Presentation is loading. Please wait.

Presentation is loading. Please wait.

X. Digital Signatures and Authentication Protocols We begin this chapter with an overview of digital signatures, authentication protocol and Digital Signature.

Published byBarry Nichols Modified over 8 years ago

Similar presentations

Presentation on theme: "X. Digital Signatures and Authentication Protocols We begin this chapter with an overview of digital signatures, authentication protocol and Digital Signature."— Presentation transcript:

1 X. Digital Signatures and Authentication Protocols We begin this chapter with an overview of digital signatures, authentication protocol and Digital Signature Standard(DSS)

2 2 Cryptography & Network Security: CONTENTS … 1.Digital Signatures 2. Authentication Protocols 3. Digital Signature Standard

3 3 Cryptography & Network Security: 1. Digital Signatures Requirements Analogous to the handwritten signature Properties  Must be able to verify the author and the date and time of the signature  Must be able to authenticate the contents at the time of the signature  Must be verifiable by third parties, to resolve dispute

4 4 Cryptography & Network Security: 1. Digital Signatures Requirements  Must be a bit pattern that depends on the message being signed  Must use some information unique to the sender, to prevent both forgery and denial  Must be relatively easy to produce the digital signature  Must be relatively easy to recognize and verify the digital signature

5 5 Cryptography & Network Security: 1. Digital Signatures  Must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message  Must be practical to retain a copy of the digital signature in storage

6 6 Cryptography & Network Security: 1. Digital Signatures Direct Digital Signature Involve only the communicating parties (source, destination) Assume that the destination knows the public key of the source May be formed by encrypting the entire message with the sender ’ s private key (Figure 8.1c) or by encrypting a hash code of the message with the sender ’ s private key(Figure 8.5c)

7 7 Cryptography & Network Security: 1. Digital Signatures Confidentiality can be provided by further encrypting the entire message plus signature with either the receiver ’ s public key (public-key encryption) or a shared secret key (conventional encryption)  See Figure 8.1d and 8.5d  Note that it is important to perform the signature function first and then an outer confidentiality function

8 8 Cryptography & Network Security: 1. Digital Signatures Common weakness  The validity of the scheme depends on the security of the sender ’ s private key Sender can claim that the private key was lost or stolen and that someone else forged his or her signature  Another threat is that some private key might actually be stolen from X at time T Opponent can send a message signed with X ’ s signature and stamped with a time before or equal to T

9 9 Cryptography & Network Security: 1. Digital Signatures Arbitrated Digital Signature Operation  Every signed message from a sender X to a receiver Y goes first to an arbiter A, who subjects the message and its signature to a number of tests to check its origin and content  The message is then dated and sent to Y with an indication that it has been verified to the satisfaction of the arbiter →the presence of A solves the problem faced by direct signature schemes: that X might disown the MSG

10 10 Cryptography & Network Security: 1. Digital Signatures Arbiter  All parties must have a great deal of trust that the arbitration mechanism is working properly Examples  Conventional encryption, Arbiter sees Message(Table 10.1a) Assume that the sender X and the arbiter A share a secret key K xa and that A and Y share secret key K ay Operation X transmits the message plus a signature to A. signature consists of an identifier of X plus hash value, all encrypted using K xa

11 11 Cryptography & Network Security: 1. Digital Signatures A decrypts the signature and checks the hash value to validate the message A transmits a message to Y, encrypted with K ay message includes Id x, the original message from X, and a timestamp Y can decrypt and store message and signature In case of dispute Y, who claims to have received M from X, sends the following message to A : E Kay [ID x  M  E Kxa [ID x  H(M)] A can verify message, signature by using K xa K ay

12 12 Cryptography & Network Security: 1. Digital Signatures  Conventional Encryption, Arbiter does not see Message(Table 10.1b) Table 10.1a + confidentiality Assumed that X and Y share the secret key K xy Operation X transmits an identifier, a copy of the message encrypted with K xy, and a signature to A. signature consists of the identifier plus the hash value of the encrypted message, all encrypted using K xa A decrypts the signature and checks hash value with the encrypted version of the message

13 13 Cryptography & Network Security: 1. Digital Signatures A transmits everything that it received from X, plus a timestamp, all encrypted with K ay to Y A remaining problem is that the arbiter could form an alliance with the sender to deny a signed message, or with the receiver to forge the sender ’ s signature  Public key Encryption, Arbiter does not see Message(Table 10.1c) All the problems just discussed can be resolved Operation X double encrypts a message M first with X ’ s private key, KR x and then with Y ’ s public key, KU y

14 14 Cryptography & Network Security: 1. Digital Signatures Signed message, together with X ’ s identifier, is encrypted again with KR x and, together with ID x,is sent to A A can decrypt the outer encryption to assure that the message must have come from X. then A transmits a message to Y, encrypted with KR a Advantages No information is shared among the parties before communication, preventing alliances to defraud No incorrectly dated message can be sent, even if KR x is compromised, assuming that KR a is not compromised The content of the message from X to Y is secret from A and anyone else

15 15 Cryptography & Network Security: 1. Digital Signatures  Table 10.1

16 16 Cryptography & Network Security: 2. Authentication Protocols Mutual Authentication Communicating parties can satisfy mutually about each other ’ s identity and to exchange session keys Problems with authenticated key exchange  Confidentiality : requires the prior existence of secret or public keys that can be used for encrypted message  Timeliness : replay attack

17 17 Cryptography & Network Security: 2. Authentication Protocols Examples of replay attack  Simple replay : copy a message and replay it later  Repetition that can be logged : replay a timestamped message within the valid time window  Repetition that cannot be detected : arise because the original message could have been suppressed and thus did not arrive at its destination; only replay message arrives  Backward replay without modification : this is a replay back to the message sender and is possible if conventional encryption is used

18 18 Cryptography & Network Security: 2. Authentication Protocols Approaches to coping with replay attacks  Sequence number : high overhead  Timestamps Require that clocks among the various participants be synchronized Should not be used for connection oriented A fault in the clock mechanism Variable and unpredictable nature of network delay  Challenge/response Parties use nonces Unsuitable for a connectionless type of application Overhead of a handshake before any connectionless transmission

19 19 Cryptography & Network Security: 2. Authentication Protocols Conventional encryption approaches  Needham and schroeder[NEED78] Secret key distribution using a KDC that includes authentication features step 1. A →KDC : ID A ll ID B ll N 1 2. KDC →A : E k a [K s ll ID B ll N 1 ll E K b [K s ll ID A ]] 3. A →B : E k b [K s ll ID A ] 4. B →A : E k s [N 2 ] 5. A →B : E k s [f(N 2 )]

20 20 Cryptography & Network Security: 2. Authentication Protocols Secret keys K a and k b are shared between A and the KDC and B and the KDC A securely acquires a new session key in step 2 Step 4 reflects B ’ s knowledge of Ks Step 4,5 is to prevent a replay attack. But the protocol is still vulnerable to a form of replay attack with old session key  Denning[DENN81,DENN82] Modification to the Needham/schroeder protocol Assumes that the master keys, K a and K b, are secure

21 21 Cryptography & Network Security: 2. Authentication Protocols Step 1. A →KDC : ID A ll ID B 2. KDC→ A:E k a [K s ll ID B ll T ll E K b [K s ll ID A ll T]] 3. A →B : E k b [K s ll ID A ll T] 4. B →A : E k s [N 1 ] 5. A →B : E k s [f(N 1 )] T is timestamp that assures A and B that the session key has only just been generated Because the timestamp T is encrypted using the secure master keys, an opponent, even with knowledge of an old session key, cannot succeed because a replay of step 3 will be detected by B as untimely Require reliance on clocks that are synchronized throughout the network

22 22 Cryptography & Network Security: 2. Authentication Protocols Suppress replay attack Occurs when a sender ’ s clock is ahead of the intended recipient ’ s clock Opponent can intercept a message from the sender and replay it later when the timestamp in the message becomes current at the recipient ’ s clock Counter 1. Enforce the requirement that parties regularly check their clocks against the KDC ’ s clock 2. Rely on handshaking protocols using nonces without clock synchronization

23 23 Cryptography & Network Security: 2. Authentication Protocols  [KEHN92] Respond to the concerns about suppress replay attacks and fix the problems in the Needham/schroeder protocol Step 1. A →B : ID A ll N a 2. B →KDC: ID B ll N b ll E k b [ID A ll N a ll T b ] 3. KDC →A : E ka [ID B ll N a ll K s ll T b ]ll E k b [ID A ll K s ll T b ] ll N b 4. A →B : E k b [ID A ll K s ll T b ] ll E k s [N b ]

24 24 Cryptography & Network Security: 2. Authentication Protocols Nonce is used for timeliness In step 3, KDC passes on to a a block encrypted with the secret key that B shares with the KDC(ticket, E k b [ID A ll K s ll T b ]) Ticket is used by A for subsequent authentication Protocol leaves A in possession of a key that can be used for subsequent authentication to B, avoiding the need to contact the authentication server repeatedly

25 25 Cryptography & Network Security: 2. Authentication Protocols Public-key encryption approaches  [DENN81] Step 1.A →AS : ID A ll ID B 2.AS →A : E kR as [ID A ll KU a ll T] ll E kR as [ID B ll KU b ll T] 3.A →B : E kR as [ID A ll KU a ll T] ll E kR as [ID B ll KU b ll T] ll E KU b [E KR a [K S llT]] AS provides public key certificates Session key is chosen and encrypted by A : no exposure by the AS Timestamps protect the replay attacks

26 26 Cryptography & Network Security: 2. Authentication Protocols  [WOO92a] Step 1.A →KDC : ID A ll ID B 2.KDC →A : E kR auth [ID B ll KU b ] 3.A →B : E KU b [N a ll ID A ] 4.B →KDC : ID B ll ID A ll E KU auth [N a ] 5.KDC →B : E kR auth [ID A ll KU a ] ll E KU b [E kR auth [N a ll K S ll ID B ] 6.B →A : E KU a [E kR auth [N a ll K S ll ID B ] ll N b ] 7.A →B : E k s [N b ]

27 27 Cryptography & Network Security: 2. Authentication Protocols In step 4, B asks the KDC for A ’ s public key certificate and a session key  [WOO92b] Step 1.A →KDC : ID A ll ID B 2.KDC →A : E kR auth [ID B ll KU b ] 3.A →B : E KU b [N a ll ID A ] 4.B →KDC : ID B ll ID A ll E KU auth [N a ] 5.KDC →B : E kR auth [ID A ll KU a ] ll E KU b [E kR auth [N a ll K S ll ID A ll ID B ] 6.B →A : E KU a [E kR auth [N a ll K S ll ID A ll ID B ] ll N b ] 7.A →B : E k s [N b ] Identifier A, ID A, is added to the set of items encrypted with the KDC ’ s private key in step 5, 6

28 28 Cryptography & Network Security: 2. Authentication Protocols One-Way Authentication Electronic mail  Chief benefit is not necessary for the sender and receiver to be on line at the same time  E-mail message should be encrypted and request the authentication

29 29 Cryptography & Network Security: 2. Authentication Protocols Conventional encryption approach  Step 1. A →KDC : ID A ll ID B ll N 1 2. KDC →A : E k a [K S ll ID B ll N 1 ll E k b [K S ll ID A ]] 3. A →B : E k b [K S ll ID A ] ll E k s [M]  provides A ’ s authentication and intended recipient of a message only can read it  Does not protect against replay

30 30 Cryptography & Network Security: 2. Authentication Protocols Public-key encryption approaches  Confidentiality A →B : E KU b [K S ]ll E k s [M] Message is encrypted with a on-time secret key  Authentication A →B : M ll E KR a [H(M)] This technique is open to another kind of fraud A →B : E KU b [M ll E KR a [H(M)]]

31 31 Cryptography & Network Security: 3. Digital Signature Standard NIST has published Federal Information Processing Standard FIPS PUB 186, known as the Digital Signature Standard(DSS) DSS uses of the SHA(secure hash algorithm) and presents DSA(digital signature algorithm) DSS was proposed in 1991 and revised in 1993

32 32 Cryptography & Network Security: 3. Digital Signature Standard

33 33 Cryptography & Network Security: 3. Digital Signature Standard DSS approach RSA approach  Hash code is encrypted using the sender ’ s private key to form the signature  If the calculated hash code matches by recipient matches the decrypted signature, the signature is accepted as valid DSS approach  Hash code is provided as input to a signature function with a random number k

34 34 Cryptography & Network Security: 3. Digital Signature Standard  Signature function depends on the sender ’ s private key(KR a )and global public key(KU g )  Result is a signature consisting of two components, labeled s and r  At the receiving end, the hash code of the incoming message and signature is input to a verification function  Verification function also depends on the global public key and sender ’ s public key  If the signature is valid, the output of the verification function is equal to r

35 35 Cryptography & Network Security: 3. Digital Signature Standard Digital signature algorithm DSA is based on the difficulty of computing discrete logarithms Algorithm  Global public-key components p : prime number where 2 L-1 < p <2 L for 512 ≤L ≤1024 and L a multiple of 64 q : prime divisor of (p-1), where 2 159 < q < 2 160 ; bit length of 64 bits g : = h (p-1)/q mod p, where h is any integer with 1 1

36 36 Cryptography & Network Security: 3. Digital Signature Standard  User ’ s private key x : random or pseudorandom integer with 0 < x < q  User ’ s public key y : = g x mod p  User ’ s per-message secret number k : random or pseudorandom integer with 0 < k < q  Signing r = (g k mod p) mod q s = [k -1 (H(M) + xr)] mod q Signature = (r, s)

37 37 Cryptography & Network Security: 3. Digital Signature Standard  Verifying W = (s ’ ) -1 mod q U 1 = [H(M ’ )w] mod q U 2 = (r ’ )w mod q V = [(g u1 y u2 ) mod p] mod q TEST : v = r ’ ※ M : message to be signed H(M) : hash of M using SHA-1, M ’,r ’,s ’ : received versions of M,r,s

38 38 Cryptography & Network Security: 3. Digital Signature Standard DSS signing and verifying

39 39 Cryptography & Network Security: 3. Digital Signature Standard  Test at the end is on the value r, which does not depend on the message at all  r is a function of k and the three global public key components  Receiver can recover r using the incoming message and signature, the public key of the user, and the global public key  for the difficulty of discrete logarithms, it is infeasible for an opponent to recover k from r or to recover x from s  Demanding task in signature generation is the exponential calculation g k mod p and k -1

Download ppt "X. Digital Signatures and Authentication Protocols We begin this chapter with an overview of digital signatures, authentication protocol and Digital Signature."

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13

DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13
DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 Digital Signatures Authentication.

DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 Digital Signatures Authentication.
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
Cryptography and Network Security

Cryptography and Network Security
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Computer Science&Technology School of Shandong University Instructor: Hou Mengbo Email: houmb AT sdu.edu.cn Office: Information Security Research Group.

Computer Science&Technology School of Shandong University Instructor: Hou Mengbo houmb AT sdu.edu.cn Office: Information Security Research Group.
Cryptography and Network Security

Cryptography and Network Security
Authentication & Kerberos

Authentication & Kerberos
Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings.

Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,

1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
Cryptography and Network Security (CS435) Part Eleven (Digital Signatures and Authentication Protocols)

Cryptography and Network Security (CS435) Part Eleven (Digital Signatures and Authentication Protocols)
SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.

SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Digital signatures, DSS and authentication protocols

Digital signatures, DSS and authentication protocols
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden
1 Information System Security AABFS-Jordan Summer 2006 Digital Signature and Hashing Functions Prepared by: Maher Abu Hamdeh & Adel Hamdan Supervised by:

1 Information System Security AABFS-Jordan Summer 2006 Digital Signature and Hashing Functions Prepared by: Maher Abu Hamdeh & Adel Hamdan Supervised by:

Similar presentations

Ads by Google