Digital Signatures: A primer

Why public key cryptography?
• With secret key algorithms
  • Number of key pairs to be generated is extremely large
  • If there is a conflict between Alice and Bob, it is hard to resolve it
  • Non-repudiation
• Why not public key algorithms?
  • Slow, computationally intensive

Public key encryption revisited
• What security services does it provide?
  • Confidentiality/Privacy
  • Authentication
  • Integrity
  • Non-repudiation
[Figure: Alice encrypts x under kubob to get y and sends y over an insecure channel; Bob decrypts y under krbob to recover x]

What happens if we use the keys of both sender and receiver?
[Figure: Alice applies e with KRA to x, giving u, then e with KUB, giving y; Bob applies d with KRB to y, giving u, then d with KUA, giving x]
What security services does this provide?
Can Oscar generate u?
Can Bob generate u?

Digital Signatures
• Recap
  • Message authentication provides security services of authentication and integrity
  • It does not provide non-repudiation
• Digital signatures
  • Should provide us the same functionality as regular signatures
  • Must depend on the message
    • “Binding” the signature to the message
  • Must be information unique to the signer that cannot be forged

Digital Signature
• Anyone can “verify” the signature with the public key
• No one else can “generate” a signature since the private key is known only to the owner
[Figure: Alice applies Sig with KRA to x and sends x with Sig(x); Bob applies Ver with KUA to Sig(x) and compares the result with x]

How does a signature differ from a MAC or simple encryption?
• A MAC is used to ensure message authentication
  • The attack is to successfully change the message or create a false message without detection
• A signature is used to “sign” a digital document
  • Goals of a successful attack
    • Total Break
      • Oscar can determine Alice’s private key
    • Selective Forgery
      • With some probability, create a forged signature for a message that Alice has not previously signed
    • Existential Forgery
      • Change the document but enable the signature to be verified
      • Create a false document and signature pair such that the signature is verified

Attacks against Digital Signatures
• Key only attack
  • Similar to ciphertext-only attack, but Oscar knows the public key
• Known message attack
  • Similar to known plaintext attack
  • Oscar has pairs of messages and signatures
• Chosen message attack
  • Oscar can choose the messages that Alice will sign

RSA Digital Signature
• Setup:
  • Public key: KU = {n, b}
  • Private key: KR = {p, q, a}
  • Here a b = 1 mod (n)
  • (n) = (p – 1)(q – 1)
[Figure: Alice applies e with KRA to x to produce Sig(x) = eKRA(x) and sends x with Sig(x); Bob applies d with KUA to Sig(x) and compares the result with x]

RSA Signature Protocol
• Alice computes sig_KRA(x) = x^a mod n = u
• Alice sends Bob x || u
• Bob verifies the signature as follows:
  • He decrypts the signature first
    • Compute ver_KUA(u) = u^b mod n = x*
  • Compare x and x*
• Remarks:
  • Only Alice can sign her documents
  • Anyone can verify it
  • Bob is assured the message is from Alice
  • If the message is altered, the signature will reveal this
  • Signature provides authentication, integrity, and non-repudiation

Drawbacks
• Long message => long signature
  • Solution: Hash the message before signing it
• Oscar can “choose” a signature and compute a plaintext from it
  • Choose signature u
  • Compute plaintext x = e_KUA(u) = u^b mod n
  • Send x||u to Bob
  • The message may be meaningless, but it will appear to have come from Alice
• RSA signature is used in the ISO/IEC 9796 standard

How Digital Signatures are generated using Hash functions
[Figure: Alice computes h(x) (hash or MAC), applies e with krA to get eKR[ h(x) ], and sends x || eKR[ h(x) ]; Bob recomputes h(x), applies d with kuA to the signature, and verifies that the two agree. The figure also shows an e/d pair under a shared key kAB with an intermediate value y.]
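The RSA drawback above and the hash-then-sign fix, side by side, as an added example that is not part of the original slides. The key is a constructed toy (two Mersenne primes), and the helper names and the SHA-256-mod-n encoding are assumptions made for illustration; the slide notation KU = {n, b}, KR = {p, q, a} is kept.

```python
import hashlib

# Constructed toy key (assumption, not from the slides): two Mersenne primes,
# far too small and too structured for real use. Names follow the slides:
# KU = {n, b}, KR = {p, q, a}.
p, q = 2**61 - 1, 2**89 - 1
n = p * q
b = 65537
a = pow(b, -1, (p - 1) * (q - 1))      # a*b = 1 mod (p-1)(q-1)

def sign_textbook(x: int) -> int:
    """u = x^a mod n, as on the RSA Signature Protocol slide."""
    return pow(x, a, n)

def verify_textbook(x: int, u: int) -> bool:
    """Bob computes x* = u^b mod n and compares it with x."""
    return 0 <= x < n and pow(u, b, n) == x

def h(msg: bytes) -> int:
    """SHA-256 reduced mod n (toy encoding; deployed RSA uses padding such as PSS)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign_hashed(msg: bytes) -> int:
    return pow(h(msg), a, n)

def verify_hashed(msg: bytes, u: int) -> bool:
    return pow(u, b, n) == h(msg)

def forged_pair(u: int) -> tuple[int, int]:
    """The slide's drawback: fix u first, then derive x = u^b mod n."""
    return pow(u, b, n), u

def demo() -> dict[str, bool]:
    x, u = forged_pair(123456789)              # needs the public key only
    x_bytes = x.to_bytes((n.bit_length() + 7) // 8, "big")
    good = sign_hashed(b"pay Bob 10")
    return {
        "textbook_honest": verify_textbook(42, sign_textbook(42)),
        "textbook_forged": verify_textbook(x, u),       # accepted
        "hashed_honest": verify_hashed(b"pay Bob 10", good),
        "hashed_forged": verify_hashed(x_bytes, u),     # rejected
        "hashed_altered": verify_hashed(b"pay Bob 99", good),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

With hashing, the verifier compares u^b mod n against h(x), so a pair built from u alone only verifies if x happens to hash to the derived value.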

ElGamal Signature Scheme
• Different from ElGamal Encryption Scheme
• Published in 1985
• A variation of this forms the Digital Signature Standard (DSS)
• Not useful for encryption, but only for signatures

Setup
• Choose a large prime number p
• Choose a generator Zp*
• Choose a private key KR = a {2,3,4,…,p – 2}
• Compute the public key KU = b = a mod p
• Keys:
  • Public: KU ={p, , b}
  • Private: KR = {a}

Signing with private key
• Choose a random number k Zp-1*
  • This means
    • k < p-1
    • GCD(k, p-1) = 1
• Compute the signature of the message x as
  sigKR(x) = (,) where
  g = k mod p
  = (x - a )k^-1 mod (p-1)
  (Make use of private key here)

Public Verification
• The verification function is:
VerKU(x, (,) )
Check if b = x mod p
If true, the signature is valid
If false, the signature is invalid

Why does it work?
• What is b ?
• What is b?
• b = a
• b = a
• What is ?
• Verification gives
  • a x - a = x

Example
• Parameters
  • p = 467, = 2, a = 127
  • Compute b = a mod p
• Alice wants to sign the plaintext message x = 108
• She chooses a random quantity k = 211
• Compute signature
• Verify signature

Security of ElGamal Signature Scheme
• What is an attack on signatures?
  • Oscar can generate a fake signature
  • Oscar can break the signing scheme to gain knowledge of the private key
• Oscar can choose and then try to find
  • DL Problem
• Oscar can choose and try to find
  • Generally considered infeasible
• Oscar can choose and and try to come up with a random plaintext x as with the RSA signature scheme
  • DL Problem

Drawbacks
• Long message => long signature
• If the value of k is used repeatedly, the signature scheme becomes insecure
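The Example slide's numbers carried through signing and verification, plus a check for the repeated-k drawback above, as an added example that is not part of the original slides. The names alpha, beta, gamma and delta are assumed (standard ElGamal notation), as are the function names and the constructed signature log.

```python
from math import gcd

# Parameters from the Example slide. alpha/beta/gamma/delta are assumed
# names (standard ElGamal notation): alpha = generator, beta = public key.
P, ALPHA, A = 467, 2, 127
BETA = pow(ALPHA, A, P)                 # beta = alpha^a mod p

def sign(x: int, k: int) -> tuple[int, int]:
    """gamma = alpha^k mod p; delta = (x - a*gamma) * k^-1 mod (p-1)."""
    if not (0 < k < P - 1 and gcd(k, P - 1) == 1):
        raise ValueError("k must be invertible mod p-1")
    gamma = pow(ALPHA, k, P)
    delta = (x - A * gamma) * pow(k, -1, P - 1) % (P - 1)
    return gamma, delta

def verify(x: int, sig: tuple[int, int]) -> bool:
    """Accept iff beta^gamma * gamma^delta = alpha^x (mod p)."""
    gamma, delta = sig
    if not (0 < gamma < P and 0 <= delta < P - 1):
        return False
    return pow(BETA, gamma, P) * pow(gamma, delta, P) % P == pow(ALPHA, x, P)

def reused_k(signatures):
    """gamma depends only on k, so a gamma seen twice under one key means k
    was repeated. Returns {gamma: [messages]} for every repeated gamma."""
    by_gamma = {}
    for x, (gamma, _delta) in signatures:
        by_gamma.setdefault(gamma, []).append(x)
    return {g: xs for g, xs in by_gamma.items() if len(xs) > 1}

if __name__ == "__main__":
    sig = sign(108, 211)                # x = 108, k = 211 from the slide
    print("beta =", BETA, "signature =", sig, "valid =", verify(108, sig))
    # Constructed log: the second entry wrongly reuses k = 211.
    log = [(108, sig), (200, sign(200, 211)), (300, sign(300, 213))]
    print("messages signed with a repeated k:", reused_k(log))
```

Auditing stored signatures for a repeated first component is a cheap way to find signers whose random number generator is repeating k.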

The Digital Signature Standard
• Based on the Digital Signature Algorithm (DSA)
  • A variation of the ElGamal signature scheme
  • See Textbook, page 294-297
• Sign the hash value of a signature to keep it small
• The 160 bit SHA based hash value is signed with a 320 bit signature
• The value of p is around 2^512 to 2^1024
• Published in 1993 as a NIST FIPS PUBS 186 standard

Modular Roots
• Definition
  • Let m,n be natural numbers, c be an integer and gcd(c,n) = 1
  • Let x^m = c mod n for some integer x
  • Then x is called the m-th root of c modulo n
  • And c is called an m-th power residue modulo n
• Example: x^2 = c mod n
  • x is called a square root mod n
  • c is called a quadratic residue mod n
• If the prime factors of n are known, then
  • We can use CRT to find the m-th roots modulo n
  • Otherwise, it is considered to be a hard problem, as hard as integer factorization for large n
(You can also have the m-th root modulo a prime number)

Schnorr Signature Scheme
• Setup
  • Choose a large prime number p
  • Choose a prime number q that divides p -1
  • Choose a number Zp* that is the q-th root of 1 mod p
    • What is the order of ?
  • Choose a private key KR = a {2,3,4,…,q – 1}
  • Compute the public key KU = b = a mod p
  • Keys:
    • Public: KU ={p, q, , b}
    • Private: KR = {a}
• Let h(.) be a secure hash function (e.g., SHA-1 or RIPE-MD)

Signing with private key
• Choose a random number k Zq*
  • This means
    • 0 < k < q
• Compute the signature of the message x as
  sigKR(x, k) = (,) where
  = h (x || k )
  = k + a mod q
  (Make use of private key here)
  (g is 160 bits; is log2 q bits)

Public Verification
• The verification function is:
  VerKU(x, (,) )
  Check if h(x || b- ) =
  If true, the signature is valid
  If false, the signature is invalid
• Why does this work?
  • What is b- mod p ?

Digital Signature Algorithm
• Setup
  • Choose a prime number p that is L bits long where L is a multiple of 64 bits, larger than 512 bits and smaller than 1024 bits
  • Choose a prime number q that divides p -1 and is 160 bits long
  • Choose a number Zp* that is the q-th root of 1 mod p
    • What is the order of ?
  • Choose a private key KR = a {2,3,4,…,q – 1}
  • Compute the public key KU = b = a mod p
  • Keys:
    • Public: KU ={p, q, , b}
    • Private: KR = {a}
• Let h(.) be the secure hash algorithm (SHA-1)

Signing with private key
• Choose a random number k Zq*
  • This means
    • 0 < k < q
• Compute the signature of the message x as
  sigKR(x, k) = (,) where
  = (k mod p) mod q
  = (SHA-1(x) + a)k^-1 mod q
  (Make use of private key here)
  (g is 160 bits; d is log2 q bits; they CANNOT be zero)

Public Verification
• The verification function is: VerKU(x, (,) )
  Compute
  e1 = SHA-1(x) -1 mod q
  e2 = -1 mod q
  Check if: (e1 be2 mod p) mod q =
  If true, the signature is valid
  If false, the signature is invalid
• Why does this work?
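DSA setup, signing and verification with the "cannot be zero" rule enforced on both sides, as an added example that is not part of the original slides. The parameters are a constructed toy (q = 101, p = 7879, private key 75), and the names alpha, beta, gamma, delta and all function names are assumptions following standard DSA notation.

```python
import hashlib
import secrets

# Constructed toy parameters (assumption, not from the slides): q = 101 is
# prime and divides p - 1 = 78 * 101. Real DSA uses a 160-bit q.
P, Q = 7879, 101
ALPHA = pow(3, (P - 1) // Q, P)         # a q-th root of 1 mod p, so order q
A = 75                                  # private key, 2 <= a <= q - 1
BETA = pow(ALPHA, A, P)                 # public key beta = alpha^a mod p

def h(x: bytes) -> int:
    """SHA-1(x) as an integer; reducing mod q here leaves delta, e1 unchanged."""
    return int.from_bytes(hashlib.sha1(x).digest(), "big") % Q

def sign_with_k(x: bytes, k: int) -> tuple[int, int]:
    """gamma = (alpha^k mod p) mod q; delta = (SHA-1(x) + a*gamma) k^-1 mod q."""
    gamma = pow(ALPHA, k, P) % Q
    delta = (h(x) + A * gamma) * pow(k, -1, Q) % Q
    return gamma, delta

def sign(x: bytes) -> tuple[int, int]:
    """Draw a fresh k with 0 < k < q; retry if either component is zero."""
    while True:
        gamma, delta = sign_with_k(x, 1 + secrets.randbelow(Q - 1))
        if gamma != 0 and delta != 0:
            return gamma, delta

def verify(x: bytes, sig: tuple[int, int]) -> bool:
    gamma, delta = sig
    if not (0 < gamma < Q and 0 < delta < Q):
        return False                    # zero or out-of-range is never valid
    w = pow(delta, -1, Q)
    e1, e2 = h(x) * w % Q, gamma * w % Q
    # alpha^e1 * beta^e2 = alpha^((SHA-1(x) + a*gamma) / delta) = alpha^k mod p
    return pow(ALPHA, e1, P) * pow(BETA, e2, P) % P % Q == gamma

if __name__ == "__main__":
    msg = b"constructed sample message"
    sig = sign(msg)
    print("signature:", sig, "valid:", verify(msg, sig))
    print("zero gamma accepted:", verify(msg, (0, sig[1])))
```

The comment in `verify` is the answer to "Why does this work?": since alpha has order q, exponents can be reduced mod q, and the two exponents combine to k.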

ECDSA
• ECDSA = Elliptic Curve Digital Signature Algorithm
• It is identical to DSA, but uses Elliptic Curves instead
• The notation is a little bit different, but the procedure is identical

Blind Signatures
• Two party protocol between Alice and Bob
  • Alice sends Bob a piece of information
  • Bob signs the information and sends it back to Alice
  • Alice can now compute Bob’s signature over another message m of her choice
  • After this is done, Bob does not know either the message m or the signature associated with it

Other signature schemes
• Undeniable signatures
  • Requires the cooperation of the signer to verify the signature
• One-time signature
  • A new public key is required for verification for each signature

Other References
• http://www.epic.org/crypto/dss/
• http://www.itl.nist.gov/fipspubs/fip186.htm