digital signaturedigital signature scheme

kitlunchroomΤεχνίτη Νοημοσύνη και Ρομποτική

21 Νοε 2013 (πριν από 3 χρόνια και 6 μήνες)

82 εμφανίσεις

Digital
Signature Correctness

with

Optimized RSA Algorithm

Introduction:


A
digital signature

or
digital signature scheme

is a mathematical scheme for demonstrating
the authenticity of a digital message or document. A valid digital signature gives a recipient
reason to believe that the message was created by a known sender, and that it was not altered in
transit. Digital sig
natures are commonly used for software distribution, financial transactions,
and in other cases where it is important to detect forgery or tampering.

On other hand,
The RSA algorithm is named after Ron Rivest, Adi Shamir and Len Ad
leman,
who invented it in

1977.

The basic technique was first discovered in 1973 by Clifford
Cocks
of

CESG (part of the British GCHQ) but this was a secret unti
l 1997. The patent taken out by
RSA
Labs has expired.











The RSA cryptosystem is the most widely
-
used public key
cryptography algorithm in the
world. It can be used to encrypt a message without the need to exchange a secret key separately

The RSA algorithm can be used for both public key encryption and digital signatures. Its security
is based on the difficulty of fa
ctoring large integers.
Party A can send an encrypted message to
party B without any prior exchange of secret keys. A just uses B's public key to encrypt the
message and B decrypts it using the private key, which only he knows. RSA can also be used to
sign

a message, so A can sign a message using their private key and B can verify it using A's
public key.
Digital signatures employ a type of
asymmetric cryptog
raphy
.




Original RSA steps
:

Encryption

Sender A does the following:
-


1.

Obtains the recipient B's public key (n, e).

2.

Represents the plaintext message as a positive integer
m
,
1 < m < n


3.

Computes the
cipher text

c = m
e

mod n
.

4.

Sends the ciphertext
c

to

B.

Decryption

Re
cipient B does the following:
-


1.

Uses his private key (n, d) to compute
m = c
d

mod n
.

2.

Extracts the plaintext from the message representative
m
.

Digital signing

Sender A does the following:
-


1.

Creates a
message digest

of the information to be sent.

2.

Represents this digest as an integer
m

between 1 and
n
-
1.

3.

Uses her
private

key (n, d) to compute the signature
s = m
d

mod n
.

4.

Sends this signature
s

to the recipient, B.

Signature verification

Recipient B does the following:
-


1.

Uses sender A's public key (n, e) to compute integer
v = s
e

mod n
.

2.

Extracts the message digest from this integer.

3.

Independently computes the message digest of the information that has been signed.

4.

If both message digests are identical, the signature is
valid

Problem
:



The only know way to attack a highly secure RSA algorithm is to perform a brute force attack
on the modulus.

However, this attack can be easily defeated by increasing the key size of the
modulus.

Moreover,

this approach

of increasing the key size can lead to number of problems
such as;



Increased processing time; decryption time increases 8
-
fold as key sizes double
.



Computational Overheads


the computation required to perform the public key and
private key transformation
s



Increased key storage requirement


RSA key storage (private and public keys) requires
significant amounts of memory for storage.

Furthermore, key generation is complex and time consuming, time increases with key size.In
RSA a short public exponent can b
e employed to speed up signature verification and encryption.
Moreover, the need to make digital signature more secure with small bits (1024) for key
generations is the main goal of the proposed algorithm and survey study.

Proposed
Algorithm
:


The
propose
d

digital signature algorithm by the
authors
of the
paper

in review

is

an adaptation
of the RSA system algorithm that overcomes the shortcoming of the RSA system
(processing

time and computational overheads). The proposed algorithm is aimed to
solve

the problem of
processing time by not increasing the key size but using key with small bit (1024 bit) so the
problem of increased processing time can be solved. It also aimed to
solve

the computational
overhead through modification of the main
RSA algorit
hm
.

The algorithm essentially involved the RSA System with DSA so that it can prevent anyone from
tempering the sender message before it get to its final destination. Nonetheless, the basic aim of
the algorithm is to make RSA algorithm more efficient.


How the proposed
Signature
algorithm works
:



In the algorithm, the message is to be assigned as input to a one
-
way hash algorithm
producing an unrecoverable digest of the message.



The digest is encrypted with
receiver’s

public
key, then

senders public key
to produce
signature,

appended to the original message and transmitted.



At the
receivers
,

the message and signed digest
(the

signature) are
separated. The

original
message

is passed through the same hash function used by the originator and
the signature is

decrypted using sender’s public key then
receiver’s

private key to
produce another copy of the original
digest. The

two digest are presented to a
comparator. If they are
equal, the

message is accepted as genuine. If they do not
match, the

message is rejec
ted.

The
digital

signature
algorithm
scheme consists of three

different

Components
and
algorithms
:

a.

A
key generation

algorithm

that selects a
private key

uniformly at random

from a set of
possible private keys. The algorithm outputs the private key and a corresponding
public
key
.

b.

A
signing

alg
orithm

that, given a message and a private key, produces a signature.

c.

A
signature verifying

algorithm that, given a message, public key and a signature, either
accepts or rejects the message's claim to authenticity.



Algorithm:

Key Generation
:


Suppose a user A w
ish to allow B to send a private message over an insecure transmission
medium. A and B take the following algorithm to generate a public key and private key;


INPUT: Bit length of modulus, k.


OUTPUT:

Public key (E; N), and private key (D; N).

1)

Generate prime numbers (P
a) and (Pb) of bit length [k/2]

2)

Generate prime numbers (Qa) and (Qb) of bit length K
-
[k/2]







Experimental Results:


To test and compare the performance
characteristic

of the

RSA
, DSS

and proposed signature
algorithm, the

authors implemented the test in c+
+ program
. The experiment was done to test
and compare the time required for
achieving

the implementation of RSA, DSS and proposed
algorithm in small range of key size.

Algorithm

Key

Generation(Seconds)

SIGNATURE ( secs)

Verification( seconds)


Experiment 1



RSA

4.48500

0.016000

13.59400

DSS

34.32800

8.110000

4.531000

Proposed

10.719000

0.015000

0.015000


EXPREIMENT 2



RSA

7.735000

0.016000

13.281000

DSS

72.922000

30.906000

8.312000

PROPOSED

10.750000

0.031000

0.047000


EXPERIMENT 3



RSA

12.324000

0.016000

19.625000

DSS

50.640000

35.344000

10.632000

PROPOSED

11.45600

0.040000

0.0500000



Correctness

Key Generation:

The time required for key generation of RSA is smaller than DSS
and their proposed algorithm.
The time required for DSS is 8 fold that of RSA since in DSS key generation algorithm there is
need to generate key for user as well as key for each message the
sender can sent it.But the time
of proposed algorithm is double that of RSA because two keys for sender and reciver are needed
to be generated.

Signature Generation:

The time required for signature generation of RSA is smaller than DSS because hash functio
n is
used in RSA signature algorithm while secure hash function is used in DSS. However,the time
required for the proposed algorithm is smaller than RSA since it develops the RSA signature
algorithm by using it with DSS.

Signature
Verification
:


In signature verification process, the proposed algorithm pulls ahead both RSA and DSS in
performance. In

Proposed algorithm, two keys are
used, private

for
receiver

and public key for
sender, while

in RSA,

only public key is
used. In

the signature verif
ication process,

part of each
algorithm time is spent
computing

the SHA
-
1 hash of the message.



Comments:

The result obtained show that RSA signature generation is significantly slower than the
developed signature algorithm.The cost of signature generatio
n can be considered as a factor in
the choice of signature systems. Hence, the proposed signature cost is lower than RSA signature.

The proposed
algorithms achieve

high security for digital signature in addition to decrease
processing time and computational overheads. Thus, an intruder cannot interfere on a sent
message since the sender’s private key is unknown to him.

On the receiver’s side, the message is verified

by using sender’s public key and his private key to
decrypt the message successfully.

In RSA, signature generation is faster than signature verification and in DSS signature
verification is faster
signature generation
. The proposed algorithm is faster
than both RSA and
DSS.

A real example

In practice, we use a modulus of size in the order of 1024 bits. That is over 300 decimal digits.
One example is

n =

11929413484016950905552721133125564964460656966152763801206748195494305685115
033

380631595703771562
02973050001186287708466899691128922122454571180605749959895
170

80042105263427376322274266393116193517839570773505632231596681121927337473973
220

312512599061231322250945506260066557538238517575390621262940383913963

This is composed of the two primes

p =

1
0933766183632575817611517034730668287155799984632223454138745671121273456287
670

008290843302875521274970245314593222946129064538358581018615539828479146469


q =

10910616967349110231723734078614922645337060882141748968209834225138976011179
993

3942998101597
36904468554021708289824396553412180514827996444845438176099727

With a number this large, we can encode all the information we need in one big integer. We put
our message into an octet string and then convert to a large integer.

Also, rather than trying to

represent the plaintext as an integer directly, we generate a random
session key

and use that to encrypt the plaintext with a conventional, much faster symmetrical
algorithm like Triple DES or AES
-
128. We then use the much slower public key encryption
alg
orithm to encrypt just the session key.

The
sender A

then transmits a message to the recipient B in a format something like this:
-


Session key encrypted with RSA = xxxx

Plaintext encrypted with session key = xxxxxxxxxxxxxxxxx

The
recipient B

would extract the encrypted session key and use his private key (n,d) to decrypt
it. He would then use this session key with a conventional symmetrical decryption algorithm to
decrypt the actual message. Typically the transmission would include in plainte
xt details of the
encryption algorithms used, padding and encoding methods, initialisation vectors and other
details required by the recipient. The only secret required to be kept, as always, should be the
private key.

If Mallory intercepts the transmissi
on, he can
either try or

crack the conventionally
-
encrypted
plaintext directly, or he can try and decrypt the
encrypted

session key and then use that in turn.
Obviously, this system is as strong as its weakest link.

When signing, it is usual to use RSA to

sign the message digest of the message rather than the
message itself. A one
-
way hash function like SHA
-
1 or SHA
-
256 is used. The sender A then
sends the signed message to B in a format like this

Hash algorithm = hh

Message content = xxxxxxxxx...xxx

Sign
ature = digest signed with RSA = xxxx

The recipient will decrypt the signature to extract the signed message digest,
m
; independently
compute the message digest,
m'
, of the actual message content; and check that
m

and
m'

are
equal. Putting the message dige
st algorithm at the beginning of the message enables the recipient
to compute the message digest on the fly while reading the message.

Two main properties are required. First, a signature generated from a fixed message and fixed
private key should verify
the authenticity of that message by using the corresponding public key.
Secondly, it should be computationally infeasible to generate a valid signature for a party who
does not possess the private key.

Applications

As organizations move away from paper doc
uments with ink signatures or authenticity stamps, digital
signatures can provide added assurances of the evidence to provenance, identity, and status of an
electronic document as well as acknowledging informed consent and approval by a signatory. The Unit
ed
States Government Printing Office (GPO) publishes electronic versions of the budget, public and private
laws, and congressional bills with digital signatures. Universities including Penn State,
University of
Chicago
, and Stanford are publishing electronic student transcripts with digital signatures.

Below are some common reasons for applying a digital signature to communications:

Authentication

Although messages may often include information about the entity sending a message, that
information may not be accurate. Digital signatures can be used to authenticate the source of
messages. When ownership of a digital signature secret key is bound to a
specific user, a valid
signature

shows that the message was sent by that user. The importance of high confidence in
sender authenticity is especially obvious in a financial context. For example, suppose a bank's
branch office sends instructions to the cent
ral office requesting a change in the balance of an
account. If the central office is not convinced that such a message is truly sent from an
authorized source, acting on such a request could be a grave mistake.


Integrity

In many scenarios, the sender and

receiver of a message may have a need for confidence that the
message has not been altered during transmission.

However, if a message is digitally signed, any
change in the message after signature will invalidate the signature. Furthermore, there is no
ef
ficient way to modify a message and its signature to produce a new message with a valid
signature, because this is still considered to be computationally infeasible by most cryptographic
hash functions

Non
-
repudiation

Non
-
repudiation
, or more specifically
non
-
repudiation of origin
, is an important aspect of digital
signatures. By this property an entity that has signed some information cannot at a later time
deny having
signed it. Similarly, access to the public key only does not enable a fraudulent party
to fake a valid signature.


Weaknesses in RSA

Limitations

Small encryption exponent

If you use a small exponent like
e=3

and

send the same message to different recipient
s
and

just
use the RSA algorithm without adding random padding to the message, then an eavesdropper
could recover the plaintext.

Using the same key for encryption and signing

Given that the underlying mathematics is the same for encryption and signing, on
ly in
reverse, if an attacker can convince a key holder to sign an unformatted encrypted
message using the same key then she gets the original.

Acting as an oracle

There are techniques to recover the plaintext if a user just blindly returns the RSA
transf
ormation of the input. So don't do that.

Solutions

1.

Don't use the same RSA key for encryption and signing.

2.

If using PKCS#v1.5 encoding, use
e=0x10001

for your public exponent.

3.

Always format your input before encrypting or signing.

4.

Always add
fresh

random padding
-

at least 8 bytes
-

to your message before encrypting.

5.

When decrypting, check the format of the decrypted block. If it is not as expected, return
an error, not the decrypted string.

6.

Similarly, when verifying a signature, if there is any er
ror whatsoever, just respond with
"Invalid Signatur

Variations & Extensions

The underlying RSA computations,
c = m
e

mod n, m' = c
d


mod n; s = m
d

mod n, m' = s
e

mod n
a
re always the same, but there are many variants of how these can be used inside an encr
yption
or digital signature
scheme
. Here are some of them.

RSAES
-
OAEP

RSAES
-
OAEP

(
RSA E
ncryption
S
cheme
-

O
ptimal
A
symmetric
E
ncryption
P
adding
) is a
public
-
key encryption scheme combining the RSA algorithm with the OAEP method. The
inventors of OAEP are
Mihir Bellare and Phillip Rogaway, with enhancements by Don B.
Johnson and Stephen M. MatyasRSASSA
-
PSS

RSASSA
-
PSS

RSASSA
-
PSS

(
RSA S
ignature
S
cheme with
A
ppendix
-

P
robabilistic
S
ignature
S
cheme
) is an
asymmetric signature scheme with appendix combining the

RSA algorithm with the PSS
encoding method. The inventors of the PSS encoding method are Mihir Bellare and Phillip
Rogaway. During efforts to adopt RSASSA
-
PSS into the P1363a standards effort, certain
adaptations to the original version of RSA
-
PSS were ma
de by Bellare and Rogaway and also by
Burt Kaliski (the editor of IEEE P1363a) to facilitate implementation and integration into
existing protocols.


X9.31 Signature Scheme

ANSI standard X9.31 requires using
strong primes

derived in a way to avoid particul
ar attacks
that are probably no longer relevant. X9.31 uses a method of encoding the message digest
specific to the hash algorithm. It expects a key with length an exact multiple of 256 bits