information security and management 13. digital signatures and authentication protocols chih-hung...
TRANSCRIPT
Information Security and Management 13. Digital Signatures and Authentication Protocols
Chih-Hung WangFall 2011
1
•Dispute of message authentication▫ Message authentication protects two
parties who exchange messages from any third party. However, it does not protect the two parties against each other.
▫ Several forms of dispute between the two are possible
2
Digital Signature
▫ The following disputes could arise Receiver may forge a different message and
claim that it came from sender. Sender can deny sending the message
3
Problem of Authentication
Generic Model of Digital Signature Process
4
•Mary may forge a different message and claim that it came from John. Mary would simply have to create a message and append an authentication code using the key that John and Mary share.
•John can deny sending the message. Because it is possible for Mary to forge a message, there is no way to prove that John did in fact send the message.
Possible Disputes Using MACs
5
Simplified Depiction of Essential Elements of Digital Signature Process
6
•The digital signature is analogous to the handwritten signature. It must have the following properties:▫ It must be able to verify the author and the
date and time of the signature▫ It must be able to authenticate the
contents at the time of the signature▫ The signature must be verifiable by third
parties, to resolve dispute
7
Properties
• The signature must be a bit pattern that depends on the message being signed
• The signature must use some information unique to the sender, to prevent both forgery and denial
• It must be relatively easy to produce the digital signature
• It must be relatively easy to recognize and verify the digital signature
8
Requirements (1/2)
• It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message
• It must be practical to retain a copy of the digital signature in storage
9
Requirements (2/2)
10
Digital Signature Concept
Signer Receiver
Signer’s Private Key
Signed Document
Signer’s Public Key
Verify the signature
11
Dispute Concept
Sender ReceiverDispute
Signer’s Digital Signature
Third Party
Verify& Judge
12
RSA Digital Signature
Signer Receiver
Signer’s private key: d
Signed Document
Signer’s public key : (e,n)
Verifyh(M) ?= Sige mod n =( h(M)d)e mod n
Sig=h(M)d mod n
• The National Institute of Standards and Technology (NIST) has published Federal Information Processing Standard FIPS PUB 186, known as the Digital Signature Standard (DSS).
• The DSS makes use of the Secure Hash Algorithm (SHA)
• The DSS was originally proposed in 1991 and revised in 1993 in response to public feedback concerning the security of the scheme
13
Digital Signature Standard (DSS)
•The DSS uses an algorithm that is designed to provide only the digital signature function
•Unlike RSA, it cannot be used for encryption or key exchange
14
DSS Concept (1/2)
15
DSS Concept (2/2)
•Discrete Logarithms (page 228-233)▫ Consider the equation
y = gx mod p Given g,x,and p, it is straightforward matter
to calculate y Given y, g, and p, it is, in general, very
difficult to calculate x Computational complexity
e((ln p)1/3ln(ln p))2/3
16
DSS Algorithm
•Setup▫ p large prime: bit length of between 512
and 1024 bits in increments of 64 bits 2L-1 < p < 2L and
512 <= L <= 1024▫ q prime divisor of (p-1) and 2159 < q <
2160, i.e., the length is 160 bits▫ g = h(p-1)/q mod p, where 1<h < p-1 , h is
an integer ( I.e., gq = 1 mod p )
17
DSS Algorithm
• Sign▫ User A’s private key:
x: random 0 < x <q▫ User A’s public key:
y = gx mod p▫ Signing
Randomly select k, 0<k<q calculate r = (gk mod p) mod q calculate s = [k-1(H(M) + xr)] mod q Signature = (r,s)
18
DSS Algorithm
•Sign
19
DSS Algorithm
•Verify▫ Verifying (r’, s’) & (M’)
Calculate w = (s’)-1 mod q Calculate u1 = [H(M’)w] mod q Calculate u2 = (r’)w mod q Calculate v = [(gu1yu2) mod p] mod q Verify v = r’ (?). If yes, (r’, s’) is a valid
signature on the message M’
20
DSS Algorithm
•Verify
21
DSS Algorithm
•DSS cannot be used for encryption or key distribution
•DSS was developed by the NSA, and there may be a trapdoor in the algorithm
•DSS is slower than RSA•RSA is the ISO 9796, the international
digital signature standard
22
Criticisms of DSS (1/2)
•The DSS selection process was not public; sufficient time for analysis has not been provided
•DSS may infringe on other pattern•The key size is too small
23
Criticisms of DSS (2/2)
ElGamal Digital Signatures
•In 1984, T. Elgamal announced a public-key scheme based on discrete logarithms, closely related to the Diffie-Hellman technique. ▫Use private key for encryption (signing)▫Uses public key for decryption (verification)
•The security of ElGamal is based on the difficulty of computing discrete logarithms
•Each user (eg. A) generates their key▫chooses a secret key (number): 1 < xA < q-1
▫compute their public key: yA = axA mod q
ElGamal Digital Signature•Alice signs a message M to Bob by computing
▫hash m = H(M), 0 <= m <= (q-1)▫Chose random integer K with 1 <= K <= (q-1)
and gcd(K,q-1)=1▫Compute temporary key: S1 = a
k mod q
▫Compute K-1 the inverse of K mod (q-1)▫Compute the value: S2 = K-1(m-xAS1) mod (q-1)▫Signature is:(S1,S2)
•Any user B can verify the signature by computing▫ V1 = a
m mod q
▫ V2 = yAS1 S1
S2 mod q▫ signature is valid if V1 = V2
ElGamal Signature Example •Use field GF(19) q=19 and a=10•Alice computes her key:
▫A chooses xA=16 & computes yA=1016 mod 19 = 4
•Alice signs message with hash m=14 as (3,4):▫Choosing random K=5 which has gcd(18,5)=1▫Computing S1 = 10
5 mod 19 = 3
▫Finding K-1 mod (q-1) = 5-1 mod 18 = 11▫Computing S2 = 11(14-16.3) mod 18 = 4
•any user B can verify the signature by computing▫ V1 = 10
14 mod 19 = 16
▫ V2 = 43.34 = 5184 = 16 mod 19▫ since 16 = 16 signature is valid
Schnorr Digital Signatures•Also uses exponentiation in a finite (Galois)
▫Security based on discrete logarithms, as in D-H
•Minimizes message dependent computation▫Multiplying a 2n-bit integer with an n-bit
integer•Main work can be done in idle time•Have using a prime modulus p
▫p–1 has a prime factor q of appropriate size▫Typically p 1024-bit and q 160-bit numbers
Schnorr Key Setup
•Choose suitable primes p , q•Choose a such that a
q = 1 mod p
•(a,p,q) are global parameters for all•Each user (eg. A) generates a key
▫Chooses a secret key (number): 0 < sA < q
▫Compute their public key: vA = a-sA mod q
Schnorr Signature•User signs message by
▫Choosing random r with 0<r<q and computing x = ar mod p
▫Concatenate message with x and hash result to Computing: e = H(M || x)
▫Computing: y = (r + se) mod q ▫Signature is pair (e, y)
•Any other user can verify the signature as follows: ▫Computing: x' = ayve mod p ▫Verifying that: e = H(M || x’)