Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Strengthening Digital Signatures via Randomized Hashing Shai Halevi and Hugo Krawczyk IBM Research.

Published byLeona Leonard Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Strengthening Digital Signatures via Randomized Hashing Shai Halevi and Hugo Krawczyk IBM Research."— Presentation transcript:

1 1 Strengthening Digital Signatures via Randomized Hashing Shai Halevi and Hugo Krawczyk IBM Research

2 2 Coping with Collisions Post-Wang Trauma (collision attacks):  A healthy reminder of our “ shaky foundations ” Applications threatened by collisions: mainly signatures What to do: avoid patches, build stronger hash funct ’ s  But do we know how? Our approach: “ Hope for the Best, Plan for the Worst ” BUILD APPLICATIONS ON AS WEAK AS POSSIBLE ASSUMPTIONS ON THE UNDERLYING HASH FUNCTIONS

3 3 Our Contribution We randomize the signature processing such that : Signatures remain secure even if off-line collision attacks against hash are successful Attacker needs to be able to mount a variant of the much harder “ second-preimage attack ” (on compr. f.) Off-line attacks useless: Per-signature attack (on line!)  Attack can start only when per-signature randomness revealed HASH FUNCTION AND SIGNING ALG UNCHANGED!!

4 4 Too Good To Be True? Simple message randomization scheme Provable reduction to “ second preimage resistance ” NIST: SP 800-106 !  Internet Draft is coming (see our website)

5 5 RMX: Message Randomization Scheme From SIGN( Hash( M ) ) to SIGN( Hash( RMX(r,M) )). RMX(r,M) : M=(m 1,m 2, …,m L ), r  (r, m 1  r,m 2  r, …,m L  r). In signatures: M=(m 1,m 2, …,m L ), r  H(r, m 1  r,m 2  r, …,m L  r)  SIGN, r r chosen by signer at random w/each sig Input to signing algorithm (r transmitted with sig) m i and r of block length (eg 512)

6 6 HASH SIGN r HASH SIGN RMX M =(m 1, …,m L ) (r, m 1  r,, …,m L  r( M =(m 1, …,m L ) RMX: Preserving Hash-then-Sign

7 7 Merkle- Damgard. Hash H The RMX Scheme (one-pass blockwise processing) IV h h h h ● ● ● Hash(M) m1m1 m2m2 m L-1 mLmL m1m1 mLmL r r h h h h ● ● ● H(r,M) IV r    ~ r

8 8  RMX: simple front-end to existing hash-then-sign modules  No change to hash functions or signature algorithms  Compatible with block-wise processing of M-D functions  Random generation by signer only (e.g., certificate issuing vs verifying) 128 bits of randomness (up to a block, 512) Transporting r: application-dependent (like IV in CBC); E.g., X.509: r as a parameter under AlgorithmIdentifier Implementations: certificate signing (openssl, NSS/Firefox [B&S] ) XML: next (note: RMX can be applied to multilevel signing) Documented by NIST: SP 800-106 (Internet Draft coming) Practical

9 9 Secure Substantial security increase for digital signatures  A fundamental shift in attack scenario: Off-line vs. On-line In particular: no inherent birthday, shorter outputs (truncation)  A much harder cryptanalytical task (~ SPR of compression function) Notes  Randomization never weakens: A SAFETY NET  Likely extension of useful life of hash functions, may prevent or mitigate catastrophic failure, more planning time upon weaknesses  Much like HMAC for MAC functions (btw, is HMAC good as RMX?)

10 10 Paper (Crypto ’ 06) Implementation experience Internet Draft http://www.ee.technion.ac.il/~hugo/rhash/

11 11 Note: Can the Signer Cheat? If H is CR then the signer cannot find collisions With RMX, if H is not CR, the signer (and only the signer!) may find r,r ’,M,M' s.t H(RMX(r,M))=H(RMX(r ’,M')) But this is no contradiction to non-repudiation  Signer is bound by any message with his signature (even if he shows two msgs with the same signature!)  NO contradiction to standard unforgeability definitions [GMR] Note: in RMX as long as H is CRHF then even the signer cannot find collisions (safety net!)

12 12 Note: Not any randomness… H r (M)=H(M||r): no help! needs collision resistance (same for r in the middle of msg) H r (M)=H(r||M): helps, but randomization fades on long msgs (contrast w/our scheme where r randomizes each block!) HMAC: H(r||H(r||M)) no better than previous

13 13 Randomized Hashing Implementation Java JCE Provider for java.security.Signature   No setParam for java.security.MessageDigest Apache XML Security library extensions  Signature Salt parameter passed as child of SignatureMethod  Transform Salt parameter passed as child of Transform

14 14 XML Signature Example Test Data <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"> JYoVX6Pqdc/z/1k … dS1mE6FG5IikizQEJKafg6kVChc= xE/1oRdq+7z3KDAj9qh/GY/6SWQ= fDDekndStUhk8wvfPJNe8pj0T2ZHPx4ZJ06s4kOhSvYucQCyNKUQrAdSQds … heazCYHwZC5kiGI6eO3ZSLjypfdgeXu3uXJoN/VYlWrP51NoJ5wR9NOnzAxChufT5qi0 … AQAB

15 15 Adding Support for New SignatureMethod or DigestMethod Adding new JCE Signature Provider  Add one class derived from base; specify: Underlying Signature Provider (e.g. DSA) Associated MessageDigest block size (e.g. SHA1 = 20 bytes, MD5 = 16 bytes, etc.) Adding new Transform  Add one class derived from base; specify: Underlying MessageDigest Provider

Download ppt "1 Strengthening Digital Signatures via Randomized Hashing Shai Halevi and Hugo Krawczyk IBM Research."

Similar presentations

Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Cryptographic Hash Functions Rocky K. C. Chang, February 2013 1.

Cryptographic Hash Functions Rocky K. C. Chang, February
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.

PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Hashes and Message Digest Hash is also called message digest One-way function: d=h(m) but no h’(d)=m –Cannot find the message given a digest Cannot find.

Hashes and Message Digest Hash is also called message digest One-way function: d=h(m) but no h’(d)=m –Cannot find the message given a digest Cannot find.
Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 19 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 19 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Cryptography and Network Security Hash Algorithms.

Cryptography and Network Security Hash Algorithms.
By: Matthew Ng. SHA stands for Secure Hash Algorithm It is based off the Merkle-Dangard hash function There are 3 versions of it with one coming in 2012.

By: Matthew Ng. SHA stands for Secure Hash Algorithm It is based off the Merkle-Dangard hash function There are 3 versions of it with one coming in 2012.
Cryptography and Network Security (CS435) Part Ten (Hash and MAC algorithms)

Cryptography and Network Security (CS435) Part Ten (Hash and MAC algorithms)
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Similar presentations

Ads by Google