Lecture 9 Overview
Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature Authentic: A signature is produced only by the signer deliberately signing the document
Digital Signature Properties Non-Alterable: A signed document cannot be altered without invalidating the signature Non-Reusable: A signature from one document cannot be moved to another document Signatures can be validated by other users – the signer cannot reasonably claim that he/she did not sign a document bearing his/her signature CS 450/650 Lecture 9: Digital Signatures 3
Digital Signature Using RSA The RSA public-key cryptosystem can be used to create a digital signature for a message m – Asymmetric Cryptographic techniques are well suited for creating digital signatures The signer must have an RSA public/private key pair – c = M e mod n – M = c d mod n CS 450/650 Lecture 9: Digital Signatures 4
Signature Generation (Signer) Message SignaturePrivate Key Redundancy Function Formatted Message Encrypt CS 450/650 Lecture 9: Digital Signatures 5
Signature Verification Message Signature Public Key Verify Formatted Message Decrypt CS 450/650 Lecture 9: Digital Signatures 6
Redundancy Function The choice of a poor redundancy function can make RSA vulnerable to forgery A good redundancy function should make forging signatures much harder CS 450/650 Lecture 9: Digital Signatures 7
Example generate signature S – d = 53 – e = 413 – n = 629 – m = 7 – Assume that R(X) = XX S = R(m) e mod n – S = mod 629 = 25 CS 450/650 Lecture 9: Digital Signatures 8
Example verify signature with message recovery – Public key (e) = 413 – n = 629 – S = 25 R(m) = S e mod n – R(m) = mod 629 = 77 The verifier then checks that R(m) is of the form XX for some message X – m = R -1 (m) = 7 CS 450/650 Lecture 9: Digital Signatures 9
Forging signature (revisited) Choose a random number between 0 and n-1 for S – S = 323 Use the signer’s public key to decrypt S – R(m) = mod 629 = 85 However, 85 is not a legal value for R(m) – so S = 323 is not a valid signature CS 450/650 Lecture 9: Digital Signatures 10
Privacy Signature provides only authenticity. How can we provide privacy in addition? CS 450/650 Lecture 9: Digital Signatures 11
Getting a Message Digest from a document Hash Message Digest CS 450/650 Lecture 9: Digital Signatures 12
Generating Signature Message Digest Signature Encrypt using private key CS 450/650 Lecture 9: Digital Signatures 13
Appending Signature to document Append Signature CS 450/650 Lecture 9: Digital Signatures 14
Verifying Signature Hash Decrypt using public key Message Digest Message Digest CS 450/650 Lecture 9: Digital Signatures 15
Lecture 10 Key Exchange CS 450/650 Fundamentals of Integrated Computer Security Slides are modified from Lawrie Brown
Key Management public-key encryption helps address key distribution problems have two aspects of this: – distribution of public keys – use of public-key encryption to distribute secret keys CS 450/650 Lecture 10: Key Exchange 17
Distribution of Public Keys can be considered as using one of: – public announcement – publicly available directory – public-key authority – public-key certificates CS 450/650 Lecture 10: Key Exchange 18
Public Announcement users distribute public keys to recipients or broadcast to community at large – eg. append PGP keys to messages or post to news groups or list major weakness is forgery – anyone can create a key claiming to be someone else and broadcast it – until forgery is discovered attacker can masquerade as claimed user CS 450/650 Lecture 10: Key Exchange 19
Publicly Available Directory can obtain greater security by registering keys with a public directory directory must be trusted with properties: – contains {name, public-key} entries – participants register securely with directory – participants can replace key at any time – directory is periodically published – directory can be accessed electronically still vulnerable to tampering or forgery CS 450/650 Lecture 10: Key Exchange 20
Public-Key Authority improve security by tightening control over distribution of keys from directory has properties of directory requires users to know public key for the directory users interact with directory to obtain any desired public key securely requires real-time access to directory when keys are needed CS 450/650 Lecture 10: Key Exchange 21
Public-Key Authority CS 450/650 Lecture 10: Key Exchange 22
Public-Key Certificates certificates allow key exchange without real- time access to public-key authority a certificate binds identity to public key – usually with other info such as period of validity, rights of use all contents signed by a trusted Public-Key or Certificate Authority (CA) can be verified by anyone who knows the public-key authority’s public-key CS 450/650 Lecture 10: Key Exchange 23
Public-Key Certificates CS 450/650 Lecture 10: Key Exchange 24
Distribution of Secret Keys use previous methods to obtain public-key can use for secrecy or authentication public-key algorithms are slow usually prefer to use private-key encryption to protect message contents hence need a session key have several alternatives for negotiating a suitable session CS 450/650 Lecture 10: Key Exchange 25
Simple Secret Key Distribution proposed by Merkle in 1979 – A generates a new temporary public key pair – A sends B the public key and the identity – B generates a session key K sends it to A encrypted using the supplied public key – A decrypts the session key and both use Man in the middle attack: – an opponent can intercept and impersonate both halves of protocol CS 450/650 Lecture 10: Key Exchange 26
Public-Key Distribution of Secret Keys if have securely exchanged public-keys: CS 450/650 Lecture 10: Key Exchange 27
Diffie-Hellman Key Exchange
public-key type scheme – proposed in 1976 – note: now know that Williamson (UK CESG) secretly proposed the concept in 1970 A practical method for public exchange of a secret key Used in a number of commercial products CS 450/650 Lecture 10: Diffie-Hellman Key Exchange 29
Diffie-Hellman Key Exchange public-key distribution scheme – cannot be used to exchange an arbitrary message – rather it can establish a common key – known only to the two participants based on exponentiation in a finite field – modulo a prime or a polynomial security relies on the difficulty of computing discrete logarithms CS 450/650 Lecture 10: Diffie-Hellman Key Exchange 30
Diffie-Hellman Setup all users agree on global parameters: – large prime integer or polynomial p – g = primitive root mod p for every integer a that has gcd(a, p) = 1, there is an integer k such that g k ≡ a (mod p) each user generates their key – chooses a secret key (number): a < p – compute their public key: A = g a mod p CS 450/650 Lecture 10: Diffie-Hellman Key Exchange 31
Diffie-Hellman Key Exchange shared session key for users is K AB : – K AB = g ab mod p = A b mod p (which B can compute) = B a mod p (which A can compute) g can be small – 2 or 5 is common a, b, p should be large attacker needs a or b to obtain the session key – must solve discrete log CS 450/650 Lecture 10: Diffie-Hellman Key Exchange 32
Diffie-Hellman Example users Alice & Bob who wish to swap keys – agree on prime p=353 and g=3 select random secret keys: – A chooses a=97, B chooses b=233 compute respective public keys: – A=3 97 mod 353 = 40(Alice) – B=3 233 mod 353 = 248(Bob) compute shared session key as: – K AB = B a mod 353 = = 160(Alice) – K AB = A b mod 353 = = 160(Bob) CS 450/650 Lecture 10: Diffie-Hellman Key Exchange 33
Key Exchange Protocols users could create random Diffie-Hellman keys each time they communicate users could create a known Diffie-Hellman key and publish in a directory, then consulted and used to securely communicate with them both of these are vulnerable to a man-in-the- middle attack – authentication of the keys is needed CS 450/650 Lecture 10: Diffie-Hellman Key Exchange 34