DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS

- Chapter 13

• Digital Signatures

• Authentication Protocols

• Digital Signature Standard

AUTHENTICATION vs SIGNATURE

Authentication auth

A B protects against{C}

Signature sign

A B protects against{A,C}

SIGNATURE CHARACTERISTICS

Author Verifiable

Date Authenticate by

Time Contents Third

Party

SIGNATURE TYPES

• Direct X Y

weakness: security of private key

• Arbitrated + date

X A Y

ARBITRATED DIGITALSIGNATURE TECHNIQUES

T able 13.1 Arbitrated Digital S ignature T echniques

(a) Conventional Encryption, A rb ite r Sees Mes s age

(1) X ® A:

 

M || E K xaID X || H M( )[ ]

(2) A ® Y:

 

E K ayID X M E K xa

ID X H M( )[ ] T[ ](b) Conventional Encryption, A rb ite r Does Not See Mes s age

(1) X ® A:

 

ID X || E K xyM[ ] || E K xa

ID X || H E K xyM[ ]( )[ ]

(2) A ® Y:

 

E K ayID X E K xy

M[ ] E K xaID X H E K xy

M[ ]( )[ ] Té ë ê

ù û ú

(c) Public-Key Encryption, Arb ite r Does Not See Mes s age

(1) X ® A:

 

ID X || E KR xID X || E KU y

E K R xM[ ]( )[ ]

(2) A ® Y:

 

E K R aID X || E KU y

E KR xM[ ][ ] || T[ ]

N otation:X = s ender M = m es s ageY = recipient T = tim es tam pA = Arbiter

Table 13.1: Scheme (a) Arbiter Sees Message

Conventional Encryption:

After X A Y

Dispute between X and Y

Y A: EKay[IDx||M||EKax

[IDx||H(M)]]

Table 13.1: Scheme (b)Arbiter Does Not See Message

Conventional Encryption:

Arbiter : neither can read message Eavesdropper

Table 13.1: Scheme (c)Arbiter Does Not See Message

Public-Key (double) Encryption:

advantages:

1. No information shared before communication

2. if KRx compromised

date is still correct

3. message secret from Arbiter and Eavesdropper

REPLAY ATTACKSSimple Replay: X m E m Logged Replay: X m||T0 t E m||T0 (< T0 later) i mUndetected Replay:X m e E m

Backward Replay: X m X m E

TIMESTAMP

m||T X Y

synchronized clocks

CHALLENGE/RESPONSE

Use NONCE:

N

X Y

m||N

X Y

handshake required

ATTACK ON Fig 7.9

Eavesdropper gets Old Ks:

• Replay Step 3• Intercept Step 4• Impersonate Step 5• Bogus Messages Y

(1) R equest || N 1

K ey distributionsteps

A uthenticationsteps

F igur e 7.9 K ey D istr ibution Scenar io

I nitiatorA

R esponderB

K eyD istr ibution

C enter (K D C )

(2) E K a[K s || Request || N 1] || E K b(K s, ID A )]

(4) E K s[N 2]

(5) E K s[f(N 2)]

(3) E K b[K s || ID A ]

SOLUTION: TIMESTAMP

1. A IDA||IDB KDC

2. KDC EKA[ KS||IDB||T||EKB

[KS||IDA||T] ] A

3. A EKB[KS||IDA||T] B

4. B EKS[N1] A

5. A EKS[f(N1)] B

(1) R equest || N 1

K ey distributionsteps

A uthenticationsteps

F igur e 7.9 K ey D istr ibution Scenar io

I nitiatorA

R esponderB

K eyD istr ibution

C enter (K D C )

(2) E K a[K s || R equest || N 1] || E K b(K s, ID A )]

(4) E K s[N 2]

(5) E K s[f(N 2)]

(3) E K b[K s || ID A ]

CLOCK ATTACKS

To counteract: Suppress – Replay attacks: 1. Check clocks regularly use KDC clock

2. Handshaking via Nonce

AN IMPROVED PROTOCOL over Fig 7.9

To counteract suppress-replay attacks:• A IDA|| NA B• B IDB||NB||EKB[IDA||NA||TB] KDC• KDC EKA

[IDB||NA||KS||TB]||EKB[IDA||KS||TB]||NB

A4. A EKB

[IDA||KS||TB]||EKS[NB] B

No clock synch. TB only checked by B

AUTHENTICATION SERVER

- no secret key distribution (public key)

• A IDA||IDB AS

• AS EKRAS[IDA||KUA||T]||EKRAS

[IDB||KUB||T] A

3. A EKRAS[IDA||KUA||T]||EKRAS

[IDB||KUB||T]||EKUB[EKRA

[KS||

T]]

B

Problem: Clock Synch.

ALTERNATIVE NONCE PROTOCOL

1. A IDA||IDB KDC

2. KDC EKRauth[IDB||KUB] A

3. A EKUB[NA||IDA] B

4. B IDB||IDA||EKUauth[NA] KDC

5. KDC EKRauth[IDA||KUA]||EKUB

[EKRauth[NA||KS||IDA||IDB]]

B

6. B EKUA[EKRauth

[NA||KS||IDA||IDB]||NB] A

7. A EKS[NB] B

ONE-WAY AUTHENTICATION

(e.g. email)

• Encrypt Message

• Authenticate Sender

SYMMETRIC-KEY (one-way auth.)

1. A IDA||IDB||N1 KDC

2. KDC EKA[KS||IDB||N1||EKB

[KS||IDA]] A

3. A EKB[KS,IDA]||EKS

[M] B

PUBLIC-KEY (one-way auth.)

Use Figs 11.1b,c, and d

or

A EKUB[KS]||EKS

[M] B

or

A M||EKRA[H(M)] B

PUBLIC-KEY (one-way auth.)

Send A’s public key to B

A M||EKRA[H(M)]||EKRAS

[T||IDA||KUA] B

DSS : USES SHA-1

Signature YES

Encryption NO

Key-Exchange NO

DSS : USES SHA-1

F igur e 13.1 T w o A ppr oaches to D igital Signatur es

M

H

| |

K R a

(a) R SA A ppr oach

M

E KR a[ H (M ) ]E D

H

CompareK U a

M

H

| |

K R aK U G

M

Sig V er

H

C ompare

k

sr

K U aK U G

(b) DSS A ppr oach

DISCRETE LOG

p,q,g – global public keysx - user private keyy - user public keyk - user per-message secret number

r = (gk mod p) mod qs = [k-1(H(M) + xr)] mod qSignature = (r,s) precompute gk mod p, k-1 mod q

VERIFYw = (s’)-1 mod qu1 = [H(M’)w] mod qu2 = (r’)w mod qv = [(gu1.yu2) mod p] mod q where y = gx mod p

v = r’ ?

y = gx is one-way: x y YES y x NO

DIGITAL SIGNATURE ALGORITHM

Global Public Key C omponents

p prime number where 2 LÐ1 < p < 2 L

for 512 ! L ! 1024 and L a multiple of 64i.e., bit length of between 512 and 1024 bits inincrements of 64 bits

q p rime divisor of ( p Ð 1), where 2 1 59 < q < 2 1 60

i.e., bit length of 160 bits

g = h(pÐ 1)/q mod pwhere h is any integer with 1 < h < (p Ð 1)such that h(pÐ 1)/q mod p > 1

User's Private Key

x random or pseudorandom integer with 0 < x < q

U ser's Public Key

y = gx mod p

U ser's P er-M essage S ecret N umber

k = random or pseudorandom integer with 0 < k < q

Signing

r = (gk mod p) mod q

s = k - 1 H M( ) + x r( )[ ] m o d q

S ignature = ( r , s)

Verifying

w = (sÐ')Ð 1 mod q

u1 = H ¢ M ( )w[ ] m o d q

u2 = (r') w mod q

v =

g u1y u2( ) m o d p[ ] m o d q

TEST: v = r '

M = message to be signedH( M ) = hash of M using S H A-1M ', r ', s' = received versions of M , r , s

Figure 13.2 T he Digital S ignature Algorithm (DSS)

DSS SIGNING AND VERIFYING

MH

f2

p q g

f1

x qk

r

s

(a) Signing

M '

s'

r '

H

f3

y q g

f4

q

C ompar e

(b) V er ifying

F igur e 13.3 D SS Signing and V er ifying

s = f 1(H(M ), k, x, r , q) = (k -1 (H(M ) + xr)) mod q

r = f 2(k, p, q, g) = (g k mod p) mod q

= ((g (H (M ')w ) mod q yr'w mod q ) mod p) mod q

w = f 3(s', q) = (s') -1 mod q

v = f 4(y, q, g, H (M '), w , r')

v