Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice - - PowerPoint PPT Presentation

diffie hellman not secure against man in the middle
SMART_READER_LITE
LIVE PREVIEW

Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice - - PowerPoint PPT Presentation

May 02, 2023 312 likes •418 views

Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g m m g ma g ma g n n g b b g nb g nb g ma g ma , g nb g nb Eike Ritter Cryptography 2014/15 106

slide-1
SLIDE 1

Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob a − → ga gm ← − m gma gma n − → gn gb ← − b gnb gnb gma ← → gma, gnb ← → gnb

Eike Ritter Cryptography 2014/15 106

slide-2
SLIDE 2

Want to guarantee authenticity. Can achieve this with publc-key cryptography as well. First example: Schnorr Signature a 1024 bit prime p that fixes Z∗

p,

a 360 bit prime q, such that q divides p − 1 and q is the order

  • f a subgroup Gq of Z∗

p,

a cryptographic hash function h.

Eike Ritter Cryptography 2014/15 107

slide-3
SLIDE 3

Key generation: The single functions then work as follows: We start with the key generation G. Generate primes p and q as well as an element g ∈ Z∗

p that

generates the subgroup Gq. Choose a random x from {1, . . . , q − 1}. Compute y = gx mod p. (Observe that this corresponds to h in ElGamal; but here h is our hash function!) Publish the public key K = (p, q, g, y). Retain the private key K = (p, q, g, x).

Eike Ritter Cryptography 2014/15 108

slide-4
SLIDE 4

Signing: Choose a random r from {1, . . . , q − 1}. Compute s = h(Mgr). Compute t = (r + x · s) mod q. Attach the signature (s, t) to the message. Verification: Accept the signature if h(M|gty−s) = s. Otherwise reject the signature.

Eike Ritter Cryptography 2014/15 109

slide-5
SLIDE 5

DSA (Digital Signature Algorithm) Parameters a 1024 bit prime p that fixes Z∗

p,

a 160 bit prime q, such that q divides p − 1 and q is the order

  • f a subgroup Gq of Z∗

p,

the cryptographic hash function SHA-1. Key generation: Generate primes p and q such that p = z · q + 1, with z ∈ Z. Choose g such that j · z ≡ g(mod p), where 1 < j < p. Choose a random x from {1, . . . , q − 1}. Compute y = gx mod p. Publish the public key K = (p, q, g, y). Retain the private key K = (p, q, g, x).

Eike Ritter Cryptography 2014/15 110

slide-6
SLIDE 6

Signature function: Choose a random r from {1, . . . , q − 1}. Compute s = (gr mod p) mod q. Compute t = ((SHA-1(M) + x · s) · r−1) mod q. Attach the signature (s, t) to the message. Verification function: Calculate u1 = (SHA-1(M) · t−1) mod q. Calculate u2 = (s · t−1) mod q. Accept the signature if ((gu1 · yu2) mod p) mod q = s. Otherwise reject the signature.

Eike Ritter Cryptography 2014/15 111

slide-7
SLIDE 7

RSA Signatures

Key generation as for RSA. We assume the message M to be a number in {1, . . . , n − 1}. Let h be a cryptographic hash function, then we compute the signature by s = h(M)d mod n. Given the public key K = (e, n) we can verify the signature s by comparing h(M) with se mod n.

Eike Ritter Cryptography 2014/15 112

slide-8
SLIDE 8

Definition Define the signature game between Challenger and Attacker as follows: Challenger creates public and private key pair and passes public key to attacker Attacker does some computations and may ask challenger to sign messages m1, . . . , mn Challenger responds with signatures s1, . . . , sn The attacker outputs a pair (m, s) The attacker wins the signature game if (m, s) is not equal to (mi, si) for any i and s is a valid signature for m.

Eike Ritter Cryptography 2014/15 113

slide-9
SLIDE 9

Definition We call a digital signature scheme secure against existential forgery if any attacker has only a negligible chance of winning the signature game. If we omit the hash function in the RSA-signature, attacker can forge a signature for an arbitrary message.

Eike Ritter Cryptography 2014/15 114