Hash Function Firewalls in Signature Schemes Burt Kaliski, RSA Laboratories IEEE P1363 Working Group Meeting June 2, 2000 (Rev. June 8, 2000)

Slides:



Advertisements
Similar presentations
1 MQV and HMQV in IEEE P1363 William Whyte, Hugo Krawczyk, Alfred Menezes.
Advertisements

Revised 08/16/1999 IEEE P1363: Standard Specifications for Public-Key Cryptography Burt Kaliski Chair, IEEE P1363 August 17, 1999.
SeND Hash Threat Analysis CSI WG Ana Kukec, Suresh Krishnan, Sheng Jiang.
Chapter 14 – Authentication Applications
Public Key Cryptography INFSCI 1075: Network Security – Spring 2013 Amir Masoumzadeh.
Design and Security Analysis of Marked Blind Signature
An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Cryptography and Network Security
1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Chapter 7-1 Signature Schemes.
Introduction to Signcryption November 22, /11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.
Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)
1 Information System Security AABFS-Jordan Summer 2006 Digital Signature and Hashing Functions Prepared by: Maher Abu Hamdeh & Adel Hamdan Supervised by:
CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.
Cryptography and Network Security Chapter 13
13.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Digital Signature.
13.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Digital Signature.
Csci5233 Computer Security1 Bishop: Chapter 10 Key Management: Digital Signature.
Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall
Lecture 8 Digital Signatures. This lecture considers techniques designed to provide the digital counterpart to a handwritten signature. A digital signature.
Digital Signatures Applied Handbook of Cryptography: Chapt 11
Chapter 5 Digital Signatures MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI 1.
Bob can sign a message using a digital signature generation algorithm
DSA (Digital Signature Algorithm) Tahani Aljehani.
1 Lect. 15 : Digital Signatures RSA, ElGamal, DSA, KCDSA, Schnorr.
The RSA Algorithm Rocky K. C. Chang, March
Information Security Principles Assistant Professor Dr. Sana’a Wafa Al-Sayegh 1 st Semester ITGD 2202 University of Palestine.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
1 Network Security Lecture 6 Public Key Algorithms Waleed Ejaz
Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University.
Digital Signatures: Mathematics Zdeněk Říha. Data authentication Data integrity + data origin Digital signature Asymmetric cryptography public and private.
1 Optimal Mail Certificates in Mail Payment Applications Leon Pintsov Pitney Bowes 2nd CACR Information Security Workshop 31 March 1999.
PKCS #1 v2.1: RSA Cryptography Standard
Topic 22: Digital Schemes (2)
Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there.
RSA Data Security, Inc. PKCS #1 : RSA Cryptography Standard Jessica Staddon RSA Laboratories PKCS Workshop October 7, 1998.
Cryptography and Network Security Chapter 13 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Some Perspectives on Smart Card Cryptography
Lecture 8 Overview. Secure Hash Algorithm (SHA) SHA SHA SHA – SHA-224, SHA-256, SHA-384, SHA-512 SHA-1 A message composed of b bits.
Certificate Requests to HIP Jani Pellikka 80 th IETF Mar 27 th – Apr 1 st 2011 Prague, Czech Republic.
PKCS #1 v2.1: RSA Cryptography Standard Burt Kaliski, RSA Laboratories PKCS Workshop, 5 October 2000.
A A E E D D C C B B # Symmetric Keys = n*(n-1)/2 F F
Prepared by Dr. Lamiaa Elshenawy
Computer Science and Engineering Computer System Security CSE 5339/7339 Lecture 11 September 23, 2004.
Digital Signature Standard (DSS) US Govt approved signature scheme designed by NIST & NSA in early 90's published as FIPS-186 in 1991 revised in 1993,
1 An Ordered Multi-Proxy Multi-Signature Scheme Authors: Min-Shiang Hwang, Shiang-Feng Tzeng, Shu-Fen Chiou Speaker: Shu-Fen Chiou.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
COM 5336 Lecture 8 Digital Signatures
Elgamal Public Key Encryption CSCI 5857: Encoding and Encryption.
PKCS #5 v2.0: Password-Based Cryptography Standard
1 Introduction to Information Security , Spring 2016 Lecture 4: Applied cryptography: asymmetric Zvi Ostfeld Slides credit: Eran Tromer.
1 The RSA Algorithm Rocky K. C. Chang February 23, 2007.
Fourth Edition by William Stallings Lecture slides by Lawrie Brown
Overview Modern public-key cryptosystems: RSA
RSA Digital Signature Standards
B. R. Chandavarkar CSE Dept., NITK Surathkal
Factoring large integers
Digital Signature Schemes and the Random Oracle Model
Cryptography and Network Security
Digital Signatures…!.
Digital Signatures.
El Gamal and Diffie Hellman
Chapter 13 Digital Signature
Diffie-Hellman Key Exchange
Presentation transcript:

Hash Function Firewalls in Signature Schemes Burt Kaliski, RSA Laboratories IEEE P1363 Working Group Meeting June 2, 2000 (Rev. June 8, 2000)

Outline Hash function flexibility and firewalls Breaking firewalls in signature schemes Conclusions

Hash Function Flexibility Many signature schemes allow multiple hash functions, to enable improvement over time Signer typically selects from a small set Verifier may accept a larger set, for interoperability with many signers

Weak Hash Function Risks Signer accepts the risk that a hash function in its set may turn out to be weak –possibly enabling an attacker to forge signatures However, signer may also be at risk if a hash function in the verifiers set is weak Signer accepts the risk from its own choices, but needs some way to mitigate the risk due to the verifiers choices

Mitigating the Risk One approach is to limit the verifiers set to trusted hash functions –only SHA-1 in FIPS 186 –only ANSI-approved Another approach is for the signer to indicate acceptable hash functions in its certificate Alternatively, the signature scheme itself might somehow distinguish between different hash functions: a firewall

Hash Function Firewalls Apparently first suggested by J. Linn in development of Privacy-Enhanced Mail, ca RSA signature on message M: 1. Let f = Pad || HashID || Hash(M) 2. Apply RSA signature primitive to f HashID is a firewall against weak hash functions –protected directly by signature primitive –existing signatures cannot be reused with a different, weak hash function

Does It Work? Hash function firewalls have become a common practice in many signature schemes and standards A firewall prevents an attacker from reusing an existing signature with a different hash function But what about other kinds of signature forgery?

Summary of Results Firewalls in several signature schemes do not protect against signature forgery with a weak hash function If attacker can invert a hash function in these schemes, attacker can forge a signature Signer doesnt need to support the weak hash function doesnt even need to be involved! –same concept as presented by Brown and Johnson at the March 2000 P1363 meeting w.r.t. PV signatures but extended to address other signature schemes and hash function firewalls

Outline of Attacks ISO/IEC GQ from ISO/IEC –may extend to other schemes based on proofs of knowledge DSA with hash ID –extends to ECDSA PSS-R from IEEE P1363a D3

General Approach Attackers goal is twofold: 1. Develop a signature that identifies a weak hash function that the verifier accepts 2. Find a message M with the correct hash under the weak hash function Notation: –WeakHash: weak hash function –WeakHashID: identifier for weak hash function –M r : recoverable message part –M nr : nonrecoverable message part –M: message

ISO Scheme Signature scheme with message recovery based on integer factorization problem Recommendations for addressing weak hash function attacks: 1. Require a particular hash function … 2. Allow a set of hash functions and explicitly indicate in every signature the hash-function in use by an identifier included as part of the signature calculation … HashID is a one-byte ID from ISO 10118

ISO with a Firewall Public key: modulus n, exponent e Private key: d = e -1 mod (n) –RSA version; RW version is similar Sign(M r, M nr ) = s: 1. Let T = Hash(M r || M nr ) 2. Let f = 6b bb … bb ba || M r || T || HashID || cc 3. Let s = f d mod n Recover(M nr, s) = M r : 1. Let f = s e mod n 2. Decode f = 6b bb … bb ba || M r || T || HashID || cc 3. Check T = Hash(M r || M nr )

Does the Firewall Work? HashID prevents an attacker from reusing an existing signature with a different hash function But it doesnt prevent an attacker from forging a new signature with a weak hash function

Breaking the Firewall 1. Select s in [1,n-1] 2. Let f = s e mod n 3. Decode f = 6b bb … bb ba || M r || T || HashID || cc 4. If decode error or HashID WeakHashID, goto 1 5. Solve for M nr such that T = WeakHash(M r || M nr ) 6. Output M r, M nr, s Expect ~2 24 tries to get desired hash ID, padding

GQ Scheme from ISO/IEC Signature scheme with appendix based on discrete logarithm problem Recommendations for addressing weak hash function attacks: The hash-function identifier shall be included in the hash-token unless the hash-function is uniquely determined by the signature mechanism or by the domain parameters HashID is a one-byte ID from ISO 10118

GQ Signatures with a Firewall Domain parameters: modulus N, exponent V Public key: Y (identity-based) Private key: X = Y -1/V mod N Sign (M) = (R,S) 1. Let = K V mod N, K random 2. Let R = Hash( || M) || HashID 3. Let S = KX R mod N Verify (M, (R,S)): 1. Let = Y R S V mod N 2. Check R = Hash( || M) || HashID

Breaking the Firewall 1. Select S in [1,n-1], hash target T 2. Let R = T || WeakHashID 3. Let = Y R S V mod N 4. Solve for M such that T = WeakHash( || M) 5. Output M, (R,S) Only one try Target is prespecified, which may simplify inversion

DSA Scheme Signature scheme with appendix based on discrete logarithm problem In FIPS 186, a unique hash function: SHA-1 However, P1363 allows hash function flexibility Consider a variation of DSA with a firewall

DSA Signatures with a Firewall Domain parameters: prime p, base g, order q Public key y = g x mod p Private key x Sign (M) = (r,s): 1. Let r = (g k mod p) mod q, k random 2. Let R = Hash(M) || HashID 3. Let s = k -1 (R + xr) mod q Verify (M, (r,s)): 1. Let R = Hash(M) || HashID 2. Let a = Rs -1 mod q, b = rs -1 mod q 3. Check r = (g a y b mod p) mod q

Breaking the Firewall 1. Select a,b in [1,q-1] 2. Let r = (g a y b mod p) mod q 3. Let s = rb -1 mod q, R = as mod q 4. Decode R = T || HashID 5. If HashID WeakHashID, goto 1 6. Solve for M such that T = WeakHash(M) 7. Output M, (r,s) Expect ~256 tries for minimum q

PSS-R from IEEE P1363a D3 Signature scheme with message recovery based on integer factorization problem As drafted, a hash function firewall based on ISO 10118

PSS-R Signatures (D3 version) Public key: modulus n, exponent e Private key: d = e -1 mod (n) Sign(M r, M nr ) = s: 1. Let T = Hash(salt || len(M r ) || Hash(M r || M nr )) 2. Let U = G(T) (salt || 00 … 01 || M r ) 3. Let f = 6b || T || U || HashID || cc 4. Let s = f d mod n Recover(M nr, s) = M r : 1. Let f = s e mod n 2. Decode f = 6b || T || U || HashID || cc 3. Decode U G(T) = (salt || 00 … 01 || M r ) 4. Check T = Hash(salt || len(M r ) || Hash(M r || M nr ))

Breaking the Firewall 1. Select s in [1,n-1] 2. Let f = s e mod n 3. Decode f = 6b || T || U || HashID || cc 4. Decode U G(T) = (salt || 00 … 01 || M r ) 5. If decode error or HashID WeakHashID, goto 1 6. Solve for M nr such that T = WeakHash(salt || len(M r ) || WeakHash(M r || M nr )) 7. Output M r, M nr, s Expect ~2 32 tries

Comparison of Attacks Decreasing difficulty for attacker: –PSS-R: ~2 32 tries, M r constrained –ISO : ~2 24 tries, M r constrained –DSA: ~256 tries, none of message constrained –GQ: one try, hash target specified by attacker None of the attacks involves the actual signer all can be performed with access only to the signers public key

Other Schemes with Firewalls ISO/IEC (= DL/ECSSR in IEEE P1363a D4) –optional firewall, can be broken ANSI X9.31 –firewall is protected if minimum amount of padding, met in typical use PKCS #1 v1.5 –firewall is protected by minimum amount of padding PSS and PSS-R in IEEE P1363a D4 –no hash ID firewall, yet still protected if minimum amount of padding and G function is based on underlying hash function, except for pathological cases

PSS-R Signatures (D4 version) Sign(M r, M nr ) = s: 1. Let T = Hash(len(M r ) || M r || Hash(M nr ) || salt) 2. Let U = G(T) (00 … 01 || M r || salt) 3. Let f = U || T || bc 4. Let s = f d mod n Recover(M nr, s) = M r : 1. Let f = s e mod n 2. Decode f = U || T || bc 3. Decode U G(T) = (00 … 01 || M r || salt) 4. Check T = Hash(len(M r ) || M r || Hash(M nr ) || salt)

Firewall Without a Hash ID With two requirements, the current PSS-R can heurisitically protect against weak hash function attacks: –G must be based on the underlying hash function –(00 … 01 || M r || salt) must have a minimum amount of padding These requirements protect against weaknesses in conventional hash functions –only pathological hash functions are a risk, and these are unlikely to be accepted by a verifier Padding requirement met by PSS with appendix (i.e., M r empty) for typical hash function sizes

Firewall Protection Attacker wants f = s e that can be decoded as f = U || T || bc U G(T) = (00 … 01 || M r || salt) Existing signatures cannot be reused with a weak hash function because G(T) will be different New signatures cannot be forged because U G(T) will be unlikely to have the minimum padding, for random f –inverting the hash function doesnt help –only attack is to coerce verifier to use a pathological hash function constructed to match the format

Schemes without Firewalls Full Domain Hashing Pintsov-Vanstone These were not intended to protect against weak hash functions, as originally specified But if they had a hash ID firewall, the firewall could be broken –for PV scheme, extension of attack on the non-firewall version (see D. Brown and D. Johnson, Formal Security Proofs for a Signature Scheme with Partial Message Recovery, /Research)

Conclusions Hash function firewalls dont necessarily prevent weak hash function attacks! Scheme-specific analysis is needed –some schemes are protected, perhaps with a minimum amount of padding –some schemes are not Formal definitions of security against weak hash function attacks would be helpful In general, a verifier should be careful about the hash functions it accepts

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.