
Årskonference 2003

Theory and Practice of Personal Digital Signatures - The ITSCI project

Ivan Damgård, University of Aarhus


Quote from a typical paper in Theory of Cryptography

”Player P_i signs message m with secret key sk and sends the signature Sign_sk(m) to P_j”

Anything wrong with that?

• In practice ”P_i” is typically not a single entity!
• But a conglomerate of a human user and some machines that store the key and compute the signature: a PC, a handheld authentication device, a server, ...
• We would like to protect the user even if some of the machines involved are corrupt.

The standard model misses some important issues because it cannot capture this.


Example: The problem with software signatures

[Diagram labels: ”Private key”; ”password”; ”Gives access to”; ”Transaction, digital signature”; ”hacking, phishing, etc.”]


Solutions?

External hardware – a ”gadget” producing a one-time code, which you type on the PC. The code sometimes even depends on the transaction.

This must be secure? The good news: yes, it helps – simple phishing no longer works – you have to get the gadget as well.

The bad news...


The man in the middle..

[Diagram labels: ”1-time code”; ”Transaction, digital signature, and/or 1-time code”; ”hacking, phishing, etc.”; the user sees ”500 € for Ronald” while the transaction on the wire reads ”500.000 € for Hackers Unlimited”.]


The Problem

The ”gadget” can’t tell the user what it is doing. The user cannot verify if the 1-time code corresponds to the correct transaction.

Therefore, it is still enough to break into one entity, if you are clever enough.

Extra gadgets are only the ultimate solution if they can talk to your PC - and to you!


Can we do better?

So we need external hardware that talks to the user and the PC and can present the transaction?

Reasonable computing power, operating system, display, communication..

In other words, a computer, maybe a mobile phone – that can be attacked. Why trust the mobile more than the PC?


A possible solution: divide and conquer

From ”it all depends on the PC” to ”it all depends on the mobile or the PDA” – no progress.

Alternative idea: have your digital identity live in several places at the same time, e.g., have user-specific info in both a mobile unit and in a server.

The hope: get the benefits of an intelligent mobile unit, yet all is not lost if it is stolen or hacked.


Secret Sharing a key..

[Diagram (key symbols not recoverable): normal digital signature: key + ”500 € to Ronald” = signature. Digital signature with shared key: first key share + ”500 € to Ronald” = one partial result, second key share + ”500 € to Ronald” = the other.]


Sharing an RSA key..

[Diagram: normal digital signature: key + ”500 € to Ronald” = signature. Digital signature with shared key: each key share + ”500 € to Ronald” = a partial result.]

Normal signature: key (n, d), message m, signature m^d mod n.

Server share (n, d_S): m ↦ m^{d_S} mod n.
Mobile share (n, d_M): m ↦ m^{d_M} mod n.

d = d_S + d_M

m^{d_S} · m^{d_M} mod n = m^d mod n


A simple protocol..

[Diagram labels: ”Transaction, digital signature”; ”500 € for Ronald” (shown twice); ”Server”; ”Server password”.]

Secure if at most one unit is corrupt.


A bit too simple, however..

Mobile unit must do full-scale exponentiation. Too slow, even on modern phones, when done in a high-level language, e.g., Java.

Maybe the PC can help? – however, it is not secure to give d_M to the PC.

A tool for a solution: pseudo-random functions (PRF).

A PRF, f, depends on a key K and an input x. The adversary does not know K, gets to choose x, and is given either f_K(x) or a random r. The adversary cannot tell the difference.

Efficient implementation: your favorite block cipher.


Outsourcing Computation to Terminal (PC)

Let f be a PRF and give key K to M and to S.

• To sign m, M computes b(m) = d_M + f_K(m) and sends it to T.
• T computes m^{b(m)} mod n and sends this and m to S.
• S computes a(m) = d_S − f_K(m) and m^{a(m)} · m^{b(m)} mod n, and tests if this is a valid signature. If yes, returns it to T.

Much faster for M. No information on d for T.

Randomization depends on m: a corrupt T cannot use b(m) to get anything except m signed.


Proactive Security – or What if the mobile is stolen?

The bad news: secret key lost, can’t issue signatures.
The good news: we know there’s a problem, can set up a new mobile unit.

Solution: User and Server store a back-up sharing of the key, d = u + s.
User gives u to the new mobile (e.g., scans a 2-D barcode).
Sharing updated with fresh randomness, d = (u + r) + (s − r); needs one secure message from S to M.

Resulting protocol proactively UC secure if at most one unit is corrupt in each phase.
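The key sharing d = d_S + d_M from the RSA slide, the M → T → S signing protocol from the outsourcing slide, and the proactive re-sharing d = (u + r) + (s − r) above, worked through end to end in Python. This is an added example, not code from the slides or the ITSCI project. It assumes toy-sized RSA parameters built from the Mersenne primes 2^31−1 and 2^61−1 (constructed, not secure sizes), uses HMAC-SHA256 in place of the block-cipher PRF f_K, and hashes the transaction text to obtain the integer m that the slides leave implicit; the function names (share_key, mobile_step, terminal_step, server_step, refresh, run_demo) are the example's own.

```python
import hashlib
import hmac
import random

# Constructed, toy-sized RSA parameters (not secure sizes): the Mersenne
# primes 2^31-1 and 2^61-1 keep the example self-contained and fast.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent d (needs Python 3.8+)


def encode(msg: bytes) -> int:
    """Hash the transaction text to an integer m below n (the example's choice;
    the slides leave the message encoding implicit)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def prf(key: bytes, msg: bytes) -> int:
    """f_K(m). HMAC-SHA256 stands in for the block-cipher PRF of the slides."""
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def share_key(d: int, rng: random.Random):
    """Dealer splits d additively over the integers: d = d_S + d_M."""
    d_m = rng.randrange(N)          # mobile share, uniform in [0, n)
    return d - d_m, d_m             # (d_S, d_M); d_S may be negative


def mobile_step(d_m: int, k: bytes, msg: bytes) -> int:
    """M: b(m) = d_M + f_K(m). The phone does no exponentiation at all."""
    return d_m + prf(k, msg)


def terminal_step(b: int, msg: bytes) -> int:
    """T (the PC): the expensive m^b(m) mod n. b(m) is d_M masked by f_K(m)."""
    return pow(encode(msg), b, N)


def verify(sig: int, msg: bytes) -> bool:
    """Ordinary RSA verification under (e, n): the scheme lives under standard PKI."""
    return pow(sig, E, N) == encode(msg)


def server_step(d_s: int, k: bytes, msg: bytes, t_part: int) -> int:
    """S: a(m) = d_S - f_K(m); combine m^a(m) * m^b(m) = m^d mod n and check it
    before releasing it. pow() with a negative exponent uses m^-1 mod n."""
    a = d_s - prf(k, msg)
    sig = (pow(encode(msg), a, N) * t_part) % N
    if not verify(sig, msg):
        raise ValueError("combined value is not a signature on this transaction")
    return sig


def sign(d_s: int, d_m: int, k: bytes, msg: bytes) -> int:
    """One run of the M -> T -> S protocol from the outsourcing slide."""
    return server_step(d_s, k, msg, terminal_step(mobile_step(d_m, k, msg), msg))


def server_rejects_substitution(d_s, d_m, k, shown: bytes, claimed: bytes) -> bool:
    """A corrupt T forwards m^b(shown) but tells S the transaction is `claimed`.
    S masks with f_K(claimed), so the exponents no longer sum to d and the
    check fails: T gets nothing but `shown` signed."""
    t_part = terminal_step(mobile_step(d_m, k, shown), shown)
    try:
        server_step(d_s, k, claimed, t_part)
        return False
    except ValueError:
        return True


def refresh(u: int, s: int, rng: random.Random):
    """Proactive re-sharing of the backup sharing d = u + s into
    d = (u + r) + (s - r); r is the one secure message from S to the new M."""
    r = rng.randrange(N)
    return u + r, s - r


def run_demo(seed: int = 2003) -> dict:
    """Exercise the whole life cycle; every value should be True."""
    rng = random.Random(seed)
    k = hashlib.sha256(b"constructed demo PRF key").digest()   # K, held by M and S
    d_s, d_m = share_key(D, rng)
    tx = b"500 EUR for Ronald"                                  # constructed transaction
    other = b"500000 EUR for Hackers Unlimited"                 # what a corrupt T claims
    sig = sign(d_s, d_m, k, tx)
    u, s = share_key(D, rng)                  # backup sharing d = u + s
    new_d_m, new_d_s = refresh(u, s, rng)     # after theft: new M gets u, then r
    return {
        "shares_sum_to_d": d_s + d_m == D,
        "signature_valid": verify(sig, tx),
        "equals_plain_rsa_signature": sig == pow(encode(tx), D, N),
        "substitution_rejected": server_rejects_substitution(d_s, d_m, k, tx, other),
        "refreshed_shares_sum_to_d": new_d_m + new_d_s == D,
        "signs_after_refresh": verify(sign(new_d_s, new_d_m, k, tx), tx),
        "stolen_share_useless_with_new_server_share": d_m + new_d_s != D,
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

Running it shows the three properties the slides claim: the combined value m^{a(m)} · m^{b(m)} verifies under the public key (e, n) exactly like an ordinary RSA signature; a terminal that forwards the partial for one transaction while telling the server it is another fails the server's check, because S recomputes f_K on the transaction it is told about; and after a refresh the stolen mobile share no longer pairs with the server's share. Because d_S and a(m) may be negative, the server's pow() call relies on Python 3.8+, which interprets a negative exponent with a modulus as exponentiation of the modular inverse.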


Usability – Security

• Potentially easier for the user than typing 1-time codes.
• Mobility: can be done from any PC.
• Not necessary to use a hardware token that is only for security. You bring your mobile anyway.
• Must have communication with the PC – or with the net. Bluetooth a possibility. Longer term: near-field communication.
• Secure as long as a break-in occurs in only one place simultaneously.
• The server cannot sign on its own.
• Lives under standard PKI.


IT-Security for Citizens, ITSCI

Based at: University of Aarhus
Head: Ivan Damgård
Researchers: Susanne Bødker, Kaj Grønbæk
PhD students: Gert Mikkelsen, Niels Mathiasen
Programmer: Daniel Andersson

Partners: University of Aarhus, PBS, TDC, GiriTech, Cryptomathic, Danske Bank

Supported by the Danish Strategic Research Council


Idea behind ITSCI: Security depends both on technology and usability.

Solving the problems demands cooperation between expertise in both technical/crypto and human-computer interaction.

We have seen far too little of this so far. ITSCI is possibly the first Danish attempt to include both types of researchers.


In practice

1. A prototype of the system has been developed. Uses a mobile phone, talks to the PC via Bluetooth, compatible with the Danish nation-wide PKI. Java application on the phone, applet sent to the PC when needed.

Next steps: solution for back-up of the private key, so you can survive theft of the mobile unit without having to start everything from scratch and get a new certificate. Also need to look at key generation.

