Cryptography and Network Security Chapter 13 Fifth Edition by William Stallings.

Date post: 23-Dec-2015
Upload: emily-merry-briggs

Chapter 13 – Digital Signatures

To guard against the baneful influence exerted by strangers is therefore an elementary dictate of savage prudence. Hence before strangers are allowed to enter a district, or at least before they are permitted to mingle freely with the inhabitants, certain ceremonies are often performed by the natives of the country for the purpose of disarming the strangers of their magical powers, or of disinfecting, so to speak, the tainted atmosphere by which they are supposed to be surrounded.
—The Golden Bough, Sir James George Frazer

Digital Signatures

• have looked at message authentication
  • but does not address issues of lack of trust
• digital signatures provide the ability to:
  • verify author, date & time of signature
  • authenticate message contents
  • be verified by third parties to resolve disputes
• hence digital signatures include authentication function with additional capabilities

Alice can deny sending a message M to Bob, since Bob can also produce MACs for different messages.

Bob can produce a MAC for another message M’ and can claim that it came from Alice.

[Fig 13.2 Simplified Depiction of Essential Elements of Digital Signature Process]

Attacks and Forgeries

Goldwasser, Micali and Rivest in 1988 identified several attack scenarios on digital signature schemes:

• Key-only attack: Attacker knows only the public key.
• Known message attack: Attacker is given access to a set of messages and their signatures.
• Generic chosen message attack: Attacker chooses a list of messages before attempting to break the signature, independent of the particular public key. Then he obtains valid signatures for those messages.
• Directed chosen message attack: Similar to generic, but the messages are chosen after knowing a particular public key.
• Adaptive chosen message attack: Attacker and signer are playing an interactive game, where the attacker asks for signatures on different messages, and his queries depend on the knowledge he obtained from previous queries.

Attacks and Forgeries (cont)

Goldwasser, Micali and Rivest also defined success of breaking a signature scheme:

• Total break: Attacker finds the signer’s private key.
• Universal forgery: Attacker finds an efficient signing algorithm that provides an equivalent way of constructing signatures on arbitrary messages.
• Selective forgery: Attacker forges a signature for a particular message chosen by him.
• Existential forgery: Attacker can forge a signature for at least one message. However, he does not have control over the message (so he cannot do much harm to the signer).

Digital Signature Requirements

• must depend on the message signed
• must use information unique to sender
  • to prevent both forgery and denial
• must be relatively easy to produce
• must be relatively easy to recognize & verify
• be computationally infeasible to forge
  • with new message for existing digital signature
  • with fraudulent digital signature for given message
• be practical to save digital signature in storage

Direct Digital Signatures

• involve only sender & receiver
• assumed receiver has sender’s public-key
• digital signature made by sender signing entire message or hash with private-key
• can encrypt using receiver’s public-key
• important that sign first then encrypt message & signature
• security depends on sender’s private-key

Arbitrated Digital Signatures

• involves use of arbiter A
  • validates any signed message
  • then dated and sent to recipient
• requires suitable level of trust in arbiter
• can be implemented with either private or public-key algorithms
• arbiter may or may not see message

Using Public-Key Encryption

• have a range of approaches based on the use of public-key encryption
• need to ensure have correct public keys for other parties
• using a central Authentication Server (AS)
• various protocols exist using timestamps or nonces

Public-Key Approaches

• have seen some public-key approaches
• if confidentiality is major concern, can use:
  $A \to B: E_{PU_b}[K_s] \,\|\, E_{K_s}[M]$
  • has encrypted session key, encrypted message
• if authentication needed use a digital signature with a digital certificate:
  $A \to B: M \,\|\, E_{PR_a}[H(M)] \,\|\, E_{PR_{as}}[T \,\|\, ID_A \,\|\, PU_a]$
  • with message, signature, certificate

ElGamal Digital Signature Scheme

Key generation
• Prime number $q$, and generator $\alpha$
• Generate a random integer $X_A$ such that $1 < X_A < q-1$
• Compute $Y_A = \alpha^{X_A}$
• A’s private key is $X_A$; A’s public key is $(q, \alpha, Y_A)$

ElGamal Digital Signature Scheme (cont)

Signing a message M
• Produce a hash $m = H(M)$
• Choose a random integer $K$ such that $1 \le K \le q-1$ and $\gcd(K, q-1) = 1$
• Compute $S_1 = \alpha^{K} \bmod q$
• Compute $K^{-1} \bmod (q-1)$
• Compute $S_2 = K^{-1}(m - X_A S_1) \bmod (q-1)$
• The signature is $(S_1, S_2)$

ElGamal Digital Signature Scheme (cont)

Verification of the signed message M, $(S_1, S_2)$
• Produce a hash $m = H(M)$
• Compute $V_1 = \alpha^{m} \bmod q$
• Compute $V_2 = (Y_A)^{S_1} (S_1)^{S_2} \bmod q$
• If $V_1 = V_2$ return TRUE, else return FALSE
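The three ElGamal slides above as runnable code. This is an added example, not code from the slides or the textbook. The values q = 23, α = 5, X_A = 7, K = 3 and m = 9 are constructed toy values, SHA-256 as H and all function names are assumptions, and the range check on (S_1, S_2) in verification is an added step the slides do not list.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters (insecure size): prime q and generator alpha.
Q, ALPHA = 23, 5


def hash_to_int(message, q):
    """m = H(M). SHA-256 is an assumption; reduced mod q-1 to fit the toy group."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % (q - 1)


def keygen(q, alpha, x=None):
    """Return (X_A, Y_A) with 1 < X_A < q-1 and Y_A = alpha^X_A mod q."""
    if x is None:
        x = secrets.randbelow(q - 3) + 2
    return x, pow(alpha, x, q)


def sign(m, x, q, alpha, k=None):
    """Return (S1, S2). Pass k only to reproduce a worked example."""
    if k is None:
        k = secrets.randbelow(q - 1) + 1              # 1 <= K <= q-1
        while gcd(k, q - 1) != 1:
            k = secrets.randbelow(q - 1) + 1
    elif not (1 <= k <= q - 1) or gcd(k, q - 1) != 1:
        raise ValueError("K must satisfy 1 <= K <= q-1 and gcd(K, q-1) = 1")
    s1 = pow(alpha, k, q)                             # S1 = alpha^K mod q
    k_inv = pow(k, -1, q - 1)                         # K^-1 mod (q-1)
    s2 = (k_inv * (m - x * s1)) % (q - 1)             # S2 = K^-1 (m - X_A S1) mod (q-1)
    return s1, s2


def verify(m, sig, y, q, alpha):
    """Return True if V1 == V2 for signature (S1, S2) under public key y."""
    s1, s2 = sig
    # Added hardening (not on the slides): reject components outside their range
    # before doing any arithmetic with them.
    if not (1 <= s1 <= q - 1 and 0 <= s2 <= q - 2):
        return False
    v1 = pow(alpha, m, q)                             # V1 = alpha^m mod q
    v2 = (pow(y, s1, q) * pow(s1, s2, q)) % q         # V2 = Y_A^S1 * S1^S2 mod q
    return v1 == v2


if __name__ == "__main__":
    x, y = keygen(Q, ALPHA, x=7)
    sig = sign(9, x, Q, ALPHA, k=3)
    print("public key Y_A =", y, "signature =", sig)
    print("valid message verifies:", verify(9, sig, y, Q, ALPHA))
    print("altered hash verifies: ", verify(10, sig, y, Q, ALPHA))
```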

Digital Signature Standard (DSS)

• US Govt approved signature scheme
• designed by NIST & NSA in early 90's
• published as FIPS-186 in 1991
• revised in 1993, 1996 & then 2000
• uses the SHA hash algorithm
• DSS is the standard, DSA is the algorithm
• FIPS 186-2 (2000) includes alternative RSA & elliptic curve signature variants

Digital Signature Algorithm (DSA)

• creates a 320 bit signature
• with 512-2048 bit security
• smaller and faster than RSA
• a digital signature scheme only
• security depends on difficulty of computing discrete logarithms
• variant of ElGamal & Schnorr schemes

DSA Key Generation

• have shared global public key values (p,q,g):
  • choose q, a 160 bit prime
  • choose a large prime $p < 2^L$
    • where L = 512 to 2048 bits and is a multiple of 64
    • and q is a prime factor of (p-1)
  • choose $g = h^{(p-1)/q}$
    • where $h < p-1$, $h^{(p-1)/q} \pmod p > 1$
• users choose private & compute public key:
  • choose x<q
  • compute $y = g^x \pmod p$ – disseminate y

DSA Signature Creation

• to sign a message M the sender:
  • generates a random signature key k, k<q
  • nb. k must be random, be destroyed after use, and never be reused
• then computes signature pair:
  $r = (g^k \bmod p) \bmod q$
  $s = k^{-1}(H(M) + x r) \bmod q$
• sends signature (r,s) with message M

DSA Signature Verification

• having received M & signature (r,s)
• to verify a signature, recipient computes:
  $w = s^{-1} \bmod q$
  $u_1 = (H(M) \cdot w) \bmod q$
  $u_2 = (r \cdot w) \bmod q$
  $v = (g^{u_1} y^{u_2} \bmod p) \bmod q$
• if v=r then signature is verified
• see book web site for details of proof why
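The DSA slides above as runnable code, together with an audit check for the reuse of k that the signature-creation slide warns against. This is an added example, not code from the slides or the textbook. The parameters p = 283, q = 47, g = 64 are constructed toy values, SHA-256 as H and all function names are assumptions, and the range check on (r, s) is a standard verification step the slides omit.

```python
import hashlib
import secrets
from collections import defaultdict

# Constructed toy domain parameters (insecure sizes):
# q divides p-1 (282 = 6 * 47) and g = h^((p-1)/q) mod p with h = 2.
P, Q, G = 283, 47, 64


def digest_int(message):
    """H(M) as an integer. SHA-256 is an assumption; the slides only say SHA."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def dsa_keygen(x=None):
    """Return (x, y) with 0 < x < q and y = g^x mod p."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def dsa_sign(h, x, k=None):
    """Return (r, s) for hash value h. A real signer never passes k: it draws a
    fresh random k per signature and discards it afterwards."""
    while True:
        k_used = k if k is not None else secrets.randbelow(Q - 1) + 1
        r = pow(G, k_used, P) % Q                     # r = (g^k mod p) mod q
        s = (pow(k_used, -1, Q) * (h + x * r)) % Q    # s = k^-1 (H(M) + x r) mod q
        if r != 0 and s != 0:
            return r, s
        if k is not None:
            raise ValueError("this k gives r = 0 or s = 0; choose another")


def dsa_verify(h, sig, y):
    """Return True if v == r for signature (r, s) under public key y."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):                 # standard range check
        return False
    w = pow(s, -1, Q)
    u1 = (h * w) % Q
    u2 = (r * w) % Q
    v = (pow(G, u1, P) * pow(y, u2, P)) % P % Q
    return v == r


def find_reused_k(signatures):
    """Audit check over (label, (r, s)) pairs made with one key: r depends only
    on k, so two signatures with the same r were made with the same k, which
    exposes the private key. At real sizes (160-bit q) an accidental match is
    negligible; at this toy size different k can collide."""
    by_r = defaultdict(list)
    for label, (r, _s) in signatures:
        by_r[r].append(label)
    return {r: labels for r, labels in by_r.items() if len(labels) > 1}


if __name__ == "__main__":
    x, y = dsa_keygen(x=10)
    log = [("tx-1", dsa_sign(20, x, k=5)),            # constructed: k repeated
           ("tx-2", dsa_sign(33, x, k=5)),
           ("tx-3", dsa_sign(20, x, k=7))]
    print("all verify:", all(dsa_verify(h, s, y)
                             for h, (_, s) in zip((20, 33, 20), log)))
    print("signatures sharing r:", find_reused_k(log))
```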

Practical attributes important for digital signature schemes

(this is not in the textbook)

a. Security level parameter of the signature scheme,
b. key generation speed,
c. signing and verification speed,
d. the speed of the used hash function,
e. size of the private key,
f. size of the public key,
g. size of the produced signatures,
h. the underlying mathematical problem on which the scheme is based,
i. the period of stability of the scheme since its last tweak or update,
j. patent issues connected with the scheme,
k. part of any standard,
l. certified software libraries and availability of open source libraries.

b. Key generation speed

• In most use case scenarios we need the generated public/private keys to be valid for a certain period which is much longer than the period spent on key generation.

• From that point of view, the key generation speed, although an important attribute in the digital signatures metric, does not carry as much weight as a crucial operational attribute.

• On the other hand, the key exposure problem produces case scenarios where we need to generate just short-lived public/private pairs.

• If the user plans to employ public key cryptography in such cases, then the key generation speed should be given a higher weight.

• Different algorithms and techniques for faster generation of provable or probable prime numbers, and other parameters for the standardized digital signature schemes.

c. Signing and verification speed

• The efficiency of digital signature schemes is mostly perceived via the signing and the verification speed.

• Poor performance compared with symmetric encryption techniques.

• The decision on which signature scheme to use should depend on what kind of signature processes will be performed in the system.

• If the process is such that the company server receives a lot of signed transactions from individual clients and has to verify every signature, RSA signatures with small public exponent should be chosen.

• If a company needs to send a bulk of signed invoices to hundreds of thousands (or millions) of users, then elliptic curve signature schemes should be chosen.

d. The speed of the used hash function

• The message hashing (for long messages) can have similar or even much higher computational cost than the operations of signing and verification.

e. Size of the private key

• If the private key is too big, that scheme might not be appropriate for implementing in smart cards or RFIDs, since the hardware resources are scarce in those technologies.

• Specifics of the signature scheme: for example, the size of the private key in RSA is of the same order as the size of the public key, but in all practical implementations (like in the popular OpenSSL) the size of the private key is actually 8 times bigger than the bit size of the public key (due to the use of the Chinese Remainder Theorem for speeding up the signature process).

f. Size of the public key

• Tradeoffs between security levels and the properties of the scheme.

• Example: if we need to design a digital signature scheme that has 256 bits of security, then choosing RSA would be totally impractical since the public key would need 15360 bits, and the operational speed would be low.

• In such a case, a natural choice would be a signature scheme based on elliptic curves with parameters around 512 bits long.

g. Size of the produced signatures

• Number of expected signed documents that the system will handle during the whole operational period (and far beyond that, as a legal requirement for archiving the signed documents).

• Have to take into consideration the size of the produced signatures.

• For example, if we model a digital signature system that will be used by 100 million bank customers, during a period of 30 years, and if we assume that every customer during a period of 30 years will produce ~10,000 signed transactions, then we have to plan for the storage of trillions of signed documents.

• In that case, any difference in the size of the signatures has big implications.

Summary

• have discussed:
  • digital signatures
  • authentication protocols (mutual & one-way)
  • digital signature algorithm and standard

