UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX

Similar documents
The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Cryptography and Network Security. Sixth Edition by William Stallings

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 6 Introduction to Public-Key Cryptography

Digital Signature. Raj Jain

Digital Signatures 1

Public Key Algorithms

Understanding Cryptography by Christof Paar and Jan Pelzl. Chapter 9 Elliptic Curve Cryptography

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 6 Introduction to Public-Key Cryptography

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

LECTURE NOTES ON PUBLIC- KEY CRYPTOGRAPHY. (One-Way Functions and ElGamal System)

1. Digital Signatures 2. ElGamal Digital Signature Scheme 3. Schnorr Digital Signature Scheme 4. Digital Signature Standard (DSS)

Elliptic Curve Public Key Cryptography

Other Topics in Cryptography. Truong Tuan Anh

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Making Use of the Subliminal Channel in DSA

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Cryptography and Network Security Chapter 13. Digital Signatures & Authentication Protocols

CHAPTER 4 VERIFIABLE ENCRYPTION OF AN ELLIPTIC CURVE DIGITAL SIGNATURE

IEEE Std and IEEE Std 1363a Ashley Butterworth Apple Inc.

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

Key Management and Distribution

Abhijith Chandrashekar and Dushyant Maheshwary

CSC 474/574 Information Systems Security

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Channel Coding and Cryptography Part II: Introduction to Cryptography

Public Key Cryptography

Chapter 9 Public Key Cryptography. WANG YANG

Spring 2010: CS419 Computer Security

Lecture 3.4: Public Key Cryptography IV

Cryptography and Network Security Chapter 10. Fourth Edition by William Stallings

Cryptography and Network Security

The Application of Elliptic Curves Cryptography in Embedded Systems

Introduction to Elliptic Curve Cryptography

10.1 Introduction 10.2 Asymmetric-Key Cryptography Asymmetric-Key Cryptography 10.3 RSA Cryptosystem

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Chapter 9. Public Key Cryptography, RSA And Key Management

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Contents Digital Signatures Digital Signature Properties Direct Digital Signatures

Encryption. INST 346, Section 0201 April 3, 2018

SM9 identity-based cryptographic algorithms Part 2: Digital signature algorithm

CSE 127: Computer Security Cryptography. Kirill Levchenko

Digital Multi Signature Schemes Premalatha A Grandhi

ECC Elliptic Curve Cryptography. Foundations of Cryptography - ECC pp. 1 / 31

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

Public Key Cryptography

Introduction to Cryptography Lecture 7

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security

UNIT III 3.1DISCRETE LOGARITHMS

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Cryptography V: Digital Signatures

A SIGNATURE ALGORITHM BASED ON DLP AND COMPUTING SQUARE ROOTS

CS408 Cryptography & Internet Security

CPSC 467: Cryptography and Computer Security

Network Security. Chapter 4 Public Key Cryptography. Public Key Cryptography (4) Public Key Cryptography

Cryptography V: Digital Signatures

Cryptographic Systems

Introduction to Cryptography Lecture 7

Number Theory and RSA Public-Key Encryption

Topics. Number Theory Review. Public Key Cryptography

ASYMMETRIC CRYPTOGRAPHY

Innovation and Cryptoventures. Digital Signatures. Campbell R. Harvey. Duke University, NBER and Investment Strategy Advisor, Man Group, plc

Innovation and Cryptoventures. Digital Signatures. Campbell R. Harvey. Duke University, NBER and Investment Strategy Advisor, Man Group, plc

Introduction to Public-Key Cryptography

Lecture 20 Public key Crypto. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Bailey s ECE 422

Computer Security: Principles and Practice

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Kurose & Ross, Chapters (5 th ed.)

Lecture 2 Applied Cryptography (Part 2)

Public Key (asymmetric) Cryptography

The use of Elliptic Curve Cryptography in DNSSEC

Key Exchange. Secure Software Systems

HOST Cryptography I ECE 525. Cryptography Handbook of Applied Cryptography &

UNIT - IV Cryptographic Hash Function 31.1

CS 161 Computer Security

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

APNIC elearning: Cryptography Basics

Zeon PDF Driver Trial

Cryptography (DES+RSA) by Amit Konar Dept. of Math and CS, UMSL

Public Key Algorithms

Cryptography and Network Security Chapter 13. Fourth Edition by William Stallings. Lecture slides by Lawrie Brown

PROTECTING CONVERSATIONS

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Part VI. Public-key cryptography

Overview. Public Key Algorithms I

Cryptographic Concepts

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

SECURITY MANAGEMENT SYSTEM FUNCTIONAL ARCHITECTURE FOR ENTERPRISE NETWORK

Public Key Algorithms

CS 161 Computer Security

Public Key Encryption

Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography

RSA (algorithm) History

Chapter 7 Public Key Cryptography and Digital Signatures

Transcription:

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 10 Digital Signatures Israel Koren ECE597/697 Koren Part.10.1 Content of this part The principle of digital signatures Security services The RSA digital signature scheme The Digital Signature Algorithm (DSA) The Elliptic Curve Signature Algorithm (ECDSA) ECE597/697 Koren Part.10.2 Page 1

Motivation Bob orders a pink car from the car dealer Alice After seeing the pink car, Bob states that he has never ordered it How can Alice prove to a judge that Bob has ordered a pink car? (And that she did not fabricate the order herself) Symmetric cryptography fails because both Alice and Bob can be malicious Can be achieved with public-key cryptography ECE597/697 Koren Part.10.3 Basic Principle of Digital Signatures Alice Bob ECE597/697 Koren Part.10.4 Page 2

Main idea For a given message x, a digital signature is appended to the message (just like a conventional signature). Only the person with the private key should be able to generate the signature. The signature must change for every document. The signature is realized as a function with the message x and the private key as input. The public key and the message x are the inputs to the verification function. ECE597/697 Koren Part.10.5 Core Security Services 1.Confidentiality: Information is kept secret from all but authorized parties. 2.Integrity: Ensures that a message has not been modified in transit. 3.Message Authentication: Ensures that the sender of a message is authentic. An alternative term is data origin authentication. 4.Non-repudiation: Ensures that the sender of a message can not deny the creation of the message. (e.g., order of a pink car) ECE597/697 Koren Part.10.6 Page 3

Additional Security Services 5. Identification/entity authentication: Establishing and verification of the identity of an entity, e.g., a person, a computer, or a credit card. 6. Access control: Restricting access to the resources to privileged entities. 7. Availability: The electronic system is reliably available. 8. Auditing: Provides evidences about security relevant activities, e.g., by keeping logs about certain events. 9. Physical security: Providing protection against physical tampering and/or responses to physical tampering attempts 10.Anonymity: Providing protection against discovery and misuse of identity. ECE597/697 Koren Part.10.7 Main idea of the RSA signature scheme To generate the private and public key: Use the same key generation as RSA encryption. To generate the signature: encrypt the message x with the private key s = sig Kpriv (x) = x d mod n Append s to message x To verify the signature: decrypt the signature with the public key x =ver Kpub (s)=s e mod n If x=x, the signature is valid ECE597/697 Koren Part.10.8 Page 4

The RSA signature Protocol Alice Bob K pub K pr = d K pub = (n, e) (x,s) Compute signature: s = sig k pr (x) x d mod n Verify signature: x s e mod n If x x mod n valid signature* If x x mod n invalid signature and the message was not modified in transit The message x and signature s can be encrypted using AES ECE597/697 Koren Part.10.9 Security and Performance of the RSA signature Scheme Security: The same constrains as RSA encryption: n needs to be at least 1024 bits to provide a security level of 80 bit. The signature, consisting of s, needs to be at least 1024 bits long Performance: The signing process is an exponentiation with the private key and the verification process an exponentiation with the public key e. Signature verification is very efficient as a small number can be chosen for the public key. Signed once but verified several times ECE597/697 Koren Part.10.10 Page 5

Existential Forgery Attack against RSA signature Alice (n,e) Oscar (n,e) Bob K pr = d K pub = (n, e) (x,s) Verification: x s e mod n 1. Choose signature: s Z n 2. Compute message: x s e mod n since x= s e mod n, x=x Signature is valid ECE597/697 Koren Part.10.11 Existential Forgery and Padding An attacker can generate valid message-signature pairs (x,s) But an attack can only choose the signature s and NOT the message x Attacker cannot generate messages like Transfer $1000 into Oscar s account Formatting the message x according to a padding scheme can be used to make sure that an attacker cannot generate valid (x,s) pairs. (A message x generated by an attacker during an Existential Forgery Attack will not coincide with the padding scheme. ECE597/697 Koren Part.10.12 Page 6

RSA Padding Probabilistic Signature Standard (PSS) M message EM encoded message MGF mask generation function (e.g., SHA) fixed padding1, padding2 and bc signature = EM d mod n ECE597/697 Koren Part.10.13 Digital signature Algorithm (DSA) - background Federal US Government standard for digital signatures (DSS) Proposed by the National Institute of Standards and Technology (NIST) DSA is based on the ElGamal signature scheme Signature is only 320 bits long while the original ElGamal signature scheme requires 1024 or more Original ElGammal scheme is subject to an existential forgery attack Signature verification is slower compared to RSA ECE597/697 Koren Part.10.14 Page 7

Digital signature Algorithm (DSA) - 1 Key generation of DSA: 1. Generate a prime p with 2 1023 < p < 2 1024 2. Find a prime divisor q of p with 2 159 < q < 2 160 3. Find an integer α with ord(α)=q (i.e., it generates the subgroup with q elements) 4. Choose a random integer d with 0<d<q 5. Compute β α d mod p The keys are: k pub = (p,q,α,β) k pr = (d) ECE597/697 Koren Part.10.15 Digital signature Algorithm (DSA) - 2 DSA signature generation: Given: message x, private key d and public key (p,q,α,β) 1. Choose a random (integer) ephemeral key k E satisfying 0<k E <q 2. Compute r (α k E mod p) mod q 3. Compute s (SHA(x)+d r) k E mod q The signature consists of (r,s) SHA denotes the hash function SHA which computes a 160-bit fingerprint of message x. ECE597/697 Koren Part.10.16 Page 8

Digital signature Algorithm (DSA) - 3 DSA signature verification: Given: message x, signature (r,s) and public key (p,q,α,β) 1. Compute the inverse of s : w s mod q 2. Compute auxiliary value u 1 w SHA(x) mod q 3. Compute auxiliary value u 2 w r mod q 4. Compute v (α u 1 β u 2 mod p) mod q If v r mod q signature is valid If v r mod q signature is invalid ECE597/697 Koren Part.10.17 Proof of DSA We need to show that the signature (r,s) satisfies the condition r v mod q given s (SHA(x))+d r) k E mod q k E s SHA(x) + d s r mod q k E u 1 +d u 2 mod q Raise α to either side of the equation and reduce modulo p: α ke mod p α u1+d u2 mod p Since β α d mod p we can write: α ke mod p α u1 β u2 mod p We now reduce both sides of the equation modulo q: (α ke mod p) mod q (α u1 β u2 mod p) mod q r v r v ECE597/697 Koren Part.10.18 Page 9

Alice Example Bob (p, q, α,β)=(59, 29, 3, 4) Key generation: 1. choose p = 59 and q = 29 2. choose α = 3 3. choose private key d = 7 4. β = α d = 3 7 4 mod 59 (x,(r, s))=(x,(20, 5)) Verify: H(x)=26 w 5 6 mod 29 u 1 6 26 11 mod 29 u 2 6 20 4 mod 29 v = (3 11 44 mod 59) mod 29 = 20 v r mod 29 valid signature Sign: Compute hash of message H(x)=26 1. Choose ephemeral key k E =10 2. k E =3 mod 29 3. r = (3 10 mod 59) 20 mod 29 4. s = (26 + 7 20) 3 5 mod 29 ECE597/697 Koren Part.10.19 Security of DSA To solve the discrete logarithm problem in p the powerful index calculus method can be applied. But this method cannot be applied to the discrete logarithm problem of the subgroup q. Therefore q can be smaller than p. p q hash output (min) security levels 1024 160 160 80 2048 224 224 112 3072 256 256 128 Standardized parameter bit lengths and security levels for the DSA ECE597/697 Koren Part.10.20 Page 10

Use the ephemeral key only once r (α k E mod p) mod q = r1=r2 s1 (h(x1)+d r) k E mod q s2 (h(x2)+d r) k E mod q If x1 and x2 are known s1= (h(x1)+d r) k E mod q and s2=(h(x2)+ d r) k E mod q s1-s2=[h(x1)-h(x2)] k E mod q Calculate k E and then d ECE597/697 Koren Part.10.21 Elliptic Curve Digital Signature Algorithm (ECDSA) Based on Elliptic Curve Cryptography (ECC) Bit lengths in the range of 160-256 bits can be chosen to provide security equivalent to 1024-3072 bit RSA (8028 bit symmetric security level) One signature consists of two integers, hence the signature is twice the used bit length (i.e., 320-512 bits for 8028 bit security level) The shorter bit length of ECDSA often result in shorter processing time ECE597/697 Koren Part.10.22 Page 11

Elliptic Curve Digital Signature Algorithm (ECDSA) Key generation of ECDSA: 1. Use an elliptic curve with modulus p and coefficients a and b. Choose a point A that generates a cyclic group of primitive order q 2. Choose a random integer d with 0<d<q 3. Compute B = d A The keys are: k pub = (p,a,b,q,a,b) k pr = (d) ECE597/697 Koren Part.10.23 ECDSA signature generation ECDSA signature generation: Given: message x, private key d and public key (p,a,b,q,a,b) 1. Choose a random (integer) ephemeral key k E satisfying 0<k E <q 2. Compute R= k E A 3. Let r be the x-coordinate of R, x R 4. Compute s (h(x)+d r) k E mod q The signature consists of (r,s) h(x) is a hash function which computes a fingerprint of the message x. ECE597/697 Koren Part.10.24 Page 12

ECDSA signature verification ECDSA signature verification: Given: message x, signature s and public key (p,a,b,q,a,b) 1. Compute the inverse of s : w s mod q 2. Compute auxiliary value u 1 w h(x) mod q 3. Compute auxiliary value u 2 w r mod q 4. Compute P= u 1 A+ u 2 B If x P r mod q signature is valid If x P r mod q signature is invalid ECE597/697 Koren Part.10.25 Proof of ECDSA We need to show that the signature (r,s) satisfies the condition x P r mod q given s (h(x))+d r) k E mod q k E s h(x) + d s r mod q k E u 1 +d u 2 mod q Multiply both sides of the equation by A k E A (u 1 +d u 2 ) A mod q = u 1 A+d u 2 A = u 1 A+ u 2 B R P r is the x-coordinate of R, x R x R = x P ECE597/697 Koren Part.10.26 Page 13

Alice Example Bob (p,a,b,q,a,b)= (17,2,2,19,(5,1),(0,6)) Key generation: 1. choose p = 17, and a=b=2 E: y 2 = x 3 +2x+2 2. choose A=(5,1) with q = #E = 19 3. choose d = 7 4. B = d A=7 (5,1)=(0,6) (x,(r, s))=(x,(7,17)) Verify: h(x)=26 w = 17 9 mod 19 u 1 = 9 26 6 mod 19 u 2 = 9 7 6 mod 19 P = 6 (5,1) +6 (0,6) = (7,11) x P r mod 19 valid signature Sign: Compute hash of message h(x)=26 1. Choose ephemeral key k E =10 2. R=10 (5,1)=(7,11) 3. r = x R = 7; k E =2 mod 19 4. s = (26 + 7 7) 2 17 mod 19 ECE597/697 Koren Part.10.27 Lessons Learned Digital signatures provide message integrity, message authentication and non-repudiation RSA is still the most widely used digital signature algorithm Competitors are the Digital Signature Standard (DSA) and the Elliptic Curve Digital Signature Standard (ECDSA) RSA verification can be done with short public keys e. Hence, RSA verification is usually faster than signing DSA and ECDSA have shorter signatures than RSA To prevent certain attacks, RSA should be used with padding The modulus of DSA and the RSA signature schemes should be at least 1024- bits long. For true long-term security, a modulus of length 3072 bits should be chosen. In contrast, ECDSA achieves the same security levels with bit lengths in the range 160 256 bits ECE597/697 Koren Part.10.28 Page 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback