AN INTRODUCTION TO CRYPTOGRAPHY - BCS

Nov 21, 2013

DIGITAL SIGNATURES

Fred Piper

Codes & Ciphers Ltd

12 Duncan Road

Richmond

Surrey

TW9 2JD

Information Security Group

Royal Holloway, University of London

Egham, Surrey

TW20 0EX

Digital Signatures

2

Outline

1. Brief Introduction to Cryptography
2. Public Key Systems
3. Basic Principles of Digital Signatures
4. Public Key Algorithms
5. Signing Processes
6. Arbitrated Signatures
7. Odds and Ends

NOTE: We will not cover all the sections

The Essence of Security

- Recognition of those you know
- Introduction to those you don’t know
- Written signature
- Private conversation

The Challenge

Transplant these basic social mechanisms to the telecommunications and/or business environment.

The Security Issues

Sender
- Am I happy that the whole world sees this?
- Am I prepared to pay to stop them?
- Am I allowed to stop them?

Recipient
- Do I have confidence in:
  - the originator
  - the message contents and message stream
  - no future repudiation.

Network Manager
- Do I allow this user on to the network?
- How do I control their privileges?

Cryptography is used to provide:

1. Secrecy
2. Data Integrity
3. User Verification
4. Non-Repudiation

Cipher System

[Diagram: message m -> Enciphering Algorithm with key k(E) -> cryptogram c -> Deciphering Algorithm with key k(D) -> message m, with an Interceptor between the two algorithms.]

The Attacker’s Perspective

[Diagram: Deciphering Algorithm with unknown key k(D). Known: c. Wants: m.]

Note: k(E) is not needed unless it helps determine k(D)

Two Types of Cipher System

- Conventional or Symmetric
  - k(D) easily obtained from k(E)
- Public or Asymmetric
  - Computationally infeasible to determine k(D) from k(E)

THE SECURITY OF THE SYSTEM IS DEPENDENT ON THE SECURITY OF THE KEYS

Public Key Systems

Original Concept

For a public key system an enciphering algorithm is agreed and each would-be receiver publishes the key which anyone may use to send a message to him.

Thus for a public key system to be secure it must not be possible to deduce the message from a knowledge of the cryptogram and the enciphering key. Once such a system is set up, a directory of all receivers plus their enciphering keys is published. However, the only person to know any given receiver’s deciphering key is the receiver himself.

Public Key Systems

- For a public key system, encipherment must be a ‘one-way function’ which has a ‘trapdoor’. The trapdoor must be a secret known only to the receiver.
- A ‘one-way function’ is one which is easy to perform but very difficult to reverse. A ‘trapdoor’ is a trick or another function which makes it easy to reverse the function.

Some Mathematical One-Way Functions

1. Multiplication of two large primes.
2. Exponentiation modulo n (n = pq).
3. $x \mapsto a^x$ in $GF(2^n)$ or $GF(p)$.
4. $k \mapsto E_k(m)$ for fixed m where $E_k$ is encryption in a symmetric key system which is secure against known plaintext attacks.
5. $x \mapsto a \cdot x$ where x is an n-bit binary vector and a is a fixed n-tuple of integers. Thus $a \cdot x$ is an integer.

Public Key Cryptosystems

- Enable secure communications without exchanging secret keys
- Enable 3rd party authentication (digital signature)
- Use number theoretic techniques
- Introduce a whole new set of problems
- Are extremely ingenious.

Digital Signatures

According to ISO, the term Digital Signature is used: ‘to indicate a particular authentication technique used to establish the origin of a message in order to settle disputes of what message (if any) was sent’.

Digital Signatures

A signature on a message is some data that
- validates a message and verifies its origin
- a receiver can keep as evidence
- a third party can use to resolve disputes.

It depends on
- the message
- a secret parameter only available to the sender

It should be
- easy to compute (by one person only)
- easy to verify
- difficult to forge

Digital Signature

- Cryptographic checksum
- Identifies sender
- Provides integrity check for data
- Can be checked by third party

Hand-Written Signatures
- Intrinsic to signer
- Same on all documents
- Physically attached to message
- Beware plastic cards.

Digital Signatures
- Use of secret parameter
- Message dependent.

Principle of Digital Signatures

There is a (secret) number which:
- Only one person can use
- Is used to identify that person
- ‘Anyone’ can verify that it has been used

NB: Anyone who knows the value of a number can use that number.

Attacks on Digital Signature Schemes

To impersonate A, I must either
- obtain A’s private key
- substitute my public key for A’s

NB: Similar attacks if A is receiving secret data encrypted with A’s public key

Obtaining a Private Key

- Mathematical attacks
- Physical attacks

NB: It may be sufficient to obtain a device which contains the key. Knowledge of actual value is not needed.

Certification Authority

AIM: To guarantee the authenticity of public keys.

METHOD: The Certification Authority guarantees the authenticity by signing a certificate containing user’s identity and public key with its secret key.

REQUIREMENT: All users must have an authentic copy of the Certification Authority’s public key.

Certification Process

[Diagram. Labels: Owner; Centre; Generates Key Set; Presents Public Key and credentials; Verifies credentials; Creates Certificate; Receives (and checks) Certificate; Distribution]

How Does it Work?

[Certificate graphic: The CA certifies that Fred Piper’s public key is……….. Electronically signed by the CA]

- The Certificate can accompany all Fred’s messages
- The recipient must directly or indirectly:
  - Trust the CA
  - Validate the certificate

User Authentication Certificates

- Ownership of certificate does not establish identity
- Need protocols establishing use of corresponding secret keys

WARNING

Identity Theft

- You are your private key
- You ‘are’ the private key corresponding to the public key in your certificate

Certification Authorities

Problems/Questions
- Who generates users’ keys?
- How is identity established?
- How can certificates be cancelled?
- Any others?

Fundamental Requirement

Internal infrastructure to support secure technological implementation

Is everything OK?

Announcement in Microsoft Security Bulletin MS01-017

“VeriSign Inc recently advised Microsoft that on January 29-30 2001 it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee.”

RSA System

- Publish integers n and e where n = pq (p and q large primes) and e is chosen so that (e, (p-1)(q-1)) = 1.
- If message is an integer m with 0 < m < n then the cryptogram $c = m^e \pmod n$.
- The primes p and q are ‘Secret’ (i.e. known only to the receiver) and the system’s security depends on the fact that knowledge of n will not enable the interceptor to work out p and q.

RSA System

Since (e, (p-1)(q-1)) = 1 there is an integer d such that

$ed = 1 \pmod{(p-1)(q-1)}$.

[NOTE: without knowing p and q it is ‘impossible’ to determine d.]

To decipher raise c to the power d.

Then $m = c^d \ (= m^{ed}) \pmod n$.

System works because if n = pq,

$a^{k(p-1)(q-1)+1} = a \pmod n$

for all a, k.

RSA Summary and Example

Theory                                      Choice
$n = p \cdot q$                             $2773 = 47 \cdot 59$ (p = 47, q = 59)
$e \cdot d \equiv 1 \pmod{(p-1)(q-1)}$      $17 \cdot 157 \equiv 1 \pmod{2668}$ (e = 17, d = 157)
Public key is (e, n)                        (17, 2773)
Private key is (d, n)                       (157, 2773)
Message M (0 < M < n)                       M = 31

NB: Knowledge of p and q is required to compute d.

Encryption using Public Key:
$C \equiv M^e \pmod n$                      $587 \equiv 31^{17} \pmod{2773}$

Decryption using Private Key:
$M \equiv C^d \pmod n$                      $31 \equiv 587^{157} \pmod{2773}$


El Gamal Cipher

- Work in GF(q)
- For practical systems
  - q = large prime
  - $q = 2^n$

Note: We will not define $GF(2^n)$. For a prime q arithmetic in GF(q) is arithmetic modulo q.

El Gamal Cipher

System wide parameters: integers g, p

NB: p is a large prime and g is a primitive element mod p.

- A chooses private key x such that $1 < x < p - 1$
- A’s public key is $y = g^x \bmod p$.

Note: x is called the discrete logarithm of y modulo p to the base g.


El Gamal Encryption

If B wants to send secret message m to A then

1. B obtains A’s public key y plus g and p
2. B generates random integer k.
3. B sends $g^k \pmod p$ and $c = m y^k \pmod p$ to A.

A uses x to compute $y^k$ from $g^k$ and then evaluates m.

El Gamal Cipher

Important facts from last slide
- g is special type of number
- sender needs random number generator
- cryptogram is twice as long as message

El Gamal - Encryption - Worked Example

Prime p = 23
Primitive element a = 11
Private key x = 6
Public key $y = 11^6 \pmod{23} = 9$

To encipher m = 10
Assume random value k = 3

$a^k = 11^3 \bmod 23 = 20$
$y^k = 11^{18} \bmod 23 = 16$
$m y^k = 10 \cdot 16 \bmod 23 = 22$

Thus transmit (20, 22)

El Gamal - Worked Example

To decrypt (20, 22)

$y^k = (a^k)^x = 20^6 = 16 \bmod 23$

To find m: solve $c = m y^k \bmod p$

i.e. solve $22 = m \cdot 16 \bmod 23$

Solution m = 10

Modular Exponentiation

Both RSA and El Gamal involve computing $x^a \pmod N$ for large x, a and N

To speed up process need:
- Fast multiplication algorithm
- Avoid intermediate values becoming too large
- Limit number of modular multiplications
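
An added example (not from the original slides): left-to-right square-and-multiply, which addresses the last two points by reducing mod n after every multiplication and by replacing a - 1 multiplications with roughly 2·log2(a). It is run on the RSA numbers from the summary slide; the function names and the returned counters are assumptions of this sketch.

```python
def modexp(x, a, n):
    """Return (x**a mod n, modular multiplications used, largest intermediate).

    Left-to-right binary method: scan the exponent bits from the top,
    squaring for every bit and multiplying by x when the bit is 1.
    """
    if a < 1 or n < 2:
        raise ValueError("need exponent a >= 1 and modulus n >= 2")
    x %= n
    result, mults, peak = x, 0, x          # the leading 1 bit costs nothing
    for bit in bin(a)[3:]:                 # bits after the leading one
        product = result * result          # square
        peak = max(peak, product)
        result = product % n               # reduce immediately
        mults += 1
        if bit == "1":
            product = result * x           # multiply by the base
            peak = max(peak, product)
            result = product % n
            mults += 1
    return result, mults, peak


def naive_mults(a):
    """Multiplications used by computing x*x*...*x directly."""
    return a - 1


# RSA numbers from the summary slide: n = 2773, e = 17, d = 157, M = 31.
N, E, D, M = 2773, 17, 157, 31

if __name__ == "__main__":
    c, used_e, _ = modexp(M, E, N)
    m, used_d, peak = modexp(c, D, N)
    print("encrypt:", c, "using", used_e, "multiplications")
    print("decrypt:", m, "using", used_d, "instead of", naive_mults(D))
    print("largest intermediate", peak, "stays below n*n =", N * N)
```

Because every product is reduced before the next step, no intermediate value ever exceeds n squared, whatever the size of the exponent.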

How to Create a Digital Signature Using RSA

[Diagram: MESSAGE -> HASHING FUNCTION -> HASH OF MESSAGE -> Sign using Private Key -> SIGNATURE - SIGNED HASH OF MESSAGE]

How to Verify a Digital Signature Using RSA

[Diagram: the Message with Appended Signature is split into Message and Signature. Re-hash the Received Message: Message -> Hashing Function -> HASH OF MESSAGE. Verify the Received Signature: Signature -> Verify using Public Key -> HASH OF MESSAGE.]

If hashes are equal, signature is authentic

Requirements for Hash Function h

(H1) condenses message M of arbitrary length into a fixed length ‘digest’ h(M)

(H2) is one-way

(H3) is collision free - it is computationally infeasible to construct messages M, M' with h(M) = h(M')

H3 implies a restriction on the size of h(M).

DSA

- Proposed by NIST in 1991
- Explicitly requires the use of a hash function
  - SHA-1
- Very different set of functional capabilities than RSA

DSA Set Up

System parameters
- select a 160-bit prime q
- choose a 1024-bit prime p so that $q \mid p-1$
- choose $g \in Z_p^*$ and compute $a = g^{(p-1)/q} \bmod p$
- if a = 1 repeat with different g

User keys
- select random secret key x ($1 \le x \le q-1$)
- compute public key $y = a^x \bmod p$

Signing with DSA

To sign message m
- hash message m to give h(m) ($1 \le h(m) \le q-1$)
- generate random secret k ($1 \le k \le q-1$)
- compute $r = (a^k \bmod p) \bmod q$
- compute $k^{-1} \bmod q$
- compute $s = k^{-1}\{h(m) + xr\} \bmod q$
- signature on m is (r, s)


DSA Signature Verification

To verify (r, s)
- check that $1 \le r \le q-1$ and $1 \le s \le q-1$
- compute $w = s^{-1} \bmod q$
- compute $u_1 = w\,h(m) \bmod q$
- compute $u_2 = rw \bmod q$
- accept signature if $(a^{u_1} y^{u_2} \bmod p) \bmod q = r$
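
An added example (not from the original slides) that carries the three DSA slides through end to end: set-up, signing with $s = k^{-1}\{h(m) + xr\} \bmod q$, and the verification checks in the order listed. The parameters q = 101, p = 607, g = 2 are toy values constructed for this example and the function names are assumptions; the arithmetic is the same at the 160-bit and 1024-bit sizes the slides specify.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example (the slides use a 160-bit q
# and a 1024-bit p): q = 101, p = 607 = 6*101 + 1, g = 2.
Q, P, G = 101, 607, 2
A = pow(G, (P - 1) // Q, P)          # a = g^((p-1)/q) mod p = 64, and a != 1


def h(message):
    """SHA-1 digest as an integer, reduced mod q to fit the toy group."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % Q


def public_key(x):
    return pow(A, x, P)              # y = a^x mod p


def sign_digest(digest, x, k=None):
    """Return (r, s) for a digest; k is fixed only to reproduce a worked case."""
    while True:
        nonce = k if k is not None else secrets.randbelow(Q - 1) + 1
        r = pow(A, nonce, P) % Q
        s = pow(nonce, -1, Q) * (digest + x * r) % Q
        if r != 0 and s != 0:
            return r, s
        if k is not None:
            raise ValueError("this k gives r = 0 or s = 0; choose another")


def verify_digest(digest, signature, y):
    r, s = signature
    if not (1 <= r <= Q - 1 and 1 <= s <= Q - 1):
        return False                 # range check comes first
    w = pow(s, -1, Q)
    u1 = w * digest % Q
    u2 = r * w % Q
    return (pow(A, u1, P) * pow(y, u2, P) % P) % Q == r


def sign(message, x):
    return sign_digest(h(message), x)


def verify(message, signature, y):
    return verify_digest(h(message), signature, y)
```

With x = 10, k = 7 and digest 50 this gives y = 288 and the signature (78, 32); changing the digest to 51 or setting r = 0 makes verification fail.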

Security of DSA

Depends on
- taking discrete logarithms in GF(p) (GNFS)
- the logarithm problem in the cyclic subgroup of order q
  - algorithms for this take time proportional to $q^{1/2}$
- we choose $q \approx 2^{160}$ and $p \approx 2^{1024}$
- other concerns follow the case of El Gamal signatures

Performance of DSA

- Using the subgroup of order q gives good improvements over El Gamal signatures
- for signature
  - one (partial) exponentiation mod p, all other operations less significant
  - also there are opportunities for pre-computation
- for verification
  - two (partial) exponentiations mod p, all other operations less significant

DSA and RSA

- set a unit of time to be that required for one 1024-bit multiplication
- use $e = 2^{16} + 1$ and CRT for RSA
- pre-computation with DSA not included
- also a difference in the sizes of the signatures

          RSA    DSA
Sign      384    240
Verify     17    480

Signing and Verifying

- Which is more important - signature or verification performance?
- depends on the application!
  - certificates: sign once but verify very often
  - secure E-mail: perhaps sign and verify once
  - document storage: sign once but maybe never verify


Digital Signatures for Short Messages

[Diagram: a) Construction: Padding / Redundancy and Text -> RSA with Private Key -> Signature. SEND. b) Deconstruction: Signature -> RSA Verify with Public Key -> Padding / Redundancy and Text.]

Types of Digital Signature

1. Arbitrated Signatures
Mediation by third party, the arbitrator
- signing
- verifying
- resolving disputes

2. True Signatures
Direct communication between sender and receiver
Third party involved only in case of dispute

Arbitrated Signatures

Require trusted arbitrator
- Arbitrator is involved in
  - Signing process
  - Settlement of all disputes
- No one else can settle disputes
- Potential bottleneck

Example of Arbitrated Signature Scheme (1)

Requirement:
A wants to send B message
B wants assurance of contents, that A was originator and that A cannot deny either fact.

Assumption:
A and B agree to trust an arbitrator (ARB) and to accept ARB’s decision as binding.


Example of Arbitrated Signature Scheme (2)

Cryptographic Assumption

1. Will use symmetric Algorithm eg DES
2. Will use MACs
3. A has established a DES key KA shared with ARB
4. B has established a DES key KB shared with ARB

Example of Arbitrated Signature Scheme (3)

A wants to send ‘signed’ message M to B

Simplified protocol

1) $A \to ARB : M_1 = M \,\|\, MAC_{KA}$
2) ARB uses KA to check $MAC_{KA}$
3) $ARB \to B : M_2 = M_1 \,\|\, MAC_{KB}$
4) B uses KB to check $MAC_{KB}$

Note: B has no way of checking $MAC_{KA}$ is correct.
May be necessary to include identities in messages.
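
An added example (not from the original slides) of the four protocol steps with both ends of each message, plus the dispute step that only ARB can perform. HMAC-SHA256 stands in for the DES-based MAC named on the previous slide, and it is assumed that $MAC_{KA}$ is computed over M and $MAC_{KB}$ over the whole of $M_1$; all function names are hypothetical.

```python
import hashlib
import hmac

TAG = 32  # bytes in an HMAC-SHA256 tag (stand-in for the slide's DES MAC)


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def a_send(m, ka):
    """Step 1: A -> ARB : M1 = M || MAC_KA (MAC assumed to cover M)."""
    return m + mac(ka, m)


def arb_forward(m1, ka, kb):
    """Steps 2-3: ARB checks MAC_KA, then sends M2 = M1 || MAC_KB."""
    m, tag_a = m1[:-TAG], m1[-TAG:]
    if not hmac.compare_digest(tag_a, mac(ka, m)):
        raise ValueError("ARB: MAC_KA check failed, message not forwarded")
    return m1 + mac(kb, m1)          # MAC_KB assumed to cover all of M1


def b_receive(m2, kb):
    """Step 4: B checks MAC_KB and keeps (M, MAC_KA) as evidence."""
    m1, tag_b = m2[:-TAG], m2[-TAG:]
    if not hmac.compare_digest(tag_b, mac(kb, m1)):
        raise ValueError("B: MAC_KB check failed")
    # B holds no KA, so MAC_KA is opaque to B: it is stored, not verified.
    return m1[:-TAG], m1[-TAG:]


def arb_settle(m, tag_a, ka):
    """Dispute: only ARB, who shares KA with A, can confirm A's MAC on M."""
    return hmac.compare_digest(tag_a, mac(ka, m))


if __name__ == "__main__":
    KA, KB = b"constructed-key-A", b"constructed-key-B"   # sample keys
    m2 = arb_forward(a_send(b"pay B 100", KA), KA, KB)
    message, evidence = b_receive(m2, KB)
    print(message, arb_settle(message, evidence, KA))
```

B's assurance rests entirely on $MAC_{KB}$, which is why every dispute has to go back to ARB.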


True Signature

True Signature Requirement
- Only one person can sign but anyone can verify the signature

Public Key Requirement
- Anyone can encrypt a message but only one person can decrypt the cryptogram.

True Signature

It is ‘natural’ to try to adopt public key systems to produce signature schemes by using the secret key in the signing process

Digital Signatures

Common Terminology identifies the terms Digital Signature and True Signature

The Decision Process

- Do I need Cryptography?
- Do I need Public Key Cryptography?
- Do I need PKI?
- How do I establish a PKI?

Often Heard

- PKI has never really taken off
- PKI is dead
- I’ve got a PKI, what do I do with it?
- Secure e-commerce needs PKI

Diffie Hellman Key Establishment Protocol

General Idea: Use Public System

- A and B exchange public keys: $P_A$ and $P_B$
- There is a publicly known function f which has 2 numbers as input and one number as output.
- A computes $f(S_A, P_B)$ where $S_A$ is A’s private key
- B computes $f(S_B, P_A)$ where $S_B$ is B’s private key
- f is chosen so that $f(S_A, P_B) = f(S_B, P_A)$
- So A and B now share a (secret) number

Diffie Hellman Key Establishment Protocol

For the mathematicians:

Agree: Prime p, primitive element a

A: chooses random $r_A$ and sends $a^{r_A} \pmod p$

B: chooses random $r_B$ and sends $a^{r_B} \pmod p$

Key: $a^{r_A r_B} \pmod p$

Clearly any interceptor who can find discrete logarithms can break the scheme

In this case $f(x, y) = x^y$: $f(a^{r_A}, r_B) = f(a^{r_B}, r_A) = a^{r_A r_B}$

Note: Comparison with El Gamal



D-H Man in the Middle Attack

[Diagram: A, Fraudster F and B. Values exchanged: $P_A$ and $P_F$ between A and F; $P_F$ and $P_B$ between F and B.]

The Fraudster has agreed keys with both A and B

A and B believe they have agreed a common key

D-H Man-in-the-Middle Attack

For the mathematicians

[Diagram: A, Fraudster F and B. Values exchanged: $a^{r_A} \pmod p$ and $a^{r_F} \pmod p$ between A and F; $a^{r_F} \pmod p$ and $a^{r_B} \pmod p$ between F and B.]

The Fraudster has agreed keys with both A and B

A and B believe they have agreed a common key
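
An added example (not from the original slides) covering both the Diffie Hellman protocol slide and the man-in-the-middle slides: it runs the exchange with $f(x, y) = x^y \bmod p$, once undisturbed and once with F's value substituted in both directions, and shows that A and B then hold different keys. It reuses p = 23 and a = 11 from the El Gamal worked example as toy values; the random exponents and function names are constructed for illustration.

```python
P = 23       # toy prime, borrowed from the El Gamal worked example
ALPHA = 11   # primitive element modulo 23 (the slides' "a")


def public_value(r):
    """What a party sends: a^r (mod p)."""
    return pow(ALPHA, r, P)


def f(received, r):
    """f(x, y) = x^y (mod p): received public value, own secret exponent."""
    return pow(received, r, P)


def exchange(r_a, r_b, r_f=None):
    """Run the protocol; if r_f is given, F's value replaces both public values."""
    pa, pb = public_value(r_a), public_value(r_b)
    if r_f is None:
        return {"A": f(pb, r_a), "B": f(pa, r_b)}
    pf = public_value(r_f)
    return {
        "A": f(pf, r_a),           # A believes this key is shared with B
        "B": f(pf, r_b),           # B believes this key is shared with A
        "F_with_A": f(pa, r_f),
        "F_with_B": f(pb, r_f),
    }


def keys_match(result):
    """True only if A and B actually ended up with the same key."""
    return result["A"] == result["B"]


if __name__ == "__main__":
    print("undisturbed:", exchange(6, 3))
    tampered = exchange(6, 3, r_f=5)
    print("with F in the middle:", tampered, "match:", keys_match(tampered))
```

Nothing in the exchange itself tells A or B whose public value they received, which is the gap that certified public keys, described earlier in the slides, are meant to close.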