Download presentation
Presentation is loading. Please wait.
Published byLillian Perkins Modified over 9 years ago
1
Digital Signatures A primer 1
2
Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there is a conflict between Alice and Bob, it is hard to resolve it Non-repudiation Why not public key algorithms? Slow, computationally intensive 2
3
Public key encryption revisited What security services does it provide? Confidentiality/Privacy Authentication Integrity Non-repudiation 3 EncryptDecrypt Insecure channel AliceBob y xx ku bob kr bob
4
What happens if we use the keys of both sender and receiver? 4 Alice Bob ee KR A KU B dd KR B KU A xu y yux What security services does this provide? Can Oscar generate u? Can Bob generate u?
5
Digital Signatures Recap Message authentication provides security services of authentication and integrity It does not provide non-repudiation Digital signatures Should provide us the same functionality as regular signatures Must depend on the message “Binding” the signature to the message Must be information unique to the signer that cannot be forged 5
6
Digital Signature Anyone can “verify” the signature with the public key No one else can “generate” a signature since the private key is known only to the owner 6 AliceBob xSig(x) Sig KR A x Compare x KU A Ver Sig(x)
7
How does a signature differ from a MAC or simple encryption? A MAC is used to ensure message authentication The attack is to successfully change the message or create a false message without detection A signature is used to “sign” a digital document Goals of a successful attack Total Break Oscar can determine Alice’s private key Selective Forgery With some probability, create a forged signature for a message that Alice has not previously signed Existential Forgery Change the document but enable the signature to be verified Create a false document and signature pair such that the signature is verified 7
8
Attacks against Digital Signatures Key only attack Similar to ciphertext-only attack, but Oscar knows the public key Known message attack Similar to known plaintext attack Oscar has pairs of messages and signatures Chosen message attack Oscar can choose the messages that Alice will sign 8
9
RSA Digital Signature Setup: Public key: KU ={n, b} Private key: KR = {p, q, a} Here a b = 1 mod (n) (n) = (p – 1)(q – 1) 9 Alice Bob xe KRA (x) x Compare x KU A d Sig(x) e KR A Sig(x)
10
RSA Signature Protocol Alice computes sig KRA (x) = x a mod n = u Alice sends Bob x || u Bob verifies the signature as follows: He decrypts the signature first Compute ver KUA (u) = u b mod n = x* Compare x and x* Remarks: Only Alice can sign her documents Anyone can verify it Bob is assured the message is from Alice If the message is altered, the signature will reveal this Signature provides authentication, integrity, and non- repudiation 10
11
Drawbacks Long message => long signature Solution: Hash the message before signing it Oscar can “choose” a signature and compute a plaintext from it Choose signature u Compute plaintext x = e KUA (u) = u b mod n Send x||u to Bob The message may be meaningless, but it will appear to have come from Alice RSA signature is used in the ISO/IEC 9796 standard 11
12
How Digital Signatures are generated using Hash functions 12 Alice Bob xx h Hash Or MAC e d e KR [ h(x) ] h Verify y x || e KR [ h(x) ] x k AB e kr A d ku A
13
ElGamal Signature Scheme Different from ElGamal Encryption Scheme Published in 1985 A variation of this forms the Digital Signature Standard (DSS) Not useful for encryption, but only for signatures 13
14
Setup Choose a large prime number p Choose a generator Z p * Choose a private key KR = a {2,3,4,…,p – 2} Compute the public key KU = b = a mod p Keys: Public: KU ={p, , b} Private: KR = {a} 14
15
Signing with private key Choose a random number k Z p-1 * This means k < p-1 GCD(k, p-1) = 1 Compute the signature of the message x as sig KR (x) = ( , ) where = k mod p = (x - a )k -1 mod (p-1) 15 Make use of private key here
16
Public Verification The verification function is: Ver KU (x, ( , ) ) Check if b = x mod p If true, the signature is valid If false, the signature is invalid 16
17
Why does it work? What is b ? What is b? b = a b = a What is ? Verification gives a x - a = x 17
18
Example Parameters p = 467, = 2, a = 127 Compute b = a mod p Alice wants to sign the plaintext message x = 108 She chooses a random quantity k = 211 Compute signature Verify signature 18
19
Security of ElGamal Signature Scheme What is an attack on signatures? Oscar can generate a fake signature Oscar can break the signing scheme to get a knowledge of the private key Oscar can choose and then try to find DL Problem Oscar can choose and try to find Generally considered infeasible Oscar can choose and and try to come up with a random plaintext x as with the RSA signature scheme DL Problem 19
20
Drawbacks Long message => long signature If the value of k is used repeatedly, the signature scheme becomes insecure 20
21
The Digital Signature Standard Based on the Digital Signature Algorithm (DSA) A variation of the ElGamal signature scheme See Textbook, page 294-297 Sign the hash value of a signature to keep it small The 160 bit SHA based hash value is signed with a 320 bit signature The value of p is around 2 512 to 2 1024 Published in 1993 as a NIST FIPS PUBS 186 standard 21
22
Modular Roots Definition Let m,n be natural numbers, c be an integer and gcd(c,n) = 1 Let x m = c mod n for some integer x Then x is called the m-th root of c modulo n And c is called an m-th power residue modulo n Example: x 2 = c mod n x is called a square root mod n c is called a quadratic residue mod n If the prime factors of n are known, then We can use CRT to find the m-th roots modulo n Otherwise, it is considered to be a hard problem, as hard as integer factorization for large n 22 You can also have the m-th root modulo a prime number
23
Schnorr Signature Scheme Setup Choose a large prime number p Choose a prime number q that divides p -1 Choose a number Z p * that is the q-th root of 1 mod p What is the order of ? Choose a private key KR = a {2,3,4,…,q – 1} Compute the public key KU = b = a mod p Keys: Public: KU ={p, q, , b} Private: KR = {a} Let h(.) be a secure hash function (e.g., SHA-1 or RIPE-MD) 23
24
Signing with private key Choose a random number k Z q * This means 0 < k < q Compute the signature of the message x as sig KR (x, k) = ( , ) where = h (x || k ) = k + a mod q 24 Make use of private key here is 160 bits is log 2 q bits
25
Public Verification The verification function is: Ver KU (x, ( , ) ) Check if h(x || b - ) = If true, the signature is valid If false, the signature is invalid Why does this work? What is b - mod p ? 25
26
Digital Signature Algorithm Setup Choose a prime number p that is L bits long where L is a multiple of 64 bits, larger than 512 bits and smaller than 1024 bits Choose a prime number q that divides p -1 and is 160 bits long Choose a number Z p * that is the q-th root of 1 mod p What is the order of ? Choose a private key KR = a {2,3,4,…,q – 1} Compute the public key KU = b = a mod p Keys: Public: KU ={p, q, , b} Private: KR = {a} Let h(.) be the secure hash algorithm (SHA-1) 26
27
Signing with private key Choose a random number k Z q * This means 0 < k < q Compute the signature of the message x as sig KR (x, k) = ( , ) where = ( k mod p) mod q = (SHA-1(x) + a )k -1 mod q 27 Make use of private key here is 160 bits is log 2 q bits They CANNOT be zero
28
Public Verification The verification function is: Ver KU (x, ( , ) ) Compute e 1 = SHA-1(x) -1 mod q e 2 = -1 mod q Check if: ( e1 b e2 mod p) mod q = If true, the signature is valid If false, the signature is invalid Why does this work? 28
29
ECDSA ECDSA = Elliptic Curve Digital Signature Algorithm It is identical to DSA, but uses Elliptic Curves instead The notation is a little bit different, but the procedure is identical 29
30
Blind Signatures Two party protocol between Alice and Bob Alice sends Bob a piece of information Bob signs the information and sends it back to Alice Alice can now compute Bob’s signature over another message m of her choice After this is done, Bob does not know either the message m or the signature associated with it 30
31
Other signature schemes Undeniable signatures Requires the cooperation of the signer to verify the signature One-time signature A new public key is required for verification for each signature 31
32
Other References http://www.epic.org/crypto/dss/ http://www.itl.nist.gov/fipspubs/fip186.htm 32
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.