Rennes, 15/10/2014 Cristina Onete Message authenticity: Digital Signatures.

Slides:



Advertisements
Similar presentations
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.
Advertisements

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Cryptography and Network Security
Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.
Digital Signatures and Hash Functions. Digital Signatures.
 Cristina Onete || 25/09/2014 || 1 TD – Cryptography 25 Sept: Public Key Encryption + RSA 02 Oct: RSA Continued 09 Oct: NO TD 16 Oct: Digital Signatures.
Rennes, 23/10/2014 Cristina Onete Key-Exchange Protocols. Diffie-Hellman, Active Attacks, and TLS/SSL.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Overview of Cryptography Anupam Datta CMU Fall A: Foundations of Security and Privacy.
Introduction to Signcryption November 22, /11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.
1 Intro To Encryption Exercise Analyze the following scenario: Sender:  Cipher1= Encrypt message with symmetric key algorithm  RSA_Encrypt (SHA1(message)
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.
Information Security. Information Security Requirements Confidentiality: Protection from disclosure to unauthorised persons Access control: Unauthorised.
CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Cryptography and Network Security Chapter 13
Computer Science Public Key Management Lecture 5.
13.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Digital Signature.
Security using Encryption Security Features Message Origin Authentication - verifying that the sender is who he or she says they are Content Integrity.
Chapter 13 Digital Signature
8. Data Integrity Techniques
Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall
CS5204 – Fall Cryptographic Security Presenter: Hamid Al-Hamadi October 13, 2009.
MT311 Java Application Development and Programming Languages Li Tak Sing ( 李德成 )
Bob can sign a message using a digital signature generation algorithm
1 Lect. 15 : Digital Signatures RSA, ElGamal, DSA, KCDSA, Schnorr.
How HTTPS Works J. David Giese. Hyper Text Transfer Protocol BrowserHTTP Server GET / HTTP/1.1 HOST: edge-effect.github.io HEADERS BODY HTTP/ OK.
Chi-Cheng Lin, Winona State University CS 313 Introduction to Computer Networking & Telecommunication Network Security (A Very Brief Introduction)
CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2014 Nitesh Saxena.
Secure r How do you do it? m Need to worry about sniffing, modifying, end- user masquerading, replaying. m If sender and receiver have shared secret.
Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University.
8-1Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity, authentication.
Rennes, 23/10/2014 Cristina Onete Graded Exercises & Authentication.
Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there.
Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.
Cryptography Lecture 9 Stefan Dziembowski
Basic Cryptography 1. What is cryptography? Cryptography is a mathematical method of protecting information –Cryptography is part of, but not equal to,
Software Security Seminar - 1 Chapter 5. Advanced Protocols 조미성 Applied Cryptography.
Cryptography and Network Security Chapter 13 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 16 Security Introduction to CS 1 st Semester, 2012 Sanghyun Park.
Signcryption Parshuram Budhathoki Department of Mathematical Sciences Florida Atlantic University April 18, 2013
CSCI 172/283 Fall 2010 Hash Functions, HMACs, and Digital Signatures.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.
Digital Signatures, Message Digest and Authentication Week-9.
Cryptography: Digital Signatures Message Digests Authentication
Prepared by Dr. Lamiaa Elshenawy
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
Protocol Analysis. CSCE Farkas 2 Cryptographic Protocols Two or more parties Communication over insecure network Cryptography used to achieve goal.
Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
EE 122: Lecture 24 (Security) Ion Stoica December 4, 2001.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
COM 5336 Lecture 8 Digital Signatures
Security. Security Needs Computers and data are used by the authorized persons Computers and their accessories, data, and information are available to.
Cryptography and Network Security Chapter 13
Chapter 13 Digital Signature
Cryptography Lecture 26.
Presentation transcript:

Rennes, 15/10/2014 Cristina Onete Message authenticity: Digital Signatures

 Cristina Onete || 15/10/2014 || 2 Why sign? AmélieBaptiste Baptiste is waiting for a message from Amélie  Message authenticity How can he make sure it’s really from her?

 Why Sign  More importantly: Telling good content from bad updates virus definitions Baptiste malware trojans viruses Updates vs. malware and trojans Message should be sent by authorized party Cristina Onete || 15/10/2014 || 3

 Principle of signatures AmélieBaptiste A  Amélie uses a secret key (that only she knows) to sign  Baptiste receives message and signature Check signature using Amélie’s public key OK: from Amélie Alert: not from Amélie! Cristina Onete || 15/10/2014 || 4

 Principle of signatures AmélieBaptiste A  Goals of signature schemes Message integrity: the message has not been modified Message origin: the message was sent by correct party Non-repudiation: sender can’t deny she sent the message Cristina Onete || 15/10/2014 || 5

 Contents  The basics Structure Properties  Some signature schemes RSA-based signatures The Hash-and-sign paradigm The DSA algorithm

 Common misconception AmélieBaptiste AmélieBaptiste Public-Key Encryption Digital Signatures BA Secret B Inverse mechanisms? Cristina Onete || 15/10/2014 || 7 Secret

 Common misconception  Can we build signatures from encryption? Completely different functionality and goals! PropertyEncryption schemes Signatures schemes Message integrity Message confidentiality Non-repudiation Sender authentication  Using one primitive to get the other is dangerous! Single receiver Cristina Onete || 15/10/2014 || 8

 Digital Signatures – Structure  SSchemes = (KGen, Sign, Verify) A Security parameter: determines key size Everyone Cristina Onete || 15/10/2014 || 9

 Signature Security  Functionality – correctness:  Security: unforgeability BAA Verify Cristina Onete || 15/10/2014 || 10

 Inverse mechanisms? PK EncryptionSignatures Key Generation: Encrypt Decrypt: Key Generation: Sign Verify: ? Cristina Onete || 15/10/2014 || 11

 Inverse mechanisms? PK EncryptionSignatures Key Generation: Encrypt Decrypt: Key Generation: Sign Verify: ? Cristina Onete || 15/10/2014 || 12

 Attacks against Signatures  The more knows, the harder it is to get security  Security depends on what the attacker knows  Random-message attack: Lots of users all around Their messages are “random” Adv. gets (m, signa- ture) pairs Forge signature on new message! Cristina Onete || 15/10/2014 || 13

 Attacks against Signatures  The more knows, the harder it is to get security  Security depends on what the attacker knows  Known-message attack: Lots of users all around Knows messages in advance, before re- ceiving any signature Adv. gets (m, signa- ture) pairs Forge signature on new message! Hi, how are you? I’m fine, thanks. How are you? I’m very well, thank you Cristina Onete || 15/10/2014 || 14

 Attacks against Signatures  The more knows, the harder it is to get security  Security depends on what the attacker knows  Chosen-message attack: Lots of users all around Can choose messages that will be signed Adv. gets (m, signa- ture) pairs Forge signature on new message! …………… Cristina Onete || 15/10/2014 || 15

 Attacks against Signatures Power of Attack Unf-RMAUnf-KMAUnf-CMA Weak Not strong/ Not weak Strong Cristina Onete || 15/10/2014 || 16

 Choosing a Correct Model  Exercise 1: The adversary is monitoring messages from Amélie’s phone Amélie conducts a signed sms-conversation with Baptiste Is it ok if the signature protocol resists Random msg. attacks? Is it ok if the signature protocol resists Known msg. attacks? Cristina Onete || 15/10/2014 || 17

 Choosing a Correct Model  Exercise 2: The adversary targets a certification authority He can send different parameters to certify Is it ok if the signature protocol resists Random msg. attacks? Is it ok if the signature protocol resists Known msg. attacks? Is it ok if the signature protocol resists Chosen msg. attacks? Cristina Onete || 15/10/2014 || 18

 Contents  The basics Structure Properties  Some signature schemes RSA-based signatures The Hash-and-sign paradigm The DSA algorithm

 Textbook RSA and Signatures  Textbook RSA signatures B Everyone ? Cristina Onete || 15/10/2014 || 20

 Textbook RSA: Sign/Encrypt RSA SignatureRSA Encryption Key Generation: Sign: Encrypt: Verify: Decrypt: ?  Exercise: check that the two attacks we did before work on this signature scheme! Cristina Onete || 15/10/2014 || 21

 Hashed RSA  Modification: Hash before signing Hash function  How about those attacks? Exercise: Assume H(m) is not-invertible. Show that our random-message attack doesn’t work Cristina Onete || 15/10/2014 || 22

 Hashed RSA  Modification: Hash before signing  How about those attacks? Cristina Onete || 15/10/2014 || 23

 Hashed RSA  Modification: Hash before signing  How about those attacks? Cristina Onete || 15/10/2014 || 24

 Hash and Sign in general  Use the same thing in general  Signature scheme  Hash function  Key generation: Signing: Verifying: Cristina Onete || 15/10/2014 || 25

 DSA (Digital Signature Alg.)  Faster than RSA-based signatures  With inbuilt hash evaluation Setup (parameters): Key Generation (each user): Cristina Onete || 15/10/2014 || 26

 DSA (Digital Signature Alg.)  Parameters: Signing: Exercise: compute signature for message m = 12 Cristina Onete || 15/10/2014 || 27

 DSA (Digital Signature Alg.)  Parameters: Exercise: check you signature for message m = 12 Cristina Onete || 15/10/2014 || 28

 Some thought:  Say you have a signature scheme SScheme = (KGen, Sign, Vf)  Say this scheme is unforgeable against CMA  Modify the signature algorithm:  Is this still unforgeable against CMA? Cristina Onete || 15/10/2014 || 29

 Some thought:  We have an arbitrary unforgeable signature scheme: SScheme = (KGen, Sign, Vf)  And we also have any IND-CCA encryption scheme  Say we want to ensure that a (confidential) message comes from a given party. Can we send: EScheme = (KGen, Enc, Dec) Cristina Onete || 15/10/2014 || 30

CIDRE Thanks!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.