Digital Signatures Model A public key analog of MAC A digital - - PowerPoint PPT Presentation

digital signatures model
SMART_READER_LITE
LIVE PREVIEW

Digital Signatures Model A public key analog of MAC A digital - - PowerPoint PPT Presentation

Feb 06, 2024 219 likes •479 views

Digital Signatures Model A public key analog of MAC A digital signature scheme includes the following elements: A private key k A public key k A signature algorithm Public key is published Signature requires

slide-1
SLIDE 1

Digital Signatures

slide-2
SLIDE 2

Model

  • A public key analog of MAC
  • A digital signature scheme includes the following

elements: – A private key k – A public key k’ – A signature algorithm

  • Public key is published
  • Signature requires private key
  • Verification requires public key
slide-3
SLIDE 3

Ramifications

  • Commercial – anyone can sign a contract, check,

statement etc.

  • Signatures are necessary for e-commerce
  • Legal – digital signatures can be binding in a court
  • f law (unlike MACs)
  • Legal signature laws of various types are appearing
slide-4
SLIDE 4

Handwritten Signatures

  • Relate an individual, through a handwritten

signature, to a document.

  • Signature can be verified against a prior

authenticated one, signed in person.

  • Should be hard to forge.
  • Are legally binding (convince a third party, e.g. a

judge).

slide-5
SLIDE 5

Digital Signatures: Desired Properties

  • Relate an individual, through a digital string, to a

document.

  • Signature should be easy to verify.
  • Should be hard to forge.
  • Are legally binding (convince a third party, e.g. a

judge).

slide-6
SLIDE 6

Diffie and Hellman (76) “New Directions in Cryptography”

Let EA be Alice’s public encryption key, and let DA be Alice’s private decryption key.

  • To sign the message M, Alice computes

the string y=DA (M) and sends M,y to Bob.

  • To verify this is indeed Alice’s signature, Bob

computes the string x = EA (y) and checks x=M. Intuition: Only Alice can compute y=DA (M), thus forgery should be computationally infeasible.

slide-7
SLIDE 7

Problems with “Pure” DH Paradigm

  • Easy to forge signatures of random messages

even without holding DA: Bob picks R arbitrarily, computes S=EA(R). Then the pair (S,R) is a valid signature

  • f Alice on the “message” S.
  • Therefore the scheme is subject to existential

forgery.

  • “So what” ?
slide-8
SLIDE 8

Problems with “Pure” DH Paradigm

  • Consider specifically RSA. Being multiplicative,

we have (products mod N) DA (M1M2) = DA (M1) DA (M2).

  • If M2=“I OWE BOB $20” and M1=“100”

then under certain encoding of letters we could get M1M2 =“I OWE BOB $2000”…

slide-9
SLIDE 9

Standard Solution: Hash First

Let EA be Alice’s public encryption key, and let DA be Alice’s private decryption key.

  • To sign the message M, Alice first computes

the strings y=H(M) and z=DA (y). Sends M,z to Bob.

  • To verify this is indeed Alice’s signature, Bob computes

the string y=EA (z) and checks y=H(M).

  • The function H should be collision resistent, so

that cannot find another M’ with H(M)=H(M’).

slide-10
SLIDE 10

General Structure: Signature Schemes

  • Generation of private and public keys

(randomized).

  • Signing (either deterministic or randomized)
  • Verification (accept/reject) - usually

deterministic.

slide-11
SLIDE 11

Schemes Used in Practice

  • RSA
  • El-Gamal Signature Scheme (85)
  • The DSS (digital signature standard),

adopted by NIST in 94 is based on a modification of El-Gamal signature.

slide-12
SLIDE 12

El-Gamal Signature Scheme

  • Pick a prime p of length 1024 bits such

that DL in Zp* is hard.

  • Let g be a generator of Zp*.
  • Pick x in [2,p-2] at random.
  • Compute y=gx mod p.
  • Public key: p,g,y.
  • Private key: x.

Generation

slide-13
SLIDE 13

El-Gamal Signature Scheme

  • Hash: Let m=H(M).
  • Pick k in [1,p-2] relatively prime to

p-1 at random.

  • Compute r=gk mod p.
  • Compute s=(m-rx)k-1 mod (p-1) (***)
  • Output r and s.

Signing M

slide-14
SLIDE 14

El-Gamal Signature Scheme

  • Compute m=H(M).
  • Accept if 0<r<p and yrrs=gm mod p.

else reject.

  • What’s going on?

By (***) s=(m-rx)k-1 mod p-1, so sk+rx=m. Now r=gk so rs=gks, and y=gx so yr=grx, implying yrrs=gm .

Verify M,r,s,PK

slide-15
SLIDE 15

Homework Assignment 2, part I

  • Implement via Maple the El Gamal

Signature Scheme: – Key Generation – Message Signature – Message Verification

  • What happens if you use the same k twice?
slide-16
SLIDE 16

The Digital Signature Algorithm (DSA)

  • Let p be an L bit prime such that the

discrete log problem mod p is intractable

  • Let q be a 160 bit prime that divides p-1
  • Let α be a q’th root of 1 modulo p.

How do we compute α?

slide-17
SLIDE 17

The Digital Signature Algorithm (DSA)

  • p – prime, q – prime, p-1 = 0 mod q, α = 1(1/q) mod

p

  • Private key: random 1 ≤ s ≤ q-1.
  • Public key: (p, q, α, β = αs mod p)
  • Signature on message M:

– Choose a random 1 ≤ k ≤ p-1, secret!!

  • Part II: (SHA (M) + s (PART I)) / k mod q
  • Part I: ((αk mod p) mod q
slide-18
SLIDE 18

The Digital Signature Algorithm (DSA)

– p – prime, q – prime, p-1 = 0 mod q, α = 1(1/q) mod p, Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = αs mod p). Signature on message M:

  • Choose a random 1 ≤ k ≤ p-1, secret!!

– Part I: ((αk mod p) mod q – Part II: (SHA (M) + s (PART I)) /k mod q

  • Verification:

– e1 = SHA (M) / (PART II) mod q – e2 = (PART I) / (PART II) mod q – OK if

12

(mod) mod (PART I)

ee

pq

  • =
slide-19
SLIDE 19

The Digital Signature Algorithm

( )

( )

( ) ( )

( )

( )

1 2

()/()(mod)mod/mod (mod)mod/()(mod)mod/mod

kk

SHAMSHAMspqkq epqSHAMspqkq e ss

  • +

==

Homework 2 part II: Prove that if the signature is generated correctly then the verification works correctly. What happens if PART II of the signature is 0?

slide-20
SLIDE 20

Signatures vs. MACs

Suppose parties A and B share the secret key K. Then M, MACK(M) convinces A that indeed M originated with B. But in case of dispute A cannot convince a judge that M, MACK (M) was sent by B, since A could generate it herself.

slide-21
SLIDE 21

Identification: Model

  • Alice wishes to prove to Bob her identity in
  • rder to access a resource, obtain a service

etc.

  • Bob may ask the following:

– Who are you? (prove that you’re Alice) – Who the **** is Alice?

  • Eve wishes to impersonate Alice:

– One time impersonation – Full impersonation (identity theft)

slide-22
SLIDE 22

Identification Scenarios

  • Local identification

– Human authenticator – Device

  • Remote identification

– Human authenticator – Corporate environment (e.g. LAN) – E-commerce environment – Cable TV/Satellite: Pay-per-view; subscription verification – Remote login or e-mail from an internet cafe.

slide-23
SLIDE 23

Initial Authentication

  • The problem: how does Alice initially convince

anyone that she’s Alice?

  • The solution must often involve a “real-world” type of

authentication – id card, driver’s license etc.

  • Errors due to the human factor are numerous

(example – the Microsoft-Verisign fiasco).

  • Even in scenarios where OK for Alice to be whoever

she claims she is, may want to at least make sure Alice is human (implemented, e.g. for new users in Yahoo mail ).

slide-24
SLIDE 24

Closed Environments

  • The initial authentication problem is fully solved

by a trusted party, Carol

  • Carol can distribute the identification material in

a secure fashion, e.g by hand, or over encrypted and authenticated lines

  • Example – a corporate environment
  • Eve’s attack avenue is the Alice-Bob connection
  • We begin by looking at remote authentication