Announcements: Questions? This week: Birthday attacks, Digital signatures, DSA


Upload: priscilla-andrews

Post on 03-Jan-2016


Page 1

Announcements:

Questions?

This week: Birthday attacks, Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 30

Page 2

RSA Signatures allow you to recover the message from the signature; ElGamal signatures don’t

Sig = f(user, message)

RSA

Alice chooses:
p, q, n = pq,
e: gcd(e, (p-1)(q-1)) = 1,
d: ed ≡ 1 (mod (p-1)(q-1))

Publishes n, e

Alice’s signature:
y ≡ m^d (mod n). Delivers (m, y)

Bob’s verification:
Does m ≡ y^e (mod n)?

ElGamal

Alice chooses:
p, primitive root , secret a, and ≡ ^a (mod p)

Publishes (p, ), keeps a secret

Alice’s signature:
Chooses k: random, gcd(k, p-1) = 1
Sends m, (r, s), where:
r ≡ ^k (mod p)
s ≡ k^-1 (m – ar) (mod p-1)

Bob’s verification:
Does ^r r^s ≡ ^m (mod p)?
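The two schemes on this slide, run side by side as an added example (not code from the slides), to show that Bob gets m back from an RSA signature while an ElGamal signature can only be checked against an m he already holds. The parameters are small constructed values, and the names alpha (the primitive root) and beta (Alice's public value) are assumed here because the slide's symbols did not survive.

```python
# Added example, not from the slides. Toy-sized constructed parameters;
# no hashing or padding, exactly like the slide's textbook schemes.
from math import gcd

def rsa_keygen(p, q, e):
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible mod (p-1)(q-1)")
    return p * q, e, pow(e, -1, phi)            # (n, e, d)

def rsa_sign(m, d, n):
    return pow(m, d, n)                          # y = m^d mod n

def rsa_recover(y, e, n):
    return pow(y, e, n)                          # y^e mod n is the message itself

def elgamal_public(p, alpha, a):
    return pow(alpha, a, p)                      # beta (assumed name)

def elgamal_sign(m, p, alpha, a, k):
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be invertible mod p-1")
    r = pow(alpha, k, p)
    s = pow(k, -1, p - 1) * (m - a * r) % (p - 1)
    return r, s

def elgamal_verify(m, r, s, p, alpha, beta):
    if not 0 < r < p:                            # reject out-of-range r
        return False
    # The check needs m as an input: nothing here reconstructs it from (r, s).
    return pow(beta, r, p) * pow(r, s, p) % p == pow(alpha, m, p)

def demo():
    n, e, d = rsa_keygen(61, 53, 17)             # constructed toy key
    y = rsa_sign(65, d, n)
    recovered = rsa_recover(y, e, n)             # Bob recovers m from y alone

    p, alpha, a, k = 467, 2, 127, 213            # constructed toy key and k
    beta = elgamal_public(p, alpha, a)
    r, s = elgamal_sign(100, p, alpha, a, k)
    ok = elgamal_verify(100, r, s, p, alpha, beta)
    tampered = elgamal_verify(101, r, s, p, alpha, beta)
    return recovered, ok, tampered

if __name__ == "__main__":
    print(demo())
```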

Page 3

It’s quicker to sign a short digest than to sign a long message

Note that we need to choose n > m in RSA, p > m in ElGamal
Problem: m could be long!
But h(m) is short!

So Alice sends (m, sig(h(m)))

Eve intercepts this, wants to sign m’ with Alice’s signature, so needs sig(h(m’)) = sig(h(m)), and thus h(m) = h(m’)
Why can’t she do this?

Page 4

Birthday attacks can be successful on signatures that are too short

Slightly different paradigm: two rooms with r people each. What’s the probability that someone in this room has the same birthday as someone in the other room?

Approximation: 1 - e^(-r^2/N)
Note that we divide by N, not 2N.
But setting the probability = 0.5 and solving for r, we get r = c*sqrt(N) again (where c = sqrt(ln 2) ~ .83)

Consider a 50-bit hash. Only need 2^25 documents.
These are relatively easy to generate, actually.

Page 5

Birthday attacks on signatures

Mallory generates 2 groups of documents: r “good docs” and r “fraudulent docs”

Want a match (m1, m2) between them such that h(m1) = h(m2)
Mallory sends (m1, h(m1)) to Alice, who returns signed copy: (m1, sig(h(m1))).
Mallory replaces m1 with m2 and uses sig(h(m1)) as the signature.

The pair (m2, sig(h(m1))) looks like Alice’s valid signature!

Alice’s defense? What can she do to defend herself?

Page 6

Alice’s defense

She changes a random bit herself!
Note this changes her signature: (m1’, sig(h(m1’)))
Mallory is forced to generate another message with the same hash as this new document. Good luck!

Lessons:
Birthday attacks essentially halve the number of bits of security.
So SHA-1 is still secure against them
Make a minor change to the document you sign!
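The two-room estimate, the matching step and Alice's defense from the last three slides, as an added example (not code from the slides) run against a deliberately short digest. The documents, the 24-bit truncation of SHA-256 and all function names are constructed for the demonstration; the fixed suffix stands in for Alice's random change so the run is reproducible.

```python
# Added example, not from the slides. h() keeps only the top `bits` bits of
# SHA-256 so that a digest short enough to collide can be studied quickly.
import hashlib
import math

def h(doc: bytes, bits: int) -> int:
    return int.from_bytes(hashlib.sha256(doc).digest(), "big") >> (256 - bits)

def two_room_probability(r: int, bits: int) -> float:
    """Slide approximation 1 - e^(-r^2/N), with N = 2^bits."""
    return 1.0 - math.exp(-(r * r) / 2 ** bits)

def docs_for_even_odds(bits: int) -> int:
    """r = sqrt(ln 2) * sqrt(N): group size giving about a 50% chance."""
    return math.ceil(math.sqrt(math.log(2) * 2 ** bits))

def variants(template: bytes, r: int):
    """r rewrites of one text that read the same (here: a trailing counter)."""
    return [template + b" [rev %d]" % i for i in range(r)]

def cross_match(good, fraud, bits):
    """Return (m1, m2) with h(m1) == h(m2), m1 from good and m2 from fraud."""
    index = {h(d, bits): d for d in good}
    for d in fraud:
        m1 = index.get(h(d, bits))
        if m1 is not None:
            return m1, d
    return None

def alice_signs(m1: bytes, bits: int):
    """Alice's defense: she alters the document, then digests what she signs."""
    m1_changed = m1 + b" (amended by signer)"
    return m1_changed, h(m1_changed, bits)

def demo(bits: int = 24, r: int = 1 << 14):
    good = variants(b"Pay Mallory $10", r)
    fraud = variants(b"Pay Mallory $10,000", r)
    m1, m2 = cross_match(good, fraud, bits)
    _, signed_digest = alice_signs(m1, bits)
    # (digests matched before signing, signed digest still matches m2)
    return h(m1, bits) == h(m2, bits), signed_digest == h(m2, bits)

if __name__ == "__main__":
    print(docs_for_even_odds(50), two_room_probability(1 << 14, 24), demo())
```

With r = 2^14 documents per group against a 24-bit digest, r^2/N = 16, so a match is all but certain; the same ratio for a 160-bit digest would need about 2^82 documents per group.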

Page 7

Code-talkers?

http://xkcd.com/c257.html

As far as I can tell, Navajo doesn’t have a word for zero. Do-neh-lini means neutral.

Page 8

DSA: Digital Signature Algorithm

1994

Similar to ElGamal: signature with appendix
But verification is faster
And it’s guaranteed to be more secure

Assume m is already hashed using SHA: so we are signing a 160-bit message, m.

Page 9

DSA: Digital Signature Algorithm

Alice’s Setup:
m: 160-bit message
q: 160-bit prime
p: 512-bit prime, such that q is a factor of (p-1)
g: a primitive root of p.
≡ g^((p-1)/q) (mod p)
Then ^q ≡ 1 (mod p). (Why?)
≡ ^a. Secret a, 0 < a < q-1
Publishes: (p, q, )

Sig = (r, s)
random k, 0 < k < q-1
r ≡ ^k (mod q)
s = k^-1 (m + ar) (mod q)

Verify:
Compute u1 ≡ s^-1 m (mod q), u2 ≡ s^-1 r (mod q)
Does (^u1 ^u2 (mod p)) (mod q) = r?

q=17, p=103, g=2, =?

1-3

Page 10

DSA: Digital Signature Algorithm

q=17, p=103, g=2, =64

Advantages over ElGamal?

In ElGamal, if you could solve r = ^k (mod p) by Pohlig-Hellman, you’d have k.

In DSA, (p-1) has a large factor, q.

If you could solve the non-q factors, there would still be q possibilities for k.

How many ints (mod p) give a specific int (mod q)?

4

Page 11

DSA: Digital Signature Algorithm

q=17, p=103, g=2, =64

How hard is it to search for a 512-bit prime p = kq + 1 for some even number k?

How do we search for primes?
1/115 of odd 100-digit numbers are prime.
What fraction of odd 512-bit integers are prime?
Recall our discussion of the density of primes

Page 12

(Day 21) Using within a primality testing scheme

Finding large probable primes

#primes < x ~ x/ln(x)

Density of primes: ~1/ln(x)

For 100-digit numbers, ~1/230.

So ~1/115 of odd 100-digit numbers are prime

Can start with a random large odd number and iterate, applying M-R to remove composites. We’ll soon find one that is a likely prime.

[Flowchart: n; Odd?; div by other small primes?; Pass M-R?; Prime by Factoring/advanced techn.?; prime (yes/no branches)]
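The search asked about on the previous slide (a prime p = kq + 1 with k even) combined with this slide's filter of small-prime division followed by M-R, as an added example that is not code from the slides. Function names are assumed, and the M-R witnesses are fixed so the run is reproducible, where a real generator would draw them at random.

```python
# Added example, not from the slides.
import math

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def miller_rabin(n, bases=SMALL_PRIMES):
    """True if n survives trial division and M-R for every base given."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:              # "Odd?" and "div by other small primes?"
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:                    # n - 1 = 2^s * d with d odd
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                 # a is a witness: n is composite
    return True                          # probable prime

def odd_prime_density(x):
    """Fraction of odd numbers near x that are prime: 2/ln(x)."""
    return 2 / math.log(x)

def find_p(q, min_bits=0):
    """First prime p = k*q + 1 with k even and at least min_bits bits.
    Returns (p, k, candidates_tested)."""
    k = max(2, (1 << max(min_bits - 1, 0)) // q)
    k += k % 2                           # keep k even so p is odd
    tested = 0
    while True:
        p = k * q + 1
        if p.bit_length() >= min_bits:
            tested += 1
            if miller_rabin(p):
                return p, k, tested
        k += 2

if __name__ == "__main__":
    print(find_p(17))                              # the slides' q = 17
    print(round(1 / odd_prime_density(10 ** 100)))  # odd 100-digit numbers
    print(round(1 / odd_prime_density(2 ** 512)))   # odd 512-bit numbers
```

For q = 17 the search stops at k = 6, which is the p = 103 used in the DSA slides.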

Page 13

DSA: Digital Signature Algorithm

Alice’s Setup:
m: 160-bit message
q: 160-bit prime
p: 512-bit prime, such that q is a factor of (p-1)
g: a primitive root of p.
= g^((p-1)/q) (mod p)
Then ^q = 1 (mod p). (Why?)
= ^a. Secret a, 0 < a < q-1
Publishes: (p, q, )

Sig = (r, s)
random k, 0 < k < q-1
r = ^k (mod p)
s = k^-1 (m + ar) (mod q)

Verify:
Compute u1 = s^-1 m, u2 = s^-1 r
Does (a^u1 b^u2 (mod p)) (mod q) = r?

Show that order of ops matters:
(^k (mod p)) (mod q) ≠ (^k (mod q)) (mod p)

Easier: find (a (mod p)) (mod q) ≠ (a (mod q)) (mod p)

5
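DSA signing and verification on the slides' toy parameters q=17, p=103, g=2, as an added example (not code from the slides) that also works the order-of-operations exercise and the earlier count of integers mod p that share one residue mod q. The names ALPHA and beta, the secret a=5, the message m=10 and k=3 are assumptions chosen here; r is computed as DSA defines it, (ALPHA^k mod p) mod q, which is the quantity the verification line compares against.

```python
# Added example, not from the slides. Only q, p and g come from the slides.
Q, P, G = 17, 103, 2
ALPHA = pow(G, (P - 1) // Q, P)          # g^((p-1)/q) mod p

def dsa_public(a):
    return pow(ALPHA, a, P)              # beta (assumed name)

def dsa_sign(m, a, k):
    # k is passed in only to make the run reproducible; as the slide says,
    # it must be chosen at random for every signature.
    r = pow(ALPHA, k, P) % Q
    s = pow(k, -1, Q) * (m + a * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature: choose another k")
    return r, s

def dsa_verify(m, r, s, beta):
    if not (0 < r < Q and 0 < s < Q):    # range check before any arithmetic
        return False
    w = pow(s, -1, Q)
    u1, u2 = w * m % Q, w * r % Q
    return pow(ALPHA, u1, P) * pow(beta, u2, P) % P % Q == r

def order_of_ops(k):
    """(ALPHA^k mod p) mod q  versus  (ALPHA^k mod q) mod p."""
    x = ALPHA ** k
    return x % P % Q, x % Q % P

def preimages_mod_p(r):
    """How many integers mod p reduce to r mod q."""
    return sum(1 for x in range(P) if x % Q == r)

if __name__ == "__main__":
    beta = dsa_public(5)
    r, s = dsa_sign(10, a=5, k=3)
    print(ALPHA, pow(ALPHA, Q, P))       # 64, and ALPHA has order q
    print((r, s), dsa_verify(10, r, s, beta), dsa_verify(11, r, s, beta))
    print(order_of_ops(3), preimages_mod_p(r))
```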

Page 14

Latest versions

Recommended:
SHA-224/256/384/512 as the hash function
q of size 224 and 256 bits
p of size 2048 and 3072.

http://csrc.nist.gov/publications/drafts/fips_186-3/Draft_FIPS-186-3%20_November2008.pdf