DIGITAL SIGNATURES
Fred Piper
Codes & Ciphers Ltd12 Duncan RoadRichmondSurreyTW9 2JD
Information Security GroupRoyal Holloway, University of London
Egham, SurreyTW20 0EX
Digital Signatures 2
Outline
1. Brief Introduction to Cryptography
2. Public Key Systems
3. Basic Principles of Digital Signatures
4. Public Key Algorithms
5. Signing Processes
6. Arbitrated Signatures
7. Odds and Ends
NOTE: We will not cover all the sections
Digital Signatures 3
The Essence of Security
– Recognition of those you know
– Introduction to those you don’t
know
– Written signature
– Private conversation
Digital Signatures 4
The Challenge
• Transplant these basic social mechanisms to the telecommunications and/or business environment.
Digital Signatures 5
• Sender– Am I happy that the whole world sees this ?– Am I prepared to pay to stop them ?– Am I allowed to stop them ?
• Recipient– Do I have confidence in :
– the originator– the message contents and message stream– no future repudiation.
• Network Manager– Do I allow this user on to the network ?– How do I control their privileges ?
The Security Issues
Digital Signatures 6
Cryptography is used to provide:
1. Secrecy
2. Data Integrity
3. User Verification
4. Non-Repudiation
7Digital Signatures
Cipher System
cryptogramc
EncipheringAlgorithm
DecipheringAlgorithm
Key k(E) Key k(D)
messagem
messagem
Interceptor
Digital Signatures 8
The Attacker’s Perspective
DecipheringAlgorithm
Unknown Key
k(D)
Known c Wants m
Note: k(E) is not needed unlessit helps determine k(D)
Digital Signatures 9
Two Types of Cipher System
•Conventional or Symmetric–k(D) easily obtained from k(E)
•Public or Asymmetric–Computationally infeasible to
determine k(D) from k(E)
Digital Signatures 10
• THE SECURITY OF THE SYSTEM IS DEPENDENT ON THE SECURITY OF
THE KEYS
Digital Signatures 11
Public Key Systems
• Original Concept
• For a public key system an enciphering algorithm is
agreed and each would-be receiver publishes the key
which anyone may use to send a message to him.
• Thus for a public key system to be secure it must not be
possible to deduce the message from a knowledge of the
cryptogram and the enciphering key. Once such a system
is set up, a directory of all receivers plus their enciphering
keys is published. However, the only person to know any
given receiver’s deciphering key is the receiver himself.
Digital Signatures 12
Public Key Systems
• For a public key system, encipherment must be a ‘one-way function’ which has a ‘trapdoor’. The trapdoor must be a secret known only to the receiver.
• A ‘one-way function’ is one which is easy to perform but very difficult to reverse. A ‘trapdoor’ is a trick or another function which makes it easy to reverse the function
Digital Signatures 13
Some Mathematical One-Way Functions
1. Multiplication of two large primes.
2. Exponentiation modulo n ( n = pq ).
3. x ax in GF(2n) or GF(p).
4. k Ek(m) for fixed m where Ek is encryption in a symmetric key system which is secure against known plaintext attacks.
5. x a.x where x is an n-bit binary vector and a is a fixed n-tuple of integers. Thus a.x is an integer.
Digital Signatures 14
Public Key Cryptosystems
– Enable secure communications without exchanging secret keys
– Enable 3rd party authentication ( digital signature )
– Use number theoretic techniques– Introduce a whole new set of problems– Are extremely ingenious.
Digital Signatures 15
Digital Signatures
• According to ISO, the term Digital Signature is used: ‘to indicate a particular authentication technique used to establish the origin of a message in order to settle disputes of what message (if any) was sent’.
Digital Signatures 16
Digital Signatures
A signature on a message is some data that• validates a message and verifies its origin• a receiver can keep as evidence• a third party can use to resolve disputes.
It depends on• the message• a secret parameter only
available to the sender
It should be easy to compute
(by one person only) easy to verify difficult to forge
Digital Signatures 17
Digital Signature
• Cryptographic checksum
• Identifies sender
• Provides integrity check for data
• Can be checked by third party
Digital Signatures 18
Hand-Written Signatures
• Intrinsic to signer• Same on all documents• Physically attached to message• Beware plastic cards.
Digital Signatures• Use of secret parameter• Message dependent.
Digital Signatures 19
Principle of Digital Signatures
• There is a (secret) number which:
• Only one person can use
• Is used to identify that person
• ‘Anyone’ can verify that it has been used
NB: Anyone who knows the value of a number can use that number.
Digital Signatures 20
Attacks on Digital Signature Schemes
To impersonate A, I must either
• obtain A’s private key
• substitute my public key for A’s
NB: Similar attacks if A is receiving secret
data encrypted with A’s public key
Digital Signatures 21
Obtaining a Private Key
Mathematical attacks Physical attacks
NB: It may be sufficient to obtain a device which contains the key. Knowledge of actual value is not needed.
Digital Signatures 22
Certification Authority
AIM :To guarantee the authenticity of public keys.
METHOD :The Certification Authority guarantees the authenticity by signing a certificate containing user’s identity and public key with its secret key.
REQUIREMENT :All users must have an authentic copy of the Certification Authority’s public key.
Digital Signatures 23
Certification Process
Verifies credentials
CreatesCertificate
Receives(and checks)
Certificate
Presents Public Key and
credentials
Generates Key Set
Distribution
Centre
Owner
Digital Signatures 24
How Does it Work?
• The Certificate can accompany all Fred’s messages
• The recipient must directly or indirectly:• Trust the CA• Validate the certificate
The CA certifiesthat Fred Piper’s
public key is………..
Electronicallysigned by
the CA
Digital Signatures 25
User Authentication Certificates
• Ownership of certificate does not
establish identity
• Need protocols establishing use of
corresponding secret keys
Digital Signatures 26
WARNING
• Identity Theft
• You ‘are’ your private key
• You ‘are’ the private key corresponding to the public key in your certificiate
Digital Signatures 27
Certification Authorities
• Problems/Questions
• Who generates users’ keys?
• How is identity established?
• How can certificates be cancelled?
• Any others?
Digital Signatures 28
Fundamental Requirement
Internal infrastructure to support secure technological implementation
Digital Signatures 29
Is everything OK?
Announcement in Microsoft Security Bulletin MS01-017
“VeriSign Inc recently advised Microsoft that on January 29-30 2001 it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee.”
Digital Signatures 30
RSA System
• Publish integers n and e where n = pq (p and q large primes) and e is chosen so that (e,(p-1)(q-1)) = 1.
• If message is an integer m with 0 < m < n then the cryptogram c = me (mod n).
• The primes p and q are ‘Secret’ (i.e. known only to the receiver) and the system’s security depends on the fact that knowledge of n will not enable the interceptor to work out p and q.
Digital Signatures 31
RSA System
Since (e,(p-1)(q-1)) = 1 there is an integer d such that ed = 1(mod(p-1)(q-1)).[NOTE: without knowing p and q it is ‘impossible’ to determine d.]
To decipher raise c to the power d.Then m=cd (=med) (mod n).System works because if n=pq, ak(p-1)(q-1) + 1 = a (mod n)for all a, k.
Digital Signatures 32
RSA Summary and Example
Theory Choicen = p.q 2773 = 47.59 p=47 q=59e.d 1(mod(p-1) (q-1)) 17.157 ≡ 1(mod 2668) e=17 d=157Public key is (e, n) (17,2773)Private key is (d,n) (157,2773)
Message M (0 < M < n) M = 31
NB : Knowledge of p and q is required to compute d.
Encryption using Private Key :C ≡ Me (mod n)587 ≡ 3117 (mod 2773)
Decryption using Private Key :
M ≡ Cd (mod n)
31 ≡ 587157 (mod 2773)
Digital Signatures 33
El Gamal Cipher
– Work in GF(q)
– For practical systems
• q = large prime• q = 2n
– Note: We will not define GF(2n). For a prime q arithmetic in GF(q) is arithmetic modulo q.
Digital Signatures 34
El Gamal Cipher
System wide parameters : integers g,p
NB: p is a large prime and g is a primitive element mod p.
A chooses private key x such that 1 < x < p - 1
A’s public key is y = gx mod p.
Note: x is called the discrete logarithm of y modulo p to the base g.
Digital Signatures 35
El Gamal Encryption
If B wants to send secret message m to A then
1.B obtains A’s public key y plus g and p
2.B generates random integer k.
3.B sends gk (mod p) and c = myk (mod p) to A.
A uses x to compute yk from gk and then evaluates m.
Digital Signatures 36
El Gamal Cipher
Important facts from last slide• g is special type of number
• sender needs random number generator
• cryptogram is twice as long as message
Digital Signatures 37
El Gamal - Encryption - Worked Example
Prime p = 23 Primitive element a = 11
Private key x = 6 Public key y = 116(mod 23) = 9
To encipher m = 10
Assume random value k = 3
ak = 113 mod 23 = 20
yk = 1118 mod 23 = 16
myk = 10.16 mod 23 = 22
Thus transmit (20, 22)
Digital Signatures 38
El Gamal - Worked Example
To decrypt 20, 22
yk = (ak)x = 206 = 16 mod 23
To find m: solve c = myk mod p
i.e. solve 22 = m 16 mod 23
Solution m = 10
Digital Signatures 39
Modular Exponentiation
• Both RSA and El Gamal involve computing
xa (mod N) for large x, a and N
• To speed up process need:
• Fast multiplication algorithm
• Avoid intermediate values becoming too
large
• Limit number of modular multiplications
Digital Signatures 40
How to Create a Digital Signature Using RSA
MESSAGE
HASHING FUNCTION
HASH OF MESSAGE
Sign using Private Key
SIGNATURE - SIGNED HASH OF MESSAGE
Digital Signatures 41
How to Verify a Digital Signature Using RSA
HASH OF MESSAGE
Verify theReceived Signature
Re-hash the Received Message
Verify using Public Key
Message
Hashing Function
HASH OF MESSAGE
MessageSignature
Signature
Message withAppended Signature
If hashes are equal, signature is authentic
Digital Signatures 42
Requirements for Hash Function h
(H1) condenses message M of arbitrary length into a fixed length ‘digest’ h(M)
(H2) is one-way
(H3) is collision free - it is computationally infeasible to construct messages M, M' with h(M) = h(M')
H3 implies a restriction on the size of h(M).
Digital Signatures 43
DSA
• Proposed by NIST in 1991
• Explicitly requires the use of a hash function– SHA-1
• Very different set of functional capabilities than RSA
Digital Signatures 44
DSA Set Up
• System parameters– select a 160-bit prime q– choose a 1024-bit prime p so that q | p-1
– choose g Zp* and compute a = g(p-1)/q mod p
– if a=1 repeat with different g
• User keys– select random secret key x (1 x q-1) – compute public key y = ax mod p
Digital Signatures 45
Signing with DSA
• To sign message m– hash message m to give h(m)(1 h(m) q-1)– generate random secret k(1 k q-1)– compute r = (ak mod p) mod q – compute k-1 mod q– compute s = k-1{h(m) + ar} mod q– signature on m is (r,s)
Digital Signatures 46
DSA Signature Verification
• To verify (r,s)– check that 1 r q-1 and 1 s q-1– compute w = s-1 mod q
– compute u1 = wh(m) mod q
– compute u2 = rw mod q
– accept signature if – (au1yu2 mod p) mod q = r
Digital Signatures 47
Security of DSA
• Depends on– taking discrete logarithms in GF(p) (GNFS)– the logarithm problem in the cyclic subgroup
of order q• algorithms for this take time proportional to q1/2
• we choose q 2160 and p 21024
– other concerns follow the case of El Gamal signatures
Digital Signatures 48
Performance of DSA
• Using the subgroup of order q gives good improvements over El Gamal signatures– for signature
– one (partial) exponentiation mod p, all other operations less significant
– also there are opportunities for pre-computation
– for verification– two (partial) exponentiations mod p, all other
operations less significant
Digital Signatures 49
DSA and RSA
• set a unit of time to be that required for one 1024-bit multiplication
• use e=216+1 and CRT for RSA• pre-computation with DSA not included
• also a difference in the sizes of the signatures
RSA DSA
Sign 384 240
Verify 17 480
Digital Signatures 50
Signing and Verifying
• Which is more important - signature or verification performance?– depends on the application!
• certificates: sign once but verify very often
• secure E-mail: perhaps sign and verify once
• document storage: sign once but maybe never verify
Digital Signatures 51
Digital Signatures for Short Messages
Padding /Redundancy
TextPadding /
Redundancy
Text Signature
Signature
RSA
Verify
RSAPrivateKey
PublicKey
a) Construction b) Deconstruction
SEND
Digital Signatures 52
Types of Digital Signature
1. Arbitrated SignaturesMediation by third party, the arbitrator
signing verifying resolving disputes
2. True SignaturesDirect communication between sender and receiverThird party involved only in case of dispute
Digital Signatures 53
Arbitrated Signatures
Require trusted arbitrator
• Arbitrator is involved in– Signing process– Settlement of all disputes– No one else can settle disputes – Potential bottleneck
Digital Signatures 54
Example of Arbitrated Signature Scheme (1)
Requirement: A wants to send B message
B wants assurance of contents, that A was originator and that A cannot deny either fact.
Assumption: A and B agree to trust an arbitrator (ARB) and to
accept ARB’s decision as binding.
Digital Signatures 55
Example of Arbitrated Signature Scheme (2)
Cryptographic Assumption
1. Will use symmetric Algorithm eg DES
2. Will use MACs
3. A has established a DES key KA shared with ARB
4. B has established a DES key KB shared with ARB
Digital Signatures 56
Example of Arbitrated Signature Scheme (3)
A wants to send ‘signed’ message M to BSimplified protocol
Note: B has no way of checking MACKA is correct.May be necessary to include identities in messages.
1) A ARB : M1=M || MACKA
2) ARB uses KA to check MACKA
3) ARB B : M2 = M1|| MACKB
4) B uses KB to check MACKB
Digital Signatures 57
True Signature
True Signature Requirement
• Only one person can sign but anyone can verify the signature
Public Key Requirement
• Anyone can encrypt a message but only one person can decrypt the cryptogram.
Digital Signatures 58
True Signature
It is ‘natural’ to try to adopt public
key systems to produce signature
schemes by using the secret key in
the signing process
Digital Signatures 59
Digital Signatures
Common Terminology identifies the
terms Digital Signature and True
Signature
Digital Signatures 60
The Decision Process
• Do I need Cryptography?
• Do I need Public Key Cryptography?
• Do I need PKI?
• How do I establish a PKI?
Digital Signatures 61
Often Heard
• PKI has never really taken off
• PKI is dead
• I’ve got a PKI, what do I do with it?
• Secure e-commerce needs PKI
Digital Signatures 62
Diffie Hellman Key Establishment Protocol
General Idea: Use Public System
A and B exchange public keys: PA and PB
There is a publicly known function f which has 2 numbers as input and one number as output.
A computes f (SA, PB) where SA is A’s private key
B computes f (SB, PA) where SB is B’s private key
f is chosen so that f (SA, PB) = f (SB, PA)So A and B now share a (secret) number
Digital Signatures 63
Diffie Hellman Key Establishment Protocol
For the mathematicians: Agree: Prime p primitive element a
A : chooses random rA and sends
B : chooses random rB and sends Key:
Clearly any interceptor who can find discrete logarithms can break the scheme
In this case
Note: Comparison with El Gamal
(modp)a B r
(modp)a Ar
(modp)as B A rr
BABA rrA
rB
ry a)r,f(a)r,f(a.xy)f(x,
Digital Signatures 64
D-H Man in the Middle Attack
A B
FraudsterF
AP FP
FP BP
The Fraudster has agreed keys with both A and BA and B believe they have agreed a common key
Digital Signatures 65
D-H Man-in-the-Middle Attack
A B
FraudsterF
a prA (mod ) a ( p)rF mod
a ( p)rF mod a ( p)rB mod
The Fraudster has agreed keys with both A and BA and B believe they have agreed a common key
For the mathematicians