Cryptography and Network Security Chapter 13. Digital Signatures & Authentication Protocols

Similar documents
Cryptography and Network Security Chapter 13. Fourth Edition by William Stallings. Lecture slides by Lawrie Brown

Contents Digital Signatures Digital Signature Properties Direct Digital Signatures

Digital Signature. Raj Jain

Unit III. Chapter 1: Message Authentication and Hash Functions. Overview:

UNIT III 3.1DISCRETE LOGARITHMS

Spring 2010: CS419 Computer Security

1. Digital Signatures 2. ElGamal Digital Signature Scheme 3. Schnorr Digital Signature Scheme 4. Digital Signature Standard (DSS)

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who

Cryptography and Network Security. Sixth Edition by William Stallings

Cryptology Part 1. Terminology. Basic Approaches to Cryptography. Basic Approaches to Cryptography: (1) Transposition (continued)

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Overview of Security Principles

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

CS549: Cryptography and Network Security

Lecture 2 Applied Cryptography (Part 2)

Cryptography V: Digital Signatures

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Cryptography and Network Security Chapter 14

Cryptography V: Digital Signatures

Security Handshake Pitfalls

T Cryptography and Data Security

CSCE 715: Network Systems Security

Session key establishment protocols

Public Key (asymmetric) Cryptography

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX

Session key establishment protocols

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Cryptography and Network Security

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Authentication Handshakes

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

User Authentication Protocols

Security Handshake Pitfalls

User Authentication Protocols Week 7

CSC 474/574 Information Systems Security

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Public Key Algorithms

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Spring 2010: CS419 Computer Security

Fall 2010/Lecture 32 1

INFSCI 2935: Introduction of Computer Security 1. Courtesy of Professors Chris Clifton & Matt Bishop. INFSCI 2935: Introduction to Computer Security 2

Prime Field over Elliptic Curve Cryptography for Secured Message Transaction

Grenzen der Kryptographie

Key Management and Elliptic Curves

Information Security CS 526

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

Security. Communication security. System Security

CSC 474/574 Information Systems Security

T Cryptography and Data Security

Making Use of the Subliminal Channel in DSA

Lecture 15: Cryptographic algorithms

1. Diffie-Hellman Key Exchange

Digests Requirements MAC Hash function Security of Hash and MAC Birthday Attack MD5 SHA RIPEMD Digital Signature Standard Proof of DSS

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Lecture 3.4: Public Key Cryptography IV

Encryption. INST 346, Section 0201 April 3, 2018

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Public Key Cryptography

Public Key Cryptography

This chapter examines some of the authentication functions that have been developed to support network-based use authentication.

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Outline More Security Protocols CS 239 Computer Security February 4, 2004

Chapter 9: Key Management

CS Computer Networks 1: Authentication

Cryptographic Checksums

Lecture 19: cryptographic algorithms

Chapter 3. Principles of Public-Key Cryptosystems

CS Protocol Design. Prof. Clarkson Spring 2017

Introduction to Public-Key Cryptography

Chapter 7 Public Key Cryptography and Digital Signatures

Overview. Public Key Algorithms I

Chapter 3 Public Key Cryptography

CIS 6930/4930 Computer and Network Security. Final exam review

Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography

Security Handshake Pitfalls

Public Key Algorithms

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Computer Security: Principles and Practice

Security. Alessandro Margara Slides based on previous work by Matteo Migliavacca and Alessandro Sivieri

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

PUBLIC KEY CRYPTO. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

KALASALINGAM UNIVERSITY

Identification Schemes

Elements of Security

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Remote User Authentication Scheme in Multi-server Environment using Smart Card

UNIT - IV Cryptographic Hash Function 31.1

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Cryptographic protocols

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

Enhancing Data Security with Certificateless Signature Scheme in Cloud Computing

The Application of Elliptic Curves Cryptography in Embedded Systems

Transcription:

Cryptography and Network Security Chapter 13 Digital Signatures & Authentication Protocols

Digital Signatures have looked at message authentication but does not address issues of lack of trust digital signatures provide the ability to: verify author, date & time of signature authenticate message contents be verified by third parties to resolve disputes hence include authentication function with additional capabilities

Digital Signature Properties must depend on the message signed must use information unique to sender to prevent both forgery and denial must be relatively easy to produce must be relatively easy to recognize & verify be computationally infeasible to forge with new message for existing digital signature with fraudulent digital signature for given message be practical to save digital signature in storage

Direct Digital Signatures involve only sender & receiver assumed receiver has sender s public-key digital signature made by sender signing entire message or hash with private-key can encrypt using receivers public-key important that sign first then encrypt message & signature security depends on sender s private-key

Arbitrated Digital Signatures involves use of arbiter A validates any signed message then dated and sent to recipient requires suitable level of trust in arbiter can be implemented with either private or public-key algorithms arbiter may or may not see message

Authentication Protocols used to convince parties of each others identity and to exchange session keys may be one-way or mutual key issues are confidentiality to protect session keys timeliness to prevent replay attacks published protocols are often found to have flaws and need to be modified

Replay Attacks where a valid signed message is copied and later resent simple replay repetition that can be logged repetition that cannot be detected backward replay without modification countermeasures include use of sequence numbers (generally impractical) timestamps (needs synchronized clocks) challenge/response (using unique nonce)

Using Symmetric Encryption as discussed previously can use a twolevel hierarchy of keys usually with a trusted Key Distribution Center (KDC) each party shares own master key with KDC KDC generates session keys used for connections between parties master keys used to distribute these to them

Needham-Schroeder Protocol original third-party key distribution protocol for session between A B mediated by KDC protocol overview is: 1. A->KDC: ID A ID B N 1 2. KDC -> A: E Ka [Ks ID B N 1 E Kb [Ks ID A ] ] 3. A -> B: E Kb [Ks ID A ] 4. B -> A: E Ks [N 2 ] 5. A -> B: E Ks [f(n 2 )]

Needham-Schroeder Protocol used to securely distribute a new session key for communications between A & B but is vulnerable to a replay attack if an old session key has been compromised then message 3 can be resent convincing B that is communicating with A modifications to address this require: timestamps (Denning 81) using an extra nonce (Neuman 93)

Using Public-Key Encryption have a range of approaches based on the use of public-key encryption need to ensure have correct public keys for other parties using a central Authentication Server (AS) various protocols exist using timestamps or nonces

Denning AS Protocol Denning 81 presented the following: 1. A -> AS: ID A ID B 2. AS -> A: E PRas [ID A PU a T] E PRas [ID B PU b T] 3. A -> B: E PRas [ID A PU a T] E PRas [ID B PU b T] E PUb [E PRas [K s T]] note session key is chosen by A, hence AS need not be trusted to protect it timestamps prevent replay but require synchronized clocks

One-Way Authentication required when sender & receiver are not in communications at same time (eg. email) have header in clear so can be delivered by email system may want contents of body protected & sender authenticated

Using Symmetric Encryption can refine use of KDC but can t have final exchange of nonces, vis: 1. A->KDC: ID A ID B N 1 2. KDC -> A: E Ka [Ks ID B N 1 E Kb [Ks ID A ] ] 3. A -> B: E Kb [Ks ID A ] E Ks [M] does not protect against replays could rely on timestamp in message, though email delays make this problematic

Public-Key Approaches have seen some public-key approaches if confidentiality is major concern, can use: A->B: E PUb [Ks] E Ks [M] has encrypted session key, encrypted message if authentication needed use a digital signature with a digital certificate: A->B: M E PRa [H(M)] E PRas [T ID A PU a ] with message, signature, certificate

Digital Signature Standard (DSS) US Govt approved signature scheme designed by NIST & NSA in early 90's published as FIPS-186 in 1991 revised in 1993, 1996 & then 2000 uses the SHA hash algorithm DSS is the standard, DSA is the algorithm FIPS 186-2 (2000) includes alternative RSA & elliptic curve signature variants

Digital Signature Algorithm (DSA) creates a 320 bit signature with 512-1024 bit security smaller and faster than RSA a digital signature scheme only security depends on difficulty of computing discrete logarithms variant of ElGamal & Schnorr schemes

Digital Signature Algorithm (DSA)

DSA Key Generation have shared global public key values (p,q,g): choose q, a 160 bit choose a large prime p = 2 L where L= 512 to 1024 bits and is a multiple of 64 and q is a prime factor of (p-1) choose g = h (p-1)/q where h<p-1, h (p-1)/q (mod p) > 1 users choose private & compute public key: choose x<q compute y = g x (mod p)

DSA Signature Creation to sign a message M the sender: generates a random signature key k, k<q nb. k must be random, be destroyed after use, and never be reused then computes signature pair: r = (g k (mod p))(mod q) s = (k -1.H(M)+ x.r)(mod q) sends signature (r,s) with message M

DSA Signature Verification having received M & signature (r,s) to verify a signature, recipient computes: w = s -1 (mod q) u1= (H(M).w)(mod q) u2= (r.w)(mod q) v = (g u1.y u2 (mod p)) (mod q) if v=r then signature is verified see book web site for details of proof why

Simple Example - 1 Suppose p is set to 7 q is a prime divisor of p-1, select q Find h and g such that g = h (p-1)/q where h<p-1, h (p-1)/q (mod p) > 1

Simple Example - 2 Suppose x is set to 1 Find y such that y = g x (mod p) Suppose k is set to 2

Simple Example - 3 Compute the signature pair: (assume H(M) = 12) r = (g k (mod p))(mod q) s = (k -1 * (H(M)+ x * r))(mod q)

Simple Example - 4 Verify the signature w = s -1 (mod q) u1= (H(M)* w)(mod q) u2= (r * w)(mod q) v = ((g u1 * y u2 )(mod p)) (mod q) if v=r then signature is verified

Summary have discussed: digital signatures authentication protocols (mutual & one-way) digital signature algorithm and standard

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback