
Rennes, 15/10/2014

Cristina Onete

Message authenticity: Digital Signatures

Cristina Onete || 15/10/2014 || 2

Why sign?

Amélie Baptiste

• Baptiste is waiting for a message from Amélie

Message authenticity

• How can he make sure it’s really from her?

Why Sign

More importantly: Telling good content from bad

[Figure: Baptiste receives updates and virus definitions, but also malware, trojans and viruses]

• Updates vs. malware and trojans

• Message should be sent by authorized party


Principle of signatures

Amélie Baptiste

A

• Amélie uses a secret key (that only she knows) to sign

• Baptiste receives message and signature

• Check signature using Amélie’s public key

OK: from Amélie

Alert: not from Amélie!

Principle of signatures

Amélie Baptiste

A

Goals of signature schemes

• Message integrity: the message has not been modified

• Message origin: the message was sent by correct party

• Non-repudiation: sender can’t deny she sent the message


Contents

The basics

• Structure

• Properties

Some signature schemes

• RSA-based signatures

• The Hash-and-sign paradigm

• The DSA algorithm

Common misconception

[Figure: Amélie and Baptiste in two settings, with key labels B and A and a secret message]

• Public-Key Encryption

• Digital Signatures

Inverse mechanisms?

Common misconception

Can we build signatures from encryption?

• Completely different functionality and goals!

Property | Encryption schemes | Signature schemes

Message integrity

Message confidentiality

Non-repudiation

Sender authentication

Using one primitive to get the other is dangerous!

Single receiver


Digital Signatures – Structure

SSchemes = (KGen, Sign, Verify)

KGen()

A

Security parameter: determines key size

Everyone

𝑝𝑘 𝑠𝑘

Vf()

𝑚

𝑚 ,𝜎 Sign()


Signature Security

Functionality – correctness:

Security: unforgeability

B KGen()∀ Sign( )

Verify( )A

A

Verify


Inverse mechanisms?

PK Encryption:

• Key Generation: $pk$, $sk$

• Encrypt: $c = Enc_{pk}(m)$

• Decrypt: $m = Dec_{sk}(c)$

Signatures:

• Key Generation: $pk$, $sk$

• Sign: $\sigma = Dec_{sk}(m)$

• Verify: $m = Enc_{pk}(\sigma)$?

Exercise: Find a forgery () given only (no signatures)


Exercise: You are answered two signature queries for any two messages you want. Forge a signature for any

Suppose: for any


Attacks against Signatures

The more the attacker knows, the harder it is to get security

Security depends on what the attacker knows

Random-message attack:

• Lots of users all around

• Their messages are “random”

• Adv. gets (m, signature) pairs

• Forge signature on new message!


Known-message attack:

• Lots of users all around

• Knows messages in advance, before receiving any signature

• Adv. gets (m, signature) pairs

• Forge signature on new message!

Hi, how are you?

I’m fine, thanks. How are you?

I’m very well, thank you


Chosen-message attack:

• Lots of users all around

• Can choose messages that will be signed

• Adv. gets (m, signature) pairs

• Forge signature on new message!

$m_1, \dots, m_n$


Attacks against Signatures

Power of the attacker, by attack model:

• Unf-RMA: weak

• Unf-KMA: not strong / not weak

• Unf-CMA: strong


Choosing a Correct Model

Exercise 1:

• The adversary is monitoring messages from Amélie’s phone

• Amélie conducts a signed sms-conversation with Baptiste

• Is it ok if the signature protocol resists Random msg. attacks?

• Is it ok if the signature protocol resists Known msg. attacks?


Choosing a Correct Model

Exercise 2:

• The adversary targets a certification authority

• He can send different parameters to certify

• Is it ok if the signature protocol resists Random msg. attacks?

• Is it ok if the signature protocol resists Known msg. attacks?

• Is it ok if the signature protocol resists Chosen msg. attacks?


Textbook RSA and Signatures

Textbook RSA signatures

KGen(): public key $(N, e)$, known to everyone; secret key $d$

Sign: $\sigma = m^d \bmod N$, send $(m, \sigma)$

Verify: $m = \sigma^e \bmod N$?


Textbook RSA: Sign/Encrypt

RSA Signature:

• Key Generation: $pk = (N, e)$, $sk = d$

• Sign: $\sigma = m^d \bmod N$

• Verify: $m = \sigma^e \bmod N$?

RSA Encryption:

• Key Generation: $pk = (N, e)$, $sk = d$

• Encrypt: $c = m^e \bmod N$

• Decrypt: $m = c^d \bmod N$

Exercise: check that the two attacks we did before work on this signature scheme!


Hashed RSA

Modification: Hash before signing

$\sigma = H(m)^d \bmod N$

Verification: receive (m, )

Hash function

• Compute:

• Check:

How about those attacks?

• Exercise: Assume H(m) is not invertible. Show that our random-message attack doesn’t work


• Exercise: Assume H is hard to invert. Show that our attack, in which we were given signatures for and doesn’t work


• In fact the construction is secure if works as a really random function!
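The two textbook-RSA exercises (a forgery from the public key alone, and one built from two signature queries) and the hashed-RSA claim above can be checked on a small key. This is an added example, not part of the original slides; the toy key, the SHA-256-based stand-in for H and all function names are assumptions.

```python
import hashlib

# Constructed toy key (assumption, not from the slides): two Mersenne primes.
# Far too small for real use; it only keeps the arithmetic readable.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # secret exponent d (Python 3.8+)

def H(m: int) -> int:
    """Stand-in for H (assumption): SHA-256 of the message, reduced mod N."""
    digest = hashlib.sha256(str(m).encode()).digest()
    return int.from_bytes(digest, "big") % N

def sign_textbook(m: int) -> int:
    return pow(m, D, N)                 # sigma = m^d mod N

def verify_textbook(m: int, sig: int) -> bool:
    return pow(sig, E, N) == m % N      # m = sigma^e mod N ?

def sign_hashed(m: int) -> int:
    return pow(H(m), D, N)              # sigma = H(m)^d mod N

def verify_hashed(m: int, sig: int) -> bool:
    return pow(sig, E, N) == H(m)

def key_only_forgery(sig: int = 123456789):
    """No signing queries: fix sigma first, then derive the m it verifies for."""
    return pow(sig, E, N), sig

def two_query_forgery(sign, m1: int = 5, m2: int = 7):
    """Two signing queries: multiply the answers to get a candidate for m1*m2."""
    return (m1 * m2) % N, (sign(m1) * sign(m2)) % N

def run_checks() -> dict:
    m_a, s_a = key_only_forgery()
    m_b, s_b = two_query_forgery(sign_textbook)
    m_c, s_c = two_query_forgery(sign_hashed)
    return {
        "textbook accepts key-only forgery": verify_textbook(m_a, s_a),
        "textbook accepts two-query forgery": verify_textbook(m_b, s_b),
        "hashed accepts key-only forgery": verify_hashed(m_a, s_a),
        "hashed accepts two-query forgery": verify_hashed(m_c, s_c),
        "hashed accepts honest signature": verify_hashed(35, sign_hashed(35)),
    }

if __name__ == "__main__":
    for name, accepted in run_checks().items():
        print(f"{name}: {accepted}")
```

Both forgeries pass textbook verification, while hashed verification rejects them because the attacker would need a message whose hash equals a value it did not choose.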


Hash and Sign in general

Use the same thing in general

Signature scheme $(KGen_{Sig}, Sign, Vf)$

Hash function $(Gen_H, H)$

Key generation:

• Run and

• Signing:

$\sigma = Sign(sk, H_s(m))$

• Verifying:

Compute: Return


DSA (Digital Signature Alg.)

Faster than RSA-based signatures

With inbuilt hash evaluation

• Setup (parameters):

Choose prime of 160 bits

Choose prime of at least 512 bits such that:

$q = 11$; $p = 23$; $\frac{p-1}{q} = 2$

• Key Generation (each user):

Pick such that: . Let

$y = 5$; $g = 2 \pmod{23}$

Given: (), generate and

$sk = 3$; $pk = 8 \pmod{23}$

DSA (Digital Signature Alg.)

Parameters: $p = 23$; $q = 11$; $g = 2$; $sk = 3$; $pk = 8$

• Signing:

Start with message Hash it:

$m = 12$; $H(m) = 20$

Choose ephemeral key . Compute:

Compute:

Signature is:

• Exercise: compute signature for message m = 12


DSA (Digital Signature Alg.)

Parameters: $p = 23$; $q = 11$; $g = 2$; $sk = 3$; $pk = 8$

• Verification, given () and :

Compute hash:

$m = 12$; $\sigma = (r, s)$; $H(m) = 20$

Compute and

Accept signature iff.

• Exercise: check your signature for message m = 12
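The signing and verification exercises, worked with the toy parameters from the slides. This is an added example, not part of the original slides: the equations are those of standard DSA (the transcript does not preserve the slide's formulas), and the ephemeral key k = 7 and the function names are assumptions.

```python
# Toy parameters and values taken from the slides.
P, Q, G = 23, 11, 2          # q divides p - 1; g has order q modulo p
SK, PK = 3, 8                # pk = g^sk mod p
H_M = 20                     # the slides give H(m) = 20 for m = 12

def dsa_sign(h: int, sk: int, k: int) -> tuple:
    """Standard DSA signing on a precomputed hash h with ephemeral key k."""
    if not 0 < k < Q:
        raise ValueError("ephemeral key must satisfy 0 < k < q")
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (h + sk * r)) % Q   # modular inverse needs Python 3.8+
    if r == 0 or s == 0:
        # Degenerate signature: a real signer draws a fresh k and retries.
        raise ValueError("r or s is zero, pick another k")
    return r, s

def dsa_verify(h: int, pk: int, sig: tuple) -> bool:
    """Standard DSA verification: accept iff v equals r."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False             # range check comes before any arithmetic
    w = pow(s, -1, Q)
    u1, u2 = (h * w) % Q, (r * w) % Q
    v = (pow(G, u1, P) * pow(pk, u2, P)) % P % Q
    return v == r

K = 7  # assumption: the slides leave the ephemeral key to the reader

if __name__ == "__main__":
    sig = dsa_sign(H_M, SK, K)
    print("signature (r, s):", sig)
    print("accepted for H(m) = 20:", dsa_verify(H_M, PK, sig))
    print("accepted for a different hash:", dsa_verify(H_M + 1, PK, sig))
```

With these parameters the choice k = 3 gives s = 0, which is why the signer rejects degenerate values instead of returning them.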


Some thought:

Say you have a signature scheme

SScheme = (KGen, Sign, Vf)

Say this scheme is unforgeable against CMA

Modify the signature algorithm:

$Sign'_{sk}(m) = [Sign_{sk}(m) \,|\, m]$

Is this still unforgeable against CMA?

iff. & = 1


Some thought:

We have an arbitrary unforgeable signature scheme:

SScheme = (KGen, Sign, Vf)

And we also have any IND-CCA encryption scheme

EScheme = (KGen, Enc, Dec)

Say we want to ensure that a (confidential) message comes from a given party. Can we send:

• ?

• ?

• ?


CIDRE

Thanks!