DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13
Digital Signatures
Authentication Protocols
Digital Signature Standard
AUTHENTICATION vs SIGNATURE
Authentication: A → B (auth), protects against {C}
Signature: A → B (sign), protects against {A,C}
SIGNATURE CHARACTERISTICS
Author Verifiable Date Authenticate by Time Contents Third Party
SIGNATURE TYPES
Direct: X → Y (weakness: security of private key)
Arbitrated + date: X → A → Y
ARBITRATED DIGITAL SIGNATURE TECHNIQUES
Table 13.1: Scheme (a) Arbiter Sees Message
Conventional Encryption: after X → A → Y, in a dispute between X and Y:
Y → A: $E_{K_{ay}}[ID_x \| M \| E_{K_{ax}}[ID_x \| H(M)]]$
Table 13.1: Scheme (b) Arbiter Does Not See Message
Conventional Encryption: neither Arbiter nor Eavesdropper can read message
Table 13.1: Scheme (c) Arbiter Does Not See Message
Public-Key (double) Encryption, advantages:
1. No information shared before communication
2. If $KR_x$ is compromised, the date is still correct
3. Message secret from Arbiter and Eavesdropper
REPLAY ATTACKS
Simple Replay: X sends $m$; E replays $m$
Logged Replay: X sends $m \| T_0$; E replays $m \| T_0$ (< $T_0$ later)
Undetected Replay: X sends $m$; E replays $m$
Backward Replay: X sends $m$; E replays $m$ to X
TIMESTAMP
X → Y: $m \| T$ (synchronized clocks)
CHALLENGE/RESPONSE
Use NONCE:
Y → X: $N$
X → Y: $m \| N$
Handshake required
ATTACK ON Fig 7.9
Eavesdropper gets old $K_s$:
Replay Step 3
Intercept Step 4
Impersonate Step 5
Bogus messages → Y
SOLUTION: TIMESTAMP
1. A → KDC: $ID_A \| ID_B$
2. KDC → A: $E_{K_A}[K_S \| ID_B \| T \| E_{K_B}[K_S \| ID_A \| T]]$
3. A → B: $E_{K_B}[K_S \| ID_A \| T]$
4. B → A: $E_{K_S}[N_1]$
5. A → B: $E_{K_S}[f(N_1)]$
CLOCK ATTACKS
To counteract suppress-replay attacks:
1. Check clocks regularly (use KDC clock)
2. Handshaking via nonce
AN IMPROVED PROTOCOL over Fig 7.9
To counteract suppress-replay attacks:
1. A → B: $ID_A \| N_A$
2. B → KDC: $ID_B \| N_B \| E_{K_B}[ID_A \| N_A \| T_B]$
3. KDC → A: $E_{K_A}[ID_B \| N_A \| K_S \| T_B] \| E_{K_B}[ID_A \| K_S \| T_B] \| N_B$
4. A → B: $E_{K_B}[ID_A \| K_S \| T_B] \| E_{K_S}[N_B]$
No clock synch.: $T_B$ is only checked by B
AUTHENTICATION SERVER - no secret key distribution (public key)
1. A → AS: $ID_A \| ID_B$
2. AS → A: $E_{KR_{AS}}[ID_A \| KU_A \| T] \| E_{KR_{AS}}[ID_B \| KU_B \| T]$
3. A → B: $E_{KR_{AS}}[ID_A \| KU_A \| T] \| E_{KR_{AS}}[ID_B \| KU_B \| T] \| E_{KU_B}[E_{KR_A}[K_S \| T]]$
Problem: clock synch.
ALTERNATIVE NONCE PROTOCOL
1. A → KDC: $ID_A \| ID_B$
2. KDC → A: $E_{KR_{auth}}[ID_B \| KU_B]$
3. A → B: $E_{KU_B}[N_A \| ID_A]$
4. B → KDC: $ID_B \| ID_A \| E_{KU_{auth}}[N_A]$
5. KDC → B: $E_{KR_{auth}}[ID_A \| KU_A] \| E_{KU_B}[E_{KR_{auth}}[N_A \| K_S \| ID_A \| ID_B]]$
6. B → A: $E_{KU_A}[E_{KR_{auth}}[N_A \| K_S \| ID_A \| ID_B] \| N_B]$
7. A → B: $E_{K_S}[N_B]$
ONE-WAY AUTHENTICATION (e.g. )
Encrypt Message
Authenticate Sender
SYMMETRIC-KEY (one-way auth.)
1. A → KDC: $ID_A \| ID_B \| N_1$
2. KDC → A: $E_{K_A}[K_S \| ID_B \| N_1 \| E_{K_B}[K_S \| ID_A]]$
3. A → B: $E_{K_B}[K_S \| ID_A] \| E_{K_S}[M]$
PUBLIC-KEY (one-way auth.)
Use Figs 11.1b, c, and d
or A → B: $E_{KU_B}[K_S] \| E_{K_S}[M]$
or A → B: $M \| E_{KR_A}[H(M)]$
PUBLIC-KEY (one-way auth.)
Send A's public key to B:
A → B: $M \| E_{KR_A}[H(M)] \| E_{KR_{AS}}[T \| ID_A \| KU_A]$
DSS : USES SHA-1
Signature: YES
Encryption: NO
Key-Exchange: NO
DISCRETE LOG
$p, q, g$: global public keys
$x$: user private key
$y$: user public key
$k$: user per-message secret number
$r = (g^k \bmod p) \bmod q$
$s = [k^{-1}(H(M) + xr)] \bmod q$
Signature = $(r, s)$
Precompute $g^k$, $k^{-1}$
VERIFY
$w = (s')^{-1} \bmod q$
$u_1 = [H(M')\,w] \bmod q$
$u_2 = (r')\,w \bmod q$
$v = [(g^{u_1} y^{u_2}) \bmod p] \bmod q$, where $y = g^x \bmod p$
$v = r'$ ?
$y = g^x$ is one-way: $x \to y$ YES, $y \to x$ NO
DIGITAL SIGNATURE ALGORITHM
DSS SIGNING AND VERIFYING