lecture 9 overview. digital signature properties cs 450/650 lecture 9: digital signatures 2...
DESCRIPTION
Digital Signature Properties Non-Alterable: A signed document cannot be altered without invalidating the signature Non-Reusable: A signature from one document cannot be moved to another document Signatures can be validated by other users – the signer cannot reasonably claim that he/she did not sign a document bearing his/her signature CS 450/650 Lecture 9: Digital Signatures 3TRANSCRIPT
Lecture 9 Overview
Digital Signature Properties
CS 450/650 Lecture 9: Digital Signatures 2
• Unforgeable: Only the signer can produce his/her signature
• Authentic: A signature is produced only by the signer deliberately signing the document
Digital Signature Properties• Non-Alterable: A signed document cannot be
altered without invalidating the signature
• Non-Reusable: A signature from one document cannot be moved to another document
• Signatures can be validated by other users– the signer cannot reasonably claim that he/she did
not sign a document bearing his/her signature
CS 450/650 Lecture 9: Digital Signatures 3
Digital Signature Using RSA• The RSA public-key cryptosystem can be used
to create a digital signature for a message m– Asymmetric Cryptographic techniques are well
suited for creating digital signatures
• The signer must have an RSA public/private key pair– c = Me mod n– M = cd mod n
CS 450/650 Lecture 9: Digital Signatures 4
Signature Generation (Signer)
Message
SignaturePrivate Key
RedundancyFunction
Formatted Message
Encrypt
CS 450/650 Lecture 9: Digital Signatures 5
Signature Verification
Message
Signature
Public Key
Verify
Formatted Message
Decrypt
CS 450/650 Lecture 9: Digital Signatures 6
Redundancy Function• The choice of a poor redundancy function can
make RSA vulnerable to forgery
• A good redundancy function should make forging signatures much harder
CS 450/650 Lecture 9: Digital Signatures 7
Example• generate signature S– d = 53– e = 413– n = 629– m = 7– Assume that R(X) = XX
• S = R(m)e mod n – S = 7753 mod 629 = 25
CS 450/650 Lecture 9: Digital Signatures 8
Example• verify signature with message recovery– Public key (e) = 413– n = 629– S = 25
• R(m) = Se mod n – R(m) = 25413 mod 629 = 77
• The verifier then checks that R(m) is of the form XX for some message X– m = R-1(m) = 7
CS 450/650 Lecture 9: Digital Signatures 9
Forging signature (revisited)• Choose a random number between 0 and n-1
for S– S = 323
• Use the signer’s public key to decrypt S – R(m) = 323413 mod 629 = 85
• However, 85 is not a legal value for R(m)– so S = 323 is not a valid signature
CS 450/650 Lecture 9: Digital Signatures 10
Privacy • Signature provides only authenticity.• How can we provide privacy in addition?
CS 450/650 Lecture 9: Digital Signatures 11
Getting a Message Digest from a document
Hash MessageDigest
CS 450/650 Lecture 9: Digital Signatures 12
Generating Signature
MessageDigest
Signature
Encrypt using private keyEncrypt using private key
CS 450/650 Lecture 9: Digital Signatures 13
Appending Signature to document
Append
Signature
CS 450/650 Lecture 9: Digital Signatures 14
Verifying Signature
Hash
Decrypt using public keyDecrypt using public key
MessageDigest
MessageDigest
CS 450/650 Lecture 9: Digital Signatures 15
Lecture 10Key Exchange
CS 450/650
Fundamentals of Integrated Computer Security
Slides are modified from Lawrie Brown
Key Management• public-key encryption helps address key
distribution problems
• have two aspects of this:– distribution of public keys– use of public-key encryption to distribute secret
keys
CS 450/650 Lecture 10: Key Exchange 17
Distribution of Public Keys• can be considered as using one of:– public announcement– publicly available directory– public-key authority– public-key certificates
CS 450/650 Lecture 10: Key Exchange 18
Public Announcement• users distribute public keys to recipients or
broadcast to community at large– eg. append PGP keys to email messages or post to
news groups or email list• major weakness is forgery– anyone can create a key claiming to be someone
else and broadcast it– until forgery is discovered attacker can
masquerade as claimed user
CS 450/650 Lecture 10: Key Exchange 19
Publicly Available Directory• can obtain greater security by registering keys
with a public directory• directory must be trusted with properties:– contains {name, public-key} entries– participants register securely with directory– participants can replace key at any time– directory is periodically published– directory can be accessed electronically
• still vulnerable to tampering or forgeryCS 450/650 Lecture 10: Key Exchange 20
Public-Key Authority• improve security by tightening control over
distribution of keys from directory• has properties of directory• requires users to know public key for the
directory• users interact with directory to obtain any
desired public key securely• requires real-time access to directory when
keys are needed
CS 450/650 Lecture 10: Key Exchange 21
Public-Key Authority
CS 450/650 Lecture 10: Key Exchange 22
Public-Key Certificates• certificates allow key exchange without real-
time access to public-key authority• a certificate binds identity to public key – usually with other info such as period of validity,
rights of use• all contents signed by a trusted Public-Key or
Certificate Authority (CA)• can be verified by anyone who knows the
public-key authority’s public-key
CS 450/650 Lecture 10: Key Exchange 23
Public-Key Certificates
CS 450/650 Lecture 10: Key Exchange 24
Distribution of Secret Keys• use previous methods to obtain public-key• can use for secrecy or authentication• public-key algorithms are slow• usually prefer to use private-key encryption to
protect message contents• hence need a session key• have several alternatives for negotiating a
suitable session
CS 450/650 Lecture 10: Key Exchange 25
Simple Secret Key Distribution• proposed by Merkle in 1979– A generates a new temporary public key pair– A sends B the public key and the identity– B generates a session key K sends it to A encrypted
using the supplied public key– A decrypts the session key and both use
• Man in the middle attack:– an opponent can intercept and impersonate both
halves of protocol
CS 450/650 Lecture 10: Key Exchange 26
Public-Key Distribution of Secret Keys
• if have securely exchanged public-keys:
CS 450/650 Lecture 10: Key Exchange 27
Diffie-Hellman Key Exchange
Diffie-Hellman Key Exchange• public-key type scheme– proposed in 1976– note: now know that Williamson (UK CESG)
secretly proposed the concept in 1970 • A practical method for public exchange of a
secret key• Used in a number of commercial products
CS 450/650 Lecture 10: Diffie-Hellman Key Exchange 29
Diffie-Hellman Key Exchange• public-key distribution scheme – cannot be used to exchange an arbitrary message – rather it can establish a common key – known only to the two participants
• based on exponentiation in a finite field– modulo a prime or a polynomial
• security relies on the difficulty of computing discrete logarithms
CS 450/650 Lecture 10: Diffie-Hellman Key Exchange 30
Diffie-Hellman Setup• all users agree on global parameters:– large prime integer or polynomial p– g = primitive root mod p• for every integer a that has gcd(a, p) = 1, there is an
integer k such that gk ≡ a (mod p)
• each user generates their key– chooses a secret key (number): a < p – compute their public key: A = ga mod p
CS 450/650 Lecture 10: Diffie-Hellman Key Exchange 31
Diffie-Hellman Key Exchange• shared session key for users is KAB: – KAB = gab mod p
= Ab mod p (which B can compute) = Ba mod p (which A can compute)
• g can be small– 2 or 5 is common
• a, b, p should be large• attacker needs a or b to obtain the session key– must solve discrete log
CS 450/650 Lecture 10: Diffie-Hellman Key Exchange 32
Diffie-Hellman Example • users Alice & Bob who wish to swap keys– agree on prime p=353 and g=3
• select random secret keys:– A chooses a=97, B chooses b=233
• compute respective public keys:– A=397 mod 353 = 40 (Alice)– B=3233 mod 353 = 248 (Bob)
• compute shared session key as:– KAB = Ba mod 353 = 24897 = 160 (Alice)
– KAB = Ab mod 353 = 40233 = 160 (Bob)
CS 450/650 Lecture 10: Diffie-Hellman Key Exchange 33
Key Exchange Protocols• users could create random Diffie-Hellman keys
each time they communicate
• users could create a known Diffie-Hellman key and publish in a directory, then consulted and used to securely communicate with them
• both of these are vulnerable to a man-in-the-middle attack– authentication of the keys is needed
CS 450/650 Lecture 10: Diffie-Hellman Key Exchange 34