
Information Security and Management 13. Digital Signatures and Authentication Protocols

Chih-Hung Wang, Fall 2011


Presentation Transcript


  1. Information Security and Management 13. Digital Signatures and Authentication Protocols • Chih-Hung Wang • Fall 2011

  2. Digital Signature • Dispute of message authentication • Message authentication protects two parties who exchange messages from any third party. However, it does not protect the two parties against each other. • Several forms of dispute between the two are possible

  3. Problem of Authentication • The following disputes could arise • Receiver may forge a different message and claim that it came from sender. • Sender can deny sending the message

  4. Generic Model of Digital Signature Process

  5. Possible Disputes Using MACs • Mary may forge a different message and claim that it came from John. Mary would simply have to create a message and append an authentication code using the key that John and Mary share. • John can deny sending the message. Because it is possible for Mary to forge a message, there is no way to prove that John did in fact send the message.

  6. Simplified Depiction of Essential Elements of Digital Signature Process

  7. Properties • The digital signature is analogous to the handwritten signature. It must have the following properties: • It must be able to verify the author and the date and time of the signature • It must be able to authenticate the contents at the time of the signature • The signature must be verifiable by third parties, to resolve dispute

  8. Requirements (1/2) • The signature must be a bit pattern that depends on the message being signed • The signature must use some information unique to the sender, to prevent both forgery and denial • It must be relatively easy to produce the digital signature • It must be relatively easy to recognize and verify the digital signature

  9. Requirements (2/2) • It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message • It must be practical to retain a copy of the digital signature in storage

  10. Digital Signature Concept • [Figure labels: Signer, Signer’s Private Key, Signed Document, Receiver, Signer’s Public Key, Verify the signature]

  11. Dispute Concept • [Figure labels: Sender, Receiver, Dispute, Third Party, Signer’s Digital Signature, Verify & Judge]

  12. RSA Digital Signature • Signer’s public key: $(e, n)$ • Signer’s private key: $d$ • Signer computes $Sig = h(M)^d \bmod n$ and sends the signed document to the receiver • Receiver verifies $h(M) \stackrel{?}{=} Sig^e \bmod n = (h(M)^d)^e \bmod n$

  13. Digital Signature Standard (DSS) • The National Institute of Standards and Technology (NIST) has published Federal Information Processing Standard FIPS PUB 186, known as the Digital Signature Standard (DSS). • The DSS makes use of the Secure Hash Algorithm (SHA) • The DSS was originally proposed in 1991 and revised in 1993 in response to public feedback concerning the security of the scheme

  14. DSS Concept (1/2) • The DSS uses an algorithm that is designed to provide only the digital signature function • Unlike RSA, it cannot be used for encryption or key exchange

  15. DSS Concept (2/2)

  16. DSS Algorithm • Discrete Logarithms (page 228-233) • Consider the equation $y = g^x \bmod p$ • Given $g$, $x$, and $p$, it is a straightforward matter to calculate $y$ • Given $y$, $g$, and $p$, it is, in general, very difficult to calculate $x$ • Computational complexity: $e^{((\ln p)^{1/3} (\ln(\ln p))^{2/3})}$

  17. DSS Algorithm • Setup
      • $p$: a large prime with a bit length of between 512 and 1024 bits in increments of 64 bits, i.e., $2^{L-1} < p < 2^L$ and $512 \le L \le 1024$
      • $q$: a prime divisor of $(p-1)$ with $2^{159} < q < 2^{160}$, i.e., the length is 160 bits
      • $g = h^{(p-1)/q} \bmod p$, where $1 < h < p-1$ and $h$ is an integer (i.e., $g^q = 1 \bmod p$)

  18. DSS Algorithm • Sign
      • User A’s private key: $x$, random with $0 < x < q$
      • User A’s public key: $y = g^x \bmod p$
      • Signing:
        • Randomly select $k$, $0 < k < q$
        • Calculate $r = (g^k \bmod p) \bmod q$
        • Calculate $s = [k^{-1}(H(M) + xr)] \bmod q$
        • Signature = $(r, s)$

  19. DSS Algorithm • Sign

  20. DSS Algorithm • Verify
      • Verifying $(r', s')$ and $M'$:
        • Calculate $w = (s')^{-1} \bmod q$
        • Calculate $u_1 = [H(M')w] \bmod q$
        • Calculate $u_2 = (r')w \bmod q$
        • Calculate $v = [(g^{u_1} y^{u_2}) \bmod p] \bmod q$
        • Verify $v \stackrel{?}{=} r'$. If yes, $(r', s')$ is a valid signature on the message $M'$

  21. DSS Algorithm • Verify
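The setup, signing and verification steps of slides 17 to 20, carried through in Python as an added example (not part of the original slides). It assumes toy parameter sizes (a 31-bit `q` instead of 160 bits) so that it runs instantly; the function names and the range check in `verify` are choices made for this example.

```python
import hashlib
import math
import secrets

def is_prime(n):
    """Trial division; adequate only for the toy sizes used here."""
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

def setup(q=2**31 - 1):
    """Slide 17 with toy sizes: prime q, prime p = c*q + 1, g of order q."""
    c = 2
    while not is_prime(c * q + 1):
        c += 2
    p = c * q + 1
    h = 2
    while pow(h, (p - 1) // q, p) == 1:    # g = 1 would be useless
        h += 1
    return p, q, pow(h, (p - 1) // q, p)

def H(msg):
    """SHA-1 digest as an integer (the slides name SHA as the DSS hash)."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big")

def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1       # private key, 0 < x < q
    return x, pow(g, x, p)                 # public key y = g^x mod p

def sign(msg, p, q, g, x):
    while True:
        k = secrets.randbelow(q - 1) + 1   # fresh per-message secret, 0 < k < q
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (H(msg) + x * r) % q
        if r and s:                        # retry on the rare zero value
            return r, s

def verify(msg, sig, p, q, g, y):
    r, s = sig
    if not (0 < r < q and 0 < s < q):      # reject out-of-range values first
        return False
    w = pow(s, -1, q)
    u1, u2 = H(msg) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r

if __name__ == "__main__":
    p, q, g = setup()
    x, y = keygen(p, q, g)
    sig = sign(b"pay 100", p, q, g, x)     # constructed sample message
    print(verify(b"pay 100", sig, p, q, g, y), verify(b"pay 900", sig, p, q, g, y))
```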

  22. Criticisms of DSS (1/2) • DSS cannot be used for encryption or key distribution • DSS was developed by the NSA, and there may be a trapdoor in the algorithm • DSS is slower than RSA • RSA is the ISO 9796, the international digital signature standard

  23. Criticisms of DSS (2/2) • The DSS selection process was not public; sufficient time for analysis has not been provided • DSS may infringe on other patents • The key size is too small

  24. ElGamal Digital Signatures • In 1984, T. Elgamal announced a public-key scheme based on discrete logarithms, closely related to the Diffie-Hellman technique. • Uses private key for encryption (signing) • Uses public key for decryption (verification) • The security of ElGamal is based on the difficulty of computing discrete logarithms • Each user (e.g. A) generates their key • Chooses a secret key (number): $1 < x_A < q-1$ • Computes their public key: $y_A = a^{x_A} \bmod q$

  25. ElGamal Digital Signature
      • Alice signs a message $M$ to Bob by computing:
        • Hash $m = H(M)$, $0 \le m \le (q-1)$
        • Choose a random integer $K$ with $1 \le K \le (q-1)$ and $\gcd(K, q-1) = 1$
        • Compute the temporary key: $S_1 = a^K \bmod q$
        • Compute $K^{-1}$, the inverse of $K \bmod (q-1)$
        • Compute the value: $S_2 = K^{-1}(m - x_A S_1) \bmod (q-1)$
        • Signature is: $(S_1, S_2)$
      • Any user B can verify the signature by computing:
        • $V_1 = a^m \bmod q$
        • $V_2 = (y_A)^{S_1} (S_1)^{S_2} \bmod q$
        • Signature is valid if $V_1 = V_2$

  26. ElGamal Signature Example
      • Use field GF(19): $q = 19$ and $a = 10$
      • Alice computes her key:
        • A chooses $x_A = 16$ and computes $y_A = 10^{16} \bmod 19 = 4$
      • Alice signs a message with hash $m = 14$ as $(3, 4)$:
        • Choosing random $K = 5$, which has $\gcd(18, 5) = 1$
        • Computing $S_1 = 10^5 \bmod 19 = 3$
        • Finding $K^{-1} \bmod (q-1) = 5^{-1} \bmod 18 = 11$
        • Computing $S_2 = 11(14 - 16 \cdot 3) \bmod 18 = 4$
      • Any user B can verify the signature by computing:
        • $V_1 = 10^{14} \bmod 19 = 16$
        • $V_2 = 4^3 \cdot 3^4 = 5184 = 16 \bmod 19$
        • Since $16 = 16$, the signature is valid
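The ElGamal steps of slides 24 to 26, written out in Python and run on the slide's own numbers, as an added example (not part of the original slides). The function names and the range check on $(S_1, S_2)$ in the verifier are additions made for this example; the check does not appear on the slides.

```python
from math import gcd

def elgamal_keygen(x_a, a, q):
    """Public key y_A = a^x_A mod q for a chosen secret 1 < x_A < q-1."""
    if not 1 < x_a < q - 1:
        raise ValueError("secret key out of range")
    return pow(a, x_a, q)

def elgamal_sign(m, x_a, K, a, q):
    """Return (S1, S2) for hash value m using the per-message value K."""
    if not (1 <= K <= q - 1 and gcd(K, q - 1) == 1):
        raise ValueError("K must lie in [1, q-1] and be coprime to q-1")
    s1 = pow(a, K, q)
    s2 = pow(K, -1, q - 1) * (m - x_a * s1) % (q - 1)
    return s1, s2

def elgamal_verify(m, sig, y_a, a, q):
    s1, s2 = sig
    # Range check added for this example (not on the slide): both values
    # must be valid residues before any exponentiation is done.
    if not (1 <= s1 <= q - 1 and 0 <= s2 < q - 1):
        return False
    v1 = pow(a, m, q)
    v2 = pow(y_a, s1, q) * pow(s1, s2, q) % q
    return v1 == v2

# Values taken from slide 26.
Q, A, X_A, K, M = 19, 10, 16, 5, 14

def slide_example():
    """Recompute slide 26 and list every hash value m the signature accepts."""
    y_a = elgamal_keygen(X_A, A, Q)
    sig = elgamal_sign(M, X_A, K, A, Q)
    accepted = [m for m in range(Q) if elgamal_verify(m, sig, y_a, A, Q)]
    return y_a, sig, accepted

if __name__ == "__main__":
    print(slide_example())
```

The `accepted` list shows that, over the whole range $0 \le m \le q-1$, the signature $(3, 4)$ verifies only for the hash value that was signed.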

  27. Schnorr Digital Signatures • Also uses exponentiation in a finite (Galois) • Security based on discrete logarithms, as in D-H • Minimizes message-dependent computation • Multiplying a 2n-bit integer with an n-bit integer • Main work can be done in idle time • Uses a prime modulus $p$ • $p-1$ has a prime factor $q$ of appropriate size • Typically $p$ is a 1024-bit and $q$ a 160-bit number

  28. Schnorr Key Setup • Choose suitable primes $p$, $q$ • Choose $a$ such that $a^q = 1 \bmod p$ • $(a, p, q)$ are global parameters for all • Each user (e.g. A) generates a key • Chooses a secret key (number): $0 < s_A < q$ • Computes their public key: $v_A = a^{-s_A} \bmod p$

  29. Schnorr Signature
      • User signs a message by:
        • Choosing random $r$ with $0 < r < q$ and computing $x = a^r \bmod p$
        • Concatenating the message with $x$ and hashing the result: $e = H(M \,\|\, x)$
        • Computing: $y = (r + se) \bmod q$
        • Signature is the pair $(e, y)$
      • Any other user can verify the signature as follows:
        • Computing: $x' = a^y v^e \bmod p$
        • Verifying that: $e = H(M \,\|\, x')$
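Schnorr key setup, signing and verification from slides 27 to 29 in Python, as an added example (not part of the original slides). The toy globals $p = 2039$, $q = 1019$, $a = 4$, the use of SHA-256 for $H$, and the function names are assumptions of this example. `precompute` isolates the message-independent exponentiation that slide 27 says can be done in idle time.

```python
import hashlib
import secrets

# Toy global parameters (assumed for this example): Q divides P-1, A has order Q.
P, Q, A = 2039, 1019, 4

def H(msg, x):
    """e = H(M || x), with x encoded as fixed-width big-endian bytes."""
    data = msg + x.to_bytes((P.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def keygen():
    s = secrets.randbelow(Q - 1) + 1       # secret key, 0 < s < q
    return s, pow(A, -s, P)                # public key v = a^(-s) mod p

def precompute():
    """Message-independent work: pick r and compute x = a^r mod p."""
    r = secrets.randbelow(Q - 1) + 1       # 0 < r < q, used for one message only
    return r, pow(A, r, P)

def sign(msg, s, pre=None):
    r, x = pre or precompute()
    e = H(msg, x)
    y = (r + s * e) % Q                    # the only message-dependent arithmetic
    return e, y

def verify(msg, sig, v):
    e, y = sig
    if not 0 <= y < Q:                     # range check added for this example
        return False
    x1 = pow(A, y, P) * pow(v, e, P) % P   # a^(r+se) * a^(-se) = a^r = x
    return e == H(msg, x1)

if __name__ == "__main__":
    s, v = keygen()
    pre = precompute()                     # done ahead of time
    sig = sign(b"transfer 42", s, pre)     # constructed sample message
    print(verify(b"transfer 42", sig, v), verify(b"transfer 43", sig, v))
```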
