Digital Signatures. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 54

Transcription

1 Digital Signatures Ali El Kaafarani Mathematical Institute Oxford University 1 of 54

2 Outline 1 Definitions 2 Factoring Based Signatures 3 Dlog Based Signatures 4 Hash-Based Signatures 5 Certificates 6 SSL/TLS 2 of 54

3 An Overview Digital signatures are used to provide Integrity (or authenticity) in the public key setting. For instance, software companies use them to allow the clients to verify that the software updates are authentic. Companies simply sign their updates using their secret keys, and clients can then verify the authenticity of the updates by verifying the validity of the signatures against the companies public keys, that are already known to the clients. 3 of 54

4 An Overview If a signature σ on a message m is verified correctly against a given public key PK, it ensures that the message was indeed sent by the owner of this public key (already known to potential verifiers) and the message was NOT modified in transit. Non-repudiation: signers cannot deny having signed a message. In comparison to message authentication codes (MACs); Key distribution and management is hugely simplified. Signatures are publicly verifiable they are transferable (essential for certificates). MACs are shorter and more efficient to generate/verify. 4 of 54

5 Syntax A digital signature scheme S consists of the following PPT algorithms: KeyGen(1 n ): it takes the security parameter as input and returns a pair of keys (PK, SK), the public key PK and its matching secret key SK. Sign(SK, m): it takes a secret key SK, a message m and returns a signature σ. Verify(PK, m, σ): A deterministic algorithm that takes the public key PK and a signature σ, and returns a bit, 1 for valid signatures and 0 for invalid ones. 5 of 54

6 Security Definition: Unforgeability Experiment Algorithm (Unforg A,S (n)) KeyGen(1 n ): returns the keys (PK, SK). Signing Queries: the adversary A is given access to a signing oracle Sign(SK, ). Let Q be the set of all messages that A asked its oracle to sign. A s output: a pair (m, σ ). If Verify(PK, m, σ ) = 1 and m Q, return 1, else return 0. 6 of 54

7 Security Definition: Unforgeability Experiment Definition A signature scheme S = (KeyGen, Sign, Verify) is existentially unforgeable under an adaptive chosen-message attack, if for all PPT adversaries A, we have Pr[Unforg A,S (n) = 1] negl(n) 7 of 54

8 Hash-and-Sign Paradigm Let S = (KeyGen, Sign, Verify) a digital signature scheme for messages of length l(n) and H a hash function with output length l(n). We define a signature scheme S = (KeyGen, Sign, Verify ) for arbitrary length messages as follows: KeyGen (1 n ): it runs KeyGen(1 n ) to get a pair of keys (PK, SK), and KeyGen H (1 n ) to get s. Sign (SK, m): it takes the keys (s, SK), a message m {0, 1} and returns a signature σ := Sign(SK, H s (m)). Verify (PK, s, m, σ): it that takes the public keys (s, PK), a message m and a signature σ, it returns 1 iff Verify(PK, H s (m), σ) = 1. 8 of 54

9 Outline 1 Definitions 2 Factoring Based Signatures 3 Dlog Based Signatures 4 Hash-Based Signatures 5 Certificates 6 SSL/TLS 9 of 54

10 RSA Signatures: Plain RSA We define the plain RSA signatures as follows: KeyGen(1 n ): it takes the security parameter n as input and returns a modulus N, a product of two n-bit primes, p, q. It also outputs two integers e, d s.t. e d = 1 mod φ(n). PK = (N, e) and SK = (N, d) as the secret key. Sign(SK, m): it takes a secret key SK, a message m Z N and returns a signature σ := m d mod N Verify(PK, m, σ): it takes the public key PK and a signature σ, and a message m and returns a bit, 1 iff m = σ e mod N 10 of 54

11 Security Analysis of Plain RSA Same problem with the m being uniform. What about forging signatures on messages that the adversary can choose? No message attack: given a public key (N, e), pick σ Z N, and compute the message as m σ e mod N, output the forgery (m, σ). Malleability: knowing two valid signatures on two messages m 1, m 2, we can construct a valid signature on a new message m = m 1 m 2 as follows; σ σ 1 σ 2 mod N. 11 of 54

12 RSA-Full Domain Hash (RSA-FDH) We define the RSA-FDH signature scheme as follows: KeyGen(1 n ): it takes the security parameter n as input and returns a modulus N, a product of two n-bit primes, p, q. It also outputs two integers e, d s.t. e d = 1 mod φ(n). PK = (N, e) and SK = (N, d) as the secret key. It also generates a function H : {0, 1} Z N. Sign(SK, m): it takes a secret key SK, a message m Z N and returns a signature σ := H(m) d mod N Verify(PK, m, σ): it takes the public key PK and a signature σ, and a message m and returns a bit, 1 iff 12 of 54 H(m) = σ e mod N

13 Security of (RSA-FDH) Theorem If the RSA problem is hard and H is modelled as a random oracle, then the digital signature RSA-FDH is secure. 13 of 54

14 Security of (RSA-FDH) Proof. Let A be a PPT adversary, we make the following assumptions during the security proof: If A queries the signing oracle for a signature on a message m, then it previously queried m to H. Same when A outputs a forgery (m, σ). A makes exactly q(n) distinct queries to H. We will build an adversary A that can solve the RSA problem as follows: 14 of 54

15 Security of (RSA-FDH) Proof. A (N, e, y): Choose uniform j {1,, q} Send pk = (N, e) to A. Manage a storage table for triples of the form (m i, σ i, y i ) which means that A has set H(m i ) = y i, where σi e = y i mod N. Hash queries: When A makes its i-th queries, answer as follows: if i = j, answer the query by y. else Choose a uniform σ i Z N, compute y i σi e mod N, store the tuple (m i, σ i, y i ) in the table and return y i. 15 of 54

16 Security of (RSA-FDH) Proof. Signing queries: When A makes its signing queries on m, so m = m i is already in the hash queries table, answer it as follows: if i = j, then aborts. else find the entry (m i, σ i, y i ) from the table, and return σ i to A. Finally, A outputs its forgery (m, σ). If m = m j and σ e = y mod N, then output σ as an answer to the RSA problem. We observe that; Pr[RSA-Exp A ] = Pr[Unforg A,S (n)] q(n) 16 of 54

17 More on RSA-FDH Included in the RSA PKCS #1 v2.1 standards. Some practical attacks on RSA-FDH are known if H has small output length. Therefore, cryptographic hash functions such as SHA-1 are not suitable. 17 of 54

18 Outline 1 Definitions 2 Factoring Based Signatures 3 Dlog Based Signatures 4 Hash-Based Signatures 5 Certificates 6 SSL/TLS 18 of 54

19 Schnorr Identification Scheme A three round interactive protocol that can be used to allow one party to authenticate itself. We will have two parties, a prover (e.g. a user ) and a verifier (e.g a web server). Security of an identification scheme: Given an adversary that can eavesdrop on multiple executions of the protocol and who doesn t know the prover s secret key, he should NOT be able to fool the verifier into accepting. 19 of 54

20 Schnorr Identification Scheme Prover(x) Verifier(G, q, g, y = g x ) k $ Z q I g k I Challenge c $ Z q c s [cx + k mod q] s 20 of 54 g s y c? = I

21 Security of Schnorr Identification Scheme Theorem If Dlog is hard in G, then Schnorr identification is secure. Sketch proof. Assuming that the adversary can, on input y G, output a response s for any challenge c with high probability, then it can in particular respond with correct responses s 1, s 2 to two distinct challenge values c 1, c 2 Z q. But this means that we now have g s1 y c 1 = I = g s2 y c 2 And therefore, one can compute the Dlog problem by finding 21 of 54 y = g s 2 s 1 c 2 c 1.

22 Security of Schnorr Identification Scheme Sketch proof. What about the fact that the adversary is passively eavesdropping on the executions of the protocol? Does learning an honest transcript (I, r, s) help anyway? We show that the adversary can simulate the transcript himself by reversing the order of the steps: Choose uniform and independent c, s Z q Set I := g s y c. The transcript (I, r, s ) is indistinguishable from an honest one! 1 This is essential in the Zero-Knowledge Proofs topic. 22 of 54

23 Fiat-Shamir Transform It can be used to transform an interactive identification scheme into a non-interactive signature scheme. The signer runs the whole protocol by itself. It applies a hash function to (m, I) in order to generate the challenge c. The signature on m is now (c, s). The verifier can recompute I and check if the c = H(I, m). 23 of 54

24 The Schnorr Signature Scheme KeyGen(1 n ): it takes the security parameter n as input and returns (G, q, g). It chooses a uniform x Z q and sets y = g x. the secret key is SK = x whereas the public key is PK = (G, q, g, y). It also generates a hash function H : {0, 1} Z q. Sign(SK, m {0, 1} ): it takes a secret key SK and a message m Z N, it then chooses a uniform k Z q and sets I = g k. It computes c := H(I, m) and [s := cx + k mod q]. It finally returns a signature σ := (c, s) Verify(PK, m, σ): it takes the public key PK and a signature σ, and a message m and computes I := g s y c and output 1 if 24 of 54 H(I, m)? = c

25 Security of the Schnorr Signature Scheme Theorem If the Dlog is hard in G and H is modelled as a random oracle, then the Schnorr signature scheme is secure. 25 of 54

26 Digital Signature Algorithm (DSA) and (ECDSA) Some of their versions go back to Both in the Digital Signature Standard (DSS) published by NIST. They are based on some identification scheme that are secure if Dlog is hard. 26 of 54

27 DSA: underlying identification scheme Prover(x) Verifier(G, q, g, y = g x ) k $ Z q I g k I c, α Challenge c, α $ Z q s [k 1 (α + xc) mod q] s s? 0 27 of 54 g αs 1 y cs 1? = I

28 DSA: underlying identification scheme Correctness of the scheme: It is correct as long as s 0, which only happens if α = xc mod q. The probability that this happens is negligible. Security: based on the hardness of Dlog. Assume that the attacker, and after he outputs an initial message I, he can output correct responses (s 1, s 2 ) for two different challenges (α, c 1 ) and (α, c 2 ). Exercise: compute log g y. 28 of 54

29 DSA KeyGen(1 n ): it takes the security parameter n as input and returns (G, q, g). It chooses a uniform x Z q and sets y = g x. the secret key is SK = x whereas the public key is PK = (G, q, g, y). It also generates two functions H : {0, 1} Z q and F : G Z q. Sign(SK, m {0, 1} ): it takes a secret key SK and a message m Z N, it then chooses a uniform k Z q and sets c := F(g k ). It computes s := [k 1 (H(m) + xc) mod q]. If s = 0 or c = 0 start again by choosing a fresh k. It finally returns the signature σ := (c, s). Verify(PK, m, σ): it takes the public key PK and a signature σ with c, s 0, and a message m. It output 1 if g H(m) s 1 y c s 1? = c 29 of 54

30 Security of DSA/ECDSA Can be proven secure assuming the we model H and F as random oracles. Fine with H, but not with F. No known proofs for F as it is specified in the standard. Choosing k properly is crucial. Knowing k, you can recover the secret key x (check it!). Using the same k for different signatures is very bad! This is what the hackers did to recover the master secret key of Sony PS3 in 2010! 30 of 54

31 Pairings based signatures Boneh-Lynn-Shacham signatures. Boneh-Boyen signatures of 54

32 Outline 1 Definitions 2 Factoring Based Signatures 3 Dlog Based Signatures 4 Hash-Based Signatures 5 Certificates 6 SSL/TLS 32 of 54

33 Hash-Based Signatures Signature schemes that are based on hash functions. No reliance on number-theoretic hardness assumptions. No reliance on random oracles. Believed to be post-quantum secure. 33 of 54

34 Lamport s Signature Scheme It is a one-time secure signature scheme. This was introduced by Leslie Lamport in By one-time we mean that the adversary can only query the signing oracle on exactly one message. One-time secure signatures are usually used to build other cryptosystems (including digital signatures) that achieve stronger notions of security. 34 of 54

35 Lamport s Signature Scheme Example (Katz-Lindell book) Let s consider the example of a 3-bit message. Let the private key and public keys be as follows: ( ) ( ) y1,0 y PK = 2,0 y 3,0 x1,0 x SK = 2,0 x 3,0 y 1,1 y 2,1 y 3,1 x 1,1 x 2,1 x 3,1 {x i,j } are chosen uniformly at random from {0, 1} n and y i,j = H(x i,j ), for i = 1, 2, 3; j = 1, 2. Given m = 011, the signature will be σ = (x 1,0, x 2,1, x 3,1 ). Verification: given m = 011 and σ = (x 1,0, x 2,1, x 3,1 ), Check if 35 of 54 H(x 1,0 )? = y 1,0 H(x 2,1 )? = y 2,1 H(x 3,1 )? = y 3,0

36 Lamport s Signature Scheme How can an attacker forge the previous one-time scheme? 36 of 54

37 Lamport s Signature Scheme How can an attacker forge the previous one-time scheme? He can learn ONLY one signature on one message m of his choice. He has to output a signature on a new message m. The new signature will then involve some new x i,j, say x 1,1. This means that he managed to compute the preimage of y 1,1 that is a part of the public key. This can t happen if H is a one-way function, i.e. finding the preimage is computationally difficult. 36 of 54

38 Lamport s Signature Scheme Given a function H : {0, 1} {0, 1}, the Lamport s signature scheme for messages of length l(n) can be defined as follows: KeyGen(1 n ): it generates the following private and public keys: ( ) ( ) y1,0 y PK = 2,0... y l,0 x1,0 x SK = 2,0... x l,0 y 1,1 y 2,1... y l,1 x 1,1 x 2,1... x l,1 where {x i,j } are chosen uniformly at random from {0, 1} n and y i,j = H(x i,j ), for i = 1,..., l; j = 1, 2. Sign(SK, m {0, 1} l ) : the signature will be σ = (x 1,m1,..., x l,ml ), where m = m 1... m l Verify(m, σ, PK): on input m = m 1... m l and σ = (x 1,..., x l ), output 1 iff 37 of 54 H(x i )? = y i,mi, i [1, l]

39 Security of Lamport s Signature Scheme Theorem If H is a one-way function, then the Lamport s signature scheme is a one-time secure signature scheme. 38 of 54

40 Outline 1 Definitions 2 Factoring Based Signatures 3 Dlog Based Signatures 4 Hash-Based Signatures 5 Certificates 6 SSL/TLS 39 of 54

41 Certificates It solves the problem of distribution of public keys. A trusted party is needed to start the process. Then we can distribute arbitrarily many different public keys. A digital certificate is a digital signature that binds an entity to a certain public key. Assume that we have two parties Alice (PK A, SK A ) and Bob (PK B, SK B ). We also assume that Alice knows PK B. Alice can issue a certificate for Bob s key as follows: cert A B := Sign(SK A, Bob s key is PK B ) More identifying information about Bob are usually included in the certificate! 40 of 54

42 Certificates and Public Key Infrastructure (PKI) In the simplest form of PKI, we have at least one Certificate Authority (CA). A CA is a company (or a government agency) that certifies public keys. Everybody has to get a legitimate copy of PK CA. The easiest way to distribute PK CA is by physical means, e.g. USB stick (for new employees). Other ways include embedding CA s public key in the browser. Now if Charlie receives cert CA B, he will be sure that the signed public key, i.e. PK B, does indeed belong to Bob. 41 of 54

43 Certificates and Public Key Infrastructure (PKI) Delegations and certificate chains: a root CA can issue certificates to other CAs, say CA1, CA2, etc., that says: CA1 s public key is PK CA1 and is trusted to issue other certificate The web of trust model: a decentralized model- no reliance on a root CA. Pretty Good Privacy (PGP) is an example of this model. It is an -encryption software for distribution of public keys. Invalidating Certificates: Expiration: you can include an expiry date in the certificate. Revocation: you can include a serial number in the certificate, so that you can include in a certificate revocation list (CRL) that will be updated regularly. 42 of 54

44 Outline 1 Definitions 2 Factoring Based Signatures 3 Dlog Based Signatures 4 Hash-Based Signatures 5 Certificates 6 SSL/TLS 43 of 54

45 SSL/TLS Secure Socket layer (SSL) is the old version that was developed by Netscape around mid-1990s. Transport Layer Security (TLS) is its new version. Major websites now support the (TLS 1.2), although 50% of the websites still use TLS1.0! A given client (web browser) and a given server (website), can use TLS to agree on some shared keys which they will use to encrypt and authenticate their communication. 44 of 54

46 SSL/TLS TLS consists of two phases: The handshake protocol: it performs an authenticated key exchange mechanism to establish the shared keys. The record layer protocol: it usually uses the shared keys to encrypt/authenticate the communication between parties. It first authenticates servers (that have certificates) to clients, and then clients, can authenticate themselves to servers at the application level by using passwords. (Next slide s diagrams from and 45 of 54

47 46 of 54

48 47 of 54

49 The Handshake Protocol-1 Step 1:C S: (ciphersuites, nonce N C ). % A nonce is a uniform value. Step 2: S C: (Latest version of TLS it supports, ciphersuites, PK S, cert i S, nonce N S ). Step 3: C verifies the certificate against the PK of CA i, it makes sure it is not revoked or expired. If it is valid, it will use PK S as the server s public key. (c, pmk) Encaps PKS (1 n ) mk key-derivation function(pmk, N C, N S ) (k C, k C, k S, k S) PRG(mk) τ C MAC mk (transcript : all exchanged messages) C S: (c, τ C ) 48 of 54

50 The Handshake Protocol-2 Step 4: S computes pmk Decaps SKS (c). mk key-derivation function(pmk, N C, N S ). (k C, k C, k S, k S) PRG(mk). If Verify mk (transcript, τ C ) 1, then S aborts. Else τ S MAC mk (transcript ), transcript = transcript last message from C. S C: τ S Step 5: If Verify mk (transcript, τ S ) 1, C aborts. At the end of the handshake protocol, the client C and the server S share the following symmetric keys: k C, k C, k S, k S. 49 of 54

51 The Record-Layer Protocol C will use k C to encrypt and k C to authenticate all messages that it will send to S. S will do the same with k S and k S. They will use sequence numbers to prevent replay attacks. Note that even TLS 1.2 uses MAC-then-Encrypt approach, so no wonder why we have lots of attacks on TLS! 50 of 54

52 Further Reading (1) Carlisle Adams and Steve Lloyd. Understanding PKI: concepts, standards, and deployment considerations. Addison-Wesley Professional, Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM conference on Computer and communications security, pages ACM, Dan Boneh, Ben Lynn, and Hovav Shacham. Short signatures from the weil pairing. Journal of cryptology, 17(4): , of 54

53 Further Reading (2) Tim Dierks. The transport layer security (TLS) protocol version Carl Ellison and Bruce Schneier. Ten risks of PKI: What you re not being told about public key infrastructure. Comput Secur J, 16(1):1 7, Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. In Advances in Cryptology CRYPTO 86, pages Springer, of 54

54 Further Reading (3) Martin Georgiev, Subodh Iyengar, Suman Jana, Rishita Anubhai, Dan Boneh, and Vitaly Shmatikov. The most dangerous code in the world: validating SSL certificates in non-browser software. In Proceedings of the 2012 ACM conference on Computer and communications security, pages ACM, Hugo Krawczyk. Cryptographic extraction and key derivation: The hkdf scheme. In Annual Cryptology Conference, pages Springer, of 54

55 Further Reading (4) Hugo Krawczyk, Kenneth G Paterson, and Hoeteck Wee. On the security of the TLS protocol: A systematic analysis. In Advances in Cryptology CRYPTO 2013, pages Springer, Leslie Lamport. Constructing digital signatures from a one-way function. Technical report, Technical Report CSL-98, SRI International Palo Alto, William Stallings. Network security essentials: applications and standards. Pearson Education India, of 54