Digital signatures. Informal properties

Similar documents
Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Introduction to Cryptography CS 355

Digital Signature. Raj Jain. Washington University in St. Louis

CRC Press has granted the following specific permissions for the electronic version of this book:

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Crittografia e sicurezza delle reti. Digital signatures- DSA

Signature Schemes. CSG 252 Fall Riccardo Pucella

Digital Signature CHAPTER 13. Review Questions. (Solution to Odd-Numbered Problems)

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Authentication requirement Authentication function MAC Hash function Security of

Digital Signatures. Prof. Zeph Grunschlag

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Cryptography and Network Security Digital Signature

Cryptographic Hash Functions Message Authentication Digital Signatures

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Computer Science A Cryptography and Data Security. Claude Crépeau

Digital Signatures. What are Signature Schemes?

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Introduction. Digital Signature

DIGITAL SIGNATURES 1/1

1 Signatures vs. MACs

Cryptography Lecture 8. Digital signatures, hash functions

Data integrity and data origin authentication

Public Key Cryptography and RSA. Review: Number Theory Basics

2. Cryptography 2.4 Digital Signatures

Elements of Applied Cryptography Public key encryption

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Introduction to Computer Security

Overview of Public-Key Cryptography

MTAT Cryptology II. Digital Signatures. Sven Laur University of Tartu

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Computer Security: Principles and Practice

Hash Function Firewalls in Signature Schemes

Public Key Cryptography of Digital Signatures

Lecture 15 - Digital Signatures

Cryptography and Network Security

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

Digital Signatures. Meka N.L.Sneha. Indiana State University. October 2015

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

Seminar report Digital Signature Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science

Capture Resilient ElGamal Signature Protocols

Digital signatures are one of the most important inventions/applications of modern cryptography.

Cryptography. Jonathan Katz, University of Maryland, College Park, MD

Software Implementation of Gong-Harn Public-key Cryptosystem and Analysis

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

Randomized Hashing for Digital Signatures

CS549: Cryptography and Network Security

The application of prime numbers to RSA encryption

Practice Questions. CS161 Computer Security, Fall 2008

A New Generic Digital Signature Algorithm

CSCE 465 Computer & Network Security

Improved Online/Offline Signature Schemes

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Fast Batch Verification for Modular Exponentiation and Digital Signatures

Authentication, digital signatures, PRNG

Public Key (asymmetric) Cryptography

Twin Signatures: an Alternative to the Hash-and-Sign Paradigm

CRYPTOGRAPHY IN NETWORK SECURITY

Message authentication and. digital signatures

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Security Arguments for Digital Signatures and Blind Signatures

Table of Contents. Bibliografische Informationen digitalisiert durch

Recommendation for Applications Using Approved Hash Algorithms

A Factoring and Discrete Logarithm based Cryptosystem

Hash Functions. Integrity checks

Public Key Cryptography in Practice. c Eli Biham - May 3, Public Key Cryptography in Practice (13)

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Universal Padding Schemes for RSA

A New Efficient Digital Signature Scheme Algorithm based on Block cipher

Index Calculation Attacks on RSA Signature and Encryption

Notes on Network Security Prof. Hemant K. Soni

1 Message Authentication

RSA Attacks. By Abdulaziz Alrasheed and Fatima

Lecture 3: One-Way Encryption, RSA Example

Message Authentication

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

Public Key Cryptography Overview

Client Server Registration Protocol

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

ARCHIVED PUBLICATION

Analysis of Software Realized DSA Algorithm for Digital Signature

Cryptography and Network Security Chapter 9

Schnorr Signcryption. Combining public key encryption with Schnorr digital signature. Laura Savu, University of Bucharest, Romania

Discrete logarithms within computer and network security Prof Bill Buchanan, Edinburgh Napier

Transcription:

Digital signatures Informal properties Definition. A digital signature is a number dependent on some secret known only to the signer and, additionally, on the content of the message being signed Property. A digital signature must be verifiable If a dispute arises an unbiased third party must be able to solve the dispute equitably, without requiring access to the signer's secret A.A. 2012-2013 Digital signatures 2

Classification Digital signatures with appendix require the original message as input to the verification algorithm; use hash functions Examples: ElGamal, DSA, DSS, Schnorr Digital signatures with message recovery do not require the original message as input to the verification algorithm; the original message is recovered from the signature itself; Examples: RSA, Rabin, Nyberg-Rueppel A.A. 2012-2013 Digital signatures 3 Definitions Digital signatures with appendix M is the message space h is a hash function with domain M M h is the image of h S is the signature space Key generation Alice selects a private key d A which defines a signing algorithm S A which is a one-to-one mapping S A : M h S Alice defines the corresponding public key e A defining the verification algorithm V A such that V A (m*, s) = true if S A (m*) = s and false otherwise, for all m* M h and s S, where m* = h(m) for m M. A.A. 2012-2013 Digital signatures 4

Digital signatures with appendix The signing process M M h S h S A m m* s Signature generation process Compute m* = h(m), s = S A (m*) Send (m, s) A.A. 2012-2013 Digital signatures 5 Digital signature with appendix Verification process Obtain A s public key V A Compute m* = h(m), u = V A (m*, s) Accept the signature iff u = true A.A. 2012-2013 Digital signatures 6

Digital Signature with appendix Properties of S A and V A (efficiency) S A should be efficient to compute (efficiency) V A should be efficient to compute (security) It should be computationally infeasible for an entity other than A to find an m M and an s S such that V A (m*, s) = true, where m* = h(m) A.A. 2012-2013 Digital signatures 7 Digital Signature with message recovery Definitions M is the message space M S is the signing space S is the signature space Key generation A selects a private key d A defining a signing algorithm S A which is a one-to-one mapping S A : M S S A defines the corresponding public key defining the verification algorithm V A such that V A S A is identity map on M S. A.A. 2012-2013 Digital signatures 8

Digital signature with message recovery M The signing process M R S R S A m m* s M S Compute m* = R(m), R is a redundancy function (invertible) Compute s = S A (m*) A.A. 2012-2013 Digital signatures 9 Digital signature with message recovery The signing process M M R S R S A m m* s Obtain authentic public key V A Compute m* = V(s) M S Verify if m* M S (if not, reject the signature) Recover the message m = R -1 (m*) A.A. 2012-2013 Digital signatures 10

Digital signatures with message recovery Properties of S A and V A (efficiency) S A should be efficient to compute (efficiency) V A should be efficient to compute (security) It should be computationally infeasible for an entity other than A to find an s S such that V A (s) M S A.A. 2012-2013 Digital signatures 11 Dig sig with message recovery The redundancy function R and R -1 are publicly known Selecting an appropriate R is critical to the security of the system A bad redundancy function may lead to existential forgery Let us suppose that MR MS R and SA are bijections, therefore M and S have the same number of elements Therefore, for all s S, VA(s) MR. Hence, it is easy to find an m for which s is the signature, m = R -1 (VA(s)) s is a valid signature for m (existential forgery) A.A. 2012-2013 Digital signatures 12

Digital signatures with message recovery A good redundancy function although too redundant Example M = {m : m {0, 1} n }, M S = {m : m {0, 1} 2n } R: M M S, R(m) = m m (concatenation) M R M S When n is large, M R / M S = (1/2) n is small. Therefore, for an adversary it is unlikely to choose an s that yields V A (s) M R ISO/IEC 9776 is an international standard that defines a redundancy function for RSA and Rabin A.A. 2012-2013 Digital signatures 13 Dig sig with appendix from message recovery Signature generation Compute m* = R(h(m)), s = S A (m*) A s digital signature for m is s m, s are made available to anyone who may wish to verify the signature Signature verification Obtain A s public key VA Compute m* = R(h(m)), m = V A (s), and u = (m == m*) Accept the signature iff u = true Comment R is not security critical anymore and can be any one-toone mapping A.A. 2012-2013 Digital signatures 14

Types of attacks BREAKING A SIGNATURE Total break adversary is able to compute the signer s private key Selective forgery adversary controls the messages whose signature is forged Existential forgery adversary has no control on the messages whose signature is forged A.A. 2012-2013 Digital signatures 15 Types of attacks KEY-ONLY ATTACKS Adversary knows only the signer s public key MESSAGE ATTACKS known-message attack An adversary has signatures for a set of messages which are known by the adversary but not chosen by him chosen-message attack In this case messages are chosen by the adversary adaptive chosen-message attack In this case messages are adaptively chosen by the adversary A.A. 2012-2013 Digital signatures 16

Attacks a few considerations Adaptive chosen-message attack It is the most difficult attack to prevent Although an adaptive chosen-message attack may be infeasible to mount in practice, a well-designed signature scheme should nonetheless be designed to protect against the possibility The level of security may vary according to the application Example 1. When an adversary is only capable of mounting a key-only attack, it may suffice to design the scheme to prevent the adversary from being successful at selective forgery. Example 2. When the adversary is capable of a message attack, it is likely necessary to guard against the possibility of existential forgery. A.A. 2012-2013 Digital signatures 17 Attacks a few considerations Hash functions and digital signature processes When a hash function h is used in a digital signature scheme (as is often the case), h should be a fixed part of the signature process so that an adversary is unable to take a valid signature, replace h with a weak hash function, and then mount a selective forgery attack. Example. Let m, s where s = S A (h(m)). Let adversary be able to replace h with a weaker hash function g that is vulnerable to selective forgery. Then the adversary can determine m such that g(m ) = h(m); and replace m with m A.A. 2012-2013 Digital signatures 18

Digital signatures RSA-BASED DIG SIG A.A. 2012-2013 Digital signatures 19 RSA Key generation (see public key encryption) Signing operation: exponentiation by priv key Verification opeartion: exponentiation by pub key A.A. 2012-2013 Digital signatures 20

Types of RSA-based dig sig Digital signature with message recovery Redundancy function A suitable redundancy function is necessary in order to avoid existential forgery IOS/IEC 9796 (1991) defines a mapping that takes a k-bit integer and maps it into a 2k-bits integer Digital signature scheme with appendix MD5 (128 bit) PKCS#1 specifies a redundancy function mapping 128-bit integer to a k-bit integer, where k is the modulus size (k>512, k = 768, 1024) A.A. 2012-2013 Digital signatures 21 Attacks Same attacks as the cipher Multiplicative property of RSA Requirement on R: a necessary condition for avoiding existential forgery is that R must not satisfy the multiplicative property. A.A. 2012-2013 Digital signatures 22

The re-blocking problem The problem. If Alice wants to send a secret and signed message to Bob then it must be n A < n B Possible solutions Reordering: the operation with the smaller modulus is performed first CONS: The preferred order is always to sign first and encrypt later Two moduli for entity Each entity has two moduli Moduli for signing (e.g., t-bits) are always smaller of all possible moduli for encryption (e.g., t+1-bits) A.A. 2012-2013 Digital signatures 23 Probabilistic Signature Standard (PSS) Schoolbook RSA is subject to existential forgery The attack can be prevented by allowing only certain message formats (padding) Probabilistic Signature Standard s = EM d mod n Alternative to PKCS#1 PROS Verifiable secure Salting makes EM probabilistic A.A. 2012-2013 Digital signatures 24

Digital Signature DIGITAL SIGNATURES BASED ON EL GAMAL A.A. 2012-2013 Digital signatures 25 Discrete Logarithm Systems Discrete Logarithm Systems! Let p be a prime, q a prime divisor of p 1 and g [1, p 1] has order q! Let x be the private key selected at random from [1, q 1]! Let y be the corresponding public key y = g x mod p Discrete Logarithm Problem (DLP)! Given (p, q, g) and y, determine x A.A. 2012-2013 Digital signatures 26

El Gamal digital signature Signature Randomly select k Z* p 1 r = g k mod p, s = (h(m) xr)k 1 mod (p 1) The pair (r, s) is the digital signature for m Verification Verify that 1 r p 1; if not reject the signature Compute v1 = y r r s mod p Compute h(m) and v2 = g h(m) mod p Accept the signature only if v1 = v2 A.A. 2012-2013 Digital signatures 27 ElGamal consistency! If the digital signature (r, s) has been produced by Alice then s = (h(m) xr)k 1 mod (p 1).! Multiplying both sides by k gives ks = (h(m) xr) mod (p 1). Rearranging yields h(m)=ks+xr mod (p 1).! This implies that g h(m) = g xr+ks = (g x ) r r s mod p! Thus v 1 = v 2 as required. A.A. 2012-2013 Digital signatures 28

ElGamal security In order to forge a signature, an adversary can select k at random, compute r = gk mod p. Than he has to compute s = (h(m) xr)k 1 mod (p 1). If the DLP is computationally infeasible, the adversary can do no better than to choose an s at random; the success probability is 1/p which is negligible for large p. A different k must be selected for different messages otherwise the secret key x can be revealed If no hash function h is used, an adversary can easily mount an existential forgery attack. If the check on r is not done, an adversary can sign messages of its choice provided it has one valid signature produced by Alice A.A. 2012-2013 Digital signatures 29 Digital Signatures HASH FUNCTIONS A.A. 2012-2013 Digital signatures 30

Properties Hash functions properties Pre-image resistance Second pre-image resistance Collision resistance These properties are crucial for digital signatures security A.A. 2012-2013 Digital signatures 31 Pre-image resistance Digital signature scheme based on (school-book) RSA (n, d) is a Alice s private key; (n, e) is a Alice s public key s = (h(m)) d (mod n) If h is not pre-image resistant " existential forgery Adversary selects z < n, computes y = z e (mod n) and finds m' such that h(m') = y The the adversary claims that z is the digital signature of m' A.A. 2012-2013 Digital signatures 32

2nd preimage resistance Digital signature with appendix Let s = S(h(m)) be the digital signature for m A trusted third party chooses a message x that Alice signs producing s = S(d A, h(m)) If h is not 2nd-preimage resistant, an adversary (e.g. Alice herself) can claim that Alice has signed m instead of m Adversary determines a 2nd-preimage m' of m Adversary claims that Alice has signed m' instead of m A.A. 2012-2013 Digital signatures 33 Collision resistance Digital signature with appendix s = S(h(m)) is the digital signature for m If h() is not collision resistant, Alice (an untrusted party) can choose m and m' so that h(m) = h(m') compute s = S(d A, h(m)) issue <m, s> to Bob later claim that she actually issued <m', s> A.A. 2012-2013 Digital signatures 34

Digital signatures NON-REPUDIATION VS AUTHENTICATION A.A. 2012-2013 Digital signatures 35 Non-repudiation vs authentication DEFINITION. Non-repudiation prevents a signer from signing a document and subsequently being able to successfully deny having done so. Non-repudiation vs authentication of origin Authentication (based on symmetric cyptography) allows a party to convince itself or a mutually trusted party of the integrity/authenticity of a given message at a given time t0 Non-repudiation (based on public-key cyptography) allows a party to convince others at any time t1 t0 of the integrity/authenticity of a given message at time t0 A.A. 2012-2013 Digital signatures 36

Dig sig vs non-repudiation Alice s digital signature for a given message depends on the message and a secret known to Alice only (the private key) Bob verifies the digital signature by means of another, different value: the public key A.A. 2012-2013 Digital signatures 37 Dig sig vs non-repudiation Data origin authentication as provided by a digital signature is valid only while the secrecy of the signer s private key is maintained A threat that must be addressed is a signer who intentionally discloses his private key, and thereafter claims that a previously valid signature was forged This threat may be addressed by preventing direct access to the key use of a trusted timestamp agent use of a trusted notary agent A.A. 2012-2013 Digital signatures 38

Bob Trusted timestamping service s = S B (m) Trent <m, s> s S T (s t 0 ) Alice! Trent certifies that digital signature s exists at time t 0! If Bob s priv-key is compromised at t 1 > t 0, then s is valid A.A. 2012-2013 Digital signatures 39 Trusted Notary Service TNS generalize the TTS Trent certifies that a certain statement σ on the digital signatire s is true at t 0 s exists at t 0 s is valid at t 0 Trent is trusted to verify the statement before issuing it A.A. 2012-2013 Digital signatures 40

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information