Presentation is loading. Please wait.

Presentation is loading. Please wait.

Announcements:Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 30.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Announcements:Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 30."— Presentation transcript:

1 Announcements:Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 30

2 RSA Signatures allow you to recover the message from the signature; ElGamal signatures don’t Sig = f(user, message) RSA Alice chooses: p,q, n=pq, p,q, n=pq, e: gcd(n, (p-1)(q-1))=1, e: gcd(n, (p-1)(q-1))=1, d: ed ≡ 1(mod ((p-1)(q-1)) d: ed ≡ 1(mod ((p-1)(q-1)) Publishes n, e Alice’s signature: y ≡ m d (mod n). Delivers (m, y) y ≡ m d (mod n). Delivers (m, y) Bob’s verification: Does m ≡ y e (mod n)? Does m ≡ y e (mod n)? ElGamal Alice chooses: p,primitive root , secret a, and  ≡  a (mod p) p,primitive root , secret a, and  ≡  a (mod p) Publishes (p,  ), keeps a secret Publishes (p,  ), keeps a secret Alice’s signature: Chooses k: random, gcd(k, p-1)=1 Chooses k: random, gcd(k, p-1)=1 Sends m, (r,s), where: Sends m, (r,s), where: r ≡  k (mod p) s ≡ k -1 (m – ar) (mod p-1) Bob’s verification: Does  r r s ≡  m (mod p)? Does  r r s ≡  m (mod p)?

3 It’s quicker to sign a short digest than to sign a long message Note that we need to choose n > m in RSA, p > m in ElGamal Problem: m could be long! Problem: m could be long! But h(m) is short! But h(m) is short! So Alice sends (m, sig(h(m))) Eve intercepts this, wants to sign m’ with Alice’s signature, so needs sig(h(m’)) = sig(h(m)), and thus h(m)=h(m’) Why can’t she do this? Why can’t she do this?

4 Birthday attacks can be successful on signatures that are too short Slightly different paradigm: two rooms with r people each. What’s the probability that someone in this room has the same birthday as someone in the other room. Approximation: Note that we divide by N, not 2N. Note that we divide by N, not 2N. But setting the probability = 0.5 and solving for r, we get r=c*sqrt(n) again (where c=sqrt(ln 2)~.83) But setting the probability = 0.5 and solving for r, we get r=c*sqrt(n) again (where c=sqrt(ln 2)~.83) Consider a 50-bit hash. Only need 2^25 documents Consider a 50-bit hash. Only need 2^25 documents These are relatively easy to generate, actually. These are relatively easy to generate, actually.

5 Birthday attacks on signatures Mallory generates 2 groups of documents: Want a match (m 1, m 2 ) between them such that h(m 1 ) = h(m 2 ) Mallory sends (m 1, h(m 1 )) to Alice, who returns signed copy: (m 1, sig(h(m 1 )). Mallory replaces m 1 with m 2 and uses sig(h(m 1 ) as the signature. The pair (m 2, sig(h(m 1 )) looks like Alice’s valid signature! The pair (m 2, sig(h(m 1 )) looks like Alice’s valid signature! Alice’s defense? What can she do to defend herself? r “good docs” r “fraudulent docs”

6 Alice’s defense She changes a random bit herself! Note this changes her signature: (m 1 ’, sig(h(m 1 ’)) Mallory is forced to generate another message with the same hash as this new document. Mallory is forced to generate another message with the same hash as this new document. Good luck! Good luck!Lessons: Birthday attacks essentially halve the number of bits of security. Birthday attacks essentially halve the number of bits of security. So SHA-1 is still secure against them Make a minor change to the document you sign! Make a minor change to the document you sign!

7 Code-talkers? http://xkcd.com/c257.html As far as I can tell, Navajo doesn’t have a word for zero. Do-neh-lini means neutral.

8 DSA: Digital Signature Algorithm 1994 Similar to ElGamal signature with appendix signature with appendix But verification is faster But verification is faster And it’s guaranteed to be more secure And it’s guaranteed to be more secure Assume m is already hashed using SHA: so we are signing a 160-bit message, m.

9 DSA: Digital Signature Algorithm Alice’s Setup: m: 160-bit message m: 160-bit message q: 160-bit prime q: 160-bit prime p: 512-bit prime, such that q is a factor of (p-1) p: 512-bit prime, such that q is a factor of (p-1) g: a primitive root of p. g: a primitive root of p.  ≡g (p-1)/q (mod p)  ≡g (p-1)/q (mod p) Then  q ≡ 1 (mod p). (Why?)  ≡  a. Secret a, 0 < a < q-1  ≡  a. Secret a, 0 < a < q-1 Publishes: (p,q,  ) Publishes: (p,q,  ) Sig = (r,s) random k, 0 < k < q-1 random k, 0 < k < q-1 r ≡  k (mod q) r ≡  k (mod q) s = k -1 (m + ar) (mod q) s = k -1 (m + ar) (mod q)Verify: Compute u1 ≡ s -1 m (mod q), u2 ≡ s -1 r (mod q) Compute u1 ≡ s -1 m (mod q), u2 ≡ s -1 r (mod q) Does (  u1  u2 (mod p))(mod q) = r? Does (  u1  u2 (mod p))(mod q) = r? q=17 p=103 g=2  =? 1-3

10 DSA: Digital Signature Algorithm Alice’s Setup: m: 160-bit message m: 160-bit message q: 160-bit prime q: 160-bit prime p: 512-bit prime, such that q is a factor of (p-1) p: 512-bit prime, such that q is a factor of (p-1) g: a primitive root of p. g: a primitive root of p.  ≡g (p-1)/q (mod p)  ≡g (p-1)/q (mod p) Then  q ≡ 1 (mod p). (Why?)  ≡  a. Secret a, 0 < a < q-1  ≡  a. Secret a, 0 < a < q-1 Publishes: (p,q,  ) Publishes: (p,q,  ) Sig = (r,s) random k, 0 < k < q-1 random k, 0 < k < q-1 r ≡  k (mod q) r ≡  k (mod q) s = k -1 (m + ar) (mod q) s = k -1 (m + ar) (mod q)Verify: Compute u1 ≡ s -1 m (mod q), u2 ≡ s -1 r (mod q) Compute u1 ≡ s -1 m (mod q), u2 ≡ s -1 r (mod q) Does (  u1  u2 (mod p))(mod q) = r? Does (  u1  u2 (mod p))(mod q) = r? q=17 p=103 g=2  =64 Advantages over ElGamal? In ElGamal, if you could solve r =  k (mod p) by Pollig-Hellman, you’d have k. In ElGamal, if you could solve r =  k (mod p) by Pollig-Hellman, you’d have k. In DSA, (p-1) has a large factor, q. In DSA, (p-1) has a large factor, q. If you could solve the non-q factors, there would still be q possibilities for k. If you could solve the non-q factors, there would still be q possibilities for k. How many ints (mod p) give a specific int (mod q)? How many ints (mod p) give a specific int (mod q)? 4

11 DSA: Digital Signature Algorithm Alice’s Setup: m: 160-bit message m: 160-bit message q: 160-bit prime q: 160-bit prime p: 512-bit prime, such that q is a factor of (p-1) p: 512-bit prime, such that q is a factor of (p-1) g: a primitive root of p. g: a primitive root of p.  ≡g (p-1)/q (mod p)  ≡g (p-1)/q (mod p) Then  q ≡ 1 (mod p). (Why?)  ≡  a. Secret a, 0 < a < q-1  ≡  a. Secret a, 0 < a < q-1 Publishes: (p,q,  ) Publishes: (p,q,  ) Sig = (r,s) random k, 0 < k < q-1 random k, 0 < k < q-1 r ≡  k (mod q) r ≡  k (mod q) s = k -1 (m + ar) (mod q) s = k -1 (m + ar) (mod q)Verify: Compute u1 ≡ s -1 m (mod q), u2 ≡ s -1 r (mod q) Compute u1 ≡ s -1 m (mod q), u2 ≡ s -1 r (mod q) Does (  u1  u2 (mod p))(mod q) = r? Does (  u1  u2 (mod p))(mod q) = r? q=17 p=103 g=2  =64 How hard is it to search for a 512-bit prime p = kq + 1 for some even number k? How do we search for primes? How do we search for primes? 1/115 of odd 100-digit numbers are prime. 1/115 of odd 100-digit numbers are prime. What fraction of odd 512-bit integers are prime? What fraction of odd 512-bit integers are prime? Recall our discussion of the density of primes Recall our discussion of the density of primes

12 (Day 21) Using within a primality testing scheme Finding large probable primes #primes < x = #primes < x = Density of primes: ~1/ln(x) For 100-digit numbers, ~1/230. So ~1/115 of odd 100-digit numbers are prime Can start with a random large odd number and iterate, applying M-R to remove composites. We’ll soon find one that is a likely prime. Odd? div by other small primes? Prime by Factoring/ advanced techn.? n no yes prime Pass M-R?

13 DSA: Digital Signature Algorithm Alice’s Setup: m: 160-bit message m: 160-bit message q: 160-bit prime q: 160-bit prime p: 512-bit prime, such that q is a factor of (p-1) p: 512-bit prime, such that q is a factor of (p-1) g: a primitive root of p. g: a primitive root of p.  =g (p-1)/q (mod p)  =g (p-1)/q (mod p) Then  q = 1 (mod p). (Why?)  =  a. Secret a, 0 < a < q-1  =  a. Secret a, 0 < a < q-1 Publishes: (p,q,  ) Publishes: (p,q,  ) Sig = (r,s) random k, 0 < k < q-1 random k, 0 < k < q-1 r =  k (mod p) r =  k (mod p) s = k -1 (m + ar) (mod q) s = k -1 (m + ar) (mod q)Verify: Compute u1 = s -1 m, u2 = s -1 r Compute u1 = s -1 m, u2 = s -1 r Does (a u1 b u2 (mod p))(mod q) = r? Does (a u1 b u2 (mod p))(mod q) = r? Show that order of ops matters: (  k (mod p))(mod q) ≠ (  k (mod q))(mod p) Easier: find (a (mod p))(mod q) ≠ (a(mod q))(mod p) 5

14 Latest versions Recommended: SHA-224/256/384/512 as the hash function SHA-224/256/384/512 as the hash function q of size 224 and 256 bits q of size 224 and 256 bits p of size 2048 and 3072. p of size 2048 and 3072.http://csrc.nist.gov/publications/drafts/fips_186-3/Draft_FIPS-186-3%20_November2008.pdf

Download ppt "Announcements:Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 30."

Similar presentations

RSA.

RSA.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Cryptography and Network Security

Cryptography and Network Security
Announcements: 1. Congrats on reaching the halfway point once again! 2. DES graded soon 3. Short “pop” quiz on Ch 3. (Thursday at earliest) 4. Reminder:

Announcements: 1. Congrats on reaching the halfway point once again! 2. DES graded soon 3. Short “pop” quiz on Ch 3. (Thursday at earliest) 4. Reminder:
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Announcements:Questions? This week: Digital signatures, DSA Digital signatures, DSA Secret sharing Secret sharing DTTF/NB479: DszquphsbqizDay 29.

Announcements:Questions? This week: Digital signatures, DSA Digital signatures, DSA Secret sharing Secret sharing DTTF/NB479: DszquphsbqizDay 29.
Announcements: 1. Term project groups and topics due midnight 2. HW6 due next Tuesday. Questions? This week: Primality testing, factoring Primality testing,

Announcements: 1. Term project groups and topics due midnight 2. HW6 due next Tuesday. Questions? This week: Primality testing, factoring Primality testing,
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
Announcements: 1. Pass in Homework 5 now. 2. Term project groups and topics due by Friday 1.Can use discussion forum to find teammates 3. HW6 posted, due.

Announcements: 1. Pass in Homework 5 now. 2. Term project groups and topics due by Friday 1.Can use discussion forum to find teammates 3. HW6 posted, due.
Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.

Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.
HW6 due tomorrow Teams T will get to pick their presentation day in the order Teams T will get to pick their presentation day in the orderQuestions? Review.

HW6 due tomorrow Teams T will get to pick their presentation day in the order Teams T will get to pick their presentation day in the orderQuestions? Review.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Announcements: 1. Presentations start Friday 2. Cem Kaner presenting O167 10 th block today. Questions? This week: DSA, Digital Cash DSA, Digital Cash.

Announcements: 1. Presentations start Friday 2. Cem Kaner presenting O th block today. Questions? This week: DSA, Digital Cash DSA, Digital Cash.
Introduction to Modern Cryptography Homework assignments.

Introduction to Modern Cryptography Homework assignments.
Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,

Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,
Pass in HW6 now Can use up to 2 late days Can use up to 2 late days But one incentive not to burn them all: teams will get to pick their presentation day.

Pass in HW6 now Can use up to 2 late days Can use up to 2 late days But one incentive not to burn them all: teams will get to pick their presentation day.
Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.

Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.

Similar presentations

Ads by Google