l13 - digital signatures

8/12/2019 L13 - Digital Signatures

1/39

Cryptography andCryptography and

Network SecurityNetwork Security

Chapter 13Chapter 13

Fifth EditionFifth Edition

by William Stallingsby William Stallings


2/39

Chapter 13 Chapter 13 Digital SignaturesDigital Signatures

To guard against the baneful influence exerted by strangersTo guard against the baneful influence exerted by strangersis therefore an elementary dictate of savage prudence.is therefore an elementary dictate of savage prudence.Hence before strangers are allowed to enter a district, orHence before strangers are allowed to enter a district, orat least before they are permitted to mingle freely withat least before they are permitted to mingle freely withthe inhabitants, certain ceremonies are often performedthe inhabitants, certain ceremonies are often performedby the natives of the country for the purpose of disarmingby the natives of the country for the purpose of disarmingthe strangers of their magical powers, or of disinfecting,the strangers of their magical powers, or of disinfecting,

so to speak, the tainted atmosphere by which they areso to speak, the tainted atmosphere by which they aresupposed to be surrounded.supposed to be surrounded.

The Golden BoughThe Golden Bough, Sir James George ra!er, Sir James George ra!er


3/39

Digital SignaturesDigital Signatures

have looked athave looked at message authenticationmessage authentication but does not address issues of lack of trustbut does not address issues of lack of trust

digital signatures provide the ability to:digital signatures provide the ability to: verify author, date & time of signatureverify author, date & time of signature authenticate message contentsauthenticate message contents be verified by third parties to resolve disputesbe verified by third parties to resolve disputes

hence digital signatures includehence digital signatures includeauthentication function with additionalauthentication function with additionalcapabilitiescapabilities


4/39

Alice can deny sending

a message to !ob

since !ob can alsoproduce A"s for

different messages#

!ob can produce a A"

for another message $and can claim that it

came from Alice#


5/39

PrivateKey

PublicKey

!ob

Key GenerationKey GenerationAlice!ob$s

Fig %#' Simplified (epiction of Essential

Elements of (igital Signature )rocess


6/39

"ttacks and orgeries"ttacks and orgeries *oldwaser, icali and +ivest in %-- identified several*oldwaser, icali and +ivest in %-- identified several

attack scenarios on digital signature schemesattack scenarios on digital signature schemes .ey/only attack:.ey/only attack:

0 Attacker knows only the public keyAttacker knows only the public key

.nown message attack:.nown message attack:

0Attacker is given access to a set of messages and their signaturesAttacker is given access to a set of messages and their signatures

*eneric chosen message attack:*eneric chosen message attack:

0 Attacker chooses a list of messages before attempting to break theAttacker chooses a list of messages before attempting to break the

signature, independent of the particular public key# 1hen he obtainssignature, independent of the particular public key# 1hen he obtains

valid signatures for those messages#valid signatures for those messages#

(irected chosen message attack:(irected chosen message attack:0 Similar as generic, but the messages are chosen after knowing aSimilar as generic, but the messages are chosen after knowing a

particular public key#particular public key#

Adaptive chosen message attack:Adaptive chosen message attack:0 Attacker and signer are playing interactive game, where attackerAttacker and signer are playing interactive game, where attacker

asks for signing different messages, and his 2ueries depend on theasks for signing different messages, and his 2ueries depend on theknowledge he obtained from previous 2ueries#knowledge he obtained from previous 2ueries#


7/39

"ttacks and orgeries #cont$"ttacks and orgeries #cont$

*oldwaser, icali and +ivest also defined*oldwaser, icali and +ivest also defined

success of breaking a signature schemesuccess of breaking a signature scheme 1otal break:1otal break:

0 Attacker finds the signer$s private keyAttacker finds the signer$s private key

3niversal forgery:3niversal forgery:

0 Attacker finds an efficient signing algorithm that provides anAttacker finds an efficient signing algorithm that provides an

e2uivalent way of constructing signatures on arbitrarye2uivalent way of constructing signatures on arbitrary

messages#messages#

Selective forgery:Selective forgery:

0 Attacker forges a signature for a particular message chosenAttacker forges a signature for a particular message chosenby him#by him#

E4istential forgery:E4istential forgery:

0 Attacker can forge a signature for at least one message#Attacker can forge a signature for at least one message#

5owever he does not have control over the message 6so can5owever he does not have control over the message 6so can

not harm much the signer7#not harm much the signer7#


8/39

Digital Signature %e&uirementsDigital Signature %e&uirements

must depend on the message signedmust depend on the message signed

must use information uni2ue to sendermust use information uni2ue to sender to prevent both forgery and denialto prevent both forgery and denial

must be relatively easy to producemust be relatively easy to produce

must be relatively easy to recogni8e & verifymust be relatively easy to recogni8e & verify

be computationally infeasible to forgebe computationally infeasible to forge with new message for e4isting digital signaturewith new message for e4isting digital signature with fraudulent digital signature for given messagewith fraudulent digital signature for given message

be practical save digital signature in storagebe practical save digital signature in storage


9/39

Direct Digital SignaturesDirect Digital Signatures

involve only sender & receiverinvolve only sender & receiver assumed receiver has sender$s public/keyassumed receiver has sender$s public/key

digital signature made by sender signingdigital signature made by sender signingentire message or hash with private/keyentire message or hash with private/key can encrypt using receivers public/keycan encrypt using receivers public/key important that sign first then encryptimportant that sign first then encrypt

message & signaturemessage & signature security depends on sender$s private/keysecurity depends on sender$s private/key


10/39

"r'itrated Digital Signatures"r'itrated Digital Signatures

involves use of arbiter Ainvolves use of arbiter A validates any signed messagevalidates any signed message

then dated and sent to recipientthen dated and sent to recipient re2uires suitable level of trust in arbiterre2uires suitable level of trust in arbiter

can be implemented with either private orcan be implemented with either private or

public/key algorithmspublic/key algorithms arbiter may or may not see messagearbiter may or may not see message


11/39


12/39

(sing )u'lic*+ey ncryption(sing )u'lic*+ey ncryption

have a range of approaches based on thehave a range of approaches based on the

use of public/key encryptionuse of public/key encryption

need to ensure have correct public keysneed to ensure have correct public keysfor other partiesfor other parties

using a central Authentication Server 6AS7using a central Authentication Server 6AS7

various protocols e4ist using timestampsvarious protocols e4ist using timestampsor noncesor nonces


13/39

)u'lic*+ey "pproaches)u'lic*+ey "pproaches

have seen some public/key approacheshave seen some public/key approaches

if confidentiality is ma9or concern, can use:if confidentiality is ma9or concern, can use:

AA//!: E!: E)3b)3b;.s< == E;.s< == E.s.s;(;1==>(

AA==)3==)3

aa


14/39

lGamal Digital SignaturelGamal Digital Signature

SchemeScheme

.ey generation.ey generation )rime number 2, and generator)rime number 2, and generator

Generate a random integer XGenerate a random integer XAAsuch thatsuch that

1


15/39


Scheme #cont$Scheme #cont$

Signing a message Signing a message )roduce a hash m?567)roduce a hash m?567

"hose a random integer . such that %"hose a random integer . such that %&' &q-1&' &q-1

and gcd#'$ q-1% = 1and gcd#'$ q-1% = 1

Compute (Compute (11==

''

mod 2mod 2

Compute 'Compute '-1-1mod 62/%7mod 62/%7

Compute (Compute ())==''-1-16m /6m / XX

AA((

117 mod 62/%77 mod 62/%7

1he signature is1he signature is #(#(11,, ((

))%%


16/39


Scheme #cont$Scheme #cont$

@erification of the signed message@erification of the signed message

#(#(11,, ((

))%%

)roduce a hash m?567)roduce a hash m?567

Compute *Compute *11==

mmmod 2mod 2

Compute *Compute *))==#Y#Y

AA%%((1166((

1177(())mod 2mod 2

>f>f **11???? **))return +,.$ e"se return /A0(.return +,.$ e"se return /A0(.


17/39

Digital SignatureDigital Signature StandardStandard #DSS$#DSS$

3S *ovt approved signature scheme3S *ovt approved signature scheme designed by >S1 & SA in early BCsdesigned by >S1 & SA in early BCs published as F>)S/%-D in %%published as F>)S/%-D in %%

revised in %, %D & then 'BBBrevised in %, %D & then 'BBB uses the S5A hash algorithmuses the S5A hash algorithm (SS is the standard, (SA is the algorithm(SS is the standard, (SA is the algorithm

F>)S %-D/' 6'BBB7 includes alternative +SA &F>)S %-D/' 6'BBB7 includes alternative +SA &elliptic curve signature variantselliptic curve signature variants


18/39

Digital SignatureDigital Signature "lgorithm"lgorithm

#DS"$#DS"$

creates a 'B bit signaturecreates a 'B bit signature

with %'/'B- bit securitywith %'/'B- bit security

smaller and faster than +SAsmaller and faster than +SA a digital signature scheme onlya digital signature scheme only

security depends on difficulty of computingsecurity depends on difficulty of computing

discrete logarithmsdiscrete logarithms variant of El*amal & Schnorr schemesvariant of El*amal & Schnorr schemes


19/39

Digital SignatureDigital Signature "lgorithm"lgorithm

#DS"$#DS"$


20/39

DS" +ey GenerationDS" +ey Generation

have shared global public key values 6p,2,g7:have shared global public key values 6p,2,g7: choose 2, a %DB bitchoose 2, a %DB bit

choose a large primechoose a large prime p < 2p < 2LL

0 where G? %' to 'B- bits and is a multiple of Dwhere G? %' to 'B- bits and is a multiple of D0 and 2 is a prime factor ofand 2 is a prime factor of (p-1)(p-1)

choosechoose g = hg = h(p-1)/q(p-1)/q0 wherewhere h 1

users choose private & compute public key:users choose private & compute public key: choosechoose x


21/39

DS" Signature CreationDS" Signature Creation

toto signsigna messagea message MMthe sender:the sender: generates a random signature keygenerates a random signature key k, k


22/39

DS" Signature -eri.icationDS" Signature -eri.ication

having received &having received & signaturesignature (r,s)(r,s)

toto /eri.y/eri.ya signature, recipient computes:a signature, recipient computes:

w = sw = s-1-1

(mod q)(mod q)u1= (H(M).w)(mod q)u1= (H(M).w)(mod q)

u2= (r.w)(mod q)u2= (r.w)(mod q)

v = (gv = (gu1u1

.y

.yu2u2

(mod p)) (mod q)(mod p)) (mod q)

ifif v=rv=rthen signature is verifiedthen signature is verified

see book web site for details of proof whysee book web site for details of proof why


23/39

)ractical attri'utes important .or digital)ractical attri'utes important .or digital

signature schemessignature schemes#this is not in the te0t'ook$#this is not in the te0t'ook$

a#a# Security level parameter of the signature scheme,Security level parameter of the signature scheme,

b#b# key generation speed,key generation speed,

c#c# signing and verification speedsigning and verification speed

d#d# the speed of the used hash functionthe speed of the used hash functione#e# si8e of the private keysi8e of the private key

f#f# si8e of the public key,si8e of the public key,

g#g# si8e of the produced signatures,si8e of the produced signatures,

h#h# the underlying mathematical problem on which the scheme is basedthe underlying mathematical problem on which the scheme is based

i#i# 1he period of stability of the scheme since its last tweak or update,1he period of stability of the scheme since its last tweak or update,

9#9# patent issues connected with the scheme,patent issues connected with the scheme,

k#k# )art of any standard)art of any standard

l#l# "ertified software libraries and availability of open source libraries#"ertified software libraries and availability of open source libraries#


24/39



a#a# Security level parameter of the signature scheme,Security level parameter of the signature scheme,


25/39




0>n most use case scenarios we need the generated publicIprivate keys to be valid for a

certain period which is much longer than the period spent on key generation#

0From that point of view, the key generation speed, although an important attribute in

the digital signatures metric, has not so big weight as a crucial operational attribute#

0Jn the other hand, the key exposure problemproduces case scenarios where we

need to generate 9ust short lived publicIprivate pairs#

0>f the user plan to employ the public key cryptography in such cases, then the key

generation speed should be given a higher weight#

0(ifferent algorithms and techni2ues for faster generation of provable or probable prime

numbers, and other parameters for the standardi8ed digital signatures schemes#


26/39





27/39



c#c# signing and verification speedsigning and verification speed 1he efficiency of digital signature schemes is mostly perceived via1he efficiency of digital signature schemes is mostly perceived via

the signing and the verification speed#the signing and the verification speed#

)oor performances compared with symmetric encryption)oor performances compared with symmetric encryptiontechni2ues#techni2ues#

Which signature scheme to use should be taken depending ofWhich signature scheme to use should be taken depending of

what kind of signature processes will be performed in the system#what kind of signature processes will be performed in the system#

>f the process is such that the company server receives a lot of>f the process is such that the company server receives a lot of

signed transactions from individual clients and have to verify everysigned transactions from individual clients and have to verify everysignature, +SA signatures with small public e4ponent should besignature, +SA signatures with small public e4ponent should be

chosen#chosen#

>f a company needs to send a bulk of signed invoices to hundreds>f a company needs to send a bulk of signed invoices to hundreds

of thousands 6or millions7 of users, then elliptical curve signatureof thousands 6or millions7 of users, then elliptical curve signature

schemes should be chosenschemes should be chosen


28/39





29/39





30/39





31/39





32/39



d#d# 1he speed of the used hash function1he speed of the used hash function

1he message hashing

6for long messages7

can have similar or

even much higher

computational cost

then the operations ofsigning and

verification#


33/39




1he message hashing

6for long messages7

can have similar or

even much higher

computational cost


verification#


34/39




1he message hashing

6for long messages7

can have similar or

even much higher

computational cost


verification#


35/39



e#e# Si8e of the private keySi8e of the private key

>f the private key is too big, that scheme might be not so appropriate>f the private key is too big, that scheme might be not so appropriate

for implementing in smart cards or +F>(s since the hardwarefor implementing in smart cards or +F>(s since the hardware

resources are scarce in those technologies#resources are scarce in those technologies#

Specifics of the signature scheme:Specifics of the signature scheme:

For e4ample the si8e of the private key in +SA is of the same order asFor e4ample the si8e of the private key in +SA is of the same order as

the si8e of the public key, but in all practical implementations 6like inthe si8e of the public key, but in all practical implementations 6like in

the popular JpenSSG7 the si8e of the private key is actually - timesthe popular JpenSSG7 the si8e of the private key is actually - times

bigger than the bit si8e of the public key 6due to the use of thebigger than the bit si8e of the public key 6due to the use of the

"hinese +emainder 1heorem for speeding up the signature process7#"hinese +emainder 1heorem for speeding up the signature process7#


36/39



f#f# Si8e of the public keySi8e of the public key

1radeoffs between security levels and the properties of the scheme1radeoffs between security levels and the properties of the scheme

E4ample: if we need to design a digital signature scheme that has 'DE4ample: if we need to design a digital signature scheme that has 'D

bits of security, then choosing +SA would be totally unpractical sincebits of security, then choosing +SA would be totally unpractical since

the public key would need %DB bits, and the operational speedthe public key would need %DB bits, and the operational speed

would be low#would be low#

>n such a case, a natural choice would be a signature scheme based>n such a case, a natural choice would be a signature scheme based

on elliptical curves with parameters long around %' bits#on elliptical curves with parameters long around %' bits#


37/39



g#g# Si8e of the produced signaturesSi8e of the produced signatures

Num'erNum'erof e4pected signed documents that the system will handleof e4pected signed documents that the system will handle

during the whole operational period 6and much far beyond that / as aduring the whole operational period 6and much far beyond that / as a

legal re2uirements for archiving the signed documents7#legal re2uirements for archiving the signed documents7#

5ave to take into consideration the si8e of the produced signatures#5ave to take into consideration the si8e of the produced signatures#

For e4ample, if we model a digital signature system that will be usedFor e4ample, if we model a digital signature system that will be used

by %BB million bank customers, during a period of B years, and if weby %BB million bank customers, during a period of B years, and if we

assume that every customer during a period of B years will produceassume that every customer during a period of B years will produce

K%B,BBB signed transactions then we have to plan for the storage ofK%B,BBB signed transactions then we have to plan for the storage of

trillions signed documents#trillions signed documents#

>n that case, any difference in the si8e of the signatures have big>n that case, any difference in the si8e of the signatures have big

implications#implications#


38/39




39/39

SummarySummary

have discussed:have discussed: digital signaturesdigital signatures

authentication protocols 6mutual & one/way7authentication protocols 6mutual & one/way7

digital signature algorithm and standarddigital signature algorithm and standard

l13 - digital signatures

Documents