ISO 10118 Public key: modulus n, exponent e Private key: d = e -1 mod φ(n) RSA version; RW version is similar 1. Let T = Hash(M r M nr ) 2. Let f = 6b bb bb ba M r T HashID cc 3. Let s = f d mod n 2. Decode f = 6b bb bb ba M r T HashID cc 3. Check T = Hash(M r M nr ) 2

Does the Firewall Work? HashID prevents an attacker from reusing an existing signature with a different hash function But it doesn t prevent an attacker from forging a new signature with a weak hash function 1. Select s in [1,n-1] 2. Let f = s e mod n 3. Decode f = 6b bb bb ba M r T HashID cc 4. If decode error or HashID WeakHashID, goto 1 5. Solve for M nr such that T = WeakHash(M r M nr ) 6. Output M r, M nr, s Expect ~2 24 tries to get desired hash ID, padding GQ Scheme from ISO/IEC 14888-2 GQ Signatures with a Firewall Signature scheme with appendix based on discrete logarithm problem Recommendations for addressing weak hash function attacks: The hash-function identifier shall be included in the hash-token unless the hash-function is uniquely determined by the signature mechanism or by the domain parameters HashID is a one-byte ID from ISO 10118 Domain parameters: modulus N, exponent V Public key: Y (identity-based) Private key: X = Y -1/V mod N Sign (M) = (R,S) 1. Let Π = K V mod N, K random 2. Let R = Hash(Π M) HashID 3. Let S = KX R mod N Verify (M, (R,S)): 1. Let Π = Y R S V mod N 2. Check R = Hash(Π M) HashID DSA Scheme 1. Select S in [1,n-1], hash target T 2. Let R = T WeakHashID 3. Let Π = Y R S V mod N 4. Solve for M such that T = WeakHash(Π M) 5. Output M, (R,S) Only one try Target is prespecified, which may simplify inversion Signature scheme with appendix based on discrete logarithm problem In FIPS 186, a unique hash function: SHA-1 However, P1363 allows hash function flexibility Consider a variation of DSA with a firewall 3

DSA Signatures with a Firewall Domain parameters: prime p, base g, order q Public key y = g x mod p Private key x Sign (M) = (r,s): 1. Let r = (g k mod p) mod q, k random 2. Let R = Hash(M) HashID 3. Let s = k -1 (R + xr) mod q Verify (M, (r,s)): 1. Let R = Hash(M) HashID 2. Let a = Rs -1 mod q, b = rs -1 mod q 3. Check r = (g a y b mod p) mod q 1. Select a,b in [1,q-1] 2. Let r = (g a y b mod p) mod q 3. Let s = rb -1 mod q, R = as mod q 4. Decode R = T HashID 5. If HashID WeakHashID, goto 1 6. Solve for M such that T = WeakHash(M) 7. Output M, (r,s) Expect ~256 tries for minimum q PSS-R from IEEE P1363a D3 PSS-R Signatures (D3 version) Signature scheme with message recovery based on integer factorization problem As drafted, a hash function firewall based on ISO 10118 Public key: modulus n, exponent e Private key: d = e -1 mod φ(n) 1. Let T = Hash(salt len(m r ) Hash(M r M nr )) 2. Let U = G(T) (salt 00 01 M r ) 3. Let f = 6b T U HashID cc 4. Let s = f d mod n 2. Decode f = 6b T U HashID cc 3. Decode U G(T) = (salt 00 01 M r ) 4. Check T = Hash(salt len(m r ) Hash(M r M nr )) Comparison of Attacks 1. Select s in [1,n-1] 2. Let f = s e mod n 3. Decode f = 6b T U HashID cc 4. Decode U G(T) = (salt 00 01 M r ) 5. If decode error or HashID WeakHashID, goto 1 6. Solve for M nr such that T = WeakHash(salt len(m r ) WeakHash(M r M nr )) 7. Output M r, M nr, s Expect ~2 32 tries Decreasing difficulty for attacker: PSS-R: ~2 32 tries, M r constrained ISO 9796-2: ~2 24 tries, M r constrained DSA: ~256 tries, none of message constrained GQ: one try, hash target specified by attacker None of the attacks involves the actual signer all can be performed with access only to the signer s public key 4

Other Schemes with Firewalls PSS-R Signatures (D4 version) ISO/IEC 9796-4 (= DL/ECSSR in IEEE P1363a D4) optional firewall, can be broken ANSI X9.31 firewall is protected if minimum amount of padding, met in typical use PKCS #1 v1.5 firewall is protected by minimum amount of padding PSS and PSS-R in IEEE P1363a D4 no hash ID firewall, yet still protected if minimum amount of padding and G function is based on underlying hash function, except for pathological cases 1. Let T = Hash(len(M r ) M r Hash(M nr ) salt) 2. Let U = G(T) (00 01 M r salt) 3. Let f = U T bc 4. Let s = f d mod n 2. Decode f = U T bc 3. Decode U G(T) = (00 01 M r salt) 4. Check T = Hash(len(M r ) M r Hash(M nr ) salt) Firewall Without a Hash ID Firewall Protection With two requirements, the current PSS-R can heurisitically protect against weak hash function attacks: G must be based on the underlying hash function (00 01 M r salt) must have a minimum amount of padding These requirements protect against weaknesses in conventional hash functions only pathological hash functions are a risk, and these are unlikely to be accepted by a verifier Padding requirement met by PSS with appendix (i.e., M r empty) for typical hash function sizes Attacker wants f = s e that can be decoded as f = U T bc U G(T) = (00 01 M r salt) Existing signatures cannot be reused with a weak hash function because G(T) will be different New signatures cannot be forged because U G(T) will be unlikely to have the minimum padding, for random f inverting the hash function doesn t help only attack is to coerce verifier to use a pathological hash function constructed to match the format Schemes without Firewalls Conclusions Full Domain Hashing Pintsov-Vanstone These were not intended to protect against weak hash functions, as originally specified But if they had a hash ID firewall, the firewall could be broken for PV scheme, extension of attack on the non-firewall version (see D. Brown and D. Johnson, Formal Security Proofs for a Signature Scheme with Partial Message Recovery, http://grouper.ieee.org/groups/ 1363/Research) Hash function firewalls don t necessarily prevent weak hash function attacks! Scheme-specific analysis is needed some schemes are protected, perhaps with a minimum amount of padding some schemes are not Formal definitions of security against weak hash function attacks would be helpful In general, a verifier should be careful about the hash functions it accepts 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information