Download presentation
Presentation is loading. Please wait.
Published byJasper Stokes Modified over 9 years ago
1
Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall 2011 1
2
Dispute of message authentication ▫Message authentication protects two parties who exchange messages from any third party. However, it does not protect the two parties against each other. ▫Several forms of dispute between the two are possible 2 Digital Signature
3
▫The following disputes could arise Receiver may forge a different message and claim that it came from sender. Sender can deny sending the message 3 Problem of Authentication
4
Generic Model of Digital Signature Process 4
5
Mary may forge a different message and claim that it came from John. Mary would simply have to create a message and append an authentication code using the key that John and Mary share. John can deny sending the message. Because it is possible for Mary to forge a message, there is no way to prove that John did in fact send the message. Possible Disputes Using MACs 5
6
Simplified Depiction of Essential Elements of Digital Signature Process 6
7
The digital signature is analogous to the handwritten signature. It must have the following properties: ▫It must be able to verify the author and the date and time of the signature ▫It must be able to authenticate the contents at the time of the signature ▫The signature must be verifiable by third parties, to resolve dispute 7 Properties
8
The signature must be a bit pattern that depends on the message being signed The signature must use some information unique to the sender, to prevent both forgery and denial It must be relatively easy to produce the digital signature It must be relatively easy to recognize and verify the digital signature 8 Requirements (1/2)
9
It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message It must be practical to retain a copy of the digital signature in storage 9 Requirements (2/2)
10
10 Digital Signature Concept SignerReceiver Signer’s Private Key Signed Document Signer’s Public Key Verify the signature
11
11 Dispute Concept SenderReceiver Dispute Signer ’ s Digital Signature Third Party Verify & Judge
12
12 RSA Digital Signature Signer Receiver Signer’s private key: d Signed Document Signer’s public key : (e,n) Verify h(M) ?= Sig e mod n =( h(M) d ) e mod n Sig=h(M) d mod n
13
The National Institute of Standards and Technology (NIST) has published Federal Information Processing Standard FIPS PUB 186, known as the Digital Signature Standard (DSS). The DSS makes use of the Secure Hash Algorithm (SHA) The DSS was originally proposed in 1991 and revised in 1993 in response to public feedback concerning the security of the scheme 13 Digital Signature Standard (DSS)
14
The DSS uses an algorithm that is designed to provide only the digital signature function Unlike RSA, it cannot be used for encryption or key exchange 14 DSS Concept (1/2)
15
15 DSS Concept (2/2)
16
Discrete Logarithms (page 228-233) ▫Consider the equation y = g x mod p Given g,x,and p, it is straightforward matter to calculate y Given y, g, and p, it is, in general, very difficult to calculate x Computational complexity e ((ln p) 1/3 ln(ln p)) 2/3 16 DSS Algorithm
17
Setup ▫p large prime: bit length of between 512 and 1024 bits in increments of 64 bits 2 L-1 < p < 2 L and 512 <= L <= 1024 ▫q prime divisor of (p-1) and 2 159 < q < 2 160 , i.e., the length is 160 bits ▫g = h (p-1)/q mod p, where 1<h < p-1 , h is an integer ( I.e., g q = 1 mod p ) 17 DSS Algorithm
18
Sign ▫User A’s private key: x: random 0 < x <q ▫User A’s public key: y = g x mod p ▫Signing Randomly select k, 0<k<q calculate r = (g k mod p) mod q calculate s = [k -1 (H(M) + xr)] mod q Signature = (r,s) 18 DSS Algorithm
19
Sign 19 DSS Algorithm
20
Verify ▫Verifying (r’, s’) & (M’) Calculate w = (s’) -1 mod q Calculate u 1 = [H(M’)w] mod q Calculate u 2 = (r’)w mod q Calculate v = [(g u 1 y u 2 ) mod p] mod q Verify v = r’ (?). If yes, (r’, s’) is a valid signature on the message M’ 20 DSS Algorithm
21
Verify 21 DSS Algorithm
22
DSS cannot be used for encryption or key distribution DSS was developed by the NSA, and there may be a trapdoor in the algorithm DSS is slower than RSA RSA is the ISO 9796, the international digital signature standard 22 Criticisms of DSS (1/2)
23
The DSS selection process was not public; sufficient time for analysis has not been provided DSS may infringe on other pattern The key size is too small 23 Criticisms of DSS (2/2)
24
ElGamal Digital Signatures In 1984, T. Elgamal announced a public-key scheme based on discrete logarithms, closely related to the Diffie-Hellman technique. ▫Use private key for encryption (signing) ▫Uses public key for decryption (verification) The security of ElGamal is based on the difficulty of computing discrete logarithms Each user (eg. A) generates their key ▫chooses a secret key (number): 1 < x A < q-1 ▫compute their public key: y A = a x A mod q
25
ElGamal Digital Signature Alice signs a message M to Bob by computing ▫hash m = H(M), 0 <= m <= (q-1) ▫Chose random integer K with 1 <= K <= (q-1) and gcd(K,q-1)=1 ▫Compute temporary key: S 1 = a k mod q ▫Compute K -1 the inverse of K mod (q-1) ▫Compute the value: S 2 = K -1 (m-x A S 1 ) mod (q-1) ▫Signature is: (S 1,S 2 ) Any user B can verify the signature by computing ▫ V 1 = a m mod q ▫ V 2 = y A S 1 S 1 S 2 mod q ▫ signature is valid if V 1 = V 2
26
ElGamal Signature Example Use field GF(19) q=19 and a=10 Alice computes her key: ▫A chooses x A =16 & computes y A =10 16 mod 19 = 4 Alice signs message with hash m=14 as (3,4) : ▫Choosing random K=5 which has gcd(18,5)=1 ▫Computing S 1 = 10 5 mod 19 = 3 ▫Finding K -1 mod (q-1) = 5 -1 mod 18 = 11 ▫Computing S 2 = 11(14-16.3) mod 18 = 4 any user B can verify the signature by computing ▫ V 1 = 10 14 mod 19 = 16 ▫ V 2 = 4 3.3 4 = 5184 = 16 mod 19 ▫ since 16 = 16 signature is valid
27
Schnorr Digital Signatures Also uses exponentiation in a finite (Galois) ▫Security based on discrete logarithms, as in D-H Minimizes message dependent computation ▫Multiplying a 2n-bit integer with an n-bit integer Main work can be done in idle time Have using a prime modulus p ▫ p–1 has a prime factor q of appropriate size ▫Typically p 1024-bit and q 160-bit numbers
28
Schnorr Key Setup Choose suitable primes p, q Choose a such that a q = 1 mod p (a,p,q) are global parameters for all Each user (eg. A) generates a key ▫Chooses a secret key (number): 0 < s A < q ▫Compute their public key: v A = a -s A mod q
29
Schnorr Signature User signs message by ▫Choosing random r with 0<r<q and computing x = a r mod p ▫Concatenate message with x and hash result to Computing: e = H(M || x) ▫Computing: y = (r + se) mod q ▫Signature is pair (e, y) Any other user can verify the signature as follows: ▫Computing: x' = a y v e mod p ▫Verifying that: e = H(M || x’)
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.