Presentation is loading. Please wait.

Presentation is loading. Please wait.

Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there.

Similar presentations


Presentation on theme: "Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there."— Presentation transcript:

1 Digital Signatures A primer 1

2 Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there is a conflict between Alice and Bob, it is hard to resolve it Non-repudiation Why not public key algorithms? Slow, computationally intensive 2

3 Public key encryption revisited What security services does it provide? Confidentiality/Privacy Authentication Integrity Non-repudiation 3 EncryptDecrypt Insecure channel AliceBob y xx ku bob kr bob

4 What happens if we use the keys of both sender and receiver? 4 Alice Bob ee KR A KU B dd KR B KU A xu y yux What security services does this provide? Can Oscar generate u? Can Bob generate u?

5 Digital Signatures Recap Message authentication provides security services of authentication and integrity It does not provide non-repudiation Digital signatures Should provide us the same functionality as regular signatures Must depend on the message “Binding” the signature to the message Must be information unique to the signer that cannot be forged 5

6 Digital Signature Anyone can “verify” the signature with the public key No one else can “generate” a signature since the private key is known only to the owner 6 AliceBob xSig(x) Sig KR A x Compare x KU A Ver Sig(x)

7 How does a signature differ from a MAC or simple encryption? A MAC is used to ensure message authentication The attack is to successfully change the message or create a false message without detection A signature is used to “sign” a digital document Goals of a successful attack Total Break Oscar can determine Alice’s private key Selective Forgery With some probability, create a forged signature for a message that Alice has not previously signed Existential Forgery Change the document but enable the signature to be verified Create a false document and signature pair such that the signature is verified 7

8 Attacks against Digital Signatures Key only attack Similar to ciphertext-only attack, but Oscar knows the public key Known message attack Similar to known plaintext attack Oscar has pairs of messages and signatures Chosen message attack Oscar can choose the messages that Alice will sign 8

9 RSA Digital Signature Setup: Public key: KU ={n, b} Private key: KR = {p, q, a} Here a  b = 1 mod  (n)  (n) = (p – 1)(q – 1) 9 Alice Bob xe KRA (x) x Compare x KU A d Sig(x) e KR A Sig(x)

10 RSA Signature Protocol Alice computes sig KRA (x) = x a mod n = u Alice sends Bob x || u Bob verifies the signature as follows: He decrypts the signature first Compute ver KUA (u) = u b mod n = x* Compare x and x* Remarks: Only Alice can sign her documents Anyone can verify it Bob is assured the message is from Alice If the message is altered, the signature will reveal this Signature provides authentication, integrity, and non- repudiation 10

11 Drawbacks Long message => long signature Solution: Hash the message before signing it Oscar can “choose” a signature and compute a plaintext from it Choose signature u Compute plaintext x = e KUA (u) = u b mod n Send x||u to Bob The message may be meaningless, but it will appear to have come from Alice RSA signature is used in the ISO/IEC 9796 standard 11

12 How Digital Signatures are generated using Hash functions 12 Alice Bob xx h Hash Or MAC e d e KR [ h(x) ] h Verify y x || e KR [ h(x) ] x k AB e kr A d ku A

13 ElGamal Signature Scheme Different from ElGamal Encryption Scheme Published in 1985 A variation of this forms the Digital Signature Standard (DSS) Not useful for encryption, but only for signatures 13

14 Setup Choose a large prime number p Choose a generator   Z p * Choose a private key KR = a  {2,3,4,…,p – 2} Compute the public key KU = b =  a mod p Keys: Public: KU ={p, , b} Private: KR = {a} 14

15 Signing with private key Choose a random number k  Z p-1 * This means k < p-1 GCD(k, p-1) = 1 Compute the signature of the message x as sig KR (x) = ( ,  ) where  =  k mod p  = (x - a  )k -1 mod (p-1) 15 Make use of private key here

16 Public Verification The verification function is: Ver KU (x, ( ,  ) ) Check if b    =  x mod p If true, the signature is valid If false, the signature is invalid 16

17 Why does it work? What is b  ? What is b? b =  a b  =  a  What is   ? Verification gives  a    x - a  =  x 17

18 Example Parameters p = 467,  = 2, a = 127 Compute b =  a mod p Alice wants to sign the plaintext message x = 108 She chooses a random quantity k = 211 Compute signature Verify signature 18

19 Security of ElGamal Signature Scheme What is an attack on signatures? Oscar can generate a fake signature Oscar can break the signing scheme to get a knowledge of the private key Oscar can choose  and then try to find  DL Problem Oscar can choose  and try to find  Generally considered infeasible Oscar can choose  and  and try to come up with a random plaintext x as with the RSA signature scheme DL Problem 19

20 Drawbacks Long message => long signature If the value of k is used repeatedly, the signature scheme becomes insecure 20

21 The Digital Signature Standard Based on the Digital Signature Algorithm (DSA) A variation of the ElGamal signature scheme See Textbook, page 294-297 Sign the hash value of a signature to keep it small The 160 bit SHA based hash value is signed with a 320 bit signature The value of p is around 2 512 to 2 1024 Published in 1993 as a NIST FIPS PUBS 186 standard 21

22 Modular Roots Definition Let m,n be natural numbers, c be an integer and gcd(c,n) = 1 Let x m = c mod n for some integer x Then x is called the m-th root of c modulo n And c is called an m-th power residue modulo n Example: x 2 = c mod n x is called a square root mod n c is called a quadratic residue mod n If the prime factors of n are known, then We can use CRT to find the m-th roots modulo n Otherwise, it is considered to be a hard problem, as hard as integer factorization for large n 22 You can also have the m-th root modulo a prime number

23 Schnorr Signature Scheme Setup Choose a large prime number p Choose a prime number q that divides p -1 Choose a number   Z p * that is the q-th root of 1 mod p What is the order of  ? Choose a private key KR = a  {2,3,4,…,q – 1} Compute the public key KU = b =  a mod p Keys: Public: KU ={p, q, , b} Private: KR = {a} Let h(.) be a secure hash function (e.g., SHA-1 or RIPE-MD) 23

24 Signing with private key Choose a random number k  Z q * This means 0 < k < q Compute the signature of the message x as sig KR (x, k) = ( ,  ) where  = h (x ||  k )  = k + a  mod q 24 Make use of private key here  is 160 bits  is log 2 q bits

25 Public Verification The verification function is: Ver KU (x, ( ,  ) ) Check if h(x || b -    ) =  If true, the signature is valid If false, the signature is invalid Why does this work? What is b -    mod p ? 25

26 Digital Signature Algorithm Setup Choose a prime number p that is L bits long where L is a multiple of 64 bits, larger than 512 bits and smaller than 1024 bits Choose a prime number q that divides p -1 and is 160 bits long Choose a number   Z p * that is the q-th root of 1 mod p What is the order of  ? Choose a private key KR = a  {2,3,4,…,q – 1} Compute the public key KU = b =  a mod p Keys: Public: KU ={p, q, , b} Private: KR = {a} Let h(.) be the secure hash algorithm (SHA-1) 26

27 Signing with private key Choose a random number k  Z q * This means 0 < k < q Compute the signature of the message x as sig KR (x, k) = ( ,  ) where  = (  k mod p) mod q  = (SHA-1(x) + a  )k -1 mod q 27 Make use of private key here  is 160 bits  is log 2 q bits They CANNOT be zero

28 Public Verification The verification function is: Ver KU (x, ( ,  ) ) Compute e 1 = SHA-1(x)  -1 mod q e 2 =   -1 mod q Check if: (  e1 b e2 mod p) mod q =  If true, the signature is valid If false, the signature is invalid Why does this work? 28

29 ECDSA ECDSA = Elliptic Curve Digital Signature Algorithm It is identical to DSA, but uses Elliptic Curves instead The notation is a little bit different, but the procedure is identical 29

30 Blind Signatures Two party protocol between Alice and Bob Alice sends Bob a piece of information Bob signs the information and sends it back to Alice Alice can now compute Bob’s signature over another message m of her choice After this is done, Bob does not know either the message m or the signature associated with it 30

31 Other signature schemes Undeniable signatures Requires the cooperation of the signer to verify the signature One-time signature A new public key is required for verification for each signature 31

32 Other References http://www.epic.org/crypto/dss/ http://www.itl.nist.gov/fipspubs/fip186.htm 32


Download ppt "Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there."

Similar presentations


Ads by Google