Presentation is loading. Please wait.

Presentation is loading. Please wait.

DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 Digital Signatures Authentication.

Similar presentations


Presentation on theme: "DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 Digital Signatures Authentication."— Presentation transcript:

1 DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 Digital Signatures Authentication Protocols Digital Signature Standard

2 AUTHENTICATION vs SIGNATURE AUTHENTICATION vs SIGNATURE Authentication auth A  B protects against {C} Signature sign A  B protects against {A,C}

3 SIGNATURE CHARACTERISTICS SIGNATURE CHARACTERISTICS Author Verifiable Date Authenticate by Time Contents Third Party

4 SIGNATURE TYPES SIGNATURE TYPES Direct X  Y weakness: security of private key Arbitrated + date X  A  Y

5 ARBITRATED DIGITAL SIGNATURE TECHNIQUES

6 Table 13.1: Scheme (a) Arbiter Sees Message Table 13.1: Scheme (a) Arbiter Sees Message Conventional Encryption: After X  A  Y Dispute between X and Y Y  A: E K ay [ID x ||M||E K ax [ID x ||H(M)]]

7 Table 13.1: Scheme (b) Arbiter Does Not See Message Table 13.1: Scheme (b) Arbiter Does Not See Message Conventional Encryption: Arbiter : neither can read message Eavesdropper

8 Table 13.1: Scheme (c) Arbiter Does Not See Message Table 13.1: Scheme (c) Arbiter Does Not See Message Public-Key (double) Encryption: advantages: 1. No information shared before communication 2. if KRx compromised date is still correct 3. message secret from Arbiter and Eavesdropper

9 REPLAY ATTACKS REPLAY ATTACKS Simple Replay: X  m E  m Logged Replay: X  m||T 0 t E  m||T 0 (< T 0 later) i m Undetected Replay:X  m e E  m  Backward Replay: X  m X  m E

10 TIMESTAMP TIMESTAMP m||T X Y synchronized clocks

11 CHALLENGE/RESPONSE CHALLENGE/RESPONSE Use NONCE: N X Y m||N X Y handshake required

12 ATTACK ON Fig 7.9 E avesdropper gets Old K s : Replay Step 3 Intercept Step 4 Impersonate Step 5 Bogus Messages  Y

13 SOLUTION: TIMESTAMP 1.A  ID A ||ID B KDC 2. KDC  E K A [ K S ||ID B ||T||E K B [K S ||ID A ||T] ] A 3. A  E K B [K S ||ID A ||T] B 4. B  E K S [N 1 ] A 5. A  E K S [f(N 1 )] B

14 CLOCK ATTACKS CLOCK ATTACKS To counteract: Suppress – Replay attacks: 1. Check clocks regularly use KDC clock 2. Handshaking via Nonce

15 AN IMPROVED PROTOCOL over Fig 7.9 AN IMPROVED PROTOCOL over Fig 7.9 To counteract suppress-replay attacks: A  ID A || N A B B  ID B ||N B ||E KB [ID A ||N A ||T B ] KDC KDC  E K A [ID B ||N A ||K S ||T B ]||E K B [ID A ||K S ||T B ]||N B A 4. A  E K B [ID A ||K S ||T B ]||E K S [N B ] B No clock synch. T B only checked by B

16 AUTHENTICATION SERVER AUTHENTICATION SERVER - no secret key distribution (public key) A  ID A ||ID B AS AS  E KR AS [ID A ||KU A ||T]||E KR AS [ID B ||KU B ||T] A 3. A  E KR AS [ID A ||KU A ||T]||E KR AS [ID B ||KU B ||T]||E KU B [E KR A [K S ||T]] B Problem: Clock Synch.

17 ALTERNATIVE NONCE PROTOCOL ALTERNATIVE NONCE PROTOCOL 1. A  ID A ||ID B KDC 2. KDC  E KR auth [ID B ||KU B ] A 3. A  E KU B [N A ||ID A ] B 4. B  ID B ||ID A ||E KUauth [N A ] KDC 5. KDC  E KR auth [ID A ||KU A ]||E KU B [E KR auth [N A ||K S ||ID A ||ID B ]] B 6. B  E KU A [E KR auth [N A ||K S ||ID A ||ID B ]||N B ] A 7. A  E K S [N B ] B

18 ONE-WAY AUTHENTICATION ONE-WAY AUTHENTICATION (e.g. email) Encrypt Message Authenticate Sender

19 SYMMETRIC-KEY (one-way auth.) SYMMETRIC-KEY (one-way auth.) 1. A  ID A ||ID B ||N 1 KDC 2. KDC  E K A [K S ||ID B ||N 1 ||E K B [K S ||ID A ]] A 3. A  E K B [K S,ID A ]||E K S [M] B

20 PUBLIC-KEY (one-way auth.) PUBLIC-KEY (one-way auth.) Use Figs 11.1b,c, and d or A  E KU B [K S ]||E K S [M] B or A  M||E KR A [H(M)] B

21 PUBLIC-KEY (one-way auth.) PUBLIC-KEY (one-way auth.) Send A’s public key to B A  M||E KR A [H(M)]||E KR AS [T||ID A ||KU A ] B

22 DSS : USES SHA-1 DSS : USES SHA-1 Signature YES Encryption NO Key-Exchange NO

23 DSS : USES SHA-1

24 DISCRETE LOG DISCRETE LOG p,q,g – global public keys x - user private key y - user public key k - user per-message secret number r = (g k mod p) mod q s = [k -1 (H(M) + xr)] mod q Signature = (r,s) precompute g k, k -1

25 VERIFY VERIFY w = (s’) -1 mod q u 1 = [H(M’)w] mod q u 2 = (r’)w mod q v = [(g u 1.y u 2 ) mod p] mod q where y = g x mod p v = r’ ? y = g x is one-way: x  y YES y  x NO

26 DIGITAL SIGNATURE ALGORITHM

27 DSS SIGNING AND VERIFYING


Download ppt "DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 Digital Signatures Authentication."

Similar presentations


Ads by Google