introduction to digital signatures
Post on 16-Nov-2014
Introduction to digital signatures
Benedictine University
MATH 390: Cryptography
2 April 2008
Robert Talbert, PhD
Associate Professor of Mathematics and Computing Science
Franklin College, Franklin, IN

Menu
• The problem of authentication
• Non-solutions to the authentication problem; the concept of the digital signature and required parameters
• Digital signatures using public-key encryption algorithms
• The Digital Signature Algorithm (DSA)
• Further applications and issues

PROBLEM: AUTHENTICATION
HOW DO WE DO THIS IF THE DOCUMENT IS DIGITAL AND NOT PAPER?

HAS THIS EMAIL BEEN SIGNED?

HOW ABOUT NOW?

A TRUE SIGNATURE:
• IS AUTHENTIC
• CANNOT BE FORGED
• CANNOT BE REUSED
• PROVES DOCUMENT HAS NOT BEEN ALTERED
• CANNOT BE REPUDIATED
GOAL: DIGITAL SIGNATURES WHICH DO THIS FOR ELECTRONIC DOCUMENTS.

Implementation
• Public-key encryption “in reverse”
• Specialized signature-only algorithms: the Digital Signature Algorithm

PUBLIC-KEY CRYPTOGRAPHY
[Diagram: Alice, encryption function, decryption function, Bob; Eve appears in the last build. Keys shown: Public (e, n), Private d.]
Plaintext: Dear Bob - The meeting will be at the embassy.
Ciphertext: Qrne Obo - Gur zrrgvat jvyy or ng gur rzonffl.
Original plaintext: Dear Bob - The meeting will be at the embassy.
• No secret key is ever exchanged
• Alice does not need her own key to use the system

KID CRYPTO
Choose positive integers A, B, a, and b.
$M = ab - 1$
$e = AM + a$
$d = BM + b$
$n = \frac{ed - 1}{M}$
Public key: (e, n)
Private key: d

TALBERT’S PUBLIC KEY: (E = 3242, N = 19723)
Message: H E L P = 07 04 11 15
Encryption: Compute y = (ex) mod n for each number.

Plaintext   Numerical   (ex) mod n = Cipher “text”
H           7           (3242 × 7) mod 19723 = 2971
E           4           12698
L           11          15939
P           15          9184

Ciphertext: 2971 12698 15939 9184
TALBERT’S PRIVATE KEY: D = 1965
Decryption: Compute z = (dy) mod n for each number.

Ciphertext   (dy) mod n   Alpha
2971         7            H
12698        4            E
15939        11           L
9184         15           P

WHY KID CRYPTO WORKS
$x$ = PLAINTEXT “CHARACTER”
$y = (ex) \bmod n$
$z = d(ex) \bmod n = (ed)x \bmod n$
$n = \frac{ed - 1}{M}$
$ed = (Mn + 1) \bmod n$
$= Mn \bmod n + 1 \bmod n$
$= 0 \bmod n + 1 \bmod n$
$= 1 \bmod n$
$z = (ed)x \bmod n$
$= x \bmod n$
$= x.$

[Diagram: BOB sends ALICE a signed message. Keys shown: PUBLIC (E, N), PRIVATE D.]
Message: I HEREBY GIVE YOU A RAISE.
Attached signature: 192 2343 9102 ...
ENCRYPT WITH THE PRIVATE KEY, ATTACH TO END OF ORIGINAL MESSAGE
DECRYPT WITH THE PUBLIC KEY, AUTHENTICATE BY COMPARING TO PLAINTEXT MESSAGE
DIGITAL SIGNATURE = MESSAGE ENCRYPTED WITH PRIVATE KEY

WHY KID CRYPTO WORKS FOR SIGNATURES
$x$ = PLAINTEXT “CHARACTER”
BOB: $s = dx \bmod n$
ALICE: $s' = edx \bmod n = x \bmod n = x.$

[Diagram: BOB and ALICE with keys PUBLIC (E, N) and PRIVATE D; a third party holds EVIL FAKE D.]
Message: I HEREBY GIVE YOU A RAISE.
Attached signature: 228 1893 189 ...
Decrypted signature: X FLBRUG YTEX BIP Q XETIA.
SIGNATURE DOES NOT MATCH MESSAGE ⇒ MESSAGE NOT AUTHENTICATED

A TRUE SIGNATURE:
• IS AUTHENTIC
• CANNOT BE FORGED
• CANNOT BE REUSED
• PROVES DOCUMENT HAS NOT BEEN ALTERED
• CANNOT BE REPUDIATED

Public-key system as signature system
• Sender encrypts the message with his private key, attaches “ciphertext” to the plaintext message.
• Recipient decrypts the ciphertext with the sender’s public key; compares to plaintext message. Equality ⇒ authentication.
• Example using RSA

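The sign-then-compare procedure above, run with the Kid crypto key from the earlier slides rather than RSA. This is an added example, not part of the original slides; the function names are hypothetical and A = 10, B = 6, a = 12, b = 27 are an assumed choice that reproduces the published key.

```python
def keygen(A, B, a, b):
    """Kid crypto: M = ab - 1, e = AM + a, d = BM + b, n = (ed - 1)/M."""
    M = a * b - 1
    e, d = A * M + a, B * M + b
    n = (e * d - 1) // M              # exact: M always divides ed - 1
    return (e, n), d

def encode(text):
    """Letters to numbers as on the slides (H=7, E=4, L=11, P=15)."""
    return [ord(c) - ord("A") for c in text]

def sign(nums, d, n):
    """Sender: 'encrypt' each number with the private key, s = dx mod n."""
    return [d * x % n for x in nums]

def verify(nums, sig, pub):
    """Recipient: 'decrypt' with the public key, compare to the plaintext."""
    e, n = pub
    return len(sig) == len(nums) and [e * s % n for s in sig] == nums

if __name__ == "__main__":
    pub, d = keygen(10, 6, 12, 27)    # assumed inputs; gives the slides' key
    msg = encode("HELP")
    sig = sign(msg, d, pub[1])
    print("key:", pub, d)
    print("genuine signature accepted:", verify(msg, sig, pub))
    print("altered message accepted:  ", verify(encode("HELD"), sig, pub))
    # Signature made with a wrong private key (the EVIL FAKE D slide)
    print("fake-key signature accepted:", verify(msg, sign(msg, d + 1, pub[1]), pub))
```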
A national standard?
1977: RSA INVENTED
1982: NIST SOLICITS CANDIDATES FOR FEDERAL DIGITAL SIGNATURE STANDARD (DSS)
1991: NIST PROPOSES DIGITAL SIGNATURE ALGORITHM (DSA) TO BE USED IN DSS
1992: PUBLIC COMMENTS ON DSA; CRITICISM FROM RSA, INC. AND CLIENT COMPANIES
1994: DSA APPROVED

$227 = 2 \times 10^2 + 2 \times 10^1 + 7 \times 10^0$
$227 = 1 \times 2^7 + 1 \times 2^6 + 1 \times 2^5 + 0 \times 2^4 + 0 \times 2^3 + 0 \times 2^2 + 1 \times 2^1 + 1 \times 2^0 = 11100011$
BINARY FORM OF 227: 11100011
227 IS AN 8-BIT INTEGER
5 = 101
1967 = 11110101111
Bit length of $N = \left\lfloor \frac{\ln N}{\ln 2} \right\rfloor + 1$
Decimal length of k-bit integer $= \lfloor (k - 1) \log_{10} 2 \rfloor + 1$

[Diagram: Alice sends Bob the message “HI, BOB. HOW’S IT GOING?” (SIGNATURE ATTACHED); Bob: AUTHENTICATED.]
STAGE 1: SYSTEM-WIDE PARAMETER GENERATION.
STAGE 2: KEY GENERATION (ALICE; ONE-TIME ONLY).
STAGE 3: SIGNING (ALICE).
STAGE 4: AUTHENTICATING (BOB).

1: SYSTEM-WIDE PARAMETERS

Name   Description
p      Prime number, bit length between 512 and 1024 and a multiple of 64.
q      160-bit prime factor of p.
α      $\alpha = h^{(p-1)/q} \bmod p$, where h is any number ≤ p-1 such that $h^{(p-1)/q}$ is > 1

2: KEY GENERATION
Alice
PRIVATE KEY: Random integer x such that 1 ≤ x ≤ q-1
PUBLIC KEY: $y = \alpha^x \bmod p$

3: SIGNING
Alice
Has: Message m; Public key y, Private key x; System parameters p, q, α
Choose random (secret) integer k with 0 < k < q.
Compute $r = (\alpha^k \bmod p) \bmod q$.
Compute $k^{-1} \bmod q$.
Compute $s = k^{-1}(H(m) + xr) \bmod q$.
SIGNATURE: $(r, s)$.

4: AUTHENTICATING
BOB
Receives: Message m; Signature (r, s)
Has: Public key y; System parameters p, q, α
Verify 0 < r, s < q. Reject if not.
Compute H(m) and $w = s^{-1} \bmod q$.
$u_1 = (w \cdot H(m)) \bmod q$
$u_2 = (rw) \bmod q$
$v = (\alpha^{u_1} y^{u_2} \bmod p) \bmod q$
IF $v = r$ ⇒ AUTHENTICATED.

$v = (\alpha^{u_1} y^{u_2} \bmod p) \bmod q$
$s = k^{-1}(H(m) + xr) \bmod q$
$s^{-1} = k(H(m) + xr)^{-1} \bmod q$
$\alpha^{u_1} = \alpha^{wH(m) \bmod q}$
$y^{u_2} = (\alpha^x)^{u_2} \bmod p = \alpha^{xrw \bmod q} \bmod p$
$\alpha^{u_1} y^{u_2} = \alpha^{wH(m)} \alpha^{xrw} \bmod p$
$= \alpha^{w(H(m) + xr) \bmod q} \bmod p$
$= \alpha^{s^{-1}(H(m) + xr) \bmod q} \bmod p$
$= \alpha^{k(H(m) + xr)^{-1}(H(m) + xr) \bmod q} \bmod p$
$= \alpha^k \bmod p$

$v = (\alpha^{u_1} y^{u_2} \bmod p) \bmod q$
$= (\alpha^k \bmod p) \bmod q$
$r = (\alpha^k \bmod p) \bmod q$
IF $v = r$ ⇒ AUTHENTICATED.
IF $v \neq r$ ⇒ NO AUTHENTICATION.

[Diagram: Alice sends Bob the message “I HEREBY GIVE YOU A RAISE.” with signature $(r, s)$.]
PUBLIC: $y = \alpha^x \bmod p$
SYSTEM: P, Q
HOW TO PRODUCE A FORGED $(r, s)$ ON A NEW MESSAGE?

FORGERY METHOD 1: RECOVER ALICE’S PRIVATE KEY FROM AVAILABLE INFORMATION.
$y = \alpha^x \bmod p$: SOLVE FOR $x$
DISCRETE LOGARITHM PROBLEM
O(√p)! Too expensive!

FORGERY METHOD 2: USE R TO RECOVER K.
$r = (\alpha^k \bmod p) \bmod q$
DISCRETE LOGARITHM PROBLEM
$s = k^{-1}(H(m) + xr) \bmod q$
$x = r^{-1}(sk - H(m)) \bmod q$
Everything on the RHS except k is public info or easy to compute... but I still have to solve DLP! Curses!

FORGERY METHOD 3: HOPE FOR LAZINESS.
Alice: I don’t feel like generating a new value for k.
$s_1 = k^{-1}(H(m_1) + xr) \bmod q$
$s_2 = k^{-1}(H(m_2) + xr) \bmod q$
$s_1 k - H(m_1) = xr \bmod q$
$s_2 k - H(m_2) = xr \bmod q$
$k(s_1 - s_2) = H(m_1) - H(m_2) \bmod q$
$k = (s_1 - s_2)^{-1}(H(m_1) - H(m_2)) \bmod q$
Gotcha!

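Stages 1 to 4 and the reused-k algebra of Forgery Method 3, worked through as an added example that is not part of the original slides. The parameters p = 607, q = 101, h = 2 and the key, nonce and digest values are toy values constructed here; SHA-256 as H and all function names are assumptions of this example.

```python
import hashlib

# Toy system-wide parameters, constructed for this example; real DSA uses the
# sizes on the slides. q is prime and divides p - 1, so alpha has order q.
P, Q = 607, 101
ALPHA = pow(2, (P - 1) // Q, P)  # alpha = h^((p-1)/q) mod p with h = 2

def H(m: bytes) -> int:
    """Digest of m as an integer mod q (SHA-256 is this example's choice)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q

def public_key(x: int) -> int:
    """Stage 2: y = alpha^x mod p for a private key 1 <= x <= q-1."""
    return pow(ALPHA, x, P)

def sign(h: int, x: int, k: int):
    """Stage 3 on a digest h = H(m). k is a parameter only so the effect of
    reusing it can be shown; a real signer draws a fresh secret k each time."""
    r = pow(ALPHA, k, P) % Q
    s = pow(k, -1, Q) * (h + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature: choose another k")
    return r, s

def verify(h: int, sig, y: int) -> bool:
    """Stage 4: range-check (r, s), then accept only if v == r."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = w * h % Q, r * w % Q
    v = pow(ALPHA, u1, P) * pow(y, u2, P) % P % Q
    return v == r

def shared_r_pairs(sigs):
    """Audit check: index pairs of signatures with the same r. At real
    parameter sizes a repeated r almost certainly means k was reused."""
    return [(i, j) for i in range(len(sigs)) for j in range(i + 1, len(sigs))
            if sigs[i][0] == sigs[j][0]]

def recover_from_reuse(h1, sig1, h2, sig2):
    """Why reuse is fatal: k = (s1-s2)^-1 (H(m1)-H(m2)) mod q, and then
    x = r^-1 (s1*k - H(m1)) mod q, exactly as derived on the slides."""
    (r, s1), (_, s2) = sig1, sig2
    k = pow((s1 - s2) % Q, -1, Q) * (h1 - h2) % Q
    x = pow(r, -1, Q) * (s1 * k - h1) % Q
    return k, x

if __name__ == "__main__":
    x, k, h1, h2 = 57, 10, 40, 77          # constructed key, nonce, digests
    y = public_key(x)
    sig1, sig2 = sign(h1, x, k), sign(h2, x, k)
    print("both verify:", verify(h1, sig1, y), verify(h2, sig2, y))
    print("pairs sharing r:", shared_r_pairs([sig1, sig2]))
    print("recovered (k, x):", recover_from_reuse(h1, sig1, h2, sig2))
```

A signer that never repeats k (fresh randomness per signature, or a k derived deterministically from the key and message) leaves nothing for `shared_r_pairs` to find.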
Further issues
• One-way hash functions and their security (SHA-1, MD5)
• Faster/less expensive algorithms for solving DLP
• Uses of secure authentication
• Electronic currency
• Electronic notarization
• Identification in social networking/blogging

Contact
Robert Talbert, PhD
Department of Mathematics and Computing
Franklin College
101 Branigin Blvd.
Franklin, IN 46131
rtalbert@franklincollege.edu