Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Similar documents
Cryptography V: Digital Signatures

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Public Key Algorithms

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Digital Signature. Raj Jain

Cryptography and Network Security. Sixth Edition by William Stallings

Cryptography V: Digital Signatures

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

ASYMMETRIC CRYPTOGRAPHY

UNIT - IV Cryptographic Hash Function 31.1

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

CSC 474/574 Information Systems Security

Lecture 2 Applied Cryptography (Part 2)

Kurose & Ross, Chapters (5 th ed.)

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

CSE 127: Computer Security Cryptography. Kirill Levchenko

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Introduction to Cryptography Lecture 7

Other Topics in Cryptography. Truong Tuan Anh

CS 161 Computer Security

1. Digital Signatures 2. ElGamal Digital Signature Scheme 3. Schnorr Digital Signature Scheme 4. Digital Signature Standard (DSS)

Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 8

Chapter 9 Public Key Cryptography. WANG YANG

Part VI. Public-key cryptography

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Introduction to Cryptography Lecture 7

What did we talk about last time? Public key cryptography A little number theory

Encryption. INST 346, Section 0201 April 3, 2018

Spring 2010: CS419 Computer Security

Contents Digital Signatures Digital Signature Properties Direct Digital Signatures

Chapter 9. Public Key Cryptography, RSA And Key Management

CSC/ECE 774 Advanced Network Security

Message authentication. Why message authentication. Authentication primitives. and secure hashing. To prevent against:

Cryptography: More Primitives

Blind Signatures and Their Applications

Public-key Cryptography: Theory and Practice

Public Key Cryptography

CS Computer Networks 1: Authentication

Can we make digital signatures by digitalizing our usual signature and attaching them to the messages (documents) that need to be signed?

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Digital Signatures 1

Lecture 1 Applied Cryptography (Part 1)

CSC 5930/9010 Modern Cryptography: Digital Signatures

Making Use of the Subliminal Channel in DSA

Introduction to Cryptography Lecture 10

Introduction to Public-Key Cryptography

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Notes for Lecture 21. From One-Time Signatures to Fully Secure Signatures

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Lecture 3.4: Public Key Cryptography IV

CS549: Cryptography and Network Security

CS 161 Computer Security

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

CPSC 467: Cryptography and Computer Security

Cryptography and Network Security Chapter 13. Digital Signatures & Authentication Protocols

Appendix A: Introduction to cryptographic algorithms and protocols

Public Key Cryptography and the RSA Cryptosystem

CS408 Cryptography & Internet Security

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

n-bit Output Feedback

Spring 2010: CS419 Computer Security

LECTURE NOTES ON PUBLIC- KEY CRYPTOGRAPHY. (One-Way Functions and ElGamal System)

UNIT III 3.1DISCRETE LOGARITHMS

the validity of the signature can be checked by anyone who has knowledge of the sender's public key. In the signcryption scheme of [4], the unsigncryp

Cryptographic Checksums

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

CS 161 Computer Security

Math236 Discrete Maths with Applications

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

Key Establishment and Authentication Protocols EECE 412

Symmetric Encryption 2: Integrity

Applied cryptography

Digital Multi Signature Schemes Premalatha A Grandhi

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

RSA. Public Key CryptoSystem

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)

CSCE 715: Network Systems Security

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Ref:

Smalltalk 3/30/15. The Mathematics of Bitcoin Brian Heinold

Study Guide for the Final Exam

Number Theory and RSA Public-Key Encryption

Unit III. Chapter 1: Message Authentication and Hash Functions. Overview:

If DDH is secure then ElGamal is also secure w.r.t IND-CPA

1.264 Lecture 28. Cryptography: Asymmetric keys

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Key Exchange. Secure Software Systems

Public Key Algorithms

ENEE 459-C Computer Security. Message authentication

Key Management and Distribution

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

ECEN 5022 Cryptography

Transcription:

Digital Signatures Luke Anderson luke@lukeanderson.com.au 7 th April 2017 University Of Sydney

Overview 1. Digital Signatures 1.1 Background 1.2 Basic Operation 1.3 Attack Models Replay Naïve RSA 2. PKCS#1 3. ElGamal 4. Digital Signature Standard 5. One-Way Function Signatures

Digital Signatures

Signatures Signatures are used to bind an author to a document. Desirable properties for a signature: Authentic Sufficient belief that the signer deliberately signed the document. Unforgeable Proof that only the signer could have signed the document, no-one else. Non-reusable The signature is intrinsically bound to the document and cannot be moved to another (i.e. be reused). Unalterable The signature cannot be altered after signing. Non-repudiation The signer cannot later deny that they did not sign it (most important). As with all things, these properties can be attacked and subverted. We must consider such attacks when designing systems that use signatures.

Digital Signatures We have: m - k - F - S - The message to be signed The secret key The signature scheme (function) The signature S = F(m, k) The message m is signed using the secret key k, known only to the signer, which binds the signature S to the message m using some signature scheme F. Given (m, S) anyone can verify the signature without the secret k. Non-repudiation is achieved through the secrecy of k.

Digital Signatures with Public Keys Say Alice wishes to sign a message and send it to Bob Generation of a key: 1. Alice generates keys: A v : public (verifying) A s : private (signing) 2. A v is published in a public directory 3. A s is kept secret Signature Generation: 1. Alice chooses n random bits: r = {0, 1} n 2. Alice hashes the message to get a message digest: d = h(m) She uses a collision resistant hash function (CRHF) 3. Alice generates S = signature(d, r, A s ) 4. Alice sends (m, S) to Bob Signature Verification: 1. Bob obtains A v from the public directory 2. Bob computes d = h(m) 3. Bob runs verify(d, A V, S)

Attack Models Total Break Attacker can recover A s from A v and (m, S) Selective Forgery Attacker can forge signatures for a particular message or class of message Existential Forgery Possible only in theory (based on currently available resources) https://en.wikipedia.org/wiki/digital_signature_forgery

Signature Replay Why might we include r = {0, 1} n in the signature? Consider the following scenario: Alice sends Bob a digital cheque for 100. Bob takes the cheque to the bank. The bank verifies that the signature is valid and credits Bob s account. What is stopping Bob from cashing the same cheque twice? (i.e. perform a replay attack) The random value r is known as a nonce and is used to avoid replay. (in other words it assures freshness ) The bank keeps track of all nonces it has seen so far from Alice.

Signature based on RSA A naïve protocol based on RSA might be as follows. Key Generation: n = pq p, q are large primes de 1 mod ϕ(n) A v = (n, e) public/verifying key A s = (n, d) private/signature key Signature Generation: Assume m Z n S = m d mod n RSA decryption Signature Verification: S e = m mod n RSA encryption

Problems with Naïve RSA scheme Eve can trick Alice into signing any message m. Based on RSA s homomorphic property: If: s 1 = m d 1 (modn) and s 2 = m d 2 (modn) Then: s 1 s 2 = (m 1 m 2 ) d mod n Attack on naïve RSA scheme: 1. Eve wants Alice to sign hidden message m 2. Eve picks random r Z n 3. Eve computes m = m r e (modn) 4. Eve asks Alice to sign m 5. Alice returns s = (m ) d (modn) 6. Eve computes s = s r (modn) The pair (m, s) is a valid message signature pair! Eve tricked Alice into signing hidden message m Note that this trick also works with RSA decryption (Eve can get Alice to decrypt messages if Alice is not careful)

PKCS#1

PKCS#1 Signature Scheme (RFC2313) Public Key Cryptography Standards #1 Where the naïve RSA signature scheme has message recovery, the verification function actually returns the message. PKCS#1 processes a hash instead (much faster) Signature Generation: 1. n = pq (1024-bit modulus) 2. Alice calculates d = h(m) (160-bit hash) 3. Define encryption block: EB = [ 00 BT PS 00 D ] PS: The header is essentially padding BT: Block type dictates padding style EB is 864 bits + 160 bits = 1024 bits 4. Alice calculates S = EB d (modn) 5. Alice sends (S, m)

PKCS#1 Signature Scheme (RFC2313) Signature Verification: S = EB d (modn) Alice calculates S e mod n = EB (modn) Alice checks the first 864 bits are valid Alice checks the last 160 bits are valid (i.e. = h(m)) Project Tip You should use a variation of PKCS#1 in part 2 of the project.

ElGamal

ElGamal Signature Scheme ElGamal is an alternative signature scheme, whose security is based on the discrete log problem. Overview: Let: H: a collision-resistant hash function p: a large prime number g: a randomly chosen integer < p, from the group: Z n

ElGamal Signature Scheme Key Generation: Choose large prime p and generator g Z n Choose secret key x where 1 < x < p 2 Compute: y = g x (mod p) Public Key: y Private Key: x Signature Generation: Choose a random k where: 1 < k < p 1 gcd(k, p 1) = 1 Compute: r = g k (mod p) Compute: s = (H(m) xr)k 1 (mod p 1) (if s == 0, start again) (r, s) is the digital signature of m

ElGamal Signature Scheme Signature Verification: Verify: 0 < r < p and 0 < s < p 1 Check signature: g H(m) = y r r s (mod p) If everything checks out, the signature is correct. Note Signature generation implies: Hence: H(m) = xr + sk (mod p 1) y r r s = (g x ) r (g r ) r 1 (H(m) xr) = (g x ) r g (H(m) xr) = g H(m)

ElGamal Notes ElGamal is rarely used in practice. DSA/DSS is more widely used If weak generators (g) are chosen, selective forgery is possible. k must be random for each signature. If the same k is used twice, then the private key (x) can be recovered.

Digital Signature Standard

Digital Signature Algorithm (DSA) The Digital Signature Algorithm (DSA) was selected by NIST in 1991 as the Digital Signature Standard (DSS). Parameter Selection: Choose a hash function H Originally SHA-1 Now SHA-2 is preferred Choose key lengths N & L Choose a N-bit prime q Choose a L-bit prime modulus p such that p 1 is a multiple of q. Choose g Z n of multiplicative order modulo p is q. i.e. g = h p 1 q (mod p) 1 for some arbitrary h (1 < h < p 1) Key Generation: Secret key x chosen randomly in: 0 < x < q Compute public key: y = g x (mod p) Also provide p, q, and g parameters as part of public key.

Digital Signature Algorithm (DSA) Signature Generation: Pick random k Z n where 1 < k < q Must be unique per message Calculate r = (g k (mod p)) (mod q) r 0 Calculate s = k 1 (H(m) + xr) (mod q) s 0 Signature is: (r, s)

Digital Signature Algorithm (DSA) Signature Verification: Verify: 0 < r < q 0 < s < q Calculate w = s 1 (mod q) Calculate u 1 = H(m) w (mod q) Calculate u 2 = r w (mod q) Calculate v = (g u1 y u 2 (mod p)) (mod q) Signature is valid if v == r Check it! Take a look at en.wikipedia.org/wiki/digital_signature_algorithm for the working.

Notes on DSA/DSS Security analysis of ElGamal is very similar to DSA. DSA is standard for signatures because: DSA cannot be used for encryption (ElGamal can) Signatures are short (approx. 320 bits) Patent issues Security of DSA is based on the security of subgroups g. It is not known whether a sub-exponential algorithm exists in the size of the subgroup for discrete log. DSA signature verification can be sped up (by a factor of 2) by using simultaneous exponentiation.

One-Way Function Signatures

Signatures based on One-Way-Functions The Lamport one-time signature scheme is a digital signature scheme based on one-way hash functions. Key Generation: For a n-bit message, generate 2n m bit numbers: {x (0) 1,..., x(0) n }, {x (1) 1,..., x(1) n } {0, 1} m Public key is: v (j) i Private key is all of: x (j) i Signature Generation: For a message M = m 1,..., m n = H(x (j) i ) for all i, j Signature is: s = (x (m 1) 1,..., x (m n) n ) i.e. we select block x (0) 1 if bit 1 of m is 0, otherwise x (1) 1 Signature Verification: Test that for all i: H(x (m i) i ) = v (m i) i

Signatures based on One-Way-Functions Notes: Only the sender knows the values of x that produce the signature. The public key is very long and must be unique for every message 1. The message itself expands by a factor of m (each bit expands to a m-bit block). Since m must be large to reduce the likelihood of attack, the message expansion is considerable. Lamport signatures are believed to be quantum-resistant, unlike ElGamal or RSA based schemes. 1 unless we use Merkle trees

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback