irma-110203

Upload: rashianand

Post on 29-May-2018

TRANSCRIPT

  • 8/8/2019 irma-110203

    1/65

    DIGITAL SIGNATURES

    Fred Piper

    Codes & Ciphers Ltd

    12 Duncan Road

    Richmond

    Surrey

    TW9 2JD

    Information Security Group

    Royal Holloway, University of London

    Egham, Surrey

    TW20 0EX

  • 2/65

    Outline

    1. Brief Introduction to Cryptography

    2. Public Key Systems

    3. Basic Principles of Digital Signatures

    4. Public Key Algorithms

    5. Signing Processes

    6. Arbitrated Signatures

    7. Odds and Ends

    NOTE: We will not cover all the sections

  • 3/65

    The Essence of Security

    Recognition of those you know

    Introduction to those you don't know

    Written signature

    Private conversation

  • 4/65

    The Challenge

    Transplant these basic social mechanisms to the telecommunications and/or business environment.

  • 5/65

    The Security Issues

    Sender

    Am I happy that the whole world sees this?

    Am I prepared to pay to stop them?

    Am I allowed to stop them?

    Recipient

    Do I have confidence in:

    the originator

    the message contents and message stream

    no future repudiation.

    Network Manager

    Do I allow this user on to the network?

    How do I control their privileges?

  • 6/65

    Cryptography is used to provide:

    1. Secrecy

    2. Data Integrity

    3. User Verification

    4. Non-Repudiation

  • 7/65

    Cipher System

    [Diagram: message m -> Enciphering Algorithm (Key k(E)) -> cryptogram c -> Deciphering Algorithm (Key k(D)) -> message m; Interceptor]

  • 8/65

    The Attacker's Perspective

    Deciphering Algorithm

    Unknown Key k(D)

    Known c, wants m

    Note: k(E) is not needed unless it helps determine k(D)

  • 9/65

    Two Types of Cipher System

    Conventional or Symmetric

    k(D) easily obtained from k(E)

    Public or Asymmetric

    Computationally infeasible to determine k(D) from k(E)

  • 10/65

    THE SECURITY OF THE SYSTEM IS DEPENDENT ON THE SECURITY OF THE KEYS

  • 11/65

    Public Key Systems

    Original Concept

    For a public key system an enciphering algorithm is agreed and each would-be receiver publishes the key which anyone may use to send a message to him.

    Thus for a public key system to be secure it must not be possible to deduce the message from a knowledge of the cryptogram and the enciphering key. Once such a system is set up, a directory of all receivers plus their enciphering keys is published. However, the only person to know any given receiver's deciphering key is the receiver himself.

  • 12/65

    Public Key Systems

    For a public key system, encipherment must be a one-way function which has a trapdoor. The trapdoor must be a secret known only to the receiver.

    A one-way function is one which is easy to perform but very difficult to reverse. A trapdoor is a trick or another function which makes it easy to reverse the function.

  • 13/65

    Some Mathematical One-Way Functions

    1. Multiplication of two large primes.

    2. Exponentiation modulo n (n = pq).

    3. $x \to a^x$ in $GF(2^n)$ or $GF(p)$.

    4. $k \to E_k(m)$ for fixed m where $E_k$ is encryption in a symmetric key system which is secure against known plaintext attacks.

    5. $x \to a \cdot x$ where x is an n-bit binary vector and a is a fixed n-tuple of integers. Thus $a \cdot x$ is an integer.

  • 14/65

    Public Key Cryptosystems

    Enable secure communications without

    exchanging secret keys

    Enable 3rd party authentication (digital signature)

    Use number theoretic techniques

    Introduce a whole new set of problems

    Are extremely ingenious.

  • 15/65

    Digital Signatures

    According to ISO, the term Digital Signature is used: to indicate a particular authentication technique used to establish the origin of a message in order to settle disputes of what message (if any) was sent.

  • 16/65

    Digital Signatures

    A signature on a message is some data that

    validates a message and verifies its origin

    a receiver can keep as evidence

    a third party can use to resolve disputes.

    It depends on

    the message

    a secret parameter only available to the sender

    It should be

    easy to compute (by one person only)

    easy to verify

    difficult to forge

  • 17/65

    Digital Signature

    Cryptographic checksum

    Identifies sender

    Provides integrity check for data

    Can be checked by third party

  • 18/65

    Hand-Written Signatures

    Intrinsic to signer

    Same on all documents

    Physically attached to message

    Beware plastic cards.

    Digital Signatures

    Use of secret parameter

    Message dependent.

  • 19/65

    Principle of Digital Signatures

    There is a (secret) number which:

    Only one person can use

    Is used to identify that person

    Anyone can verify that it has been

    used

    NB: Anyone who knows the value of a

    number can use that number.

  • 20/65

    Attacks on Digital Signature Schemes

    To impersonate A, I must either

    obtain A's private key

    substitute my public key for A's

    NB: Similar attacks if A is receiving secret data encrypted with A's public key

  • 21/65

  • 22/65

    Certification Authority

    AIM: To guarantee the authenticity of public keys.

    METHOD: The Certification Authority guarantees the authenticity by signing a certificate containing the user's identity and public key with its secret key.

    REQUIREMENT: All users must have an authentic copy of the Certification Authority's public key.

  • 23/65

    Certification Process

    [Diagram labels: Owner; Centre; Generates Key Set; Presents Public Key and credentials; Verifies credentials; Creates Certificate; Receives (and checks) Certificate; Distribution]

  • 24/65

    How Does it Work?

    The Certificate can accompany all Fred's messages

    The recipient must directly or indirectly:

    Trust the CA

    Validate the certificate

    [Certificate graphic: The CA certifies that Fred Piper's public key is.. Electronically signed by the CA]

  • 25/65

    User Authentication Certificates

    Ownership of certificate does not

    establish identity

    Need protocols establishing use of

    corresponding secret keys

  • 26/65

    WARNING

    Identity Theft

    You are your private key

    You are the private key

    corresponding to the public key in

    your certificate

  • 27/65

    Certification Authorities

    Problems/Questions

    Who generates users' keys?

    How is identity established?

    How can certificates be cancelled?

    Any others?

  • 28/65

    Fundamental Requirement

    Internal infrastructure to support secure technological implementation

  • 29/65

    Is everything OK?

    Announcement in Microsoft Security Bulletin MS01-017

    VeriSign Inc recently advised Microsoft that on January 29-30 2001 it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee.

  • 30/65

    RSA System

    Publish integers n and e where n = pq (p and q large primes) and e is chosen so that (e, (p-1)(q-1)) = 1.

    If message is an integer m with 0 < m < n then the cryptogram $c = m^e \pmod n$.

    The primes p and q are Secret (i.e. known only to the receiver) and the system's security depends on the fact that knowledge of n will not enable the interceptor to work out p and q.

  • 31/65

    RSA System

    Since (e, (p-1)(q-1)) = 1 there is an integer d such that $ed = 1 \pmod{(p-1)(q-1)}$.

    [NOTE: without knowing p and q it is impossible to determine d.]

    To decipher raise c to the power d.

    Then $m = c^d \ (= m^{ed}) \pmod n$.

    System works because if n = pq,

    $a^{k(p-1)(q-1)+1} = a \pmod n$

    for all a, k.

  • 32/65

    RSA Summary and Example

    Theory                                      Example                               Choice

    $n = p \cdot q$                             $2773 = 47 \cdot 59$                  p = 47, q = 59

    $e \cdot d \equiv 1 \pmod{(p-1)(q-1)}$      $17 \cdot 157 \equiv 1 \pmod{2668}$   e = 17, d = 157

    Public key is (e, n)                        (17, 2773)

    Private key is (d, n)                       (157, 2773)

    Message M (0 < M < n)                       M = 31

    NB: Knowledge of p and q is required to compute d.

    Encryption using Public Key:

    $C \equiv M^e \pmod n$

    $587 \equiv 31^{17} \pmod{2773}$

    Decryption using Private Key:

    $M \equiv C^d \pmod n$

    $31 \equiv 587^{157} \pmod{2773}$

  • 33/65

    El Gamal Cipher

    Work in GF(q)

    For practical systems

    q = large prime

    $q = 2^n$

    Note: We will not define $GF(2^n)$. For a prime q arithmetic in GF(q) is arithmetic modulo q.

  • 34/65

    El Gamal Cipher

    System wide parameters: integers g, p

    NB: p is a large prime and g is a primitive element mod p.

    A chooses private key x such that 1 < x < p - 1

    A's public key is $y = g^x \bmod p$.

    Note: x is called the discrete logarithm of y modulo p to the base g.

  • 35/65

    El Gamal Encryption

    If B wants to send secret message m to A then

    1. B obtains A's public key y plus g and p

    2. B generates random integer k.

    3. B sends $g^k \pmod p$ and $c = m y^k \pmod p$ to A.

    A uses x to compute $y^k$ from $g^k$ and then evaluates m.

  • 36/65

    El Gamal Cipher

    Important facts from last slide

    g is special type of number

    sender needs random number

    generator

    cryptogram is twice as long as

    message

  • 37/65

    El Gamal - Encryption - Worked Example

    Prime p = 23, primitive element a = 11

    Private key x = 6, public key $y = 11^6 \pmod{23} = 9$

    To encipher m = 10

    Assume random value k = 3

    $a^k = 11^3 \bmod 23 = 20$

    $y^k = 11^{18} \bmod 23 = 16$

    $m y^k = 10 \cdot 16 \bmod 23 = 22$

    Thus transmit (20, 22)

  • 38/65

    El Gamal - Worked Example

    To decrypt (20, 22)

    $y^k = (a^k)^x = 20^6 = 16 \bmod 23$

    To find m: solve $c = m y^k \bmod p$

    i.e. solve $22 = m \cdot 16 \bmod 23$

    Solution m = 10

  • 39/65

    Modular Exponentiation

    Both RSA and El Gamal involve computing $x^a \pmod N$ for large x, a and N

    To speed up process need:

    Fast multiplication algorithm

    Avoid intermediate values becoming too

    large

    Limit number of modular multiplications

  • 40/65

    How to Create a Digital Signature Using RSA

    [Diagram: MESSAGE -> HASHING FUNCTION -> HASH OF MESSAGE -> Sign using Private Key -> SIGNATURE - SIGNED HASH OF MESSAGE]

  • 41/65

    How to Verify a Digital Signature Using RSA

    [Diagram: Message with Appended Signature is separated into Message and Signature. Re-hash the Received Message: Message -> Hashing Function -> HASH OF MESSAGE. Verify the Received Signature: Signature -> Verify using Public Key -> HASH OF MESSAGE.]

    If hashes are equal,

    signature is authentic
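
An added example, not part of the original slides: the hash-then-sign and verify flow of the two diagrams above, run on the deck's toy RSA key (n = 2773, e = 17, d = 157) with the square-and-multiply exponentiation that the Modular Exponentiation slide calls for. The SHA-256 hash, its reduction mod n, the CRT variant and all function names are assumptions made for the illustration.

```python
import hashlib

# Toy RSA key from the deck's worked example (n = 47 * 59); far too small for real use.
P, Q, N, E, D = 47, 59, 2773, 17, 157

def modexp(x, a, n):
    """Square-and-multiply. Returns (x**a mod n, number of modular multiplications)."""
    if a == 0:
        return 1 % n, 0
    result, mults = x % n, 0
    for bit in bin(a)[3:]:                  # exponent bits after the leading 1
        result = result * result % n        # reduce at every step: values stay below n*n
        mults += 1
        if bit == "1":
            result = result * x % n
            mults += 1
    return result, mults

def digest(message):
    """HASH OF MESSAGE, reduced mod n only because the toy modulus is tiny (assumption)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message):
    """Sign using Private Key: signature = hash^d mod n."""
    return modexp(digest(message), D, N)[0]

def sign_crt(message):
    """Same signature via CRT: two smaller exponentiations, mod p and mod q."""
    h = digest(message)
    sp = modexp(h, D % (P - 1), P)[0]
    sq = modexp(h, D % (Q - 1), Q)[0]
    q_inv = pow(Q, -1, P)                   # Q^-1 mod P (Python 3.8+)
    return sq + Q * ((sp - sq) * q_inv % P)

def verify(message, signature):
    """Verify using Public Key: signature^e mod n must equal the re-hashed message."""
    return modexp(signature, E, N)[0] == digest(message)

if __name__ == "__main__":
    msg = b"pay Fred 10 pounds"             # constructed sample message
    sig = sign(msg)
    print("signature:", sig, "valid:", verify(msg, sig))
    print("altered signature valid:", verify(msg, (sig + 1) % N))
    print("multiplications for e and d:", modexp(31, E, N)[1], modexp(587, D, N)[1])
```

With a modulus this small, distinct messages collide on the reduced hash with probability about 1/2773, which is one reason the example is only a model of the flow.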

  • 42/65

  • 43/65

    DSA

    Proposed by NIST in 1991

    Explicitly requires the use of a hash

    function

    SHA-1

    Very different set of functional

    capabilities than RSA

  • 44/65

  • 45/65

    Signing with DSA

    To sign message m

    hash message m to give h(m) ($1 \le h(m) \le q-1$)

    generate random secret k ($1 \le k \le q-1$)

    compute $r = (a^k \bmod p) \bmod q$

    compute $k^{-1} \bmod q$

    compute $s = k^{-1}\{h(m) + ar\} \bmod q$

    signature on m is (r, s)

  • 46/65

    DSA Signature Verification

    To verify (r, s)

    check that $1 \le r \le q-1$ and $1 \le s \le q-1$

    compute $w = s^{-1} \bmod q$

    compute $u_1 = w\,h(m) \bmod q$

    compute $u_2 = rw \bmod q$

    accept signature if $(a^{u_1} y^{u_2} \bmod p) \bmod q = r$
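
An added example, not part of the original slides: the signing and verification steps of the two DSA slides above, run on constructed toy parameters. The slide that defines the key pair is absent from this transcript, so the names are assumptions: G is the base raised to the power k, X the private value multiplied by r, and Y = G^X mod p the public key; p = 23 and q = 11 are constructed values.

```python
import hashlib
import secrets

# Constructed toy parameters (assumptions, not from the deck): Q divides P - 1 and
# G has order Q modulo P. The deck's real sizes are q near 2^160 and p near 2^1024.
P, Q, G = 23, 11, 4
X = 7                       # signer's private key (constructed)
Y = pow(G, X, P)            # signer's public key

def h(message):
    """SHA-1, the hash named on the DSA slide, folded into 1..q-1 for the toy q."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % (Q - 1) + 1

def sign_hash(hm, k):
    """One signing attempt with per-message secret k; None if r or s comes out as 0."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (hm + X * r) % Q        # k^-1 mod q (Python 3.8+)
    return (r, s) if r and s else None

def sign(message):
    """Draw a fresh random k with 1 <= k <= q-1 for every signature; retry on a zero."""
    while True:
        sig = sign_hash(h(message), secrets.randbelow(Q - 1) + 1)
        if sig:
            return sig

def verify_hash(hm, r, s):
    # Range check first: without it s = 0 has no inverse and r = 0 is never legitimate.
    if not (1 <= r <= Q - 1 and 1 <= s <= Q - 1):
        return False
    w = pow(s, -1, Q)
    u1, u2 = w * hm % Q, r * w % Q
    return pow(G, u1, P) * pow(Y, u2, P) % P % Q == r

def verify(message, r, s):
    return verify_hash(h(message), r, s)

if __name__ == "__main__":
    msg = b"constructed sample message"
    r, s = sign(msg)
    print("signature:", (r, s), "valid:", verify(msg, r, s))
    print("hand-checkable case h(m)=5, k=3:", sign_hash(5, 3))
    print("out-of-range s rejected:", not verify_hash(5, 7, 11))
```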

  • 47/65

    Security of DSA

    Depends on

    taking discrete logarithms in GF(p) (GNFS)

    the logarithm problem in the cyclic subgroup of order q

    algorithms for this take time proportional to $q^{1/2}$

    we choose $q \approx 2^{160}$ and $p \approx 2^{1024}$

    other concerns follow the case of El Gamal signatures

  • 48/65

    Performance of DSA

    Using the subgroup of order q gives good improvements over El Gamal signatures

    for signature

    one (partial) exponentiation mod p, all other operations less significant

    also there are opportunities for pre-computation

    for verification

    two (partial) exponentiations mod p, all other operations less significant

  • 49/65

    DSA and RSA

    set a unit of time to be that required for one 1024-bit multiplication

    use $e = 2^{16}+1$ and CRT for RSA

    pre-computation with DSA not included

    also a difference in the sizes of the signatures

              RSA    DSA

    Sign      384    240

    Verify     17    480

  • 50/65

    Signing and Verifying

    Which is more important - signature

    or verification performance?

    depends on the application!

    certificates: sign once but verify

    very often

    secure E-mail: perhaps sign and verify

    once

    document storage: sign once but maybe

    never verify

  • 51/65

    Digital Signatures for Short Messages

    [Diagram: a) Construction: Text with Padding / Redundancy -> RSA with Private Key -> Signature -> SEND. b) Deconstruction: Signature -> RSA Verify with Public Key -> Text with Padding / Redundancy.]

  • 52/65

    Types of Digital Signature

    1. Arbitrated Signatures

    Mediation by third party, the arbitrator

    signing

    verifying

    resolving disputes

    2. True Signatures

    Direct communication between sender and receiver

    Third party involved only in case of dispute

  • 53/65

    Arbitrated Signatures

    Require trusted arbitrator

    Arbitrator is involved in

    Signing process

    Settlement of all disputes

    No one else can settle disputes

    Potential bottleneck

  • 54/65

    Example of Arbitrated Signature Scheme (1)

    Requirement: A wants to send B message

    B wants assurance of contents, that A was originator and that A cannot deny either fact.

    Assumption: A and B agree to trust an arbitrator (ARB) and to accept ARB's decision as binding.

  • 55/65

  • 56/65

    Example of Arbitrated Signature Scheme (3)

    A wants to send signed message M to B

    Simplified protocol

    1) A $\to$ ARB : $M_1 = M \,\|\, MAC_{K_A}$

    2) ARB uses $K_A$ to check $MAC_{K_A}$

    3) ARB $\to$ B : $M_2 = M_1 \,\|\, MAC_{K_B}$

    4) B uses $K_B$ to check $MAC_{K_B}$

    Note: B has no way of checking $MAC_{K_A}$ is correct.

    May be necessary to include identities in messages.
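
An added example, not part of the original slides: the four steps of the simplified arbitrated protocol above with HMAC-SHA256 as the MAC. The key values, the identity prefix in the message body, the choice to compute MAC_KB over the whole of M1, and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed keys (assumptions): ARB shares K_A with A only and K_B with B only.
K_A = b"constructed key shared by A and ARB"
K_B = b"constructed key shared by B and ARB"

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def a_send(message):
    """Step 1: A -> ARB : M1 = M || MAC_KA. Identities go into M, as the note suggests."""
    body = b"from=A;to=B;" + message
    return body, mac(K_A, body)

def arb_forward(body, mac_a):
    """Steps 2 and 3: ARB checks MAC_KA with K_A, then sends M2 = M1 || MAC_KB to B."""
    if not hmac.compare_digest(mac(K_A, body), mac_a):
        raise ValueError("MAC_KA does not verify: ARB refuses to forward")
    return body, mac_a, mac(K_B, body + mac_a)

def b_receive(body, mac_a, mac_b):
    """Step 4: B checks MAC_KB with K_B. B cannot check MAC_KA; B stores it as evidence."""
    return hmac.compare_digest(mac(K_B, body + mac_a), mac_b)

def arb_resolve(body, mac_a):
    """Dispute: only ARB, holding K_A, can say whether A produced mac_a on this body."""
    return hmac.compare_digest(mac(K_A, body), mac_a)

if __name__ == "__main__":
    body, mac_a = a_send(b"order 100 units")          # constructed sample message
    m2 = arb_forward(body, mac_a)
    print("B accepts:", b_receive(*m2))
    print("B accepts altered body:", b_receive(body + b"0", m2[1], m2[2]))
    # A later denies sending; B presents the stored (body, MAC_KA) to ARB.
    print("ARB confirms A as originator:", arb_resolve(body, mac_a))
    # B presents a different body with the old MAC_KA; ARB rejects the claim.
    print("ARB confirms altered claim:", arb_resolve(body.replace(b"100", b"900"), mac_a))
```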

  • 57/65

    True Signature

    True Signature Requirement

    Only one person can sign but anyone can verify the signature

    Public Key Requirement

    Anyone can encrypt a message but only one person can decrypt the cryptogram.

  • 58/65

    True Signature

    It is natural to try to adopt public

    key systems to produce signature

    schemes by using the secret key in

    the signing process

  • 59/65

    Digital Signatures

    Common Terminology identifies the terms Digital Signature and True Signature

  • 60/65

    The Decision Process

    Do I need Cryptography?

    Do I need Public Key Cryptography?

    Do I need PKI?

    How do I establish a PKI?

  • 61/65

    Often Heard

    PKI has never really taken off

    PKI is dead

    I've got a PKI, what do I do with it?

    Secure e-commerce needs PKI

  • 62/65

    Diffie Hellman Key Establishment Protocol

    General Idea: Use Public System

    A and B exchange public keys: $P_A$ and $P_B$

    There is a publicly known function f which has 2 numbers as input and one number as output.

    A computes $f(S_A, P_B)$ where $S_A$ is A's private key

    B computes $f(S_B, P_A)$ where $S_B$ is B's private key

    f is chosen so that $f(S_A, P_B) = f(S_B, P_A)$

    So A and B now share a (secret) number

  • 63/65

    Diffie Hellman Key Establishment Protocol

    For the mathematicians:

    Agree: Prime p, primitive element a

    A: chooses random $r_A$ and sends $a^{r_A} \pmod p$

    B: chooses random $r_B$ and sends $a^{r_B} \pmod p$

    Key: $s = a^{r_A r_B} \pmod p$

    Clearly any interceptor who can find discrete logarithms can break the scheme

    In this case $f(x, y) = x^y$. $f(a^{r_B}, r_A) = f(a^{r_A}, r_B) = a^{r_A r_B}$

    Note: Comparison with El Gamal

  • 64/65

    D-H Man in the Middle Attack

    [Diagram: the Fraudster F sits between A and B. A sends $P_A$, which reaches F; F sends $P_F$ on to B. B sends $P_B$, which reaches F; F sends $P_F$ on to A.]

    The Fraudster has agreed keys with both A and B

    A and B believe they have agreed a common key

  • 65/65

    D-H Man-in-the-Middle Attack

    For the mathematicians

    [Diagram: the Fraudster F sits between A and B. A sends $a^{r_A} \pmod p$, which reaches F; F sends $a^{r_F} \pmod p$ on to B. B sends $a^{r_B} \pmod p$, which reaches F; F sends $a^{r_F} \pmod p$ on to A.]

    The Fraudster has agreed keys with both A and B

    A and B believe they have agreed a common key
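
An added example, not part of the original slides: the Diffie Hellman exchange and the substitution shown on the last two slides, in numbers small enough to check by hand, followed by the recipient-side check that the certification slides motivate. The prime 23 and primitive element 11 are reused from the deck's El Gamal worked example; the secret exponents, the `certified` directory and the function names are assumptions.

```python
# Toy parameters reused from the deck's El Gamal worked example.
P, BASE = 23, 11            # prime p and primitive element a

def public_value(r):
    """a^r (mod p): the value a party sends."""
    return pow(BASE, r, P)

def shared_key(own_r, received):
    """f(x, y) = x^y: raise the received public value to one's own secret exponent."""
    return pow(received, own_r, P)

def exchange(r_a, r_b, r_f=None):
    """Run the exchange. If r_f is given, F replaces both public values in transit.
    Returns (key A holds, key B holds, (F's key with A, F's key with B) or None)."""
    from_a, from_b = public_value(r_a), public_value(r_b)
    seen_by_a, seen_by_b, f_keys = from_b, from_a, None
    if r_f is not None:
        f_keys = (shared_key(r_f, from_a), shared_key(r_f, from_b))
        seen_by_a = seen_by_b = public_value(r_f)
    return shared_key(r_a, seen_by_a), shared_key(r_b, seen_by_b), f_keys

def authentic(sender, received, certified):
    """Accept a public value only if it equals the one certified for that sender.
    `certified` models a CA-signed directory and is assumed to be authentic."""
    return certified.get(sender) == received

if __name__ == "__main__":
    r_a, r_b, r_f = 6, 3, 5                         # constructed secret exponents
    print("honest exchange:", exchange(r_a, r_b))
    print("with substitution:", exchange(r_a, r_b, r_f))
    directory = {"A": public_value(r_a), "B": public_value(r_b)}
    print("B accepts genuine value from A:", authentic("A", public_value(r_a), directory))
    print("B accepts substituted value:", authentic("A", public_value(r_f), directory))
```

In the substituted run A and B end up holding different keys, each equal to one of F's, and only the comparison against an authentic copy of the sender's public value exposes the replacement.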