Digital Signatures
Model • A public key analog of MAC • A digital signature scheme includes the following elements: – A private key k – A public key k’ – A signature algorithm • Public key is published • Signature requires private key • Verification requires public key
Ramifications • Commercial – anyone can sign a contract, check, statement etc. • Signatures are necessary for e-commerce • Legal – digital signatures can be binding in a court of law (unlike MACs) • Legal signature laws of various types are appearing
Handwritten Signatures • Relate an individual, through a handwritten signature, to a document. • Signature can be verified against a prior authenticated one, signed in person. • Should be hard to forge. • Are legally binding (convince a third party, e.g. a judge).
Digital Signatures: Desired Properties • Relate an individual, through a digital string, to a document. • Signature should be easy to verify. • Should be hard to forge. • Are legally binding (convince a third party, e.g. a judge).
Diffie and Hellman (76) “New Directions in Cryptography” Let E A be Alice’s public encryption key, and let D A be Alice’s private decryption key. • To sign the message M, Alice computes the string y=D A (M) and sends M,y to Bob. • To verify this is indeed Alice’s signature, Bob computes the string x = E A (y) and checks x=M. Intuition: Only Alice can compute y=D A (M), thus forgery should be computationally infeasible.
Problems with “Pure” DH Paradigm • Easy to forge signatures of random messages even without holding D A : Bob picks R arbitrarily, computes S=E A (R). Then the pair (S,R) is a valid signature of Alice on the “message” S. • Therefore the scheme is subject to existential forgery. • “So what” ?
Problems with “Pure” DH Paradigm • Consider specifically RSA. Being multiplicative, we have (products mod N) D A (M 1 M 2 ) = D A (M 1 ) D A (M 2 ). • If M 2 =“I OWE BOB $20” and M 1 =“100” then under certain encoding of letters we could get M 1 M 2 =“I OWE BOB $2000”…
Standard Solution: Hash First Let E A be Alice’s public encryption key, and let D A be Alice’s private decryption key. • To sign the message M, Alice first computes the strings y=H(M) and z=D A (y). Sends M,z to Bob. • To verify this is indeed Alice’s signature, Bob computes the string y=E A (z) and checks y=H(M). • The function H should be collision resistent, so that cannot find another M’ with H(M)=H(M’).
General Structure: Signature Schemes • Generation of private and public keys (randomized). • Signing (either deterministic or randomized) • Verification (accept/reject) - usually deterministic.
Schemes Used in Practice • RSA • El-Gamal Signature Scheme (85) • The DSS (digital signature standard), adopted by NIST in 94 is based on a modification of El-Gamal signature.
El-Gamal Signature Scheme Generation • Pick a prime p of length 1024 bits such that DL in Z p * is hard. • Let g be a generator of Z p *. • Pick x in [2, p -2] at random. • Compute y = g x mod p . • Public key: p , g , y . • Private key: x .
El-Gamal Signature Scheme Signing M • Hash: Let m=H(M). • Pick k in [1,p-2] relatively prime to p-1 at random. • Compute r=g k mod p. • Compute s=(m-rx)k -1 mod (p-1) (***) • Output r and s.
El-Gamal Signature Scheme Verify M,r,s,PK • Compute m=H(M). • Accept if 0<r<p and y r r s =g m mod p. else reject. • What’s going on? By (***) s=(m-rx)k -1 mod p-1, so sk+rx=m. Now r=g k so r s =g ks , and y=g x so y r =g rx , implying y r r s =g m .
Homework Assignment 2, part I • Implement via Maple the El Gamal Signature Scheme: – Key Generation – Message Signature – Message Verification • What happens if you use the same k twice?
The Digital Signature Algorithm (DSA) • Let p be an L bit prime such that the discrete log problem mod p is intractable • Let q be a 160 bit prime that divides p -1 • Let α be a q ’th root of 1 modulo p . How do we compute α ?
The Digital Signature Algorithm (DSA) • p – prime, q – prime, p -1 = 0 mod q , α = 1 (1/ q ) mod p • Private key: random 1 ≤ s ≤ q -1. • Public key: ( p , q , α , β = α s mod p ) • Signature on message M: – Choose a random 1 ≤ k ≤ p -1, secret!! • Part II: (SHA (M) + s (PART I)) / k mod q • Part I: (( α k mod p ) mod q
The Digital Signature Algorithm (DSA) – p – prime, q – prime, p -1 = 0 mod q , α = 1 (1/ q ) mod p, Private key: random 1 ≤ s ≤ q -1. Public key: ( p , q , α , β = α s mod p ). Signature on message M: • Choose a random 1 ≤ k ≤ p -1, secret!! – Part I: (( α k mod p ) mod q – Part II: (SHA (M) + s (PART I)) / k mod q • Verification: – e 1 = SHA (M) / (PART II) mod q – e 2 = (PART I) / (PART II) mod q – OK if (mod) mod (PART I) pq �� = ee 12
The Digital Signature Algorithm ( ) ( ) ( ( ) ) ( ( ) ) ��� �� == e ss ()/()(mod)mod/mod epqSHAMspqkq SHAMSHAMspqkq (mod)mod/()(mod)mod/mod �� + kk 2 1 Homework 2 part II: Prove that if the signature is generated correctly then the verification works correctly. What happens if PART II of the signature is 0?
Signatures vs. MACs Suppose parties A and B share the secret key K. Then M, MAC K (M) convinces A that indeed M originated with B. But in case of dispute A cannot convince a judge that M, MAC K (M) was sent by B, since A could generate it herself.
Identification: Model • Alice wishes to prove to Bob her identity in order to access a resource, obtain a service etc. • Bob may ask the following: – Who are you? (prove that you’re Alice) – Who the **** is Alice? • Eve wishes to impersonate Alice: – One time impersonation – Full impersonation (identity theft)
Identification Scenarios • Local identification – Human authenticator – Device • Remote identification – Human authenticator – Corporate environment (e.g. LAN) – E-commerce environment – Cable TV/Satellite: Pay-per-view; subscription verification – Remote login or e-mail from an internet cafe.
Initial Authentication • The problem: how does Alice initially convince anyone that she’s Alice? • The solution must often involve a “real-world” type of authentication – id card, driver’s license etc. • Errors due to the human factor are numerous (example – the Microsoft-Verisign fiasco). • Even in scenarios where OK for Alice to be whoever she claims she is, may want to at least make sure Alice is human (implemented, e.g. for new users in Yahoo mail ).
Closed Environments • The initial authentication problem is fully solved by a trusted party, Carol • Carol can distribute the identification material in a secure fashion, e.g by hand, or over encrypted and authenticated lines • Example – a corporate environment • Eve’s attack avenue is the Alice-Bob connection • We begin by looking at remote authentication
Recommend
More recommend
