
Årskonference 2003 Theory and Practice of Personal Digital Signatures - The ITSCI project Ivan Damgård, University of Aarhus.


2 Quote from a typical paper in Theory of Cryptography
”Player Pi signs message m with secret key sk and sends the signature Sign_sk(m) to Pj”
Anything wrong with that?
In practice ”Pi” is typically not a single entity, but a conglomerate of a human user and some machines that store the key and compute the signature: a PC, a handheld authentication device, a server, ...
We would like to protect the user even if some of the machines involved are corrupt.
The standard model misses some important issues because it cannot capture this.

3 Example: The problem with software signatures
[Diagram: the password gives access to the private key stored on the PC, which produces the transaction and its digital signature; the PC is exposed to hacking, phishing, etc.]

4 Solutions?
External hardware – a ”gadget” producing a one-time code that you type on the PC. The code sometimes even depends on the transaction. This must be secure?
The good news: yes, it helps – simple phishing no longer works, you have to get the gadget as well.
The bad news...

5 The man in the middle..
[Diagram: the gadget's 1-time code passes through the PC, which is exposed to hacking, phishing, etc. The user believes the transaction ”500 € for Ronald” is being signed, while the transaction, digital signature and/or 1-time code actually cover ”500.000 € for Hackers Unlimited”.]

6 The Problem
The ”gadget” can’t tell the user what it is doing. The user cannot verify whether the 1-time code corresponds to the correct transaction.
Therefore, it is still enough to break into one entity if you are clever enough.
Extra gadgets are only the ultimate solution if they can talk to your PC - and to you!

7 Can we do better?
So we need external hardware that talks to the user and the PC and can present the transaction? Reasonable computing power, operating system, display, communication...
In other words, a computer, maybe a mobile phone – that can be attacked. Why trust the mobile more than the PC?

8 A possible solution: divide and conquer
From ”it all depends on the PC” to ”it all depends on the mobile or the PDA” – no progress.
Alternative idea: have your digital identity live in several places at the same time, e.g., keep user-specific info both in a mobile unit and in a server.
The hope: get the benefits of an intelligent mobile unit, yet all is not lost if it is stolen or hacked.

9 Secret Sharing a key..
[Diagram: normal digital signature: key + ”500 € to Ronald” = signature. Digital signature with shared key: two key shares, each applied to ”500 € to Ronald”, give two partial results that combine into the same signature.]

10 Sharing an RSA key..
Normal digital signature: key (n,d) + ”500 € to Ronald” = signature, i.e. m -> m^d mod n.
Digital signature with shared key, d = dS + dM:
server share (n,dS): m -> m^dS mod n
mobile share (n,dM): m -> m^dM mod n
combined: m^dS · m^dM mod n = m^(dS+dM) mod n = m^d mod n

11 A simple protocol..
[Diagram: the mobile unit, the PC and the Server cooperate to produce the transaction ”500 € for Ronald” and its digital signature; the Server is accessed with a server password.]
Secure if at most one unit is corrupt.

12 A bit too simple, however..
The mobile unit must do a full-scale exponentiation. Too slow, even on modern phones, when done in a high-level language, e.g., Java.
Maybe the PC can help? – however, it is not secure to give dM to the PC.
A tool for a solution: pseudo-random functions (PRF). A PRF f depends on a key K and an input x. The adversary does not know K, gets to choose x, and is given either f_K(x) or a random r; the adversary cannot tell the difference.
Efficient implementation: your favorite block cipher.

13 Outsourcing Computation to Terminal (PC)
Let f be a PRF and give the key K to M and to S. To sign m:
M computes b(m) = dM + f_K(m) and sends it to T.
T computes m^b(m) mod n and sends this and m to S.
S computes a(m) = dS - f_K(m) and m^a(m) · m^b(m) mod n, and tests whether this is a valid signature. If yes, it returns it to T.
Much faster for M. No information on d for T. The randomization depends on m, so a corrupt T cannot use b(m) to get anything except m signed.

14 Proactive Security – or What if the mobile is stolen?
The bad news: secret key lost, can’t issue signatures.
The good news: we know there’s a problem, can set up a new mobile unit.
Solution: User and Server store a back-up sharing of the key, d = u + s.
The user gives u to the new mobile (e.g., scans a 2-D barcode).
The sharing is updated with fresh randomness, d = (u+r) + (s-r); this needs one secure message from S to M.
The resulting protocol is proactively UC secure if at most one unit is corrupt in each phase.
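An added worked example, not code from the talk or the ITSCI prototype, covering slides 10, 13 and 14 together: additive sharing of an RSA exponent between mobile M and server S, the PRF-blinded outsourcing of the exponentiation to the terminal T, and the proactive refresh of the shares. It assumes a constructed toy modulus (far too small for real use) and uses HMAC-SHA256 as the PRF in place of a block cipher; all function names are mine.

```python
import hashlib, hmac, secrets

# Constructed demo key from two Mersenne primes (about 150 bits, NOT a secure size).
P, Q = 2**61 - 1, 2**89 - 1
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537
D = pow(E, -1, PHI)                      # full private exponent, seen only at setup

def share_key(d, modulus=PHI):
    """Additive sharing d = dS + dM (mod phi): one share for S, one for M."""
    d_m = secrets.randbelow(modulus)
    return (d - d_m) % modulus, d_m      # (dS, dM)

def digest(msg: bytes) -> int:
    """Hash-then-sign: the value that actually gets exponentiated."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def prf(key: bytes, msg: bytes) -> int:
    """f_K(m): HMAC-SHA256 standing in for the block-cipher PRF shared by M and S."""
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")

def sign_outsourced(msg, d_s, d_m, k):
    """Slide-13 flow: M blinds its share, T does the big exponentiation, S finishes."""
    h = digest(msg)
    b = d_m + prf(k, msg)                # M: b(m) = dM + f_K(m), sent to terminal T
    part_t = pow(h, b, N)                # T: m^b(m) mod n, forwarded with m to S
    a = d_s - prf(k, msg)                # S: a(m) = dS - f_K(m), may be negative
    sig = (pow(h, a, N) * part_t) % N    # S: m^a(m) * m^b(m) = m^d mod n; a negative
                                         #    exponent is handled by Python's modular
                                         #    inverse (needs gcd(h, n) = 1, Python >= 3.8)
    if pow(sig, E, N) != h:              # S releases only a signature that verifies
        raise ValueError("combined signature invalid: a share or T misbehaved")
    return sig

def verify(msg, sig):
    return pow(sig, E, N) == digest(msg)

def refresh(d_s, d_m):
    """Proactive refresh d = (u+r) + (s-r): fresh r, so old and new shares don't mix."""
    r = secrets.randbelow(PHI)
    return (d_s - r) % PHI, (d_m + r) % PHI

if __name__ == "__main__":
    d_s, d_m = share_key(D)
    k = secrets.token_bytes(32)          # PRF key K held by M and S
    m = b"500 EUR to Ronald"             # constructed transaction text
    print(verify(m, sign_outsourced(m, d_s, d_m, k)))
```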

15 Usability – Security
Potentially easier for the user than typing 1-time codes.
Mobility: can be done from any PC.
Not necessary to use a hardware token that is only for security. You bring your mobile anyway.
Must have communication with the PC – or with the net. Bluetooth is a possibility. Longer term: near-field communication.
Secure as long as break-ins occur in only one place simultaneously.
The server cannot sign on its own.
Lives under standard PKI.

16 IT-Security for Citizens, ITSCI
Based at: University of Aarhus
Leader: Ivan Damgård
Researchers: Susanne Bødker, Kaj Grønbæk
PhD students: Gert Mikkelsen, Niels Mathiasen
Programmer: Daniel Andersson
Partners: University of Aarhus, PBS, TDC, GiriTech, Cryptomathic, Danske Bank
Supported by the Danish Strategic Research Council

17 Idea behind ITSCI
Security depends both on technology and usability. Solving the problems demands cooperation between expertise in both technical/crypto and human-computer interaction. We have seen far too little of this so far.
ITSCI is possibly the first Danish attempt to include both types of researchers.

18 In practice
1. A prototype of the system has been developed. It uses a mobile phone, talks to the PC via Bluetooth, and is compatible with the Danish nation-wide PKI. Java application on the phone, applet sent to the PC when needed.
Next steps: a solution for back-up of the private key, so you can survive theft of the mobile unit without having to start everything from scratch and get a new certificate. Also need to look at key generation.
