CMSC 414 Computer (and Network) Security Lecture 9 Jonathan Katz

Digital signatures

RSA signatures I  “Textbook RSA” –Why textbook RSA is completely insecure! (Two attacks)

RSA signatures for real  Hash functions… –Collision-resistance Birthday attacks –“Scrambling”  How to fix RSA signatures –Why does this work? –Is it actually secure?

Hash functions  SHA-1 –Proposed NIST standard –160-bit output  MD5 –Developed by Rivest (RSA) –128-bit output

DSA/DSS signatures  “Digital signature standard”  Security based on discrete logarithms –No (complete) proof of security  Royalty-free  Overall, neither RSA nor DSS has the advantage –Depends (in part) on relative strengths of assumptions

Signing long messages?  How…? –Hash-and-sign –Only need to assume that hash function is collision-resistant

Non-repudiation  Digital signatures achieve non-repudiation –In contrast to private-key case!  Is this a good or a bad thing? –Sometimes you want deniability (e.g., no trace that you logged in) –Legal ramifications – do you really know what you are signing?

A few words about PKI  Certification authorities; certificates –Single point of failure?  Certificate chains  More on this later…

“Why crypto fails”  Two examples of bad crypto: –Replay of “ok” message from bank to ATM –PIN on ATM card was authenticated, but account number on ATM card was not…

“Why crypto fails”  Lack of information about previous failures  Most frauds not caused by “bad” crypto, but by bad implementation/management –There is plenty of bad crypto, too!  “Social engineering” attacks  Importance of threat model (i.e., security policy) –Threat model may change…  Dispute resolution