Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to - - PowerPoint PPT Presentation

diffie hellman not secure against man in the middle
SMART_READER_LITE
LIVE PREVIEW

Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to - - PowerPoint PPT Presentation

Jun 30, 2023 242 likes •285 views

Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice Mallory Bob Can achieve this with publc-key cryptography as well. g a a First example: Schnorr Signature g m m a 1024 bit

slide-1
SLIDE 1

Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob a − → ga gm ← − m gma gma n − → gn gb ← − b gnb gnb gma ← → gma, gnb ← → gnb

Eike Ritter Cryptography 2013/14 152

Want to guarantee authenticity. Can achieve this with publc-key cryptography as well. First example: Schnorr Signature a 1024 bit prime p that fixes Z∗

p,

a 360 bit prime q, such that q divides p − 1 and q is the order

  • f a subgroup Gq of Z∗

p,

a cryptographic hash function h.

Eike Ritter Cryptography 2013/14 153

Key generation: The single functions then work as follows: We start with the key generation G. Generate primes p and q as well as an element g ∈ Z∗

p that

generates the subgroup Gq. Choose a random x from {1, . . . , q − 1}. Compute y = gx mod p. (Observe that this corresponds to h in ElGamal; but here h is our hash function!) Publish the public key K = (p, q, g, y). Retain the private key K = (p, q, g, x).

Eike Ritter Cryptography 2013/14 154

Signing: Choose a random r from {1, . . . , q − 1}. Compute s = h(Mgr). Compute t = (r + x · s) mod q. Attach the signature (s, t) to the message. Verification: Accept the signature if h(M|gty−s) = s. Otherwise reject the signature.

Eike Ritter Cryptography 2013/14 155

slide-2
SLIDE 2

DSA (Digital Signature Algorithm) Parameters a 1024 bit prime p that fixes Z∗

p,

a 160 bit prime q, such that q divides p − 1 and q is the order

  • f a subgroup Gq of Z∗

p,

the cryptographic hash function SHA-1. Key generation: Generate primes p and q such that p = z · q + 1, with z ∈ Z. Choose g such that j · z ≡ g(mod p), where 1 < j < p. Choose a random x from {1, . . . , q − 1}. Compute y = gx mod p. Publish the public key K = (p, q, g, y). Retain the private key K = (p, q, g, x).

Eike Ritter Cryptography 2013/14 156

Signature function: Choose a random r from {1, . . . , q − 1}. Compute s = (gr mod p) mod q. Compute t = ((SHA-1(M) + x · s) · r−1) mod q. Attach the signature (s, t) to the message. Verification function: Calculate u1 = (SHA-1(M) · t−1) mod q. Calculate u2 = (s · t−1) mod q. Accept the signature if ((gu1 · yu2) mod p) mod q = s. Otherwise reject the signature.

Eike Ritter Cryptography 2013/14 157

RSA Signatures

Key generation as for RSA. We assume the message M to be a number in {1, . . . , n − 1}. Let h be a cryptographic hash function, then we compute the signature by s = h(M)d mod n. Given the public key K = (e, n) we can verify the signature s by comparing h(M) with se mod n.

Eike Ritter Cryptography 2013/14 158

Definition Define the signature game between Challenger and Attacker as follows: Challenger creates public and private key pair and passes public key to attacker Attacker does some computations and may ask challenger to sign messages m1, . . . , mn Challenger responds with signatures s1, . . . , sn The attacker outputs a pair (m, s) The attacker wins the signature game if (m, s) is not equal to (mi, si) for any i and s is a valid signature for m.

Eike Ritter Cryptography 2013/14 159

slide-3
SLIDE 3

Definition We call a digital signature scheme secure against existential forgery if any attacker has only a negligible chance of winning the signature game. If we omit the hash function in the RSA-signature, attacker can forge a signature for an arbitrary message.

Eike Ritter Cryptography 2013/14 160