DIGITAL SIGNATURES Fred Piper Codes & Ciphers Ltd 12 Duncan Road Richmond Surrey TW9 2JD Information Security Group Royal Holloway, University of London Egham, Surrey TW20 0EX
Outline Brief Introduction to Cryptography Public Key Systems Basic Principles of Digital Signatures Public Key Algorithms Signing Processes Arbitrated Signatures Odds and Ends NOTE: We will not cover all the sections Digital Signatures
The Essence of Security Recognition of those you know Introduction to those you don’t know Written signature Private conversation Digital Signatures
The Challenge Transplant these basic social mechanisms to the telecommunications and/or business environment. Digital Signatures
The Security Issues Sender Am I happy that the whole world sees this ? Am I prepared to pay to stop them ? Am I allowed to stop them ? Recipient Do I have confidence in : the originator the message contents and message stream no future repudiation. Network Manager Do I allow this user on to the network ? How do I control their privileges ? Digital Signatures
Cryptography is used to provide: 1. Secrecy 2. Data Integrity 3. User Verification 4. Non-Repudiation Digital Signatures
Cipher System Key k(E) Key k(D) message m cryptogram c message m Enciphering Algorithm Deciphering Algorithm Interceptor Digital Signatures
The Attacker’s Perspective Unknown Key k(D) Known c Deciphering Algorithm Wants m Note: k(E) is not needed unless it helps determine k(D) Digital Signatures
Two Types of Cipher System Conventional or Symmetric k(D) easily obtained from k(E) Public or Asymmetric Computationally infeasible to determine k(D) from k(E) Digital Signatures
THE SECURITY OF THE SYSTEM IS DEPENDENT ON THE SECURITY OF THE KEYS Digital Signatures
Public Key Systems Original Concept For a public key system an enciphering algorithm is agreed and each would-be receiver publishes the key which anyone may use to send a message to him. Thus for a public key system to be secure it must not be possible to deduce the message from a knowledge of the cryptogram and the enciphering key. Once such a system is set up, a directory of all receivers plus their enciphering keys is published. However, the only person to know any given receiver’s deciphering key is the receiver himself. Digital Signatures
Public Key Systems For a public key system, encipherment must be a ‘one-way function’ which has a ‘trapdoor’. The trapdoor must be a secret known only to the receiver. A ‘one-way function’ is one which is easy to perform but very difficult to reverse. A ‘trapdoor’ is a trick or another function which makes it easy to reverse the function Digital Signatures
Some Mathematical One-Way Functions 1. Multiplication of two large primes. 2. Exponentiation modulo n ( n = pq ). 3. x ax in GF(2n) or GF(p). 4. k Ek(m) for fixed m where Ek is encryption in a symmetric key system which is secure against known plaintext attacks. 5. x a.x where x is an n-bit binary vector and a is a fixed n-tuple of integers. Thus a.x is an integer. Digital Signatures
Public Key Cryptosystems Enable secure communications without exchanging secret keys Enable 3rd party authentication ( digital signature ) Use number theoretic techniques Introduce a whole new set of problems Are extremely ingenious. Digital Signatures
Digital Signatures According to ISO, the term Digital Signature is used: ‘to indicate a particular authentication technique used to establish the origin of a message in order to settle disputes of what message (if any) was sent’. Digital Signatures
Digital Signatures A signature on a message is some data that validates a message and verifies its origin a receiver can keep as evidence a third party can use to resolve disputes. It depends on the message a secret parameter only available to the sender It should be easy to compute (by one person only) easy to verify difficult to forge Digital Signatures
Digital Signature Cryptographic checksum Identifies sender Provides integrity check for data Can be checked by third party Digital Signatures
Hand-Written Signatures Intrinsic to signer Same on all documents Physically attached to message Beware plastic cards. Digital Signatures Use of secret parameter Message dependent. Digital Signatures
Principle of Digital Signatures There is a (secret) number which: Only one person can use Is used to identify that person ‘Anyone’ can verify that it has been used NB: Anyone who knows the value of a number can use that number. Digital Signatures
Attacks on Digital Signature Schemes To impersonate A, I must either obtain A’s private key substitute my public key for A’s NB: Similar attacks if A is receiving secret data encrypted with A’s public key Digital Signatures
Obtaining a Private Key Mathematical attacks Physical attacks NB: It may be sufficient to obtain a device which contains the key. Knowledge of actual value is not needed. Digital Signatures
Certification Authority AIM : To guarantee the authenticity of public keys. METHOD : The Certification Authority guarantees the authenticity by signing a certificate containing user’s identity and public key with its secret key. REQUIREMENT : All users must have an authentic copy of the Certification Authority’s public key. Digital Signatures
Certification Process Creates Certificate Centre Verifies credentials Distribution Owner Generates Key Set Presents Public Key and credentials Receives (and checks) Certificate Digital Signatures
How Does it Work? The Certificate can accompany all Fred’s messages The recipient must directly or indirectly: Trust the CA Validate the certificate The CA certifies that Fred Piper’s public key is……….. Electronically signed by the CA Digital Signatures
User Authentication Certificates Ownership of certificate does not establish identity Need protocols establishing use of corresponding secret keys Digital Signatures
WARNING Identity Theft You ‘are’ your private key You ‘are’ the private key corresponding to the public key in your certificiate Digital Signatures
Certification Authorities Problems/Questions Who generates users’ keys? How is identity established? How can certificates be cancelled? Any others? Digital Signatures
Fundamental Requirement Internal infrastructure to support secure technological implementation Digital Signatures
Is everything OK? Announcement in Microsoft Security Bulletin MS01-017 “VeriSign Inc recently advised Microsoft that on January 29-30 2001 it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee.” Digital Signatures
RSA System Publish integers n and e where n = pq (p and q large primes) and e is chosen so that (e,(p-1)(q-1)) = 1. If message is an integer m with 0 < m < n then the cryptogram c = me (mod n). The primes p and q are ‘Secret’ (i.e. known only to the receiver) and the system’s security depends on the fact that knowledge of n will not enable the interceptor to work out p and q. Digital Signatures
RSA System Since (e,(p-1)(q-1)) = 1 there is an integer d such that ed = 1(mod(p-1)(q-1)). [NOTE: without knowing p and q it is ‘impossible’ to determine d.] To decipher raise c to the power d. Then m=cd (=med) (mod n). System works because if n=pq, ak(p-1)(q-1) + 1 = a (mod n) for all a, k. Digital Signatures
RSA Summary and Example Theory Choice n = p.q 2773 = 47.59 p=47 q=59 e.d 1(mod(p-1) (q-1)) 17.157 ≡ 1(mod 2668) e=17 d=157 Public key is (e, n) (17,2773) Private key is (d,n) (157,2773) Message M (0 < M < n) M = 31 NB : Knowledge of p and q is required to compute d. Encryption using Private Key : C ≡ Me (mod n) 587 ≡ 3117 (mod 2773) Decryption using Private Key : M ≡ Cd (mod n) 31 ≡ 587157 (mod 2773) Digital Signatures
El Gamal Cipher Work in GF(q) For practical systems q = large prime q = 2n Note: We will not define GF(2n). For a prime q arithmetic in GF(q) is arithmetic modulo q. Digital Signatures
El Gamal Cipher System wide parameters : integers g,p NB: p is a large prime and g is a primitive element mod p. A chooses private key x such that 1 < x < p - 1 A’s public key is y = gx mod p. Note: x is called the discrete logarithm of y modulo p to the base g. Digital Signatures
El Gamal Encryption If B wants to send secret message m to A then 1. B obtains A’s public key y plus g and p 2. B generates random integer k. 3. B sends gk (mod p) and c = myk (mod p) to A. A uses x to compute yk from gk and then evaluates m. Digital Signatures
El Gamal Cipher Important facts from last slide g is special type of number sender needs random number generator cryptogram is twice as long as message Digital Signatures
El Gamal - Encryption - Worked Example Prime p = 23 Primitive element a = 11 Private key x = 6 Public key y = 116(mod 23) = 9 To encipher m = 10 Assume random value k = 3 ak = 113 mod 23 = 20 yk = 1118 mod 23 = 16 myk = 10.16 mod 23 = 22 Thus transmit (20, 22) Digital Signatures
El Gamal - Worked Example To decrypt 20, 22 yk = (ak)x = 206 = 16 mod 23 To find m: solve c = myk mod p i.e. solve 22 = m 16 mod 23 Solution m = 10 Digital Signatures
Modular Exponentiation Both RSA and El Gamal involve computing xa (mod N) for large x, a and N To speed up process need: Fast multiplication algorithm Avoid intermediate values becoming too large Limit number of modular multiplications Digital Signatures
How to Create a Digital Signature Using RSA MESSAGE HASHING FUNCTION HASH OF MESSAGE Sign using Private Key SIGNATURE - SIGNED HASH OF MESSAGE Digital Signatures
How to Verify a Digital Signature Using RSA Message Signature Re-hash the Received Message Message with Appended Signature Verify the Received Signature Message Signature Hashing Function Verify using Public Key HASH OF MESSAGE HASH OF MESSAGE If hashes are equal, signature is authentic Digital Signatures
Requirements for Hash Function h (H1) condenses message M of arbitrary length into a fixed length ‘digest’ h(M) (H2) is one-way (H3) is collision free - it is computationally infeasible to construct messages M, M' with h(M) = h(M') H3 implies a restriction on the size of h(M). Digital Signatures
DSA Proposed by NIST in 1991 Explicitly requires the use of a hash function SHA-1 Very different set of functional capabilities than RSA Digital Signatures
DSA Set Up System parameters User keys select a 160-bit prime q choose a 1024-bit prime p so that q | p-1 choose g Zp* and compute a = g(p-1)/q mod p if a=1 repeat with different g User keys select random secret key x (1 x q-1) compute public key y = ax mod p Digital Signatures
Signing with DSA To sign message m hash message m to give h(m) (1 h(m) q-1) generate random secret k (1 k q-1) compute r = (ak mod p) mod q compute k-1 mod q compute s = k-1{h(m) + ar} mod q signature on m is (r,s) Digital Signatures
DSA Signature Verification To verify (r,s) check that 1 r q-1 and 1 s q-1 compute w = s-1 mod q compute u1 = wh(m) mod q compute u2 = rw mod q accept signature if (au1yu2 mod p) mod q = r Digital Signatures
Security of DSA Depends on taking discrete logarithms in GF(p) (GNFS) the logarithm problem in the cyclic subgroup of order q algorithms for this take time proportional to q1/2 we choose q 2160 and p 21024 other concerns follow the case of El Gamal signatures Digital Signatures
Performance of DSA Using the subgroup of order q gives good improvements over El Gamal signatures for signature one (partial) exponentiation mod p, all other operations less significant also there are opportunities for pre-computation for verification two (partial) exponentiations mod p, all other operations less significant Digital Signatures
DSA and RSA set a unit of time to be that required for one 1024-bit multiplication use e=216+1 and CRT for RSA pre-computation with DSA not included also a difference in the sizes of the signatures Digital Signatures
Signing and Verifying Which is more important - signature or verification performance? depends on the application! certificates: sign once but verify very often secure E-mail: perhaps sign and verify once document storage: sign once but maybe never verify Digital Signatures
Digital Signatures for Short Messages Padding / Redundancy Text Signature SEND Public Key Private Key RSA RSA Padding / Redundancy Signature Text Verify a) Construction b) Deconstruction Digital Signatures
Types of Digital Signature 1. Arbitrated Signatures Mediation by third party, the arbitrator signing verifying resolving disputes 2. True Signatures Direct communication between sender and receiver Third party involved only in case of dispute Digital Signatures
Arbitrated Signatures Require trusted arbitrator Arbitrator is involved in Signing process Settlement of all disputes No one else can settle disputes Potential bottleneck Digital Signatures
Example of Arbitrated Signature Scheme (1) Requirement: A wants to send B message B wants assurance of contents, that A was originator and that A cannot deny either fact. Assumption: A and B agree to trust an arbitrator (ARB) and to accept ARB’s decision as binding. Digital Signatures
Example of Arbitrated Signature Scheme (2) Cryptographic Assumption Will use symmetric Algorithm eg DES Will use MACs A has established a DES key KA shared with ARB B has established a DES key KB shared with ARB Digital Signatures
Example of Arbitrated Signature Scheme (3) A wants to send ‘signed’ message M to B Simplified protocol Note: B has no way of checking MACKA is correct. May be necessary to include identities in messages. A ARB : M1=M || MACKA ARB uses KA to check MACKA ARB B : M2 = M1|| MACKB B uses KB to check MACKB Digital Signatures
True Signature True Signature Requirement Only one person can sign but anyone can verify the signature Public Key Requirement Anyone can encrypt a message but only one person can decrypt the cryptogram. Digital Signatures
True Signature It is ‘natural’ to try to adopt public key systems to produce signature schemes by using the secret key in the signing process Digital Signatures
Common Terminology identifies the Digital Signatures Common Terminology identifies the terms Digital Signature and True Signature Digital Signatures
The Decision Process Do I need Cryptography? Do I need Public Key Cryptography? Do I need PKI? How do I establish a PKI? Digital Signatures
Often Heard PKI has never really taken off PKI is dead I’ve got a PKI, what do I do with it? Secure e-commerce needs PKI Digital Signatures
Diffie Hellman Key Establishment Protocol General Idea: Use Public System A and B exchange public keys: PA and PB There is a publicly known function f which has 2 numbers as input and one number as output. A computes f (SA, PB) where SA is A’s private key B computes f (SB, PA) where SB is B’s private key f is chosen so that f (SA, PB) = f (SB, PA) So A and B now share a (secret) number Digital Signatures
Diffie Hellman Key Establishment Protocol For the mathematicians: Agree: Prime p primitive element a A : chooses random rA and sends B : chooses random rB and sends Key: Clearly any interceptor who can find discrete logarithms can break the scheme In this case Note: Comparison with El Gamal Digital Signatures
D-H Man in the Middle Attack B Fraudster F The Fraudster has agreed keys with both A and B A and B believe they have agreed a common key Digital Signatures
D-H Man-in-the-Middle Attack For the mathematicians A B Fraudster F The Fraudster has agreed keys with both A and B A and B believe they have agreed a common key Digital Signatures