Date post: | 18-Jan-2016 |
Category: |
Documents |
Upload: | scarlett-freeman |
View: | 228 times |
Download: | 0 times |
Chapter 3 - 1
ADCS
CS262/0898/V1
Chapter 3Applied Cryptography
Digital Signature
"Vision without action is a daydream. Action without vision is a nightmare"
-- Japanese Proverb
Prepared by:
SITI ZAINAH ADNAN
If you do have any feedback or comment,
please feel free to email me at
Your cooperation is very much appreciated !
Chapter 3 - 2
ADCS
CS262/0898/V1
Chapter 3Applied Cryptography
Digital Signature
TOPICS
• Introduction
• Signing Documents with Public Key Cryptography
• Signing Documents and Timestamps
• Signing Documents with Public-key Cryptography and One-way Hash Function
• Multiple Signatures
• Applications of Digital Signature
• Digital Signatures with Encryption
• Resending the Message as a Receipt
• Foiling the Resent Attack
Chapter 3 - 3
ADCS
CS262/0898/V1
References
• Book (available at the Informatics library)
• Notes (available at IVC)
Chapter 3 - 4
ADCS
CS262/0898/V1
Introduction to Digital Signature
• New needs arise, as processing and transmission of information in both computer and computer networks proliferates.
• Legal operations and transactions require the involved users to sign suitable documents.
• Allows to sign documents using their local computers or terminals.
• Creates signatures under computer environments.
Chapter 3 - 5
ADCS
CS262/0898/V1
Introduction to Digital Signature
• Signature purposes:– Evidence - authenticate the signer
of the signed document– Ceremony - calls the signer’s
attention the legal significant of signer’s act, to avoid inconsiderate engagement
– Approval - express the signer’s approval or authorization of the writing
– Efficiency and logistic - imparts a sense of clarity and finally to the transaction
Chapter 3 - 6
ADCS
CS262/0898/V1
Cryptography Mechanism
• Basic building block of cryptographic schemes
• Used in cryptography protocol and good key management to offer effective protection
• The most frequently used are:– Encryption algorithm – Digital signature scheme– Integrity check function
(cryptography hash functions)
Chapter 3 - 7
ADCS
CS262/0898/V1
Integrity Check Functions
• A one-way hash function:– Takes variable-length input - a
message of any length, even thousands or million of bits - and produces a fixed-length output e.g. 160 bits
– It ensures that, if information is changed in any way - even by just one bit - an entirely different output value is produced
Chapter 3 - 8
ADCS
CS262/0898/V1
Integrity Check Functions
• The result of applying a hash function is varyingly call:– Hash value
– Message digest
– Checksum
• Examples:– SHA-1 (Secure Hash Algorithm) for
US DSA (Digital Signature Standard)
– MD4 (Message Digest 4 - not that strong)
– MD5 (standard choice in Internet protocols)
– RIPE-MD
Chapter 3 - 9
ADCS
CS262/0898/V1
Integrity Check Functions• Basic properties for a hash function
h:– Ease of computation: given x, it
is easy to compute h(x)– Compression: the function h
maps inputs x of arbitrary bitlength to outputs h(x) of a fixed bitlength n
Chapter 3 - 10
ADCS
CS262/0898/V1
Integrity Check Functions– One-To-One Mapping between a
document with the respective hash value:
• Pre-image resistance (one-way): given a value y, it is in general computationally infeasible to find a value x so that h(x) = y
• 2nd pre-image resistant (weak collision resistance): given and input x and h(x), it is computationally infeasible to find another input x’, x =/ x’, with h(x) = h(x’)
• Collision resistance (strong collision resistance): it is computationally infeasible to find any two inputs x and x’, x =/ x’, with h(x) = h(x’)
Chapter 3 - 11
ADCS
CS262/0898/V1
Digital Signature
• Digital signature scheme consists of:– A signature algorithm and– A verification algorithm
• A digital signature of a document is a value depending on the contents of the document and on some secret only known to signer e.g. a private key, that associates the document with an entity e.g. public verification key
• The verification algorithm usually takes the document and the public verification key as input
Chapter 3 - 12
ADCS
CS262/0898/V1
Digital Signature
• A digital code (digitally signed hash result of the message) that can be attached to an electronically transmitted message that uniquely identifies the sender
• It is to guarantee that the individual sending the message really is who he/she claims to be
• Important for e-commerce • Key component of most
authentication schemes
Chapter 3 - 13
ADCS
CS262/0898/V1
Digital Signature
• Encryption:
– Protects the confidentiality of a message
– Has to be reversible
• Digital signatures:
– Provide data origin authentication and non-repudiation
– It is need not be reversible for security concern
• Non-repudiation service:
– To assure the origin or delivery of data to protect sender against false denial by recipient that the data has been received
– To protect recipient against false denial by sender that the data has been sent
Chapter 3 - 14
ADCS
CS262/0898/V1
Digital Signature
• Has similar properties of written signatures and therefore:– The signed document is not
reusable (unalterable e.g. cancelled check is not reusable)
– The signature is unforgettable (e.g. owner of check won’t forget their signature)
– The signature is authentic (only the owner can produce)
– The signature cannot be repudiated (owner cannot deny that the signature is not theirs)
– The signature is not reusable (only for digital signature)
Chapter 3 - 15
ADCS
CS262/0898/V1
Digital Signature
• Difference between the handwritten and digital signatures:
– Written signature is physically appended to the text of a documents
– Such relation is not possible in using digital signature – it is electronically attached with the respective document
– Attribute of written signatures is same for all documents being authenticated
– This attribute is no longer same in digital signatures and depends on text and signer
Chapter 3 - 16
ADCS
CS262/0898/V1
Methods of Signature Authentication
• Direct signature authentication:– Authentication process are
performed by receivers only.
• Indirect signature authentication:– Beside sender and receiver, there
are third parties known as referees or arbiters involved who solve possible disputes.
Chapter 3 - 17
ADCS
CS262/0898/V1
Signing Documents with Public Key Cryptography
• Either public key or private key algorithms are used for digital signatures.
Example (basic protocol):
1. Alice uses a digital signature algorithm with her private key to sign the message; SAprivate(M)
2. Alice sends the document to Bob.
3. Bob uses the digital signature algorithm with Alice’s public key to verify the signature; VApublic(SAprivate(M)) = M
• Alice and Bob do this without a trusted third party. If Bob cannot do step 3 above, then the signature is not valid.
Chapter 3 - 18
ADCS
CS262/0898/V1
Signing Documents with Public Key Cryptography
Chapter 3 - 19
ADCS
CS262/0898/V1
Signing Documents with Public Key Cryptography
• The above process of signing document satisfy the characteristics of digital signature:
– The signature is not reusable: the signature is a function of the document and cannot be transfer to another document.
– The signature is unforgettable: only Alice (sender) knows her private key.
Chapter 3 - 20
ADCS
CS262/0898/V1
Signing Documents with Public Key Cryptography– The signature is authentic: when
Bob (receiver) verifies the message with Alice’s (sender) public key, he knows that she signed it.
– The signature cannot be repudiated: Bob does not need Alice’s help to verify her signature.
– The signed document is unalterable: if ther is any alteration to the document, it can no longer be verified with Alice’s public key.
Chapter 3 - 21
ADCS
CS262/0898/V1
Signing Documents and Timestamps
• Under certain circumstances the digital signature and document can be reused.
• E.g. Bob used the (digital check) to bank in again and again which Alice send once only
• To avoid the reuse of signature and document, digital signatures often include timestamps.
• Timestamps – any non-repeating code/date & time, increasing series of number
• The date and the time of signature are attached to the message.
Chapter 3 - 22
ADCS
CS262/0898/V1
Signing Documents with Public Key Cryptography
and One-way Hash Function
• In practical, public key algorithms are often too inefficient to encrypt long documents.
• To save time, digital signature are often implemented with one-way hash function.
• Instead of signing the document, hash of the document is signed.
• Both one-way hash function and digital signature algorithm are agreed upon beforehand.
Chapter 3 - 23
ADCS
CS262/0898/V1
Signing Documents with Public Key Cryptography
and One-way Hash Function1. Alice produces a one-way hash of a
document.
2. Alice sign the hash of the document with her private key, thereby signing the document.
3. Alice sends the document and the signed hash to Bob.
4. Bob produces a one-way hash of the document send by Alice.
5. Bob verifies the signed hash with Alice’s public key and compares with the hash he generated.
6. If both hash of document and signed hash match, then the signature is valid.
Chapter 3 - 24
ADCS
CS262/0898/V1
Signing Documents with Public Key Cryptography
and One-way Hash Function
Chapter 3 - 25
ADCS
CS262/0898/V1
Signing Documents with Public Key Cryptography
and One-way Hash Function
Example:Message
Hash
compare
KPUBLIC
KPRIBATEHash
Chapter 3 - 26
ADCS
CS262/0898/V1
Signing Documents with Public Key Cryptography
and One-way Hash Function• Benefits:
– Speed increases drastically.
– Less chances of two different documents having the same hashsignature is kept separate from document.
– Storage requirement for the document and signature are much smaller.
– Can be used to verify the existence of documents without storing their contents.
– Databases could just store hashes of files and timestamps.
Chapter 3 - 27
ADCS
CS262/0898/V1
Multiple Signatures(Without Hash)
• There are two options in signing a digital documents from two users with out one-way hash function.
1. In first option, two users sign separate copies of the same document.
Dis: double storage spare – not good
2. In second option, first user sign the document and then second user would sign first user signature.
Dis: Impossible to verify 1st ‘s sign without verify the 2nd’s sign
Chapter 3 - 28
ADCS
CS262/0898/V1
Multiple Signatures(With Hash)
• In one-way hash function, hash of the document is signed instead of the document itself, hence multiple signatures are easy, example:
1. Alice signs the document.
2. Bob signs the document.
3. Alice or Bob sends the document and both the signatures to Carol.
4. Coral verifies both Alice’s and Bob’s signature.
• Alice and Bob can do steps (1) and (2) either parallel or in series.
• In step (5), Carol can verify one signature without having to verify the other.
Chapter 3 - 29
ADCS
CS262/0898/V1
Digital Signatures with Encryption
• Singed letter in an Envelope
(Digital signature) (Encryption)
Chapter 3 - 30
ADCS
CS262/0898/V1
Digital Signatures with Encryption
• Combination of digital signature and encryption provides both security and authentication.
• Digital signature provides proof of the authorship.
• Encryption provides privacy.
Example:– Alice signs the message with her
private key.
SAPrivate(M)
– Alice encrypts the signed message with Bob’s public key and sends it to Bob.
EBPublic(SAPrivate(M))
Chapter 3 - 31
ADCS
CS262/0898/V1
Digital Signatures with Encryption
Example:– Bob decrypts the message with his
private key.
DBPrivate(EBPublic(SAPrivate(M))) = SAPrivate(M)
– Bob verifies with Alice’s public key and recovers the message.
VAPublic(SAPrivate(M)) = M
Note: Decryption & Encryption cancelled off each other,
Of course, timestamps should be used with this protocol to prevent reuse of messages.
Timestamps can also protect against other potential pitfalls e.g. guards against replays
Chapter 3 - 32
ADCS
CS262/0898/V1
Resending the Message as a Receipt
• Its an implement of protocol with additional feature of a confirmed message received
• Wherever someone receive a message, he or she sends it back to the sender as a confirmation of receipt.
Example:1. Alice signs a message with her
private key, encrypts it with Bob’s public key, and sends it to Bob
EBPublic(SAPrivate(M))
Chapter 3 - 33
ADCS
CS262/0898/V1
Resending the Message as a Receipt
2. Bob decrypts the message with his private key and verifies the signature with Alice’s public key, thereby verifying that Alice signed the message and recovered the message.
VAPublic(DBPrivate(EBPublic(SAPrivate(M)))) = M
3. Bob signs the message with his private key, encrypts it with Alice’s public key, and sends it back to Alice.
EAPublic(SBPrivate(M))
Note: S (signature), V (verification)
E (encryption), D (decryption)
Chapter 3 - 34
ADCS
CS262/0898/V1
Resending the Message as a Receipt
4. Alice decrypts the message with her private key, and verifies the signature with Bob’s public key. If the resultant message is the same one she sent to Bob, she know that Bob received the message accurately.
VBPublic(DAPrivate(EAPublic(SBPrivate(M)))) = M
Chapter 3 - 35
ADCS
CS262/0898/V1
Resending the Message as a Receipt
– If the same algorithm is used for
both encryption and digital signatures there is a possibility of attack.
– In these cases, the digital signature operation is the inverse of the encryption operation.
VAPublic(DBPrivate(EBPublic(SAPrivate(M)))) = M
– Verification of A’s public key = Encryption of B’s public key
– Decryption of B’s private key = Signature of A’s private key
VX = EX and that SX = DX
Chapter 3 - 36
ADCS
CS262/0898/V1
Resending the Message as a Receipt
How authentication and secret transmission using same algorithm cause security problem?
1. Both encryption/decryption & signing/verification are inverse in operation
2. Encryption and verification operations are similar & make use of the same public key (VX = EX )
3. Decryption and signing operations are similar & make use of the same secret key (SX = DX )
4. 3rd party can get access to message by using public key of 1st and 2nd parties & his own secret key
Chapter 3 - 37
ADCS
CS262/0898/V1
Resending the Message as a Receipt
Example: (Resent Attack)
– Assume that Mallet is a legitimate system user with his own public and private key.
(1) Mallet records Alice’s message to Bob in Step (1).
EBPublic(SAPrivate(M))
– Then, at some time later, Mallet sends that message to Bob, claiming that it came from him. Since SX = DX therefore:
EBPublic(DAPrivate(M))
Chapter 3 - 38
ADCS
CS262/0898/V1
Resending the Message as a Receipt
– (2) Bob decrypts the message with his private key and then tries to verify Mallet’s signature by decrypting it with Mallet’s public key.
VMPublic(DBPrivate (EBPublic(DAPrivate(M))))
- Since VX = EX therefore VM EM
– The resultant message, which is pure gibberish (meaningless message):
EM(DB(EB(DA(M)))) = EMPublic(DAPrivate(M))
Chapter 3 - 39
ADCS
CS262/0898/V1
Resending the Message as a Receipt
– (3) Bob sends Mallet a receipt. Bob signs with his private key (since SX = DX ). Bob encrypt with Mallet’s public key.
EMPublic(DBPrivate(EMPublic(DAPrivate(M))))
– (4) In order to recover M, Mallet will do the following:-
• Decrypt the message with his private key,
• Encrypt it with Bob’s public key,
• Decrypt it again with his private key,
• And encrypt it with Alice’s public key.
• Finally, Mallet has M.
Chapter 3 - 40
ADCS
CS262/0898/V1
Resending the Message as a Receipt
– Acknowledging the receipt of the gibberish creates insecurity.
– It is important never to sign or to decrypt arbitrary messages and give the results to other people.
Chapter 3 - 41
ADCS
CS262/0898/V1
Foiling (Preventing) the Resent Attack
• Resent attack works because the encryption operation is the same as the signature verifying operation (VX = EX )
• Decryption operation is same as the signature operation (SX = DX )
• Resent attack can be foiled:
– By using one-way hash function
– By using different keys for each operation
– By using timestamps
– Shouldn’t accept rubbish message
Chapter 3 - 42
ADCS
CS262/0898/V1
Example, in general the most secured protocol would be:
1. Alice signs a message.
2. Alice encrypt the message and signature with Bob’s public key (using a different encryption algorithm than she used for the signature) and sends it to Bob. So that S ≠ D and V ≠ E
3. Bob decrypts the message with his private key.
4. Bob verifies Alice’s signature.
Foiling (Preventing) the Resent Attack
Chapter 3 - 43
ADCS
CS262/0898/V1
• It is possible to modify the protocol, so that Alice encrypts the message before signing it.
• Suitable under certain circumstances, when the intermediate party would need to verify the signature without able to read the message.
• In general it is better to encrypt everything.
Foiling (Preventing) the Resent Attack