Position Paper W3C Workshop Mountain View


RSA-PSS in XMLDSig
Position Paper, W3C Workshop, Mountain View, 25.09.2007
Konrad.Lanz@iaik.tugraz.at

Konrad Lanz
Digital Signature Services (OASIS-DSS); IAIK (Institute for Applied Information Processing and Communications, Inst. f. angew. Informationsverarbeitung und Kommunikation); SIC (Stiftung Secure Information and Communication Technology); TUG (Technische Universität Graz).
OASIS-DSS TC Voting Member. W3C representation for the Zentrum für Sichere Informationstechnologie (A-SIT): W3C XML Core Working Group, Canonicalization (c14n), XMSSMWG.
OASIS: Organization for the Advancement of Structured Information Standards (http://www.oasis-open.org)

Introduction
Currently XMLDSig uses RSASSA-PKCS1-v1_5. The proposal is to add RSA-PSS:
- Bleichenbacher's RSA signature forgery exploited an implementation error in PKCS#1 v1.5 signature verification [FIN-BLEICH]
- RSA-PSS is a randomized method with a tighter security proof (randomized hashing is also the subject of draft NIST SP 800-106, Randomized Hashing for Digital Signatures: http://csrc.nist.gov/publications/drafts/Draft-SP-800-106/Draft-SP800-106.pdf)

The XMLDSig signature structure ([XMLDSig] informal syntax; "?" optional, "+" one or more, "*" zero or more):
  <Signature ID?>
    <SignedInfo>
      <CanonicalizationMethod/>
      <SignatureMethod/>
      (<Reference URI?>
        (<Transforms/>)?
        <DigestMethod/>
        <DigestValue/>
      </Reference>)+
    </SignedInfo>
    <SignatureValue>
    (<KeyInfo>)?
    (<Object ID?>)*
  </Signature>
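The implementation error behind the Bleichenbacher forgery mentioned above, as an added example in Python that is not part of the position paper: a PKCS#1 v1.5 verifier that parses the padding leniently accepts a signature forged without the private key under e = 3, while a verifier that reconstructs the full encoded message rejects it. The modulus N is a constructed 3072-bit stand-in (the forgery never touches the private exponent, so a real key pair is not needed to exercise the verifier), and the DigestInfo prefix is the standard DER encoding for SHA-256.

```python
# Added example (not from the position paper): Bleichenbacher's PKCS#1 v1.5 signature
# forgery against a verifier that parses the padding leniently, next to a strict verifier.
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-256 (AlgorithmIdentifier + OCTET STRING header).
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed stand-in for a 3072-bit RSA modulus with public exponent 3. The forgery
# never uses the private key, so any odd 3072-bit integer exercises the verifier alike.
N = (1 << 3071) | 0x10001
E = 3


def _em(n, e, sig):
    """RSA public operation on the signature, returned as the k-byte encoded message EM."""
    k = (n.bit_length() + 7) // 8
    return pow(sig, e, n).to_bytes(k, "big")


def lax_verify(n, e, sig, msg):
    """Vulnerable: skips the 0xff padding, accepts DigestInfo wherever the padding ended
    and never looks at the bytes after it. This is the implementation error Finney describes."""
    em = _em(n, e, sig)
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    t = DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return em[i:i + len(t)] == t  # BUG: trailing bytes are never checked


def strict_verify(n, e, sig, msg):
    """Hardened: rebuild the complete EM per PKCS#1 v1.5 and compare all k bytes."""
    em = _em(n, e, sig)
    t = DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    ps_len = len(em) - len(t) - 3
    if ps_len < 8:
        return False
    expected = b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t
    return hmac.compare_digest(em, expected)


def icbrt(x):
    """Floor of the integer cube root (Newton iteration started from an overestimate)."""
    if x < 2:
        return x
    r = 1 << ((x.bit_length() + 2) // 3)
    while True:
        y = (2 * r + x // (r * r)) // 3
        if y >= r:
            return r
        r = y


def forge(n, msg):
    """Forge a signature on msg under (n, 3) without the private key.
    Choose EM = 00 01 FF 00 || DigestInfo || garbage and take s = ceil(cbrt(EM)).
    s^3 < n, so no modular reduction happens, and s^3 - EM is below ~3*s^2, which is
    absorbed entirely by the garbage bytes; the leading bytes come out exactly as chosen."""
    k = (n.bit_length() + 7) // 8
    head = b"\x00\x01\xff\x00" + DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    garbage_bits = 8 * (k - len(head))
    target = int.from_bytes(head, "big") << garbage_bits
    s = icbrt(target)
    if s ** 3 < target:
        s += 1
    if (s ** 3) >> garbage_bits != int.from_bytes(head, "big") or s ** 3 >= n:
        raise ValueError("modulus too small for this forgery")
    return s
```

With a 3072-bit modulus there are 329 garbage bytes, far more than the roughly 2041 bits by which the cube of the rounded root can exceed the chosen value, which is why the forgery is so cheap. RSA-PSS removes the attack surface at its root: the verifier recomputes the whole encoding from the recovered salt and hash and accepts only an exact match, so there is no "skip to the interesting part" parsing step to get wrong.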

RSA-PSS Recognition/Adoption
- Cryptographic Message Syntax (CMS, [RFC 3852]): the RSA-PSS signature method is specified in [RFC 4056], Use of the RSASSA-PSS Signature Algorithm in Cryptographic Message Syntax (CMS)
- The DSS draft [FIPS 186-3 Draft], section 5.5, references [PKCS#1 v2.1] and considers RSA-PSS an approved signature scheme

What do we need?
- A namespace and algorithm identifiers for RSA-PSS
- An XML schema for the algorithm parameters

Namespace
http://www.w3.org/2007/09/xmldsig-pss
Algorithm identifiers
- SignatureMethod: http://www.w3.org/2007/09/xmldsig-pss/#rsa-pss
- Mask generation function: http://www.w3.org/2007/09/xmldsig-pss/#mgf1
- Hash functions: SHA-1 as specified in [XMLDSig]; SHA-256 and SHA-512 as specified in XML Encryption [XMLEnc]; SHA-224 and SHA-384 as specified in [RFC4051]

RSA-PSS Parameters
- the digest method (dm)
- the mask generation function (MGF)
- the digest method used inside the MGF (mgf-dm)
- the salt length (sl)
- the trailer field (tf), in practice a constant

Default (fixed?) values
The NIST drafts are moving away from SHA-1 to the longer output lengths of the SHA-2 family ([FIPS 180-3 Draft], [NIST SP 800-107 Draft], [NIST SP 800-57 Draft]). Proposed defaults, with the [PKCS#1 v2.1] defaults in parentheses:
- dm: SHA-256 (SHA-1)
- MGF: MGF1
- mgf-dm: same as dm, i.e. SHA-256 (SHA-1)
- sl: the output length of dm in bytes, 256/8 = 32 bytes (20 bytes)
- tf: 1 (corresponds to the trailer octet 0xbc)
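The parameter set from the two slides above, as an added Python example that is not from the position paper: EMSA-PSS encoding and verification from PKCS#1 v2.1 section 9.1 with MGF1, driven by exactly the five parameters listed (dm, MGF, mgf-dm, sl, tf) and defaulting to the slide's proposal (SHA-256, MGF1 with SHA-256, salt as long as the digest, trailer field 1 = 0xbc). Only the encoding layer that the parameters govern is shown; the RSA private-key operation on EM is left out (with RSA, emBits is the modulus length minus one), and the sample messages are constructed.

```python
# Added example (not from the position paper): EMSA-PSS encode/verify from PKCS#1 v2.1
# section 9.1, parameterised by the five RSA-PSS parameters on the slides.
import hashlib
import os


def mgf1(seed, mask_len, mgf_dm="sha256"):
    """MGF1 (PKCS#1 v2.1 appendix B.2.1): Hash(seed || counter) for counter = 0, 1, ..."""
    h_len = hashlib.new(mgf_dm).digest_size
    out = b"".join(
        hashlib.new(mgf_dm, seed + counter.to_bytes(4, "big")).digest()
        for counter in range((mask_len + h_len - 1) // h_len)
    )
    return out[:mask_len]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def emsa_pss_encode(m, em_bits, dm="sha256", mgf_dm=None, salt_len=None, tf=1, salt=None):
    """Return EM of ceil(em_bits/8) bytes. Defaults follow the slide: SHA-256, MGF1 with
    the same hash, salt length = digest length, trailer field 1 (octet 0xbc).
    salt may be passed explicitly for deterministic tests; normally it is random."""
    if tf != 1:
        raise ValueError("PKCS#1 v2.1 defines only trailerField 1 (octet 0xbc)")
    mgf_dm = mgf_dm or dm
    m_hash = hashlib.new(dm, m).digest()
    h_len = len(m_hash)
    s_len = h_len if salt_len is None else salt_len
    em_len = (em_bits + 7) // 8
    if em_len < h_len + s_len + 2:
        raise ValueError("encoding error: emLen too small for this hash and salt")
    salt = os.urandom(s_len) if salt is None else salt  # the randomisation lives here
    if len(salt) != s_len:
        raise ValueError("salt has wrong length")
    h = hashlib.new(dm, bytes(8) + m_hash + salt).digest()  # H = Hash(M'), M' = 0^64 || mHash || salt
    db = bytes(em_len - s_len - h_len - 2) + b"\x01" + salt  # DB = PS || 0x01 || salt
    masked_db = _xor(db, mgf1(h, em_len - h_len - 1, mgf_dm))
    clear = 8 * em_len - em_bits  # clear leftmost bits so that EM < 2^emBits
    masked_db = bytes([masked_db[0] & (0xFF >> clear)]) + masked_db[1:]
    return masked_db + h + b"\xbc"


def emsa_pss_verify(m, em, em_bits, dm="sha256", mgf_dm=None, salt_len=None, tf=1):
    """True iff EM is a consistent PSS encoding of m under the given parameters.
    The verifier must take the parameters from the signature or the key, never guess."""
    if tf != 1:
        return False
    mgf_dm = mgf_dm or dm
    m_hash = hashlib.new(dm, m).digest()
    h_len = len(m_hash)
    s_len = h_len if salt_len is None else salt_len
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + s_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[: em_len - h_len - 1], em[em_len - h_len - 1 : -1]
    clear = 8 * em_len - em_bits
    if masked_db[0] & ~(0xFF >> clear) & 0xFF:
        return False
    db = _xor(masked_db, mgf1(h, em_len - h_len - 1, mgf_dm))
    db = bytes([db[0] & (0xFF >> clear)]) + db[1:]
    ps_len = em_len - h_len - s_len - 2
    if db[:ps_len] != bytes(ps_len) or db[ps_len] != 0x01:
        return False
    salt = db[-s_len:] if s_len else b""
    return hashlib.new(dm, bytes(8) + m_hash + salt).digest() == h
```

Two properties worth noticing when running it: two encodings of the same message differ because of the salt, and a verifier configured with a different salt length (20 bytes, the PKCS#1 v2.1 default, against a 32-byte salt) rejects a perfectly valid encoding. That second point is why the parameters must be carried with the signature or bound to the key, which is the subject of the RFC 4055 slide.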

SHA-1 tarnished
[NIST SP 800-57 Draft] credits SHA-1 with less than 80 bits of security and currently assesses its strength against collisions at 69 bits.
Successful collision attacks on reduced SHA-1:
- 2005: 53 steps [WaYiYu]
- 2006: 64 steps [CaRe]
- 2007: 70 steps [CaMeRe]
Theoretical attacks on the full version (80 steps):
- 2005: 2^69 operations [WaYiYu]; 2^63 announced [WaYaYa]
- 2007: 2^60 operations announced [MeReRij]
"recent successful collision search attacks"

Speaker notes (translated from German): A few corrections and further information. Actual collisions: Wang showed a collision for the 53-step variant (2005). We (Christophe and I) for 64 steps (2006). We (Christophe, Florian and I) for 70 steps (reference: "Collisions for 70-step SHA-1: On The Full Cost of Collision Search", SAC 2007). Theoretical attacks on 80-step SHA-1: Wang, 2^69; announcement without details: 2^63. We (Florian, Vincent and I) recently announced a new attack with 2^60 operations (also without details). Reference: CRYPTO Rump Session 2006, "Update on SHA-1".

RFC 4055: RSA-PSS parameters in the subjectPublicKeyInfo field of an X.509 certificate
The key or certificate may carry its own RSA-PSS parameters (the primed values below). Parameters are to be added to the signature unless the default values are used, and they must be consistent with those of the key/certificate:
- dm = dm' as in the key/certificate
- MGF = MGF' as in the key/certificate
- mgf-dm = mgf-dm' as in the key/certificate
- sl >= sl' (the salt must be at least as long as the one in the key/certificate)
- tf = tf' as specified by the key/certificate (effective value)

Examples
- Example 1 (defaults): SHA-256, MGF1 with SHA-256, default salt length of 256/8 = 32 bytes, trailer = 1 (0xbc)
- Example 2: SHA-512, MGF1 with SHA-512, salt length of 512/8 = 64 bytes, trailer = 1
- Example 3: SHA-1, MGF1 with SHA-1, salt length of 256/8 = 32 bytes, trailer = 1
- Example 4: SHA-1, MGF1 with SHA-1, salt length of 32 bytes, trailer = 1
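The RFC 4055 consistency rules from the previous slide, applied to the example parameter sets above, as an added Python example that is not from the position paper. Field names mirror the slides (dm, mgf, mgf_dm, sl, tf). Absent fields take the PKCS#1 v2.1 / RFC 4055 defaults (SHA-1, MGF1 with SHA-1, 20-byte salt, trailer field 1); the slide's proposed SHA-256 defaults are available as an alternative default set. The EXAMPLE_* dictionaries are constructed from the slide; the function and constant names are this example's own.

```python
# Added example (not from the position paper): checking a signature's RSA-PSS parameters
# against the parameters bound to the key, following the RFC 4055 rules on the slide.
PKCS1_DEFAULTS = {"dm": "sha1", "mgf": "mgf1", "mgf_dm": "sha1", "sl": 20, "tf": 1}
XMLDSIG_PSS_DEFAULTS = {"dm": "sha256", "mgf": "mgf1", "mgf_dm": "sha256", "sl": 32, "tf": 1}


def effective_params(params, defaults=PKCS1_DEFAULTS):
    """Fill in absent fields from the default set. Absent parameters mean 'the defaults',
    which is exactly where salt-length surprises come from (see the tests)."""
    p = dict(defaults)
    p.update(params or {})
    return p


def check_signature_params(key_params, sig_params, defaults=PKCS1_DEFAULTS):
    """Return a list of violations; an empty list means the signature parameters are
    acceptable. key_params is None when the key carries no RSA-PSS parameters, in which
    case any internally consistent set is allowed."""
    sig = effective_params(sig_params, defaults)
    problems = []
    if sig["mgf"] != "mgf1" or sig["tf"] != 1:
        problems.append("only MGF1 and trailer field 1 (0xbc) are defined")
    if sig["sl"] < 0:
        problems.append("negative salt length")
    if key_params is None:
        return problems
    key = effective_params(key_params, defaults)
    for field in ("dm", "mgf", "mgf_dm", "tf"):  # must match the key exactly
        if sig[field] != key[field]:
            problems.append(f"{field}: signature uses {sig[field]!r}, key requires {key[field]!r}")
    if sig["sl"] < key["sl"]:  # the key's salt length is a minimum, not an exact value
        problems.append(f"sl: signature salt {sig['sl']} shorter than key minimum {key['sl']}")
    return problems


# Parameter sets from the Examples slide, written out in full (constructed test vectors).
EXAMPLE_1 = {"dm": "sha256", "mgf": "mgf1", "mgf_dm": "sha256", "sl": 32, "tf": 1}
EXAMPLE_2 = {"dm": "sha512", "mgf": "mgf1", "mgf_dm": "sha512", "sl": 64, "tf": 1}
EXAMPLE_3 = {"dm": "sha1", "mgf": "mgf1", "mgf_dm": "sha1", "sl": 32, "tf": 1}
```

The case to keep in mind is a key certified with Example 3 parameters and a signature that omits its parameters: the signature then falls back to the 20-byte PKCS#1 v2.1 default salt, which is shorter than the 32 bytes the key demands, and must be rejected even though every hash choice matches.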

Conclusion
- RSA-PSS as a signature method for XMLDSig
- Plain SHA-1 should no longer be the default; SHA-256 as the default hash algorithm
- The specification, and approaches to encoding the RSA-PSS parameters with the key or certificate, have been discussed

Thanks
Thanks for your attention! References are in the position paper.

References
[FIN-BLEICH] Hal Finney: Bleichenbacher's RSA signature forgery based on implementation error; 17 Aug. 2006, http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html
[PKCS#1v1.5] PKCS #1 v1.5: RSA Encryption Standard; RSA Laboratories, 1 Nov. 1993, ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-1.asc
[PKCS#1v2.1] PKCS #1 v2.1: RSA Cryptography Standard; RSA Laboratories, 14 June 2002, ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.pdf
[RFC 3852] Russ Housley: Cryptographic Message Syntax (CMS); RFC 3852, July 2004, http://tools.ietf.org/html/rfc3852
[RFC4051] D. Eastlake 3rd: Additional XML Security Uniform Resource Identifiers (URIs); RFC 4051, Apr. 2005, http://tools.ietf.org/html/rfc4051
[RFC 4055] Jim Schaad: Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile; RFC 4055, June 2005, http://tools.ietf.org/html/rfc4055
[RFC 4056] Jim Schaad: Use of the RSASSA-PSS Signature Algorithm in Cryptographic Message Syntax (CMS); RFC 4056, June 2005, http://tools.ietf.org/html/rfc4056
[XMLDSig] XML-Signature Syntax and Processing; W3C Recommendation, 12 Feb. 2002, http://www.w3.org/TR/xmldsig-core/
[XMLEnc] XML Encryption Syntax and Processing; W3C Recommendation, 10 Dec. 2002, http://www.w3.org/TR/xmlenc-core/
[KAL-PSS] Burt Kaliski: Raising the Standard for RSA Signatures: RSA-PSS; RSA Laboratories, 26 Feb. 2003, http://www.rsa.com/rsalabs/node.asp?id=2005
[FIPS 186-3 Draft] Digital Signature Standard (DSS); FIPS 186-3 Draft, NIST, March 2006, http://csrc.nist.gov/publications/drafts/fips_186-3/Draft-FIPS-186-3%20_March2006.pdf
[FIPS 180-3 Draft] Secure Hash Standard (SHS); FIPS 180-3 Draft, NIST, June 2007, http://csrc.nist.gov/publications/drafts/fips_180-3/draft_fips-180-3_June-08-2007.pdf
[NIST SP 800-107 Draft] Recommendation for Using Approved Hash Algorithms; NIST, July 2007, http://csrc.nist.gov/publications/drafts/Draft-SP-800-107/Draft-SP800-107.pdf
[NIST SP 800-57 Draft] Recommendation for Key Management; NIST, March 2007, http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
[CaRe] Christophe De Cannière, Christian Rechberger: Finding SHA-1 Characteristics; presented at the Second NIST Cryptographic Hash Workshop (Santa Barbara, California, USA, August 2006), to appear at ASIACRYPT 2006
[CaMeRe] Christophe De Cannière, Florian Mendel, Christian Rechberger: Collisions for 70-step SHA-1: On the Full Cost of Collision Search; SAC 2007
[MeReRij] Florian Mendel, Christian Rechberger, Vincent Rijmen: Update on SHA-1; CRYPTO Rump Session (announcement without details)
[WaYaYa] Xiaoyun Wang, Andrew Yao, Frances Yao: Cryptanalysis of SHA-1; presented at the First NIST Cryptographic Hash Workshop, October 2005
[WaYiYu] Xiaoyun Wang, Yiqun Lisa Yin, Hongbo Yu: Finding Collisions in the Full SHA-1; CRYPTO 2005 (Santa Barbara, California, USA, August 2005), Proceedings, volume 3621 of LNCS, pages 17–36, Springer, 2005 (editor: Victor Shoup)

Java
- XML-DSig (JSR 105): http://www.jcp.org/en/jsr/detail?id=105
- XML-Enc (JSR 106): http://www.jcp.org/en/jsr/detail?id=106

Thanks!
SIC XSect Toolkit: the successor of the IAIK XML Signature Library (IXSIL), implementing the Java XML Digital Signature APIs (JSR 105) and the Java XML Digital Encryption APIs (JSR 106).
http://www.sic.st
http://jce.iaik.tugraz.at/sic/products/xml_security
Thanks for your attention.