digital signatures - unr
TRANSCRIPT
0278-6648/06/$20.00 © 2006 IEEEMARCH/APRIL 2006 5
APPLICATIONS SUCH AS banking, stocktrading, and the sale and purchase of mer-chandise are increasingly emphasizingelectronic transactions to minimize opera-tional costs and provide enhanced ser-vices. This has led to phenomenal increas-
es in the amounts of electronic documentsthat are generated, processed, and storedin computers and transmitted over net-works. This electronic information han-dled in these applications is valuable andsensitive and must be protected againsttampering by malicious third parties (whoare neither the senders nor the recipientsof the information). Sometimes, there is aneed to prevent the information or itemsrelated to it (such as date/time it was cre-ated, sent, and received) from being tam-pered with by the sender (originator)and/or the recipient.
Traditionally, paper documents arevalidated and certified by written signa-tures, which work fairly well as a meansof providing authenticity. For electronicdocuments, a similar mechanism is nec-essary. Digital signatures, which are noth-ing but a string of ones and zeroes gen-erated by using a digital signature algo-rithm, serve the purpose of validationand authentication of electronic docu-
ments. Validation refers to the process ofcertifying the contents of the document,while authentication refers to the processof certifying the sender of the document.In this article, the terms document andmessage are used interchangeably.
Conventional and digital signature characteristics
A conventional signature has the fol-lowing salient characteristics: relative easeof establishing that the signature is authen-tic, the difficulty of forging a signature, thenontransferability of the signature, the dif-ficulty of altering the signature, and thenonrepudiation of signature to ensurethat the signer cannot later deny signing.
A digital signature should have all theaforementioned features of a conven-tional signature plus a few more as digi-tal signatures are being used in practical,but sensitive, applications such as securee-mail and credit card transactions overthe Internet. Since a digital signature isjust a sequence of zeroes and ones, it isdesirable for it to have the followingproperties: the signature must be a bitpattern that depends on the messagebeing signed (thus, for the same origina-tor, the digital signature is different fordifferent documents); the signature must
use some information that is unique tothe sender to prevent both forgery anddenial; it must be relatively easy to pro-duce; it must be relatively easy to recog-nize and verify the authenticity of digitalsignature; it must be computationally
infeasible to forge a digital signa-ture either by constructing a newmessage for an existing digital sig-nature or constructing a fraudulentdigital signature for a given mes-sage; and it must be practical to ret-copies of the digital signatures instorage for arbitrating possible dis-putes later.
To verify that the received docu-ment is indeed from the claimedsender and that the contents havenot been altered, several proce-dures, called authentication tech-niques, have been developed.However, message authenticationtechniques cannot be directly usedas digital signatures due to inade-quacies of authentication tech-niques. For example, although mes-sage authentication protects the twoparties exchanging messages from athird party, it does not protect thetwo parties against each other. Inaddition, elementary authenticationschemes produce signatures that areas long as the message themselves.
Basic notions and terminologyDigital signatures are computed
based on the documents (message/information) that need to be signed
and on some private informationheld only by the sender. In practice,instead of using the whole message, ahash function is applied to the messageto obtain the message digest. A hashfunction, in this context, takes an arbi-trary-sized message as input and pro-duces a fixed-size message digest as out-put. Among the commonly used hashfunctions in practice are MD-5 (messagedigest 5) and SHA (secure hash algo-rithm). These algorithms are fairly sophis-ticated and ensure that it is highlyimprobable for two different messages tobe mapped to the same hash value.There are two broad techniques used indigital signature computation—symmetrickey cryptosystem and public-key cryp-tosystem (cryptosystem broadly refers toan encryption technique). In the symmet-ric key system, a secret key known onlyto the sender and the legitimate receiveris used. However, there must be aunique key between any two pairs ofusers. Thus, as the number of user pairs
Digital signatures
S.R. SUBRAMANYA AND BYUNG K. YI
© DIGITALVISION, STOCKBYTE, COMSTOCK
6 IEEE POTENTIALS
increases, it becomes extremely difficultto generate, distribute, and keep track ofthe secret keys.
A public key cryptosystem, on theother hand, uses a pair of keys: a pri-vate key, known only to its owner, anda public key, known to everyone whowishes to communicate with the owner.For confidentiality of the message to besent to the owner, it would be encrypt-ed with the owner’s public key, whichnow could only be decrypted by theowner, the person with the correspond-ing private key. For purposes ofauthentication, a message would beencrypted with the private key of theoriginator or sender, who we will referto as A. This message could be decryptedby anyone using the public key of A. Ifthis yields the proper message, then itis evident that the message was indeedencrypted by the private key of A, andthus only A could have sent it.
Creating and verifying a digital signature
A simple generic scheme for creatingand verifying a digital signature is shownin Figs. 1 and 2, respectively. A hashfunction is applied to the message thatyields a fixed-size message digest. Thesignature function uses the messagedigest and the sender’s private key togenerate the digital signature. A verysimple form of the digital signature isobtained by encrypting the messagedigest using the sender’s private key.The message and the signature can nowbe sent to the recipient. The message isunencrypted and can be read by any-one. However, the signature ensuresauthenticity of the sender (somethingsimilar to a circular sent by a properauthority to be read by many people,with the signature attesting to theauthenticity of the message). At thereceiver, the inverse signature function isapplied to the digital signature to recov-er the original message digest. Thereceived message is subjected to thesame hash function to which the originalmessage was subjected. The resulting
message digest is compared with theone recovered from the signature. If theymatch, then it ensures that the messagehas indeed been sent by the (claimed)sender and that it has not been altered.
Creating and opening a digital envelope
A digital envelope is the equivalent ofa sealed envelope containing an unsignedletter. The outline of creating a digitalenvelope is shown in Fig. 3. The messageis encrypted by the sender using a ran-domly generated symmetric key. Thesymmetric key itself is encrypted using theintended recipient’s public key. The com-bination of the encrypted message andthe encrypted symmetric key is the digitalenvelope. The process of opening the dig-ital envelope and recovering the contentsis shown in Fig. 4. First, the encryptedsymmetric key is recovered by a decryp-tion using the recipient’s private key.Subsequently, the encrypted message isdecrypted using the symmetric key.
Creating and opening digitalenvelopes carrying signed messages
The process of creating a digitalenvelope containing a signed message isshown in Fig. 5. A digital signature iscreated by the signature function usingthe message digest of the message andthe sender’s private key. The originalmessage and the digital signature arethen encrypted by the sender using arandomly generated key and a symmet-ric-key algorithm. The symmetric keyitself is encrypted using the recipient’s
public key. The combination of encrypt-ed message and signature, together withthe encrypted symmetric key, form thedigital envelope containing the signedmessage. Figure 6 shows the process ofopening a digital envelope, recoveringthe message, and verifying the signa-ture. First, the symmetric key is recov-ered using the recipient’s private key.This is then used to decrypt and recoverthe message and the digital signature.The digital signature is then verified asdescribed earlier.
Direct and arbitrated digital signature
A variety of modes have been pro-posed for digital signatures that fall intotwo basic categories: direct and arbitrat-ed. The direct digital signature involvesonly the communicating parties, senderand receiver. This is the simplest type ofdigital signature. It is assumed that therecipient knows the public key of thesender. In a simple scheme, a digital sig-nature may be formed by encrypting theentire message or the hash code of themessage with the sender’s private key.Confidentiality can be provided by fur-ther encrypting the entire message plussignature with either the receiver’s pub-lic key encryption or the shared secretkey, which is conventional encryption. Asender may later deny sending a particu-lar message by claiming that the privatekey was lost or stolen and that someoneelse forged his signature. One way toovercome this is to include a time stampwith every message and requiring notifi-cation of loss of key to the properauthority. In case of dispute, a trustedthird party may view the message and itssignature to arbitrate the dispute.
In the arbitrated signature scheme,there is a trusted third party called thearbiter. Every signed message from asender A to a receiver B goes first to anarbiter T, who subjects the message andits signature to a number of tests tocheck its origin and content. The mes-
Fig. 2 Verifying a digital signature
Compare
MessageHash
Function
SignatureFunction
DigitalSignature
Sender’sPublic Key
MessageDigest
MessageDigest
Fig. 1 Creating a digital signature
Message
DigitalSignature
SignatureFunction
Sender’sPrivate Key
MessageDigest
HashFunctionMessage
MARCH/APRIL 2006 7
sage is then dated and sent to B with anindication that it has been verified to thesatisfaction of the arbiter. The presenceof T solves the problem faced by directsignature schemes, namely that A mightdeny sending a message. The arbiterplays a sensitive and crucial role in thisscheme, and all parties must trust thatthe arbitration mechanism is workingproperly. There are many variations ofarbitrated digital-signature schemes.Some schemes allow the arbiter to seethe messages, while others don’t. Theparticular scheme employed depends onthe needs of the applications. Generally,an arbitrated digital-signature schemehas advantages over a direct digital-sig-nature scheme such as the trust in com-munications between the parties provid-ed by the trusted arbiter and in the arbi-tration of later disputes, if any.
A public versus a private approach to digital signatures
Another way of classifying digital sig-nature schemes is based on whether aprivate-key system or a public-key sys-tem is used. The public-key systembased digital signatures have severaladvantages over the private-key systembased digital signatures. The two mostpopular and commonly used public-keysystem based digital signature schemesare the RSA (named after Rivest, Shamir,and Aldeman, the inventors of the RSApublic-key encryption scheme) and thedigital signature algorithm (DSA)approaches. The DSA is incorporatedinto the Digital Signature Standard (DSS),which was published by the NationalInstitute of Standards and Technology asthe Federal Information ProcessingStandard. It was first proposed in 1991,
revised in 1993, and further revised withminor changes in 1996.
RSA is a commonly used scheme fordigital signatures. In a broad outline ofthe RSA approach, the message to besigned is input to a hash function thatproduces a secure hash code of fixedlength. This hash code is then encryptedusing the sender’s private key to form thesignature. Both the signature and themessage are then concatenated and trans-mitted. The recipient takes the messageand produces a hash code. The recipientalso decrypts the signature using thesender’s public key. If the calculated hashcode matches the decrypted signature,the signature is accepted as valid. This isbecause only the sender knows the pri-vate key, and thus only the sender couldhave produced a valid signature. The sig-nature generation and verification usingRSA is identical to the schemes shown inFigs. 1 and 2, respectively.
The signing process in DSS (usingDSA) is shown in Fig. 7. The DSAapproach also makes use of a hash func-tion. The hash code is provided as inputto a signature function together with arandom number generated for this par-ticular signature. The signature functionalso uses the sender’s private key and aset of parameters known to a group ofcommunicating parties, referred to asglobal public key. The output signatureconsists of two components. The signa-ture verification process is shown in Fig.8. At the receiving end, the hash code ofthe incoming message is generated andinput to a verification function, togetherwith the two components of the signa-ture. The verification function uses theglobal public key as well as sender’spublic key and recreates (one of the twocomponents of) the original digital signa-ture. A match between the recreated andthe original signature indicates theauthenticity of the signature. The signa-ture function is such that it assures therecipient that only the sender, with theknowledge of the private key, couldhave produced the valid signature.
The basis of the RSA scheme is thedifficulty of factoring of large prime num-bers. That of the DSA scheme is the diffi-culty of computing discrete logarithms.The DSA provides only the signaturefunction where as the RSA scheme couldadditionally provide encryption and keyexchange. The signature verificationusing the RSA scheme is about 100 timesfaster than a DSA scheme. The signaturegeneration is slightly faster in the DSAscheme.
EncryptedSymmetric Key
EncryptedMessage
DigitalEnvelopeEncrypt
EncryptMessage
RandomSymmetric Key
Receiver’sPublic Key
SignedMessage
Encrypt
Encrypt
Receiver’sPublic Key
RandomSymmetric Key
DigitalSignature
MessageMessage
SignatureFunctionSender’s
Private Key
MessageDigest
HashFunction
RandomSymmetric
Key
MessageDecrypt
Decrypt
Receiver’sPrivate Key
EncryptedSymmetric
EncryptedMessage
DigitalEnvelope
Fig. 4 Opening a digital envelope
Fig. 3 Creating a digital envelope
Fig. 5 Creating a digital envelope carrying a signed message
8 IEEE POTENTIALS
Work is underway for several exten-sions of the basic digital signaturescheme such as enabling signatures bymultiple parties (group digital signa-tures), signatures by a hierarchy of sig-natories, and protocols for simultaneoussigning of contracts electronically bytwo or more signatories, separated bywide distances.
Digital signatures in real applications
Increasingly, digital signatures arebeing used in secure e-mail and creditcard transactions over the Internet. Thetwo most common secure e-mail systemsusing digital signatures are Pretty GoodPrivacy and Secure/Multipurpose InternetMail Extension. Both of these systemssupport the RSA as well as the DSS-basedsignatures. The most widely used systemfor the credit card transactions over theInternet is Secure Electronic Transaction(SET). It consists of a set of security pro-tocols and formats to enable prior exist-ing credit card payment infrastructure towork on the Internet. The digital signa-ture scheme used in SET is similar to theRSA scheme.
ConclusionsMany traditional and newer busi-
nesses and applications have recentlybeen carrying out enormous amountsof electronic transactions, which haveled to a critical need for protecting theinformation from being maliciouslyaltered, for ensuring the authenticity,and for supporting nonrepudiation.Just as signatures facilitate validationand verification of the authenticity ofpaper documents, digital signaturesserve the purpose of validation andauthentication of electronic documents.
This technology is rather new andemerging and is expected to experi-ence growth and widespread use inthe coming years.
Read more about it• W. Stallings, Cryptography and
Network Security, 3rd ed. EnglewoodCliffs, NJ: Prentice-Hall, 2002.
• M. Bishop, Introduction toComputer Security. Reading, MA:Addison-Wesley, 2005.
• J. Feghhi and P. Williams, DigitalCertificates: Applied Internet Security 1sted. Reading, MA: Addison-Wesley, 1999.
• C.P. Pfleeger and S.L. Pfleeger,Security in Computing, 3rd ed.Englewood Cliffs, NJ: Prentice-Hall, 2002.
• C. Kaufman, R. Perlman, and M.Speciner, Network Security: PrivateCommunication in a Public World,2nd ed. Englewood Cliffs, NJ: Prentice-Hall, 2003.
About the authorsS.R. Subramanya obtained his Ph.D. in
computer science from George washing-ton University where he received theRichard Merwin memorial award from theEECS department in 1996. He receivedthe Grant-in-Aid of Research award fromSigma-Xi in 1997 for his research in audiodata indexing. He is a senior research sci-entist at LGE Modile Research in SanDiego. His current research interestsinclude mobile multimedia services andcontent management. He is the author ofover 70 research papers and articles. Heis a Senior Member of the IEEE.
Byung K. Yi obtained his Ph.D. inelectrical engineering from GeorgeWashington University. He is the seniorexecutive vice president of LG Electronicsin San Diego. Dr. Yi’s previous affiliationsinclude Orbital Sciences Corp., Fairchild,and several high technology companies.He is a Senior Member of the IEEE.
MessageHash
FunctionMessage
Digest
Sender’sPrivate Key
RandomNumber
SignatureFunction
GlobalPublic Key
DigitalSignature
Message
Verify
MessageDigest
MessageDigest
RandomSymmetric Key
DigitalSignature
Decrypt
Decrypt
HashFunction
SignatureFunction
Sender’sPublic Key
Message
EncryptedSymmetric
Key
SignedMessage
EncryptedSigned
Message
Receiver’sPrivate Key
GlobalPublic Key
Compare
SignatureFunction
MessageDigest
Sender’sPublic Key
HashFunction
Message
DigitalSignature
Fig. 6 Opening a digital envelope and verifying a digital signature
Fig. 7 Signing using DSS
Fig. 8 Verification using DSS