irma-110203
TRANSCRIPT
-
8/8/2019 irma-110203
1/65
DIGITAL SIGNATURES
Fred Piper
Codes & Ciphers Ltd
12 Duncan Road
Richmond
Surrey
TW9 2JD
Information Security Group
Royal Holloway, University of London
Egham, Surrey
TW20 0EX
-
Outline
1. Brief Introduction to Cryptography
2. Public Key Systems
3. Basic Principles of Digital Signatures
4. Public Key Algorithms
5. Signing Processes
6. Arbitrated Signatures
7. Odds and Ends
NOTE: We will not cover all the sections
-
The Essence of Security
Recognition of those you know
Introduction to those you don't know
Written signature
Private conversation
-
The Challenge
Transplant these basic social mechanisms to the telecommunications and/or business environment.
-
The Security Issues
Sender
Am I happy that the whole world sees this?
Am I prepared to pay to stop them?
Am I allowed to stop them?
Recipient
Do I have confidence in:
the originator
the message contents and message stream
no future repudiation
Network Manager
Do I allow this user on to the network?
How do I control their privileges?
-
Cryptography is used to provide:
1. Secrecy
2. Data Integrity
3. User Verification
4. Non-Repudiation
-
Cipher System
[Diagram: message m -> Enciphering Algorithm (key k(E)) -> cryptogram c -> Deciphering Algorithm (key k(D)) -> message m; an Interceptor taps the cryptogram c]
-
The Attacker's Perspective
[Diagram: Deciphering Algorithm with unknown key k(D); the attacker knows c and wants m]
Note: k(E) is not needed unless it helps determine k(D)
-
Two Types of Cipher System
Conventional or Symmetric
k(D) easily obtained from k(E)
Public or Asymmetric
Computationally infeasible to determine k(D) from k(E)
-
THE SECURITY OF THE SYSTEM IS DEPENDENT ON THE SECURITY OF THE KEYS
-
Public Key Systems
Original Concept
For a public key system an enciphering algorithm is agreed and each would-be receiver publishes the key which anyone may use to send a message to him.
Thus for a public key system to be secure it must not be possible to deduce the message from a knowledge of the cryptogram and the enciphering key. Once such a system is set up, a directory of all receivers plus their enciphering keys is published. However, the only person to know any given receiver's deciphering key is the receiver himself.
-
Public Key Systems
For a public key system, encipherment must be a one-way function which has a trapdoor. The trapdoor must be a secret known only to the receiver.
A one-way function is one which is easy to perform but very difficult to reverse. A trapdoor is a trick or another function which makes it easy to reverse the function.
-
Some Mathematical One-Way Functions
1. Multiplication of two large primes.
2. Exponentiation modulo $n$ ($n = pq$).
3. $x \to a^x$ in $GF(2^n)$ or $GF(p)$.
4. $k \to E_k(m)$ for fixed $m$, where $E_k$ is encryption in a symmetric key system which is secure against known plaintext attacks.
5. $x \to a \cdot x$, where $x$ is an $n$-bit binary vector and $a$ is a fixed $n$-tuple of integers. Thus $a \cdot x$ is an integer.
-
Public Key Cryptosystems
Enable secure communications without exchanging secret keys
Enable 3rd party authentication (digital signature)
Use number theoretic techniques
Introduce a whole new set of problems
Are extremely ingenious.
-
Digital Signatures
According to ISO, the term Digital Signature is used: to indicate a particular authentication technique used to establish the origin of a message in order to settle disputes of what message (if any) was sent.
-
Digital Signatures
A signature on a message is some data that
validates a message and verifies its origin
a receiver can keep as evidence
a third party can use to resolve disputes.
It depends on
the message
a secret parameter only available to the sender
It should be
easy to compute (by one person only)
easy to verify
difficult to forge
-
Digital Signature
Cryptographic checksum
Identifies sender
Provides integrity check for data
Can be checked by third party
-
Hand-Written Signatures
Intrinsic to signer
Same on all documents
Physically attached to message
Beware plastic cards.
Digital Signatures
Use of secret parameter
Message dependent.
-
Principle of Digital Signatures
There is a (secret) number which:
Only one person can use
Is used to identify that person
Anyone can verify that it has been
used
NB: Anyone who knows the value of a
number can use that number.
-
Attacks on Digital Signature Schemes
To impersonate A, I must either
obtain A's private key
substitute my public key for A's
NB: Similar attacks if A is receiving secret data encrypted with A's public key
-
Certification Authority
AIM: To guarantee the authenticity of public keys.
METHOD: The Certification Authority guarantees the authenticity by signing a certificate containing user's identity and public key with its secret key.
REQUIREMENT: All users must have an authentic copy of the Certification Authority's public key.
-
Certification Process
[Diagram. Steps: Generates Key Set; Presents Public Key and credentials; Verifies credentials; Creates Certificate; Receives (and checks) Certificate. Parties: Owner, Distribution Centre]
-
How Does it Work?
The Certificate can accompany all Fred's messages
The recipient must directly or indirectly:
Trust the CA
Validate the certificate
[Certificate graphic: "The CA certifies that Fred Piper's public key is .." Electronically signed by the CA]
-
User Authentication Certificates
Ownership of certificate does not
establish identity
Need protocols establishing use of
corresponding secret keys
-
WARNING
Identity Theft
You are your private key
You are the private key corresponding to the public key in your certificate
-
Certification Authorities
Problems/Questions
Who generates users' keys?
How is identity established?
How can certificates be cancelled?
Any others?
-
Fundamental Requirement
Internal infrastructure to support secure technological implementation
-
Is everything OK?
Announcement in Microsoft Security Bulletin MS01-017
VeriSign Inc recently advised Microsoft that on January 29-30 2001 it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee.
-
RSA System
Publish integers $n$ and $e$ where $n = pq$ ($p$ and $q$ large primes) and $e$ is chosen so that $(e, (p-1)(q-1)) = 1$.
If message is an integer $m$ with $0 < m < n$ then the cryptogram $c = m^e \pmod{n}$.
The primes $p$ and $q$ are secret (i.e. known only to the receiver) and the system's security depends on the fact that knowledge of $n$ will not enable the interceptor to work out $p$ and $q$.
-
RSA System
Since $(e, (p-1)(q-1)) = 1$ there is an integer $d$ such that $ed = 1 \pmod{(p-1)(q-1)}$.
[NOTE: without knowing $p$ and $q$ it is impossible to determine $d$.]
To decipher raise $c$ to the power $d$.
Then $m = c^d \ (= m^{ed}) \pmod{n}$.
System works because if $n = pq$,
$a^{k(p-1)(q-1)+1} = a \pmod{n}$
for all $a$, $k$.
-
RSA Summary and Example
Theory                                                                          Choice
$n = p \cdot q$                           $2773 = 47 \cdot 59$                  $p = 47$, $q = 59$
$e \cdot d \equiv 1 \pmod{(p-1)(q-1)}$    $17 \cdot 157 \equiv 1 \pmod{2668}$   $e = 17$, $d = 157$
Public key is $(e, n)$                    $(17, 2773)$
Private key is $(d, n)$                   $(157, 2773)$
Message $M$ ($0 < M < n$)                 $M = 31$
NB: Knowledge of $p$ and $q$ is required to compute $d$.
Encryption using Public Key:
$C \equiv M^e \pmod{n}$
$587 \equiv 31^{17} \pmod{2773}$
Decryption using Private Key:
$M \equiv C^d \pmod{n}$
$31 \equiv 587^{157} \pmod{2773}$
-
El Gamal Cipher
Work in $GF(q)$
For practical systems
$q$ = large prime
$q = 2^n$
Note: We will not define $GF(2^n)$. For a prime $q$, arithmetic in $GF(q)$ is arithmetic modulo $q$.
-
El Gamal Cipher
System wide parameters: integers $g$, $p$
NB: $p$ is a large prime and $g$ is a primitive element mod $p$.
A chooses private key $x$ such that $1 < x < p - 1$
A's public key is $y = g^x \bmod p$.
Note: $x$ is called the discrete logarithm of $y$ modulo $p$ to the base $g$.
-
El Gamal Encryption
If B wants to send secret message $m$ to A then
1. B obtains A's public key $y$ plus $g$ and $p$
2. B generates random integer $k$.
3. B sends $g^k \pmod{p}$ and $c = m y^k \pmod{p}$ to A.
A uses $x$ to compute $y^k$ from $g^k$ and then evaluates $m$.
-
El Gamal Cipher
Important facts from last slide
g is special type of number
sender needs random number
generator
cryptogram is twice as long as
message
-
El Gamal - Encryption - Worked Example
Prime $p = 23$, primitive element $a = 11$
Private key $x = 6$, public key $y = 11^6 \pmod{23} = 9$
To encipher $m = 10$
Assume random value $k = 3$
$a^k = 11^3 \bmod 23 = 20$
$y^k = 11^{18} \bmod 23 = 16$
$m y^k = 10 \cdot 16 \bmod 23 = 22$
Thus transmit $(20, 22)$
-
El Gamal - Worked Example
To decrypt $(20, 22)$
$y^k = (a^k)^x = 20^6 = 16 \bmod 23$
To find $m$: solve $c = m y^k \bmod p$
i.e. solve $22 = m \cdot 16 \bmod 23$
Solution $m = 10$
-
Modular Exponentiation
Both RSA and El Gamal involve computing $x^a \pmod{N}$ for large $x$, $a$ and $N$
To speed up process need:
Fast multiplication algorithm
Avoid intermediate values becoming too large
Limit number of modular multiplications
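The following is an added example, not part of the original slides: a square-and-multiply exponentiation that reduces after every step and counts its modular multiplications, checked against the numbers on the RSA summary slide and the El Gamal worked example. The function names are assumptions made for this illustration.

```python
def modexp(x, a, n):
    """Square-and-multiply: return (x**a mod n, modular multiplications used)."""
    result, base, mults = 1, x % n, 0
    while a > 0:
        if a & 1:                       # this bit of the exponent is set
            result = result * base % n  # reduce at once: values stay below n*n
            mults += 1
        a >>= 1
        if a:                           # square only while bits remain
            base = base * base % n
            mults += 1
    return result, mults


def rsa_apply(value, exponent, n):
    """RSA is a single modular exponentiation in either direction."""
    return modexp(value, exponent, n)[0]


def elgamal_encrypt(m, y, k, a, p):
    """Return the pair (a^k mod p, m*y^k mod p) for message m and random k."""
    return modexp(a, k, p)[0], m * modexp(y, k, p)[0] % p


def elgamal_decrypt(c1, c2, x, p):
    """Recover m by rebuilding y^k = c1^x and dividing it out of c2."""
    yk = modexp(c1, x, p)[0]
    yk_inv = modexp(yk, p - 2, p)[0]    # inverse modulo a prime p (Fermat)
    return c2 * yk_inv % p


if __name__ == "__main__":
    # Numbers from the RSA summary slide: n = 2773, e = 17, d = 157, M = 31.
    c, used = modexp(31, 17, 2773)
    print("RSA C =", c, "with", used, "multiplications (16 if done naively)")
    print("RSA M =", rsa_apply(c, 157, 2773))
    # Numbers from the El Gamal worked example: p = 23, a = 11, x = 6, k = 3.
    y = modexp(11, 6, 23)[0]
    pair = elgamal_encrypt(10, y, 3, 11, 23)
    print("El Gamal y =", y, "cryptogram =", pair)
    print("El Gamal m =", elgamal_decrypt(*pair, 6, 23))
```

The multiplication count grows with the bit length of the exponent, not its value, which is why a 157-fold power needs only 12 modular multiplications here.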
-
How to Create a Digital Signature Using RSA
[Diagram: MESSAGE -> HASHING FUNCTION -> HASH OF MESSAGE -> Sign using Private Key -> SIGNATURE (SIGNED HASH OF MESSAGE)]
-
How to Verify a Digital Signature Using RSA
[Diagram: the message with appended signature is split into Message and Signature. Re-hash the received message: Message -> Hashing Function -> HASH OF MESSAGE. Verify the received signature: Signature -> Verify using Public Key -> HASH OF MESSAGE.]
If hashes are equal, signature is authentic
-
DSA
Proposed by NIST in 1991
Explicitly requires the use of a hash
function
SHA-1
Very different set of functional
capabilities than RSA
-
Signing with DSA
To sign message $m$
hash message $m$ to give $h(m)$ ($1 \le h(m) \le q-1$)
generate random secret $k$ ($1 \le k \le q-1$)
compute $r = (\alpha^k \bmod p) \bmod q$
compute $k^{-1} \bmod q$
compute $s = k^{-1}\{h(m) + ar\} \bmod q$
signature on $m$ is $(r, s)$
-
DSA Signature Verification
To verify $(r, s)$
check that $1 \le r \le q-1$ and $1 \le s \le q-1$
compute $w = s^{-1} \bmod q$
compute $u_1 = w\,h(m) \bmod q$
compute $u_2 = rw \bmod q$
accept signature if $(\alpha^{u_1} y^{u_2} \bmod p) \bmod q = r$
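The signing and verification steps of the two DSA slides, as an added example that is not part of the original slides. The slide defining the parameters is missing from this transcript, so the usual DSA setup is assumed: q is a prime dividing p - 1, alpha has order q modulo p, a is the signer's private key and y = alpha^a mod p. All numeric values and function names are constructed for the illustration.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use: Q divides P - 1,
# ALPHA has order Q modulo P, A_PRIV is the signer's secret key.
P, Q, ALPHA = 23, 11, 4
A_PRIV = 7
Y = pow(ALPHA, A_PRIV, P)          # public key y = alpha^a mod p


def h(message):
    """SHA-1 of the message, mapped into the range 1..q-1 the slide requires."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % (Q - 1) + 1


def sign_hash(hm, k=None):
    """Sign a hash value; a fixed k is accepted only to reproduce a test vector."""
    while True:
        kk = k if k is not None else secrets.randbelow(Q - 1) + 1   # 1 <= k <= q-1
        r = pow(ALPHA, kk, P) % Q
        s = pow(kk, Q - 2, Q) * (hm + A_PRIV * r) % Q   # k^-1 mod prime q
        if r != 0 and s != 0:
            return r, s
        if k is not None:
            raise ValueError("this k gives r = 0 or s = 0; choose another")


def verify_hash(hm, r, s):
    """Verification steps from the slide, starting with the range check."""
    if not (1 <= r <= Q - 1 and 1 <= s <= Q - 1):
        return False               # also rejects s = 0, which has no inverse
    w = pow(s, Q - 2, Q)           # s^-1 mod prime q
    u1, u2 = w * hm % Q, r * w % Q
    return pow(ALPHA, u1, P) * pow(Y, u2, P) % P % Q == r


def sign(message, k=None):
    return sign_hash(h(message), k)


def verify(message, r, s):
    return verify_hash(h(message), r, s)
```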
-
Security of DSA
Depends on
taking discrete logarithms in $GF(p)$ (GNFS)
the logarithm problem in the cyclic subgroup of order $q$
algorithms for this take time proportional to $q^{1/2}$
we choose $q \approx 2^{160}$ and $p \approx 2^{1024}$
other concerns follow the case of El Gamal signatures
-
Performance of DSA
Using the subgroup of order $q$ gives good improvements over El Gamal signatures
for signature
one (partial) exponentiation mod $p$, all other operations less significant
also there are opportunities for pre-computation
for verification
two (partial) exponentiations mod $p$, all other operations less significant
-
DSA and RSA
set a unit of time to be that required for one 1024-bit multiplication
use $e = 2^{16} + 1$ and CRT for RSA
pre-computation with DSA not included
also a difference in the sizes of the signatures
          RSA   DSA
Sign      384   240
Verify     17   480
-
Signing and Verifying
Which is more important - signature
or verification performance?
depends on the application!
certificates: sign once but verify
very often
secure E-mail: perhaps sign and verify
once
document storage: sign once but maybe
never verify
-
Digital Signatures for Short Messages
[Diagram: a) Construction: Text plus Padding / Redundancy is signed with the RSA Private Key to give the Signature, which is sent. b) Deconstruction: the Signature is verified with the RSA Public Key to give back the Text plus Padding / Redundancy.]
-
Types of Digital Signature
1. Arbitrated Signatures
Mediation by third party, the arbitrator
signing
verifying
resolving disputes
2. True Signatures
Direct communication between sender and receiver
Third party involved only in case of dispute
-
Arbitrated Signatures
Require trusted arbitrator
Arbitrator is involved in
Signing process
Settlement of all disputes
No one else can settle disputes
Potential bottleneck
-
Example of Arbitrated Signature Scheme (1)
Requirement: A wants to send B message
B wants assurance of contents, that A was originator and that A cannot deny either fact.
Assumption: A and B agree to trust an arbitrator (ARB) and to accept ARB's decision as binding.
-
Example of Arbitrated Signature Scheme (3)
A wants to send signed message $M$ to B
Simplified protocol
1) A $\to$ ARB: $M_1 = M \,\|\, MAC_{K_A}$
2) ARB uses $K_A$ to check $MAC_{K_A}$
3) ARB $\to$ B: $M_2 = M_1 \,\|\, MAC_{K_B}$
4) B uses $K_B$ to check $MAC_{K_B}$
Note: B has no way of checking $MAC_{K_A}$ is correct.
May be necessary to include identities in messages.
-
True Signature
True Signature Requirement
Only one person can sign but anyone can verify the signature
Public Key Requirement
Anyone can encrypt a message but only one person can decrypt the cryptogram.
-
True Signature
It is natural to try to adopt public
key systems to produce signature
schemes by using the secret key in
the signing process
-
Digital Signatures
Common Terminology identifies the terms Digital Signature and True Signature
-
The Decision Process
Do I need Cryptography?
Do I need Public Key Cryptography?
Do I need PKI?
How do I establish a PKI?
-
Often Heard
PKI has never really taken off
PKI is dead
I've got a PKI, what do I do with it?
Secure e-commerce needs PKI
-
Diffie Hellman Key Establishment Protocol
General Idea: Use Public System
A and B exchange public keys: $P_A$ and $P_B$
There is a publicly known function $f$ which has 2 numbers as input and one number as output.
A computes $f(S_A, P_B)$ where $S_A$ is A's private key
B computes $f(S_B, P_A)$ where $S_B$ is B's private key
$f$ is chosen so that $f(S_A, P_B) = f(S_B, P_A)$
So A and B now share a (secret) number
-
Diffie Hellman Key Establishment Protocol
For the mathematicians:
Agree: Prime $p$, primitive element $a$
A: chooses random $r_A$ and sends $a^{r_A} \pmod{p}$
B: chooses random $r_B$ and sends $a^{r_B} \pmod{p}$
Key: $s = a^{r_A r_B} \pmod{p}$
Clearly any interceptor who can find discrete logarithms can break the scheme
In this case $f(x, y) = y^x$, so $f(r_A, a^{r_B}) = f(r_B, a^{r_A}) = a^{r_A r_B}$
Note: Comparison with El Gamal
-
D-H Man in the Middle Attack
[Diagram: the Fraudster F sits between A and B. A sends $P_A$ and receives $P_F$; B sends $P_B$ and receives $P_F$.]
The Fraudster has agreed keys with both A and B
A and B believe they have agreed a common key
-
D-H Man-in-the-Middle Attack
For the mathematicians
[Diagram: the Fraudster F sits between A and B. A sends $a^{r_A} \pmod{p}$ and receives $a^{r_F} \pmod{p}$; B sends $a^{r_B} \pmod{p}$ and receives $a^{r_F} \pmod{p}$.]
The Fraudster has agreed keys with both A and B
A and B believe they have agreed a common key
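The exchange on the Diffie Hellman slides, with and without the Fraudster, as an added example that is not part of the original slides. It also shows the exchange being refused when each side compares what it receives with an authenticated copy of the other's public value, which is the aim the Certification Authority slide states. The toy numbers, the function names and the `certified` directory are assumptions made for this illustration.

```python
# Constructed toy parameters: prime p = 23 and primitive element a = 11.
P, A = 23, 11


def public_value(r):
    """The value a party sends: a^r mod p."""
    return pow(A, r, P)


def f(secret, received):
    """The slides' public function f: received^secret mod p."""
    return pow(received, secret, P)


def run_exchange(r_a, r_b, r_f=None, certified=None):
    """Return the key each party ends up holding.

    r_f       -- secret of a party F who replaces both public values in
                 transit (None means nobody interferes)
    certified -- optional {"A": value, "B": value} directory of authenticated
                 public values; a party stops if what it receives differs
    """
    sent_a, sent_b = public_value(r_a), public_value(r_b)
    if r_f is None:
        seen_by_a, seen_by_b = sent_b, sent_a
    else:
        seen_by_a = seen_by_b = public_value(r_f)
    if certified is not None:
        if seen_by_a != certified["B"] or seen_by_b != certified["A"]:
            return {"aborted": True}
    keys = {"A": f(r_a, seen_by_a), "B": f(r_b, seen_by_b)}
    if r_f is not None:
        keys["F_with_A"] = f(r_f, sent_a)   # matches the key A computed
        keys["F_with_B"] = f(r_f, sent_b)   # matches the key B computed
    return keys


if __name__ == "__main__":
    directory = {"A": public_value(6), "B": public_value(5)}
    print(run_exchange(6, 5))                              # A and B agree
    print(run_exchange(6, 5, r_f=3))                       # A and B differ
    print(run_exchange(6, 5, r_f=3, certified=directory))  # exchange refused
```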