J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 4 Data Authentication Part II.

Slides:

Advertisements

Similar presentations

Advertisements

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

Public Key Cryptosystem

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures and Hash Functions. Digital Signatures.

Public Key Cryptography & Message Authentication By Tahaei Fall 2012.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

ELECTRONIC PAYMENT SYSTEMSFALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.

Attacks on Digital Signature Algorithm: RSA

Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

Announcements: 1. Presentations start Friday 2. Cem Kaner presenting O th block today. Questions? This week: DSA, Digital Cash DSA, Digital Cash.

Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 4 Data Authentication Part I.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.

Chapter 3 Encryption Algorithms & Systems (Part C)

ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.

Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Electronic Payment Systems. Transaction reconciliation –Cash or check.

CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

Public Key Model 8. Cryptography part 2.

13.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Digital Signature.

Digital Signatures (DSs) The digital signatures cannot be separated from the message and attached to another The signature is not only tied to signer but.

Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall

Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.

Chapter 5 Digital Signatures MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI 1.

Bob can sign a message using a digital signature generation algorithm

The RSA Algorithm Rocky K. C. Chang, March

Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.

Behzad Akbari Spring In the Name of the Most High.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Secure Electronic Transaction (SET)

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 3 Public-Key Cryptography and Key Management.

Network Security Lecture 26 Presented by: Dr. Munam Ali Shah.

Topic 22: Digital Schemes (2)

Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there.

Introduction1-1 Data Communications and Computer Networks Chapter 6 CS 3830 Lecture 31 Omar Meqdadi Department of Computer Science and Software Engineering.

Chapter 21 Public-Key Cryptography and Message Authentication.

Chapter 6:Esoteric Protocols Dulal C Kar. Secure Elections Ideal voting protocol has at least following six properties 1.Only authorized voters can vote.

Cryptography and Network Security Chapter 13 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

A A E E D D C C B B # Symmetric Keys = n*(n-1)/2 F F

Prepared by Dr. Lamiaa Elshenawy

Electronic Cash R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity.

Computer Science and Engineering Computer System Security CSE 5339/7339 Lecture 11 September 23, 2004.

Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.

. Wang and Z. Kissel. Introduction to Network Security: Theory and Practice. Wiley and HEP, 2015 Chapter 4 Data Authentication.

1 The RSA Algorithm Rocky K. C. Chang February 23, 2007.

CS480 Cryptography and Information Security Huiping Guo Department of Computer Science California State University, Los Angeles 14. Digital signature.

Information Security message M one-way hash fingerprint f = H(M)

Information Security message M one-way hash fingerprint f = H(M)

ICS 454 Principles of Cryptography

Information Security message M one-way hash fingerprint f = H(M)

ICS 454 Principles of Cryptography

Presentation transcript:

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 4 Data Authentication Part II

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 4 Outline 4.1 Cryptographic Hash Functions 4.2 Cryptographic Checksums 4.3 HMAC 4.4 Offset Codebook Mode of Operations 4.5 Birthday Attacks 4.6 Digital Signature Standard 4.7 Dual Signatures and Electronic Transactions 4.8 Blind Signatures and Electronic Cash

J. Wang. Computer Network Security Theory and Practice. Springer 2008 In a group of 23 people, the probability that there are at least two persons on the same day in the same month is greater than 1/2 Proof. The probability that none of the 23 people has the same birthday is: Birthday Attack Basics Thus, 1 – > 1/2

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Strong Collision Resistance Complexity Upper Bound Complexity upper bound of breaking strong collision resistance Let H be a cryptographic hash function with output length l. Then H will only have at most n = 2 l different outputs Q: Is 2 l the complexity upper bound of breaking strong collision resistance? A: No. We can use birthday attack to reduce the complexity to 2 l/2 with over 50% success rate Birthday Paradox: From a basket of n balls of different colors, pick k (k<n) balls uniformly and independently at random and record their colors. If then with probability at least 1/2 there is at least one ball that is picked more than once Complexity upper bound of SHA-1: 2 160/2 = 2 80 ; SHA-512: 2 512/2 = 2 256

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Set Intersection Attack Select uniformly and independently at random two sets of integers from {1,2,…,n}, with k integers in each set, where k < n What is the probability Q(n,k) that these two sets intersect?  The probability that these two sets disjoin is equal to  Thus,  It can be shown that if then

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Set Intersection Attack Example The set intersection attack is a form of birthday attacks For example: Malice may fist use a legitimate document D to obtain the authority AU’s signature Malice then produces a new document F that has different meanings from D such that H (F) =H (D) (Note that there are many tricks to find such an F) Malice uses (F,C) to show that F is endorsed by AU

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Malice prepares a set S 1 of 2 l/2 different documents, all having the same meaning as D. Such documents can be obtained by a)replacing a word or a phrase in D b)rephrasing sentences in D c)using different punctuation d)reorganizing the structure of D e)changing passive tense to active, or active to passive Malice prepares a set of S 2 of 2 l/2 different documents, all having the same meaning of F, and computes How to find Document F?

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 4 Outline 4.1 Cryptographic Hash Functions 4.2 Cryptographic Checksums 4.3 HMAC 4.4 Offset Codebook Mode of Operations 4.5 Birthday Attacks 4.6 Digital Signature Standard 4.7 Dual Signatures and Electronic Transactions 4.8 Blind Signatures and Electronic Cash

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Digital signature for a message M : Public Key Cryptosystem  The most effective mechanism to produce a digital signature for a given document  RSA (patent protected until 2000)‏ DSS  First published in 1991  RSA and ECC were included in DSS after 2000  Generate digital signatures only, not encrypt data Digital Signature Standard (DSS)

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Construction of DSS H : SHA-1 (160 bit)‏ L : 512 < L < 1024 Parameters: P : prime number; 2 L–1 < p < 2 L q : a prime factor of p – 1 ; < q < g : g = h (p–1)/q mod p; 1 1

J. Wang. Computer Network Security Theory and Practice. Springer 2008 DSS Signing Alice wants to sign a message M Picks at random a private key, 0 < x A < q Computes public key: y A = g xA mod p Picks at random an integer: 0 < k A < q r A = (g kA mod p) mod q k A –1 = k A q–2 mod q s A = k A –1 (H(M)+x A r A ) mod q M ’s digital signature: (r A, s A )

J. Wang. Computer Network Security Theory and Practice. Springer 2008 DSS Signature Verification Bob gets (M', (r A ', S A ')‏) and CA[y A ] Obtains Alice’s y A using CA’s K CA u to decrypt CA[ y A ] Verifies Alice’s digital signature: w = (S A ') –1 mod q = (S A ') q–1 mod q u1 = (H(M') w) mod q u2 = (r A ' w) mod q v = [(g u1 y A u2 ) mod p] mod q If v = r A ' then the signature is verified

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Security Strength of DSS Rests on the strength of SHA-1 and the difficulty of solving discrete log  The complexity of breaking the strong collision resistance of SHA-1 has recently been reduced from 2 80 to 2 63  Breaking the collision resistance is harder  Intractability of discrete log ensures that it is difficult to compute k A or x A from r A and s A

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 4 Outline 4.1 Cryptographic Hash Functions 4.2 Cryptographic Checksums 4.3 HMAC 4.4 Offset Codebook Mode of Operations 4.5 Birthday Attacks 4.6 Digital Signature Standard 4.7 Dual Signatures and Electronic Transactions 4.8 Blind Signatures and Electronic Cash

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Dual Signatures and Electronic Transactions Alice (customer) ‏ Bob (merchant) ‏ Charlie (banker) ‏ Alice wants bob to act on Purchase Order ( I 1 ) ‏ Bob will wait on payment confirmation from Charlie. Alice must send payment information to Charlie ( I 2 ) ‏

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Dual Signatures We don't want Bob to see I 2 and Charlie to see I 1 (for better privacy) Charlie should not send I 2 to Bob before Bob gets I 1 I 1 and I 2 should be linked (this prevents separation of a payment from an order) All messages must be authenticated and encrypted (No useful information is eavesdropped, modified, or fabricated)

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Dual Signature An interactive authentication protocol for electronic transactions Provides security and privacy protections Has been used in SET (Secure Electronic Transactions), designed by Visa and MasterCard in 1996 but has not been used in practice Requires Alice, Bob, and Charlie agree on a hash function H and a PKC encryption algorithm E Each of Alice, Bob, and Charlie must each have an RSA key- pair: (K A u, K A r ), (K B u, K B r ), (K C u, K C r )

J. Wang. Computer Network Security Theory and Practice. Springer 2008 SET: Alice Calculates the following values: Sends (s B, s C, ds) to Bob. Waits for a receipt R B = from Bob Decrypts R B using K A r to get and verifies Bob’s signature using K B u to get R B

J. Wang. Computer Network Security Theory and Practice. Springer 2008 SET: Bob Verifies Alice's signature; i.e. Compares with Decrypts Forwards (s B, s C, ds) to Charlie Waits for Charlie's receipt R C = ‏ Decrypts R C using K B r to get and verifies Charlie’s signature using K C u to get R C Sends a signed receipt R B = to Alice

J. Wang. Computer Network Security Theory and Practice. Springer 2008 SET: Charlie Verifies Alice's signature; i.e. Compares with Decrypts If I 2 contains valid payment information, then execute the proper payment transaction and send a receipt R C = to Bob

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 4 Outline 4.1 Cryptographic Hash Functions 4.2 Cryptographic Checksums 4.3 HMAC 4.4 Offset Codebook Mode of Operations 4.5 Birthday Attacks 4.6 Digital Signature Standard 4.7 Dual Signatures and Electronic Transactions 4.8 Blind Signatures and Electronic Cash

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Blind Signatures A technique to digitally sign a document without revealing the document to the signer The document to be signed is combined with a blind factor, which prevents the signer from reading the document but can later be removed without damaging the signature

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Blind Signatures with RSA Randomly generate r < n (the blind factor) such that gcd(r, n) = 1 Let M r = M r e mod n Signer signs M r and obtains s r = M r d mod n The blind factor r can be removed as follows: s M = (s r r –1 ) mod n = M d mod n

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Proof The blind factor is removed as s M = (s r r –1 ) mod n = (M d r ed r –1 ) mod n Since ed ≡ 1 mod ф (n)) r ed ≡ r mod n (Fermat’s little theorem) We have s M = M d mod n

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Electronic Cash Real cash has the following key properties:  Anonymous  Can change hands  Can be divided into smaller values  Hard to counterfeit Can those properties be duplicated with some sort of electronic cash?

J. Wang. Computer Network Security Theory and Practice. Springer 2008 An ideal electronic cash protocol should have the following properties:  Anonymous & Untraceable  Secure: Can't be modified or fabricated  Convenient: Allows off-line transactions  Non-replicable: Can't be duplicated and reused  Transferable: Can change hands  Dividable: Can be divided into smaller values. No such protocol have been found Ideal Electronic Cash Protocol

J. Wang. Computer Network Security Theory and Practice. Springer 2008 eCash Proposed in the 1980’s A protocol that satisfies many of the most important properties for electronic cash It uses Blind Signatures to ensure anonymousness and un-traceability Let B denote a financial institution Let B ’s RSA parameters be (n, d, e)

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Buying an eCash Dollar To buy an eCash dollar, Alice does the following:  Generates a sequence number m to represent the eCash dollar she is going to buy  Generates a random number r < n (blind factor) and calculates x = mr e mod n  Sends x and her account number to her bank B  B charges Alice’s account $1 and sends y = x d mod n to Alice  Alice computes z ≡ y r -1 ≡ m d mod n  Alice gets her eCash dollar (m, z)

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Redeeming an eCash Dollar Bob has received an eCash dollar from Alice, and wants to redeem it  He sends (m, z) and his account number to the bank B.  If the signature is valid and no dollar with serial number m has been cashed previously, the bank records m and credits $1 to Bob's account Problem: Since it is easy to duplicate (m, z), how can Bob stop someone else from redeeming that eCash dollar before he does?